Fix cleanup storage

Author: r0qs

docs/bugs.json

@@ -1,6 +1,6 @@
 [
     {
-        "uid": "SOL-2025-4",
+        "uid": "SOL-2025-1",
         "name": "InconsistentTreatmentOfStorageArraysOnSlotOverflowBoundary",
         "summary": "Fixed-length storage arrays crossing the 2^256 slot boundary can exhibit unexpected behavior when cleared (using the delete operator) or partially assigned, leading to silent data retention and inconsistent results.",
         "description": "Large static arrays in storage risk overlapping the 2^256 storage slot boundary. Partial assignments or delete operations may not properly reset all elements in such conditions, causing inconsistency during deletion and unexpected data retention. Although such situations are exceedingly rare in typical contracts, overflow on array deletion become more plausible when arrays are extremely large or the storage is manually positioned close to the storage boundaries. The compiler already warns about potential storage collisions in such scenarios.",

libsolidity/codegen/ArrayUtils.cpp

@@ -290,9 +290,9 @@ void ArrayUtils::copyArrayToStorage(ArrayType const& _targetType, ArrayType cons
 			_context << Instruction::POP << Instruction::SWAP1 << Instruction::POP;
 			// stack: target_ref target_data_end target_data_pos_updated
 			if (targetBaseType->storageBytes() < 32)
-				utils.clearStorageLoop(TypeProvider::uint256(), false); // TODO: check the boolean
+				utils.clearStorageLoop(TypeProvider::uint256(), !targetType->isDynamicallySized());
 			else
-				utils.clearStorageLoop(targetBaseType, false); // TODO: check the boolean
+				utils.clearStorageLoop(targetBaseType, !targetType->isDynamicallySized());
 			_context << Instruction::POP;
 		}
 	);
@@ -590,9 +590,9 @@ void ArrayUtils::clearArray(ArrayType const& _typeIn) const
 				ArrayUtils(_context).convertLengthToSize(_type);
 				_context << Instruction::ADD << Instruction::SWAP1;
 				if (_type.baseType()->storageBytes() < 32)
-					ArrayUtils(_context).clearStorageLoop(TypeProvider::uint256(), !_type.isDynamicallySized()); // TODO: check boolean
+					ArrayUtils(_context).clearStorageLoop(TypeProvider::uint256(), !_type.isDynamicallySized());
 				else
-					ArrayUtils(_context).clearStorageLoop(_type.baseType(), !_type.isDynamicallySized()); // TODO: check boolean
+					ArrayUtils(_context).clearStorageLoop(_type.baseType(), !_type.isDynamicallySized());
 				_context << Instruction::POP;
 			}
 			solAssert(_context.stackHeight() == stackHeightStart - 2, "");
@@ -631,9 +631,9 @@ void ArrayUtils::clearDynamicArray(ArrayType const& _type) const
 		<< Instruction::SWAP1;
 	// stack: data_pos_end data_pos
 	if (_type.storageStride() < 32)
-		clearStorageLoop(TypeProvider::uint256(), false); // TODO: check boolean
+		clearStorageLoop(TypeProvider::uint256(), /* _canOverflow */ false);
 	else
-		clearStorageLoop(_type.baseType(), false); // TODO: check boolean
+		clearStorageLoop(_type.baseType(), /* _canOverflow */ false);
 	// cleanup
 	m_context << endTag;
 	m_context << Instruction::POP;
@@ -771,14 +771,14 @@ void ArrayUtils::popStorageArrayElement(ArrayType const& _type) const
 	}
 }
 
-void ArrayUtils::clearStorageLoop(Type const* _type, bool _assumeEndAfterStart) const
+void ArrayUtils::clearStorageLoop(Type const* _type, bool _canOverflow) const
 {
 	solAssert(_type->storageBytes() >= 32, "");
 	m_context.callLowLevelFunction(
 		"$clearStorageLoop_" + _type->identifier(),
 		2,
 		1,
-		[_type, _assumeEndAfterStart](CompilerContext& _context)
+		[_type, _canOverflow](CompilerContext& _context)
 		{
 			unsigned stackHeightStart = _context.stackHeight();
 			if (_type->category() == Type::Category::Mapping)
@@ -794,7 +794,7 @@ void ArrayUtils::clearStorageLoop(Type const* _type, bool _assumeEndAfterStart)
 			_context <<
 				Instruction::DUP1 <<
 				Instruction::DUP3;
-			if (_assumeEndAfterStart)
+			if (_canOverflow)
 				_context << Instruction::EQ;
 			else
 				_context << Instruction::GT << Instruction::ISZERO;

libsolidity/codegen/ArrayUtils.h

@@ -73,9 +73,10 @@ class ArrayUtils
 	/// Stack post:
 	void popStorageArrayElement(ArrayType const& _type) const;
 	/// Appends a loop that clears a sequence of storage slots of the given type (excluding end).
+	/// @param _canOverflow whether the storage is treated as circular when clearing.
 	/// Stack pre: end_ref start_ref
 	/// Stack post: end_ref
-	void clearStorageLoop(Type const* _type, bool _assumeEndAfterStart) const;
+	void clearStorageLoop(Type const* _type, bool _canOverflow) const;
 	/// Converts length to size (number of storage slots or calldata/memory bytes).
 	/// if @a _pad then add padding to multiples of 32 bytes for calldata/memory.
 	/// Stack pre: length

libsolidity/codegen/YulUtilFunctions.cpp

@@ -1431,7 +1431,7 @@ std::string YulUtilFunctions::cleanUpStorageArrayEndFunction(ArrayType const& _t
 		)")
 		("convertToSize", arrayConvertLengthToSize(_type))
 		("dataPosition", arrayDataAreaFunction(_type))
-		("clearStorageRange", clearStorageRangeFunction(*_type.baseType(), false))
+		("clearStorageRange", clearStorageRangeFunction(*_type.baseType(), !_type.isDynamicallySized()))
 		("packed", _type.baseType()->storageBytes() <= 16)
 		("itemsPerSlot", std::to_string(32 / _type.baseType()->storageBytes()))
 		("storageBytes", std::to_string(_type.baseType()->storageBytes()))
@@ -1483,7 +1483,7 @@ std::string YulUtilFunctions::cleanUpDynamicByteArrayEndSlotsFunction(ArrayType
 		)")
 		("dataLocation", arrayDataAreaFunction(_type))
 		("div32Ceil", divide32CeilFunction())
-		("clearStorageRange", clearStorageRangeFunction(*_type.baseType(), false))
+		("clearStorageRange", clearStorageRangeFunction(*_type.baseType(), /* _canOverflow */ false))
 		.render();
 	});
 }
@@ -1523,7 +1523,7 @@ std::string YulUtilFunctions::decreaseByteArraySizeFunction(ArrayType const& _ty
 			("functionName", functionName)
 			("dataPosition", arrayDataAreaFunction(_type))
 			("partialClearStorageSlot", partialClearStorageSlotFunction())
-			("clearStorageRange", clearStorageRangeFunction(*_type.baseType(), true))
+			("clearStorageRange", clearStorageRangeFunction(*_type.baseType(), /* _canOverflow */ true))
 			("transitLongToShort", byteArrayTransitLongToShortFunction(_type))
 			("div32Ceil", divide32CeilFunction())
 			("encodeUsedSetLen", shortByteArrayEncodeUsedAreaSetLengthFunction())
@@ -1817,7 +1817,7 @@ std::string YulUtilFunctions::partialClearStorageSlotFunction()
 	});
 }
 
-std::string YulUtilFunctions::clearStorageRangeFunction(Type const& _type, bool _assumeEndAfterStart)
+std::string YulUtilFunctions::clearStorageRangeFunction(Type const& _type, bool _canOverflow)
 {
 	if (_type.storageBytes() < 32)
 		solAssert(_type.isValueType(), "");
@@ -1834,7 +1834,7 @@ std::string YulUtilFunctions::clearStorageRangeFunction(Type const& _type, bool
 			}
 		)")
 		("functionName", functionName)
-		("compare", _assumeEndAfterStart ? "sub" : "lt")
+		("compare", _canOverflow ? "sub" : "lt")
 		("setToZero", storageSetToZeroFunction(_type.storageBytes() < 32 ? *TypeProvider::uint256() : _type, VariableDeclaration::Location::Unspecified))
 		("increment", _type.storageSize().str())
 		.render();
@@ -1872,7 +1872,7 @@ std::string YulUtilFunctions::clearStorageArrayFunction(ArrayType const& _type)
 		(
 			"clearRange",
 			_type.baseType()->category() != Type::Category::Mapping ?
-			clearStorageRangeFunction((_type.baseType()->storageBytes() < 32) ? *TypeProvider::uint256() : *_type.baseType(), true) :
+			clearStorageRangeFunction((_type.baseType()->storageBytes() < 32) ? *TypeProvider::uint256() : *_type.baseType(), /* _canOverflow */ true) :
 			""
 		)
 		("lenToSize", arrayConvertLengthToSize(_type))

libsolidity/codegen/YulUtilFunctions.h

@@ -268,7 +268,8 @@ class YulUtilFunctions
 	/// @returns the name of a function that will clear the storage area given
 	/// by the start and end (exclusive) parameters (slots).
 	/// signature: (start, end)
-	std::string clearStorageRangeFunction(Type const& _type, bool _assumeEndAfterStart);
+	/// if _canOverflow is true, it treats the storage as circular and clears by wrapping around.
+	std::string clearStorageRangeFunction(Type const& _type, bool _canOverflow);
 
 	/// @returns the name of a function that will clear the given storage array
 	/// signature: (slot) ->
@@ -618,7 +619,7 @@ class YulUtilFunctions
 	std::string cleanUpDynamicByteArrayEndSlotsFunction(ArrayType const& _type);
 
 	/// @returns the name of a function that increases size of byte array
-	/// when we resize byte array frextractUsedSetLenom < 32 elements to >= 32 elements or we push to byte array of size 31 copying of data will  occur
+	/// when we resize byte array from < 32 elements to >= 32 elements or we push to byte array of size 31 copying of data will  occur
 	/// signature: (array, data, oldLen, newLen)
 	std::string increaseByteArraySizeFunction(ArrayType const& _type);
 

test/libsolidity/semanticTests/array/push/array_push_struct.sol

@@ -22,4 +22,4 @@ contract c {
 // test() -> 2, 3, 4, 5
 // gas irOptimized: 135329
 // gas legacy: 147437
-// gas legacyOptimized: 146429
+// gas legacyOptimized: 148715

test/libsolidity/semanticTests/storage/delete_overflow_bug.sol

@@ -0,0 +1,27 @@
+contract C {
+    function getArray() internal pure returns (uint256[10][1] storage _x) {
+        assembly {
+            _x.slot := sub(0, 5)
+        }
+    }
+
+    function assignArray(uint256[10] memory y) public {
+        uint256[10][1] storage _x = getArray();
+        _x[0] = y;
+    }
+
+    function x() public view returns (uint256[10] memory) {
+        return getArray()[0];
+    }
+}
+// ----
+// x() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+// assignArray(uint256[10]): 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ->
+// gas irOptimized: 245236
+// gas legacyOptimized: 245441
+// x() -> 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
+// assignArray(uint256[10]): 10, 20, 30, 40, 50, 60, 70, 80, 90, 100 ->
+// x() -> 10, 0x14, 0x1e, 0x28, 0x32, 0x3c, 0x46, 0x50, 0x5a, 0x64
+// gas irOptimized: 198025
+// gas legacy: 200268
+// gas legacyOptimized: 198058

test/libsolidity/semanticTests/storage/storage_boundary_array_assignment.sol

@@ -0,0 +1,33 @@
+contract C {
+    function getArray() internal pure returns (uint256[10][1] storage _x) {
+        assembly {
+            _x.slot := sub(0, 5)
+        }
+    }
+
+    function fillArray() public {
+        uint256[10][1] storage _x = getArray();
+        for (uint i = 1; i < 10; i++)
+            _x[0][i] = i;
+    }
+
+    function clearArray() public {
+        uint256[10][1] storage _x = getArray();
+        delete _x[0];
+    }
+
+    function x() public view returns (uint256[10] memory) {
+        return getArray()[0];
+    }
+}
+// ----
+// x() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+// fillArray()
+// gas irOptimized: 220705
+// gas legacyOptimized: 220871
+// x() -> 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
+// clearArray()
+// x() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+// gas irOptimized: 181920
+// gas legacy: 184143
+// gas legacyOptimized: 181899

test/libsolidity/semanticTests/storage/storage_boundary_array_delete.sol

@@ -0,0 +1,39 @@
+contract C {
+    uint256 public y = 42;
+
+    function getArray() internal pure returns (uint256[10][1] storage _x) {
+        assembly {
+            _x.slot := sub(0, 5)
+        }
+    }
+
+    function fillArray() public {
+        uint256[10][1] storage _x = getArray();
+        for (uint i = 1; i < 10; i++)
+            _x[0][i] = i;
+    }
+
+    function clearArray() public {
+        uint256[10][1] storage _x = getArray();
+        delete _x[0];
+    }
+
+    function x() public view returns (uint256[10] memory) {
+        return getArray()[0];
+    }
+}
+
+// ----
+// y() -> 42
+// x() -> 0, 0, 0, 0, 0, 0x2a, 0, 0, 0, 0
+// fillArray()
+// gas irOptimized: 203627
+// gas legacyOptimized: 203793
+// y() -> 5
+// x() -> 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
+// clearArray()
+// y() -> 0
+// x() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+// gas irOptimized: 168243
+// gas legacy: 170463
+// gas legacyOptimized: 168219