Line data Source code
1 : // Copyright (c) 2021-2022 The Bitcoin Core developers
2 : // Distributed under the MIT software license, see the accompanying
3 : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 :
5 : #include <consensus/validation.h>
6 : #include <node/context.h>
7 : #include <node/mempool_args.h>
8 : #include <node/miner.h>
9 : #include <test/fuzz/FuzzedDataProvider.h>
10 : #include <test/fuzz/fuzz.h>
11 2 : #include <test/fuzz/util.h>
12 2 : #include <test/fuzz/util/mempool.h>
13 2 : #include <test/util/mining.h>
14 2 : #include <test/util/script.h>
15 2 : #include <test/util/setup_common.h>
16 : #include <test/util/txmempool.h>
17 2 : #include <util/rbf.h>
18 2 : #include <validation.h>
19 : #include <validationinterface.h>
20 :
21 : using node::BlockAssembler;
22 : using node::NodeContext;
23 :
24 : namespace {
25 :
26 : const TestingSetup* g_setup;
27 2 : std::vector<COutPoint> g_outpoints_coinbase_init_mature;
28 2 : std::vector<COutPoint> g_outpoints_coinbase_init_immature;
29 :
30 : struct MockedTxPool : public CTxMemPool {
31 0 : void RollingFeeUpdate() EXCLUSIVE_LOCKS_REQUIRED(!cs)
32 : {
33 0 : LOCK(cs);
34 0 : lastRollingFeeUpdate = GetTime();
35 0 : blockSinceLastRollingFeeBump = true;
36 0 : }
37 : };
38 :
39 0 : void initialize_tx_pool()
40 : {
41 0 : static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>();
42 0 : g_setup = testing_setup.get();
43 :
44 0 : for (int i = 0; i < 2 * COINBASE_MATURITY; ++i) {
45 0 : COutPoint prevout{MineBlock(g_setup->m_node, P2WSH_OP_TRUE)};
46 : // Remember the txids to avoid expensive disk access later on
47 0 : auto& outpoints = i < COINBASE_MATURITY ?
48 : g_outpoints_coinbase_init_mature :
49 : g_outpoints_coinbase_init_immature;
50 0 : outpoints.push_back(prevout);
51 0 : }
52 0 : SyncWithValidationInterfaceQueue();
53 0 : }
54 :
55 : struct TransactionsDelta final : public CValidationInterface {
56 : std::set<CTransactionRef>& m_removed;
57 : std::set<CTransactionRef>& m_added;
58 :
59 0 : explicit TransactionsDelta(std::set<CTransactionRef>& r, std::set<CTransactionRef>& a)
60 0 : : m_removed{r}, m_added{a} {}
61 :
62 0 : void TransactionAddedToMempool(const CTransactionRef& tx, uint64_t /* mempool_sequence */) override
63 : {
64 0 : Assert(m_added.insert(tx).second);
65 0 : }
66 :
67 0 : void TransactionRemovedFromMempool(const CTransactionRef& tx, MemPoolRemovalReason reason, uint64_t /* mempool_sequence */) override
68 : {
69 0 : Assert(m_removed.insert(tx).second);
70 0 : }
71 : };
72 :
73 0 : void SetMempoolConstraints(ArgsManager& args, FuzzedDataProvider& fuzzed_data_provider)
74 2 : {
75 0 : args.ForceSetArg("-limitancestorcount",
76 0 : ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 50)));
77 0 : args.ForceSetArg("-limitancestorsize",
78 0 : ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 202)));
79 0 : args.ForceSetArg("-limitdescendantcount",
80 0 : ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 50)));
81 0 : args.ForceSetArg("-limitdescendantsize",
82 0 : ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 202)));
83 0 : args.ForceSetArg("-maxmempool",
84 0 : ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 200)));
85 0 : args.ForceSetArg("-mempoolexpiry",
86 0 : ToString(fuzzed_data_provider.ConsumeIntegralInRange<unsigned>(0, 999)));
87 0 : }
88 :
89 0 : void Finish(FuzzedDataProvider& fuzzed_data_provider, MockedTxPool& tx_pool, Chainstate& chainstate)
90 : {
91 0 : WITH_LOCK(::cs_main, tx_pool.check(chainstate.CoinsTip(), chainstate.m_chain.Height() + 1));
92 : {
93 0 : BlockAssembler::Options options;
94 0 : options.nBlockMaxWeight = fuzzed_data_provider.ConsumeIntegralInRange(0U, MAX_BLOCK_WEIGHT);
95 0 : options.blockMinFeeRate = CFeeRate{ConsumeMoney(fuzzed_data_provider, /*max=*/COIN)};
96 0 : auto assembler = BlockAssembler{chainstate, &tx_pool, options};
97 0 : auto block_template = assembler.CreateNewBlock(CScript{} << OP_TRUE);
98 0 : Assert(block_template->block.vtx.size() >= 1);
99 0 : }
100 0 : const auto info_all = tx_pool.infoAll();
101 0 : if (!info_all.empty()) {
102 0 : const auto& tx_to_remove = *PickValue(fuzzed_data_provider, info_all).tx;
103 0 : WITH_LOCK(tx_pool.cs, tx_pool.removeRecursive(tx_to_remove, MemPoolRemovalReason::BLOCK /* dummy */));
104 0 : std::vector<uint256> all_txids;
105 0 : tx_pool.queryHashes(all_txids);
106 0 : assert(all_txids.size() < info_all.size());
107 0 : WITH_LOCK(::cs_main, tx_pool.check(chainstate.CoinsTip(), chainstate.m_chain.Height() + 1));
108 0 : }
109 0 : SyncWithValidationInterfaceQueue();
110 0 : }
111 :
112 0 : void MockTime(FuzzedDataProvider& fuzzed_data_provider, const Chainstate& chainstate)
113 : {
114 0 : const auto time = ConsumeTime(fuzzed_data_provider,
115 0 : chainstate.m_chain.Tip()->GetMedianTimePast() + 1,
116 0 : std::numeric_limits<decltype(chainstate.m_chain.Tip()->nTime)>::max());
117 0 : SetMockTime(time);
118 0 : }
119 :
120 0 : CTxMemPool MakeMempool(FuzzedDataProvider& fuzzed_data_provider, const NodeContext& node)
121 : {
122 : // Take the default options for tests...
123 0 : CTxMemPool::Options mempool_opts{MemPoolOptionsForTest(node)};
124 :
125 : // ...override specific options for this specific fuzz suite
126 0 : mempool_opts.estimator = nullptr;
127 0 : mempool_opts.check_ratio = 1;
128 0 : mempool_opts.require_standard = fuzzed_data_provider.ConsumeBool();
129 :
130 : // ...and construct a CTxMemPool from it
131 0 : return CTxMemPool{mempool_opts};
132 : }
133 :
134 4 : FUZZ_TARGET(tx_pool_standard, .init = initialize_tx_pool)
135 : {
136 0 : FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
137 0 : const auto& node = g_setup->m_node;
138 0 : auto& chainstate{static_cast<DummyChainState&>(node.chainman->ActiveChainstate())};
139 :
140 0 : MockTime(fuzzed_data_provider, chainstate);
141 :
142 : // All RBF-spendable outpoints
143 0 : std::set<COutPoint> outpoints_rbf;
144 : // All outpoints counting toward the total supply (subset of outpoints_rbf)
145 0 : std::set<COutPoint> outpoints_supply;
146 0 : for (const auto& outpoint : g_outpoints_coinbase_init_mature) {
147 0 : Assert(outpoints_supply.insert(outpoint).second);
148 : }
149 0 : outpoints_rbf = outpoints_supply;
150 :
151 : // The sum of the values of all spendable outpoints
152 0 : constexpr CAmount SUPPLY_TOTAL{COINBASE_MATURITY * 50 * COIN};
153 :
154 0 : SetMempoolConstraints(*node.args, fuzzed_data_provider);
155 0 : CTxMemPool tx_pool_{MakeMempool(fuzzed_data_provider, node)};
156 0 : MockedTxPool& tx_pool = *static_cast<MockedTxPool*>(&tx_pool_);
157 :
158 0 : chainstate.SetMempool(&tx_pool);
159 :
160 : // Helper to query an amount
161 0 : const CCoinsViewMemPool amount_view{WITH_LOCK(::cs_main, return &chainstate.CoinsTip()), tx_pool};
162 0 : const auto GetAmount = [&](const COutPoint& outpoint) {
163 0 : Coin c;
164 0 : Assert(amount_view.GetCoin(outpoint, c));
165 0 : return c.out.nValue;
166 0 : };
167 :
168 0 : LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 300)
169 : {
170 : {
171 : // Total supply is the mempool fee + all outpoints
172 0 : CAmount supply_now{WITH_LOCK(tx_pool.cs, return tx_pool.GetTotalFee())};
173 0 : for (const auto& op : outpoints_supply) {
174 0 : supply_now += GetAmount(op);
175 : }
176 0 : Assert(supply_now == SUPPLY_TOTAL);
177 : }
178 0 : Assert(!outpoints_supply.empty());
179 :
180 : // Create transaction to add to the mempool
181 0 : const CTransactionRef tx = [&] {
182 0 : CMutableTransaction tx_mut;
183 0 : tx_mut.nVersion = CTransaction::CURRENT_VERSION;
184 0 : tx_mut.nLockTime = fuzzed_data_provider.ConsumeBool() ? 0 : fuzzed_data_provider.ConsumeIntegral<uint32_t>();
185 0 : const auto num_in = fuzzed_data_provider.ConsumeIntegralInRange<int>(1, outpoints_rbf.size());
186 0 : const auto num_out = fuzzed_data_provider.ConsumeIntegralInRange<int>(1, outpoints_rbf.size() * 2);
187 :
188 0 : CAmount amount_in{0};
189 0 : for (int i = 0; i < num_in; ++i) {
190 : // Pop random outpoint
191 0 : auto pop = outpoints_rbf.begin();
192 0 : std::advance(pop, fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, outpoints_rbf.size() - 1));
193 0 : const auto outpoint = *pop;
194 0 : outpoints_rbf.erase(pop);
195 0 : amount_in += GetAmount(outpoint);
196 :
197 : // Create input
198 0 : const auto sequence = ConsumeSequence(fuzzed_data_provider);
199 0 : const auto script_sig = CScript{};
200 0 : const auto script_wit_stack = std::vector<std::vector<uint8_t>>{WITNESS_STACK_ELEM_OP_TRUE};
201 0 : CTxIn in;
202 0 : in.prevout = outpoint;
203 0 : in.nSequence = sequence;
204 0 : in.scriptSig = script_sig;
205 0 : in.scriptWitness.stack = script_wit_stack;
206 :
207 0 : tx_mut.vin.push_back(in);
208 0 : }
209 0 : const auto amount_fee = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-1000, amount_in);
210 0 : const auto amount_out = (amount_in - amount_fee) / num_out;
211 0 : for (int i = 0; i < num_out; ++i) {
212 0 : tx_mut.vout.emplace_back(amount_out, P2WSH_OP_TRUE);
213 0 : }
214 0 : auto tx = MakeTransactionRef(tx_mut);
215 : // Restore previously removed outpoints
216 0 : for (const auto& in : tx->vin) {
217 0 : Assert(outpoints_rbf.insert(in.prevout).second);
218 : }
219 0 : return tx;
220 0 : }();
221 :
222 0 : if (fuzzed_data_provider.ConsumeBool()) {
223 0 : MockTime(fuzzed_data_provider, chainstate);
224 0 : }
225 0 : if (fuzzed_data_provider.ConsumeBool()) {
226 0 : tx_pool.RollingFeeUpdate();
227 0 : }
228 0 : if (fuzzed_data_provider.ConsumeBool()) {
229 0 : const auto& txid = fuzzed_data_provider.ConsumeBool() ?
230 0 : tx->GetHash() :
231 0 : PickValue(fuzzed_data_provider, outpoints_rbf).hash;
232 0 : const auto delta = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-50 * COIN, +50 * COIN);
233 0 : tx_pool.PrioritiseTransaction(txid, delta);
234 0 : }
235 :
236 : // Remember all removed and added transactions
237 0 : std::set<CTransactionRef> removed;
238 0 : std::set<CTransactionRef> added;
239 0 : auto txr = std::make_shared<TransactionsDelta>(removed, added);
240 0 : RegisterSharedValidationInterface(txr);
241 0 : const bool bypass_limits = fuzzed_data_provider.ConsumeBool();
242 :
243 : // Make sure ProcessNewPackage on one transaction works.
244 : // The result is not guaranteed to be the same as what is returned by ATMP.
245 0 : const auto result_package = WITH_LOCK(::cs_main,
246 : return ProcessNewPackage(chainstate, tx_pool, {tx}, true));
247 : // If something went wrong due to a package-specific policy, it might not return a
248 : // validation result for the transaction.
249 0 : if (result_package.m_state.GetResult() != PackageValidationResult::PCKG_POLICY) {
250 0 : auto it = result_package.m_tx_results.find(tx->GetWitnessHash());
251 0 : Assert(it != result_package.m_tx_results.end());
252 0 : Assert(it->second.m_result_type == MempoolAcceptResult::ResultType::VALID ||
253 : it->second.m_result_type == MempoolAcceptResult::ResultType::INVALID);
254 0 : }
255 :
256 0 : const auto res = WITH_LOCK(::cs_main, return AcceptToMemoryPool(chainstate, tx, GetTime(), bypass_limits, /*test_accept=*/false));
257 0 : const bool accepted = res.m_result_type == MempoolAcceptResult::ResultType::VALID;
258 0 : SyncWithValidationInterfaceQueue();
259 0 : UnregisterSharedValidationInterface(txr);
260 :
261 0 : Assert(accepted != added.empty());
262 0 : Assert(accepted == res.m_state.IsValid());
263 0 : Assert(accepted != res.m_state.IsInvalid());
264 0 : if (accepted) {
265 0 : Assert(added.size() == 1); // For now, no package acceptance
266 0 : Assert(tx == *added.begin());
267 0 : } else {
268 : // Do not consider rejected transaction removed
269 0 : removed.erase(tx);
270 : }
271 :
272 : // Helper to insert spent and created outpoints of a tx into collections
273 : using Sets = std::vector<std::reference_wrapper<std::set<COutPoint>>>;
274 0 : const auto insert_tx = [](Sets created_by_tx, Sets consumed_by_tx, const auto& tx) {
275 0 : for (size_t i{0}; i < tx.vout.size(); ++i) {
276 0 : for (auto& set : created_by_tx) {
277 0 : Assert(set.get().emplace(tx.GetHash(), i).second);
278 : }
279 0 : }
280 0 : for (const auto& in : tx.vin) {
281 0 : for (auto& set : consumed_by_tx) {
282 0 : Assert(set.get().insert(in.prevout).second);
283 : }
284 : }
285 0 : };
286 : // Add created outpoints, remove spent outpoints
287 : {
288 : // Outpoints that no longer exist at all
289 0 : std::set<COutPoint> consumed_erased;
290 : // Outpoints that no longer count toward the total supply
291 0 : std::set<COutPoint> consumed_supply;
292 0 : for (const auto& removed_tx : removed) {
293 0 : insert_tx(/*created_by_tx=*/{consumed_erased}, /*consumed_by_tx=*/{outpoints_supply}, /*tx=*/*removed_tx);
294 : }
295 0 : for (const auto& added_tx : added) {
296 0 : insert_tx(/*created_by_tx=*/{outpoints_supply, outpoints_rbf}, /*consumed_by_tx=*/{consumed_supply}, /*tx=*/*added_tx);
297 : }
298 0 : for (const auto& p : consumed_erased) {
299 0 : Assert(outpoints_supply.erase(p) == 1);
300 0 : Assert(outpoints_rbf.erase(p) == 1);
301 : }
302 0 : for (const auto& p : consumed_supply) {
303 0 : Assert(outpoints_supply.erase(p) == 1);
304 : }
305 0 : }
306 0 : }
307 0 : Finish(fuzzed_data_provider, tx_pool, chainstate);
308 0 : }
309 :
310 4 : FUZZ_TARGET(tx_pool, .init = initialize_tx_pool)
311 : {
312 0 : FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
313 0 : const auto& node = g_setup->m_node;
314 0 : auto& chainstate{static_cast<DummyChainState&>(node.chainman->ActiveChainstate())};
315 :
316 0 : MockTime(fuzzed_data_provider, chainstate);
317 :
318 0 : std::vector<uint256> txids;
319 0 : txids.reserve(g_outpoints_coinbase_init_mature.size());
320 0 : for (const auto& outpoint : g_outpoints_coinbase_init_mature) {
321 0 : txids.push_back(outpoint.hash);
322 : }
323 0 : for (int i{0}; i <= 3; ++i) {
324 : // Add some immature and non-existent outpoints
325 0 : txids.push_back(g_outpoints_coinbase_init_immature.at(i).hash);
326 0 : txids.push_back(ConsumeUInt256(fuzzed_data_provider));
327 0 : }
328 :
329 0 : SetMempoolConstraints(*node.args, fuzzed_data_provider);
330 0 : CTxMemPool tx_pool_{MakeMempool(fuzzed_data_provider, node)};
331 0 : MockedTxPool& tx_pool = *static_cast<MockedTxPool*>(&tx_pool_);
332 :
333 0 : chainstate.SetMempool(&tx_pool);
334 :
335 0 : LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 300)
336 : {
337 0 : const auto mut_tx = ConsumeTransaction(fuzzed_data_provider, txids);
338 :
339 0 : if (fuzzed_data_provider.ConsumeBool()) {
340 0 : MockTime(fuzzed_data_provider, chainstate);
341 0 : }
342 0 : if (fuzzed_data_provider.ConsumeBool()) {
343 0 : tx_pool.RollingFeeUpdate();
344 0 : }
345 0 : if (fuzzed_data_provider.ConsumeBool()) {
346 0 : const auto& txid = fuzzed_data_provider.ConsumeBool() ?
347 0 : mut_tx.GetHash() :
348 0 : PickValue(fuzzed_data_provider, txids);
349 0 : const auto delta = fuzzed_data_provider.ConsumeIntegralInRange<CAmount>(-50 * COIN, +50 * COIN);
350 0 : tx_pool.PrioritiseTransaction(txid, delta);
351 0 : }
352 :
353 0 : const auto tx = MakeTransactionRef(mut_tx);
354 0 : const bool bypass_limits = fuzzed_data_provider.ConsumeBool();
355 0 : const auto res = WITH_LOCK(::cs_main, return AcceptToMemoryPool(chainstate, tx, GetTime(), bypass_limits, /*test_accept=*/false));
356 0 : const bool accepted = res.m_result_type == MempoolAcceptResult::ResultType::VALID;
357 0 : if (accepted) {
358 0 : txids.push_back(tx->GetHash());
359 0 : }
360 0 : }
361 0 : Finish(fuzzed_data_provider, tx_pool, chainstate);
362 0 : }
363 : } // namespace
|
