build: register new Dash fuzz targets in Makefile.test.include

Add all new Dash-specific fuzz target source files to the build
system so they are compiled into the fuzz binary:
  asset_lock_unlock, bls_operations, coinjoin, deserialize_dash,
  deterministic_mn_list_diff, governance_proposal_validator,
  llmq_messages, process_message_dash, roundtrip_dash,
  special_tx_validation

# Conflicts:
#	src/test/fuzz/deterministic_mn_list_diff.cpp

Author: thepastaclaw

src/Makefile.test.include

@@ -279,18 +279,21 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/addrman.cpp \
  test/fuzz/asmap.cpp \
  test/fuzz/asmap_direct.cpp \
+ test/fuzz/asset_lock_unlock.cpp \
  test/fuzz/autofile.cpp \
  test/fuzz/banman.cpp \
  test/fuzz/base_encode_decode.cpp \
  test/fuzz/bech32.cpp \
  test/fuzz/bip324.cpp \
+ test/fuzz/bls_operations.cpp \
  test/fuzz/block.cpp \
  test/fuzz/block_header.cpp \
  test/fuzz/blockfilter.cpp \
  test/fuzz/bloom_filter.cpp \
  test/fuzz/buffered_file.cpp \
  test/fuzz/chain.cpp \
  test/fuzz/checkqueue.cpp \
+ test/fuzz/coinjoin.cpp \
  test/fuzz/coins_view.cpp \
  test/fuzz/coinscache_sim.cpp \
  test/fuzz/connman.cpp \
@@ -306,18 +309,23 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/decode_tx.cpp \
  test/fuzz/descriptor_parse.cpp \
  test/fuzz/deserialize.cpp \
+ test/fuzz/deserialize_dash.cpp \
+ test/fuzz/deterministic_mn_list_diff.cpp \
+ test/fuzz/simplified_mn_list_diff.cpp \
  test/fuzz/eval_script.cpp \
  test/fuzz/fee_rate.cpp \
  test/fuzz/fees.cpp \
  test/fuzz/flatfile.cpp \
  test/fuzz/float.cpp \
  test/fuzz/golomb_rice.cpp \
+ test/fuzz/governance_proposal_validator.cpp \
  test/fuzz/hex.cpp \
  test/fuzz/http_request.cpp \
  test/fuzz/integer.cpp \
  test/fuzz/key.cpp \
  test/fuzz/key_io.cpp \
  test/fuzz/kitchen_sink.cpp \
+ test/fuzz/llmq_messages.cpp \
  test/fuzz/load_external_block_file.cpp \
  test/fuzz/locale.cpp \
  test/fuzz/merkleblock.cpp \
@@ -343,11 +351,13 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/prevector.cpp \
  test/fuzz/primitives_transaction.cpp \
  test/fuzz/process_message.cpp \
+ test/fuzz/process_message_dash.cpp \
  test/fuzz/process_messages.cpp \
  test/fuzz/protocol.cpp \
  test/fuzz/psbt.cpp \
  test/fuzz/random.cpp \
  test/fuzz/rolling_bloom_filter.cpp \
+ test/fuzz/roundtrip_dash.cpp \
  test/fuzz/rpc.cpp \
  test/fuzz/script.cpp \
  test/fuzz/script_bitcoin_consensus.cpp \
@@ -362,6 +372,7 @@ test_fuzz_fuzz_SOURCES = \
  test/fuzz/secp256k1_ec_seckey_import_export_der.cpp \
  test/fuzz/secp256k1_ecdsa_signature_parse_der_lax.cpp \
  test/fuzz/signature_checker.cpp \
+ test/fuzz/special_tx_validation.cpp \
  test/fuzz/socks5.cpp \
  test/fuzz/span.cpp \
  test/fuzz/spanparsing.cpp \

src/Makefile.test_fuzz.include

@@ -11,6 +11,7 @@ TEST_FUZZ_H = \
     test/fuzz/fuzz.h \
     test/fuzz/FuzzedDataProvider.h \
     test/fuzz/util.h \
+    test/fuzz/util_dash.h \
     test/util/mining.h \
     test/fuzz/util/net.h
 

src/test/fuzz/decode_tx.cpp

@@ -16,6 +16,5 @@ FUZZ_TARGET(decode_tx)
 {
     const std::string tx_hex = HexStr(std::string{buffer.begin(), buffer.end()});
     CMutableTransaction mtx;
-    const bool result_none = DecodeHexTx(mtx, tx_hex);
-    assert(!result_none);
+    (void)DecodeHexTx(mtx, tx_hex);
 }

src/test/fuzz/fuzz.cpp

@@ -7,6 +7,7 @@
 #include <fs.h>
 #include <netaddress.h>
 #include <netbase.h>
+#include <stats/client.h>
 #include <test/util/setup_common.h>
 #include <util/check.h>
 #include <util/sock.h>
@@ -98,6 +99,12 @@ void ResetCoverageCounters() {}
 
 void initialize()
 {
+    // Initialize a no-op stats client to prevent null dereferences in production
+    // code that unconditionally calls g_stats_client->timing()/inc()/count().
+    if (!::g_stats_client) {
+        ::g_stats_client = std::make_unique<StatsdClient>();
+    }
+
     // Terminate immediately if a fuzzing harness ever tries to create a TCP socket.
     CreateSock = [](const sa_family_t&) -> std::unique_ptr<Sock> { std::terminate(); };
 

src/test/fuzz/simplified_mn_list_diff.cpp

@@ -0,0 +1,186 @@
+// Copyright (c) 2026 The Dash Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <bls/bls.h>
+#include <evo/deterministicmns.h>
+#include <evo/netinfo.h>
+#include <evo/simplifiedmns.h>
+#include <evo/smldiff.h>
+#include <llmq/commitment.h>
+#include <script/script.h>
+#include <script/standard.h>
+#include <streams.h>
+#include <test/fuzz/FuzzedDataProvider.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/util.h>
+#include <test/fuzz/util_dash.h>
+#include <test/util/setup_common.h>
+#include <tinyformat.h>
+#include <version.h>
+
+#include <algorithm>
+#include <array>
+#include <cstddef>
+#include <cstdint>
+#include <stdexcept>
+#include <string>
+#include <vector>
+
+namespace {
+
+const TestingSetup* g_setup;
+
+std::vector<std::byte> SerializeMerkleTree(const CPartialMerkleTree& tree)
+{
+    CDataStream ds(SER_NETWORK, PROTOCOL_VERSION);
+    ds << tree;
+    return {ds.begin(), ds.end()};
+}
+
+bool MutableTxEqual(const CMutableTransaction& lhs, const CMutableTransaction& rhs)
+{
+    return lhs.vin == rhs.vin &&
+           lhs.vout == rhs.vout &&
+           lhs.nVersion == rhs.nVersion &&
+           lhs.nType == rhs.nType &&
+           lhs.nLockTime == rhs.nLockTime &&
+           lhs.vExtraPayload == rhs.vExtraPayload;
+}
+
+} // namespace
+
+void initialize_simplified_mn_list_diff()
+{
+    static const auto testing_setup = MakeNoLogFileContext<const TestingSetup>(CBaseChainParams::REGTEST);
+    g_setup = testing_setup.get();
+}
+
+FUZZ_TARGET(simplified_mn_list_diff, .init = initialize_simplified_mn_list_diff)
+{
+    FuzzedDataProvider fuzzed_data_provider(buffer.data(), buffer.size());
+
+    const int source_height = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 10000);
+    const uint256 source_hash = ConsumeUInt256(fuzzed_data_provider);
+    CDeterministicMNList list_from(source_hash, source_height, 0);
+
+    uint64_t next_internal_id = 1;
+    uint64_t next_unique_tag = 1;
+    const size_t initial_mn_count = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 8);
+    for (size_t i = 0; i < initial_mn_count; ++i) {
+        const MnType mn_type = fuzzed_data_provider.ConsumeBool() ? MnType::Evo : MnType::Regular;
+        list_from.AddMN(MakeMasternode(next_internal_id++, next_unique_tag++, source_height, mn_type), /*fBumpTotalCount=*/true);
+    }
+
+    CDeterministicMNList list_to(list_from);
+    const size_t operation_count = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 24);
+    for (size_t i = 0; i < operation_count; ++i) {
+        const uint8_t op = fuzzed_data_provider.ConsumeIntegralInRange<uint8_t>(0, 2);
+        if (op == 0) {
+            const MnType mn_type = fuzzed_data_provider.ConsumeBool() ? MnType::Evo : MnType::Regular;
+            list_to.AddMN(MakeMasternode(next_internal_id++, next_unique_tag++, source_height, mn_type), /*fBumpTotalCount=*/true);
+            continue;
+        }
+
+        const auto hashes = GetProTxHashes(list_to);
+        if (hashes.empty()) continue;
+        const size_t index = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, hashes.size() - 1);
+
+        if (op == 1) {
+            list_to.RemoveMN(hashes[index]);
+            continue;
+        }
+
+        const auto old_mn = list_to.GetMN(hashes[index]);
+        if (!old_mn) continue;
+        auto new_state = std::make_shared<CDeterministicMNState>(*old_mn->pdmnState);
+        switch (fuzzed_data_provider.ConsumeIntegralInRange<uint8_t>(0, 9)) {
+        case 0:
+            new_state->confirmedHash = HashFromTag(next_unique_tag++ ^ 0x33333333ULL);
+            break;
+        case 1: {
+            CBLSSecretKey sk;
+            sk.MakeNewKey();
+            new_state->nVersion = ProTxVersion::BasicBLS;
+            new_state->pubKeyOperator.Set(sk.GetPublicKey(), /*specificLegacyScheme=*/false);
+            break;
+        }
+        case 2:
+            new_state->keyIDVoting = CKeyID(Uint160FromTag(next_unique_tag++ ^ 0x06060606ULL));
+            break;
+        case 3: {
+            auto net_info = NetInfoInterface::MakeNetInfo(new_state->nVersion);
+            if (net_info && net_info->AddEntry(NetInfoPurpose::CORE_P2P, AddressFromTag(next_unique_tag++)) == NetInfoStatus::Success) {
+                new_state->netInfo = std::move(net_info);
+            }
+            break;
+        }
+        case 4:
+            new_state->scriptPayout = CScript() << OP_DUP << OP_HASH160 << ToByteVector(Uint160FromTag(next_unique_tag++)) << OP_EQUALVERIFY << OP_CHECKSIG;
+            break;
+        case 5:
+            new_state->scriptOperatorPayout = CScript() << OP_DUP << OP_HASH160 << ToByteVector(Uint160FromTag(next_unique_tag++ ^ 0x08080808ULL)) << OP_EQUALVERIFY << OP_CHECKSIG;
+            break;
+        case 6:
+            new_state->BanIfNotBanned(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 100000));
+            break;
+        case 7:
+            new_state->platformNodeID = Uint160FromTag(next_unique_tag++ ^ 0x12121212ULL);
+            break;
+        case 8:
+            new_state->platformHTTPPort = fuzzed_data_provider.ConsumeIntegral<uint16_t>();
+            break;
+        case 9:
+            new_state->nRegisteredHeight = fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 10000);
+            break;
+        }
+        list_to.UpdateMN(*old_mn, new_state);
+    }
+
+    list_to.SetBlockHash(ConsumeUInt256(fuzzed_data_provider));
+    list_to.SetHeight(fuzzed_data_provider.ConsumeIntegralInRange<int>(0, 100000));
+
+    CSimplifiedMNListDiff diff;
+    diff.baseBlockHash = list_from.GetBlockHash();
+    diff.blockHash = list_to.GetBlockHash();
+    diff.cbTx = CMutableTransaction{};
+    diff.cbTxMerkleTree = CPartialMerkleTree{};
+
+    list_to.ForEachMN(/*onlyValid=*/false, [&](const auto& to_mn) {
+        const auto from_mn = list_from.GetMN(to_mn.proTxHash);
+        if (!from_mn || to_mn.to_sml_entry() != from_mn->to_sml_entry()) {
+            diff.mnList.emplace_back(to_mn.to_sml_entry());
+        }
+    });
+    list_from.ForEachMN(/*onlyValid=*/false, [&](const auto& from_mn) {
+        if (!list_to.GetMN(from_mn.proTxHash)) {
+            diff.deletedMNs.emplace_back(from_mn.proTxHash);
+        }
+    });
+
+    CDataStream ds(SER_NETWORK, PROTOCOL_VERSION);
+    ds << diff;
+    CSimplifiedMNListDiff roundtrip;
+    ds >> roundtrip;
+
+    if (roundtrip.baseBlockHash != diff.baseBlockHash || roundtrip.blockHash != diff.blockHash ||
+        !MutableTxEqual(roundtrip.cbTx, diff.cbTx) ||
+        SerializeMerkleTree(roundtrip.cbTxMerkleTree) != SerializeMerkleTree(diff.cbTxMerkleTree) ||
+        roundtrip.deletedMNs != diff.deletedMNs || roundtrip.mnList.size() != diff.mnList.size() ||
+        roundtrip.nVersion != diff.nVersion || roundtrip.deletedQuorums != diff.deletedQuorums ||
+        roundtrip.newQuorums.size() != diff.newQuorums.size() || roundtrip.quorumsCLSigs != diff.quorumsCLSigs) {
+        throw std::runtime_error("simplified_mn_list_diff: serialized fields mismatch");
+    }
+    for (size_t i = 0; i < diff.mnList.size(); ++i) {
+        if (roundtrip.mnList[i] != diff.mnList[i]) {
+            throw std::runtime_error("simplified_mn_list_diff: mnList mismatch");
+        }
+    }
+
+    CDataStream ds_random(fuzzed_data_provider.ConsumeRemainingBytes<uint8_t>(), SER_NETWORK, PROTOCOL_VERSION);
+    try {
+        CSimplifiedMNListDiff random_diff;
+        ds_random >> random_diff;
+    } catch (const std::exception&) {
+    }
+}