evmasm: Fix unchecked overflow in legacy codegen array size computation

r0qs · r0qs · commit 43c59b5fa64d · 2026-02-24T13:49:48.000+01:00
diff --git a/Changelog.md b/Changelog.md
@@ -4,6 +4,9 @@ Language Features:
 
 Compiler Features:
 
+Important Bugfixes:
+* Legacy Code Generator: Fix unchecked multiplication overflow when computing the storage size of dynamic arrays during deletion, which could result in ``delete`` silently leaving stale data in storage.
+
 Bugfixes:
 
 
diff --git a/docs/bugs.json b/docs/bugs.json
@@ -1,4 +1,17 @@
 [
+    {
+        "uid": "SOL-2026-2",
+        "name": "EvmasmCodegenUncheckedArraySizeOverflow",
+        "summary": "Deleting a dynamic array of large static arrays could silently skip storage clearing due to an unchecked multiplication overflow in the evmasm code generator.",
+        "description": "When the legacy (evmasm) code generator computes the total number of storage slots occupied by an array, it multiplies the array length by the storage size of its base type. This multiplication was performed without an overflow check, so when the product exceeded ``2**256``, the result would wrap to a small value (or zero). This caused the subsequent clearing loop to process fewer slots than necessary, leaving stale data in storage. The bug could be triggered by using the ``delete`` operator on a dynamic storage array whose base type is large enough for the product to overflow. The via-IR pipeline was not affected, because it already used overflow-checked arithmetic for this computation. With the fix, the legacy code generator now reverts with an arithmetic overflow panic in this situation, matching the via-IR behavior.",
+        "link": "",
+        "introduced": "0.1.0",
+        "fixed": "0.8.35",
+        "severity": "low",
+        "conditions": {
+            "viaIR": false
+        }
+    },
     {
         "uid": "SOL-2026-1",
         "name": "TransientStorageClearingHelperCollision",
diff --git a/libsolidity/codegen/ArrayUtils.cpp b/libsolidity/codegen/ArrayUtils.cpp
@@ -641,7 +641,14 @@ void ArrayUtils::convertLengthToSize(ArrayType const& _arrayType, bool _pad) con
 			}
 		}
 		else
-			m_context << _arrayType.baseType()->storageSize() << Instruction::MUL;
+		{
+			m_context << _arrayType.baseType()->storageSize();
+			m_context.callYulFunction(
+				m_context.utilFunctions().overflowCheckedIntMulFunction(*TypeProvider::uint256()),
+				2,
+				1
+			);
+		}
 	}
 	else
 	{
diff --git a/test/libsolidity/semanticTests/array/copying/array_copy_including_array.sol b/test/libsolidity/semanticTests/array/copying/array_copy_including_array.sol
@@ -36,11 +36,11 @@ contract c {
 // ----
 // test() -> 0x02000202
 // gas irOptimized: 4560468
-// gas legacy: 4536539
+// gas legacy: 4538699
 // gas legacyOptimized: 4456732
 // storageEmpty -> 1
 // clear() -> 0, 0
 // gas irOptimized: 4488719
-// gas legacy: 4407759
+// gas legacy: 4409439
 // gas legacyOptimized: 4385068
 // storageEmpty -> 1
diff --git a/test/libsolidity/semanticTests/array/delete_dynamic_array_size_overflow.sol b/test/libsolidity/semanticTests/array/delete_dynamic_array_size_overflow.sol
@@ -0,0 +1,31 @@
+contract C {
+    uint256[2**255][] data;
+
+    function fill() public {
+        data.push();
+        data.push();
+        data[0][0] = 111;
+        data[1][0] = 222;
+    }
+
+    function get(uint256 idx) public view returns (uint256) {
+        return data[idx][0];
+    }
+
+    function clear() public {
+        delete data;
+    }
+
+    function length() public view returns (uint256) {
+        return data.length;
+    }
+}
+// ----
+// fill() ->
+// get(uint256): 0 -> 111
+// get(uint256): 1 -> 222
+// length() -> 2
+// clear() -> FAILURE, hex"4e487b71", 0x11
+// get(uint256): 0 -> 111
+// get(uint256): 1 -> 222
+// length() -> 2
diff --git a/test/libsolidity/semanticTests/storage/storage_boundary_struct_array_mixed_types.sol b/test/libsolidity/semanticTests/storage/storage_boundary_struct_array_mixed_types.sol
@@ -159,7 +159,7 @@ contract C {
 // gas legacyOptimized: 112505
 // deleteBoundaryArray()
 // gas irOptimized: 177968
-// gas legacy: 180995
+// gas legacy: 181187
 // gas legacyOptimized: 178182
 // canaryValue() -> 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 // boundaryArray() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
diff --git a/test/libsolidity/semanticTests/storage/storage_boundary_struct_array_multislot.sol b/test/libsolidity/semanticTests/storage/storage_boundary_struct_array_multislot.sol
@@ -121,7 +121,7 @@ contract C {
 // destArray() -> 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60
 // deleteBoundaryArray()
 // gas irOptimized: 137824
-// gas legacy: 137971
+// gas legacy: 138163
 // gas legacyOptimized: 137750
 // canaryValue() -> 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
 // boundaryArray() -> 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

Original file line number	Diff line number	Diff line change
`@@ -641,7 +641,14 @@ void ArrayUtils::convertLengthToSize(ArrayType const& _arrayType, bool _pad) con`
`641`	`641`	`}`
`642`	`642`	`}`
`643`	`643`	`else`
`644`		`- m_context << _arrayType.baseType()->storageSize() << Instruction::MUL;`
	`644`	`+ {`
	`645`	`+ m_context << _arrayType.baseType()->storageSize();`
	`646`	`+ m_context.callYulFunction(`
	`647`	`+ m_context.utilFunctions().overflowCheckedIntMulFunction(*TypeProvider::uint256()),`
	`648`	`+ 2,`
	`649`	`+ 1`
	`650`	`+ );`
	`651`	`+ }`
`645`	`652`	`}`
`646`	`653`	`else`
`647`	`654`	`{`