fuzz: Add fuzzing harness for LoadMempool(...) and DumpMempool(...) #19259

pull practicalswift wants to merge 3 commits into bitcoin:master from practicalswift:fuzzers-mempool-io changing 5 files +67 −9
  1. practicalswift commented at 2:35 PM on June 12, 2020: contributor

    Add fuzzing harness for LoadMempool(...) and DumpMempool(...).

    See doc/fuzzing.md for information on how to fuzz Bitcoin Core. Don't forget to contribute any coverage increasing inputs you find to the Bitcoin Core fuzzing corpus repo.

    Happy fuzzing :)

  2. DrahtBot added the label Build system on Jun 12, 2020
  3. DrahtBot added the label Tests on Jun 12, 2020
  4. DrahtBot added the label Validation on Jun 12, 2020
  5. practicalswift force-pushed on Jun 12, 2020
  6. MarcoFalke removed the label Build system on Jun 12, 2020
  7. MarcoFalke removed the label Validation on Jun 12, 2020
  8. DrahtBot commented at 2:51 AM on June 13, 2020: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #21380 (versionbits: Refactor and add fuzzing harness by ajtowns)
    • #21377 (Speedy trial support for versionbits by ajtowns)
    • #21244 (Move GetDataDir to ArgsManager by kiminuo)
    • #21142 (fuzz: Add tx_pool fuzz target by MarcoFalke)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  9. DrahtBot cross-referenced this on Jun 13, 2020 from issue tests: Add fuzzing harness for BanMan by practicalswift
  10. DrahtBot cross-referenced this on Jun 13, 2020 from issue net: Add regression fuzz harness for CVE-2017-18350. Add FuzzedSocket. by practicalswift
  11. DrahtBot cross-referenced this on Jun 13, 2020 from issue tests: Add fuzzing harnesses for CAutoFile, CBufferedFile, LoadExternalBlockFile and other FILE* consumers by practicalswift
  12. DrahtBot cross-referenced this on Jun 13, 2020 from issue tests: Use BasicTestingSetup to initialise fuzzing environment by practicalswift
  13. DrahtBot cross-referenced this on Jun 16, 2020 from issue fuzz: Add fuzzing harness for TorController by practicalswift
  14. practicalswift cross-referenced this on Jun 16, 2020 from issue Three UBSan warnings when loading corrupt mempool.dat files by practicalswift
  15. practicalswift cross-referenced this on Jun 22, 2020 from issue Add seeds by practicalswift
  16. rajarshimaitra cross-referenced this on Jun 25, 2020 from issue Loadmempool fuzz corpus by rajarshimaitra
  17. rajarshimaitra cross-referenced this on Jun 25, 2020 from issue Fix UBSan warnings triggered when loading corrupt mempool.dat files by rajarshimaitra
  18. DrahtBot cross-referenced this on Jun 30, 2020 from issue net: Make DNS lookup mockable, add fuzzing harness by practicalswift
  19. DrahtBot added the label Needs rebase on Jul 11, 2020
  20. practicalswift force-pushed on Jul 11, 2020
  21. DrahtBot removed the label Needs rebase on Jul 11, 2020
  22. DrahtBot cross-referenced this on Jul 11, 2020 from issue Refactor mempool.dat to be extensible, and store missing info by luke-jr
  23. DrahtBot added the label Needs rebase on Jul 18, 2020
  24. practicalswift force-pushed on Jul 18, 2020
  25. practicalswift force-pushed on Jul 18, 2020
  26. DrahtBot removed the label Needs rebase on Jul 18, 2020
  27. Crypt-iQ commented at 1:48 PM on August 18, 2020: contributor

    I know this is sort of in-progress as there are outstanding UBSan warnings, but this won't compile on my macOS v10.15.4, clang 10.0.1. Needs a rebase I think.

    Making all in src
      CXX      test/fuzz/addition_overflow-addition_overflow.o
    In file included from test/fuzz/addition_overflow.cpp:7:
    ./test/fuzz/util.h:347:13: error: no matching function for call to 'AdditionOverflow'
            if (AdditionOverflow((uint64_t)fuzzed_file->m_offset, random_bytes.size())) {
                ^~~~~~~~~~~~~~~~
    ./test/fuzz/util.h:201:16: note: candidate template ignored: deduced conflicting types for parameter 'T' ('unsigned long long' vs. 'unsigned long')
    NODISCARD bool AdditionOverflow(const T i, const T j) noexcept
                   ^
    ./test/fuzz/util.h:359:13: error: no matching function for call to 'AdditionOverflow'
            if (AdditionOverflow(fuzzed_file->m_offset, n)) {
                ^~~~~~~~~~~~~~~~
    ./test/fuzz/util.h:201:16: note: candidate template ignored: deduced conflicting types for parameter 'T' ('long long' vs. 'long')
    NODISCARD bool AdditionOverflow(const T i, const T j) noexcept
                   ^
    2 errors generated.
    make[2]: *** [test/fuzz/addition_overflow-addition_overflow.o] Error 1
    make[1]: *** [all-recursive] Error 1
    make: *** [all-recursive] Error 1
    
  28. practicalswift force-pushed on Aug 18, 2020
  29. practicalswift commented at 6:58 PM on August 18, 2020: contributor

    @Crypt-iQ Oh, thanks for letting me know. Now rebased and hopefully no compilation errors? :)

  30. Crypt-iQ commented at 2:34 AM on August 19, 2020: contributor

    @practicalswift now builds on my macOS :)

  31. MarcoFalke cross-referenced this on Sep 6, 2020 from issue Remove mempool global by MarcoFalke
  32. practicalswift force-pushed on Sep 17, 2020
  33. practicalswift commented at 1:30 PM on September 17, 2020: contributor

    Had to rebase also this one to make use of the new $(FUZZ_SUITE_LDFLAGS_COMMON).

    Review welcome :)

  34. Crypt-iQ commented at 3:25 PM on September 26, 2020: contributor

    Will review and run on DO while I figure out a better fuzzing setup!

  35. Crypt-iQ commented at 9:32 PM on October 4, 2020: contributor

    This input gives the following signed-integer-overflow on ubuntu with clang 10:

    signed-integer-overflow:

    txmempool.cpp:830:15: runtime error: signed integer overflow: -9223372036854775808 + -432345564227567616 cannot be represented in type 'long'
        #0 0x562feec1bfbb in CTxMemPool::PrioritiseTransaction(uint256 const&, long const&) /root/bitcoin/src/txmempool.cpp:830:15
        #1 0x562feed75db5 in LoadMempool(CTxMemPool&, std::function<_IO_FILE* (boost::filesystem::path const&, char const*)>) /root/bitcoin/src/validation.cpp:5074:22
        #2 0x562feebdfaf4 in test_one_input(std::vector<unsigned char, std::allocator<unsigned char> > const&) /root/bitcoin/src/test/fuzz/validation_load_mempool.cpp:37:11
        #3 0x562fefda9bd1 in LLVMFuzzerTestOneInput /root/bitcoin/src/test/fuzz/fuzz.cpp:45:5
        #4 0x562feeae5331 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/bitcoin/src/test/fuzz/validation_load_mempool+0x1a50331)
        #5 0x562feead0aa2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/bitcoin/src/test/fuzz/validation_load_mempool+0x1a3baa2)
        #6 0x562feead6556 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/bitcoin/src/test/fuzz/validation_load_mempool+0x1a41556)
        #7 0x562feeaff212 in main (/root/bitcoin/src/test/fuzz/validation_load_mempool+0x1a6a212)
        #8 0x7f6de830db96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x562feeaab149 in _start (/root/bitcoin/src/test/fuzz/validation_load_mempool+0x1a16149)

    SUMMARY: UndefinedBehaviorSanitizer: signed-integer-overflow txmempool.cpp:830:15 in


    The log is from an older commit before rebase; it occurs here. I think it happens because multiple identical transaction hashes are submitted to PrioritiseTransaction with different deltas, and then overflows due to the addition. Exact coverage of only this input run against the fuzzer here for more clarity.

  36. practicalswift commented at 7:35 PM on October 5, 2020: contributor

    @Crypt-iQ Thanks a lot for reviewing and reporting your finding. These signed integer overflows are covered in issue #19278 and fixed in PR #20089. Please consider reviewing the latter if you have time! :)

  37. DrahtBot cross-referenced this on Oct 5, 2020 from issue validation: Increase robustness when loading malformed mempool.dat files (LoadMempool) by practicalswift
  38. Crypt-iQ commented at 9:59 PM on October 11, 2020: contributor

    Currently trying to manually construct inputs that populate the mempool. Since FuzzedFileProvider is used in place of an actual file, the format is a little different and it seems the fuzzer has a hard time creating a valid transaction. The data stream is read from both the front (ConsumeBytes) and the back (ConsumeIntegralInRange). Also this fuzzer won't do anything on my Mac as _GNU_SOURCE isn't defined.
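Added example (editor's note, not part of the PR thread and not Bitcoin Core code): the two ideas raised in the comments above, an injectable fopen() so the loader can be fed in-memory bytes (the PR's mockable_fopen_function, which the harness serves through FuzzedFileProvider; in Bitcoin Core that provider is built on glibc's fopencookie(), hence the _GNU_SOURCE remark) and overflow-safe accumulation of per-txid priority deltas (the signed-integer-overflow Crypt-iQ reported), modelled in stand-alone C++. The record layout, the kMaxRecords bound and the names CheckedAdd, PriorityMap, LoadDeltas, LoadFromBytes, Accepts, BuildInput and LoadSingleDelta are all invented for this example; it uses POSIX fmemopen(), which unlike fopencookie() also exists on macOS 10.13+.

```cpp
// Added example for this thread, not Bitcoin Core code. It models (1) injecting
// the fopen() dependency as the PR's mockable_fopen_function does, served here
// from memory via POSIX fmemopen() rather than glibc-only fopencookie(), and
// (2) checked accumulation of per-txid priority deltas, so the
// INT64_MIN + (-432345564227567616) pair from the UBSan report above is
// rejected instead of being undefined behaviour. The byte layout is invented
// and is NOT mempool.dat: uint64 count, then `count` records of
// { uint8 txid[32]; int64 delta }, little-endian.
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <limits>
#include <map>
#include <optional>
#include <utility>
#include <vector>

using TxId = std::array<uint8_t, 32>;
using MockableFopen = std::function<FILE*(const char* path, const char* mode)>;
constexpr uint64_t kMaxRecords = 1000000; // example bound on the attacker-controlled count

// Signed addition that reports overflow instead of performing it (no UB).
std::optional<int64_t> CheckedAdd(int64_t a, int64_t b)
{
    if ((b > 0 && a > std::numeric_limits<int64_t>::max() - b) ||
        (b < 0 && a < std::numeric_limits<int64_t>::min() - b)) return std::nullopt;
    return a + b;
}

struct PriorityMap {
    std::map<TxId, int64_t> deltas;
    bool Prioritise(const TxId& txid, int64_t delta) // a txid may repeat: refuse rather than wrap
    {
        const auto it = deltas.find(txid);
        const std::optional<int64_t> sum = CheckedAdd(it == deltas.end() ? 0 : it->second, delta);
        if (!sum) return false;
        deltas[txid] = *sum;
        return true;
    }
};

static bool ReadLE64(FILE* f, uint64_t& out)
{
    uint8_t buf[8];
    if (std::fread(buf, 1, sizeof(buf), f) != sizeof(buf)) return false;
    out = 0;
    for (int i = 7; i >= 0; --i) out = (out << 8) | buf[i];
    return true;
}

// The loader never calls fopen() itself. False on failed open, truncation, oversized count or overflow.
bool LoadDeltas(const char* path, const MockableFopen& mockable_fopen, PriorityMap& pool)
{
    FILE* f = mockable_fopen(path, "rb");
    if (!f) return false;
    struct Closer { FILE* f; ~Closer() { std::fclose(f); } } closer{f};
    uint64_t count = 0;
    if (!ReadLE64(f, count) || count > kMaxRecords) return false;
    for (uint64_t i = 0; i < count; ++i) {
        TxId txid;
        uint64_t raw = 0;
        if (std::fread(txid.data(), 1, txid.size(), f) != txid.size() || !ReadLE64(f, raw)) return false;
        int64_t delta;
        std::memcpy(&delta, &raw, sizeof(delta)); // two's-complement reinterpretation
        if (!pool.Prioritise(txid, delta)) return false;
    }
    return true;
}

// Fuzz-style entry: hand the loader an fopen() that serves `bytes` from memory.
// fmemopen() rejects a zero-length buffer, so an empty input is a failed open.
bool LoadFromBytes(const std::vector<uint8_t>& bytes, PriorityMap& pool)
{
    std::vector<uint8_t> buf = bytes; // fmemopen() takes a non-const buffer
    const MockableFopen mock = [&buf](const char*, const char*) -> FILE* {
        return buf.empty() ? nullptr : fmemopen(buf.data(), buf.size(), "rb");
    };
    return LoadDeltas("mempool.dat", mock, pool);
}
bool Accepts(const std::vector<uint8_t>& bytes) { PriorityMap pool; return LoadFromBytes(bytes, pool); }

// Constructed inputs for the demonstration (not real data).
TxId MakeTxId(uint8_t tag) { TxId id{}; id[0] = tag; return id; }
std::vector<uint8_t> BuildInput(const std::vector<std::pair<TxId, int64_t>>& records)
{
    std::vector<uint8_t> out;
    const auto le64 = [&out](uint64_t v) { for (int i = 0; i < 8; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i))); };
    le64(records.size());
    for (const auto& [txid, delta] : records) {
        out.insert(out.end(), txid.begin(), txid.end());
        le64(static_cast<uint64_t>(delta));
    }
    return out;
}

// Accumulated delta of `txid` after loading `records`, or nullopt if the load was rejected.
std::optional<int64_t> LoadSingleDelta(const std::vector<std::pair<TxId, int64_t>>& records, const TxId& txid)
{
    PriorityMap pool;
    if (!LoadFromBytes(BuildInput(records), pool)) return std::nullopt;
    const auto it = pool.deltas.find(txid);
    if (it == pool.deltas.end()) return std::nullopt;
    return it->second;
}
```

With the exact pair from the UBSan report, INT64_MIN and -432345564227567616 for the same hash, the second Prioritise call fails and the whole load is rejected, while a well-formed input that repeats a hash accumulates normally. Two caveats a harness author hits: fmemopen() needs a non-zero buffer, so the empty fuzz input must be handled by the harness rather than the loader, and the count read from the file has to be bounded before the loop, otherwise a few bytes of input drive a near-endless read loop.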

  39. DrahtBot cross-referenced this on Oct 15, 2020 from issue tree-wide: De-globalize ChainstateManager by dongcarl
  40. Crypt-iQ commented at 9:10 PM on October 17, 2020: contributor

    Code review ACK 08afafdfbaefba6a660436a3f94730f5976e69ae

    Still in the process of testing

  41. Crypt-iQ commented at 9:52 AM on November 8, 2020: contributor

    Tested ACK 08afafdfbaefba6a660436a3f94730f5976e69ae

    Can view coverage here: https://crypt-iq.github.io/19259_review/c0c5177b_cov_run_ubuntu_3/ (The coverage above was run on a different commit, but the coverage hasn't changed since then.)

    With more cores or time or a hand-crafted input, the transactions would actually be accepted into the mempool, but my fuzzed inputs always failed tx verification after about a week straight.

  42. practicalswift cross-referenced this on Nov 10, 2020 from issue test: Mock IBD in net_processing fuzzers by MarcoFalke
  43. practicalswift cross-referenced this on Nov 16, 2020 from issue Avoid signed integer overflow and invalid integer negation when loading malformed mempool.dat files by practicalswift
  44. practicalswift renamed this:
    tests: Add fuzzing harness for LoadMempool(...) and DumpMempool(...)
    test: Add fuzzing harness for LoadMempool(...) and DumpMempool(...)
    on Nov 24, 2020
  45. practicalswift renamed this:
    test: Add fuzzing harness for LoadMempool(...) and DumpMempool(...)
    fuzz: Add fuzzing harness for LoadMempool(...) and DumpMempool(...)
    on Nov 24, 2020
  46. in src/test/fuzz/validation_load_mempool.cpp:39 in 08afafdfba outdated
      32 | +    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
      33 | +    FuzzedFileProvider fuzzed_file_provider = ConsumeFile(fuzzed_data_provider);
      34 | +    fuzzed_file_provider_ptr = &fuzzed_file_provider;
      35 | +
      36 | +    CTxMemPool pool;
      37 | +    (void)LoadMempool(pool, fuzzed_fopen);
    


    Crypt-iQ commented at 8:31 PM on November 27, 2020:

    Time could be mocked since in LoadMempool there is a call to GetTime. It could either be static or based on fuzz data. What do you think?


    practicalswift commented at 1:17 PM on December 1, 2020:

    Good point! Now fixed. Please re-review :)

  47. practicalswift force-pushed on Dec 1, 2020
  48. DrahtBot cross-referenced this on Dec 4, 2020 from issue fuzz: Link all targets once by MarcoFalke
  49. DrahtBot added the label Needs rebase on Dec 15, 2020
  50. practicalswift force-pushed on Dec 16, 2020
  51. DrahtBot removed the label Needs rebase on Dec 16, 2020
  52. DrahtBot cross-referenced this on Dec 22, 2020 from issue [Bundle 2/n] Prune g_chainman usage in mempool-related validation functions by dongcarl
  53. Crypt-iQ commented at 1:51 AM on January 8, 2021: contributor

    Tested ACK 8939196

    On arch Linux, clang-11 with UBSAN+ASAN Coverage: https://crypt-iq.github.io/19259_review/vlmcoverage_01072021/index.html

  54. DrahtBot cross-referenced this on Feb 1, 2021 from issue [Bundle 3/n] Prune remaining g_chainman usage in validation functions by dongcarl
  55. DrahtBot cross-referenced this on Feb 2, 2021 from issue build: build fuzz tests by default by danben
  56. DrahtBot added the label Needs rebase on Feb 8, 2021
  57. practicalswift force-pushed on Feb 8, 2021
  58. DrahtBot removed the label Needs rebase on Feb 8, 2021
  59. DrahtBot cross-referenced this on Feb 10, 2021 from issue fuzz: Add tx_pool fuzz target by MarcoFalke
  60. practicalswift force-pushed on Feb 11, 2021
  61. DrahtBot added the label Needs rebase on Feb 20, 2021
  62. practicalswift force-pushed on Feb 22, 2021
  63. practicalswift force-pushed on Feb 22, 2021
  64. DrahtBot removed the label Needs rebase on Feb 22, 2021
  65. DrahtBot cross-referenced this on Feb 27, 2021 from issue Move GetDataDir to ArgsManager by kiminuo
  66. practicalswift force-pushed on Mar 1, 2021
  67. practicalswift commented at 11:44 AM on March 1, 2021: contributor

    Rebase number 12 completed :)

    Now using the recently introduced MakeNoLogFileContext which wasn't around when this fuzz testing PR was submitted nine months ago.

    At nine months PR pregnancy: is this fuzz testing PR baby getting ready to meet the world (master)? :)

  68. practicalswift force-pushed on Mar 3, 2021
  69. fanquake added this to the "Blockers" column in a project

  70. DrahtBot cross-referenced this on Mar 7, 2021 from issue tests: Add fuzzing harness for versionbits by ajtowns
  71. DrahtBot cross-referenced this on Mar 9, 2021 from issue BIP 341: Add Speedy Trial activation parameters by achow101
  72. DrahtBot cross-referenced this on Mar 9, 2021 from issue Implement BIP 8 based Speedy Trial activation by achow101
  73. DrahtBot cross-referenced this on Mar 9, 2021 from issue Speedy trial support for versionbits by ajtowns
  74. DrahtBot cross-referenced this on Mar 10, 2021 from issue Refactor versionbits deployments to avoid potential uninitialized variables by achow101
  75. in src/validation.cpp:5036 in d9b0d15607 outdated
    5033 | +bool LoadMempool(CTxMemPool& pool, CChainState& active_chainstate, std::function<FILE*(const fs::path&, const char*)> mockable_fopen_function)
    5034 |  {
    5035 |      const CChainParams& chainparams = Params();
    5036 |      int64_t nExpiryTimeout = gArgs.GetArg("-mempoolexpiry", DEFAULT_MEMPOOL_EXPIRY) * 60 * 60;
    5037 | -    FILE* filestr = fsbridge::fopen(GetDataDir() / "mempool.dat", "rb");
    5038 | +    FILE* filestr = mockable_fopen_function(GetDataDir() / "mempool.dat", "rb");
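    Review bot: `mockable_fopen_function` is a `std::function` taken by value and invoked once; `const std::function<FILE*(const fs::path&, const char*)>&` would avoid the copy and match the by-reference style of the other parameters (`CTxMemPool& pool`, `CChainState& active_chainstate`). Note also that the path stays hard-coded to `GetDataDir() / "mempool.dat"`, so the injected function controls only the file contents, not its location; worth stating in the header comment so harness authors do not expect to redirect the path.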
    


    jonatack commented at 6:39 PM on March 11, 2021:

    style nit, while touching this line, can update to braced initialization (same for line 5140)

    -    FILE* filestr = mockable_fopen_function(GetDataDir() / "mempool.dat", "rb");
    +    FILE* filestr{mockable_fopen_function(GetDataDir() / "mempool.dat", "rb")};
    
  76. in src/test/fuzz/util.h:265 in d9b0d15607 outdated
     259 | @@ -260,6 +260,16 @@ void SetFuzzedErrNo(FuzzedDataProvider& fuzzed_data_provider, const std::array<T
     260 |      errno = fuzzed_data_provider.PickValueInArray(errnos);
     261 |  }
     262 |  
     263 | +/*
     264 | + * Sets a fuzzed errno in the range [0, 133 (EHWPOISON)]. Can be used from functions emulating
     265 | + * standard library functions that sets errno, or in other contexts where the value of errno
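    Review bot: the stated range `[0, 133 (EHWPOISON)]` is platform-specific: `EHWPOISON` is 133 on x86 Linux, other Linux architectures number errno differently, and macOS and the BSDs have no `EHWPOISON` at all, so the comment should say which platform's numbering it means or describe the range without the constant. Also, if the block is meant to be picked up as documentation, open it with `/**` rather than `/*`.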
    


    jonatack commented at 6:40 PM on March 11, 2021:
     * standard library functions that set errno, or in other contexts where the value of errno
    
  77. jonatack commented at 6:51 PM on March 11, 2021: contributor

    Light code review ACK d9b0d15607167cbfef52bcc73b964f1201b71796 and ran the fuzzer

    $ FUZZ=validation_load_mempool src/test/fuzz/fuzz 
    INFO: Seed: 2149651356
    INFO: Loaded 1 modules   (643553 inline 8-bit counters): 643553 [0x5603d1a48d48, 0x5603d1ae5f29), 
    INFO: Loaded 1 PC tables (643553 PCs): 643553 [0x5603d1ae5f30,0x5603d24b7d40), 
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    #2	INITED cov: 2470 ft: 2469 corp: 1/1b exec/s: 0 rss: 194Mb
    #5	NEW    cov: 2470 ft: 2476 corp: 2/5b lim: 4 exec/s: 0 rss: 194Mb L: 4/4 MS: 3 CopyPart-CopyPart-CrossOver-
    #8	NEW    cov: 2470 ft: 2483 corp: 3/7b lim: 4 exec/s: 0 rss: 195Mb L: 2/4 MS: 3 ChangeByte-ChangeBit-CopyPart-
    .../...
    #3035373	REDUCE cov: 12335 ft: 46498 corp: 1039/729Kb lim: 4096 exec/s: 1489 rss: 518Mb L: 1711/4096 MS: 2 ChangeByte-EraseBytes-
    #3036089	REDUCE cov: 12335 ft: 46498 corp: 1039/729Kb lim: 4096 exec/s: 1489 rss: 518Mb L: 132/4096 MS: 1 EraseBytes-
    #3036186	REDUCE cov: 12335 ft: 46498 corp: 1039/729Kb lim: 4096 exec/s: 1489 rss: 518Mb L: 291/4096 MS: 2 ChangeByte-EraseBytes-
    

    I'm not sure if there is a recent regression (unrelated to this patch) in our fuzzing utils or in a recent apt update on Debian testing or if I'm just doing something wrong, but like with the I2P fuzzing PR, I'm seeing OOM with qa-assets.

    <details><summary>fuzz output</summary><p>

    $ FUZZ=validation_load_mempool src/test/fuzz/fuzz ../qa-assets/fuzz_seed_corpus
    INFO: Seed: 158284216
    INFO: Loaded 1 modules   (643553 inline 8-bit counters): 643553 [0x5590b92c0d48, 0x5590b935df29), 
    INFO: Loaded 1 PC tables (643553 PCs): 643553 [0x5590b935df30,0x5590b9d2fd40), 
    INFO:   237105 files found in ../qa-assets/fuzz_seed_corpus
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
    INFO: seed corpus: files: 237105 min: 1b max: 3986616b total: 4147898382b rss: 380Mb
    #4096	pulse  cov: 2471 ft: 2489 corp: 5/15b exec/s: 2048 rss: 497Mb
    #8192	pulse  cov: 2513 ft: 2578 corp: 14/83b exec/s: 2048 rss: 589Mb
    #16384	pulse  cov: 2712 ft: 3173 corp: 23/175b exec/s: 2730 rss: 655Mb
    #32768	pulse  cov: 2715 ft: 3207 corp: 32/307b exec/s: 2978 rss: 681Mb
    #65536	pulse  cov: 4935 ft: 6993 corp: 42/695b exec/s: 3120 rss: 681Mb
    #131072	pulse  cov: 5699 ft: 12269 corp: 53/1944b exec/s: 3196 rss: 681Mb
    ==13249== ERROR: libFuzzer: out-of-memory (used: 2160Mb; limit: 2048Mb)
       To change the out-of-memory limit use -rss_limit_mb=<N>
    
    Live Heap Allocations: 93237649 bytes in 253456 chunks; quarantined: 249855423 bytes in 15591 chunks; 1526469 other chunks; total chunks: 1795516; showing top 95% (at most 8 unique contexts)
    22440640 byte(s) (24%) in 237105 allocation(s)
        #0 0x5590b517660d in malloc (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d5760d)
        #1 0x5590b5088ef7 in operator new(unsigned long) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c69ef7)
        #2 0x5590b50a0bbc in fuzzer::ReadCorpora(std::Fuzzer::vector<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> > > > const&, std::Fuzzer::vector<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> > > > const&) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c81bbc)
        #3 0x5590b50a0782 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c81782)
        #4 0x5590b50c9c22 in main (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2caac22)
        #5 0x7ff6cc2bbd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    
    21499328 byte(s) (23%) in 12 allocation(s)
        #0 0x5590b517660d in malloc (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d5760d)
        #1 0x5590b5088ef7 in operator new(unsigned long) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c69ef7)
        #2 0x5590b50c9c22 in main (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2caac22)
        #3 0x7ff6cc2bbd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    
    16777216 byte(s) (17%) in 1 allocation(s)
        #0 0x5590b51a5d4d in operator new(unsigned long) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d86d4d)
        #1 0x5590b52a03b5 in __gnu_cxx::new_allocator<uint256>::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
        #2 0x5590b52a03b5 in std::allocator_traits<std::allocator<uint256> >::allocate(std::allocator<uint256>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
        #3 0x5590b52a03b5 in std::_Vector_base<uint256, std::allocator<uint256> >::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
        #4 0x5590b5bb7d1a in std::vector<uint256, std::allocator<uint256> >::_M_default_append(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:635:34
        #5 0x5590b5bb7872 in std::vector<uint256, std::allocator<uint256> >::resize(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:940:4
        #6 0x5590b5bb70c3 in CuckooCache::cache<uint256, SignatureCacheHasher>::setup(unsigned int) /home/jon/projects/bitcoin/bitcoin/src/./cuckoocache.h:344:15
        #7 0x5590b5ddce16 in CuckooCache::cache<uint256, SignatureCacheHasher>::setup_bytes(unsigned long) /home/jon/projects/bitcoin/bitcoin/src/./cuckoocache.h:368:16
        #8 0x5590b5ddce16 in InitScriptExecutionCache() /home/jon/projects/bitcoin/bitcoin/src/validation.cpp:1468:44
        #9 0x5590b64f7a5f in BasicTestingSetup::BasicTestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/test/util/setup_common.cpp:110:5
        #10 0x5590b64f9599 in ChainTestingSetup::ChainTestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/test/util/setup_common.cpp:130:7
        #11 0x5590b64fbd3f in TestingSetup::TestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/test/util/setup_common.cpp:169:7
        #12 0x5590b52e7bf7 in std::_MakeUniq<TestingSetup const>::__single_object std::make_unique<TestingSetup const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/unique_ptr.h:962:34
        #13 0x5590b52dde12 in std::unique_ptr<TestingSetup const, std::default_delete<TestingSetup const> > MakeNoLogFileContext<TestingSetup const>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/./test/util/setup_common.h:170:12
        #14 0x5590b5665353 in initialize_validation_load_mempool() /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/validation_load_mempool.cpp:28:39
        #15 0x5590b51ac91c in void std::__invoke_impl<void, void (*&)()>(std::__invoke_other, void (*&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
        #16 0x5590b51ac91c in std::enable_if<is_invocable_r_v<void, void (*&)()>, void>::type std::__invoke_r<void, void (*&)()>(void (*&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:110:2
        #17 0x5590b51ac91c in std::_Function_handler<void (), void (*)()>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
        #18 0x5590b579287c in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
        #19 0x5590b6b2b312 in initialize() /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz.cpp:44:5
        #20 0x5590b6b2c84d in LLVMFuzzerInitialize /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz.cpp:70:5
        #21 0x5590b509e9bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c7f9bc)
        #22 0x5590b50c9c22 in main (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2caac22)
        #23 0x7ff6cc2bbd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    
    16777216 byte(s) (17%) in 1 allocation(s)
        #0 0x5590b51a5d4d in operator new(unsigned long) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d86d4d)
        #1 0x5590b52a03b5 in __gnu_cxx::new_allocator<uint256>::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
        #2 0x5590b52a03b5 in std::allocator_traits<std::allocator<uint256> >::allocate(std::allocator<uint256>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
        #3 0x5590b52a03b5 in std::_Vector_base<uint256, std::allocator<uint256> >::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
        #4 0x5590b5bb7d1a in std::vector<uint256, std::allocator<uint256> >::_M_default_append(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:635:34
        #5 0x5590b5bb7872 in std::vector<uint256, std::allocator<uint256> >::resize(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:940:4
        #6 0x5590b5bb70c3 in CuckooCache::cache<uint256, SignatureCacheHasher>::setup(unsigned int) /home/jon/projects/bitcoin/bitcoin/src/./cuckoocache.h:344:15
        #7 0x5590b5bb4862 in CuckooCache::cache<uint256, SignatureCacheHasher>::setup_bytes(unsigned long) /home/jon/projects/bitcoin/bitcoin/src/./cuckoocache.h:368:16
        #8 0x5590b5bb4862 in (anonymous namespace)::CSignatureCache::setup_bytes(unsigned long) /home/jon/projects/bitcoin/bitcoin/src/script/sigcache.cpp:80:25
        #9 0x5590b5bb4862 in InitSignatureCache() /home/jon/projects/bitcoin/bitcoin/src/script/sigcache.cpp:100:36
        #10 0x5590b64f7a4f in BasicTestingSetup::BasicTestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/test/util/setup_common.cpp:109:5
        #11 0x5590b64f9599 in ChainTestingSetup::ChainTestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/test/util/setup_common.cpp:130:7
        #12 0x5590b64fbd3f in TestingSetup::TestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/test/util/setup_common.cpp:169:7
        #13 0x5590b52e7bf7 in std::_MakeUniq<TestingSetup const>::__single_object std::make_unique<TestingSetup const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/unique_ptr.h:962:34
        #14 0x5590b52dde12 in std::unique_ptr<TestingSetup const, std::default_delete<TestingSetup const> > MakeNoLogFileContext<TestingSetup const>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/./test/util/setup_common.h:170:12
        #15 0x5590b5665353 in initialize_validation_load_mempool() /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/validation_load_mempool.cpp:28:39
        #16 0x5590b51ac91c in void std::__invoke_impl<void, void (*&)()>(std::__invoke_other, void (*&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
        #17 0x5590b51ac91c in std::enable_if<is_invocable_r_v<void, void (*&)()>, void>::type std::__invoke_r<void, void (*&)()>(void (*&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:110:2
        #18 0x5590b51ac91c in std::_Function_handler<void (), void (*)()>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
        #19 0x5590b579287c in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
        #20 0x5590b6b2b312 in initialize() /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz.cpp:44:5
        #21 0x5590b6b2c84d in LLVMFuzzerInitialize /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz.cpp:70:5
        #22 0x5590b509e9bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c7f9bc)
        #23 0x5590b50c9c22 in main (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2caac22)
        #24 0x7ff6cc2bbd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    
    8388608 byte(s) (8%) in 1 allocation(s)
        [#0](/github-metadata-backup-bitcoin-bitcoin/0/) 0x5590b517660d in malloc (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d5760d)
        [#1](/github-metadata-backup-bitcoin-bitcoin/1/) 0x5590b5088ef7 in operator new(unsigned long) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c69ef7)
        [#2](/github-metadata-backup-bitcoin-bitcoin/2/) 0x5590b50ac917 in fuzzer::GetSizedFilesFromDir(std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> > const&, std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >*) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c8d917)
        [#3](/github-metadata-backup-bitcoin-bitcoin/3/) 0x5590b50a0bbc in fuzzer::ReadCorpora(std::Fuzzer::vector<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> > > > const&, std::Fuzzer::vector<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::Fuzzer::basic_string<char, std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> > > > const&) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c81bbc)
        [#4](/github-metadata-backup-bitcoin-bitcoin/4/) 0x5590b50a0782 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c81782)
        [#5](/github-metadata-backup-bitcoin-bitcoin/5/) 0x5590b50c9c22 in main (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2caac22)
        [#6](/github-metadata-backup-bitcoin-bitcoin/6/) 0x7ff6cc2bbd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    
    1294000 byte(s) (1%) in 1 allocation(s)
        [#0](/github-metadata-backup-bitcoin-bitcoin/0/) 0x5590b51a5d4d in operator new(unsigned long) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d86d4d)
        [#1](/github-metadata-backup-bitcoin-bitcoin/1/) 0x5590b5376cf5 in __gnu_cxx::new_allocator<unsigned long>::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
        [#2](/github-metadata-backup-bitcoin-bitcoin/2/) 0x5590b5376cf5 in std::allocator_traits<std::allocator<unsigned long> >::allocate(std::allocator<unsigned long>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
        [#3](/github-metadata-backup-bitcoin-bitcoin/3/) 0x5590b5376cf5 in std::_Vector_base<unsigned long, std::allocator<unsigned long> >::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
        [#4](/github-metadata-backup-bitcoin-bitcoin/4/) 0x5590b60f606b in std::vector<unsigned long, std::allocator<unsigned long> >::_M_default_append(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:635:34
        [#5](/github-metadata-backup-bitcoin-bitcoin/5/) 0x5590b60f3042 in std::vector<unsigned long, std::allocator<unsigned long> >::resize(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:940:4
        [#6](/github-metadata-backup-bitcoin-bitcoin/6/) 0x5590b60f2c2b in CRollingBloomFilter::CRollingBloomFilter(unsigned int, double) /home/jon/projects/bitcoin/bitcoin/src/bloom.cpp:196:10
        [#7](/github-metadata-backup-bitcoin-bitcoin/7/) 0x5590b66056cb in (anonymous namespace)::PeerManagerImpl::PeerManagerImpl(CChainParams const&, CConnman&, BanMan*, CScheduler&, ChainstateManager&, CTxMemPool&, bool) /home/jon/projects/bitcoin/bitcoin/src/net_processing.cpp:1229:29
        [#8](/github-metadata-backup-bitcoin-bitcoin/8/) 0x5590b66056cb in std::_MakeUniq<(anonymous namespace)::PeerManagerImpl>::__single_object std::make_unique<(anonymous namespace)::PeerManagerImpl, CChainParams const&, CConnman&, BanMan*&, CScheduler&, ChainstateManager&, CTxMemPool&, bool&>(CChainParams const&, CConnman&, BanMan*&, CScheduler&, ChainstateManager&, CTxMemPool&, bool&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/unique_ptr.h:962:34
        [#9](/github-metadata-backup-bitcoin-bitcoin/9/) 0x5590b660412f in PeerManager::make(CChainParams const&, CConnman&, BanMan*, CScheduler&, ChainstateManager&, CTxMemPool&, bool) /home/jon/projects/bitcoin/bitcoin/src/net_processing.cpp:1213:12
        [#10](/github-metadata-backup-bitcoin-bitcoin/10/) 0x5590b64fc949 in TestingSetup::TestingSetup(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/test/util/setup_common.cpp:193:22
        [#11](/github-metadata-backup-bitcoin-bitcoin/11/) 0x5590b52e7bf7 in std::_MakeUniq<TestingSetup const>::__single_object std::make_unique<TestingSetup const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/unique_ptr.h:962:34
        [#12](/github-metadata-backup-bitcoin-bitcoin/12/) 0x5590b52dde12 in std::unique_ptr<TestingSetup const, std::default_delete<TestingSetup const> > MakeNoLogFileContext<TestingSetup const>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<char const*, std::allocator<char const*> > const&) /home/jon/projects/bitcoin/bitcoin/src/./test/util/setup_common.h:170:12
        [#13](/github-metadata-backup-bitcoin-bitcoin/13/) 0x5590b5665353 in initialize_validation_load_mempool() /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/validation_load_mempool.cpp:28:39
        [#14](/github-metadata-backup-bitcoin-bitcoin/14/) 0x5590b51ac91c in void std::__invoke_impl<void, void (*&)()>(std::__invoke_other, void (*&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
        [#15](/github-metadata-backup-bitcoin-bitcoin/15/) 0x5590b51ac91c in std::enable_if<is_invocable_r_v<void, void (*&)()>, void>::type std::__invoke_r<void, void (*&)()>(void (*&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:110:2
        [#16](/github-metadata-backup-bitcoin-bitcoin/16/) 0x5590b51ac91c in std::_Function_handler<void (), void (*)()>::_M_invoke(std::_Any_data const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:291:9
        [#17](/github-metadata-backup-bitcoin-bitcoin/17/) 0x5590b579287c in std::function<void ()>::operator()() const /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/std_function.h:622:14
        [#18](/github-metadata-backup-bitcoin-bitcoin/18/) 0x5590b6b2b312 in initialize() /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz.cpp:44:5
        [#19](/github-metadata-backup-bitcoin-bitcoin/19/) 0x5590b6b2c84d in LLVMFuzzerInitialize /home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz.cpp:70:5
        [#20](/github-metadata-backup-bitcoin-bitcoin/20/) 0x5590b509e9bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c7f9bc)
        [#21](/github-metadata-backup-bitcoin-bitcoin/21/) 0x5590b50c9c22 in main (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2caac22)
        [#22](/github-metadata-backup-bitcoin-bitcoin/22/) 0x7ff6cc2bbd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    
    1049024 byte(s) (1%) in 2 allocation(s)
        [#0](/github-metadata-backup-bitcoin-bitcoin/0/) 0x5590b517660d in malloc (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d5760d)
        [#1](/github-metadata-backup-bitcoin-bitcoin/1/) 0x5590b6d71072 in checked_malloc /home/jon/projects/bitcoin/bitcoin/src/secp256k1/./src/util.h:92:17
        [#2](/github-metadata-backup-bitcoin-bitcoin/2/) 0x5590b6d71072 in secp256k1_context_create /home/jon/projects/bitcoin/bitcoin/src/secp256k1/src/secp256k1.c:153:50
    
    1048576 byte(s) (1%) in 1 allocation(s)
        [#0](/github-metadata-backup-bitcoin-bitcoin/0/) 0x5590b517660d in malloc (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2d5760d)
        [#1](/github-metadata-backup-bitcoin-bitcoin/1/) 0x5590b5088ef7 in operator new(unsigned long) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c69ef7)
        [#2](/github-metadata-backup-bitcoin-bitcoin/2/) 0x5590b50b2669 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c93669)
        [#3](/github-metadata-backup-bitcoin-bitcoin/3/) 0x5590b50a07d8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2c817d8)
        [#4](/github-metadata-backup-bitcoin-bitcoin/4/) 0x5590b50c9c22 in main (/home/jon/projects/bitcoin/bitcoin/src/test/fuzz/fuzz+0x2caac22)
        [#5](/github-metadata-backup-bitcoin-bitcoin/5/) 0x7ff6cc2bbd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09)
    
    MS: 0 ; base unit: 0000000000000000000000000000000000000000
    
    
    artifact_prefix='./'; Test unit written to ./oom-da39a3ee5e6b4b0d3255bfef95601890afd80709
    Base64: 
    SUMMARY: libFuzzer: out-of-memory
    

    </p></details>

  78. tests: Set errno in FuzzedFileProvider. Implement seek(..., ..., SEEK_END). af322c7494
  79. validation: Make DumpMempool(...) and LoadMempool(...) easier to test/fuzz/mock 91af6b97c9
  80. practicalswift force-pushed on Mar 11, 2021
  81. practicalswift commented at 10:46 PM on March 11, 2021: contributor

    @jonatack

    Thanks a lot for reviewing!

    All feedback addressed (+ added using FopenFn for readability): this PR should hopefully be ready for final review :)

  82. Crypt-iQ commented at 1:23 PM on March 12, 2021: contributor

    @jonatack libfuzzer is in-process fuzzing with an in-memory corpus, and I have noticed on my Arch box that more inputs and larger inputs will make rss increase significantly. In the crash log, I notice that the max length for inputs is 1MB. Just a thought.

  83. jonatack commented at 1:35 PM on March 12, 2021: contributor

    @Crypt-iQ yes, for me this is a new issue (after a couple years of testing fuzz patches on this project) and only with qa-assets.

  84. jonatack commented at 3:06 PM on March 12, 2021: contributor

    re-ACK f00061202867dd965fe8ca51253d1600776f8ab0 per git range-diff e0bc27a d9b0d15 f000612, looked over the changes again, fuzz build + ran fuzzer, debug non-fuzz build + ran/halted bitcoind a couple times on mainnet/signet, loading/dumping mempool seemed nominal

    Thanks for adding the FopenFn type alias. It's a nice improvement.

  85. in src/test/fuzz/validation_load_mempool.cpp:24 in f000612028 outdated
      19 | +
      20 | +FILE* fuzzed_fopen(const fs::path&, const char*)
      21 | +{
      22 | +    return fuzzed_file_provider_ptr->open();
      23 | +}
      24 | +} // namespace
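    Review bot: `fuzzed_fopen` dereferences the namespace-scope `fuzzed_file_provider_ptr` without a null check, so any call to `open()` that happens while the pointer is unset (before the harness assigns it, or after it resets it) is a null dereference in the harness itself rather than a finding about `LoadMempool`. Capturing the `FuzzedFileProvider` by reference in a lambda declared next to the `LoadMempool` call, as the comment below suggests, removes both the global and the ordering dependency.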
    


    MarcoFalke commented at 3:28 PM on March 12, 2021:

    Could avoid this namespace by making fuzzed_fopen a lambda with smallest scope possible?


    practicalswift commented at 3:49 PM on March 15, 2021:

    Good point! Now addressed.

  86. in src/test/fuzz/validation_load_mempool.cpp:32 in f000612028 outdated
      34 | +    SetMockTime(ConsumeTime(fuzzed_data_provider));
      35 | +    FuzzedFileProvider fuzzed_file_provider = ConsumeFile(fuzzed_data_provider);
      36 | +    fuzzed_file_provider_ptr = &fuzzed_file_provider;
      37 | +
      38 | +    CTxMemPool pool{};
      39 | +    (void)LoadMempool(pool, ::ChainstateActive(), fuzzed_fopen);
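    Review bot: `fuzzed_file_provider_ptr = &fuzzed_file_provider;` stores the address of a function-local `FuzzedFileProvider` in a namespace-scope pointer that outlives the object, so the harness must reset the pointer on every return path or the next fuzz iteration inherits a dangling pointer; the hunk ends before any such reset is visible, and a lambda capturing `fuzzed_file_provider` by reference would make that invariant unnecessary. Separately, the `(void)` on `LoadMempool(...)` means a rejected mempool file is treated as just another path, which is fine for a fuzz target but deserves a one-line comment so the next reader does not take it for an oversight.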
    


    MarcoFalke commented at 3:32 PM on March 12, 2021:

    would be nice to not introduce a new global


    practicalswift commented at 3:49 PM on March 15, 2021:

    Good point! Now addressed.


    MarcoFalke commented at 5:56 PM on March 15, 2021:

    Not addressed?

    nvm. @dongcarl will fix this :grimacing:


    practicalswift commented at 6:46 PM on March 15, 2021:

    I thought you meant the introduction of fuzzed_fopen? What did you mean? :)


    MarcoFalke commented at 7:25 PM on March 15, 2021:

    Oh, the ::ChainstateActive()
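    The pattern the thread settles on, as an added example that is not code from this PR or from Bitcoin Core: a loader takes its file opener as a callable (`FopenFn`, the alias the PR introduces) so a harness can inject an in-memory `FILE*` through a lambda of minimal scope instead of a namespace-scope pointer. `LoadRecords`, `RunHarness` and the record format are constructed for illustration.

    ```cpp
    // Added example (not code from bitcoin/bitcoin): inject the file opener as a
    // callable so a loader can be driven from an in-memory buffer. The names
    // LoadRecords, RunHarness and the record format below are constructed here.
    #include <cstdint>
    #include <cstdio>
    #include <functional>
    #include <string>
    #include <vector>

    // Same shape as the PR's FopenFn: (path, mode) -> FILE*.
    using FopenFn = std::function<FILE*(const std::string& path, const char* mode)>;

    // Constructed format: 1 version byte (must be 1), 1 count byte, then `count`
    // 4-byte little-endian values. Returns false and clears `out` on a bad
    // version, a failed open, or a short read (truncated fuzz inputs hit this).
    bool LoadRecords(std::vector<uint32_t>& out, FopenFn mockable_fopen)
    {
        FILE* f = mockable_fopen("records.dat", "rb");
        if (f == nullptr) return false;
        uint8_t header[2];
        bool ok = fread(header, 1, 2, f) == 2 && header[0] == 1;
        for (uint8_t i = 0; ok && i < header[1]; ++i) {
            uint8_t b[4];
            if (fread(b, 1, 4, f) != 4) { ok = false; break; }
            out.push_back(uint32_t{b[0]} | uint32_t{b[1]} << 8 |
                          uint32_t{b[2]} << 16 | uint32_t{b[3]} << 24);
        }
        fclose(f);
        if (!ok) out.clear();
        return ok;
    }

    // One fuzz-style iteration. The opener is a lambda capturing the per-iteration
    // buffer by reference; lambda and buffer go out of scope together, so nothing
    // dangles into the next iteration and no global pointer is needed.
    // Returns the number of records loaded, or -1 when the loader rejects input.
    int RunHarness(const std::vector<uint8_t>& buffer)
    {
        std::vector<uint8_t> data = buffer; // fmemopen wants non-const storage
        auto fuzzed_fopen = [&](const std::string&, const char* mode) -> FILE* {
            if (data.empty()) return nullptr; // model a failed open()
            return fmemopen(data.data(), data.size(), mode);
        };
        std::vector<uint32_t> records;
        if (!LoadRecords(records, fuzzed_fopen)) return -1;
        return static_cast<int>(records.size());
    }
    ```
    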

  87. tests: Add fuzzing harness for LoadMempool(...) and DumpMempool(...) 68afd3eeec
  88. practicalswift force-pushed on Mar 15, 2021
  89. jonatack commented at 5:22 PM on March 15, 2021: contributor

    Tested re-ACK 68afd3eeec27a270765ad26cd62d87cd0935e99f

    Nice improvement.

    <details><summary><code>git diff f000612 68afd3e</code></summary><p>

    diff --git a/src/test/fuzz/validation_load_mempool.cpp b/src/test/fuzz/validation_load_mempool.cpp
    index 97e705ef30..e1a21b6c53 100644
    --- a/src/test/fuzz/validation_load_mempool.cpp
    +++ b/src/test/fuzz/validation_load_mempool.cpp
    @@ -14,15 +14,6 @@
     #include <cstdint>
     #include <vector>
     
    -namespace {
    -FuzzedFileProvider* fuzzed_file_provider_ptr = nullptr;
    -
    -FILE* fuzzed_fopen(const fs::path&, const char*)
    -{
    -    return fuzzed_file_provider_ptr->open();
    -}
    -} // namespace
    -
     void initialize_validation_load_mempool()
     {
         static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
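    Review bot: Dropping the anonymous namespace removes the raw-pointer global that `fuzzed_fopen` dereferenced without a null check, so the harness no longer has an ordering dependency between assigning `fuzzed_file_provider_ptr` and the first `open()`. The only persistent state left in this region is the `static const auto testing_setup` in `initialize_validation_load_mempool`, which is shared across iterations by design; it is worth keeping that the sole process-wide object in this file.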
    @@ -33,11 +24,11 @@ FUZZ_TARGET_INIT(validation_load_mempool, initialize_validation_load_mempool)
         FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
         SetMockTime(ConsumeTime(fuzzed_data_provider));
         FuzzedFileProvider fuzzed_file_provider = ConsumeFile(fuzzed_data_provider);
    -    fuzzed_file_provider_ptr = &fuzzed_file_provider;
     
         CTxMemPool pool{};
    +    auto fuzzed_fopen = [&](const fs::path&, const char*) {
    +        return fuzzed_file_provider.open();
    +    };
         (void)LoadMempool(pool, ::ChainstateActive(), fuzzed_fopen);
         (void)DumpMempool(pool, fuzzed_fopen, true);
    -
    -    fuzzed_file_provider_ptr = nullptr;
     }
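    Review bot: The `[&]` lambda captures `fuzzed_file_provider` by reference and is only handed to `LoadMempool` and `DumpMempool`, both of which return before the lambda and the provider leave scope, so the lifetime is sound and the trailing `fuzzed_file_provider_ptr = nullptr;` reset is rightly gone. Both results are still discarded with `(void)`, so a `LoadMempool` that rejects the fuzzed file flows straight into `DumpMempool(pool, fuzzed_fopen, true)` with whatever was loaded before the failure; that is acceptable coverage for a fuzz target, but a short comment saying failed loads are an intended path would help. `::ChainstateActive()` remains a global access, as noted in the review thread.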
    

    </p></details>

  90. MarcoFalke merged this on Mar 15, 2021
  91. MarcoFalke closed this on Mar 15, 2021

  92. fanquake removed this from the "Blockers" column in a project

  93. sidhujag referenced this in commit 800e038062 on Mar 16, 2021
  94. practicalswift deleted the branch on Apr 10, 2021
  95. bitcoin locked this on Aug 16, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-20 06:54 UTC