aboutsummaryrefslogtreecommitdiff
path: root/src/test/fuzz
diff options
context:
space:
mode:
Diffstat (limited to 'src/test/fuzz')
-rw-r--r--src/test/fuzz/rpc.cpp378
-rw-r--r--src/test/fuzz/script.cpp56
-rw-r--r--src/test/fuzz/script_flags.cpp4
3 files changed, 425 insertions, 13 deletions
diff --git a/src/test/fuzz/rpc.cpp b/src/test/fuzz/rpc.cpp
new file mode 100644
index 0000000000..dae6f6b6a7
--- /dev/null
+++ b/src/test/fuzz/rpc.cpp
@@ -0,0 +1,378 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <base58.h>
+#include <chainparamsbase.h>
+#include <core_io.h>
+#include <interfaces/chain.h>
+#include <key.h>
+#include <key_io.h>
+#include <node/context.h>
+#include <primitives/block.h>
+#include <primitives/transaction.h>
+#include <psbt.h>
+#include <rpc/blockchain.h>
+#include <rpc/client.h>
+#include <rpc/request.h>
+#include <rpc/server.h>
+#include <rpc/util.h>
+#include <span.h>
+#include <streams.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
+#include <tinyformat.h>
+#include <univalue.h>
+#include <util/strencodings.h>
+#include <util/string.h>
+#include <util/time.h>
+
+#include <cstdint>
+#include <iostream>
+#include <memory>
+#include <optional>
+#include <stdexcept>
+#include <string>
+#include <vector>
+
+namespace {
+struct RPCFuzzTestingSetup : public TestingSetup {
+ RPCFuzzTestingSetup(const std::string& chain_name, const std::vector<const char*>& extra_args) : TestingSetup{chain_name, extra_args}
+ {
+ }
+
+ UniValue CallRPC(const std::string& rpc_method, const std::vector<std::string>& arguments)
+ {
+ JSONRPCRequest request;
+ request.context = &m_node;
+ request.strMethod = rpc_method;
+ request.params = RPCConvertValues(rpc_method, arguments);
+ return tableRPC.execute(request);
+ }
+
+ std::vector<std::string> GetRPCCommands() const
+ {
+ return tableRPC.listCommands();
+ }
+};
+
+RPCFuzzTestingSetup* rpc_testing_setup = nullptr;
+std::string g_limit_to_rpc_command;
+
+// RPC commands which are not appropriate for fuzzing: such as RPC commands
+// reading or writing to a filename passed as an RPC parameter, RPC commands
+// resulting in network activity, etc.
+const std::vector<std::string> RPC_COMMANDS_NOT_SAFE_FOR_FUZZING{
+ "addconnection", // avoid DNS lookups
+ "addnode", // avoid DNS lookups
+ "addpeeraddress", // avoid DNS lookups
+ "analyzepsbt", // avoid signed integer overflow in CFeeRate::GetFee(unsigned long) (https://github.com/bitcoin/bitcoin/issues/20607)
+ "dumptxoutset", // avoid writing to disk
+#ifdef ENABLE_WALLET
+ "dumpwallet", // avoid writing to disk
+#endif
+ "echoipc", // avoid assertion failure (Assertion `"EnsureAnyNodeContext(request.context).init" && check' failed.)
+ "generatetoaddress", // avoid timeout
+ "gettxoutproof", // avoid slow execution
+#ifdef ENABLE_WALLET
+ "importwallet", // avoid reading from disk
+ "loadwallet", // avoid reading from disk
+#endif
+ "mockscheduler", // avoid assertion failure (Assertion `delta_seconds.count() > 0 && delta_seconds < std::chrono::hours{1}' failed.)
+ "prioritisetransaction", // avoid signed integer overflow in CTxMemPool::PrioritiseTransaction(uint256 const&, long const&) (https://github.com/bitcoin/bitcoin/issues/20626)
+ "setban", // avoid DNS lookups
+ "stop", // avoid shutdown state
+};
+
+// RPC commands which are safe for fuzzing.
+const std::vector<std::string> RPC_COMMANDS_SAFE_FOR_FUZZING{
+ "clearbanned",
+ "combinepsbt",
+ "combinerawtransaction",
+ "converttopsbt",
+ "createmultisig",
+ "createpsbt",
+ "createrawtransaction",
+ "decodepsbt",
+ "decoderawtransaction",
+ "decodescript",
+ "deriveaddresses",
+ "disconnectnode",
+ "echo",
+ "echojson",
+ "estimaterawfee",
+ "estimatesmartfee",
+ "finalizepsbt",
+ "generate",
+ "generateblock",
+ "generatetodescriptor",
+ "getaddednodeinfo",
+ "getbestblockhash",
+ "getblock",
+ "getblockchaininfo",
+ "getblockcount",
+ "getblockfilter",
+ "getblockhash",
+ "getblockheader",
+ "getblockstats",
+ "getblocktemplate",
+ "getchaintips",
+ "getchaintxstats",
+ "getconnectioncount",
+ "getdescriptorinfo",
+ "getdifficulty",
+ "getindexinfo",
+ "getmemoryinfo",
+ "getmempoolancestors",
+ "getmempooldescendants",
+ "getmempoolentry",
+ "getmempoolinfo",
+ "getmininginfo",
+ "getnettotals",
+ "getnetworkhashps",
+ "getnetworkinfo",
+ "getnodeaddresses",
+ "getpeerinfo",
+ "getrawmempool",
+ "getrawtransaction",
+ "getrpcinfo",
+ "gettxout",
+ "gettxoutsetinfo",
+ "help",
+ "invalidateblock",
+ "joinpsbts",
+ "listbanned",
+ "logging",
+ "ping",
+ "preciousblock",
+ "pruneblockchain",
+ "reconsiderblock",
+ "savemempool",
+ "scantxoutset",
+ "sendrawtransaction",
+ "setmocktime",
+ "setnetworkactive",
+ "signmessagewithprivkey",
+ "signrawtransactionwithkey",
+ "submitblock",
+ "submitheader",
+ "syncwithvalidationinterfacequeue",
+ "testmempoolaccept",
+ "uptime",
+ "utxoupdatepsbt",
+ "validateaddress",
+ "verifychain",
+ "verifymessage",
+ "verifytxoutproof",
+ "waitforblock",
+ "waitforblockheight",
+ "waitfornewblock",
+};
+
+std::string ConsumeScalarRPCArgument(FuzzedDataProvider& fuzzed_data_provider)
+{
+ const size_t max_string_length = 4096;
+ std::string r;
+ CallOneOf(
+ fuzzed_data_provider,
+ [&] {
+ // string argument
+ r = fuzzed_data_provider.ConsumeRandomLengthString(max_string_length);
+ },
+ [&] {
+ // base64 argument
+ r = EncodeBase64(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length));
+ },
+ [&] {
+ // hex argument
+ r = HexStr(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length));
+ },
+ [&] {
+ // bool argument
+ r = fuzzed_data_provider.ConsumeBool() ? "true" : "false";
+ },
+ [&] {
+ // range argument
+ r = "[" + ToString(fuzzed_data_provider.ConsumeIntegral<int64_t>()) + "," + ToString(fuzzed_data_provider.ConsumeIntegral<int64_t>()) + "]";
+ },
+ [&] {
+ // integral argument (int64_t)
+ r = ToString(fuzzed_data_provider.ConsumeIntegral<int64_t>());
+ },
+ [&] {
+ // integral argument (uint64_t)
+ r = ToString(fuzzed_data_provider.ConsumeIntegral<uint64_t>());
+ },
+ [&] {
+ // floating point argument
+ r = strprintf("%f", fuzzed_data_provider.ConsumeFloatingPoint<double>());
+ },
+ [&] {
+ // tx destination argument
+ r = EncodeDestination(ConsumeTxDestination(fuzzed_data_provider));
+ },
+ [&] {
+ // uint160 argument
+ r = ConsumeUInt160(fuzzed_data_provider).ToString();
+ },
+ [&] {
+ // uint256 argument
+ r = ConsumeUInt256(fuzzed_data_provider).ToString();
+ },
+ [&] {
+ // base32 argument
+ r = EncodeBase32(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length));
+ },
+ [&] {
+ // base58 argument
+ r = EncodeBase58(MakeUCharSpan(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length)));
+ },
+ [&] {
+ // base58 argument with checksum
+ r = EncodeBase58Check(MakeUCharSpan(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length)));
+ },
+ [&] {
+ // hex encoded block
+ std::optional<CBlock> opt_block = ConsumeDeserializable<CBlock>(fuzzed_data_provider);
+ if (!opt_block) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, PROTOCOL_VERSION};
+ data_stream << *opt_block;
+ r = HexStr(data_stream);
+ },
+ [&] {
+ // hex encoded block header
+ std::optional<CBlockHeader> opt_block_header = ConsumeDeserializable<CBlockHeader>(fuzzed_data_provider);
+ if (!opt_block_header) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, PROTOCOL_VERSION};
+ data_stream << *opt_block_header;
+ r = HexStr(data_stream);
+ },
+ [&] {
+ // hex encoded tx
+ std::optional<CMutableTransaction> opt_tx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+ if (!opt_tx) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, fuzzed_data_provider.ConsumeBool() ? PROTOCOL_VERSION : (PROTOCOL_VERSION | SERIALIZE_TRANSACTION_NO_WITNESS)};
+ data_stream << *opt_tx;
+ r = HexStr(data_stream);
+ },
+ [&] {
+ // base64 encoded psbt
+ std::optional<PartiallySignedTransaction> opt_psbt = ConsumeDeserializable<PartiallySignedTransaction>(fuzzed_data_provider);
+ if (!opt_psbt) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, PROTOCOL_VERSION};
+ data_stream << *opt_psbt;
+ r = EncodeBase64({data_stream.begin(), data_stream.end()});
+ },
+ [&] {
+ // base58 encoded key
+ const std::vector<uint8_t> random_bytes = fuzzed_data_provider.ConsumeBytes<uint8_t>(32);
+ CKey key;
+ key.Set(random_bytes.begin(), random_bytes.end(), fuzzed_data_provider.ConsumeBool());
+ if (!key.IsValid()) {
+ return;
+ }
+ r = EncodeSecret(key);
+ },
+ [&] {
+ // hex encoded pubkey
+ const std::vector<uint8_t> random_bytes = fuzzed_data_provider.ConsumeBytes<uint8_t>(32);
+ CKey key;
+ key.Set(random_bytes.begin(), random_bytes.end(), fuzzed_data_provider.ConsumeBool());
+ if (!key.IsValid()) {
+ return;
+ }
+ r = HexStr(key.GetPubKey());
+ });
+ return r;
+}
+
+std::string ConsumeArrayRPCArgument(FuzzedDataProvider& fuzzed_data_provider)
+{
+ std::vector<std::string> scalar_arguments;
+ while (fuzzed_data_provider.ConsumeBool()) {
+ scalar_arguments.push_back(ConsumeScalarRPCArgument(fuzzed_data_provider));
+ }
+ return "[\"" + Join(scalar_arguments, "\",\"") + "\"]";
+}
+
+std::string ConsumeRPCArgument(FuzzedDataProvider& fuzzed_data_provider)
+{
+ return fuzzed_data_provider.ConsumeBool() ? ConsumeScalarRPCArgument(fuzzed_data_provider) : ConsumeArrayRPCArgument(fuzzed_data_provider);
+}
+
+RPCFuzzTestingSetup* InitializeRPCFuzzTestingSetup()
+{
+ static const auto setup = MakeNoLogFileContext<RPCFuzzTestingSetup>();
+ SetRPCWarmupFinished();
+ return setup.get();
+}
+}; // namespace
+
+void initialize_rpc()
+{
+ rpc_testing_setup = InitializeRPCFuzzTestingSetup();
+ const std::vector<std::string> supported_rpc_commands = rpc_testing_setup->GetRPCCommands();
+ for (const std::string& rpc_command : supported_rpc_commands) {
+ const bool safe_for_fuzzing = std::find(RPC_COMMANDS_SAFE_FOR_FUZZING.begin(), RPC_COMMANDS_SAFE_FOR_FUZZING.end(), rpc_command) != RPC_COMMANDS_SAFE_FOR_FUZZING.end();
+ const bool not_safe_for_fuzzing = std::find(RPC_COMMANDS_NOT_SAFE_FOR_FUZZING.begin(), RPC_COMMANDS_NOT_SAFE_FOR_FUZZING.end(), rpc_command) != RPC_COMMANDS_NOT_SAFE_FOR_FUZZING.end();
+ if (!(safe_for_fuzzing || not_safe_for_fuzzing)) {
+ std::cerr << "Error: RPC command \"" << rpc_command << "\" not found in RPC_COMMANDS_SAFE_FOR_FUZZING or RPC_COMMANDS_NOT_SAFE_FOR_FUZZING. Please update " << __FILE__ << ".\n";
+ std::terminate();
+ }
+ if (safe_for_fuzzing && not_safe_for_fuzzing) {
+ std::cerr << "Error: RPC command \"" << rpc_command << "\" found in *both* RPC_COMMANDS_SAFE_FOR_FUZZING and RPC_COMMANDS_NOT_SAFE_FOR_FUZZING. Please update " << __FILE__ << ".\n";
+ std::terminate();
+ }
+ }
+ for (const std::string& rpc_command : RPC_COMMANDS_SAFE_FOR_FUZZING) {
+ const bool supported_rpc_command = std::find(supported_rpc_commands.begin(), supported_rpc_commands.end(), rpc_command) != supported_rpc_commands.end();
+ if (!supported_rpc_command) {
+ std::cerr << "Error: Unknown RPC command \"" << rpc_command << "\" found in RPC_COMMANDS_SAFE_FOR_FUZZING. Please update " << __FILE__ << ".\n";
+ std::terminate();
+ }
+ }
+ for (const std::string& rpc_command : RPC_COMMANDS_NOT_SAFE_FOR_FUZZING) {
+ const bool supported_rpc_command = std::find(supported_rpc_commands.begin(), supported_rpc_commands.end(), rpc_command) != supported_rpc_commands.end();
+ if (!supported_rpc_command) {
+ std::cerr << "Error: Unknown RPC command \"" << rpc_command << "\" found in RPC_COMMANDS_NOT_SAFE_FOR_FUZZING. Please update " << __FILE__ << ".\n";
+ std::terminate();
+ }
+ }
+ const char* limit_to_rpc_command_env = std::getenv("LIMIT_TO_RPC_COMMAND");
+ if (limit_to_rpc_command_env != nullptr) {
+ g_limit_to_rpc_command = std::string{limit_to_rpc_command_env};
+ }
+}
+
+FUZZ_TARGET_INIT(rpc, initialize_rpc)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+ SetMockTime(ConsumeTime(fuzzed_data_provider));
+ const std::string rpc_command = fuzzed_data_provider.ConsumeRandomLengthString(64);
+ if (!g_limit_to_rpc_command.empty() && rpc_command != g_limit_to_rpc_command) {
+ return;
+ }
+ const bool safe_for_fuzzing = std::find(RPC_COMMANDS_SAFE_FOR_FUZZING.begin(), RPC_COMMANDS_SAFE_FOR_FUZZING.end(), rpc_command) != RPC_COMMANDS_SAFE_FOR_FUZZING.end();
+ if (!safe_for_fuzzing) {
+ return;
+ }
+ std::vector<std::string> arguments;
+ while (fuzzed_data_provider.ConsumeBool()) {
+ arguments.push_back(ConsumeRPCArgument(fuzzed_data_provider));
+ }
+ try {
+ rpc_testing_setup->CallRPC(rpc_command, arguments);
+ } catch (const UniValue&) {
+ } catch (const std::runtime_error&) {
+ }
+}
diff --git a/src/test/fuzz/script.cpp b/src/test/fuzz/script.cpp
index e87ae5b04b..b87bcf2ef5 100644
--- a/src/test/fuzz/script.cpp
+++ b/src/test/fuzz/script.cpp
@@ -43,7 +43,7 @@ FUZZ_TARGET_INIT(script, initialize_script)
if (!script_opt) return;
const CScript script{*script_opt};
- std::vector<unsigned char> compressed;
+ CompressedScript compressed;
if (CompressScript(script, compressed)) {
const unsigned int size = compressed[0];
compressed.erase(compressed.begin());
@@ -55,22 +55,45 @@ FUZZ_TARGET_INIT(script, initialize_script)
}
CTxDestination address;
- (void)ExtractDestination(script, address);
-
TxoutType type_ret;
std::vector<CTxDestination> addresses;
int required_ret;
- (void)ExtractDestinations(script, type_ret, addresses, required_ret);
-
- const FlatSigningProvider signing_provider;
- (void)InferDescriptor(script, signing_provider);
-
- (void)IsSegWitOutput(signing_provider, script);
-
- (void)IsSolvable(signing_provider, script);
+ bool extract_destinations_ret = ExtractDestinations(script, type_ret, addresses, required_ret);
+ bool extract_destination_ret = ExtractDestination(script, address);
+ if (!extract_destinations_ret) {
+ assert(!extract_destination_ret);
+ if (type_ret == TxoutType::MULTISIG) {
+ assert(addresses.empty() && required_ret == 0);
+ } else {
+ assert(type_ret == TxoutType::PUBKEY ||
+ type_ret == TxoutType::NONSTANDARD ||
+ type_ret == TxoutType::NULL_DATA);
+ }
+ } else {
+ assert(required_ret >= 1 && required_ret <= 16);
+ assert((unsigned long)required_ret == addresses.size());
+ assert(type_ret == TxoutType::MULTISIG || required_ret == 1);
+ }
+ if (type_ret == TxoutType::NONSTANDARD || type_ret == TxoutType::NULL_DATA) {
+ assert(!extract_destinations_ret);
+ }
+ if (!extract_destination_ret) {
+ assert(type_ret == TxoutType::PUBKEY ||
+ type_ret == TxoutType::NONSTANDARD ||
+ type_ret == TxoutType::NULL_DATA ||
+ type_ret == TxoutType::MULTISIG);
+ } else {
+ assert(address == addresses[0]);
+ }
+ if (type_ret == TxoutType::NONSTANDARD ||
+ type_ret == TxoutType::NULL_DATA ||
+ type_ret == TxoutType::MULTISIG) {
+ assert(!extract_destination_ret);
+ }
TxoutType which_type;
bool is_standard_ret = IsStandard(script, which_type);
+ assert(type_ret == which_type);
if (!is_standard_ret) {
assert(which_type == TxoutType::NONSTANDARD ||
which_type == TxoutType::NULL_DATA ||
@@ -87,6 +110,11 @@ FUZZ_TARGET_INIT(script, initialize_script)
which_type == TxoutType::NONSTANDARD);
}
+ const FlatSigningProvider signing_provider;
+ (void)InferDescriptor(script, signing_provider);
+ (void)IsSegWitOutput(signing_provider, script);
+ (void)IsSolvable(signing_provider, script);
+
(void)RecursiveDynamicUsage(script);
std::vector<std::vector<unsigned char>> solutions;
@@ -115,10 +143,12 @@ FUZZ_TARGET_INIT(script, initialize_script)
{
const std::vector<uint8_t> bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);
+ CompressedScript compressed_script;
+ compressed_script.assign(bytes.begin(), bytes.end());
// DecompressScript(..., ..., bytes) is not guaranteed to be defined if the bytes vector is too short
- if (bytes.size() >= 32) {
+ if (compressed_script.size() >= 32) {
CScript decompressed_script;
- DecompressScript(decompressed_script, fuzzed_data_provider.ConsumeIntegral<unsigned int>(), bytes);
+ DecompressScript(decompressed_script, fuzzed_data_provider.ConsumeIntegral<unsigned int>(), compressed_script);
}
}
diff --git a/src/test/fuzz/script_flags.cpp b/src/test/fuzz/script_flags.cpp
index aa911cdeda..1278dc87d4 100644
--- a/src/test/fuzz/script_flags.cpp
+++ b/src/test/fuzz/script_flags.cpp
@@ -41,6 +41,10 @@ FUZZ_TARGET_INIT(script_flags, initialize_script_flags)
for (unsigned i = 0; i < tx.vin.size(); ++i) {
CTxOut prevout;
ds >> prevout;
+ if (!MoneyRange(prevout.nValue)) {
+ // prevouts should be consensus-valid
+ prevout.nValue = 1;
+ }
spent_outputs.push_back(prevout);
}
PrecomputedTransactionData txdata;