Yul expression simplifier: Don't substitute out of scope variables

clonker · clonker · commit b22b2a6d853f · 2025-08-15T09:07:05.000+02:00
In some circumstances (in particular if not the AST is not in SSA form), it could happen that the ExpressionSimplifier would substitute out-of-scope variables.
diff --git a/Changelog.md b/Changelog.md
@@ -7,6 +7,7 @@ Compiler Features:
 
 Bugfixes:
 * Assembler: Fix not using a fixed-width type for IDs being assigned to subassemblies nested more than one level away, resulting in inconsistent `--asm-json` output between target architectures.
+* Yul Optimizer: Fix edge case in which invalid Yul code is produced by ExpressionSimplifier due to expressions being substituted that contain out-of-scope variables.
 
 ### 0.8.30 (2025-05-07)
 
diff --git a/libyul/optimiser/ExpressionSimplifier.cpp b/libyul/optimiser/ExpressionSimplifier.cpp
@@ -25,6 +25,7 @@
 #include <libyul/optimiser/SimplificationRules.h>
 #include <libyul/optimiser/OptimiserStep.h>
 #include <libyul/optimiser/OptimizerUtilities.h>
+#include <libyul/optimiser/Semantics.h>
 #include <libyul/AST.h>
 #include <libyul/Utilities.h>
 
@@ -45,7 +46,19 @@ void ExpressionSimplifier::visit(Expression& _expression)
 	while (auto const* match = SimplificationRules::findFirstMatch(
 		_expression,
 		m_dialect,
-		[this](YulName _var) { return variableValue(_var); }
+		[this](YulName const& _var) -> AssignedValue const* {
+			AssignedValue const* value = variableValue(_var);
+			if (!value || !value->value)
+				return nullptr;
+
+			// check that all variables in the value expression are in current scope
+			MovableChecker const checker(m_dialect, *value->value);
+			for (YulName const& referencedVar: checker.referencedVariables())
+				if (!inScope(referencedVar))
+					return nullptr;  // don't substitute if any referenced var is out of scope
+
+			return value;
+		}
 	))
 	{
 		auto const* evmDialect = dynamic_cast<EVMDialect const*>(&m_dialect);
diff --git a/test/libyul/yulOptimizerTests/expressionSimplifier/invalid_match.yul b/test/libyul/yulOptimizerTests/expressionSimplifier/invalid_match.yul
@@ -0,0 +1,34 @@
+// regression test for https://github.com/ethereum/solidity/issues/16155
+{
+    function identity(value) -> ret { ret := value }
+
+    function f() -> ret
+    {
+        let id1 := identity(0x01)
+        let x := 0x05
+        {
+            let const_six := 0x06
+            let id2 := identity(0x01)
+            x := or(0x06, id2)
+        }
+        // check that we don't substitute `or(const_six, id2)` for `x`
+        ret := or(id1, x)
+    }
+
+    mstore(42, f())
+}
+// ----
+// step: expressionSimplifier
+//
+// {
+//     { mstore(42, f()) }
+//     function identity(value) -> ret
+//     { ret := value }
+//     function f() -> ret_1
+//     {
+//         let id1 := identity(0x01)
+//         let x := 0x05
+//         { x := or(0x06, id1) }
+//         ret_1 := or(id1, x)
+//     }
+// }
