crash due to missing var_info in struct attribute

Severity

Low Risk

Relevant GitHub Links

https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/semantics/analysis/base.py#L249-L253

Summary

Compiler crashes due to missing var_info in struct attribute when it validates modifications for immutable variables.

Vulnerability Details

For immutable variables, the number of modifications is tracked. If the surpasses 1, an exception is raised: https://github.com/vyperlang/vyper/blob/3b310d5292c4d1448e673d7b3adb223f9353260e/vyper/semantics/analysis/base.py#L249-L253

The tracking is done using the attribute var_info. In certain scenarios this attribute is missing and the compiler crashes.

PoC

Suppose the following contract:

#@version ^0.3.9

struct B:
    v1: int128
    v2: decimal

struct A:
    v: B

val: public(immutable(A))


@external
def __init__():
    val = A({v: B({v1: 0, v2: 0.0})})
    val.v.v1 += 666

When compiling the compiler crashes with:

AttributeError: 'NoneType' object has no attribute '_modification_count'

Impact

The compiler doesn't handle the modification checks (and possibly the var_info assignments) correctly for all contracts, this could lead to undefined behavior. However, we didn't find such a scenario. As such, the impact is mainly a confusing error for the developer, which can slow down the development process.

Tools Used

Manual testing.

Recommendations

The semantic analyzer most likely doesn't properly annotate all the relevant nodes with var_info (or annotates them too late). Ensure that the nodes have the necessary info needed to perform all the semantic passes.