fuzz: bound some miniscript operations to avoid fuzz timeouts #30197
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code CoverageFor detailed information about the code coverage, see the test coverage report. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. |
|
🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the Possibly this is due to a silent merge conflict (the changes in this pull request being Leave a comment here, if you need help tracking down a confusing failure. |
src/test/fuzz/util/descriptor.cpp
Outdated
| { | ||
| auto count{0}; | ||
| // We iterate in reverse order to start counting when we encounter a colon. | ||
| for (const auto& ch: buff | std::views::reverse) { |
There was a problem hiding this comment.
This isn't available yet. You'll have to use a reverse iterator manually for now.
7ff2652 to
980fc9f
Compare
|
#30229 was merged if you want to rebase |
980fc9f to
178a1da
Compare
|
Rebased on master to take advantage of #30229. |
There was a problem hiding this comment.
Light ACK 178a1da
Code LGTM and approach seems reasonable, but there may be fuzzing and miniscript nuances I'm not considering.
178a1da to
63f62b5
Compare
|
Thank you both for the review. I addressed your comments and heavily documented the code. I think it can be helpful as it indeed relies on being familiar with the descriptor/miniscript syntax. If only to make the assumptions in the counting logic explicit, or for when we'll all have forgotten about the details of this syntax. I also modified two small things:
|
There was a problem hiding this comment.
Changes look good, thanks for adding more documentation. Nits can be ignored but I think HasTooManySubFrag needs some fixes wrt return statement and type narrowing before ACK.
This target may call into logic quadratic over the number of sub-fragments. Limit the number of sub-fragments to keep the runtime reasonable. Thanks to Marco Falke for reporting the fuzz timeouts with a minimized input.
The script building logic performs a quadratic number of copies in the number of nested wrappers in the miniscript. Limit the number of nested wrappers to avoid fuzz timeouts. Thanks to Marco Falke for reporting the fuzz timeouts and providing a minimal input to reproduce.
63f62b5 to
bc34bc2
Compare
There was a problem hiding this comment.
Light ACK bc34bc2
Code LGTM and approach seems reasonable, but there may be fuzzing and miniscript nuances I'm not considering.
|
Should the check be applied to miniscript_string, for example the |
|
Yes, makes sense. |
Some of the logic in the miniscript module is quadratic. It only becomes an issue for very large uninteresting descriptors (like a
threshwith 130k sub-fragments or a fragment with more than 60k nestedj:wrappers).This PR fixes the two types of fuzz timeouts reported by Marco in #28812 by trying to pinpoint the problematic descriptors through a simple analysis of the string, without limiting the size of the string itself. This is the same approach as was adopted for limiting the depth of derivation paths.