
Conversation

@maflcko (Member) commented May 12, 2021

It tests the wrong way of the round-trip: int -> float -> int, but only float -> int -> float is allowed and used. See also src/test/fuzz/float.cpp.

Hopefully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34118

@fanquake fanquake added the Tests label May 12, 2021
@maflcko (Member, Author) commented May 12, 2021

@elichai on 32-bit you can reproduce this yourself in a few seconds:

$ FUZZ=integer ./src/test/fuzz/fuzz  
INFO: Seed: 2184836021
INFO: Loaded 1 modules   (187658 inline 8-bit counters): 187658 [0x584f7ee8, 0x58525bf2), 
INFO: Loaded 1 PC tables (187658 PCs): 187658 [0x58525bf4,0x58694444), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
fuzz: test/fuzz/integer.cpp:128: void integer_fuzz_target(FuzzBufferType): Assertion `ser_float_to_uint32(f) == u32' failed.
==59359== ERROR: libFuzzer: deadly signal

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 InsertRepeatedBytes-; base unit: dbb4fcdda5e893b1e393c937cb45e0d31191df56
artifact_prefix='./'; Test unit written to ./crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
Base64: CgEAAAP/CgEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoB9QAAAAAAAAAAAAAAAP+b//8AAH4AAP//AAAAAAAAAAA=

@practicalswift (Contributor)

> Hopefully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34118

That URL is not publicly accessible. I think you forgot to make it public :)

@maflcko (Member, Author) commented May 13, 2021

I don't plan to make them public, but instead try to include all relevant information in the pull request itself. A bot will make them public the day after they are fixed.

@practicalswift (Contributor)

What is the reason that the input file crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a triggers the assertion failure under 32-bit only? IIRC the integer harness reads fixed width integer types only.

FWIW:

$ uname -o -i
x86_64 GNU/Linux
$ echo -n 'CgEAAAP/CgEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoB9QAAAAAAAAAAAAAAAP+b//8AAH4AAP//AAAAAAAAAAA=' | base64 -d > crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
$ shasum crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a  crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
$ FUZZ=integer src/test/fuzz/fuzz crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3741142330
INFO: Loaded 1 modules   (373000 inline 8-bit counters): 373000 [0x5574a26b89a8, 0x5574a2713ab0),
INFO: Loaded 1 PC tables (373000 PCs): 373000 [0x5574a2713ab0,0x5574a2cc4b30),
src/test/fuzz/fuzz: Running 1 inputs 1 time(s) each.
Running: crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a
Executed crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a in 1 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

$ echo $?
0

> That URL is not publicly accessible. I think you forgot to make it public :)

> I don't plan to make them public, but instead try to include all relevant information in the pull request itself. A bot will make them public the day after they are fixed.

OK, then it works as intended :)

@maflcko (Member, Author) commented May 14, 2021

> What is the reason that the input file crash-09ffc420318e63eb4fbb19dffcb8cf4e499f7e5a triggers the assertion failure under 32-bit only?

I have no idea; while it might be interesting to know, this isn't relevant to this pull.

  • The code paths test code that isn't used in production
  • The code paths test the wrong round-trip way
  • There is no reason to believe that any bit array of 32-bits/64-bits is a valid and unique representation of a float/double
  • Whereas the converse is true: Any float/double serialized to 32-bits/64-bits can always be represented in an unsigned integer of the same size

Any of the reasons above is enough to remove the test here. Feel free to pick just the ones you like.

@maflcko (Member, Author) commented May 14, 2021

For example 4288413440 and 4292607744 both represent a float of -nan. I have no idea if any or none representations are invalid.

@laanwj (Member) commented May 14, 2021

Though it is somehow surprising to see here (this does nothing with the value, just memcpying), FPU operations are not guaranteed to keep the bit pattern the same. Even if that is just loading a value and storing it again.

To be honest I wish we could get rid of floating point in the serialization code completely.

Anyhow, ACK fae814c

@laanwj laanwj merged commit b82c3a0 into bitcoin:master May 14, 2021
@maflcko maflcko deleted the 2105-fuzzFloat branch May 14, 2021 10:21
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request May 14, 2021
…ation test

fae814c fuzz: Remove incorrect float round-trip serialization test (MarcoFalke)

Pull request description:

  It tests the wrong way of the round-trip: `int -> float -> int`, but only `float -> int -> float` is allowed and used. See also `src/test/fuzz/float.cpp`.

  Hopefully fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34118

ACKs for top commit:
  laanwj:
    Anyhow, ACK fae814c

Tree-SHA512: 8412a7985be2225109f382b7c7ea6d6fcfbea15711671fdf2f41dd1a9adbb3b4489592863751d78bedaff98e9b0b13571d9cae06ffd92db8fbf7ce0f47874a41
@practicalswift (Contributor)

Post-merge ACK fae814c

I'd love to understand exactly why the assertion failure is 32-bit only, but so far I've been unsuccessful at recreating this issue locally, which rules out any in-depth practical investigation.

@maflcko (Member, Author) commented May 16, 2021

This is trivial to reproduce locally:

$ cat 1.cpp
#include <cstdint>
#include <cstring>
#include <iostream>

int main() {
  uint32_t a{4288413440}; // 0xFF9BFF00: a NaN bit pattern with the quiet bit (bit 22) clear
  float b;
  std::memcpy(&b, &a, sizeof(a)); // reinterpret the integer bits as a float
  float c = b;                    // copy through a float variable (may pass through an FPU register)
  uint32_t d;
  std::memcpy(&d, &c, sizeof(c)); // read the bits back out
  std::cout << b << std::endl;
  std::cout << a << std::endl;
  std::cout << d << std::endl;
}

$ g++ -m32  1.cpp -o exe && ./exe 
-nan
4288413440
4292607744

$ g++ -m64  1.cpp -o exe && ./exe 
-nan
4288413440
4288413440

@sipa (Member) commented May 16, 2021

Is it just NaNs that get changed? Because that's not unexpected. For non-NaN it would surprise me

@maflcko (Member, Author) commented May 16, 2021

I should have printed in order. It is

  • 4288413440 -> -nan -> 4292607744 (32-bit)
  • 4288413440 -> -nan -> 4288413440 (64-bit)

@sipa (Member) commented May 16, 2021

@MarcoFalke This may be a result of 32-bit code using 387 instructions, and 64-bit code using SSE instructions for floating point. They may not behave identically.

If you're really curious, you could try compiling with -mfpmath=387 in 64-bit mode, or with -mfpmath=sse -msse in 32-bit mode.
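The thread's two points (only float -> int -> float is a valid round-trip, and 4288413440 comes back as 4292607744 on x87 at -O0), worked through as an added C++ example that is not code from Bitcoin Core or from any commenter; the helper names FloatToU32/U32ToFloat are assumed. It goes one step beyond the thread by showing that the two patterns differ only in bit 22, the IEEE 754 quiet-NaN flag, which is the bit an x87 load of a signaling NaN sets.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Bit-level helpers in the style of the float.cpp harness (names assumed;
// this is an added example, not code from Bitcoin Core).
static uint32_t FloatToU32(float f) { uint32_t u; std::memcpy(&u, &f, sizeof u); return u; }
static float U32ToFloat(uint32_t u) { float f; std::memcpy(&f, &u, sizeof f); return f; }

// IEEE 754 binary32 layout: sign(1) | exponent(8) | mantissa(23).
// A NaN has all exponent bits set and a non-zero mantissa; bit 22 is the
// "quiet" flag, so a NaN with bit 22 clear is a signaling NaN.
constexpr uint32_t kExponentMask = 0x7F800000u;
constexpr uint32_t kMantissaMask = 0x007FFFFFu;
constexpr uint32_t kQuietBit     = 0x00400000u;

static bool IsNanBits(uint32_t u) {
    return (u & kExponentMask) == kExponentMask && (u & kMantissaMask) != 0;
}
static bool IsSignalingNanBits(uint32_t u) { return IsNanBits(u) && (u & kQuietBit) == 0; }

// Direction the code base relies on: float -> uint32 -> float. Any float that
// came out of arithmetic round-trips bit-exactly; this is what float.cpp checks.
static bool FloatRoundTripsExactly(float f) {
    float g = U32ToFloat(FloatToU32(f));
    return std::memcmp(&f, &g, sizeof f) == 0;
}

// Direction the removed test asserted: uint32 -> float -> uint32. Passing the
// value through a float variable lets the compiler move it through an FPU
// register; the x87 unit quiets a signaling NaN on load, so the bits can change.
static uint32_t U32RoundTrip(uint32_t u) {
    volatile float via_float = U32ToFloat(u);   // volatile: force a real store and load
    return FloatToU32(via_float);
}

// Classifies a u32 -> float -> u32 mismatch: true when the only difference is
// the quiet-NaN flag, i.e. a signaling NaN was quieted rather than corrupted.
static bool DiffersOnlyByQuietBit(uint32_t before, uint32_t after) {
    return IsNanBits(before) && IsNanBits(after) && (before ^ after) == kQuietBit;
}

// The most a u32-first test could legitimately assert: the bits come back
// unchanged, or the input was a signaling NaN that was merely quieted.
static bool U32RoundTripAcceptable(uint32_t u) {
    uint32_t r = U32RoundTrip(u);
    return r == u || (IsSignalingNanBits(u) && DiffersOnlyByQuietBit(u, r));
}

int main() {
    // Constructed inputs: the two patterns from this thread plus ordinary floats.
    const uint32_t snan = 4288413440u;  // 0xFF9BFF00, quiet bit clear
    const uint32_t qnan = 4292607744u;  // 0xFFDBFF00, same NaN with bit 22 set
    std::printf("signaling NaN? %d, differ only by quiet bit? %d\n",
                IsSignalingNanBits(snan), DiffersOnlyByQuietBit(snan, qnan));
    std::printf("u32 round trip of 0x%08X -> 0x%08X\n", snan, U32RoundTrip(snan));
    const float samples[] = {0.0f, -0.0f, 1.0f, 1e-40f, 3.4028235e38f};
    for (float f : samples) {
        std::printf("float %g round-trips exactly: %d\n", f, FloatRoundTripsExactly(f));
    }
    return 0;
}
```

Whether U32RoundTrip(snan) prints 0xFF9BFF00 or 0xFFDBFF00 depends on the compiler, -m32/-m64 and -mfpmath, exactly as the thread's matrix shows; U32RoundTripAcceptable is true in both cases.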

@practicalswift (Contributor)

Thanks @MarcoFalke. I didn't catch that the assertion failure was g++ -O0 only (in addition to -m32).

FWIW:

$ for C in g++ clang++; do
    for M in 32 64; do
      for O in 0 1 2 3; do
        echo "$C -m${M} -O${O}: "
        $C -m${M} -O${O} 1.cpp -o exe
        ./exe
        echo
      done
    done
  done
g++ -m32 -O0:
-nan
4288413440
4292607744

g++ -m32 -O1:
-nan
4288413440
4288413440

g++ -m32 -O2:
-nan
4288413440
4288413440

g++ -m32 -O3:
-nan
4288413440
4288413440

g++ -m64 -O0:
-nan
4288413440
4288413440

g++ -m64 -O1:
-nan
4288413440
4288413440

g++ -m64 -O2:
-nan
4288413440
4288413440

g++ -m64 -O3:
-nan
4288413440
4288413440

clang++ -m32 -O0:
-nan
4288413440
4288413440

clang++ -m32 -O1:
-nan
4288413440
4288413440

clang++ -m32 -O2:
-nan
4288413440
4288413440

clang++ -m32 -O3:
-nan
4288413440
4288413440

clang++ -m64 -O0:
-nan
4288413440
4288413440

clang++ -m64 -O1:
-nan
4288413440
4288413440

clang++ -m64 -O2:
-nan
4288413440
4288413440

clang++ -m64 -O3:
-nan
4288413440
4288413440

@maflcko (Member, Author) commented May 16, 2021

$ g++ -m64 -mfpmath=387  1.cpp -o exe && ./exe 
-nan
4288413440
4292607744


$ g++ -m32 -mfpmath=sse   1.cpp -o exe && ./exe 
cc1plus: warning: SSE instruction set disabled, using 387 arithmetics
-nan
4288413440
4292607744


$ clang++ -m32 -mfpmath=sse   1.cpp -o exe && ./exe 
-nan
4288413440
4288413440

@practicalswift (Contributor) commented May 16, 2021

Assertion failures:

g++ -m32 -O0 -mfpmath=387: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
g++ -m32 -O0 -mfpmath=sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
g++ -m64 -O0 -mfpmath=387: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
clang++ -m32 -O0 -mfpmath=387 -mno-sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
clang++ -m32 -O0 -mfpmath=sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
clang++ -m32 -O1 -mfpmath=387 -mno-sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.
clang++ -m32 -O1 -mfpmath=sse: Assertion `ser_float_to_uint32(ser_uint32_to_float(u32)) == u32' failed.

Other combinations of {g,clang}++ -m{32,64} -O{0,1,2,3,s,fast} -mfpmath={387,sse} seem to non-fail :)

$ g++ --version
g++ 7.5.0
$ clang++ --version
clang version 12.0.0

PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Mar 13, 2022
gwillen pushed a commit to ElementsProject/elements that referenced this pull request Jun 1, 2022
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Aug 16, 2022