From 3439c88a5d2d0bdcc30d949b9d400ca90b8a7d28 Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Sun, 26 Apr 2020 19:27:54 +0000
Subject: [PATCH 1/3] tests: Add fuzzing harness for CBlockPolicyEstimator

---
 src/Makefile.test.include          |  7 +++
 src/test/fuzz/policy_estimator.cpp | 69 ++++++++++++++++++++++++++++++
 src/test/fuzz/util.h               | 15 +++++++
 3 files changed, 91 insertions(+)
 create mode 100644 src/test/fuzz/policy_estimator.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index 48db60f0866..af03eee2005 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -67,6 +67,7 @@ FUZZ_TARGETS = \
   test/fuzz/parse_univalue \
   test/fuzz/partial_merkle_tree_deserialize \
   test/fuzz/partially_signed_transaction_deserialize \
+  test/fuzz/policy_estimator \
   test/fuzz/pow \
   test/fuzz/prefilled_transaction_deserialize \
   test/fuzz/prevector \
@@ -683,6 +684,12 @@ test_fuzz_partially_signed_transaction_deserialize_LDADD = $(FUZZ_SUITE_LD_COMMO
 test_fuzz_partially_signed_transaction_deserialize_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_partially_signed_transaction_deserialize_SOURCES = test/fuzz/deserialize.cpp
 
+test_fuzz_policy_estimator_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_policy_estimator_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_policy_estimator_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_policy_estimator_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_policy_estimator_SOURCES = test/fuzz/policy_estimator.cpp
+
 test_fuzz_pow_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 test_fuzz_pow_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_pow_LDADD = $(FUZZ_SUITE_LD_COMMON)
diff --git a/src/test/fuzz/policy_estimator.cpp b/src/test/fuzz/policy_estimator.cpp
new file mode 100644
index 00000000000..201f49c87b2
--- /dev/null
+++ b/src/test/fuzz/policy_estimator.cpp
@@ -0,0 +1,69 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <optional.h>
+#include <policy/fees.h>
+#include <primitives/transaction.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <txmempool.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    CBlockPolicyEstimator block_policy_estimator;
+    while (fuzzed_data_provider.ConsumeBool()) {
+        switch (fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 3)) {
+        case 0: {
+            const Optional<CMutableTransaction> mtx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+            if (!mtx) {
+                break;
+            }
+            const CTransaction tx{*mtx};
+            block_policy_estimator.processTransaction(ConsumeTxMemPoolEntry(fuzzed_data_provider, tx), fuzzed_data_provider.ConsumeBool());
+            if (fuzzed_data_provider.ConsumeBool()) {
+                (void)block_policy_estimator.removeTx(tx.GetHash(), /* inBlock */ fuzzed_data_provider.ConsumeBool());
+            }
+            break;
+        }
+        case 1: {
+            std::vector<CTxMemPoolEntry> mempool_entries;
+            while (fuzzed_data_provider.ConsumeBool()) {
+                const Optional<CMutableTransaction> mtx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+                if (!mtx) {
+                    break;
+                }
+                const CTransaction tx{*mtx};
+                mempool_entries.push_back(ConsumeTxMemPoolEntry(fuzzed_data_provider, tx));
+            }
+            std::vector<const CTxMemPoolEntry*> ptrs;
+            ptrs.reserve(mempool_entries.size());
+            for (const CTxMemPoolEntry& mempool_entry : mempool_entries) {
+                ptrs.push_back(&mempool_entry);
+            }
+            block_policy_estimator.processBlock(fuzzed_data_provider.ConsumeIntegral<unsigned int>(), ptrs);
+            break;
+        }
+        case 2: {
+            (void)block_policy_estimator.removeTx(ConsumeUInt256(fuzzed_data_provider), /* inBlock */ fuzzed_data_provider.ConsumeBool());
+            break;
+        }
+        case 3: {
+            block_policy_estimator.FlushUnconfirmed();
+            break;
+        }
+        }
+        (void)block_policy_estimator.estimateFee(fuzzed_data_provider.ConsumeIntegral<int>());
+        EstimationResult result;
+        (void)block_policy_estimator.estimateRawFee(fuzzed_data_provider.ConsumeIntegral<int>(), fuzzed_data_provider.ConsumeFloatingPoint<double>(), fuzzed_data_provider.PickValueInArray({FeeEstimateHorizon::SHORT_HALFLIFE, FeeEstimateHorizon::MED_HALFLIFE, FeeEstimateHorizon::LONG_HALFLIFE}), fuzzed_data_provider.ConsumeBool() ? &result : nullptr);
+        FeeCalculation fee_calculation;
+        (void)block_policy_estimator.estimateSmartFee(fuzzed_data_provider.ConsumeIntegral<int>(), fuzzed_data_provider.ConsumeBool() ? &fee_calculation : nullptr, fuzzed_data_provider.ConsumeBool());
+        (void)block_policy_estimator.HighestTargetTracked(fuzzed_data_provider.PickValueInArray({FeeEstimateHorizon::SHORT_HALFLIFE, FeeEstimateHorizon::MED_HALFLIFE, FeeEstimateHorizon::LONG_HALFLIFE}));
+    }
+}
diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
index 9c7b0d47a29..98fe30fcecd 100644
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -8,12 +8,15 @@
 #include <amount.h>
 #include <arith_uint256.h>
 #include <attributes.h>
+#include <consensus/consensus.h>
 #include <optional.h>
+#include <primitives/transaction.h>
 #include <script/script.h>
 #include <serialize.h>
 #include <streams.h>
 #include <test/fuzz/FuzzedDataProvider.h>
 #include <test/fuzz/fuzz.h>
+#include <txmempool.h>
 #include <uint256.h>
 #include <version.h>
 
@@ -97,6 +100,18 @@ NODISCARD inline arith_uint256 ConsumeArithUInt256(FuzzedDataProvider& fuzzed_da
     return UintToArith256(ConsumeUInt256(fuzzed_data_provider));
 }
 
+NODISCARD inline CTxMemPoolEntry ConsumeTxMemPoolEntry(FuzzedDataProvider& fuzzed_data_provider, const CTransaction& tx) noexcept
+{
+    // Avoid:
+    // policy/feerate.cpp:28:34: runtime error: signed integer overflow: 34873208148477500 * 1000 cannot be represented in type 'long'
+    const CAmount fee = ConsumeMoney(fuzzed_data_provider) / static_cast<CAmount>(100);
+    const int64_t time = fuzzed_data_provider.ConsumeIntegral<int64_t>();
+    const unsigned int entry_height = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
+    const bool spends_coinbase = fuzzed_data_provider.ConsumeBool();
+    const unsigned int sig_op_cost = fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(0, MAX_BLOCK_SIGOPS_COST);
+    return CTxMemPoolEntry{MakeTransactionRef(tx), fee, time, entry_height, spends_coinbase, sig_op_cost, {}};
+}
+
 template <typename T>
 NODISCARD bool MultiplicationOverflow(const T i, const T j) noexcept
 {

From 13c1f6b24fa5e53f100d90d36b47b7dd3bc91b9f Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Sun, 26 Apr 2020 19:29:03 +0000
Subject: [PATCH 2/3] tests: Add fuzzing harness for IsRBFOptIn(...)

---
 src/Makefile.test.include |  7 ++++++
 src/test/fuzz/rbf.cpp     | 47 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 src/test/fuzz/rbf.cpp

diff --git a/src/Makefile.test.include b/src/Makefile.test.include
index af03eee2005..1fe4df80598 100644
--- a/src/Makefile.test.include
+++ b/src/Makefile.test.include
@@ -104,6 +104,7 @@ FUZZ_TARGETS = \
   test/fuzz/psbt_output_deserialize \
   test/fuzz/pub_key_deserialize \
   test/fuzz/random \
+  test/fuzz/rbf \
   test/fuzz/rolling_bloom_filter \
   test/fuzz/script \
   test/fuzz/script_deserialize \
@@ -900,6 +901,12 @@ test_fuzz_random_LDADD = $(FUZZ_SUITE_LD_COMMON)
 test_fuzz_random_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
 test_fuzz_random_SOURCES = test/fuzz/random.cpp
 
+test_fuzz_rbf_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
+test_fuzz_rbf_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
+test_fuzz_rbf_LDADD = $(FUZZ_SUITE_LD_COMMON)
+test_fuzz_rbf_LDFLAGS = $(RELDFLAGS) $(AM_LDFLAGS) $(LIBTOOL_APP_LDFLAGS)
+test_fuzz_rbf_SOURCES = test/fuzz/rbf.cpp
+
 test_fuzz_rolling_bloom_filter_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_INCLUDES)
 test_fuzz_rolling_bloom_filter_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
 test_fuzz_rolling_bloom_filter_LDADD = $(FUZZ_SUITE_LD_COMMON)
diff --git a/src/test/fuzz/rbf.cpp b/src/test/fuzz/rbf.cpp
new file mode 100644
index 00000000000..eb54b05df97
--- /dev/null
+++ b/src/test/fuzz/rbf.cpp
@@ -0,0 +1,47 @@
+// Copyright (c) 2020 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <optional.h>
+#include <policy/rbf.h>
+#include <primitives/transaction.h>
+#include <sync.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <txmempool.h>
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+void test_one_input(const std::vector<uint8_t>& buffer)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+    Optional<CMutableTransaction> mtx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+    if (!mtx) {
+        return;
+    }
+    CTxMemPool pool;
+    while (fuzzed_data_provider.ConsumeBool()) {
+        const Optional<CMutableTransaction> another_mtx = ConsumeDeserializable<CMutableTransaction>(fuzzed_data_provider);
+        if (!another_mtx) {
+            break;
+        }
+        const CTransaction another_tx{*another_mtx};
+        if (fuzzed_data_provider.ConsumeBool() && !mtx->vin.empty()) {
+            mtx->vin[0].prevout = COutPoint{another_tx.GetHash(), 0};
+        }
+        LOCK2(cs_main, pool.cs);
+        pool.addUnchecked(ConsumeTxMemPoolEntry(fuzzed_data_provider, another_tx));
+    }
+    const CTransaction tx{*mtx};
+    if (fuzzed_data_provider.ConsumeBool()) {
+        LOCK2(cs_main, pool.cs);
+        pool.addUnchecked(ConsumeTxMemPoolEntry(fuzzed_data_provider, tx));
+    }
+    {
+        LOCK(pool.cs);
+        (void)IsRBFOptIn(tx, pool);
+    }
+}

From 2bcc2bd742392730b4f21e3d4f00438c34acac1f Mon Sep 17 00:00:00 2001
From: practicalswift <practicalswift@users.noreply.github.com>
Date: Thu, 30 Apr 2020 14:19:27 +0000
Subject: [PATCH 3/3] tests: Clarify how we avoid hitting the signed integer
 overflow in CFeeRate::GetFeePerK() when fuzzing

---
 src/test/fuzz/util.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/test/fuzz/util.h b/src/test/fuzz/util.h
index 98fe30fcecd..501bb1de5ae 100644
--- a/src/test/fuzz/util.h
+++ b/src/test/fuzz/util.h
@@ -104,7 +104,10 @@ NODISCARD inline CTxMemPoolEntry ConsumeTxMemPoolEntry(FuzzedDataProvider& fuzze
 {
     // Avoid:
     // policy/feerate.cpp:28:34: runtime error: signed integer overflow: 34873208148477500 * 1000 cannot be represented in type 'long'
-    const CAmount fee = ConsumeMoney(fuzzed_data_provider) / static_cast<CAmount>(100);
+    //
+    // Reproduce using CFeeRate(348732081484775, 10).GetFeePerK()
+    const CAmount fee = std::min<CAmount>(ConsumeMoney(fuzzed_data_provider), std::numeric_limits<CAmount>::max() / static_cast<CAmount>(100000));
+    assert(MoneyRange(fee));
     const int64_t time = fuzzed_data_provider.ConsumeIntegral<int64_t>();
     const unsigned int entry_height = fuzzed_data_provider.ConsumeIntegral<unsigned int>();
     const bool spends_coinbase = fuzzed_data_provider.ConsumeBool();