fuzz: wallet: add target for `TransactionCanBeBumped`

brunoerg commented at 2:07 pm on November 20, 2025: contributor

This PR adds a fuzz target for the TransactionCanBeBumped function. This function checks if a transaction can be bumped based on:

Transaction has descendants in the wallet.
Transaction has descendants in the mempool.
Transaction has been mined.
Transaction was already bumped.
Transaction has inputs that are not mine.

This target will create scenarios to exercise all these cases. For the scenario (2), it has a mocked CTxMemPool that has a function to update the descendant state on mempool - this way we can speed up the target by avoiding to interacting with the mempool to really create descedants (e.g. creating blocks to trigger it).

Also, the CheckTransaction calls are to avoid UB on SetSpentKeyState - e.g. by calling it with a transaction without any output.

DrahtBot added the label Tests on Nov 20, 2025

DrahtBot commented at 2:07 pm on November 20, 2025: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/33916.

Reviews

See the guideline for information on the review process.

Type	Reviewers
Stale ACK	janb84

If your review is incorrectly listed, please copy-paste <!–meta-tag:bot-skip–> into the comment that the bot should ignore.

fanquake added the label Fuzzing on Nov 20, 2025

brunoerg commented at 2:13 pm on November 20, 2025: contributor

Coverage report is available at: https://brunoerg.xyz/bitcoin-core-coverage/33916/

janb84 commented at 1:34 pm on November 24, 2025: contributor

ACK 2df9f10755ea7de94ecc9a17e6dd6dc89de0a637

PR adds new fuzzing target. Target wallet_tx_can_be_bumped.

Ran fuzzer for 2 hours without issues, Codecoverage equals to what is reported. New Target is NOT deterministic, but I’m also not sure what to change to make it deterministic (if it’s even feasible)

This fuzzer increases fuzzing coverage :

Totals master:	69.81% (5082/7280)	41.91% (10784/25729)	62.64% (57301/91479)	56.83% (39387/69312)	56.96% (21311/37411)
Totals this PR	70.58% (5142/7285)	42.32% (10893/25742)	63.09% (57787/91592)	57.34% (39758/69343)	57.28% (21428/37411)

Big improvement area’s:

master	src/wallet/transaction.cpp	0.00% (0/6)	0.00% (0/6)	0.00% (0/41)	0.00% (0/20)	0.00% (0/16)
this PR	src/wallet/transaction.cpp	33.33% (2/6)	33.33% (2/6)	41.46% (17/41)	30.00% (6/20)	31.25% (5/16)

master	src/wallet/transaction.h	5.88% (3/51)	2.42% (3/124)	8.54% (14/164)	6.45% (8/124)	0.00% (0/42)
this PR	src/wallet/transaction.h	49.02% (25/51)	29.03% (36/124)	50.61% (83/164)	36.29% (45/124)	4.76% (2/42)

master	src/wallet/wallet.cpp	15.31% (32/209)	15.17% (32/211)	8.55% (273/3192)	7.76% (239/3079)	6.31% (97/1538)
this PR	src/wallet/wallet.cpp	24.88% (52/209)	24.64% (52/211)	15.32% (489/3192)	14.58% (449/3079)	11.96% (184/1538)

master	src/wallet/wallet.h	37.14% (13/35)	24.14% (14/58)	36.26% (33/91)	24.84% (39/157)	18.37% (9/49)
this PR	src/wallet/wallet.h	40.00% (14/35)	29.31% (17/58)	41.76% (38/91)	30.57% (48/157)	20.41% (10/49)

master	src/wallet/walletdb.cpp	15.66% (13/83)	15.66% (13/83)	4.77% (67/1404)	4.38% (28/639)	4.87% (15/308)
this PR	src/wallet/walletdb.cpp	19.28% (16/83)	19.28% (16/83)	5.48% (77/1404)	5.16% (33/639)	5.19% (16/308)

master	src/wallet/walletdb.h	33.33% (4/12)	28.21% (11/39)	31.03% (18/58)	22.58% (7/31)	10.00% (1/10)
this PR	src/wallet/walletdb.h	33.33% (4/12)	35.90% (14/39)	31.03% (18/58)	22.58% (7/31)	10.00% (1/10)

in src/wallet/test/fuzz/feebumper.cpp:37 in 2df9f10755

32+    g_setup = testing_setup.get();
33+}
34+
35+TxState ConsumeTxState(FuzzedDataProvider& fdp) {
36+    TxState state = TxStateInactive{
37+        /*abandoned=*/fdp.ConsumeBool()

maflcko commented at 9:48 am on November 26, 2025:

missing trailing comma?

brunoerg commented at 4:28 pm on November 26, 2025:

Done

in src/wallet/test/fuzz/feebumper.cpp:35 in 2df9f10755

30+{
31+    static const auto testing_setup = MakeNoLogFileContext<TestingSetup>();
32+    g_setup = testing_setup.get();
33+}
34+
35+TxState ConsumeTxState(FuzzedDataProvider& fdp) {

maflcko commented at 9:48 am on November 26, 2025:

clang format new code?

brunoerg commented at 4:28 pm on November 26, 2025:

Done

DrahtBot added the label CI failed on Nov 26, 2025

DrahtBot commented at 10:02 am on November 26, 2025: contributor

🚧 At least one of the CI tasks failed. Task previous releases: https://github.com/bitcoin/bitcoin/actions/runs/19539609660/job/56432179681 LLM reason (✨ experimental): Compilation failed: missing member UpdateDescendantState in CTxMemPoolEntry (feebumper.cpp) causing fuzz target build error.

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

maflcko commented at 10:05 am on November 26, 2025: member

needs rebase

fuzz: wallet: add target for `TransactionCanBeBumped` 52101d8809

brunoerg force-pushed on Nov 26, 2025

brunoerg commented at 4:30 pm on November 26, 2025: contributor

Force-pushed 2df9f10755ea7de94ecc9a17e6dd6dc89de0a637..52101d8809062d524393ebfde20c926d36fe5bf8:

Rebased - and now that we have cluster mempool, I simplified the target by mocking HasDescendants.
Addressed #33916 (review) and #33916 (review)

DrahtBot removed the label CI failed on Nov 26, 2025

fuzz: wallet: add target for TransactionCanBeBumped #33916

Code Coverage & Benchmarks

Reviews

fuzz: wallet: add target for `TransactionCanBeBumped` #33916