fuzz: expand script verification flag testing to segwit v0 and tapscript #34593

pull b-l-u-e wants to merge 2 commits into bitcoin:master from b-l-u-e:fuzz-script-flags-segwit-tapscript changing 6 files +175 −20
  1. b-l-u-e commented at 8:34 pm on February 14, 2026: contributor

    This continues the work originally started by dergoegge in #31460.

    The script_flags fuzz harness tests that script verification flags are soft-forks applying flags can only tighten rules never widen them. Currently, the fuzzer can’t reach SigVersion::WITNESS_V0 or SigVersion::TAPSCRIPT code paths because it can’t construct inputs that pass the P2WSH script hash check or a valid taproot commitment.

    This PR makes those checks mockable by moving them into virtual methods on BaseSignatureChecker

    • CheckWitnessScriptHash(program, exec_script) for P2WSH script hash verification
    • CheckTaprootCommitment(control, program, tapleaf_hash) for taproot script-path commitment

    A new script_flags_mocked fuzz target uses FuzzedSignatureChecker which mocks out signature validation and these commitment checks, allowing the fuzzer to exercise the interpreter under witness v0 and tapscript contexts

    so the coverage report shows that script_flags_mocked reaches segwit v0 and tapscript paths

    Segwit v0 (P2WSH / P2WPKH)

    Line Hits Code path
    program.size() == WITNESS_V0_SCRIPTHASH_SIZE 10.0k P2WSH branch entered
    checker.CheckWitnessScriptHash(program, exec_script) 6.77k P2WSH script-hash check
    ExecuteWitnessScript(..., SigVersion::WITNESS_V0, ...) (P2WSH) 4.87k Witness v0 script execution (P2WSH)
    ExecuteWitnessScript(..., SigVersion::WITNESS_V0, ...) (P2WPKH) 2.11k Witness v0 script execution (P2WPKH)

    Taproot / tapscript

    Line Hits Code path
    checker.CheckSchnorrSignature(..., SigVersion::TAPROOT, ...) 88 Key-path spend
    checker.CheckTaprootCommitment(control, program, ...) 273 Script-path commitment
    (control[0] & TAPROOT_LEAF_MASK) == TAPROOT_LEAF_TAPSCRIPT 87 Tapscript leaf branch
    ExecuteWitnessScript(..., SigVersion::TAPSCRIPT, ...) 80 Tapscript execution
  2. DrahtBot added the label Fuzzing on Feb 14, 2026
  3. DrahtBot commented at 8:35 pm on February 14, 2026: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

  4. DrahtBot added the label CI failed on Feb 14, 2026
  5. DrahtBot commented at 9:51 pm on February 14, 2026: contributor

    🚧 At least one of the CI tasks failed. Task lint: https://github.com/bitcoin/bitcoin/actions/runs/22023859338/job/63637248135 LLM reason (✨ experimental): Lint check failed due to trailing whitespace and missing trailing newline in src/test/fuzz/script_flags.cpp.

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

  6. script: move taproot commitment and witness script hash checks to BaseSignatureChecker 
    Signed-off-by: b-l-u-e <winnie.gitau282@gmail.com>
    27684418da
  7. fuzz: add script_flags_mocked target for segwit v0 and tapscript coverage 
    Signed-off-by: b-l-u-e <winnie.gitau282@gmail.com>
    93676e529c
  8. b-l-u-e force-pushed on Feb 14, 2026
  9. fanquake commented at 2:58 pm on February 16, 2026: member

    https://github.com/bitcoin/bitcoin/actions/runs/22025166541/job/63640569730?pr=34593#step:11:3973:

    0fuzz: test/fuzz/miniscript.cpp:1149: void (anonymous namespace)::TestNode(const MsCtx, const std::optional<Node> &, FuzzedDataProvider &): Assertion `res || serror == ScriptError::SCRIPT_ERR_OP_COUNT || serror == ScriptError::SCRIPT_ERR_STACK_SIZE' failed.
1==8513== ERROR: libFuzzer: deadly signal
  10. fanquake commented at 2:59 pm on February 16, 2026: member
    cc @dergoegge


b-l-u-e DrahtBot fanquake

Labels
CI failed Fuzzing

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-02-17 06:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me