tests: Add fuzzing harness for bloom filter classes (CBloomFilter + CRollingBloomFilter) #18206

pull practicalswift wants to merge 2 commits into bitcoin:master from practicalswift:fuzzers-bloom_filter changing 5 files +187 −1
  1. practicalswift commented at 8:17 AM on February 25, 2020: contributor

    Add fuzzing harness for bloom filter classes (CBloomFilter + CRollingBloomFilter).

    Test this PR using:

    $ make distclean
    $ ./autogen.sh
    $ CC=clang CXX=clang++ ./configure --enable-fuzz \
          --with-sanitizers=address,fuzzer,undefined
    $ make
    $ src/test/fuzz/bloom_filter
    …
    $ src/test/fuzz/rolling_bloom_filter
    …
    
  2. fanquake added the label Tests on Feb 25, 2020
  3. DrahtBot commented at 1:01 PM on February 25, 2020: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #18190 (tests: Add fuzzing harness for Golomb-Rice coding (GolombRiceEncode/GolombRiceDecode) by practicalswift)
    • #18176 (tests: Add fuzzing harness for CScript and CScriptNum operations by practicalswift)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  4. in src/test/fuzz/bloom_filter.cpp:60 in d5d40e2e26 outdated
      55 | +        case 4: {
      56 | +            const Optional<COutPoint> out_point = ConsumeDeserializable<COutPoint>(fuzzed_data_provider);
      57 | +            if (!out_point) {
      58 | +                break;
      59 | +            }
      60 | +            (void)bloom_filter.contains(*out_point);
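
    Review bot: the result of contains() on line 60 is thrown away with (void), so this case can only surface crashes and sanitizer reports, never a wrong answer. Consider inserting the deserialized COutPoint first and asserting the lookup, the way line 47 of this file already does with assert(present), so the no-false-negative property is checked for this type as well.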
    


    MarcoFalke commented at 2:56 PM on February 25, 2020:

    Why does this need to be a different fuzzer-instructed path? I'd guess it would be simpler and more efficient to call this as the first step in case 1


    practicalswift commented at 4:53 PM on February 25, 2020:

    Good point. Fixed!

  5. in src/test/fuzz/bloom_filter.cpp:68 in d5d40e2e26 outdated
      63 | +        case 5: {
      64 | +            const Optional<uint256> u256 = ConsumeDeserializable<uint256>(fuzzed_data_provider);
      65 | +            if (!u256) {
      66 | +                break;
      67 | +            }
      68 | +            (void)bloom_filter.contains(*u256);
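
    Review bot: lines 63-68 repeat the case 4 body with only the type changed from COutPoint to uint256 (consume, break on failure, discard contains()). A small helper templated on the type would keep the two paths from drifting apart and leaves one place to add an assertion on the result.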
    


    MarcoFalke commented at 2:56 PM on February 25, 2020:

    Same

  6. in src/test/fuzz/bloom_filter.cpp:52 in d5d40e2e26 outdated
      47 | +            assert(present);
      48 | +            break;
      49 | +        }
      50 | +        case 3: {
      51 | +            const std::vector<unsigned char>& b = ConsumeRandomLengthByteVector(fuzzed_data_provider);
      52 | +            (void)bloom_filter.contains(b);
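
    Review bot: on line 51, b is declared as const std::vector<unsigned char>& but initialised from a function call; if ConsumeRandomLengthByteVector returns by value, this only works through temporary lifetime extension. Declaring it as a plain const std::vector<unsigned char> reads the same and does not rely on that rule.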
    


    MarcoFalke commented at 2:56 PM on February 25, 2020:

    Same

  7. in src/test/fuzz/bloom_filter.cpp:20 in d5d40e2e26 outdated
      15 | +
      16 | +void test_one_input(const std::vector<uint8_t>& buffer)
      17 | +{
      18 | +    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
      19 | +
      20 | +    CBloomFilter bloom_filter{fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(1, 10000000), 1.0 / fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(1, std::numeric_limits<unsigned int>::max()), fuzzed_data_provider.ConsumeIntegral<unsigned int>(), static_cast<unsigned char>(fuzzed_data_provider.PickValueInArray({BLOOM_UPDATE_NONE, BLOOM_UPDATE_ALL, BLOOM_UPDATE_P2PUBKEY_ONLY, BLOOM_UPDATE_MASK}))};
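
    Review bot: line 20 depends on the left-to-right evaluation guarantee of braced initialization to keep a stable mapping from input bytes to the four constructor arguments; if the braces are ever changed to parentheses, the order of the Consume… calls becomes unspecified and existing corpus entries may stop reproducing. Pulling each call into a named const local before constructing bloom_filter makes the order explicit and also resolves the line-length problem.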
    


    MarcoFalke commented at 2:57 PM on February 25, 2020:

    I know that our clang-format allows infinite length lines. But in editors that don't line-wrap this is really hard to read. Maybe add a newline after each ,?

  8. in src/test/fuzz/bloom_filter.cpp:78 in d5d40e2e26 outdated
      73 | +            break;
      74 | +        case 7:
      75 | +            bloom_filter.reset(fuzzed_data_provider.ConsumeIntegral<unsigned int>());
      76 | +            break;
      77 | +        case 8:
      78 | +            (void)bloom_filter.IsWithinSizeConstraints();
    


    MarcoFalke commented at 2:59 PM on February 25, 2020:

    Why does this need to be fuzzer-instructed? More coverage can be achieved by calling it unconditionally.

  9. in src/test/fuzz/fuzz.h:13 in d5d40e2e26 outdated
       9 | +#include <attributes.h>
      10 | +#include <optional.h>
      11 | +#include <serialize.h>
      12 | +#include <streams.h>
      13 | +#include <test/fuzz/FuzzedDataProvider.h>
      14 | +#include <test/fuzz/fuzz.h>
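
    Review bot: line 14 has fuzz.h include <test/fuzz/fuzz.h>, that is, itself. The BITCOIN_TEST_FUZZ_FUZZ_H guard makes this a no-op, but it should be dropped so the include list reflects real dependencies only.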
    


    MarcoFalke commented at 3:02 PM on February 25, 2020:

    Why include itself?

  10. in src/test/fuzz/fuzz.h:10 in d5d40e2e26 outdated
       4 | @@ -5,10 +5,39 @@
       5 |  #ifndef BITCOIN_TEST_FUZZ_FUZZ_H
       6 |  #define BITCOIN_TEST_FUZZ_FUZZ_H
       7 |  
       8 | -#include <stdint.h>
       9 | +#include <attributes.h>
      10 | +#include <optional.h>
      11 | +#include <serialize.h>
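
    Review bot: line 8 removes #include <stdint.h> while the new includes are added in its place. If anything declared in this header still uses fixed-width types such as uint8_t, it now depends on one of the new headers pulling them in transitively; keep <stdint.h> (or <cstdint>) so the header stays self-contained.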
    


    MarcoFalke commented at 3:03 PM on February 25, 2020:

    This header takes a long time to parse, but not every fuzz target is using it. It might reduce compile time to put the fuzzedDataProvider helpers in a new module (header) and keep this header the raw and minimal "main fuzz header"


    practicalswift commented at 5:06 PM on February 25, 2020:

    Good point. Now fixed.

  11. in src/test/fuzz/rolling_bloom_filter.cpp:49 in d5d40e2e26 outdated
      44 | +        case 3: {
      45 | +            const Optional<uint256> u256 = ConsumeDeserializable<uint256>(fuzzed_data_provider);
      46 | +            if (!u256) {
      47 | +                break;
      48 | +            }
      49 | +            (void)rolling_bloom_filter.contains(*u256);
    


    MarcoFalke commented at 3:05 PM on February 25, 2020:

    Why does this need to be a different fuzzer-instructed path? I'd guess it would be simpler and more efficient to call this as the first step in case 1

  12. in src/test/fuzz/rolling_bloom_filter.cpp:41 in d5d40e2e26 outdated
      36 | +            assert(present);
      37 | +            break;
      38 | +        }
      39 | +        case 2: {
      40 | +            const std::vector<unsigned char>& b = ConsumeRandomLengthByteVector(fuzzed_data_provider);
      41 | +            (void)rolling_bloom_filter.contains(b);
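
    Review bot: the invariant on line 36 is enforced with assert(present), which is compiled out if the fuzz binary is ever built with NDEBUG defined, silently turning the check into a no-op. Worth confirming that the fuzz build cannot define NDEBUG, or using an explicit check that aborts regardless.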
    


    MarcoFalke commented at 3:05 PM on February 25, 2020:

    Same

  13. MarcoFalke approved
  14. MarcoFalke commented at 3:05 PM on February 25, 2020: member

    ACK

  15. practicalswift force-pushed on Feb 25, 2020
  16. tests: Add fuzzing harness for bloom filter class CBloomFilter 2a6a6ea0f5
  17. tests: Add fuzzing harness for rolling bloom filter class CRollingBloomFilter eabbbe409f
  18. practicalswift force-pushed on Feb 25, 2020
  19. practicalswift commented at 5:11 PM on February 25, 2020: contributor

    @MarcoFalke Thanks for reviewing. Good feedback! All points addressed - please re-review :)

  20. MarcoFalke commented at 7:37 PM on February 25, 2020: member

    ACK eabbbe409f397e97b1e6fad7385d9d1813ae2880 🤞

    <details><summary>Show signature and timestamp</summary>

    Signature:


    Timestamp of file with hash 6fe8d1c8528304d7c8bc08ad9e3af6e5c9f2a116bb4b9ad3ff899c36e90eb082 -

    </details>

  21. MarcoFalke merged this on Feb 25, 2020
  22. MarcoFalke closed this on Feb 25, 2020

  23. practicalswift deleted the branch on Apr 10, 2021
  24. kittywhiskers referenced this in commit 41b1baf8e8 on Feb 27, 2022
  25. kittywhiskers referenced this in commit 26c17bcc72 on Feb 27, 2022
  26. kittywhiskers referenced this in commit 3ebc5d9a30 on Feb 28, 2022
  27. kittywhiskers referenced this in commit 37a70ab8ff on Feb 28, 2022
  28. kittywhiskers referenced this in commit d190a2aacc on Feb 28, 2022
  29. kittywhiskers referenced this in commit 8699fa18cb on Mar 13, 2022
  30. kittywhiskers referenced this in commit 0a3abbe3a9 on Mar 24, 2022
  31. kittywhiskers referenced this in commit bc25f29eec on Mar 24, 2022
  32. PastaPastaPasta referenced this in commit bf458b161c on Mar 29, 2022
  33. DrahtBot locked this on Aug 18, 2022

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.