-rw-r--r--doc/fuzzing.md8
-rw-r--r--src/Makefile.test.include7
-rw-r--r--src/consensus/merkle.cpp2
-rw-r--r--src/test/dbwrapper_tests.cpp8
-rw-r--r--src/test/fuzz/signature_checker.cpp68
-rwxr-xr-xtest/fuzz/test_runner.py48
6 files changed, 117 insertions, 24 deletions
diff --git a/doc/fuzzing.md b/doc/fuzzing.md
index c34ca4cb59..af82371d58 100644
--- a/doc/fuzzing.md
+++ b/doc/fuzzing.md
@@ -52,7 +52,7 @@ For macOS you may need to ignore x86 compilation checks when running `make`:
To build Bitcoin Core using AFL instrumentation (this assumes that the
`AFLPATH` was set as above):
```
-./configure --disable-ccache --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++
+./configure --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++
export AFL_HARDEN=1
make
```
@@ -60,7 +60,7 @@ make
If you are using clang you will need to substitute `afl-gcc` with `afl-clang`
and `afl-g++` with `afl-clang++`, so the first line above becomes:
```
-./configure --disable-ccache --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-clang CXX=${AFLPATH}/afl-clang++
+./configure --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-clang CXX=${AFLPATH}/afl-clang++
```
We disable ccache because we don't want to pollute the ccache with instrumented
@@ -102,7 +102,7 @@ libFuzzer is needed (all found in the `compiler-rt` runtime libraries package).
To build all fuzz targets with libFuzzer, run
```
-./configure --disable-ccache --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=clang CXX=clang++
+./configure --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=clang CXX=clang++
make
```
@@ -134,5 +134,5 @@ clang does not come first in your path.
Full configure that was tested on macOS Catalina with `brew` installed `llvm`:
```
-./configure --disable-ccache --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=/usr/local/opt/llvm/bin/clang CXX=/usr/local/opt/llvm/bin/clang++ --disable-asm
+./configure --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=/usr/local/opt/llvm/bin/clang CXX=/usr/local/opt/llvm/bin/clang++ --disable-asm
```
diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 9697a157fb..e92b02a9bc 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -91,6 +91,7 @@ FUZZ_TARGETS = \
test/fuzz/script_ops \
test/fuzz/scriptnum_ops \
test/fuzz/service_deserialize \
+ test/fuzz/signature_checker \
test/fuzz/snapshotmetadata_deserialize \
test/fuzz/spanparsing \
test/fuzz/string \
@@ -809,6 +810,12 @@ test_fuzz_service_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
test_fuzz_service_deserialize_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
test_fuzz_service_deserialize_SOURCES = $(FUZZ_SUITE) test/fuzz/deserialize.cpp
+test_fuzz_signature_checker_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_signature_checker_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_signature_checker_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_signature_checker_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_signature_checker_SOURCES = $(FUZZ_SUITE) test/fuzz/signature_checker.cpp
+
test_fuzz_snapshotmetadata_deserialize_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES) -DSNAPSHOTMETADATA_DESERIALIZE=1
test_fuzz_snapshotmetadata_deserialize_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
test_fuzz_snapshotmetadata_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMON)
diff --git a/src/consensus/merkle.cpp b/src/consensus/merkle.cpp
index 843985e54c..241cc316a6 100644
--- a/src/consensus/merkle.cpp
+++ b/src/consensus/merkle.cpp
@@ -10,7 +10,7 @@
that the following merkle tree algorithm has a serious flaw related to
duplicate txids, resulting in a vulnerability (CVE-2012-2459).
- The reason is that if the number of hashes in the list at a given time
+ The reason is that if the number of hashes in the list at a given level
is odd, the last one is duplicated before computing the next level (which
is unusual in Merkle trees). This results in certain sequences of
transactions leading to the same merkle root. For example, these two
diff --git a/src/test/dbwrapper_tests.cpp b/src/test/dbwrapper_tests.cpp
index b647c0f70b..3dfae29de6 100644
--- a/src/test/dbwrapper_tests.cpp
+++ b/src/test/dbwrapper_tests.cpp
@@ -399,15 +399,15 @@ BOOST_AUTO_TEST_CASE(iterator_string_ordering)
BOOST_AUTO_TEST_CASE(unicodepath)
{
- // Attempt to create a database with a utf8 character in the path.
+ // Attempt to create a database with a UTF8 character in the path.
// On Windows this test will fail if the directory is created using
- // the ANSI CreateDirectoryA call and the code page isn't UTF8.
- // It will succeed if the created with CreateDirectoryW.
+ // the ANSI CreateDirectoryA call and the code page isn't UTF8.
+ // It will succeed if created with CreateDirectoryW.
fs::path ph = GetDataDir() / "test_runner_₿_🏃_20191128_104644";
CDBWrapper dbw(ph, (1 << 20));
fs::path lockPath = ph / "LOCK";
- BOOST_CHECK(boost::filesystem::exists(lockPath));
+ BOOST_CHECK(fs::exists(lockPath));
}
diff --git a/src/test/fuzz/signature_checker.cpp b/src/test/fuzz/signature_checker.cpp
new file mode 100644
index 0000000000..312db27adc
--- /dev/null
+++ b/src/test/fuzz/signature_checker.cpp
@@ -0,0 +1,68 @@
+// Copyright (c) 2009-2019 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <pubkey.h>
+#include <script/interpreter.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <util/memory.h>
+
+#include <cstdint>
+#include <limits>
+#include <string>
+#include <vector>
+
+void initialize()
+{
+ static const auto verify_handle = MakeUnique<ECCVerifyHandle>();
+}
+
+namespace {
+class FuzzedSignatureChecker : public BaseSignatureChecker
+{
+ FuzzedDataProvider& m_fuzzed_data_provider;
+
+public:
+ FuzzedSignatureChecker(FuzzedDataProvider& fuzzed_data_provider) : m_fuzzed_data_provider(fuzzed_data_provider)
+ {
+ }
+
+ virtual bool CheckSig(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const
+ {
+ return m_fuzzed_data_provider.ConsumeBool();
+ }
+
+ virtual bool CheckLockTime(const CScriptNum& nLockTime) const
+ {
+ return m_fuzzed_data_provider.ConsumeBool();
+ }
+
+ virtual bool CheckSequence(const CScriptNum& nSequence) const
+ {
+ return m_fuzzed_data_provider.ConsumeBool();
+ }
+
+ virtual ~FuzzedSignatureChecker() {}
+};
+} // namespace
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+ FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+ const unsigned int flags = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
+ const SigVersion sig_version = fuzzed_data_provider.PickValueInArray({SigVersion::BASE, SigVersion::WITNESS_V0});
+ const std::string script_string_1 = fuzzed_data_provider.ConsumeRandomLengthString(65536);
+ const std::vector<uint8_t> script_bytes_1{script_string_1.begin(), script_string_1.end()};
+ const std::string script_string_2 = fuzzed_data_provider.ConsumeRandomLengthString(65536);
+ const std::vector<uint8_t> script_bytes_2{script_string_2.begin(), script_string_2.end()};
+ std::vector<std::vector<unsigned char>> stack;
+ (void)EvalScript(stack, {script_bytes_1.begin(), script_bytes_1.end()}, flags, FuzzedSignatureChecker(fuzzed_data_provider), sig_version, nullptr);
+ if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0 && ((flags & SCRIPT_VERIFY_P2SH) == 0 || (flags & SCRIPT_VERIFY_WITNESS) == 0)) {
+ return;
+ }
+ if ((flags & SCRIPT_VERIFY_WITNESS) != 0 && (flags & SCRIPT_VERIFY_P2SH) == 0) {
+ return;
+ }
+ (void)VerifyScript({script_bytes_1.begin(), script_bytes_1.end()}, {script_bytes_2.begin(), script_bytes_2.end()}, nullptr, flags, FuzzedSignatureChecker(fuzzed_data_provider), nullptr);
+}
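Review bot: The three overriding members `CheckSig`, `CheckLockTime` and `CheckSequence` in `FuzzedSignatureChecker` are declared `virtual` without `override`, so if the corresponding `BaseSignatureChecker` signature ever changes they silently become new, unrelated virtuals and the fuzz target would exercise the base implementations instead of the fuzzed ones; write them as `bool CheckSig(const std::vector<unsigned char>& scriptSig, const std::vector<unsigned char>& vchPubKey, const CScript& scriptCode, SigVersion sigversion) const override` (and likewise for the other two), and the destructor as `~FuzzedSignatureChecker() override = default;`. The single-argument constructor should be `explicit FuzzedSignatureChecker(FuzzedDataProvider& fuzzed_data_provider)` so the checker is never constructed through an implicit conversion. The two early-return guards on the flag combinations before the `VerifyScript` call carry no comment; they presumably skip combinations that `VerifyScript` rejects up front (CLEANSTACK without both P2SH and WITNESS, WITNESS without P2SH), so a one-liner such as `// Skip flag combinations that VerifyScript does not accept, so the fuzzer reaches the real script paths` would save the next reader re-deriving it.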
diff --git a/test/fuzz/test_runner.py b/test/fuzz/test_runner.py
index 520a2b5a95..1786c39c36 100755
--- a/test/fuzz/test_runner.py
+++ b/test/fuzz/test_runner.py
@@ -14,7 +14,10 @@ import logging
def main():
- parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+ parser = argparse.ArgumentParser(
+ formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+ description='''Run the fuzz targets with all inputs from the seed_dir once.''',
+ )
parser.add_argument(
"-l",
"--loglevel",
@@ -23,11 +26,6 @@ def main():
help="log events at this level and higher to the console. Can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL. Passing --loglevel DEBUG will output all logs to console.",
)
parser.add_argument(
- '--export_coverage',
- action='store_true',
- help='If true, export coverage information to files in the seed corpus',
- )
- parser.add_argument(
'--valgrind',
action='store_true',
help='If true, run fuzzing binaries under the valgrind memory error detector',
@@ -46,6 +44,10 @@ def main():
nargs='*',
help='The target(s) to run. Default is to run all targets.',
)
+ parser.add_argument(
+ '--m_dir',
+ help='Merge inputs from this directory into the seed_dir. Needs /target subdirectory.',
+ )
args = parser.parse_args()
@@ -122,16 +124,39 @@ def main():
logging.error("subprocess timed out: Currently only libFuzzer is supported")
sys.exit(1)
+ if args.m_dir:
+ merge_inputs(
+ corpus=args.seed_dir,
+ test_list=test_list_selection,
+ build_dir=config["environment"]["BUILDDIR"],
+ merge_dir=args.m_dir,
+ )
+
run_once(
corpus=args.seed_dir,
test_list=test_list_selection,
build_dir=config["environment"]["BUILDDIR"],
- export_coverage=args.export_coverage,
use_valgrind=args.valgrind,
)
-def run_once(*, corpus, test_list, build_dir, export_coverage, use_valgrind):
+def merge_inputs(*, corpus, test_list, build_dir, merge_dir):
+ logging.info("Merge the inputs in the passed dir into the seed_dir. Passed dir {}".format(merge_dir))
+ for t in test_list:
+ args = [
+ os.path.join(build_dir, 'src', 'test', 'fuzz', t),
+ '-merge=1',
+ os.path.join(corpus, t),
+ os.path.join(merge_dir, t),
+ ]
+ os.makedirs(os.path.join(corpus, t), exist_ok=True)
+ os.makedirs(os.path.join(merge_dir, t), exist_ok=True)
+ logging.debug('Run {} with args {}'.format(t, args))
+ output = subprocess.run(args, check=True, stderr=subprocess.PIPE, universal_newlines=True).stderr
+ logging.debug('Output: {}'.format(output))
+
+
+def run_once(*, corpus, test_list, build_dir, use_valgrind):
for t in test_list:
corpus_path = os.path.join(corpus, t)
os.makedirs(corpus_path, exist_ok=True)
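Review bot: `merge_inputs` runs the target with `check=True` but handles nothing, so a non-zero exit from the `-merge=1` run surfaces as an uncaught `CalledProcessError` traceback instead of the logged stderr plus `sys.exit(1)` that `run_once` uses for the same failure a few lines below; wrap the `subprocess.run` call in the same `except subprocess.CalledProcessError as e:` handler, and consider a `timeout=` so a stuck merge cannot hang the runner. The function also lacks a docstring; `"""Merge the libFuzzer inputs under merge_dir/<target> into corpus/<target> for every target in test_list."""` would do. Separately, the `--m_dir` help text in the earlier hunk says the directory "Needs /target subdirectory", while the `os.makedirs(os.path.join(merge_dir, t), exist_ok=True)` line creates that subdirectory on demand, so one of the two is misleading and should be aligned. `run_once`'s body continues past the end of the hunk.
```python
def merge_inputs(*, corpus, test_list, build_dir, merge_dir):
    """Merge the libFuzzer inputs under merge_dir/<target> into corpus/<target> for every target in test_list."""
    # … unchanged: info log, per-target args list and makedirs calls …
        try:
            output = subprocess.run(args, check=True, stderr=subprocess.PIPE, universal_newlines=True).stderr
        except subprocess.CalledProcessError as e:
            logging.info(e.stderr)
            logging.info("Target \"{}\" failed with exit code {}: {}".format(t, e.returncode, " ".join(args)))
            sys.exit(1)
        logging.debug('Output: {}'.format(output))
```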
@@ -155,13 +180,6 @@ def run_once(*, corpus, test_list, build_dir, export_coverage, use_valgrind):
logging.info(e.stderr)
logging.info("Target \"{}\" failed with exit code {}: {}".format(t, e.returncode, " ".join(args)))
sys.exit(1)
- if not export_coverage:
- continue
- for l in output.splitlines():
- if 'INITED' in l:
- with open(os.path.join(corpus, t + '_coverage'), 'w', encoding='utf-8') as cov_file:
- cov_file.write(l)
- break
def parse_test_list(makefile):