tests: Add fuzzing harness for functions/classes in flatfile.h, merkleblock.h, random.h, serialize.h and span.h

practicalswift · Fabcien · commit 21dba1639a38 · 2021-01-20T20:57:33.000+01:00
Summary: ``` - Add fuzzing harness for functions/classes in flatfile.h - Add fuzzing harness for functions/classes in merkleblock.h - Add fuzzing harness for functions/classes in span.h - Add fuzzing harness for LimitedString (serialize.h) - Add fuzzing harness for functions/classes in random.h ``` Backport of core [[bitcoin/bitcoin#18455 | PR18455]]. Depends on D8979. Test Plan: ninja bitcoin-fuzzers ./test/fuzz/test_runner.py <path_to_corpus> Reviewers: #bitcoin_abc, PiRK Reviewed By: #bitcoin_abc, PiRK Subscribers: PiRK Differential Revision: https://reviews.bitcoinabc.org/D8981
diff --git a/src/random.h b/src/random.h
@@ -179,7 +179,10 @@ class FastRandomContext {
         }
     }
 
-    /** Generate a random integer in the range [0..range). */
+    /**
+     * Generate a random integer in the range [0..range).
+     * Precondition: range > 0.
+     */
     uint64_t randrange(uint64_t range) noexcept {
         assert(range);
         --range;
diff --git a/src/test/fuzz/CMakeLists.txt b/src/test/fuzz/CMakeLists.txt
@@ -87,12 +87,14 @@ add_regular_fuzz_targets(
 	descriptor_parse
 	eval_script
 	fee_rate
+	flatfile
 	float
 	hex
 	integer
 	key
 	key_io
 	locale
+	merkleblock
 	multiplication_overflow
 	net_permissions
 	netaddress
@@ -106,12 +108,14 @@ add_regular_fuzz_targets(
 	process_messages
 	protocol
 	psbt
+	random
 	rolling_bloom_filter
 	script
 	script_flags
 	script_ops
 	scriptnum_ops
 	signature_checker
+	span
 	spanparsing
 	string
 	strprintf
diff --git a/src/test/fuzz/flatfile.cpp b/src/test/fuzz/flatfile.cpp
@@ -0,0 +1,33 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <flatfile.h>
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cassert>
+#include <cstdint>
+#include <optional>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t> &buffer) {
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    std::optional<FlatFilePos> flat_file_pos =
+        ConsumeDeserializable<FlatFilePos>(fuzzed_data_provider);
+    if (!flat_file_pos) {
+        return;
+    }
+    std::optional<FlatFilePos> another_flat_file_pos =
+        ConsumeDeserializable<FlatFilePos>(fuzzed_data_provider);
+    if (another_flat_file_pos) {
+        assert((*flat_file_pos == *another_flat_file_pos) !=
+               (*flat_file_pos != *another_flat_file_pos));
+    }
+    (void)flat_file_pos->ToString();
+    flat_file_pos->SetNull();
+    assert(flat_file_pos->IsNull());
+}
diff --git a/src/test/fuzz/merkleblock.cpp b/src/test/fuzz/merkleblock.cpp
@@ -0,0 +1,28 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <merkleblock.h>
+#include <uint256.h>
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cstdint>
+#include <optional>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t> &buffer) {
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    std::optional<CPartialMerkleTree> partial_merkle_tree =
+        ConsumeDeserializable<CPartialMerkleTree>(fuzzed_data_provider);
+    if (!partial_merkle_tree) {
+        return;
+    }
+    (void)partial_merkle_tree->GetNumTransactions();
+    std::vector<uint256> matches;
+    std::vector<size_t> indices;
+    (void)partial_merkle_tree->ExtractMatches(matches, indices);
+}
diff --git a/src/test/fuzz/random.cpp b/src/test/fuzz/random.cpp
@@ -0,0 +1,36 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <random.h>
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <algorithm>
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t> &buffer) {
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    FastRandomContext fast_random_context{ConsumeUInt256(fuzzed_data_provider)};
+    (void)fast_random_context.rand64();
+    (void)fast_random_context.randbits(
+        fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 64));
+    (void)fast_random_context.randrange(
+        fuzzed_data_provider.ConsumeIntegralInRange<uint64_t>(
+            FastRandomContext::min() + 1, FastRandomContext::max()));
+    (void)fast_random_context.randbytes(
+        fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 1024));
+    (void)fast_random_context.rand32();
+    (void)fast_random_context.rand256();
+    (void)fast_random_context.randbool();
+    (void)fast_random_context();
+
+    std::vector<int64_t> integrals =
+        ConsumeRandomLengthIntegralVector<int64_t>(fuzzed_data_provider);
+    Shuffle(integrals.begin(), integrals.end(), fast_random_context);
+    std::shuffle(integrals.begin(), integrals.end(), fast_random_context);
+}
diff --git a/src/test/fuzz/span.cpp b/src/test/fuzz/span.cpp
@@ -0,0 +1,41 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <span.h>
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+
+#include <cassert>
+#include <cstddef>
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t> &buffer) {
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+
+    std::string str = fuzzed_data_provider.ConsumeBytesAsString(32);
+    const Span<const char> span = MakeSpan(str);
+    (void)span.data();
+    (void)span.begin();
+    (void)span.end();
+    if (span.size() > 0) {
+        const std::ptrdiff_t idx =
+            fuzzed_data_provider.ConsumeIntegralInRange<std::ptrdiff_t>(
+                0U, span.size() - 1U);
+        (void)span.first(idx);
+        (void)span.last(idx);
+        (void)span.subspan(idx);
+        (void)span.subspan(idx, span.size() - idx);
+        (void)span[idx];
+    }
+
+    std::string another_str = fuzzed_data_provider.ConsumeBytesAsString(32);
+    const Span<const char> another_span = MakeSpan(another_str);
+    assert((span <= another_span) != (span > another_span));
+    assert((span == another_span) != (span != another_span));
+    assert((span >= another_span) != (span < another_span));
+}
diff --git a/src/test/fuzz/string.cpp b/src/test/fuzz/string.cpp
@@ -12,9 +12,8 @@
 #include <rpc/server.h>
 #include <rpc/util.h>
 #include <script/descriptor.h>
-#include <test/fuzz/FuzzedDataProvider.h>
-#include <test/fuzz/fuzz.h>
-#include <test/fuzz/util.h>
+#include <serialize.h>
+#include <streams.h>
 #include <util/error.h>
 #include <util/message.h>
 #include <util/settings.h>
@@ -23,6 +22,11 @@
 #include <util/system.h>
 #include <util/translation.h>
 #include <util/url.h>
+#include <version.h>
+
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
 
 #include <cstdint>
 #include <string>
@@ -95,4 +99,31 @@ void test_one_input(const std::vector<uint8_t> &buffer) {
     (void)urlDecode(random_string_1);
     (void)ValidAsCString(random_string_1);
     (void)_(random_string_1.c_str());
+
+    {
+        CDataStream data_stream{SER_NETWORK, INIT_PROTO_VERSION};
+        std::string s;
+        LimitedString<10> limited_string = LIMITED_STRING(s, 10);
+        data_stream << random_string_1;
+        try {
+            data_stream >> limited_string;
+            assert(data_stream.empty());
+            assert(s.size() <= random_string_1.size());
+            assert(s.size() <= 10);
+            if (!random_string_1.empty()) {
+                assert(!s.empty());
+            }
+        } catch (const std::ios_base::failure &) {
+        }
+    }
+    {
+        CDataStream data_stream{SER_NETWORK, INIT_PROTO_VERSION};
+        const LimitedString<10> limited_string =
+            LIMITED_STRING(random_string_1, 10);
+        data_stream << limited_string;
+        std::string deserialized_string;
+        data_stream >> deserialized_string;
+        assert(data_stream.empty());
+        assert(deserialized_string == random_string_1);
+    }
 }
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
@@ -22,16 +22,16 @@
 
 NODISCARD inline std::vector<uint8_t>
 ConsumeRandomLengthByteVector(FuzzedDataProvider &fuzzed_data_provider,
-                              size_t max_length = 4096) noexcept {
+                              const size_t max_length = 4096) noexcept {
     const std::string s =
         fuzzed_data_provider.ConsumeRandomLengthString(max_length);
     return {s.begin(), s.end()};
 }
 
 NODISCARD inline std::vector<std::string>
 ConsumeRandomLengthStringVector(FuzzedDataProvider &fuzzed_data_provider,
-                                size_t max_vector_size = 16,
-                                size_t max_string_length = 16) noexcept {
+                                const size_t max_vector_size = 16,
+                                const size_t max_string_length = 16) noexcept {
     const size_t n_elements =
         fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size);
     std::vector<std::string> r;
@@ -42,10 +42,23 @@ ConsumeRandomLengthStringVector(FuzzedDataProvider &fuzzed_data_provider,
     return r;
 }
 
+template <typename T>
+NODISCARD inline std::vector<T>
+ConsumeRandomLengthIntegralVector(FuzzedDataProvider &fuzzed_data_provider,
+                                  const size_t max_vector_size = 16) noexcept {
+    const size_t n_elements =
+        fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size);
+    std::vector<T> r;
+    for (size_t i = 0; i < n_elements; ++i) {
+        r.push_back(fuzzed_data_provider.ConsumeIntegral<T>());
+    }
+    return r;
+}
+
 template <typename T>
 NODISCARD inline std::optional<T>
 ConsumeDeserializable(FuzzedDataProvider &fuzzed_data_provider,
-                      size_t max_length = 4096) noexcept {
+                      const size_t max_length = 4096) noexcept {
     const std::vector<uint8_t> buffer =
         ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length);
     CDataStream ds{buffer, SER_NETWORK, INIT_PROTO_VERSION};
@@ -95,7 +108,8 @@ ConsumeUInt256(FuzzedDataProvider &fuzzed_data_provider) noexcept {
     return uint256{v256};
 }
 
-template <typename T> bool MultiplicationOverflow(T i, T j) {
+template <typename T>
+NODISCARD bool MultiplicationOverflow(const T i, const T j) noexcept {
     static_assert(std::is_integral<T>::value, "Integral required.");
     if (std::numeric_limits<T>::is_signed) {
         if (i > 0) {

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,10 @@ class FastRandomContext {`
`179`	`179`	`}`
`180`	`180`	`}`
`181`	`181`
`182`		`- /** Generate a random integer in the range [0..range). */`
	`182`	`+ /**`
	`183`	`+ * Generate a random integer in the range [0..range).`
	`184`	`+ * Precondition: range > 0.`
	`185`	`+ */`
`183`	`186`	`uint64_t randrange(uint64_t range) noexcept {`
`184`	`187`	`assert(range);`
`185`	`188`	`--range;`