Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update pragma to 0.8.20 #4489

Merged
merged 7 commits into from
Jul 31, 2023
Merged

Update pragma to 0.8.20 #4489

merged 7 commits into from
Jul 31, 2023

Conversation

Amxx
Copy link
Collaborator

@Amxx Amxx commented Jul 31, 2023

We need 0.8.20 for better ERC-7201 compatibility.

Fixes #4460 (comment)
Fixes LIB-991

@changeset-bot
Copy link

changeset-bot bot commented Jul 31, 2023

⚠️ No Changeset found

Latest commit: 81aaffa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 1 package
Name Type
openzeppelin-solidity Major

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@Amxx Amxx requested review from ernestognw and frangio July 31, 2023 12:14
ernestognw
ernestognw previously approved these changes Jul 31, 2023
Copy link
Member

@ernestognw ernestognw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚢

@@ -57,7 +57,7 @@ library Arrays {
function unsafeAccess(address[] storage arr, uint256 pos) internal pure returns (StorageSlot.AddressSlot storage) {
bytes32 slot;
// We use assembly to calculate the storage slot of the element at index `pos` of the dynamic array `arr`
// following https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html#mappings-and-dynamic-arrays.
// following https://docs.soliditylang.org/en/latest/internals/layout_in_storage.html#mappings-and-dynamic-arrays.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we don't use latest here in case the docs ever change in a way that would make the link invalid. For example the tag could change. I'd be ok with changing that to v0.8.20.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I prefer using a fixed version.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a few others using latest. I think we had this conversation in another PR and we decided to do latest iirc. No problem for now, just flagging in case it's worth discussing a better strategy.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would vote for using a fixed version in all links to Solidity docs.

Copy link
Member

@ernestognw ernestognw Jul 31, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd vote for consistency, and I'd push for using 0.8.x or something that doesn't fixes the docs to an specific patch.

EDIT: Just tried with 0.8.x and 0.8 without success. So I guess we're fine with a fixed version then

@frangio frangio merged commit 00cbf5a into OpenZeppelin:master Jul 31, 2023
@Amxx Amxx deleted the pragma-0-8-20 branch August 1, 2023 12:31
@pcaversaccio
Copy link
Contributor

pcaversaccio commented Aug 2, 2023

Hey guys, could you quickly clarify the need for 0.8.20? My recommendation I always give is to only use Solidity versions >=0.8.20 for EVM networks that support the opcode PUSH0 since solc defaults to shanghai for these versions. And the OZ library can't enforce the paris EVM version anyways, so I'm afraid that people will use it and deploy code on non-PUSH0 supporting EVM chains that either will fail at deployment time already or later at runtime.

@Amxx
Copy link
Collaborator Author

Amxx commented Aug 2, 2023

We want to benefit from some of the 0.8.20 (and beyond) features. In particular, better support for natspec comments.

Release of our code, in particular compiled bytecode for the upgrade plugin is an issue with PUSH0. IMO we should stick with paris for the artefacts we provide (at least for a while).

If the issue is about devs depending on our lib, using a recent version of the compiler, comilling with default settings, and deploying to chains that don't support PUSH0 ... I'd say its on them for not testing in a proper test network (all chains and L2 have a test duplicate that you should use before you go live). This is going to happen anyway, regardless of the pragma we use.

@pcaversaccio
Copy link
Contributor

This is going to happen anyway, regardless of the pragma we use.

Not if you use version 0.8.19. But in any case, please add warnings in the docs as well as in the OpenZeppelin wizard about the PUSH0.

@Amxx
Copy link
Collaborator Author

Amxx commented Aug 2, 2023

Right, are you proposing that we prevent ourself and our knowledgable users from using new, more efficient, version of the compiler, in order to protect the less knowledgable users?

@pcaversaccio
Copy link
Contributor

Right, are you proposing that we prevent ourself and our knowledgable users from using new, more efficient, version of the compiler, in order to protect the less knowledgable users?

No, I only propose to make the default compilation of the OpenZeppelin library "noob-safe" until shanghai is mainstream. Optimsim e.g. doesn't even support PUSH0 yet. Do you really believe that the majority of devs using OZ contracts are the knowledgeable ones? I understand that this is not a released version yet, I'm just raising potential issues if that version is released soon.

@JorgeAtPaladin
Copy link

Documenting this sounds like a good middle ground

@Amxx
Copy link
Collaborator Author

Amxx commented Aug 2, 2023

Do you really believe that the majority of devs using OZ contracts are the knowledgeable ones?

That is something that causes many internal dissagrements 😛

I'm personally expecting people that target polygon, to test their entier app (contracts + indexer + front +...) on mumbai first. Is that too much to expect?

I'm just raising potential issues if that version is released soon.

And we thank you for doing so, that is really really valuable to us !

@pcaversaccio
Copy link
Contributor

I'm personally expecting people that target polygon, to test their entier app (contracts + indexer + front +...) on mumbai first. Is that too much to expect?

Well, yeah that's how it should work, but expectations usually don't meet reality. I just want to remind you that there was just recently an issue on zkSync where a project deployed a contract that uses transfer instead of call to transfer native tokens out, but since zkSync uses AA with additional logic for which you need gas, every withdraw call reverted with OOG. They unit tested their code, they even fork-tested on mainnet, but didn't fork test on zkSync.

Anyways, I personally think we should highlight this potentially breaking issue everywhere where devs interact in some sense with the OZ library, e.g. GitHub, Docs, NPM side, and the OZ Wizard.

@frangio
Copy link
Contributor

frangio commented Aug 2, 2023

Do we need to document this issue if the pragma remains ^0.8.19?

I'm interested in helping prevent these issues but I'm not even confident that people will see these warnings. And the issue is much larger than OpenZeppelin unfortunately.

@Amxx
Copy link
Collaborator Author

Amxx commented Aug 2, 2023

but didn't fork test on zkSync

When you fork test, do you get the behavior of the forked chain, or just the state? Like if polygon doesn't have PUSH0, and I fork polygon using foundry or hardhat, does my local fork detect that the forked chain doesn't have PUSH0, or does it run a Shanghai node with the state of the remote chain?

@pcaversaccio
Copy link
Contributor

pcaversaccio commented Aug 2, 2023

Do we need to document this issue if the pragma remains ^0.8.19?

In any case, I would document it properly. Ultimately, it's all about education.

I'm interested in helping prevent these issues but I'm not even confident that people will see these warnings. And the issue is much larger than OpenZeppelin unfortunately.

Agreed, and I don't know how to solve it really.

When you fork test, do you get the behavior of the forked chain, or just the state? Like if polygon doesn't have PUSH0, and I fork polygon using foundry or hardhat, does my local fork detect that the forked chain doesn't have PUSH0, or does it run a Shanghai node with the state of the remote chain?

My understanding (and I can be wrong) is that fork tests are local simulations with accounts & states and storage slot information fetched from the RPC. I.e. you don't get the full chain behaviour and thus can't detect that specific issue.

I think the desired behaviour would look like the following:

  • Default compilation of any OZ contract defaults to the evm version paris
  • If dev wants to change it, he needs to adjust the config

E.g. Foundry does default to paris and not shanghai.

The question is whether OZ fully delegates that responsibility to the tooling side at the end of the day.

@Amxx
Copy link
Collaborator Author

Amxx commented Aug 2, 2023

The question is whether OZ fully delegates that responsibility to the tooling side at the end of the day.

We, and other libraries like PRB math, already do that. We don't control the users development environment. We don't control the users compiler settings. If we were providing a hardat.config.js for reuse we would indeed have a responsability, but that is not the case.

We do provide compiled artefacts in the npm package, which are used by our upgrades plugin. That part we control, and IMO it should be targetting paris (see #4503).

@pcaversaccio
Copy link
Contributor

We do provide compiled artefacts in the npm package, which are used by our upgrades plugin. That part we control, and IMO it should be targetting paris (see #4503).

That's great. But you don't think any further documentation is necessary at all?

@frangio
Copy link
Contributor

frangio commented Aug 2, 2023

I've opened an issue to set the Hardhat default to paris:

With this change I would feel comfortable keeping the pragma at 0.8.20 and I think there would be less of a need for documentation. It's always nice to help towards education, but having to put warnings in every possible location is an indication that something else is wrong.

@pcaversaccio
Copy link
Contributor

I feel we got a good compromise.

@Amxx
Copy link
Collaborator Author

Amxx commented Aug 3, 2023

But you don't think any further documentation is necessary at all?

We could for sure use more documentation. I'm not sure where we would put that though.

#4503 is a clear actionable. For the documentation part, its not that clear to me what the actionnable is.

@pcaversaccio
Copy link
Contributor

In the UI of the OpenZeppelin Wizard and maybe in the Security Center somewhere?

nlordell added a commit to safe-global/safe-modules that referenced this pull request Jul 5, 2024
Fixes
hats-finance#17

This PR changes the pragmas in the passkeys contract to be:
1. More consistent: we use `^0.8.20` everywhere for "non-top-level"
contracts. The version was chosen as this it the first version that
supports all of the compiler features that we make use of. Notably, we
have `@custom:` NatSpec items which are only officially supported as of
v0.8.20 (incidentally, this is the same version used by OpenZeppelin
contracts for similar reason:
[source](OpenZeppelin/openzeppelin-contracts#4489)).
The choice to use floating pragmas here is to make using these support
contracts easier across other projects (namely, the `WebAuthn` and
`P256` libraries are useful outside of this project). Furthermore, we
use `^` versions so that breaking changes introduced in a potential
Solidity v0.9 would not affect the security and integrity of the
contract code.
2. Use fixed pragmas for "top-level" contracts that we deploy:
    - `SafeWebAuthnProxyFactory`
    - `SafeWebAuthnSharedSigner`
    - `FCLP256Verifier`

I am aware that Solidity v0.8.20 doesn't play nice with chains like BNB
by default, however this can be worked around by explicitly by setting
the EVM version target (as we do in this project) and do not believe
this is an issue.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants