Last updated
Was this helpful?
Submitted on Mon Jun 17 2024 08:24:54 GMT-0400 (Atlantic Standard Time) by @anatomist for
Report ID: #32270
Report type: Smart Contract
Report severity: Low
Target: https://github.com/FuelLabs/sway/tree/7b56ec734d4a4fda550313d448f7f20dba818b59
Impacts:
Incorrect sway optimization leading to unexpected bytecode
The sway compiler may remove expressions that potentially has side affects during dce pass, and eventually change behavior of program.
The has_side_effect is used to check whether an operation may have untrackable effects. Any operation with untrackable effect should never be removed by dce . However, the function doesn't has_side_effect function doesn't correctly consider that all arithmetic opcodes may panic on illegal operands or overflows.
Thus if dce considers the output of an arithmetic instruction to be "dead", it would remove the instruction regardless of whether a panic may happen due to calculation.
To show what this means, we look at the test case below. Since the result of let c = 1 / 0 is never used, dce removed the div $r70 $one $zero instruction, changing the behavior of the program.
Source Script
Abstract instructions before dce
Abstract instructions after dce
This would potentially change the behavior of programs. The example provided is relatively harmless, but there could be cases where developers rely on a let c = a + b panic to check whether a + b overflows, but otherwise leaves c unused. The incorrect elimination of such instructions would result in removal of such checks.
https://github.com/FuelLabs/sway/blob/7b56ec734d4a4fda550313d448f7f20dba818b59/sway-core/src/asm_lang/virtual_ops.rs#L328
https://github.com/FuelLabs/sway/blob/7b56ec734d4a4fda550313d448f7f20dba818b59/sway-core/src/asm_generation/fuel/optimizations.rs#L239
