-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make go-fuzz-build work with modules (for #195) #263
Conversation
Thanks @kjk! Well I guess more testing is needed though this fix looks quite trivial so if this really works this is awesome:) I'll do some testing myself as well. please feel free to comment on issues you are aware of with this fix. |
This needs tests :) |
@mvdan do you have any specific test in mind? I could add |
No specific test in mind; just that this one-line change is subtle and will likely break some users, so we should have extensive tests covering multiple realistic scenarios. For example:
You should check which of these worked before the change and after, and see if any regressions are introduced. |
I can confirm that this works on https://github.com/coredns/coredns with go modules enabled. before jumping and writing complicated tests my suggestion is the following: use an "experimental" Also we can add this experimental flag to the documentation so other people will be able to experiment with this. Let me know what you think |
I think before adding a custom env var, a better option would be to simply leave the existing |
@mvdan This fine by me. it just that it might break behaviour for users who didn't explicitly set GO111MODULE=off. |
Also @dominikh brought this comment https://github.com/dvyukov/go-fuzz/blob/master/go-fuzz-build/main.go#L626 to my attention which I'm not sure what it means but maybe @josharian @dvyukov knows how this affects go-modules |
So, there are a couple interesting things about how go-fuzz-build works with this change. go-fuzz-build constructs a workdir that contains a copy of the package under test and all of its dependencies. This currently always constructs a complete GOPATH, not a module. This is probably(tm) fine. If go/packages has already resolved all the module dependencies, then we don't need a go.mod to resolve dependencies correctly. go/packages in module mode also takes care of the module path. If we have a go.mod with What doesn't work is a fun interaction with go.mod and working in GOPATH mode. Even when working in GOPATH, and even when GO111MODULE=off, An example is the nats-io/nats-server project. Said project has a go.mod saying However, when go-fuzz-build processes the same package, it doesn't know about the To observe the interaction of GOPATH, |
@dominikh Let's not fall into "perfect is the enemy of good" trap. We know We know that no-one with really deep knowledge of Not merging a fix for a large number of cases (that is easy to verify as working) because it might not cover all cases is "perfect is is the enemy of good". The absolute worst thing that can happen is: we merge, it breaks people, they report it in the bug tracker, we revert it. I expect that it'll fix the issue for a great number of people and if there are cases where it doesn't work, people will report them and we can investigate them. |
I'm not an expert on the nuances of all permutations of GOPATH and go modules. But I'm totally in favour of getting the ball rolling by merging this commit (with either experimental flag or removing the hardcoded environment variable completely). And of course keeping an eye on any issues that arise. |
@kjk I suspect copying a When in GOPATH mode, Second, one minor clarification on this comment:
It is fairly common for people to work inside GOPATH and use One approach would be to have the README say Alternatively, it might work to tweak the current approach in the PR of always setting Of my two comments here, the first about copying Personally, I'm all for incremental progress, but might be worth briefly and quickly evaluating 1-2 small tweaks to the proposed fix here, but of course, others can/should weigh in on that. |
Also, one additional related comment / FYI is that making it easier to work in GOPATH with modules is one of the changes for modules coming in the near-term with Go 1.13, where Go 1.13 is adjusting the meaning of |
It's very much intended that a Go module can be worked on from inside GOPATH. That's why
Nobody said that we shouldn't merge this. I documented the short-comings of the patch, and mvdan asked for test cases, so that we have clear indication of which configurations work, which didn't, and to prove that there are no regressions. I don't care if if my concern gets fixed before or after the merge, but it should be documented and it should be fixed.
I mean… considering you tell people who know the finer points of go/packages that their concerns aren't valid... FWIW, I don't think the change can break any existing use-cases. Just don't claim that it's a complete solution. And please don't get all defensive because people engage in discussion and code review. |
The current change is doing the following in
A simpler change that might work better might be just using That might work better, and might align better with people's expectations. It also might possibly be a safer change, especially with the coming Go 1.13 change that redefines It would mean dependencies are found here based on whatever the user has currently set for That said, there are many permutations to think through, so maybe that is not right. However, could be worth a quick try. |
Note that before we set GO111MODULE=off, it was at its default value of auto, and that caused problems in google/oss-fuzz#2188. That was why we started setting it to off, recently. I am thus a bit skeptical that this change is actually moving the ball forwards in any meaningful way. At a minimum, it would be good to confirm that setting it back to auto won't break oss-fuzz. |
@josharian what about my suggestion of an experimental flag? as this fix a lot of problems in repos that use go-modules which currently cannot use go-fuzz at all. |
I dunno. We could do something like But I'd rather actually fix the underlying issue. Until we do that, there will still be a steady stream of support needs, only it'll be more complicated to deal with them, since there are more knobs that people might have fiddled with. |
How about It won't regress anything and will make it possible to work with modules if explicitly set. I also tested a variant that would check if Or we can remove setting
Not sure how actionable this is. For the module-based project I tested, the issue was that What are success criteria for accepting a fix for #195? |
I would rather simply respect any existing GO111MODULE envvar that is set (use os.LookupEnv). Then if later we remove that logic, no one's scripts or invocations have to change, and we aren't left with a vestigial flag.
For any successful invocation of Switching to go/packages (a few months ago) helped a lot with the "same code" problem. We clearly haven't solved the "also succeed" problem. It may be as simple as synthesizing a go.mod. I don't know exactly; finding out for sure is half of the effort in fixing it properly. The other half is writing tests. I hope this helps clarify. |
We are anxiously awaiting this to be merged for use in fuzzing Caddy. Please let us know if we can help with this at all! |
@thepudds am I correct that you are trying to pull this off? do you need any help? |
Hello @yevgenypats, I was able to make some progress, and I have something that seems to be working following what I think is a reasonable approach, with reasonable test coverage... but we'll have to see what the others think. ;-) I'll hopefully send a more detailed update in the next 2-3 days? There is one more bit of history I want to double-check first. (I don't want to send the conversation in a circle or otherwise eat up time from people if I am misremembering something...). |
@thepudds awesome!! |
Empirically, this change makes
go-fuzz-build
work with modules.For testing I'm using https://github.com/gomarkdown/markdown package which uses go modules (i.e. has
go.mod
file).Testing steps:
rm -rf ${GOPATH}/src/github.com/gomarkdown/markdown
. Things might accidentally work if this is presentgit clone https://github.com/gomarkdown/markdown.git
to a directory that is outside ofGOPATH
e.g.~/src/markdown
cd ~/src/markdown
Before this change we get the following error:
The error comes from
c.loadPkg(pkg) // load and typecheck pkg
step, although all the heavy lifting is done by/x/tools
library.This is not surprising.
go-fuzz-build
forcesGO111MODULE=off
which means that the tooling doesn't understandgo.mod
file. Sincegh.neting.cc/gomarkdown/markdown
usesgh.neting.cc/gomarkdown/markdown/ast
, the tooling is trying to find that code inGOPATH
but it's not there, so it fails.After this change, which merely sets
GO111MODULE=auto
, bothgo-fuzz-build -x github.com/gomarkdown/markdown
andgo-fuzz-build -x .
complete the build.This is not unexpected - we tell the tools to figure out modules vs. GOPATH and act accordingly.
I've also had a version that checked if
go.mod
file exists and settingGO111MODULE=off
orGO111MODULE=on
based on that. It also worked.I can't say this will work on every module-enabled repo but it does fix the problem on the one I've tested.
cc @yevgenypats