bug(linking): unused libraries may be deployed #6215

@klkvr

Component

Forge

Describe the feature you would like

Right now unused libraries may be deployed even if there is no usage of them outside of broadcasting:

This happens because, from the perspective of the Solidity compiler, the script contract depends on all libraries which are used in it, regardless of the part of the code they are used in.

One possible solution is as follows:

  1. After script simulation, go through all CREATEs and match bytecodes to artifacts.
  2. Determine which libraries are actually going to be used in newly created contracts. This can be done via existing code for dependency resolution.
  3. If any unnecessary libraries are found, recompile the code and rerun the script, predeploying only the necessary libraries. This step is necessary because modifying the pre-deployed libraries list affects the sender nonce. All other libraries can be injected in some way similar to what vm.etch does.

This approach has several drawbacks:

  1. The current code matching bytecode to artifacts uses diff_score, which may result in false positives/negatives in some cases. Right now such failures are accepted because they only affect verification and trace decoding. However, in the case of library linking it becomes much more dangerous, as it may lead to contracts being deployed without needed libraries.
  2. Recompiling the code and re-running the script with new libraries is pretty expensive.

Would be happy to get other opinions on this.

Additional context

No response
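
A sketch of steps 1 and 2 of the proposal, added here as an example and not taken from the issue or from Foundry's code. It swaps the fuzzy diff_score for an exact match that treats solc link placeholders as wildcards, and refuses to prune when a CREATE cannot be attributed to exactly one artifact. `Artifact`, `matches`, `unused_libs`, `sample` and all bytecode values are hypothetical and constructed for illustration.

```rust
use std::collections::{BTreeSet, HashMap};

// Constructed model: unlinked creation code as hex; library references are solc placeholders `__$<34 hex>$__`.
pub struct Artifact { pub name: &'static str, pub unlinked: String, pub libs: Vec<&'static str> }

// Exact prefix match, not a fuzzy score; a placeholder accepts any 20-byte address.
pub fn matches(unlinked: &str, created: &str) -> bool {
    let (u, c) = (unlinked.as_bytes(), created.as_bytes());
    if c.len() < u.len() { return false; } // a longer tail is constructor arguments
    let mut i = 0;
    while i < u.len() {
        if u[i..].starts_with(b"__$") {
            if i + 40 > u.len() || !c[i..i + 40].iter().all(u8::is_ascii_hexdigit) { return false; }
            i += 40;
        } else if u[i].eq_ignore_ascii_case(&c[i]) { i += 1 } else { return false }
    }
    true
}

// Predeployed libraries no created contract reaches. None: a CREATE matched zero or several artifacts.
pub fn unused_libs(arts: &[Artifact], predeployed: &[&'static str], created: &[&str]) -> Option<Vec<&'static str>> {
    let by_name: HashMap<&str, &Artifact> = arts.iter().map(|a| (a.name, a)).collect();
    let (mut stack, mut needed): (Vec<&'static str>, BTreeSet<&'static str>) = Default::default();
    for code in created {
        let mut hits = arts.iter().filter(|a| matches(&a.unlinked, code));
        let hit = hits.next()?;
        if hits.next().is_some() { return None; }
        stack.extend(hit.libs.iter().copied());
    }
    while let Some(lib) = stack.pop() {
        if needed.insert(lib) { stack.extend(by_name.get(lib)?.libs.iter().copied()); }
    }
    Some(predeployed.iter().copied().filter(|l| !needed.contains(l)).collect())
}

// Constructed sample: only Vault is created; it links SigLib, which links MathLib.
pub fn sample() -> Vec<Artifact> {
    let ph = |c: &str| format!("__${}$__", c.repeat(34));
    vec![
        Artifact { name: "MathLib", unlinked: "60aa".into(), libs: vec![] },
        Artifact { name: "SigLib", unlinked: format!("60bb{}", ph("a")), libs: vec!["MathLib"] },
        Artifact { name: "DebugLib", unlinked: "60dd".into(), libs: vec![] },
        Artifact { name: "Vault", unlinked: format!("6001{}6002", ph("b")), libs: vec!["SigLib"] },
    ]
}

fn main() {
    let vault = format!("6001{}600200ff", "11".repeat(20)); // linked address, then constructor args
    println!("unused: {:?}", unused_libs(&sample(), &["DebugLib", "MathLib", "SigLib"], &[vault.as_str()]));
}
```

Returning `None` instead of a best guess keeps a mismatch from silently dropping a library that a deployed contract needs, which is the failure mode the first drawback describes.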
