Update contracts to support Solidity 0.8.x

[andrekorol]

Fixes #2441

Contracts' solidity version pragmas were updated to support Solidity 0.8.x.

Changes include:

• Updated explicit type conversions that conform with the new restrictions.
• Functions that rely on chainid in inline assembly are now view instead of pure.

Important Note: Some tests are still not passing because since 0.8.0 failing assertions and other internal checks like division by zero or arithmetic overflow do not use the invalid opcode, but instead the revert opcode. And I believe that this is something worth discussing how to handle before making any changes to the current test cases.

[frangio]

Thanks @andrekorol! We in fact want to remove all uses of SafeMath from the library now that checked arithmetic is built into Solidity.

We have to discuss whether we want to remove SafeMath entirely, though. It may make sense to deprecate it but still keep the interface for a while for backwards compatibility, and removing the manual checks instead just relying on Solidity's checks. There are some subtleties like the custom error messages that are produced by some of the operations, but that has been reported recently to increase gas cost unnecessarily so I think we will want to remove it.

These changes will mean that Solidity 0.8 support will happen in a new major version of the library. We plan to release a final version of the current major before that happens, so we will merge the migration to Solidity 0.8 into a separate branch.

So I will ask, if you can, to change pragmas to pragma solidity ^0.8.0;, remove uses of SafeMath, and also to resolve conflicts because I merged a related PR that we had pending since before this one.

[andrekorol]

@frangio I can make and commit those changes, no problem! I agree with Solidity 0.8 support coming in a new major version of the library, I don't think it makes much sense to have all the changes you mentioned in a new minor version.

[andrekorol]

@frangio I've made the necessary changes. Some tests are still not passing because they expect custom error messages instead of just VM Exception while processing transaction: revert.

I still didn't make any change to the tests though, I wanted to confirm if the correct approach would be to change the expected custom error messages to the default VM Exception while processing transaction: revert.

Also, the Strings utility library seems to be broken now, and I'm still not sure why, the only thing changed was the version pragma. I suppose it's something to do with the new restrictions on type conversions...

[andrekorol]

So, apparently the Strings library wasn't working since solc-0.7 because it was not possible to explicitly convert from uint256 to bytes1.

But with 346fbe2, it's working again.

[lephleg]

Great work, @andrekorol! Thanks for your efforts on this.
Please let me know if you require a spare hand implementing or reviewing anything particular.

[frangio]

I still didn't make any change to the tests though, I wanted to confirm if the correct approach would be to change the expected custom error messages to the default VM Exception while processing transaction: revert.

The test helpers have an expectRevert.unspecified function that you can use.

[frangio]

Thanks @andrekorol. Most of the changes look good.

I'm now having doubts about what we should do regarding the custom revert reasons on subtraction overflow. Maybe we should keep them. What do other people think about this? Should we keep custom revert reasons such as "insufficient balance"?

Can you also change SafeMath to remove our manual checks and rely only on the built in checked arithmetic?

[frangio]

Since Solidity changed the type of msg.sender we should change the return type of our _msgSender function accordingly, instead of casting it here.

[frangio]

We can remove this function now and just use the built in.

[frangio]

Same here.

[frangio]

Same here.

[thegostep]

Should we keep custom revert reasons such as "insufficient balance"?

I generally prefer explicit revert messages now that it is convenient to test for them with waffle.

[aaronovz1]

Should we keep custom revert reasons such as "insufficient balance"?

I generally prefer explicit revert messages now that it is convenient to test for them with waffle.

Would custom messages undo the gas savings from using built in arithmetic checker? This is the best part of 0.8 IMO - we wouldn't want to lose that benefit.

[frangio]

We have to run some tests and measure the impact. I don't know if there is any special magic in the built in arithmetic checker that would make it more efficient than manual checks.

[andrekorol]

Great work, @andrekorol! Thanks for your efforts on this.
Please let me know if you require a spare hand implementing or reviewing anything particular.

@lephleg Help would be appreciated in fixing tests that are failing under coverage (solidity-coverage/ganache) 😄

[andrekorol]

Should we keep custom revert reasons such as "insufficient balance"?

One way to retain custom revert reasons would be to keep functions with different signatures like sub(uint256 a, uint256 b) and sub(uint256 a, uint256 b, string memory errorMessage), where in the one with the errorMessage, manual checks are performed as before, and the actual operation is performed inside an unchecked block.

[lephleg]

@lephleg Help would be appreciated in fixing tests that are failing under coverage (solidity-coverage/ganache) 😄

At first glance it seems there's a memory leak introduced in node. I wouldn't allocate more before ensuring there's nothing sketchy in the changes. Tricky one, I'll give it a shot with clear head tomorrow.

[axic]

Can you also change SafeMath to remove our manual checks and rely only on the built in checked arithmetic?

@frangio does it actually make sense to keep SafeMath as a weird wrapper? It adds no benefit, and the "special error message" versions are removed in this PR.

Perhaps it is better biting the bullet by removing it, and that could trigger users to review the new semantics and use them properly (checked vs. unchecked). And also be aware of the gas implications.

[andrekorol]

Can you also change SafeMath to remove our manual checks and rely only on the built in checked arithmetic?

@frangio does it actually make sense to keep SafeMath as a weird wrapper? It adds no benefit, and the "special error message" versions are removed in this PR.

Perhaps it is better biting the bullet by removing it, and that could trigger users to review the new semantics and use them properly (checked vs. unchecked). And also be aware of the gas implications.

@axic, as I've said in the comment above, it's possible to revert those changes that removed the "special error messages" and have SafeMath overload functions with two different signatures. One would be just that weird wrapper, and the other would perform the manual checks with custom error messages. The actual arithmetic operation would be wrapped in an unchecked block to avoid wasting gas with double-checking.

[hantuzun]

Removing SafeMath is tedious but a straightforward refactoring, but its benefit to the ecosystem would worth the effort. I'm against keeping it as a wrapper.

Edit: Happy holidays and thank you for the work going on in this PR ✨

[axic]

Should OpenZeppelin/openzeppelin-test-helpers#149 be implemented, tests like these would not lose precision as much as in this current PR.

[andrekorol]

@hantuzun Thanks, happy holidays to you as well!!

Should I remove SafeMath and the related tests, including cases like the one @axic mentioned on his last review?

[axic]

Just to be clear, I am not part of OpenZeppelin, so my suggestions are only suggestions, not an official review 😃

[andrekorol]

No problem, thanks for the review anyway!

[andrekorol]

@frangio is there a consensus on whether SafeMath should be removed?

Do you think setting up a poll before making any further changes is a good idea?

[Amxx]

Everything looks good to me.

I was expecting a change of the proxies, using the new fallback (bytes calldata _input) external [payable] returns (bytes memory _output) signature, but considering the assembly part is in the _delegate internal function, It might do more harm then good to embrace this change.

[Amxx]

My grain of salt:
I think the current version of SafeMath is usefull, and we should be kept in the codebase. Its just a wrapper around the solidity built-in op, so it should be optimized trivially ... and it makes old code more easily portable to 0.8.

Also, it can be used to force/enable safemath inside unchecked {} blocks:

contract Test {
    uint256 constant internal x = 0;
    uint256 constant internal y = 1;
    function a() public pure returns(uint256) { return x - y; } // revert
    function b() public pure returns(uint256) { unchecked { return x - y; } } // overflow
    function c() public pure returns(uint256) { return SafeMath.sub(x, y); } // revert
    function d() public pure returns(uint256) { unchecked { return SafeMath.sub(x, y); } } // revert
}
```

[Amxx]

Note for the future: Some "low level" functions, such as Array::findUpperBound or String::toString could probably benefit from using unchecked to reduce gas cost.

[frangio]

Let's keep SafeMath in this PR and discuss its removal separately. I've created an issue dedicated to it, please participate! Go to #2465.

We have to take a look at what's causing the coverage job to fail. Otherwise the PR seems good to go. Thanks for working on this @andrekorol!

[andrekorol]

It was my pleasure!

I think the coverage job failing has something to do with trufflesuite/ganache/issues/515.

It should be fixed in ganache@3.0.0-internal.0, but I'll take a closer look at it to see if that's really the case.

[andrekorol]

Initially, coverage was failing due to an out of memory error, which could be solved by either updating Node's version here to any version >= 14:

openzeppelin-contracts/.github/workflows/test.yml

Line 35 in 318c4b4

node-version: 10.x

or by increasing the heap memory as I did in 6a30dcc.

Now the coverage job is failing because of six different test cases that are not passing. Two of them (domain separator) I assume to be related to that chainId issue.

[frangio]

I think you have debugged it correctly, it's likely to be the chainId issue.

Something else we will have to do afterwards is review all of the expectRevert.unspecified in tests and add back the revert reasons. We will be able to bring them back with the functionality we're adding in #2462.

Thank you everyone! Please remember this is going in the solc-0.8 branch, and we will do our best to release it as soon as possible as version 4.0 of the library. We are now preparing 3.4 as the last release of the 3.x line.

[frangio]

A correction: while doing a last review of the changes in this PR I found that the chain id issue in Ganache already had a workaround and it was being removed here. It fixed the coverage for me locally and hopefully the CI will agree.