low

compiler crash during assert codegen

Reward

Total: 455.95 USDC
Selected: 455.95 USDC
Selected Submission

Severity

Low Risk

Summary

The Vyper compiler crashes while generating code for an assert statement.

Vulnerability Details

Good Code:

@external
def __init__():
    pass

@external
def test():
    x: uint256 = 1
    s: String[100] = "error"
    assert x == 1, s

This code works well.

Bad Code:

s: public(String[100])

@external
def __init__():
    self.s = "error"


@external
def test():
    x: uint256 = 1
    assert x == 1, self.s

This code will cause the compiler to crash.

ROOT CAUSE:

vyper/vyper/semantics/analysis/annotation.py

class StatementAnnotationVisitor(_AnnotationVisitorBase):
    ignored_types = (vy_ast.Break, vy_ast.Continue, vy_ast.Pass, vy_ast.Raise)

    def __init__(self, fn_node: vy_ast.FunctionDef, namespace: dict) -> None:
        self.func = fn_node._metadata["type"]
        self.namespace = namespace
        self.expr_visitor = ExpressionAnnotationVisitor(self.func)

        assert self.func.n_keyword_args == len(fn_node.args.defaults)
        for kwarg in self.func.keyword_args:
            self.expr_visitor.visit(kwarg.default_value, kwarg.typ)

    def visit(self, node):
        super().visit(node)

    def visit_AnnAssign(self, node):
        type_ = get_exact_type_from_node(node.target)
        self.expr_visitor.visit(node.target, type_)
        self.expr_visitor.visit(node.value, type_)

    def visit_Assert(self, node):
        self.expr_visitor.visit(node.test)

visit_Assert() visits node.test but does not visit node.msg. As a result, in /vyper/codegen/expr.py, Expr::parse_Attribute(self) cannot get the type of the expression, and the whole compiler crashes.
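A simplified model of this root cause, added here as an illustration and not taken from the Vyper code base. It uses Python's own ast module; the names SkipsMsg, VisitsMsg, reason_type, compile_assert and both symbol tables are hypothetical. It assumes local names resolve from a symbol table at codegen, while attribute access needs the type recorded by the annotation pass.

```python
import ast

LOCALS = {"x": "uint256", "s": "String[100]"}   # constructed local symbol table
STORAGE = {"s": "String[100]"}                  # constructed storage layout (self.s)

def annotate(expr):
    """Toy annotation pass: record a type in _metadata on each attribute node."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Attribute):
            sub._metadata = {"type": STORAGE[sub.attr]}

class SkipsMsg(ast.NodeVisitor):
    """Mirrors the reported visit_Assert: only node.test is annotated."""
    def visit_Assert(self, node):
        annotate(node.test)

class VisitsMsg(ast.NodeVisitor):
    """Hypothetical correction: also annotate node.msg when a reason is given."""
    def visit_Assert(self, node):
        annotate(node.test)
        if node.msg is not None:        # a bare assert has no reason expression
            annotate(node.msg)

def reason_type(msg):
    """Toy codegen for the revert reason expression."""
    if isinstance(msg, ast.Name):
        return LOCALS[msg.id]           # assumption: locals need no annotation
    # Attribute access depends on the annotation pass; KeyError if it was skipped.
    return getattr(msg, "_metadata", {})["type"]

def compile_assert(src, visitor):
    """Run the annotation pass, then codegen, over one assert statement."""
    stmt = ast.parse(src).body[0]
    visitor().visit(stmt)
    return None if stmt.msg is None else reason_type(stmt.msg)
```

With SkipsMsg, `assert x == 1, s` still compiles in the model while `assert x == 1, self.s` raises KeyError, matching the good and bad contracts above.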

Impact

Low Risk

Recommendations