Fuzz: extend CConnman tests #28584

pull vasild wants to merge 7 commits into bitcoin:master from vasild:fuzz_connman changing 15 files +281 −66
  1. vasild commented at 11:27 am on October 4, 2023: contributor

    Extend CConnman fuzz tests to also exercise the methods OpenNetworkConnection(), CreateNodeFromAcceptedSocket(), InitBinds() and SocketHandler().

    Previously fuzzing those methods would have resulted in real socket functions being called in the operating system which is undesirable during fuzzing. Now that #21878 is complete all those are mocked to a fuzzed socket and a fuzzed DNS resolver (see how CreateSock and g_dns_lookup are replaced in the first commit).

  2. DrahtBot commented at 11:27 am on October 4, 2023: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/28584.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    Concept ACK dergoegge
    Stale ACK brunoerg, jonatack

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #30988 (Split CConnman by vasild)
    • #30381 ([WIP] net: return result from addnode RPC by willcl-ark)
    • #29641 (scripted-diff: Use LogInfo over LogPrintf [WIP, NOMERGE, DRAFT] by maflcko)
    • #29415 (Broadcast own transactions only via short-lived Tor or I2P connections by vasild)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  3. DrahtBot added the label Tests on Oct 4, 2023
  4. dergoegge commented at 11:48 am on October 4, 2023: member
    Concept ACK
  5. dergoegge commented at 2:07 pm on October 4, 2023: member

    The cpu utilization of this target doesn’t look great, i suspect this is due to timeouts/sleeps e.g.: https://github.com/bitcoin/bitcoin/blob/db7b5dfcc502a8a81c51f56fe753990ae8b3a202/src/net.cpp#L2099

    Would be nice to address that (maybe in a follow up).

    Here is a preliminary coverage report: https://dergoegge.github.io/bitcoin-coverage/pr28584/fuzz.coverage/index.html (I’ll update this after fuzzing for longer). Looks good to me as the target alone now has more coverage (by line count) in net.cpp than our coverage on master with all targets.

  6. DrahtBot added the label CI failed on Oct 4, 2023
  7. brunoerg commented at 10:24 pm on October 4, 2023: contributor
    Concept ACK
  8. DrahtBot removed the label CI failed on Oct 5, 2023
  9. vasild commented at 10:33 am on October 5, 2023: contributor

    @dergoegge, thanks for looking into this!

    The cpu utilization of this target doesn’t look great

    How did you measure? I guess it should be possible to mock CConnman::interruptNet so that its sleep_for() method returns immediately.

  10. dergoegge commented at 10:48 am on October 5, 2023: member

    How did you measure?

    Eyeballing htop this target only achieves about 10% - 30% per core on my machine.

    I guess it should be possible to mock CConnman::interruptNet so that its sleep_for() method returns immediately.

    Sounds good to me.

  11. vasild commented at 11:50 am on October 5, 2023: contributor
    When I run FUZZ=connman ./src/test/fuzz/fuzz it is single CPU/single threaded and it stays at 98%-100% CPU all the time. It is the same in master. Does it get executed on >1 cores for you?
  12. dergoegge commented at 10:34 am on October 6, 2023: member

    When I run FUZZ=connman ./src/test/fuzz/fuzz it is single CPU/single threaded and it stays at 98%-100% CPU all the time.

    For how long did you run this? The fuzzer needs to first find inputs that trigger sleep_for for you to be able to observe the problem. I have tested this on two machines now and the result is always the same.

    Does it get executed on >1 cores for you?

    You can let libfuzzer run on multiple cores with either -jobs=<num cpus> or -fork=<num cpus>. I prefer fork since it also includes a minimization step.

  13. vasild commented at 9:40 am on October 11, 2023: contributor

    I guess it should be possible to mock CConnman::interruptNet so that its sleep_for() method returns immediately.

    Another use-case for that mock: #28635:

    If the test suite could mock the delay in ThreadOpenAddedConnections

  14. DrahtBot added the label Needs rebase on Jan 9, 2024
  15. vasild force-pushed on Jan 17, 2024
  16. DrahtBot removed the label Needs rebase on Jan 17, 2024
  17. vasild commented at 8:40 am on January 18, 2024: contributor
    20a9fc83bd...cd5bbb12e0: rebase due to conflicts
  18. in src/test/fuzz/connman.cpp:165 in b1b74a13ad outdated 
    159@@ -160,6 +160,15 @@ FUZZ_TARGET(connman, .init = initialize_connman)
160                     /*strDest=*/fuzzed_data_provider.ConsumeBool() ? nullptr : random_string.c_str(),
161                     /*conn_type=*/conn_type,
162                     /*use_v2transport=*/fuzzed_data_provider.ConsumeBool());
163+            },
164+            [&] {
165+                connman.SetNetworkActive(true);
    brunoerg commented at 1:01 pm on February 2, 2024:
    In b1b74a13adb8e943d90fbe56c4a706b0ae91335a: nit: I don’t think to set network active here is a must, we could fuzz it with both network active and inactive.
    vasild commented at 1:38 pm on February 4, 2024:
    Right, done!
  19. in src/test/fuzz/util/net.h:105 in d923b86264 outdated 
    100+{
101+    std::vector<CService> ret;
102+    const size_t size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size);
103+    ret.reserve(size);
104+    for (size_t i = 0; i < size; ++i) {
105+        ret.emplace_back(ConsumeNetAddr(fuzzed_data_provider),
    brunoerg commented at 1:19 pm on February 2, 2024:

    In d923b86264df93ad86c7bd557b9970e156585dc7: You could use ConsumeService into ConsumeServiceVector.

     0diff --git a/src/test/fuzz/util/net.h b/src/test/fuzz/util/net.h
 1index a97017555d..78e61b51d9 100644
 2--- a/src/test/fuzz/util/net.h
 3+++ b/src/test/fuzz/util/net.h
 4@@ -102,8 +102,7 @@ inline std::vector<CService> ConsumeServiceVector(FuzzedDataProvider& fuzzed_dat
 5     const size_t size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size);
 6     ret.reserve(size);
 7     for (size_t i = 0; i < size; ++i) {
 8-        ret.emplace_back(ConsumeNetAddr(fuzzed_data_provider),
 9-                         fuzzed_data_provider.ConsumeIntegral<uint16_t>());
10+        ret.emplace_back(ConsumeService(fuzzed_data_provider));
11     }
12     return ret;
13 }
    vasild commented at 1:38 pm on February 4, 2024:
    Done, thanks!
  20. vasild force-pushed on Feb 4, 2024
  21. vasild commented at 1:38 pm on February 4, 2024: contributor
    cd5bbb12e0...5e3c80da14: address suggestions
  22. brunoerg approved
  23. brunoerg commented at 5:03 pm on February 5, 2024: contributor
    utACK 5e3c80da1473f90406b84c1ba14dc563ce4d2853
  24. DrahtBot requested review from dergoegge on Feb 5, 2024
  25. DrahtBot added the label CI failed on Mar 13, 2024
  26. DrahtBot commented at 11:59 pm on March 13, 2024: contributor

    🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

    Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    Leave a comment here, if you need help tracking down a confusing failure.

    Debug: https://github.com/bitcoin/bitcoin/runs/21199329709

  27. vasild force-pushed on Mar 27, 2024
  28. vasild commented at 6:01 pm on March 27, 2024: contributor
    5e3c80da14...6d9083b249: rebase due to silent merge conflict
  29. DrahtBot removed the label CI failed on Mar 28, 2024
  30. brunoerg approved
  31. brunoerg commented at 11:53 am on April 30, 2024: contributor
    reACK 6d9083b249376d503621da7980ef7ae02e690e0b
  32. DrahtBot added the label CI failed on Jun 22, 2024
  33. DrahtBot commented at 11:23 am on June 22, 2024: contributor

    🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

    Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    Leave a comment here, if you need help tracking down a confusing failure.

    Debug: https://github.com/bitcoin/bitcoin/runs/23166298024

  34. vasild force-pushed on Jun 25, 2024
  35. vasild commented at 3:39 pm on June 25, 2024: contributor
    6d9083b249...45f4dbe484: rebase due to conflicts
  36. DrahtBot removed the label CI failed on Jun 25, 2024
  37. vasild force-pushed on Jun 26, 2024
  38. vasild commented at 6:46 am on June 26, 2024: contributor
    45f4dbe484...655a2cf666: the previous push resolved the merge conflict in a too late commit, causing the “test each commit” CI job to fail
  39. vasild force-pushed on Sep 2, 2024
  40. vasild commented at 2:48 pm on September 2, 2024: contributor
    655a2cf666...99b1f88fe8: rebase to pick CMake
  41. DrahtBot added the label CI failed on Sep 12, 2024
  42. DrahtBot removed the label CI failed on Sep 15, 2024
  43. achow101 requested review from brunoerg on Oct 15, 2024
  44. DrahtBot added the label CI failed on Oct 25, 2024
  45. DrahtBot removed the label CI failed on Oct 25, 2024
  46. DrahtBot added the label Needs rebase on Oct 25, 2024
  47. vasild force-pushed on Nov 6, 2024
  48. vasild commented at 10:53 am on November 6, 2024: contributor

    99b1f88fe8...cf83f0c14c: rebase due to conflicts and mock the sleeps

    I guess it should be possible to mock CConnman::interruptNet so that its sleep_for() method returns immediately.

    Sounds good to me.

    Done. CThreadInterrupt can now be mocked in other tests as well. Thanks for the suggestion, @dergoegge!

  49. in src/test/fuzz/util/threadinterrupt.cpp:21 in cf83f0c14c outdated 
    14+    return m_fuzzed_data_provider.ConsumeBool();
15+}
16+
17+bool FuzzedThreadInterrupt::sleep_for(Clock::duration)
18+{
19+    return m_fuzzed_data_provider.ConsumeBool();
    dergoegge commented at 10:59 am on November 6, 2024:
    Perhaps in a follow up we can make mocktime accurate to the millisecond and then advance it here to simulate an actual sleep.
    vasild commented at 12:59 pm on November 6, 2024:

    I like simulating some time passage here.

    Changing static std::atomic<std::chrono::seconds> g_mock_time{}; to a finer precision is indeed out of the scope here.

    Following a discussion on IRC I checked that indeed the time is frozen already for fuzz tests so calling SetMockTime() here is not going to freeze it (since it is already frozen). I added:

    0SetMockTime(ConsumeTime(m_fuzzed_data_provider)); // Time could go backwards.

    It could end up increasing the time more than the argument to sleep_for() but this might happen during normal operation, so is a good exercise.

    It could end up with the time going backwards. If this is undesirable then this may be changed to something like:

    0SetMockTime(NodeClock::now() + ConsumeIntegralInRange(0, the_argument_to_sleep_for * 2));
  50. DrahtBot removed the label Needs rebase on Nov 6, 2024
  51. DrahtBot added the label CI failed on Nov 6, 2024
  52. DrahtBot commented at 12:43 pm on November 6, 2024: contributor

    🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/32589451018

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

  53. vasild force-pushed on Nov 6, 2024
  54. vasild commented at 1:00 pm on November 6, 2024: contributor
    cf83f0c...c97d496: simulate time passage from FuzzedThreadInterrupt::sleep_for() and (hopefully) fix CI
  55. DrahtBot removed the label CI failed on Nov 6, 2024
  56. jonatack commented at 10:20 pm on November 19, 2024: member
    utACK c97d49628a78aac9a65f2bd1ddc733b0b425090b
  57. DrahtBot requested review from dergoegge on Nov 19, 2024
  58. vasild force-pushed on Nov 28, 2024
  59. vasild commented at 2:29 pm on November 28, 2024: contributor
    c97d49628a...687a9af2a8: include #31316 as first commit here. It fixes a problem in master with FuzzedSock::Accept() which might be triggered by the tests added in this PR.
  60. dergoegge commented at 10:15 am on December 9, 2024: member 
    0$ echo "XGQtSi1YAIIkp/8D/yQtJCRYq/9YSv///95cXFz//gABQQAAAABcXCVcXP9cZVxcXFxcXGP//2FkZHL/bWVya2xlYjpISEhISFgjSlgAAQAADABJMCEgIf//5wD+AAsA/wAA/////wAAAQDdAAAAAAAAAAAQAAAJAAAARQD4LgAAABD//gAA/PoAAAAA9v8EAP2n/wP/XGVcXFxcXFxj//8A5wD+AAsA/wD8ZPwjAA==" | base64 --decode > connman.crash
1$ FUZZ=connman fuzz connman.crash
2==9344==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5b532b2c62 bp 0x7ffe2ed01cb0 sp 0x7ffe2ed01468 T9344)
  61. vasild force-pushed on Dec 10, 2024
  62. vasild commented at 10:17 am on December 10, 2024: contributor

    Oops, ConsumeBytes() could return less bytes than requested :facepalm: :face_with_head_bandage:

    Fixed:

    687a9af2a8...33ffe74302: #31316 (comment)

    Thanks!

  63. dergoegge commented at 11:21 am on December 10, 2024: member

    Please rebase on #31235, fuzzing otherwise leads to:

    0$ echo "VlZWVlZWVlZWVlZWVhZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWACWcAFwEAAAAZVz9f61hY2v/XHP8BIAI/1z9IiIiIyIiIiIiIiIAIgAACwAAPQ8AAAAAAAAnD29ja3R4AAUAAAAAAAQAAAAAAAAAAAEAAAAAAAAAACAAAAAAOAAAAAAAAAAAAAAAAAAAKm90aAD//wAA//8BAwAAAAAAAAAAAAAAAAAAAND///8AIQAAAAAAACEAAAQAIQAAAAAAXAAAACEAAAARAP8/bH7//wAAAHkAAAAAAAD/ACf/AIN5eVwMAAAAOgHe+6Oj24ejdHgIfmNjY2NjhYWFhY9yYwAAAN6JB/t5eXl5eXl5eXkDAwMAAAAAAAAAAAD+Mf/77zoBAAEAACf/AIN5eVwMAAAAOgEAAUB139773977o6PbeXl5eXl5ef4x///vOgEAAQAAkBEBAQAACH5+fiFcZXYlYWNrAP8hdmX/BXRgY2sHN2hlYWRlcnMAAAAAAAAAUAABAQAkmwAhAEAEAAAAAAAAAND/////////////AAA=" | base64 --decode > connman2.crash
1$ FUZZ=connman fuzz connman2.crash
2==27516==ERROR: MemorySanitizer: requested allocation size 0x23d7999a4970a3a8 exceeds maximum supported size of 0x10000000000

    Additionally:

     0$ echo "XGRYSlgAgiQkLSQkXSQkJCRYq/9YSv///95cXFwBAAABAAAAAVxcXFz/fGVcXFxcXGNoMWVjRUVFRUX+//9F/0VFdGtw//8HCgAAAAAA5gAAADAhICH//+cA/gALAP8AAP////8AAAEA3QAAAAAAAAAAAAAAAAAA////+gAAAAAQ//4AAPz6AAAAAPb/BAD9p/8D/wcAAAAAADchICH//+cA/gALAP8A/Pz8AxA=" | base64 --decode > connman3.crash
 1$ FUZZ=connman fuzz connman3.crash
 2==247==WARNING: MemorySanitizer: use-of-uninitialized-value
 3    [#0](/bitcoin-bitcoin/0/) 0x55adc01e655c in CService::SetSockAddr(sockaddr const*) /workdir/bitcoin/build_fuzz/src/./netaddress.cpp:812:5
 4    [#1](/bitcoin-bitcoin/1/) 0x55adc12ba012 in GetBindAddress(Sock const&) /workdir/bitcoin/build_fuzz/src/./net.cpp:382:19
 5    [#2](/bitcoin-bitcoin/2/) 0x55adc12ddb12 in CConnman::AcceptConnection(CConnman::ListenSocket const&) /workdir/bitcoin/build_fuzz/src/./net.cpp:1722:51
 6    [#3](/bitcoin-bitcoin/3/) 0x55adc12ed808 in CConnman::SocketHandlerListening(std::__1::unordered_map<std::__1::shared_ptr<Sock const>, Sock::Events, Sock::HashSharedPtrSock, Sock::EqualSharedPtrSock, std::__1::allocator<std::__1::pair<std::__1::shared_ptr<Sock const> const, Sock::Events>>> const&) /workdir/bitcoin/build_fuzz/src/./net.cpp:2160:13
 7    [#4](/bitcoin-bitcoin/4/) 0x55adc12e9d48 in CConnman::SocketHandler() /workdir/bitcoin/build_fuzz/src/./net.cpp:2053:5
 8    [#5](/bitcoin-bitcoin/5/) 0x55adbf82d129 in ConnmanTestMsg::SocketHandlerPublic() /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/util/net.h:85:9
 9    [#6](/bitcoin-bitcoin/6/) 0x55adbf82d129 in connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_26::operator()() const /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/fuzz/connman.cpp:211:25
10    [#7](/bitcoin-bitcoin/7/) 0x55adbf82d129 in unsigned long CallOneOf<connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_19, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_20, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_21, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_22, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_23, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_24, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_25, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_26>(FuzzedDataProvider&, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_19, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_20, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_21, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_22, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_23, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_24, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_25, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_26) /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/fuzz/util.h:42:27
11    [#8](/bitcoin-bitcoin/8/) 0x55adbf82d129 in connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>) /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/fuzz/connman.cpp:94:9
12    [#9](/bitcoin-bitcoin/9/) 0x55adbf5200a5 in decltype(std::declval<void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>)>()(std::declval<std::__1::span<unsigned char const, 18446744073709551615ul>>())) std::__1::__invoke[abi:de190104]<void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>>(void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__type_traits/invoke.h:149:25
13    [#10](/bitcoin-bitcoin/10/) 0x55adbf5200a5 in void std::__1::__invoke_void_return_wrapper<void, true>::__call[abi:de190104]<void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>>(void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__type_traits/invoke.h:224:5
14    [#11](/bitcoin-bitcoin/11/) 0x55adbf5200a5 in std::__1::__function::__alloc_func<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::allocator<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>)>, void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()[abi:de190104](std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__functional/function.h:171:12
15    [#12](/bitcoin-bitcoin/12/) 0x55adbf5200a5 in std::__1::__function::__func<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::allocator<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>)>, void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()(std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__functional/function.h:313:10
16    [#13](/bitcoin-bitcoin/13/) 0x55adc0034ce2 in std::__1::__function::__value_func<void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()[abi:de190104](std::__1::span<unsigned char const, 18446744073709551615ul>&&) const /libcxx_msan/include/c++/v1/__functional/function.h:430:12
17    [#14](/bitcoin-bitcoin/14/) 0x55adc0034ce2 in std::__1::function<void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()(std::__1::span<unsigned char const, 18446744073709551615ul>) const /libcxx_msan/include/c++/v1/__functional/function.h:989:10
18    [#15](/bitcoin-bitcoin/15/) 0x55adc0034ce2 in LLVMFuzzerTestOneInput /workdir/bitcoin/build_fuzz/src/test/fuzz/util/./test/fuzz/fuzz.cpp:213:5
19    [#16](/bitcoin-bitcoin/16/) 0x55adbf409dc6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
20    [#17](/bitcoin-bitcoin/17/) 0x55adbf3f3662 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:328:6
21    [#18](/bitcoin-bitcoin/18/) 0x55adbf3f957f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:863:9
22    [#19](/bitcoin-bitcoin/19/) 0x55adbf4259a2 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
23    [#20](/bitcoin-bitcoin/20/) 0x7f6a6dd60d67  (/lib/x86_64-linux-gnu/libc.so.6+0x29d67) (BuildId: 3bc74dbb72522bb47e0d899e5615140b044a5b40)
24    [#21](/bitcoin-bitcoin/21/) 0x7f6a6dd60e24 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e24) (BuildId: 3bc74dbb72522bb47e0d899e5615140b044a5b40)
25    [#22](/bitcoin-bitcoin/22/) 0x55adbf3eb6b0 in _start (/workdir/out/libfuzzer_msan/fuzz+0xf226b0)
26
27  Uninitialized value was stored to memory at
28    [#0](/bitcoin-bitcoin/0/) 0x55adc01e6555 in CService::SetSockAddr(sockaddr const*) /workdir/bitcoin/build_fuzz/src/./netaddress.cpp:812:20
29    [#1](/bitcoin-bitcoin/1/) 0x55adc12ba012 in GetBindAddress(Sock const&) /workdir/bitcoin/build_fuzz/src/./net.cpp:382:19
30    [#2](/bitcoin-bitcoin/2/) 0x55adc12ddb12 in CConnman::AcceptConnection(CConnman::ListenSocket const&) /workdir/bitcoin/build_fuzz/src/./net.cpp:1722:51
31    [#3](/bitcoin-bitcoin/3/) 0x55adc12ed808 in CConnman::SocketHandlerListening(std::__1::unordered_map<std::__1::shared_ptr<Sock const>, Sock::Events, Sock::HashSharedPtrSock, Sock::EqualSharedPtrSock, std::__1::allocator<std::__1::pair<std::__1::shared_ptr<Sock const> const, Sock::Events>>> const&) /workdir/bitcoin/build_fuzz/src/./net.cpp:2160:13
32    [#4](/bitcoin-bitcoin/4/) 0x55adc12e9d48 in CConnman::SocketHandler() /workdir/bitcoin/build_fuzz/src/./net.cpp:2053:5
33    [#5](/bitcoin-bitcoin/5/) 0x55adbf82d129 in ConnmanTestMsg::SocketHandlerPublic() /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/util/net.h:85:9
34    [#6](/bitcoin-bitcoin/6/) 0x55adbf82d129 in connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_26::operator()() const /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/fuzz/connman.cpp:211:25
35    [#7](/bitcoin-bitcoin/7/) 0x55adbf82d129 in unsigned long CallOneOf<connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_19, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_20, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_21, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_22, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_23, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_24, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_25, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_26>(FuzzedDataProvider&, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_19, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_20, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_21, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_22, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_23, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_24, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_25, connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)::$_26) /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/fuzz/util.h:42:27
36    [#8](/bitcoin-bitcoin/8/) 0x55adbf82d129 in connman_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>) /workdir/bitcoin/build_fuzz/src/test/fuzz/./test/fuzz/connman.cpp:94:9
37    [#9](/bitcoin-bitcoin/9/) 0x55adbf5200a5 in decltype(std::declval<void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>)>()(std::declval<std::__1::span<unsigned char const, 18446744073709551615ul>>())) std::__1::__invoke[abi:de190104]<void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>>(void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__type_traits/invoke.h:149:25
38    [#10](/bitcoin-bitcoin/10/) 0x55adbf5200a5 in void std::__1::__invoke_void_return_wrapper<void, true>::__call[abi:de190104]<void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>>(void (*&)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__type_traits/invoke.h:224:5
39    [#11](/bitcoin-bitcoin/11/) 0x55adbf5200a5 in std::__1::__function::__alloc_func<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::allocator<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>)>, void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()[abi:de190104](std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__functional/function.h:171:12
40    [#12](/bitcoin-bitcoin/12/) 0x55adbf5200a5 in std::__1::__function::__func<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>), std::__1::allocator<void (*)(std::__1::span<unsigned char const, 18446744073709551615ul>)>, void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()(std::__1::span<unsigned char const, 18446744073709551615ul>&&) /libcxx_msan/include/c++/v1/__functional/function.h:313:10
41    [#13](/bitcoin-bitcoin/13/) 0x55adc0034ce2 in std::__1::__function::__value_func<void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()[abi:de190104](std::__1::span<unsigned char const, 18446744073709551615ul>&&) const /libcxx_msan/include/c++/v1/__functional/function.h:430:12
42    [#14](/bitcoin-bitcoin/14/) 0x55adc0034ce2 in std::__1::function<void (std::__1::span<unsigned char const, 18446744073709551615ul>)>::operator()(std::__1::span<unsigned char const, 18446744073709551615ul>) const /libcxx_msan/include/c++/v1/__functional/function.h:989:10
43    [#15](/bitcoin-bitcoin/15/) 0x55adc0034ce2 in LLVMFuzzerTestOneInput /workdir/bitcoin/build_fuzz/src/test/fuzz/util/./test/fuzz/fuzz.cpp:213:5
44    [#16](/bitcoin-bitcoin/16/) 0x55adbf409dc6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
45    [#17](/bitcoin-bitcoin/17/) 0x55adbf3f3662 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:328:6
46    [#18](/bitcoin-bitcoin/18/) 0x55adbf3f957f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:863:9
47    [#19](/bitcoin-bitcoin/19/) 0x55adbf4259a2 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
48    [#20](/bitcoin-bitcoin/20/) 0x7f6a6dd60d67  (/lib/x86_64-linux-gnu/libc.so.6+0x29d67) (BuildId: 3bc74dbb72522bb47e0d899e5615140b044a5b40)
49
50  Uninitialized value was created by an allocation of 'sockaddr_bind' in the stack frame
51    [#0](/bitcoin-bitcoin/0/) 0x55adc12b9e9e in GetBindAddress(Sock const&) /workdir/bitcoin/build_fuzz/src/./net.cpp:379:5
52
53SUMMARY: MemorySanitizer: use-of-uninitialized-value /workdir/bitcoin/build_fuzz/src/./netaddress.cpp:812:5 in CService::SetSockAddr(sockaddr const*)

    Probably caused by FuzzedSock::GetSockName using ConsumeData on an empty data provider (i.e. sockaddr* name won’t be initialized):

    https://github.com/bitcoin/bitcoin/blob/37e49c2c7ca5969124830d79b2cb31041c570755/src/test/fuzz/util/net.cpp#L342-L354

  64. fuzz: set the output argument of FuzzedSock::Accept() 
    `FuzzedSock::Accept()` properly returns a new socket, but it forgot to
set the output argument `addr`, like `accept(2)` is expected to.

This could lead to reading uninitialized data during testing when we
read it, e.g. from `CService::SetSockAddr()` which reads the `sa_family`
member.

Set `addr` to a fuzzed IPv4 or IPv6 address.
    6a8289b98f
  65. fuzz: add CConnman::OpenNetworkConnection() to the tests 
    Now that all network calls done by `CConnman::OpenNetworkConnection()`
are done via `Sock` they can be redirected (mocked) to `FuzzedSocket`
for testing.
    723a62b75e
  66. fuzz: add CConnman::CreateNodeFromAcceptedSocket() to the tests f1d14fd671
  67. fuzz: add CConnman::InitBinds() to the tests f07bb8a929
  68. fuzz: add CConnman::SocketHandler() to the tests 4deb5e2121
  69. fuzz: make it possible to mock (fuzz) CThreadInterrupt 
    * Make the methods of `CThreadInterrupt` virtual and store a pointer to
  it in `CConnman`, thus making it possible to override with a mocked
  instance.
* Initialize `CConnman::m_interrupt_net` from the constructor, making it
  possible for callers to supply mocked version.
* Introduce `FuzzedThreadInterrupt` and `ConsumeThreadInterrupt()` and
  use them in `src/test/fuzz/connman.cpp` and `src/test/fuzz/i2p.cpp`.

This improves the CPU utilization of the `connman` fuzz test.

As a nice side effect, the `std::shared_ptr` used for
`CConnman::m_interrupt_net` resolves the possible lifetime issues with
it (see the removed comment for that variable).
    33d6a80c92
  70. fuzz: change FuzzedSock::GetSockName() to always fully set the output 
    It would be somewhat broken OS if `getsockname()` returns `0` (success)
and returns `sa_family` as `AF_INET` and only sets e.g. 2 bytes in the
output.
    72ff6d2b50
  71. vasild force-pushed on Dec 10, 2024
  72. vasild commented at 12:03 pm on December 10, 2024: contributor

    33ffe74302...72ff6d2b50:

    Please rebase on #31235

    Done. Rebasing fixed connman2.crash for me.

    I can’t reproduce connman3.crash (!?) but anyway I can see the problem with FuzzedSock::GetSockName() initializing too little of the output, so I changed it to fully set the entire output, always.

  73. dergoegge commented at 12:09 pm on December 10, 2024: member

    I can’t reproduce connman3.crash

    You’ll need memory sanitizer instrumentation for that one, which unfortunately requires all dependencies (including libc++) to be instrumented as well, so it’s a pain to setup. I’ll re-test the fix for you!

  74. maflcko commented at 12:28 pm on December 10, 2024: member
    Shouldn’t valgrind be able to detect UB memory issues, unless they were optimized out?


vasild DrahtBot dergoegge brunoerg jonatack maflcko


dergoegge brunoerg

Labels
Tests

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-22 03:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me