bitcoin/src/test/fuzz/script.cpp

// Copyright (c) 2019-2020 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <chainparams.h>
#include <compressor.h>
#include <core_io.h>
#include <core_memusage.h>
#include <policy/policy.h>
#include <pubkey.h>
#include <script/descriptor.h>
#include <script/interpreter.h>
#include <script/script.h>
#include <script/script_error.h>
#include <script/sign.h>
#include <script/signingprovider.h>
#include <script/standard.h>
#include <streams.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
#include <univalue.h>
#include <util/memory.h>

#include <algorithm>
#include <cassert>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

void initialize_script()
{
    // Fuzzers using pubkey must hold an ECCVerifyHandle.
    static const ECCVerifyHandle verify_handle;

    SelectParams(CBaseChainParams::REGTEST);
}

FUZZ_TARGET_INIT(script, initialize_script)
{
    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
    const std::optional<CScript> script_opt = ConsumeDeserializable<CScript>(fuzzed_data_provider);
    if (!script_opt) return;
    const CScript script{*script_opt};

    std::vector<unsigned char> compressed;
    if (CompressScript(script, compressed)) {
        const unsigned int size = compressed[0];
        compressed.erase(compressed.begin());
        assert(size <= 5);
        CScript decompressed_script;
        const bool ok = DecompressScript(decompressed_script, size, compressed);
        assert(ok);
        assert(script == decompressed_script);
    }

    CTxDestination address;
    (void)ExtractDestination(script, address);

    TxoutType type_ret;
    std::vector<CTxDestination> addresses;
    int required_ret;
    (void)ExtractDestinations(script, type_ret, addresses, required_ret);

    const FlatSigningProvider signing_provider;
    (void)InferDescriptor(script, signing_provider);

    (void)IsSegWitOutput(signing_provider, script);

    (void)IsSolvable(signing_provider, script);

    TxoutType which_type;
    bool is_standard_ret = IsStandard(script, which_type);
    if (!is_standard_ret) {
        assert(which_type == TxoutType::NONSTANDARD ||
               which_type == TxoutType::NULL_DATA ||
               which_type == TxoutType::MULTISIG);
    }
    if (which_type == TxoutType::NONSTANDARD) {
        assert(!is_standard_ret);
    }
    if (which_type == TxoutType::NULL_DATA) {
        assert(script.IsUnspendable());
    }
    if (script.IsUnspendable()) {
        assert(which_type == TxoutType::NULL_DATA ||
               which_type == TxoutType::NONSTANDARD);
    }

    (void)RecursiveDynamicUsage(script);

    std::vector<std::vector<unsigned char>> solutions;
    (void)Solver(script, solutions);

    (void)script.HasValidOps();
    (void)script.IsPayToScriptHash();
    (void)script.IsPayToWitnessScriptHash();
    (void)script.IsPushOnly();
    (void)script.GetSigOpCount(/* fAccurate= */ false);

    (void)FormatScript(script);
    (void)ScriptToAsmStr(script, false);
    (void)ScriptToAsmStr(script, true);

    UniValue o1(UniValue::VOBJ);
    ScriptPubKeyToUniv(script, o1, true);
    UniValue o2(UniValue::VOBJ);
    ScriptPubKeyToUniv(script, o2, false);
    UniValue o3(UniValue::VOBJ);
    ScriptToUniv(script, o3, true);
    UniValue o4(UniValue::VOBJ);
    ScriptToUniv(script, o4, false);

    {
        const std::vector<uint8_t> bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);
        // DecompressScript(..., ..., bytes) is not guaranteed to be defined if the bytes vector is too short
        if (bytes.size() >= 32) {
            CScript decompressed_script;
            DecompressScript(decompressed_script, fuzzed_data_provider.ConsumeIntegral<unsigned int>(), bytes);
        }
    }

    const std::optional<CScript> other_script = ConsumeDeserializable<CScript>(fuzzed_data_provider);
    if (other_script) {
        {
            CScript script_mut{script};
            (void)FindAndDelete(script_mut, *other_script);
        }
        const std::vector<std::string> random_string_vector = ConsumeRandomLengthStringVector(fuzzed_data_provider);
        const uint32_t u32{fuzzed_data_provider.ConsumeIntegral<uint32_t>()};
        const uint32_t flags{u32 | SCRIPT_VERIFY_P2SH};
        {
            CScriptWitness wit;
            for (const auto& s : random_string_vector) {
                wit.stack.emplace_back(s.begin(), s.end());
            }
            (void)CountWitnessSigOps(script, *other_script, &wit, flags);
            wit.SetNull();
        }
    }

    (void)GetOpName(ConsumeOpcodeType(fuzzed_data_provider));
    (void)ScriptErrorString(static_cast<ScriptError>(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, SCRIPT_ERR_ERROR_COUNT)));

    {
        const std::vector<uint8_t> bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);
        CScript append_script{bytes.begin(), bytes.end()};
        append_script << fuzzed_data_provider.ConsumeIntegral<int64_t>();
        append_script << ConsumeOpcodeType(fuzzed_data_provider);
        append_script << CScriptNum{fuzzed_data_provider.ConsumeIntegral<int64_t>()};
        append_script << ConsumeRandomLengthByteVector(fuzzed_data_provider);
    }

    {
        WitnessUnknown witness_unknown_1{};
        witness_unknown_1.version = fuzzed_data_provider.ConsumeIntegral<int>();
        const std::vector<uint8_t> witness_unknown_program_1 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
        witness_unknown_1.length = witness_unknown_program_1.size();
        std::copy(witness_unknown_program_1.begin(), witness_unknown_program_1.end(), witness_unknown_1.program);

        WitnessUnknown witness_unknown_2{};
        witness_unknown_2.version = fuzzed_data_provider.ConsumeIntegral<int>();
        const std::vector<uint8_t> witness_unknown_program_2 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);
        witness_unknown_2.length = witness_unknown_program_2.size();
        std::copy(witness_unknown_program_2.begin(), witness_unknown_program_2.end(), witness_unknown_2.program);

        (void)(witness_unknown_1 == witness_unknown_2);
        (void)(witness_unknown_1 < witness_unknown_2);
    }

    {
        const CTxDestination tx_destination_1 = ConsumeTxDestination(fuzzed_data_provider);
        const CTxDestination tx_destination_2 = ConsumeTxDestination(fuzzed_data_provider);
        (void)(tx_destination_1 == tx_destination_2);
        (void)(tx_destination_1 < tx_destination_2);
    }
}
scripted-diff: Bump copyright headers -BEGIN VERIFY SCRIPT- ./contrib/devtools/copyright_header.py update ./ -END VERIFY SCRIPT- 2020-04-16 13:14:08 -04:00			`// Copyright (c) 2019-2020 The Bitcoin Core developers`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`// Distributed under the MIT software license, see the accompanying`
			`// file COPYING or http://www.opensource.org/licenses/mit-license.php.`

			`#include <chainparams.h>`
			`#include <compressor.h>`
			`#include <core_io.h>`
			`#include <core_memusage.h>`
			`#include <policy/policy.h>`
			`#include <pubkey.h>`
			`#include <script/descriptor.h>`
fuzz: Extend script fuzz test 2020-04-03 14:32:39 -03:00			`#include <script/interpreter.h>`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`#include <script/script.h>`
tests: Fill fuzzing coverage gaps for functions in script/script.h, script/script_error.h and script/standard.h 2020-05-16 14:15:13 -04:00			`#include <script/script_error.h>`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`#include <script/sign.h>`
			`#include <script/signingprovider.h>`
			`#include <script/standard.h>`
			`#include <streams.h>`
tests: Increase fuzzing coverage of DecompressScript(...) 2020-03-10 08:58:30 -03:00			`#include <test/fuzz/FuzzedDataProvider.h>`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`#include <test/fuzz/fuzz.h>`
tests: Increase fuzzing coverage of DecompressScript(...) 2020-03-10 08:58:30 -03:00			`#include <test/fuzz/util.h>`
tests: Fuzz additional functions in the script fuzzing harness 2020-01-15 20:37:27 -03:00			`#include <univalue.h>`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`#include <util/memory.h>`

tests: Fill fuzzing coverage gaps for functions in script/script.h, script/script_error.h and script/standard.h 2020-05-16 14:15:13 -04:00			`#include <algorithm>`
			`#include <cassert>`
Switch from Optional<T> to std::optional<T> (C++17). Run clang-format. 2020-05-10 14:35:55 -04:00			`#include <cstdint>`
			`#include <optional>`
			`#include <string>`
			`#include <vector>`

fuzz: Link all targets once 2020-12-03 12:42:49 -03:00			`void initialize_script()`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`{`
			`// Fuzzers using pubkey must hold an ECCVerifyHandle.`
tests: Simplify code by removing unwarranted use of unique_ptr:s 2020-03-10 09:55:41 -03:00			`static const ECCVerifyHandle verify_handle;`
tests: Fuzz additional functions in the script fuzzing harness 2020-01-15 20:37:27 -03:00
			`SelectParams(CBaseChainParams::REGTEST);`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`}`

fuzz: Link all targets once 2020-12-03 12:42:49 -03:00			`FUZZ_TARGET_INIT(script, initialize_script)`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`{`
fuzz: Extend script fuzz test 2020-04-03 14:32:39 -03:00			`FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());`
Switch from Optional<T> to std::optional<T> (C++17). Run clang-format. 2020-05-10 14:35:55 -04:00			`const std::optional<CScript> script_opt = ConsumeDeserializable<CScript>(fuzzed_data_provider);`
fuzz: Extend script fuzz test 2020-04-03 14:32:39 -03:00			`if (!script_opt) return;`
			`const CScript script{*script_opt};`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00
			`std::vector<unsigned char> compressed;`
tests: Fuzz additional functions in the script fuzzing harness 2020-01-15 20:37:27 -03:00			`if (CompressScript(script, compressed)) {`
			`const unsigned int size = compressed[0];`
fuzz: Add assert(script == decompressed_script) 2020-03-07 19:03:47 -03:00			`compressed.erase(compressed.begin());`
fuzz: add missing overrides to signature_checker and also - add missing parentheses in fuzz/scriptnum_ops.cpp - remove useless unsigned int conditional in fuzz/script.cpp These changes fix 5 compile warnings in gcc 10. 2020-07-18 14:27:56 -04:00			`assert(size <= 5);`
tests: Fuzz additional functions in the script fuzzing harness 2020-01-15 20:37:27 -03:00			`CScript decompressed_script;`
			`const bool ok = DecompressScript(decompressed_script, size, compressed);`
			`assert(ok);`
fuzz: Add assert(script == decompressed_script) 2020-03-07 19:03:47 -03:00			`assert(script == decompressed_script);`
tests: Fuzz additional functions in the script fuzzing harness 2020-01-15 20:37:27 -03:00			`}`

tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`CTxDestination address;`
			`(void)ExtractDestination(script, address);`

scripted-diff: TxoutType C++11 scoped enum class -BEGIN VERIFY SCRIPT- # General rename helper: $1 -> $2 rename_global() { sed -i "s/\<$1\>/$2/g" $(git grep -l "$1"); } # Helper to rename TxoutType $1 rename_value() { sed -i "s/ TX_$1,/ $1,/g" src/script/standard.h; # First strip the prefix in the definition (header) rename_global TX_$1 "TxoutType::$1"; # Then replace globally } # Change the type globally to bring it in line with the style-guide # (clsses are UpperCamelCase) rename_global 'enum txnouttype' 'enum class TxoutType' rename_global 'txnouttype' 'TxoutType' # Now rename each enum value rename_value 'NONSTANDARD' rename_value 'PUBKEY' rename_value 'PUBKEYHASH' rename_value 'SCRIPTHASH' rename_value 'MULTISIG' rename_value 'NULL_DATA' rename_value 'WITNESS_V0_KEYHASH' rename_value 'WITNESS_V0_SCRIPTHASH' rename_value 'WITNESS_UNKNOWN' -END VERIFY SCRIPT- 2020-05-30 09:16:05 -04:00			`TxoutType type_ret;`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`std::vector<CTxDestination> addresses;`
			`int required_ret;`
			`(void)ExtractDestinations(script, type_ret, addresses, required_ret);`

			`const FlatSigningProvider signing_provider;`
			`(void)InferDescriptor(script, signing_provider);`

			`(void)IsSegWitOutput(signing_provider, script);`

			`(void)IsSolvable(signing_provider, script);`

scripted-diff: TxoutType C++11 scoped enum class -BEGIN VERIFY SCRIPT- # General rename helper: $1 -> $2 rename_global() { sed -i "s/\<$1\>/$2/g" $(git grep -l "$1"); } # Helper to rename TxoutType $1 rename_value() { sed -i "s/ TX_$1,/ $1,/g" src/script/standard.h; # First strip the prefix in the definition (header) rename_global TX_$1 "TxoutType::$1"; # Then replace globally } # Change the type globally to bring it in line with the style-guide # (clsses are UpperCamelCase) rename_global 'enum txnouttype' 'enum class TxoutType' rename_global 'txnouttype' 'TxoutType' # Now rename each enum value rename_value 'NONSTANDARD' rename_value 'PUBKEY' rename_value 'PUBKEYHASH' rename_value 'SCRIPTHASH' rename_value 'MULTISIG' rename_value 'NULL_DATA' rename_value 'WITNESS_V0_KEYHASH' rename_value 'WITNESS_V0_SCRIPTHASH' rename_value 'WITNESS_UNKNOWN' -END VERIFY SCRIPT- 2020-05-30 09:16:05 -04:00			`TxoutType which_type;`
fuzz: check that certain script TxoutType are nonstandard 2020-12-24 16:48:30 -03:00			`bool is_standard_ret = IsStandard(script, which_type);`
			`if (!is_standard_ret) {`
			`assert(which_type == TxoutType::NONSTANDARD \|\|`
			`which_type == TxoutType::NULL_DATA \|\|`
			`which_type == TxoutType::MULTISIG);`
			`}`
			`if (which_type == TxoutType::NONSTANDARD) {`
			`assert(!is_standard_ret);`
			`}`
fuzz: Check that NULL_DATA is unspendable 2020-12-24 10:16:46 -03:00			`if (which_type == TxoutType::NULL_DATA) {`
			`assert(script.IsUnspendable());`
			`}`
			`if (script.IsUnspendable()) {`
			`assert(which_type == TxoutType::NULL_DATA \|\|`
			`which_type == TxoutType::NONSTANDARD);`
			`}`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00
			`(void)RecursiveDynamicUsage(script);`

			`std::vector<std::vector<unsigned char>> solutions;`
			`(void)Solver(script, solutions);`

			`(void)script.HasValidOps();`
			`(void)script.IsPayToScriptHash();`
			`(void)script.IsPayToWitnessScriptHash();`
			`(void)script.IsPushOnly();`
			`(void)script.GetSigOpCount(/* fAccurate= */ false);`
tests: Fuzz additional functions in the script fuzzing harness 2020-01-15 20:37:27 -03:00
			`(void)FormatScript(script);`
			`(void)ScriptToAsmStr(script, false);`
			`(void)ScriptToAsmStr(script, true);`

			`UniValue o1(UniValue::VOBJ);`
			`ScriptPubKeyToUniv(script, o1, true);`
			`UniValue o2(UniValue::VOBJ);`
			`ScriptPubKeyToUniv(script, o2, false);`
			`UniValue o3(UniValue::VOBJ);`
			`ScriptToUniv(script, o3, true);`
			`UniValue o4(UniValue::VOBJ);`
			`ScriptToUniv(script, o4, false);`
tests: Increase fuzzing coverage of DecompressScript(...) 2020-03-10 08:58:30 -03:00
			`{`
			`const std::vector<uint8_t> bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);`
fuzz: Extend script fuzz test 2020-04-03 14:32:39 -03:00			`// DecompressScript(..., ..., bytes) is not guaranteed to be defined if the bytes vector is too short`
			`if (bytes.size() >= 32) {`
tests: Increase fuzzing coverage of DecompressScript(...) 2020-03-10 08:58:30 -03:00			`CScript decompressed_script;`
			`DecompressScript(decompressed_script, fuzzed_data_provider.ConsumeIntegral<unsigned int>(), bytes);`
			`}`
			`}`
fuzz: Extend script fuzz test 2020-04-03 14:32:39 -03:00
Switch from Optional<T> to std::optional<T> (C++17). Run clang-format. 2020-05-10 14:35:55 -04:00			`const std::optional<CScript> other_script = ConsumeDeserializable<CScript>(fuzzed_data_provider);`
fuzz: Extend script fuzz test 2020-04-03 14:32:39 -03:00			`if (other_script) {`
			`{`
			`CScript script_mut{script};`
			`(void)FindAndDelete(script_mut, *other_script);`
			`}`
			`const std::vector<std::string> random_string_vector = ConsumeRandomLengthStringVector(fuzzed_data_provider);`
			`const uint32_t u32{fuzzed_data_provider.ConsumeIntegral<uint32_t>()};`
			`const uint32_t flags{u32 \| SCRIPT_VERIFY_P2SH};`
			`{`
			`CScriptWitness wit;`
			`for (const auto& s : random_string_vector) {`
			`wit.stack.emplace_back(s.begin(), s.end());`
			`}`
			`(void)CountWitnessSigOps(script, *other_script, &wit, flags);`
			`wit.SetNull();`
			`}`
			`}`
tests: Fill fuzzing coverage gaps for functions in script/script.h, script/script_error.h and script/standard.h 2020-05-16 14:15:13 -04:00
			`(void)GetOpName(ConsumeOpcodeType(fuzzed_data_provider));`
			`(void)ScriptErrorString(static_cast<ScriptError>(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, SCRIPT_ERR_ERROR_COUNT)));`

			`{`
			`const std::vector<uint8_t> bytes = ConsumeRandomLengthByteVector(fuzzed_data_provider);`
			`CScript append_script{bytes.begin(), bytes.end()};`
			`append_script << fuzzed_data_provider.ConsumeIntegral<int64_t>();`
			`append_script << ConsumeOpcodeType(fuzzed_data_provider);`
			`append_script << CScriptNum{fuzzed_data_provider.ConsumeIntegral<int64_t>()};`
			`append_script << ConsumeRandomLengthByteVector(fuzzed_data_provider);`
			`}`

			`{`
			`WitnessUnknown witness_unknown_1{};`
			`witness_unknown_1.version = fuzzed_data_provider.ConsumeIntegral<int>();`
			`const std::vector<uint8_t> witness_unknown_program_1 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);`
			`witness_unknown_1.length = witness_unknown_program_1.size();`
			`std::copy(witness_unknown_program_1.begin(), witness_unknown_program_1.end(), witness_unknown_1.program);`

			`WitnessUnknown witness_unknown_2{};`
			`witness_unknown_2.version = fuzzed_data_provider.ConsumeIntegral<int>();`
			`const std::vector<uint8_t> witness_unknown_program_2 = fuzzed_data_provider.ConsumeBytes<uint8_t>(40);`
			`witness_unknown_2.length = witness_unknown_program_2.size();`
			`std::copy(witness_unknown_program_2.begin(), witness_unknown_program_2.end(), witness_unknown_2.program);`

			`(void)(witness_unknown_1 == witness_unknown_2);`
			`(void)(witness_unknown_1 < witness_unknown_2);`
			`}`

			`{`
			`const CTxDestination tx_destination_1 = ConsumeTxDestination(fuzzed_data_provider);`
			`const CTxDestination tx_destination_2 = ConsumeTxDestination(fuzzed_data_provider);`
			`(void)(tx_destination_1 == tx_destination_2);`
			`(void)(tx_destination_1 < tx_destination_2);`
			`}`
tests: Add fuzzing harness for various CScript related functions 2019-10-08 11:36:57 -03:00			`}`