oss-fuzz: coins_view_overlay: ASSERT: m_dirty_count == 0 #34645

fanquake opened this issue on February 21, 2026
  1. fanquake commented at 4:07 pm on February 21, 2026: member

    https://issues.oss-fuzz.com/issues/486389268

    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bitcoin-core_83aef6625aaeafa301867de74608b320f3c923fe/revisions/coins_view_overlay -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-e84f31ab73616c1a282fb40ce4e33abd394fb911
    Time ran: 0.49608683586120605

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 360939801
    INFO: Loaded 1 modules   (603691 inline 8-bit counters): 603691 [0x55a793000eb0, 0x55a7930944db),
    INFO: Loaded 1 PC tables (603691 PCs): 603691 [0x55a7930944e0,0x55a7939ca790),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_bitcoin-core_83aef6625aaeafa301867de74608b320f3c923fe/revisions/coins_view_overlay: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-e84f31ab73616c1a282fb40ce4e33abd394fb911
    coins.cpp:283 void CCoinsViewCache::Flush(bool): Assertion `m_dirty_count == 0` failed.
    ==241== ERROR: libFuzzer: deadly signal
        #0 0x55a7909aa551 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x55a79089bff8 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x55a79087eb45 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
        #3 0x7f08d19c041f in libpthread.so.0
        #4 0x7f08d17b400a in __libc_signal_restore_set /build/glibc-B3wQXB/glibc-2.31/sysdeps/unix/sysv/linux/internal-signals.h:86:3
        #5 0x7f08d17b400a in raise /build/glibc-B3wQXB/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:48:3
        #6 0x7f08d1793858 in abort /build/glibc-B3wQXB/glibc-2.31/stdlib/abort.c:79:7
        #7 0x55a7915cc5e2 in assertion_fail(std::__1::source_location const&, std::__1::basic_string_view<char, std::__1::char_traits<char>>) [bitcoin-core/src/util/check.cpp:41](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/util/check.cpp#L41):5
        #8 0x55a79128c7ea in inline_assertion_check<false, bool> [bitcoin-core/src/util/check.h:90](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/util/check.h#L90):13
        #9 0x55a79128c7ea in CCoinsViewCache::Flush(bool) [bitcoin-core/src/coins.cpp:283](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/coins.cpp#L283):5
        #10 0x55a790c4dea7 in operator() [bitcoin-core/src/test/fuzz/coins_view.cpp:135](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/test/fuzz/coins_view.cpp#L135):34
        #11 0x55a790c4dea7 in CallOneOf<(lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:116:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:134:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:137:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:140:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:146:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:160:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:164:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:167:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:173:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:181:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:189:13), (lambda at /src/bitcoin-core/src/test/fuzz/coins_view.cpp:197:13)> [bitcoin-core/src/test/fuzz/util.h:42](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/test/fuzz/util.h#L42):27
        #12 0x55a790c4dea7 in TestCoinsView(FuzzedDataProvider&, CCoinsViewCache&, CCoinsView&, bool) [bitcoin-core/src/test/fuzz/coins_view.cpp:114](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/test/fuzz/coins_view.cpp#L114):9
        #13 0x55a790c4c486 in coins_view_overlay_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>) [bitcoin-core/src/test/fuzz/coins_view.cpp:404](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/test/fuzz/coins_view.cpp#L404):5
        #14 0x55a7912282f4 in operator() /usr/local/include/c++/v1/__functional/function.h:274:12
        #15 0x55a7912282f4 in operator() /usr/local/include/c++/v1/__functional/function.h:772:10
        #16 0x55a7912282f4 in test_one_input [bitcoin-core/src/test/fuzz/fuzz.cpp:88](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/test/fuzz/fuzz.cpp#L88):5
        #17 0x55a7912282f4 in LLVMFuzzerTestOneInput [bitcoin-core/src/test/fuzz/fuzz.cpp:216](https://github.com/bitcoin/bitcoin/blob/ee2065fdeaca91caaad9eb7daeeffe939441d804/src/test/fuzz/fuzz.cpp#L216):5
        #18 0x55a79088022d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
        #19 0x55a790869f42 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
        #20 0x55a79086fe10 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
        #21 0x55a79089c9a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #22 0x7f08d1795082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/libc-start.c:308:16
        #23 0x55a79086302d in _start

    NOTE: libFuzzer has rudimentary signal handlers.
          Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal

  2. fanquake added this to the milestone 31.0 on Feb 21, 2026
  3. fanquake commented at 4:08 pm on February 21, 2026: member
  4. sipa commented at 7:48 pm on February 21, 2026: member

    FWIW:

    $ base64 <clusterfuzz-testcase-minimized-coins_view_overlay-6749085850992640
    ICAJICAgXCDpeunp6enp6enp6enp6enp6enp6enp6enp6enp6eDp6enp6elcICAgICAgICAgICAg
    ICAgICAgICAgICAgICAgICAgICAgICAgIFwg6Xrp6enp6enp6enp6enp6enp6enp6enp6enp6eng
    6enp6enpXCDl/yD/MP8g/yD/MP8g5f8g/yD/MP8g/13/


    And indeed, looks like it is fixed by #33018.

    EDIT: this seems coincidental; 33018 doesn’t address the root cause.

  5. sipa commented at 7:55 pm on February 21, 2026: member

    However, after merging 33018, the following seed fails FUZZ=coins_view_overlay (which does not fail on master). This is with a very hastily-created merge, as there were some conflicts; it is possible I introduced a bug when merging.

  6. andrewtoth commented at 8:47 pm on February 21, 2026: contributor
  7. sipa commented at 8:56 pm on February 21, 2026: member

    Looks like it’s the result of the combination of #33512 and #34165, and ultimately a bug in the fuzz test, not the code being tested.

  8. andrewtoth commented at 2:56 pm on February 22, 2026: contributor

    Previously, double-iterating cursor entries was safe, but after #33512 we are decrementing m_dirty_count, which can’t be done twice.
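    A reduced C++ model of the mechanism andrewtoth describes, added here as an illustration and not code from Bitcoin Core or its fuzz harness (the class and function names are hypothetical): a derived dirty counter kept next to per-entry flags, the double cursor walk that decrements it twice, and a checked clear that ties the decrement to the flag so the Flush() invariant survives a repeated visit.

```cpp
#include <map>
#include <string>

// Simplified model of a cache with a per-entry dirty flag plus a derived
// counter, m_dirty_count, that Flush() asserts is zero once every entry has
// been cleared. Added illustration, not Bitcoin Core's CCoinsViewCache.
class DirtyCountedCache {
public:
    struct Entry { int value{0}; bool dirty{false}; };
    void Set(const std::string& key, int value) {
        Entry& e = m_map[key];
        if (!e.dirty) ++m_dirty_count;  // counted at most once per entry
        e = Entry{value, true};
    }
    // The entries in the order a cursor would hand them to the harness.
    const std::map<std::string, Entry>& Entries() const { return m_map; }
    // Unchecked: trusts the caller to visit each dirty entry exactly once.
    // A second visit decrements again and the Flush() invariant breaks.
    void ClearDirtyUnchecked(const std::string& key) {
        m_map[key].dirty = false;
        --m_dirty_count;
    }
    // Checked: the decrement happens only when the flag actually changes,
    // so a repeated visit is a no-op and the counter stays consistent.
    void ClearDirtyChecked(const std::string& key) {
        Entry& e = m_map[key];
        if (e.dirty) { e.dirty = false; --m_dirty_count; }
    }
    // Signed so a miscount reads as a negative number instead of wrapping.
    long DirtyCount() const { return m_dirty_count; }
    bool FlushInvariantHolds() const { return m_dirty_count == 0; }
private:
    std::map<std::string, Entry> m_map;
    long m_dirty_count{0};
};

// The harness pattern from the thread: walk the cursor twice, then report
// the counter that Flush() would check against zero.
long DirtyCountAfterDoubleIteration(bool checked) {
    DirtyCountedCache cache;
    cache.Set("a", 1);
    cache.Set("b", 2);
    for (int pass = 0; pass < 2; ++pass) {
        for (const auto& kv : cache.Entries()) {
            if (checked) cache.ClearDirtyChecked(kv.first);
            else cache.ClearDirtyUnchecked(kv.first);
        }
    }
    return cache.DirtyCount();
}
```

    With the unchecked clear the two entries are decremented twice and the counter ends at -2, which is exactly the state the `m_dirty_count == 0` assertion in Flush() rejects; the checked variant leaves it at 0.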
  9. achow101 closed this on Feb 24, 2026

  10. pull[bot] referenced this in commit 76eb04b16f on Feb 24, 2026

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-02-27 12:13 UTC