Skip to content

tests: Add fuzzing harnesses for CAutoFile, CBufferedFile, LoadExternalBlockFile and other FILE* consumers #19143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
maflcko merged 8 commits into from
Jul 18, 2020
Merged

tests: Add fuzzing harnesses for CAutoFile, CBufferedFile, LoadExternalBlockFile and other FILE* consumers #19143

maflcko merged 8 commits into from
Jul 18, 2020

Conversation

@practicalswift
Copy link
Contributor

@practicalswift practicalswift commented Jun 2, 2020
edited
Loading

Add fuzzing harnesses for CAutoFile, CBufferedFile, LoadExternalBlockFile and other FILE* consumers:

  • Add FuzzedFileProvider which provides a FILE* interface to FuzzedDataProvider using fopencookie
  • Add FuzzedAutoFileProvider which provides a CAutoFile interface to FuzzedDataProvider
  • Add serialization/deserialization fuzzing helpers WriteToStream(…)/ReadFromStream(…)
  • Add fuzzing harness for CAutoFile (streams.h)
  • Add fuzzing harness for CBufferedFile (streams.h)
  • Add fuzzing harness for LoadExternalBlockFile(...) (validation.h)
  • Add fuzzing harness for CBlockPolicyEstimator::Read and CBlockPolicyEstimator::Write (policy/fees.h)

See doc/fuzzing.md for information on how to fuzz Bitcoin Core. Don't forget to contribute any coverage increasing inputs you find to the Bitcoin Core fuzzing corpus repo.

Happy fuzzing :)

@DrahtBot DrahtBot mentioned this pull request Jun 7, 2020
Merged
@DrahtBot
Copy link
Contributor

DrahtBot commented Jun 8, 2020
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

This was referenced Jun 9, 2020
Closed
Merged
Merged
@DrahtBot DrahtBot mentioned this pull request Jun 13, 2020
Merged
@DrahtBot DrahtBot mentioned this pull request Jun 16, 2020
Merged
@practicalswift practicalswift mentioned this pull request Jun 22, 2020
Merged
@DrahtBot DrahtBot mentioned this pull request Jun 30, 2020
Merged
Crypt-iQ
Crypt-iQ reviewed Jul 10, 2020
View reviewed changes
Copy link
Contributor

@Crypt-iQ Crypt-iQ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK 27bef8c

Crypt-iQ
Crypt-iQ reviewed Jul 14, 2020
View reviewed changes
Copy link
Contributor

@Crypt-iQ Crypt-iQ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Combined fuzzing coverage for only the fuzzers in this branch: https://crypt-iq.github.io/pr19143_cov/src/

Each fuzzer was run for about 24 hours. I used a variation of libFuzzer and AFL.
There seems to be some missing coverage in CBlockPolicyEstimator::Write & CBlockPolicyEstimator::Read. That could probably be fixed by better seeds. There's also missing coverage in LoadExternalBlockFile, and this can also be fixed by better seeds. I don't know the format of the external block files (I copy pasted the magic bytes from MessageStart() as seeds but no luck). This was the only slow fuzzing harness with ~5 execs/s.

@practicalswift practicalswift force-pushed the fuzzers-FILE branch 2 times, most recently from f4f0a0c to 74a31f2 Compare July 15, 2020 00:44
@practicalswift
Copy link
Contributor Author

practicalswift commented Jul 15, 2020

Combined fuzzing coverage for only the fuzzers in this branch: https://crypt-iq.github.io/pr19143_cov/src/

Each fuzzer was run for about 24 hours. I used a variation of libFuzzer and AFL.

Wow, that's some thorough testing! Thanks a lot!

There seems to be some missing coverage in CBlockPolicyEstimator::Write & CBlockPolicyEstimator::Read. That could probably be fixed by better seeds.

I think the perceived lack of coverage is simply due to src/test/fuzz/policy_estimator being very slow (CBlockPolicyEstimator creation is costly): I believe that given enough time the fuzzer will span the full CFG :)

To speed things up I've now added also a dedicated fuzzer for CBlockPolicyEstimator::{Write,Read} which re-uses the CBlockPolicyEstimator object across runs (without sacrificing substantial coverage stability AFAICT): see src/test/fuzz/policy_estimator_io.cpp.

This dedicated fuzzer is running at >1000 exec/s compared to <50 exec/s for the non-dedicated one.

There's also missing coverage in LoadExternalBlockFile, and this can also be fixed by better seeds. I don't know the format of the external block files (I copy pasted the magic bytes from MessageStart() as seeds but no luck). This was the only slow fuzzing harness with ~5 execs/s.

libFuzzer from LLVM 10 is able to reach past the magic bytes check within a few seconds. Perhaps you were using an old version of libFuzzer when running the load_external_block_file fuzzer?

@practicalswift practicalswift force-pushed the fuzzers-FILE branch 2 times, most recently from 46ce3bf to bb87114 Compare July 15, 2020 08:43
Crypt-iQ
Crypt-iQ reviewed Jul 15, 2020
View reviewed changes
Copy link
Contributor

@Crypt-iQ Crypt-iQ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With clang-10 I can pass the magic bytes check (I guess it uses coverage in memcmp to solve for it?). Currently running the new policy_estimator_io fuzzer as well.

@Crypt-iQ
Copy link
Contributor

Crypt-iQ commented Jul 16, 2020
edited
Loading

Can confirm that the new policy_estimator_io fuzzer is significantly faster with libfuzzer (600-700 exec/s on one core) and hits checks in Read & Write that it otherwise doesn't hit in the policy_estimator fuzzer due to being slower. Also tried with AFL but was very slow since I forgot to compile with persistent mode :/. Will review the latest set of changes now. Coverage for just the policy_estimator_io fuzzer is here https://crypt-iq.github.io/policy_cov_llvm_outs/src/policy/fees.cpp.gcov.html

@Crypt-iQ
Copy link
Contributor

Crypt-iQ commented Jul 18, 2020

Tested ACK ad6c348

@maflcko maflcko merged commit 090d877 into bitcoin:master Jul 18, 2020
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Jul 18, 2020
Merge bitcoin#19143: tests: Add fuzzing harnesses for CAutoFile, CBuf…
60a95ac 
…feredFile, LoadExternalBlockFile and other FILE* consumers

ad6c348 tests: Add fuzzing harness for CBlockPolicyEstimator::{Read,Write} (policy/fees.h) (practicalswift)
614e080 tests: Add fuzzing harness for CBufferedFile::{SetPos,GetPos,GetType,GetVersion} (stream.h) (practicalswift)
7bcc71e tests: Add fuzzing harness for LoadExternalBlockFile(...) (validation.h) (practicalswift)
9823376 tests: Add fuzzing harness for CBufferedFile (streams.h) (practicalswift)
f3aa659 tests: Add fuzzing harness for CAutoFile (streams.h) (practicalswift)
e507c07 tests: Add serialization/deserialization fuzzing helpers WriteToStream(…)/ReadFromStream(…) (practicalswift)
e48094a tests: Add FuzzedAutoFileProvider which provides a CAutoFile interface to FuzzedDataProvider (practicalswift)
9dbcd68 tests: Add FuzzedFileProvider which provides a FILE* interface to FuzzedDataProvider using fopencookie (practicalswift)

Pull request description:

  Add fuzzing harnesses for `CAutoFile`, `CBufferedFile`, `LoadExternalBlockFile` and other `FILE*` consumers:
  * Add `FuzzedFileProvider` which provides a `FILE*` interface to `FuzzedDataProvider` using `fopencookie`
  * Add `FuzzedAutoFileProvider` which provides a `CAutoFile` interface to `FuzzedDataProvider`
  * Add serialization/deserialization fuzzing helpers `WriteToStream(…)`/`ReadFromStream(…)`
  * Add fuzzing harness for `CAutoFile` (`streams.h`)
  * Add fuzzing harness for `CBufferedFile` (`streams.h`)
  * Add fuzzing harness for `LoadExternalBlockFile(...)` (`validation.h`)
  * Add fuzzing harness for `CBlockPolicyEstimator::Read` and `CBlockPolicyEstimator::Write` (`policy/fees.h`)

  See [`doc/fuzzing.md`](https://github.com/bitcoin/bitcoin/blob/master/doc/fuzzing.md) for information on how to fuzz Bitcoin Core. Don't forget to contribute any coverage increasing inputs you find to the [Bitcoin Core fuzzing corpus repo](https://github.com/bitcoin-core/qa-assets).

  Happy fuzzing :)

ACKs for top commit:
  Crypt-iQ:
    Tested ACK ad6c348

Tree-SHA512: a38e142608218496796a527d7e59b74e30279a2815450408b7c27a76ed600cebc6b88491e831665a0639671e2d212453fcdca558500bbadbeb32b267751f8f72
@fanquake fanquake mentioned this pull request Jul 20, 2020
Closed
@LarryRuane LarryRuane mentioned this pull request Dec 7, 2020
Merged
Fabcien pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Feb 3, 2021
@practicalswift @Fabcien
tests: Add fuzzing harnesses for CAutoFile, CBufferedFile, LoadExtern…
b528049 
…alBlockFile and other FILE* consumers

Summary:
Backport of core [[bitcoin/bitcoin#19143 | PR19143]].

Depends on D9131.

The last commit
(bitcoin/bitcoin@ad6c348)
has been skipped since we don't have the policy estimator like core.

Test Plan:
  ninja bitcoin-fuzzers
  ./test/fuzz/test_runner.py <path_to_corpus>

Reviewers: #bitcoin_abc, majcosta

Reviewed By: #bitcoin_abc, majcosta

Differential Revision: https://reviews.bitcoinabc.org/D9132
@practicalswift practicalswift deleted the fuzzers-FILE branch April 10, 2021 19:42
kwvg added a commit to kwvg/dash that referenced this pull request Jul 15, 2022
@kwvg
partial bitcoin#19143: Add fuzzing harnesses for CAutoFile, CBuffered…
eb2fa81 
…File, LoadExternalBlockFile and other FILE* consumers
PastaPastaPasta added a commit to dashpay/dash that referenced this pull request Jul 17, 2022
@PastaPastaPasta
Merge pull request #4886 from kittywhiskers/fuzz3
30d6584 
backport: bitcoin#18867, bitcoin#19247, bitcoin#19222, bitcoin#18363, bitcoin#18190, bitcoin#18393, partial bitcoin#18047, bitcoin#18314, bitcoin#19143 (fuzzing harness backports: part 3)
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@maflcko maflcko maflcko left review comments

@Crypt-iQ Crypt-iQ Crypt-iQ left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Build system Tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@practicalswift @DrahtBot @Crypt-iQ @maflcko