Add callWithExactGas lib (#11009)

* add callWithExactGas lib

* add fuzz test

* dup code to make it more safe

* add _callWithExactGasEvenIfTargetIsNoContract

* make args order consistent

* add callWithExactGasEvenIfTargetIsNoContract tests

* improve tests

* update snapshot

* properly name fuzz test

* fix comments

* improve testing logic

* return gas used in _callWithExactGasSafeReturnData (#11106)

* fix function selector blacklist in fuzz test

* Update shared.gas-snapshot

* use constant revert reasons

* fix solhint

* fix ref

* style nits and let all return success

* fix solhint

contracts/GNUmakefile

@@ -18,6 +18,11 @@ ALL_FOUNDRY_PRODUCTS = llo-feeds functions shared
 snapshot: ## Make a snapshot for a specific product.
 	export FOUNDRY_PROFILE=$(FOUNDRY_PROFILE) && forge snapshot --nmt "testFuzz_\w{1,}?" --snap gas-snapshots/$(FOUNDRY_PROFILE).gas-snapshot
 
+.PHONY: snapshot-diff
+snapshot-diff: ## Make a snapshot for a specific product.
+	export FOUNDRY_PROFILE=$(FOUNDRY_PROFILE) && forge snapshot --nmt "testFuzz_\w{1,}?" --diff gas-snapshots/$(FOUNDRY_PROFILE).gas-snapshot
+
+
 .PHONY: snapshot-all
 snapshot-all: ## Make a snapshot for all products.
 	for foundry_profile in $(ALL_FOUNDRY_PRODUCTS) ; do \

contracts/gas-snapshots/shared.gas-snapshot

@@ -25,6 +25,22 @@ BurnMintERC677_mint:testSenderNotMinterReverts() (gas: 11195)
 BurnMintERC677_supportsInterface:testConstructorSuccess() (gas: 8685)
 BurnMintERC677_transfer:testInvalidAddressReverts() (gas: 10639)
 BurnMintERC677_transfer:testTransferSuccess() (gas: 39462)
+CallWithExactGas__callWithExactGas:test_CallWithExactGasReceiverErrorSuccess() (gas: 66918)
+CallWithExactGas__callWithExactGas:test_CallWithExactGasSafeReturnDataExactGas() (gas: 22615)
+CallWithExactGas__callWithExactGas:test_NoContractReverts() (gas: 11559)
+CallWithExactGas__callWithExactGas:test_NoGasForCallExactCheckReverts() (gas: 12908)
+CallWithExactGas__callWithExactGas:test_NotEnoughGasForCallReverts() (gas: 13361)
+CallWithExactGas__callWithExactGas:test_callWithExactGasSuccess(bytes,bytes4) (runs: 256, μ: 15477, ~: 15418)
+CallWithExactGas__callWithExactGasEvenIfTargetIsNoContract:test_CallWithExactGasEvenIfTargetIsNoContractExactGasSuccess() (gas: 19147)
+CallWithExactGas__callWithExactGasEvenIfTargetIsNoContract:test_CallWithExactGasEvenIfTargetIsNoContractReceiverErrorSuccess() (gas: 67096)
+CallWithExactGas__callWithExactGasEvenIfTargetIsNoContract:test_CallWithExactGasEvenIfTargetIsNoContractSuccess(bytes,bytes4) (runs: 256, μ: 15675, ~: 15616)
+CallWithExactGas__callWithExactGasEvenIfTargetIsNoContract:test_NoContractSuccess() (gas: 9816)
+CallWithExactGas__callWithExactGasEvenIfTargetIsNoContract:test_NoGasForCallExactCheckReturnFalseSuccess() (gas: 9578)
+CallWithExactGas__callWithExactGasEvenIfTargetIsNoContract:test_NotEnoughGasForCallReturnsFalseSuccess() (gas: 9890)
+CallWithExactGas__callWithExactGasSafeReturnData:test_CallWithExactGasSafeReturnDataExactGas() (gas: 19017)
+CallWithExactGas__callWithExactGasSafeReturnData:test_NoContractReverts() (gas: 13949)
+CallWithExactGas__callWithExactGasSafeReturnData:test_NoGasForCallExactCheckReverts() (gas: 13239)
+CallWithExactGas__callWithExactGasSafeReturnData:test_NotEnoughGasForCallReverts() (gas: 13670)
 OpStackBurnMintERC677_constructor:testConstructorSuccess() (gas: 1739317)
 OpStackBurnMintERC677_interfaceCompatibility:testBurnCompatibility() (gas: 263373)
 OpStackBurnMintERC677_interfaceCompatibility:testMintCompatibility() (gas: 137957)

contracts/package.json

@@ -18,7 +18,7 @@
     "prepublishOnly": "pnpm compile && ./scripts/prepublish_generate_abi_folder",
     "publish-beta": "pnpm publish --tag beta",
     "publish-prod": "npm dist-tag add @chainlink/[email protected] latest",
-    "solhint": "solhint --max-warnings 369 \"./src/v0.8/**/*.sol\""
+    "solhint": "solhint --max-warnings 376 \"./src/v0.8/**/*.sol\""
   },
   "files": [
     "src/v0.8",

contracts/src/v0.8/shared/call/CallWithExactGas.sol

@@ -0,0 +1,162 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+/// @notice This library contains various callWithExactGas functions. All of them are
+/// safe from gas bomb attacks.
+/// @dev There is code duplication in this library. This is done to not leave the assembly
+/// the blocks.
+library CallWithExactGas {
+  error NoContract();
+  error NoGasForCallExactCheck();
+  error NotEnoughGasForCall();
+
+  bytes4 internal constant NO_CONTRACT_SIG = 0x0c3b563c;
+  bytes4 internal constant NO_GAS_FOR_CALL_EXACT_CHECK_SIG = 0xafa32a2c;
+  bytes4 internal constant NOT_ENOUGH_GAS_FOR_CALL_SIG = 0x37c3be29;
+
+  /// @notice calls target address with exactly gasAmount gas and payload as calldata.
+  /// Accounts for gasForCallExactCheck gas that will be used by this function. Will revert
+  /// if the target is not a contact. Will revert when there is not enough gas to call the
+  /// target with gasAmount gas.
+  /// @dev Ignores the return data, which makes it immune to gas bomb attacks.
+  /// @return success whether the call succeeded
+  function _callWithExactGas(
+    bytes memory payload,
+    address target,
+    uint256 gasLimit,
+    uint16 gasForCallExactCheck
+  ) internal returns (bool success) {
+    assembly {
+      // solidity calls check that a contract actually exists at the destination, so we do the same
+      // Note we do this check prior to measuring gas so gasForCallExactCheck (our "cushion")
+      // doesn't need to account for it.
+      if iszero(extcodesize(target)) {
+        mstore(0x0, NO_CONTRACT_SIG)
+        revert(0x0, 0x4)
+      }
+
+      let g := gas()
+      // Compute g -= gasForCallExactCheck and check for underflow
+      // The gas actually passed to the callee is _min(gasAmount, 63//64*gas available).
+      // We want to ensure that we revert if gasAmount >  63//64*gas available
+      // as we do not want to provide them with less, however that check itself costs
+      // gas. gasForCallExactCheck ensures we have at least enough gas to be able
+      // to revert if gasAmount >  63//64*gas available.
+      if lt(g, gasForCallExactCheck) {
+        mstore(0x0, NO_GAS_FOR_CALL_EXACT_CHECK_SIG)
+        revert(0x0, 0x4)
+      }
+      g := sub(g, gasForCallExactCheck)
+      // if g - g//64 <= gasAmount, revert. We subtract g//64 because of EIP-150
+      if iszero(gt(sub(g, div(g, 64)), gasLimit)) {
+        mstore(0x0, NOT_ENOUGH_GAS_FOR_CALL_SIG)
+        revert(0x0, 0x4)
+      }
+
+      // call and return whether we succeeded. ignore return data
+      // call(gas,addr,value,argsOffset,argsLength,retOffset,retLength)
+      success := call(gasLimit, target, 0, add(payload, 0x20), mload(payload), 0x0, 0x0)
+    }
+    return success;
+  }
+
+  /// @notice calls target address with exactly gasAmount gas and payload as calldata.
+  /// Account for gasForCallExactCheck gas that will be used by this function. Will revert
+  /// if the target is not a contact. Will revert when there is not enough gas to call the
+  /// target with gasAmount gas.
+  /// @dev Caps the return data length, which makes it immune to gas bomb attacks.
+  /// @dev Return data cap logic borrowed from
+  /// https://github.com/nomad-xyz/ExcessivelySafeCall/blob/main/src/ExcessivelySafeCall.sol.
+  /// @return success whether the call succeeded
+  /// @return retData the return data from the call, capped at maxReturnBytes bytes
+  /// @return gasUsed the gas used by the external call. Does not include the overhead of this function.
+  function _callWithExactGasSafeReturnData(
+    bytes memory payload,
+    address target,
+    uint256 gasLimit,
+    uint16 gasForCallExactCheck,
+    uint16 maxReturnBytes
+  ) internal returns (bool success, bytes memory retData, uint256 gasUsed) {
+    // allocate retData memory ahead of time
+    retData = new bytes(maxReturnBytes);
+
+    assembly {
+      // solidity calls check that a contract actually exists at the destination, so we do the same
+      // Note we do this check prior to measuring gas so gasForCallExactCheck (our "cushion")
+      // doesn't need to account for it.
+      if iszero(extcodesize(target)) {
+        mstore(0x0, NO_CONTRACT_SIG)
+        revert(0x0, 0x4)
+      }
+
+      let g := gas()
+      // Compute g -= gasForCallExactCheck and check for underflow
+      // The gas actually passed to the callee is _min(gasAmount, 63//64*gas available).
+      // We want to ensure that we revert if gasAmount >  63//64*gas available
+      // as we do not want to provide them with less, however that check itself costs
+      // gas. gasForCallExactCheck ensures we have at least enough gas to be able
+      // to revert if gasAmount >  63//64*gas available.
+      if lt(g, gasForCallExactCheck) {
+        mstore(0x0, NO_GAS_FOR_CALL_EXACT_CHECK_SIG)
+        revert(0x0, 0x4)
+      }
+      g := sub(g, gasForCallExactCheck)
+      // if g - g//64 <= gasAmount, revert. We subtract g//64 because of EIP-150
+      if iszero(gt(sub(g, div(g, 64)), gasLimit)) {
+        mstore(0x0, NOT_ENOUGH_GAS_FOR_CALL_SIG)
+        revert(0x0, 0x4)
+      }
+
+      // We save the gas before the call so we can calculate how much gas the call used
+      let gasBeforeCall := gas()
+      // call and return whether we succeeded. ignore return data
+      // call(gas,addr,value,argsOffset,argsLength,retOffset,retLength)
+      success := call(gasLimit, target, 0, add(payload, 0x20), mload(payload), 0x0, 0x0)
+      gasUsed := sub(gasBeforeCall, gas())
+
+      // limit our copy to maxReturnBytes bytes
+      let toCopy := returndatasize()
+      if gt(toCopy, maxReturnBytes) {
+        toCopy := maxReturnBytes
+      }
+      // Store the length of the copied bytes
+      mstore(retData, toCopy)
+      // copy the bytes from retData[0:_toCopy]
+      returndatacopy(add(retData, 0x20), 0x0, toCopy)
+    }
+    return (success, retData, gasUsed);
+  }
+
+  /// @notice Calls target address with exactly gasAmount gas and payload as calldata
+  /// or reverts if at least gasLimit gas is not available.
+  /// @dev Does not check if target is a contract. If it is not a contract, the low-level
+  /// call will still be made and it will succeed.
+  /// @dev Ignores the return data, which makes it immune to gas bomb attacks.
+  /// @return success whether the call succeeded
+  /// @return sufficientGas Whether there was enough gas to make the call
+  function _callWithExactGasEvenIfTargetIsNoContract(
+    bytes memory payload,
+    address target,
+    uint256 gasLimit,
+    uint16 gasForCallExactCheck
+  ) internal returns (bool success, bool sufficientGas) {
+    assembly {
+      let g := gas()
+      // Compute g -= CALL_WITH_EXACT_GAS_CUSHION and check for underflow. We
+      // need the cushion since the logic following the above call to gas also
+      // costs gas which we cannot account for exactly. So cushion is a
+      // conservative upper bound for the cost of this logic.
+      if iszero(lt(g, gasForCallExactCheck)) {
+        g := sub(g, gasForCallExactCheck)
+        // If g - g//64 <= gasAmount, we don't have enough gas. We subtract g//64 because of EIP-150.
+        if gt(sub(g, div(g, 64)), gasLimit) {
+          // Call and ignore success/return data. Note that we did not check
+          // whether a contract actually exists at the target address.
+          success := call(gasLimit, target, 0, add(payload, 0x20), mload(payload), 0x0, 0x0)
+          sufficientGas := true
+        }
+      }
+    }
+    return (success, sufficientGas);
+  }
+}