fuzz: `txgraph`: Assertion `cmp == 0' failed #33097

$ echo "oK+goKCgArv/GMG0oAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOTkAr6AAAgIC/wICAgICAgICCAAAAAAAAAAAAAgAAP8A/wACAAAAAAAAAAAAAAAAAAAAAAAAAAAAABACAgICf/8AoKAAAAAAAAAAAAgAAP8AAgAAAAAAABACAgICf/8AAAAAIAAAAAAAAAAAAAAACAAA/wACgIAAAAAAgIAAAAAAAAAAAAAACAAA/wACAAAAAAAAAAAAAAAAAAAAAAAAAAAAABACAgICf/8AoF4AFgAAAAAAAAAIAAD/AAIAAICAAAA=" | base64 --decode > txgraph.crash
$ FUZZ=txgraph ./fuzz txgraph.crash 
fuzz: test/fuzz/txgraph.cpp:1057: void txgraph_fuzz_target(FuzzBufferType): Assertion `cmp == 0' failed.
==6038== ERROR: libFuzzer: deadly signal
/usr/bin/llvm-symbolizer: error: 'linux-vdso.so.1': No such file or directory
   [#0](/bitcoin-bitcoin/0/) 0xaaaae4109fc4 in __sanitizer_print_stack_trace /llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
   [#1](/bitcoin-bitcoin/1/) 0xaaaae4005890 in fuzzer::PrintStackTrace() /llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
   [#2](/bitcoin-bitcoin/2/) 0xaaaae3feae50 in fuzzer::Fuzzer::CrashCallback() /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
   [#3](/bitcoin-bitcoin/3/) 0xffff856b57b8  (linux-vdso.so.1+0x7b8) (BuildId: d721ef96679f76202b9d0a21a3db1069daa73c69)
   [#4](/bitcoin-bitcoin/4/) 0xffff851b7dbc  (/lib/aarch64-linux-gnu/libc.so.6+0x87dbc) (BuildId: 817c172ae01de5c5673c0e5a5d33e8fa0d4c6bd5)
   [#5](/bitcoin-bitcoin/5/) 0xffff8516697c in raise (/lib/aarch64-linux-gnu/libc.so.6+0x3697c) (BuildId: 817c172ae01de5c5673c0e5a5d33e8fa0d4c6bd5)
   [#6](/bitcoin-bitcoin/6/) 0xffff85151ac0 in abort (/lib/aarch64-linux-gnu/libc.so.6+0x21ac0) (BuildId: 817c172ae01de5c5673c0e5a5d33e8fa0d4c6bd5)
   [#7](/bitcoin-bitcoin/7/) 0xffff8515f9b8  (/lib/aarch64-linux-gnu/libc.so.6+0x2f9b8) (BuildId: 817c172ae01de5c5673c0e5a5d33e8fa0d4c6bd5)
   [#8](/bitcoin-bitcoin/8/) 0xaaaae461b4b0 in txgraph_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>) txgraph.cpp
   [#9](/bitcoin-bitcoin/9/) 0xaaaae4791604 in LLVMFuzzerTestOneInput fuzz.cpp
   [#10](/bitcoin-bitcoin/10/) 0xaaaae3fec344 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
   [#11](/bitcoin-bitcoin/11/) 0xaaaae3fd7ff8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:328:6
   [#12](/bitcoin-bitcoin/12/) 0xaaaae3fdd4ac in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:863:9
   [#13](/bitcoin-bitcoin/13/) 0xaaaae4006070 in main /llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
   [#14](/bitcoin-bitcoin/14/) 0xffff85152298  (/lib/aarch64-linux-gnu/libc.so.6+0x22298) (BuildId: 817c172ae01de5c5673c0e5a5d33e8fa0d4c6bd5)
   [#15](/bitcoin-bitcoin/15/) 0xffff85152378 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22378) (BuildId: 817c172ae01de5c5673c0e5a5d33e8fa0d4c6bd5)
   [#16](/bitcoin-bitcoin/16/) 0xaaaae3fd19ac in _start (/workdir/out/libfuzzer_asan/fuzz+0x14819ac)

I'm guessing this is new after #32263 was merged yesterday. cc @sipa @glozow

Do you recall the fuzzing engine used to find this? I tried libFuzzer on 8 threads for two weeks, but haven't re-found it so far.

The crashing input was found by afl++ but libFuzzer and honggfuzz were also part of the campaign (probably took ~64 CPU hours).