
Conversation

murchandamus (Contributor)

Following up on #229 with a second attempt to upstream my inputs.

@dergoegge (Member)

MSan CI fails due to OOM. Since it's only the MSan job, I'd guess that the MSan instrumentation's overhead is the cause. Maybe just delete the offending inputs?

@murchandamus (Contributor Author)

I removed the five slow and the one oom txorphan inputs:

deleted:    115c827e96a74fd0a0de3c4d9454f95d2dd33a7e
deleted:    4e87c2fe521894325f07804c1879fb274d7878aa
deleted:    557d1498f51bbdb9adf44c0cfd749dd85a5420da
deleted:    9d8f0ff4776aab8f425fb5f42d666d68b9ce3151
deleted:    bb0d053ebfd17f042e6aff39b31f56c9f5dc278a
deleted:    f49790635cf83a0c87b445d93e6fc05d034f9d7d

@murchandamus force-pushed the 2025-07-murch-inputs branch from d0cb372 to 4d2a312 on July 16, 2025 20:57

@murchandamus (Contributor Author)

Squashed it, because CI was unhappy about the deletions, as I should have expected.

@maflcko (Contributor) commented Jul 17, 2025

There should be no need to delete pre-existing inputs from main. Only deleting your own added input(s) should be enough.

ci is trying to tell you that 4e87c2fe521894325f07804c1879fb274d7878aa already exists and was deleted by you.

@dergoegge (Member)

Oh, I assumed the troublesome inputs would be new ones. Did we change anything about the MSan CI or the failing harnesses that could cause existing inputs to start failing?

@maflcko (Contributor) commented Jul 17, 2025

the oom input was a different one: 115c827e96a74fd0a0de3c4d9454f95d2dd33a7e

@murchandamus (Contributor Author)

Thanks, I’ll amend the PR tomorrow, when I’m in the office.

@murchandamus force-pushed the 2025-07-murch-inputs branch from 4d2a312 to 1480951 on July 22, 2025 14:24

@maflcko (Contributor) commented Jul 23, 2025

My report still does not show any function or line coverage difference. Also, according to the CI logs, the coverage is mostly identical: https://cirrus-ci.com/task/5416573638279168?logs=ci#L4498 vs https://cirrus-ci.com/task/6084064303644672?logs=ci#L8614

So I guess there is still something wrong on your side?

@murchandamus (Contributor Author)

Uh, only 7,000 files after weeks of fuzzing does look wrong. o.0
I’m going to try rebuilding the submission and see if I get a different result, but so far don’t understand what it might be that I have done differently than before my move.

@maflcko (Contributor) commented Jul 23, 2025

Ok, I am thinking about going with #232 first, and then wait for you to revisit your fuzzing workflow, if this sounds good?

@murchandamus force-pushed the 2025-07-murch-inputs branch from 1480951 to 0116b9d on July 23, 2025 15:31

@murchandamus (Contributor Author)

Please feel free to go ahead with #232. My submission crafting is pretty quick on the new computer, and should my workflow now actually be right, it is easy for me to rebase on the pruned commit history.

@murchandamus (Contributor Author) commented Jul 23, 2025

I redid my submission (with one more week of fuzzing under the belt) and pushed. Going to take a look at the CI logs and see if I can find the fuzz_coverage report, when it finishes running. If it still doesn’t improve, I’m gonna comb through my documentation of the process again to make sure I’m not setting myself up to fail in some manner, but if that still yields no explanation, I could probably use some help.

@murchandamus marked this pull request as draft on July 23, 2025 15:42

@maflcko (Contributor) commented Jul 24, 2025

I guess you'll have to cherry-pick your commit after the force push?

@murchandamus (Contributor Author) commented Jul 24, 2025

At least compared to the CI logs we used for comparison above, I could find a few targets for which the coverage improved. Will rebase.
E.g., autofile went from 468 to 474.

@murchandamus force-pushed the 2025-07-murch-inputs branch from 0116b9d to 10347b1 on July 24, 2025 21:56
@murchandamus marked this pull request as ready for review on July 24, 2025 21:56

@maflcko (Contributor) commented Jul 25, 2025

Yeah, seems fine to add inputs that trigger coverage internal to the sanitizer instrumentation. However, it would be better if there also was at least one real line of code covered additionally :)

I'll go ahead and merge this nonetheless.

this pull: https://drahtbot.space/host_reports/DrahtBot/reports/coverage_fuzz/monotree/5ad79b203505fe7b/10347b1814bf734d/fuzz.coverage/index.html

main: https://drahtbot.space/host_reports/DrahtBot/reports/coverage_fuzz/monotree/5ad79b203505fe7b/fd7e08cd37a175b3/fuzz.coverage/index.html

@maflcko merged commit 1b9ff43 into bitcoin-core:main on Jul 25, 2025
4 checks passed
@maflcko (Contributor) commented Jul 30, 2025

Just checked for comparison on an 8-core VM, running for two weeks: the coverage increase was 35 lines and two new functions. (#233 (comment))

Happy to check your logs, if you want, to see if there is anything standing out. But maybe it was just a randomly odd run with little new coverage for you? 🤷‍♂️

@murchandamus (Contributor Author)

That does make me think that something is wrong about my process. What data could I best provide to help?

@murchandamus (Contributor Author)

I think I’ll just try to craft another submission next week and see if it provides any additional code coverage. If it does, I’ll chalk it up to happenstance, if not, we could investigate any logs that seem useful.

@maflcko (Contributor) commented Aug 2, 2025

Yeah, in the logs I'd check how long it takes to start fuzzing. If there are too many input files, it can take a long time to iterate over all of them.

@murchandamus (Contributor Author)

Okay, I’ll check tomorrow.

@murchandamus (Contributor Author)

To clarify, I move aside the fuzz_corpora whenever I upstream every two months, so I wouldn’t expect it to be exorbitantly big, but it might be an issue with the -fork option?

I could try to use -jobs instead.

I tried a few that I think might be among the slower targets:

  • tx_package_eval took 66s to init:
{14:12}~/Workspace/qa-fuzz:fuzz ✗ ➭ FUZZ="tx_package_eval" build_fuzz_nosan/bin/fuzz -max_total_time=60 ../qa-assets-active-fuzzing/fuzz_corpora/tx_package_eval
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1920993678
INFO: Loaded 1 modules   (384743 inline 8-bit counters): 384743 [0x586ff17e17d0, 0x586ff183f6b7), 
INFO: Loaded 1 PC tables (384743 PCs): 384743 [0x586ff183f6b8,0x586ff1e1e528), 
INFO:    18113 files found in ../qa-assets-active-fuzzing/fuzz_corpora/tx_package_eval
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
INFO: seed corpus: files: 18113 min: 1b max: 4377832b total: 267099690b rss: 88Mb
#8192	pulse  cov: 5315 ft: 21276 corp: 1733/111Kb exec/s: 2730 rss: 89Mb
#16384	pulse  cov: 5487 ft: 34264 corp: 3239/3313Kb exec/s: 1365 rss: 96Mb
#18114	INITED cov: 5491 ft: 35655 corp: 3552/33Mb exec/s: 274 rss: 159Mb
#18114	DONE   cov: 5491 ft: 35655 corp: 3552/33Mb lim: 484403 exec/s: 274 rss: 159Mb
Done 18114 runs in 66 second(s)
  • utxo_total_supply took 88s to init:
{14:16}~/Workspace/qa-fuzz:fuzz ✗ ➭ FUZZ="utxo_total_supply" build_fuzz_nosan/bin/fuzz -max_total_time=1 ../qa-assets-active-fuzzing/fuzz_corpora/utxo_total_supply
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3323359572
INFO: Loaded 1 modules   (384743 inline 8-bit counters): 384743 [0x5624042ee7d0, 0x56240434c6b7), 
INFO: Loaded 1 PC tables (384743 PCs): 384743 [0x56240434c6b8,0x56240492b528), 
INFO:     4081 files found in ../qa-assets-active-fuzzing/fuzz_corpora/utxo_total_supply
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048575 bytes
INFO: seed corpus: files: 4081 min: 1b max: 1048575b total: 22988936b rss: 81Mb
#512	pulse  cov: 7355 ft: 20462 corp: 364/7872b exec/s: 170 rss: 96Mb
#1024	pulse  cov: 7363 ft: 23378 corp: 605/17Kb exec/s: 146 rss: 96Mb
#2048	pulse  cov: 7641 ft: 27812 corp: 981/49Kb exec/s: 85 rss: 96Mb
#4082	INITED cov: 7760 ft: 31266 corp: 1323/127Kb exec/s: 46 rss: 97Mb
#4082	DONE   cov: 7760 ft: 31266 corp: 1323/127Kb lim: 2149 exec/s: 46 rss: 97Mb
Done 4082 runs in 88 second(s)
  • addrman took 40s to init:
{14:18}~/Workspace/qa-fuzz:fuzz ✗ ➭ FUZZ="addrman" build_fuzz_nosan/bin/fuzz -max_total_time=1 ../qa-assets-active-fuzzing/fuzz_corpora/addrman
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 790879254
INFO: Loaded 1 modules   (384743 inline 8-bit counters): 384743 [0x5ced16dc87d0, 0x5ced16e266b7), 
INFO: Loaded 1 PC tables (384743 PCs): 384743 [0x5ced16e266b8,0x5ced17405528), 
INFO:    12440 files found in ../qa-assets-active-fuzzing/fuzz_corpora/addrman
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048551 bytes
INFO: seed corpus: files: 12440 min: 1b max: 1048551b total: 638724870b rss: 50Mb
#4096	pulse  cov: 2059 ft: 6489 corp: 1082/83Kb exec/s: 2048 rss: 52Mb
#8192	pulse  cov: 2218 ft: 9129 corp: 1766/251Kb exec/s: 1365 rss: 53Mb
#12441	INITED cov: 2311 ft: 12445 corp: 2628/51Mb exec/s: 311 rss: 155Mb
#12441	DONE   cov: 2311 ft: 12445 corp: 2628/51Mb lim: 976682 exec/s: 311 rss: 155Mb
Done 12441 runs in 40 second(s)
  • process_message took 15s to init:
{14:19}~/Workspace/qa-fuzz:fuzz ✗ ➭ FUZZ="process_message" build_fuzz_nosan/bin/fuzz -max_total_time=1 ../qa-assets-active-fuzzing/fuzz_corpora/process_message                
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 957489127
INFO: Loaded 1 modules   (384743 inline 8-bit counters): 384743 [0x576b7abd97d0, 0x576b7ac376b7), 
INFO: Loaded 1 PC tables (384743 PCs): 384743 [0x576b7ac376b8,0x576b7b216528), 
INFO:    22928 files found in ../qa-assets-active-fuzzing/fuzz_corpora/process_message
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
INFO: seed corpus: files: 22928 min: 1b max: 4194323b total: 345058184b rss: 89Mb
#8192	pulse  cov: 8507 ft: 14513 corp: 1218/161Kb exec/s: 4096 rss: 100Mb
#16384	pulse  cov: 8782 ft: 17224 corp: 1824/363Kb exec/s: 1820 rss: 100Mb
#22929	INITED cov: 8974 ft: 24112 corp: 3007/56Mb exec/s: 1528 rss: 235Mb
#22929	DONE   cov: 8974 ft: 24112 corp: 3007/56Mb lim: 973417 exec/s: 1528 rss: 235Mb
Done 22929 runs in 15 second(s)
  • process_messages took 28s to init:
{14:21}~/Workspace/qa-fuzz:fuzz ✗ ➭ FUZZ="process_messages" build_fuzz_nosan/bin/fuzz -max_total_time=1 ../qa-assets-active-fuzzing/fuzz_corpora/process_messages
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2660714888
INFO: Loaded 1 modules   (384743 inline 8-bit counters): 384743 [0x63e803d057d0, 0x63e803d636b7), 
INFO: Loaded 1 PC tables (384743 PCs): 384743 [0x63e803d636b8,0x63e804342528), 
INFO:    38671 files found in ../qa-assets-active-fuzzing/fuzz_corpora/process_messages
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 900455 bytes
INFO: seed corpus: files: 38671 min: 1b max: 900455b total: 373337440b rss: 94Mb
#16384	pulse  cov: 8837 ft: 20859 corp: 2207/419Kb exec/s: 2730 rss: 100Mb
#32768	pulse  cov: 9608 ft: 37271 corp: 4515/3492Kb exec/s: 1820 rss: 102Mb
#38672	INITED cov: 9696 ft: 40688 corp: 5376/39Mb exec/s: 1381 rss: 176Mb
#38672	DONE   cov: 9696 ft: 40688 corp: 5376/39Mb lim: 883130 exec/s: 1381 rss: 176Mb
Done 38672 runs in 28 second(s)
  • wallet_create_transaction took 30s to init:
{14:22}~/Workspace/qa-fuzz:fuzz ✗ ➭ FUZZ="wallet_create_transaction" build_fuzz_nosan/bin/fuzz -max_total_time=1 ../qa-assets-active-fuzzing/fuzz_corpora/wallet_create_transaction
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1908365092
INFO: Loaded 1 modules   (384743 inline 8-bit counters): 384743 [0x640e8e2547d0, 0x640e8e2b26b7), 
INFO: Loaded 1 PC tables (384743 PCs): 384743 [0x640e8e2b26b8,0x640e8e891528), 
INFO:     5765 files found in ../qa-assets-active-fuzzing/fuzz_corpora/wallet_create_transaction
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 131078 bytes
INFO: seed corpus: files: 5765 min: 1b max: 131078b total: 15964391b rss: 86Mb
#2048	pulse  cov: 3733 ft: 8543 corp: 572/39Kb exec/s: 682 rss: 86Mb
#4096	pulse  cov: 3741 ft: 12390 corp: 1082/236Kb exec/s: 409 rss: 86Mb
#5766	INITED cov: 3742 ft: 15651 corp: 1376/992Kb exec/s: 192 rss: 88Mb
#5766	DONE   cov: 3742 ft: 15651 corp: 1376/992Kb lim: 10207 exec/s: 192 rss: 88Mb
Done 5766 runs in 30 second(s)
  • addrman_serdeser took 179s to init:
{14:20}~/Workspace/qa-fuzz:fuzz ✗ ➭ FUZZ="addrman_serdeser" build_fuzz_nosan/bin/fuzz -max_total_time=1 ../qa-assets-active-fuzzing/fuzz_corpora/addrman_serdeser
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4181448787
INFO: Loaded 1 modules   (384743 inline 8-bit counters): 384743 [0x64f3743cc7d0, 0x64f37442a6b7), 
INFO: Loaded 1 PC tables (384743 PCs): 384743 [0x64f37442a6b8,0x64f374a09528), 
INFO:     4320 files found in ../qa-assets-active-fuzzing/fuzz_corpora/addrman_serdeser
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 615925 bytes
INFO: seed corpus: files: 4320 min: 1b max: 615925b total: 62660549b rss: 49Mb
#1024	pulse  cov: 1683 ft: 8382 corp: 619/32Kb exec/s: 56 rss: 63Mb
#2048	pulse  cov: 1861 ft: 10177 corp: 1118/89Kb exec/s: 28 rss: 67Mb
#4096	pulse  cov: 1902 ft: 11034 corp: 1662/4533Kb exec/s: 24 rss: 68Mb
#4321	INITED cov: 1903 ft: 11101 corp: 1702/12043Kb exec/s: 24 rss: 78Mb
#4321	DONE   cov: 1903 ft: 11101 corp: 1702/12043Kb lim: 439975 exec/s: 24 rss: 78Mb
Done 4321 runs in 179 second(s)
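
The per-target init times listed above, and maflcko's earlier suggestion to check in the logs how long a target takes to start fuzzing, can be extracted from libFuzzer's stdout mechanically rather than by eye. The following Python script is an added example for this thread; it is not part of qa-assets, Bitcoin Core or the libFuzzer tooling. It parses the `files found`, `seed corpus`, `INITED` and `Done N runs in S second(s)` lines, reports how long each corpus took to load and what fraction of the files libFuzzer kept as interesting, and flags targets that exceed a threshold. The two embedded log excerpts are copied from the output posted above; the 120-second threshold and the function names are assumptions of this example.

```python
"""Summarise libFuzzer seed-corpus initialisation from its stdout.

Added example for this thread (not qa-assets or Bitcoin Core code). Feed it the
output of a run such as `FUZZ=<target> fuzz -max_total_time=1 <corpus_dir>`,
where the wall time is dominated by loading the corpus, as in the logs above.
"""
import re
from dataclasses import dataclass

# Line formats as printed by libFuzzer (see the logs in this thread).
FILES_FOUND_RE = re.compile(r"^INFO:\s+(\d+) files found in (.+)$")
SEED_CORPUS_RE = re.compile(
    r"^INFO: seed corpus: files: (\d+) min: (\d+)b max: (\d+)b total: (\d+)b")
INITED_RE = re.compile(
    r"^#(\d+)\s+INITED\s+cov: (\d+) ft: (\d+) corp: (\d+)/(\S+) exec/s: (\d+) rss: (\d+)Mb")
DONE_RE = re.compile(r"^Done (\d+) runs in (\d+) second\(s\)")


@dataclass
class CorpusInit:
    target: str        # last path component of the corpus directory
    files_found: int   # input files on disk
    max_bytes: int     # largest input file
    total_bytes: int   # size of the whole corpus directory
    runs_at_init: int  # executions libFuzzer needed before printing INITED
    cov_at_init: int   # edge coverage reached by the seed corpus alone
    corpus_kept: int   # units libFuzzer kept as interesting after loading
    exec_per_s: int    # throughput reported on the INITED line
    wall_seconds: int  # "Done N runs in S second(s)"; with a tiny -max_total_time
                       # this is essentially the corpus load time

    @property
    def files_per_second(self) -> float:
        return self.files_found / self.wall_seconds if self.wall_seconds else float("inf")

    @property
    def kept_fraction(self) -> float:
        return self.corpus_kept / self.files_found if self.files_found else 0.0


def parse_libfuzzer_init(output: str) -> CorpusInit:
    """Parse one target's libFuzzer output; raises if a needed line is missing."""
    target = files_found = max_bytes = total_bytes = None
    inited = done = None
    for line in output.splitlines():
        line = line.rstrip()
        if (m := FILES_FOUND_RE.match(line)):
            files_found = int(m.group(1))
            target = m.group(2).rstrip("/").rsplit("/", 1)[-1]
        elif (m := SEED_CORPUS_RE.match(line)):
            max_bytes, total_bytes = int(m.group(3)), int(m.group(4))
        elif (m := INITED_RE.match(line)):
            inited = m
        elif (m := DONE_RE.match(line)):
            done = m
    if target is None or total_bytes is None or inited is None or done is None:
        raise ValueError("incomplete libFuzzer output: need files-found, seed corpus, INITED and Done lines")
    return CorpusInit(target=target, files_found=files_found, max_bytes=max_bytes,
                      total_bytes=total_bytes, runs_at_init=int(inited.group(1)),
                      cov_at_init=int(inited.group(2)), corpus_kept=int(inited.group(4)),
                      exec_per_s=int(inited.group(6)), wall_seconds=int(done.group(2)))


def slow_targets(stats, max_seconds=120):
    """Names of targets whose corpus load exceeded max_seconds, slowest first.
    The 120s default is an arbitrary threshold chosen for this example."""
    return [s.target for s in sorted(stats, key=lambda s: -s.wall_seconds)
            if s.wall_seconds > max_seconds]


# Log excerpts copied from the thread above (shell prompt lines omitted).
ADDRMAN_SERDESER_LOG = """\
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4181448787
INFO:     4320 files found in ../qa-assets-active-fuzzing/fuzz_corpora/addrman_serdeser
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 615925 bytes
INFO: seed corpus: files: 4320 min: 1b max: 615925b total: 62660549b rss: 49Mb
#1024   pulse  cov: 1683 ft: 8382 corp: 619/32Kb exec/s: 56 rss: 63Mb
#4321   INITED cov: 1903 ft: 11101 corp: 1702/12043Kb exec/s: 24 rss: 78Mb
#4321   DONE   cov: 1903 ft: 11101 corp: 1702/12043Kb lim: 439975 exec/s: 24 rss: 78Mb
Done 4321 runs in 179 second(s)
"""

PROCESS_MESSAGE_LOG = """\
INFO:    22928 files found in ../qa-assets-active-fuzzing/fuzz_corpora/process_message
INFO: seed corpus: files: 22928 min: 1b max: 4194323b total: 345058184b rss: 89Mb
#22929  INITED cov: 8974 ft: 24112 corp: 3007/56Mb exec/s: 1528 rss: 235Mb
#22929  DONE   cov: 8974 ft: 24112 corp: 3007/56Mb lim: 973417 exec/s: 1528 rss: 235Mb
Done 22929 runs in 15 second(s)
"""

if __name__ == "__main__":
    stats = [parse_libfuzzer_init(ADDRMAN_SERDESER_LOG), parse_libfuzzer_init(PROCESS_MESSAGE_LOG)]
    for s in stats:
        print(f"{s.target:28} files={s.files_found:6} kept={s.kept_fraction:5.1%} "
              f"cov={s.cov_at_init:5} load={s.wall_seconds:4}s ({s.files_per_second:.0f} files/s)")
    print("over threshold:", slow_targets(stats))
```

Run it on the captured stdout of each target (one file per target) and sort by `wall_seconds`; a low `files_per_second` on a modest `files_found` points at expensive individual inputs rather than sheer corpus size, while a low `kept_fraction` means most of the directory is redundant for coverage and costs load time for nothing.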

@maflcko (Contributor) commented Aug 7, 2025

Hmm, a few minutes look good and harmless, when you target a few hours of fuzzing.
