From 0a12cff2a8e54453de1f17e9c0e87e54bbe25a34 Mon Sep 17 00:00:00 2001 From: brunoerg Date: Wed, 28 Feb 2024 12:49:08 -0300 Subject: [PATCH 1/5] fuzz: move `AddrManDeterministic` to util --- src/test/fuzz/addrman.cpp | 110 ++------------------------------------ src/test/fuzz/util/net.h | 104 +++++++++++++++++++++++++++++++++++ 2 files changed, 108 insertions(+), 106 deletions(-) diff --git a/src/test/fuzz/addrman.cpp b/src/test/fuzz/addrman.cpp index bcc3dd3e14a69..570bcb2c13601 100644 --- a/src/test/fuzz/addrman.cpp +++ b/src/test/fuzz/addrman.cpp @@ -118,121 +118,19 @@ void FillAddrman(AddrMan& addrman, FuzzedDataProvider& fuzzed_data_provider) } } -class AddrManDeterministic : public AddrMan -{ -public: - explicit AddrManDeterministic(const NetGroupManager& netgroupman, FuzzedDataProvider& fuzzed_data_provider) - : AddrMan(netgroupman, /*deterministic=*/true, GetCheckRatio()) - { - WITH_LOCK(m_impl->cs, m_impl->insecure_rand.Reseed(ConsumeUInt256(fuzzed_data_provider))); - } - - /** - * Compare with another AddrMan. - * This compares: - * - the values in `mapInfo` (the keys aka ids are ignored) - * - vvNew entries refer to the same addresses - * - vvTried entries refer to the same addresses - */ - bool operator==(const AddrManDeterministic& other) const - { - LOCK2(m_impl->cs, other.m_impl->cs); - - if (m_impl->mapInfo.size() != other.m_impl->mapInfo.size() || m_impl->nNew != other.m_impl->nNew || - m_impl->nTried != other.m_impl->nTried) { - return false; - } - - // Check that all values in `mapInfo` are equal to all values in `other.mapInfo`. - // Keys may be different. - - auto addrinfo_hasher = [](const AddrInfo& a) { - CSipHasher hasher(0, 0); - auto addr_key = a.GetKey(); - auto source_key = a.source.GetAddrBytes(); - hasher.Write(TicksSinceEpoch(a.m_last_success)); - hasher.Write(a.nAttempts); - hasher.Write(a.nRefCount); - hasher.Write(a.fInTried); - hasher.Write(a.GetNetwork()); - hasher.Write(a.source.GetNetwork()); - hasher.Write(addr_key.size()); - hasher.Write(source_key.size()); - hasher.Write(addr_key); - hasher.Write(source_key); - return (size_t)hasher.Finalize(); - }; - - auto addrinfo_eq = [](const AddrInfo& lhs, const AddrInfo& rhs) { - return std::tie(static_cast(lhs), lhs.source, lhs.m_last_success, lhs.nAttempts, lhs.nRefCount, lhs.fInTried) == - std::tie(static_cast(rhs), rhs.source, rhs.m_last_success, rhs.nAttempts, rhs.nRefCount, rhs.fInTried); - }; - - using Addresses = std::unordered_set; - - const size_t num_addresses{m_impl->mapInfo.size()}; - - Addresses addresses{num_addresses, addrinfo_hasher, addrinfo_eq}; - for (const auto& [id, addr] : m_impl->mapInfo) { - addresses.insert(addr); - } - - Addresses other_addresses{num_addresses, addrinfo_hasher, addrinfo_eq}; - for (const auto& [id, addr] : other.m_impl->mapInfo) { - other_addresses.insert(addr); - } - - if (addresses != other_addresses) { - return false; - } - - auto IdsReferToSameAddress = [&](nid_type id, nid_type other_id) EXCLUSIVE_LOCKS_REQUIRED(m_impl->cs, other.m_impl->cs) { - if (id == -1 && other_id == -1) { - return true; - } - if ((id == -1 && other_id != -1) || (id != -1 && other_id == -1)) { - return false; - } - return m_impl->mapInfo.at(id) == other.m_impl->mapInfo.at(other_id); - }; - - // Check that `vvNew` contains the same addresses as `other.vvNew`. Notice - `vvNew[i][j]` - // contains just an id and the address is to be found in `mapInfo.at(id)`. The ids - // themselves may differ between `vvNew` and `other.vvNew`. - for (size_t i = 0; i < ADDRMAN_NEW_BUCKET_COUNT; ++i) { - for (size_t j = 0; j < ADDRMAN_BUCKET_SIZE; ++j) { - if (!IdsReferToSameAddress(m_impl->vvNew[i][j], other.m_impl->vvNew[i][j])) { - return false; - } - } - } - - // Same for `vvTried`. - for (size_t i = 0; i < ADDRMAN_TRIED_BUCKET_COUNT; ++i) { - for (size_t j = 0; j < ADDRMAN_BUCKET_SIZE; ++j) { - if (!IdsReferToSameAddress(m_impl->vvTried[i][j], other.m_impl->vvTried[i][j])) { - return false; - } - } - } - - return true; - } -}; - FUZZ_TARGET(addrman, .init = initialize_addrman) { FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size()); SetMockTime(ConsumeTime(fuzzed_data_provider)); NetGroupManager netgroupman{ConsumeNetGroupManager(fuzzed_data_provider)}; - auto addr_man_ptr = std::make_unique(netgroupman, fuzzed_data_provider); + auto addr_man_ptr = std::make_unique(netgroupman, fuzzed_data_provider, GetCheckRatio()); if (fuzzed_data_provider.ConsumeBool()) { const std::vector serialized_data{ConsumeRandomLengthByteVector(fuzzed_data_provider)}; DataStream ds{serialized_data}; try { ds >> *addr_man_ptr; } catch (const std::ios_base::failure&) { - addr_man_ptr = std::make_unique(netgroupman, fuzzed_data_provider); + addr_man_ptr = std::make_unique(netgroupman, fuzzed_data_provider, GetCheckRatio()); } } AddrManDeterministic& addr_man = *addr_man_ptr; @@ -310,8 +208,8 @@ FUZZ_TARGET(addrman_serdeser, .init = initialize_addrman) SetMockTime(ConsumeTime(fuzzed_data_provider)); NetGroupManager netgroupman{ConsumeNetGroupManager(fuzzed_data_provider)}; - AddrManDeterministic addr_man1{netgroupman, fuzzed_data_provider}; - AddrManDeterministic addr_man2{netgroupman, fuzzed_data_provider}; + AddrManDeterministic addr_man1{netgroupman, fuzzed_data_provider, GetCheckRatio()}; + AddrManDeterministic addr_man2{netgroupman, fuzzed_data_provider, GetCheckRatio()}; DataStream data_stream{}; diff --git a/src/test/fuzz/util/net.h b/src/test/fuzz/util/net.h index 1a5902329e26a..e2cb34c68fd2c 100644 --- a/src/test/fuzz/util/net.h +++ b/src/test/fuzz/util/net.h @@ -5,6 +5,8 @@ #ifndef BITCOIN_TEST_FUZZ_UTIL_NET_H #define BITCOIN_TEST_FUZZ_UTIL_NET_H +#include +#include #include #include #include @@ -34,6 +36,108 @@ */ CNetAddr ConsumeNetAddr(FuzzedDataProvider& fuzzed_data_provider, FastRandomContext* rand = nullptr) noexcept; +class AddrManDeterministic : public AddrMan +{ +public: + explicit AddrManDeterministic(const NetGroupManager& netgroupman, FuzzedDataProvider& fuzzed_data_provider, int32_t check_ratio) + : AddrMan(netgroupman, /*deterministic=*/true, check_ratio) + { + WITH_LOCK(m_impl->cs, m_impl->insecure_rand.Reseed(ConsumeUInt256(fuzzed_data_provider))); + } + + /** + * Compare with another AddrMan. + * This compares: + * - the values in `mapInfo` (the keys aka ids are ignored) + * - vvNew entries refer to the same addresses + * - vvTried entries refer to the same addresses + */ + bool operator==(const AddrManDeterministic& other) const + { + LOCK2(m_impl->cs, other.m_impl->cs); + + if (m_impl->mapInfo.size() != other.m_impl->mapInfo.size() || m_impl->nNew != other.m_impl->nNew || + m_impl->nTried != other.m_impl->nTried) { + return false; + } + + // Check that all values in `mapInfo` are equal to all values in `other.mapInfo`. + // Keys may be different. + + auto addrinfo_hasher = [](const AddrInfo& a) { + CSipHasher hasher(0, 0); + auto addr_key = a.GetKey(); + auto source_key = a.source.GetAddrBytes(); + hasher.Write(TicksSinceEpoch(a.m_last_success)); + hasher.Write(a.nAttempts); + hasher.Write(a.nRefCount); + hasher.Write(a.fInTried); + hasher.Write(a.GetNetwork()); + hasher.Write(a.source.GetNetwork()); + hasher.Write(addr_key.size()); + hasher.Write(source_key.size()); + hasher.Write(addr_key); + hasher.Write(source_key); + return (size_t)hasher.Finalize(); + }; + + auto addrinfo_eq = [](const AddrInfo& lhs, const AddrInfo& rhs) { + return std::tie(static_cast(lhs), lhs.source, lhs.m_last_success, lhs.nAttempts, lhs.nRefCount, lhs.fInTried) == + std::tie(static_cast(rhs), rhs.source, rhs.m_last_success, rhs.nAttempts, rhs.nRefCount, rhs.fInTried); + }; + + using Addresses = std::unordered_set; + + const size_t num_addresses{m_impl->mapInfo.size()}; + + Addresses addresses{num_addresses, addrinfo_hasher, addrinfo_eq}; + for (const auto& [id, addr] : m_impl->mapInfo) { + addresses.insert(addr); + } + + Addresses other_addresses{num_addresses, addrinfo_hasher, addrinfo_eq}; + for (const auto& [id, addr] : other.m_impl->mapInfo) { + other_addresses.insert(addr); + } + + if (addresses != other_addresses) { + return false; + } + + auto IdsReferToSameAddress = [&](nid_type id, nid_type other_id) EXCLUSIVE_LOCKS_REQUIRED(m_impl->cs, other.m_impl->cs) { + if (id == -1 && other_id == -1) { + return true; + } + if ((id == -1 && other_id != -1) || (id != -1 && other_id == -1)) { + return false; + } + return m_impl->mapInfo.at(id) == other.m_impl->mapInfo.at(other_id); + }; + + // Check that `vvNew` contains the same addresses as `other.vvNew`. Notice - `vvNew[i][j]` + // contains just an id and the address is to be found in `mapInfo.at(id)`. The ids + // themselves may differ between `vvNew` and `other.vvNew`. + for (size_t i = 0; i < ADDRMAN_NEW_BUCKET_COUNT; ++i) { + for (size_t j = 0; j < ADDRMAN_BUCKET_SIZE; ++j) { + if (!IdsReferToSameAddress(m_impl->vvNew[i][j], other.m_impl->vvNew[i][j])) { + return false; + } + } + } + + // Same for `vvTried`. + for (size_t i = 0; i < ADDRMAN_TRIED_BUCKET_COUNT; ++i) { + for (size_t j = 0; j < ADDRMAN_BUCKET_SIZE; ++j) { + if (!IdsReferToSameAddress(m_impl->vvTried[i][j], other.m_impl->vvTried[i][j])) { + return false; + } + } + } + + return true; + } +}; + class FuzzedSock : public Sock { FuzzedDataProvider& m_fuzzed_data_provider; From fe624631aeb4b5fbad732ad6476c5cd986674b4f Mon Sep 17 00:00:00 2001 From: brunoerg Date: Wed, 28 Feb 2024 12:49:44 -0300 Subject: [PATCH 2/5] fuzz: fuzz `connman` with a non-empty addrman --- src/test/fuzz/connman.cpp | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/test/fuzz/connman.cpp b/src/test/fuzz/connman.cpp index beefc9d82edbe..a3914bfcf318f 100644 --- a/src/test/fuzz/connman.cpp +++ b/src/test/fuzz/connman.cpp @@ -20,6 +20,12 @@ namespace { const TestingSetup* g_setup; + +int32_t GetCheckRatio() +{ + return std::clamp(g_setup->m_node.args->GetIntArg("-checkaddrman", 0), 0, 1000000); +} + } // namespace void initialize_connman() @@ -32,9 +38,21 @@ FUZZ_TARGET(connman, .init = initialize_connman) { FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; SetMockTime(ConsumeTime(fuzzed_data_provider)); + auto netgroupman{*g_setup->m_node.netgroupman}; + auto addr_man_ptr{std::make_unique(netgroupman, fuzzed_data_provider, GetCheckRatio())}; + if (fuzzed_data_provider.ConsumeBool()) { + const std::vector serialized_data{ConsumeRandomLengthByteVector(fuzzed_data_provider)}; + DataStream ds{serialized_data}; + try { + ds >> *addr_man_ptr; + } catch (const std::ios_base::failure&) { + addr_man_ptr = std::make_unique(netgroupman, fuzzed_data_provider, GetCheckRatio()); + } + } + AddrManDeterministic& addr_man{*addr_man_ptr}; ConnmanTestMsg connman{fuzzed_data_provider.ConsumeIntegral(), fuzzed_data_provider.ConsumeIntegral(), - *g_setup->m_node.addrman, + addr_man, *g_setup->m_node.netgroupman, Params(), fuzzed_data_provider.ConsumeBool()}; From 18c8a0945bda554e121c2a684105dffd55505cd7 Mon Sep 17 00:00:00 2001 From: brunoerg Date: Mon, 5 Feb 2024 15:41:26 -0300 Subject: [PATCH 3/5] fuzz: move `ConsumeNetGroupManager` to util --- src/test/fuzz/addrman.cpp | 7 ------- src/test/fuzz/util/net.h | 8 ++++++++ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/test/fuzz/addrman.cpp b/src/test/fuzz/addrman.cpp index 570bcb2c13601..a7e7f49d9f470 100644 --- a/src/test/fuzz/addrman.cpp +++ b/src/test/fuzz/addrman.cpp @@ -39,13 +39,6 @@ void initialize_addrman() g_setup = testing_setup.get(); } -[[nodiscard]] inline NetGroupManager ConsumeNetGroupManager(FuzzedDataProvider& fuzzed_data_provider) noexcept -{ - std::vector asmap = ConsumeRandomLengthBitVector(fuzzed_data_provider); - if (!SanityCheckASMap(asmap, 128)) asmap.clear(); - return NetGroupManager(asmap); -} - FUZZ_TARGET(data_stream_addr_man, .init = initialize_addrman) { FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; diff --git a/src/test/fuzz/util/net.h b/src/test/fuzz/util/net.h index e2cb34c68fd2c..cc73cdff4b795 100644 --- a/src/test/fuzz/util/net.h +++ b/src/test/fuzz/util/net.h @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -197,6 +198,13 @@ class FuzzedSock : public Sock return FuzzedSock{fuzzed_data_provider}; } +[[nodiscard]] inline NetGroupManager ConsumeNetGroupManager(FuzzedDataProvider& fuzzed_data_provider) noexcept +{ + std::vector asmap = ConsumeRandomLengthBitVector(fuzzed_data_provider); + if (!SanityCheckASMap(asmap, 128)) asmap.clear(); + return NetGroupManager(asmap); +} + inline CSubNet ConsumeSubNet(FuzzedDataProvider& fuzzed_data_provider) noexcept { return {ConsumeNetAddr(fuzzed_data_provider), fuzzed_data_provider.ConsumeIntegral()}; From 33b0f3ae966ffa50b55489eb867c4d93c0ed3489 Mon Sep 17 00:00:00 2001 From: brunoerg Date: Fri, 1 Mar 2024 18:38:48 -0300 Subject: [PATCH 4/5] fuzz: use `ConsumeNetGroupManager` in connman target --- src/test/fuzz/connman.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/test/fuzz/connman.cpp b/src/test/fuzz/connman.cpp index a3914bfcf318f..2537869b3d7c4 100644 --- a/src/test/fuzz/connman.cpp +++ b/src/test/fuzz/connman.cpp @@ -38,7 +38,7 @@ FUZZ_TARGET(connman, .init = initialize_connman) { FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; SetMockTime(ConsumeTime(fuzzed_data_provider)); - auto netgroupman{*g_setup->m_node.netgroupman}; + auto netgroupman{ConsumeNetGroupManager(fuzzed_data_provider)}; auto addr_man_ptr{std::make_unique(netgroupman, fuzzed_data_provider, GetCheckRatio())}; if (fuzzed_data_provider.ConsumeBool()) { const std::vector serialized_data{ConsumeRandomLengthByteVector(fuzzed_data_provider)}; @@ -53,7 +53,7 @@ FUZZ_TARGET(connman, .init = initialize_connman) ConnmanTestMsg connman{fuzzed_data_provider.ConsumeIntegral(), fuzzed_data_provider.ConsumeIntegral(), addr_man, - *g_setup->m_node.netgroupman, + netgroupman, Params(), fuzzed_data_provider.ConsumeBool()}; From 552cae243a1bf26bfec03eccd1458f3bf33e01dc Mon Sep 17 00:00:00 2001 From: brunoerg Date: Mon, 5 Feb 2024 15:43:20 -0300 Subject: [PATCH 5/5] fuzz: cover `ASMapHealthCheck` in connman target --- src/test/fuzz/connman.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/test/fuzz/connman.cpp b/src/test/fuzz/connman.cpp index 2537869b3d7c4..f2bf44c76139e 100644 --- a/src/test/fuzz/connman.cpp +++ b/src/test/fuzz/connman.cpp @@ -158,6 +158,7 @@ FUZZ_TARGET(connman, .init = initialize_connman) (void)connman.GetTotalBytesSent(); (void)connman.GetTryNewOutboundPeer(); (void)connman.GetUseAddrmanOutgoing(); + (void)connman.ASMapHealthCheck(); connman.ClearTestNodes(); }