Skip to content

FunC optimizer incorrectly removes division-by-zero checks in muldiv, muldivc, and muldivr #1678

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Gusarich opened this issue May 20, 2025 · 0 comments
Open

FunC optimizer incorrectly removes division-by-zero checks in muldiv, muldivc, and muldivr #1678

Gusarich opened this issue May 20, 2025 · 0 comments

Comments

@Gusarich
Copy link

FunC’s optimizer improperly constant-folds expressions like muldiv(x, y, z), muldivc(x, y, z), and muldivr(x, y, z) to zero when either x or y is known to be zero, entirely ignoring the denominator z. According to TVM semantics, these instructions must fail with a division-by-zero error at runtime if z equals zero. The optimizer currently bypasses this check, causing incorrect behavior.

Minimal Example (muldiv):

Input FunC code:

int test(int z) {
    return muldiv(0, 1, z);
}

Incorrectly optimized output:

DECLPROC test
test PROC:<{
  DROP
  0 PUSHINT
}>

The same incorrect behavior occurs with muldivc and muldivr, since all three instructions share the same optimizer logic.

Expected Behavior:
The optimizer should not bypass runtime division-by-zero checks, allowing the TVM to correctly raise errors when the denominator (z) is zero.

Impact:
This bug silently prevents crucial runtime errors, potentially leading to incorrect or unintended behavior in deployed smart contracts.

LLM Fuzzing discovery (see tact-lang/tact#3123)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Gusarich