fuzz: extract unsequenced operations with side-effects #32141

pull l0rinc wants to merge 1 commits into bitcoin:master from l0rinc:l0rinc/psbt-fuzz-fix changing 1 files +2 −1
  1. l0rinc commented at 8:35 pm on March 25, 2025: contributor

    #30746 (review) introduced unsequenced operations with side-effects - which is undefined behavior, i.e. the right hand side can be evaluated before the left hand side, which happens to mutate it.

    ```
    clang++ --analyze -std=c++20 -I./src -I./src/test -I./src/test/fuzz src/test/fuzz/base_encode_decode.cpp src/psbt.cpp
    ```

    but it didn’t warn about UB.

    Grepped for similar ones, but couldn't find any other one in the codebase:

    ```
    > grep -rnE --include='*.cpp' --include='*.h' '\b(\w+)\(([^)]*\b(\w+)\b[^)]*)\)\s*==\s*\3\.' .

    ./src/test/arith_uint256_tests.cpp:373:    BOOST_CHECK(R1L.GetHex() == R1L.ToString());
    ./src/test/arith_uint256_tests.cpp:374:    BOOST_CHECK(R2L.GetHex() == R2L.ToString());
    ./src/test/arith_uint256_tests.cpp:375:    BOOST_CHECK(OneL.GetHex() == OneL.ToString());
    ./src/test/arith_uint256_tests.cpp:376:    BOOST_CHECK(MaxL.GetHex() == MaxL.ToString());
    ./src/test/fuzz/cluster_linearize.cpp:565:        assert(depgraph.FeeRate(best_anc.transactions) == best_anc.feerate);
    ./src/test/fuzz/cluster_linearize.cpp:646:        assert(depgraph.FeeRate(found.transactions) == found.feerate);
    ./src/test/fuzz/cluster_linearize.cpp:765:            assert(depgraph.FeeRate(chunk_info.transactions) == chunk_info.feerate);
    ./src/test/fuzz/base_encode_decode.cpp:95:    assert(DecodeBase64PSBT(psbt, random_string, error) == error.empty());
    ./src/test/fuzz/key.cpp:102:        assert(pubkey.data() == pubkey.begin());
    ./src/test/skiplist_tests.cpp:42:        BOOST_CHECK(vIndex[from].GetAncestor(0) == vIndex.data());
    ./src/script/signingprovider.cpp:535:                   ComputeTapbranchHash(node.sub[1]->hash, node.sub[1]->hash) == node.hash) {
    ./src/pubkey.h:78:      return vch.size() > 0 && GetLen(vch[0]) == vch.size();
    ./src/cluster_linearize.h:881:            Assume(elem.inc.feerate.IsEmpty() == elem.pot_feerate.IsEmpty());
    ```

    Hodlinator deduced the UB on Windows in #32135 (comment)

    Fixes #32135
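
The pattern described above, as an added C++ example that is not code from the pull request: `DecodeToy` is a hypothetical stand-in for a decoder with an error out-parameter, and the `Invariant*` helpers are illustrative names. Because the order in which the two operands of `==` are evaluated is unspecified, the example simulates right-operand-first evaluation explicitly and compares it with the extracted form.

```cpp
#include <cassert>
#include <string>

// Hypothetical decoder (assumption, not Bitcoin Core code): returns true on
// success, otherwise writes a message into the `error` out-parameter.
bool DecodeToy(const std::string& input, std::string& error)
{
    if (input.rfind("psbt", 0) != 0) { // constructed "magic" prefix check
        error = "invalid magic";
        return false;
    }
    return true;
}

// Fragile form: the compiler may evaluate either operand of == first, so
// error.empty() may be read before or after DecodeToy mutates `error`.
bool InvariantUnsequenced(const std::string& input)
{
    std::string error;
    return DecodeToy(input, error) == error.empty();
}

// What the fragile form computes when the right operand is evaluated first:
// `error` is still empty when it is inspected.
bool InvariantRhsFirst(const std::string& input)
{
    std::string error;
    const bool rhs{error.empty()};
    const bool lhs{DecodeToy(input, error)};
    return lhs == rhs;
}

// Extracted form: the call is its own full expression, so its side effect
// on `error` is complete before error.empty() is evaluated.
bool InvariantSequenced(const std::string& input)
{
    std::string error;
    const bool ok{DecodeToy(input, error)};
    return ok == error.empty();
}

int main()
{
    // Valid input: every order agrees, which is why the issue can stay hidden.
    assert(InvariantUnsequenced("psbt-data"));
    assert(InvariantRhsFirst("psbt-data"));
    assert(InvariantSequenced("psbt-data"));

    // Invalid input: right-operand-first compares false == true and the
    // invariant appears broken although the decoder behaved correctly.
    assert(!InvariantRhsFirst("garbage"));
    assert(InvariantSequenced("garbage"));
    return 0;
}
```

The result of `InvariantUnsequenced("garbage")` is deliberately not asserted, since it depends on the operand order the compiler picks.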

  2. fuzz: extract unsequenced operations with side-effects
    https://github.com/bitcoin/bitcoin/pull/30746#discussion_r1817851827 introduced an unsequenced operations with side-effects - which is undefined behavior, i.e. the right hand side can be evaluated before the left hand side, which happens to mutate it.
    
    Tried:
    ```
    clang++ --analyze -std=c++20 -I./src -I./src/test -I./src/test/fuzz src/test/fuzz/base_encode_decode.cpp src/psbt.cpp
    ```
    but it didn't warn about UB.
    
    Grepped for similar ones, but could find any other one in the codebase:
    > grep -rnE --include='*.cpp' --include='*.h' '\b(\w+)\(([^)]*\b(\w+)\b[^)]*)\)\s*==\s*\3\.' .
    ```
    ./src/test/arith_uint256_tests.cpp:373:    BOOST_CHECK(R1L.GetHex() == R1L.ToString());
    ./src/test/arith_uint256_tests.cpp:374:    BOOST_CHECK(R2L.GetHex() == R2L.ToString());
    ./src/test/arith_uint256_tests.cpp:375:    BOOST_CHECK(OneL.GetHex() == OneL.ToString());
    ./src/test/arith_uint256_tests.cpp:376:    BOOST_CHECK(MaxL.GetHex() == MaxL.ToString());
    ./src/test/fuzz/cluster_linearize.cpp:565:        assert(depgraph.FeeRate(best_anc.transactions) == best_anc.feerate);
    ./src/test/fuzz/cluster_linearize.cpp:646:        assert(depgraph.FeeRate(found.transactions) == found.feerate);
    ./src/test/fuzz/cluster_linearize.cpp:765:            assert(depgraph.FeeRate(chunk_info.transactions) == chunk_info.feerate);
    ./src/test/fuzz/base_encode_decode.cpp:95:    assert(DecodeBase64PSBT(psbt, random_string, error) == error.empty());
    ./src/test/fuzz/key.cpp:102:        assert(pubkey.data() == pubkey.begin());
    ./src/test/skiplist_tests.cpp:42:        BOOST_CHECK(vIndex[from].GetAncestor(0) == vIndex.data());
    ./src/script/signingprovider.cpp:535:                   ComputeTapbranchHash(node.sub[1]->hash, node.sub[1]->hash) == node.hash) {
    ./src/pubkey.h:78:      return vch.size() > 0 && GetLen(vch[0]) == vch.size();
    ./src/cluster_linearize.h:881:            Assume(elem.inc.feerate.IsEmpty() == elem.pot_feerate.IsEmpty());
    ```
    
    Hodlinator deduced the UB on Windows in https://github.com/bitcoin/bitcoin/issues/32135#issuecomment-2751723855
    
    Co-authored-by: Hodlinator <172445034+hodlinator@users.noreply.github.com>
    b1de59e896
  3. DrahtBot commented at 8:35 pm on March 25, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32141.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK hodlinator, marcofleon, brunoerg, maflcko

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  4. DrahtBot added the label Tests on Mar 25, 2025
  5. maflcko commented at 8:45 pm on March 25, 2025: member

    > I’ve also added an optional PSBT_MAGIC_BYTES prefix, otherwise the fuzzer couldn’t even crack this condition https://github.com/bitcoin/bitcoin/blob/master/src/psbt.h#L1043 in time. After this change the fuzzer is finally stressing the PartiallySignedTransaction deserialization.

    If a fuzz engine can’t crack a 5-byte constant byte literal, then something must be wrong.

    According to https://drahtbot.space/host_reports/DrahtBot/reports/coverage_fuzz/monotree/dfb7d58108daf372/c62dc520e0c7caee/fuzz.coverage/src/psbt.h.gcov.html it is already covered.

    What are the exact steps to reproduce that you took to confirm it isn’t covered and unreachable?

  6. l0rinc force-pushed on Mar 25, 2025
  7. l0rinc commented at 9:33 pm on March 25, 2025: contributor

    > What are the exact steps to reproduce that you took to confirm it isn’t covered and unreachable?

    Not unreachable, just “couldn’t even crack this condition […] in time.”

    ```cpp
    // PartiallySignedTransaction
        inline void Unserialize(Stream& s) {
            // Read the magic bytes
            uint8_t magic[5];
            s >> magic;
            if (!std::equal(magic, magic + 5, PSBT_MAGIC_BYTES)) {
                throw std::ios_base::failure("Invalid PSBT magic bytes");
            }

            throw "MAGIC!"; // Added to see failure
    ```

    fails basically immediately with the added magic prefix:

    ```
    INFO: A corpus is not provided, starting from an empty corpus
    #2      INITED cov: 55 ft: 55 corp: 1/1b exec/s: 0 rss: 34Mb
    #3      NEW    cov: 60 ft: 60 corp: 2/3b lim: 4 exec/s: 0 rss: 34Mb L: 2/2 MS: 1 CopyPart-
    #4      NEW    cov: 61 ft: 61 corp: 3/4b lim: 4 exec/s: 0 rss: 34Mb L: 1/2 MS: 1 ChangeBinInt-
    #25     NEW    cov: 69 ft: 69 corp: 4/6b lim: 4 exec/s: 0 rss: 34Mb L: 2/2 MS: 1 CopyPart-
    libc++abi: terminating due to uncaught exception of type char const*
    ==9147== ERROR: libFuzzer: deadly signal
    NOTE: libFuzzer has rudimentary signal handlers.
          Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    ```

    but the original:

    ```cpp
    FUZZ_TARGET(psbt_base64_decode)
    {
        const std::string random_string{buffer.begin(), buffer.end()};
    ```

    works a lot on the prefix (instead of the rest of the PSBT format):

    ```
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 1756400214
    INFO: Loaded 1 modules   (570750 inline 8-bit counters): 570750 [0x10206c000, 0x1020f757e),
    INFO: Loaded 1 PC tables (570750 PCs): 570750 [0x1020f7580,0x1029acd60),
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    #2      INITED cov: 37 ft: 37 corp: 1/1b exec/s: 0 rss: 34Mb
    #4      NEW    cov: 38 ft: 38 corp: 2/3b lim: 4 exec/s: 0 rss: 34Mb L: 2/2 MS: 2 ChangeBinInt-InsertByte-
    #7      NEW    cov: 38 ft: 39 corp: 3/6b lim: 4 exec/s: 0 rss: 34Mb L: 3/3 MS: 3 InsertByte-ChangeByte-InsertByte-
    #15     NEW    cov: 42 ft: 44 corp: 4/10b lim: 4 exec/s: 0 rss: 34Mb L: 4/4 MS: 3 InsertByte-ShuffleBytes-InsertByte-
    #124    NEW    cov: 43 ft: 45 corp: 5/14b lim: 4 exec/s: 0 rss: 34Mb L: 4/4 MS: 4 EraseBytes-InsertByte-ChangeBit-InsertByte-
    #231    NEW    cov: 45 ft: 47 corp: 6/18b lim: 4 exec/s: 0 rss: 34Mb L: 4/4 MS: 2 ChangeBit-CrossOver-
    #390    NEW    cov: 47 ft: 50 corp: 7/22b lim: 4 exec/s: 0 rss: 34Mb L: 4/4 MS: 4 ShuffleBytes-ChangeBit-CopyPart-CopyPart-
    #459    NEW    cov: 48 ft: 51 corp: 8/26b lim: 4 exec/s: 0 rss: 34Mb L: 4/4 MS: 4 ChangeByte-ChangeByte-ChangeBit-CopyPart-
            NEW_FUNC[1/6]: 0x100cdbb54
            NEW_FUNC[2/6]: 0x100d6f438
    #562    NEW    cov: 69 ft: 75 corp: 9/30b lim: 4 exec/s: 0 rss: 34Mb L: 4/4 MS: 3 ShuffleBytes-ChangeBit-ChangeByte-
    #611    NEW    cov: 69 ft: 77 corp: 10/34b lim: 4 exec/s: 0 rss: 34Mb L: 4/4 MS: 4 ChangeBit-EraseBytes-ChangeBit-CrossOver-
    #826    NEW    cov: 69 ft: 78 corp: 11/39b lim: 6 exec/s: 0 rss: 34Mb L: 5/5 MS: 5 ShuffleBytes-ChangeBinInt-ChangeByte-EraseBytes-InsertRepeatedBytes-
    #856    NEW    cov: 70 ft: 79 corp: 12/43b lim: 6 exec/s: 0 rss: 34Mb L: 4/5 MS: 5 ShuffleBytes-ChangeBit-ChangeBinInt-EraseBytes-CopyPart-
    #1380   NEW    cov: 70 ft: 80 corp: 13/52b lim: 11 exec/s: 0 rss: 34Mb L: 9/9 MS: 4 ChangeBinInt-CrossOver-ChangeByte-InsertByte-
    #1642   NEW    cov: 72 ft: 86 corp: 14/60b lim: 11 exec/s: 0 rss: 34Mb L: 8/9 MS: 2 CrossOver-CopyPart-
    #2263   NEW    cov: 72 ft: 90 corp: 15/76b lim: 17 exec/s: 0 rss: 34Mb L: 16/16 MS: 1 CopyPart-
    #2274   NEW    cov: 72 ft: 91 corp: 16/93b lim: 17 exec/s: 0 rss: 34Mb L: 17/17 MS: 1 InsertRepeatedBytes-
    #2360   NEW    cov: 72 ft: 92 corp: 17/109b lim: 17 exec/s: 0 rss: 34Mb L: 16/17 MS: 1 ChangeByte-
    #3174   NEW    cov: 75 ft: 95 corp: 18/132b lim: 25 exec/s: 0 rss: 34Mb L: 23/23 MS: 4 CrossOver-InsertRepeatedBytes-EraseBytes-InsertRepeatedBytes-
    #3180   NEW    cov: 76 ft: 96 corp: 19/156b lim: 25 exec/s: 0 rss: 35Mb L: 24/24 MS: 1 CrossOver-
    #3589   NEW    cov: 76 ft: 99 corp: 20/180b lim: 29 exec/s: 0 rss: 35Mb L: 24/24 MS: 4 ChangeBinInt-ChangeBit-CopyPart-InsertRepeatedBytes-
    #4068   NEW    cov: 76 ft: 100 corp: 21/213b lim: 33 exec/s: 0 rss: 35Mb L: 33/33 MS: 4 CopyPart-ShuffleBytes-ChangeBit-InsertRepeatedBytes-
    #5524   NEW    cov: 76 ft: 102 corp: 22/253b lim: 43 exec/s: 0 rss: 35Mb L: 40/40 MS: 1 InsertRepeatedBytes-
    #6161   NEW    cov: 76 ft: 104 corp: 23/297b lim: 48 exec/s: 0 rss: 35Mb L: 44/44 MS: 2 ChangeByte-InsertRepeatedBytes-
    #8191   NEW    cov: 77 ft: 105 corp: 24/364b lim: 68 exec/s: 0 rss: 35Mb L: 67/67 MS: 5 CopyPart-ChangeByte-ShuffleBytes-EraseBytes-InsertRepeatedBytes-
    #8249   NEW    cov: 78 ft: 106 corp: 25/428b lim: 68 exec/s: 0 rss: 35Mb L: 64/67 MS: 3 ShuffleBytes-ChangeByte-InsertRepeatedBytes-
    #9017   REDUCE cov: 78 ft: 106 corp: 25/426b lim: 74 exec/s: 0 rss: 35Mb L: 65/65 MS: 3 ChangeBit-CopyPart-EraseBytes-
    #10248  NEW    cov: 78 ft: 107 corp: 26/498b lim: 86 exec/s: 0 rss: 35Mb L: 72/72 MS: 1 InsertRepeatedBytes-
    #14613  NEW    cov: 79 ft: 108 corp: 27/626b lim: 128 exec/s: 0 rss: 36Mb L: 128/128 MS: 5 CMP-CrossOver-ChangeByte-InsertRepeatedBytes-CopyPart- DE: ">\000\000\000\000\000\000\000"-
    #16905  NEW    cov: 79 ft: 109 corp: 28/754b lim: 149 exec/s: 0 rss: 36Mb L: 128/128 MS: 2 InsertByte-CopyPart-
    #17031  NEW    cov: 79 ft: 110 corp: 29/890b lim: 149 exec/s: 0 rss: 36Mb L: 136/136 MS: 1 InsertRepeatedBytes-
    #17497  REDUCE cov: 79 ft: 110 corp: 29/886b lim: 149 exec/s: 0 rss: 36Mb L: 68/136 MS: 1 EraseBytes-
    #19999  REDUCE cov: 79 ft: 110 corp: 29/882b lim: 170 exec/s: 0 rss: 36Mb L: 64/136 MS: 2 EraseBytes-InsertByte-
    #22675  REDUCE cov: 79 ft: 110 corp: 29/878b lim: 191 exec/s: 0 rss: 36Mb L: 12/136 MS: 1 EraseBytes-
    #23730  NEW    cov: 79 ft: 111 corp: 30/1072b lim: 198 exec/s: 0 rss: 36Mb L: 194/194 MS: 5 ChangeByte-ChangeBit-InsertByte-InsertRepeatedBytes-InsertRepeatedBytes-
    #25064  REDUCE cov: 79 ft: 113 corp: 31/1272b lim: 205 exec/s: 0 rss: 36Mb L: 200/200 MS: 4 ShuffleBytes-InsertRepeatedBytes-CrossOver-CopyPart-
    #25331  REDUCE cov: 79 ft: 113 corp: 31/1268b lim: 205 exec/s: 0 rss: 36Mb L: 36/200 MS: 2 EraseBytes-CrossOver-
    #33104  NEW    cov: 79 ft: 114 corp: 32/1543b lim: 277 exec/s: 0 rss: 37Mb L: 275/275 MS: 3 InsertRepeatedBytes-ChangeBit-InsertRepeatedBytes-
    #34774  REDUCE cov: 79 ft: 114 corp: 32/1529b lim: 293 exec/s: 0 rss: 37Mb L: 261/261 MS: 5 ShuffleBytes-CopyPart-ChangeByte-EraseBytes-InsertRepeatedBytes-
    #38904  NEW    cov: 79 ft: 115 corp: 33/1852b lim: 333 exec/s: 38904 rss: 37Mb L: 323/323 MS: 5 InsertRepeatedBytes-CopyPart-CopyPart-CrossOver-InsertRepeatedBytes-
    #49627  REDUCE cov: 79 ft: 115 corp: 33/1840b lim: 437 exec/s: 49627 rss: 37Mb L: 188/323 MS: 3 EraseBytes-ShuffleBytes-CrossOver-
    #52714  REDUCE cov: 79 ft: 115 corp: 33/1835b lim: 461 exec/s: 52714 rss: 37Mb L: 256/323 MS: 2 ShuffleBytes-EraseBytes-
    #55990  REDUCE cov: 79 ft: 115 corp: 33/1831b lim: 493 exec/s: 55990 rss: 37Mb L: 132/323 MS: 1 EraseBytes-
    #65018  NEW    cov: 80 ft: 116 corp: 34/1839b lim: 580 exec/s: 65018 rss: 37Mb L: 8/323 MS: 3 InsertByte-ShuffleBytes-CrossOver-
    #77187  NEW    cov: 80 ft: 117 corp: 35/2498b lim: 697 exec/s: 38593 rss: 37Mb L: 659/659 MS: 4 ChangeBinInt-CrossOver-CopyPart-InsertRepeatedBytes-
    #100174 REDUCE cov: 80 ft: 117 corp: 35/2495b lim: 922 exec/s: 50087 rss: 37Mb L: 656/656 MS: 2 CopyPart-CrossOver-
    #127395 REDUCE cov: 80 ft: 117 corp: 35/2487b lim: 1190 exec/s: 42465 rss: 37Mb L: 180/656 MS: 1 CrossOver-
    #131072 pulse  cov: 80 ft: 117 corp: 35/2487b lim: 1220 exec/s: 43690 rss: 37Mb
    #132743 REDUCE cov: 80 ft: 118 corp: 36/3083b lim: 1240 exec/s: 44247 rss: 37Mb L: 596/656 MS: 3 CrossOver-CopyPart-CopyPart-
    #133641 REDUCE cov: 80 ft: 118 corp: 36/3082b lim: 1240 exec/s: 44547 rss: 37Mb L: 322/656 MS: 3 CopyPart-ChangeByte-EraseBytes-
    #149165 REDUCE cov: 80 ft: 119 corp: 37/4314b lim: 1390 exec/s: 37291 rss: 37Mb L: 1232/1232 MS: 4 CopyPart-InsertRepeatedBytes-EraseBytes-CopyPart-
    #152496 REDUCE cov: 80 ft: 119 corp: 37/4310b lim: 1420 exec/s: 38124 rss: 37Mb L: 176/1232 MS: 1 EraseBytes-
    #158323 REDUCE cov: 80 ft: 119 corp: 37/4242b lim: 1470 exec/s: 39580 rss: 37Mb L: 528/1232 MS: 2 ShuffleBytes-EraseBytes-
    #160032 REDUCE cov: 80 ft: 119 corp: 37/4104b lim: 1480 exec/s: 40008 rss: 37Mb L: 1094/1094 MS: 4 ChangeByte-ChangeByte-CrossOver-CrossOver-
    #165774 REDUCE cov: 80 ft: 119 corp: 37/4046b lim: 1530 exec/s: 41443 rss: 37Mb L: 598/1094 MS: 2 ChangeByte-EraseBytes-
    #171841 REDUCE cov: 80 ft: 119 corp: 37/4042b lim: 1590 exec/s: 42960 rss: 37Mb L: 172/1094 MS: 2 CrossOver-EraseBytes-
    #176498 REDUCE cov: 80 ft: 119 corp: 37/4022b lim: 1630 exec/s: 44124 rss: 37Mb L: 578/1094 MS: 2 InsertRepeatedBytes-EraseBytes-
    #187724 REDUCE cov: 80 ft: 119 corp: 37/4021b lim: 1740 exec/s: 37544 rss: 37Mb L: 321/1094 MS: 1 EraseBytes-
    #198026 REDUCE cov: 80 ft: 119 corp: 37/4009b lim: 1840 exec/s: 39605 rss: 37Mb L: 516/1094 MS: 2 ShuffleBytes-EraseBytes-
    #199185 REDUCE cov: 80 ft: 119 corp: 37/4007b lim: 1850 exec/s: 39837 rss: 37Mb L: 192/1094 MS: 4 ChangeByte-InsertRepeatedBytes-EraseBytes-InsertByte-
    #262144 pulse  cov: 80 ft: 119 corp: 37/4007b lim: 2468 exec/s: 37449 rss: 37Mb
    #268590 REDUCE cov: 80 ft: 119 corp: 37/4002b lim: 2534 exec/s: 38370 rss: 37Mb L: 1089/1089 MS: 5 InsertRepeatedBytes-CrossOver-ChangeBinInt-CMP-EraseBytes- DE: "\001\026"-
    #285269 REDUCE cov: 80 ft: 120 corp: 38/6337b lim: 2699 exec/s: 40752 rss: 37Mb L: 2335/2335 MS: 4 CrossOver-ShuffleBytes-CrossOver-CrossOver-
    #288545 REDUCE cov: 80 ft: 120 corp: 38/6200b lim: 2721 exec/s: 41220 rss: 37Mb L: 2198/2198 MS: 1 EraseBytes-
    #323534 REDUCE cov: 80 ft: 120 corp: 38/6199b lim: 3062 exec/s: 40441 rss: 38Mb L: 320/2198 MS: 4 ChangeBinInt-CrossOver-CMP-EraseBytes- DE: "\002\000\000\000\000\000\000\000"-
    #379377 REDUCE cov: 80 ft: 120 corp: 38/6155b lim: 3612 exec/s: 37937 rss: 38Mb L: 2154/2154 MS: 3 InsertByte-ShuffleBytes-EraseBytes-
    #396676 REDUCE cov: 80 ft: 120 corp: 38/6154b lim: 3777 exec/s: 39667 rss: 38Mb L: 577/2154 MS: 4 PersAutoDict-ChangeBinInt-ChangeBinInt-EraseBytes- DE: "\002\000\000\000\000\000\000\000"-
    #430453 REDUCE cov: 80 ft: 120 corp: 38/6153b lim: 4096 exec/s: 39132 rss: 38Mb L: 576/2154 MS: 2 CopyPart-EraseBytes-
    #471934 REDUCE cov: 80 ft: 120 corp: 38/6122b lim: 4096 exec/s: 39327 rss: 38Mb L: 2123/2123 MS: 1 EraseBytes-
    #524288 pulse  cov: 80 ft: 120 corp: 38/6122b lim: 4096 exec/s: 37449 rss: 38Mb
    #770383 REDUCE cov: 80 ft: 120 corp: 38/6120b lim: 4096 exec/s: 38519 rss: 38Mb L: 2121/2121 MS: 4 ChangeBit-ChangeBinInt-CrossOver-EraseBytes-
    #800683 REDUCE cov: 80 ft: 120 corp: 38/6119b lim: 4096 exec/s: 38127 rss: 38Mb L: 1088/2121 MS: 5 CopyPart-ShuffleBytes-InsertRepeatedBytes-InsertRepeatedBytes-EraseBytes-
    #1048576        pulse  cov: 80 ft: 120 corp: 38/6119b lim: 4096 exec/s: 37449 rss: 38Mb
    #2097152        pulse  cov: 80 ft: 120 corp: 38/6119b lim: 4096 exec/s: 38130 rss: 38Mb
    #2185901        REDUCE cov: 80 ft: 120 corp: 38/6118b lim: 4096 exec/s: 37687 rss: 38Mb L: 2120/2120 MS: 3 InsertRepeatedBytes-PersAutoDict-EraseBytes- DE: "\002\000\000\000\000\000\000\000"-
    #2396085        REDUCE cov: 80 ft: 120 corp: 38/6112b lim: 4096 exec/s: 38033 rss: 38Mb L: 2114/2114 MS: 4 InsertByte-CopyPart-ChangeByte-CrossOver-
    #3730734        REDUCE cov: 80 ft: 120 corp: 38/6110b lim: 4096 exec/s: 38068 rss: 38Mb L: 2112/2112 MS: 4 InsertByte-EraseBytes-InsertRepeatedBytes-CrossOver-
    #4194304        pulse  cov: 80 ft: 120 corp: 38/6110b lim: 4096 exec/s: 37786 rss: 38Mb
    #5041825        REDUCE cov: 80 ft: 120 corp: 38/6106b lim: 4096 exec/s: 37908 rss: 38Mb L: 512/2112 MS: 1 EraseBytes-
    #8388608        pulse  cov: 80 ft: 120 corp: 38/6106b lim: 4096 exec/s: 37786 rss: 38Mb
    #8388608        pulse  cov: 80 ft: 120 corp: 38/6106b lim: 4096 exec/s: 37786 rss: 38Mb
    #16777216       pulse  cov: 80 ft: 120 corp: 38/6106b lim: 4096 exec/s: 37957 rss: 38Mb
    #33554432       pulse  cov: 80 ft: 120 corp: 38/6106b lim: 4096 exec/s: 38043 rss: 38Mb
    ```

    Edit:

    > According to drahtbot.space/host_reports/DrahtBot/reports/coverage_fuzz/monotree/dfb7d58108daf372/c62dc520e0c7caee/fuzz.coverage/src/psbt.h.gcov.html it is already covered.

    Sweet, do we save every input that ever makes new progress to the coverage corpora automatically? I’m surprised it was able to crack the whole format, that’s pretty neat (especially since I don’t see that locally)

  8. maflcko commented at 9:45 pm on March 25, 2025: member

    Running fuzzing in a single thread, for less than 4 minutes, with an empty fuzz input folder isn’t representative.

    My recommendation would be to run in more threads, for longer time, and with the existing fuzz inputs.

    If you really want to start with an empty folder, you can try -use_value_profile=1.

    If you want to help the fuzz engine with the encoding, it seems best to do over the whole input and not only the prefix.

    In any case, I don’t see why this should be bundled in this pull request, which is a bugfix that probably should be backported.

  9. l0rinc force-pushed on Mar 25, 2025
  10. l0rinc commented at 9:52 pm on March 25, 2025: contributor

    > In any case, I don’t see why this should be bundled in this pull request, which is a bugfix that probably should be backported.

    It’s not that important, I dropped that commit

  11. maflcko added this to the milestone 29.0 on Mar 25, 2025
  12. maflcko added the label Needs backport (29.x) on Mar 25, 2025
  13. hodlinator approved
  14. hodlinator commented at 10:32 pm on March 25, 2025: contributor

    ACK b1de59e8965354fff5a149bc0fe61ed0704aea7a

    Verified fix works on Windows/MSVC. Undid the change, and re-ran again to confirm that I could reproduce the failing assert issue due to unspecified evaluation order seen on CI.

    PR description/title suggestions

    0- fuzz: extract unsequenced operations with side-effects
    1+ fuzz: extract unsequenced operation with side-effects
    2...
    3- introduced an unsequenced operations with side-effects
    4+ introduced two unsequenced operations where one had side-effects
    5...
    6+ Fixes [#32135](/bitcoin-bitcoin/32135/)
    
  15. marcofleon commented at 5:01 pm on March 26, 2025: contributor
    Nice, ACK b1de59e8965354fff5a149bc0fe61ed0704aea7a
  16. brunoerg approved
  17. brunoerg commented at 5:20 pm on March 26, 2025: contributor

    code review ACK b1de59e8965354fff5a149bc0fe61ed0704aea7a

    worth mentioning on docs it?

  18. maflcko commented at 7:17 am on March 27, 2025: member
    lgtm ACK b1de59e8965354fff5a149bc0fe61ed0704aea7a
  19. fanquake merged this on Mar 27, 2025
  20. fanquake closed this on Mar 27, 2025

  21. l0rinc deleted the branch on Mar 27, 2025

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-03-28 15:12 UTC
