Description
Gigahorse's TAC output incorrectly handles inline assembly switch statements in a Solidity contract. The switchFunc in the provided contract uses inline assembly to check the function selector, returning 0x...01 for 0xa9059cbb (transfer) and 0x...00 otherwise. In the TAC file, when the selector matches 0xa9059cbb and enters the corresponding block (e.g., 0x5c), there is no RETURNPRIVATE instruction to handle the return value, causing analysis errors.
Steps to Reproduce
- Contract:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract Switch {
    function switchFunc() public pure returns (bytes32 result) {
        assembly {
            let selector := shr(224, calldataload(0))
            switch selector
            case 0xa9059cbb {
                result := 0x0000000000000000000000000000000000000000000000000000000000000001
            }
            default {
                result := 0x0000000000000000000000000000000000000000000000000000000000000000
            }
        }
    }
}
```

- Runtime Bytecode:

```
0x6080604052348015600e575f80fd5b50600436106026575f3560e01c8063ecc56f2f14602a575b5f80fd5b60306044565b604051603b9190607c565b60405180910390f35b5f803560e01c8063a9059cbb8114605c575f92506061565b600192505b505090565b5f819050919050565b6076816066565b82525050565b5f602082019050608d5f830184606f565b9291505056fea26469706673582212205d3632ef267ecc641af94231ff154a370ca81f4bfe4730698d849be01a4afecd64736f6c63430008140033
```

- TAC Output:

```
Begin block 0xd5B0x2a
prev=[0x44B0x2a], succ=[0x30]
=================================
0xd6S0x2a: vd6V2a(0x5c) = CONST
0xd7S0x2a: CALLPRIVATE vd6V2a(0x5c), v4aV2a, v4aV2a, v45V2a(0x0), v2b(0x30)

function transfer(address,uint256)(v5carg0, v5carg1, v5carg2(0x0), v5carg3) public {
Begin block 0x5c
prev=[], succ=[0x610x5c]
=================================
0x5d: v5d(0x1) = CONST

Begin block 0x610x5c
prev=[0x5c], succ=[]
=================================
0x650x5c: JUMP v5carg3
}
```
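
An added example, not part of the issue and not Gigahorse code: a minimal disassembler for bytes 0x44 to 0x65 of the runtime bytecode above (the body of `switchFunc`), for cross-checking the TAC blocks against the bytecode. The opcode table covers only the opcodes in that slice, and the function names are this example's own.

```python
# Added example: EVM disassembly of the switchFunc body from the issue.
# BODY is bytes 0x44..0x65 of the runtime bytecode posted above.
BASE = 0x44
BODY = bytes.fromhex("5b5f803560e01c8063a9059cbb8114605c575f92506061565b600192505b50509056")
# Only the opcodes that occur in this slice, plus the PUSHn/DUPn/SWAPn ranges.
NAMES = {0x14: "EQ", 0x1c: "SHR", 0x35: "CALLDATALOAD", 0x50: "POP",
         0x56: "JUMP", 0x57: "JUMPI", 0x5b: "JUMPDEST", 0x5f: "PUSH0"}
NAMES.update({0x5f + n: f"PUSH{n}" for n in range(1, 33)})
NAMES.update({0x7f + n: f"DUP{n}" for n in range(1, 17)})
NAMES.update({0x8f + n: f"SWAP{n}" for n in range(1, 17)})

def disassemble(code, base):
    """Return [(offset, mnemonic, immediate or None)]."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        width = op - 0x5f if 0x60 <= op <= 0x7f else 0  # PUSHn immediate bytes
        imm = int.from_bytes(code[i + 1:i + 1 + width], "big") if width else None
        out.append((base + i, NAMES.get(op, f"UNKNOWN_{op:02x}"), imm))
        i += 1 + width
    return out

def basic_blocks(ins):
    """Split at JUMPDEST and after JUMP/JUMPI: {start offset: instructions}."""
    blocks, cur = {}, None
    for off, name, imm in ins:
        if cur is None or name == "JUMPDEST":
            cur = off
            blocks[cur] = []
        blocks[cur].append((off, name, imm))
        if name in ("JUMP", "JUMPI"):
            cur = None
    return blocks

def successors(blocks):
    """Static successors; 'dynamic' means the JUMP target is on the stack."""
    starts, succ = sorted(blocks), {}
    for start, nxt in zip(starts, starts[1:] + [None]):
        body = blocks[start]
        pushed = body[-2][2] if len(body) > 1 else None
        target = "dynamic" if pushed is None else pushed
        succ[start] = {"JUMP": [target], "JUMPI": [target, nxt]}.get(body[-1][1], [nxt])
    return succ

if __name__ == "__main__":
    blocks = basic_blocks(disassemble(BODY, BASE))
    for start, nxt in successors(blocks).items():
        print(hex(start), [i[1] for i in blocks[start]], "->", nxt)
```

On this slice, both arms of the switch (the blocks at 0x56 and 0x5c) lead to 0x61, and the JUMP at 0x65 takes its target from the stack rather than from a preceding PUSH.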