When a fuzz test crashes, it prints the error stack. The top tells you what caused the issue (here, the failed assertion), and the bottom provides a text-formatted (Base64-encoded) version of the crashing fuzz seed.

fuzz: ../../src/wallet/test/fuzz/coinselection.cpp:120: void wallet::coinselection_fuzz_target(FuzzBufferType): Assertion `result_bnb->GetChange(coin_params.m_cost_of_change, CAmount{0}) == 0' failed.
==2010034== ERROR: libFuzzer: deadly signal #0 0x55c5cfab4841 in __sanitizer_print_stack_trace (/home/murch/Workspace/pr-27585/fuzz-build/src/test/fuzz/fuzz+0x1611841) (BuildId: 7e7dce8b351f3ad01c4e9815f15265d8d7a64c61) … [skipped] …
artifact_prefix='./'; Test unit written to ./crash-05d2df3cebde688a5114737869a65484cecd9f45

To figure out what caused the crash, run the fuzzer against just the crashing seed and use your regular debugging approach, e.g.:

$ FUZZ=coinselection src/test/fuzz/fuzz crash-05d2df3cebde688a5114737869a65484cecd9f45

If you are not the author of the PR that caused the crashing fuzz test, you can hand the fuzz seed to the other developer via the Base64 encoding at the bottom of the error message. For example, leave them instructions like this in a comment on the PR:

$ echo "MP3//////wT/LzMBEABL////////Wv///yWyEABLAADoQP//PP//CAAAPQAAAAAAAAAAPQEAAAAAAAAA/V12+w==" | base64 -d > crash.input
$ FUZZ=coinselection src/test/fuzz/fuzz crash.input

The string in the quotation marks is simply the base64 encoding from above.
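A small helper, added here as an example and not part of the original post, that automates the two steps above: it decodes a Base64 seed pasted from a PR comment (stripping any whitespace the comment may have wrapped into the string) and names the file crash-<sha1 of the input>, which is the naming scheme libFuzzer uses for its artifacts, so you can check that the seed you were given really is the one the crash report named before you start debugging. It assumes GNU `base64` and `sha1sum` are available; the sample Base64 string in the comments is constructed for the test, not the crash from the post.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumes GNU coreutils
# (base64, sha1sum). libFuzzer names crash artifacts "crash-<SHA1 of the
# input bytes>", which lets us cross-check a pasted seed against the
# artifact name printed in the crash report.

# Decode a Base64 seed (as pasted from a PR comment) into <outdir>/crash-<sha1>.
# Whitespace is removed first because comment editors often wrap long lines,
# and GNU base64 -d rejects embedded spaces. Prints the path written.
decode_fuzz_seed() {
    b64="$1"; outdir="${2:-.}"
    tmp="$(mktemp)"
    printf '%s' "$b64" | tr -d ' \n\r\t' | base64 -d > "$tmp" || {
        rm -f "$tmp"; return 1
    }
    hash="$(sha1sum "$tmp" | cut -d' ' -f1)"
    mv "$tmp" "$outdir/crash-$hash"
    printf '%s\n' "$outdir/crash-$hash"
}

# Return 0 when the decoded seed's libFuzzer-style name equals the artifact
# name quoted in the crash report ("Test unit written to ./crash-...").
seed_matches_artifact() {
    seed_path="$1"; artifact_name="$2"
    [ "$(basename "$seed_path")" = "$artifact_name" ]
}

# Re-run a single fuzz target against the decoded seed, as in the post.
# Usage: reproduce_crash coinselection ./crash-<sha1>
reproduce_crash() {
    FUZZ="$1" src/test/fuzz/fuzz "$2"
}

# Example with a constructed seed ("hello"), whose SHA1 is
# aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d:
#   seed="$(decode_fuzz_seed 'aGVs bG8=' .)"
#   seed_matches_artifact "$seed" crash-aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d && echo match
```

If the names differ, the pasted string was mangled or belongs to a different crash, and rerunning the target on it will not reproduce the reported failure.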
