Impact
The bug affects addmod and mulmod instructions when a specific LLVM optimizer pass for EraVM finds patterns described below.
To model overflow flag setting instructions, LLVM Selection DAG provides uaddo (umulo, usubo) nodes. These nodes return wrapped computation result as well as an overflow flag. Unlike add! (mul!, sub!) the flag set by nodes is not perished if another flag setting node exists in cthe omputation, and scheduler is able to handle cases of circular dependencies.
result, of = uaddo a, b
c = another_flag ? result : d
e = of ? c : f
There is also a select DAG node which reflects the C ternary operator's ?: semantic. The bug happens when both uaddo result and flags are used in a way that a single add! instruction makes the correct scheduling impossible.
Analysis has shown that no contracts were affected by the date of publishing this advisory.
Patches
Fixed in version 1.3.13.
Workarounds
Upgrading and redeploying affected contracts is the only way.
Impact
The bug affects
addmodandmulmodinstructions when a specific LLVM optimizer pass for EraVM finds patterns described below.To model overflow flag setting instructions, LLVM Selection DAG provides
uaddo(umulo,usubo) nodes. These nodes return wrapped computation result as well as an overflow flag. Unlikeadd!(mul!,sub!) the flag set by nodes is not perished if another flag setting node exists in cthe omputation, and scheduler is able to handle cases of circular dependencies.There is also a
selectDAG node which reflects the C ternary operator's?:semantic. The bug happens when bothuaddoresult and flags are used in a way that a singleadd!instruction makes the correct scheduling impossible.Analysis has shown that no contracts were affected by the date of publishing this advisory.
Patches
Fixed in version 1.3.13.
Workarounds
Upgrading and redeploying affected contracts is the only way.