Sigma Prime - auditinghttps://blog.sigmaprime.io/2026-06-09T12:00:00+10:00Solutions for a secure & decentralised worldGo for Security Auditors: Part 1 - Syntax That Will Trip You Up2026-06-09T12:00:00+10:002026-06-09T12:00:00+10:00Elmedin Burniktag:blog.sigmaprime.io,2026-06-09:/go-for-security-auditors-part-1.html<p>The first in a three-part series on auditing Go code, covering deceptive syntax, common pitfalls like nil maps and slice aliasing, testing gotchas, and compiler pragmas that hide security-relevant behaviour.</p><h1>Go for Security Auditors: Part 1 - Syntax That Will Trip You Up</h1>
<p>Go has a reputation for being easy to pick up. The syntax is minimal, there is no inheritance to untangle, and the standard library handles most of what you need. Developers coming from Java or C++ often feel productive within days.</p>
<p>But that learning curve is deceptive. The simplicity of Go means the language has fewer features, and those features carry more weight. When something behaves unexpectedly, it is not because of some obscure language corner case you never learned. It is because a common pattern you use daily has an edge case you never hit before. And that is exactly where security bugs hide.</p>
<p>We have audited a lot of Go code over the years: consensus clients, bridge infrastructure, validator nodes, financial protocols. The bugs we find are not usually exotic. They come from developers (often experienced ones) misunderstanding how a seemingly simple language feature actually works in practice.</p>
<p>This is the first post in a three-part series:</p>
<ul>
<li><strong>Part 1 (this post)</strong>: Weird syntax, common pitfalls, and testing gotchas. The foundational stuff you need to know before touching a Go codebase.</li>
<li><strong>Part 2</strong>: Where to start a review without being overwhelmed. Top-down vs bottom-up approaches, finding main functions, and locating entry points (HTTP handlers, gRPC services, libp2p listeners, etc.).</li>
<li><strong>Part 3</strong>: Common vulnerabilities. The actual bugs we find repeatedly in Go code.</li>
</ul>
<h2>Weird Syntax</h2>
<p>Before we get into the dangerous stuff, let us clear up some syntax that looks strange if you are coming from other languages. You will see these patterns everywhere in Go codebases, and misreading them wastes time.</p>
<h3>Sparse Array Initialization</h3>
<p>Most languages initialise arrays sequentially. Go lets you skip around:</p>
<div class="highlight"><pre><span></span><code><span class="nx">b</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="p">[</span><span class="o">...</span><span class="p">]</span><span class="kt">int</span><span class="p">{</span><span class="mi">100</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="p">:</span><span class="w"> </span><span class="mi">400</span><span class="p">,</span><span class="w"> </span><span class="mi">500</span><span class="p">}</span>
<span class="c1">// Result: [100 0 0 400 500]</span>
</code></pre></div>
<p>The <code>3:</code> syntax places <code>400</code> at index 3, and Go zero-fills indices 1 and 2 automatically. The <code>500</code> then lands at index 4.</p>
<p>This seems like a minor convenience until you are reviewing protocol code that constructs byte arrays for wire formats. If a developer uses this syntax and miscounts indices, you get silent zero-padding in the middle of what should be a packed structure. In cryptographic or serialisation code, unexpected zeros can cause signature verification failures or parsing mismatches that are difficult to debug.</p>
<h3>Multi-Parameter Type Sharing</h3>
<p>When consecutive function parameters share a type, you only declare it once:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">transferAssets</span><span class="p">(</span><span class="nx">from</span><span class="p">,</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="kt">string</span><span class="p">,</span><span class="w"> </span><span class="nx">amount</span><span class="p">,</span><span class="w"> </span><span class="nx">fee</span><span class="w"> </span><span class="kt">uint64</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">balance</span><span class="p">[</span><span class="nx">from</span><span class="p">]</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="nx">amount</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">errors</span><span class="p">.</span><span class="nx">New</span><span class="p">(</span><span class="s">"not enough funds"</span><span class="p">)</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</code></pre></div>
<p>This is just syntactic sugar. But when you are skimming a function signature trying to understand what it accepts, it is easy to miss that <code>from</code> and <code>to</code> are both strings. If you see something like <code>func verify(a, b, expected []byte)</code>, take a second to confirm all three parameters are meant to be byte slices. Copy-paste errors can propagate here when a parameter that should have been a different type inherits the wrong one.</p>
<h3>The Blank Identifier</h3>
<p>Go forces you to use every variable you declare. If you do not need a value, you explicitly discard it with an underscore:</p>
<div class="highlight"><pre><span></span><code><span class="k">for</span><span class="w"> </span><span class="nx">_</span><span class="p">,</span><span class="w"> </span><span class="nx">operator</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">operators</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">addr</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">operator</span><span class="p">.</span><span class="nx">Addr</span><span class="p">.</span><span class="nx">Hex</span><span class="p">()</span>
<span class="w"> </span><span class="nx">staked</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">weiToEth</span><span class="p">(</span><span class="nx">operator</span><span class="p">.</span><span class="nx">Staked</span><span class="p">)</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</code></pre></div>
<p>The <code>_</code> discards the loop index. This is idiomatic Go and you will see it constantly.</p>
<p>The thing to watch for is code where the index <em>should</em> have been used but was not. If you see logic that depends on position within a collection, but the loop discards the index, something is wrong. Either the code is broken or it is doing something seemingly clever with side effects that deserves a closer look.</p>
<h3>Closures and Variable Capture</h3>
<p>Go supports closures. A function defined inside another function can reference variables from the enclosing scope:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">createCounter</span><span class="p">()</span><span class="w"> </span><span class="kd">func</span><span class="p">()</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kd">func</span><span class="p">()</span><span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">i</span><span class="o">++</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">i</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>The returned function "closes over" <code>i</code>. Each time you call it, <code>i</code> increments and persists. This is powerful for creating stateful callbacks, and Go code uses it heavily.</p>
<p>The problem comes with loops. This used to be one of the most common Go bugs:</p>
<div class="highlight"><pre><span></span><code><span class="k">for</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="mi">0</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="mi">10</span><span class="p">;</span><span class="w"> </span><span class="nx">i</span><span class="o">++</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">go</span><span class="w"> </span><span class="kd">func</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">fmt</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="nx">i</span><span class="p">)</span><span class="w"> </span><span class="c1">// Bug: captures 'i' by reference</span>
<span class="w"> </span><span class="p">}()</span>
<span class="p">}</span>
<span class="c1">// Usually prints "10" ten times, not 0-9</span>
</code></pre></div>
<p>The closure captures <code>i</code> by reference, not by value. All ten goroutines share the same variable, and by the time they execute, the loop has finished and <code>i</code> equals 10.</p>
<p>Go 1.22 finally fixed this by making each loop iteration create a fresh variable. But plenty of production code predates that fix, and you will encounter this pattern in audits for years to come. When you see goroutines spawned in loops, check whether the code was written for pre-1.22 Go and whether it handles variable capture correctly.</p>
<h3>Method Receivers</h3>
<p>Go does not have classes, but it has methods. You attach a function to a type by declaring a "receiver":</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="p">(</span><span class="nx">s</span><span class="w"> </span><span class="o">*</span><span class="nx">State</span><span class="p">)</span><span class="w"> </span><span class="nx">GetHeight</span><span class="p">(</span><span class="nx">dstID</span><span class="p">,</span><span class="w"> </span><span class="nx">srcID</span><span class="w"> </span><span class="kt">uint64</span><span class="p">)</span><span class="w"> </span><span class="kt">uint64</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">s</span><span class="p">.</span><span class="nx">mu</span><span class="p">.</span><span class="nx">Lock</span><span class="p">()</span>
<span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nx">s</span><span class="p">.</span><span class="nx">mu</span><span class="p">.</span><span class="nx">Unlock</span><span class="p">()</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">s</span><span class="p">.</span><span class="nx">heights</span><span class="p">[</span><span class="nx">dstID</span><span class="p">][</span><span class="nx">srcID</span><span class="p">]</span>
<span class="p">}</span>
</code></pre></div>
<p>The <code>(s *State)</code> makes this a method on <code>*State</code>. You call it as <code>myState.GetHeight(...)</code>.</p>
<p>The critical detail is the asterisk. A pointer receiver (<code>*State</code>) can modify the underlying struct. A value receiver (<code>State</code>) works on a copy. If a method is supposed to update state but uses a value receiver, then mutations silently disappear. This can cause anything from configuration not persisting to security checks being bypassed because an "updated" flag was set on a copy that got discarded.</p>
<h3>Infinite Loops</h3>
<p>Go has no <code>while</code> keyword. When you need a loop that runs until some condition inside the body, you write a bare <code>for</code>:</p>
<div class="highlight"><pre><span></span><code><span class="k">for</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="o"><-</span><span class="nx">ctx</span><span class="p">.</span><span class="nx">Done</span><span class="p">():</span>
<span class="w"> </span><span class="k">return</span>
<span class="w"> </span><span class="k">case</span><span class="w"> </span><span class="nx">msg</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="o"><-</span><span class="nx">messages</span><span class="p">:</span>
<span class="w"> </span><span class="nx">process</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>This is the standard pattern for event loops, network listeners, and background workers. You will see it in basically every Go service.</p>
<p>Always trace the exit paths. Unbounded loops that do not respect context cancellation are denial-of-service bugs. If a goroutine spins forever because nothing signals it to stop, then you are leaking resources at best and creating a way to exhaust server capacity at worst.</p>
<h2>Common Pitfalls</h2>
<p>These next issues are not about unusual syntax. They are about common patterns that behave in ways developers do not expect.</p>
<h3>Nil Maps vs Empty Maps</h3>
<p>This trips up almost everyone at some point:</p>
<div class="highlight"><pre><span></span><code><span class="kd">var</span><span class="w"> </span><span class="nx">nilMap</span><span class="w"> </span><span class="kd">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">int</span><span class="w"> </span><span class="c1">// nil</span>
<span class="nx">emptyMap</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="kd">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">int</span><span class="p">{}</span><span class="w"> </span><span class="c1">// empty, but not nil</span>
<span class="c1">// Reading from nil map is fine</span>
<span class="nx">_</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">nilMap</span><span class="p">[</span><span class="s">"key"</span><span class="p">]</span><span class="w"> </span><span class="c1">// Returns zero value (0)</span>
<span class="c1">// Writing to nil map panics!</span>
<span class="nx">nilMap</span><span class="p">[</span><span class="s">"key"</span><span class="p">]</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="c1">// panic: assignment to entry in nil map</span>
</code></pre></div>
<p>A nil map and an empty map look the same when you read from them. Both return zero values for missing keys. But writing to a nil map crashes your program.</p>
<p>This matters because struct fields default to nil:</p>
<div class="highlight"><pre><span></span><code><span class="kd">type</span><span class="w"> </span><span class="nx">Config</span><span class="w"> </span><span class="kd">struct</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">Settings</span><span class="w"> </span><span class="kd">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span>
<span class="p">}</span>
<span class="nx">cfg</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">Config</span><span class="p">{}</span>
<span class="nx">cfg</span><span class="p">.</span><span class="nx">Settings</span><span class="p">[</span><span class="s">"key"</span><span class="p">]</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"value"</span><span class="w"> </span><span class="c1">// panic!</span>
</code></pre></div>
<p>If a constructor does not explicitly initialise the map, you get a nil map panic the first time someone writes to it. The sneaky part is that iterating over a nil map works fine (it just does nothing), so code that only reads might work in tests but crash in production when a new code path tries to write.</p>
<p>Look for structs with map fields and check whether constructors initialise them. Missing initialisation is a latent crash waiting for the right input.</p>
<h3>Slice Aliasing</h3>
<p>Slices in Go are references to underlying arrays. When you create a slice from another slice, they share memory:</p>
<div class="highlight"><pre><span></span><code><span class="nx">original</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="p">[]</span><span class="kt">int</span><span class="p">{</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span><span class="w"> </span><span class="mi">5</span><span class="p">}</span>
<span class="nx">slice</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">original</span><span class="p">[</span><span class="mi">1</span><span class="p">:</span><span class="mi">3</span><span class="p">]</span><span class="w"> </span><span class="c1">// [2, 3]</span>
<span class="nx">slice</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">99</span><span class="w"> </span><span class="c1">// Modifies original too!</span>
<span class="c1">// original is now [1, 99, 3, 4, 5]</span>
</code></pre></div>
<p>This is intentional. It makes slicing cheap. But it means that what looks like a copy is not a copy at all.</p>
<p>For security-sensitive code, this creates real problems. If you slice off part of a buffer containing sensitive data, both slices reference the same memory. If <code>append</code> later causes one slice to move to a new backing array, zeroing the original no longer clears the copy. And modifications to what you thought was a local copy can propagate back to shared state when they still share the same underlying array.</p>
<p>The <code>append</code> function makes this worse:</p>
<div class="highlight"><pre><span></span><code><span class="nv">a</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nf">make</span><span class="p">([]</span><span class="nv">int</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="mi">6</span><span class="p">)</span><span class="w"> </span><span class="o">//</span><span class="w"> </span><span class="nv">len</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nv">cap</span><span class="o">=</span><span class="mi">6</span>
<span class="nf">copy</span><span class="p">(</span><span class="nv">a</span><span class="p">,</span><span class="w"> </span><span class="p">[]</span><span class="nv">int</span><span class="p">{</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="p">})</span>
<span class="nv">b</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nv">a</span><span class="p">[</span><span class="mi">0</span><span class="o">:</span><span class="mi">3</span><span class="p">]</span>
<span class="nv">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">append</span><span class="p">(</span><span class="nv">b</span><span class="p">,</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span>
<span class="o">//</span><span class="w"> </span><span class="nv">Did</span><span class="w"> </span><span class="nv">this</span><span class="w"> </span><span class="nv">modify</span><span class="w"> </span><span class="nv">the</span><span class="w"> </span><span class="no">und</span><span class="nv">erlying</span><span class="w"> </span><span class="nv">array</span><span class="w"> </span><span class="nv">used</span><span class="w"> </span><span class="nv">by</span><span class="w"> </span><span class="nv">a</span>?<span class="w"> </span><span class="nv">Yes</span><span class="p">,</span><span class="w"> </span><span class="nv">because</span><span class="w"> </span><span class="nv">cap</span><span class="w"> </span><span class="nv">was</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="nv">exceeded</span>
<span class="nv">Before</span><span class="w"> </span><span class="nv">append</span><span class="o">:</span>
┌───┬───┬───┬───┬───┬───┐
│<span class="w"> </span><span class="mi">1</span><span class="w"> </span>│<span class="w"> </span><span class="mi">2</span><span class="w"> </span>│<span class="w"> </span><span class="mi">3</span><span class="w"> </span>│<span class="w"> </span>│<span class="w"> </span>│<span class="w"> </span>│<span class="w"> </span><span class="nv">backing</span><span class="w"> </span><span class="nf">array</span><span class="w"> </span><span class="p">(</span><span class="nv">cap</span><span class="o">=</span><span class="mi">6</span><span class="p">)</span>
└───┴───┴───┴───┴───┴───┘
<span class="w"> </span>▲──────────▲<span class="w"> </span><span class="nf">a</span><span class="w"> </span><span class="p">(</span><span class="nv">len</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span>
<span class="w"> </span>▲──────────▲<span class="w"> </span><span class="nf">b</span><span class="w"> </span><span class="p">(</span><span class="nv">len</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span>
<span class="nv">After</span><span class="w"> </span><span class="nv">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nf">append</span><span class="p">(</span><span class="nv">b</span><span class="p">,</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="o">:</span>
┌───┬───┬───┬───┬───┬───┐
│<span class="w"> </span><span class="mi">1</span><span class="w"> </span>│<span class="w"> </span><span class="mi">2</span><span class="w"> </span>│<span class="w"> </span><span class="mi">3</span><span class="w"> </span>│<span class="w"> </span><span class="mi">4</span><span class="w"> </span>│<span class="w"> </span>│<span class="w"> </span>│<span class="w"> </span><span class="nv">same</span><span class="w"> </span><span class="nv">backing</span><span class="w"> </span><span class="nv">array</span><span class="o">!</span>
└───┴───┴───┴───┴───┴───┘
<span class="w"> </span>▲──────────▲<span class="w"> </span><span class="nf">a</span><span class="w"> </span><span class="p">(</span><span class="nv">len</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="k">do</span><span class="nv">es</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="nv">see</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span>
<span class="w"> </span>▲──────────────▲<span class="w"> </span><span class="nf">b</span><span class="w"> </span><span class="p">(</span><span class="nv">len</span><span class="o">=</span><span class="mi">4</span><span class="p">)</span>
</code></pre></div>
<p>When a slice has spare capacity, <code>append</code> modifies in place. When it does not have capacity, <code>append</code> allocates a new array. So whether <code>append</code> creates aliasing depends on the current capacity, which might not be obvious from reading the code. In concurrent code, this can cause state corruption when one goroutine's append unexpectedly modifies another goroutine's view of the data.</p>
<h3>Defer Timing</h3>
<p>The <code>defer</code> statement schedules a function call to run when the enclosing function returns. Go developers use it constantly for cleanup:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">processFile</span><span class="p">(</span><span class="nx">path</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">f</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">os</span><span class="p">.</span><span class="nx">Open</span><span class="p">(</span><span class="nx">path</span><span class="p">)</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nx">f</span><span class="p">.</span><span class="nx">Close</span><span class="p">()</span>
<span class="w"> </span><span class="c1">// ... work with f ...</span>
<span class="p">}</span>
</code></pre></div>
<p>Two things catch people off guard. First, multiple defers execute in LIFO order:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">example</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nx">fmt</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="s">"first"</span><span class="p">)</span>
<span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nx">fmt</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="s">"second"</span><span class="p">)</span>
<span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nx">fmt</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="s">"third"</span><span class="p">)</span>
<span class="p">}</span>
<span class="c1">// Prints: third, second, first</span>
</code></pre></div>
<p>Second, and more dangerous: deferred function arguments are evaluated immediately, not when the deferred function runs:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">logDuration</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">start</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Now</span><span class="p">()</span>
<span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Printf</span><span class="p">(</span><span class="s">"took %v"</span><span class="p">,</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Since</span><span class="p">(</span><span class="nx">start</span><span class="p">))</span><span class="w"> </span><span class="c1">// Bug!</span>
<span class="w"> </span><span class="nx">doExpensiveWork</span><span class="p">()</span>
<span class="p">}</span>
<span class="c1">// Logs "took 0s" because time.Since(start) was evaluated at defer time</span>
</code></pre></div>
<p>The <code>time.Since(start)</code> call happens right when the <code>defer</code> statement executes, not when the function returns. This is a common source of confusing logs and broken metrics. The fix is to wrap it in a closure:</p>
<div class="highlight"><pre><span></span><code><span class="k">defer</span><span class="w"> </span><span class="kd">func</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">log</span><span class="p">.</span><span class="nx">Printf</span><span class="p">(</span><span class="s">"took %v"</span><span class="p">,</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Since</span><span class="p">(</span><span class="nx">start</span><span class="p">))</span>
<span class="p">}()</span>
</code></pre></div>
<p>Now the timing happens when the closure executes at function exit.</p>
<h3>Interface Nil Confusion</h3>
<p>This one is subtle and causes real bugs in error handling:</p>
<div class="highlight"><pre><span></span><code><span class="kd">type</span><span class="w"> </span><span class="nx">MyError</span><span class="w"> </span><span class="kd">struct</span><span class="p">{</span><span class="w"> </span><span class="nx">msg</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="p">}</span>
<span class="kd">func</span><span class="w"> </span><span class="p">(</span><span class="nx">e</span><span class="w"> </span><span class="o">*</span><span class="nx">MyError</span><span class="p">)</span><span class="w"> </span><span class="nx">Error</span><span class="p">()</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">e</span><span class="p">.</span><span class="nx">msg</span><span class="w"> </span><span class="p">}</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">mayFail</span><span class="p">()</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">*</span><span class="nx">MyError</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kc">nil</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="p">}</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">main</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">mayFail</span><span class="p">()</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">fmt</span><span class="p">.</span><span class="nx">Println</span><span class="p">(</span><span class="s">"error!"</span><span class="p">)</span><span class="w"> </span><span class="c1">// This prints!</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>You might think that <code>mayFail</code> returns nil.</p>
<p>Not quite. We returned a nil <code>*MyError</code>, but the return type is <code>error</code> (an interface). In Go, an interface value contains two things: a type and a value. The returned interface has type <code>*MyError</code> and value <code>nil</code>. An interface is only <code>nil</code> when <em>both</em> the type and value are nil.</p>
<div class="highlight"><pre><span></span><code><span class="nx">bare</span><span class="w"> </span><span class="nx">nil</span><span class="w"> </span><span class="kd">interface</span><span class="p">:</span><span class="w"> </span><span class="nx">typed</span><span class="w"> </span><span class="nx">nil</span><span class="w"> </span><span class="kd">interface</span><span class="p">:</span>
<span class="err">┌──────────────────┐</span><span class="w"> </span><span class="err">┌────────────────────┐</span>
<span class="err">│</span><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="nx">nil</span><span class="w"> </span><span class="err">│</span><span class="w"> </span><span class="err">│</span><span class="w"> </span><span class="k">type</span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="nx">MyError</span><span class="w"> </span><span class="err">│</span>
<span class="err">│</span><span class="w"> </span><span class="nx">value</span><span class="p">:</span><span class="w"> </span><span class="nx">nil</span><span class="w"> </span><span class="err">│</span><span class="w"> </span><span class="err">│</span><span class="w"> </span><span class="nx">value</span><span class="p">:</span><span class="w"> </span><span class="nx">nil</span><span class="w"> </span><span class="err">│</span>
<span class="err">└──────────────────┘</span><span class="w"> </span><span class="err">└────────────────────┘</span>
<span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="nx">nil</span><span class="w"> </span><span class="err">✓</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nx">nil</span><span class="w"> </span><span class="err">✗</span>
</code></pre></div>
<p>So <code>err != nil</code> is true, even though the underlying pointer is nil.</p>
<p>This causes real bugs. If a function returns a typed nil instead of a bare <code>nil</code>, error checks pass when they should not. The fix is to always return bare <code>nil</code> for success:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">mayFail</span><span class="p">()</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ... do work ...</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="c1">// Return bare nil, not typed nil</span>
<span class="p">}</span>
</code></pre></div>
<p>When auditing error handling, watch for functions that declare a typed error variable and return it directly. That is often a sign of this bug.</p>
<h3>Variable Shadowing</h3>
<p>Go allows you to declare a new variable with the same name as one in an outer scope:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">processRequest</span><span class="p">(</span><span class="nx">r</span><span class="w"> </span><span class="o">*</span><span class="nx">Request</span><span class="p">)</span><span class="w"> </span><span class="kt">error</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">validate</span><span class="p">(</span><span class="nx">r</span><span class="p">)</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">r</span><span class="p">.</span><span class="nx">NeedsAuth</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">user</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">authenticate</span><span class="p">(</span><span class="nx">r</span><span class="p">)</span><span class="w"> </span><span class="c1">// Shadows outer 'err'!</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">r</span><span class="p">.</span><span class="nx">User</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">user</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">process</span><span class="p">(</span><span class="nx">r</span><span class="p">)</span><span class="w"> </span><span class="c1">// Uses outer 'err'</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">err</span>
<span class="p">}</span>
</code></pre></div>
<p>The <code>:=</code> inside the <code>if</code> block creates a new <code>err</code> variable that shadows the outer one. Inside that block, <code>err</code> refers to the authenticate result. Outside, it refers to the validate result (or later, the process result).</p>
<p>This code actually works correctly because each error is checked immediately. But the pattern is fragile. If someone refactors and moves the error check, or if logic depends on which error occurred, then shadowing creates confusion about which <code>err</code> you are looking at.</p>
<p>A related pitfall is stale error references. Here is a real bug from a client we reviewed:</p>
<div class="highlight"><pre><span></span><code><span class="nx">forwardUnpacked</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">forward</span><span class="p">.</span><span class="nx">Inputs</span><span class="p">.</span><span class="nx">Unpack</span><span class="p">(</span><span class="nx">updatePayloadBytes</span><span class="p">[</span><span class="mi">4</span><span class="p">:])</span>
<span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span><span class="p">,</span><span class="w"> </span><span class="kc">nil</span><span class="p">,</span><span class="w"> </span><span class="nx">fmt</span><span class="p">.</span><span class="nx">Errorf</span><span class="p">(</span><span class="s">"failed to unpack update payload: %w"</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="p">)</span>
<span class="p">}</span>
<span class="nx">aggregator</span><span class="p">,</span><span class="w"> </span><span class="nx">ok</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">forwardUnpacked</span><span class="p">[</span><span class="mi">0</span><span class="p">].(</span><span class="nx">common</span><span class="p">.</span><span class="nx">Address</span><span class="p">)</span>
<span class="k">if</span><span class="w"> </span><span class="p">!</span><span class="nx">ok</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="kc">nil</span><span class="p">,</span><span class="w"> </span><span class="kc">nil</span><span class="p">,</span><span class="w"> </span><span class="nx">fmt</span><span class="p">.</span><span class="nx">Errorf</span><span class="p">(</span><span class="s">"failed to unpack forward data (to): %w"</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="p">)</span><span class="w"> </span><span class="c1">// Bug!</span>
<span class="p">}</span>
</code></pre></div>
<p>The type assertion for <code>aggregator</code> does not set <code>err</code>. If the assertion fails, the error message wraps whatever <code>err</code> was from the previous <code>Unpack</code> call, which succeeded (otherwise we would have returned already). The wrapped error is either nil or irrelevant to the actual failure. This pattern is easy to miss because the code looks structurally correct.</p>
<p>Run <code>go vet -shadow</code> on codebases you are reviewing. It catches shadowing issues, and they are worth examining even when they are technically correct.</p>
<h2>Testing Gotchas</h2>
<p>Tests are part of the attack surface too. Weak tests mean bugs ship. Go also has some testing patterns that look thorough but hide gaps.</p>
<h3>External Test Packages</h3>
<p>Test files can declare a different package name:</p>
<div class="highlight"><pre><span></span><code><span class="c1">// In mypkg/impl_test.go</span>
<span class="kn">package</span><span class="w"> </span><span class="nx">mypkg_test</span><span class="w"> </span><span class="c1">// Note: _test suffix</span>
<span class="kn">import</span><span class="w"> </span><span class="s">"mypkg"</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">TestPublicAPI</span><span class="p">(</span><span class="nx">t</span><span class="w"> </span><span class="o">*</span><span class="nx">testing</span><span class="p">.</span><span class="nx">T</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// Can only access exported symbols</span>
<span class="p">}</span>
</code></pre></div>
<p>With the <code>_test</code> suffix, the test file can only access public symbols. This is good for black-box API testing.</p>
<p>But during security reviews, you often want to see how internal state is tested. Look for test files <em>without</em> the <code>_test</code> suffix on the package name. Those can access unexported functions and fields. If internal invariants are only tested through the public API, then subtle internal bugs might slip through.</p>
<h3>Parallel Test Capture Bug</h3>
<p>Tests can run in parallel with <code>t.Parallel()</code>:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">TestParallel</span><span class="p">(</span><span class="nx">t</span><span class="w"> </span><span class="o">*</span><span class="nx">testing</span><span class="p">.</span><span class="nx">T</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">_</span><span class="p">,</span><span class="w"> </span><span class="nx">tc</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">testCases</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">tc</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">tc</span><span class="w"> </span><span class="c1">// Required before Go 1.22!</span>
<span class="w"> </span><span class="nx">t</span><span class="p">.</span><span class="nx">Run</span><span class="p">(</span><span class="nx">tc</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span><span class="w"> </span><span class="kd">func</span><span class="p">(</span><span class="nx">t</span><span class="w"> </span><span class="o">*</span><span class="nx">testing</span><span class="p">.</span><span class="nx">T</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">t</span><span class="p">.</span><span class="nx">Parallel</span><span class="p">()</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="w"> </span><span class="p">})</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</code></pre></div>
<p>See that <code>tc := tc</code> line? Before Go 1.22, it was required. Without it, all parallel subtests would share the same loop variable and probably test the last case multiple times while skipping others.</p>
<p>If you are reviewing a codebase that targets pre-1.22 Go and you see parallel subtests without this copy, the tests are likely broken. They might pass, but they are not testing what they claim to test.</p>
<h3>Table-Driven Test Gaps</h3>
<p>Table-driven tests are idiomatic Go:</p>
<div class="highlight"><pre><span></span><code><span class="nx">tests</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="p">[]</span><span class="kd">struct</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">name</span><span class="w"> </span><span class="kt">string</span>
<span class="w"> </span><span class="nx">input</span><span class="w"> </span><span class="kt">string</span>
<span class="w"> </span><span class="nx">expected</span><span class="w"> </span><span class="kt">int</span>
<span class="p">}{</span>
<span class="w"> </span><span class="p">{</span><span class="s">"empty"</span><span class="p">,</span><span class="w"> </span><span class="s">""</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">},</span>
<span class="w"> </span><span class="p">{</span><span class="s">"simple"</span><span class="p">,</span><span class="w"> </span><span class="s">"hello"</span><span class="p">,</span><span class="w"> </span><span class="mi">5</span><span class="p">},</span>
<span class="p">}</span>
<span class="k">for</span><span class="w"> </span><span class="nx">_</span><span class="p">,</span><span class="w"> </span><span class="nx">tt</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">tests</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">t</span><span class="p">.</span><span class="nx">Run</span><span class="p">(</span><span class="nx">tt</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span><span class="w"> </span><span class="kd">func</span><span class="p">(</span><span class="nx">t</span><span class="w"> </span><span class="o">*</span><span class="nx">testing</span><span class="p">.</span><span class="nx">T</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">got</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">process</span><span class="p">(</span><span class="nx">tt</span><span class="p">.</span><span class="nx">input</span><span class="p">)</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">got</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="nx">tt</span><span class="p">.</span><span class="nx">expected</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">t</span><span class="p">.</span><span class="nx">Errorf</span><span class="p">(</span><span class="s">"got %d, want %d"</span><span class="p">,</span><span class="w"> </span><span class="nx">got</span><span class="p">,</span><span class="w"> </span><span class="nx">tt</span><span class="p">.</span><span class="nx">expected</span><span class="p">)</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">})</span>
<span class="p">}</span>
</code></pre></div>
<p>This pattern looks comprehensive. There is a nice table of cases! But tables make it easy to add happy-path cases while neglecting edges. Does the table test error conditions? Boundary values? Malformed input?</p>
<p>The structure of a table-driven test can give false confidence. Always check what the table actually contains, not just that a table exists.</p>
<h3>Build Tags Hide Tests</h3>
<p>Go supports build tags that conditionally include files:</p>
<div class="highlight"><pre><span></span><code><span class="c1">//go:build integration</span>
<span class="kn">package</span><span class="w"> </span><span class="nx">mypackage</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">TestRequiresDatabase</span><span class="p">(</span><span class="nx">t</span><span class="w"> </span><span class="o">*</span><span class="nx">testing</span><span class="p">.</span><span class="nx">T</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// Only runs with: go test -tags integration</span>
<span class="p">}</span>
</code></pre></div>
<p>This test only runs if you pass <code>-tags integration</code>. That is fine for slow integration tests. But sometimes security-relevant tests get tagged and then skipped in CI because nobody remembered to enable the tag.</p>
<p>When auditing, run tests with different tag combinations. Check for <code>//go:build !prod</code> or similar patterns that might disable security checks in production builds.</p>
<h3>Fuzzing and <code>t.Skip()</code></h3>
<p>Go's built-in fuzzing lets you discard uninteresting inputs:</p>
<div class="highlight"><pre><span></span><code><span class="kd">func</span><span class="w"> </span><span class="nx">FuzzParser</span><span class="p">(</span><span class="nx">f</span><span class="w"> </span><span class="o">*</span><span class="nx">testing</span><span class="p">.</span><span class="nx">F</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">f</span><span class="p">.</span><span class="nx">Fuzz</span><span class="p">(</span><span class="kd">func</span><span class="p">(</span><span class="nx">t</span><span class="w"> </span><span class="o">*</span><span class="nx">testing</span><span class="p">.</span><span class="nx">T</span><span class="p">,</span><span class="w"> </span><span class="nx">data</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span><span class="p">)</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nb">len</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span><span class="w"> </span><span class="p"><</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nx">t</span><span class="p">.</span><span class="nx">Skip</span><span class="p">()</span><span class="w"> </span><span class="c1">// Discard inputs that are too short</span>
<span class="w"> </span><span class="k">return</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="nx">Parse</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span>
<span class="w"> </span><span class="p">})</span>
<span class="p">}</span>
</code></pre></div>
<p>Here is the catch: <code>t.Skip()</code> currently does the same thing as <code>return</code>. If the input increases coverage, it still gets added to the corpus. The skip is more of a hint than a directive.</p>
<p>This might change in future Go versions, but for now, do not assume <code>t.Skip()</code> actually discards inputs from the fuzzer's consideration.</p>
<h2>Compiler Pragmas</h2>
<p>Go has special comments that change how code compiles. They look like comments, so they are easy to miss:</p>
<div class="highlight"><pre><span></span><code><span class="c1">//go:noescape</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">riskyOperation</span><span class="p">(</span><span class="nx">p</span><span class="w"> </span><span class="o">*</span><span class="kt">byte</span><span class="p">)</span>
<span class="c1">//go:nosplit</span>
<span class="kd">func</span><span class="w"> </span><span class="nx">criticalPath</span><span class="p">()</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// Cannot grow stack</span>
<span class="p">}</span>
<span class="c1">//go:embed config.json</span>
<span class="kd">var</span><span class="w"> </span><span class="nx">configData</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span>
</code></pre></div>
<p>These have security implications:</p>
<p><code>//go:noescape</code> tells the compiler a pointer does not escape to the heap. If the annotation is wrong, the pointer might be used after its stack frame is gone. Use-after-free in a "safe" language.</p>
<p><code>//go:nosplit</code> prevents the runtime from growing the stack. If the function recurses or calls deep chains, you get a stack overflow.</p>
<p><code>//go:linkname</code> lets you access unexported symbols from other packages. It is an escape hatch that breaks encapsulation. If you see it, someone is doing something unusual that deserves scrutiny.</p>
<p>These pragmas are rare in application code. When you see them, slow down and understand why they are there.</p>
<h2>Minor Quirks</h2>
<p>A few smaller things worth knowing:</p>
<p><strong>Module path encoding</strong>: If you see paths like <code>github.com/!cosm!wasm/wasmvm</code> in go.mod or the module cache, the <code>!</code> characters encode capital letters. Go does this for filesystem compatibility on case-insensitive systems. The real URL is <code>github.com/CosmWasm/wasmvm</code>. Mostly harmless, but confusing when searching for packages.</p>
<p><strong>Struct field alignment</strong>: Running <code>go vet -fieldalignment</code> produces warnings about struct size. Go pads struct fields for memory alignment, and field order affects total size. This is usually a performance concern, not a security one. But if you are reviewing code that does binary serialisation or memory-mapped I/O, field layout might matter for correctness.</p>
<h2>What is Next</h2>
<p>The patterns in this post account for a surprising number of real bugs. They are easy to write, they pass code review, they often pass tests, and they are still wrong.</p>
<p>Part 2 covers how to actually navigate a Go codebase: finding entry points, understanding how HTTP handlers and gRPC services route requests, and identifying the security-critical code paths without getting lost. Part 3 gets into vulnerability patterns specific to Go, drawing from real findings across our audits. From goroutine leaks that hung indefinitely without a timeout, to nil pointer dereferences that crashed in production, to a missing nil check in a client's attestation keeper that panicked on malformed votes.</p>
<hr>
<p><em>Part 1 of 3. Next: Navigating Go Codebases.</em></p>