[FUZZ] Beaconfuzz_v2 crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef in struct_proposer_slashing

[Daft-Wullie]

I've done and provided the following:

• [x] Checked to see if any other [FUZZ] issue already refers to that crasher
• [x] Attached the crashing input (either attached to the issue as a .zip or .gz, or as a link to a file sharing service)
• [x] Noted the beacon-fuzz version or commit used.
• [x] Provided crash output
• [x] Noted the command or fuzzer used to generate the crash
• [x] Name of the original crash file
• [x] (Optional but optimal) Checked if the crash can be consistently replicated by re-running the input.

Info to Reproduce

• Command run: e.g. make fuzz proposer_slashing-struct
• Crasher file name: crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef.zip

*beaconstate file 24b880d379d5e964e5ecc215a13438c1.ssz

• Client exercised: Prysm
• Fuzzing engine used (if applicable): libfuzzer

Crash output and stacktrace

DBG 2020-10-02 18:06:06.187+02:00 slash_validator: ejecting validator via slashing (validator_leaving) tid=414286 file=beaconstate.nim:175 index=0 num_validators=256 current_epoch=6 validator_slashed=false validator_withdrawable_epoch=267 validator_exit_epoch=11 validator_effective_balance=32000000000
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/proposer_slashing.rs:62:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
whereami error: could not get the program's path on this platform.
SIGABRT: Abnormal termination.
==414286== ERROR: libFuzzer: fuzz target exited
    #0 0x555acc624901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb8d901)
    #1 0x555acea85c80  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2feec80)
    #2 0x555acea9a9eb  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30039eb)
    #3 0x7f8ae134ea26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f8ae134ebdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x555acc85102c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xdba02c)
    #6 0x7f8ae134b20f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f8ae134b18a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f8ae132a858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x555aceb4c866  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b5866)
    #10 0x555aceb35b55  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x309eb55)
    #11 0x555acea791c6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe21c6)
    #12 0x555aceb3cd97  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30a5d97)
    #13 0x555acc904394  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe6d394)
    #14 0x555acc903f39  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe6cf39)
    #15 0x555acc904234  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe6d234)
    #16 0x555acc90d579  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe76579)
    #17 0x555acc90e7fc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe777fc)
    #18 0x555acc73db8f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xca6b8f)
    #19 0x555acc6c5e08  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xc2ee08)
    #20 0x555acea791f0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe21f0)
    #21 0x555acea78e4f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe1e4f)
    #22 0x555acea9ae4c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3003e4c)
    #23 0x555aceaa3000  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x300c000)
    #24 0x555aceaa39bc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x300c9bc)
    #25 0x555aceaa5dbf  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x300edbf)
    #26 0x555acea77399  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x2fe0399)
    #27 0x555acc5a14b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb0a4b6)
    #28 0x7f8ae132c0b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #29 0x555acc5a165d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb0a65d)

SUMMARY: libFuzzer: fuzz target exited
MS: 4 ShuffleBytes-PersAutoDict-CopyPart-CMP- DE: "\x00\x00\x00\x00"-"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"-; base unit: 4ea487b313195cbeef767b23c3bac5ebe73dc98f
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa5,0x0,0x0,0x0,0x0,0x0,
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa5\x00\x00\x00\x00\x00
artifact_prefix='/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_proposer_slashing/'; Test unit written to /home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_proposer_slashing/crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef
Base64: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKUAAAAAAA==

────────────────────────────────────────────────────────────────────────────────

Failing input:

        fuzz/artifacts/struct_proposer_slashing/crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef

Output of `std::fmt::Debug`:

        ProposerSlashing {
            signed_header_1: SignedBeaconBlockHeader {
                message: BeaconBlockHeader {
                    slot: Slot(0),
                    proposer_index: 0,
                    parent_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    state_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    body_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                signature: 0xa50000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
            },
            signed_header_2: SignedBeaconBlockHeader {
                message: BeaconBlockHeader {
                    slot: Slot(0),
                    proposer_index: 0,
                    parent_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    state_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                    body_root: 0x0000000000000000000000000000000000000000000000000000000000000000,
                },
                signature: 0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,
            },
        }

Reproduce with:

        cargo fuzz run struct_proposer_slashing fuzz/artifacts/struct_proposer_slashing/crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef

Minimize test case with:

        cargo fuzz tmin struct_proposer_slashing fuzz/artifacts/struct_proposer_slashing/crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef

re run crasher file with ETH2FUZZ_BEACONSTATE=../eth2fuzz/workspace/corpora/beaconstate cargo +nightly fuzz run struct_proposer_slashing fuzz/artifacts/struct_proposer_slashing/crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef and got

    Finished release [optimized] target(s) in 0.50s
     Running `fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing -artifact_prefix=/home/beacon-fuzz/beaconfuzz_v2/fuzz/artifacts/struct_proposer_slashing/ fuzz/artifacts/struct_proposer_slashing/crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef`
INFO: Seed: 4160818190
INFO: Loaded 1 modules   (201907 inline 8-bit counters): 201907 [0x562d91936461, 0x562d91967914),
INFO: Loaded 1 PC tables (201907 PCs): 201907 [0x562d91967918,0x562d91c7c448),
fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/struct_proposer_slashing/crash-2f077c49ced2fa7947b81c8f16d62dce85c157ef
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Could not get rough time result: no reply     prefix=roughtime
ERRO[0018] Failed to calculate roughtime offset          error="no valid responses" prefix=roughtime
thread '<unnamed>' panicked at '[PRYSM] Mismatch post', /home/beacon-fuzz/beaconfuzz_v2/libs/prysm/src/proposer_slashing.rs:62:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Traceback (most recent call last, using override)
/home/nim-beacon-chain/vendor/nimbus-build-system/vendor/Nim/lib/system/excpt.nim(614) signalHandler
SIGABRT: Abnormal termination.
==425557== ERROR: libFuzzer: fuzz target exited
    #0 0x562d8e2c0901  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xc0c901)
    #1 0x562d907739b0  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30bf9b0)
    #2 0x562d9078871b  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30d471b)
    #3 0x7f2871b27a26  (/lib/x86_64-linux-gnu/libc.so.6+0x49a26)
    #4 0x7f2871b27bdf  (/lib/x86_64-linux-gnu/libc.so.6+0x49bdf)
    #5 0x562d8e4f710c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xe4310c)
    #6 0x7f2871b2420f  (/lib/x86_64-linux-gnu/libc.so.6+0x4620f)
    #7 0x7f2871b2418a  (/lib/x86_64-linux-gnu/libc.so.6+0x4618a)
    #8 0x7f2871b03858  (/lib/x86_64-linux-gnu/libc.so.6+0x25858)
    #9 0x562d9083a846  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3186846)
    #10 0x562d90823b35  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x316fb35)
    #11 0x562d90766ef6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b2ef6)
    #12 0x562d9082ad77  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x3176d77)
    #13 0x562d8e5aa454  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xef6454)
    #14 0x562d8e5a9ff9  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xef5ff9)
    #15 0x562d8e5aa2f4  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xef62f4)
    #16 0x562d8e5b3639  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xeff639)
    #17 0x562d8e5b48bc  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xf008bc)
    #18 0x562d8e3df68f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xd2b68f)
    #19 0x562d8e365e49  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xcb1e49)
    #20 0x562d90766f20  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b2f20)
    #21 0x562d90766b7f  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30b2b7f)
    #22 0x562d90788b7c  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30d4b7c)
    #23 0x562d90759c89  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30a5c89)
    #24 0x562d90763a82  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0x30afa82)
    #25 0x562d8e23d4b6  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb894b6)
    #26 0x7f2871b050b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #27 0x562d8e23d65d  (/home/beacon-fuzz/beaconfuzz_v2/fuzz/target/x86_64-unknown-linux-gnu/release/struct_proposer_slashing+0xb8965d)

SUMMARY: libFuzzer: fuzz target exited
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit code: 77

Your Environment

• Fuzzer ran: beaconfuzz_v2
• Version/Commit used: 8e37c77
• Operating System and version: Ubuntu 20.04

[Daft-Wullie]

Almost certainly a duplicate of #82 , reporting anyway out of an abundance of caution.

[pventuzelo]

For analysis, here is a package with:

• beacon.ssz
• output_beaconfuzz_debug.txt
• proposerslashing.ssz
• prysm_post.ssz

issue_83_proposer_slashing.zip

FYI,

• lighthouse reject this proposerslashing processing with the error: ProposalsIdentical
• prysm process the proposerslashing processing
• nimbus reject the proposerslashing processing

Same error returned by lighthouse than issue #82

You can reproduce with:

../beaconfuzz_v2 debug beacon.ssz proposerslashing.ssz proposerslashing

[zedt3ster]

Confirming duplicate of #82 (and #74)