chore: crypto primitives external audit response 1#22272
Open
johnathan79717 wants to merge 1 commit intomerge-train/barretenbergfrom
Open
chore: crypto primitives external audit response 1#22272johnathan79717 wants to merge 1 commit intomerge-train/barretenbergfrom
johnathan79717 wants to merge 1 commit intomerge-train/barretenbergfrom
Conversation
johnathan79717
force-pushed
the
jh/crypto-primitives-external-audit-response-1
branch
from
ddfb651 to
1d0754e
Compare
johnathan79717
added
ci-full
johnathan79717
force-pushed
the
jh/crypto-primitives-external-audit-response-1
branch
from
ea7899c to
4de984d
Compare
ludamad
approved these changes
Apr 2, 2026
johnathan79717
force-pushed
the
jh/crypto-primitives-external-audit-response-1
branch
3 times, most recently
from
390d74d to
d6aa879
Compare
Collaborator
Flakey Tests🤖 says: This CI run detected 1 tests that failed, but were tolerated due to a .test_patterns.yml entry. |
ludamad
reviewed
Apr 7, 2026
| // NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables) | ||
| static char last_error_message[ERROR_BUF_SIZE]; // NOLINT(cppcoreguidelines-avoid-c-arrays) | ||
| // NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables) | ||
| static size_t last_error_length = 0; |
Collaborator
There was a problem hiding this comment.
this doesnt feel right. this should just be stored by the JS operation that controls this maybe? we have a js callback whenever we have an error. this feels weird. why not call js when we have the error instead of giving the a way to get this later
ludamad
requested changes
Apr 7, 2026
In WASM builds, BB_NO_EXCEPTIONS is defined. The C++ definition of
throw_or_abort_impl calls std::abort(), killing the WASM process on
any error. Meanwhile, the header declares it as WASM_IMPORT from JS,
where it throws a catchable Error. But the local C++ definition
shadows the import.
Fix: guard out the C++ definition with #ifndef __wasm__ so the JS
import is used in WASM builds. For wasmtime (non-JS WASM runtime
used in CI tests), add -Wunknown-imports-trap=y so the import is
stubbed with a trap (correct behavior: errors in wasmtime should
still abort).
Before: any throw_or_abort in WASM kills the process, PXE crashes.
After: the JS caller gets a catchable Error("actual error message").
johnathan79717
force-pushed
the
jh/crypto-primitives-external-audit-response-1
branch
from
d6aa879 to
9818015
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Audit Context
Addresses finding #2 from the "Aztec - Cryptographic Primitives" external audit: WASM Process DOS via Oversized Polynomial in Prover Commit Path.
In WASM builds,
BB_NO_EXCEPTIONSis defined. The C++ definition ofthrow_or_abort_implcallsstd::abort(), killing the WASM process on any error. Meanwhile, the header (throw_or_abort_impl.hpp) declares the same function as aWASM_IMPORTfrom JavaScript, where it throws a catchable JSError. But the local C++ definition shadows the import, so the JS throw is never used.Changes Made
throw_or_abort_impl.cpp: Guard out the C++ definition with
#ifndef __wasm__so the JS-provided import is used in WASM builds. The header already declares it asWASM_IMPORT("throw_or_abort_impl")with the comment "For a WASM build, this is provided by the JavaScript environment."wasmtime.sh: Add
-Wunknown-imports-trap=yso wasmtime (non-JS WASM runtime used in CI tests) stubs the import with a trap instead of failing with "unknown import". This is correct behavior: errors in wasmtime should still abort.No TypeScript changes needed. The JS side already provides the import that throws a catchable
Errorwith the actual error message.Before: Any
throw_or_abortin WASM callsabort_with_message()->std::abort()-> WASM process dies, PXE crashes with no error message.After:
throw_or_abortin WASM calls the JS import which throwsnew Error(msg). The JS caller catches this as a normal exception. The WASM instance stays alive.Testing
Verified with
barretenberg/ts/src/bbapi/exception_handling.test.ts(full WASM build + TS test):Checklist