Change Details

``` Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing of the P2P layer. All code paths reachable from this fuzzer can be assumed to be reachable for an untrusted peer. Seeded from thin air (an empty corpus) this fuzzer reaches roughly 20 000 lines of code. To test this PR: $ make distclean $ ./autogen.sh $ CC=clang CXX=clang++ ./configure --enable-fuzz \ --with-sanitizers=address,fuzzer,undefined $ make $ src/test/fuzz/process_message … Worth noting about this fuzzing harness: To achieve a reasonable number of executions per seconds the state of the fuzzer is unfortunately not entirely reset between test_one_input calls. The set-up (FuzzingSetup ctor) and tear-down (~FuzzingSetup) work is simply too costly to be run on every iteration. There is a trade-off to handle here between a.) achieving high executions/second and b.) giving the fuzzer a totally blank slate for each call. Please let me know if you have any suggestion on how to improve this situation while maintaining >1000 executions/second. To achieve optimal results when using coverage-guided fuzzing I've chosen to create one specialised fuzzing binary per message type (process_message_addr, process_message_block, process_message_blocktxn , etc.) and one general fuzzing binary (process_message) which handles all messages types. The latter general fuzzer can be seeded with inputs generated by the former specialised fuzzers. Happy fuzzing friends! ``` Backport od core PR17989. Depends on D8004 (test plan only, fixes a fuzz fixture issue).

``` Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing of the P2P layer. All code paths reachable from this fuzzer can be assumed to be reachable for an untrusted peer. Seeded from thin air (an empty corpus) this fuzzer reaches roughly 20 000 lines of code. To test this PR: $ make distclean $ ./autogen.sh $ CC=clang CXX=clang++ ./configure --enable-fuzz \ --with-sanitizers=address,fuzzer,undefined $ make $ src/test/fuzz/process_message … Worth noting about this fuzzing harness: To achieve a reasonable number of executions per seconds the state of the fuzzer is unfortunately not entirely reset between test_one_input calls. The set-up (FuzzingSetup ctor) and tear-down (~FuzzingSetup) work is simply too costly to be run on every iteration. There is a trade-off to handle here between a.) achieving high executions/second and b.) giving the fuzzer a totally blank slate for each call. Please let me know if you have any suggestion on how to improve this situation while maintaining >1000 executions/second. To achieve optimal results when using coverage-guided fuzzing I've chosen to create one specialised fuzzing binary per message type (process_message_addr, process_message_block, process_message_blocktxn , etc.) and one general fuzzing binary (process_message) which handles all messages types. The latter general fuzzer can be seeded with inputs generated by the former specialised fuzzers. Happy fuzzing friends! ``` Backport od core [[https://github.com/bitcoin/bitcoin/pull/17989 | PR17989]]. Depends on D8004 (test plan only, fixes a fuzz fixture issue).

``` Add fuzzing harness for ProcessMessage(...). Enables high-level fuzzing of the P2P layer. All code paths reachable from this fuzzer can be assumed to be reachable for an untrusted peer. Seeded from thin air (an empty corpus) this fuzzer reaches roughly 20 000 lines of code. To test this PR: $ make distclean $ ./autogen.sh $ CC=clang CXX=clang++ ./configure --enable-fuzz \ --with-sanitizers=address,fuzzer,undefined $ make $ src/test/fuzz/process_message … Worth noting about this fuzzing harness: To achieve a reasonable number of executions per seconds the state of the fuzzer is unfortunately not entirely reset between test_one_input calls. The set-up (FuzzingSetup ctor) and tear-down (~FuzzingSetup) work is simply too costly to be run on every iteration. There is a trade-off to handle here between a.) achieving high executions/second and b.) giving the fuzzer a totally blank slate for each call. Please let me know if you have any suggestion on how to improve this situation while maintaining >1000 executions/second. To achieve optimal results when using coverage-guided fuzzing I've chosen to create one specialised fuzzing binary per message type (process_message_addr, process_message_block, process_message_blocktxn , etc.) and one general fuzzing binary (process_message) which handles all messages types. The latter general fuzzer can be seeded with inputs generated by the former specialised fuzzers. Happy fuzzing friends! ``` Backport od core [[https://github.com/bitcoin/bitcoin/pull/17989 | PR17989]]. Depends on D8004 (test plan only, fixes a fuzz fixture issue).