tests: Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing of the P2P layer. #17989
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
practicalswift
force-pushed
the
fuzzers-net-process_message
branch
from
1f02326 to
cebc565
Compare
Contributor
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
practicalswift
force-pushed
the
fuzzers-net-process_message
branch
from
cebc565 to
1b67435
Compare
Member
|
code review ACK 1b67435bccb8e159130ee8dc558c039cbcc5767c |
Contributor
Author
|
@laanwj Thanks for reviewing. Pushed a commit which removes the tinyformat dependency from |
This was referenced Feb 11, 2020
practicalswift
force-pushed
the
fuzzers-net-process_message
branch
from
54d69fa to
9a8ac87
Compare
Contributor
Author
|
Rebased! :) |
practicalswift
force-pushed
the
fuzzers-net-process_message
branch
from
9a8ac87 to
e083b0c
Compare
practicalswift
force-pushed
the
fuzzers-net-process_message
branch
from
e083b0c to
fadf53c
Compare
Contributor
Author
|
Rebased :) |
maflcko
reviewed
Mar 10, 2020
Member
maflcko
left a comment
maflcko
left a comment
There was a problem hiding this comment.
Concept ACK. Is there a reason to both allow all message types and then add some fuzzers that only allow one message type?
practicalswift
force-pushed
the
fuzzers-net-process_message
branch
3 times, most recently
from
10ee74e to
3e2185c
Compare
maflcko
approved these changes
Mar 10, 2020
Member
maflcko
left a comment
maflcko
left a comment
There was a problem hiding this comment.
ACK 4d4f38ee5a 🔒
Show signature and timestamp
Signature:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
ACK 4d4f38ee5a 🔒
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEE+rVPoUahrI9sLGYTzit1aX5ppUgFAlwqrYAACgkQzit1aX5p
pUjV/gwAyGMYagoM2OCSoUvGaS0o3rBEIIUJ6lt8R/i91LUEuc46NitcJk/GH61o
fH0lnYi3lmLxRxk2BUvwxY7aS+0lHExqcz/O2VBd7A7A8iqQ4TVUcMibXcJMdNrO
C3b+8ndKv18XuYvSaoSWOAG1E9smnB824klvz6gQoF45Ku6qgAd1b/05D85lQf1D
8t5ovpvjN6et1jWoRR5VTL6UeUdtDcwM/HatJ/S6hHqDqbtYlV0HWhqXwt+DqmvY
6Tl6w2yKRXrvrAaLwSFmD+iEQOYSkiEGJgxchjGuy6lo4rQPUQBCwKSZtOEGobLO
qlC1iVhjKHWVflitLkC6u1oW/4domq/ahqkt+PMg9uJMMsMt9L1UtC1t9gqqC7qk
LDAQihxRnYF5jWN5Is25/Qp5OsVRQU8VZQAQ8EpxBHVWkHWIloT+lvXVSp0xbNyJ
KnwQtKxpZ+cSGqd/8nX4aLwTMXo+v5H9+5DudrZ4gpQLdZKp4RqMOyrwWRTdsCfn
vdu0tFx9
=aujQ
-----END PGP SIGNATURE-----
Timestamp of file with hash 730802cd0481d1a196758386a01e5111c8d68b5c12c7079e969bf05a0cec0a02 -
Member
|
Also, travis is failing |
Contributor
Author
Yes there is :)
|
practicalswift
force-pushed
the
fuzzers-net-process_message
branch
4 times, most recently
from
3076814 to
626174d
Compare
Contributor
|
Concept ACK. This seems super-useful. |
Member
|
ACK 9220a0f 🏊 Show signature and timestampSignature: Timestamp of file with hash |
deadalnix
pushed a commit
to Bitcoin-ABC/bitcoin-abc
that referenced
this pull request
Oct 20, 2020
…l fuzzing of the P2P layer.
Summary:
```
Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing
of the P2P layer.
All code paths reachable from this fuzzer can be assumed to be reachable
for an untrusted peer.
Seeded from thin air (an empty corpus) this fuzzer reaches roughly 20
000 lines of code.
To test this PR:
$ make distclean
$ ./autogen.sh
$ CC=clang CXX=clang++ ./configure --enable-fuzz \
--with-sanitizers=address,fuzzer,undefined
$ make
$ src/test/fuzz/process_message
…
Worth noting about this fuzzing harness:
To achieve a reasonable number of executions per seconds the state
of the fuzzer is unfortunately not entirely reset between test_one_input
calls. The set-up (FuzzingSetup ctor) and tear-down (~FuzzingSetup) work
is simply too costly to be run on every iteration. There is a trade-off
to handle here between a.) achieving high executions/second and b.)
giving the fuzzer a totally blank slate for each call. Please let me
know if you have any suggestion on how to improve this situation while
maintaining >1000 executions/second.
To achieve optimal results when using coverage-guided fuzzing I've
chosen to create one specialised fuzzing binary per message type
(process_message_addr, process_message_block, process_message_blocktxn ,
etc.) and one general fuzzing binary (process_message) which handles all
messages types. The latter general fuzzer can be seeded with inputs
generated by the former specialised fuzzers.
Happy fuzzing friends!
```
Backport od core [[bitcoin/bitcoin#17989 | PR17989]].
Depends on D8004 (test plan only, fixes a fuzz fixture issue).
Test Plan:
ninja bitcoin-fuzzers
./src/test/fuzz/process_message
./src/test/fuzz/process_message_getheaders # Or any other message
Reviewers: #bitcoin_abc, deadalnix
Reviewed By: #bitcoin_abc, deadalnix
Subscribers: deadalnix
Differential Revision: https://reviews.bitcoinabc.org/D8005
kwvg
added a commit
to kwvg/dash
that referenced
this pull request
Apr 5, 2022
…nables high-level fuzzing of the P2P layer Co-authored-by: UdjinM6 <[email protected]>
kwvg
added a commit
to kwvg/dash
that referenced
this pull request
Apr 19, 2022
…nables high-level fuzzing of the P2P layer Co-authored-by: UdjinM6 <[email protected]>
PastaPastaPasta
added a commit
to dashpay/dash
that referenced
this pull request
Apr 20, 2022
merge bitcoin#15931, bitcoin#16839, bitcoin#17192, bitcoin#17407, bitcoin#18037, bitcoin#17997, partial bitcoin#15639, bitcoin#17989: deglobalisation and mining rpc backports
kwvg
added a commit
to kwvg/dash
that referenced
this pull request
Jul 15, 2022
…binary per message type for optimal results when using coverage-guided fuzzing
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add fuzzing harness for
ProcessMessage(...). Enables high-level fuzzing of the P2P layer.All code paths reachable from this fuzzer can be assumed to be reachable for an untrusted peer.
Seeded from thin air (an empty corpus) this fuzzer reaches roughly 20 000 lines of code.
To test this PR:
Worth noting about this fuzzing harness:
test_one_inputcalls. The set-up (FuzzingSetupctor) and tear-down (~FuzzingSetup) work is simply too costly to be run on every iteration. There is a trade-off to handle here between a.) achieving high executions/second and b.) giving the fuzzer a totally blank slate for each call. Please let me know if you have any suggestion on how to improve this situation while maintaining >1000 executions/second.process_message_addr,process_message_block,process_message_blocktxn, etc.) and one general fuzzing binary (process_message) which handles all messages types. The latter general fuzzer can be seeded with inputs generated by the former specialised fuzzers.Happy fuzzing friends!