Update pragma to 0.8.20 #4489
Update pragma to 0.8.20 #4489
Conversation
|
| Name | Type |
|---|---|
| openzeppelin-solidity | Major |
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
contracts/utils/Arrays.sol
Outdated
| @@ -57,7 +57,7 @@ library Arrays { | |||
| function unsafeAccess(address[] storage arr, uint256 pos) internal pure returns (StorageSlot.AddressSlot storage) { | |||
| bytes32 slot; | |||
| // We use assembly to calculate the storage slot of the element at index `pos` of the dynamic array `arr` | |||
| // following https://docs.soliditylang.org/en/v0.8.17/internals/layout_in_storage.html#mappings-and-dynamic-arrays. | |||
| // following https://docs.soliditylang.org/en/latest/internals/layout_in_storage.html#mappings-and-dynamic-arrays. | |||
There was a problem hiding this comment.
I think we don't use latest here in case the docs ever change in a way that would make the link invalid. For example the tag could change. I'd be ok with changing that to v0.8.20.
There was a problem hiding this comment.
Yeah I prefer using a fixed version.
There was a problem hiding this comment.
We have a few others using latest. I think we had this conversation in another PR and we decided to do latest iirc. No problem for now, just flagging in case it's worth discussing a better strategy.
There was a problem hiding this comment.
I would vote for using a fixed version in all links to Solidity docs.
There was a problem hiding this comment.
I'd vote for consistency, and I'd push for using 0.8.x or something that doesn't fixes the docs to an specific patch.
EDIT: Just tried with 0.8.x and 0.8 without success. So I guess we're fine with a fixed version then
|
Hey guys, could you quickly clarify the need for |
|
We want to benefit from some of the 0.8.20 (and beyond) features. In particular, better support for natspec comments. Release of our code, in particular compiled bytecode for the upgrade plugin is an issue with PUSH0. IMO we should stick with paris for the artefacts we provide (at least for a while). If the issue is about devs depending on our lib, using a recent version of the compiler, comilling with default settings, and deploying to chains that don't support PUSH0 ... I'd say its on them for not testing in a proper test network (all chains and L2 have a test duplicate that you should use before you go live). This is going to happen anyway, regardless of the pragma we use. |
Not if you use version |
|
Right, are you proposing that we prevent ourself and our knowledgable users from using new, more efficient, version of the compiler, in order to protect the less knowledgable users? |
No, I only propose to make the default compilation of the OpenZeppelin library "noob-safe" until |
|
Documenting this sounds like a good middle ground |
That is something that causes many internal dissagrements 😛 I'm personally expecting people that target polygon, to test their entier app (contracts + indexer + front +...) on mumbai first. Is that too much to expect?
And we thank you for doing so, that is really really valuable to us ! |
Well, yeah that's how it should work, but expectations usually don't meet reality. I just want to remind you that there was just recently an issue on zkSync where a project deployed a contract that uses Anyways, I personally think we should highlight this potentially breaking issue everywhere where devs interact in some sense with the OZ library, e.g. GitHub, Docs, NPM side, and the OZ Wizard. |
|
Do we need to document this issue if the pragma remains ^0.8.19? I'm interested in helping prevent these issues but I'm not even confident that people will see these warnings. And the issue is much larger than OpenZeppelin unfortunately. |
When you fork test, do you get the behavior of the forked chain, or just the state? Like if polygon doesn't have PUSH0, and I fork polygon using foundry or hardhat, does my local fork detect that the forked chain doesn't have PUSH0, or does it run a Shanghai node with the state of the remote chain? |
In any case, I would document it properly. Ultimately, it's all about education.
Agreed, and I don't know how to solve it really.
My understanding (and I can be wrong) is that fork tests are local simulations with accounts & states and storage slot information fetched from the RPC. I.e. you don't get the full chain behaviour and thus can't detect that specific issue. I think the desired behaviour would look like the following:
E.g. Foundry does default to The question is whether OZ fully delegates that responsibility to the tooling side at the end of the day. |
We, and other libraries like PRB math, already do that. We don't control the users development environment. We don't control the users compiler settings. If we were providing a We do provide compiled artefacts in the npm package, which are used by our upgrades plugin. That part we control, and IMO it should be targetting paris (see #4503). |
That's great. But you don't think any further documentation is necessary at all? |
|
I've opened an issue to set the Hardhat default to paris: With this change I would feel comfortable keeping the pragma at 0.8.20 and I think there would be less of a need for documentation. It's always nice to help towards education, but having to put warnings in every possible location is an indication that something else is wrong. |
|
I feel we got a good compromise. |
We could for sure use more documentation. I'm not sure where we would put that though. #4503 is a clear actionable. For the documentation part, its not that clear to me what the actionnable is. |
|
In the UI of the OpenZeppelin Wizard and maybe in the Security Center somewhere? |
Fixes hats-finance#17 This PR changes the pragmas in the passkeys contract to be: 1. More consistent: we use `^0.8.20` everywhere for "non-top-level" contracts. The version was chosen as this it the first version that supports all of the compiler features that we make use of. Notably, we have `@custom:` NatSpec items which are only officially supported as of v0.8.20 (incidentally, this is the same version used by OpenZeppelin contracts for similar reason: [source](OpenZeppelin/openzeppelin-contracts#4489)). The choice to use floating pragmas here is to make using these support contracts easier across other projects (namely, the `WebAuthn` and `P256` libraries are useful outside of this project). Furthermore, we use `^` versions so that breaking changes introduced in a potential Solidity v0.9 would not affect the security and integrity of the contract code. 2. Use fixed pragmas for "top-level" contracts that we deploy: - `SafeWebAuthnProxyFactory` - `SafeWebAuthnSharedSigner` - `FCLP256Verifier` I am aware that Solidity v0.8.20 doesn't play nice with chains like BNB by default, however this can be worked around by explicitly by setting the EVM version target (as we do in this project) and do not believe this is an issue.
We need 0.8.20 for better ERC-7201 compatibility.
Fixes #4460 (comment)
Fixes LIB-991