Open cyberthirst opened 2 months ago
Submitted by KuroHashDit.
There is a crash bug when vyper generates assert code.
Good Code:
@external def __init__(): pass @external def test(): x: uint256 = 1 s: String[100] = "error" assert x == 1, s
This code works well.
Bad Code:
s: public(String[100]) @external def __init__(): self.s = "error" @external def test(): x: uint256 = 1 assert x == 1, self.s
This code will cause the compiler to crash.
ROOT CAUSE:
vyper/vyper/semantics/analysis/annotation.py
class StatementAnnotationVisitor(_AnnotationVisitorBase): ignored_types = (vy_ast.Break, vy_ast.Continue, vy_ast.Pass, vy_ast.Raise) def __init__(self, fn_node: vy_ast.FunctionDef, namespace: dict) -> None: self.func = fn_node._metadata["type"] self.namespace = namespace self.expr_visitor = ExpressionAnnotationVisitor(self.func) assert self.func.n_keyword_args == len(fn_node.args.defaults) for kwarg in self.func.keyword_args: self.expr_visitor.visit(kwarg.default_value, kwarg.typ) def visit(self, node): super().visit(node) def visit_AnnAssign(self, node): type_ = get_exact_type_from_node(node.target) self.expr_visitor.visit(node.target, type_) self.expr_visitor.visit(node.value, type_) def visit_Assert(self, node): self.expr_visitor.visit(node.test)
in visit_Assert(), it doesn't visit node.msg. Then in /vyper/codegen/expr.py, Expr::parse_Attribute(self) cannot get the type of expression and then the whole compiler crashes.
compiles fine in the current master
Submitted by KuroHashDit.
Summary
There is a crash bug when vyper generates assert code.
Vulnerability Details
Good Code:
This code works well.
Bad Code:
This code will cause the compiler to crash.
ROOT CAUSE:
vyper/vyper/semantics/analysis/annotation.py
in visit_Assert(), it doesn't visit node.msg. Then in /vyper/codegen/expr.py, Expr::parse_Attribute(self) cannot get the type of expression and then the whole compiler crashes.