[FUZZ] Beaconfuzz_v2 crash-8aca1b5ce295f678fb67bd5ea8bb36c13a0d7f20 in struct_proposer_slashing

[Daft-Wullie]

I've done and provided the following:

• Checked to see if any other [FUZZ] issue already refers to that crasher
• Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
• Noted the beacon-fuzz version or commit used.
• Provided crash output
• Noted the command or fuzzer used to generate the crash
• Name of the original crash file
• (Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.

Info to Reproduce

• Command run: e.g. make fuzz-all

• Crasher file name: crash-8aca1b5ce295f678fb67bd5ea8bb36c13a0d7f20
  crash-8aca1b5ce295f678fb67bd5ea8bb36c13a0d7f20.zip

• Client exercised: Teku

• Fuzzing engine used (if applicable):

Crash output and stacktrace

note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nimbus-eth2/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==1516179== ERROR: libFuzzer: fuzz target exited
    #0 0x55c3c5eec791  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe45791)
    #1 0x55c3c89b7160  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3910160)
    #2 0x55c3c89cbecb  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3924ecb)
    #3 0x7f996f31ca26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f996f31cbdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x55c3c678039c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x16d939c)
    #6 0x7f996f31920f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f996f31918a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f996f2f8858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x55c3c8a84916  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x39dd916)
    #10 0x55c3c8a6d455  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x39c6455)
    #11 0x55c3c89aa6a6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x39036a6)
    #12 0x55c3c8a752d5  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x39ce2d5)
    #13 0x55c3c605bdf4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xfb4df4)
    #14 0x55c3c605a4b9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xfb34b9)
    #15 0x55c3c605bc94  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xfb4c94)
    #16 0x55c3c61289d4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x10819d4)
    #17 0x55c3c6124b36  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x107db36)
    #18 0x55c3c600e102  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xf67102)
    #19 0x55c3c5f91681  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xeea681)
    #20 0x55c3c89aa6d0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x39036d0)
    #21 0x55c3c89aa32f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x390332f)
    #22 0x55c3c89cc32c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x392532c)
    #23 0x55c3c899d439  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x38f6439)
    #24 0x55c3c89a7232  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3900232)
    #25 0x55c3c5e69346  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xdc2346)
    #26 0x7f996f2fa0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #27 0x55c3c5e694ed  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xdc24ed)

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

• Fuzzer ran: beaconfuzz_v2
• Version/Commit used: latest
• Operating System and version: Ubuntu 20.04

[pventuzelo]

FYI, that the same file and issue than #82 but this time it's teku that return a different result than the others.

For analysis, here is a package containing the pre state, the proposerslashing and the post state generated by teku.

issue_90_proposer_slashing.zip

lighthouse reject this proposerslashing processing with the error: ProposalsIdentical
prysm reject the proposerslashing processing
nimbus reject the proposerslashing processing
teku process the proposerslashing processing

You can reproduce with:

../beaconfuzz_v2 debug beacon.ssz propslash.ssz proposerslashing

Thanks @Daft-Wullie

[zedt3ster]

Confirmed to be the same type of discrepancy described in #82. For its process_proposer_slashings function, Teku compares the SignedBeaconBlockHeaders, instead of the BeaconBlockHeaders.