test_2fuzz_2utxo__snapshot_8cpp_source.html

// Copyright (c) 2021-present The Bitcoin Core developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <chain.h>

#include <chainparams.h>

#include <coins.h>

#include <consensus/consensus.h>

#include <consensus/validation.h>

#include <node/blockstorage.h>

#include <node/utxo_snapshot.h>

#include <primitives/block.h>

#include <primitives/transaction.h>

#include <serialize.h>

#include <span.h>

#include <streams.h>

#include <sync.h>

#include <test/fuzz/FuzzedDataProvider.h>

#include <test/fuzz/fuzz.h>

#include <test/fuzz/util.h>

#include <test/util/mining.h>

#include <test/util/setup_common.h>

#include <uint256.h>

#include <util/check.h>

#include <util/fs.h>

#include <util/result.h>

#include <validation.h>


#include <cstdint>

#include <functional>

#include <ios>

#include <memory>

#include <optional>

#include <vector>


using node::SnapshotMetadata;


namespace {


const std::vector<std::shared_ptr<CBlock>>* g_chain;

TestingSetup* g_setup;


template <bool INVALID>

void initialize_chain()

{

    const auto params{CreateChainParams(ArgsManager{}, ChainType::REGTEST)};

    static const auto chain{CreateBlockChain(2 * COINBASE_MATURITY, *params)};

    g_chain = &chain;

    static const auto setup{

        MakeNoLogFileContext<TestingSetup>(ChainType::REGTEST,

                                           TestOpts{

                                               .setup_net = false,

                                               .setup_validation_interface = false,

                                               .min_validation_cache = true,

                                           }),

    };

    if constexpr (INVALID) {

        auto& chainman{*setup->m_node.chainman};

        for (const auto& block : chain) {

            BlockValidationState dummy;

            bool processed{chainman.ProcessNewBlockHeaders({{block->GetBlockHeader()}}, true, dummy)};

            Assert(processed);

            const auto* index{WITH_LOCK(::cs_main, return chainman.m_blockman.LookupBlockIndex(block->GetHash()))};

            Assert(index);

        }

    }

    g_setup = setup.get();

}


template <bool INVALID>

void utxo_snapshot_fuzz(FuzzBufferType buffer)

{

    SeedRandomStateForTest(SeedRand::ZEROS);

    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());

    auto& setup{*g_setup};

    bool dirty_chainman{false}; // Re-use the global chainman, but reset it when it is dirty

    auto& chainman{*setup.m_node.chainman};


    const auto snapshot_path = gArgs.GetDataDirNet() / "fuzzed_snapshot.dat";


    Assert(!chainman.SnapshotBlockhash());


    {

        AutoFile outfile{fsbridge::fopen(snapshot_path, "wb")};

        // Metadata

        if (fuzzed_data_provider.ConsumeBool()) {

            std::vector<uint8_t> metadata{ConsumeRandomLengthByteVector(fuzzed_data_provider)};

            outfile << Span{metadata};

        } else {

            auto msg_start = chainman.GetParams().MessageStart();

            int base_blockheight{fuzzed_data_provider.ConsumeIntegralInRange<int>(1, 2 * COINBASE_MATURITY)};

            uint256 base_blockhash{g_chain->at(base_blockheight - 1)->GetHash()};

            uint64_t m_coins_count{fuzzed_data_provider.ConsumeIntegralInRange<uint64_t>(1, 3 * COINBASE_MATURITY)};

            SnapshotMetadata metadata{msg_start, base_blockhash, m_coins_count};

            outfile << metadata;

        }

        // Coins

        if (fuzzed_data_provider.ConsumeBool()) {

            std::vector<uint8_t> file_data{ConsumeRandomLengthByteVector(fuzzed_data_provider)};

            outfile << Span{file_data};

        } else {

            int height{0};

            for (const auto& block : *g_chain) {

                auto coinbase{block->vtx.at(0)};

                outfile << coinbase->GetHash();

                WriteCompactSize(outfile, 1); // number of coins for the hash

                WriteCompactSize(outfile, 0); // index of coin

                outfile << Coin(coinbase->vout[0], height, /*fCoinBaseIn=*/1);

                height++;

            }

        }

        if constexpr (INVALID) {

            // Append an invalid coin to ensure invalidity. This error will be

            // detected late in PopulateAndValidateSnapshot, and allows the

            // INVALID fuzz target to reach more potential code coverage.

            const auto& coinbase{g_chain->back()->vtx.back()};

            outfile << coinbase->GetHash();

            WriteCompactSize(outfile, 1);   // number of coins for the hash

            WriteCompactSize(outfile, 999); // index of coin

            outfile << Coin{coinbase->vout[0], /*nHeightIn=*/999, /*fCoinBaseIn=*/0};

        }

    }


    const auto ActivateFuzzedSnapshot{[&] {

        AutoFile infile{fsbridge::fopen(snapshot_path, "rb")};

        auto msg_start = chainman.GetParams().MessageStart();

        SnapshotMetadata metadata{msg_start};

        try {

            infile >> metadata;

        } catch (const std::ios_base::failure&) {

            return false;

        }

        return !!chainman.ActivateSnapshot(infile, metadata, /*in_memory=*/true);

    }};


    if (fuzzed_data_provider.ConsumeBool()) {

        // Consume the bool, but skip the code for the INVALID fuzz target

        if constexpr (!INVALID) {

            for (const auto& block : *g_chain) {

                BlockValidationState dummy;

                bool processed{chainman.ProcessNewBlockHeaders({{block->GetBlockHeader()}}, true, dummy)};

                Assert(processed);

                const auto* index{WITH_LOCK(::cs_main, return chainman.m_blockman.LookupBlockIndex(block->GetHash()))};

                Assert(index);

            }

            dirty_chainman = true;

        }

    }


    if (ActivateFuzzedSnapshot()) {

        LOCK(::cs_main);

        Assert(!chainman.ActiveChainstate().m_from_snapshot_blockhash->IsNull());

        Assert(*chainman.ActiveChainstate().m_from_snapshot_blockhash ==

               *chainman.SnapshotBlockhash());

        const auto& coinscache{chainman.ActiveChainstate().CoinsTip()};

        for (const auto& block : *g_chain) {

            Assert(coinscache.HaveCoin(COutPoint{block->vtx.at(0)->GetHash(), 0}));

            const auto* index{chainman.m_blockman.LookupBlockIndex(block->GetHash())};

            Assert(index);

            Assert(index->nTx == 0);

            if (index->nHeight == chainman.GetSnapshotBaseHeight()) {

                auto params{chainman.GetParams().AssumeutxoForHeight(index->nHeight)};

                Assert(params.has_value());

                Assert(params.value().m_chain_tx_count == index->m_chain_tx_count);

            } else {

                Assert(index->m_chain_tx_count == 0);

            }

        }

        Assert(g_chain->size() == coinscache.GetCacheSize());

        dirty_chainman = true;

    } else {

        Assert(!chainman.SnapshotBlockhash());

        Assert(!chainman.ActiveChainstate().m_from_snapshot_blockhash);

    }

    // Snapshot should refuse to load a second time regardless of validity

    Assert(!ActivateFuzzedSnapshot());

    if constexpr (INVALID) {

        // Activating the snapshot, or any other action that makes the chainman

        // "dirty" can and must not happen for the INVALID fuzz target

        Assert(!dirty_chainman);

    }

    if (dirty_chainman) {

        setup.m_node.chainman.reset();

        setup.m_make_chainman();

        setup.LoadVerifyActivateChainstate();

    }

}


// There are two fuzz targets:

//

// The target 'utxo_snapshot', which allows valid snapshots, but is slow,

// because it has to reset the chainstate manager on almost all fuzz inputs.

// Otherwise, a dirty header tree or dirty chainstate could leak from one fuzz

// input execution into the next, which makes execution non-deterministic.

//

// The target 'utxo_snapshot_invalid', which is fast and does not require any

// expensive state to be reset.

FUZZ_TARGET(utxo_snapshot /*valid*/, .init = initialize_chain<false>) { utxo_snapshot_fuzz<false>(buffer); }

FUZZ_TARGET(utxo_snapshot_invalid, .init = initialize_chain<true>) { utxo_snapshot_fuzz<true>(buffer); }


} // namespace

FuzzedDataProvider.h

gArgs
ArgsManager gArgs
Definition: args.cpp:42

block.h

blockstorage.h

CreateChainParams
std::unique_ptr< const CChainParams > CreateChainParams(const ArgsManager &args, const ChainType chain)
Creates and returns a std::unique_ptr<CChainParams> of the chosen chain.
Definition: chainparams.cpp:112

ChainType::REGTEST
@ REGTEST

check.h

Assert
#define Assert(val)
Identity function.
Definition: check.h:85

ArgsManager
Definition: args.h:99

ArgsManager::GetDataDirNet
fs::path GetDataDirNet() const
Get data directory path with appended network identifier.
Definition: args.h:234

AutoFile
Non-refcounted RAII wrapper for FILE*.
Definition: streams.h:392

BlockValidationState
Definition: validation.h:127

COutPoint
An outpoint - a combination of a transaction hash and an index n into its vout.
Definition: transaction.h:29

Coin
A UTXO entry.
Definition: coins.h:33

FuzzedDataProvider
Definition: FuzzedDataProvider.h:32

Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:98

node::SnapshotMetadata
Metadata describing a serialized version of a UTXO set from which an assumeutxo Chainstate can be con...
Definition: utxo_snapshot.h:34

uint256
256-bit opaque blob.
Definition: uint256.h:190

validation.h

consensus.h

COINBASE_MATURITY
static const int COINBASE_MATURITY
Coinbase transaction outputs can only be spent after this number of new blocks (network rule)
Definition: consensus.h:19

cs_main
RecursiveMutex cs_main
Mutex to guard access to validation specific variables, such as reading or changing the chainstate.
Definition: cs_main.cpp:8

fs.h

fuzz.h

FUZZ_TARGET
#define FUZZ_TARGET(...)
Definition: fuzz.h:35

FuzzBufferType
std::span< const uint8_t > FuzzBufferType
Definition: fuzz.h:25

bech32::Encoding::INVALID
@ INVALID
Failed decoding.

fsbridge::fopen
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:26

init
Definition: bitcoin-gui.cpp:17

transaction.h

result.h

serialize.h

WriteCompactSize
void WriteCompactSize(SizeComputer &os, uint64_t nSize)
Definition: serialize.h:1095

setup_common.h

span.h

streams.h

BasicTestingSetup::m_node
node::NodeContext m_node
Definition: setup_common.h:65

TestOpts
Definition: setup_common.h:51

TestOpts::setup_net
bool setup_net
Definition: setup_common.h:55

TestingSetup
Testing setup that configures a complete environment.
Definition: setup_common.h:120

node::NodeContext::chainman
std::unique_ptr< ChainstateManager > chainman
Definition: context.h:72

sync.h

LOCK
#define LOCK(cs)
Definition: sync.h:257

WITH_LOCK
#define WITH_LOCK(cs, code)
Run code while locking a mutex.
Definition: sync.h:301

util.h

ConsumeRandomLengthByteVector
std::vector< B > ConsumeRandomLengthByteVector(FuzzedDataProvider &fuzzed_data_provider, const std::optional< size_t > &max_length=std::nullopt) noexcept
Definition: util.h:57

CreateBlockChain
std::vector< std::shared_ptr< CBlock > > CreateBlockChain(size_t total_height, const CChainParams &params)
Create a blockchain, starting from genesis.
Definition: mining.cpp:33

mining.h

SeedRandomStateForTest
void SeedRandomStateForTest(SeedRand seedtype)
Seed the global RNG state for testing and log the seed value.
Definition: random.cpp:19

SeedRand::ZEROS
@ ZEROS
Seed with a compile time constant of zeros.

uint256.h

utxo_snapshot.h

validation.h