tests: Add fuzzing harness for CScript and CScriptNum operations #18176

practicalswift commented at 7:23 PM on February 18, 2020: contributor

Add fuzzing harness for CScript and CScriptNum operations.

Test this PR using:

$ make distclean
$ ./autogen.sh
$ CC=clang CXX=clang++ ./configure --enable-fuzz \
      --with-sanitizers=address,fuzzer,undefined
$ make
$ src/test/fuzz/script_ops
…
$ src/test/fuzz/scriptnum_ops
…

practicalswift force-pushed on Feb 18, 2020

DrahtBot added the label Build system on Feb 18, 2020

DrahtBot added the label Tests on Feb 18, 2020

MarcoFalke removed the label Build system on Feb 18, 2020

MarcoFalke commented at 7:51 PM on February 18, 2020: member

ACK 0730ac98c61f895893d40cb0fdff4cd7339a11b0

DrahtBot commented at 9:30 PM on February 18, 2020: member

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

No conflicts as of last run.

practicalswift force-pushed on Feb 19, 2020

practicalswift renamed this:
~~tests: Add fuzzing harness for CScript operations~~
tests: Add fuzzing harness for CScript and CScriptNum operations
on Feb 19, 2020

practicalswift commented at 4:52 PM on February 19, 2020: contributor

@MarcoFalke Added CScriptNum fuzzer too. Moved common functions to fuzz.h. Please re-review :)

practicalswift force-pushed on Feb 19, 2020

practicalswift force-pushed on Feb 26, 2020

in src/test/fuzz/scriptnum_ops.cpp:37 in f137f64cde outdated

  32 | +        switch (fuzzed_data_provider.ConsumeIntegralInRange(0, 26)) {
  33 | +        case 0:
  34 | +            (void)(script_num == fuzzed_data_provider.ConsumeIntegral<int64_t>());
  35 | +            break;
  36 | +        case 1:
  37 | +            (void)(script_num != fuzzed_data_provider.ConsumeIntegral<int64_t>());

MarcoFalke commented at 10:19 PM on March 7, 2020:

Can combine case 0 and 1?

const auto int = fuzzed_data_provider.ConsumeIntegral<int64_t>()
(script_num == int) != (script_num != int)

practicalswift commented at 4:57 PM on March 9, 2020:

Fixed!

in src/test/fuzz/scriptnum_ops.cpp:46 in f137f64cde outdated

  41 | +            break;
  42 | +        case 3:
  43 | +            (void)(script_num < fuzzed_data_provider.ConsumeIntegral<int64_t>());
  44 | +            break;
  45 | +        case 4:
  46 | +            (void)(script_num >= fuzzed_data_provider.ConsumeIntegral<int64_t>());

MarcoFalke commented at 10:19 PM on March 7, 2020:

Same here:

(s_n < int) != (s_n >= int)

practicalswift commented at 4:58 PM on March 9, 2020:

Fixed!

in src/test/fuzz/scriptnum_ops.cpp:49 in f137f64cde outdated

  44 | +            break;
  45 | +        case 4:
  46 | +            (void)(script_num >= fuzzed_data_provider.ConsumeIntegral<int64_t>());
  47 | +            break;
  48 | +        case 5:
  49 | +            (void)(script_num > fuzzed_data_provider.ConsumeIntegral<int64_t>());

MarcoFalke commented at 10:20 PM on March 7, 2020:

Same here:

(s_n > int ) != (s_n <= int)

practicalswift commented at 4:57 PM on March 9, 2020:

Fixed!

in src/test/fuzz/scriptnum_ops.cpp:67 in f137f64cde outdated

  62 | +            break;
  63 | +        case 10:
  64 | +            (void)(script_num >= ConsumeScriptNum(fuzzed_data_provider));
  65 | +            break;
  66 | +        case 11:
  67 | +            (void)(script_num > ConsumeScriptNum(fuzzed_data_provider));

MarcoFalke commented at 10:20 PM on March 7, 2020:

Same for all of these

practicalswift commented at 4:58 PM on March 9, 2020:

Fixed!

in src/test/fuzz/scriptnum_ops.cpp:73 in f137f64cde outdated

  68 | +            break;
  69 | +        case 12:
  70 | +            script_num = script_num + fuzzed_data_provider.ConsumeIntegral<int64_t>();
  71 | +            break;
  72 | +        case 13:
  73 | +            script_num = script_num - fuzzed_data_provider.ConsumeIntegral<int64_t>();

MarcoFalke commented at 10:22 PM on March 7, 2020:

Could combine these?

(script_num - int ) + int == script_num
(script_num + int ) - int == script_num

practicalswift commented at 4:57 PM on March 9, 2020:

Fixed!

in src/test/fuzz/scriptnum_ops.cpp:79 in f137f64cde outdated

  74 | +            break;
  75 | +        case 14:
  76 | +            script_num = script_num + ConsumeScriptNum(fuzzed_data_provider);
  77 | +            break;
  78 | +        case 15:
  79 | +            script_num = script_num - ConsumeScriptNum(fuzzed_data_provider);

MarcoFalke commented at 10:23 PM on March 7, 2020:

Same here and below?

practicalswift commented at 4:57 PM on March 9, 2020:

Fixed!

MarcoFalke approved

MarcoFalke commented at 10:25 PM on March 7, 2020: member

ACK

practicalswift force-pushed on Mar 9, 2020

practicalswift commented at 4:58 PM on March 9, 2020: contributor

@MarcoFalke Thanks for reviewing. All feedback addressed. Please re-review :)

DrahtBot added the label Needs rebase on Mar 9, 2020

tests: Add common Consume* fuzzing functions eb7c50ca1f

tests: Add fuzzing harness for CScript operations 65a52a0024

practicalswift force-pushed on Mar 9, 2020

practicalswift commented at 7:25 PM on March 9, 2020: contributor

Rebased again :)

in src/test/fuzz/scriptnum_ops.cpp:37 in 4532649328 outdated

  40 | +            assert((script_num <= i) != script_num > i);
  41 | +            break;
  42 | +        }
  43 | +        case 2: {
  44 | +            const int64_t i = fuzzed_data_provider.ConsumeIntegral<int64_t>();
  45 | +            assert((script_num >= i) != (script_num < i));

MarcoFalke commented at 8:08 PM on March 9, 2020:

in commit 4532649328ad5056f9ae2bf99f3aba2212bdc785:

Any reason those are separate cases for the fuzzer to find? They can all be executed in the same case:

             assert((script_num == i) != (script_num != i));
             assert((script_num <= i) != script_num > i);
             assert((script_num >= i) != (script_num < i));

practicalswift commented at 8:40 PM on March 9, 2020:

Oh, of course. Now fixed. Thanks!

in src/test/fuzz/scriptnum_ops.cpp:60 in 4532649328 outdated

  55 | +            assert((script_num <= sn) != (script_num > sn));
  56 | +            break;
  57 | +        }
  58 | +        case 5: {
  59 | +            const CScriptNum sn = ConsumeScriptNum(fuzzed_data_provider);
  60 | +            assert((script_num >= sn) != (script_num < sn));

MarcoFalke commented at 8:08 PM on March 9, 2020:

Same here

in src/test/fuzz/scriptnum_ops.cpp:82 in 4532649328 outdated

  77 | +        case 7: {
  78 | +            const CScriptNum sn = ConsumeScriptNum(fuzzed_data_provider);
  79 | +            // Avoid signed integer overflow:
  80 | +            // script/script.h:264:93: runtime error: signed integer overflow: -9223126527765971126 + -9223372036854756825 cannot be represented in type 'long'
  81 | +            if (IsValidAddition(script_num, sn)) {
  82 | +                assert((script_num + sn) - sn == script_num);

MarcoFalke commented at 8:11 PM on March 9, 2020:

Same here

in src/test/fuzz/scriptnum_ops.cpp:160 in 4532649328 outdated

 155 | +            // Avoid negation failure:
 156 | +            // script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
 157 | +            if (script_num == CScriptNum{std::numeric_limits<int64_t>::min()}) {
 158 | +                break;
 159 | +            }
 160 | +            (void)script_num.getvch();

MarcoFalke commented at 8:13 PM on March 9, 2020:

Also in commit 4532649:

No input is consumed from the fuzzer, so this doesn't need to be special cased and can be executed unconditionally?

practicalswift commented at 8:40 PM on March 9, 2020:

True! Fixed.

MarcoFalke approved

MarcoFalke commented at 8:14 PM on March 9, 2020: member

ACK ad040fc2a503a0a5c7097dfe8aa6d341901436d9 👦

<details><summary>Show signature and timestamp</summary>

Signature:

Timestamp of file with hash 009db7b3b5d4284568143d3ed9fcbb2849ef578b5853b7f040cd0dd8c4f64f5f -

</details>

tests: Add fuzzing harness for CScriptNum operations e7ddbd9893

Make lifetime correctness easier to see (avoid reference lifetime extension) e37f53648e

practicalswift force-pushed on Mar 9, 2020

DrahtBot removed the label Needs rebase on Mar 9, 2020

MarcoFalke commented at 3:01 AM on March 10, 2020: member

ACK e37f53648e3acc6aea75adafec4de2bdbd8cb293 🦂

<details><summary>Show signature and timestamp</summary>

Signature:

Timestamp of file with hash de3f5a712c02cb66b6ad6e76c0ec5a38c880d09962e085e811ec889daf153c65 -

</details>

MarcoFalke merged this on Mar 10, 2020

MarcoFalke closed this on Mar 10, 2020

sidhujag referenced this in commit 779929e7d8 on Mar 11, 2020

sidhujag referenced this in commit cdb0fd7821 on Nov 10, 2020

Fabcien referenced this in commit 829a5e64a8 on Jan 19, 2021

practicalswift deleted the branch on Apr 10, 2021

kittywhiskers referenced this in commit 99f7cb8537 on May 7, 2022

kittywhiskers referenced this in commit d25b4b381f on May 7, 2022

kittywhiskers referenced this in commit d096c9e8d2 on Jun 14, 2022

kittywhiskers referenced this in commit d59f912263 on Jun 14, 2022

kittywhiskers referenced this in commit a28b3141f6 on Jun 18, 2022

kittywhiskers referenced this in commit ce5b149c68 on Jul 4, 2022

kittywhiskers referenced this in commit b6199c79fb on Jul 4, 2022

kittywhiskers referenced this in commit a1808aa93f on Jul 6, 2022

kittywhiskers referenced this in commit f319ddbe85 on Jul 6, 2022

PastaPastaPasta referenced this in commit eefdae1a53 on Jul 12, 2022

knst referenced this in commit 0a9addaff7 on Jul 21, 2022

DrahtBot locked this on Aug 18, 2022