8 files changed, 181 insertions, 88 deletions

diff --git a/src/test/fuzz/coins_view.cpp b/src/test/fuzz/coins_view.cpp
index 360dc00307..6c96702f1e 100644
--- a/src/test/fuzz/coins_view.cpp
+++ b/src/test/fuzz/coins_view.cpp
@@ -10,7 +10,6 @@
 #include <consensus/tx_verify.h>
 #include <consensus/validation.h>
 #include <key.h>
-#include <node/coinstats.h>
 #include <policy/policy.h>
 #include <primitives/transaction.h>
 #include <pubkey.h>
@@ -26,10 +25,6 @@
 #include <string>
 #include <vector>
 
-using node::CCoinsStats;
-using node::CoinStatsHashType;
-using node::GetUTXOStats;
-
 namespace {
 const TestingSetup* g_setup;
 const Coin EMPTY_COIN{};
@@ -270,16 +265,6 @@ FUZZ_TARGET_INIT(coins_view, initialize_coins_view)
                 (void)GetTransactionSigOpCost(transaction, coins_view_cache, flags);
             },
             [&] {
-                CCoinsStats stats{CoinStatsHashType::HASH_SERIALIZED};
-                bool expected_code_path = false;
-                try {
-                    (void)GetUTXOStats(&coins_view_cache, g_setup->m_node.chainman->m_blockman, stats);
-                } catch (const std::logic_error&) {
-                    expected_code_path = true;
-                }
-                assert(expected_code_path);
-            },
-            [&] {
                 (void)IsWitnessStandard(CTransaction{random_mutable_transaction}, coins_view_cache);
             });
     }
diff --git a/src/test/fuzz/miniscript.cpp b/src/test/fuzz/miniscript.cpp
new file mode 100644
index 0000000000..6be75322b4
--- /dev/null
+++ b/src/test/fuzz/miniscript.cpp
@@ -0,0 +1,167 @@
+// Copyright (c) 2021 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <core_io.h>
+#include <hash.h>
+#include <key.h>
+#include <script/miniscript.h>
+#include <script/script.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <util/strencodings.h>
+
+namespace {
+
+//! Some pre-computed data for more efficient string roundtrips.
+struct TestData {
+    typedef CPubKey Key;
+
+    // Precomputed public keys.
+    std::vector<Key> dummy_keys;
+    std::map<Key, int> dummy_key_idx_map;
+    std::map<CKeyID, Key> dummy_keys_map;
+
+    //! Set the precomputed data.
+    void Init() {
+        unsigned char keydata[32] = {1};
+        for (size_t i = 0; i < 256; i++) {
+            keydata[31] = i;
+            CKey privkey;
+            privkey.Set(keydata, keydata + 32, true);
+            const Key pubkey = privkey.GetPubKey();
+
+            dummy_keys.push_back(pubkey);
+            dummy_key_idx_map.emplace(pubkey, i);
+            dummy_keys_map.insert({pubkey.GetID(), pubkey});
+        }
+    }
+} TEST_DATA;
+
+/**
+ * Context to parse a Miniscript node to and from Script or text representation.
+ * Uses an integer (an index in the dummy keys array from the test data) as keys in order
+ * to focus on fuzzing the Miniscript nodes' test representation, not the key representation.
+ */
+struct ParserContext {
+    typedef CPubKey Key;
+
+    bool KeyCompare(const Key& a, const Key& b) const {
+        return a < b;
+    }
+
+    std::optional<std::string> ToString(const Key& key) const
+    {
+        auto it = TEST_DATA.dummy_key_idx_map.find(key);
+        if (it == TEST_DATA.dummy_key_idx_map.end()) return {};
+        uint8_t idx = it->second;
+        return HexStr(Span{&idx, 1});
+    }
+
+    template<typename I>
+    std::optional<Key> FromString(I first, I last) const {
+        if (last - first != 2) return {};
+        auto idx = ParseHex(std::string(first, last));
+        if (idx.size() != 1) return {};
+        return TEST_DATA.dummy_keys[idx[0]];
+    }
+
+    template<typename I>
+    std::optional<Key> FromPKBytes(I first, I last) const {
+        Key key;
+        key.Set(first, last);
+        if (!key.IsValid()) return {};
+        return key;
+    }
+
+    template<typename I>
+    std::optional<Key> FromPKHBytes(I first, I last) const {
+        assert(last - first == 20);
+        CKeyID keyid;
+        std::copy(first, last, keyid.begin());
+        const auto it = TEST_DATA.dummy_keys_map.find(keyid);
+        if (it == TEST_DATA.dummy_keys_map.end()) return {};
+        return it->second;
+    }
+} PARSER_CTX;
+
+//! Context that implements naive conversion from/to script only, for roundtrip testing.
+struct ScriptParserContext {
+    //! For Script roundtrip we never need the key from a key hash.
+    struct Key {
+        bool is_hash;
+        std::vector<unsigned char> data;
+    };
+
+    bool KeyCompare(const Key& a, const Key& b) const {
+        return a.data < b.data;
+    }
+
+    const std::vector<unsigned char>& ToPKBytes(const Key& key) const
+    {
+        assert(!key.is_hash);
+        return key.data;
+    }
+
+    const std::vector<unsigned char> ToPKHBytes(const Key& key) const
+    {
+        if (key.is_hash) return key.data;
+        const auto h = Hash160(key.data);
+        return {h.begin(), h.end()};
+    }
+
+    template<typename I>
+    std::optional<Key> FromPKBytes(I first, I last) const
+    {
+        Key key;
+        key.data.assign(first, last);
+        key.is_hash = false;
+        return key;
+    }
+
+    template<typename I>
+    std::optional<Key> FromPKHBytes(I first, I last) const
+    {
+        Key key;
+        key.data.assign(first, last);
+        key.is_hash = true;
+        return key;
+    }
+} SCRIPT_PARSER_CONTEXT;
+
+} // namespace
+
+void FuzzInit()
+{
+    ECC_Start();
+    TEST_DATA.Init();
+}
+
+/* Fuzz tests that test parsing from a string, and roundtripping via string. */
+FUZZ_TARGET_INIT(miniscript_string, FuzzInit)
+{
+    FuzzedDataProvider provider(buffer.data(), buffer.size());
+    auto str = provider.ConsumeRemainingBytesAsString();
+    auto parsed = miniscript::FromString(str, PARSER_CTX);
+    if (!parsed) return;
+
+    const auto str2 = parsed->ToString(PARSER_CTX);
+    assert(str2);
+    auto parsed2 = miniscript::FromString(*str2, PARSER_CTX);
+    assert(parsed2);
+    assert(*parsed == *parsed2);
+}
+
+/* Fuzz tests that test parsing from a script, and roundtripping via script. */
+FUZZ_TARGET(miniscript_script)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    const std::optional<CScript> script = ConsumeDeserializable<CScript>(fuzzed_data_provider);
+    if (!script) return;
+
+    const auto ms = miniscript::FromScript(*script, SCRIPT_PARSER_CONTEXT);
+    if (!ms) return;
+
+    assert(ms->ToScript(SCRIPT_PARSER_CONTEXT) == *script);
+}
diff --git a/src/test/fuzz/miniscript_decode.cpp b/src/test/fuzz/miniscript_decode.cpp
deleted file mode 100644
index 4cc0a1be8f..0000000000
--- a/src/test/fuzz/miniscript_decode.cpp
+++ /dev/null
@@ -1,72 +0,0 @@
-// Copyright (c) 2022 The Bitcoin Core developers
-// Distributed under the MIT software license, see the accompanying
-// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-#include <core_io.h>
-#include <hash.h>
-#include <key.h>
-#include <script/miniscript.h>
-#include <script/script.h>
-#include <span.h>
-#include <test/fuzz/FuzzedDataProvider.h>
-#include <test/fuzz/fuzz.h>
-#include <test/fuzz/util.h>
-#include <util/strencodings.h>
-
-#include <optional>
-
-using miniscript::operator""_mst;
-
-
-struct Converter {
-    typedef CPubKey Key;
-
-    bool ToString(const Key& key, std::string& ret) const {
-        ret = HexStr(key);
-        return true;
-    }
-    const std::vector<unsigned char> ToPKBytes(const Key& key) const {
-        return {key.begin(), key.end()};
-    }
-    const std::vector<unsigned char> ToPKHBytes(const Key& key) const {
-        const auto h = Hash160(key);
-        return {h.begin(), h.end()};
-    }
-
-    template<typename I>
-    bool FromString(I first, I last, Key& key) const {
-        const auto bytes = ParseHex(std::string(first, last));
-        key.Set(bytes.begin(), bytes.end());
-        return key.IsValid();
-    }
-    template<typename I>
-    bool FromPKBytes(I first, I last, CPubKey& key) const {
-        key.Set(first, last);
-        return key.IsValid();
-    }
-    template<typename I>
-    bool FromPKHBytes(I first, I last, CPubKey& key) const {
-        assert(last - first == 20);
-        return false;
-    }
-};
-
-const Converter CONVERTER;
-
-FUZZ_TARGET(miniscript_decode)
-{
-    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
-    const std::optional<CScript> script = ConsumeDeserializable<CScript>(fuzzed_data_provider);
-    if (!script) return;
-
-    const auto ms = miniscript::FromScript(*script, CONVERTER);
-    if (!ms) return;
-
-    // We can roundtrip it to its string representation.
-    std::string ms_str;
-    assert(ms->ToString(CONVERTER, ms_str));
-    assert(*miniscript::FromString(ms_str, CONVERTER) == *ms);
-    // The Script representation must roundtrip since we parsed it this way the first time.
-    const CScript ms_script = ms->ToScript(CONVERTER);
-    assert(ms_script == *script);
-}
diff --git a/src/test/fuzz/rpc.cpp b/src/test/fuzz/rpc.cpp
index 03a84b697d..e4e83c3f32 100644
--- a/src/test/fuzz/rpc.cpp
+++ b/src/test/fuzz/rpc.cpp
@@ -128,6 +128,7 @@ const std::vector<std::string> RPC_COMMANDS_SAFE_FOR_FUZZING{
     "getmempoolancestors",
     "getmempooldescendants",
     "getmempoolentry",
+    "gettxspendingprevout",
     "getmempoolinfo",
     "getmininginfo",
     "getnettotals",
diff --git a/src/test/fuzz/tx_out.cpp b/src/test/fuzz/tx_out.cpp
index 39a50b6c80..a2421ff582 100644
--- a/src/test/fuzz/tx_out.cpp
+++ b/src/test/fuzz/tx_out.cpp
@@ -4,6 +4,7 @@
 
 #include <consensus/validation.h>
 #include <core_memusage.h>
+#include <policy/feerate.h>
 #include <policy/policy.h>
 #include <primitives/transaction.h>
 #include <streams.h>
diff --git a/src/test/fuzz/tx_pool.cpp b/src/test/fuzz/tx_pool.cpp
index 771d7a11cb..4f40608c4f 100644
--- a/src/test/fuzz/tx_pool.cpp
+++ b/src/test/fuzz/tx_pool.cpp
@@ -97,7 +97,7 @@ void Finish(FuzzedDataProvider& fuzzed_data_provider, MockedTxPool& tx_pool, CCh
         BlockAssembler::Options options;
         options.nBlockMaxWeight = fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BLOCK_WEIGHT);
         options.blockMinFeeRate = CFeeRate{ConsumeMoney(fuzzed_data_provider, /*max=*/COIN)};
-        auto assembler = BlockAssembler{chainstate, *static_cast<CTxMemPool*>(&tx_pool), options};
+        auto assembler = BlockAssembler{chainstate, &tx_pool, options};
         auto block_template = assembler.CreateNewBlock(CScript{} << OP_TRUE);
         Assert(block_template->block.vtx.size() >= 1);
     }
diff --git a/src/test/fuzz/util.cpp b/src/test/fuzz/util.cpp
index 033c6e18d5..883698aff1 100644
--- a/src/test/fuzz/util.cpp
+++ b/src/test/fuzz/util.cpp
@@ -223,6 +223,15 @@ bool FuzzedSock::Wait(std::chrono::milliseconds timeout, Event requested, Event*
     return true;
 }
 
+bool FuzzedSock::WaitMany(std::chrono::milliseconds timeout, EventsPerSock& events_per_sock) const
+{
+    for (auto& [sock, events] : events_per_sock) {
+        (void)sock;
+        events.occurred = m_fuzzed_data_provider.ConsumeBool() ? events.requested : 0;
+    }
+    return true;
+}
+
 bool FuzzedSock::IsConnected(std::string& errmsg) const
 {
     if (m_fuzzed_data_provider.ConsumeBool()) {
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
index 3fc6fa1cd5..66d00b1767 100644
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -71,6 +71,8 @@ public:
 
     bool Wait(std::chrono::milliseconds timeout, Event requested, Event* occurred = nullptr) const override;
 
+    bool WaitMany(std::chrono::milliseconds timeout, EventsPerSock& events_per_sock) const override;
+
     bool IsConnected(std::string& errmsg) const override;
 };