🐞 Fix p extend memory bug (#1372)

Vectorized · web-flow · commit 15be9843d4da · 2025-03-10T12:22:49.000+08:00
diff --git a/src/utils/DynamicArrayLib.sol b/src/utils/DynamicArrayLib.sol
@@ -567,7 +567,7 @@ library DynamicArrayLib {
                 // Approximately more than double the capacity to ensure more than enough space.
                 let newCap := add(cap, or(cap, newArrBytesLen))
                 // If the memory is contiguous, we can simply expand it.
-                if iszero(or(xor(mload(0x40), add(arrData, add(0x20, cap))), eq(arrData, 0x60))) {
+                if iszero(or(xor(mload(0x40), add(arrData, add(0x20, cap))), iszero(cap))) {
                     mstore(sub(arrData, 0x20), mul(prime, newCap)) // Store the capacity.
                     mstore(0x40, add(arrData, add(0x20, newCap))) // Expand the memory allocation.
                     break
diff --git a/src/utils/DynamicBufferLib.sol b/src/utils/DynamicBufferLib.sol
@@ -101,7 +101,7 @@ library DynamicBufferLib {
                 // Approximately more than double the capacity to ensure more than enough space.
                 let newCap := and(add(cap, add(or(cap, newBufDataLen), 0x20)), w)
                 // If the memory is contiguous, we can simply expand it.
-                if iszero(or(xor(mload(0x40), add(bufData, add(0x40, cap))), eq(bufData, 0x60))) {
+                if iszero(or(xor(mload(0x40), add(bufData, add(0x40, cap))), iszero(cap))) {
                     // Store `cap * prime` in the word before the length.
                     mstore(add(bufData, w), mul(prime, newCap))
                     mstore(0x40, add(bufData, add(0x40, newCap))) // Expand the memory allocation.
diff --git a/src/utils/g/DynamicArrayLib.sol b/src/utils/g/DynamicArrayLib.sol
@@ -571,7 +571,7 @@ library DynamicArrayLib {
                 // Approximately more than double the capacity to ensure more than enough space.
                 let newCap := add(cap, or(cap, newArrBytesLen))
                 // If the memory is contiguous, we can simply expand it.
-                if iszero(or(xor(mload(0x40), add(arrData, add(0x20, cap))), eq(arrData, 0x60))) {
+                if iszero(or(xor(mload(0x40), add(arrData, add(0x20, cap))), iszero(cap))) {
                     mstore(sub(arrData, 0x20), mul(prime, newCap)) // Store the capacity.
                     mstore(0x40, add(arrData, add(0x20, newCap))) // Expand the memory allocation.
                     break
diff --git a/src/utils/g/DynamicBufferLib.sol b/src/utils/g/DynamicBufferLib.sol
@@ -105,7 +105,7 @@ library DynamicBufferLib {
                 // Approximately more than double the capacity to ensure more than enough space.
                 let newCap := and(add(cap, add(or(cap, newBufDataLen), 0x20)), w)
                 // If the memory is contiguous, we can simply expand it.
-                if iszero(or(xor(mload(0x40), add(bufData, add(0x40, cap))), eq(bufData, 0x60))) {
+                if iszero(or(xor(mload(0x40), add(bufData, add(0x40, cap))), iszero(cap))) {
                     // Store `cap * prime` in the word before the length.
                     mstore(add(bufData, w), mul(prime, newCap))
                     mstore(0x40, add(bufData, add(0x40, newCap))) // Expand the memory allocation.
diff --git a/test/DynamicArrayLib.t.sol b/test/DynamicArrayLib.t.sol
@@ -239,10 +239,73 @@ contract DynamicArrayLibTest is SoladyTest {
         }
     }
 
-    function testDynamicArrayCopy(uint256[] memory data) public {
+    function testDynamicArrayCopyOrAllSlice() public {
+        uint256[] memory data;
+        uint256[] memory data2 = new uint256[](1);
+        data2[0] = 600972374956821603611096798192277940001591154517179782006087886208744463727;
+        this.testDynamicArrayCopyOrAllSlice(data, data2, 0);
+    }
+
+    function testDynamicArrayCopyOrAllSlice(
+        uint256[] calldata data,
+        uint256[] calldata data2,
+        uint256 r
+    ) public {
+        DynamicArrayLib.DynamicArray memory a;
+        DynamicArrayLib.DynamicArray memory b;
+        DynamicArrayLib.DynamicArray memory aCopy;
+        for (uint256 i; i < data.length; ++i) {
+            a.p(data[i] & (2 ** 160 - 1));
+            b.p(data[i]);
+            if (r & 2 == 0) {
+                _checkMemory(a.data);
+                _checkMemory(b.data);
+            }
+        }
+        bytes32 h = keccak256(abi.encodePacked(b.data));
+        aCopy = r & 1 == 0 ? a.copy() : a.slice(0);
+        /// @solidity memory-safe-assembly
+        assembly {
+            log0(a, 0x20)
+            log0(b, 0x20)
+            log0(aCopy, 0x20)
+        }
+        for (uint256 i; i < data2.length; ++i) {
+            aCopy.p(data2[i]);
+        }
+        /// @solidity memory-safe-assembly
+        assembly {
+            log0(a, 0x20)
+            log0(b, 0x20)
+            log0(aCopy, 0x20)
+        }
+        for (uint256 i; i < data2.length; ++i) {
+            a.p(data2[i]);
+        }
+        /// @solidity memory-safe-assembly
+        assembly {
+            log0(a, 0x20)
+            log0(b, 0x20)
+            log0(aCopy, 0x20)
+        }
+        assertEq(a.data, aCopy.data);
+        assertEq(keccak256(abi.encodePacked(b.data)), h);
+    }
+
+    function testDynamicArrayCopy(uint256[] memory data, uint256 r) public {
+        if (r & 0xff00 == 0) {
+            /// @solidity memory-safe-assembly
+            assembly {
+                data := 0x60
+            }
+        }
         DynamicArrayLib.DynamicArray memory a;
         a.data = data;
         DynamicArrayLib.DynamicArray memory b = a.copy();
+        if (r & 2 == 0) {
+            _checkMemory(a.data);
+            _checkMemory(b.data);
+        }
         assertEq(a.data, b.data);
         a.p(1);
         assertNotEq(a.data, b.data);
