Bitcoin Core  27.99.0
P2P Digital Currency
util.cpp
Go to the documentation of this file.
1 // Copyright (c) 2021-2022 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <consensus/amount.h>
6 #include <pubkey.h>
7 #include <test/fuzz/util.h>
8 #include <test/util/script.h>
9 #include <util/check.h>
10 #include <util/overflow.h>
11 #include <util/rbf.h>
12 #include <util/time.h>
13 
14 #include <memory>
15 
16 std::vector<uint8_t> ConstructPubKeyBytes(FuzzedDataProvider& fuzzed_data_provider, Span<const uint8_t> byte_data, const bool compressed) noexcept
17 {
18  uint8_t pk_type;
19  if (compressed) {
20  pk_type = fuzzed_data_provider.PickValueInArray({0x02, 0x03});
21  } else {
22  pk_type = fuzzed_data_provider.PickValueInArray({0x04, 0x06, 0x07});
23  }
24  std::vector<uint8_t> pk_data{byte_data.begin(), byte_data.begin() + (compressed ? CPubKey::COMPRESSED_SIZE : CPubKey::SIZE)};
25  pk_data[0] = pk_type;
26  return pk_data;
27 }
28 
29 CAmount ConsumeMoney(FuzzedDataProvider& fuzzed_data_provider, const std::optional<CAmount>& max) noexcept
30 {
31  return fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(0, max.value_or(MAX_MONEY));
32 }
33 
34 int64_t ConsumeTime(FuzzedDataProvider& fuzzed_data_provider, const std::optional<int64_t>& min, const std::optional<int64_t>& max) noexcept
35 {
36  // Avoid t=0 (1970-01-01T00:00:00Z) since SetMockTime(0) disables mocktime.
37  static const int64_t time_min{946684801}; // 2000-01-01T00:00:01Z
38  static const int64_t time_max{4133980799}; // 2100-12-31T23:59:59Z
39  return fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(min.value_or(time_min), max.value_or(time_max));
40 }
41 
42 CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<Txid>>& prevout_txids, const int max_num_in, const int max_num_out) noexcept
43 {
44  CMutableTransaction tx_mut;
45  const auto p2wsh_op_true = fuzzed_data_provider.ConsumeBool();
46  tx_mut.nVersion = fuzzed_data_provider.ConsumeBool() ?
48  fuzzed_data_provider.ConsumeIntegral<int32_t>();
49  tx_mut.nLockTime = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
50  const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_in);
51  const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, max_num_out);
52  for (int i = 0; i < num_in; ++i) {
53  const auto& txid_prev = prevout_txids ?
54  PickValue(fuzzed_data_provider, *prevout_txids) :
55  Txid::FromUint256(ConsumeUInt256(fuzzed_data_provider));
56  const auto index_out = fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(0, max_num_out);
57  const auto sequence = ConsumeSequence(fuzzed_data_provider);
58  const auto script_sig = p2wsh_op_true ? CScript{} : ConsumeScript(fuzzed_data_provider);
59  CScriptWitness script_wit;
60  if (p2wsh_op_true) {
61  script_wit.stack = std::vector<std::vector<uint8_t>>{WITNESS_STACK_ELEM_OP_TRUE};
62  } else {
63  script_wit = ConsumeScriptWitness(fuzzed_data_provider);
64  }
65  CTxIn in;
66  in.prevout = COutPoint{txid_prev, index_out};
67  in.nSequence = sequence;
68  in.scriptSig = script_sig;
69  in.scriptWitness = script_wit;
70 
71  tx_mut.vin.push_back(in);
72  }
73  for (int i = 0; i < num_out; ++i) {
74  const auto amount = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-10, 50 * COIN + 10);
75  const auto script_pk = p2wsh_op_true ?
77  ConsumeScript(fuzzed_data_provider, /*maybe_p2wsh=*/true);
78  tx_mut.vout.emplace_back(amount, script_pk);
79  }
80  return tx_mut;
81 }
82 
83 CScriptWitness ConsumeScriptWitness(FuzzedDataProvider& fuzzed_data_provider, const size_t max_stack_elem_size) noexcept
84 {
86  const auto n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_stack_elem_size);
87  for (size_t i = 0; i < n_elements; ++i) {
88  ret.stack.push_back(ConsumeRandomLengthByteVector(fuzzed_data_provider));
89  }
90  return ret;
91 }
92 
93 CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, const bool maybe_p2wsh) noexcept
94 {
95  CScript r_script{};
96  {
97  // Keep a buffer of bytes to allow the fuzz engine to produce smaller
98  // inputs to generate CScripts with repeated data.
99  static constexpr unsigned MAX_BUFFER_SZ{128};
100  std::vector<uint8_t> buffer(MAX_BUFFER_SZ, uint8_t{'a'});
101  while (fuzzed_data_provider.ConsumeBool()) {
102  CallOneOf(
103  fuzzed_data_provider,
104  [&] {
105  // Insert byte vector directly to allow malformed or unparsable scripts
106  r_script.insert(r_script.end(), buffer.begin(), buffer.begin() + fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BUFFER_SZ));
107  },
108  [&] {
109  // Push a byte vector from the buffer
110  r_script << std::vector<uint8_t>{buffer.begin(), buffer.begin() + fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BUFFER_SZ)};
111  },
112  [&] {
113  // Push multisig
114  // There is a special case for this to aid the fuzz engine
115  // navigate the highly structured multisig format.
116  r_script << fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 22);
117  int num_data{fuzzed_data_provider.ConsumeIntegralInRange(1, 22)};
118  while (num_data--) {
119  auto pubkey_bytes{ConstructPubKeyBytes(fuzzed_data_provider, buffer, fuzzed_data_provider.ConsumeBool())};
120  if (fuzzed_data_provider.ConsumeBool()) {
121  pubkey_bytes.back() = num_data; // Make each pubkey different
122  }
123  r_script << pubkey_bytes;
124  }
125  r_script << fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 22);
126  },
127  [&] {
128  // Mutate the buffer
129  const auto vec{ConsumeRandomLengthByteVector(fuzzed_data_provider, /*max_length=*/MAX_BUFFER_SZ)};
130  std::copy(vec.begin(), vec.end(), buffer.begin());
131  },
132  [&] {
133  // Push an integral
134  r_script << fuzzed_data_provider.ConsumeIntegral<int64_t>();
135  },
136  [&] {
137  // Push an opcode
138  r_script << ConsumeOpcodeType(fuzzed_data_provider);
139  },
140  [&] {
141  // Push a scriptnum
142  r_script << ConsumeScriptNum(fuzzed_data_provider);
143  });
144  }
145  }
146  if (maybe_p2wsh && fuzzed_data_provider.ConsumeBool()) {
147  uint256 script_hash;
148  CSHA256().Write(r_script.data(), r_script.size()).Finalize(script_hash.begin());
149  r_script.clear();
150  r_script << OP_0 << ToByteVector(script_hash);
151  }
152  return r_script;
153 }
154 
155 uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept
156 {
157  return fuzzed_data_provider.ConsumeBool() ?
158  fuzzed_data_provider.PickValueInArray({
162  }) :
163  fuzzed_data_provider.ConsumeIntegral<uint32_t>();
164 }
165 
166 std::map<COutPoint, Coin> ConsumeCoins(FuzzedDataProvider& fuzzed_data_provider) noexcept
167 {
168  std::map<COutPoint, Coin> coins;
169  LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {
170  const std::optional<COutPoint> outpoint{ConsumeDeserializable<COutPoint>(fuzzed_data_provider)};
171  if (!outpoint) {
172  break;
173  }
174  const std::optional<Coin> coin{ConsumeDeserializable<Coin>(fuzzed_data_provider)};
175  if (!coin) {
176  break;
177  }
178  coins[*outpoint] = *coin;
179  }
180 
181  return coins;
182 }
183 
185 {
186  CTxDestination tx_destination;
187  const size_t call_size{CallOneOf(
188  fuzzed_data_provider,
189  [&] {
190  tx_destination = CNoDestination{};
191  },
192  [&] {
193  bool compressed = fuzzed_data_provider.ConsumeBool();
195  fuzzed_data_provider,
196  ConsumeFixedLengthByteVector(fuzzed_data_provider, (compressed ? CPubKey::COMPRESSED_SIZE : CPubKey::SIZE)),
197  compressed
198  )};
199  tx_destination = PubKeyDestination{pk};
200  },
201  [&] {
202  tx_destination = PKHash{ConsumeUInt160(fuzzed_data_provider)};
203  },
204  [&] {
205  tx_destination = ScriptHash{ConsumeUInt160(fuzzed_data_provider)};
206  },
207  [&] {
208  tx_destination = WitnessV0ScriptHash{ConsumeUInt256(fuzzed_data_provider)};
209  },
210  [&] {
211  tx_destination = WitnessV0KeyHash{ConsumeUInt160(fuzzed_data_provider)};
212  },
213  [&] {
214  tx_destination = WitnessV1Taproot{XOnlyPubKey{ConsumeUInt256(fuzzed_data_provider)}};
215  },
216  [&] {
217  std::vector<unsigned char> program{ConsumeRandomLengthByteVector(fuzzed_data_provider, /*max_length=*/40)};
218  if (program.size() < 2) {
219  program = {0, 0};
220  }
221  tx_destination = WitnessUnknown{fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(2, 16), program};
222  })};
223  Assert(call_size == std::variant_size_v<CTxDestination>);
224  return tx_destination;
225 }
226 
227 CKey ConsumePrivateKey(FuzzedDataProvider& fuzzed_data_provider, std::optional<bool> compressed) noexcept
228 {
229  auto key_data = fuzzed_data_provider.ConsumeBytes<uint8_t>(32);
230  key_data.resize(32);
231  CKey key;
232  bool compressed_value = compressed ? *compressed : fuzzed_data_provider.ConsumeBool();
233  key.Set(key_data.begin(), key_data.end(), compressed_value);
234  return key;
235 }
236 
237 bool ContainsSpentInput(const CTransaction& tx, const CCoinsViewCache& inputs) noexcept
238 {
239  for (const CTxIn& tx_in : tx.vin) {
240  const Coin& coin = inputs.AccessCoin(tx_in.prevout);
241  if (coin.IsSpent()) {
242  return true;
243  }
244  }
245  return false;
246 }
247 
249 {
252  return nullptr;
253  }
254  std::string mode;
255  CallOneOf(
257  [&] {
258  mode = "r";
259  },
260  [&] {
261  mode = "r+";
262  },
263  [&] {
264  mode = "w";
265  },
266  [&] {
267  mode = "w+";
268  },
269  [&] {
270  mode = "a";
271  },
272  [&] {
273  mode = "a+";
274  });
275 #if defined _GNU_SOURCE && (defined(__linux__) || defined(__FreeBSD__))
276  const cookie_io_functions_t io_hooks = {
281  };
282  return fopencookie(this, mode.c_str(), io_hooks);
283 #else
284  (void)mode;
285  return nullptr;
286 #endif
287 }
288 
289 ssize_t FuzzedFileProvider::read(void* cookie, char* buf, size_t size)
290 {
291  FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
293  if (buf == nullptr || size == 0 || fuzzed_file->m_fuzzed_data_provider.ConsumeBool()) {
294  return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1;
295  }
296  const std::vector<uint8_t> random_bytes = fuzzed_file->m_fuzzed_data_provider.ConsumeBytes<uint8_t>(size);
297  if (random_bytes.empty()) {
298  return 0;
299  }
300  std::memcpy(buf, random_bytes.data(), random_bytes.size());
301  if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)random_bytes.size())) {
302  return fuzzed_file->m_fuzzed_data_provider.ConsumeBool() ? 0 : -1;
303  }
304  fuzzed_file->m_offset += random_bytes.size();
305  return random_bytes.size();
306 }
307 
308 ssize_t FuzzedFileProvider::write(void* cookie, const char* buf, size_t size)
309 {
310  FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
312  const ssize_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<ssize_t>(0, size);
313  if (AdditionOverflow(fuzzed_file->m_offset, (int64_t)n)) {
314  return 0;
315  }
316  fuzzed_file->m_offset += n;
317  return n;
318 }
319 
320 int FuzzedFileProvider::seek(void* cookie, int64_t* offset, int whence)
321 {
322  assert(whence == SEEK_SET || whence == SEEK_CUR || whence == SEEK_END);
323  FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
325  int64_t new_offset = 0;
326  if (whence == SEEK_SET) {
327  new_offset = *offset;
328  } else if (whence == SEEK_CUR) {
329  if (AdditionOverflow(fuzzed_file->m_offset, *offset)) {
330  return -1;
331  }
332  new_offset = fuzzed_file->m_offset + *offset;
333  } else if (whence == SEEK_END) {
334  const int64_t n = fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int64_t>(0, 4096);
335  if (AdditionOverflow(n, *offset)) {
336  return -1;
337  }
338  new_offset = n + *offset;
339  }
340  if (new_offset < 0) {
341  return -1;
342  }
343  fuzzed_file->m_offset = new_offset;
344  *offset = new_offset;
345  return fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int>(-1, 0);
346 }
347 
348 int FuzzedFileProvider::close(void* cookie)
349 {
350  FuzzedFileProvider* fuzzed_file = (FuzzedFileProvider*)cookie;
352  return fuzzed_file->m_fuzzed_data_provider.ConsumeIntegralInRange<int>(-1, 0);
353 }
std::variant< CNoDestination, PubKeyDestination, PKHash, ScriptHash, WitnessV0ScriptHash, WitnessV0KeyHash, WitnessV1Taproot, WitnessUnknown > CTxDestination
A txout script categorized into standard templates.
Definition: addresstype.h:131
static constexpr CAmount MAX_MONEY
No amount larger than this (in satoshi) is valid.
Definition: amount.h:26
int64_t CAmount
Amount in satoshis (Can be negative)
Definition: amount.h:12
static constexpr CAmount COIN
The amount of satoshis in one BTC.
Definition: amount.h:15
int ret
#define Assert(val)
Identity function.
Definition: check.h:77
CCoinsView that adds a memory cache for transactions to another CCoinsView.
Definition: coins.h:229
An encapsulated private key.
Definition: key.h:33
void Set(const T pbegin, const T pend, bool fCompressedIn)
Initialize using begin and end iterators to byte data.
Definition: key.h:99
An outpoint - a combination of a transaction hash and an index n into its vout.
Definition: transaction.h:29
An encapsulated public key.
Definition: pubkey.h:34
static constexpr unsigned int COMPRESSED_SIZE
Definition: pubkey.h:40
static constexpr unsigned int SIZE
secp256k1:
Definition: pubkey.h:39
A hasher class for SHA-256.
Definition: sha256.h:14
void Finalize(unsigned char hash[OUTPUT_SIZE])
Definition: sha256.cpp:728
CSHA256 & Write(const unsigned char *data, size_t len)
Definition: sha256.cpp:702
Serialized script, used inside transaction inputs and outputs.
Definition: script.h:414
The basic transaction that is broadcasted on the network and contained in blocks.
Definition: transaction.h:296
static const int32_t CURRENT_VERSION
Definition: transaction.h:299
An input of a transaction.
Definition: transaction.h:67
static const uint32_t MAX_SEQUENCE_NONFINAL
This is the maximum sequence number that enables both nLockTime and OP_CHECKLOCKTIMEVERIFY (BIP 65).
Definition: transaction.h:87
uint32_t nSequence
Definition: transaction.h:71
static const uint32_t SEQUENCE_FINAL
Setting nSequence to this value for every input in a transaction disables nLockTime/IsFinalTx().
Definition: transaction.h:81
CScript scriptSig
Definition: transaction.h:70
CScriptWitness scriptWitness
Only serialized through CTransaction.
Definition: transaction.h:72
COutPoint prevout
Definition: transaction.h:69
A UTXO entry.
Definition: coins.h:32
bool IsSpent() const
Either this coin never existed (see e.g.
Definition: coins.h:80
std::vector< T > ConsumeBytes(size_t num_bytes)
T ConsumeIntegralInRange(T min, T max)
static ssize_t write(void *cookie, const char *buf, size_t size)
Definition: util.cpp:308
FuzzedDataProvider & m_fuzzed_data_provider
Definition: util.h:248
int64_t m_offset
Definition: util.h:249
static int seek(void *cookie, int64_t *offset, int whence)
Definition: util.cpp:320
static int close(void *cookie)
Definition: util.cpp:348
static ssize_t read(void *cookie, char *buf, size_t size)
Definition: util.cpp:289
FILE * open()
Definition: util.cpp:248
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:98
constexpr unsigned char * begin()
Definition: uint256.h:68
static transaction_identifier FromUint256(const uint256 &id)
256-bit opaque blob.
Definition: uint256.h:106
#define LIMITED_WHILE(condition, limit)
Can be used to limit a theoretically unbounded loop.
Definition: fuzz.h:23
uint64_t sequence
bool AdditionOverflow(const T i, const T j) noexcept
Definition: overflow.h:13
std::vector< unsigned char > ToByteVector(const T &in)
Definition: script.h:66
@ OP_0
Definition: script.h:75
A mutable version of CTransaction.
Definition: transaction.h:378
std::vector< CTxOut > vout
Definition: transaction.h:380
std::vector< CTxIn > vin
Definition: transaction.h:379
std::vector< std::vector< unsigned char > > stack
Definition: script.h:569
CTxDestination subtype to encode any future Witness version.
Definition: addresstype.h:95
uint32_t ConsumeSequence(FuzzedDataProvider &fuzzed_data_provider) noexcept
Definition: util.cpp:155
CScript ConsumeScript(FuzzedDataProvider &fuzzed_data_provider, const bool maybe_p2wsh) noexcept
Definition: util.cpp:93
int64_t ConsumeTime(FuzzedDataProvider &fuzzed_data_provider, const std::optional< int64_t > &min, const std::optional< int64_t > &max) noexcept
Definition: util.cpp:34
bool ContainsSpentInput(const CTransaction &tx, const CCoinsViewCache &inputs) noexcept
Definition: util.cpp:237
std::map< COutPoint, Coin > ConsumeCoins(FuzzedDataProvider &fuzzed_data_provider) noexcept
Definition: util.cpp:166
CScriptWitness ConsumeScriptWitness(FuzzedDataProvider &fuzzed_data_provider, const size_t max_stack_elem_size) noexcept
Definition: util.cpp:83
CKey ConsumePrivateKey(FuzzedDataProvider &fuzzed_data_provider, std::optional< bool > compressed) noexcept
Definition: util.cpp:227
CMutableTransaction ConsumeTransaction(FuzzedDataProvider &fuzzed_data_provider, const std::optional< std::vector< Txid >> &prevout_txids, const int max_num_in, const int max_num_out) noexcept
Definition: util.cpp:42
CTxDestination ConsumeTxDestination(FuzzedDataProvider &fuzzed_data_provider) noexcept
Definition: util.cpp:184
CAmount ConsumeMoney(FuzzedDataProvider &fuzzed_data_provider, const std::optional< CAmount > &max) noexcept
Definition: util.cpp:29
std::vector< uint8_t > ConstructPubKeyBytes(FuzzedDataProvider &fuzzed_data_provider, Span< const uint8_t > byte_data, const bool compressed) noexcept
Definition: util.cpp:16
CScriptNum ConsumeScriptNum(FuzzedDataProvider &fuzzed_data_provider) noexcept
Definition: util.h:155
auto & PickValue(FuzzedDataProvider &fuzzed_data_provider, Collection &col)
Definition: util.h:47
uint256 ConsumeUInt256(FuzzedDataProvider &fuzzed_data_provider) noexcept
Definition: util.h:169
size_t CallOneOf(FuzzedDataProvider &fuzzed_data_provider, Callables... callables)
Definition: util.h:35
std::vector< B > ConsumeRandomLengthByteVector(FuzzedDataProvider &fuzzed_data_provider, const std::optional< size_t > &max_length=std::nullopt) noexcept
Definition: util.h:57
opcodetype ConsumeOpcodeType(FuzzedDataProvider &fuzzed_data_provider) noexcept
Definition: util.h:138
void SetFuzzedErrNo(FuzzedDataProvider &fuzzed_data_provider, const std::array< T, size > &errnos)
Sets errno to a value selected from the given std::array errnos.
Definition: util.h:218
uint160 ConsumeUInt160(FuzzedDataProvider &fuzzed_data_provider) noexcept
Definition: util.h:160
std::vector< B > ConsumeFixedLengthByteVector(FuzzedDataProvider &fuzzed_data_provider, const size_t length) noexcept
Returns a byte vector of specified size regardless of the number of remaining bytes available from th...
Definition: util.h:238
static const std::vector< uint8_t > WITNESS_STACK_ELEM_OP_TRUE
Definition: script.h:11
static const CScript P2WSH_OP_TRUE
Definition: script.h:12
static constexpr uint32_t MAX_BIP125_RBF_SEQUENCE
Definition: rbf.h:12
assert(!tx.IsCoinBase())