fuzz: add p2p_private_broadcast harness #35090

nit use: auto& node{g_setup->m_node}; here?

Thanks

Is this copied from an older code before commit fabf8d1c5bdb6a944762792cdc762caa6c1a760b? Because it seems you are re-introducing the issue (or at least the risk of the issue) that was fixed and worked around in that pull request?

Yes you are right. Seems I was working from an older branch. I'll update this to reflect the changes

If it was written by an LLM, it could also be that it had the old code in memory?

It's not written by llm. Or does anything seems to suggest otherwise ?

No indication. I just wondered how this could have happened, because the commit f1eae996ba69badd8a81b4a60da63b9527f78634 is from today and based on a recent main commit. It is fine, I was just curious :sweat_smile:

Ah, you copied from src/test/fuzz/p2p_handshake.cpp? Maybe commit https://github.com/bitcoin/bitcoin/commit/fabf8d1c5bdb6a944762792cdc762caa6c1a760b should be applied to that file as well?

Seemingly so, I can see that it also calls peerman→SendMessages(), so would probably also need the fabf8d1 fix. Would it be appropriate to add it here as a second commit or just open a separate PR? Vasild has proposed deduplicating some features here #35090 (review), Do you think that would help?

As for src/test/fuzz/p2p_handshake.cpp, have confirmed that SendMessages coverage is identical before and after applying the fabf8d1 pattern fix, so thats fine. Happy to do a followup though to remove the the dangling reference_wrapper<AddrMan> risk, which I believe is still necessary.

Nice. Feel free to create a new pull request right away. I'd be happy to review/ack it.

Break line below can be added here.

    LIMITED_WHILE(!p2p_node.fDisconnect && fuzzed_data_provider.ConsumeBool(), 100)

Thanks for taking a look. Did you mean LIMITED_WHILE(!p2p_node.fDisconnect && fuzzed_data_provider.ConsumeBool(), 100) , in your suggestion ?

How long does this loop expect to go on?

        LIMITED_WHILE(more_work && fuzzed_data_provider.ConsumeBool(), 100) {

I think the plain while (more_work) loop is the established pattern in other similar harnesses (process_message and p2p_handshake).

nit: newline at end of file

will change. thanks

In the commit message: would be nice to follow the 50-72 rule.

s/Cconnman::PushMessage/CConnman::PushMessage/

great. will update that

Still the lines in the commit message are very long.

done. thanks

        ServiceFlags{NODE_NONE}); // We advertise our services as NODE_NONE to private broadcast peers (see PushNodeVersion()).

otherwise it looks like that they advertise to us.

There is no need for the cast, NODE_NONE is already of type ServiceFlags:

        NODE_NONE); // Private broadcast peers advertise NODE_NONE (see PushNodeVersion).

This will be a memory leak at the end of the test?

I dont think so. release() transfers ownership to connman.m_nodes via AddTestNode() (src/test/util/net.h:65), and connman.StopNodes() deletes every node in that list at the end of the iteration (src/net.cpp:3661).

Ok, I was looking for where it is freed after the release(). But it is added to connman before. So it is good. I would find it more natural to do the release first:

CNode& p2p_node = *pb_node.release();
connman.AddTestNode(p2p_node);
node.peerman->InitializeNode(p2p_node, ...);

and then the question why use unique_ptr in the first place if we are going to release() is right after. The production uses bare new, maybe the test can do the same:

CNode* pb_node = new CNode(...);
connman.AddTestNode(*pb_node);
node.peerman->InitializeNode(*pb_node, ...);

Would be good to indicate that these are "out" or "outbound" message types. Won't be long before we extend this to do something with "inbound" message types, which are different (e.g. GETDATA is allowed).

Given that this is inside a file called p2p_private_broadcast.cpp, may omit the PRIVATE_BROADCAST from the name of the variable if you wish.

will update. thanks

Wait! These are the messages that the tests simulates we have received from the peer. Those are inbound messages. INV, TX, and PING are ignored. The interesting ones are: VERSION, VERACK, GETDATA, PONG.

Yes, looking more keenly, I see that {VERSION, VERACK, GETDATA, PONG} is indeed the right model for what's tested here. And there’s actually some additional coverage(GETDATA handler (line 4144, 0 → 23 hits) and the post-handshake message filter (line 4016, 0 → 27 hits)). The earlier array was mistakenly based on the CConnman::PushMessage outbound allowlist. Thanks for catching this.

This test is very very similar to p2p_handshake from src/test/fuzz/p2p_handshake.cpp. Can it be deduplicated somehow?

Yes, the overlap is in the setup scaffolding (peerman/addrman reset, connman casts, g_msgproc_mutex lock, StopNodes()), and the same scaffolding exists across the other p2p harnesses. Agreed it's worth deduplicating, I’ll try it separately and if it comes out good it could be a follow-up?, or open a different PR altogether for it

Also the bool more_work{true}; while (more_work) { is duplicated. Already in more than one fuzz test. I agree here we can add one more dup and then separately try to dedup.

nit: this alias seems unnecessary. Maybe use pb_node-> below instead of p2p_node. and *pb_node instead of p2p_node. Or move this 2 statements earlier and use p2p_node in the calls to AddTestNode() and InitializeNode() which now use *pb_node.

nit: You can use ConsumeDuration with 10min, but just a style-nit.

Is there a reason to limit those? Shouldn't it be the goal of the fuzz test to check that the node does not crash and ignores them when unneeded messages are sent?

Looking at the code below the goal seems to be to just check against crashes/coverage, and not specifically about logic checks?

I might be mistaken, my understanding is that it would be very unlikely for the fuzzer to guess interesting (valid) message types. It would be good to feed also some random garbage into it and normally I would do some random and some of those predefined (interesting) ones, however it seems that test/fuzz/process_messages.cpp is already doing the random garbage stuff?

I might be mistaken, my understanding is that it would be very unlikely for the fuzzer to guess interesting (valid) message types.

I am confident this is not true, at least with modern fuzz engines, which have the full message array (list of strings) in memory and will inject it into the fuzz byte stream. Even without this array, it shouldn't take more than a few minutes for a modern fuzz engine to figure it out. Moreover, with an initial set, using the pre-existing qa-assets files, it is likely that there is already close to full coverage in this test without even starting a fuzz engine.

however it seems that test/fuzz/process_messages.cpp is already doing the random garbage stuff?

I don't think this is true. If the private broadcast stuff was already covered by another fuzz target, there would be no need for this pull request and it could be closed.

Looking at the code below the goal seems to be to just check against crashes/coverage, and not specifically about logic checks?

Shouldn't we be relying on the code’s own invariant checks?,

To give some more context, the code changes should follow what the goal here is of this pull request.

If the goal is to just add code coverage, to catch crashes, it may be better to modify the other fuzz targets to just have an optional call to InitiateTxBroadcastPrivate, because the other fuzz targets also create other message types already and also create more than one peer, etc ... (Avoiding duplicate code was brought up before, IIRC)

If the goal is to add more fine grained checks, it may be better to have a separate fuzz target, which exercises the inner logic with more strict checks.

Shouldn't we be relying on the code’s own invariant checks?,

Yes, this is a possible answer and actually true for most fuzz targets. However, it doesn't have to be, because fuzz tests are free to check any advanced state or outcome they want to.

So the only difference between this and test/fuzz/process_messages.cpp is that this has an extra call to InitiateTxBroadcastPrivate()?

So the only difference between this and test/fuzz/process_messages.cpp is that this has an extra call to InitiateTxBroadcastPrivate()?

There are a few reasons why I did not want to bundle it in test/fuzz/process_messages.cpp .

Here, every iteration uses ConnectionType::PRIVATE_BROADCAST (not random), m_tx_for_private_broadcast is seeded before the handshake so PushPrivateBroadcastTx reaches the send-INV path rather than immediately disconnecting,

well, and of course the message type constraining to the four, with private broadcast-specific handling. I think that without the seeding in particular, process_messages only ever hits the disconnect branch of PushPrivateBroadcastTx

and of course I thought forcing it inside there might reduce the effectiveness of those particular harnesses (process_messages or p2p_handshake)

I know that maflcko is right that the randomness issue alone could, in theory, be solved by running the fuzzer long enough and that it will eventually pick PRIVATE_BROADCAST. But I'm not sure if the seeding of m_tx_for_private_broadcast can be solved by corpus growth alone, without a structural change to the harness setup

To give some more context, the code changes should follow what the goal here is of this pull request.

If the goal is to just add code coverage, to catch crashes, it may be better to modify the other fuzz targets to just have an optional call to InitiateTxBroadcastPrivate, because the other fuzz targets also create other message types already and also create more than one peer, etc ... (Avoiding duplicate code was brought up before, IIRC)

If the goal is to add more fine grained checks, it may be better to have a separate fuzz target, which exercises the inner logic with more strict checks.

+1. I think you can add some verifications such as INVs in vSendMsg are well-formed and contains a single msg tx, then you could check that its hash is the same of the created tx.

I don't think "random" is the right way to think about consuming fuzzer input. Fuzzers are coverage guided. They will discover paths to take and then mutate the input that takes that path to fully exercise every path they can. If we give the harness a path to exercise private broadcast connections, it will find the path and take it.

But I'm not sure if the seeding of m_tx_for_private_broadcast can be solved by corpus growth alone

Wouldn't adding the following to process_messages exercise everything in this harness and more? This would be preferable, no?

    // Seed with up to 3 transactions to test multiple pending broadcasts.
    const int num_txs{fuzzed_data_provider.ConsumeIntegralInRange(0, 3)};
    for (int i = 0; i < num_txs; ++i) {
        node.peerman->InitiateTxBroadcastPrivate(
            MakeTransactionRef(ConsumeTransaction(fuzzed_data_provider, /*prevout_txids=*/std::nullopt)));
    }

Wouldn't adding the following to process_messages exercise everything in this harness and more? This would be preferable, no?

I think it is missing the mocktime setting? Otherwise, this is what I had in mind. When it comes to "preferable", I'd say either is fine. A dedicated fuzz target has a smaller overall input space to reach full coverage, so it may be easier to handle. Though, a more general fuzz target may trigger a bug that hasn't been envisioned while writing the more focussed one.

So I think anything is fine here, or we may even go as far and do both? :sweat_smile:

or we may even go as far and do both? 😅

That might also be a good approach

Does it make sense to break; from the loop if all peers have fDisconnect == true?

I think break would terminate prematurely in this case (am using multiple peers unlike before where I had just one peer). Also, I believe the loop terminates naturally because of ConsumeBool() returning false, and capped at 100 iterations.

6d0d18fca6cbb2fb846d987d9793f7adfc0d1712: I don't think we need to consume from the input for some fields here (e.g. m_network_key), they could be a constant since their values will not be used in practice.

I think these fields still influence node identity and could impact connection establishment in edge cases. For example, nLocalHostNonceIn is checked against the peer's VERSION nonce for self-connection detection, which determines if the peer is immediately dropped.

Also, I agree with maflcko's earlier review feedback about avoiding the "streetlight effect" (https://github.com/bitcoin/bitcoin/pull/35090#issuecomment-4288969545). My guess is that fixing these to constants could perhaps narrow the state space and blind the fuzzer to edge cases, without providing a clear corresponding benefit to exercising the private broadcast paths.

I think these fields still influence node identity and could impact connection establishment in edge cases. For example, nLocalHostNonceIn is checked against the peer's VERSION nonce for self-connection detection, which determines if the peer is immediately dropped.

Specifically in the context of private broadcast? Which is what you really want to exercise here.

I have grepped deeper and found that the VERSION handler and the self-connection check is gated on IsInboundConn(), so guess this means it never fires for outbound PRIVATE_BROADCAST peers regardless of nLocalHostNonceIn. The other fields (nKeyedNetGroup, addrBind, addrName, network_key) also don't appear in this path. Changed in new commit. Thanks.

Any value to call this in the loop?

can you share a coverage report? I think the harness could be improved to also create valid transactions.

Is this(https://github.com/bitcoin/bitcoin/pull/35090#issuecomment-4258396013) helpful ?

Any value to call this in the loop?

The loop produces distinct transactions per call (fresh bytes from fuzzed_data_provider each iteration)?..Initially I had just a single tx, but after review insights here I decided to seed multiple transactions(I am no sure if there is any way to add the multiple txs without the loop...)

I meant if there's value in calling it in the LIMITED_WHILE loop below. Looking at the coverage, there is missing coverage in ReattemptPrivateBroadcast, AbortPrivateBroadcast, private broadcast branches in NetMsgType::TX processing.

I meant if there's value in calling it in the LIMITED_WHILE loop below.

Ok. trying that now. Edit: Yes, I see value in doing that. Updated in new commit. Thanks.

Looking at the coverage, there is missing coverage in ReattemptPrivateBroadcast, AbortPrivateBroadcast, private broadcast branches in NetMsgType::TX processing.

Seems to be a structural gap. Have not checked to see the kind of refactors that would cover these, though.

Edit: I have worked on a refactor that helps reach NetMsgType::TX . However for ReattemptPrivateBroadcast and AbortPrivateBroadcast, they might be out of scope here?

formatting seems off compared to other tests, here and elsewhere

Thanks. will fix this

I think this would be more readable if this and choosing m_type was in a CallOneOf

Tried CallOneOf, measured coverage and realised complete regression. I'm not sure if it works well in this kind of harness.

Using CallOneOf shouldn't make a difference for coverage afaict? Plus I personally find it a bit easier to review and evaluate since the cases are separated nicely.

Using CallOneOf shouldn't make a difference for coverage afaict? Plus I personally find it a bit easier to review and evaluate since the cases are separated nicely.

Indeed, you are right. I fuzzed a few more hours on nosan and found that my earlier 'regression' was just a corpus size issue.

https://github.com/bitcoin/bitcoin/actions/runs/26278223054/job/77348533404?pr=35090#step:10:4782

...
    inlined from ‘p2p_private_broadcast_fuzz_target(FuzzBufferType)::<lambda()>’ at /home/runner/work/_temp/src/test/fuzz/p2p_private_broadcast.cpp:151:48:
/usr/arm-linux-gnueabihf/include/c++/14/bits/stl_construct.h:119:7: error: ‘void* __builtin_memcpy(void*, const void*, unsigned int)’ offset [5, 36] is out of the bounds [0, 5] [-Werror=array-bounds=]
  119 |       ::new((void*)__p) _Tp(std::forward<_Args>(__args)...);
      |       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmm!?

Thinking of trying out NetMsg::Make(https://github.com/bitcoin/bitcoin/blob/master/src/netmessagemaker.h) to replace DataStream, as a workaround

Used NetMsg::Make which I think works fine for this specific use case (Constructing outbound GETDATA). It serializes through VectorWriter directly into std::vector<unsigned char>, bypassing the std::byte which was troublesome before

nit: The PR summary states that there are 5 types, but there are only 4 types

Would it make sense to bias towards known service flags like the below? Or are we intentionally keeping this search space wide open?

            ConsumeWeakEnum(fuzzed_data_provider, ALL_SERVICE_FLAGS));

Would it make sense to bias towards known service flags like the below?

I doubt if it helps much in this harness. Also, p2p_handshake.cpp (from which most initial formatting for this harness was copied) uses the same pattern https://github.com/bitcoin/bitcoin/blob/eeeeb2a0b902ed69b5cd5523833d3ab5d963c81f/src/test/fuzz/p2p_handshake.cpp#L72

Okay I ran some tests and verified that you're correct! This example clears up some randomness misunderstandings that I had. Thanks :)

I think m_num_to_open will keep incrementing if we don't reset connman. Similar to the process_message(s) fuzz tests, we should add connman.Reset() here so that state doesn't persist between iterations.

I tested the coverage of the harness without and with the handshake patch suggested below and got the following diff:

net_processing.cpp:3570 (PushPrivateBroadcastTx)

-  3570|      0|    MakeAndPushMessage(node, NetMsgType::INV, ...
+  3570|    377|    MakeAndPushMessage(node, NetMsgType::INV, ...

Without this handshake (modeled after p2p_headers_presync), the harness never reaches the INV send path. InitializeNode does not set nVersion, so inbound VERACK is ignored before PushPrivateBroadcastTx runs.

    // Complete handshake so PushPrivateBroadcastTx runs.
    connman.Handshake(
        /*node=*/*pb_node,
        /*successfully_connected=*/true,
        /*remote_services=*/ServiceFlags(NODE_NETWORK | NODE_WITNESS),
        /*local_services=*/NODE_NONE,
        /*version=*/PROTOCOL_VERSION,
        /*relay_txs=*/true);