Linter: prevent orphaning of dynamic fields

MystenLabs / sui

Sui, a next-generation smart contract platform with high throughput, low latency, and an asset-oriented programming model powered by the Move programming language

https://sui.io

Apache License 2.0

6.22k stars 11.2k forks source link

Linter: prevent orphaning of dynamic fields #13816

Open awelc opened 1 year ago

awelc commented 1 year ago

Description

Why: The values bound to these dynamic fields will get orphaned when the struct value goes out of scope

Severity: High. Orphaning objects loses $$ because the storage rebate associated with the orphaned object can never be recovered

awelc commented 1 year ago

Another variant of this.

A struct may have multiple IDs:

struct X { 
  id: UID
  id2: UID
  id3: UID
}

struct Y {
  ids: vector<vector<UID>>
}

struct Z {
  ids: Table<String, UID>
}

We could try to figure out which UIDs have dynamic fields attached to them (step 1) and yell if you object::deleted on on of these UIDs.

awelc commented 1 year ago

Possible implementation strategy:

Basically implement a version of god’s borrow checker, that is a simple, set-based reference analysis that tracks references by their created path.
- We can be a bit lossy here so we could literally take the version of god’s borrow checker from the paper, and do not need to worry about the missing expressivity
- When you see a call to a dynamic (object) field API, record any fields that have dynamic fields added.
With the recorded map of what fields have had dynamic fields added, we proceed to the next analysis…
Implement a second version of something that looks like god’s borrow tracker, but instead tracking references it tracks UID values. Either newly created or struct fields
- When you see object::delete, check the source of that UID value (potentially more than 1 possible source). If the field of that source was in the recorded map generated in the first analysis (or if the UID was newly created in this scope), we give a lint warning.