conflux-rust icon indicating copy to clipboard operation
conflux-rust copied to clipboard

Published 20 hours ago verified publisher icon Conflux-Chain

potential arithmetic overflow in `fn finalize`

Open yangzhe1990 opened this issue 4 years ago • 9 comments

let charge_all = (gas_left + gas_left + gas_left) >= gas_used;

yangzhe1990 avatar Jun 03 '20 10:06 yangzhe1990

Actually can we use some tool to detect all potential arithmetic overflow?

yangzhe1990 avatar Jun 03 '20 10:06 yangzhe1990

The particular place has very low severity since It's not likely to happen outside testing environment, as nobody could spend extremely high gas fee. But how about other places?

yangzhe1990 avatar Jun 03 '20 10:06 yangzhe1990

BTW, "charge_all" actually means to charge_75_percent in the code.

yangzhe1990 avatar Jun 03 '20 10:06 yangzhe1990

The gas used in a transaction can not exceed the maximum gas allowed in one block, which is must less than 2^256

ChenxingLi avatar Jun 03 '20 10:06 ChenxingLi

BTW, "charge_all" actually means to charge_75_percent in the code.

Yes, we will refund at most 1/4 * tx.gas.

ChenxingLi avatar Jun 03 '20 10:06 ChenxingLi

The gas used in a transaction can not exceed the maximum gas allowed in one block, which is must less than 2^256

3*gas_left may overflow in theory. But unlikely since nobody has too much CFX. I raise this issue mainly to ask if we have a way to find out all potential overflow.

yangzhe1990 avatar Jun 03 '20 10:06 yangzhe1990

3*gas_left may overflow in theory. But unlikely since nobody has too much CFX.

It is not because of the transanction fee, because the gas_price cound equal to 0. But the maximum gas allowed in the whole block is limited.

ChenxingLi avatar Jun 03 '20 10:06 ChenxingLi

I raise this issue mainly to ask if we have a way to find out all potential overflow.

If an overflow happens for struct U256 and U512, the basic operation will cause a panic. You can read the source code of crate uint, which provides a macro implementing fixed-length big integer like U256 and U512.

impl<T> $crate::core_::ops::Add<T> for $name where T: Into<$name> {
    type Output = $name;

    fn add(self, other: T) -> $name {
        let (result, overflow) = self.overflowing_add(other.into());
        $crate::panic_on_overflow!(overflow);
        result
    }
}

impl $crate::core_::ops::Mul<$other> for $name {
    type Output = $name;

    fn mul(self, other: $other) -> $name {
        let bignum: $name = other.into();
        let (result, overflow) = self.overflowing_mul(bignum);
        $crate::panic_on_overflow!(overflow);
        result
    }
}

But the addition overflow in u64 will not cause a panic in release mode. I'm sorry for forgotting where I read this.

ChenxingLi avatar Jun 03 '20 10:06 ChenxingLi

please, the code is hard to understand. please add more description here. add TODO here, if someone clearly and provides some elegant way, he will fix it later.

xiaods avatar Jun 16 '20 04:06 xiaods