feat(fuzzing): add new fuzz crate and initial test

oleonardolima · oleonardolima · commit 2b885dcb81e2 · 2025-06-25T16:15:15.000-03:00
- creates a new `fuzz` crate, it's meant to run fuzz testing over
  bdk_wallet targets, with `cargo fuzz` (libFuzzer).
- creates an initial `wallet_update` fuzz target for `bdk_wallet`.
- creates an initial `fuzzed_data_provider` and `fuzz_utils` files with
  useful methods to consume the fuzzed data into `bdk_wallet` API-specific types.
diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,9 @@ Cargo.lock
 # Example persisted files.
 *.db
 *.sqlite*
+
+# fuzz testing related
+fuzz/target
+fuzz/corpus
+fuzz/artifacts
+fuzz/coverage
diff --git a/Cargo.toml b/Cargo.toml
@@ -2,6 +2,7 @@
 resolver = "2"
 members = [
     "wallet",
+    "fuzz",
     "examples/example_wallet_electrum",
     "examples/example_wallet_esplora_blocking",
     "examples/example_wallet_esplora_async",
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -0,0 +1,26 @@
+[package]
+name = "bdk_wallet_fuzz"
+homepage = "https://bitcoindevkit.org"
+version = "0.0.1-alpha.0"
+repository = "https://github.com/bitcoindevkit/bdk_wallet"
+description = "A fuzz testing library for the Bitcoin Development Kit Wallet"
+keywords = ["fuzz", "testing", "fuzzing", "bitcoin", "wallet"]
+publish = false
+readme = "README.md"
+license = "MIT OR Apache-2.0"
+authors = ["Bitcoin Dev Kit Developers"]
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+bdk_wallet = { path = "../wallet" }
+
+[[bin]]
+name = "wallet"
+path = "fuzz_targets/wallet_update.rs"
+test = false
+doc = false
+bench = false
diff --git a/fuzz/README.md b/fuzz/README.md
@@ -0,0 +1,9 @@
+# Fuzzing
+
+## How does it work ?
+
+## How do I run the fuzz tests locally ?
+
+## How do I add a new fuzz test target ?
+
+## How do I reproduce a crashing fuzz test ?
diff --git a/fuzz/fuzz_targets/wallet_update.rs b/fuzz/fuzz_targets/wallet_update.rs
@@ -0,0 +1,74 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use std::collections::{BTreeMap, VecDeque};
+
+use bdk_wallet::{
+    bitcoin::{Network, Txid},
+    chain::TxUpdate,
+    descriptor::DescriptorError,
+    KeychainKind, Update, Wallet,
+};
+use bdk_wallet_fuzz::fuzz_utils::*;
+
+// descriptors
+const INTERNAL_DESCRIPTOR: &str = "wpkh(tprv8ZgxMBicQKsPdy6LMhUtFHAgpocR8GC6QmwMSFpZs7h6Eziw3SpThFfczTDh5rW2krkqffa11UpX3XkeTTB2FvzZKWXqPY54Y6Rq4AQ5R8L/84'/1'/0'/0/*)";
+const EXTERNAL_DESCRIPTOR: &str = "wpkh(tprv8ZgxMBicQKsPdy6LMhUtFHAgpocR8GC6QmwMSFpZs7h6Eziw3SpThFfczTDh5rW2krkqffa11UpX3XkeTTB2FvzZKWXqPY54Y6Rq4AQ5R8L/84'/1'/0'/1/*)";
+
+// network
+const NETWORK: Network = Network::Testnet;
+
+fuzz_target!(|data: &[u8]| {
+    // creates initial wallet.
+    let wallet: Result<Wallet, DescriptorError> =
+        Wallet::create(INTERNAL_DESCRIPTOR, EXTERNAL_DESCRIPTOR)
+            .network(NETWORK)
+            .create_wallet_no_persist();
+
+    // asserts that the wallet creation did not fail.
+    let mut wallet = match wallet {
+        Ok(wallet) => wallet,
+        Err(_) => return,
+    };
+
+    // fuzzed code goes here.
+    let mut new_data = data;
+
+    // generated fuzzed keychain indices.
+    let internal_indices = consume_keychain_indices(&mut new_data, KeychainKind::Internal);
+    let external_indices = consume_keychain_indices(&mut new_data, KeychainKind::External);
+
+    let mut last_active_indices: BTreeMap<KeychainKind, u32> = BTreeMap::new();
+    last_active_indices.extend(internal_indices);
+    last_active_indices.extend(external_indices);
+
+    // generate fuzzed tx update.
+    let txs = consume_txs(data, &mut wallet);
+
+    let unconfirmed_txids: VecDeque<Txid> = txs.iter().map(|tx| tx.compute_txid()).collect();
+
+    let txouts = consume_txouts(data);
+    let anchors = consume_anchors(data, unconfirmed_txids.clone());
+    let seen_ats = consume_seen_ats(data, unconfirmed_txids.clone());
+    let evicted_ats = consume_evicted_ats(data, unconfirmed_txids.clone());
+
+    // build the tx update with fuzzed data
+    let mut tx_update = TxUpdate::default();
+    tx_update.txs = txs;
+    tx_update.txouts = txouts;
+    tx_update.anchors = anchors;
+    tx_update.seen_ats = seen_ats;
+    tx_update.evicted_ats = evicted_ats;
+
+    // generate fuzzed chain.
+    let chain = consume_checkpoint(data, &mut wallet);
+
+    // apply fuzzed update.
+    let update = Update {
+        last_active_indices,
+        tx_update,
+        chain: Some(chain),
+    };
+
+    wallet.apply_update(update).unwrap();
+});
diff --git a/fuzz/src/fuzz_utils.rs b/fuzz/src/fuzz_utils.rs
@@ -0,0 +1,244 @@
+use std::{
+    cmp,
+    collections::{BTreeMap, BTreeSet, HashSet, VecDeque},
+    sync::Arc,
+};
+
+use bdk_wallet::{
+    bitcoin::{
+        self, absolute::LockTime, hashes::Hash, transaction::Version, Amount, BlockHash, OutPoint,
+        Transaction, TxIn, TxOut, Txid,
+    },
+    chain::{BlockId, CheckPoint, ConfirmationBlockTime},
+    KeychainKind, Wallet,
+};
+
+use crate::fuzzed_data_provider::{
+    consume_bool, consume_bytes, consume_u32, consume_u64, consume_u8,
+};
+
+pub fn consume_block_hash(data: &mut &[u8]) -> BlockHash {
+    let bytes: [u8; 32] = match consume_bytes(data, 32).try_into() {
+        Ok(bytes) => bytes,
+        Err(_) => [0; 32],
+    };
+
+    BlockHash::from_byte_array(bytes)
+}
+
+pub fn consume_txid(data: &mut &[u8]) -> Txid {
+    let bytes: [u8; 32] = match consume_bytes(data, 32).try_into() {
+        Ok(bytes) => bytes,
+        Err(_) => [0; 32],
+    };
+
+    Txid::from_byte_array(bytes)
+}
+
+pub fn consume_keychain_indices(
+    data: &mut &[u8],
+    keychain: KeychainKind,
+) -> BTreeMap<KeychainKind, u32> {
+    let mut indices = BTreeMap::new();
+    if consume_bool(data) {
+        let count = consume_u8(data) as u32;
+        let start = consume_u8(data) as u32;
+        indices.extend((start..count).map(|idx| (keychain, idx)))
+    }
+    indices
+}
+
+// TODO: (@leonardo) improve this implementation to not rely on UniqueHash
+pub fn consume_spk(data: &mut &[u8], wallet: &mut Wallet) -> bitcoin::ScriptBuf {
+    if data.is_empty() {
+        let bytes = consume_bytes(data, 32);
+        return bitcoin::ScriptBuf::from_bytes(bytes);
+    }
+
+    let flags = data[0];
+    *data = &data[1..];
+
+    match flags.trailing_zeros() {
+        0 => wallet
+            .next_unused_address(KeychainKind::External)
+            .script_pubkey(),
+        1 => wallet
+            .next_unused_address(KeychainKind::Internal)
+            .script_pubkey(),
+        _ => {
+            let bytes = consume_bytes(data, 32);
+            bitcoin::ScriptBuf::from_bytes(bytes)
+        }
+    }
+}
+
+// TODO: (@leonardo) improve this implementation to not rely on UniqueHash
+pub fn consume_txs(mut data: &[u8], wallet: &mut Wallet) -> Vec<Arc<Transaction>> {
+    // TODO: (@leonardo) should this be a usize ?
+
+    let count = consume_u8(&mut data);
+    let mut txs = Vec::with_capacity(count as usize);
+    for _ in 0..count {
+        let version = consume_u32(&mut data);
+        // TODO: (@leonardo) should we use the Version::consensus_decode instead ?
+        let version = Version(version as i32);
+
+        let locktime = consume_u32(&mut data);
+        let locktime = LockTime::from_consensus(locktime);
+
+        let txin_count = consume_u8(&mut data);
+        let mut tx_inputs = Vec::with_capacity(txin_count as usize);
+
+        for _ in 0..txin_count {
+            let prev_txid = consume_txid(&mut data);
+            let prev_vout = consume_u32(&mut data);
+            let prev_output = OutPoint::new(prev_txid, prev_vout);
+            let tx_input = TxIn {
+                previous_output: prev_output,
+                ..Default::default()
+            };
+            tx_inputs.push(tx_input);
+        }
+
+        let txout_count = consume_u8(&mut data);
+        let mut tx_outputs = Vec::with_capacity(txout_count as usize);
+
+        for _ in 0..txout_count {
+            let spk = consume_spk(&mut data, wallet);
+            let sats = (consume_u8(&mut data) as u64) * 1_000;
+            let amount = Amount::from_sat(sats);
+            let tx_output = TxOut {
+                value: amount,
+                script_pubkey: spk,
+            };
+            tx_outputs.push(tx_output);
+        }
+
+        let tx = Transaction {
+            version,
+            lock_time: locktime,
+            input: tx_inputs,
+            output: tx_outputs,
+        };
+
+        txs.push(tx.into());
+    }
+    txs
+}
+
+pub fn consume_txouts(mut data: &[u8]) -> BTreeMap<OutPoint, TxOut> {
+    // TODO: (@leonardo) should this be a usize ?
+    let count = consume_u8(&mut data);
+    let mut txouts = BTreeMap::new();
+    for _ in 0..count {
+        let prev_txid = consume_txid(&mut data);
+        let prev_vout = consume_u32(&mut data);
+        let prev_output = OutPoint::new(prev_txid, prev_vout);
+
+        let sats = (consume_u8(&mut data) as u64) * 1_000;
+        let amount = Amount::from_sat(sats);
+
+        // TODO: (@leonardo) should we use different spks ?
+        let txout = TxOut {
+            value: amount,
+            script_pubkey: Default::default(),
+        };
+
+        txouts.insert(prev_output, txout);
+    }
+    txouts
+}
+
+pub fn consume_anchors(
+    mut data: &[u8],
+    mut unconfirmed_txids: VecDeque<Txid>,
+) -> BTreeSet<(ConfirmationBlockTime, Txid)> {
+    let mut anchors = BTreeSet::new();
+
+    let count = consume_u8(&mut data);
+    // FIXME: (@leonardo) should we use while limited by a flag instead ? (as per antoine's impls)
+    for _ in 0..count {
+        let block_height = consume_u32(&mut data);
+        let block_hash = consume_block_hash(&mut data);
+
+        let block_id = BlockId {
+            height: block_height,
+            hash: block_hash,
+        };
+
+        let confirmation_time = consume_u64(&mut data);
+
+        let anchor = ConfirmationBlockTime {
+            block_id,
+            confirmation_time,
+        };
+
+        if let Some(txid) = unconfirmed_txids.pop_front() {
+            anchors.insert((anchor, txid));
+        } else {
+            break;
+        }
+    }
+    anchors
+}
+
+pub fn consume_seen_ats(
+    mut data: &[u8],
+    mut unconfirmed_txids: VecDeque<Txid>,
+) -> HashSet<(Txid, u64)> {
+    let mut seen_ats = HashSet::new();
+
+    let count = consume_u8(&mut data);
+    // FIXME: (@leonardo) should we use while limited by a flag instead ? (as per antoine's impls)
+    for _ in 0..count {
+        let time = cmp::min(consume_u64(&mut data), i64::MAX as u64 - 1);
+
+        if let Some(txid) = unconfirmed_txids.pop_front() {
+            seen_ats.insert((txid, time));
+        } else {
+            let txid = consume_txid(&mut data);
+            seen_ats.insert((txid, time));
+        }
+    }
+    seen_ats
+}
+
+pub fn consume_evicted_ats(
+    mut data: &[u8],
+    mut unconfirmed_txids: VecDeque<Txid>,
+) -> HashSet<(Txid, u64)> {
+    let mut evicted_at = HashSet::new();
+
+    let count = consume_u8(&mut data);
+    // FIXME: (@leonardo) should we use while limited by a flag instead ? (as per antoine's impls)
+    for _ in 0..count {
+        let time = cmp::min(consume_u64(&mut data), i64::MAX as u64 - 1);
+        if let Some(txid) = unconfirmed_txids.pop_front() {
+            evicted_at.insert((txid, time));
+        } else {
+            let txid = consume_txid(&mut data);
+            evicted_at.insert((txid, time));
+        }
+    }
+
+    evicted_at
+}
+
+pub fn consume_checkpoint(mut data: &[u8], wallet: &mut Wallet) -> CheckPoint {
+    let mut tip = wallet.latest_checkpoint();
+
+    let _tip_hash = tip.hash();
+    let tip_height = tip.height();
+
+    let count = consume_u8(&mut data);
+    // FIXME: (@leonardo) should we use while limited by a flag instead ? (as per antoine's impls)
+    for i in 1..count {
+        let height = tip_height + i as u32;
+        let hash = consume_block_hash(&mut data);
+
+        let block_id = BlockId { height, hash };
+
+        tip = tip.push(block_id).unwrap();
+    }
+    tip
+}
diff --git a/fuzz/src/fuzzed_data_provider.rs b/fuzz/src/fuzzed_data_provider.rs
diff --git a/fuzz/src/lib.rs b/fuzz/src/lib.rs
