fuzz: Abort when global PRNG is used before SeedRand::ZEROS #31548

pull maflcko wants to merge 1 commits into bitcoin:master from maflcko:2412-fuzz-abort-g-rng changing 3 files +10 −6
  1. maflcko commented at 3:30 pm on December 20, 2024: member

    This adds one more check to abort when global PRNG is used before SeedRand::ZEROS in fuzz tests. This is achieved by carving out the two remaining uses. First, g_rng_temp_path_init, and second the random fallback for RANDOM_CTX_SEED, which isn’t used in fuzz tests anyway.

    Requested in #31521 (comment)

    Can be tested by reverting fadd568931a2d21e0f80e1efaf2281f5164fa20e and observing an abort when running the utxo_total_supply fuzz target.

  2. DrahtBot commented at 3:30 pm on December 20, 2024: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/31548.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK marcofleon, hodlinator

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  3. DrahtBot added the label Tests on Dec 20, 2024
  4. in src/test/fuzz/fuzz.cpp:111 in fa7267022e outdated 
    107@@ -108,12 +108,12 @@ void ResetCoverageCounters() {}
108 #endif
109 
110 
111-void initialize()
112+inline void initialize()
    hodlinator commented at 9:16 am on January 8, 2025:
    Just curious - why inline rather than static?
    maflcko commented at 10:45 am on January 8, 2025:
    I think anything is fine that documents that this function is local to this module.
    maflcko commented at 3:03 pm on January 8, 2025:
    Actually, static seems a better fit. Thx, fixed.
  5. hodlinator approved
  6. hodlinator commented at 9:34 am on January 8, 2025: contributor

    ACK fa7267022e8992f3db8eb7c8e81563c29294c19b

    Good that you also replaced the defunct comment in fuzz.cpp with a useful one.

    Could extend this to also catch too early uses of randomness when they occur in GetRandBytes, but g_rng_temp_path_init makes that a bit cumbersome.

    Tested

    Removing g_used_g_prng = false in g_rng_temp_path_init - triggered expected assert.

    Reverted fadd568931a2d21e0f80e1efaf2281f5164fa20e as suggested - again triggering expected assert.

  7. maflcko commented at 10:47 am on January 8, 2025: member

    Could extend this to also catch too early uses of randomness when they occur in GetRandBytes, but g_rng_temp_path_init makes that a bit cumbersome.

    That is what this pull is trying to do. Did I miss something?

  8. hodlinator commented at 10:53 am on January 8, 2025: contributor

    That is what this pull is trying to do. Did I miss something?

    Was thinking something like:

    0void GetRandBytes(Span<unsigned char> bytes) noexcept
1{
2    g_used_g_prng = true;
3+   if constexpr (G_FUZZING) {
4+       Assert(g_seeded_g_prng_zero); // Need to seed randomness first
5+   }
6    ProcRand(bytes.data(), bytes.size(), RNGLevel::FAST, /*always_use_real_rng=*/false);
7}

    So one gets that assert as quickly as possible. But as I said, g_rng_temp_path_init would make that check a bit more complicated.

  9. maflcko commented at 11:00 am on January 8, 2025: member
    I think as long as the assert hits at any time, it should be good enough and more than sufficient for now, as long as random use isn’t missed fully. Debugging should be trivial in any case for a developer, I’d presume.
  10. maflcko force-pushed on Jan 8, 2025
  11. fuzz: Abort when global PRNG is used before SeedRand::ZEROS fa3c787b62
  12. maflcko force-pushed on Jan 8, 2025
  13. DrahtBot added the label CI failed on Jan 8, 2025
  14. DrahtBot removed the label CI failed on Jan 8, 2025
  15. maflcko requested review from marcofleon on Jan 13, 2025
  16. marcofleon commented at 12:20 pm on January 14, 2025: contributor

    ACK fa3c787b62af6abaac35a8f0d785becdb8871cc0

    iiuc this PR adds a check to make sure that no randomness is used before SeedRandomStateForTest(SeedRand::ZEROS) occurs (except in a couple special cases such as g_rng_temp_path_init), vs what check_globals does which is just checking if seeding happened at any point in the fuzz test.

    Tested by moving SeedRandomStateForTest(SeedRand::ZEROS) to after test setup in utxo_total_supply and saw the assertion failure.

    0/src/test/util/random.cpp:45 SeedRandomStateForTest: Assertion `!g_used_g_prng' failed.
  17. DrahtBot requested review from hodlinator on Jan 14, 2025
  18. hodlinator approved
  19. hodlinator commented at 3:15 pm on January 14, 2025: contributor

    re-ACK fa3c787b62af6abaac35a8f0d785becdb8871cc0

    Switched 2 inline functions to static which more clearly communicates the purpose being translation-unit-locality.


maflcko DrahtBot hodlinator marcofleon

Labels
Tests

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-01-21 06:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me