aboutsummaryrefslogtreecommitdiff
path: root/src/test/fuzz
diff options
context:
space:
mode:
Diffstat (limited to 'src/test/fuzz')
-rw-r--r--src/test/fuzz/FuzzedDataProvider.h1
-rw-r--r--src/test/fuzz/addrman.cpp23
-rw-r--r--src/test/fuzz/asmap_direct.cpp3
-rw-r--r--src/test/fuzz/autofile.cpp3
-rw-r--r--src/test/fuzz/banman.cpp15
-rw-r--r--src/test/fuzz/bech32.cpp32
-rw-r--r--src/test/fuzz/bloom_filter.cpp2
-rw-r--r--src/test/fuzz/buffered_file.cpp3
-rw-r--r--src/test/fuzz/coins_view.cpp21
-rw-r--r--src/test/fuzz/connman.cpp49
-rw-r--r--src/test/fuzz/crypto.cpp21
-rw-r--r--src/test/fuzz/crypto_chacha20.cpp2
-rw-r--r--src/test/fuzz/crypto_chacha20_poly1305_aead.cpp2
-rw-r--r--src/test/fuzz/cuckoocache.cpp2
-rwxr-xr-xsrc/test/fuzz/danger_link_all.sh28
-rw-r--r--src/test/fuzz/data_stream.cpp5
-rw-r--r--src/test/fuzz/descriptor_parse.cpp1
-rw-r--r--src/test/fuzz/deserialize.cpp51
-rw-r--r--src/test/fuzz/eval_script.cpp1
-rw-r--r--src/test/fuzz/fee_rate.cpp4
-rw-r--r--src/test/fuzz/float.cpp64
-rw-r--r--src/test/fuzz/fuzz.cpp47
-rw-r--r--src/test/fuzz/fuzz.h30
-rw-r--r--src/test/fuzz/i2p.cpp57
-rw-r--r--src/test/fuzz/integer.cpp10
-rw-r--r--src/test/fuzz/key.cpp1
-rw-r--r--src/test/fuzz/kitchen_sink.cpp2
-rw-r--r--src/test/fuzz/load_external_block_file.cpp11
-rw-r--r--src/test/fuzz/merkleblock.cpp2
-rw-r--r--src/test/fuzz/muhash.cpp12
-rw-r--r--src/test/fuzz/net.cpp28
-rw-r--r--src/test/fuzz/net_permissions.cpp4
-rw-r--r--src/test/fuzz/netaddress.cpp3
-rw-r--r--src/test/fuzz/netbase_dns_lookup.cpp71
-rw-r--r--src/test/fuzz/node_eviction.cpp26
-rw-r--r--src/test/fuzz/p2p_transport_deserializer.cpp42
-rw-r--r--src/test/fuzz/p2p_transport_serialization.cpp85
-rw-r--r--src/test/fuzz/parse_iso8601.cpp2
-rw-r--r--src/test/fuzz/parse_numbers.cpp6
-rw-r--r--src/test/fuzz/parse_univalue.cpp1
-rw-r--r--src/test/fuzz/policy_estimator.cpp5
-rw-r--r--src/test/fuzz/policy_estimator_io.cpp5
-rw-r--r--src/test/fuzz/pow.cpp10
-rw-r--r--src/test/fuzz/process_message.cpp102
-rw-r--r--src/test/fuzz/process_messages.cpp15
-rw-r--r--src/test/fuzz/psbt.cpp28
-rw-r--r--src/test/fuzz/rolling_bloom_filter.cpp2
-rw-r--r--src/test/fuzz/rpc.cpp359
-rw-r--r--src/test/fuzz/script.cpp65
-rw-r--r--src/test/fuzz/script_assets_test_minimizer.cpp29
-rw-r--r--src/test/fuzz/script_descriptor_cache.cpp2
-rw-r--r--src/test/fuzz/script_flags.cpp18
-rw-r--r--src/test/fuzz/script_ops.cpp63
-rw-r--r--src/test/fuzz/scriptnum_ops.cpp2
-rw-r--r--src/test/fuzz/signature_checker.cpp20
-rw-r--r--src/test/fuzz/signet.cpp5
-rw-r--r--src/test/fuzz/socks5.cpp45
-rw-r--r--src/test/fuzz/string.cpp8
-rw-r--r--src/test/fuzz/strprintf.cpp63
-rw-r--r--src/test/fuzz/system.cpp6
-rw-r--r--src/test/fuzz/timedata.cpp4
-rw-r--r--src/test/fuzz/torcontrol.cpp80
-rw-r--r--src/test/fuzz/transaction.cpp21
-rw-r--r--src/test/fuzz/tx_pool.cpp339
-rw-r--r--src/test/fuzz/util.cpp281
-rw-r--r--src/test/fuzz/util.h145
-rw-r--r--src/test/fuzz/utxo_snapshot.cpp87
-rw-r--r--src/test/fuzz/validation_load_mempool.cpp39
-rw-r--r--src/test/fuzz/versionbits.cpp350
69 files changed, 2410 insertions, 561 deletions
diff --git a/src/test/fuzz/FuzzedDataProvider.h b/src/test/fuzz/FuzzedDataProvider.h
index 744a9d78ce..6cbfc39bc2 100644
--- a/src/test/fuzz/FuzzedDataProvider.h
+++ b/src/test/fuzz/FuzzedDataProvider.h
@@ -20,6 +20,7 @@
#include <cstdint>
#include <cstring>
#include <initializer_list>
+#include <limits>
#include <string>
#include <type_traits>
#include <utility>
diff --git a/src/test/fuzz/addrman.cpp b/src/test/fuzz/addrman.cpp
index 1ea6b3d01d..db0b461873 100644
--- a/src/test/fuzz/addrman.cpp
+++ b/src/test/fuzz/addrman.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -57,12 +57,6 @@ FUZZ_TARGET_INIT(addrman, initialize_addrman)
(void)addr_man.SelectTriedCollision();
},
[&] {
- (void)addr_man.Select(fuzzed_data_provider.ConsumeBool());
- },
- [&] {
- (void)addr_man.GetAddr(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096), fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
- },
- [&] {
const std::optional<CAddress> opt_address = ConsumeDeserializable<CAddress>(fuzzed_data_provider);
const std::optional<CNetAddr> opt_net_addr = ConsumeDeserializable<CNetAddr>(fuzzed_data_provider);
if (opt_address && opt_net_addr) {
@@ -104,14 +98,17 @@ FUZZ_TARGET_INIT(addrman, initialize_addrman)
[&] {
const std::optional<CService> opt_service = ConsumeDeserializable<CService>(fuzzed_data_provider);
if (opt_service) {
- addr_man.SetServices(*opt_service, ServiceFlags{fuzzed_data_provider.ConsumeIntegral<uint64_t>()});
+ addr_man.SetServices(*opt_service, ConsumeWeakEnum(fuzzed_data_provider, ALL_SERVICE_FLAGS));
}
- },
- [&] {
- (void)addr_man.Check();
});
}
- (void)addr_man.size();
+ const CAddrMan& const_addr_man{addr_man};
+ (void)/*const_*/addr_man.GetAddr(
+ /* max_addresses */ fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096),
+ /* max_pct */ fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096),
+ /* network */ std::nullopt);
+ (void)/*const_*/addr_man.Select(fuzzed_data_provider.ConsumeBool());
+ (void)const_addr_man.size();
CDataStream data_stream(SER_NETWORK, PROTOCOL_VERSION);
- data_stream << addr_man;
+ data_stream << const_addr_man;
}
diff --git a/src/test/fuzz/asmap_direct.cpp b/src/test/fuzz/asmap_direct.cpp
index 8b7822dc16..8ca4de3919 100644
--- a/src/test/fuzz/asmap_direct.cpp
+++ b/src/test/fuzz/asmap_direct.cpp
@@ -2,8 +2,9 @@
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-#include <test/fuzz/fuzz.h>
+#include <netaddress.h>
#include <util/asmap.h>
+#include <test/fuzz/fuzz.h>
#include <cstdint>
#include <optional>
diff --git a/src/test/fuzz/autofile.cpp b/src/test/fuzz/autofile.cpp
index 9ecd172e19..479342e4be 100644
--- a/src/test/fuzz/autofile.cpp
+++ b/src/test/fuzz/autofile.cpp
@@ -1,8 +1,7 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-#include <optional.h>
#include <streams.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
diff --git a/src/test/fuzz/banman.cpp b/src/test/fuzz/banman.cpp
index e0715f3e29..759a70a857 100644
--- a/src/test/fuzz/banman.cpp
+++ b/src/test/fuzz/banman.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -8,6 +8,7 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
#include <util/system.h>
#include <cstdint>
@@ -26,18 +27,22 @@ int64_t ConsumeBanTimeOffset(FuzzedDataProvider& fuzzed_data_provider) noexcept
void initialize_banman()
{
- static const auto testing_setup = MakeFuzzingContext<>();
+ static const auto testing_setup = MakeNoLogFileContext<>();
}
FUZZ_TARGET_INIT(banman, initialize_banman)
{
+ // The complexity is O(N^2), where N is the input size, because each call
+ // might call DumpBanlist (or other methods that are at least linear
+ // complexity of the input size).
+ int limit_max_ops{300};
FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
SetMockTime(ConsumeTime(fuzzed_data_provider));
- const fs::path banlist_file = GetDataDir() / "fuzzed_banlist.dat";
+ const fs::path banlist_file = gArgs.GetDataDirNet() / "fuzzed_banlist.dat";
fs::remove(banlist_file);
{
BanMan ban_man{banlist_file, nullptr, ConsumeBanTimeOffset(fuzzed_data_provider)};
- while (fuzzed_data_provider.ConsumeBool()) {
+ while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
CallOneOf(
fuzzed_data_provider,
[&] {
@@ -51,7 +56,6 @@ FUZZ_TARGET_INIT(banman, initialize_banman)
[&] {
ban_man.ClearBanned();
},
- [] {},
[&] {
ban_man.IsBanned(ConsumeNetAddr(fuzzed_data_provider));
},
@@ -71,7 +75,6 @@ FUZZ_TARGET_INIT(banman, initialize_banman)
[&] {
ban_man.DumpBanlist();
},
- [] {},
[&] {
ban_man.Discourage(ConsumeNetAddr(fuzzed_data_provider));
});
diff --git a/src/test/fuzz/bech32.cpp b/src/test/fuzz/bech32.cpp
index 95cd4b413f..ad3bf73af4 100644
--- a/src/test/fuzz/bech32.cpp
+++ b/src/test/fuzz/bech32.cpp
@@ -16,28 +16,28 @@
FUZZ_TARGET(bech32)
{
const std::string random_string(buffer.begin(), buffer.end());
- const std::pair<std::string, std::vector<uint8_t>> r1 = bech32::Decode(random_string);
- if (r1.first.empty()) {
- assert(r1.second.empty());
+ const auto r1 = bech32::Decode(random_string);
+ if (r1.hrp.empty()) {
+ assert(r1.encoding == bech32::Encoding::INVALID);
+ assert(r1.data.empty());
} else {
- const std::string& hrp = r1.first;
- const std::vector<uint8_t>& data = r1.second;
- const std::string reencoded = bech32::Encode(hrp, data);
+ assert(r1.encoding != bech32::Encoding::INVALID);
+ const std::string reencoded = bech32::Encode(r1.encoding, r1.hrp, r1.data);
assert(CaseInsensitiveEqual(random_string, reencoded));
}
std::vector<unsigned char> input;
ConvertBits<8, 5, true>([&](unsigned char c) { input.push_back(c); }, buffer.begin(), buffer.end());
- const std::string encoded = bech32::Encode("bc", input);
- assert(!encoded.empty());
- const std::pair<std::string, std::vector<uint8_t>> r2 = bech32::Decode(encoded);
- if (r2.first.empty()) {
- assert(r2.second.empty());
- } else {
- const std::string& hrp = r2.first;
- const std::vector<uint8_t>& data = r2.second;
- assert(hrp == "bc");
- assert(data == input);
+ if (input.size() + 3 + 6 <= 90) {
+ // If it's possible to encode input in Bech32(m) without exceeding the 90-character limit:
+ for (auto encoding : {bech32::Encoding::BECH32, bech32::Encoding::BECH32M}) {
+ const std::string encoded = bech32::Encode(encoding, "bc", input);
+ assert(!encoded.empty());
+ const auto r2 = bech32::Decode(encoded);
+ assert(r2.encoding == encoding);
+ assert(r2.hrp == "bc");
+ assert(r2.data == input);
+ }
}
}
diff --git a/src/test/fuzz/bloom_filter.cpp b/src/test/fuzz/bloom_filter.cpp
index d43c182644..c5bb8744a4 100644
--- a/src/test/fuzz/bloom_filter.cpp
+++ b/src/test/fuzz/bloom_filter.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/fuzz/buffered_file.cpp b/src/test/fuzz/buffered_file.cpp
index 3a1b2dbbe7..ed72260d10 100644
--- a/src/test/fuzz/buffered_file.cpp
+++ b/src/test/fuzz/buffered_file.cpp
@@ -1,8 +1,7 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-#include <optional.h>
#include <streams.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
diff --git a/src/test/fuzz/coins_view.cpp b/src/test/fuzz/coins_view.cpp
index 8ece94d771..42f19d16c6 100644
--- a/src/test/fuzz/coins_view.cpp
+++ b/src/test/fuzz/coins_view.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -6,6 +6,7 @@
#include <chainparams.h>
#include <chainparamsbase.h>
#include <coins.h>
+#include <consensus/tx_check.h>
#include <consensus/tx_verify.h>
#include <consensus/validation.h>
#include <key.h>
@@ -16,6 +17,7 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
#include <validation.h>
#include <cstdint>
@@ -25,6 +27,7 @@
#include <vector>
namespace {
+const TestingSetup* g_setup;
const Coin EMPTY_COIN{};
bool operator==(const Coin& a, const Coin& b)
@@ -36,7 +39,8 @@ bool operator==(const Coin& a, const Coin& b)
void initialize_coins_view()
{
- static const auto testing_setup = MakeFuzzingContext<const TestingSetup>();
+ static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
+ g_setup = testing_setup.get();
}
FUZZ_TARGET_INIT(coins_view, initialize_coins_view)
@@ -229,10 +233,13 @@ FUZZ_TARGET_INIT(coins_view, initialize_coins_view)
// consensus/tx_verify.cpp:171: bool Consensus::CheckTxInputs(const CTransaction &, TxValidationState &, const CCoinsViewCache &, int, CAmount &): Assertion `!coin.IsSpent()' failed.
return;
}
- try {
- (void)Consensus::CheckTxInputs(transaction, state, coins_view_cache, fuzzed_data_provider.ConsumeIntegralInRange<int>(0, std::numeric_limits<int>::max()), tx_fee_out);
+ TxValidationState dummy;
+ if (!CheckTransaction(transaction, dummy)) {
+ // It is not allowed to call CheckTxInputs if CheckTransaction failed
+ return;
+ }
+ if (Consensus::CheckTxInputs(transaction, state, coins_view_cache, fuzzed_data_provider.ConsumeIntegralInRange<int>(0, std::numeric_limits<int>::max()), tx_fee_out)) {
assert(MoneyRange(tx_fee_out));
- } catch (const std::runtime_error&) {
}
},
[&] {
@@ -260,10 +267,10 @@ FUZZ_TARGET_INIT(coins_view, initialize_coins_view)
(void)GetTransactionSigOpCost(transaction, coins_view_cache, flags);
},
[&] {
- CCoinsStats stats;
+ CCoinsStats stats{CoinStatsHashType::HASH_SERIALIZED};
bool expected_code_path = false;
try {
- (void)GetUTXOStats(&coins_view_cache, stats, CoinStatsHashType::HASH_SERIALIZED);
+ (void)GetUTXOStats(&coins_view_cache, WITH_LOCK(::cs_main, return std::ref(g_setup->m_node.chainman->m_blockman)), stats);
} catch (const std::logic_error&) {
expected_code_path = true;
}
diff --git a/src/test/fuzz/connman.cpp b/src/test/fuzz/connman.cpp
index 71b4b00116..bbec5943af 100644
--- a/src/test/fuzz/connman.cpp
+++ b/src/test/fuzz/connman.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -10,6 +10,7 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
#include <util/translation.h>
#include <cstdint>
@@ -17,47 +18,32 @@
void initialize_connman()
{
- static const auto testing_setup = MakeFuzzingContext<>();
+ static const auto testing_setup = MakeNoLogFileContext<>();
}
FUZZ_TARGET_INIT(connman, initialize_connman)
{
FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
SetMockTime(ConsumeTime(fuzzed_data_provider));
- CConnman connman{fuzzed_data_provider.ConsumeIntegral<uint64_t>(), fuzzed_data_provider.ConsumeIntegral<uint64_t>(), fuzzed_data_provider.ConsumeBool()};
- CAddress random_address;
+ CAddrMan addrman;
+ CConnman connman{fuzzed_data_provider.ConsumeIntegral<uint64_t>(), fuzzed_data_provider.ConsumeIntegral<uint64_t>(), addrman, fuzzed_data_provider.ConsumeBool()};
CNetAddr random_netaddr;
CNode random_node = ConsumeNode(fuzzed_data_provider);
- CService random_service;
CSubNet random_subnet;
std::string random_string;
while (fuzzed_data_provider.ConsumeBool()) {
CallOneOf(
fuzzed_data_provider,
[&] {
- random_address = ConsumeAddress(fuzzed_data_provider);
- },
- [&] {
random_netaddr = ConsumeNetAddr(fuzzed_data_provider);
},
[&] {
- random_service = ConsumeService(fuzzed_data_provider);
- },
- [&] {
random_subnet = ConsumeSubNet(fuzzed_data_provider);
},
[&] {
random_string = fuzzed_data_provider.ConsumeRandomLengthString(64);
},
[&] {
- std::vector<CAddress> addresses;
- while (fuzzed_data_provider.ConsumeBool()) {
- addresses.push_back(ConsumeAddress(fuzzed_data_provider));
- }
- // Limit nTimePenalty to int32_t to avoid signed integer overflow
- (void)connman.AddNewAddresses(addresses, ConsumeAddress(fuzzed_data_provider), fuzzed_data_provider.ConsumeIntegral<int32_t>());
- },
- [&] {
connman.AddNode(random_string);
},
[&] {
@@ -79,32 +65,34 @@ FUZZ_TARGET_INIT(connman, initialize_connman)
connman.ForEachNode([](auto) {});
},
[&] {
- connman.ForEachNodeThen([](auto) {}, []() {});
- },
- [&] {
(void)connman.ForNode(fuzzed_data_provider.ConsumeIntegral<NodeId>(), [&](auto) { return fuzzed_data_provider.ConsumeBool(); });
},
[&] {
- (void)connman.GetAddresses(fuzzed_data_provider.ConsumeIntegral<size_t>(), fuzzed_data_provider.ConsumeIntegral<size_t>());
+ (void)connman.GetAddresses(
+ /* max_addresses */ fuzzed_data_provider.ConsumeIntegral<size_t>(),
+ /* max_pct */ fuzzed_data_provider.ConsumeIntegral<size_t>(),
+ /* network */ std::nullopt);
},
[&] {
- (void)connman.GetAddresses(random_node, fuzzed_data_provider.ConsumeIntegral<size_t>(), fuzzed_data_provider.ConsumeIntegral<size_t>());
+ (void)connman.GetAddresses(
+ /* requestor */ random_node,
+ /* max_addresses */ fuzzed_data_provider.ConsumeIntegral<size_t>(),
+ /* max_pct */ fuzzed_data_provider.ConsumeIntegral<size_t>());
},
[&] {
(void)connman.GetDeterministicRandomizer(fuzzed_data_provider.ConsumeIntegral<uint64_t>());
},
[&] {
- (void)connman.GetNodeCount(fuzzed_data_provider.PickValueInArray({CConnman::CONNECTIONS_NONE, CConnman::CONNECTIONS_IN, CConnman::CONNECTIONS_OUT, CConnman::CONNECTIONS_ALL}));
- },
- [&] {
- connman.MarkAddressGood(random_address);
+ (void)connman.GetNodeCount(fuzzed_data_provider.PickValueInArray({ConnectionDirection::None, ConnectionDirection::In, ConnectionDirection::Out, ConnectionDirection::Both}));
},
[&] {
(void)connman.OutboundTargetReached(fuzzed_data_provider.ConsumeBool());
},
[&] {
// Limit now to int32_t to avoid signed integer overflow
- (void)connman.PoissonNextSendInbound(fuzzed_data_provider.ConsumeIntegral<int32_t>(), fuzzed_data_provider.ConsumeIntegral<int>());
+ (void)connman.PoissonNextSendInbound(
+ std::chrono::microseconds{fuzzed_data_provider.ConsumeIntegral<int32_t>()},
+ std::chrono::seconds{fuzzed_data_provider.ConsumeIntegral<int>()});
},
[&] {
CSerializedNetMsg serialized_net_msg;
@@ -125,9 +113,6 @@ FUZZ_TARGET_INIT(connman, initialize_connman)
connman.SetNetworkActive(fuzzed_data_provider.ConsumeBool());
},
[&] {
- connman.SetServices(random_service, ConsumeWeakEnum(fuzzed_data_provider, ALL_SERVICE_FLAGS));
- },
- [&] {
connman.SetTryNewOutboundPeer(fuzzed_data_provider.ConsumeBool());
});
}
diff --git a/src/test/fuzz/crypto.cpp b/src/test/fuzz/crypto.cpp
index c2bb3a1a4e..f83747e424 100644
--- a/src/test/fuzz/crypto.cpp
+++ b/src/test/fuzz/crypto.cpp
@@ -1,10 +1,9 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include <crypto/hmac_sha256.h>
#include <crypto/hmac_sha512.h>
-#include <crypto/muhash.h>
#include <crypto/ripemd160.h>
#include <crypto/sha1.h>
#include <crypto/sha256.h>
@@ -20,6 +19,10 @@
FUZZ_TARGET(crypto)
{
+ // Hashing is expensive with sanitizers enabled, so limit the number of
+ // calls
+ int limit_max_ops{30};
+
FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
std::vector<uint8_t> data = ConsumeRandomLengthByteVector(fuzzed_data_provider);
if (data.empty()) {
@@ -36,9 +39,8 @@ FUZZ_TARGET(crypto)
CSHA512 sha512;
SHA3_256 sha3;
CSipHasher sip_hasher{fuzzed_data_provider.ConsumeIntegral<uint64_t>(), fuzzed_data_provider.ConsumeIntegral<uint64_t>()};
- MuHash3072 muhash;
- while (fuzzed_data_provider.ConsumeBool()) {
+ while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
CallOneOf(
fuzzed_data_provider,
[&] {
@@ -63,12 +65,6 @@ FUZZ_TARGET(crypto)
(void)Hash(data);
(void)Hash160(data);
(void)sha512.Size();
-
- if (fuzzed_data_provider.ConsumeBool()) {
- muhash *= MuHash3072(data);
- } else {
- muhash /= MuHash3072(data);
- }
},
[&] {
(void)hash160.Reset();
@@ -78,7 +74,6 @@ FUZZ_TARGET(crypto)
(void)sha256.Reset();
(void)sha3.Reset();
(void)sha512.Reset();
- muhash = MuHash3072();
},
[&] {
CallOneOf(
@@ -122,10 +117,6 @@ FUZZ_TARGET(crypto)
[&] {
data.resize(SHA3_256::OUTPUT_SIZE);
sha3.Finalize(data);
- },
- [&] {
- uint256 out;
- muhash.Finalize(out);
});
});
}
diff --git a/src/test/fuzz/crypto_chacha20.cpp b/src/test/fuzz/crypto_chacha20.cpp
index bb8dd4594f..8adfa92420 100644
--- a/src/test/fuzz/crypto_chacha20.cpp
+++ b/src/test/fuzz/crypto_chacha20.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/fuzz/crypto_chacha20_poly1305_aead.cpp b/src/test/fuzz/crypto_chacha20_poly1305_aead.cpp
index 0e1c44cded..bb4ef22158 100644
--- a/src/test/fuzz/crypto_chacha20_poly1305_aead.cpp
+++ b/src/test/fuzz/crypto_chacha20_poly1305_aead.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/fuzz/cuckoocache.cpp b/src/test/fuzz/cuckoocache.cpp
index dc20dc3f62..a522c837ef 100644
--- a/src/test/fuzz/cuckoocache.cpp
+++ b/src/test/fuzz/cuckoocache.cpp
@@ -30,7 +30,7 @@ FUZZ_TARGET(cuckoocache)
{
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
fuzzed_data_provider_ptr = &fuzzed_data_provider;
- CuckooCache::cache<bool, RandomHasher> cuckoo_cache{};
+ CuckooCache::cache<int, RandomHasher> cuckoo_cache{};
if (fuzzed_data_provider.ConsumeBool()) {
const size_t megabytes = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 16);
cuckoo_cache.setup_bytes(megabytes << 20);
diff --git a/src/test/fuzz/danger_link_all.sh b/src/test/fuzz/danger_link_all.sh
deleted file mode 100755
index 2ddd00c658..0000000000
--- a/src/test/fuzz/danger_link_all.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-# Copyright (c) 2020 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-export LC_ALL=C.UTF-8
-
-set -e
-
-ROOT_DIR="$(git rev-parse --show-toplevel)"
-
-# Run only once (break make recursion)
-if [ -d "${ROOT_DIR}/lock_fuzz_link_all" ]; then
- exit
-fi
-mkdir "${ROOT_DIR}/lock_fuzz_link_all"
-
-echo "Linking each fuzz target separately."
-for FUZZING_HARNESS in $(PRINT_ALL_FUZZ_TARGETS_AND_ABORT=1 "${ROOT_DIR}/src/test/fuzz/fuzz" | sort -u); do
- echo "Building src/test/fuzz/${FUZZING_HARNESS} ..."
- git checkout -- "${ROOT_DIR}/src/test/fuzz/fuzz.cpp"
- sed -i "s/std::getenv(\"FUZZ\")/\"${FUZZING_HARNESS}\"/g" "${ROOT_DIR}/src/test/fuzz/fuzz.cpp"
- make
- mv "${ROOT_DIR}/src/test/fuzz/fuzz" "${ROOT_DIR}/src/test/fuzz/${FUZZING_HARNESS}"
-done
-git checkout -- "${ROOT_DIR}/src/test/fuzz/fuzz.cpp"
-rmdir "${ROOT_DIR}/lock_fuzz_link_all"
-echo "Successfully built all fuzz targets."
diff --git a/src/test/fuzz/data_stream.cpp b/src/test/fuzz/data_stream.cpp
index f3b6e6af04..473caec6ff 100644
--- a/src/test/fuzz/data_stream.cpp
+++ b/src/test/fuzz/data_stream.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -7,13 +7,14 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
#include <cstdint>
#include <vector>
void initialize_data_stream_addr_man()
{
- static const auto testing_setup = MakeFuzzingContext<>();
+ static const auto testing_setup = MakeNoLogFileContext<>();
}
FUZZ_TARGET_INIT(data_stream_addr_man, initialize_data_stream_addr_man)
diff --git a/src/test/fuzz/descriptor_parse.cpp b/src/test/fuzz/descriptor_parse.cpp
index 0d1921f285..ffe4855662 100644
--- a/src/test/fuzz/descriptor_parse.cpp
+++ b/src/test/fuzz/descriptor_parse.cpp
@@ -6,7 +6,6 @@
#include <pubkey.h>
#include <script/descriptor.h>
#include <test/fuzz/fuzz.h>
-#include <util/memory.h>
void initialize_descriptor_parse()
{
diff --git a/src/test/fuzz/deserialize.cpp b/src/test/fuzz/deserialize.cpp
index ba5f0c1a75..721e4360d0 100644
--- a/src/test/fuzz/deserialize.cpp
+++ b/src/test/fuzz/deserialize.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2009-2020 The Bitcoin Core developers
+// Copyright (c) 2009-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -15,7 +15,6 @@
#include <net.h>
#include <netbase.h>
#include <node/utxo_snapshot.h>
-#include <optional.h>
#include <primitives/block.h>
#include <protocol.h>
#include <psbt.h>
@@ -26,6 +25,7 @@
#include <version.h>
#include <exception>
+#include <optional>
#include <stdexcept>
#include <stdint.h>
#include <unistd.h>
@@ -53,9 +53,9 @@ struct invalid_fuzzing_input_exception : public std::exception {
};
template <typename T>
-CDataStream Serialize(const T& obj, const int version = INIT_PROTO_VERSION)
+CDataStream Serialize(const T& obj, const int version = INIT_PROTO_VERSION, const int ser_type = SER_NETWORK)
{
- CDataStream ds(SER_NETWORK, version);
+ CDataStream ds(ser_type, version);
ds << obj;
return ds;
}
@@ -69,9 +69,9 @@ T Deserialize(CDataStream ds)
}
template <typename T>
-void DeserializeFromFuzzingInput(FuzzBufferType buffer, T& obj, const Optional<int> protocol_version = nullopt)
+void DeserializeFromFuzzingInput(FuzzBufferType buffer, T& obj, const std::optional<int> protocol_version = std::nullopt, const int ser_type = SER_NETWORK)
{
- CDataStream ds(buffer, SER_NETWORK, INIT_PROTO_VERSION);
+ CDataStream ds(buffer, ser_type, INIT_PROTO_VERSION);
if (protocol_version) {
ds.SetVersion(*protocol_version);
} else {
@@ -92,9 +92,9 @@ void DeserializeFromFuzzingInput(FuzzBufferType buffer, T& obj, const Optional<i
}
template <typename T>
-void AssertEqualAfterSerializeDeserialize(const T& obj, const int version = INIT_PROTO_VERSION)
+void AssertEqualAfterSerializeDeserialize(const T& obj, const int version = INIT_PROTO_VERSION, const int ser_type = SER_NETWORK)
{
- assert(Deserialize<T>(Serialize(obj, version)) == obj);
+ assert(Deserialize<T>(Serialize(obj, version, ser_type)) == obj);
}
} // namespace
@@ -136,8 +136,7 @@ FUZZ_TARGET_DESERIALIZE(partial_merkle_tree_deserialize, {
FUZZ_TARGET_DESERIALIZE(pub_key_deserialize, {
CPubKey pub_key;
DeserializeFromFuzzingInput(buffer, pub_key);
- // TODO: The following equivalence should hold for CPubKey? Fix.
- // AssertEqualAfterSerializeDeserialize(pub_key);
+ AssertEqualAfterSerializeDeserialize(pub_key);
})
FUZZ_TARGET_DESERIALIZE(script_deserialize, {
CScript script;
@@ -251,9 +250,37 @@ FUZZ_TARGET_DESERIALIZE(messageheader_deserialize, {
DeserializeFromFuzzingInput(buffer, mh);
(void)mh.IsCommandValid();
})
-FUZZ_TARGET_DESERIALIZE(address_deserialize, {
+FUZZ_TARGET_DESERIALIZE(address_deserialize_v1_notime, {
CAddress a;
- DeserializeFromFuzzingInput(buffer, a);
+ DeserializeFromFuzzingInput(buffer, a, INIT_PROTO_VERSION);
+ // A CAddress without nTime (as is expected under INIT_PROTO_VERSION) will roundtrip
+ // in all 5 formats (with/without nTime, v1/v2, network/disk)
+ AssertEqualAfterSerializeDeserialize(a, INIT_PROTO_VERSION);
+ AssertEqualAfterSerializeDeserialize(a, PROTOCOL_VERSION);
+ AssertEqualAfterSerializeDeserialize(a, 0, SER_DISK);
+ AssertEqualAfterSerializeDeserialize(a, PROTOCOL_VERSION | ADDRV2_FORMAT);
+ AssertEqualAfterSerializeDeserialize(a, ADDRV2_FORMAT, SER_DISK);
+})
+FUZZ_TARGET_DESERIALIZE(address_deserialize_v1_withtime, {
+ CAddress a;
+ DeserializeFromFuzzingInput(buffer, a, PROTOCOL_VERSION);
+ // A CAddress in V1 mode will roundtrip in all 4 formats that have nTime.
+ AssertEqualAfterSerializeDeserialize(a, PROTOCOL_VERSION);
+ AssertEqualAfterSerializeDeserialize(a, 0, SER_DISK);
+ AssertEqualAfterSerializeDeserialize(a, PROTOCOL_VERSION | ADDRV2_FORMAT);
+ AssertEqualAfterSerializeDeserialize(a, ADDRV2_FORMAT, SER_DISK);
+})
+FUZZ_TARGET_DESERIALIZE(address_deserialize_v2, {
+ CAddress a;
+ DeserializeFromFuzzingInput(buffer, a, PROTOCOL_VERSION | ADDRV2_FORMAT);
+ // A CAddress in V2 mode will roundtrip in both V2 formats, and also in the V1 formats
+ // with time if it's V1 compatible.
+ if (a.IsAddrV1Compatible()) {
+ AssertEqualAfterSerializeDeserialize(a, PROTOCOL_VERSION);
+ AssertEqualAfterSerializeDeserialize(a, 0, SER_DISK);
+ }
+ AssertEqualAfterSerializeDeserialize(a, PROTOCOL_VERSION | ADDRV2_FORMAT);
+ AssertEqualAfterSerializeDeserialize(a, ADDRV2_FORMAT, SER_DISK);
})
FUZZ_TARGET_DESERIALIZE(inv_deserialize, {
CInv i;
diff --git a/src/test/fuzz/eval_script.cpp b/src/test/fuzz/eval_script.cpp
index 635288fc36..77ed798923 100644
--- a/src/test/fuzz/eval_script.cpp
+++ b/src/test/fuzz/eval_script.cpp
@@ -6,7 +6,6 @@
#include <script/interpreter.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
-#include <util/memory.h>
#include <limits>
diff --git a/src/test/fuzz/fee_rate.cpp b/src/test/fuzz/fee_rate.cpp
index 2955213635..dff0e58000 100644
--- a/src/test/fuzz/fee_rate.cpp
+++ b/src/test/fuzz/fee_rate.cpp
@@ -20,8 +20,8 @@ FUZZ_TARGET(fee_rate)
const CFeeRate fee_rate{satoshis_per_k};
(void)fee_rate.GetFeePerK();
- const size_t bytes = fuzzed_data_provider.ConsumeIntegral<size_t>();
- if (!MultiplicationOverflow(static_cast<int64_t>(bytes), satoshis_per_k) && bytes <= static_cast<uint64_t>(std::numeric_limits<int64_t>::max())) {
+ const auto bytes = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+ if (!MultiplicationOverflow(int64_t{bytes}, satoshis_per_k)) {
(void)fee_rate.GetFee(bytes);
}
(void)fee_rate.ToString();
diff --git a/src/test/fuzz/float.cpp b/src/test/fuzz/float.cpp
index d18a87d177..2f77c8949e 100644
--- a/src/test/fuzz/float.cpp
+++ b/src/test/fuzz/float.cpp
@@ -3,40 +3,60 @@
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include <memusage.h>
-#include <serialize.h>
-#include <streams.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <util/serfloat.h>
#include <version.h>
#include <cassert>
-#include <cstdint>
+#include <cmath>
+#include <limits>
FUZZ_TARGET(float)
{
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
{
- const double d = fuzzed_data_provider.ConsumeFloatingPoint<double>();
+ const double d{[&] {
+ double tmp;
+ CallOneOf(
+ fuzzed_data_provider,
+ // an actual number
+ [&] { tmp = fuzzed_data_provider.ConsumeFloatingPoint<double>(); },
+ // special numbers and NANs
+ [&] { tmp = fuzzed_data_provider.PickValueInArray({
+ std::numeric_limits<double>::infinity(),
+ -std::numeric_limits<double>::infinity(),
+ std::numeric_limits<double>::min(),
+ -std::numeric_limits<double>::min(),
+ std::numeric_limits<double>::max(),
+ -std::numeric_limits<double>::max(),
+ std::numeric_limits<double>::lowest(),
+ -std::numeric_limits<double>::lowest(),
+ std::numeric_limits<double>::quiet_NaN(),
+ -std::numeric_limits<double>::quiet_NaN(),
+ std::numeric_limits<double>::signaling_NaN(),
+ -std::numeric_limits<double>::signaling_NaN(),
+ std::numeric_limits<double>::denorm_min(),
+ -std::numeric_limits<double>::denorm_min(),
+ }); },
+ // Anything from raw memory (also checks that DecodeDouble doesn't crash on any input)
+ [&] { tmp = DecodeDouble(fuzzed_data_provider.ConsumeIntegral<uint64_t>()); });
+ return tmp;
+ }()};
(void)memusage::DynamicUsage(d);
- assert(ser_uint64_to_double(ser_double_to_uint64(d)) == d);
- CDataStream stream(SER_NETWORK, INIT_PROTO_VERSION);
- stream << d;
- double d_deserialized;
- stream >> d_deserialized;
- assert(d == d_deserialized);
- }
-
- {
- const float f = fuzzed_data_provider.ConsumeFloatingPoint<float>();
- (void)memusage::DynamicUsage(f);
- assert(ser_uint32_to_float(ser_float_to_uint32(f)) == f);
-
- CDataStream stream(SER_NETWORK, INIT_PROTO_VERSION);
- stream << f;
- float f_deserialized;
- stream >> f_deserialized;
- assert(f == f_deserialized);
+ uint64_t encoded = EncodeDouble(d);
+ if constexpr (std::numeric_limits<double>::is_iec559) {
+ if (!std::isnan(d)) {
+ uint64_t encoded_in_memory;
+ std::copy((const unsigned char*)&d, (const unsigned char*)(&d + 1), (unsigned char*)&encoded_in_memory);
+ assert(encoded_in_memory == encoded);
+ }
+ }
+ double d_deserialized = DecodeDouble(encoded);
+ assert(std::isnan(d) == std::isnan(d_deserialized));
+ assert(std::isnan(d) || d == d_deserialized);
}
}
diff --git a/src/test/fuzz/fuzz.cpp b/src/test/fuzz/fuzz.cpp
index e5df672163..a33297e0ed 100644
--- a/src/test/fuzz/fuzz.cpp
+++ b/src/test/fuzz/fuzz.cpp
@@ -1,27 +1,33 @@
-// Copyright (c) 2009-2020 The Bitcoin Core developers
+// Copyright (c) 2009-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include <test/fuzz/fuzz.h>
+#include <netaddress.h>
+#include <netbase.h>
#include <test/util/setup_common.h>
#include <util/check.h>
+#include <util/sock.h>
#include <cstdint>
+#include <exception>
+#include <memory>
+#include <string>
#include <unistd.h>
#include <vector>
const std::function<void(const std::string&)> G_TEST_LOG_FUN{};
-std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize>>& FuzzTargets()
+std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize, TypeHidden>>& FuzzTargets()
{
- static std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize>> g_fuzz_targets;
+ static std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize, TypeHidden>> g_fuzz_targets;
return g_fuzz_targets;
}
-void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, TypeInitialize init)
+void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, TypeInitialize init, TypeHidden hidden)
{
- const auto it_ins = FuzzTargets().try_emplace(name, std::move(target), std::move(init));
+ const auto it_ins = FuzzTargets().try_emplace(name, std::move(target), std::move(init), hidden);
Assert(it_ins.second);
}
@@ -29,12 +35,35 @@ static TypeTestOneInput* g_test_one_input{nullptr};
void initialize()
{
+ // Terminate immediately if a fuzzing harness ever tries to create a TCP socket.
+ CreateSock = [](const CService&) -> std::unique_ptr<Sock> { std::terminate(); };
+
+ // Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup.
+ g_dns_lookup = [](const std::string& name, bool allow_lookup) {
+ if (allow_lookup) {
+ std::terminate();
+ }
+ return WrappedGetAddrInfo(name, false);
+ };
+
+ bool should_abort{false};
if (std::getenv("PRINT_ALL_FUZZ_TARGETS_AND_ABORT")) {
for (const auto& t : FuzzTargets()) {
+ if (std::get<2>(t.second)) continue;
std::cout << t.first << std::endl;
}
- Assert(false);
+ should_abort = true;
+ }
+ if (const char* out_path = std::getenv("WRITE_ALL_FUZZ_TARGETS_AND_ABORT")) {
+ std::cout << "Writing all fuzz target names to '" << out_path << "'." << std::endl;
+ std::ofstream out_stream(out_path, std::ios::binary);
+ for (const auto& t : FuzzTargets()) {
+ if (std::get<2>(t.second)) continue;
+ out_stream << t.first << std::endl;
+ }
+ should_abort = true;
}
+ Assert(!should_abort);
std::string_view fuzz_target{Assert(std::getenv("FUZZ"))};
const auto it = FuzzTargets().find(fuzz_target);
Assert(it != FuzzTargets().end());
@@ -43,7 +72,7 @@ void initialize()
std::get<1>(it->second)();
}
-#if defined(PROVIDE_MAIN_FUNCTION)
+#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
static bool read_stdin(std::vector<uint8_t>& data)
{
uint8_t buffer[1024];
@@ -70,8 +99,8 @@ extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
return 0;
}
-#if defined(PROVIDE_MAIN_FUNCTION)
-__attribute__((weak)) int main(int argc, char** argv)
+#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
+int main(int argc, char** argv)
{
initialize();
static const auto& test_one_input = *Assert(g_test_one_input);
diff --git a/src/test/fuzz/fuzz.h b/src/test/fuzz/fuzz.h
index 19386a5059..2bad77bdc1 100644
--- a/src/test/fuzz/fuzz.h
+++ b/src/test/fuzz/fuzz.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2009-2020 The Bitcoin Core developers
+// Copyright (c) 2009-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -15,22 +15,26 @@ using FuzzBufferType = Span<const uint8_t>;
using TypeTestOneInput = std::function<void(FuzzBufferType)>;
using TypeInitialize = std::function<void()>;
+using TypeHidden = bool;
-void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, TypeInitialize init);
+void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, TypeInitialize init, TypeHidden hidden);
-inline void FuzzFrameworkEmptyFun() {}
+inline void FuzzFrameworkEmptyInitFun() {}
#define FUZZ_TARGET(name) \
- FUZZ_TARGET_INIT(name, FuzzFrameworkEmptyFun)
-
-#define FUZZ_TARGET_INIT(name, init_fun) \
- void name##_fuzz_target(FuzzBufferType); \
- struct name##_Before_Main { \
- name##_Before_Main() \
- { \
- FuzzFrameworkRegisterTarget(#name, name##_fuzz_target, init_fun); \
- } \
- } const static g_##name##_before_main; \
+ FUZZ_TARGET_INIT(name, FuzzFrameworkEmptyInitFun)
+
+#define FUZZ_TARGET_INIT(name, init_fun) \
+ FUZZ_TARGET_INIT_HIDDEN(name, init_fun, false)
+
+#define FUZZ_TARGET_INIT_HIDDEN(name, init_fun, hidden) \
+ void name##_fuzz_target(FuzzBufferType); \
+ struct name##_Before_Main { \
+ name##_Before_Main() \
+ { \
+ FuzzFrameworkRegisterTarget(#name, name##_fuzz_target, init_fun, hidden); \
+ } \
+ } const static g_##name##_before_main; \
void name##_fuzz_target(FuzzBufferType buffer)
#endif // BITCOIN_TEST_FUZZ_FUZZ_H
diff --git a/src/test/fuzz/i2p.cpp b/src/test/fuzz/i2p.cpp
new file mode 100644
index 0000000000..fb6d23aca5
--- /dev/null
+++ b/src/test/fuzz/i2p.cpp
@@ -0,0 +1,57 @@
+// Copyright (c) 2020-2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <i2p.h>
+#include <netaddress.h>
+#include <netbase.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
+#include <threadinterrupt.h>
+#include <util/system.h>
+
+void initialize_i2p()
+{
+ static const auto testing_setup = MakeNoLogFileContext<>();
+}
+
+FUZZ_TARGET_INIT(i2p, initialize_i2p)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+
+ // Mock CreateSock() to create FuzzedSock.
+ auto CreateSockOrig = CreateSock;
+ CreateSock = [&fuzzed_data_provider](const CService&) {
+ return std::make_unique<FuzzedSock>(fuzzed_data_provider);
+ };
+
+ const CService sam_proxy;
+ CThreadInterrupt interrupt;
+
+ i2p::sam::Session sess{gArgs.GetDataDirNet() / "fuzzed_i2p_private_key", sam_proxy, &interrupt};
+
+ i2p::Connection conn;
+
+ if (sess.Listen(conn)) {
+ if (sess.Accept(conn)) {
+ try {
+ (void)conn.sock->RecvUntilTerminator('\n', 10ms, interrupt, i2p::sam::MAX_MSG_SIZE);
+ } catch (const std::runtime_error&) {
+ }
+ }
+ }
+
+ const CService to;
+ bool proxy_error;
+
+ if (sess.Connect(to, conn, proxy_error)) {
+ try {
+ conn.sock->SendComplete("verack\n", 10ms, interrupt);
+ } catch (const std::runtime_error&) {
+ }
+ }
+
+ CreateSock = CreateSockOrig;
+}
diff --git a/src/test/fuzz/integer.cpp b/src/test/fuzz/integer.cpp
index ac83d91ea0..e9fa343896 100644
--- a/src/test/fuzz/integer.cpp
+++ b/src/test/fuzz/integer.cpp
@@ -84,8 +84,7 @@ FUZZ_TARGET_INIT(integer, initialize_integer)
(void)DecompressAmount(u64);
(void)FormatISO8601Date(i64);
(void)FormatISO8601DateTime(i64);
- // FormatMoney(i) not defined when i == std::numeric_limits<int64_t>::min()
- if (i64 != std::numeric_limits<int64_t>::min()) {
+ {
int64_t parsed_money;
if (ParseMoney(FormatMoney(i64), parsed_money)) {
assert(parsed_money == i64);
@@ -123,17 +122,12 @@ FUZZ_TARGET_INIT(integer, initialize_integer)
assert(dynamic_usage == incremental_dynamic_usage * i64s.size());
}
(void)MillisToTimeval(i64);
- const double d = ser_uint64_to_double(u64);
- assert(ser_double_to_uint64(d) == u64);
- const float f = ser_uint32_to_float(u32);
- assert(ser_float_to_uint32(f) == u32);
(void)SighashToStr(uch);
(void)SipHashUint256(u64, u64, u256);
(void)SipHashUint256Extra(u64, u64, u256, u32);
(void)ToLower(ch);
(void)ToUpper(ch);
- // ValueFromAmount(i) not defined when i == std::numeric_limits<int64_t>::min()
- if (i64 != std::numeric_limits<int64_t>::min()) {
+ {
int64_t parsed_money;
if (ParseMoney(ValueFromAmount(i64).getValStr(), parsed_money)) {
assert(parsed_money == i64);
diff --git a/src/test/fuzz/key.cpp b/src/test/fuzz/key.cpp
index aa8f826e4a..32077b1fe2 100644
--- a/src/test/fuzz/key.cpp
+++ b/src/test/fuzz/key.cpp
@@ -17,7 +17,6 @@
#include <script/standard.h>
#include <streams.h>
#include <test/fuzz/fuzz.h>
-#include <util/memory.h>
#include <util/strencodings.h>
#include <cassert>
diff --git a/src/test/fuzz/kitchen_sink.cpp b/src/test/fuzz/kitchen_sink.cpp
index fa4024fc38..908e9a1c83 100644
--- a/src/test/fuzz/kitchen_sink.cpp
+++ b/src/test/fuzz/kitchen_sink.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/fuzz/load_external_block_file.cpp b/src/test/fuzz/load_external_block_file.cpp
index 95597bf082..a7770c90e8 100644
--- a/src/test/fuzz/load_external_block_file.cpp
+++ b/src/test/fuzz/load_external_block_file.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -13,9 +13,14 @@
#include <cstdint>
#include <vector>
+namespace {
+const TestingSetup* g_setup;
+} // namespace
+
void initialize_load_external_block_file()
{
- static const auto testing_setup = MakeFuzzingContext<const TestingSetup>();
+ static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
+ g_setup = testing_setup.get();
}
FUZZ_TARGET_INIT(load_external_block_file, initialize_load_external_block_file)
@@ -27,5 +32,5 @@ FUZZ_TARGET_INIT(load_external_block_file, initialize_load_external_block_file)
return;
}
FlatFilePos flat_file_pos;
- ::ChainstateActive().LoadExternalBlockFile(Params(), fuzzed_block_file, fuzzed_data_provider.ConsumeBool() ? &flat_file_pos : nullptr);
+ g_setup->m_node.chainman->ActiveChainstate().LoadExternalBlockFile(Params(), fuzzed_block_file, fuzzed_data_provider.ConsumeBool() ? &flat_file_pos : nullptr);
}
diff --git a/src/test/fuzz/merkleblock.cpp b/src/test/fuzz/merkleblock.cpp
index 23e0baa564..1eefd4c521 100644
--- a/src/test/fuzz/merkleblock.cpp
+++ b/src/test/fuzz/merkleblock.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/fuzz/muhash.cpp b/src/test/fuzz/muhash.cpp
index 8f843ca773..4ea9511870 100644
--- a/src/test/fuzz/muhash.cpp
+++ b/src/test/fuzz/muhash.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -41,6 +41,11 @@ FUZZ_TARGET(muhash)
muhash.Finalize(out2);
assert(out == out2);
+ MuHash3072 muhash3;
+ muhash3 *= muhash;
+ uint256 out3;
+ muhash3.Finalize(out3);
+ assert(out == out3);
// Test that removing all added elements brings the object back to it's initial state
muhash /= muhash;
@@ -50,4 +55,9 @@ FUZZ_TARGET(muhash)
muhash2.Finalize(out2);
assert(out == out2);
+
+ muhash3.Remove(data);
+ muhash3.Remove(data2);
+ muhash3.Finalize(out3);
+ assert(out == out3);
}
diff --git a/src/test/fuzz/net.cpp b/src/test/fuzz/net.cpp
index 21dca4eb05..20d8581312 100644
--- a/src/test/fuzz/net.cpp
+++ b/src/test/fuzz/net.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -7,7 +7,6 @@
#include <net.h>
#include <net_permissions.h>
#include <netaddress.h>
-#include <optional.h>
#include <protocol.h>
#include <random.h>
#include <test/fuzz/FuzzedDataProvider.h>
@@ -17,12 +16,13 @@
#include <test/util/setup_common.h>
#include <cstdint>
+#include <optional>
#include <string>
#include <vector>
void initialize_net()
{
- static const auto testing_setup = MakeFuzzingContext<>(CBaseChainParams::MAIN);
+ static const auto testing_setup = MakeNoLogFileContext<>(CBaseChainParams::MAIN);
}
FUZZ_TARGET_INIT(net, initialize_net)
@@ -58,27 +58,6 @@ FUZZ_TARGET_INIT(net, initialize_net)
}
},
[&] {
- if (node.m_addr_known == nullptr) {
- return;
- }
- const std::optional<CAddress> addr_opt = ConsumeDeserializable<CAddress>(fuzzed_data_provider);
- if (!addr_opt) {
- return;
- }
- node.AddAddressKnown(*addr_opt);
- },
- [&] {
- if (node.m_addr_known == nullptr) {
- return;
- }
- const std::optional<CAddress> addr_opt = ConsumeDeserializable<CAddress>(fuzzed_data_provider);
- if (!addr_opt) {
- return;
- }
- FastRandomContext fast_random_context{ConsumeUInt256(fuzzed_data_provider)};
- node.PushAddress(*addr_opt, fast_random_context);
- },
- [&] {
const std::optional<CInv> inv_opt = ConsumeDeserializable<CInv>(fuzzed_data_provider);
if (!inv_opt) {
return;
@@ -110,7 +89,6 @@ FUZZ_TARGET_INIT(net, initialize_net)
const int ref_count = node.GetRefCount();
assert(ref_count >= 0);
(void)node.GetCommonVersion();
- (void)node.RelayAddrsWithConn();
const NetPermissionFlags net_permission_flags = ConsumeWeakEnum(fuzzed_data_provider, ALL_NET_PERMISSION_FLAGS);
(void)node.HasPermission(net_permission_flags);
diff --git a/src/test/fuzz/net_permissions.cpp b/src/test/fuzz/net_permissions.cpp
index 544a33047b..6ea79464d0 100644
--- a/src/test/fuzz/net_permissions.cpp
+++ b/src/test/fuzz/net_permissions.cpp
@@ -25,7 +25,7 @@ FUZZ_TARGET(net_permissions)
(void)NetPermissions::ToStrings(net_whitebind_permissions.m_flags);
(void)NetPermissions::AddFlag(net_whitebind_permissions.m_flags, net_permission_flags);
assert(NetPermissions::HasFlag(net_whitebind_permissions.m_flags, net_permission_flags));
- (void)NetPermissions::ClearFlag(net_whitebind_permissions.m_flags, net_permission_flags);
+ (void)NetPermissions::ClearFlag(net_whitebind_permissions.m_flags, NetPermissionFlags::Implicit);
(void)NetPermissions::ToStrings(net_whitebind_permissions.m_flags);
}
@@ -35,7 +35,7 @@ FUZZ_TARGET(net_permissions)
(void)NetPermissions::ToStrings(net_whitelist_permissions.m_flags);
(void)NetPermissions::AddFlag(net_whitelist_permissions.m_flags, net_permission_flags);
assert(NetPermissions::HasFlag(net_whitelist_permissions.m_flags, net_permission_flags));
- (void)NetPermissions::ClearFlag(net_whitelist_permissions.m_flags, net_permission_flags);
+ (void)NetPermissions::ClearFlag(net_whitelist_permissions.m_flags, NetPermissionFlags::Implicit);
(void)NetPermissions::ToStrings(net_whitelist_permissions.m_flags);
}
}
diff --git a/src/test/fuzz/netaddress.cpp b/src/test/fuzz/netaddress.cpp
index 6e9bb47ff6..f9d8129ca9 100644
--- a/src/test/fuzz/netaddress.cpp
+++ b/src/test/fuzz/netaddress.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -9,7 +9,6 @@
#include <cassert>
#include <cstdint>
-#include <netinet/in.h>
#include <vector>
FUZZ_TARGET(netaddress)
diff --git a/src/test/fuzz/netbase_dns_lookup.cpp b/src/test/fuzz/netbase_dns_lookup.cpp
new file mode 100644
index 0000000000..cf2fa33744
--- /dev/null
+++ b/src/test/fuzz/netbase_dns_lookup.cpp
@@ -0,0 +1,71 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <netaddress.h>
+#include <netbase.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+FUZZ_TARGET(netbase_dns_lookup)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+ const std::string name = fuzzed_data_provider.ConsumeRandomLengthString(512);
+ const unsigned int max_results = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
+ const bool allow_lookup = fuzzed_data_provider.ConsumeBool();
+ const uint16_t default_port = fuzzed_data_provider.ConsumeIntegral<uint16_t>();
+
+ auto fuzzed_dns_lookup_function = [&](const std::string&, bool) {
+ std::vector<CNetAddr> resolved_addresses;
+ while (fuzzed_data_provider.ConsumeBool()) {
+ resolved_addresses.push_back(ConsumeNetAddr(fuzzed_data_provider));
+ }
+ return resolved_addresses;
+ };
+
+ {
+ std::vector<CNetAddr> resolved_addresses;
+ if (LookupHost(name, resolved_addresses, max_results, allow_lookup, fuzzed_dns_lookup_function)) {
+ for (const CNetAddr& resolved_address : resolved_addresses) {
+ assert(!resolved_address.IsInternal());
+ }
+ }
+ assert(resolved_addresses.size() <= max_results || max_results == 0);
+ }
+ {
+ CNetAddr resolved_address;
+ if (LookupHost(name, resolved_address, allow_lookup, fuzzed_dns_lookup_function)) {
+ assert(!resolved_address.IsInternal());
+ }
+ }
+ {
+ std::vector<CService> resolved_services;
+ if (Lookup(name, resolved_services, default_port, allow_lookup, max_results, fuzzed_dns_lookup_function)) {
+ for (const CNetAddr& resolved_service : resolved_services) {
+ assert(!resolved_service.IsInternal());
+ }
+ }
+ assert(resolved_services.size() <= max_results || max_results == 0);
+ }
+ {
+ CService resolved_service;
+ if (Lookup(name, resolved_service, default_port, allow_lookup, fuzzed_dns_lookup_function)) {
+ assert(!resolved_service.IsInternal());
+ }
+ }
+ {
+ CService resolved_service = LookupNumeric(name, default_port, fuzzed_dns_lookup_function);
+ assert(!resolved_service.IsInternal());
+ }
+ {
+ CSubNet resolved_subnet;
+ if (LookupSubNet(name, resolved_subnet, fuzzed_dns_lookup_function)) {
+ assert(resolved_subnet.IsValid());
+ }
+ }
+}
diff --git a/src/test/fuzz/node_eviction.cpp b/src/test/fuzz/node_eviction.cpp
index aaebe83c0a..a3f71426fa 100644
--- a/src/test/fuzz/node_eviction.cpp
+++ b/src/test/fuzz/node_eviction.cpp
@@ -3,7 +3,6 @@
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include <net.h>
-#include <optional.h>
#include <protocol.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
@@ -21,23 +20,24 @@ FUZZ_TARGET(node_eviction)
std::vector<NodeEvictionCandidate> eviction_candidates;
while (fuzzed_data_provider.ConsumeBool()) {
eviction_candidates.push_back({
- fuzzed_data_provider.ConsumeIntegral<NodeId>(),
- fuzzed_data_provider.ConsumeIntegral<int64_t>(),
- fuzzed_data_provider.ConsumeIntegral<int64_t>(),
- fuzzed_data_provider.ConsumeIntegral<int64_t>(),
- fuzzed_data_provider.ConsumeIntegral<int64_t>(),
- fuzzed_data_provider.ConsumeBool(),
- fuzzed_data_provider.ConsumeBool(),
- fuzzed_data_provider.ConsumeBool(),
- fuzzed_data_provider.ConsumeIntegral<uint64_t>(),
- fuzzed_data_provider.ConsumeBool(),
- fuzzed_data_provider.ConsumeBool(),
+ /* id */ fuzzed_data_provider.ConsumeIntegral<NodeId>(),
+ /* nTimeConnected */ fuzzed_data_provider.ConsumeIntegral<int64_t>(),
+ /* m_min_ping_time */ std::chrono::microseconds{fuzzed_data_provider.ConsumeIntegral<int64_t>()},
+ /* nLastBlockTime */ fuzzed_data_provider.ConsumeIntegral<int64_t>(),
+ /* nLastTXTime */ fuzzed_data_provider.ConsumeIntegral<int64_t>(),
+ /* fRelevantServices */ fuzzed_data_provider.ConsumeBool(),
+ /* fRelayTxes */ fuzzed_data_provider.ConsumeBool(),
+ /* fBloomFilter */ fuzzed_data_provider.ConsumeBool(),
+ /* nKeyedNetGroup */ fuzzed_data_provider.ConsumeIntegral<uint64_t>(),
+ /* prefer_evict */ fuzzed_data_provider.ConsumeBool(),
+ /* m_is_local */ fuzzed_data_provider.ConsumeBool(),
+ /* m_network */ fuzzed_data_provider.PickValueInArray(ALL_NETWORKS),
});
}
// Make a copy since eviction_candidates may be in some valid but otherwise
// indeterminate state after the SelectNodeToEvict(&&) call.
const std::vector<NodeEvictionCandidate> eviction_candidates_copy = eviction_candidates;
- const Optional<NodeId> node_to_evict = SelectNodeToEvict(std::move(eviction_candidates));
+ const std::optional<NodeId> node_to_evict = SelectNodeToEvict(std::move(eviction_candidates));
if (node_to_evict) {
assert(std::any_of(eviction_candidates_copy.begin(), eviction_candidates_copy.end(), [&node_to_evict](const NodeEvictionCandidate& eviction_candidate) { return *node_to_evict == eviction_candidate.id; }));
}
diff --git a/src/test/fuzz/p2p_transport_deserializer.cpp b/src/test/fuzz/p2p_transport_deserializer.cpp
deleted file mode 100644
index 163f1b839e..0000000000
--- a/src/test/fuzz/p2p_transport_deserializer.cpp
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright (c) 2019-2020 The Bitcoin Core developers
-// Distributed under the MIT software license, see the accompanying
-// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-#include <chainparams.h>
-#include <net.h>
-#include <protocol.h>
-#include <test/fuzz/fuzz.h>
-
-#include <cassert>
-#include <cstdint>
-#include <limits>
-#include <vector>
-
-void initialize_p2p_transport_deserializer()
-{
- SelectParams(CBaseChainParams::REGTEST);
-}
-
-FUZZ_TARGET_INIT(p2p_transport_deserializer, initialize_p2p_transport_deserializer)
-{
- // Construct deserializer, with a dummy NodeId
- V1TransportDeserializer deserializer{Params(), (NodeId)0, SER_NETWORK, INIT_PROTO_VERSION};
- Span<const uint8_t> msg_bytes{buffer};
- while (msg_bytes.size() > 0) {
- const int handled = deserializer.Read(msg_bytes);
- if (handled < 0) {
- break;
- }
- if (deserializer.Complete()) {
- const std::chrono::microseconds m_time{std::numeric_limits<int64_t>::max()};
- uint32_t out_err_raw_size{0};
- Optional<CNetMessage> result{deserializer.GetMessage(m_time, out_err_raw_size)};
- if (result) {
- assert(result->m_command.size() <= CMessageHeader::COMMAND_SIZE);
- assert(result->m_raw_message_size <= buffer.size());
- assert(result->m_raw_message_size == CMessageHeader::HEADER_SIZE + result->m_message_size);
- assert(result->m_time == m_time);
- }
- }
- }
-}
diff --git a/src/test/fuzz/p2p_transport_serialization.cpp b/src/test/fuzz/p2p_transport_serialization.cpp
new file mode 100644
index 0000000000..edee5aeef7
--- /dev/null
+++ b/src/test/fuzz/p2p_transport_serialization.cpp
@@ -0,0 +1,85 @@
+// Copyright (c) 2019-2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <chainparams.h>
+#include <hash.h>
+#include <net.h>
+#include <netmessagemaker.h>
+#include <protocol.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+
+#include <cassert>
+#include <cstdint>
+#include <limits>
+#include <optional>
+#include <vector>
+
+void initialize_p2p_transport_serialization()
+{
+ SelectParams(CBaseChainParams::REGTEST);
+}
+
+FUZZ_TARGET_INIT(p2p_transport_serialization, initialize_p2p_transport_serialization)
+{
+ // Construct deserializer, with a dummy NodeId
+ V1TransportDeserializer deserializer{Params(), (NodeId)0, SER_NETWORK, INIT_PROTO_VERSION};
+ V1TransportSerializer serializer{};
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+
+ auto checksum_assist = fuzzed_data_provider.ConsumeBool();
+ auto magic_bytes_assist = fuzzed_data_provider.ConsumeBool();
+ std::vector<uint8_t> mutable_msg_bytes;
+
+ auto header_bytes_remaining = CMessageHeader::HEADER_SIZE;
+ if (magic_bytes_assist) {
+ auto msg_start = Params().MessageStart();
+ for (size_t i = 0; i < CMessageHeader::MESSAGE_SIZE_SIZE; ++i) {
+ mutable_msg_bytes.push_back(msg_start[i]);
+ }
+ header_bytes_remaining -= CMessageHeader::MESSAGE_SIZE_SIZE;
+ }
+
+ if (checksum_assist) {
+ header_bytes_remaining -= CMessageHeader::CHECKSUM_SIZE;
+ }
+
+ auto header_random_bytes = fuzzed_data_provider.ConsumeBytes<uint8_t>(header_bytes_remaining);
+ mutable_msg_bytes.insert(mutable_msg_bytes.end(), header_random_bytes.begin(), header_random_bytes.end());
+ auto payload_bytes = fuzzed_data_provider.ConsumeRemainingBytes<uint8_t>();
+
+ if (checksum_assist && mutable_msg_bytes.size() == CMessageHeader::CHECKSUM_OFFSET) {
+ CHash256 hasher;
+ unsigned char hsh[32];
+ hasher.Write(payload_bytes);
+ hasher.Finalize(hsh);
+ for (size_t i = 0; i < CMessageHeader::CHECKSUM_SIZE; ++i) {
+ mutable_msg_bytes.push_back(hsh[i]);
+ }
+ }
+
+ mutable_msg_bytes.insert(mutable_msg_bytes.end(), payload_bytes.begin(), payload_bytes.end());
+ Span<const uint8_t> msg_bytes{mutable_msg_bytes};
+ while (msg_bytes.size() > 0) {
+ const int handled = deserializer.Read(msg_bytes);
+ if (handled < 0) {
+ break;
+ }
+ if (deserializer.Complete()) {
+ const std::chrono::microseconds m_time{std::numeric_limits<int64_t>::max()};
+ uint32_t out_err_raw_size{0};
+ std::optional<CNetMessage> result{deserializer.GetMessage(m_time, out_err_raw_size)};
+ if (result) {
+ assert(result->m_command.size() <= CMessageHeader::COMMAND_SIZE);
+ assert(result->m_raw_message_size <= mutable_msg_bytes.size());
+ assert(result->m_raw_message_size == CMessageHeader::HEADER_SIZE + result->m_message_size);
+ assert(result->m_time == m_time);
+
+ std::vector<unsigned char> header;
+ auto msg = CNetMsgMaker{result->m_recv.GetVersion()}.Make(result->m_command, MakeUCharSpan(result->m_recv));
+ serializer.prepareForTransport(msg, header);
+ }
+ }
+ }
+}
diff --git a/src/test/fuzz/parse_iso8601.cpp b/src/test/fuzz/parse_iso8601.cpp
index dcb24ac127..a56f2aa48d 100644
--- a/src/test/fuzz/parse_iso8601.cpp
+++ b/src/test/fuzz/parse_iso8601.cpp
@@ -15,7 +15,7 @@ FUZZ_TARGET(parse_iso8601)
{
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
- const int64_t random_time = fuzzed_data_provider.ConsumeIntegral<int64_t>();
+ const int64_t random_time = fuzzed_data_provider.ConsumeIntegral<int32_t>();
const std::string random_string = fuzzed_data_provider.ConsumeRemainingBytesAsString();
const std::string iso8601_datetime = FormatISO8601DateTime(random_time);
diff --git a/src/test/fuzz/parse_numbers.cpp b/src/test/fuzz/parse_numbers.cpp
index ddd2bcfba3..2c546e9b4a 100644
--- a/src/test/fuzz/parse_numbers.cpp
+++ b/src/test/fuzz/parse_numbers.cpp
@@ -18,6 +18,12 @@ FUZZ_TARGET(parse_numbers)
double d;
(void)ParseDouble(random_string, &d);
+ uint8_t u8;
+ (void)ParseUInt8(random_string, &u8);
+
+ uint16_t u16;
+ (void)ParseUInt16(random_string, &u16);
+
int32_t i32;
(void)ParseInt32(random_string, &i32);
(void)atoi(random_string);
diff --git a/src/test/fuzz/parse_univalue.cpp b/src/test/fuzz/parse_univalue.cpp
index afe382ba21..3fffaac8d0 100644
--- a/src/test/fuzz/parse_univalue.cpp
+++ b/src/test/fuzz/parse_univalue.cpp
@@ -7,7 +7,6 @@
#include <rpc/client.h>
#include <rpc/util.h>
#include <test/fuzz/fuzz.h>
-#include <util/memory.h>
#include <limits>
#include <string>
diff --git a/src/test/fuzz/policy_estimator.cpp b/src/test/fuzz/policy_estimator.cpp
index fff893fb3f..116b7a71d9 100644
--- a/src/test/fuzz/policy_estimator.cpp
+++ b/src/test/fuzz/policy_estimator.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -7,6 +7,7 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
#include <txmempool.h>
#include <cstdint>
@@ -16,7 +17,7 @@
void initialize_policy_estimator()
{
- static const auto testing_setup = MakeFuzzingContext<>();
+ static const auto testing_setup = MakeNoLogFileContext<>();
}
FUZZ_TARGET_INIT(policy_estimator, initialize_policy_estimator)
diff --git a/src/test/fuzz/policy_estimator_io.cpp b/src/test/fuzz/policy_estimator_io.cpp
index 73242870a0..9021d95954 100644
--- a/src/test/fuzz/policy_estimator_io.cpp
+++ b/src/test/fuzz/policy_estimator_io.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -6,13 +6,14 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
#include <cstdint>
#include <vector>
void initialize_policy_estimator_io()
{
- static const auto testing_setup = MakeFuzzingContext<>();
+ static const auto testing_setup = MakeNoLogFileContext<>();
}
FUZZ_TARGET_INIT(policy_estimator_io, initialize_policy_estimator_io)
diff --git a/src/test/fuzz/pow.cpp b/src/test/fuzz/pow.cpp
index c4348495bf..47b4323e81 100644
--- a/src/test/fuzz/pow.cpp
+++ b/src/test/fuzz/pow.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -34,7 +34,7 @@ FUZZ_TARGET_INIT(pow, initialize_pow)
}
CBlockIndex current_block{*block_header};
{
- CBlockIndex* previous_block = !blocks.empty() ? &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)] : nullptr;
+ CBlockIndex* previous_block = blocks.empty() ? nullptr : &PickValue(fuzzed_data_provider, blocks);
const int current_height = (previous_block != nullptr && previous_block->nHeight != std::numeric_limits<int>::max()) ? previous_block->nHeight + 1 : 0;
if (fuzzed_data_provider.ConsumeBool()) {
current_block.pprev = previous_block;
@@ -66,9 +66,9 @@ FUZZ_TARGET_INIT(pow, initialize_pow)
}
}
{
- const CBlockIndex* to = &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)];
- const CBlockIndex* from = &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)];
- const CBlockIndex* tip = &blocks[fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, blocks.size() - 1)];
+ const CBlockIndex* to = &PickValue(fuzzed_data_provider, blocks);
+ const CBlockIndex* from = &PickValue(fuzzed_data_provider, blocks);
+ const CBlockIndex* tip = &PickValue(fuzzed_data_provider, blocks);
try {
(void)GetBlockProofEquivalentTime(*to, *from, *tip, consensus_params);
} catch (const uint_error&) {
diff --git a/src/test/fuzz/process_message.cpp b/src/test/fuzz/process_message.cpp
index a3e46ca2a2..c4e4d4c785 100644
--- a/src/test/fuzz/process_message.cpp
+++ b/src/test/fuzz/process_message.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -18,7 +18,7 @@
#include <test/util/net.h>
#include <test/util/setup_common.h>
#include <test/util/validation.h>
-#include <util/memory.h>
+#include <txorphanage.h>
#include <validationinterface.h>
#include <version.h>
@@ -35,11 +35,42 @@ namespace {
const TestingSetup* g_setup;
} // namespace
+size_t& GetNumMsgTypes()
+{
+ static size_t g_num_msg_types{0};
+ return g_num_msg_types;
+}
+#define FUZZ_TARGET_MSG(msg_type) \
+ struct msg_type##_Count_Before_Main { \
+ msg_type##_Count_Before_Main() \
+ { \
+ ++GetNumMsgTypes(); \
+ } \
+ } const static g_##msg_type##_count_before_main; \
+ FUZZ_TARGET_INIT(process_message_##msg_type, initialize_process_message) \
+ { \
+ fuzz_target(buffer, #msg_type); \
+ }
+
void initialize_process_message()
{
- static const auto testing_setup = MakeFuzzingContext<const TestingSetup>();
+ Assert(GetNumMsgTypes() == getAllNetMessageTypes().size()); // If this fails, add or remove the message type below
+
+ static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
g_setup = testing_setup.get();
+
+ // Temporary debug for https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35027
+ {
+ LOCK(::cs_main);
+ assert(CheckDiskSpace(gArgs.GetDataDirNet()));
+ assert(CheckDiskSpace(gArgs.GetDataDirNet(), 48 * 2 * 2 * g_setup->m_node.chainman->ActiveChainstate().CoinsTip().GetCacheSize()));
+ }
for (int i = 0; i < 2 * COINBASE_MATURITY; i++) {
+ {
+ LOCK(::cs_main);
+ assert(CheckDiskSpace(gArgs.GetDataDirNet()));
+ assert(CheckDiskSpace(gArgs.GetDataDirNet(), 48 * 2 * 2 * g_setup->m_node.chainman->ActiveChainstate().CoinsTip().GetCacheSize()));
+ }
MineBlock(g_setup->m_node, CScript() << OP_TRUE);
}
SyncWithValidationInterfaceQueue();
@@ -49,8 +80,8 @@ void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE
{
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
- ConnmanTestMsg& connman = *(ConnmanTestMsg*)g_setup->m_node.connman.get();
- TestChainState& chainstate = *(TestChainState*)&g_setup->m_node.chainman->ActiveChainstate();
+ ConnmanTestMsg& connman = *static_cast<ConnmanTestMsg*>(g_setup->m_node.connman.get());
+ TestChainState& chainstate = *static_cast<TestChainState*>(&g_setup->m_node.chainman->ActiveChainstate());
SetMockTime(1610000000); // any time to successfully reset ibd
chainstate.ResetIbd();
@@ -60,7 +91,7 @@ void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE
}
CNode& p2p_node = *ConsumeNodeAsUniquePtr(fuzzed_data_provider).release();
- const bool successfully_connected{true};
+ const bool successfully_connected{fuzzed_data_provider.ConsumeBool()};
p2p_node.fSuccessfullyConnected = successfully_connected;
connman.AddTestNode(p2p_node);
g_setup->m_node.peerman->InitializeNode(&p2p_node);
@@ -81,32 +112,41 @@ void fuzz_target(FuzzBufferType buffer, const std::string& LIMIT_TO_MESSAGE_TYPE
g_setup->m_node.peerman->SendMessages(&p2p_node);
}
SyncWithValidationInterfaceQueue();
- LOCK2(::cs_main, g_cs_orphans); // See init.cpp for rationale for implicit locking order requirement
g_setup->m_node.connman->StopNodes();
}
FUZZ_TARGET_INIT(process_message, initialize_process_message) { fuzz_target(buffer, ""); }
-FUZZ_TARGET_INIT(process_message_addr, initialize_process_message) { fuzz_target(buffer, "addr"); }
-FUZZ_TARGET_INIT(process_message_block, initialize_process_message) { fuzz_target(buffer, "block"); }
-FUZZ_TARGET_INIT(process_message_blocktxn, initialize_process_message) { fuzz_target(buffer, "blocktxn"); }
-FUZZ_TARGET_INIT(process_message_cmpctblock, initialize_process_message) { fuzz_target(buffer, "cmpctblock"); }
-FUZZ_TARGET_INIT(process_message_feefilter, initialize_process_message) { fuzz_target(buffer, "feefilter"); }
-FUZZ_TARGET_INIT(process_message_filteradd, initialize_process_message) { fuzz_target(buffer, "filteradd"); }
-FUZZ_TARGET_INIT(process_message_filterclear, initialize_process_message) { fuzz_target(buffer, "filterclear"); }
-FUZZ_TARGET_INIT(process_message_filterload, initialize_process_message) { fuzz_target(buffer, "filterload"); }
-FUZZ_TARGET_INIT(process_message_getaddr, initialize_process_message) { fuzz_target(buffer, "getaddr"); }
-FUZZ_TARGET_INIT(process_message_getblocks, initialize_process_message) { fuzz_target(buffer, "getblocks"); }
-FUZZ_TARGET_INIT(process_message_getblocktxn, initialize_process_message) { fuzz_target(buffer, "getblocktxn"); }
-FUZZ_TARGET_INIT(process_message_getdata, initialize_process_message) { fuzz_target(buffer, "getdata"); }
-FUZZ_TARGET_INIT(process_message_getheaders, initialize_process_message) { fuzz_target(buffer, "getheaders"); }
-FUZZ_TARGET_INIT(process_message_headers, initialize_process_message) { fuzz_target(buffer, "headers"); }
-FUZZ_TARGET_INIT(process_message_inv, initialize_process_message) { fuzz_target(buffer, "inv"); }
-FUZZ_TARGET_INIT(process_message_mempool, initialize_process_message) { fuzz_target(buffer, "mempool"); }
-FUZZ_TARGET_INIT(process_message_notfound, initialize_process_message) { fuzz_target(buffer, "notfound"); }
-FUZZ_TARGET_INIT(process_message_ping, initialize_process_message) { fuzz_target(buffer, "ping"); }
-FUZZ_TARGET_INIT(process_message_pong, initialize_process_message) { fuzz_target(buffer, "pong"); }
-FUZZ_TARGET_INIT(process_message_sendcmpct, initialize_process_message) { fuzz_target(buffer, "sendcmpct"); }
-FUZZ_TARGET_INIT(process_message_sendheaders, initialize_process_message) { fuzz_target(buffer, "sendheaders"); }
-FUZZ_TARGET_INIT(process_message_tx, initialize_process_message) { fuzz_target(buffer, "tx"); }
-FUZZ_TARGET_INIT(process_message_verack, initialize_process_message) { fuzz_target(buffer, "verack"); }
-FUZZ_TARGET_INIT(process_message_version, initialize_process_message) { fuzz_target(buffer, "version"); }
+FUZZ_TARGET_MSG(addr);
+FUZZ_TARGET_MSG(addrv2);
+FUZZ_TARGET_MSG(block);
+FUZZ_TARGET_MSG(blocktxn);
+FUZZ_TARGET_MSG(cfcheckpt);
+FUZZ_TARGET_MSG(cfheaders);
+FUZZ_TARGET_MSG(cfilter);
+FUZZ_TARGET_MSG(cmpctblock);
+FUZZ_TARGET_MSG(feefilter);
+FUZZ_TARGET_MSG(filteradd);
+FUZZ_TARGET_MSG(filterclear);
+FUZZ_TARGET_MSG(filterload);
+FUZZ_TARGET_MSG(getaddr);
+FUZZ_TARGET_MSG(getblocks);
+FUZZ_TARGET_MSG(getblocktxn);
+FUZZ_TARGET_MSG(getcfcheckpt);
+FUZZ_TARGET_MSG(getcfheaders);
+FUZZ_TARGET_MSG(getcfilters);
+FUZZ_TARGET_MSG(getdata);
+FUZZ_TARGET_MSG(getheaders);
+FUZZ_TARGET_MSG(headers);
+FUZZ_TARGET_MSG(inv);
+FUZZ_TARGET_MSG(mempool);
+FUZZ_TARGET_MSG(merkleblock);
+FUZZ_TARGET_MSG(notfound);
+FUZZ_TARGET_MSG(ping);
+FUZZ_TARGET_MSG(pong);
+FUZZ_TARGET_MSG(sendaddrv2);
+FUZZ_TARGET_MSG(sendcmpct);
+FUZZ_TARGET_MSG(sendheaders);
+FUZZ_TARGET_MSG(tx);
+FUZZ_TARGET_MSG(verack);
+FUZZ_TARGET_MSG(version);
+FUZZ_TARGET_MSG(wtxidrelay);
diff --git a/src/test/fuzz/process_messages.cpp b/src/test/fuzz/process_messages.cpp
index 810f0aac92..11b236c9bd 100644
--- a/src/test/fuzz/process_messages.cpp
+++ b/src/test/fuzz/process_messages.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -13,7 +13,7 @@
#include <test/util/net.h>
#include <test/util/setup_common.h>
#include <test/util/validation.h>
-#include <util/memory.h>
+#include <txorphanage.h>
#include <validation.h>
#include <validationinterface.h>
@@ -23,7 +23,7 @@ const TestingSetup* g_setup;
void initialize_process_messages()
{
- static const auto testing_setup = MakeFuzzingContext<const TestingSetup>();
+ static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
g_setup = testing_setup.get();
for (int i = 0; i < 2 * COINBASE_MATURITY; i++) {
MineBlock(g_setup->m_node, CScript() << OP_TRUE);
@@ -35,8 +35,8 @@ FUZZ_TARGET_INIT(process_messages, initialize_process_messages)
{
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
- ConnmanTestMsg& connman = *(ConnmanTestMsg*)g_setup->m_node.connman.get();
- TestChainState& chainstate = *(TestChainState*)&g_setup->m_node.chainman->ActiveChainstate();
+ ConnmanTestMsg& connman = *static_cast<ConnmanTestMsg*>(g_setup->m_node.connman.get());
+ TestChainState& chainstate = *static_cast<TestChainState*>(&g_setup->m_node.chainman->ActiveChainstate());
SetMockTime(1610000000); // any time to successfully reset ibd
chainstate.ResetIbd();
@@ -46,7 +46,7 @@ FUZZ_TARGET_INIT(process_messages, initialize_process_messages)
peers.push_back(ConsumeNodeAsUniquePtr(fuzzed_data_provider, i).release());
CNode& p2p_node = *peers.back();
- const bool successfully_connected{true};
+ const bool successfully_connected{fuzzed_data_provider.ConsumeBool()};
p2p_node.fSuccessfullyConnected = successfully_connected;
p2p_node.fPauseSend = false;
g_setup->m_node.peerman->InitializeNode(&p2p_node);
@@ -65,7 +65,7 @@ FUZZ_TARGET_INIT(process_messages, initialize_process_messages)
net_msg.m_type = random_message_type;
net_msg.data = ConsumeRandomLengthByteVector(fuzzed_data_provider);
- CNode& random_node = *peers.at(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, peers.size() - 1));
+ CNode& random_node = *PickValue(fuzzed_data_provider, peers);
(void)connman.ReceiveMsgFrom(random_node, net_msg);
random_node.fPauseSend = false;
@@ -80,6 +80,5 @@ FUZZ_TARGET_INIT(process_messages, initialize_process_messages)
}
}
SyncWithValidationInterfaceQueue();
- LOCK2(::cs_main, g_cs_orphans); // See init.cpp for rationale for implicit locking order requirement
g_setup->m_node.connman->StopNodes();
}
diff --git a/src/test/fuzz/psbt.cpp b/src/test/fuzz/psbt.cpp
index 0b4588c4ce..6c62dd6e48 100644
--- a/src/test/fuzz/psbt.cpp
+++ b/src/test/fuzz/psbt.cpp
@@ -2,18 +2,19 @@
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <node/psbt.h>
-#include <optional.h>
#include <psbt.h>
#include <pubkey.h>
#include <script/script.h>
#include <streams.h>
-#include <util/memory.h>
+#include <util/check.h>
#include <version.h>
#include <cstdint>
+#include <optional>
#include <string>
#include <vector>
@@ -24,10 +25,10 @@ void initialize_psbt()
FUZZ_TARGET_INIT(psbt, initialize_psbt)
{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
PartiallySignedTransaction psbt_mut;
- const std::string raw_psbt{buffer.begin(), buffer.end()};
std::string error;
- if (!DecodeRawPSBT(psbt_mut, raw_psbt, error)) {
+ if (!DecodeRawPSBT(psbt_mut, fuzzed_data_provider.ConsumeRandomLengthString(), error)) {
return;
}
const PartiallySignedTransaction psbt = psbt_mut;
@@ -40,7 +41,7 @@ FUZZ_TARGET_INIT(psbt, initialize_psbt)
(void)psbt.IsNull();
- Optional<CMutableTransaction> tx = psbt.tx;
+ std::optional<CMutableTransaction> tx = psbt.tx;
if (tx) {
const CMutableTransaction& mtx = *tx;
const PartiallySignedTransaction psbt_from_tx{mtx};
@@ -50,6 +51,7 @@ FUZZ_TARGET_INIT(psbt, initialize_psbt)
(void)PSBTInputSigned(input);
(void)input.IsNull();
}
+ (void)CountPSBTUnsignedInputs(psbt);
for (const PSBTOutput& output : psbt.outputs) {
(void)output.IsNull();
@@ -72,6 +74,20 @@ FUZZ_TARGET_INIT(psbt, initialize_psbt)
const PartiallySignedTransaction psbt_from_tx{result};
}
+ PartiallySignedTransaction psbt_merge;
+ if (!DecodeRawPSBT(psbt_merge, fuzzed_data_provider.ConsumeRandomLengthString(), error)) {
+ psbt_merge = psbt;
+ }
+ psbt_mut = psbt;
+ (void)psbt_mut.Merge(psbt_merge);
+ psbt_mut = psbt;
+ (void)CombinePSBTs(psbt_mut, {psbt_mut, psbt_merge});
psbt_mut = psbt;
- (void)psbt_mut.Merge(psbt);
+ for (unsigned int i = 0; i < psbt_merge.tx->vin.size(); ++i) {
+ (void)psbt_mut.AddInput(psbt_merge.tx->vin[i], psbt_merge.inputs[i]);
+ }
+ for (unsigned int i = 0; i < psbt_merge.tx->vout.size(); ++i) {
+ Assert(psbt_mut.AddOutput(psbt_merge.tx->vout[i], psbt_merge.outputs[i]));
+ }
+ psbt_mut.unknown.insert(psbt_merge.unknown.begin(), psbt_merge.unknown.end());
}
diff --git a/src/test/fuzz/rolling_bloom_filter.cpp b/src/test/fuzz/rolling_bloom_filter.cpp
index 2a08b45aa3..07059cce76 100644
--- a/src/test/fuzz/rolling_bloom_filter.cpp
+++ b/src/test/fuzz/rolling_bloom_filter.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/fuzz/rpc.cpp b/src/test/fuzz/rpc.cpp
new file mode 100644
index 0000000000..9195cc4873
--- /dev/null
+++ b/src/test/fuzz/rpc.cpp
@@ -0,0 +1,359 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <base58.h>
+#include <core_io.h>
+#include <key.h>
+#include <key_io.h>
+#include <node/context.h>
+#include <primitives/block.h>
+#include <primitives/transaction.h>
+#include <psbt.h>
+#include <rpc/blockchain.h>
+#include <rpc/client.h>
+#include <rpc/request.h>
+#include <rpc/server.h>
+#include <rpc/util.h>
+#include <span.h>
+#include <streams.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
+#include <tinyformat.h>
+#include <univalue.h>
+#include <util/strencodings.h>
+#include <util/string.h>
+#include <util/time.h>
+
+#include <cstdint>
+#include <iostream>
+#include <memory>
+#include <optional>
+#include <stdexcept>
+#include <string>
+#include <vector>
+
+namespace {
+struct RPCFuzzTestingSetup : public TestingSetup {
+ RPCFuzzTestingSetup(const std::string& chain_name, const std::vector<const char*>& extra_args) : TestingSetup{chain_name, extra_args}
+ {
+ }
+
+ UniValue CallRPC(const std::string& rpc_method, const std::vector<std::string>& arguments)
+ {
+ JSONRPCRequest request;
+ request.context = &m_node;
+ request.strMethod = rpc_method;
+ request.params = RPCConvertValues(rpc_method, arguments);
+ return tableRPC.execute(request);
+ }
+
+ std::vector<std::string> GetRPCCommands() const
+ {
+ return tableRPC.listCommands();
+ }
+};
+
+RPCFuzzTestingSetup* rpc_testing_setup = nullptr;
+std::string g_limit_to_rpc_command;
+
+// RPC commands which are not appropriate for fuzzing: such as RPC commands
+// reading or writing to a filename passed as an RPC parameter, RPC commands
+// resulting in network activity, etc.
+const std::vector<std::string> RPC_COMMANDS_NOT_SAFE_FOR_FUZZING{
+ "addconnection", // avoid DNS lookups
+ "addnode", // avoid DNS lookups
+ "addpeeraddress", // avoid DNS lookups
+ "analyzepsbt", // avoid signed integer overflow in CFeeRate::GetFee(unsigned long) (https://github.com/bitcoin/bitcoin/issues/20607)
+ "dumptxoutset", // avoid writing to disk
+ "dumpwallet", // avoid writing to disk
+ "echoipc", // avoid assertion failure (Assertion `"EnsureAnyNodeContext(request.context).init" && check' failed.)
+ "generatetoaddress", // avoid prohibitively slow execution (when `num_blocks` is large)
+ "generatetodescriptor", // avoid prohibitively slow execution (when `nblocks` is large)
+ "gettxoutproof", // avoid prohibitively slow execution
+ "importwallet", // avoid reading from disk
+ "loadwallet", // avoid reading from disk
+ "prioritisetransaction", // avoid signed integer overflow in CTxMemPool::PrioritiseTransaction(uint256 const&, long const&) (https://github.com/bitcoin/bitcoin/issues/20626)
+ "savemempool", // disabled as a precautionary measure: may take a file path argument in the future
+ "setban", // avoid DNS lookups
+ "stop", // avoid shutdown state
+};
+
+// RPC commands which are safe for fuzzing.
+const std::vector<std::string> RPC_COMMANDS_SAFE_FOR_FUZZING{
+ "clearbanned",
+ "combinepsbt",
+ "combinerawtransaction",
+ "converttopsbt",
+ "createmultisig",
+ "createpsbt",
+ "createrawtransaction",
+ "decodepsbt",
+ "decoderawtransaction",
+ "decodescript",
+ "deriveaddresses",
+ "disconnectnode",
+ "echo",
+ "echojson",
+ "estimaterawfee",
+ "estimatesmartfee",
+ "finalizepsbt",
+ "generate",
+ "generateblock",
+ "getaddednodeinfo",
+ "getbestblockhash",
+ "getblock",
+ "getblockchaininfo",
+ "getblockcount",
+ "getblockfilter",
+ "getblockhash",
+ "getblockheader",
+ "getblockstats",
+ "getblocktemplate",
+ "getchaintips",
+ "getchaintxstats",
+ "getconnectioncount",
+ "getdescriptorinfo",
+ "getdifficulty",
+ "getindexinfo",
+ "getmemoryinfo",
+ "getmempoolancestors",
+ "getmempooldescendants",
+ "getmempoolentry",
+ "getmempoolinfo",
+ "getmininginfo",
+ "getnettotals",
+ "getnetworkhashps",
+ "getnetworkinfo",
+ "getnodeaddresses",
+ "getpeerinfo",
+ "getrawmempool",
+ "getrawtransaction",
+ "getrpcinfo",
+ "gettxout",
+ "gettxoutsetinfo",
+ "help",
+ "invalidateblock",
+ "joinpsbts",
+ "listbanned",
+ "logging",
+ "mockscheduler",
+ "ping",
+ "preciousblock",
+ "pruneblockchain",
+ "reconsiderblock",
+ "scantxoutset",
+ "sendrawtransaction",
+ "setmocktime",
+ "setnetworkactive",
+ "signmessagewithprivkey",
+ "signrawtransactionwithkey",
+ "submitblock",
+ "submitheader",
+ "syncwithvalidationinterfacequeue",
+ "testmempoolaccept",
+ "uptime",
+ "utxoupdatepsbt",
+ "validateaddress",
+ "verifychain",
+ "verifymessage",
+ "verifytxoutproof",
+ "waitforblock",
+ "waitforblockheight",
+ "waitfornewblock",
+};
+
+std::string ConsumeScalarRPCArgument(FuzzedDataProvider& fuzzed_data_provider)
+{
+ const size_t max_string_length = 4096;
+ const size_t max_base58_bytes_length{64};
+ std::string r;
+ CallOneOf(
+ fuzzed_data_provider,
+ [&] {
+ // string argument
+ r = fuzzed_data_provider.ConsumeRandomLengthString(max_string_length);
+ },
+ [&] {
+ // base64 argument
+ r = EncodeBase64(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length));
+ },
+ [&] {
+ // hex argument
+ r = HexStr(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length));
+ },
+ [&] {
+ // bool argument
+ r = fuzzed_data_provider.ConsumeBool() ? "true" : "false";
+ },
+ [&] {
+ // range argument
+ r = "[" + ToString(fuzzed_data_provider.ConsumeIntegral<int64_t>()) + "," + ToString(fuzzed_data_provider.ConsumeIntegral<int64_t>()) + "]";
+ },
+ [&] {
+ // integral argument (int64_t)
+ r = ToString(fuzzed_data_provider.ConsumeIntegral<int64_t>());
+ },
+ [&] {
+ // integral argument (uint64_t)
+ r = ToString(fuzzed_data_provider.ConsumeIntegral<uint64_t>());
+ },
+ [&] {
+ // floating point argument
+ r = strprintf("%f", fuzzed_data_provider.ConsumeFloatingPoint<double>());
+ },
+ [&] {
+ // tx destination argument
+ r = EncodeDestination(ConsumeTxDestination(fuzzed_data_provider));
+ },
+ [&] {
+ // uint160 argument
+ r = ConsumeUInt160(fuzzed_data_provider).ToString();
+ },
+ [&] {
+ // uint256 argument
+ r = ConsumeUInt256(fuzzed_data_provider).ToString();
+ },
+ [&] {
+ // base32 argument
+ r = EncodeBase32(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length));
+ },
+ [&] {
+ // base58 argument
+ r = EncodeBase58(MakeUCharSpan(fuzzed_data_provider.ConsumeRandomLengthString(max_base58_bytes_length)));
+ },
+ [&] {
+ // base58 argument with checksum
+ r = EncodeBase58Check(MakeUCharSpan(fuzzed_data_provider.ConsumeRandomLengthString(max_base58_bytes_length)));
+ },
+ [&] {
+ // hex encoded block
+ std::optional<CBlock> opt_block = ConsumeDeserializable<CBlock>(fuzzed_data_provider);
+ if (!opt_block) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, PROTOCOL_VERSION};
+ data_stream << *opt_block;
+ r = HexStr(data_stream);
+ },
+ [&] {
+ // hex encoded block header
+ std::optional<CBlockHeader> opt_block_header = ConsumeDeserializable<CBlockHeader>(fuzzed_data_provider);
+ if (!opt_block_header) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, PROTOCOL_VERSION};
+ data_stream << *opt_block_header;
+ r = HexStr(data_stream);
+ },
+ [&] {
+ // hex encoded tx
+ std::optional<CMutableTransaction> opt_tx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+ if (!opt_tx) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, fuzzed_data_provider.ConsumeBool() ? PROTOCOL_VERSION : (PROTOCOL_VERSION | SERIALIZE_TRANSACTION_NO_WITNESS)};
+ data_stream << *opt_tx;
+ r = HexStr(data_stream);
+ },
+ [&] {
+ // base64 encoded psbt
+ std::optional<PartiallySignedTransaction> opt_psbt = ConsumeDeserializable<PartiallySignedTransaction>(fuzzed_data_provider);
+ if (!opt_psbt) {
+ return;
+ }
+ CDataStream data_stream{SER_NETWORK, PROTOCOL_VERSION};
+ data_stream << *opt_psbt;
+ r = EncodeBase64({data_stream.begin(), data_stream.end()});
+ },
+ [&] {
+ // base58 encoded key
+ const std::vector<uint8_t> random_bytes = fuzzed_data_provider.ConsumeBytes<uint8_t>(32);
+ CKey key;
+ key.Set(random_bytes.begin(), random_bytes.end(), fuzzed_data_provider.ConsumeBool());
+ if (!key.IsValid()) {
+ return;
+ }
+ r = EncodeSecret(key);
+ },
+ [&] {
+ // hex encoded pubkey
+ const std::vector<uint8_t> random_bytes = fuzzed_data_provider.ConsumeBytes<uint8_t>(32);
+ CKey key;
+ key.Set(random_bytes.begin(), random_bytes.end(), fuzzed_data_provider.ConsumeBool());
+ if (!key.IsValid()) {
+ return;
+ }
+ r = HexStr(key.GetPubKey());
+ });
+ return r;
+}
+
+std::string ConsumeArrayRPCArgument(FuzzedDataProvider& fuzzed_data_provider)
+{
+ std::vector<std::string> scalar_arguments;
+ while (fuzzed_data_provider.ConsumeBool()) {
+ scalar_arguments.push_back(ConsumeScalarRPCArgument(fuzzed_data_provider));
+ }
+ return "[\"" + Join(scalar_arguments, "\",\"") + "\"]";
+}
+
+std::string ConsumeRPCArgument(FuzzedDataProvider& fuzzed_data_provider)
+{
+ return fuzzed_data_provider.ConsumeBool() ? ConsumeScalarRPCArgument(fuzzed_data_provider) : ConsumeArrayRPCArgument(fuzzed_data_provider);
+}
+
+RPCFuzzTestingSetup* InitializeRPCFuzzTestingSetup()
+{
+ static const auto setup = MakeNoLogFileContext<RPCFuzzTestingSetup>();
+ SetRPCWarmupFinished();
+ return setup.get();
+}
+}; // namespace
+
+void initialize_rpc()
+{
+ rpc_testing_setup = InitializeRPCFuzzTestingSetup();
+ const std::vector<std::string> supported_rpc_commands = rpc_testing_setup->GetRPCCommands();
+ for (const std::string& rpc_command : supported_rpc_commands) {
+ const bool safe_for_fuzzing = std::find(RPC_COMMANDS_SAFE_FOR_FUZZING.begin(), RPC_COMMANDS_SAFE_FOR_FUZZING.end(), rpc_command) != RPC_COMMANDS_SAFE_FOR_FUZZING.end();
+ const bool not_safe_for_fuzzing = std::find(RPC_COMMANDS_NOT_SAFE_FOR_FUZZING.begin(), RPC_COMMANDS_NOT_SAFE_FOR_FUZZING.end(), rpc_command) != RPC_COMMANDS_NOT_SAFE_FOR_FUZZING.end();
+ if (!(safe_for_fuzzing || not_safe_for_fuzzing)) {
+ std::cerr << "Error: RPC command \"" << rpc_command << "\" not found in RPC_COMMANDS_SAFE_FOR_FUZZING or RPC_COMMANDS_NOT_SAFE_FOR_FUZZING. Please update " << __FILE__ << ".\n";
+ std::terminate();
+ }
+ if (safe_for_fuzzing && not_safe_for_fuzzing) {
+ std::cerr << "Error: RPC command \"" << rpc_command << "\" found in *both* RPC_COMMANDS_SAFE_FOR_FUZZING and RPC_COMMANDS_NOT_SAFE_FOR_FUZZING. Please update " << __FILE__ << ".\n";
+ std::terminate();
+ }
+ }
+ const char* limit_to_rpc_command_env = std::getenv("LIMIT_TO_RPC_COMMAND");
+ if (limit_to_rpc_command_env != nullptr) {
+ g_limit_to_rpc_command = std::string{limit_to_rpc_command_env};
+ }
+}
+
+FUZZ_TARGET_INIT(rpc, initialize_rpc)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+ SetMockTime(ConsumeTime(fuzzed_data_provider));
+ const std::string rpc_command = fuzzed_data_provider.ConsumeRandomLengthString(64);
+ if (!g_limit_to_rpc_command.empty() && rpc_command != g_limit_to_rpc_command) {
+ return;
+ }
+ const bool safe_for_fuzzing = std::find(RPC_COMMANDS_SAFE_FOR_FUZZING.begin(), RPC_COMMANDS_SAFE_FOR_FUZZING.end(), rpc_command) != RPC_COMMANDS_SAFE_FOR_FUZZING.end();
+ if (!safe_for_fuzzing) {
+ return;
+ }
+ std::vector<std::string> arguments;
+ while (fuzzed_data_provider.ConsumeBool()) {
+ arguments.push_back(ConsumeRPCArgument(fuzzed_data_provider));
+ }
+ try {
+ rpc_testing_setup->CallRPC(rpc_command, arguments);
+ } catch (const UniValue&) {
+ } catch (const std::runtime_error&) {
+ }
+}
diff --git a/src/test/fuzz/script.cpp b/src/test/fuzz/script.cpp
index 7fadf36f98..b87bcf2ef5 100644
--- a/src/test/fuzz/script.cpp
+++ b/src/test/fuzz/script.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2019-2020 The Bitcoin Core developers
+// Copyright (c) 2019-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -20,7 +20,6 @@
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
#include <univalue.h>
-#include <util/memory.h>
#include <algorithm>
#include <cassert>
@@ -44,7 +43,7 @@ FUZZ_TARGET_INIT(script, initialize_script)
if (!script_opt) return;
const CScript script{*script_opt};
- std::vector<unsigned char> compressed;
+ CompressedScript compressed;
if (CompressScript(script, compressed)) {
const unsigned int size = compressed[0];
compressed.erase(compressed.begin());
@@ -56,22 +55,45 @@ FUZZ_TARGET_INIT(script, initialize_script)
}
CTxDestination address;
- (void)ExtractDestination(script, address);
-
TxoutType type_ret;
std::vector<CTxDestination> addresses;
int required_ret;
- (void)ExtractDestinations(script, type_ret, addresses, required_ret);
-
- const FlatSigningProvider signing_provider;
- (void)InferDescriptor(script, signing_provider);
-
- (void)IsSegWitOutput(signing_provider, script);
-
- (void)IsSolvable(signing_provider, script);
+ bool extract_destinations_ret = ExtractDestinations(script, type_ret, addresses, required_ret);
+ bool extract_destination_ret = ExtractDestination(script, address);
+ if (!extract_destinations_ret) {
+ assert(!extract_destination_ret);
+ if (type_ret == TxoutType::MULTISIG) {
+ assert(addresses.empty() && required_ret == 0);
+ } else {
+ assert(type_ret == TxoutType::PUBKEY ||
+ type_ret == TxoutType::NONSTANDARD ||
+ type_ret == TxoutType::NULL_DATA);
+ }
+ } else {
+ assert(required_ret >= 1 && required_ret <= 16);
+ assert((unsigned long)required_ret == addresses.size());
+ assert(type_ret == TxoutType::MULTISIG || required_ret == 1);
+ }
+ if (type_ret == TxoutType::NONSTANDARD || type_ret == TxoutType::NULL_DATA) {
+ assert(!extract_destinations_ret);
+ }
+ if (!extract_destination_ret) {
+ assert(type_ret == TxoutType::PUBKEY ||
+ type_ret == TxoutType::NONSTANDARD ||
+ type_ret == TxoutType::NULL_DATA ||
+ type_ret == TxoutType::MULTISIG);
+ } else {
+ assert(address == addresses[0]);
+ }
+ if (type_ret == TxoutType::NONSTANDARD ||
+ type_ret == TxoutType::NULL_DATA ||
+ type_ret == TxoutType::MULTISIG) {
+ assert(!extract_destination_ret);
+ }
TxoutType which_type;
bool is_standard_ret = IsStandard(script, which_type);
+ assert(type_ret == which_type);
if (!is_standard_ret) {
assert(which_type == TxoutType::NONSTANDARD ||
which_type == TxoutType::NULL_DATA ||
@@ -88,6 +110,11 @@ FUZZ_TARGET_INIT(script, initialize_script)
which_type == TxoutType::NONSTANDARD);
}
+ const FlatSigningProvider signing_provider;
+ (void)InferDescriptor(script, signing_provider);
+ (void)IsSegWitOutput(signing_provider, script);
+ (void)IsSolvable(signing_provider, script);
+
(void)RecursiveDynamicUsage(script);
std::vector<std::vector<unsigned char>> solutions;
@@ -104,9 +131,11 @@ FUZZ_TARGET_INIT(script, initialize_script)
(void)ScriptToAsmStr(script, true);
UniValue o1(UniValue::VOBJ);
- ScriptPubKeyToUniv(script, o1, true);
+ ScriptPubKeyToUniv(script, o1, true, true);
+ ScriptPubKeyToUniv(script, o1, true, false);
UniValue o2(UniValue::VOBJ);
- ScriptPubKeyToUniv(script, o2, false);
+ ScriptPubKeyToUniv(script, o2, false, true);
+ ScriptPubKeyToUniv(script, o2, false, false);
UniValue o3(UniValue::VOBJ);
ScriptToUniv(script, o3, true);
UniValue o4(UniValue::VOBJ);
@@ -114,10 +143,12 @@ FUZZ_TARGET_INIT(script, initialize_script)
{
const std::vector<uint8_t> bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);
+ CompressedScript compressed_script;
+ compressed_script.assign(bytes.begin(), bytes.end());
// DecompressScript(..., ..., bytes) is not guaranteed to be defined if the bytes vector is too short
- if (bytes.size() >= 32) {
+ if (compressed_script.size() >= 32) {
CScript decompressed_script;
- DecompressScript(decompressed_script, fuzzed_data_provider.ConsumeIntegral<unsigned int>(), bytes);
+ DecompressScript(decompressed_script, fuzzed_data_provider.ConsumeIntegral<unsigned int>(), compressed_script);
}
}
diff --git a/src/test/fuzz/script_assets_test_minimizer.cpp b/src/test/fuzz/script_assets_test_minimizer.cpp
index 2091ad5d91..a80338b965 100644
--- a/src/test/fuzz/script_assets_test_minimizer.cpp
+++ b/src/test/fuzz/script_assets_test_minimizer.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -28,12 +28,12 @@
//
// (normal build)
// $ mkdir dump
-// $ for N in $(seq 1 10); do TEST_DUMP_DIR=dump test/functional/feature_taproot --dumptests; done
+// $ for N in $(seq 1 10); do TEST_DUMP_DIR=dump test/functional/feature_taproot.py --dumptests; done
// $ ...
//
-// (fuzz test build)
+// (libFuzzer build)
// $ mkdir dump-min
-// $ ./src/test/fuzz/script_assets_test_minimizer -merge=1 dump-min/ dump/
+// $ FUZZ=script_assets_test_minimizer ./src/test/fuzz/fuzz -merge=1 -use_value_profile=1 dump-min/ dump/
// $ (echo -en '[\n'; cat dump-min/* | head -c -2; echo -en '\n]') >script_assets_test.json
namespace {
@@ -133,8 +133,7 @@ unsigned int ParseScriptFlags(const std::string& str)
std::vector<std::string> words;
boost::algorithm::split(words, str, boost::algorithm::is_any_of(","));
- for (const std::string& word : words)
- {
+ for (const std::string& word : words) {
auto it = FLAG_NAMES.find(word);
if (it == FLAG_NAMES.end()) throw std::runtime_error("Unknown verification flag " + word);
flags |= it->second;
@@ -161,7 +160,7 @@ void Test(const std::string& str)
tx.vin[idx].scriptWitness = ScriptWitnessFromJSON(test["success"]["witness"]);
PrecomputedTransactionData txdata;
txdata.Init(tx, std::vector<CTxOut>(prevouts));
- MutableTransactionSignatureChecker txcheck(&tx, idx, prevouts[idx].nValue, txdata);
+ MutableTransactionSignatureChecker txcheck(&tx, idx, prevouts[idx].nValue, txdata, MissingDataBehavior::ASSERT_FAIL);
for (const auto flags : ALL_FLAGS) {
// "final": true tests are valid for all flags. Others are only valid with flags that are
// a subset of test_flags.
@@ -176,7 +175,7 @@ void Test(const std::string& str)
tx.vin[idx].scriptWitness = ScriptWitnessFromJSON(test["failure"]["witness"]);
PrecomputedTransactionData txdata;
txdata.Init(tx, std::vector<CTxOut>(prevouts));
- MutableTransactionSignatureChecker txcheck(&tx, idx, prevouts[idx].nValue, txdata);
+ MutableTransactionSignatureChecker txcheck(&tx, idx, prevouts[idx].nValue, txdata, MissingDataBehavior::ASSERT_FAIL);
for (const auto flags : ALL_FLAGS) {
// If a test is supposed to fail with test_flags, it should also fail with any superset thereof.
if ((flags & test_flags) == test_flags) {
@@ -186,15 +185,19 @@ void Test(const std::string& str)
}
}
-ECCVerifyHandle handle;
-
-} // namespace
+void test_init()
+{
+ static ECCVerifyHandle handle;
+}
-FUZZ_TARGET(script_assets_test_minimizer)
+FUZZ_TARGET_INIT_HIDDEN(script_assets_test_minimizer, test_init, /* hidden */ true)
{
if (buffer.size() < 2 || buffer.back() != '\n' || buffer[buffer.size() - 2] != ',') return;
const std::string str((const char*)buffer.data(), buffer.size() - 2);
try {
Test(str);
- } catch (const std::runtime_error&) {}
+ } catch (const std::runtime_error&) {
+ }
}
+
+} // namespace
diff --git a/src/test/fuzz/script_descriptor_cache.cpp b/src/test/fuzz/script_descriptor_cache.cpp
index 1c62c018e7..6ce13d5679 100644
--- a/src/test/fuzz/script_descriptor_cache.cpp
+++ b/src/test/fuzz/script_descriptor_cache.cpp
@@ -2,7 +2,6 @@
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-#include <optional.h>
#include <pubkey.h>
#include <script/descriptor.h>
#include <test/fuzz/FuzzedDataProvider.h>
@@ -10,6 +9,7 @@
#include <test/fuzz/util.h>
#include <cstdint>
+#include <optional>
#include <string>
#include <vector>
diff --git a/src/test/fuzz/script_flags.cpp b/src/test/fuzz/script_flags.cpp
index ce8915ca2c..1278dc87d4 100644
--- a/src/test/fuzz/script_flags.cpp
+++ b/src/test/fuzz/script_flags.cpp
@@ -5,14 +5,11 @@
#include <pubkey.h>
#include <script/interpreter.h>
#include <streams.h>
-#include <util/memory.h>
+#include <test/util/script.h>
#include <version.h>
#include <test/fuzz/fuzz.h>
-/** Flags that are not forbidden by an assert */
-static bool IsValidFlagCombination(unsigned flags);
-
void initialize_script_flags()
{
static const ECCVerifyHandle verify_handle;
@@ -44,6 +41,10 @@ FUZZ_TARGET_INIT(script_flags, initialize_script_flags)
for (unsigned i = 0; i < tx.vin.size(); ++i) {
CTxOut prevout;
ds >> prevout;
+ if (!MoneyRange(prevout.nValue)) {
+ // prevouts should be consensus-valid
+ prevout.nValue = 1;
+ }
spent_outputs.push_back(prevout);
}
PrecomputedTransactionData txdata;
@@ -51,7 +52,7 @@ FUZZ_TARGET_INIT(script_flags, initialize_script_flags)
for (unsigned i = 0; i < tx.vin.size(); ++i) {
const CTxOut& prevout = txdata.m_spent_outputs.at(i);
- const TransactionSignatureChecker checker{&tx, i, prevout.nValue, txdata};
+ const TransactionSignatureChecker checker{&tx, i, prevout.nValue, txdata, MissingDataBehavior::ASSERT_FAIL};
ScriptError serror;
const bool ret = VerifyScript(tx.vin.at(i).scriptSig, prevout.scriptPubKey, &tx.vin.at(i).scriptWitness, verify_flags, checker, &serror);
@@ -75,10 +76,3 @@ FUZZ_TARGET_INIT(script_flags, initialize_script_flags)
return;
}
}
-
-static bool IsValidFlagCombination(unsigned flags)
-{
- if (flags & SCRIPT_VERIFY_CLEANSTACK && ~flags & (SCRIPT_VERIFY_P2SH | SCRIPT_VERIFY_WITNESS)) return false;
- if (flags & SCRIPT_VERIFY_WITNESS && ~flags & SCRIPT_VERIFY_P2SH) return false;
- return true;
-}
diff --git a/src/test/fuzz/script_ops.cpp b/src/test/fuzz/script_ops.cpp
index bdbfe817ff..4bc709ed35 100644
--- a/src/test/fuzz/script_ops.cpp
+++ b/src/test/fuzz/script_ops.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -14,55 +14,54 @@
FUZZ_TARGET(script_ops)
{
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
- CScript script = ConsumeScript(fuzzed_data_provider);
+ CScript script_mut = ConsumeScript(fuzzed_data_provider);
while (fuzzed_data_provider.remaining_bytes() > 0) {
CallOneOf(
fuzzed_data_provider,
[&] {
CScript s = ConsumeScript(fuzzed_data_provider);
- script = std::move(s);
+ script_mut = std::move(s);
},
[&] {
const CScript& s = ConsumeScript(fuzzed_data_provider);
- script = s;
+ script_mut = s;
},
[&] {
- script << fuzzed_data_provider.ConsumeIntegral<int64_t>();
+ script_mut << fuzzed_data_provider.ConsumeIntegral<int64_t>();
},
[&] {
- script << ConsumeOpcodeType(fuzzed_data_provider);
+ script_mut << ConsumeOpcodeType(fuzzed_data_provider);
},
[&] {
- script << ConsumeScriptNum(fuzzed_data_provider);
+ script_mut << ConsumeScriptNum(fuzzed_data_provider);
},
[&] {
- script << ConsumeRandomLengthByteVector(fuzzed_data_provider);
+ script_mut << ConsumeRandomLengthByteVector(fuzzed_data_provider);
},
[&] {
- script.clear();
- },
- [&] {
- (void)script.GetSigOpCount(false);
- (void)script.GetSigOpCount(true);
- (void)script.GetSigOpCount(script);
- (void)script.HasValidOps();
- (void)script.IsPayToScriptHash();
- (void)script.IsPayToWitnessScriptHash();
- (void)script.IsPushOnly();
- (void)script.IsUnspendable();
- {
- CScript::const_iterator pc = script.begin();
- opcodetype opcode;
- (void)script.GetOp(pc, opcode);
- std::vector<uint8_t> data;
- (void)script.GetOp(pc, opcode, data);
- (void)script.IsPushOnly(pc);
- }
- {
- int version;
- std::vector<uint8_t> program;
- (void)script.IsWitnessProgram(version, program);
- }
+ script_mut.clear();
});
}
+ const CScript& script = script_mut;
+ (void)script.GetSigOpCount(false);
+ (void)script.GetSigOpCount(true);
+ (void)script.GetSigOpCount(script);
+ (void)script.HasValidOps();
+ (void)script.IsPayToScriptHash();
+ (void)script.IsPayToWitnessScriptHash();
+ (void)script.IsPushOnly();
+ (void)script.IsUnspendable();
+ {
+ CScript::const_iterator pc = script.begin();
+ opcodetype opcode;
+ (void)script.GetOp(pc, opcode);
+ std::vector<uint8_t> data;
+ (void)script.GetOp(pc, opcode, data);
+ (void)script.IsPushOnly(pc);
+ }
+ {
+ int version;
+ std::vector<uint8_t> program;
+ (void)script.IsWitnessProgram(version, program);
+ }
}
diff --git a/src/test/fuzz/scriptnum_ops.cpp b/src/test/fuzz/scriptnum_ops.cpp
index bc4867839c..62ed50d13f 100644
--- a/src/test/fuzz/scriptnum_ops.cpp
+++ b/src/test/fuzz/scriptnum_ops.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
diff --git a/src/test/fuzz/signature_checker.cpp b/src/test/fuzz/signature_checker.cpp
index 3e7b72805e..6b86c8889d 100644
--- a/src/test/fuzz/signature_checker.cpp
+++ b/src/test/fuzz/signature_checker.cpp
@@ -6,7 +6,8 @@
#include <script/interpreter.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
-#include <util/memory.h>
+#include <test/fuzz/util.h>
+#include <test/util/script.h>
#include <cstdint>
#include <limits>
@@ -15,7 +16,7 @@
void initialize_signature_checker()
{
- static const auto verify_handle = MakeUnique<ECCVerifyHandle>();
+ static const auto verify_handle = std::make_unique<ECCVerifyHandle>();
}
namespace {
@@ -57,17 +58,12 @@ FUZZ_TARGET_INIT(signature_checker, initialize_signature_checker)
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
const unsigned int flags = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
const SigVersion sig_version = fuzzed_data_provider.PickValueInArray({SigVersion::BASE, SigVersion::WITNESS_V0});
- const std::string script_string_1 = fuzzed_data_provider.ConsumeRandomLengthString(65536);
- const std::vector<uint8_t> script_bytes_1{script_string_1.begin(), script_string_1.end()};
- const std::string script_string_2 = fuzzed_data_provider.ConsumeRandomLengthString(65536);
- const std::vector<uint8_t> script_bytes_2{script_string_2.begin(), script_string_2.end()};
+ const auto script_1 = ConsumeScript(fuzzed_data_provider, 65536);
+ const auto script_2 = ConsumeScript(fuzzed_data_provider, 65536);
std::vector<std::vector<unsigned char>> stack;
- (void)EvalScript(stack, {script_bytes_1.begin(), script_bytes_1.end()}, flags, FuzzedSignatureChecker(fuzzed_data_provider), sig_version, nullptr);
- if ((flags & SCRIPT_VERIFY_CLEANSTACK) != 0 && ((flags & SCRIPT_VERIFY_P2SH) == 0 || (flags & SCRIPT_VERIFY_WITNESS) == 0)) {
+ (void)EvalScript(stack, script_1, flags, FuzzedSignatureChecker(fuzzed_data_provider), sig_version, nullptr);
+ if (!IsValidFlagCombination(flags)) {
return;
}
- if ((flags & SCRIPT_VERIFY_WITNESS) != 0 && (flags & SCRIPT_VERIFY_P2SH) == 0) {
- return;
- }
- (void)VerifyScript({script_bytes_1.begin(), script_bytes_1.end()}, {script_bytes_2.begin(), script_bytes_2.end()}, nullptr, flags, FuzzedSignatureChecker(fuzzed_data_provider), nullptr);
+ (void)VerifyScript(script_1, script_2, nullptr, flags, FuzzedSignatureChecker(fuzzed_data_provider), nullptr);
}
diff --git a/src/test/fuzz/signet.cpp b/src/test/fuzz/signet.cpp
index 83effec064..303dcf13e3 100644
--- a/src/test/fuzz/signet.cpp
+++ b/src/test/fuzz/signet.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -10,6 +10,7 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
#include <cstdint>
#include <optional>
@@ -17,7 +18,7 @@
void initialize_signet()
{
- static const auto testing_setup = MakeFuzzingContext<>(CBaseChainParams::SIGNET);
+ static const auto testing_setup = MakeNoLogFileContext<>(CBaseChainParams::SIGNET);
}
FUZZ_TARGET_INIT(signet, initialize_signet)
diff --git a/src/test/fuzz/socks5.cpp b/src/test/fuzz/socks5.cpp
new file mode 100644
index 0000000000..c3a6eed089
--- /dev/null
+++ b/src/test/fuzz/socks5.cpp
@@ -0,0 +1,45 @@
+// Copyright (c) 2020-2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <netaddress.h>
+#include <netbase.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+namespace {
+int default_socks5_recv_timeout;
+};
+
+extern int g_socks5_recv_timeout;
+
+void initialize_socks5()
+{
+ static const auto testing_setup = MakeNoLogFileContext<const BasicTestingSetup>();
+ default_socks5_recv_timeout = g_socks5_recv_timeout;
+}
+
+FUZZ_TARGET_INIT(socks5, initialize_socks5)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+ ProxyCredentials proxy_credentials;
+ proxy_credentials.username = fuzzed_data_provider.ConsumeRandomLengthString(512);
+ proxy_credentials.password = fuzzed_data_provider.ConsumeRandomLengthString(512);
+ InterruptSocks5(fuzzed_data_provider.ConsumeBool());
+ // Set FUZZED_SOCKET_FAKE_LATENCY=1 to exercise recv timeout code paths. This
+ // will slow down fuzzing.
+ g_socks5_recv_timeout = (fuzzed_data_provider.ConsumeBool() && std::getenv("FUZZED_SOCKET_FAKE_LATENCY") != nullptr) ? 1 : default_socks5_recv_timeout;
+ FuzzedSock fuzzed_sock = ConsumeSock(fuzzed_data_provider);
+ // This Socks5(...) fuzzing harness would have caught CVE-2017-18350 within
+ // a few seconds of fuzzing.
+ (void)Socks5(fuzzed_data_provider.ConsumeRandomLengthString(512),
+ fuzzed_data_provider.ConsumeIntegral<uint16_t>(),
+ fuzzed_data_provider.ConsumeBool() ? &proxy_credentials : nullptr,
+ fuzzed_sock);
+}
diff --git a/src/test/fuzz/string.cpp b/src/test/fuzz/string.cpp
index 282a2cd8ca..286375f7ae 100644
--- a/src/test/fuzz/string.cpp
+++ b/src/test/fuzz/string.cpp
@@ -1,10 +1,11 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include <blockfilter.h>
#include <clientversion.h>
#include <logging.h>
+#include <netaddress.h>
#include <netbase.h>
#include <outputtype.h>
#include <rpc/client.h>
@@ -67,6 +68,7 @@ FUZZ_TARGET(string)
}
OutputType output_type;
(void)ParseOutputType(random_string_1, output_type);
+ (void)RemovePrefix(random_string_1, random_string_2);
(void)ResolveErrMsg(random_string_1, random_string_2);
try {
(void)RPCConvertNamedValues(random_string_1, random_string_vector);
@@ -78,8 +80,10 @@ FUZZ_TARGET(string)
}
(void)SanitizeString(random_string_1);
(void)SanitizeString(random_string_1, fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 3));
+#ifndef WIN32
(void)ShellEscape(random_string_1);
- int port_out;
+#endif // WIN32
+ uint16_t port_out;
std::string host_out;
SplitHostPort(random_string_1, port_out, host_out);
(void)TimingResistantEqual(random_string_1, random_string_2);
diff --git a/src/test/fuzz/strprintf.cpp b/src/test/fuzz/strprintf.cpp
index b66a7abfb3..18de0e1960 100644
--- a/src/test/fuzz/strprintf.cpp
+++ b/src/test/fuzz/strprintf.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -49,67 +49,6 @@ FUZZ_TARGET(str_printf)
// Upstream bug report: https://github.com/c42f/tinyformat/issues/70
try {
- (void)strprintf(format_string, (signed char*)nullptr);
- (void)tinyformat::format(bilingual_string, (signed char*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (unsigned char*)nullptr);
- (void)tinyformat::format(bilingual_string, (unsigned char*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (void*)nullptr);
- (void)tinyformat::format(bilingual_string, (void*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (bool*)nullptr);
- (void)tinyformat::format(bilingual_string, (bool*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (float*)nullptr);
- (void)tinyformat::format(bilingual_string, (float*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (double*)nullptr);
- (void)tinyformat::format(bilingual_string, (double*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (int16_t*)nullptr);
- (void)tinyformat::format(bilingual_string, (int16_t*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (uint16_t*)nullptr);
- (void)tinyformat::format(bilingual_string, (uint16_t*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (int32_t*)nullptr);
- (void)tinyformat::format(bilingual_string, (int32_t*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (uint32_t*)nullptr);
- (void)tinyformat::format(bilingual_string, (uint32_t*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (int64_t*)nullptr);
- (void)tinyformat::format(bilingual_string, (int64_t*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
- try {
- (void)strprintf(format_string, (uint64_t*)nullptr);
- (void)tinyformat::format(bilingual_string, (uint64_t*)nullptr);
- } catch (const tinyformat::format_error&) {
- }
-
- try {
CallOneOf(
fuzzed_data_provider,
[&] {
diff --git a/src/test/fuzz/system.cpp b/src/test/fuzz/system.cpp
index 3621702e45..b25dcfcd3b 100644
--- a/src/test/fuzz/system.cpp
+++ b/src/test/fuzz/system.cpp
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 The Bitcoin Core developers
+// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -51,7 +51,7 @@ FUZZ_TARGET(system)
// Avoid hitting:
// util/system.cpp:425: void ArgsManager::AddArg(const std::string &, const std::string &, unsigned int, const OptionsCategory &): Assertion `ret.second' failed.
const std::string argument_name = GetArgumentName(fuzzed_data_provider.ConsumeRandomLengthString(16));
- if (args_manager.GetArgFlags(argument_name) != nullopt) {
+ if (args_manager.GetArgFlags(argument_name) != std::nullopt) {
return;
}
args_manager.AddArg(argument_name, fuzzed_data_provider.ConsumeRandomLengthString(16), fuzzed_data_provider.ConsumeIntegral<unsigned int>() & ~ArgsManager::COMMAND, options_category);
@@ -63,7 +63,7 @@ FUZZ_TARGET(system)
std::vector<std::string> hidden_arguments;
for (const std::string& name : names) {
const std::string hidden_argument = GetArgumentName(name);
- if (args_manager.GetArgFlags(hidden_argument) != nullopt) {
+ if (args_manager.GetArgFlags(hidden_argument) != std::nullopt) {
continue;
}
if (std::find(hidden_arguments.begin(), hidden_arguments.end(), hidden_argument) != hidden_arguments.end()) {
diff --git a/src/test/fuzz/timedata.cpp b/src/test/fuzz/timedata.cpp
index d7fa66298a..f7dc5f433e 100644
--- a/src/test/fuzz/timedata.cpp
+++ b/src/test/fuzz/timedata.cpp
@@ -15,10 +15,12 @@ FUZZ_TARGET(timedata)
{
FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
const unsigned int max_size = fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(0, 1000);
+ // A max_size of 0 implies no limit, so cap the max number of insertions to avoid timeouts
+ auto max_to_insert = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 4000);
// Divide by 2 to avoid signed integer overflow in .median()
const int64_t initial_value = fuzzed_data_provider.ConsumeIntegral<int64_t>() / 2;
CMedianFilter<int64_t> median_filter{max_size, initial_value};
- while (fuzzed_data_provider.remaining_bytes() > 0) {
+ while (fuzzed_data_provider.remaining_bytes() > 0 && --max_to_insert >= 0) {
(void)median_filter.median();
assert(median_filter.size() > 0);
assert(static_cast<size_t>(median_filter.size()) == median_filter.sorted().size());
diff --git a/src/test/fuzz/torcontrol.cpp b/src/test/fuzz/torcontrol.cpp
new file mode 100644
index 0000000000..a97d3962bf
--- /dev/null
+++ b/src/test/fuzz/torcontrol.cpp
@@ -0,0 +1,80 @@
+// Copyright (c) 2020-2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
+#include <torcontrol.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+class DummyTorControlConnection : public TorControlConnection
+{
+public:
+ DummyTorControlConnection() : TorControlConnection{nullptr}
+ {
+ }
+
+ bool Connect(const std::string&, const ConnectionCB&, const ConnectionCB&)
+ {
+ return true;
+ }
+
+ void Disconnect()
+ {
+ }
+
+ bool Command(const std::string&, const ReplyHandlerCB&)
+ {
+ return true;
+ }
+};
+
+void initialize_torcontrol()
+{
+ static const auto testing_setup = MakeNoLogFileContext<>();
+}
+
+FUZZ_TARGET_INIT(torcontrol, initialize_torcontrol)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+
+ TorController tor_controller;
+ while (fuzzed_data_provider.ConsumeBool()) {
+ TorControlReply tor_control_reply;
+ CallOneOf(
+ fuzzed_data_provider,
+ [&] {
+ tor_control_reply.code = 250;
+ },
+ [&] {
+ tor_control_reply.code = 510;
+ },
+ [&] {
+ tor_control_reply.code = fuzzed_data_provider.ConsumeIntegral<int>();
+ });
+ tor_control_reply.lines = ConsumeRandomLengthStringVector(fuzzed_data_provider);
+ if (tor_control_reply.lines.empty()) {
+ break;
+ }
+ DummyTorControlConnection dummy_tor_control_connection;
+ CallOneOf(
+ fuzzed_data_provider,
+ [&] {
+ tor_controller.add_onion_cb(dummy_tor_control_connection, tor_control_reply);
+ },
+ [&] {
+ tor_controller.auth_cb(dummy_tor_control_connection, tor_control_reply);
+ },
+ [&] {
+ tor_controller.authchallenge_cb(dummy_tor_control_connection, tor_control_reply);
+ },
+ [&] {
+ tor_controller.protocolinfo_cb(dummy_tor_control_connection, tor_control_reply);
+ });
+ }
+}
diff --git a/src/test/fuzz/transaction.cpp b/src/test/fuzz/transaction.cpp
index 13ae450756..ff34cc87b2 100644
--- a/src/test/fuzz/transaction.cpp
+++ b/src/test/fuzz/transaction.cpp
@@ -61,8 +61,11 @@ FUZZ_TARGET_INIT(transaction, initialize_transaction)
return;
}
- TxValidationState state_with_dupe_check;
- (void)CheckTransaction(tx, state_with_dupe_check);
+ {
+ TxValidationState state_with_dupe_check;
+ const bool res{CheckTransaction(tx, state_with_dupe_check)};
+ Assert(res == state_with_dupe_check.IsValid());
+ }
const CFeeRate dust_relay_fee{DUST_RELAY_TX_FEE};
std::string reason;
@@ -100,16 +103,6 @@ FUZZ_TARGET_INIT(transaction, initialize_transaction)
(void)IsWitnessStandard(tx, coins_view_cache);
UniValue u(UniValue::VOBJ);
- // ValueFromAmount(i) not defined when i == std::numeric_limits<int64_t>::min()
- bool skip_tx_to_univ = false;
- for (const CTxOut& txout : tx.vout) {
- if (txout.nValue == std::numeric_limits<int64_t>::min()) {
- skip_tx_to_univ = true;
- }
- }
- if (!skip_tx_to_univ) {
- TxToUniv(tx, /* hashBlock */ {}, u);
- static const uint256 u256_max(uint256S("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"));
- TxToUniv(tx, u256_max, u);
- }
+ TxToUniv(tx, /* hashBlock */ uint256::ZERO, /* include_addresses */ true, u);
+ TxToUniv(tx, /* hashBlock */ uint256::ONE, /* include_addresses */ false, u);
}
diff --git a/src/test/fuzz/tx_pool.cpp b/src/test/fuzz/tx_pool.cpp
new file mode 100644
index 0000000000..bab34ea340
--- /dev/null
+++ b/src/test/fuzz/tx_pool.cpp
@@ -0,0 +1,339 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <consensus/validation.h>
+#include <miner.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/mining.h>
+#include <test/util/script.h>
+#include <test/util/setup_common.h>
+#include <util/rbf.h>
+#include <validation.h>
+#include <validationinterface.h>
+
+namespace {
+
+const TestingSetup* g_setup;
+std::vector<COutPoint> g_outpoints_coinbase_init_mature;
+std::vector<COutPoint> g_outpoints_coinbase_init_immature;
+
+struct MockedTxPool : public CTxMemPool {
+ void RollingFeeUpdate() EXCLUSIVE_LOCKS_REQUIRED(!cs)
+ {
+ LOCK(cs);
+ lastRollingFeeUpdate = GetTime();
+ blockSinceLastRollingFeeBump = true;
+ }
+};
+
+void initialize_tx_pool()
+{
+ static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
+ g_setup = testing_setup.get();
+
+ for (int i = 0; i < 2 * COINBASE_MATURITY; ++i) {
+ CTxIn in = MineBlock(g_setup->m_node, P2WSH_OP_TRUE);
+ // Remember the txids to avoid expensive disk access later on
+ auto& outpoints = i < COINBASE_MATURITY ?
+ g_outpoints_coinbase_init_mature :
+ g_outpoints_coinbase_init_immature;
+ outpoints.push_back(in.prevout);
+ }
+ SyncWithValidationInterfaceQueue();
+}
+
+struct TransactionsDelta final : public CValidationInterface {
+ std::set<CTransactionRef>& m_removed;
+ std::set<CTransactionRef>& m_added;
+
+ explicit TransactionsDelta(std::set<CTransactionRef>& r, std::set<CTransactionRef>& a)
+ : m_removed{r}, m_added{a} {}
+
+ void TransactionAddedToMempool(const CTransactionRef& tx, uint64_t /* mempool_sequence */) override
+ {
+ Assert(m_added.insert(tx).second);
+ }
+
+ void TransactionRemovedFromMempool(const CTransactionRef& tx, MemPoolRemovalReason reason, uint64_t /* mempool_sequence */) override
+ {
+ Assert(m_removed.insert(tx).second);
+ }
+};
+
+void SetMempoolConstraints(ArgsManager& args, FuzzedDataProvider& fuzzed_data_provider)
+{
+ args.ForceSetArg("-limitancestorcount",
+ ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 50)));
+ args.ForceSetArg("-limitancestorsize",
+ ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 202)));
+ args.ForceSetArg("-limitdescendantcount",
+ ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 50)));
+ args.ForceSetArg("-limitdescendantsize",
+ ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 202)));
+ args.ForceSetArg("-maxmempool",
+ ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 200)));
+ args.ForceSetArg("-mempoolexpiry",
+ ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 999)));
+}
+
+void Finish(FuzzedDataProvider& fuzzed_data_provider, MockedTxPool& tx_pool, CChainState& chainstate)
+{
+ WITH_LOCK(::cs_main, tx_pool.check(chainstate));
+ {
+ BlockAssembler::Options options;
+ options.nBlockMaxWeight = fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BLOCK_WEIGHT);
+ options.blockMinFeeRate = CFeeRate{ConsumeMoney(fuzzed_data_provider, /* max */ COIN)};
+ auto assembler = BlockAssembler{chainstate, *static_cast<CTxMemPool*>(&tx_pool), ::Params(), options};
+ auto block_template = assembler.CreateNewBlock(CScript{} << OP_TRUE);
+ Assert(block_template->block.vtx.size() >= 1);
+ }
+ const auto info_all = tx_pool.infoAll();
+ if (!info_all.empty()) {
+ const auto& tx_to_remove = *PickValue(fuzzed_data_provider, info_all).tx;
+ WITH_LOCK(tx_pool.cs, tx_pool.removeRecursive(tx_to_remove, /* dummy */ MemPoolRemovalReason::BLOCK));
+ std::vector<uint256> all_txids;
+ tx_pool.queryHashes(all_txids);
+ assert(all_txids.size() < info_all.size());
+ WITH_LOCK(::cs_main, tx_pool.check(chainstate));
+ }
+ SyncWithValidationInterfaceQueue();
+}
+
+void MockTime(FuzzedDataProvider& fuzzed_data_provider, const CChainState& chainstate)
+{
+ const auto time = ConsumeTime(fuzzed_data_provider,
+ chainstate.m_chain.Tip()->GetMedianTimePast() + 1,
+ std::numeric_limits<decltype(chainstate.m_chain.Tip()->nTime)>::max());
+ SetMockTime(time);
+}
+
+FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
+{
+ FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+ const auto& node = g_setup->m_node;
+ auto& chainstate = node.chainman->ActiveChainstate();
+
+ MockTime(fuzzed_data_provider, chainstate);
+ SetMempoolConstraints(*node.args, fuzzed_data_provider);
+
+ // All RBF-spendable outpoints
+ std::set<COutPoint> outpoints_rbf;
+ // All outpoints counting toward the total supply (subset of outpoints_rbf)
+ std::set<COutPoint> outpoints_supply;
+ for (const auto& outpoint : g_outpoints_coinbase_init_mature) {
+ Assert(outpoints_supply.insert(outpoint).second);
+ }
+ outpoints_rbf = outpoints_supply;
+
+ // The sum of the values of all spendable outpoints
+ constexpr CAmount SUPPLY_TOTAL{COINBASE_MATURITY * 50 * COIN};
+
+ CTxMemPool tx_pool_{/* estimator */ nullptr, /* check_ratio */ 1};
+ MockedTxPool& tx_pool = *static_cast<MockedTxPool*>(&tx_pool_);
+
+ // Helper to query an amount
+ const CCoinsViewMemPool amount_view{WITH_LOCK(::cs_main, return &chainstate.CoinsTip()), tx_pool};
+ const auto GetAmount = [&](const COutPoint& outpoint) {
+ Coin c;
+ Assert(amount_view.GetCoin(outpoint, c));
+ return c.out.nValue;
+ };
+
+ while (fuzzed_data_provider.ConsumeBool()) {
+ {
+ // Total supply is the mempool fee + all outpoints
+ CAmount supply_now{WITH_LOCK(tx_pool.cs, return tx_pool.GetTotalFee())};
+ for (const auto& op : outpoints_supply) {
+ supply_now += GetAmount(op);
+ }
+ Assert(supply_now == SUPPLY_TOTAL);
+ }
+ Assert(!outpoints_supply.empty());
+
+ // Create transaction to add to the mempool
+ const CTransactionRef tx = [&] {
+ CMutableTransaction tx_mut;
+ tx_mut.nVersion = CTransaction::CURRENT_VERSION;
+ tx_mut.nLockTime = fuzzed_data_provider.ConsumeBool() ? 0 : fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+ const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(1, outpoints_rbf.size());
+ const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(1, outpoints_rbf.size() * 2);
+
+ CAmount amount_in{0};
+ for (int i = 0; i < num_in; ++i) {
+ // Pop random outpoint
+ auto pop = outpoints_rbf.begin();
+ std::advance(pop, fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, outpoints_rbf.size() - 1));
+ const auto outpoint = *pop;
+ outpoints_rbf.erase(pop);
+ amount_in += GetAmount(outpoint);
+
+ // Create input
+ const auto sequence = ConsumeSequence(fuzzed_data_provider);
+ const auto script_sig = CScript{};
+ const auto script_wit_stack = std::vector<std::vector<uint8_t>>{WITNESS_STACK_ELEM_OP_TRUE};
+ CTxIn in;
+ in.prevout = outpoint;
+ in.nSequence = sequence;
+ in.scriptSig = script_sig;
+ in.scriptWitness.stack = script_wit_stack;
+
+ tx_mut.vin.push_back(in);
+ }
+ const auto amount_fee = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-1000, amount_in);
+ const auto amount_out = (amount_in - amount_fee) / num_out;
+ for (int i = 0; i < num_out; ++i) {
+ tx_mut.vout.emplace_back(amount_out, P2WSH_OP_TRUE);
+ }
+ const auto tx = MakeTransactionRef(tx_mut);
+ // Restore previously removed outpoints
+ for (const auto& in : tx->vin) {
+ Assert(outpoints_rbf.insert(in.prevout).second);
+ }
+ return tx;
+ }();
+
+ if (fuzzed_data_provider.ConsumeBool()) {
+ MockTime(fuzzed_data_provider, chainstate);
+ }
+ if (fuzzed_data_provider.ConsumeBool()) {
+ SetMempoolConstraints(*node.args, fuzzed_data_provider);
+ }
+ if (fuzzed_data_provider.ConsumeBool()) {
+ tx_pool.RollingFeeUpdate();
+ }
+ if (fuzzed_data_provider.ConsumeBool()) {
+ const auto& txid = fuzzed_data_provider.ConsumeBool() ?
+ tx->GetHash() :
+ PickValue(fuzzed_data_provider, outpoints_rbf).hash;
+ const auto delta = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-50 * COIN, +50 * COIN);
+ tx_pool.PrioritiseTransaction(txid, delta);
+ }
+
+ // Remember all removed and added transactions
+ std::set<CTransactionRef> removed;
+ std::set<CTransactionRef> added;
+ auto txr = std::make_shared<TransactionsDelta>(removed, added);
+ RegisterSharedValidationInterface(txr);
+ const bool bypass_limits = fuzzed_data_provider.ConsumeBool();
+ ::fRequireStandard = fuzzed_data_provider.ConsumeBool();
+
+ // Make sure ProcessNewPackage on one transaction works and always fully validates the transaction.
+ // The result is not guaranteed to be the same as what is returned by ATMP.
+ const auto result_package = WITH_LOCK(::cs_main,
+ return ProcessNewPackage(node.chainman->ActiveChainstate(), tx_pool, {tx}, true));
+ auto it = result_package.m_tx_results.find(tx->GetWitnessHash());
+ Assert(it != result_package.m_tx_results.end());
+ Assert(it->second.m_result_type == MempoolAcceptResult::ResultType::VALID ||
+ it->second.m_result_type == MempoolAcceptResult::ResultType::INVALID);
+
+ const auto res = WITH_LOCK(::cs_main, return AcceptToMemoryPool(chainstate, tx_pool, tx, bypass_limits));
+ const bool accepted = res.m_result_type == MempoolAcceptResult::ResultType::VALID;
+ SyncWithValidationInterfaceQueue();
+ UnregisterSharedValidationInterface(txr);
+
+ Assert(accepted != added.empty());
+ Assert(accepted == res.m_state.IsValid());
+ Assert(accepted != res.m_state.IsInvalid());
+ if (accepted) {
+ Assert(added.size() == 1); // For now, no package acceptance
+ Assert(tx == *added.begin());
+ } else {
+ // Do not consider rejected transaction removed
+ removed.erase(tx);
+ }
+
+ // Helper to insert spent and created outpoints of a tx into collections
+ using Sets = std::vector<std::reference_wrapper<std::set<COutPoint>>>;
+ const auto insert_tx = [](Sets created_by_tx, Sets consumed_by_tx, const auto& tx) {
+ for (size_t i{0}; i < tx.vout.size(); ++i) {
+ for (auto& set : created_by_tx) {
+ Assert(set.get().emplace(tx.GetHash(), i).second);
+ }
+ }
+ for (const auto& in : tx.vin) {
+ for (auto& set : consumed_by_tx) {
+ Assert(set.get().insert(in.prevout).second);
+ }
+ }
+ };
+ // Add created outpoints, remove spent outpoints
+ {
+ // Outpoints that no longer exist at all
+ std::set<COutPoint> consumed_erased;
+ // Outpoints that no longer count toward the total supply
+ std::set<COutPoint> consumed_supply;
+ for (const auto& removed_tx : removed) {
+ insert_tx(/* created_by_tx */ {consumed_erased}, /* consumed_by_tx */ {outpoints_supply}, /* tx */ *removed_tx);
+ }
+ for (const auto& added_tx : added) {
+ insert_tx(/* created_by_tx */ {outpoints_supply, outpoints_rbf}, /* consumed_by_tx */ {consumed_supply}, /* tx */ *added_tx);
+ }
+ for (const auto& p : consumed_erased) {
+ Assert(outpoints_supply.erase(p) == 1);
+ Assert(outpoints_rbf.erase(p) == 1);
+ }
+ for (const auto& p : consumed_supply) {
+ Assert(outpoints_supply.erase(p) == 1);
+ }
+ }
+ }
+ Finish(fuzzed_data_provider, tx_pool, chainstate);
+}
+
+FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
+{
+ FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+ const auto& node = g_setup->m_node;
+ auto& chainstate = node.chainman->ActiveChainstate();
+
+ MockTime(fuzzed_data_provider, chainstate);
+ SetMempoolConstraints(*node.args, fuzzed_data_provider);
+
+ std::vector<uint256> txids;
+ for (const auto& outpoint : g_outpoints_coinbase_init_mature) {
+ txids.push_back(outpoint.hash);
+ }
+ for (int i{0}; i <= 3; ++i) {
+ // Add some immature and non-existent outpoints
+ txids.push_back(g_outpoints_coinbase_init_immature.at(i).hash);
+ txids.push_back(ConsumeUInt256(fuzzed_data_provider));
+ }
+
+ CTxMemPool tx_pool_{/* estimator */ nullptr, /* check_ratio */ 1};
+ MockedTxPool& tx_pool = *static_cast<MockedTxPool*>(&tx_pool_);
+
+ while (fuzzed_data_provider.ConsumeBool()) {
+ const auto mut_tx = ConsumeTransaction(fuzzed_data_provider, txids);
+
+ if (fuzzed_data_provider.ConsumeBool()) {
+ MockTime(fuzzed_data_provider, chainstate);
+ }
+ if (fuzzed_data_provider.ConsumeBool()) {
+ SetMempoolConstraints(*node.args, fuzzed_data_provider);
+ }
+ if (fuzzed_data_provider.ConsumeBool()) {
+ tx_pool.RollingFeeUpdate();
+ }
+ if (fuzzed_data_provider.ConsumeBool()) {
+ const auto& txid = fuzzed_data_provider.ConsumeBool() ?
+ mut_tx.GetHash() :
+ PickValue(fuzzed_data_provider, txids);
+ const auto delta = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-50 * COIN, +50 * COIN);
+ tx_pool.PrioritiseTransaction(txid, delta);
+ }
+
+ const auto tx = MakeTransactionRef(mut_tx);
+ const bool bypass_limits = fuzzed_data_provider.ConsumeBool();
+ ::fRequireStandard = fuzzed_data_provider.ConsumeBool();
+ const auto res = WITH_LOCK(::cs_main, return AcceptToMemoryPool(node.chainman->ActiveChainstate(), tx_pool, tx, bypass_limits));
+ const bool accepted = res.m_result_type == MempoolAcceptResult::ResultType::VALID;
+ if (accepted) {
+ txids.push_back(tx->GetHash());
+ }
+ }
+ Finish(fuzzed_data_provider, tx_pool, chainstate);
+}
+} // namespace
diff --git a/src/test/fuzz/util.cpp b/src/test/fuzz/util.cpp
index 0a541e4186..bcf0b0ce72 100644
--- a/src/test/fuzz/util.cpp
+++ b/src/test/fuzz/util.cpp
@@ -3,8 +3,201 @@
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include <test/fuzz/util.h>
+#include <test/util/script.h>
+#include <util/rbf.h>
+#include <util/time.h>
#include <version.h>
+FuzzedSock::FuzzedSock(FuzzedDataProvider& fuzzed_data_provider)
+ : m_fuzzed_data_provider{fuzzed_data_provider}
+{
+ m_socket = fuzzed_data_provider.ConsumeIntegralInRange<SOCKET>(INVALID_SOCKET - 1, INVALID_SOCKET);
+}
+
+FuzzedSock::~FuzzedSock()
+{
+ // Sock::~Sock() will be called after FuzzedSock::~FuzzedSock() and it will call
+ // Sock::Reset() (not FuzzedSock::Reset()!) which will call CloseSocket(m_socket).
+ // Avoid closing an arbitrary file descriptor (m_socket is just a random very high number which
+ // theoretically may concide with a real opened file descriptor).
+ Reset();
+}
+
+FuzzedSock& FuzzedSock::operator=(Sock&& other)
+{
+ assert(false && "Move of Sock into FuzzedSock not allowed.");
+ return *this;
+}
+
+void FuzzedSock::Reset()
+{
+ m_socket = INVALID_SOCKET;
+}
+
+ssize_t FuzzedSock::Send(const void* data, size_t len, int flags) const
+{
+ constexpr std::array send_errnos{
+ EACCES,
+ EAGAIN,
+ EALREADY,
+ EBADF,
+ ECONNRESET,
+ EDESTADDRREQ,
+ EFAULT,
+ EINTR,
+ EINVAL,
+ EISCONN,
+ EMSGSIZE,
+ ENOBUFS,
+ ENOMEM,
+ ENOTCONN,
+ ENOTSOCK,
+ EOPNOTSUPP,
+ EPIPE,
+ EWOULDBLOCK,
+ };
+ if (m_fuzzed_data_provider.ConsumeBool()) {
+ return len;
+ }
+ const ssize_t r = m_fuzzed_data_provider.ConsumeIntegralInRange<ssize_t>(-1, len);
+ if (r == -1) {
+ SetFuzzedErrNo(m_fuzzed_data_provider, send_errnos);
+ }
+ return r;
+}
+
+ssize_t FuzzedSock::Recv(void* buf, size_t len, int flags) const
+{
+ // Have a permanent error at recv_errnos[0] because when the fuzzed data is exhausted
+ // SetFuzzedErrNo() will always return the first element and we want to avoid Recv()
+ // returning -1 and setting errno to EAGAIN repeatedly.
+ constexpr std::array recv_errnos{
+ ECONNREFUSED,
+ EAGAIN,
+ EBADF,
+ EFAULT,
+ EINTR,
+ EINVAL,
+ ENOMEM,
+ ENOTCONN,
+ ENOTSOCK,
+ EWOULDBLOCK,
+ };
+ assert(buf != nullptr || len == 0);
+ if (len == 0 || m_fuzzed_data_provider.ConsumeBool()) {
+ const ssize_t r = m_fuzzed_data_provider.ConsumeBool() ? 0 : -1;
+ if (r == -1) {
+ SetFuzzedErrNo(m_fuzzed_data_provider, recv_errnos);
+ }
+ return r;
+ }
+ std::vector<uint8_t> random_bytes;
+ bool pad_to_len_bytes{m_fuzzed_data_provider.ConsumeBool()};
+ if (m_peek_data.has_value()) {
+ // `MSG_PEEK` was used in the preceding `Recv()` call, return `m_peek_data`.
+ random_bytes.assign({m_peek_data.value()});
+ if ((flags & MSG_PEEK) == 0) {
+ m_peek_data.reset();
+ }
+ pad_to_len_bytes = false;
+ } else if ((flags & MSG_PEEK) != 0) {
+ // New call with `MSG_PEEK`.
+ random_bytes = m_fuzzed_data_provider.ConsumeBytes<uint8_t>(1);
+ if (!random_bytes.empty()) {
+ m_peek_data = random_bytes[0];
+ pad_to_len_bytes = false;
+ }
+ } else {
+ random_bytes = m_fuzzed_data_provider.ConsumeBytes<uint8_t>(
+ m_fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, len));
+ }
+ if (random_bytes.empty()) {
+ const ssize_t r = m_fuzzed_data_provider.ConsumeBool() ? 0 : -1;
+ if (r == -1) {
+ SetFuzzedErrNo(m_fuzzed_data_provider, recv_errnos);
+ }
+ return r;
+ }
+ std::memcpy(buf, random_bytes.data(), random_bytes.size());
+ if (pad_to_len_bytes) {
+ if (len > random_bytes.size()) {
+ std::memset((char*)buf + random_bytes.size(), 0, len - random_bytes.size());
+ }
+ return len;
+ }
+ if (m_fuzzed_data_provider.ConsumeBool() && std::getenv("FUZZED_SOCKET_FAKE_LATENCY") != nullptr) {
+ std::this_thread::sleep_for(std::chrono::milliseconds{2});
+ }
+ return random_bytes.size();
+}
+
+int FuzzedSock::Connect(const sockaddr*, socklen_t) const
+{
+ // Have a permanent error at connect_errnos[0] because when the fuzzed data is exhausted
+ // SetFuzzedErrNo() will always return the first element and we want to avoid Connect()
+ // returning -1 and setting errno to EAGAIN repeatedly.
+ constexpr std::array connect_errnos{
+ ECONNREFUSED,
+ EAGAIN,
+ ECONNRESET,
+ EHOSTUNREACH,
+ EINPROGRESS,
+ EINTR,
+ ENETUNREACH,
+ ETIMEDOUT,
+ };
+ if (m_fuzzed_data_provider.ConsumeBool()) {
+ SetFuzzedErrNo(m_fuzzed_data_provider, connect_errnos);
+ return -1;
+ }
+ return 0;
+}
+
+int FuzzedSock::GetSockOpt(int level, int opt_name, void* opt_val, socklen_t* opt_len) const
+{
+ constexpr std::array getsockopt_errnos{
+ ENOMEM,
+ ENOBUFS,
+ };
+ if (m_fuzzed_data_provider.ConsumeBool()) {
+ SetFuzzedErrNo(m_fuzzed_data_provider, getsockopt_errnos);
+ return -1;
+ }
+ if (opt_val == nullptr) {
+ return 0;
+ }
+ std::memcpy(opt_val,
+ ConsumeFixedLengthByteVector(m_fuzzed_data_provider, *opt_len).data(),
+ *opt_len);
+ return 0;
+}
+
+bool FuzzedSock::Wait(std::chrono::milliseconds timeout, Event requested, Event* occurred) const
+{
+ constexpr std::array wait_errnos{
+ EBADF,
+ EINTR,
+ EINVAL,
+ };
+ if (m_fuzzed_data_provider.ConsumeBool()) {
+ SetFuzzedErrNo(m_fuzzed_data_provider, wait_errnos);
+ return false;
+ }
+ if (occurred != nullptr) {
+ *occurred = m_fuzzed_data_provider.ConsumeBool() ? requested : 0;
+ }
+ return true;
+}
+
+bool FuzzedSock::IsConnected(std::string& errmsg) const
+{
+ if (m_fuzzed_data_provider.ConsumeBool()) {
+ return true;
+ }
+ errmsg = "disconnected at random by the fuzzer";
+ return false;
+}
+
void FillNode(FuzzedDataProvider& fuzzed_data_provider, CNode& node, bool init_version) noexcept
{
const ServiceFlags remote_services = ConsumeWeakEnum(fuzzed_data_provider, ALL_SERVICE_FLAGS);
@@ -23,3 +216,91 @@ void FillNode(FuzzedDataProvider& fuzzed_data_provider, CNode& node, bool init_v
node.m_tx_relay->fRelayTxes = filter_txs;
}
}
+
+CAmount ConsumeMoney(FuzzedDataProvider& fuzzed_data_provider, const std::optional<CAmount>& max) noexcept
+{
+ return fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(0, max.value_or(MAX_MONEY));
+}
+
+int64_t ConsumeTime(FuzzedDataProvider& fuzzed_data_provider, const std::optional<int64_t>& min, const std::optional<int64_t>& max) noexcept
+{
+ // Avoid t=0 (1970-01-01T00:00:00Z) since SetMockTime(0) disables mocktime.
+ static const int64_t time_min = ParseISO8601DateTime("1970-01-01T00:00:01Z");
+ static const int64_t time_max = ParseISO8601DateTime("9999-12-31T23:59:59Z");
+ return fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(min.value_or(time_min), max.value_or(time_max));
+}
+
+CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<uint256>>& prevout_txids, const int max_num_in, const int max_num_out) noexcept
+{
+ CMutableTransaction tx_mut;
+ const auto p2wsh_op_true = fuzzed_data_provider.ConsumeBool();
+ tx_mut.nVersion = fuzzed_data_provider.ConsumeBool() ?
+ CTransaction::CURRENT_VERSION :
+ fuzzed_data_provider.ConsumeIntegral<int32_t>();
+ tx_mut.nLockTime = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+ const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_in);
+ const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_out);
+ for (int i = 0; i < num_in; ++i) {
+ const auto& txid_prev = prevout_txids ?
+ PickValue(fuzzed_data_provider, *prevout_txids) :
+ ConsumeUInt256(fuzzed_data_provider);
+ const auto index_out = fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(0, max_num_out);
+ const auto sequence = ConsumeSequence(fuzzed_data_provider);
+ const auto script_sig = p2wsh_op_true ? CScript{} : ConsumeScript(fuzzed_data_provider);
+ CScriptWitness script_wit;
+ if (p2wsh_op_true) {
+ script_wit.stack = std::vector<std::vector<uint8_t>>{WITNESS_STACK_ELEM_OP_TRUE};
+ } else {
+ script_wit = ConsumeScriptWitness(fuzzed_data_provider);
+ }
+ CTxIn in;
+ in.prevout = COutPoint{txid_prev, index_out};
+ in.nSequence = sequence;
+ in.scriptSig = script_sig;
+ in.scriptWitness = script_wit;
+
+ tx_mut.vin.push_back(in);
+ }
+ for (int i = 0; i < num_out; ++i) {
+ const auto amount = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-10, 50 * COIN + 10);
+ const auto script_pk = p2wsh_op_true ?
+ P2WSH_OP_TRUE :
+ ConsumeScript(fuzzed_data_provider, /* max_length */ 128, /* maybe_p2wsh */ true);
+ tx_mut.vout.emplace_back(amount, script_pk);
+ }
+ return tx_mut;
+}
+
+CScriptWitness ConsumeScriptWitness(FuzzedDataProvider& fuzzed_data_provider, const size_t max_stack_elem_size) noexcept
+{
+ CScriptWitness ret;
+ const auto n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_stack_elem_size);
+ for (size_t i = 0; i < n_elements; ++i) {
+ ret.stack.push_back(ConsumeRandomLengthByteVector(fuzzed_data_provider));
+ }
+ return ret;
+}
+
+CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length, const bool maybe_p2wsh) noexcept
+{
+ const std::vector<uint8_t> b = ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length);
+ CScript r_script{b.begin(), b.end()};
+ if (maybe_p2wsh && fuzzed_data_provider.ConsumeBool()) {
+ uint256 script_hash;
+ CSHA256().Write(r_script.data(), r_script.size()).Finalize(script_hash.begin());
+ r_script.clear();
+ r_script << OP_0 << ToByteVector(script_hash);
+ }
+ return r_script;
+}
+
+uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept
+{
+ return fuzzed_data_provider.ConsumeBool() ?
+ fuzzed_data_provider.PickValueInArray({
+ CTxIn::SEQUENCE_FINAL,
+ CTxIn::SEQUENCE_FINAL - 1,
+ MAX_BIP125_RBF_SEQUENCE,
+ }) :
+ fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+}
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
index 7a2dcfe84a..023dcdb3e5 100644
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2009-2020 The Bitcoin Core developers
+// Copyright (c) 2009-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -10,6 +10,7 @@
#include <attributes.h>
#include <chainparamsbase.h>
#include <coins.h>
+#include <compat.h>
#include <consensus/consensus.h>
#include <merkleblock.h>
#include <net.h>
@@ -23,14 +24,12 @@
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/util/net.h>
-#include <test/util/setup_common.h>
#include <txmempool.h>
#include <uint256.h>
-#include <util/time.h>
-#include <util/vector.h>
#include <version.h>
#include <algorithm>
+#include <array>
#include <cstdint>
#include <cstdio>
#include <optional>
@@ -45,21 +44,33 @@ void CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables)
const size_t call_index{fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, call_size - 1)};
size_t i{0};
- return ((i++ == call_index ? callables() : void()), ...);
+ ((i++ == call_index ? callables() : void()), ...);
}
-[[nodiscard]] inline std::vector<uint8_t> ConsumeRandomLengthByteVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept
+template <typename Collection>
+auto& PickValue(FuzzedDataProvider& fuzzed_data_provider, Collection& col)
{
- const std::string s = fuzzed_data_provider.ConsumeRandomLengthString(max_length);
+ const auto sz = col.size();
+ assert(sz >= 1);
+ auto it = col.begin();
+ std::advance(it, fuzzed_data_provider.ConsumeIntegralInRange<decltype(sz)>(0, sz - 1));
+ return *it;
+}
+
+[[nodiscard]] inline std::vector<uint8_t> ConsumeRandomLengthByteVector(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt) noexcept
+{
+ const std::string s = max_length ?
+ fuzzed_data_provider.ConsumeRandomLengthString(*max_length) :
+ fuzzed_data_provider.ConsumeRandomLengthString();
return {s.begin(), s.end()};
}
-[[nodiscard]] inline std::vector<bool> ConsumeRandomLengthBitVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept
+[[nodiscard]] inline std::vector<bool> ConsumeRandomLengthBitVector(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt) noexcept
{
return BytesToBits(ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length));
}
-[[nodiscard]] inline CDataStream ConsumeDataStream(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept
+[[nodiscard]] inline CDataStream ConsumeDataStream(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt) noexcept
{
return CDataStream{ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length), SER_NETWORK, INIT_PROTO_VERSION};
}
@@ -86,7 +97,7 @@ template <typename T>
}
template <typename T>
-[[nodiscard]] inline std::optional<T> ConsumeDeserializable(FuzzedDataProvider& fuzzed_data_provider, const size_t max_length = 4096) noexcept
+[[nodiscard]] inline std::optional<T> ConsumeDeserializable(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt) noexcept
{
const std::vector<uint8_t> buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length);
CDataStream ds{buffer, SER_NETWORK, INIT_PROTO_VERSION};
@@ -112,24 +123,17 @@ template <typename WeakEnumType, size_t size>
return static_cast<opcodetype>(fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(0, MAX_OPCODE));
}
-[[nodiscard]] inline CAmount ConsumeMoney(FuzzedDataProvider& fuzzed_data_provider) noexcept
-{
- return fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(0, MAX_MONEY);
-}
+[[nodiscard]] CAmount ConsumeMoney(FuzzedDataProvider& fuzzed_data_provider, const std::optional<CAmount>& max = std::nullopt) noexcept;
-[[nodiscard]] inline int64_t ConsumeTime(FuzzedDataProvider& fuzzed_data_provider) noexcept
-{
- // Avoid t=0 (1970-01-01T00:00:00Z) since SetMockTime(0) is a no-op.
- static const int64_t time_min = ParseISO8601DateTime("1970-01-01T00:00:01Z");
- static const int64_t time_max = ParseISO8601DateTime("9999-12-31T23:59:59Z");
- return fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(time_min, time_max);
-}
+[[nodiscard]] int64_t ConsumeTime(FuzzedDataProvider& fuzzed_data_provider, const std::optional<int64_t>& min = std::nullopt, const std::optional<int64_t>& max = std::nullopt) noexcept;
-[[nodiscard]] inline CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider) noexcept
-{
- const std::vector<uint8_t> b = ConsumeRandomLengthByteVector(fuzzed_data_provider);
- return {b.begin(), b.end()};
-}
+[[nodiscard]] CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<uint256>>& prevout_txids, const int max_num_in = 10, const int max_num_out = 10) noexcept;
+
+[[nodiscard]] CScriptWitness ConsumeScriptWitness(FuzzedDataProvider& fuzzed_data_provider, const size_t max_stack_elem_size = 32) noexcept;
+
+[[nodiscard]] CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt, const bool maybe_p2wsh = false) noexcept;
+
+[[nodiscard]] uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept;
[[nodiscard]] inline CScriptNum ConsumeScriptNum(FuzzedDataProvider& fuzzed_data_provider) noexcept
{
@@ -251,6 +255,25 @@ template <class T>
}
/**
+ * Sets errno to a value selected from the given std::array `errnos`.
+ */
+template <typename T, size_t size>
+void SetFuzzedErrNo(FuzzedDataProvider& fuzzed_data_provider, const std::array<T, size>& errnos)
+{
+ errno = fuzzed_data_provider.PickValueInArray(errnos);
+}
+
+/*
+ * Sets a fuzzed errno in the range [0, 133 (EHWPOISON)]. Can be used from functions emulating
+ * standard library functions that set errno, or in other contexts where the value of errno
+ * might be relevant for the execution path that will be taken.
+ */
+inline void SetFuzzedErrNo(FuzzedDataProvider& fuzzed_data_provider) noexcept
+{
+ errno = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 133);
+}
+
+/**
* Returns a byte vector of specified size regardless of the number of remaining bytes available
* from the fuzzer. Pads with zero value bytes if needed to achieve the specified size.
*/
@@ -324,19 +347,6 @@ inline std::unique_ptr<CNode> ConsumeNodeAsUniquePtr(FuzzedDataProvider& fdp, co
void FillNode(FuzzedDataProvider& fuzzed_data_provider, CNode& node, bool init_version) noexcept;
-template <class T = const BasicTestingSetup>
-std::unique_ptr<T> MakeFuzzingContext(const std::string& chain_name = CBaseChainParams::REGTEST, const std::vector<const char*>& extra_args = {})
-{
- // Prepend default arguments for fuzzing
- const std::vector<const char*> arguments = Cat(
- {
- "-nodebuglogfile",
- },
- extra_args);
-
- return MakeUnique<T>(chain_name, arguments);
-}
-
class FuzzedFileProvider
{
FuzzedDataProvider& m_fuzzed_data_provider;
@@ -349,6 +359,7 @@ public:
FILE* open()
{
+ SetFuzzedErrNo(m_fuzzed_data_provider);
if (m_fuzzed_data_provider.ConsumeBool()) {
return nullptr;
}
@@ -373,7 +384,7 @@ public:
[&] {
mode = "a+";
});
-#ifdef _GNU_SOURCE
+#if defined _GNU_SOURCE && !defined __ANDROID__
const cookie_io_functions_t io_hooks = {
FuzzedFileProvider::read,
FuzzedFileProvider::write,
@@ -390,6 +401,7 @@ public:
static ssize_t read(void* cookie, char* buf, size_t size)
{
FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
+ SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider);
if (buf == nullptr || size == 0 || fuzzed_file->m_fuzzed_data_provider.ConsumeBool()) {
return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1;
}
@@ -408,6 +420,7 @@ public:
static ssize_t write(void* cookie, const char* buf, size_t size)
{
FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
+ SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider);
const ssize_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<ssize_t>(0, size);
if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)n)) {
return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1;
@@ -418,8 +431,9 @@ public:
static int seek(void* cookie, int64_t* offset, int whence)
{
- assert(whence == SEEK_SET || whence == SEEK_CUR); // SEEK_END not implemented yet.
+ assert(whence == SEEK_SET || whence == SEEK_CUR || whence == SEEK_END);
FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
+ SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider);
int64_t new_offset = 0;
if (whence == SEEK_SET) {
new_offset = *offset;
@@ -428,6 +442,12 @@ public:
return -1;
}
new_offset = fuzzed_file->m_offset + *offset;
+ } else if (whence == SEEK_END) {
+ const int64_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 4096);
+ if (AdditionOverflow(n, *offset)) {
+ return -1;
+ }
+ new_offset = n + *offset;
}
if (new_offset < 0) {
return -1;
@@ -440,6 +460,7 @@ public:
static int close(void* cookie)
{
FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
+ SetFuzzedErrNo(fuzzed_file->m_fuzzed_data_provider);
return fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int>(-1, 0);
}
};
@@ -492,8 +513,6 @@ void WriteToStream(FuzzedDataProvider& fuzzed_data_provider, Stream& stream) noe
WRITE_TO_STREAM_CASE(uint32_t, fuzzed_data_provider.ConsumeIntegral<uint32_t>()),
WRITE_TO_STREAM_CASE(int64_t, fuzzed_data_provider.ConsumeIntegral<int64_t>()),
WRITE_TO_STREAM_CASE(uint64_t, fuzzed_data_provider.ConsumeIntegral<uint64_t>()),
- WRITE_TO_STREAM_CASE(float, fuzzed_data_provider.ConsumeFloatingPoint<float>()),
- WRITE_TO_STREAM_CASE(double, fuzzed_data_provider.ConsumeFloatingPoint<double>()),
WRITE_TO_STREAM_CASE(std::string, fuzzed_data_provider.ConsumeRandomLengthString(32)),
WRITE_TO_STREAM_CASE(std::vector<char>, ConsumeRandomLengthIntegralVector<char>(fuzzed_data_provider)));
} catch (const std::ios_base::failure&) {
@@ -524,8 +543,6 @@ void ReadFromStream(FuzzedDataProvider& fuzzed_data_provider, Stream& stream) no
READ_FROM_STREAM_CASE(uint32_t),
READ_FROM_STREAM_CASE(int64_t),
READ_FROM_STREAM_CASE(uint64_t),
- READ_FROM_STREAM_CASE(float),
- READ_FROM_STREAM_CASE(double),
READ_FROM_STREAM_CASE(std::string),
READ_FROM_STREAM_CASE(std::vector<char>));
} catch (const std::ios_base::failure&) {
@@ -534,4 +551,42 @@ void ReadFromStream(FuzzedDataProvider& fuzzed_data_provider, Stream& stream) no
}
}
+class FuzzedSock : public Sock
+{
+ FuzzedDataProvider& m_fuzzed_data_provider;
+
+ /**
+ * Data to return when `MSG_PEEK` is used as a `Recv()` flag.
+ * If `MSG_PEEK` is used, then our `Recv()` returns some random data as usual, but on the next
+ * `Recv()` call we must return the same data, thus we remember it here.
+ */
+ mutable std::optional<uint8_t> m_peek_data;
+
+public:
+ explicit FuzzedSock(FuzzedDataProvider& fuzzed_data_provider);
+
+ ~FuzzedSock() override;
+
+ FuzzedSock& operator=(Sock&& other) override;
+
+ void Reset() override;
+
+ ssize_t Send(const void* data, size_t len, int flags) const override;
+
+ ssize_t Recv(void* buf, size_t len, int flags) const override;
+
+ int Connect(const sockaddr*, socklen_t) const override;
+
+ int GetSockOpt(int level, int opt_name, void* opt_val, socklen_t* opt_len) const override;
+
+ bool Wait(std::chrono::milliseconds timeout, Event requested, Event* occurred = nullptr) const override;
+
+ bool IsConnected(std::string& errmsg) const override;
+};
+
+[[nodiscard]] inline FuzzedSock ConsumeSock(FuzzedDataProvider& fuzzed_data_provider)
+{
+ return FuzzedSock{fuzzed_data_provider};
+}
+
#endif // BITCOIN_TEST_FUZZ_UTIL_H
diff --git a/src/test/fuzz/utxo_snapshot.cpp b/src/test/fuzz/utxo_snapshot.cpp
new file mode 100644
index 0000000000..6f2bc081c6
--- /dev/null
+++ b/src/test/fuzz/utxo_snapshot.cpp
@@ -0,0 +1,87 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <chainparams.h>
+#include <consensus/validation.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/mining.h>
+#include <test/util/setup_common.h>
+#include <validation.h>
+#include <validationinterface.h>
+
+namespace {
+
+const std::vector<std::shared_ptr<CBlock>>* g_chain;
+
+void initialize_chain()
+{
+ const auto params{CreateChainParams(ArgsManager{}, CBaseChainParams::REGTEST)};
+ static const auto chain{CreateBlockChain(2 * COINBASE_MATURITY, *params)};
+ g_chain = &chain;
+}
+
+FUZZ_TARGET_INIT(utxo_snapshot, initialize_chain)
+{
+ FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+ std::unique_ptr<const TestingSetup> setup{MakeNoLogFileContext<const TestingSetup>()};
+ const auto& node = setup->m_node;
+ auto& chainman{*node.chainman};
+
+ const auto snapshot_path = gArgs.GetDataDirNet() / "fuzzed_snapshot.dat";
+
+ Assert(!chainman.SnapshotBlockhash());
+
+ {
+ CAutoFile outfile{fsbridge::fopen(snapshot_path, "wb"), SER_DISK, CLIENT_VERSION};
+ const auto file_data{ConsumeRandomLengthByteVector(fuzzed_data_provider)};
+ outfile << Span<const uint8_t>{file_data};
+ }
+
+ const auto ActivateFuzzedSnapshot{[&] {
+ CAutoFile infile{fsbridge::fopen(snapshot_path, "rb"), SER_DISK, CLIENT_VERSION};
+ SnapshotMetadata metadata;
+ try {
+ infile >> metadata;
+ } catch (const std::ios_base::failure&) {
+ return false;
+ }
+ return chainman.ActivateSnapshot(infile, metadata, /* in_memory */ true);
+ }};
+
+ if (fuzzed_data_provider.ConsumeBool()) {
+ for (const auto& block : *g_chain) {
+ BlockValidationState dummy;
+ bool processed{chainman.ProcessNewBlockHeaders({*block}, dummy, ::Params())};
+ Assert(processed);
+ const auto* index{WITH_LOCK(::cs_main, return chainman.m_blockman.LookupBlockIndex(block->GetHash()))};
+ Assert(index);
+ }
+ }
+
+ if (ActivateFuzzedSnapshot()) {
+ LOCK(::cs_main);
+ Assert(!chainman.ActiveChainstate().m_from_snapshot_blockhash->IsNull());
+ Assert(*chainman.ActiveChainstate().m_from_snapshot_blockhash ==
+ *chainman.SnapshotBlockhash());
+ const auto& coinscache{chainman.ActiveChainstate().CoinsTip()};
+ int64_t chain_tx{};
+ for (const auto& block : *g_chain) {
+ Assert(coinscache.HaveCoin(COutPoint{block->vtx.at(0)->GetHash(), 0}));
+ const auto* index{chainman.m_blockman.LookupBlockIndex(block->GetHash())};
+ const auto num_tx{Assert(index)->nTx};
+ Assert(num_tx == 1);
+ chain_tx += num_tx;
+ }
+ Assert(g_chain->size() == coinscache.GetCacheSize());
+ Assert(chain_tx == chainman.ActiveTip()->nChainTx);
+ } else {
+ Assert(!chainman.SnapshotBlockhash());
+ Assert(!chainman.ActiveChainstate().m_from_snapshot_blockhash);
+ }
+ // Snapshot should refuse to load a second time regardless of validity
+ Assert(!ActivateFuzzedSnapshot());
+}
+} // namespace
diff --git a/src/test/fuzz/validation_load_mempool.cpp b/src/test/fuzz/validation_load_mempool.cpp
new file mode 100644
index 0000000000..c2aaf486c5
--- /dev/null
+++ b/src/test/fuzz/validation_load_mempool.cpp
@@ -0,0 +1,39 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <chainparamsbase.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/util/setup_common.h>
+#include <txmempool.h>
+#include <util/time.h>
+#include <validation.h>
+
+#include <cstdint>
+#include <vector>
+
+namespace {
+const TestingSetup* g_setup;
+} // namespace
+
+void initialize_validation_load_mempool()
+{
+ static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
+ g_setup = testing_setup.get();
+}
+
+FUZZ_TARGET_INIT(validation_load_mempool, initialize_validation_load_mempool)
+{
+ FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
+ SetMockTime(ConsumeTime(fuzzed_data_provider));
+ FuzzedFileProvider fuzzed_file_provider = ConsumeFile(fuzzed_data_provider);
+
+ CTxMemPool pool{};
+ auto fuzzed_fopen = [&](const fs::path&, const char*) {
+ return fuzzed_file_provider.open();
+ };
+ (void)LoadMempool(pool, g_setup->m_node.chainman->ActiveChainstate(), fuzzed_fopen);
+ (void)DumpMempool(pool, fuzzed_fopen, true);
+}
diff --git a/src/test/fuzz/versionbits.cpp b/src/test/fuzz/versionbits.cpp
new file mode 100644
index 0000000000..9186821836
--- /dev/null
+++ b/src/test/fuzz/versionbits.cpp
@@ -0,0 +1,350 @@
+// Copyright (c) 2020-2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <chain.h>
+#include <chainparams.h>
+#include <consensus/params.h>
+#include <primitives/block.h>
+#include <versionbits.h>
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <limits>
+#include <memory>
+#include <vector>
+
+namespace {
+class TestConditionChecker : public AbstractThresholdConditionChecker
+{
+private:
+ mutable ThresholdConditionCache m_cache;
+ const Consensus::Params dummy_params{};
+
+public:
+ const int64_t m_begin;
+ const int64_t m_end;
+ const int m_period;
+ const int m_threshold;
+ const int m_min_activation_height;
+ const int m_bit;
+
+ TestConditionChecker(int64_t begin, int64_t end, int period, int threshold, int min_activation_height, int bit)
+ : m_begin{begin}, m_end{end}, m_period{period}, m_threshold{threshold}, m_min_activation_height{min_activation_height}, m_bit{bit}
+ {
+ assert(m_period > 0);
+ assert(0 <= m_threshold && m_threshold <= m_period);
+ assert(0 <= m_bit && m_bit < 32 && m_bit < VERSIONBITS_NUM_BITS);
+ assert(0 <= m_min_activation_height);
+ }
+
+ bool Condition(const CBlockIndex* pindex, const Consensus::Params& params) const override { return Condition(pindex->nVersion); }
+ int64_t BeginTime(const Consensus::Params& params) const override { return m_begin; }
+ int64_t EndTime(const Consensus::Params& params) const override { return m_end; }
+ int Period(const Consensus::Params& params) const override { return m_period; }
+ int Threshold(const Consensus::Params& params) const override { return m_threshold; }
+ int MinActivationHeight(const Consensus::Params& params) const override { return m_min_activation_height; }
+
+ ThresholdState GetStateFor(const CBlockIndex* pindexPrev) const { return AbstractThresholdConditionChecker::GetStateFor(pindexPrev, dummy_params, m_cache); }
+ int GetStateSinceHeightFor(const CBlockIndex* pindexPrev) const { return AbstractThresholdConditionChecker::GetStateSinceHeightFor(pindexPrev, dummy_params, m_cache); }
+ BIP9Stats GetStateStatisticsFor(const CBlockIndex* pindexPrev) const { return AbstractThresholdConditionChecker::GetStateStatisticsFor(pindexPrev, dummy_params); }
+
+ bool Condition(int32_t version) const
+ {
+ uint32_t mask = ((uint32_t)1) << m_bit;
+ return (((version & VERSIONBITS_TOP_MASK) == VERSIONBITS_TOP_BITS) && (version & mask) != 0);
+ }
+
+ bool Condition(const CBlockIndex* pindex) const { return Condition(pindex->nVersion); }
+};
+
+/** Track blocks mined for test */
+class Blocks
+{
+private:
+ std::vector<std::unique_ptr<CBlockIndex>> m_blocks;
+ const uint32_t m_start_time;
+ const uint32_t m_interval;
+ const int32_t m_signal;
+ const int32_t m_no_signal;
+
+public:
+ Blocks(uint32_t start_time, uint32_t interval, int32_t signal, int32_t no_signal)
+ : m_start_time{start_time}, m_interval{interval}, m_signal{signal}, m_no_signal{no_signal} {}
+
+ size_t size() const { return m_blocks.size(); }
+
+ CBlockIndex* tip() const
+ {
+ return m_blocks.empty() ? nullptr : m_blocks.back().get();
+ }
+
+ CBlockIndex* mine_block(bool signal)
+ {
+ CBlockHeader header;
+ header.nVersion = signal ? m_signal : m_no_signal;
+ header.nTime = m_start_time + m_blocks.size() * m_interval;
+ header.nBits = 0x1d00ffff;
+
+ auto current_block = std::make_unique<CBlockIndex>(header);
+ current_block->pprev = tip();
+ current_block->nHeight = m_blocks.size();
+ current_block->BuildSkip();
+
+ return m_blocks.emplace_back(std::move(current_block)).get();
+ }
+};
+
+std::unique_ptr<const CChainParams> g_params;
+
+void initialize()
+{
+ // this is actually comparatively slow, so only do it once
+ g_params = CreateChainParams(ArgsManager{}, CBaseChainParams::MAIN);
+ assert(g_params != nullptr);
+}
+
+constexpr uint32_t MAX_START_TIME = 4102444800; // 2100-01-01
+
+FUZZ_TARGET_INIT(versionbits, initialize)
+{
+ const CChainParams& params = *g_params;
+ const int64_t interval = params.GetConsensus().nPowTargetSpacing;
+ assert(interval > 1); // need to be able to halve it
+ assert(interval < std::numeric_limits<int32_t>::max());
+
+ FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+
+ // making period/max_periods larger slows these tests down significantly
+ const int period = 32;
+ const size_t max_periods = 16;
+ const size_t max_blocks = 2 * period * max_periods;
+
+ const int threshold = fuzzed_data_provider.ConsumeIntegralInRange(1, period);
+ assert(0 < threshold && threshold <= period); // must be able to both pass and fail threshold!
+
+ // too many blocks at 10min each might cause uint32_t time to overflow if
+ // block_start_time is at the end of the range above
+ assert(std::numeric_limits<uint32_t>::max() - MAX_START_TIME > interval * max_blocks);
+
+ const int64_t block_start_time = fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(params.GenesisBlock().nTime, MAX_START_TIME);
+
+ // what values for version will we use to signal / not signal?
+ const int32_t ver_signal = fuzzed_data_provider.ConsumeIntegral<int32_t>();
+ const int32_t ver_nosignal = fuzzed_data_provider.ConsumeIntegral<int32_t>();
+
+ // select deployment parameters: bit, start time, timeout
+ const int bit = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, VERSIONBITS_NUM_BITS - 1);
+
+ bool always_active_test = false;
+ bool never_active_test = false;
+ int64_t start_time;
+ int64_t timeout;
+ if (fuzzed_data_provider.ConsumeBool()) {
+ // pick the timestamp to switch based on a block
+ // note states will change *after* these blocks because mediantime lags
+ int start_block = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, period * (max_periods - 3));
+ int end_block = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, period * (max_periods - 3));
+
+ start_time = block_start_time + start_block * interval;
+ timeout = block_start_time + end_block * interval;
+
+ // allow for times to not exactly match a block
+ if (fuzzed_data_provider.ConsumeBool()) start_time += interval / 2;
+ if (fuzzed_data_provider.ConsumeBool()) timeout += interval / 2;
+ } else {
+ if (fuzzed_data_provider.ConsumeBool()) {
+ start_time = Consensus::BIP9Deployment::ALWAYS_ACTIVE;
+ always_active_test = true;
+ } else {
+ start_time = Consensus::BIP9Deployment::NEVER_ACTIVE;
+ never_active_test = true;
+ }
+ timeout = fuzzed_data_provider.ConsumeBool() ? Consensus::BIP9Deployment::NO_TIMEOUT : fuzzed_data_provider.ConsumeIntegral<int64_t>();
+ }
+ int min_activation = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, period * max_periods);
+
+ TestConditionChecker checker(start_time, timeout, period, threshold, min_activation, bit);
+
+ // Early exit if the versions don't signal sensibly for the deployment
+ if (!checker.Condition(ver_signal)) return;
+ if (checker.Condition(ver_nosignal)) return;
+ if (ver_nosignal < 0) return;
+
+ // TOP_BITS should ensure version will be positive and meet min
+ // version requirement
+ assert(ver_signal > 0);
+ assert(ver_signal >= VERSIONBITS_LAST_OLD_BLOCK_VERSION);
+
+ // Now that we have chosen time and versions, setup to mine blocks
+ Blocks blocks(block_start_time, interval, ver_signal, ver_nosignal);
+
+ /* Strategy:
+ * * we will mine a final period worth of blocks, with
+ * randomised signalling according to a mask
+ * * but before we mine those blocks, we will mine some
+ * randomised number of prior periods; with either all
+ * or no blocks in the period signalling
+ *
+ * We establish the mask first, then consume "bools" until
+ * we run out of fuzz data to work out how many prior periods
+ * there are and which ones will signal.
+ */
+
+ // establish the mask
+ const uint32_t signalling_mask = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+
+ // mine prior periods
+ while (fuzzed_data_provider.remaining_bytes() > 0) {
+ // all blocks in these periods either do or don't signal
+ bool signal = fuzzed_data_provider.ConsumeBool();
+ for (int b = 0; b < period; ++b) {
+ blocks.mine_block(signal);
+ }
+
+ // don't risk exceeding max_blocks or times may wrap around
+ if (blocks.size() + 2 * period > max_blocks) break;
+ }
+ // NOTE: fuzzed_data_provider may be fully consumed at this point and should not be used further
+
+ // now we mine the final period and check that everything looks sane
+
+ // count the number of signalling blocks
+ int blocks_sig = 0;
+
+ // get the info for the first block of the period
+ CBlockIndex* prev = blocks.tip();
+ const int exp_since = checker.GetStateSinceHeightFor(prev);
+ const ThresholdState exp_state = checker.GetStateFor(prev);
+ BIP9Stats last_stats = checker.GetStateStatisticsFor(prev);
+
+ int prev_next_height = (prev == nullptr ? 0 : prev->nHeight + 1);
+ assert(exp_since <= prev_next_height);
+
+ // mine (period-1) blocks and check state
+ for (int b = 1; b < period; ++b) {
+ const bool signal = (signalling_mask >> (b % 32)) & 1;
+ if (signal) ++blocks_sig;
+
+ CBlockIndex* current_block = blocks.mine_block(signal);
+
+ // verify that signalling attempt was interpreted correctly
+ assert(checker.Condition(current_block) == signal);
+
+ // state and since don't change within the period
+ const ThresholdState state = checker.GetStateFor(current_block);
+ const int since = checker.GetStateSinceHeightFor(current_block);
+ assert(state == exp_state);
+ assert(since == exp_since);
+
+ // GetStateStatistics may crash when state is not STARTED
+ if (state != ThresholdState::STARTED) continue;
+
+ // check that after mining this block stats change as expected
+ const BIP9Stats stats = checker.GetStateStatisticsFor(current_block);
+ assert(stats.period == period);
+ assert(stats.threshold == threshold);
+ assert(stats.elapsed == b);
+ assert(stats.count == last_stats.count + (signal ? 1 : 0));
+ assert(stats.possible == (stats.count + period >= stats.elapsed + threshold));
+ last_stats = stats;
+ }
+
+ if (exp_state == ThresholdState::STARTED) {
+ // double check that stats.possible is sane
+ if (blocks_sig >= threshold - 1) assert(last_stats.possible);
+ }
+
+ // mine the final block
+ bool signal = (signalling_mask >> (period % 32)) & 1;
+ if (signal) ++blocks_sig;
+ CBlockIndex* current_block = blocks.mine_block(signal);
+ assert(checker.Condition(current_block) == signal);
+
+ // GetStateStatistics is safe on a period boundary
+ // and has progressed to a new period
+ const BIP9Stats stats = checker.GetStateStatisticsFor(current_block);
+ assert(stats.period == period);
+ assert(stats.threshold == threshold);
+ assert(stats.elapsed == 0);
+ assert(stats.count == 0);
+ assert(stats.possible == true);
+
+ // More interesting is whether the state changed.
+ const ThresholdState state = checker.GetStateFor(current_block);
+ const int since = checker.GetStateSinceHeightFor(current_block);
+
+ // since is straightforward:
+ assert(since % period == 0);
+ assert(0 <= since && since <= current_block->nHeight + 1);
+ if (state == exp_state) {
+ assert(since == exp_since);
+ } else {
+ assert(since == current_block->nHeight + 1);
+ }
+
+ // state is where everything interesting is
+ switch (state) {
+ case ThresholdState::DEFINED:
+ assert(since == 0);
+ assert(exp_state == ThresholdState::DEFINED);
+ assert(current_block->GetMedianTimePast() < checker.m_begin);
+ break;
+ case ThresholdState::STARTED:
+ assert(current_block->GetMedianTimePast() >= checker.m_begin);
+ if (exp_state == ThresholdState::STARTED) {
+ assert(blocks_sig < threshold);
+ assert(current_block->GetMedianTimePast() < checker.m_end);
+ } else {
+ assert(exp_state == ThresholdState::DEFINED);
+ }
+ break;
+ case ThresholdState::LOCKED_IN:
+ if (exp_state == ThresholdState::LOCKED_IN) {
+ assert(current_block->nHeight + 1 < min_activation);
+ } else {
+ assert(exp_state == ThresholdState::STARTED);
+ assert(blocks_sig >= threshold);
+ }
+ break;
+ case ThresholdState::ACTIVE:
+ assert(always_active_test || min_activation <= current_block->nHeight + 1);
+ assert(exp_state == ThresholdState::ACTIVE || exp_state == ThresholdState::LOCKED_IN);
+ break;
+ case ThresholdState::FAILED:
+ assert(never_active_test || current_block->GetMedianTimePast() >= checker.m_end);
+ if (exp_state == ThresholdState::STARTED) {
+ assert(blocks_sig < threshold);
+ } else {
+ assert(exp_state == ThresholdState::FAILED);
+ }
+ break;
+ default:
+ assert(false);
+ }
+
+ if (blocks.size() >= period * max_periods) {
+ // we chose the timeout (and block times) so that by the time we have this many blocks it's all over
+ assert(state == ThresholdState::ACTIVE || state == ThresholdState::FAILED);
+ }
+
+ if (always_active_test) {
+ // "always active" has additional restrictions
+ assert(state == ThresholdState::ACTIVE);
+ assert(exp_state == ThresholdState::ACTIVE);
+ assert(since == 0);
+ } else if (never_active_test) {
+ // "never active" does too
+ assert(state == ThresholdState::FAILED);
+ assert(exp_state == ThresholdState::FAILED);
+ assert(since == 0);
+ } else {
+ // for signalled deployments, the initial state is always DEFINED
+ assert(since > 0 || state == ThresholdState::DEFINED);
+ assert(exp_since > 0 || exp_state == ThresholdState::DEFINED);
+ }
+}
+} // namespace