util.h
1 // Copyright (c) 2009-present The Bitcoin Core developers 2 // Distributed under the MIT software license, see the accompanying 3 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 4 5 #ifndef BITCOIN_TEST_FUZZ_UTIL_H 6 #define BITCOIN_TEST_FUZZ_UTIL_H 7 8 #include <addresstype.h> 9 #include <arith_uint256.h> 10 #include <coins.h> 11 #include <compat/compat.h> 12 #include <consensus/amount.h> 13 #include <consensus/consensus.h> 14 #include <key.h> 15 #include <merkleblock.h> 16 #include <primitives/transaction.h> 17 #include <script/script.h> 18 #include <serialize.h> 19 #include <streams.h> 20 #include <test/fuzz/FuzzedDataProvider.h> 21 #include <test/fuzz/fuzz.h> 22 #include <uint256.h> 23 24 #include <algorithm> 25 #include <array> 26 #include <cstdint> 27 #include <cstdio> 28 #include <optional> 29 #include <string> 30 #include <vector> 31 32 class PeerManager; 33 34 template <typename... Callables> 35 size_t CallOneOf(FuzzedDataProvider& fuzzed_data_provider, Callables... callables) 36 { 37 constexpr size_t call_size{sizeof...(callables)}; 38 static_assert(call_size >= 1); 39 const size_t call_index{fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, call_size - 1)}; 40 41 size_t i{0}; 42 ((i++ == call_index ? callables() : void()), ...); 43 return call_size; 44 } 45 46 template <typename Collection> 47 auto& PickValue(FuzzedDataProvider& fuzzed_data_provider, Collection& col) 48 { 49 auto sz{col.size()}; 50 assert(sz >= 1); 51 auto it = col.begin(); 52 std::advance(it, fuzzed_data_provider.ConsumeIntegralInRange<decltype(sz)>(0, sz - 1)); 53 return *it; 54 } 55 56 template<typename B = uint8_t> 57 [[nodiscard]] inline std::vector<B> ConsumeRandomLengthByteVector(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt) noexcept 58 { 59 static_assert(sizeof(B) == 1); 60 const std::string s = max_length ? 61 fuzzed_data_provider.ConsumeRandomLengthString(*max_length) : 62 fuzzed_data_provider.ConsumeRandomLengthString(); 63 std::vector<B> ret(s.size()); 64 std::copy(s.begin(), s.end(), reinterpret_cast<char*>(ret.data())); 65 return ret; 66 } 67 68 [[nodiscard]] inline DataStream ConsumeDataStream(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt) noexcept 69 { 70 return DataStream{ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length)}; 71 } 72 73 [[nodiscard]] inline std::vector<std::string> ConsumeRandomLengthStringVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_vector_size = 16, const size_t max_string_length = 16) noexcept 74 { 75 const size_t n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size); 76 std::vector<std::string> r; 77 r.reserve(n_elements); 78 for (size_t i = 0; i < n_elements; ++i) { 79 r.push_back(fuzzed_data_provider.ConsumeRandomLengthString(max_string_length)); 80 } 81 return r; 82 } 83 84 template <typename T> 85 [[nodiscard]] inline std::vector<T> ConsumeRandomLengthIntegralVector(FuzzedDataProvider& fuzzed_data_provider, const size_t max_vector_size = 16) noexcept 86 { 87 const size_t n_elements = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, max_vector_size); 88 std::vector<T> r; 89 r.reserve(n_elements); 90 for (size_t i = 0; i < n_elements; ++i) { 91 r.push_back(fuzzed_data_provider.ConsumeIntegral<T>()); 92 } 93 return r; 94 } 95 96 template <typename P> 97 [[nodiscard]] P ConsumeDeserializationParams(FuzzedDataProvider& fuzzed_data_provider) noexcept; 98 99 template <typename T, typename P> 100 [[nodiscard]] std::optional<T> ConsumeDeserializable(FuzzedDataProvider& fuzzed_data_provider, const P& params, const std::optional<size_t>& max_length = std::nullopt) noexcept 101 { 102 const std::vector<uint8_t> buffer{ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length)}; 103 SpanReader ds{buffer}; 104 T obj; 105 try { 106 ds >> params(obj); 107 } catch (const std::ios_base::failure&) { 108 return std::nullopt; 109 } 110 return obj; 111 } 112 113 template <typename T> 114 [[nodiscard]] inline std::optional<T> ConsumeDeserializable(FuzzedDataProvider& fuzzed_data_provider, const std::optional<size_t>& max_length = std::nullopt) noexcept 115 { 116 const std::vector<uint8_t> buffer = ConsumeRandomLengthByteVector(fuzzed_data_provider, max_length); 117 SpanReader ds{buffer}; 118 T obj; 119 try { 120 ds >> obj; 121 } catch (const std::ios_base::failure&) { 122 return std::nullopt; 123 } 124 return obj; 125 } 126 127 template <typename WeakEnumType, size_t size> 128 [[nodiscard]] WeakEnumType ConsumeWeakEnum(FuzzedDataProvider& fuzzed_data_provider, const WeakEnumType (&all_types)[size]) noexcept 129 { 130 return fuzzed_data_provider.ConsumeBool() ? 131 fuzzed_data_provider.PickValueInArray<WeakEnumType>(all_types) : 132 WeakEnumType(fuzzed_data_provider.ConsumeIntegral<std::underlying_type_t<WeakEnumType>>()); 133 } 134 135 [[nodiscard]] inline opcodetype ConsumeOpcodeType(FuzzedDataProvider& fuzzed_data_provider) noexcept 136 { 137 return static_cast<opcodetype>(fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(0, MAX_OPCODE)); 138 } 139 140 [[nodiscard]] CAmount ConsumeMoney(FuzzedDataProvider& fuzzed_data_provider, const std::optional<CAmount>& max = std::nullopt) noexcept; 141 142 [[nodiscard]] NodeSeconds ConsumeTime(FuzzedDataProvider& fuzzed_data_provider, const std::optional<int64_t>& min = std::nullopt, const std::optional<int64_t>& max = std::nullopt) noexcept; 143 144 template <class Dur> 145 // Having the compiler infer the template argument from the function argument 146 // is dangerous, because the desired return value generally has a different 147 // type than the function argument. So std::common_type is used to force the 148 // call site to specify the type of the return value. 149 [[nodiscard]] Dur ConsumeDuration(FuzzedDataProvider& fuzzed_data_provider, std::common_type_t<Dur> min, std::common_type_t<Dur> max) noexcept 150 { 151 return Dur{fuzzed_data_provider.ConsumeIntegralInRange(min.count(), max.count())}; 152 } 153 154 [[nodiscard]] CMutableTransaction ConsumeTransaction(FuzzedDataProvider& fuzzed_data_provider, const std::optional<std::vector<Txid>>& prevout_txids, int max_num_in = 10, int max_num_out = 10) noexcept; 155 156 [[nodiscard]] CScriptWitness ConsumeScriptWitness(FuzzedDataProvider& fuzzed_data_provider, size_t max_stack_elem_size = 32) noexcept; 157 158 [[nodiscard]] CScript ConsumeScript(FuzzedDataProvider& fuzzed_data_provider, bool maybe_p2wsh = false) noexcept; 159 160 [[nodiscard]] uint32_t ConsumeSequence(FuzzedDataProvider& fuzzed_data_provider) noexcept; 161 162 [[nodiscard]] inline CScriptNum ConsumeScriptNum(FuzzedDataProvider& fuzzed_data_provider) noexcept 163 { 164 return CScriptNum{fuzzed_data_provider.ConsumeIntegral<int64_t>()}; 165 } 166 167 [[nodiscard]] inline uint160 ConsumeUInt160(FuzzedDataProvider& fuzzed_data_provider) noexcept 168 { 169 const std::vector<uint8_t> v160 = fuzzed_data_provider.ConsumeBytes<uint8_t>(160 / 8); 170 if (v160.size() != 160 / 8) { 171 return {}; 172 } 173 return uint160{v160}; 174 } 175 176 [[nodiscard]] inline uint256 ConsumeUInt256(FuzzedDataProvider& fuzzed_data_provider) noexcept 177 { 178 const std::vector<uint8_t> v256 = fuzzed_data_provider.ConsumeBytes<uint8_t>(256 / 8); 179 if (v256.size() != 256 / 8) { 180 return {}; 181 } 182 return uint256{v256}; 183 } 184 185 [[nodiscard]] inline arith_uint256 ConsumeArithUInt256(FuzzedDataProvider& fuzzed_data_provider) noexcept 186 { 187 return UintToArith256(ConsumeUInt256(fuzzed_data_provider)); 188 } 189 190 [[nodiscard]] inline arith_uint256 ConsumeArithUInt256InRange(FuzzedDataProvider& fuzzed_data_provider, const arith_uint256& min, const arith_uint256& max) noexcept 191 { 192 assert(min <= max); 193 const arith_uint256 range = max - min; 194 const arith_uint256 value = ConsumeArithUInt256(fuzzed_data_provider); 195 arith_uint256 result = value; 196 // Avoid division by 0, in case range + 1 results in overflow. 197 if (range != ~arith_uint256(0)) { 198 const arith_uint256 quotient = value / (range + 1); 199 result = value - (quotient * (range + 1)); 200 } 201 result += min; 202 assert(result >= min && result <= max); 203 return result; 204 } 205 206 [[nodiscard]] std::map<COutPoint, Coin> ConsumeCoins(FuzzedDataProvider& fuzzed_data_provider) noexcept; 207 208 [[nodiscard]] CTxDestination ConsumeTxDestination(FuzzedDataProvider& fuzzed_data_provider) noexcept; 209 210 [[nodiscard]] CKey ConsumePrivateKey(FuzzedDataProvider& fuzzed_data_provider, std::optional<bool> compressed = std::nullopt) noexcept; 211 212 template <typename T> 213 [[nodiscard]] bool MultiplicationOverflow(const T i, const T j) noexcept 214 { 215 static_assert(std::is_integral_v<T>, "Integral required."); 216 if (std::numeric_limits<T>::is_signed) { 217 if (i > 0) { 218 if (j > 0) { 219 return i > (std::numeric_limits<T>::max() / j); 220 } else { 221 return j < (std::numeric_limits<T>::min() / i); 222 } 223 } else { 224 if (j > 0) { 225 return i < (std::numeric_limits<T>::min() / j); 226 } else { 227 return i != 0 && (j < (std::numeric_limits<T>::max() / i)); 228 } 229 } 230 } else { 231 return j != 0 && i > std::numeric_limits<T>::max() / j; 232 } 233 } 234 235 [[nodiscard]] bool ContainsSpentInput(const CTransaction& tx, const CCoinsViewCache& inputs) noexcept; 236 237 /** 238 * Sets errno to a value selected from the given std::array `errnos`. 239 */ 240 template <typename T, size_t size> 241 void SetFuzzedErrNo(FuzzedDataProvider& fuzzed_data_provider, const std::array<T, size>& errnos) 242 { 243 errno = fuzzed_data_provider.PickValueInArray(errnos); 244 } 245 246 /* 247 * Sets a fuzzed errno in the range [0, 133 (EHWPOISON)]. Can be used from functions emulating 248 * standard library functions that set errno, or in other contexts where the value of errno 249 * might be relevant for the execution path that will be taken. 250 */ 251 inline void SetFuzzedErrNo(FuzzedDataProvider& fuzzed_data_provider) noexcept 252 { 253 errno = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 133); 254 } 255 256 /** 257 * Returns a byte vector of specified size regardless of the number of remaining bytes available 258 * from the fuzzer. Pads with zero value bytes if needed to achieve the specified size. 259 */ 260 template<typename B = uint8_t> 261 [[nodiscard]] inline std::vector<B> ConsumeFixedLengthByteVector(FuzzedDataProvider& fuzzed_data_provider, const size_t length) noexcept 262 { 263 static_assert(sizeof(B) == 1); 264 auto random_bytes = fuzzed_data_provider.ConsumeBytes<B>(length); 265 random_bytes.resize(length); 266 return random_bytes; 267 } 268 269 class FuzzedFileProvider 270 { 271 FuzzedDataProvider& m_fuzzed_data_provider; 272 int64_t m_offset = 0; 273 274 public: 275 FuzzedFileProvider(FuzzedDataProvider& fuzzed_data_provider) : m_fuzzed_data_provider{fuzzed_data_provider} 276 { 277 } 278 279 FILE* open(); 280 281 static ssize_t read(void* cookie, char* buf, size_t size); 282 283 static ssize_t write(void* cookie, const char* buf, size_t size); 284 285 static int seek(void* cookie, int64_t* offset, int whence); 286 287 static int close(void* cookie); 288 }; 289 290 #define WRITE_TO_STREAM_CASE(type, consume) \ 291 [&] { \ 292 type o = consume; \ 293 stream << o; \ 294 } 295 template <typename Stream> 296 void WriteToStream(FuzzedDataProvider& fuzzed_data_provider, Stream& stream) noexcept 297 { 298 while (fuzzed_data_provider.ConsumeBool()) { 299 try { 300 CallOneOf( 301 fuzzed_data_provider, 302 WRITE_TO_STREAM_CASE(bool, fuzzed_data_provider.ConsumeBool()), 303 WRITE_TO_STREAM_CASE(int8_t, fuzzed_data_provider.ConsumeIntegral<int8_t>()), 304 WRITE_TO_STREAM_CASE(uint8_t, fuzzed_data_provider.ConsumeIntegral<uint8_t>()), 305 WRITE_TO_STREAM_CASE(int16_t, fuzzed_data_provider.ConsumeIntegral<int16_t>()), 306 WRITE_TO_STREAM_CASE(uint16_t, fuzzed_data_provider.ConsumeIntegral<uint16_t>()), 307 WRITE_TO_STREAM_CASE(int32_t, fuzzed_data_provider.ConsumeIntegral<int32_t>()), 308 WRITE_TO_STREAM_CASE(uint32_t, fuzzed_data_provider.ConsumeIntegral<uint32_t>()), 309 WRITE_TO_STREAM_CASE(int64_t, fuzzed_data_provider.ConsumeIntegral<int64_t>()), 310 WRITE_TO_STREAM_CASE(uint64_t, fuzzed_data_provider.ConsumeIntegral<uint64_t>()), 311 WRITE_TO_STREAM_CASE(std::string, fuzzed_data_provider.ConsumeRandomLengthString(32)), 312 WRITE_TO_STREAM_CASE(std::vector<uint8_t>, ConsumeRandomLengthIntegralVector<uint8_t>(fuzzed_data_provider))); 313 } catch (const std::ios_base::failure&) { 314 break; 315 } 316 } 317 } 318 319 #define READ_FROM_STREAM_CASE(type) \ 320 [&] { \ 321 type o; \ 322 stream >> o; \ 323 } 324 template <typename Stream> 325 void ReadFromStream(FuzzedDataProvider& fuzzed_data_provider, Stream& stream) noexcept 326 { 327 while (fuzzed_data_provider.ConsumeBool()) { 328 try { 329 CallOneOf( 330 fuzzed_data_provider, 331 READ_FROM_STREAM_CASE(bool), 332 READ_FROM_STREAM_CASE(int8_t), 333 READ_FROM_STREAM_CASE(uint8_t), 334 READ_FROM_STREAM_CASE(int16_t), 335 READ_FROM_STREAM_CASE(uint16_t), 336 READ_FROM_STREAM_CASE(int32_t), 337 READ_FROM_STREAM_CASE(uint32_t), 338 READ_FROM_STREAM_CASE(int64_t), 339 READ_FROM_STREAM_CASE(uint64_t), 340 READ_FROM_STREAM_CASE(std::string), 341 READ_FROM_STREAM_CASE(std::vector<uint8_t>)); 342 } catch (const std::ios_base::failure&) { 343 break; 344 } 345 } 346 } 347 348 #endif // BITCOIN_TEST_FUZZ_UTIL_H