fuzz: Remove incorrect float round-trip serialization test #21929

pull MarcoFalke wants to merge 1 commits into bitcoin:master from MarcoFalke:2105-fuzzFloat changing 1 files +0 −4
  1. MarcoFalke commented at 12:46 PM on May 12, 2021: member

    It tests the wrong way of the round-trip: int -> float -> int, but only float -> int -> float is allowed and used. See also src/test/fuzz/float.cpp.

    Hopefully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34118

  2. fuzz: Remove incorrect float round-trip serialization test fae814c9a6
  3. fanquake added the label Tests on May 12, 2021
  4. MarcoFalke commented at 3:18 PM on May 12, 2021: member

    @elichai on 32-bit you can reproduce this yourself in a few seconds:

    $ FUZZ=integer ./src/test/fuzz/fuzz  
    INFO: Seed: 2184836021
    INFO: Loaded 1 modules   (187658 inline 8-bit counters): 187658 [0x584f7ee8, 0x58525bf2), 
    INFO: Loaded 1 PC tables (187658 PCs): 187658 [0x58525bf4,0x58694444), 
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    fuzz: test/fuzz/integer.cpp:128: void integer_fuzz_target(FuzzBufferType): Assertion `ser_float_to_uint32(f) == u32' failed.
    ==59359== ERROR: libFuzzer: deadly signal
        #0 0x5723786b in __sanitizer_print_stack_trace (/bitcoin/src/test/fuzz/fuzz+0xc6786b)
        #1 0x571decf6 in fuzzer::PrintStackTrace() (/bitcoin/src/test/fuzz/fuzz+0xc0ecf6)
        #2 0x571c920e in fuzzer::Fuzzer::CrashCallback() (/bitcoin/src/test/fuzz/fuzz+0xbf920e)
        #3 0x571c91ae in fuzzer::Fuzzer::StaticCrashSignalCallback() (/bitcoin/src/test/fuzz/fuzz+0xbf91ae)
        #4 0x571df255 in fuzzer::CrashHandler(int, siginfo_t*, void*) (/bitcoin/src/test/fuzz/fuzz+0xc0f255)
    LLVMSymbolizer: error reading file: No such file or directory
        #5 0xf7faa57f  (linux-gate.so.1+0x57f)
        #6 0xf7faa558  (linux-gate.so.1+0x558)
        #7 0xf7aa9335 in raise (/lib32/libc.so.6+0x35335)
        #8 0xf7a913f6 in abort (/lib32/libc.so.6+0x1d3f6)
        #9 0xf7a912ba  (/lib32/libc.so.6+0x1d2ba)
        #10 0xf7aa0ece in __assert_fail (/lib32/libc.so.6+0x2cece)
        #11 0x5738a20b in integer_fuzz_target(Span<unsigned char const>) (/bitcoin/src/test/fuzz/fuzz+0xdba20b)
        #12 0x5723a630 in std::_Function_handler<void (Span<unsigned char const>), void (*)(Span<unsigned char const>)>::_M_invoke(std::_Any_data const&, Span<unsigned char const>&&) (/bitcoin/src/test/fuzz/fuzz+0xc6a630)
        #13 0x57db5762 in std::function<void (Span<unsigned char const>)>::operator()(Span<unsigned char const>) const (/bitcoin/src/test/fuzz/fuzz+0x17e5762)
        #14 0x57db55c9 in LLVMFuzzerTestOneInput (/bitcoin/src/test/fuzz/fuzz+0x17e55c9)
        #15 0x571ca57b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) (/bitcoin/src/test/fuzz/fuzz+0xbfa57b)
        #16 0x571c9ee0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool*) (/bitcoin/src/test/fuzz/fuzz+0xbf9ee0)
        #17 0x571cb488 in fuzzer::Fuzzer::MutateAndTestOne() (/bitcoin/src/test/fuzz/fuzz+0xbfb488)
        #18 0x571cbde4 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/bitcoin/src/test/fuzz/fuzz+0xbfbde4)
        #19 0x571bd408 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) (/bitcoin/src/test/fuzz/fuzz+0xbed408)
        #20 0x571df487 in main (/bitcoin/src/test/fuzz/fuzz+0xc0f487)
        #21 0xf7a92ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)
        #22 0x57196094 in _start (/bitcoin/src/test/fuzz/fuzz+0xbc6094)
    
    NOTE: libFuzzer has rudimentary signal handlers.
          Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    MS: 1 InsertRepeatedBytes-; base unit: dbb4fcdda5e893b1e393c937cb45e0d31191df56
    0xa,0x1,0x0,0x0,0x3,0xff,0xa,0x1,0x0,0x0,0x3,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa,0x1,0xf5,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x9b,0xff,0xff,0x0,0x0,0x7e,0x0,0x0,0xff,0xff,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
    \x0a\x01\x00\x00\x03\xff\x0a\x01\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x01\xf5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\x9b\xff\xff\x00\x00~\x00\x00\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00
    artifact_prefix='./'; Test unit written to ./crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
    Base64: CgEAAAP/CgEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoB9QAAAAAAAAAAAAAAAP+b//8AAH4AAP//AAAAAAAAAAA=
    
  5. practicalswift commented at 9:07 PM on May 12, 2021: contributor

    > Hopefully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34118

    That URL is not publicly accessible. I think you forgot to make it public :)

  6. MarcoFalke commented at 7:26 AM on May 13, 2021: member

    I don't plan to make them public, but instead try to include all relevant information in the pull request itself. A bot will make them public the day after they are fixed.

  7. practicalswift commented at 8:37 AM on May 14, 2021: contributor

    What is the reason that the input file crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a triggers the assertion failure under 32-bit only? IIRC the integer harness reads fixed width integer types only.

    FWIW:

    $ uname -o -i
    x86_64 GNU/Linux
    $ echo -n 'CgEAAAP/CgEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoB9QAAAAAAAAAAAAAAAP+b//8AAH4AAP//AAAAAAAAAAA=' | base64 -d > crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
    $ shasum crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
    09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a  crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
    $ FUZZ=integer src/test/fuzz/fuzz crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 3741142330
    INFO: Loaded 1 modules   (373000 inline 8-bit counters): 373000 [0x5574a26b89a8, 0x5574a2713ab0),
    INFO: Loaded 1 PC tables (373000 PCs): 373000 [0x5574a2713ab0,0x5574a2cc4b30),
    src/test/fuzz/fuzz: Running 1 inputs 1 time(s) each.
    Running: crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
    Executed crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a in 1 ms
    ***
    *** NOTE: fuzzing was not performed, you have only
    ***       executed the target code on a fixed set of inputs.
    ***
    
    $ echo $?
    0
    

    > That URL is not publicly accessible. I think you forgot to make it public :)

    > I don't plan to make them public, but instead try to include all relevant information in the pull request itself. A bot will make them public the day after they are fixed.

    OK, then it works as intended :)

  8. MarcoFalke commented at 9:06 AM on May 14, 2021: member

    > What is the reason that the input file crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a triggers the assertion failure under 32-bit only?

    I have no idea. While it might be interesting to know, this isn't relevant to this pull.

    • The code paths test code that isn't used in production
    • The code paths test the wrong round-trip way
    • There is no reason to believe that any bit array of 32-bits/64-bits is a valid and unique representation of a float/double
    • Whereas the converse is true: Any float/double serialized to 32-bits/64-bits can always be represented in an unsigned integer of the same size

    Any of the reasons above is enough to remove the test here. Feel free to pick just the ones you like.

  9. MarcoFalke commented at 9:13 AM on May 14, 2021: member

    For example, 4288413440 and 4292607744 both represent a float of -nan. I have no idea if any or none of the representations are invalid.

  10. laanwj commented at 10:12 AM on May 14, 2021: member

    Though it is somehow surprising to see here (this does nothing with the value, just memcpying), FPU operations are not guaranteed to keep the bit pattern the same. Even if that is just loading a value and storing it again.

    To be honest I wish we could get rid of floating point in the serialization code completely.

    Anyhow, ACK fae814c9a6c8ce4822f1fc6b88cfbbde7cc2d49c

  11. laanwj merged this on May 14, 2021
  12. laanwj closed this on May 14, 2021

  13. MarcoFalke deleted the branch on May 14, 2021
  14. sidhujag referenced this in commit e77df577eb on May 14, 2021
  15. practicalswift commented at 6:48 PM on May 16, 2021: contributor

    Post-merge ACK fae814c9a6c8ce4822f1fc6b88cfbbde7cc2d49c

    I'd love to understand exactly why the assertion failure is 32-bit only but so far I've been unsuccessful at recreating this issue locally which rules out any in-depth practical investigation.

  16. MarcoFalke commented at 7:10 PM on May 16, 2021: member

    This is trivial to reproduce locally:

    $ cat 1.cpp
    
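    #include <cstdint>
    #include <cstring>
    #include <iostream>
    
    int main() {
      uint32_t a{4288413440};  // input bit pattern
      float b;
      std::memcpy(&b, &a, sizeof(a));  // reinterpret the bits as a float
      float c = b;  // plain float copy (a load and a store)
      uint32_t d;
      std::memcpy(&d, &c, sizeof(c));  // read the bits back out
      std::cout << b << std::endl;
      std::cout << a << std::endl;
      std::cout << d << std::endl;
    }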
    
    
    
    $ g++ -m32  1.cpp -o exe && ./exe 
    -nan
    4288413440
    4292607744
    
    
    
    $ g++ -m64  1.cpp -o exe && ./exe 
    -nan
    4288413440
    4288413440
    
    
  17. sipa commented at 7:13 PM on May 16, 2021: member

    Is it just NaNs that get changed? Because that's not unexpected. For non-NaN it would surprise me

  18. MarcoFalke commented at 7:16 PM on May 16, 2021: member

    I should have printed in order. It is

    • 4288413440 -> -nan -> 4292607744 (32-bit)
    • 4288413440 -> -nan -> 4288413440 (64-bit)
  19. sipa commented at 7:20 PM on May 16, 2021: member

    @MarcoFalke This may be a result of 32-bit code using 387 instructions, and 64-bit code using SSE instructions for floating point. They may not behave identically.

    If you're really curious, you could try compiling with -mfpmath=387 in 64-bit mode, or with -mfpmath=sse -msse in 32-bit mode.

  20. practicalswift commented at 7:29 PM on May 16, 2021: contributor

    Thanks @MarcoFalke. I didn't catch that the assertion failure was g++ -O0 only (in addition to -m32).

    FWIW:

    $ for C in g++ clang++; do
        for M in 32 64; do
          for O in 0 1 2 3; do
            echo "$C -m${M} -O${O}: "
            $C -m${M} -O${O} 1.cpp -o exe
            ./exe
            echo
          done
        done
      done
    g++ -m32 -O0:
    -nan
    4288413440
    4292607744
    
    g++ -m32 -O1:
    -nan
    4288413440
    4288413440
    
    g++ -m32 -O2:
    -nan
    4288413440
    4288413440
    
    g++ -m32 -O3:
    -nan
    4288413440
    4288413440
    
    g++ -m64 -O0:
    -nan
    4288413440
    4288413440
    
    g++ -m64 -O1:
    -nan
    4288413440
    4288413440
    
    g++ -m64 -O2:
    -nan
    4288413440
    4288413440
    
    g++ -m64 -O3:
    -nan
    4288413440
    4288413440
    
    clang++ -m32 -O0:
    -nan
    4288413440
    4288413440
    
    clang++ -m32 -O1:
    -nan
    4288413440
    4288413440
    
    clang++ -m32 -O2:
    -nan
    4288413440
    4288413440
    
    clang++ -m32 -O3:
    -nan
    4288413440
    4288413440
    
    clang++ -m64 -O0:
    -nan
    4288413440
    4288413440
    
    clang++ -m64 -O1:
    -nan
    4288413440
    4288413440
    
    clang++ -m64 -O2:
    -nan
    4288413440
    4288413440
    
    clang++ -m64 -O3:
    -nan
    4288413440
    4288413440
    
  21. MarcoFalke commented at 7:30 PM on May 16, 2021: member
    $ g++ -m64 -mfpmath=387  1.cpp -o exe && ./exe 
    -nan
    4288413440
    4292607744
    
    
    $ g++ -m32 -mfpmath=sse   1.cpp -o exe && ./exe 
    cc1plus: warning: SSE instruction set disabled, using 387 arithmetics
    -nan
    4288413440
    4292607744
    
    
    $ clang++ -m32 -mfpmath=sse   1.cpp -o exe && ./exe 
    -nan
    4288413440
    4288413440
    
    
  22. practicalswift commented at 8:09 PM on May 16, 2021: contributor

    Assertion failures:

    g++ -m32 -O0 -mfpmath=387: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
    g++ -m32 -O0 -mfpmath=sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
    g++ -m64 -O0 -mfpmath=387: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
    clang++ -m32 -O0 -mfpmath=387 -mno-sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
    clang++ -m32 -O0 -mfpmath=sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
    clang++ -m32 -O1 -mfpmath=387 -mno-sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
    clang++ -m32 -O1 -mfpmath=sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
    

    Other combinations of {g,clang}++ -m{32,64} -O{0,1,2,3,s,fast} -mfpmath={387,sse} seem to non-fail :)

    $ g++ --version
    g++ 7.5.0
    $ clang++ --version
    clang version 12.0.0
    
  23. PastaPastaPasta referenced this in commit d045b0d849 on Mar 13, 2022
  24. gwillen referenced this in commit 7d5047620a on Jun 1, 2022
  25. DrahtBot locked this on Aug 16, 2022
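
Added example, not part of the pull request or of Bitcoin Core: the two values from the thread decoded as IEEE 754 binary32 bit patterns. They differ only in bit 22, the quiet bit, which an x87 load sets when it is handed a signaling NaN; that is why an int -> float -> int check can fail while float -> int -> float still holds. All function and constant names are hypothetical.

```cpp
// Added example (not Bitcoin Core code); every name below is hypothetical.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// IEEE 754 binary32 layout: 1 sign bit, 8 exponent bits, 23 fraction bits.
constexpr uint32_t kExpMask = 0x7F800000u;
constexpr uint32_t kFracMask = 0x007FFFFFu;
constexpr uint32_t kQuietBit = 0x00400000u; // top fraction bit (bit 22)

enum class Kind { Number, QuietNaN, SignalingNaN };

// Classify a raw bit pattern using integer operations only, so the result
// does not depend on which FPU instructions the compiler emits.
Kind Classify(uint32_t bits)
{
    const bool is_nan = (bits & kExpMask) == kExpMask && (bits & kFracMask) != 0;
    if (!is_nan) return Kind::Number; // finite, zero, subnormal or infinity
    return (bits & kQuietBit) ? Kind::QuietNaN : Kind::SignalingNaN;
}

uint32_t FloatToBits(float f)
{
    uint32_t bits;
    std::memcpy(&bits, &f, sizeof(bits));
    return bits;
}

float BitsToFloat(uint32_t bits)
{
    float f;
    std::memcpy(&f, &bits, sizeof(f));
    return f;
}

// Bit pattern after a NaN-quieting load: a signaling NaN gets its quiet bit
// set, every other pattern is unchanged.
uint32_t Quieted(uint32_t bits)
{
    return Classify(bits) == Kind::SignalingNaN ? (bits | kQuietBit) : bits;
}

// int -> float -> int can only be asserted up to NaN quieting.
bool BitsSurviveModuloQuieting(uint32_t in, uint32_t out)
{
    return out == in || out == Quieted(in);
}

// float -> int -> float, the direction serialization relies on: the value
// must survive, and a NaN only has to stay a NaN.
bool FloatRoundTrips(float f)
{
    const float g = BitsToFloat(FloatToBits(f));
    if (std::isnan(f)) return std::isnan(g);
    return FloatToBits(g) == FloatToBits(f);
}

int main()
{
    const uint32_t in = 4288413440u;  // value fed to the harness in the thread
    const uint32_t out = 4292607744u; // value read back with g++ -m32 -O0
    std::printf("in  = 0x%08X signaling=%d\n", (unsigned)in,
                Classify(in) == Kind::SignalingNaN);
    std::printf("out = 0x%08X quiet=%d\n", (unsigned)out,
                Classify(out) == Kind::QuietNaN);
    std::printf("xor = 0x%08X\n", (unsigned)(in ^ out));
    std::printf("explained by quieting: %d\n", BitsSurviveModuloQuieting(in, out));
    return 0;
}
```
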

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-16 18:14 UTC