Add Murch’s fuzz seeds June 2024 (2nd attempt) #186

pull murchandamus wants to merge 4 commits into bitcoin-core:main from murchandamus:2024-06-add-murch changing 8849 files +34817 −0
  1. murchandamus commented at 9:05 pm on June 3, 2024: contributor

    I tried a variant of the prior approach. I moved the upstream seeds to a separate directory, created a set_cover_merge from the existing and the new seeds from scratch, then restored the upstream entries.
    After that I did a second set_cover_merge with the target directory already having the resulting seeds from first merge. I found that it added seeds to several targets that increased the feature count, but on a few targets also increased coverage.

    0mv fuzz_seed_corpus fuzz_inputs_upstream
    1test/fuzz/test_runner.py -l DEBUG --par $( nproc ) --m_dir ./fuzz_inputs_upstream/  --m_dir ./active-fuzzing      fuzz_seed_corpus
    2git restore -- ./fuzz_seed_corpus
    3test/fuzz/test_runner.py -l DEBUG --par $( nproc ) --m_dir ./fuzz_inputs_upstream/  --m_dir ./active-fuzzing      fuzz_seed_corpus
    4git add ./fuzz_seed_corpus
    5git commit -m "Add Murch’s fuzz seeds June 2024"
    

    I also did some additional fuzzing for timeoffsets and scriptpubkeyman given their recent updates.

  2. Add Murch’s fuzz seeds June 2024 8d624b4441
  3. maflcko commented at 10:11 am on June 4, 2024: contributor

    I found that it added seeds to several targets that increased the feature count, but on a few targets also increased coverage.

    This is expected, see https://github.com/bitcoin/bitcoin/issues/29018

  4. maflcko commented at 10:16 am on June 4, 2024: contributor
    About the CI error: I guess you’ll have to increase the rss limit for run_once (c.f. https://github.com/bitcoin/bitcoin/blame/9efc2af3be5817972d9899893c343fc4deab7df5/test/fuzz/test_runner.py#L299C14-L299C28), or change the fuzz target.
  5. maflcko commented at 11:24 am on June 4, 2024: contributor

    Looks like 30 more lines are covered, according to my coverage report.

    However, the msan task runtime also doubled, apart from the failure? Seems odd, because the others stayed roughly the same.

  6. murchandamus commented at 1:11 pm on June 4, 2024: contributor
    Perhaps it found some significantly longer seeds that increase the coverage but take longer to run?
  7. murchandamus commented at 1:16 pm on June 4, 2024: contributor
    I could merge the package_rbf seeds again with a lower limit?
  8. maflcko commented at 1:18 pm on June 4, 2024: contributor
    It could also be a bug in the fuzz target. Not sure if it changed recently.
  9. murchandamus commented at 1:24 pm on June 4, 2024: contributor

    I think package_rbf just got added in March or April.

    I did fuzz the three targets feefrac, build_and_compare_feerate_diagram, and package_rbf somewhat heavily when I got my new workstation since they were pretty new, so my active fuzzing directory would have the results of a few hundred extra CPU hours fuzzing package_rbf.

  10. Add some wallet_bdb_parser seeds 24c507b3ea
  11. murchandamus commented at 1:28 pm on June 4, 2024: contributor
    I realized that wallet_bdb_parser got added and fuzzed it a bit last night. Just added the seeds in a second commit.
  12. maflcko commented at 3:13 pm on June 4, 2024: contributor
     0Run wallet_bdb_parser with args ['/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz', '-runs=1', PosixPath('/ci_container_base/ci/scratch/qa-assets/fuzz_seed_corpus/wallet_bdb_parser')]INFO: Running with entropic power schedule (0xFF, 100).
     1INFO: Seed: 3961532020
     2INFO: Loaded 1 modules   (583901 inline 8-bit counters): 583901 [0x55692c3d17e8, 0x55692c4600c5), 
     3INFO: Loaded 1 PC tables (583901 PCs): 583901 [0x55692c4600c8,0x55692cd48e98), 
     4INFO:       44 files found in /ci_container_base/ci/scratch/qa-assets/fuzz_seed_corpus/wallet_bdb_parser
     5INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
     6INFO: seed corpus: files: 44 min: 1b max: 1237b total: 32203b rss: 160Mb
     7wallet/migrate.cpp:554:35: runtime error: implicit conversion from type 'int64_t' (aka 'long') of value -1 (64-bit, signed) to type 'uint32_t' (aka 'unsigned int') changed the value to 4294967295 (32-bit, unsigned)
     8    [#0](/bitcoin-core-qa-assets/0/) 0x55692a5f5353 in wallet::BerkeleyRODatabase::Open() src/wallet/migrate.cpp:554:35
     9    [#1](/bitcoin-core-qa-assets/1/) 0x55692a605a6e in wallet::BerkeleyRODatabase::BerkeleyRODatabase(fs::path const&, bool) src/./wallet/migrate.h:29:19
    10    [#2](/bitcoin-core-qa-assets/2/) 0x55692a5fba8c in std::__detail::_MakeUniq<wallet::BerkeleyRODatabase>::__single_object std::make_unique<wallet::BerkeleyRODatabase, fs::path&>(fs::path&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/unique_ptr.h:1070:34
    11    [#3](/bitcoin-core-qa-assets/3/) 0x55692a5fba8c in wallet::MakeBerkeleyRODatabase(fs::path const&, wallet::DatabaseOptions const&, wallet::DatabaseStatus&, bilingual_str&) src/wallet/migrate.cpp:775:50
    12    [#4](/bitcoin-core-qa-assets/4/) 0x556929373d8b in wallet_bdb_parser_fuzz_target(Span<unsigned char const>) src/wallet/test/fuzz/wallet_bdb_parser.cpp:57:13
    13    [#5](/bitcoin-core-qa-assets/5/) 0x5569298f4d3d in std::function<void (Span<unsigned char const>)>::operator()(Span<unsigned char const>) const /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
    14    [#6](/bitcoin-core-qa-assets/6/) 0x5569298f4d3d in LLVMFuzzerTestOneInput src/test/fuzz/fuzz.cpp:201:5
    15    [#7](/bitcoin-core-qa-assets/7/) 0x55692921b044 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x1aae044) (BuildId: 7154ae27bd1f5ece90cc0583ab3298ddfefc46d0)
    16    [#8](/bitcoin-core-qa-assets/8/) 0x55692921a739 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x1aad739) (BuildId: 7154ae27bd1f5ece90cc0583ab3298ddfefc46d0)
    17    [#9](/bitcoin-core-qa-assets/9/) 0x55692921c356 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x1aaf356) (BuildId: 7154ae27bd1f5ece90cc0583ab3298ddfefc46d0)
    18    [#10](/bitcoin-core-qa-assets/10/) 0x55692921c867 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x1aaf867) (BuildId: 7154ae27bd1f5ece90cc0583ab3298ddfefc46d0)
    19    [#11](/bitcoin-core-qa-assets/11/) 0x556929209d5f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x1a9cd5f) (BuildId: 7154ae27bd1f5ece90cc0583ab3298ddfefc46d0)
    20    [#12](/bitcoin-core-qa-assets/12/) 0x5569292343e6 in main (/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x1ac73e6) (BuildId: 7154ae27bd1f5ece90cc0583ab3298ddfefc46d0)
    21    [#13](/bitcoin-core-qa-assets/13/) 0x7fe3a6d2b1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 08134323d00289185684a4cd177d202f39c2a5f3)
    22    [#14](/bitcoin-core-qa-assets/14/) 0x7fe3a6d2b28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 08134323d00289185684a4cd177d202f39c2a5f3)
    23    [#15](/bitcoin-core-qa-assets/15/) 0x5569291fed44 in _start (/ci_container_base/ci/scratch/build/bitcoin-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x1a91d44) (BuildId: 7154ae27bd1f5ece90cc0583ab3298ddfefc46d0)
    24
    25SUMMARY: UndefinedBehaviorSanitizer: implicit-signed-integer-truncation wallet/migrate.cpp:554:35 
    26MS: 0 ; base unit: 0000000000000000000000000000000000000000
    27artifact_prefix='./'; Test unit written to ./crash-580fdb975cf6c529d5f97b0c61b2ce15b59cbb98
    
  13. maflcko commented at 3:14 pm on June 4, 2024: contributor
    The msan CI failure: It spends a long time hashing the large transaction, which has a large witness. The runtime is NUM_ITERS (aka 10'000) times n (size of the transaction), because the hashing is done in the loop.
  14. murchandamus commented at 4:57 pm on June 5, 2024: contributor
    0SUMMARY: UndefinedBehaviorSanitizer: implicit-signed-integer-truncation wallet/migrate.cpp:554:35 
    

    That’s odd, my fuzzer is generally configured with --with-sanitizers=address,fuzzer,undefined

    The msan CI failure: It spends a long time hashing the large transaction, which has a large witness. The runtime is NUM_ITERS (aka 10'000) times n (size of the transaction), because the hashing is done in the loop.

    Sounds like we should limit the size of the transaction in the fuzz target?

  15. maflcko commented at 7:44 am on June 6, 2024: contributor

    That’s odd, my fuzzer is generally configured with --with-sanitizers=address,fuzzer,undefined

    The integer sanitizer is a different sanitizer from the undefined sanitizer

  16. murchandamus commented at 5:44 pm on June 6, 2024: contributor

    One downside of only submitting every two months is that I rediscover every time how all of this actually works. :sweat_smile:

    I am now redoing the merge with all sanitizers. I then intend to manually re-merge package_rbf enforcing a shorter limit for the seeds.

  17. Remove two problematic seeds 7335365557
  18. murchandamus commented at 7:45 pm on June 6, 2024: contributor
    As discussed, I removed the two problematic seeds for the moment. I used a separate commit to make it easy to revert the removal, when the underlying issue has been addressed.
  19. dergoegge commented at 8:27 am on June 7, 2024: member
    There is still one or more ISan triggering inputs in the wallet_bdb_parser corpus
  20. maflcko commented at 9:14 am on June 7, 2024: contributor

    You can test locally if you removed all violating fuzz inputs:

    0CC=clang CXX=clang++ ./configure --enable-fuzz --with-sanitizers=fuzzer,undefined,integer,float-divide-by-zero && make clean && make
    1FUZZ=wallet_bdb_parser UBSAN_OPTIONS="suppressions=$(pwd)/test/sanitizer_suppressions/ubsan:print_stacktrace=1:halt_on_error=1:report_error_type=1" ./src/test/fuzz/fuzz -runs=1 ../qa-assets/fuzz_seed_corpus/wallet_bdb_parser
    
  21. Remove several additional delinquent fuzz inputs d6f98c4e12
  22. maflcko commented at 12:56 pm on June 9, 2024: contributor
    lgtm
  23. maflcko approved
  24. dergoegge merged this on Jun 9, 2024
  25. dergoegge closed this on Jun 9, 2024

  26. murchandamus deleted the branch on Jun 10, 2024

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/qa-assets. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 01:25 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me