evmasm: Fix unchecked overflow in legacy codegen array size computation

Author: r0qs

Changelog.md

@@ -1,6 +1,7 @@
 ### 0.8.34 (2026-02-18)
 
 Important Bugfixes:
+* Legacy Code Generator: Fix silent overflow when clearing storage arrays, which could leave array elements uncleared.
 * Yul IR Code Generation: Fix a bug that could result in clearing a storage variable instead of a transient storage variable at the same position in the layout (and vice-versa).
 
 

libsolidity/codegen/ArrayUtils.cpp

@@ -641,7 +641,14 @@ void ArrayUtils::convertLengthToSize(ArrayType const& _arrayType, bool _pad) con
 			}
 		}
 		else
-			m_context << _arrayType.baseType()->storageSize() << Instruction::MUL;
+		{
+			m_context << _arrayType.baseType()->storageSize();
+			m_context.callYulFunction(
+				m_context.utilFunctions().overflowCheckedIntMulFunction(*TypeProvider::uint256()),
+				2,
+				1
+			);
+		}
 	}
 	else
 	{

test/libsolidity/semanticTests/array/copying/array_copy_including_array.sol

@@ -36,11 +36,11 @@ contract c {
 // ----
 // test() -> 0x02000202
 // gas irOptimized: 4560468
-// gas legacy: 4536539
+// gas legacy: 4538699
 // gas legacyOptimized: 4456732
 // storageEmpty -> 1
 // clear() -> 0, 0
 // gas irOptimized: 4488719
-// gas legacy: 4407759
+// gas legacy: 4409439
 // gas legacyOptimized: 4385068
 // storageEmpty -> 1

test/libsolidity/semanticTests/array/delete_dynamic_array_size_overflow.sol

@@ -0,0 +1,31 @@
+contract C {
+    uint256[2**255][] data;
+
+    function fill() public {
+        data.push();
+        data.push();
+        data[0][0] = 111;
+        data[1][0] = 222;
+    }
+
+    function get(uint256 idx) public view returns (uint256) {
+        return data[idx][0];
+    }
+
+    function clear() public {
+        delete data;
+    }
+
+    function length() public view returns (uint256) {
+        return data.length;
+    }
+}
+// ----
+// fill() ->
+// get(uint256): 0 -> 111
+// get(uint256): 1 -> 222
+// length() -> 2
+// clear() -> FAILURE, hex"4e487b71", 0x11
+// get(uint256): 0 -> 111
+// get(uint256): 1 -> 222
+// length() -> 2

test/libsolidity/semanticTests/storage/storage_boundary_struct_array_mixed_types.sol

@@ -159,7 +159,7 @@ contract C {
 // gas legacyOptimized: 112505
 // deleteBoundaryArray()
 // gas irOptimized: 177968
-// gas legacy: 180995
+// gas legacy: 181187
 // gas legacyOptimized: 178182
 // canaryValue() -> 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 // boundaryArray() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

test/libsolidity/semanticTests/storage/storage_boundary_struct_array_multislot.sol

@@ -121,7 +121,7 @@ contract C {
 // destArray() -> 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60
 // deleteBoundaryArray()
 // gas irOptimized: 137824
-// gas legacy: 137971
+// gas legacy: 138163
 // gas legacyOptimized: 137750
 // canaryValue() -> 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 // boundaryArray() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0