A bug in the Solidity optimizer was reported through the Ethereum Foundation Bounty Program by Christoph Jentzsch. The bug is fixed as of 2017-05-03, with the release of Solidity 0.4.11.
Background
The bug in question concerned how the optimizer optimizes constants in the bytecode. By "bytecode constant", we mean anything that is PUSHed onto the stack (not to be confused with Solidity constants). For example, if the value 0xffffffffffffffffffffffffffffffffffffffffffffffffff is PUSHed, then the optimizer can either emit PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffff or choose to encode it as PUSH1 1; NOT;.
An error in the optimizer caused the optimization of bytecode constants to fail in certain cases, by generating a routine that did not properly recreate the original constant.
The behaviour described in the reported bug was found in a contract in which a method stopped working when another, completely unrelated, method was added to the contract. After analysis, it was determined that a number of conditions must hold at the same time for the bug to trigger. Any combination of conditions that would trigger the bug would consistently include the following:
- The constant must start with 0xff… and end with a long sequence of zeros (or vice versa).
- The same constant must be used in several locations, so that the optimizer chooses to optimize this particular constant. Alternatively, it must be used in the constructor, which is optimized for size rather than gas.
In addition to the two conditions above, further and more complicated conditions are required.
Analysis
This bug has been present in all released versions of Solidity since at least as far back as summer 2015 up to the present day. Although the bug has been present since 2015, it seems very hard to trigger with "random" code:
We carried out a static analysis of all the contract code deployed on the blockchain and found no occurrence of such a generated routine. Note that not finding the bug in all deployed contract code does not guarantee the absence of such occurrences.
Improvement
In order to provide better transparency and increased awareness of bugs in Solidity, we have started to export information on Solidity-related vulnerabilities as JSON files in the Solidity code repository (1, 2). We hope that block explorers will integrate this information along with other contract-related information.
Etherscan has already implemented this, which can be seen here and here.
Regarding the bug itself, we added a mini-EVM to the optimizer which checks the correctness of each generated routine at compile time.
In addition, work has already started on a fully specified, higher-level intermediate language. Future optimizer routines for this language will be much easier to understand and audit, and it will replace the current optimizer.
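As an added illustration of that compile-time check (example code, not the Solidity compiler's own mini-EVM), the following Python stack machine evaluates a candidate constant routine over a small, assumed opcode subset (PUSH, NOT, MUL, SUB, EXP) and accepts it only when it leaves exactly the intended 256-bit constant on the stack; the sample routines are constructed for the example.

```python
"""Mini-EVM check for optimizer-generated constant routines (added example).

The optimizer may replace a PUSH32 of a constant with a shorter routine; the
check below re-executes that routine at compile time and rejects any routine
that does not recreate the original constant. Opcode subset is an assumption."""

MASK = (1 << 256) - 1  # EVM words are 256 bits wide; all arithmetic wraps
ALL_ONES = MASK        # the 0xff...ff constant from the post


def run_routine(routine):
    """Execute a routine given as (opcode, immediate) pairs and return the
    final stack. Pop order follows the EVM: the first popped item is the top."""
    stack = []
    for op, arg in routine:
        if op == "PUSH":
            if not 0 <= arg <= MASK:
                raise ValueError("PUSH immediate does not fit in 256 bits")
            stack.append(arg)
        elif op == "NOT":
            stack.append(~stack.pop() & MASK)
        elif op == "MUL":
            a, b = stack.pop(), stack.pop()
            stack.append((a * b) & MASK)
        elif op == "SUB":
            a, b = stack.pop(), stack.pop()   # computes top - second
            stack.append((a - b) & MASK)
        elif op == "EXP":
            base, exponent = stack.pop(), stack.pop()  # base is on top
            stack.append(pow(base, exponent, 1 << 256))
        else:
            raise ValueError(f"unsupported opcode {op}")
    return stack


def routine_recreates(constant, routine):
    """The compile-time check: accept the routine only if it runs without
    error and leaves exactly [constant] on the stack (no leftovers)."""
    try:
        stack = run_routine(routine)
    except (IndexError, ValueError):  # stack underflow or bad immediate
        return False
    return stack == [constant]


# Constructed sample: 0xff followed by 31 zero bytes, the shape the post
# describes (0xff... then a long run of zeros), built as 0xff * 2**248.
FF_THEN_ZEROS = 0xff << 248
GOOD_ROUTINE = [("PUSH", 0xff), ("PUSH", 248), ("PUSH", 2), ("EXP", None), ("MUL", None)]
BAD_ROUTINE = [("PUSH", 0xff), ("PUSH", 2), ("PUSH", 248), ("EXP", None), ("MUL", None)]
```

Swapping the two PUSHes in BAD_ROUTINE makes EXP compute 248**2 instead of 2**248, which is exactly the kind of wrongly generated routine the check is meant to catch before it reaches deployed bytecode.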