x/vuln: invalid memory address or nil pointer dereference #66025

Closed
rd-codete opened this issue Feb 29, 2024 · 2 comments
Labels:
- vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)
- WaitingForInfo (Issue is not actionable because of missing required information, which needs to be provided.)

Comments

@rd-codete

Today I got a panic when scanning my service.

$ govulncheck ./...
Scanning your code and 728 packages across 134 dependent modules for known vulnerabilities...

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x28 pc=0x104862b54]

goroutine 10048 [running]:
golang.org/x/tools/go/ssa.memberFromObject(0x1403a275800, {0x0, 0x0?}, {0x0, 0x0})
        /Users/user/.go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/create.go:53 +0x34
golang.org/x/tools/go/ssa.membersFromDecl(0x1403a275800, {0x104a35d10?, 0x1404853cc00?})
        /Users/user/.go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/create.go:159 +0x29c
golang.org/x/tools/go/ssa.(*Program).CreatePackage(0x140328f83c0, 0x14048afcb40, {0x14048aff110, 0x6, 0x6}, 0x14048575130, 0x1)
        /Users/user/.go/pkg/mod/golang.org/x/tools@v0.12.1-0.20230815132531-74c255bcf846/go/ssa/create.go:222 +0x744
golang.org/x/vuln/internal/vulncheck.buildSSA.func1(0x14000082980?)
        /Users/user/.go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/utils.go:37 +0xc0
golang.org/x/vuln/internal/vulncheck.buildSSA({0x1403c9d2dc0, 0x2b, 0x14001664f98?}, 0x10484495c?)
        /Users/user/.go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/utils.go:45 +0xc8
golang.org/x/vuln/internal/vulncheck.Source.func1()
        /Users/user/.go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:63 +0x88
created by golang.org/x/vuln/internal/vulncheck.Source in goroutine 6
        /Users/user/.go/pkg/mod/golang.org/x/vuln@v1.0.1/internal/vulncheck/source.go:61 +0x254        

I could really use some guidance on what data I can provide to help investigate that.

@gopherbot added the "vulncheck or vulndb" label Feb 29, 2024
@gopherbot modified the milestones: Unreleased, vuln/unplanned Feb 29, 2024
@cagedmantis added the "WaitingForInfo" label Feb 29, 2024

@cagedmantis
Contributor

Is this a duplicate of #65590?

@timothy-king
Contributor

@cagedmantis I think so.

@rd-codete The practical advice is to recompile your tools with 1.22 and to make sure your go at command line is >= 1.22. This seems to have fixed everyone.

> I could really use some guidance what data I can provide to help investigate on that.

It is unsatisfying that the reason why it is a fix is still unknown. We are having a hard time creating a reproducer for this. If you are eager to help us understand this, #65590 also has a request for more info to know which function is the problem. I suspect what we also need is for vulncheck to be recompiled at 1.21 with extra debugging info to let us know what x/tools/go/packages is getting from go list.
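
One way to check the two conditions named in the advice above, as an added example (not code from the Go project or from any commenter): it reads the Go toolchain version recorded in the installed govulncheck binary and the version of the `go` command on PATH, and flags either one if it is older than 1.22. The helper names `atLeast` and `builtWith` are hypothetical.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

var goVerRE = regexp.MustCompile(`go(\d+)\.(\d+)`)

// atLeast reports whether a toolchain string such as "go1.21.5" is at least
// major.minor; ok is false when no version can be parsed. Release candidates
// ("go1.22rc1") are counted as their release line.
func atLeast(v string, major, minor int) (result, ok bool) {
	m := goVerRE.FindStringSubmatch(v)
	if m == nil {
		return false, false
	}
	maj, _ := strconv.Atoi(m[1])
	mnr, _ := strconv.Atoi(m[2])
	return maj > major || (maj == major && mnr >= minor), true
}

// builtWith returns the Go toolchain version recorded in a compiled binary.
func builtWith(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}

func main() {
	versions := map[string]string{}
	if bin, err := exec.LookPath("govulncheck"); err == nil {
		versions["govulncheck binary ("+bin+")"], _ = builtWith(bin)
	}
	if out, err := exec.Command("go", "env", "GOVERSION").Output(); err == nil {
		versions["go on PATH"] = strings.TrimSpace(string(out))
	}
	for what, v := range versions {
		if good, ok := atLeast(v, 1, 22); !ok {
			fmt.Printf("%s: version unknown (%q)\n", what, v)
		} else if !good {
			fmt.Printf("%s: %s is older than go1.22; rebuild or upgrade\n", what, v)
		} else {
			fmt.Printf("%s: %s ok\n", what, v)
		}
	}
}
```

If the binary is reported as older than go1.22, reinstalling it with a 1.22+ toolchain (`go install golang.org/x/vuln/cmd/govulncheck@latest`) rebuilds it.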
