bundle: simple client fuzzer

riptl · ripatel-fd · commit f5e167394fa3 · 2025-07-03T07:50:34.000Z
diff --git a/src/disco/bundle/Local.mk b/src/disco/bundle/Local.mk
@@ -9,6 +9,7 @@ $(call add-objs,fd_bundle_auth fd_bundle_client,fd_disco)
 ifdef FD_HAS_HOSTED
 ifdef FD_HAS_SSE
 $(call make-unit-test,test_bundle_client,test_bundle_client,fd_disco fd_waltz fd_flamenco fd_tango fd_ballet fd_util,$(OPENSSL_LIBS))
+$(call make-fuzz-test,fuzz_bundle_client,fuzz_bundle_client,fd_disco fd_waltz fd_flamenco fd_tango fd_ballet fd_util,$(OPENSSL_LIBS))
 endif
 $(call make-fuzz-test,fuzz_bundle_auth_resp,fuzz_bundle_auth_resp,fd_disco fd_waltz fd_flamenco fd_tango fd_ballet fd_util,$(OPENSSL_LIBS))
 endif
diff --git a/src/disco/bundle/fd_bundle_client.c b/src/disco/bundle/fd_bundle_client.c
@@ -22,6 +22,11 @@
 
 #define FD_BUNDLE_CLIENT_REQUEST_TIMEOUT ((long)8e9) /* 8 seconds */
 
+__attribute__((weak)) long
+fd_bundle_tickcount( void ) {
+  return fd_tickcount();
+}
+
 void
 fd_bundle_client_reset( fd_bundle_tile_t * ctx ) {
   if( FD_UNLIKELY( ctx->tcp_sock >= 0 ) ) {
@@ -49,7 +54,7 @@ fd_bundle_client_reset( fd_bundle_tile_t * ctx ) {
   }
 # endif
 
-  fd_bundle_tile_backoff( ctx, fd_tickcount() );
+  fd_bundle_tile_backoff( ctx, fd_bundle_tickcount() );
 
   fd_bundle_auther_reset( &ctx->auther );
   fd_grpc_client_reset( ctx->grpc_client );
@@ -154,7 +159,7 @@ fd_bundle_client_create_conn( fd_bundle_tile_t * ctx ) {
 # endif /* FD_HAS_OPENSSL */
 
   fd_grpc_client_reset( ctx->grpc_client );
-  ctx->last_ping_tx_ticks = fd_tickcount();
+  ctx->last_ping_tx_ticks = fd_bundle_tickcount();
   ctx->last_ping_tx_nanos = fd_log_wallclock();
 }
 
@@ -245,7 +250,7 @@ fd_bundle_client_send_ping( fd_bundle_tile_t * ctx ) {
   fd_h2_rbuf_t * rbuf_tx = fd_grpc_client_rbuf_tx( ctx->grpc_client );
 
   if( FD_LIKELY( fd_h2_tx_ping( conn, rbuf_tx ) ) ) {
-    ctx->last_ping_tx_ticks = fd_tickcount();
+    ctx->last_ping_tx_ticks = fd_bundle_tickcount();
     ctx->last_ping_tx_nanos = fd_log_wallclock();
     ctx->ping_randomize     = fd_rng_ulong( ctx->rng );
   }
@@ -338,7 +343,7 @@ fd_bundle_client_step1( fd_bundle_tile_t * ctx,
   /* gRPC conn died? */
   if( FD_UNLIKELY( !ctx->grpc_client ) ) {
   reconnect:
-    if( FD_UNLIKELY( fd_bundle_tile_should_stall( ctx, fd_tickcount() ) ) ) {
+    if( FD_UNLIKELY( fd_bundle_tile_should_stall( ctx, fd_bundle_tickcount() ) ) ) {
       return;
     }
     fd_bundle_client_create_conn( ctx );
@@ -347,7 +352,7 @@ fd_bundle_client_step1( fd_bundle_tile_t * ctx,
   }
 
   /* Did a HTTP/2 PING time out */
-  long check_ts = fd_tickcount();
+  long check_ts = fd_bundle_tickcount();
   if( FD_UNLIKELY( fd_bundle_client_ping_is_timeout( ctx, check_ts ) ) ) {
     FD_LOG_WARNING(( "Bundle gRPC timed out (HTTP/2 PING went unanswered for %.2f seconds)",
                     ( (double)ctx->ping_deadline_ticks / fd_tempo_tick_per_ns( NULL ) )*1e-9 ));
@@ -367,7 +372,7 @@ fd_bundle_client_step1( fd_bundle_tile_t * ctx,
 
   /* Are we ready to issue a new request? */
   if( FD_UNLIKELY( fd_grpc_client_request_is_blocked( ctx->grpc_client ) ) ) return;
-  long io_ts = fd_tickcount();
+  long io_ts = fd_bundle_tickcount();
   if( FD_UNLIKELY( fd_bundle_tile_should_stall( ctx, io_ts ) ) ) return;
 
   *charge_busy |= fd_bundle_client_step_reconnect( ctx, io_ts );
@@ -471,7 +476,7 @@ fd_bundle_tile_publish_bundle_txn(
     FD_LOG_CRIT(( "ctx->stem not set. This is a bug." ));
   }
 
-  ulong tspub = (ulong)fd_frag_meta_ts_comp( fd_tickcount() );
+  ulong tspub = (ulong)fd_frag_meta_ts_comp( fd_bundle_tickcount() );
   fd_stem_publish( ctx->stem, ctx->verify_out.idx, sig, ctx->verify_out.chunk, sz, 0UL, 0UL, tspub );
   ctx->verify_out.chunk = fd_dcache_compact_next( ctx->verify_out.chunk, sz, ctx->verify_out.chunk0, ctx->verify_out.wmark );
   ctx->metrics.txn_received_cnt++;
@@ -506,7 +511,7 @@ fd_bundle_tile_publish_txn(
     FD_LOG_CRIT(( "ctx->stem not set. This is a bug." ));
   }
 
-  ulong tspub = (ulong)fd_frag_meta_ts_comp( fd_tickcount() );
+  ulong tspub = (ulong)fd_frag_meta_ts_comp( fd_bundle_tickcount() );
   fd_stem_publish( ctx->stem, ctx->verify_out.idx, sig, ctx->verify_out.chunk, sz, 0UL, 0UL, tspub );
   ctx->verify_out.chunk = fd_dcache_compact_next( ctx->verify_out.chunk, sz, ctx->verify_out.chunk0, ctx->verify_out.wmark );
   ctx->metrics.txn_received_cnt++;
@@ -716,7 +721,7 @@ fd_bundle_client_handle_builder_fee_info(
 
   long validity_duration_ticks = (long)( fd_tempo_tick_per_ns( NULL ) * (60e9 * 5.) ); /* 5 minutes */
   ctx->builder_info_avail = 1;
-  ctx->builder_info_valid_until_ticks = fd_tickcount() + validity_duration_ticks;
+  ctx->builder_info_valid_until_ticks = fd_bundle_tickcount() + validity_duration_ticks;
 }
 
 static void
@@ -758,13 +763,13 @@ fd_bundle_client_grpc_rx_msg(
   case FD_BUNDLE_CLIENT_REQ_Auth_GenerateAuthChallenge:
     if( FD_UNLIKELY( !fd_bundle_auther_handle_challenge_resp( &ctx->auther, protobuf, protobuf_sz ) ) ) {
       ctx->metrics.decode_fail_cnt++;
-      fd_bundle_tile_backoff( ctx, fd_tickcount() );
+      fd_bundle_tile_backoff( ctx, fd_bundle_tickcount() );
     }
     break;
   case FD_BUNDLE_CLIENT_REQ_Auth_GenerateAuthTokens:
     if( FD_UNLIKELY( !fd_bundle_auther_handle_tokens_resp( &ctx->auther, protobuf, protobuf_sz ) ) ) {
       ctx->metrics.decode_fail_cnt++;
-      fd_bundle_tile_backoff( ctx, fd_tickcount() );
+      fd_bundle_tile_backoff( ctx, fd_bundle_tickcount() );
     }
     break;
   case FD_BUNDLE_CLIENT_REQ_Bundle_SubscribeBundles:
@@ -784,7 +789,7 @@ fd_bundle_client_grpc_rx_msg(
 static void
 fd_bundle_client_request_failed( fd_bundle_tile_t * ctx,
                                  ulong              request_ctx ) {
-  fd_bundle_tile_backoff( ctx, fd_tickcount() );
+  fd_bundle_tile_backoff( ctx, fd_bundle_tickcount() );
   switch( request_ctx ) {
   case FD_BUNDLE_CLIENT_REQ_Auth_GenerateAuthChallenge:
   case FD_BUNDLE_CLIENT_REQ_Auth_GenerateAuthTokens:
@@ -816,15 +821,15 @@ fd_bundle_client_grpc_rx_end(
   case FD_BUNDLE_CLIENT_REQ_Bundle_SubscribePackets:
     ctx->packet_subscription_live = 0;
     ctx->packet_subscription_wait = 0;
-    fd_bundle_tile_backoff( ctx, fd_tickcount() );
+    fd_bundle_tile_backoff( ctx, fd_bundle_tickcount() );
     ctx->defer_reset = 1;
     FD_LOG_INFO(( "SubscribePackets stream failed (gRPC status %u-%s). Reconnecting ...",
                   resp->grpc_status, fd_grpc_status_cstr( resp->grpc_status ) ));
     return;
   case FD_BUNDLE_CLIENT_REQ_Bundle_SubscribeBundles:
     ctx->bundle_subscription_live = 0;
     ctx->bundle_subscription_wait = 0;
-    fd_bundle_tile_backoff( ctx, fd_tickcount() );
+    fd_bundle_tile_backoff( ctx, fd_bundle_tickcount() );
     ctx->defer_reset = 1;
     FD_LOG_INFO(( "SubscribeBundles stream failed (gRPC status %u-%s). Reconnecting ...",
                   resp->grpc_status, fd_grpc_status_cstr( resp->grpc_status ) ));
@@ -864,7 +869,7 @@ fd_bundle_client_grpc_rx_timeout(
 static void
 fd_bundle_client_grpc_ping_ack( void * app_ctx ) {
   fd_bundle_tile_t * ctx = app_ctx;
-  ctx->last_ping_rx_ticks = fd_tickcount();
+  ctx->last_ping_rx_ticks = fd_bundle_tickcount();
   ctx->metrics.ping_ack_cnt++;
   long rtt_sample = fd_log_wallclock() - ctx->last_ping_tx_nanos;
   fd_rtt_sample( ctx->rtt, (float)rtt_sample, 0 );
@@ -921,7 +926,7 @@ fd_bundle_client_status( fd_bundle_tile_t const * ctx ) {
     return CONNECTING; /* not fully connected */
   }
 
-  if( FD_UNLIKELY( fd_bundle_client_ping_is_timeout( ctx, fd_tickcount() ) ) ) {
+  if( FD_UNLIKELY( fd_bundle_client_ping_is_timeout( ctx, fd_bundle_tickcount() ) ) ) {
     return DISCONNECTED; /* possible timeout */
   }
 
diff --git a/src/disco/bundle/fd_bundle_tile.c b/src/disco/bundle/fd_bundle_tile.c
@@ -115,7 +115,7 @@ fd_bundle_tile_publish_block_engine_update(
 
   update->status = (uchar)ctx->bundle_status_recent;
 
-  ulong tspub = (ulong)fd_frag_meta_ts_comp( fd_tickcount() );
+  ulong tspub = (ulong)fd_frag_meta_ts_comp( fd_bundle_tickcount() );
   fd_stem_publish(
       stem,
       ctx->plugin_out.idx,
diff --git a/src/disco/bundle/fd_bundle_tile_private.h b/src/disco/bundle/fd_bundle_tile_private.h
@@ -144,6 +144,13 @@ typedef struct fd_bundle_tile fd_bundle_tile_t;
 
 FD_PROTOTYPES_BEGIN
 
+/* fd_bundle_tickcount is an externally linked function wrapping
+   fd_tickcount().  This is backed by a weak symbol, allowing tests to
+   override the clock source. */
+
+long
+fd_bundle_tickcount( void );
+
 /* fd_bundle_client_grpc_callbacks provides callbacks for grpc_client. */
 
 extern fd_grpc_client_callbacks_t fd_bundle_client_grpc_callbacks;
diff --git a/src/disco/bundle/fuzz_bundle_client.c b/src/disco/bundle/fuzz_bundle_client.c
@@ -0,0 +1,86 @@
+/* fuzz_bundle_client injects HTTP/2 frames into a bundle tile state. */
+
+#include "test_bundle_common.c"
+#include "fd_bundle_tile_private.h"
+#include <errno.h>
+#include <stdlib.h>
+
+/* Override the clock source weak symbol.
+   For now, this fuzzer does not support timeouts. */
+
+long
+fd_bundle_tickcount( void ) {
+  return 2UL;
+}
+
+static fd_wksp_t * g_wksp;
+
+int
+LLVMFuzzerInitialize( int *    pargc,
+                      char *** pargv ) {
+  putenv( "FD_LOG_BACKTRACE=0" );
+
+  fd_boot( pargc, pargv );
+
+  ulong cpu_idx = fd_tile_cpu_id( fd_tile_idx() );
+  if( cpu_idx>fd_shmem_cpu_cnt() ) cpu_idx = 0UL;
+  char const * _page_sz = fd_env_strip_cmdline_cstr ( pargc, pargv, "--page-sz",  NULL, "normal"                     );
+  ulong        page_cnt = fd_env_strip_cmdline_ulong( pargc, pargv, "--page-cnt", NULL, 256UL                        );
+  ulong        numa_idx = fd_env_strip_cmdline_ulong( pargc, pargv, "--numa-idx", NULL, fd_shmem_numa_idx( cpu_idx ) );
+  fd_wksp_t * wksp = fd_wksp_new_anonymous( fd_cstr_to_shmem_page_sz( _page_sz ), page_cnt, fd_shmem_cpu_idx( numa_idx ), "wksp", 16UL );
+  FD_TEST( wksp );
+  g_wksp = wksp;
+
+  atexit( fd_halt );
+
+  fd_log_level_core_set( 4 );
+  fd_log_level_stderr_set( 4 );
+  fd_log_level_logfile_set( 4 );
+
+  return 0;
+}
+
+int
+LLVMFuzzerTestOneInput( uchar const * data,
+                        ulong         size ) {
+  fd_wksp_t * const wksp = g_wksp;
+  if( size<8UL ) return -1;
+
+  test_bundle_env_t env[1];
+  test_bundle_env_create( env, wksp );
+  test_bundle_env_mock_conn_empty( env );
+
+  fd_bundle_tile_t * const ctx      = env->state;
+  fd_h2_rbuf_t *     const frame_rx = ctx->grpc_client->frame_rx;
+  fd_h2_rbuf_t *     const frame_tx = ctx->grpc_client->frame_tx;
+
+  ctx->grpc_client->conn->ping_tx = 2; /* allow PING ACKs */
+
+  ulong const seed = fd_ulong_hash( FD_LOAD( ulong, data+size-8 ) );
+  if( seed &  1 ) test_bundle_env_mock_h2_hs( env->state );
+  if( seed &  2 ) test_bundle_env_mock_builder_info( env->state );
+  if( seed &  4 ) test_bundle_env_mock_bundle_stream( env->state );
+  if( seed &  8 ) test_bundle_env_mock_packet_stream( env->state );
+  if( seed & 16 ) test_bundle_env_mock_builder_info_req( env->state );
+
+  while( size ) {
+    // ulong chunk_sz = 1UL;
+    ulong const chunk_sz = fd_ulong_min( size, fd_h2_rbuf_free_sz( frame_rx ) );
+    fd_h2_rbuf_push( frame_rx, data, chunk_sz );
+    data += chunk_sz;
+    size -= chunk_sz;
+    int charge_busy = 0;
+    fd_bundle_client_step( ctx, &charge_busy );
+    fd_h2_rbuf_skip( frame_tx, fd_h2_rbuf_used_sz( frame_tx ) );
+    if( ctx->defer_reset ) break;
+  }
+
+  test_bundle_env_destroy( env );
+
+  /* Check for memory leaks */
+  fd_wksp_usage_t wksp_usage;
+  FD_TEST( fd_wksp_usage( wksp, NULL, 0UL, &wksp_usage ) );
+  FD_TEST( wksp_usage.free_cnt==wksp_usage.total_cnt );
+
+  return 0;
+}
diff --git a/src/disco/bundle/test_bundle_client.c b/src/disco/bundle/test_bundle_client.c
diff --git a/src/disco/bundle/test_bundle_common.c b/src/disco/bundle/test_bundle_common.c
