fuzz: Apply HasTooManySubFrag (et al) to miniscript

maflcko commented at 10:47 am on July 22, 2024: member

Should the check be applied to miniscript_string, for example the miniscript_string/ae395bdc087e233d7f8e1844d4814b2c00cc9d21 input, as well?

Originally posted by @maflcko in #30197 (comment)

Seems useful to at least apply to that fuzz target as well. In theory it could be applied to parse_univalue as well (reverting commit a1b8a917b176ee36961203ccee96457d85102e60).

maflcko added the label Tests on Jul 22, 2024

darosior commented at 4:18 pm on July 27, 2024: member

I said it makes sense, but giving this a closer look i don’t think it’s needed. And it’s the reason why it wasn’t hit by this target before. HasDeepDerivPath does not apply as we do not parse derivation paths in this target. HasTooManySubFrag is not needed as this target does not call any function which involves quadratic algorithms over the number of sub fragments. Similarly, HasTooManyWrappers isn’t needed because we do not call ToScript() on the parsed miniscript.

maflcko commented at 7:37 am on July 29, 2024: member

Ok, then maybe another limit could be appropriate, because I am not sure if a 120KB string is a real-world use case. (No objection to fuzzing it, but is seems to be taking a long time, which will hurt fuzzing of other inputs in the same target).

0───────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1       │ File: ./miniscript_string/ae395bdc087e233d7f8e1844d4814b2c00cc9d21
2───────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────
3   1   │ v:and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(and_b(a
4       │ nd_b(and_b(older(7403566),a:0),a:0),t:or_d(u:thresh(3,u:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:
5       │ 1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1
6       │ ,au:1,au:1,au:1,auau:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:1,au:
7       │ 1,au:1,au:1,au:1,aullllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

https://cirrus-ci.com/task/6370113769701376?logs=ci#L4545:

 0Run miniscript_string with args ['/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz', '-runs=1', PosixPath('/ci_container_base/ci/scratch/qa-assets/fuzz_seed_corpus/miniscript_string')]INFO: Running with entropic power schedule (0xFF, 100).
 1INFO: Seed: 1619189122
 2INFO: Loaded 1 modules   (616236 inline 8-bit counters): 616236 [0x56001e233918, 0x56001e2ca044), 
 3INFO: Loaded 1 PC tables (616236 PCs): 616236 [0x56001e2ca048,0x56001ec31308), 
 4INFO:     1234 files found in /ci_container_base/ci/scratch/qa-assets/fuzz_seed_corpus/miniscript_string
 5INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 262199 bytes
 6INFO: seed corpus: files: 1234 min: 1b max: 262199b total: 3963484b rss: 112Mb
 7[#1024](/bitcoin-bitcoin/1024/)	pulse  cov: 3454 ft: 24651 corp: 751/204Kb exec/s: 256 rss: 292Mb
 8Slowest unit: 19 s:
 9artifact_prefix='./'; Test unit written to ./slow-unit-ae395bdc087e233d7f8e1844d4814b2c00cc9d21
10[#1235](/bitcoin-bitcoin/1235/)	INITED cov: 3454 ft: 25292 corp: 832/851Kb exec/s: 13 rss: 942Mb
11[#1235](/bitcoin-bitcoin/1235/)	DONE   cov: 3454 ft: 25292 corp: 832/851Kb lim: 130419 exec/s: 13 rss: 942Mb
12Done 1235 runs in 92 second(s)

0$ FUZZ=miniscript_string perf record -g --call-graph dwarf  ./src/test/fuzz/fuzz ./miniscript_string/ae395bdc087e233d7f8e1844d4814b2c00cc9d21 
1$ hotspot ./perf.data

Screenshot from 2024-07-29 09-36-00

fuzz: Apply HasTooManySubFrag (et al) to miniscript_string (et al) #30498