Newer libevent causes http_request fuzz target failure #30096

1. 
   hebasto commented at 3:37 pm on May 13, 2024: member

   When building with MSVC, the libevent dependency package is provided by the vcpkg package manager.

   The #27335 pinned the libevent version to 2.1.12#7 to avoid issues with the changed signature of the evhttp_connection_get_peer function.

   Then, #29774 introduced the fuzz.exe binary.

   It turned out that the newer libevent version 2.1.12+20230128 leads to failures in the http_request fuzz target.

   To accommodate the newer libevent version, the following diff can be applied:

    0--- a/build_msvc/common.init.vcxproj.in
    1+++ b/build_msvc/common.init.vcxproj.in
    2@@ -90,12 +90,12 @@
    3       <AdditionalOptions>/utf-8 /Zc:preprocessor /Zc:__cplusplus /std:c++20 %(AdditionalOptions)</AdditionalOptions>
    4       <DisableSpecificWarnings>4018;4244;4267;4715;4805</DisableSpecificWarnings>
    5       <TreatWarningAsError>true</TreatWarningAsError>
    6-      <PreprocessorDefinitions>_SILENCE_CXX17_CODECVT_HEADER_DEPRECATION_WARNING;SECP256K1_STATIC;ZMQ_STATIC;NOMINMAX;WIN32;_CRT_SECURE_NO_WARNINGS;_CONSOLE;_WIN32_WINNT=0x0601;_WIN32_IE=0x0501;WIN32_LEAN_AND_MEAN;PROVIDE_FUZZ_MAIN_FUNCTION;%(PreprocessorDefinitions)</PreprocessorDefinitions>
    7+      <PreprocessorDefinitions>HAVE_EVHTTP_CONNECTION_GET_PEER_CONST_CHAR;_SILENCE_CXX17_CODECVT_HEADER_DEPRECATION_WARNING;SECP256K1_STATIC;ZMQ_STATIC;NOMINMAX;WIN32;_CRT_SECURE_NO_WARNINGS;_CONSOLE;_WIN32_WINNT=0x0601;_WIN32_IE=0x0501;WIN32_LEAN_AND_MEAN;PROVIDE_FUZZ_MAIN_FUNCTION;%(PreprocessorDefinitions)</PreprocessorDefinitions>
    8       <AdditionalIncludeDirectories>..\..\src;..\..\src\minisketch\include;..\..\src\univalue\include;..\..\src\secp256k1\include;..\..\src\leveldb\include;..\..\src\leveldb\helpers\memenv;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
    9     </ClCompile>
   10     <Link>
   11       <SubSystem>Console</SubSystem>
   12-      <AdditionalDependencies>Iphlpapi.lib;ws2_32.lib;Shlwapi.lib;kernel32.lib;user32.lib;gdi32.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
   13+      <AdditionalDependencies>bcrypt.lib;Iphlpapi.lib;ws2_32.lib;Shlwapi.lib;kernel32.lib;user32.lib;gdi32.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
   14       <RandomizedBaseAddress>true</RandomizedBaseAddress>
   15     </Link>
   16   </ItemDefinitionGroup>
   17--- a/build_msvc/vcpkg.json
   18+++ b/build_msvc/vcpkg.json
   19@@ -15,7 +15,7 @@
   20   "overrides": [
   21     {
   22       "name": "libevent",
   23-      "version": "2.1.12#7"
   24+      "version": "2.1.12+20230128"
   25     }
   26   ]
   27 }
   

   Here is an example of a CI log demonstrating the issue: https://github.com/hebasto/bitcoin/actions/runs/9064987376/job/24904490588:

   0Run http_request with args ['D:\\a\\bitcoin\\bitcoin\\src\\fuzz.exe', WindowsPath('D:/a/_temp/qa-assets/fuzz_seed_corpus/http_request')]
   1Target ['D:\\a\\bitcoin\\bitcoin\\src\\fuzz.exe', WindowsPath('D:/a/_temp/qa-assets/fuzz_seed_corpus/http_request')] failed with exit code 3221225477
   

2. hebasto referenced this in commit 49d4c30144 on May 13, 2024
3. 
   fanquake commented at 2:16 am on May 14, 2024: member

   Is there something for this repo to do here? If that patch should be applied, then this should be a PR? If not, I guess close this?
4. 
   hebasto commented at 9:46 am on May 14, 2024: member

   Is there something for this repo to do here? If that patch should be applied, then this should be a PR? If not, I guess close this?

   I’m in the middle of the investigation.

5. 
   hebasto commented at 11:29 am on May 14, 2024: member

   Is there something for this repo to do here? If that patch should be applied, then this should be a PR? If not, I guess close this?

   I’m in the middle of the investigation.

   The crash is reproducible on Linux as well.

6. hebasto renamed this:
   windows: Newer libevent causes `http_request` fuzz target failure
   Newer libevent causes `http_request` fuzz target failure
   on May 14, 2024
7. hebasto added the label Upstream on May 14, 2024
8. 
   fanquake commented at 11:34 am on May 14, 2024: member

   The crash is reproducible on Linux as well.

   Can you post steps to reproduce. What version of libevent.

9. 
   hebasto commented at 11:55 am on May 14, 2024: member

   The crash is reproducible on Linux as well.

   Can you post steps to reproduce.

   Compiling with depends in this branch. Then:

   0FUZZ=http_request ./src/test/fuzz/fuzz /home/hebasto/git/bitcoin/qa-assets/fuzz_seed_corpus/http_request
   

   What version of libevent.

   https://github.com/libevent/libevent/commit/4d85d28acdbb83bb60e500e9345bab757b64d6d1

10. 
    fanquake commented at 11:58 am on May 14, 2024: member

    Ok, then I think this can be closed. The problem here primarily seems to be that Microsoft/vcpkg is shipping unreleased code into production.
11. 
    maflcko commented at 12:01 pm on May 14, 2024: member

    (I deleted my comment, because the fuzz CI config does not use depends, but the libevent-dev from Ubuntu)
12. 
    fanquake commented at 12:04 pm on May 14, 2024: member

    Ok. Edited my comment as well. This can still be closed. Maybe an issue can be filed with vcpkg to only ship stable code in production.
13. 
    hebasto commented at 12:37 pm on May 14, 2024: member

    Ok, then I think this can be closed. The problem here primarily seems to be that Microsoft/vcpkg is shipping unreleased code into production.

    I agree. I opened this issue to document https://github.com/hebasto/bitcoin/pull/199.

    Closing.

14. hebasto closed this on May 14, 2024

    ---

Contributors
hebasto fanquake maflcko

Labels
Upstream