`jolt::provable` attribute omits subsequent attributes

[cre-mer]

The jolt::provable proc_macro_attribute does not take into account subsequent attributes when generating the token stream of a function. For instance, the make_execute_function's quote! does not output any used attributes alongside the function itself. This can lead to arbitrary behavior. If a user adds a custom safety-attribute or logical-attribute, this attribute will be omitted, which could introduce an unknown vulnerability or prevent the program from compiling. For example, the following code will fail to compile:

// guest code
#[jolt::provable]
#[allow(arithmetic_overflow)]
pub fn overflow_add() -> u8 {
    let x = u8::MAX + u8::MAX;
    x // should return 254
}

with the following error:

error: this arithmetic operation will overflow
  --> guest/src/lib.rs:21:13
   |
21 |     let x = u8::MAX + u8::MAX;
   |             ^^^^^^^^^^^^^^^^^ attempt to compute `u8::MAX + u8::MAX`, which would overflow
   |
   = note: `#[deny(arithmetic_overflow)]` on by default

error: could not compile `guest` (lib) due to 1 previous error

In this case, this issue is preventing the program from compiling, but other attributes if omitted could introduce undefined behavior.

Consider either allowing the usage of further attributes, or parsing all function attributes and whitelisting a defined subset of those attributes to prevent undefined behavior.

[cre-mer]

This pattern could also be present across other proc macros and should be checked carefully

[ncitron]

Good catch. We should look to see if it is possible to copy over subsequent attributes into our functions that are generated internally.

[cre-mer]

This is possible by extracting the attributes and outputting them like so:

fn make_execute_function(&self) -> TokenStream2 {
        let fn_name = self.get_func_name();
        let inputs = &self.func.sig.inputs;
        let output = &self.func.sig.output;
        let body = &self.func.block;
+       let attr = &self.func.attrs;

        quote! {
            #[cfg(not(target_arch = "wasm32"))]
+           #(#fn_attrs)* // retain other macros
             pub fn #fn_name(#inputs) #output {
                 #body
             }
        }
    }

However, there could be valid cases where you want to prevent other attributes or whitelist other attributes. Attribute ordering can also play a role – I also noticed that preceding jold::provable with an attribute can also cause failure. For example:

// guest code
#[allow(arithmetic_overflow)]
#[jolt::provable]
pub fn overflow_add() -> u8 {
    let x = u8::MAX + u8::MAX;
    x // should return 254
}

also fails with:

error: this arithmetic operation will overflow
  --> guest/src/lib.rs:21:13
   |
21 |     let x = u8::MAX + u8::MAX;
   |             ^^^^^^^^^^^^^^^^^ attempt to compute `u8::MAX + u8::MAX`, which would overflow
   |
   = note: `#[deny(arithmetic_overflow)]` on by default

error: could not compile `guest` (lib) due to 1 previous error