fix(fuzz): address latest review feedback

thepastaclaw · claude · thepastaclaw · commit 9df19ad17017 · 2026-05-09T01:46:24.000-05:00
- Workflow corpus replay now classifies timeout/kill exits (124/137/143)
  distinctly from generic crashes in both log and FAILED_TARGETS, and
  captures the exit code in the non-empty-corpus branch like the empty
  branch does.
- Defer src/version.h lookup in seed_corpus_from_chain.py until a stream
  version prefix is actually needed; --help no longer requires an in-tree
  checkout. Add --stream-version CLI flag and DASH_FUZZ_STREAM_VERSION
  env override.
- Correct synthetic LLMQ seeds to match C++ serialization:
  CRecoveredSig now includes msgHash; CSigSesAnn uses VARINT(sessionId)
  + llmqType + quorumHash + id + msgHash; CSigShare adds quorumMember
  and 96-byte sigShare; CDKGComplaint includes a full 96-byte BLS
  signature after both DYNBITSETs. Self-checks assert the corrected
  byte sizes.
- Replace stale TODO above the MNAUTH skip in process_message.cpp with
  a pointer to process_message_dash, which already exercises the
  Dash-aware MNAUTH setup.
- Add src/test/fuzz/util_dash.h to non-backported.txt.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/test-fuzz.yml b/.github/workflows/test-fuzz.yml
@@ -107,8 +107,7 @@ jobs:
           # Layer 3: Generate synthetic seeds for Dash-specific targets (additive only —
           # gated on external corpus being present so we never pass on synthetic-only runs).
           if [ -f "contrib/fuzz/seed_corpus_from_chain.py" ]; then
-            python3 contrib/fuzz/seed_corpus_from_chain.py --synthetic-only -o /tmp/fuzz_corpus || \
-              echo "::warning::Synthetic seed generation failed; continuing with external corpus only"
+            python3 contrib/fuzz/seed_corpus_from_chain.py --synthetic-only -o /tmp/fuzz_corpus
           fi
         shell: bash
 
@@ -152,12 +151,57 @@ jobs:
           ARTIFACT_DIR=/tmp/fuzz_artifacts
           mkdir -p "$ARTIFACT_DIR"
 
+          # Allowlist of Dash-specific fuzz targets (names beginning with "dash_") that are
+          # permitted to run as smoke-only when no corpus is present. Keep this list small
+          # and documented: every entry is a target we have explicitly decided cannot have
+          # a meaningful corpus yet (e.g. trivially-stateless harnesses). Adding a Dash
+          # target here MUST be justified in review — the default for new dash_* targets
+          # is to fail when the corpus is missing so they do not silently degrade to a
+          # 10-second smoke run that produces no signal.
+          DASH_SMOKE_ONLY_ALLOWLIST=""
+
+          is_dash_smoke_allowed() {
+            local t="$1"
+            for allowed in $DASH_SMOKE_ONLY_ALLOWLIST; do
+              [ "$t" = "$allowed" ] && return 0
+            done
+            return 1
+          }
+
           while IFS= read -r target; do
             [ -z "$target" ] && continue
             corpus_dir="/tmp/fuzz_corpus/${target}"
             artifact_prefix="${ARTIFACT_DIR}/${target}-"
 
+            # Classify a non-zero exit code from `timeout`/libFuzzer. timeout(1) reports
+            # 124 when the time budget elapsed, and 128+SIGNAL when the child was killed
+            # (137 = SIGKILL, 143 = SIGTERM). Treat those as "timeout/kill" and any other
+            # non-zero status as a generic crash. Both still fail the job.
+            classify_exit() {
+              case "$1" in
+                124|137|143) echo "timeout" ;;
+                *) echo "crash" ;;
+              esac
+            }
+
             if [ ! -d "$corpus_dir" ] || [ -z "$(ls -A "$corpus_dir" 2>/dev/null)" ]; then
+              # Dash-specific targets (names beginning "dash_") MUST have corpus inputs from
+              # either the pinned dashpay/qa-assets layer or the synthetic seeder. Falling
+              # back to a 10-second empty-corpus smoke run produces no real signal and was
+              # masking missing-corpus regressions for newly added Dash harnesses. Inherited
+              # upstream/non-Dash targets are still allowed the smoke fallback so we do not
+              # regress on bitcoin-core targets that legitimately ship without a corpus.
+              case "$target" in
+                dash_*)
+                  if ! is_dash_smoke_allowed "$target"; then
+                    echo "::error::FAIL: $target has no corpus inputs in /tmp/fuzz_corpus/${target} — Dash-specific targets must ship with corpus data (qa-assets or synthetic seeder); refusing to silently smoke-test"
+                    FAILED=$((FAILED + 1))
+                    FAILED_TARGETS="${FAILED_TARGETS}  - ${target} (missing-corpus)\n"
+                    continue
+                  fi
+                  echo "::warning::${target} is on the documented Dash smoke-only allowlist — running 10s empty-corpus check"
+                  ;;
+              esac
               # No corpus for this target — run with empty input for 10s
               # This catches basic initialization crashes
               echo "::group::${target} (empty corpus, 10s run)"
@@ -174,9 +218,10 @@ jobs:
                 PASSED=$((PASSED + 1))
               else
                 EXIT_CODE=$?
-                echo "::error::FAIL: $target exited with code $EXIT_CODE"
+                KIND=$(classify_exit "$EXIT_CODE")
+                echo "::error::FAIL: $target exited with code $EXIT_CODE (${KIND})"
                 FAILED=$((FAILED + 1))
-                FAILED_TARGETS="${FAILED_TARGETS}  - ${target} (exit code ${EXIT_CODE})\n"
+                FAILED_TARGETS="${FAILED_TARGETS}  - ${target} (${KIND}, exit code ${EXIT_CODE})\n"
               fi
               echo "::endgroup::"
               continue
@@ -192,9 +237,11 @@ jobs:
               echo "PASS: $target"
               PASSED=$((PASSED + 1))
             else
-              echo "::error::FAIL: $target"
+              EXIT_CODE=$?
+              KIND=$(classify_exit "$EXIT_CODE")
+              echo "::error::FAIL: $target exited with code $EXIT_CODE (${KIND})"
               FAILED=$((FAILED + 1))
-              FAILED_TARGETS="${FAILED_TARGETS}  - ${target}\n"
+              FAILED_TARGETS="${FAILED_TARGETS}  - ${target} (${KIND}, exit code ${EXIT_CODE})\n"
             fi
             echo "::endgroup::"
           done <<< "$TARGETS"
diff --git a/contrib/fuzz/continuous_fuzz_daemon.sh b/contrib/fuzz/continuous_fuzz_daemon.sh
@@ -85,7 +85,7 @@ if ! [[ "$TIME_PER_TARGET" =~ ^[0-9]+$ ]] || (( TIME_PER_TARGET < 1 )); then
     echo "ERROR: --time-per-target must be a positive integer, got '$TIME_PER_TARGET'" >&2
     exit 1
 fi
-if ! [[ "$RSS_LIMIT_MB" =~ ^[0-9]+$ ]]; then
+if ! [[ "$RSS_LIMIT_MB" =~ ^[0-9]+$ ]] || (( RSS_LIMIT_MB < 1 )); then
     echo "ERROR: --rss-limit must be a positive integer, got '$RSS_LIMIT_MB'" >&2
     exit 1
 fi
diff --git a/contrib/fuzz/seed_corpus_from_chain.py b/contrib/fuzz/seed_corpus_from_chain.py
@@ -19,6 +19,7 @@
 import argparse
 import hashlib
 import json
+import os
 import re
 import subprocess
 import sys
@@ -52,9 +53,9 @@ def _read_protocol_version():
     return int(match.group(1))
 
 
-# Must match src/version.h PROTOCOL_VERSION. Several fuzz harnesses read a
-# 4-byte little-endian int from the start of the buffer and use it as the
-# stream version before deserializing the object:
+# The stream version is needed by several fuzz harnesses that read a 4-byte
+# little-endian int from the start of the buffer and use it as the stream
+# version before deserializing the object:
 #   * The Dash-specific helpers DashDeserializeFromFuzzingInput /
 #     DashRoundtripFromFuzzingInput (src/test/fuzz/deserialize_dash.cpp,
 #     src/test/fuzz/roundtrip_dash.cpp), used by dash_*_deserialize and
@@ -65,10 +66,37 @@ def _read_protocol_version():
 #     via DeserializeFromFuzzingInput when no explicit protocol_version is
 #     passed.
 # Chain data we extract is serialized at PROTOCOL_VERSION, so we prepend
-# that value to seeds for those targets.
-PROTOCOL_VERSION = _read_protocol_version()
-STREAM_VERSION = PROTOCOL_VERSION
-STREAM_VERSION_PREFIX = STREAM_VERSION.to_bytes(4, byteorder="little", signed=False)
+# that value to seeds for those targets. The lookup is deferred to first use
+# so `--help` and callers that supply --stream-version / DASH_FUZZ_STREAM_VERSION
+# don't require an in-tree src/version.h.
+_STREAM_VERSION_OVERRIDE = None
+_STREAM_VERSION_CACHE = None
+
+
+def _resolve_stream_version():
+    """Return the stream version, preferring an explicit override and falling back
+    to parsing src/version.h. Cached after first successful resolution."""
+    global _STREAM_VERSION_CACHE
+    if _STREAM_VERSION_CACHE is not None:
+        return _STREAM_VERSION_CACHE
+    if _STREAM_VERSION_OVERRIDE is not None:
+        _STREAM_VERSION_CACHE = _STREAM_VERSION_OVERRIDE
+        return _STREAM_VERSION_CACHE
+    env_override = os.environ.get("DASH_FUZZ_STREAM_VERSION")
+    if env_override:
+        try:
+            _STREAM_VERSION_CACHE = int(env_override)
+        except ValueError as e:
+            raise RuntimeError(
+                f"DASH_FUZZ_STREAM_VERSION must be an integer, got {env_override!r}"
+            ) from e
+        return _STREAM_VERSION_CACHE
+    _STREAM_VERSION_CACHE = _read_protocol_version()
+    return _STREAM_VERSION_CACHE
+
+
+def _stream_version_prefix():
+    return _resolve_stream_version().to_bytes(4, byteorder="little", signed=False)
 
 # Non-Dash targets (outside the dash_* naming convention) whose harnesses
 # also consume the 4-byte stream version prefix described above.
@@ -113,7 +141,7 @@ def save_corpus_input(output_dir, target_name, data_hex):
         return False
 
     if _needs_stream_version_prefix(target_name):
-        raw_bytes = STREAM_VERSION_PREFIX + raw_bytes
+        raw_bytes = _stream_version_prefix() + raw_bytes
 
     filename = hashlib.sha256(raw_bytes).hexdigest()[:16]
     filepath = target_dir / filename
@@ -1169,21 +1197,27 @@ def create_synthetic_seeds(output_dir):
             ((1).to_bytes(2, "little") + _serialize_uint32(0) + minimal_final_commitment).hex(),
         ],
         "dash_recovered_sig_deserialize": [
-            "64" + "00" * 32 + "00" * 32 + "00" * 96,  # llmqType + quorumHash + id + sig
+            # CRecoveredSig: llmqType (uint8) + quorumHash (32) + id (32) + msgHash (32) + sig (96)
+            "64" + "00" * 32 + "00" * 32 + "00" * 32 + "00" * 96,
         ],
         "dash_sig_ses_ann_deserialize": [
-            "64" + "00" * 32 + "00000000" + "00" * 32,  # llmqType + quorumHash + nSessionId + id
+            # CSigSesAnn: VARINT(sessionId=0) + llmqType (uint8) + quorumHash (32) + id (32) + msgHash (32)
+            "00" + "64" + "00" * 32 + "00" * 32 + "00" * 32,
         ],
         "dash_sig_share_deserialize": [
-            "64" + "00" * 32 + "00000000" + "00" * 32 + "0000" + "00" * 96,
+            # CSigShare: llmqType (uint8) + quorumHash (32) + quorumMember (uint16 LE)
+            #          + id (32) + msgHash (32) + sigShare (96, BLS lazy)
+            "64" + "00" * 32 + "0000" + "00" * 32 + "00" * 32 + "00" * 96,
         ],
         # MNAuth
         "dash_mnauth_deserialize": [
             "00" * 32 + "00" * 32 + "00" * 96,  # proRegTxHash + signChallenge + sig
         ],
         # DKG messages
         "dash_dkg_complaint_deserialize": [
-            "64" + "00" * 32 + "00" * 32 + "0000" + "00",  # minimal
+            # CDKGComplaint: llmqType + quorumHash + proTxHash + DYNBITSET(badMembers)
+            #              + DYNBITSET(complainForMembers) + sig (96 bytes)
+            "64" + "00" * 32 + "00" * 32 + "00" + "00" + "00" * 96,
         ],
         "dash_dkg_justification_deserialize": [
             # llmqType (uint8) + quorumHash (32) + proTxHash (32) +
@@ -1283,17 +1317,57 @@ def _run_helper_self_checks():
             "dash_bls_ies_multi_recipient_blobs_roundtrip",
             "dash_coinjoin_entry_deserialize",
             "dash_coinjoin_entry_roundtrip",
+            "dash_dkg_complaint_deserialize",
+            "dash_dkg_complaint_roundtrip",
             "dash_dkg_justification_deserialize",
             "dash_dkg_justification_roundtrip",
             "dash_sig_shares_inv_deserialize",
             "dash_sig_shares_inv_roundtrip",
             "dash_batched_sig_shares_deserialize",
             "dash_batched_sig_shares_roundtrip",
+            "dash_recovered_sig_deserialize",
+            "dash_recovered_sig_roundtrip",
+            "dash_sig_ses_ann_deserialize",
+            "dash_sig_ses_ann_roundtrip",
+            "dash_sig_share_deserialize",
+            "dash_sig_share_roundtrip",
+            "dash_mnauth_deserialize",
+            "dash_mnauth_roundtrip",
             "dash_mnhf_tx_deserialize",
         ]
         missing = [target for target in required_targets if not any((tmp_path / target).iterdir())]
         assert not missing, f"missing synthetic seeds for: {', '.join(missing)}"
 
+        # Assert the LLMQ seed sizes match the C++ serialization layouts so the
+        # synthetic seeds aren't silently truncated again (regression guard).
+        def _seed_bytes(target):
+            files = list((tmp_path / target).iterdir())
+            assert len(files) == 1, f"{target}: expected one synthetic seed, got {len(files)}"
+            return files[0].read_bytes()
+
+        # The Dash deserialize/roundtrip wrappers prepend a 4-byte stream version.
+        prefix = len(_stream_version_prefix())
+        # CRecoveredSig: 1 + 32 + 32 + 32 + 96 = 193
+        assert len(_seed_bytes("dash_recovered_sig_deserialize")) == prefix + 193
+        # CSigSesAnn (VARINT(0)=1 byte): 1 + 1 + 32 + 32 + 32 = 98
+        assert len(_seed_bytes("dash_sig_ses_ann_deserialize")) == prefix + 98
+        # CSigShare: 1 + 32 + 2 + 32 + 32 + 96 = 195
+        assert len(_seed_bytes("dash_sig_share_deserialize")) == prefix + 195
+        # CDKGComplaint with empty bitsets: 1 + 32 + 32 + 1 + 1 + 96 = 163
+        assert len(_seed_bytes("dash_dkg_complaint_deserialize")) == prefix + 163
+
+    # --stream-version override path: setting the override must not require
+    # src/version.h, and _stream_version_prefix must round-trip the value.
+    global _STREAM_VERSION_OVERRIDE, _STREAM_VERSION_CACHE
+    saved_override, saved_cache = _STREAM_VERSION_OVERRIDE, _STREAM_VERSION_CACHE
+    try:
+        _STREAM_VERSION_OVERRIDE = 0x12345678
+        _STREAM_VERSION_CACHE = None
+        assert _stream_version_prefix() == b"\x78\x56\x34\x12"
+    finally:
+        _STREAM_VERSION_OVERRIDE = saved_override
+        _STREAM_VERSION_CACHE = saved_cache
+
 
 def main():
     parser = argparse.ArgumentParser(
@@ -1317,8 +1391,22 @@ def main():
         action="store_true",
         help="Only generate synthetic seeds (no RPC required)"
     )
+    parser.add_argument(
+        "--stream-version",
+        type=int,
+        default=None,
+        help=(
+            "Stream version (4-byte LE prefix) to use for harnesses that consume one. "
+            "Overrides DASH_FUZZ_STREAM_VERSION and the src/version.h fallback. "
+            "Useful when running outside an in-tree source checkout."
+        ),
+    )
     args = parser.parse_args()
 
+    if args.stream_version is not None:
+        global _STREAM_VERSION_OVERRIDE
+        _STREAM_VERSION_OVERRIDE = args.stream_version
+
     output_dir = Path(args.output_dir)
     output_dir.mkdir(parents=True, exist_ok=True)
 
diff --git a/src/test/fuzz/process_message.cpp b/src/test/fuzz/process_message.cpp
@@ -63,9 +63,10 @@ FUZZ_TARGET(process_message, .init = initialize_process_message)
     if (!LIMIT_TO_MESSAGE_TYPE.empty() && random_message_type != LIMIT_TO_MESSAGE_TYPE) {
         return;
     }
-    // Skip Dash message types that require subsystem initialization not present in the fuzz harness.
-    // TODO: initialize the masternode/LLMQ contexts here (see process_message_dash.cpp) and remove
-    // this list so these handlers get real coverage.
+    // Skip Dash message types that require subsystem initialization not present in
+    // this upstream-style harness. MNAUTH coverage is provided by the Dash-aware
+    // `process_message_dash` harness (src/test/fuzz/process_message_dash.cpp), which
+    // sets up the masternode/LLMQ contexts the handler depends on.
     static constexpr std::array<std::string_view, 1> skip_message_types{"mnauth"};
     if (std::find(skip_message_types.begin(), skip_message_types.end(), random_message_type) != skip_message_types.end()) {
         return;
diff --git a/test/util/data/non-backported.txt b/test/util/data/non-backported.txt
@@ -70,6 +70,7 @@ src/test/fuzz/process_message_dash.cpp
 src/test/fuzz/roundtrip_dash.cpp
 src/test/fuzz/simplified_mn_list_diff.cpp
 src/test/fuzz/special_tx_validation.cpp
+src/test/fuzz/util_dash.h
 src/test/llmq*.cpp
 src/test/util/llmq_tests.h
 src/test/governance*.cpp
