fuzz: Call SendMessages after ProcessMessage to increase coverage

[maflcko]

No description provided.

[practicalswift]

Concept ACK: more is more when it comes to coverage :)

[practicalswift]

Tested ACK fa09f97

Before:

INITED cov: 15027 ft: 49881 corp: 1258/1045Kb exec/s: 181 rss: 683Mb

After:

INITED cov: 16201 ft: 52112 corp: 1260/1038Kb exec/s: 93 rss: 669Mb

Net result: Increase in coverage: Decrease in execs/second.

In fuzzing we can always add more hardware to the fuzzing farm in order to increase execs/second. Better coverage on the other hand is relatively costly to obtain. Thus we want to optimise for coverage rather than execs/second in the general case.

[dhruv]

tACK fa09f97

I used some additional seeds and ran fuzz tests (took care to remove any further seeds generated between runs):

FUZZ=process_message src/test/fuzz/fuzz qa-assets/fuzz_seed_corpus/process_message
master:    #9987	INITED cov: 23996 ft: 91376 corp: 1999/59Mb exec/s: 59 rss: 863Mb
pr/20674:  #9987	INITED cov: 25491 ft: 94009 corp: 1976/62Mb exec/s: 27 rss: 827Mb

FUZZ=process_messages src/test/fuzz/fuzz qa-assets/fuzz_seed_corpus/process_messages
master:   #14819	INITED cov: 28055 ft: 180329 corp: 3885/119Mb exec/s: 22 rss: 657Mb
pr/20674: #14675	INITED cov: 30072 ft: 183415 corp: 3584/58Mb exec/s: 35 rss: 703Mb

@MarcoFalke Do I understand correctly that:

• Previously, the test tried fuzz inputs to m_node.ProcessMessage(). Since some of those are valid, as coverage increases, m_node accumulates valid responses to send back to p2p_node
• This (very clever) PR takes those accumulated in-memory responses and exercises the code to flush them via SendMessages(p2p_node)

If that's all correct, I think there might be more coverage to gain if we can invoke p2p_node.ProcessMessage() using those in-memory responses(since they are probably valid p2p messages). I am not sure this is possible without a significant refactor. If it is useful, I'd be interested in helping extend this with your guidance.

[dhruv]

Do I understand correctly that we do not need try { ... } catch (const std::ios_base::failure&) {} here because the inputs to SendMessages() have effectively been filtered for "sane inputs" by ProcessMessage()?

[sipa]

std::ios_base::failure is thrown by the serialization framework when deserialization fails. SendMessages AFAIK doesn't deserialize anything, it just acts on already parsed data. So I wouldn't say it's just been "filtered" - it has been completely processed already, and the result of that processing may trigger responses in SendMessages.

[dhruv]

That makes sense. Thanks, @sipa !

[Crypt-iQ]

cr ACK fa09f97

[sipa]

utACK fa09f97

[sipa]

std::ios_base::failure is thrown by the serialization framework when deserialization fails. SendMessages AFAIK doesn't deserialize anything, it just acts on already parsed data. So I wouldn't say it's just been "filtered" - it has been completely processed already, and the result of that processing may trigger responses in SendMessages.