fuzz: check that ser+unser produces the same AddrMan #21129

pull vasild wants to merge 2 commits into bitcoin:master from vasild:fuzz_addrman_serunser changing 2 files +215 −11
  1. vasild commented at 4:12 pm on February 9, 2021: member

    Add a fuzz test that fills addrman with a pile of randomly generated addresses, serializes it to a stream, unserializes the stream to another addrman object and compares the two.

    Some discussion of this already happened at https://github.com/jnewbery/bitcoin/pull/18.

  2. DrahtBot added the label Tests on Feb 9, 2021
  3. practicalswift commented at 8:53 pm on February 10, 2021: contributor
    Concept ACK: very nice fuzzing work @vasild! :)
  4. practicalswift commented at 8:59 pm on February 28, 2021: contributor

    Tested ACK b0f06d04c1a57b3b440ebccf8482fcee124b6337

    Thanks for improving our fuzzing harnesses @vasild! :)

  5. jonatack commented at 9:05 pm on February 28, 2021: member
    Concept ACK
  6. adamjonas commented at 6:01 pm on April 27, 2021: member

    Tested b0f06d0 with FUZZ=addrman src/test/fuzz/fuzz qa-assets/fuzz_seed_corpus/addrman

    0INFO: Seed: 66461418
1INFO: Loaded 1 modules   (442033 inline 8-bit counters): 442033 [0x562796653cc0, 0x5627966bfb71),
2INFO: Loaded 1 PC tables (442033 PCs): 442033 [0x5627966bfb78,0x562796d7e688),
3INFO:     3980 files found in qa-assets/fuzz_seed_corpus/addrman
4INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
5INFO: seed corpus: files: 3980 min: 1b max: 1048576b total: 46509329b rss: 109Mb
6[#512](/bitcoin-bitcoin/512/)    pulse  cov: 4448 ft: 10018 corp: 209/12622b exec/s: 256 rss: 132Mb
7[#1024](/bitcoin-bitcoin/1024/)   pulse  cov: 4989 ft: 16253 corp: 342/26Kb exec/s: 128 rss: 154Mb
8...

    Works as expected.

  7. DrahtBot commented at 3:00 am on May 24, 2021: member

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #20233 (addrman: Make consistency checks a runtime option by jnewbery)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  8. DrahtBot added the label Needs rebase on May 27, 2021
  9. vasild force-pushed on May 28, 2021
  10. vasild commented at 12:35 pm on May 28, 2021: member
    b0f06d04c1...0de22a097e: rebase due to conflicts
  11. jonatack commented at 1:26 pm on May 28, 2021: member
    ACK 0de22a097e89af200d1c6125ba7e5c71fa71e53e
  12. DrahtBot removed the label Needs rebase on May 28, 2021
  13. practicalswift commented at 3:10 pm on May 28, 2021: contributor
    re-ACK 0de22a097e89af200d1c6125ba7e5c71fa71e53e
  14. DrahtBot added the label Needs rebase on Jul 22, 2021
  15. in src/test/fuzz/addrman.cpp:54 in 0de22a097e outdated 
    52+        const uint8_t net = insecure_rand.randrange(6) + 1; // [1..6]
53+
54+        CDataStream s(SER_NETWORK, PROTOCOL_VERSION | ADDRV2_FORMAT);
55+
56+        s << net;
57+        s << insecure_rand.randbytes(net_len_map.at(net));
    MarcoFalke commented at 9:05 am on July 24, 2021:

    Wouldn’t it be better to read the address from the fuzz input? Fuzz input isn’t uniform and thus can easier reach edge-cases like 000000, which would be non-trivial or next to impossible with a uniform distribution over a large enough range.

    Also, how is this different from ConsumeNetAddr?

    vasild commented at 11:38 am on July 26, 2021:

    The problem with consuming addresses directly from the fuzz input is that it is limited in size. This test needs 1000s of addresses. What happened in practice was that some random addresses were consumed followed by 1000s of all-zero addresses due to the fuzzing input being exhausted.

    That is the main difference from ConsumeNetAddr().

    MarcoFalke commented at 12:00 pm on July 26, 2021:
    Maybe add a few fuzzed addresses and fill up the rest with synthetic ones?
    vasild commented at 3:55 pm on July 26, 2021:
    Right. The fuzzed provider is not used for anything after consuming the pile of addresses, so it is ok to fully exhaust it. Once it is exhausted, start generating ones from insecure_rand.
  16. MarcoFalke approved
  17. vasild force-pushed on Jul 26, 2021
  18. vasild commented at 3:56 pm on July 26, 2021: member
    0de22a097e...fe9401b75d: rebase due to conflicts and address review suggestion
  19. in src/test/fuzz/addrman.cpp:49 in fe9401b75d outdated 
    45+     * Generate a random address. Always returns a valid address.
46+     */
47+    CNetAddr RandAddr()
48+    {
49+        CNetAddr addr;
50+        if (m_fuzzed_data_provider.remaining_bytes() > 0) {
    MarcoFalke commented at 4:07 pm on July 26, 2021:

    Maybe allow the fuzz engine to flip-flop between the two branches, if possible?

    0        if (m_fuzzed_data_provider.ConsumeBool()) {
    vasild commented at 4:42 pm on July 26, 2021:

    Even better!

    Kept the remaining_bytes() check for clarity (it will still work without it because ConsumeBool() would always return false once fuzz input is exhausted but that would be somewhat unclear/obscure).

  20. jnewbery commented at 4:27 pm on July 26, 2021: member
    Concept ACK
  21. vasild force-pushed on Jul 26, 2021
  22. vasild commented at 4:40 pm on July 26, 2021: member
    fe9401b75d...2fe1efa94c: address review suggestion
  23. DrahtBot removed the label Needs rebase on Jul 26, 2021
  24. DrahtBot added the label Needs rebase on Aug 2, 2021
  25. fuzz: move init code to the CAddrManDeterministic constructor 
    Move the addrman init code from the test case to a newly added
`CAddrManDeterministic` constructor. This way it can be reused by other
tests.
    6408b24517
  26. vasild force-pushed on Aug 2, 2021
  27. vasild commented at 12:52 pm on August 2, 2021: member
    2fe1efa94c...1f00d22e12: rebase due to conflicts
  28. DrahtBot removed the label Needs rebase on Aug 2, 2021
  29. vasild force-pushed on Aug 2, 2021
  30. fuzz: check that ser+unser produces the same AddrMan 87651795d8
  31. vasild force-pushed on Aug 4, 2021
  32. vasild commented at 4:26 pm on August 4, 2021: member
    6d5e55e755...87651795d8: fix locking in the test’s RandAddr(), optimize addrman comparison (3-4x speedup!) and reduce the size of addrmans to avoid tests running so long as to cause a timeout.
  33. jonatack commented at 5:30 pm on August 4, 2021: member

    optimize addrman comparison (3-4x speedup!) and reduce the size of addrmans to avoid tests running so long as to cause a timeout.

    Nice!

  34. practicalswift commented at 9:17 pm on August 4, 2021: contributor
    cr ACK 87651795d8622d354f8e3c481eb868d9433b841c
  35. in src/test/fuzz/addrman.cpp:93 in 87651795d8 
    91+        // Add some of the addresses directly to the "tried" table.
92+
93+        // 0, 1, 2, 3 corresponding to 0%, 100%, 50%, 33%
94+        const size_t n = m_fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 3);
95+
96+        const size_t num_sources = m_fuzzed_data_provider.ConsumeIntegralInRange<size_t>(10, 50);
    MarcoFalke commented at 10:27 am on August 5, 2021:
    Is there a reason to exclude num_sources == 1?
    vasild commented at 4:47 pm on August 5, 2021:
    No.
  36. jonatack commented at 1:17 pm on August 5, 2021: member
    ACK 87651795d8622d354f8e3c481eb868d9433b841c rebased to current master, reviewed, fuzz build, ran FUZZ=addrman_serdeser src/test/fuzz/fuzz
  37. MarcoFalke merged this on Aug 5, 2021
  38. MarcoFalke closed this on Aug 5, 2021
  39. sidhujag referenced this in commit 4b71afc3d6 on Aug 5, 2021
  40. vasild deleted the branch on Aug 5, 2021
  41. vasild referenced this in commit 7b63f26845 on Aug 5, 2021
  42. in src/test/fuzz/addrman.cpp:104 in 87651795d8 
    102+            const size_t num_addresses = insecure_rand.randrange(500) + 1; // [1..500]
103+
104+            for (size_t j = 0; j < num_addresses; ++j) {
105+                const auto addr = CAddress{CService{RandAddr(), 8333}, NODE_NETWORK};
106+                const auto time_penalty = insecure_rand.randrange(100000001);
107+#if 1
    jnewbery commented at 9:24 am on September 8, 2021:
    What is this for?
    vasild commented at 10:10 am on September 9, 2021:
    Change it to #if 0 to enable the equivalent #else branch which is much shorter and clear, but also slower. The #else snippet also shows what the faster snippet is trying to achieve by “manually” fiddling with addrman internals.
  43. laanwj referenced this in commit 7f7bd3111c on Sep 20, 2021
  44. sidhujag referenced this in commit 07fd7af727 on Sep 21, 2021
  45. DrahtBot locked this on Oct 30, 2022


vasild practicalswift jonatack adamjonas DrahtBot MarcoFalke jnewbery

Labels
Tests

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-07-03 13:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me