Memory corruption issues resulting in OOG from solc-v0.4.22-nightly.2018.4.5+commit.c6adad93.js onwards

[D-Nice]

Starting with this solc, usage of Oraclize's Random and Computation datasources (both dependent on array types and assembly), now fail in creating a query. The error appears to be at creation of the query (line) it pushes the datasource string onto the stack, does unexpected operations, like multiplying the bytes, and then eventually storing those bytes into the free memory pointer, causing an exception at the next MSTORE op.

Two changes that appear to affect this are the commit at be797cb and after the gas buffer was dropped with byzantium vm. Re-introducing pre-byzantium calls (where a little gas would be left over within calling contract, aka bringing back SUB opcode for calls via asm: call(sub(gas, 700), addy, 0, 0, 8, 0, 0x20) avoids the aforementioned corruption.

[chriseth]

Can you provide a bit more details about what oraclize actually does? What do you mean by "unexpected operations"?

[D-Nice]

The point at which it screws up is when using some assembly, namely Nick Johnson's cbor lib for converting a string array into cbor, but we also get an exception when our Random datasource is used, I haven't explored that one that much yet.

What I mean by unexpected operations is that is the string computation is loaded from memory (mistakenly) and then various operations are done to the bytes equivalent of computation on the stack such as ADD/MUL (as the region should be empty, but computation string is there from uncleared calldata that was used) and eventually this operated string finds its way into being stored into the freemem pointer.

That should be a quick summary, I'll try and pinpoint the exact points of issue for you here, so we can come up with a solution.

I would ask that you use this link to a debugged transaction that had this issue: http://rinkeby.etherscan.io/remix?txhash=0x9e81f89a75e8af1425e14a7a88e219242ee13415a362d5bd8e1ff8a4b8c9277f

The contract + function being debugged is the following: https://github.com/oraclize/ethereum-examples/blob/master/solidity/computation-datasource/url-requests/urlRequests.sol#L77

I'll mention @ step ####, which refers to the specific vm trace step in the debugger.

@ step 2219

buf.buf.length + 1 - link

The expected result here is 0x1 (that is what pre-solc 0.4.22 returns, will refer to as pre from now).

Current one gives 0xb636f6d7075746174696f6e0000000000000000000000000000000001 which is the computation string appended with a 1 byte. The memory region it's loading from should be empty, as it is in pre, however, here it is 'polluted' with the computation string, which it then picks up as the length of the buffer.

@ step 1633

oraclize.getPrice(datasource); - link

This is where the leftover computation string stems from. Call occurs @ 1706

@ step 2128

Buffer.buffer memory buf; - link

This appears to be the major deviation in modus operandi between the working and non-working solc which leads to newer solc failing.

What pre-does here is increment freemem from 0x460 to 0x4a0 and then 0x4c0, and starts clearing out the previous calldata slots.

Here's a view of the pertinent memory slots on solc 0.4.20

begin buffer declaration:

0x40: 00000000000000000000000000000000	????????????????
0x50: 00000000000000000000000000000460	????????????????
...
0x450: 00000000000000000000000000000000	????????????????
0x460: 00000020000000000000000000000000	????????????????
0x470: 00000000000000000000000000000000	????????????????
0x480: 0000000b636f6d7075746174696f6e00	????computation?
0x490: 00000000000000000000000000000000	????????????????

end buffer declaration:

0x40: 00000000000000000000000000000000	????????????????
0x50: 000000000000000000000000000004c0	????????????????
...
0x450: 00000000000000000000000000000000	????????????????
0x460: 00000000000000000000000000000000	????????????????
0x470: 000000000000000000000000000004a0	????????????????
0x480: 00000000000000000000000000000000	????????????????
0x490: 00000000000000000000000000000000	????????????????

Here's what happens to that memory region with solc 0.4.22 instead:

begin:

0x40: 00000000000000000000000000000000	????????????????
0x50: 00000000000000000000000000000360	????????????????
...
0x370: 00000000000000000015057aeb22d000	???????????z????
0x380: 00000020000000000000000000000000	????????????????
0x390: 00000000000000000000000000000000	????????????????
0x3a0: 0000000b636f6d7075746174696f6e00	????computation?
0x3b0: 00000000000000000000000000000000	????????????????

end @ 2151

0x40: 00000000000000000000000000000000	????????????????
0x50: 000000000000000000000000000003a0	????????????????
...
0x370: 00000000000000000000000000000060	????????????????
0x380: 00000000000000000000000000000000	????????????????
0x390: 00000000000000000000000000000000	????????????????
0x3a0: 0000000b636f6d7075746174696f6e00	????computation?
0x3b0: 00000000000000000000000000000000	????????????????

Let me know if this helps. I had also discussed this with @axic at a conference, and we weren't able to specifically diagnose this issue, but there were other oddities noticed by @axic with the newer solcs while trying to debug this.

[D-Nice]

Here's an isolated example:

pragma solidity ^0.4.19;

library Buffer {
    struct buffer {
        bytes buf;
        uint capacity;
    }
    
    function init(buffer memory buf, uint capacity) internal constant {
        if(capacity % 32 != 0) capacity += 32 - (capacity % 32);
        // Allocate space for the buffer data
        buf.capacity = capacity;
        assembly {
            let ptr := mload(0x40)
            mstore(buf, ptr) // this is the incompatibility, as it expects the memory to be clear beyond freemem
            mstore(0x40, add(ptr, capacity))
        }
    }
}

contract A {
    // function sig ends up as length of .buf
    function someExternalFnc() external {
    }
    
    function test() returns(bytes32) {
        this.someExternalFnc();
        Buffer.buffer memory buf;
        Buffer.init(buf, 64);
        return bytes32(buf.buf.length);
    }
}

Is every native type's memory initialization guaranteed not to be affected by the above issue, by clearing/overwriting the address space it will end up pointing to? It would be nice to mention to not assume any memory after the free memory pointer (even without dropping down to assembly), to actually be cleared/zeroed out, as this assumption was even made by an EF dev as seen above.

[axic]

I've tried the isolated example in Remix with 0.4.19 and 0.4.24, but both finish successfully when calling A.test().

Under what conditions is the isolated example failing for you?

[D-Nice]

Apologies, it's not made to fail, but it's showcasing the length of buf in the buffer struct being set to the function sig of the last external call. If some additional operation were done dependent on that length, it could cause issues/throws.

[androlo]

Memory at (and after) mload(0x40) can not be assumed to be empty. This has been the case for as long as i can remember: https://solidity.readthedocs.io/en/v0.4.24/miscellaneous.html#layout-in-memory

[D-Nice]

Got it, thanks @androlo. The worry of course is that some making libraries in assembly are working under the assumption that it in fact is, so at least I see that the official stance is it is not.

I would normally associate free memory with empty memory, so to me it may appear like a misnomer to call it free memory pointer, but more appropriate to refer as new memory pointer, as any new memory should point to that, but if doing it on a lower-level, you need to ensure that region is cleaned up for your use.

[androlo]

@D-Nice Maybe use msize instead of mload(0x40). I see some people use that. The memory at address msize (and beyond) should always be clear, since it is guaranteed to never have been used. From the YP, section 9.1: "All locations in both storage and memory are well-defined initially as zero".

EDIT: obviously 0x40 would still have to be updated like normal...

[axic]

I wouldn't advise using msize without updating the free memory point at 0x40. Is it a problem relying on 0x40, but zeroing out the memory before using, if that is a requirement for the use case?

[axic]

I would normally associate free memory with empty memory, so to me it may appear like a misnomer to call it free memory pointer

@D-Nice It actually matches how malloc libraries work on POSIX. Only calloc is guaranteed to be zeroed out by doing a manual zeroing after allocation. (Now a malloc library may decide to do some optimisations.)

[axic]

This should be less of an issue once built in helpers are made available to inline assembly, such as #474.

[D-Nice]

Thanks for that @axic I was contemplating on whether it is indeed better to zero out the memory using codecopy as solidity natively seems to do, or just extending freemem to msize, but I guess the former is recommended, and would have lower costs if working with more memory-hungry code.