Fix negative calldata offset validations

[cameel]

Depends on #16483.

Fixes inconsistent offset validations in ABI coder v2. These sometimes miss cases that result in reading past calldatasize() and sometimes reject ones where negative offsets do not cause that and are therefore valid.

This is not a single bug, but rather a combination of multiple things. In some cases behavior even differs between evmasm and IR pipeline.

[cameel]

Note that this is still work in progress. For now it managed to add coverage that detects the inconsistencies and track one of the bugs (the one that caused evmasm and IR differences). The fix for that bug is still incomplete. The other inconsistencies, especially ones resulting from not using signed comparisons are not yet addressed.

[cameel]

The _abi_encode.sol test variants do not add much. I will probably remove them unless someone thinks they are are worth keeping.

Each one has a corresponding, slightly simpler test that just returns the value as calldata. I wrote the _abi_encode.sol ones first and only later realized that returning calldata will not trigger decoding either.

[cameel]

This is the fix for the first bug. The problem here is that the evmasm codegen is sometimes still using code written for ABI coder v1 even when v2 is selected. This is fine in terms of correctness of decoding, but does not account for the validations, since most of them were only introduced in v2.

This will happen for example when you try to access a bytes element of bytes[] calldata. Note that this is not even a v1 type, but the routine kicks in, because we're only accessing bytes inside it and that one is.

I'm not yet sure this change (i.e. replacing everything with a call to v2) is the right solution here. It will likely significantly increase the cost and still needs adjustment for types with a different number of slots (assertions are failing in tests). It at least fix the validations though.

[cameel]

This is the second bug. The input has negative offsets, but still pointing within calldata. None of these should result in a revert.

[cameel]

This is essentially the bug from the report. The output here should match negative_offset_negative_tail_position_dynamic_array.sol, i.e. every case except the first one in each group (which is there only to show what the output looks like in the equivalent non-negative-offset case) should revert.

[cameel]

The else here is actually yet another case that I only discovered while doing the fix - I don't have test coverage for it yet. It's the case with a dynamic array with statically-encoded elements that are not value types. E.g. S[] calldata, where S is a static struct.

[cameel]

There is a fourth bug. This one may result in accepting input that will result in reading beyond calldatasize(). This one is not covered by tests yet, but the problem is the faulty condition that produces a revert with this message.

The condition is:

solidity/libsolidity/codegen/ABIFunctions.cpp

Line 1291 in a99b6d8

if gt(add(src, length), end) { <revertStringLength>() }

Firstly, the error message is inaccurate. Note that it's not only invalid length that may cause this. It can also be the offset. If the offset is negative enough, the absolute start position ends up past the end due to underflow and the (unsigned) comparison fails.

However, when src is negative, but src + length still positive, the condition may be satisfied. This is wrong, because the initial part of the string is likely past calldatasize() in that case.

[github-actions]

This pull request is stale because it has been open for 14 days with no activity.
It will be closed in 7 days unless the stale label is removed.