fuzz: crypto_fschacha20poly1305 timeout #30505

issue maflcko opened this issue on July 23, 2024
  1. maflcko commented at 10:34 am on July 23, 2024: member

    Found by oss-fuzz

    clusterfuzz-testcase-crypto_fschacha20poly1305-6583678709334016.txt

    FUZZ=crypto_fschacha20poly1305 perf record -g --call-graph dwarf  ./src/test/fuzz/fuzz  ./clusterfuzz-testcase-crypto_fschacha20poly1305-6583678709334016
    ...
    hotspot ./perf.data
    

    Screenshot from 2024-07-23 12-34-02

  2. maflcko commented at 10:35 am on July 23, 2024: member
    My recommendation would be to reduce the number of iterations from 10'000 to something that still covers all edge cases.
  3. maflcko added the label Tests on Jul 23, 2024
  4. brunoerg commented at 7:05 pm on August 7, 2024: contributor
    What is the timeout value in OSS-Fuzz?
  5. brunoerg commented at 8:10 pm on August 7, 2024: contributor

    Found the timeout really fast by running:

     0diff --git a/src/test/fuzz/crypto_chacha20poly1305.cpp b/src/test/fuzz/crypto_chacha20poly1305.cpp
     1index 2b39a06094..e2e6df6c77 100644
     2--- a/src/test/fuzz/crypto_chacha20poly1305.cpp
     3+++ b/src/test/fuzz/crypto_chacha20poly1305.cpp
     4@@ -130,7 +130,7 @@ FUZZ_TARGET(crypto_fschacha20poly1305)
     5     // data).
     6     InsecureRandomContext rng(provider.ConsumeIntegral<uint64_t>());
     7 
     8-    LIMITED_WHILE(provider.ConsumeBool(), 10000)
     9+    LIMITED_WHILE(true, 10000)
    10     {
    11         // Mode:
    12         // - Bit 0: whether to use single-plain Encrypt/Decrypt; otherwise use a split at prefix.
    
    ➜  bitcoin-core-dev git:(master)FUZZ=crypto_fschacha20poly1305 ./src/test/fuzz/fuzz -max_total_time=300 -print_final_stats=1 -timeout=5 
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 932334287
    INFO: Loaded 1 modules   (1225171 inline 8-bit counters): 1225171 [0x105b55a70, 0x105c80c43), 
    INFO: Loaded 1 PC tables (1225171 PCs): 1225171 [0x105c80c48,0x106f32978), 
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    #2      INITED cov: 373 ft: 373 corp: 1/1b exec/s: 2 rss: 75Mb
    #3      NEW    cov: 373 ft: 621 corp: 2/2b lim: 4 exec/s: 0 rss: 76Mb L: 1/1 MS: 1 ChangeByte-
    #4      pulse  cov: 373 ft: 848 corp: 2/2b lim: 4 exec/s: 0 rss: 77Mb
    #4      NEW    cov: 373 ft: 848 corp: 3/3b lim: 4 exec/s: 0 rss: 77Mb L: 1/1 MS: 1 ChangeByte-
    #8      pulse  cov: 373 ft: 908 corp: 3/3b lim: 4 exec/s: 0 rss: 81Mb
    #8      NEW    cov: 375 ft: 908 corp: 4/5b lim: 4 exec/s: 0 rss: 81Mb L: 2/2 MS: 4 ShuffleBytes-ShuffleBytes-ShuffleBytes-InsertByte-
    #9      NEW    cov: 375 ft: 911 corp: 5/7b lim: 4 exec/s: 0 rss: 82Mb L: 2/2 MS: 1 CrossOver-
    #12     NEW    cov: 375 ft: 916 corp: 6/9b lim: 4 exec/s: 0 rss: 85Mb L: 2/2 MS: 3 ChangeByte-ChangeBit-CrossOver-
            NEW_FUNC[1/1]: 0x1029ad75c in std::__1::vector<std::byte, std::__1::allocator<std::byte>>::shrink_to_fit() vector:1431
    #13     NEW    cov: 390 ft: 934 corp: 7/12b lim: 4 exec/s: 0 rss: 86Mb L: 3/3 MS: 1 CrossOver-
    #15     NEW    cov: 390 ft: 939 corp: 8/15b lim: 4 exec/s: 0 rss: 89Mb L: 3/3 MS: 2 InsertByte-ChangeBit-
    #16     pulse  cov: 390 ft: 949 corp: 8/15b lim: 4 exec/s: 0 rss: 90Mb
    #16     NEW    cov: 392 ft: 949 corp: 9/19b lim: 4 exec/s: 0 rss: 90Mb L: 4/4 MS: 1 CopyPart-
    #17     NEW    cov: 392 ft: 950 corp: 10/21b lim: 4 exec/s: 0 rss: 91Mb L: 2/4 MS: 1 InsertByte-
    ALARM: working on the last Unit for 5 seconds
           and the timeout value is 5 (use -timeout=N to change)
    MS: 2 ShuffleBytes-InsertByte-; base unit: fe0cbc86d858d84b2bfd33eb7a8c2987231df1a6
    0xa,0xb9,0xa,0x7a,
    \012\271\012z
    artifact_prefix='./'; Test unit written to ./timeout-b0b9b4efc0088bf1964f6b868a74323f58e4a853
    Base64: CrkKeg==
    ==87101== ERROR: libFuzzer: timeout after 5 seconds
        #0 0x10868ce84 in __sanitizer_print_stack_trace+0x28 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x5ce84)
        #1 0x104f4fc9c in fuzzer::PrintStackTrace() FuzzerUtil.cpp:210
        #2 0x104f35c98 in fuzzer::Fuzzer::AlarmCallback() FuzzerLoop.cpp:304
        #3 0x1870d9a20 in _sigtramp+0x34 (libsystem_platform.dylib:arm64+0x3a20)
        #4 0xe02d000104d0fbf4  (<unknown module>)
        #5 0x104d0ae8c in (anonymous namespace)::ComputeTag(ChaCha20&, Span<std::byte const>, Span<std::byte const>, Span<std::byte>) chacha20poly1305.cpp:64
        #6 0x104d0b140 in AEADChaCha20Poly1305::Decrypt(Span<std::byte const>, Span<std::byte const>, std::__1::pair<unsigned int, unsigned long long>, Span<std::byte>, Span<std::byte>) chacha20poly1305.cpp:90
        #7 0x104d0ba7c in FSChaCha20Poly1305::Decrypt(Span<std::byte const>, Span<std::byte const>, Span<std::byte>, Span<std::byte>) chacha20poly1305.cpp:132
        #8 0x102c30b4c in crypto_fschacha20poly1305_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>) crypto_chacha20poly1305.cpp:170
        #9 0x103252214 in LLVMFuzzerTestOneInput fuzz.cpp:209
        #10 0x104f37140 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:614
        #11 0x104f36a44 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) FuzzerLoop.cpp:516
        #12 0x104f37e94 in fuzzer::Fuzzer::MutateAndTestOne() FuzzerLoop.cpp:760
        #13 0x104f38bf4 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>&) FuzzerLoop.cpp:905
        #14 0x104f29228 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:914
        #15 0x104f50584 in main FuzzerMain.cpp:20
        #16 0x186d290dc  (<unknown module>)
        #17 0xe537fffffffffffc  (<unknown module>)
    
    SUMMARY: libFuzzer: timeout
    stat::number_of_executed_units: 19
    stat::average_exec_per_sec:     0
    stat::new_units_added:          9
    stat::slowest_unit_time_sec:    0
    stat::peak_rss_mb:              93
    
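    Added example (not Bitcoin Core's code): a stand-alone C++ stand-in for the harness loop, illustrating both maflcko's recommendation above to lower the iteration cap and brunoerg's diagnostic patch that forces the loop to run to the cap. The `LIMITED_WHILE` macro is written here to match the shape of the one Bitcoin Core's fuzz targets use (an assumption about `src/test/fuzz/util.h`), `ByteProvider` is a constructed replacement for `FuzzedDataProvider` with only the `ConsumeBool()` behaviour the loop needs (one byte taken from the end of the input, low bit returned, false once exhausted), and the 5-second budget used below is the local `-timeout=5` from the run above, not the OSS-Fuzz value, which the thread does not state.

    ```cpp
    #include <cstddef>
    #include <cstdint>
    #include <iostream>
    #include <utility>
    #include <vector>

    // Same shape as the LIMITED_WHILE macro used by the Bitcoin Core fuzz targets
    // (assumed to match src/test/fuzz/util.h): the body runs while `condition`
    // holds, but never more than `limit` times, whatever the input looks like.
    #define LIMITED_WHILE(condition, limit) \
        for (unsigned _count{limit}; (condition) && _count; --_count)

    // Constructed stand-in for FuzzedDataProvider (hypothetical, not the LLVM
    // class): ConsumeBool() takes one byte from the end of the input and returns
    // its low bit, and yields false once the input is exhausted.
    class ByteProvider
    {
        std::vector<uint8_t> m_data;

    public:
        explicit ByteProvider(std::vector<uint8_t> data) : m_data(std::move(data)) {}

        bool ConsumeBool()
        {
            if (m_data.empty()) return false;
            const uint8_t b = m_data.back();
            m_data.pop_back();
            return (b & 1) != 0;
        }
    };

    // Number of loop rounds a given input drives. With force_true=false this is the
    // original harness condition (the fuzzer decides when to stop, capped by `limit`);
    // with force_true=true it is the diagnostic patch from the thread, which runs
    // to the cap for every input regardless of its bytes.
    unsigned CountRounds(const std::vector<uint8_t>& input, unsigned limit, bool force_true)
    {
        ByteProvider provider(input);
        unsigned rounds{0};
        if (force_true) {
            LIMITED_WHILE(true, limit) { ++rounds; }
        } else {
            LIMITED_WHILE(provider.ConsumeBool(), limit) { ++rounds; }
        }
        return rounds;
    }

    // Wall-clock budget each round may spend before the fuzzer's per-input timeout
    // fires, in milliseconds. Lowering `limit` is what widens this budget.
    double PerRoundBudgetMs(double timeout_seconds, unsigned limit)
    {
        return timeout_seconds * 1000.0 / static_cast<double>(limit);
    }

    int main()
    {
        const std::vector<uint8_t> short_input{0x01, 0x01, 0x01}; // constructed input
        const std::vector<uint8_t> long_input(20000, 0x01);       // constructed input

        std::cout << "3-byte input, original condition: "
                  << CountRounds(short_input, 10000, false) << " rounds\n";
        std::cout << "20000-byte input, original condition: "
                  << CountRounds(long_input, 10000, false) << " rounds (capped)\n";
        std::cout << "empty input, forced condition: "
                  << CountRounds({}, 10000, true) << " rounds\n";
        std::cout << "per-round budget at -timeout=5 with cap 10000: "
                  << PerRoundBudgetMs(5.0, 10000) << " ms\n";
        std::cout << "per-round budget at -timeout=5 with cap 1000:  "
                  << PerRoundBudgetMs(5.0, 1000) << " ms\n";
        return 0;
    }
    ```

    The point the numbers make: under the original condition a three-byte seed runs three rounds, so a fresh corpus rarely hits the cap and the timeout only shows up once the fuzzer grows inputs; under the forced condition even an empty input runs all 10000 rounds, which is why the patched harness reproduces the timeout within seconds. Either way the cap fixes the per-round budget (0.5 ms at `-timeout=5` with 10000 rounds), and an AEAD round over a few KiB of data cannot be guaranteed to fit in that, so lowering the cap is the lever that keeps the worst case inside the timeout.
    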
  6. maflcko commented at 9:03 pm on August 7, 2024: member

    > Found the timeout really fast by running:

    The fuzz input should also be in the attachment in the pull request description, which also allows one to reproduce it.

  7. fanquake closed this on Aug 28, 2024

  8. fanquake referenced this in commit 128ade02e4 on Aug 28, 2024



Labels
Tests


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-08 01:12 UTC
