List of Known Bugs - Solidity Chinese Documentation (12)


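Preface: The HiBlock blockchain community has set up a translation team to translate blockchain-related technical documents and materials. This article is the twelfth part of the Solidity documentation translation, "List of Known Bugs". It is published here to invite Solidity enthusiasts and developers to review it publicly. You can add the WeChat account baobaotalk_com with the verification text "solidity" and then send us your comments and suggestions, or leave a message in the comments area at the end of the article. Valid suggestions will be adopted and merged into the next version, and we will send you a small gift as thanks.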

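Below you can find a JSON-formatted list of some of the known security-relevant bugs in the Solidity compiler. The file itself is hosted in the GitHub repository (https://github.com/ethereum/solidity/blob/develop/docs/bugs.json). The list goes back as far as version 0.3.0; bugs that were present only in versions before that are not listed.

There is also another file, bugs_by_version.json (https://github.com/ethereum/solidity/blob/develop/docs/bugs_by_version.json), which can be used to check which bugs affect a specific version of the compiler.

Contract source verification tools and other tools that interact with contracts should consult the bug list files above according to the following rules: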

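  • It is mildly suspicious if a contract was compiled with a nightly build of the compiler rather than a released version. The bug list above does not keep track of unreleased or nightly versions.

  • It is also suspicious if a contract was compiled with a version that was not the most recent compiler release at the time the contract was created. For contracts created by other contracts, you have to follow the creation chain back to the original transaction and use the date of that transaction as the creation date.

  • It is highly suspicious if a contract was compiled with a compiler that contains a known bug and, at the time the contract was created, a newer compiler version containing the fix had already been released.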

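The JSON file of known bugs below is in fact an array of objects, one for each bug, with the following keys:

name

Unique name given to the bug

summary

Short description of the bug

description

Detailed description of the bug

link

Link to a page with more detailed information, optional

introduced

The first released compiler version that contains the bug, optional

fixed

The first released compiler version that no longer contains the bug

publish

The date on which the bug became publicly known, optional

severity

Severity of the bug: very low, low, medium, high. It takes into account discoverability in contract tests, likelihood of occurrence and the potential damage if exploited.

conditions

Conditions that have to be met to trigger the bug. Currently, this is an object containing a boolean value optimizer, which means that the bug is only triggered when the optimizer is switched on. If no conditions are given, the bug is always present.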

[
   {
       "name": "OneOfTwoConstructorsSkipped",
       "summary": "If a contract has both a new-style constructor (using the constructor keyword) and an old-style constructor (a function with the same name as the contract) at the same time, one of them will be ignored.",
       "description": "If a contract has both a new-style constructor (using the constructor keyword) and an old-style constructor (a function with the same name as the contract) at the same time, one of them will be ignored. There will be a compiler warning about the old-style constructor, so contracts only using new-style constructors are fine.",
       "introduced": "0.4.22",
       "fixed": "0.4.23",
       "severity": "very low"
   },
   {
       "name": "ZeroFunctionSelector",
       "summary": "It is possible to craft the name of a function such that it is executed instead of the fallback function in very specific circumstances.",
       "description": "If a function has a selector consisting only of zeros, is payable and part of a contract that does not have a fallback function and at most five external functions in total, this function is called instead of the fallback function if Ether is sent to the contract without data.",
       "fixed": "0.4.18",
       "severity": "very low"
   },
   {
       "name": "DelegateCallReturnValue",
       "summary": "The low-level .delegatecall() does not return the execution outcome, but converts the value returned by the functioned called to a boolean instead.",
       "description": "The return value of the low-level .delegatecall() function is taken from a position in memory, where the call data or the return data resides. This value is interpreted as a boolean and put onto the stack. This means if the called function returns at least 32 zero bytes, .delegatecall() returns false even if the call was successuful.",
       "introduced": "0.3.0",
       "fixed": "0.4.15",
       "severity": "low"
   },
   {
       "name": "ECRecoverMalformedInput",
       "summary": "The ecrecover() builtin can return garbage for malformed input.",
       "description": "The ecrecover precompile does not properly signal failure for malformed input (especially in the 'v' argument) and thus the Solidity function can return data that was previously present in the return area in memory.",
       "fixed": "0.4.14",
       "severity": "medium"
   },
   {
       "name": "SkipEmptyStringLiteral",
       "summary": "If \"\" is used in a function call, the following function arguments will not be correctly passed to the function.",
       "description": "If the empty string literal \"\" is used as an argument in a function call, it is skipped by the encoder. This has the effect that the encoding of all arguments following this is shifted left by 32 bytes and thus the function call data is corrupted.",
       "fixed": "0.4.12",
       "severity": "low"
   },
   {
       "name": "ConstantOptimizerSubtraction",
       "summary": "In some situations, the optimizer replaces certain numbers in the code with routines that compute different numbers.",
       "description": "The optimizer tries to represent any number in the bytecode by routines that compute them with less gas. For some special numbers, an incorrect routine is generated. This could allow an attacker to e.g. trick victims about a specific amount of ether, or function calls to call different functions (or none at all).",
       "link": "https://blog.ethereum.org/2017/05/03/solidity-optimizer-bug/",
       "fixed": "0.4.11",
       "severity": "low",
       "conditions": {
           "optimizer": true
       }
   },
   {
       "name": "IdentityPrecompileReturnIgnored",
       "summary": "Failure of the identity precompile was ignored.",
       "description": "Calls to the identity contract, which is used for copying memory, ignored its return value. On the public chain, calls to the identity precompile can be made in a way that they never fail, but this might be different on private chains.",
       "severity": "low",
       "fixed": "0.4.7"
   },
   {
       "name": "OptimizerStateKnowledgeNotResetForJumpdest",
       "summary": "The optimizer did not properly reset its internal state at jump destinations, which could lead to data corruption.",
       "description": "The optimizer performs symbolic execution at certain stages. At jump destinations, multiple code paths join and thus it has to compute a common state from the incoming edges. Computing this common state was simplified to just use the empty state, but this implementation was not done properly. This bug can cause data corruption.",
       "severity": "medium",
       "introduced": "0.4.5",
       "fixed": "0.4.6",
       "conditions": {
           "optimizer": true
       }
   },
   {
       "name": "HighOrderByteCleanStorage",
       "summary": "For short types, the high order bytes were not cleaned properly and could overwrite existing data.",
       "description": "Types shorter than 32 bytes are packed together into the same 32 byte storage slot, but storage writes always write 32 bytes. For some types, the higher order bytes were not cleaned properly, which made it sometimes possible to overwrite a variable in storage when writing to another one.",
       "link": "https://blog.ethereum.org/2016/11/01/security-alert-solidity-variables-can-overwritten-storage/",
       "severity": "high",
       "introduced": "0.1.6",
       "fixed": "0.4.4"
   },
   {
       "name": "OptimizerStaleKnowledgeAboutSHA3",
       "summary": "The optimizer did not properly reset its knowledge about SHA3 operations resulting in some hashes (also used for storage variable positions) not being calculated correctly.",
       "description": "The optimizer performs symbolic execution in order to save re-evaluating expressions whose value is already known. This knowledge was not properly reset across control flow paths and thus the optimizer sometimes thought that the result of a SHA3 operation is already present on the stack. This could result in data corruption by accessing the wrong storage slot.",
       "severity": "medium",
       "fixed": "0.4.3",
       "conditions": {
           "optimizer": true
       }
   },
   {
       "name": "LibrariesNotCallableFromPayableFunctions",
       "summary": "Library functions threw an exception when called from a call that received Ether.",
       "description": "Library functions are protected against sending them Ether through a call. Since the DELEGATECALL opcode forwards the information about how much Ether was sent with a call, the library function incorrectly assumed that Ether was sent to the library and threw an exception.",
       "severity": "low",
       "introduced": "0.4.0",
       "fixed": "0.4.2"
   },
   {
       "name": "SendFailsForZeroEther",
       "summary": "The send function did not provide enough gas to the recipient if no Ether was sent with it.",
       "description": "The recipient of an Ether transfer automatically receives a certain amount of gas from the EVM to handle the transfer. In the case of a zero-transfer, this gas is not provided which causes the recipient to throw an exception.",
       "severity": "low",
       "fixed": "0.4.0"
   },
   {
       "name": "DynamicAllocationInfiniteLoop",
       "summary": "Dynamic allocation of an empty memory array caused an infinite loop and thus an exception.",
       "description": "Memory arrays can be created provided a length. If this length is zero, code was generated that did not terminate and thus consumed all gas.",
       "severity": "low",
       "fixed": "0.3.6"
   },
   {
       "name": "OptimizerClearStateOnCodePathJoin",
       "summary": "The optimizer did not properly reset its internal state at jump destinations, which could lead to data corruption.",
       "description": "The optimizer performs symbolic execution at certain stages. At jump destinations, multiple code paths join and thus it has to compute a common state from the incoming edges. Computing this common state was not done correctly. This bug can cause data corruption, but it is probably quite hard to use for targeted attacks.",
       "severity": "low",
       "fixed": "0.3.6",
       "conditions": {
           "optimizer": true
       }
   },
   {
       "name": "CleanBytesHigherOrderBits",
       "summary": "The higher order bits of short bytesNN types were not cleaned before comparison.",
       "description": "Two variables of type bytesNN were considered different if their higher order bits, which are not part of the actual value, were different. An attacker might use this to reach seemingly unreachable code paths by providing incorrectly formatted input data.",
       "severity": "medium/high",
       "fixed": "0.3.3"
   },
   {
       "name": "ArrayAccessCleanHigherOrderBits",
       "summary": "Access to array elements for arrays of types with less than 32 bytes did not correctly clean the higher order bits, causing corruption in other array elements.",
       "description": "Multiple elements of an array of values that are shorter than 17 bytes are packed into the same storage slot. Writing to a single element of such an array did not properly clean the higher order bytes and thus could lead to data corruption.",
       "severity": "medium/high",
       "fixed": "0.3.1"
   },
   {
       "name": "AncientCompiler",
       "summary": "This compiler version is ancient and might contain several undocumented or undiscovered bugs.",
       "description": "The list of bugs is only kept for compiler versions starting from 0.3.0, so older versions might contain undocumented bugs.",
       "severity": "high",
       "fixed": "0.3.0"
   }

]
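
An added example (not part of the Solidity documentation or of the original article): a version check that applies the `introduced`, `fixed` and `conditions` keys to a subset of the list above. The function names, the conservative handling of an unknown optimizer setting and the rule that a `-` suffix marks a nightly or pre-release build are assumptions of this example.

```python
import re

# Subset of the bug list above, reduced to the keys the check needs.
BUGS = [
    {"name": "OneOfTwoConstructorsSkipped", "introduced": "0.4.22", "fixed": "0.4.23"},
    {"name": "DelegateCallReturnValue", "introduced": "0.3.0", "fixed": "0.4.15"},
    {"name": "ECRecoverMalformedInput", "fixed": "0.4.14"},
    {"name": "ConstantOptimizerSubtraction", "fixed": "0.4.11",
     "conditions": {"optimizer": True}},
    {"name": "AncientCompiler", "fixed": "0.3.0"},
]

def parse_version(text):
    """Return ((major, minor, patch), is_release) for a compiler version string."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    suffix = m.group(4)
    # Assumption: a pre-release suffix starts with "-" (e.g. "-nightly...");
    # "+commit..." build metadata on a release is ignored.
    return tuple(int(g) for g in m.group(1, 2, 3)), not suffix.startswith("-")

def applicable_bugs(version, optimizer=None, bugs=BUGS):
    """List names of bugs affecting `version`. optimizer=None means unknown,
    in which case optimizer-conditional bugs are kept (conservative)."""
    ver, is_release = parse_version(version)
    if not is_release:
        # First rule above: nightly builds are not tracked by the list.
        raise ValueError("nightly/pre-release build: not tracked by the bug list")
    hits = []
    for bug in bugs:
        if "introduced" in bug and ver < parse_version(bug["introduced"])[0]:
            continue  # compiled before the bug existed
        if ver >= parse_version(bug["fixed"])[0]:
            continue  # compiled with a release that no longer has the bug
        needs_opt = bug.get("conditions", {}).get("optimizer")
        if needs_opt and optimizer is False:
            continue  # bug only triggers with the optimizer enabled
        hits.append(bug["name"])
    return hits
```

A missing `introduced` key is treated as "present in every release before `fixed`", which is why a pre-0.3.0 version also matches `AncientCompiler`.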

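Further reading: Smart Contracts - Solidity Official Documentation (1)

Installing the Solidity Compiler - Solidity Official Documentation (2)

Solidity by Example - Solidity Official Documentation (3)

Understanding Solidity in Depth: Layout of a Source File and Structure of a Contract - Solidity Chinese Documentation (4)

Security Considerations - Solidity Chinese Documentation (5)

Contract Metadata - Solidity Chinese Documentation (6)

Application Binary Interface (ABI) Specification - Solidity Chinese Documentation (7)

Using the Compiler - Solidity Chinese Documentation (8)

Yul Language and Object Specification - Solidity Chinese Documentation (9)

Style Guide - Solidity Chinese Documentation (10)

Common Patterns - Solidity Chinese Documentation (11)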


The content of this article comes from the HiBlock blockchain community translation team; thanks to all the translators for their hard work.
