Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exhaustive test improvements + exhaustive schnorrsig tests #808

Merged
merged 14 commits into from
Sep 26, 2020

Conversation

sipa
Copy link
Contributor

@sipa sipa commented Sep 6, 2020

A few miscellaneous improvements:

  • Just use EXHAUSTIVE_TEST_ORDER as order everywhere, rather than a variable
  • Move exhaustive tests for recovery module to the recovery module directory
  • Make secp256k1_scalar_set_b32 detect overflow correctly for scalar_low (a comment in the recovery exhaustive test indicated why this was the case, but this looks incorrect).
  • Change the small test groups so that they include a point with X coordinate 1.
  • Initialize the RNG seed, allowing configurating from the cmdline, and report it.
  • Permit changing the number of iterations (re-randomizing for each).
  • Support splitting the work across cores from the cmdline.

And a big one:

  • Add exhaustive tests for schnorrsig module (and limited ones for extrakeys).

Copy link
Contributor

@jonasnick jonasnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 634b3e9

I don't really see the point of removing the order variable - was less strenous to read.

Did you notice the low order scalar_set_b32 issue in the exhaustive schnorrsig tests?
I couldn't find a historic reason for the old comment about the infinite loop but the test clearly show that it's wrong.

@sipa
Copy link
Contributor Author

sipa commented Sep 6, 2020

I don't really see the point of removing the order variable - was less strenous to read.

I'm also ok with replacing it with order everywhere, but in the current code it's a mix, which makes no sense IMO. In theory using a compile-time constant should be faster (modulus operations are very slow for the CPU, but modulus with a known constant can be rewritten using multiply/shift/subtract by the compiler), so I chose that side. I can't measure a difference in performance though, so it probably doesn't matter much.

Did you notice the low order scalar_set_b32 issue in the exhaustive schnorrsig tests?

Sort of, I wanted to add a test that uses an out-of-range s value, but expected it would break things with the low-order scalar implementation that ignored overflows. In trying to fix that, I noticed it wasn't actually necessary in the first place.

@sipa
Copy link
Contributor Author

sipa commented Sep 6, 2020

Added a commit that changes the exhaustive test groups so they include a point with X coordinate 1 (suggested by @gmaxwell).

@sipa sipa force-pushed the 202009_exhaustive_scalar_overflow branch from ae40e87 to 27dd2f1 Compare September 7, 2020 00:28
@gmaxwell
Copy link
Contributor

gmaxwell commented Sep 7, 2020

nice, utack

Copy link
Contributor

@jonasnick jonasnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice idea to create groups with an X=1 point!

src/group_impl.h Outdated Show resolved Hide resolved
src/group_impl.h Outdated Show resolved Hide resolved
@sipa sipa force-pushed the 202009_exhaustive_scalar_overflow branch from 27dd2f1 to aa48ca9 Compare September 7, 2020 21:47
@sipa
Copy link
Contributor Author

sipa commented Sep 8, 2020

I've updated https://github.com/sipa/secp256k1/commits/202009_schnorrsig_exhaustive to build on this, including tests with signatures that have R.x=(fieldsize+1). It now catches removing the check on the return value of secp256k1_fe_set_b32(&rx, &sig64[0]).

Copy link
Contributor

@real-or-random real-or-random left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK aa48ca9 careful code inspection

My two comments are strictly speaking not this PR. If these are real issues, I guess you could address them here or in another PR, either is fine.

src/group_impl.h Show resolved Hide resolved
src/group_impl.h Show resolved Hide resolved
Copy link
Contributor

@jonasnick jonasnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK aa48ca9

sage/gen_exhaustive_groups.sage Outdated Show resolved Hide resolved
@sipa sipa force-pushed the 202009_exhaustive_scalar_overflow branch from aa48ca9 to c2835d9 Compare September 8, 2020 19:48
src/scalar_impl.h Outdated Show resolved Hide resolved
@sipa
Copy link
Contributor Author

sipa commented Sep 8, 2020

I made another change, making the exhaustive tests correctly initialize the RNG, and adding a way to split the workload (invoke with ./exhaustive_tests 1 "" 8 0 on CPU 0, ./exhaustive_tests 1 "" 8 1 on CPU 1, etc).

I'm done expanding the scope of this PR now. If this is too much I'm happy to split stuff off.

@sipa sipa force-pushed the 202009_exhaustive_scalar_overflow branch 3 times, most recently from d789ab2 to 8c5dfdf Compare September 9, 2020 06:58
@real-or-random
Copy link
Contributor

Valgrind fails on Travis:
https://travis-ci.org/github/bitcoin-core/secp256k1/jobs/725488761#L573

I made another change, making the exhaustive tests correctly initialize the RNG, and adding a way to split the workload (invoke with ./exhaustive_tests 1 "" 8 0 on CPU 0, ./exhaustive_tests 1 "" 8 1 on CPU 1, etc).

Really invoke the seed with "" ? Doesn't every instance get a different random seed then?

I'm done expanding the scope of this PR now. If this is too much I'm happy to split stuff off.

I think that's ok.

@gmaxwell
Copy link
Contributor

gmaxwell commented Sep 9, 2020

I don't think exhaustive_tests should be actually random. There is a need for 'random' values, but I don't see a lot of gain in having every run use different ones... and they make reproducing issues harder. Is there a reason to not just give it a constant seed?

@sipa
Copy link
Contributor Author

sipa commented Sep 9, 2020

Really invoke the seed with "" ? Doesn't every instance get a different random seed then?

Yes, for the random part. You can also specify a fixed seed by passing a non-empty hex string.

I don't think exhaustive_tests should be actually random. There is a need for 'random' values, but I don't see a lot of gain in having every run use different ones... and they make reproducing issues harder. Is there a reason to not just give it a constant seed?

Unsure.

At least the gej tests are explicitly rescaled with a random z in every run, and unfortunately, those cannot be selected from an tractably-sized set for exhaustive tests.

The main thing these tests hope to reveal shouldn't be dependent on the choice of the seed, though, so perhaps it's ok to just pick a fixed seed. If so, we can probably also do without the iteration count.

@real-or-random
Copy link
Contributor

Really invoke the seed with "" ? Doesn't every instance get a different random seed then?

Yes, for the random part. You can also specify a fixed seed by passing a non-empty hex string.

Ok, yes. I somehow wrongly assumed that the randomness affects the mapping of work to CPUs, but it does not of course.

I don't think exhaustive_tests should be actually random. There is a need for 'random' values, but I don't see a lot of gain in having every run use different ones... and they make reproducing issues harder. Is there a reason to not just give it a constant seed?

Unsure.

At least the gej tests are explicitly rescaled with a random z in every run, and unfortunately, those cannot be selected from an tractably-sized set for exhaustive tests.

The main thing these tests hope to reveal shouldn't be dependent on the choice of the seed, though, so perhaps it's ok to just pick a fixed seed. If so, we can probably also do without the iteration count.

"Unsure" was my first thought, too. Yes, the main thing here does not depend of on the choice of the seed but I still believe that randomness helps more than it hurts here. For example, it could detect a bug that occurs as a combination of special coordinate value 1 and some z value that we hit with probability 1/10000. This could be missed by the normal tests, even though they're randomized.

@gmaxwell
Copy link
Contributor

gmaxwell commented Sep 9, 2020

I suppose it doesn't hurt. If a user reports a bug that only happens with some particular seeds and they fail to provide their seed-- well that's a bug which wouldn't have otherwise been detected at all.

Just please no "expected failures", the situation in CI (common in bitcoin core but has happened here too) where people are responding to failures by retrying the CI rather than treating the failure as an emergency is a dangerous practice.

@sipa sipa force-pushed the 202009_exhaustive_scalar_overflow branch from 8c5dfdf to ee8b816 Compare September 9, 2020 23:28
@sipa
Copy link
Contributor Author

sipa commented Sep 10, 2020

Adding setbuf(stdout, NULL); seems to have fixed it...

Copy link
Contributor

@real-or-random real-or-random left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK dd29d2e code review and tests pass

@sipa sipa force-pushed the 202009_exhaustive_scalar_overflow branch from dd29d2e to 9737f95 Compare September 12, 2020 02:57
@sipa sipa changed the title Exhaustive test improvements Exhaustive test improvements + exhaustive schnorrsig tests Sep 12, 2020
@sipa
Copy link
Contributor Author

sipa commented Sep 12, 2020

Rebased on the now-merged #558, and added exhaustive tests for schnorrsig module too.

real-or-random added a commit that referenced this pull request Sep 27, 2020
a45c1fa Rename testrand functions to have test in name (Pieter Wuille)

Pull request description:

  Suggested here: #808 (comment)

ACKs for top commit:
  real-or-random:
    ACK a45c1fa diff looks good
  elichai:
    utACK a45c1fa

Tree-SHA512: a15c29b88877e0f1a099acab90cbfa1e70420527e07348a69c8a5b539319a3131b771b86852e772a669a1eb3475d508d0f7e10f37eec363dc6640d4eaf967536
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@be31791

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7654
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a parital backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@c498366

Depends on D7654

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7655
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@8bcd78c

Depends on D7655

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7656
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@d7f39ae

Depends on D7656

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7657
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@78f6cdf

Depends on D7657

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7658
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@cec7b18

Depends on D7658

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7659
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This enables testing overflow is correctly encoded in the recid, and
likely triggers more edge cases.

Also introduce a Sage script to generate the parameters.

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@b110c10

Depends on D7659

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7660
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@49e6630

Depends on D7660

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7662
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@e99b26f

Depends on D7662

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7663
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@39f67dd

Depends on D7663

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7664
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@63e1b2a

Depends on D7664

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7665
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@87af00b

Depends on D7665

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7666
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@08d7d89

Depends on D7666

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7667
jasonbcox pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Sep 29, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@8b7dcdd

Depends on D7667

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7668
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary: This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@be31791

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7654
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a parital backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@c498366

Depends on D7654

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7655
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@8bcd78c

Depends on D7655

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7656
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@d7f39ae

Depends on D7656

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7657
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@78f6cdf

Depends on D7657

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7658
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@cec7b18

Depends on D7658

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7659
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This enables testing overflow is correctly encoded in the recid, and
likely triggers more edge cases.

Also introduce a Sage script to generate the parameters.

This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@b110c10

Depends on D7659

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7660
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@49e6630

Depends on D7660

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7662
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@e99b26f

Depends on D7662

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7663
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@39f67dd

Depends on D7663

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7664
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@63e1b2a

Depends on D7664

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7665
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@87af00b

Depends on D7665

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7666
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@08d7d89

Depends on D7666

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7667
deadalnix pushed a commit to Bitcoin-ABC/secp256k1 that referenced this pull request Sep 30, 2020
Summary:
This is a partial backport of secp256k1 [[bitcoin-core/secp256k1#808 | PR808]] : bitcoin-core/secp256k1@8b7dcdd

Depends on D7667

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D7668
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants