This shouldn't be needed, I think, because CScriptNum values are restricted to 32-bit.

OK, thanks.

Should I close this PR even if it's a trivial fix to #18046 ? (cf discussion in #18383 )

I must be wrong, because I don't really understand why it's possible that that fuzzer is able to trigger a negation of -2^63.

@sipa FWIW:

$ xxd -p -r <<< "2d360932445550092d36093609092d393939393939393939393939393939393939360955" > crash-parse_script
$ src/test/fuzz/parse_script crash-parse_script
script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
    #0 0x55e134173738 in CScriptNum::serialize(long const&) src/./script/script.h:332:35
    #1 0x55e134172f40 in CScript::push_int64(long) src/./script/script.h:405:22
    #2 0x55e13416984f in CScript::operator<<(long) src/./script/script.h:445:45
    #3 0x55e13416984f in ParseScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) src/core_read.cpp:62:20
    #4 0x55e134167b0b in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/parse_script.cpp:13:15

I don't really understand why it's possible that that fuzzer is able to trigger a negation of -2^63.

In the input provided by @practicalswift above, 2d39393939393939393939393939393939393936 is the ASCII string -9999999999999999996 which is translated by the atoi64 in core_read.cpp:ParseScript to -2^63 while looping over the words.
This is then sent to CScriptNum::serialize via CScript::push_int64.

I could not find the proposed input in https://github.com/bitcoin-core/qa-assets/ nor bitcoin-core/qa-assets#7 so I guess the end goal here is to increase code coverage by adding more data to qa-assets in a future PR ?

TL;DR I reckon there is 3 options:

• not considereing the provided ASCII text input
• since the atoi64 already changes values beyond 2^63 when doing the ASCII->int64_t conversion, limit the atoi64 output to (-)2^32 as @sipa thought (by modifying it manually)
• the current CI build fails seems to be due to some compiler versions not respecting the standard (namely MSVC, quite ironic), I updated my branch to use abs instead (which hopefully all compilers have fully tested..)

From what I gather, ParseScript is only used in bitcoin-tx.cpp once (except for tests), which takes input directly from the CLI.

So if you find this PR too intrusive, limiting the output of atoi64 in ParseScript might be a better option ? (I might be wrong though)

Code review ACK bab50c56e1fa2477f7d625855485e8527c78747c, with either std::abs or std::llabs.

It's more obviously correct and should avoid the fuzzer issues we're seeing. I have also verified that there are no consensus-critical code paths that can trigger this (they're all restricted to much smaller numbers).

I think the use of atoi64 and its clamping behavior in core_read.cpp is independently problematic (it should just fail when the number is too big), but I don't think that's on the critical path for fixing this issue. I'll open a PR to restrict it to -0xFFFFFFFF..0xFFFFFFFF.

OK, thanks. (also note that atoi64 seems platform dependant (which might explain why other people in the above issue didn't see the fuzzer error)).

I would'nt mind trying to do the PR for the atoi64 too, but I guess it will be faster/less work for other people if @sipa do it :)

@pierreN Feel free to restrict the number conversion in ParseScript yourself if you like.

Thanks, it seems you are right. I guess the fuzzer is not triggered here since we use abs but the UB is still there.

I'm not sure that adding a special check for -2^63 inside CScript::serialize (or inside abs) is a good thing. The only decent option available seems to be the stackoverflow post above, but it is inapplicable here.

Hence, I reckon there is 2 possible options for this PR :

• just close it since util: Limit decimal range of numbers ParseScript accepts #18416 prevents the UB from happening anyway
• rename the commit into something like "script: rely on std implementation to get abs value for num opcode serialize" - since relying on the standard seems cleaner and show more obviously the intent ?

What do you guys think ?

@theStack Looking at the standard library implementation isn't relevant, as it is allowed to rely on platform-specific behavior. However, it looks like std::abs is indeed specified to be undefined if the result cannot be represented in the input type.

What is wrong with uint64_t absvalue = (value < 0) ? -uint64_t(value) : uint64_t(value). I remember you tried this, but don't remember what error came out.

An alternative can be uint64_t absvalue = (value < 0) ? ~uint64_t(value) + 1 : uint64_t(value) which is semantically exactly the same but avoids a negation of a unsigned type.

The issue with -uint64_t(value) was that MSVC seemed not to implement the 5.3.1 §8 of the standard about the - unary operator properly...

It seems however that 2s complement by hand works : https://godbolt.org/z/cr-phu so I updated the branch accordingly. Thanks.

FWIW, I just checked where else the manual abs approach of "determining-sign-and-when indicating-negating-the-number", is used in the codebase, and found this function:

I didnt' check though in which range the amount values are passed from the call-sites. Maybe you want to look into it if UB is also a problem here in the course of this (or a possible future) PR.

Thanks. From a quick check and believing that the variable name COIN is accurate, you have 2^62/21 000 000/COINS > 1000 so this shoould not be able to trigger the UB ?

It seems it costs nothing to prevent it though, and I'd be happy to do a PR for that if others agree.

@theStack Good catch regarding ValueFromAmount(const CAmount& amount). I noticed it too when fuzzing ValueFromAmount:

I think ideally all our functions should i.) state pre-conditions clearly (using documentation and/or assertions), and ii.) robustly handle all inputs that are not explicitly disallowed by the clearly stated pre-conditions :)

I noticed it too when fuzzing ValueFromAmount:

Looking at the interesting integer.cpp, shouldn't the same be applied to FormatMoney if we follow that logic ?

With a quick regexp search I also found occurences in :

• qt/bitcoinunits.cpp : qint64 n_abs = (n > 0 ? n : -n);
• timedata.cpp : in the abs64 function (edit: this can't happen since at worst we abs the average between 0 and the nOffsetSample argument)

Looking at the interesting integer.cpp, shouldn't the same be applied to FormatMoney if we follow that logic ?

I suggest doing that in a follow-up PR to keep this PR focused. Would be really nice to get this one merged to get rid of the last known fuzzing roadblock :)

@practicalswift What is the fuzzer that hits this in current master? And what is the backtrace?

@MarcoFalke Oh, it seems I got the crashes mixed up.

This is the remaining case (it is unrelated to this PR):

$ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/test/fuzz/transaction crash-transaction
INFO: Seed: 2635477314
INFO: Loaded 1 modules   (415121 inline 8-bit counters): 415121 [0x5575e380b6d8, 0x5575e3870c69), 
INFO: Loaded 1 PC tables (415121 PCs): 415121 [0x5575e3870c70,0x5575e3ec6580), 
src/test/fuzz/transaction: Running 1 inputs 1 time(s) each.
Running: crash-transaction
primitives/transaction.cpp:87:19: runtime error: signed integer overflow: 1095216725760 + 9223372032559808512 cannot be represented in type 'long'
    #0 0x5575e2041ec1 in CTransaction::GetValueOut() const src/primitives/transaction.cpp:87:19
    #1 0x5575e0eb4a97 in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) src/test/fuzz/transaction.cpp:78:18

This remaining case is fixed in #18383.

OK, thanks.

What about recycling this PR to fix those custom absolute value functions ?

For this purpose I added a small fuzzing harness in the PR #18491

Or we can just close this PR (and hence also close the fuzzing harness in #18491)

So following this comment : #18491 (comment) just added CScriptNum::serialize to the integer fuzzing harness to this PR instead of opening another one.

Could also add the following diff:

diff --git a/src/test/fuzz/scriptnum_ops.cpp b/src/test/fuzz/scriptnum_ops.cpp
index db44bb9e19..d45c85bc51 100644
--- a/src/test/fuzz/scriptnum_ops.cpp
+++ b/src/test/fuzz/scriptnum_ops.cpp
@@ -128,10 +128,6 @@ void test_one_input(const std::vector<uint8_t>& buffer)
             script_num &= fuzzed_data_provider.ConsumeIntegral<int64_t>();
             break;
         }
-        // Avoid negation failure:
-        // script/script.h:332:35: runtime error: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
-        if (script_num != CScriptNum{std::numeric_limits<int64_t>::min()}) {
             (void)script_num.getvch();
-        }
     }
 }

Ow, right, thanks. Branch updated.

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

No conflicts as of last run.

It's been around a month this PR has been opened - do you guys think I should close it?

Thanks.

ACK 2748e87

ACK 2748e87, only checked that the bitcoind binary does not change with clang -O2 🎓

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ACK 2748e8793267126c5b40621d75d1930e358f057e, only checked that the bitcoind binary does not change with clang -O2 🎓
-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEE+rVPoUahrI9sLGYTzit1aX5ppUgFAlwqrYAACgkQzit1aX5p
pUi98wwAwknOFbsqPTE+alfdjNCoL0MsBT7VrsX7Io4GqSF0gopF0hSAvuDiiR+9
I0+Hl10iCynEOzQgDPRLQGpuQOp1uAxqbKc6QCOF1vdwwu2WdRoCTGCtVr/jxCeg
MYg0S0IWlyoaM8v5rP7tci4HXsI7TDkrx13izCKfTuB7HXcUjA3vja6K1Crb4vIZ
2qpI1yCy2unnAwkoQO8qj752rFIefw2b0hDly2IkWWxfE5CCwkqBYlft9kfR03zA
L81M/Eo2xniXosHiVjSRr5q01LZBWykD8EexYQPOMqP8eYXumPgLob1WD1h/ryVp
k9qmDsCoV32tfsUiOv53I5CRLG69jJaLqvNAkdTMfrlb1VZlvQwmtdVNx+W1UPNC
fknQj1whu40fPMNYX+Qk8F9HKHXV3zCZu27sFad0nnGtg5Xio29ayck/OTb5uLcU
ACSj6sFSf9rta3WvFGU9HwoicnkArFhb/81itfvn4K+M9YHDO0Fafokv2xm4grjx
CZwsrSnk
=ovF6
-----END PGP SIGNATURE-----

ACK 2748e87

@pierreN no worries, a month (or much, much longer) isn't unusual due to the number of PRs opened relative to the number of people who review.

Ow my bad - OK, thanks for the ACKs, I'll leave the PR open.