tests: Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing of the P2P layer. #17989
Conversation
Force-pushed from 1f02326 to cebc565
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts
Reviewers, this pull request conflicts with the following ones:

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
Force-pushed from cebc565 to 1b67435
code review ACK 1b67435

@laanwj Thanks for reviewing. Pushed a commit which removes the tinyformat dependency from
Force-pushed from 54d69fa to 9a8ac87

Rebased! :)
Force-pushed from 9a8ac87 to e083b0c
Force-pushed from e083b0c to fadf53c

Rebased :)
Concept ACK. Is there a reason to both allow all message types and then add some fuzzers that only allow one message type?
Force-pushed from 10ee74e to 3e2185c
ACK 4d4f38e 🔒

PGP-signed message (Hash: SHA512): ACK 4d4f38ee5a 🔒
Timestamp of file with hash 730802cd0481d1a196758386a01e5111c8d68b5c12c7079e969bf05a0cec0a02

Also, travis is failing
Yes there is :)
Force-pushed from 3076814 to 626174d

Concept ACK. This seems super-useful.
ACK 9220a0f 🏊 (PGP-signed)
…l fuzzing of the P2P layer.

Summary:
```
Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing of the P2P layer.

All code paths reachable from this fuzzer can be assumed to be reachable for an untrusted peer.

Seeded from thin air (an empty corpus) this fuzzer reaches roughly 20 000 lines of code.

To test this PR:

$ make distclean
$ ./autogen.sh
$ CC=clang CXX=clang++ ./configure --enable-fuzz \
    --with-sanitizers=address,fuzzer,undefined
$ make
$ src/test/fuzz/process_message
…

Worth noting about this fuzzing harness:

To achieve a reasonable number of executions per second the state of the fuzzer is unfortunately not entirely reset between test_one_input calls. The set-up (FuzzingSetup ctor) and tear-down (~FuzzingSetup) work is simply too costly to be run on every iteration. There is a trade-off to handle here between a.) achieving high executions/second and b.) giving the fuzzer a totally blank slate for each call. Please let me know if you have any suggestion on how to improve this situation while maintaining >1000 executions/second.

To achieve optimal results when using coverage-guided fuzzing I've chosen to create one specialised fuzzing binary per message type (process_message_addr, process_message_block, process_message_blocktxn, etc.) and one general fuzzing binary (process_message) which handles all message types. The latter general fuzzer can be seeded with inputs generated by the former specialised fuzzers.

Happy fuzzing friends!
```

Backport of core [[bitcoin/bitcoin#17989 | PR17989]].

Depends on D8004 (test plan only, fixes a fuzz fixture issue).

Test Plan:
ninja bitcoin-fuzzers
./src/test/fuzz/process_message
./src/test/fuzz/process_message_getheaders # Or any other message

Reviewers: #bitcoin_abc, deadalnix

Reviewed By: #bitcoin_abc, deadalnix

Subscribers: deadalnix

Differential Revision: https://reviews.bitcoinabc.org/D8005
…nables high-level fuzzing of the P2P layer
…nables high-level fuzzing of the P2P layer Co-authored-by: UdjinM6 <UdjinM6@users.noreply.github.com>
merge bitcoin#15931, bitcoin#16839, bitcoin#17192, bitcoin#17407, bitcoin#18037, bitcoin#17997, partial bitcoin#15639, bitcoin#17989: deglobalisation and mining rpc backports
…binary per message type for optimal results when using coverage-guided fuzzing
Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing of the P2P layer.

All code paths reachable from this fuzzer can be assumed to be reachable for an untrusted peer.

Seeded from thin air (an empty corpus) this fuzzer reaches roughly 20 000 lines of code.

To test this PR:

Worth noting about this fuzzing harness:

To achieve a reasonable number of executions per second the state of the fuzzer is unfortunately not entirely reset between test_one_input calls. The set-up (FuzzingSetup ctor) and tear-down (~FuzzingSetup) work is simply too costly to be run on every iteration. There is a trade-off to handle here between a.) achieving high executions/second and b.) giving the fuzzer a totally blank slate for each call. Please let me know if you have any suggestion on how to improve this situation while maintaining >1000 executions/second.

To achieve optimal results when using coverage-guided fuzzing I've chosen to create one specialised fuzzing binary per message type (process_message_addr, process_message_block, process_message_blocktxn, etc.) and one general fuzzing binary (process_message) which handles all message types. The latter general fuzzer can be seeded with inputs generated by the former specialised fuzzers.

Happy fuzzing friends!
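As an added example, not code from bitcoin/bitcoin or from the PR author, the following libFuzzer-style harness skeleton shows the two design points made in the description above: the expensive set-up object is constructed once per process and reused across inputs, and one source file builds either the general process_message target or a per-message-type target selected by a compile-time MESSAGE_TYPE define, with a helper that re-encodes a specialised fuzzer's corpus entry into the form the general fuzzer accepts. The toy ProcessMessage body, the input split (a 12-byte NUL-padded command name followed by the payload), the MESSAGE_TYPE define and all other names are assumptions of this example; the project's real harness and ProcessMessage differ.

```cpp
// Added example harness (assumption-based stand-in, not bitcoin/bitcoin's).
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Length of the command field in a P2P message header: 12 bytes, NUL-padded.
static const size_t COMMAND_SIZE = 12;

// Counts how often the costly set-up ran; the goal is exactly 1 per process
// however many inputs are processed.
static int g_setup_constructions = 0;

// Stand-in for the node state a real harness builds (chainstate, mempool,
// connection manager). Built once and shared across inputs: the
// executions/second versus blank-slate trade-off the description discusses.
struct FuzzingSetup {
    std::map<std::string, int> handled; // messages accepted, per type
    FuzzingSetup() { ++g_setup_constructions; }
};

static FuzzingSetup& GetSetup() {
    static FuzzingSetup setup; // constructed on first call only
    return setup;
}

static int SetupConstructions() { return g_setup_constructions; }

struct Message {
    std::string type;
    std::vector<uint8_t> payload;
};

// Toy ProcessMessage(): each accepted path here stands for a path an untrusted
// peer could drive. Returns true when the message was accepted.
static bool ProcessMessage(FuzzingSetup& setup, const Message& msg) {
    const std::vector<uint8_t>& p = msg.payload;
    bool ok = false;
    if (msg.type == "addr") {
        // count byte followed by count fixed-size (30-byte) entries; an
        // oversized count is rejected as a bounded addr handler would
        ok = !p.empty() && p[0] <= 100 && p.size() >= 1 + static_cast<size_t>(p[0]) * 30;
    } else if (msg.type == "getheaders") {
        // 4-byte version, one-byte locator count, then 32-byte hashes
        ok = p.size() >= 5 && p.size() >= 5 + static_cast<size_t>(p[4]) * 32;
    } else if (msg.type == "ping") {
        ok = p.size() == 8; // 8-byte nonce
    }
    // any other command is unknown to this toy and ignored (ok stays false)
    if (ok) ++setup.handled[msg.type];
    return ok;
}

// Split a fuzz input into (type, payload). A specialised binary passes a fixed
// type and treats the whole input as payload; the general binary (fixed_type
// empty) reads the type from the first COMMAND_SIZE bytes. The split format is
// an assumption of this example.
static bool SplitInput(const uint8_t* data, size_t size, const std::string& fixed_type, Message& out) {
    if (!fixed_type.empty()) {
        out.type = fixed_type;
        out.payload.assign(data, data + size);
        return true;
    }
    if (size < COMMAND_SIZE) return false;
    std::string type(reinterpret_cast<const char*>(data), COMMAND_SIZE);
    type.erase(std::find(type.begin(), type.end(), '\0'), type.end()); // strip NUL padding
    out.type = type;
    out.payload.assign(data + COMMAND_SIZE, data + size);
    return true;
}

// Re-encode a specialised-corpus entry for the general fuzzer by prefixing the
// NUL-padded command name. This is how inputs found by process_message_<type>
// can seed process_message.
static std::vector<uint8_t> ToGeneralInput(const std::string& type, const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> out(COMMAND_SIZE, static_cast<uint8_t>(0));
    for (size_t i = 0; i < type.size() && i < COMMAND_SIZE; ++i) out[i] = static_cast<uint8_t>(type[i]);
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

// One fuzz iteration. fixed_type == "" selects the general harness. Returns
// whether the message was accepted so the behaviour is checkable.
static bool FuzzOneInput(const uint8_t* data, size_t size, const std::string& fixed_type) {
    FuzzingSetup& setup = GetSetup(); // set-up amortised over all inputs
    Message msg;
    if (!SplitInput(data, size, fixed_type, msg)) return false;
    return ProcessMessage(setup, msg);
}

// Define MESSAGE_TYPE as a string literal (e.g. "addr") to build a specialised
// binary; leave it undefined to build the general one.
#ifndef MESSAGE_TYPE
#define MESSAGE_TYPE ""
#endif

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    FuzzOneInput(data, size, MESSAGE_TYPE);
    return 0;
}
```

Build the general target with `clang++ -fsanitize=fuzzer,address,undefined harness.cpp -o process_message` and a specialised one by adding `-DMESSAGE_TYPE='"addr"'`; after running ToGeneralInput over a specialised corpus, libFuzzer's `-merge=1` folds the re-encoded files into the general fuzzer's corpus. One consequence of the shared set-up worth keeping in mind: because state carries over between inputs, a crash may depend on the inputs processed before it, so replaying the single crashing file in isolation will not always reproduce it.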