x/tools/go/ssa: Crash when dereferencing an unsafe.Pointer

[waj334]

What version of Go are you using (go version)?

$ go version
go version go1.20.2 windows/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
set GO111MODULE=on
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\waj33\AppData\Local\go-build
set GOENV=C:\Users\waj33\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\waj33\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\waj33\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.20.2
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\Users\waj33\Projects\sigo\go.mod
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=C:\Users\waj33\AppData\Local\Temp\go-build2612552315=/tmp/go-build -gno-record-gcc-switches

What did you do?

I attempted to generate SSA from a source file containing the following:

package cortexm

import "unsafe"

var _start_bss unsafe.Pointer
var _bss_size uintptr

func initMemory() {
    base := unsafe.Pointer(uintptr(*_start_bss))
    for offset := uintptr(0); offset < _bss_size; offset += 4 {
        ptr := unsafe.Add(base, offset)
        *(*uint32)(ptr) = 0
    }
}

Where _start_bss is some arbitrary pointer value.

What did you expect to see?

I expected it to not crash and emit the proper SSA

What did you see instead?

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x0 pc=0x7ff7bec7cc1a]

goroutine 75 [running]:
golang.org/x/tools/go/ssa.emitConv(0xc000003b00, {0x7ff7c1d84b28, 0xc0002b2300}, {0x0, 0x0})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/emit.go:182 +0xda
golang.org/x/tools/go/ssa.(*builder).expr0(0xc000611c18, 0xc000003b00, {0x7ff7c1d827c8, 0xc0002342c0}, {0x0, {0x0, 0x0}, {0x0, 0x0}})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:677 +0xbb7
golang.org/x/tools/go/ssa.(*builder).expr(0xc0003c9c18, 0xc000003b00, {0x7ff7c1d827c8, 0xc0002342c0})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:625 +0x23c
golang.org/x/tools/go/ssa.(*builder).expr0(0xc0003c9c18, 0xc000003b00, {0x7ff7c1d827c8, 0xc000234300}, {0x0, {0x0, 0x0}, {0x0, 0x0}})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:676 +0xb51
golang.org/x/tools/go/ssa.(*builder).expr(0xc0003c9c18, 0xc000003b00, {0x7ff7c1d827c8, 0xc000234300})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:625 +0x23c
golang.org/x/tools/go/ssa.(*builder).assign(0xc0003c9c18, 0xc000003b00, {0x7ff7c1d833e0, 0xc0003c0150}, {0x7ff7c1d827c8, 0xc000234300}, 0x1, 0xc0006107c0)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:598 +0x4fd
golang.org/x/tools/go/ssa.(*builder).assignStmt(0xc000611c18, 0xc000003b00, {0xc00021c0f0, 0x1, 0x1}, {0xc00021c120, 0x1, 0x1}, 0x1)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:1205 +0x6a8
golang.org/x/tools/go/ssa.(*builder).stmt(0xc0003c9c18, 0xc000003b00, {0x7ff7c1d82648, 0xc000234340})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2181 +0x907
golang.org/x/tools/go/ssa.(*builder).stmtList(0xc000611c18, 0xc000003b00, {0xc00020e680, 0x2, 0x2})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:946 +0xa5
golang.org/x/tools/go/ssa.(*builder).stmt(0xc0003c9c18, 0xc000003b00, {0x7ff7c1d82768, 0xc000218330})
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2277 +0x11bd
golang.org/x/tools/go/ssa.(*builder).buildFunctionBody(0xc0003c9c18, 0xc000003b00)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2391 +0x492
golang.org/x/tools/go/ssa.(*builder).buildFunction(0xc0003c9c18, 0xc000003b00)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2326 +0x5b
golang.org/x/tools/go/ssa.(*builder).buildCreated(0xc000611c18)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2413 +0x85
golang.org/x/tools/go/ssa.(*Package).build(0xc000348880)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2606 +0xbfc
sync.(*Once).doSlow(0xc0003488ac, 0xc0004bff78)
        C:/Program Files/Go/src/sync/once.go:74 +0x138
sync.(*Once).Do(0xc0003488ac, 0xc0004bff78)
        C:/Program Files/Go/src/sync/once.go:65 +0x45
golang.org/x/tools/go/ssa.(*Package).Build(0xc000348880)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2477 +0x5d
golang.org/x/tools/go/ssa.(*Program).Build.func1(0xc000348880)
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2462 +0x2c
created by golang.org/x/tools/go/ssa.(*Program).Build
        C:/Users/waj33/go/pkg/mod/golang.org/x/tools@v0.8.0/go/ssa/builder.go:2461 +0x1c5

[randall77]

That source isn't compileable - you can't dereference an unsafe.Pointer.
I'm not sure what the behavior of the ssa package should be in that case. Probably it shouldn't crash, but also probably it shouldn't "emit the proper SSA", as there isn't proper SSA for this program. It should probably error out in some fashion.
Is that what you're asking? Or am I misunderstanding what you expected as a result?

[waj334]

Hmm... You're right. That shouldn't even compile and (something) probably should return error. Should I have even been able to get past packages.Load with that bad syntax? It didn't return any error.

[randall77]

I think the syntax is ok, it just doesn't typecheck.
I'm not terribly familiar with the ssa package, it has been a long while since I last used it. Do you typecheck before calling it, or does it typecheck itself?

[waj334]

It seems to type check, but I missed that it will return those kinds of errors as a slice inside of the struct for each package that package.Load creates. I am now checking for those errors and bombing out before SSA generation occurs. The crash above is still a legit crash unless undefined behavior is to be expected if the code is bad.

[timothy-king]

The example given fails to typecheck https://go.dev/play/p/Sw96NfY-pe-

This gives the error:

./prog.go:14:34: invalid operation: cannot indirect _start_bss (variable of type unsafe.Pointer)

The crash above is still a legit crash unless undefined behavior is to be expected if the code is bad.

Panicking on code that does not type checking is expected behavior for ssa. (Not quite "undefined", but this is splitting hairs.) Panicking on non-go code is kinda baked into the design of the package and is hard to change.

Do you typecheck before calling it, or does it typecheck itself?

x/tools/go/sssa assumes type checked packages. Typechecking is done by packages.Load normally.