Impact
The bug affects addmod and mulmod instructions when a specific LLVM optimizer pass for EraVM finds the patterns described below.
To model overflow-flag-setting instructions, the LLVM Selection DAG provides uaddo (umulo, usubo) nodes. These nodes return the wrapped computation result as well as an overflow flag. Unlike add! (mul!, sub!), the flag set by these nodes is not lost if another flag-setting node exists in the computation, and the scheduler is able to handle cases of circular dependencies.
result, of = uaddo a, b
c = another_flag ? result : d
e = of ? c : f
There is also a select DAG node, which reflects the semantics of the C ternary operator ?:. The bug happens when both the uaddo result and its flag are used in a way that a single add! instruction makes the correct scheduling impossible.
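The following added example (not code from the advisory or from the compiler) models the pattern above on a toy machine with one shared flag, to show why neither instruction order reproduces the DAG semantics. The `Machine` class, the `cmp_lt` instruction, and the assumption that `another_flag` comes from a second flag-setting instruction are hypothetical simplifications.

```python
# Toy model (constructed): 256-bit words and ONE shared overflow flag that
# every flag-setting instruction overwrites. Not the EraVM backend's code.
MASK = (1 << 256) - 1

def reference(a, b, x, y, d, f):
    # The advisory's pattern with DAG semantics: uaddo keeps its own flag.
    s = a + b
    result, of = s & MASK, s > MASK
    another_flag = x < y            # assumption: set by a flag-setting compare
    c = result if another_flag else d
    return c if of else f

class Machine:
    # Single flag register; add! and the compare both clobber it.
    def __init__(self):
        self.flag = False
    def add_flag(self, a, b):       # stands in for add!
        s = a + b
        self.flag = s > MASK
        return s & MASK
    def cmp_lt(self, x, y):         # hypothetical flag-setting compare
        self.flag = x < y
    def select(self, t, e):         # consumes whatever the flag holds now
        return t if self.flag else e

def add_then_compare(a, b, x, y, d, f):
    m = Machine()
    result = m.add_flag(a, b)
    m.cmp_lt(x, y)                  # overwrites the overflow flag
    c = m.select(result, d)         # correct: reads another_flag
    return m.select(c, f)           # wrong: wanted `of`, reads another_flag

def compare_then_add(a, b, x, y, d, f):
    m = Machine()
    m.cmp_lt(x, y)
    result = m.add_flag(a, b)       # overwrites another_flag
    c = m.select(result, d)         # wrong: wanted another_flag, reads `of`
    return m.select(c, f)

def mismatches(schedule):
    # (overflowed?, another_flag?) cases where a schedule disagrees with the DAG.
    bad = []
    for a in (1, MASK):             # a + 1 overflows only when a == MASK
        for x in (0, 2):            # x < 1 holds only when x == 0
            args = (a, 1, x, 1, 111, 222)
            if schedule(*args) != reference(*args):
                bad.append((a == MASK, x == 0))
    return bad
```

In this model, both flags must be live at the same time, so each order of the two flag-setting instructions returns a wrong value for at least one input combination.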
Analysis has shown that no contracts were affected as of the date of publishing this advisory.
Patches
Fixed in version 1.3.16.
Workarounds
Upgrading and redeploying affected contracts is the only way.