fuzz: Use LIMITED_WHILE instead of limit_max_ops

MarcoFalke · MarcoFalke · commit faa5fa9a78d6 · 2021-08-21T19:25:33.000+02:00
diff --git a/src/test/fuzz/banman.cpp b/src/test/fuzz/banman.cpp
@@ -41,10 +41,6 @@ static bool operator==(const CBanEntry& lhs, const CBanEntry& rhs)
 
 FUZZ_TARGET_INIT(banman, initialize_banman)
 {
-    // The complexity is O(N^2), where N is the input size, because each call
-    // might call DumpBanlist (or other methods that are at least linear
-    // complexity of the input size).
-    int limit_max_ops{300};
     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
     SetMockTime(ConsumeTime(fuzzed_data_provider));
     fs::path banlist_file = gArgs.GetDataDirNet() / "fuzzed_banlist";
@@ -63,7 +59,11 @@ FUZZ_TARGET_INIT(banman, initialize_banman)
 
     {
         BanMan ban_man{banlist_file, /* client_interface */ nullptr, /* default_ban_time */ ConsumeBanTimeOffset(fuzzed_data_provider)};
-        while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
+        // The complexity is O(N^2), where N is the input size, because each call
+        // might call DumpBanlist (or other methods that are at least linear
+        // complexity of the input size).
+        LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 300)
+        {
             CallOneOf(
                 fuzzed_data_provider,
                 [&] {
diff --git a/src/test/fuzz/crypto.cpp b/src/test/fuzz/crypto.cpp
@@ -19,10 +19,6 @@
 
 FUZZ_TARGET(crypto)
 {
-    // Hashing is expensive with sanitizers enabled, so limit the number of
-    // calls
-    int limit_max_ops{30};
-
     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
     std::vector<uint8_t> data = ConsumeRandomLengthByteVector(fuzzed_data_provider);
     if (data.empty()) {
@@ -40,7 +36,8 @@ FUZZ_TARGET(crypto)
     SHA3_256 sha3;
     CSipHasher sip_hasher{fuzzed_data_provider.ConsumeIntegral<uint64_t>(), fuzzed_data_provider.ConsumeIntegral<uint64_t>()};
 
-    while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
+    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 30)
+    {
         CallOneOf(
             fuzzed_data_provider,
             [&] {
diff --git a/src/test/fuzz/fuzz.h b/src/test/fuzz/fuzz.h
@@ -11,6 +11,10 @@
 #include <functional>
 #include <string_view>
 
+/**
+ * Can be used to limit a theoretically unbounded loop. This caps the runtime
+ * to avoid timeouts or OOMs.
+ */
 #define LIMITED_WHILE(condition, limit) \
     for (unsigned _count{limit}; (condition) && _count; --_count)
 
diff --git a/src/test/fuzz/prevector.cpp b/src/test/fuzz/prevector.cpp
@@ -206,14 +206,11 @@ class prevector_tester
 
 FUZZ_TARGET(prevector)
 {
-    // Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
-    // inputs.
-    int limit_max_ops{3000};
-
     FuzzedDataProvider prov(buffer.data(), buffer.size());
     prevector_tester<8, int> test;
 
-    while (--limit_max_ops >= 0 && prov.remaining_bytes()) {
+    LIMITED_WHILE(prov.remaining_bytes(), 3000)
+    {
         switch (prov.ConsumeIntegralInRange<int>(0, 13 + 3 * (test.size() > 0))) {
         case 0:
             test.insert(prov.ConsumeIntegralInRange<size_t>(0, test.size()), prov.ConsumeIntegral<int>());
diff --git a/src/test/fuzz/rolling_bloom_filter.cpp b/src/test/fuzz/rolling_bloom_filter.cpp
@@ -16,16 +16,13 @@
 
 FUZZ_TARGET(rolling_bloom_filter)
 {
-    // Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
-    // inputs.
-    int limit_max_ops{3000};
-
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
 
     CRollingBloomFilter rolling_bloom_filter{
         fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(1, 1000),
         0.999 / fuzzed_data_provider.ConsumeIntegralInRange<unsigned int>(1, std::numeric_limits<unsigned int>::max())};
-    while (--limit_max_ops >= 0 && fuzzed_data_provider.remaining_bytes() > 0) {
+    LIMITED_WHILE(fuzzed_data_provider.remaining_bytes() > 0, 3000)
+    {
         CallOneOf(
             fuzzed_data_provider,
             [&] {
diff --git a/src/test/fuzz/tx_pool.cpp b/src/test/fuzz/tx_pool.cpp
@@ -112,10 +112,6 @@ void MockTime(FuzzedDataProvider& fuzzed_data_provider, const CChainState& chain
 
 FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
 {
-    // Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
-    // inputs.
-    int limit_max_ops{300};
-
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
     const auto& node = g_setup->m_node;
     auto& chainstate = node.chainman->ActiveChainstate();
@@ -146,7 +142,8 @@ FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
         return c.out.nValue;
     };
 
-    while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
+    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 300)
+    {
         {
             // Total supply is the mempool fee + all outpoints
             CAmount supply_now{WITH_LOCK(tx_pool.cs, return tx_pool.GetTotalFee())};
@@ -289,10 +286,6 @@ FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
 
 FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
 {
-    // Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
-    // inputs.
-    int limit_max_ops{300};
-
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
     const auto& node = g_setup->m_node;
     auto& chainstate = node.chainman->ActiveChainstate();
@@ -313,7 +306,8 @@ FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
     CTxMemPool tx_pool_{/* estimator */ nullptr, /* check_ratio */ 1};
     MockedTxPool& tx_pool = *static_cast<MockedTxPool*>(&tx_pool_);
 
-    while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
+    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 300)
+    {
         const auto mut_tx = ConsumeTransaction(fuzzed_data_provider, txids);
 
         if (fuzzed_data_provider.ConsumeBool()) {
