Bitcoin Core 30.99.0
P2P Digital Currency
miniscript.cpp
Go to the documentation of this file.
1// Copyright (c) 2021-present The Bitcoin Core developers
2// Distributed under the MIT software license, see the accompanying
3// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5#include <core_io.h>
6#include <hash.h>
7#include <key.h>
8#include <script/miniscript.h>
9#include <script/script.h>
10#include <script/signingprovider.h>
11#include <test/fuzz/FuzzedDataProvider.h>
12#include <test/fuzz/fuzz.h>
13#include <test/fuzz/util.h>
14#include <test/fuzz/util/descriptor.h>
15#include <util/strencodings.h>
16
17#include <algorithm>
18#include <optional>
19
20namespace {
21
22using Fragment = miniscript::Fragment;
23using Node = miniscript::Node<CPubKey>;
24using Type = miniscript::Type;
25using MsCtx = miniscript::MiniscriptContext;
26using miniscript::operator""_mst;
27
29struct TestData {
30 typedef CPubKey Key;
31
32 // Precomputed public keys, and a dummy signature for each of them.
33 std::vector<Key> dummy_keys;
34 std::map<Key, int> dummy_key_idx_map;
35 std::map<CKeyID, Key> dummy_keys_map;
36 std::map<Key, std::pair<std::vector<unsigned char>, bool>> dummy_sigs;
37 std::map<XOnlyPubKey, std::pair<std::vector<unsigned char>, bool>> schnorr_sigs;
38
39 // Precomputed hashes of each kind.
40 std::vector<std::vector<unsigned char>> sha256;
41 std::vector<std::vector<unsigned char>> ripemd160;
42 std::vector<std::vector<unsigned char>> hash256;
43 std::vector<std::vector<unsigned char>> hash160;
44 std::map<std::vector<unsigned char>, std::vector<unsigned char>> sha256_preimages;
45 std::map<std::vector<unsigned char>, std::vector<unsigned char>> ripemd160_preimages;
46 std::map<std::vector<unsigned char>, std::vector<unsigned char>> hash256_preimages;
47 std::map<std::vector<unsigned char>, std::vector<unsigned char>> hash160_preimages;
48
50 void Init() {
51 unsigned char keydata[32] = {1};
52 // All our signatures sign (and are required to sign) this constant message.
53 constexpr uint256 MESSAGE_HASH{"0000000000000000f5cd94e18b6fe77dd7aca9e35c2b0c9cbd86356c80a71065"};
54 // We don't pass additional randomness when creating a schnorr signature.
55 const auto EMPTY_AUX{uint256::ZERO};
56
57 for (size_t i = 0; i < 256; i++) {
58 keydata[31] = i;
59 CKey privkey;
60 privkey.Set(keydata, keydata + 32, true);
61 const Key pubkey = privkey.GetPubKey();
62
63 dummy_keys.push_back(pubkey);
64 dummy_key_idx_map.emplace(pubkey, i);
65 dummy_keys_map.insert({pubkey.GetID(), pubkey});
66 XOnlyPubKey xonly_pubkey{pubkey};
67 dummy_key_idx_map.emplace(xonly_pubkey, i);
68 uint160 xonly_hash{Hash160(xonly_pubkey)};
69 dummy_keys_map.emplace(xonly_hash, pubkey);
70
71 std::vector<unsigned char> sig, schnorr_sig(64);
72 privkey.Sign(MESSAGE_HASH, sig);
73 sig.push_back(1); // SIGHASH_ALL
74 dummy_sigs.insert({pubkey, {sig, i & 1}});
75 assert(privkey.SignSchnorr(MESSAGE_HASH, schnorr_sig, nullptr, EMPTY_AUX));
76 schnorr_sig.push_back(1); // Maximally-sized signature has sighash byte
77 schnorr_sigs.emplace(XOnlyPubKey{pubkey}, std::make_pair(std::move(schnorr_sig), i & 1));
78
79 std::vector<unsigned char> hash;
80 hash.resize(32);
81 CSHA256().Write(keydata, 32).Finalize(hash.data());
82 sha256.push_back(hash);
83 if (i & 1) sha256_preimages[hash] = std::vector<unsigned char>(keydata, keydata + 32);
84 CHash256().Write(keydata).Finalize(hash);
85 hash256.push_back(hash);
86 if (i & 1) hash256_preimages[hash] = std::vector<unsigned char>(keydata, keydata + 32);
87 hash.resize(20);
88 CRIPEMD160().Write(keydata, 32).Finalize(hash.data());
89 assert(hash.size() == 20);
90 ripemd160.push_back(hash);
91 if (i & 1) ripemd160_preimages[hash] = std::vector<unsigned char>(keydata, keydata + 32);
92 CHash160().Write(keydata).Finalize(hash);
93 hash160.push_back(hash);
94 if (i & 1) hash160_preimages[hash] = std::vector<unsigned char>(keydata, keydata + 32);
95 }
96 }
97
99 const std::pair<std::vector<unsigned char>, bool>* GetSig(const MsCtx script_ctx, const Key& key) const {
100 if (!miniscript::IsTapscript(script_ctx)) {
101 const auto it = dummy_sigs.find(key);
102 if (it == dummy_sigs.end()) return nullptr;
103 return &it->second;
104 } else {
105 const auto it = schnorr_sigs.find(XOnlyPubKey{key});
106 if (it == schnorr_sigs.end()) return nullptr;
107 return &it->second;
108 }
109 }
110} TEST_DATA;
111
117struct ParserContext {
118 typedef CPubKey Key;
119
120 const MsCtx script_ctx;
121
122 constexpr ParserContext(MsCtx ctx) noexcept : script_ctx(ctx) {}
123
124 bool KeyCompare(const Key& a, const Key& b) const {
125 return a < b;
126 }
127
128 std::optional<std::string> ToString(const Key& key, bool& has_priv_key) const
129 {
130 has_priv_key = false;
131 auto it = TEST_DATA.dummy_key_idx_map.find(key);
132 if (it == TEST_DATA.dummy_key_idx_map.end()) {
133 return HexStr(key);
134 }
135 has_priv_key = true;
136 uint8_t idx = it->second;
137 return HexStr(std::span{&idx, 1});
138 }
139
140 std::vector<unsigned char> ToPKBytes(const Key& key) const {
141 if (!miniscript::IsTapscript(script_ctx)) {
142 return {key.begin(), key.end()};
143 }
144 const XOnlyPubKey xonly_pubkey{key};
145 return {xonly_pubkey.begin(), xonly_pubkey.end()};
146 }
147
148 std::vector<unsigned char> ToPKHBytes(const Key& key) const {
149 if (!miniscript::IsTapscript(script_ctx)) {
150 const auto h = Hash160(key);
151 return {h.begin(), h.end()};
152 }
153 const auto h = Hash160(XOnlyPubKey{key});
154 return {h.begin(), h.end()};
155 }
156
157 template<typename I>
158 std::optional<Key> FromString(I first, I last) const {
159 if (last - first != 2) return {};
160 auto idx = ParseHex(std::string(first, last));
161 if (idx.size() != 1) return {};
162 return TEST_DATA.dummy_keys[idx[0]];
163 }
164
165 template<typename I>
166 std::optional<Key> FromPKBytes(I first, I last) const {
167 if (!miniscript::IsTapscript(script_ctx)) {
168 Key key{first, last};
169 if (key.IsValid()) return key;
170 return {};
171 }
172 if (last - first != 32) return {};
173 XOnlyPubKey xonly_pubkey;
174 std::copy(first, last, xonly_pubkey.begin());
175 return xonly_pubkey.GetEvenCorrespondingCPubKey();
176 }
177
178 template<typename I>
179 std::optional<Key> FromPKHBytes(I first, I last) const {
180 assert(last - first == 20);
181 CKeyID keyid;
182 std::copy(first, last, keyid.begin());
183 const auto it = TEST_DATA.dummy_keys_map.find(keyid);
184 if (it == TEST_DATA.dummy_keys_map.end()) return {};
185 return it->second;
186 }
187
188 MsCtx MsContext() const {
189 return script_ctx;
190 }
191};
192
194struct ScriptParserContext {
195 const MsCtx script_ctx;
196
197 constexpr ScriptParserContext(MsCtx ctx) noexcept : script_ctx(ctx) {}
198
200 struct Key {
201 bool is_hash;
202 std::vector<unsigned char> data;
203 };
204
205 bool KeyCompare(const Key& a, const Key& b) const {
206 return a.data < b.data;
207 }
208
209 const std::vector<unsigned char>& ToPKBytes(const Key& key) const
210 {
211 assert(!key.is_hash);
212 return key.data;
213 }
214
215 std::vector<unsigned char> ToPKHBytes(const Key& key) const
216 {
217 if (key.is_hash) return key.data;
218 const auto h = Hash160(key.data);
219 return {h.begin(), h.end()};
220 }
221
222 template<typename I>
223 std::optional<Key> FromPKBytes(I first, I last) const
224 {
225 Key key;
226 key.data.assign(first, last);
227 key.is_hash = false;
228 return key;
229 }
230
231 template<typename I>
232 std::optional<Key> FromPKHBytes(I first, I last) const
233 {
234 Key key;
235 key.data.assign(first, last);
236 key.is_hash = true;
237 return key;
238 }
239
240 MsCtx MsContext() const {
241 return script_ctx;
242 }
243};
244
246struct SatisfierContext : ParserContext {
247
248 constexpr SatisfierContext(MsCtx ctx) noexcept : ParserContext(ctx) {}
249
250 // Timelock challenges satisfaction. Make the value (deterministically) vary to explore different
251 // paths.
252 bool CheckAfter(uint32_t value) const { return value % 2; }
253 bool CheckOlder(uint32_t value) const { return value % 2; }
254
255 // Signature challenges fulfilled with a dummy signature, if it was one of our dummy keys.
256 miniscript::Availability Sign(const CPubKey& key, std::vector<unsigned char>& sig) const {
257 bool sig_available{false};
258 if (auto res = TEST_DATA.GetSig(script_ctx, key)) {
259 std::tie(sig, sig_available) = *res;
260 }
261 return sig_available ? miniscript::Availability::YES : miniscript::Availability::NO;
262 }
263
265 miniscript::Availability LookupHash(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage,
266 const std::map<std::vector<unsigned char>, std::vector<unsigned char>>& map) const
267 {
268 const auto it = map.find(hash);
269 if (it == map.end()) return miniscript::Availability::NO;
270 preimage = it->second;
271 return miniscript::Availability::YES;
272 }
273 miniscript::Availability SatSHA256(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const {
274 return LookupHash(hash, preimage, TEST_DATA.sha256_preimages);
275 }
276 miniscript::Availability SatRIPEMD160(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const {
277 return LookupHash(hash, preimage, TEST_DATA.ripemd160_preimages);
278 }
279 miniscript::Availability SatHASH256(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const {
280 return LookupHash(hash, preimage, TEST_DATA.hash256_preimages);
281 }
282 miniscript::Availability SatHASH160(const std::vector<unsigned char>& hash, std::vector<unsigned char>& preimage) const {
283 return LookupHash(hash, preimage, TEST_DATA.hash160_preimages);
284 }
285};
286
288const struct CheckerContext: BaseSignatureChecker {
289 // Signature checker methods. Checks the right dummy signature is used.
290 bool CheckECDSASignature(const std::vector<unsigned char>& sig, const std::vector<unsigned char>& vchPubKey,
291 const CScript& scriptCode, SigVersion sigversion) const override
292 {
293 const CPubKey key{vchPubKey};
294 const auto it = TEST_DATA.dummy_sigs.find(key);
295 if (it == TEST_DATA.dummy_sigs.end()) return false;
296 return it->second.first == sig;
297 }
298 bool CheckSchnorrSignature(std::span<const unsigned char> sig, std::span<const unsigned char> pubkey, SigVersion,
299 ScriptExecutionData&, ScriptError*) const override {
300 XOnlyPubKey pk{pubkey};
301 auto it = TEST_DATA.schnorr_sigs.find(pk);
302 if (it == TEST_DATA.schnorr_sigs.end()) return false;
303 return std::ranges::equal(it->second.first, sig);
304 }
305 bool CheckLockTime(const CScriptNum& nLockTime) const override { return nLockTime.GetInt64() & 1; }
306 bool CheckSequence(const CScriptNum& nSequence) const override { return nSequence.GetInt64() & 1; }
307} CHECKER_CTX;
308
310const struct KeyComparator {
311 bool KeyCompare(const CPubKey& a, const CPubKey& b) const {
312 return a < b;
313 }
314} KEY_COMP;
315
316// A dummy scriptsig to pass to VerifyScript (we always use Segwit v0).
317const CScript DUMMY_SCRIPTSIG;
318
320struct NodeInfo {
322 Fragment fragment;
324 uint32_t k;
326 std::vector<CPubKey> keys;
328 std::vector<unsigned char> hash;
330 std::vector<Type> subtypes;
331
332 NodeInfo(Fragment frag): fragment(frag), k(0) {}
333 NodeInfo(Fragment frag, CPubKey key): fragment(frag), k(0), keys({key}) {}
334 NodeInfo(Fragment frag, uint32_t _k): fragment(frag), k(_k) {}
335 NodeInfo(Fragment frag, std::vector<unsigned char> h): fragment(frag), k(0), hash(std::move(h)) {}
336 NodeInfo(std::vector<Type> subt, Fragment frag): fragment(frag), k(0), subtypes(std::move(subt)) {}
337 NodeInfo(std::vector<Type> subt, Fragment frag, uint32_t _k): fragment(frag), k(_k), subtypes(std::move(subt)) {}
338 NodeInfo(Fragment frag, uint32_t _k, std::vector<CPubKey> _keys): fragment(frag), k(_k), keys(std::move(_keys)) {}
339};
340
342template<typename T, typename A>
343T ConsumeIndex(FuzzedDataProvider& provider, A& col) {
344 const uint8_t i = provider.ConsumeIntegral<uint8_t>();
345 return col[i];
346}
347
348CPubKey ConsumePubKey(FuzzedDataProvider& provider) {
349 return ConsumeIndex<CPubKey>(provider, TEST_DATA.dummy_keys);
350}
351
352std::vector<unsigned char> ConsumeSha256(FuzzedDataProvider& provider) {
353 return ConsumeIndex<std::vector<unsigned char>>(provider, TEST_DATA.sha256);
354}
355
356std::vector<unsigned char> ConsumeHash256(FuzzedDataProvider& provider) {
357 return ConsumeIndex<std::vector<unsigned char>>(provider, TEST_DATA.hash256);
358}
359
360std::vector<unsigned char> ConsumeRipemd160(FuzzedDataProvider& provider) {
361 return ConsumeIndex<std::vector<unsigned char>>(provider, TEST_DATA.ripemd160);
362}
363
364std::vector<unsigned char> ConsumeHash160(FuzzedDataProvider& provider) {
365 return ConsumeIndex<std::vector<unsigned char>>(provider, TEST_DATA.hash160);
366}
367
368std::optional<uint32_t> ConsumeTimeLock(FuzzedDataProvider& provider) {
369 const uint32_t k = provider.ConsumeIntegral<uint32_t>();
370 if (k == 0 || k >= 0x80000000) return {};
371 return k;
372}
373
388std::optional<NodeInfo> ConsumeNodeStable(MsCtx script_ctx, FuzzedDataProvider& provider, Type type_needed) {
389 bool allow_B = (type_needed == ""_mst) || (type_needed << "B"_mst);
390 bool allow_K = (type_needed == ""_mst) || (type_needed << "K"_mst);
391 bool allow_V = (type_needed == ""_mst) || (type_needed << "V"_mst);
392 bool allow_W = (type_needed == ""_mst) || (type_needed << "W"_mst);
393
394 switch (provider.ConsumeIntegral<uint8_t>()) {
395 case 0:
396 if (!allow_B) return {};
397 return {{Fragment::JUST_0}};
398 case 1:
399 if (!allow_B) return {};
400 return {{Fragment::JUST_1}};
401 case 2:
402 if (!allow_K) return {};
403 return {{Fragment::PK_K, ConsumePubKey(provider)}};
404 case 3:
405 if (!allow_K) return {};
406 return {{Fragment::PK_H, ConsumePubKey(provider)}};
407 case 4: {
408 if (!allow_B) return {};
409 const auto k = ConsumeTimeLock(provider);
410 if (!k) return {};
411 return {{Fragment::OLDER, *k}};
412 }
413 case 5: {
414 if (!allow_B) return {};
415 const auto k = ConsumeTimeLock(provider);
416 if (!k) return {};
417 return {{Fragment::AFTER, *k}};
418 }
419 case 6:
420 if (!allow_B) return {};
421 return {{Fragment::SHA256, ConsumeSha256(provider)}};
422 case 7:
423 if (!allow_B) return {};
424 return {{Fragment::HASH256, ConsumeHash256(provider)}};
425 case 8:
426 if (!allow_B) return {};
427 return {{Fragment::RIPEMD160, ConsumeRipemd160(provider)}};
428 case 9:
429 if (!allow_B) return {};
430 return {{Fragment::HASH160, ConsumeHash160(provider)}};
431 case 10: {
432 if (!allow_B || IsTapscript(script_ctx)) return {};
433 const auto k = provider.ConsumeIntegral<uint8_t>();
434 const auto n_keys = provider.ConsumeIntegral<uint8_t>();
435 if (n_keys > 20 || k == 0 || k > n_keys) return {};
436 std::vector<CPubKey> keys{n_keys};
437 for (auto& key: keys) key = ConsumePubKey(provider);
438 return {{Fragment::MULTI, k, std::move(keys)}};
439 }
440 case 11:
441 if (!(allow_B || allow_K || allow_V)) return {};
442 return {{{"B"_mst, type_needed, type_needed}, Fragment::ANDOR}};
443 case 12:
444 if (!(allow_B || allow_K || allow_V)) return {};
445 return {{{"V"_mst, type_needed}, Fragment::AND_V}};
446 case 13:
447 if (!allow_B) return {};
448 return {{{"B"_mst, "W"_mst}, Fragment::AND_B}};
449 case 15:
450 if (!allow_B) return {};
451 return {{{"B"_mst, "W"_mst}, Fragment::OR_B}};
452 case 16:
453 if (!allow_V) return {};
454 return {{{"B"_mst, "V"_mst}, Fragment::OR_C}};
455 case 17:
456 if (!allow_B) return {};
457 return {{{"B"_mst, "B"_mst}, Fragment::OR_D}};
458 case 18:
459 if (!(allow_B || allow_K || allow_V)) return {};
460 return {{{type_needed, type_needed}, Fragment::OR_I}};
461 case 19: {
462 if (!allow_B) return {};
463 auto k = provider.ConsumeIntegral<uint8_t>();
464 auto n_subs = provider.ConsumeIntegral<uint8_t>();
465 if (k == 0 || k > n_subs) return {};
466 std::vector<Type> subtypes;
467 subtypes.reserve(n_subs);
468 subtypes.emplace_back("B"_mst);
469 for (size_t i = 1; i < n_subs; ++i) subtypes.emplace_back("W"_mst);
470 return {{std::move(subtypes), Fragment::THRESH, k}};
471 }
472 case 20:
473 if (!allow_W) return {};
474 return {{{"B"_mst}, Fragment::WRAP_A}};
475 case 21:
476 if (!allow_W) return {};
477 return {{{"B"_mst}, Fragment::WRAP_S}};
478 case 22:
479 if (!allow_B) return {};
480 return {{{"K"_mst}, Fragment::WRAP_C}};
481 case 23:
482 if (!allow_B) return {};
483 return {{{"V"_mst}, Fragment::WRAP_D}};
484 case 24:
485 if (!allow_V) return {};
486 return {{{"B"_mst}, Fragment::WRAP_V}};
487 case 25:
488 if (!allow_B) return {};
489 return {{{"B"_mst}, Fragment::WRAP_J}};
490 case 26:
491 if (!allow_B) return {};
492 return {{{"B"_mst}, Fragment::WRAP_N}};
493 case 27: {
494 if (!allow_B || !IsTapscript(script_ctx)) return {};
495 const auto k = provider.ConsumeIntegral<uint16_t>();
496 const auto n_keys = provider.ConsumeIntegral<uint16_t>();
497 if (n_keys > 999 || k == 0 || k > n_keys) return {};
498 std::vector<CPubKey> keys{n_keys};
499 for (auto& key: keys) key = ConsumePubKey(provider);
500 return {{Fragment::MULTI_A, k, std::move(keys)}};
501 }
502 default:
503 break;
504 }
505 return {};
506}
507
508/* This structure contains a table which for each "target" Type a list of recipes
509 * to construct it, automatically inferred from the behavior of ComputeType.
510 * Note that the Types here are not the final types of the constructed Nodes, but
511 * just the subset that are required. For example, a recipe for the "Bo" type
512 * might construct a "Bondu" sha256() NodeInfo, but cannot construct a "Bz" older().
513 * Each recipe is a Fragment together with a list of required types for its subnodes.
514 */
515struct SmartInfo
516{
517 using recipe = std::pair<Fragment, std::vector<Type>>;
518 std::map<Type, std::vector<recipe>> wsh_table, tap_table;
519
520 void Init()
521 {
522 Init(wsh_table, MsCtx::P2WSH);
523 Init(tap_table, MsCtx::TAPSCRIPT);
524 }
525
526 void Init(std::map<Type, std::vector<recipe>>& table, MsCtx script_ctx)
527 {
528 /* Construct a set of interesting type requirements to reason with (sections of BKVWzondu). */
529 std::vector<Type> types;
530 for (int base = 0; base < 4; ++base) { /* select from B,K,V,W */
531 Type type_base = base == 0 ? "B"_mst : base == 1 ? "K"_mst : base == 2 ? "V"_mst : "W"_mst;
532 for (int zo = 0; zo < 3; ++zo) { /* select from z,o,(none) */
533 Type type_zo = zo == 0 ? "z"_mst : zo == 1 ? "o"_mst : ""_mst;
534 for (int n = 0; n < 2; ++n) { /* select from (none),n */
535 if (zo == 0 && n == 1) continue; /* z conflicts with n */
536 if (base == 3 && n == 1) continue; /* W conflicts with n */
537 Type type_n = n == 0 ? ""_mst : "n"_mst;
538 for (int d = 0; d < 2; ++d) { /* select from (none),d */
539 if (base == 2 && d == 1) continue; /* V conflicts with d */
540 Type type_d = d == 0 ? ""_mst : "d"_mst;
541 for (int u = 0; u < 2; ++u) { /* select from (none),u */
542 if (base == 2 && u == 1) continue; /* V conflicts with u */
543 Type type_u = u == 0 ? ""_mst : "u"_mst;
544 Type type = type_base | type_zo | type_n | type_d | type_u;
545 types.push_back(type);
546 }
547 }
548 }
549 }
550 }
551
552 /* We define a recipe a to be a super-recipe of recipe b if they use the same
553 * fragment, the same number of subexpressions, and each of a's subexpression
554 * types is a supertype of the corresponding subexpression type of b.
555 * Within the set of recipes for the construction of a given type requirement,
556 * no recipe should be a super-recipe of another (as the super-recipe is
557 * applicable in every place the sub-recipe is, the sub-recipe is redundant). */
558 auto is_super_of = [](const recipe& a, const recipe& b) {
559 if (a.first != b.first) return false;
560 if (a.second.size() != b.second.size()) return false;
561 for (size_t i = 0; i < a.second.size(); ++i) {
562 if (!(b.second[i] << a.second[i])) return false;
563 }
564 return true;
565 };
566
567 /* Sort the type requirements. Subtypes will always sort later (e.g. Bondu will
568 * sort after Bo or Bu). As we'll be constructing recipes using these types, in
569 * order, in what follows, we'll construct super-recipes before sub-recipes.
570 * That means we never need to go back and delete a sub-recipe because a
571 * super-recipe got added. */
572 std::sort(types.begin(), types.end());
573
574 // Iterate over all possible fragments.
575 for (int fragidx = 0; fragidx <= int(Fragment::MULTI_A); ++fragidx) {
576 int sub_count = 0;
577 int sub_range = 1;
578 size_t data_size = 0;
579 size_t n_keys = 0;
580 uint32_t k = 0;
581 Fragment frag{fragidx};
582
583 // Only produce recipes valid in the given context.
584 if ((!miniscript::IsTapscript(script_ctx) && frag == Fragment::MULTI_A)
585 || (miniscript::IsTapscript(script_ctx) && frag == Fragment::MULTI)) {
586 continue;
587 }
588
589 // Based on the fragment, determine #subs/data/k/keys to pass to ComputeType. */
590 switch (frag) {
591 case Fragment::PK_K:
592 case Fragment::PK_H:
593 n_keys = 1;
594 break;
595 case Fragment::MULTI:
596 case Fragment::MULTI_A:
597 n_keys = 1;
598 k = 1;
599 break;
600 case Fragment::OLDER:
601 case Fragment::AFTER:
602 k = 1;
603 break;
604 case Fragment::SHA256:
605 case Fragment::HASH256:
606 data_size = 32;
607 break;
608 case Fragment::RIPEMD160:
609 case Fragment::HASH160:
610 data_size = 20;
611 break;
612 case Fragment::JUST_0:
613 case Fragment::JUST_1:
614 break;
615 case Fragment::WRAP_A:
616 case Fragment::WRAP_S:
617 case Fragment::WRAP_C:
618 case Fragment::WRAP_D:
619 case Fragment::WRAP_V:
620 case Fragment::WRAP_J:
621 case Fragment::WRAP_N:
622 sub_count = 1;
623 break;
624 case Fragment::AND_V:
625 case Fragment::AND_B:
626 case Fragment::OR_B:
627 case Fragment::OR_C:
628 case Fragment::OR_D:
629 case Fragment::OR_I:
630 sub_count = 2;
631 break;
632 case Fragment::ANDOR:
633 sub_count = 3;
634 break;
635 case Fragment::THRESH:
636 // Thresh logic is executed for 1 and 2 arguments. Larger numbers use ad-hoc code to extend.
637 sub_count = 1;
638 sub_range = 2;
639 k = 1;
640 break;
641 }
642
643 // Iterate over the number of subnodes (sub_count...sub_count+sub_range-1).
644 std::vector<Type> subt;
645 for (int subs = sub_count; subs < sub_count + sub_range; ++subs) {
646 // Iterate over the possible subnode types (at most 3).
647 for (Type x : types) {
648 for (Type y : types) {
649 for (Type z : types) {
650 // Compute the resulting type of a node with the selected fragment / subnode types.
651 subt.clear();
652 if (subs > 0) subt.push_back(x);
653 if (subs > 1) subt.push_back(y);
654 if (subs > 2) subt.push_back(z);
655 Type res = miniscript::internal::ComputeType(frag, x, y, z, subt, k, data_size, subs, n_keys, script_ctx);
656 // Continue if the result is not a valid node.
657 if ((res << "K"_mst) + (res << "V"_mst) + (res << "B"_mst) + (res << "W"_mst) != 1) continue;
658
659 recipe entry{frag, subt};
660 auto super_of_entry = [&](const recipe& rec) { return is_super_of(rec, entry); };
661 // Iterate over all supertypes of res (because if e.g. our selected fragment/subnodes result
662 // in a Bondu, they can form a recipe that is also applicable for constructing a B, Bou, Bdu, ...).
663 for (Type s : types) {
664 if ((res & "BKVWzondu"_mst) << s) {
665 auto& recipes = table[s];
666 // If we don't already have a super-recipe to the new one, add it.
667 if (!std::any_of(recipes.begin(), recipes.end(), super_of_entry)) {
668 recipes.push_back(entry);
669 }
670 }
671 }
672
673 if (subs <= 2) break;
674 }
675 if (subs <= 1) break;
676 }
677 if (subs <= 0) break;
678 }
679 }
680 }
681
682 /* Find which types are useful. The fuzzer logic only cares about constructing
683 * B,V,K,W nodes, so any type that isn't needed in any recipe (directly or
684 * indirectly) for the construction of those is uninteresting. */
685 std::set<Type> useful_types{"B"_mst, "V"_mst, "K"_mst, "W"_mst};
686 // Find the transitive closure by adding types until the set of types does not change.
687 while (true) {
688 size_t set_size = useful_types.size();
689 for (const auto& [type, recipes] : table) {
690 if (useful_types.contains(type)) {
691 for (const auto& [_, subtypes] : recipes) {
692 for (auto subtype : subtypes) useful_types.insert(subtype);
693 }
694 }
695 }
696 if (useful_types.size() == set_size) break;
697 }
698 // Remove all rules that construct uninteresting types.
699 for (auto type_it = table.begin(); type_it != table.end();) {
700 if (!useful_types.contains(type_it->first)) {
701 type_it = table.erase(type_it);
702 } else {
703 ++type_it;
704 }
705 }
706
707 /* Find which types are constructible. A type is constructible if there is a leaf
708 * node recipe for constructing it, or a recipe whose subnodes are all constructible.
709 * Types can be non-constructible because they have no recipes to begin with,
710 * because they can only be constructed using recipes that involve otherwise
711 * non-constructible types, or because they require infinite recursion. */
712 std::set<Type> constructible_types{};
713 auto known_constructible = [&](Type type) { return constructible_types.contains(type); };
714 // Find the transitive closure by adding types until the set of types does not change.
715 while (true) {
716 size_t set_size = constructible_types.size();
717 // Iterate over all types we have recipes for.
718 for (const auto& [type, recipes] : table) {
719 if (!known_constructible(type)) {
720 // For not (yet known to be) constructible types, iterate over their recipes.
721 for (const auto& [_, subt] : recipes) {
722 // If any recipe involves only (already known to be) constructible types,
723 // add the recipe's type to the set.
724 if (std::all_of(subt.begin(), subt.end(), known_constructible)) {
725 constructible_types.insert(type);
726 break;
727 }
728 }
729 }
730 }
731 if (constructible_types.size() == set_size) break;
732 }
733 for (auto type_it = table.begin(); type_it != table.end();) {
734 // Remove all recipes which involve non-constructible types.
735 type_it->second.erase(std::remove_if(type_it->second.begin(), type_it->second.end(),
736 [&](const recipe& rec) {
737 return !std::all_of(rec.second.begin(), rec.second.end(), known_constructible);
738 }), type_it->second.end());
739 // Delete types entirely which have no recipes left.
740 if (type_it->second.empty()) {
741 type_it = table.erase(type_it);
742 } else {
743 ++type_it;
744 }
745 }
746
747 for (auto& [type, recipes] : table) {
748 // Sort recipes for determinism, and place those using fewer subnodes first.
749 // This avoids runaway expansion (when reaching the end of the fuzz input,
750 // all zeroes are read, resulting in the first available recipe being picked).
751 std::sort(recipes.begin(), recipes.end(),
752 [](const recipe& a, const recipe& b) {
753 if (a.second.size() < b.second.size()) return true;
754 if (a.second.size() > b.second.size()) return false;
755 return a < b;
756 }
757 );
758 }
759 }
760} SMARTINFO;
761
772std::optional<NodeInfo> ConsumeNodeSmart(MsCtx script_ctx, FuzzedDataProvider& provider, Type type_needed) {
774 const auto& table{IsTapscript(script_ctx) ? SMARTINFO.tap_table : SMARTINFO.wsh_table};
775 auto recipes_it = table.find(type_needed);
776 assert(recipes_it != table.end());
778 const auto& [frag, subt] = PickValue(provider, recipes_it->second);
779
780 // Based on the fragment the recipe uses, fill in other data (k, keys, data).
781 switch (frag) {
782 case Fragment::PK_K:
783 case Fragment::PK_H:
784 return {{frag, ConsumePubKey(provider)}};
785 case Fragment::MULTI: {
786 const auto n_keys = provider.ConsumeIntegralInRange<uint8_t>(1, 20);
787 const auto k = provider.ConsumeIntegralInRange<uint8_t>(1, n_keys);
788 std::vector<CPubKey> keys{n_keys};
789 for (auto& key: keys) key = ConsumePubKey(provider);
790 return {{frag, k, std::move(keys)}};
791 }
792 case Fragment::MULTI_A: {
793 const auto n_keys = provider.ConsumeIntegralInRange<uint16_t>(1, 999);
794 const auto k = provider.ConsumeIntegralInRange<uint16_t>(1, n_keys);
795 std::vector<CPubKey> keys{n_keys};
796 for (auto& key: keys) key = ConsumePubKey(provider);
797 return {{frag, k, std::move(keys)}};
798 }
799 case Fragment::OLDER:
800 case Fragment::AFTER:
801 return {{frag, provider.ConsumeIntegralInRange<uint32_t>(1, 0x7FFFFFF)}};
802 case Fragment::SHA256:
803 return {{frag, PickValue(provider, TEST_DATA.sha256)}};
804 case Fragment::HASH256:
805 return {{frag, PickValue(provider, TEST_DATA.hash256)}};
806 case Fragment::RIPEMD160:
807 return {{frag, PickValue(provider, TEST_DATA.ripemd160)}};
808 case Fragment::HASH160:
809 return {{frag, PickValue(provider, TEST_DATA.hash160)}};
810 case Fragment::JUST_0:
811 case Fragment::JUST_1:
812 case Fragment::WRAP_A:
813 case Fragment::WRAP_S:
814 case Fragment::WRAP_C:
815 case Fragment::WRAP_D:
816 case Fragment::WRAP_V:
817 case Fragment::WRAP_J:
818 case Fragment::WRAP_N:
819 case Fragment::AND_V:
820 case Fragment::AND_B:
821 case Fragment::OR_B:
822 case Fragment::OR_C:
823 case Fragment::OR_D:
824 case Fragment::OR_I:
825 case Fragment::ANDOR:
826 return {{subt, frag}};
827 case Fragment::THRESH: {
828 uint32_t children;
829 if (subt.size() < 2) {
830 children = subt.size();
831 } else {
832 // If we hit a thresh with 2 subnodes, artificially extend it to any number
833 // (2 or larger) by replicating the type of the last subnode.
834 children = provider.ConsumeIntegralInRange<uint32_t>(2, MAX_OPS_PER_SCRIPT / 2);
835 }
836 auto k = provider.ConsumeIntegralInRange<uint32_t>(1, children);
837 std::vector<Type> subs = subt;
838 while (subs.size() < children) subs.push_back(subs.back());
839 return {{std::move(subs), frag, k}};
840 }
841 }
842
843 assert(false);
844}
845
854template <typename F>
855std::optional<Node> GenNode(MsCtx script_ctx, F ConsumeNode, Type root_type, bool strict_valid = false)
856{
858 std::vector<Node> stack;
860 std::vector<std::pair<Type, std::optional<NodeInfo>>> todo{{root_type, {}}};
862 uint32_t ops{0};
865 uint32_t scriptsize{1};
866
867 while (!todo.empty()) {
868 // The expected type we have to construct.
869 auto type_needed = todo.back().first;
870 if (!todo.back().second) {
871 // Fragment/children have not been decided yet. Decide them.
872 auto node_info = ConsumeNode(type_needed);
873 if (!node_info) return {};
874 // Update predicted resource limits. Since every leaf Miniscript node is at least one
875 // byte long, we move one byte from each child to their parent. A similar technique is
876 // used in the miniscript::internal::Parse function to prevent runaway string parsing.
877 scriptsize += miniscript::internal::ComputeScriptLen(node_info->fragment, ""_mst, node_info->subtypes.size(), node_info->k, node_info->subtypes.size(),
878 node_info->keys.size(), script_ctx) - 1;
879 if (scriptsize > MAX_STANDARD_P2WSH_SCRIPT_SIZE) return {};
880 switch (node_info->fragment) {
881 case Fragment::JUST_0:
882 case Fragment::JUST_1:
883 break;
884 case Fragment::PK_K:
885 break;
886 case Fragment::PK_H:
887 ops += 3;
888 break;
889 case Fragment::OLDER:
890 case Fragment::AFTER:
891 ops += 1;
892 break;
893 case Fragment::RIPEMD160:
894 case Fragment::SHA256:
895 case Fragment::HASH160:
896 case Fragment::HASH256:
897 ops += 4;
898 break;
899 case Fragment::ANDOR:
900 ops += 3;
901 break;
902 case Fragment::AND_V:
903 break;
904 case Fragment::AND_B:
905 case Fragment::OR_B:
906 ops += 1;
907 break;
908 case Fragment::OR_C:
909 ops += 2;
910 break;
911 case Fragment::OR_D:
912 ops += 3;
913 break;
914 case Fragment::OR_I:
915 ops += 3;
916 break;
917 case Fragment::THRESH:
918 ops += node_info->subtypes.size();
919 break;
920 case Fragment::MULTI:
921 ops += 1;
922 break;
923 case Fragment::MULTI_A:
924 ops += node_info->keys.size() + 1;
925 break;
926 case Fragment::WRAP_A:
927 ops += 2;
928 break;
929 case Fragment::WRAP_S:
930 ops += 1;
931 break;
932 case Fragment::WRAP_C:
933 ops += 1;
934 break;
935 case Fragment::WRAP_D:
936 ops += 3;
937 break;
938 case Fragment::WRAP_V:
939 // We don't account for OP_VERIFY here; that will be corrected for when the actual
940 // node is constructed below.
941 break;
942 case Fragment::WRAP_J:
943 ops += 4;
944 break;
945 case Fragment::WRAP_N:
946 ops += 1;
947 break;
948 }
949 if (ops > MAX_OPS_PER_SCRIPT) return {};
950 auto subtypes = node_info->subtypes;
951 todo.back().second = std::move(node_info);
952 todo.reserve(todo.size() + subtypes.size());
953 // As elements on the todo stack are processed back to front, construct
954 // them in reverse order (so that the first subnode is generated first).
955 for (size_t i = 0; i < subtypes.size(); ++i) {
956 todo.emplace_back(*(subtypes.rbegin() + i), std::nullopt);
957 }
958 } else {
959 // The back of todo has fragment and number of children decided, and
960 // those children have been constructed at the back of stack. Pop
961 // that entry off todo, and use it to construct a new Node on
962 // stack.
963 NodeInfo& info = *todo.back().second;
964 // Gather children from the back of stack.
965 std::vector<Node> sub;
966 sub.reserve(info.subtypes.size());
967 for (size_t i = 0; i < info.subtypes.size(); ++i) {
968 sub.push_back(std::move(*(stack.end() - info.subtypes.size() + i)));
969 }
970 stack.erase(stack.end() - info.subtypes.size(), stack.end());
971 // Construct new Node.
972 Node node{[&] {
973 if (info.keys.empty()) {
974 return Node{miniscript::internal::NoDupCheck{}, script_ctx, info.fragment, std::move(sub), std::move(info.hash), info.k};
975 }
976 assert(sub.empty());
977 assert(info.hash.empty());
978 return Node{miniscript::internal::NoDupCheck{}, script_ctx, info.fragment, std::move(info.keys), info.k};
979 }()};
980 // Verify acceptability.
981 if ((node.GetType() & "KVWB"_mst) == ""_mst) {
982 assert(!strict_valid);
983 return {};
984 }
985 if (!(type_needed == ""_mst)) {
986 assert(node.GetType() << type_needed);
987 }
988 if (!node.IsValid()) return {};
989 // Update resource predictions.
990 if (node.Fragment() == Fragment::WRAP_V && node.Subs()[0].GetType() << "x"_mst) {
991 ops += 1;
992 scriptsize += 1;
993 }
994 if (!miniscript::IsTapscript(script_ctx) && ops > MAX_OPS_PER_SCRIPT) return {};
995 if (scriptsize > miniscript::internal::MaxScriptSize(script_ctx)) {
996 return {};
997 }
998 // Move it to the stack.
999 stack.push_back(std::move(node));
1000 todo.pop_back();
1001 }
1002 }
1003 assert(stack.size() == 1);
1004 assert(stack[0].GetStaticOps() == ops);
1005 assert(stack[0].ScriptSize() == scriptsize);
1006 stack[0].DuplicateKeyCheck(KEY_COMP);
1007 return std::move(stack[0]);
1008}
1009
1011CScript ScriptPubKey(MsCtx ctx, const CScript& script, TaprootBuilder& builder)
1012{
1013 if (!miniscript::IsTapscript(ctx)) return CScript() << OP_0 << WitnessV0ScriptHash(script);
1014
1015 // For Taproot outputs we always use a tree with a single script and a dummy internal key.
1016 builder.Add(0, script, TAPROOT_LEAF_TAPSCRIPT);
1017 builder.Finalize(XOnlyPubKey::NUMS_H);
1018 return GetScriptForDestination(builder.GetOutput());
1019}
1020
1022void SatisfactionToWitness(MsCtx ctx, CScriptWitness& witness, const CScript& script, TaprootBuilder& builder) {
1023 // For P2WSH, it's only the witness script.
1024 witness.stack.emplace_back(script.begin(), script.end());
1025 if (!miniscript::IsTapscript(ctx)) return;
1026 // For Tapscript we also need the control block.
1027 witness.stack.push_back(*builder.GetSpendData().scripts.begin()->second.begin());
1028}
1029
1031void TestNode(const MsCtx script_ctx, const std::optional<Node>& node, FuzzedDataProvider& provider)
1032{
1033 if (!node) return;
1034
1035 // Check that it roundtrips to text representation
1036 const ParserContext parser_ctx{script_ctx};
1037 std::optional<std::string> str{node->ToString(parser_ctx)};
1038 assert(str);
1039 auto parsed = miniscript::FromString(*str, parser_ctx);
1040 assert(parsed);
1041 assert(*parsed == *node);
1042
1043 // Check consistency between script size estimation and real size.
1044 auto script = node->ToScript(parser_ctx);
1045 assert(node->ScriptSize() == script.size());
1046
1047 // Check consistency of "x" property with the script (type K is excluded, because it can end
1048 // with a push of a key, which could match these opcodes).
1049 if (!(node->GetType() << "K"_mst)) {
1050 bool ends_in_verify = !(node->GetType() << "x"_mst);
1051 assert(ends_in_verify == (script.back() == OP_CHECKSIG || script.back() == OP_CHECKMULTISIG || script.back() == OP_EQUAL || script.back() == OP_NUMEQUAL));
1052 }
1053
1054 // The rest of the checks only apply when testing a valid top-level script.
1055 if (!node->IsValidTopLevel()) return;
1056
1057 // Check roundtrip to script
1058 auto decoded = miniscript::FromScript(script, parser_ctx);
1059 assert(decoded);
1060 // Note we can't use *decoded == *node because the miniscript representation may differ, so we check that:
1061 // - The script corresponding to that decoded form matches exactly
1062 // - The type matches exactly
1063 assert(decoded->ToScript(parser_ctx) == script);
1064 assert(decoded->GetType() == node->GetType());
1065
1066 // Optionally pad the script or the witness in order to increase the sensitivity of the tests of
1067 // the resources limits logic.
1068 CScriptWitness witness_mal, witness_nonmal;
1069 if (provider.ConsumeBool()) {
1070 // Under P2WSH, optionally pad the script with OP_NOPs to max op the ops limit of the constructed script.
1071 // This makes the script obviously not actually miniscript-compatible anymore, but the
1072 // signatures constructed in this test don't commit to the script anyway, so the same
1073 // miniscript satisfier will work. This increases the sensitivity of the test to the ops
1074 // counting logic being too low, especially for simple scripts.
1075 // Do this optionally because we're not solely interested in cases where the number of ops is
1076 // maximal.
1077 // Do not pad more than what would cause MAX_STANDARD_P2WSH_SCRIPT_SIZE to be reached, however,
1078 // as that also invalidates scripts.
1079 const auto node_ops{node->GetOps()};
1080 if (!IsTapscript(script_ctx) && node_ops && *node_ops < MAX_OPS_PER_SCRIPT
1081 && node->ScriptSize() < MAX_STANDARD_P2WSH_SCRIPT_SIZE) {
1082 int add = std::min<int>(
1083 MAX_OPS_PER_SCRIPT - *node_ops,
1084 MAX_STANDARD_P2WSH_SCRIPT_SIZE - node->ScriptSize());
1085 for (int i = 0; i < add; ++i) script.push_back(OP_NOP);
1086 }
1087
1088 // Under Tapscript, optionally pad the stack up to the limit minus the calculated maximum execution stack
1089 // size to assert a Miniscript would never add more elements to the stack during execution than anticipated.
1090 const auto node_exec_ss{node->GetExecStackSize()};
1091 if (miniscript::IsTapscript(script_ctx) && node_exec_ss && *node_exec_ss < MAX_STACK_SIZE) {
1092 unsigned add{(unsigned)MAX_STACK_SIZE - *node_exec_ss};
1093 witness_mal.stack.resize(add);
1094 witness_nonmal.stack.resize(add);
1095 script.reserve(add);
1096 for (unsigned i = 0; i < add; ++i) script.push_back(OP_NIP);
1097 }
1098 }
1099
1100 const SatisfierContext satisfier_ctx{script_ctx};
1101
1102 // Get the ScriptPubKey for this script, filling spend data if it's Taproot.
1103 TaprootBuilder builder;
1104 const CScript script_pubkey{ScriptPubKey(script_ctx, script, builder)};
1105
1106 // Run malleable satisfaction algorithm.
1107 std::vector<std::vector<unsigned char>> stack_mal;
1108 const bool mal_success = node->Satisfy(satisfier_ctx, stack_mal, false) == miniscript::Availability::YES;
1109
1110 // Run non-malleable satisfaction algorithm.
1111 std::vector<std::vector<unsigned char>> stack_nonmal;
1112 const bool nonmal_success = node->Satisfy(satisfier_ctx, stack_nonmal, true) == miniscript::Availability::YES;
1113
1114 if (nonmal_success) {
1115 // Non-malleable satisfactions are bounded by the satisfaction size plus:
1116 // - For P2WSH spends, the witness script
1117 // - For Tapscript spends, both the witness script and the control block
1118 const size_t max_stack_size{*node->GetStackSize() + 1 + miniscript::IsTapscript(script_ctx)};
1119 assert(stack_nonmal.size() <= max_stack_size);
1120 // If a non-malleable satisfaction exists, the malleable one must also exist, and be identical to it.
1121 assert(mal_success);
1122 assert(stack_nonmal == stack_mal);
1123 // Compute witness size (excluding script push, control block, and witness count encoding).
1124 const uint64_t wit_size{GetSerializeSize(stack_nonmal) - GetSizeOfCompactSize(stack_nonmal.size())};
1125 assert(wit_size <= *node->GetWitnessSize());
1126
1127 // Test non-malleable satisfaction.
1128 witness_nonmal.stack.insert(witness_nonmal.stack.end(), std::make_move_iterator(stack_nonmal.begin()), std::make_move_iterator(stack_nonmal.end()));
1129 SatisfactionToWitness(script_ctx, witness_nonmal, script, builder);
1130 ScriptError serror;
1131 bool res = VerifyScript(DUMMY_SCRIPTSIG, script_pubkey, &witness_nonmal, STANDARD_SCRIPT_VERIFY_FLAGS, CHECKER_CTX, &serror);
1132 // Non-malleable satisfactions are guaranteed to be valid if ValidSatisfactions().
1133 if (node->ValidSatisfactions()) assert(res);
1134 // More detailed: non-malleable satisfactions must be valid, or could fail with ops count error (if CheckOpsLimit failed),
1135 // or with a stack size error (if CheckStackSize check failed).
1136 assert(res ||
1137 (!node->CheckOpsLimit() && serror == ScriptError::SCRIPT_ERR_OP_COUNT) ||
1138 (!node->CheckStackSize() && serror == ScriptError::SCRIPT_ERR_STACK_SIZE));
1139 }
1140
1141 if (mal_success && (!nonmal_success || witness_mal.stack != witness_nonmal.stack)) {
1142 // Test malleable satisfaction only if it's different from the non-malleable one.
1143 witness_mal.stack.insert(witness_mal.stack.end(), std::make_move_iterator(stack_mal.begin()), std::make_move_iterator(stack_mal.end()));
1144 SatisfactionToWitness(script_ctx, witness_mal, script, builder);
1145 ScriptError serror;
1146 bool res = VerifyScript(DUMMY_SCRIPTSIG, script_pubkey, &witness_mal, STANDARD_SCRIPT_VERIFY_FLAGS, CHECKER_CTX, &serror);
1147 // Malleable satisfactions are not guaranteed to be valid under any conditions, but they can only
1148 // fail due to stack or ops limits.
1149 assert(res || serror == ScriptError::SCRIPT_ERR_OP_COUNT || serror == ScriptError::SCRIPT_ERR_STACK_SIZE);
1150 }
1151
1152 if (node->IsSane()) {
1153 // For sane nodes, the two algorithms behave identically.
1154 assert(mal_success == nonmal_success);
1155 }
1156
1157 // Verify that if a node is policy-satisfiable, the malleable satisfaction
1158 // algorithm succeeds. Given that under IsSane() both satisfactions
1159 // are identical, this implies that for such nodes, the non-malleable
1160 // satisfaction will also match the expected policy.
1161 const auto is_key_satisfiable = [script_ctx](const CPubKey& pubkey) -> bool {
1162 auto sig_ptr{TEST_DATA.GetSig(script_ctx, pubkey)};
1163 return sig_ptr != nullptr && sig_ptr->second;
1164 };
1165 bool satisfiable = node->IsSatisfiable([&](const Node& node) -> bool {
1166 switch (node.Fragment()) {
1167 case Fragment::PK_K:
1168 case Fragment::PK_H:
1169 return is_key_satisfiable(node.Keys()[0]);
1170 case Fragment::MULTI:
1171 case Fragment::MULTI_A: {
1172 size_t sats = std::ranges::count_if(node.Keys(), [&](const auto& key) {
1173 return size_t(is_key_satisfiable(key));
1174 });
1175 return sats >= node.K();
1176 }
1177 case Fragment::OLDER:
1178 case Fragment::AFTER:
1179 return node.K() & 1;
1180 case Fragment::SHA256:
1181 return TEST_DATA.sha256_preimages.contains(node.Data());
1182 case Fragment::HASH256:
1183 return TEST_DATA.hash256_preimages.contains(node.Data());
1184 case Fragment::RIPEMD160:
1185 return TEST_DATA.ripemd160_preimages.contains(node.Data());
1186 case Fragment::HASH160:
1187 return TEST_DATA.hash160_preimages.contains(node.Data());
1188 default:
1189 assert(false);
1190 }
1191 return false;
1192 });
1193 assert(mal_success == satisfiable);
1194}
1195
1196} // namespace
1197
1198void FuzzInit()
1199{
1200 static ECC_Context ecc_context{};
1201 TEST_DATA.Init();
1202}
1203
1204void FuzzInitSmart()
1205{
1206 FuzzInit();
1207 SMARTINFO.Init();
1208}
1209
1211FUZZ_TARGET(miniscript_stable, .init = FuzzInit)
1212{
1213 // Run it under both P2WSH and Tapscript contexts.
1214 for (const auto script_ctx: {MsCtx::P2WSH, MsCtx::TAPSCRIPT}) {
1215 FuzzedDataProvider provider(buffer.data(), buffer.size());
1216 TestNode(script_ctx, GenNode(script_ctx, [&](Type needed_type) {
1217 return ConsumeNodeStable(script_ctx, provider, needed_type);
1218 }, ""_mst), provider);
1219 }
1220}
1221
1223FUZZ_TARGET(miniscript_smart, .init = FuzzInitSmart)
1224{
1226 static constexpr std::array<Type, 4> BASE_TYPES{"B"_mst, "V"_mst, "K"_mst, "W"_mst};
1227
1228 FuzzedDataProvider provider(buffer.data(), buffer.size());
1229 const auto script_ctx{(MsCtx)provider.ConsumeBool()};
1230 TestNode(script_ctx, GenNode(script_ctx, [&](Type needed_type) {
1231 return ConsumeNodeSmart(script_ctx, provider, needed_type);
1232 }, PickValue(provider, BASE_TYPES), true), provider);
1233}
1234
1235/* Fuzz tests that test parsing from a string, and roundtripping via string. */
1236FUZZ_TARGET(miniscript_string, .init = FuzzInit)
1237{
1238 constexpr auto is_too_expensive{[](std::span<const uint8_t> buf) { return HasTooManySubFrag(buf) || HasTooManyWrappers(buf); }};
1239
1240 if (buffer.empty()) return;
1241 FuzzedDataProvider provider(buffer.data(), buffer.size());
1242 auto str = provider.ConsumeBytesAsString(provider.remaining_bytes() - 1);
1243 if (is_too_expensive(MakeUCharSpan(str))) return;
1244 const ParserContext parser_ctx{(MsCtx)provider.ConsumeBool()};
1245 auto parsed = miniscript::FromString(str, parser_ctx);
1246 if (!parsed) return;
1247
1248 const auto str2 = parsed->ToString(parser_ctx);
1249 assert(str2);
1250 auto parsed2 = miniscript::FromString(*str2, parser_ctx);
1251 assert(parsed2);
1252 assert(*parsed == *parsed2);
1253}
1254
1255/* Fuzz tests that test parsing from a script, and roundtripping via script. */
1256FUZZ_TARGET(miniscript_script)
1257{
1258 FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
1259 const std::optional<CScript> script = ConsumeDeserializable<CScript>(fuzzed_data_provider);
1260 if (!script) return;
1261
1262 const ScriptParserContext script_parser_ctx{(MsCtx)fuzzed_data_provider.ConsumeBool()};
1263 const auto ms = miniscript::FromScript(*script, script_parser_ctx);
1264 if (!ms) return;
1265
1266 assert(ms->ToScript(script_parser_ctx) == *script);
1267}
GetScriptForDestination
CScript GetScriptForDestination(const CTxDestination &dest)
Generate a Bitcoin scriptPubKey for the given CTxDestination.
Definition: addresstype.cpp:166
ecc_context
ECC_Context ecc_context
Definition: bitcoin-wallet.cpp:126
BaseSignatureChecker::CheckLockTime
virtual bool CheckLockTime(const CScriptNum &nLockTime) const
Definition: interpreter.h:287
BaseSignatureChecker::CheckSchnorrSignature
virtual bool CheckSchnorrSignature(std::span< const unsigned char > sig, std::span< const unsigned char > pubkey, SigVersion sigversion, ScriptExecutionData &execdata, ScriptError *serror=nullptr) const
Definition: interpreter.h:282
BaseSignatureChecker::CheckSequence
virtual bool CheckSequence(const CScriptNum &nSequence) const
Definition: interpreter.h:292
BaseSignatureChecker::CheckECDSASignature
virtual bool CheckECDSASignature(const std::vector< unsigned char > &scriptSig, const std::vector< unsigned char > &vchPubKey, const CScript &scriptCode, SigVersion sigversion) const
Definition: interpreter.h:277
CHash160
A hasher class for Bitcoin's 160-bit hash (SHA-256 + RIPEMD-160).
Definition: hash.h:49
CHash160::Write
CHash160 & Write(std::span< const unsigned char > input)
Definition: hash.h:62
CHash160::Finalize
void Finalize(std::span< unsigned char > output)
Definition: hash.h:55
CHash256
A hasher class for Bitcoin's 256-bit hash (double SHA-256).
Definition: hash.h:24
CHash256::Finalize
void Finalize(std::span< unsigned char > output)
Definition: hash.h:30
CHash256::Write
CHash256 & Write(std::span< const unsigned char > input)
Definition: hash.h:37
CKey
An encapsulated private key.
Definition: key.h:36
CKey::SignSchnorr
bool SignSchnorr(const uint256 &hash, std::span< unsigned char > sig, const uint256 *merkle_root, const uint256 &aux) const
Create a BIP-340 Schnorr signature, for the xonly-pubkey corresponding to *this, optionally tweaked b...
Definition: key.cpp:273
CKey::Sign
bool Sign(const uint256 &hash, std::vector< unsigned char > &vchSig, bool grind=true, uint32_t test_case=0) const
Create a DER-serialized signature.
Definition: key.cpp:209
CKey::GetPubKey
CPubKey GetPubKey() const
Compute the public key from a private key.
Definition: key.cpp:183
CKey::Set
void Set(const T pbegin, const T pend, bool fCompressedIn)
Initialize using begin and end iterators to byte data.
Definition: key.h:104
CKeyID
A reference to a CKey: the Hash160 of its serialized public key.
Definition: pubkey.h:24
CPubKey
An encapsulated public key.
Definition: pubkey.h:34
CRIPEMD160
A hasher class for RIPEMD-160.
Definition: ripemd160.h:13
CRIPEMD160::Write
CRIPEMD160 & Write(const unsigned char *data, size_t len)
Definition: ripemd160.cpp:247
CRIPEMD160::Finalize
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: ripemd160.cpp:273
CSHA256
A hasher class for SHA-256.
Definition: sha256.h:14
CSHA256::Finalize
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha256.cpp:725
CSHA256::Write
CSHA256 & Write(const unsigned char *data, size_t len)
Definition: sha256.cpp:699
CScript
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:405
CScriptNum::GetInt64
int64_t GetInt64() const
Definition: script.h:334
ECC_Context
RAII class initializing and deinitializing global state for elliptic curve support.
Definition: key.h:326
FuzzedDataProvider::ConsumeBytesAsString
std::string ConsumeBytesAsString(size_t num_bytes)
Definition: FuzzedDataProvider.h:137
FuzzedDataProvider::ConsumeIntegralInRange
T ConsumeIntegralInRange(T min, T max)
Definition: FuzzedDataProvider.h:205
Init
Definition: init.h:13
TaprootBuilder
Utility class to construct Taproot outputs from internal key and script tree.
Definition: signingprovider.h:50
TaprootBuilder::GetOutput
WitnessV1Taproot GetOutput()
Compute scriptPubKey (after Finalize()).
Definition: signingprovider.cpp:467
TaprootBuilder::GetSpendData
TaprootSpendData GetSpendData() const
Compute spending data (after Finalize()).
Definition: signingprovider.cpp:469
TaprootBuilder::Add
TaprootBuilder & Add(int depth, std::span< const unsigned char > script, int leaf_version, bool track=true)
Add a new script at a certain depth in the tree.
Definition: signingprovider.cpp:433
TaprootBuilder::Finalize
TaprootBuilder & Finalize(const XOnlyPubKey &internal_key)
Finalize the construction.
Definition: signingprovider.cpp:456
XOnlyPubKey::begin
const unsigned char * begin() const
Definition: pubkey.h:295
XOnlyPubKey::NUMS_H
static const XOnlyPubKey NUMS_H
Nothing Up My Sleeve point H Used as an internal key for provably disabling the key path spend see BI...
Definition: pubkey.h:235
XOnlyPubKey::GetEvenCorrespondingCPubKey
CPubKey GetEvenCorrespondingCPubKey() const
Definition: pubkey.cpp:223
base_blob::size
static constexpr unsigned int size()
Definition: uint256.h:106
base_blob::begin
constexpr unsigned char * begin()
Definition: uint256.h:100
miniscript::Node
A node in a miniscript expression.
Definition: miniscript.h:533
miniscript::Type
This type encapsulates the miniscript type system properties.
Definition: miniscript.h:128
uint160
160-bit opaque blob.
Definition: uint256.h:183
uint256
256-bit opaque blob.
Definition: uint256.h:195
uint256::ZERO
static const uint256 ZERO
Definition: uint256.h:203
core_io.h
Hash160
uint160 Hash160(const T1 &in1)
Compute the 160-bit hash an object.
Definition: hash.h:92
RIPEMD160
uint160 RIPEMD160(std::span< const unsigned char > data)
Compute the 160-bit RIPEMD-160 hash of an array.
Definition: hash.h:222
T
#define T(expected, seed, data)
HexStr
std::string HexStr(const std::span< const uint8_t > s)
Convert a span of bytes to a lower-case hexadecimal string.
Definition: hex_base.cpp:30
VerifyScript
bool VerifyScript(const CScript &scriptSig, const CScript &scriptPubKey, const CScriptWitness *witness, script_verify_flags flags, const BaseSignatureChecker &checker, ScriptError *serror)
Definition: interpreter.cpp:2006
SigVersion
SigVersion
Definition: interpreter.h:201
TAPROOT_LEAF_TAPSCRIPT
static constexpr uint8_t TAPROOT_LEAF_TAPSCRIPT
Definition: interpreter.h:242
miniscript::internal::ComputeScriptLen
size_t ComputeScriptLen(Fragment fragment, Type sub0typ, size_t subsize, uint32_t k, size_t n_subs, size_t n_keys, MiniscriptContext ms_ctx)
Helper function for Node::CalcScriptLen.
Definition: miniscript.cpp:264
miniscript::internal::MaxScriptSize
constexpr uint32_t MaxScriptSize(MiniscriptContext ms_ctx)
The maximum size of a script depending on the context.
Definition: miniscript.h:282
miniscript::internal::ComputeType
Type ComputeType(Fragment fragment, Type x, Type y, Type z, const std::vector< Type > &sub_types, uint32_t k, size_t data_size, size_t n_subs, size_t n_keys, MiniscriptContext ms_ctx)
Helper function for Node::CalcType.
Definition: miniscript.cpp:39
miniscript::IsTapscript
constexpr bool IsTapscript(MiniscriptContext ms_ctx)
Whether the context Tapscript, ensuring the only other possibility is P2WSH.
Definition: miniscript.h:257
miniscript::FromScript
std::optional< Node< typename Ctx::Key > > FromScript(const CScript &script, const Ctx &ctx)
Definition: miniscript.h:2707
miniscript::FromString
std::optional< Node< typename Ctx::Key > > FromString(const std::string &str, const Ctx &ctx)
Definition: miniscript.h:2701
miniscript::Fragment
Fragment
The different node types in miniscript.
Definition: miniscript.h:211
node
Definition: messages.h:21
ripemd160
Internal RIPEMD-160 implementation.
Definition: ripemd160.cpp:16
sha256
Internal SHA-256 implementation.
Definition: sha256.cpp:68
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
util::ToString
std::string ToString(const T &t)
Locale-independent version of std::to_string.
Definition: string.h:246
STANDARD_SCRIPT_VERIFY_FLAGS
static constexpr script_verify_flags STANDARD_SCRIPT_VERIFY_FLAGS
Standard script verification flags that standard transactions will comply with.
Definition: policy.h:116
MAX_STANDARD_P2WSH_SCRIPT_SIZE
static constexpr unsigned int MAX_STANDARD_P2WSH_SCRIPT_SIZE
The maximum size in bytes of a standard witnessScript.
Definition: policy.h:57
OP_CHECKMULTISIG
@ OP_CHECKMULTISIG
Definition: script.h:192
OP_CHECKSIG
@ OP_CHECKSIG
Definition: script.h:190
OP_EQUAL
@ OP_EQUAL
Definition: script.h:146
OP_NUMEQUAL
@ OP_NUMEQUAL
Definition: script.h:171
OP_NOP
@ OP_NOP
Definition: script.h:102
OP_NIP
@ OP_NIP
Definition: script.h:126
OP_0
@ OP_0
Definition: script.h:76
MAX_STACK_SIZE
static const int MAX_STACK_SIZE
Definition: script.h:43
MAX_OPS_PER_SCRIPT
static const int MAX_OPS_PER_SCRIPT
Definition: script.h:31
ScriptError
enum ScriptError_t ScriptError
SCRIPT_ERR_OP_COUNT
@ SCRIPT_ERR_OP_COUNT
Definition: script_error.h:22
SCRIPT_ERR_STACK_SIZE
@ SCRIPT_ERR_STACK_SIZE
Definition: script_error.h:23
GetSizeOfCompactSize
constexpr unsigned int GetSizeOfCompactSize(uint64_t nSize)
Compact Size size < 253 – 1 byte size <= USHRT_MAX – 3 bytes (253 + 2 bytes) size <= UINT_MAX – 5 byt...
Definition: serialize.h:288
GetSerializeSize
uint64_t GetSerializeSize(const T &t)
Definition: serialize.h:1095
MakeUCharSpan
constexpr auto MakeUCharSpan(const V &v) -> decltype(UCharSpanCast(std::span{v}))
Like the std::span constructor, but for (const) unsigned char member types only.
Definition: span.h:111
ParseHex
std::vector< Byte > ParseHex(std::string_view hex_str)
Like TryParseHex, but returns an empty vector on invalid input.
Definition: strencodings.h:69
CScriptWitness::stack
std::vector< std::vector< unsigned char > > stack
Definition: script.h:580
TaprootSpendData::scripts
std::map< std::pair< std::vector< unsigned char >, int >, std::set< std::vector< unsigned char >, ShortestVectorFirstComparator > > scripts
Map from (script, leaf_version) to (sets of) control blocks.
Definition: signingprovider.h:43
FUZZ_TARGET
FUZZ_TARGET(miniscript_stable,.init=FuzzInit)
Fuzz target that runs TestNode on nodes generated using ConsumeNodeStable.
Definition: miniscript.cpp:1211
FuzzInit
void FuzzInit()
Definition: miniscript.cpp:1198
FuzzInitSmart
void FuzzInitSmart()
Definition: miniscript.cpp:1204
HasTooManySubFrag
bool HasTooManySubFrag(std::span< const uint8_t > buff, const int max_subs, const size_t max_nested_subs)
Whether the buffer, if it represents a valid descriptor, contains a fragment with more sub-fragments ...
Definition: descriptor.cpp:99
HasTooManyWrappers
bool HasTooManyWrappers(std::span< const uint8_t > buff, const int max_wrappers)
Whether the buffer, if it represents a valid descriptor, contains a fragment with more wrappers than ...
Definition: descriptor.cpp:123
ConsumeNode
auto ConsumeNode(FuzzedDataProvider &fuzzed_data_provider, const std::optional< NodeId > &node_id_in=std::nullopt) noexcept
Definition: net.h:270
PickValue
auto & PickValue(FuzzedDataProvider &fuzzed_data_provider, Collection &col)
Definition: util.h:47
_
consteval auto _(util::TranslatedLiteral str)
Definition: translation.h:79
assert
assert(!tx.IsCoinBase())
fuzzed_data_provider
FuzzedDataProvider & fuzzed_data_provider
Definition: fees.cpp:38
Generated on Mon Feb 2 2026 20:00:32 for Bitcoin Core by doxygen 1.9.4