Merge bitcoin#22454: fuzz: Limit max ops in tx_pool fuzz targets

MarcoFalke · PastaPastaPasta · commit 3b317db95f47 · 2024-02-14T14:57:37.000-06:00
fa33ed4 fuzz: Limit max ops in tx_pool fuzz targets (MarcoFalke) Pull request description: Without a size limit on the input data, the runtime is unbounded. Fix this by picking an upper bound on the maximum number of fuzz operations. Reproducer from OSS-Fuzz (without bug report): [clusterfuzz-testcase-tx_pool_standard-5963992253202432.log](https://github.com/bitcoin/bitcoin/files/6822465/clusterfuzz-testcase-tx_pool_standard-5963992253202432.log) ACKs for top commit: practicalswift: cr ACK fa33ed4 Tree-SHA512: 32098d573880afba12d510ac83519dc886a6c65d5207edb810f92c7c61edf5e2fc9c57e7b7a1ae656c02ce14e3595707dd6b93caf7956beb2bc817609e14d23d
diff --git a/src/test/fuzz/tx_pool.cpp b/src/test/fuzz/tx_pool.cpp
@@ -78,6 +78,10 @@ void SetMempoolConstraints(ArgsManager& args, FuzzedDataProvider& fuzzed_data_pr
 
 FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
 {
+    // Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
+    // inputs.
+    int limit_max_ops{300};
+
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
     const auto& node = g_setup->m_node;
     auto& chainstate = node.chainman->ActiveChainstate();
@@ -108,7 +112,7 @@ FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
         return c.out.nValue;
     };
 
-    while (fuzzed_data_provider.ConsumeBool()) {
+    while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
         {
             // Total supply is all outpoints
             CAmount supply_now{0};
@@ -259,6 +263,10 @@ FUZZ_TARGET_INIT(tx_pool_standard, initialize_tx_pool)
 
 FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
 {
+    // Pick an arbitrary upper bound to limit the runtime and avoid timeouts on
+    // inputs.
+    int limit_max_ops{300};
+
     FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
     const auto& node = g_setup->m_node;
 
@@ -274,7 +282,7 @@ FUZZ_TARGET_INIT(tx_pool, initialize_tx_pool)
 
     CTxMemPool tx_pool{/* estimator */ nullptr, /* check_ratio */ 1};
 
-    while (fuzzed_data_provider.ConsumeBool()) {
+    while (--limit_max_ops >= 0 && fuzzed_data_provider.ConsumeBool()) {
         const auto mut_tx = ConsumeTransaction(fuzzed_data_provider, txids);
 
         const auto tx = MakeTransactionRef(mut_tx);
