Merge branch 'main' into issue716v2

Author: jeshecdom

.eslintrc.cjs

@@ -15,6 +15,14 @@ module.exports = {
     es2021: true,
   },
   rules: {
+    "@typescript-eslint/consistent-type-imports": [
+      "error",
+      {
+        prefer: "type-imports",
+        fixStyle: "separate-type-imports",
+        disallowTypeAnnotations: true,
+      },
+    ],
     "@typescript-eslint/no-unused-vars": [
       "error",
       {

.github/actions/test/action.yml

@@ -0,0 +1,52 @@
+name: "Setup Node.js"
+description: "Set up Node.js and install dependencies"
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Setup Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: "yarn"
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        corepack enable
+        yarn install
+
+    - name: List installed packages
+      shell: bash
+      run: |
+        yarn list
+
+    - name: Print some environment info
+      shell: bash
+      run: |
+        yarn cross-env echo $NODE_ENV
+
+    - name: Build Tact compiler
+      shell: bash
+      run: |
+        yarn clean
+        yarn gen
+        yarn build
+
+    - name: Test Tact compiler
+      shell: bash
+      run: |
+        yarn coverage
+
+    - name: Show an example .pkg file on Windows
+      shell: pwsh
+      if: runner.os == 'Windows'
+      run: |
+        type examples\output\echo_Echo.pkg
+
+    - name: Link Tact yarn package
+      shell: bash
+      run: |
+        yarn link

.github/workflows/external-links.yml

@@ -1,4 +1,4 @@
-name: Link check
+name: External link check
 
 on:
   workflow_dispatch: # on demand launches, if needed
@@ -22,9 +22,15 @@ jobs:
             --exclude '\.(?:jpg|png)$'
             docs/README.md './docs/**/*.mdx'
           output: "/dev/stdout"
-          fail: false
+          fail: true
           failIfEmpty: false
 
+  linkcheck-dev:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
       - name: (dev-docs) Check broken HTTP(S) links
         uses: lycheeverse/lychee-action@v2
         id: lychee_dev
@@ -34,5 +40,22 @@ jobs:
             --exclude-path node_modules --exclude-path docs
             './**/*.md'
           output: "/dev/stdout"
-          fail: false
+          fail: true
+          failIfEmpty: false
+
+  linkcheck-stdlib:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: (stdlib) Check broken HTTP(S) links in doc comments
+        uses: lycheeverse/lychee-action@v2
+        id: lychee_dev
+        with:
+          args: >
+            -n -s https -s http
+            './src/stdlib/stdlib/**/*.tact'
+          output: "/dev/stdout"
+          fail: true
           failIfEmpty: false

.github/workflows/tact.yml

@@ -76,54 +76,43 @@ jobs:
       fail-fast: false
       matrix:
         node-version: [22]
-        os: [ubuntu-latest, windows-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: "yarn"
-
-      - name: Install dependencies
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/test
+      - name: Test compatibility with tact-template
         run: |
-          corepack enable
+          # !!!!!!! Don't forget to update test-windows below !!!!!!!
+          git clone https://github.com/tact-lang/tact-template.git
+          cd tact-template
+          # Hijack the dependency on Tact to avoid redundant npm downloads
+          jq 'del(.dependencies."@tact-lang/compiler")' package.json -M > temp.json
+          mv temp.json package.json
           yarn install
-
-      - name: List installed packages
-        run: |
-          yarn list
-
-      - name: Print some environment info
-        run: |
-          yarn cross-env echo $NODE_ENV
-
-      - name: Build Tact compiler
-        run: |
-          yarn clean
-          yarn gen
+          yarn link @tact-lang/compiler
           yarn build
+          yarn test
 
-      - name: Test Tact compiler
-        run: |
-          yarn coverage
-
-      - name: Show an example .pkg file on Windows
-        if: runner.os == 'Windows'
-        run: |
-          type examples\output\echo_Echo.pkg
-
-      - name: Link Tact yarn package
-        run: |
-          yarn link
-
+  test-windows:
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [22]
+        os: [windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/test
       - name: Test compatibility with tact-template
         run: |
+          # !!!!!!! Don't forget to update test above !!!!!!!
+          $ErrorActionPreference = 'Stop'
           git clone https://github.com/tact-lang/tact-template.git
           cd tact-template
+          # Hijack the dependency on Tact to avoid redundant npm downloads
+          jq 'del(.dependencies."@tact-lang/compiler")' package.json -M | Set-Content temp.json
+          Move-Item temp.json package.json -Force
           yarn install
           yarn link @tact-lang/compiler
           yarn build

README.md

@@ -14,6 +14,11 @@ A next-gen smart contract language for TON focused on efficiency and simplicity.
 - [Tact Documentation](https://docs.tact-lang.org)
 - [Awesome Tact](https://github.com/tact-lang/awesome-tact)
 
+## Security
+
+- [Security audit of Tact by the Trail of Bits (2025, PDF)](https://tact-lang.org/assets/pdfs/2025-01-ton-studio-tact-compiler-securityreview.pdf)
+  - Backup link: [PDF Report](https://github.com/tact-lang/website/blob/416073ed4056034639de257cb1e2815227f497cb/pdfs/2025-01-ton-studio-tact-compiler-securityreview.pdf)
+
 ## Community
 
 - [Tact Discussion Group](https://t.me/tactlang)

dev-docs/CHANGELOG.md

@@ -24,6 +24,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `nullChecks` config option to disable run-time null checks for the `!!` operator in order to save gas: PR [#1660](https://github.com/tact-lang/tact/pull/1660)
 - `loadVarInt16`, `loadVarUint16`, `loadVarInt32`, `loadVarUint32` methods for the `Slice` type: PR [#1667](https://github.com/tact-lang/tact/pull/1667)
 - New functions in stdlib from `stdlib.fc` and `math.fc`: `Builder.depth`, `Slice.skipLastBits`, `Slice.firstBits`, `Slice.lastBits`, `Slice.depth`, `Cell.computeDataSize`, `Slice.computeDataSize`, `Cell.depth`, `curLt`, `blockLt`, `setGasLimit`, `getSeed`, `setSeed`, `myCode`, `sign`, `divc`, `muldivc`, `mulShiftRight`, `mulShiftRightRound`, `mulShiftRightCeil`, `sqrt`: PR [#986](https://github.com/tact-lang/tact/pull/986)
+- The `--output` CLI flag for specifying custom output directory in single-contract compilation: PR [#1793](https://github.com/tact-lang/tact/pull/1793)
+- New functions `Slice.asAddressUnsafe` and `contractHash` in stdlib: PR [#1766](https://github.com/tact-lang/tact/pull/1766)
 
 ### Changed
 
@@ -45,6 +47,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Better error message for `unresolved name` error: PR [#1595](https://github.com/tact-lang/tact/pull/1595)
 - Better error message for `unresolved global function` error: PR [#1610](https://github.com/tact-lang/tact/pull/1610)
 - Better error message for `extend function without parameters` error: PR [#1624](https://github.com/tact-lang/tact/pull/1624)
+- Don't generate `lazy_deployment_completed` by default: PR [#1717](https://github.com/tact-lang/tact/pull/1717)
+- Optimized `emptyCell()` and `emptySlice()` functions: PR [#1696](https://github.com/tact-lang/tact/pull/1696)
+- Internal `crc16` function is now verifiable and covered with tests: PR [#1739](https://github.com/tact-lang/tact/pull/1739)
+- Rearrange parameters of some asm methods in order described in `AsmShuffle`: PR [#1702](https://github.com/tact-lang/tact/pull/1702)
+- Error message for invalid type for function argument now shows expected type: PR [#1738](https://github.com/tact-lang/tact/pull/1738)
 
 ### Fixed
 
@@ -80,13 +87,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Runtime `sha256` now work for arbitrary strings with length >= 128: PR [#1626](https://github.com/tact-lang/tact/pull/1626)
 - Generated code in TypeScript wrappers for contract with `init(init: Init)`: PR [#1709](https://github.com/tact-lang/tact/pull/1709)
 - Error message for comment (text) receivers with 124 bytes or more: PR [#1711](https://github.com/tact-lang/tact/pull/1711)
+- Support overriding constants and methods of BaseTrait: PR [#1591](https://github.com/tact-lang/tact/pull/1591)
+- Forbid traits inherit implicitly from BaseTrait: PR [#1591](https://github.com/tact-lang/tact/pull/1591)
+- Forbid the `override` modifier for constants without the corresponding super-constant: PR [#1591](https://github.com/tact-lang/tact/pull/1591)
+- Check map types for `deepEquals` method: PR [#1718](https://github.com/tact-lang/tact/pull/1718)
+- Remove "remainder" from error messages: PR [#1699](https://github.com/tact-lang/tact/pull/1699)
+- Check map types for `deepEquals` method: PR [#1718](https://github.com/tact-lang/tact/pull/1718)
 
 ### Docs
 
 - Added the `description` property to the frontmatter of the each page for better SEO: PR [#916](https://github.com/tact-lang/tact/pull/916)
 - Added Google Analytics tags per every page: PR [#921](https://github.com/tact-lang/tact/pull/921)
 - Added Ston.fi cookbook: PR [#956](https://github.com/tact-lang/tact/pull/956)
-- Added NFTs cookbook: PR [#958](https://github.com/tact-lang/tact/pull/958)
+- Added NFTs cookbook: PR [#958](https://github.com/tact-lang/tact/pull/958), PR [#1747](https://github.com/tact-lang/tact/pull/1747)
 - Added security best practices: PR [#1070](https://github.com/tact-lang/tact/pull/1070)
 - Added automatic links to Web IDE from all code blocks: PR [#994](https://github.com/tact-lang/tact/pull/994)
 - Added initial semi-automated Chinese translation of the documentation: PR [#942](https://github.com/tact-lang/tact/pull/942)
@@ -116,9 +129,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed the notion of the non-standard TL-B syntax `remainder<X>`: PR [#1599](https://github.com/tact-lang/tact/pull/1599)
 - Added description of `.boc`, `.ts`, `.abi`, `.pkg` files and completed Compilation page: PR [#1676](https://github.com/tact-lang/tact/pull/1676)
 - Marked gas-expensive functions and expressions: PR [#1703](https://github.com/tact-lang/tact/pull/1703)
+- Added a Security audits page, with the first assessment from the Trail of Bits: PR [#1791](https://github.com/tact-lang/tact/pull/1791)
+- Listed functions with implicit mode and further clarified the interactions of message sending functions and their modes: PR [#1634](https://github.com/tact-lang/tact/pull/1634)
 
 ### Release contributors
 
+## [1.5.4] - 2025-02-04
+
+### Fixed
+
+- Allowed importing FunC files with `.func` extension. Resolves the `TOB-TACT-1` issue
+- Issue understandable error on circular trait dependencies. Resolves the `TOB-TACT-2` issue
+- Forbade accessing files via symlinks. Resolves the `TOB-TACT-3` issue
+- Bit shift FunC compilation errors for incorrect bit widths. Partially resolves the `TOB-TACT-5` issue
+- Streamlined `renameModuleItems` function. Resolves the `TOB-TACT-6` issue
+- Documented the parser limitations for nested expressions. Alleviates the `TOB-TACT-7` issue
+- Bit shift FunC compilation errors for incorrect bit widths
+- Throwing from functions with non-trivial branching in the `try` statement
+
+### Notes
+
+Handling the Unicode in the Tact grammar as per the `TOB-TACT-4` issue has been left unchanged and will be addressed in the future Tact releases.
+
+### Release contributors
+
+- [Anton Trunov](https://github.com/anton-trunov): security audit fixes
+- [@verytactical](https://github.com/verytactical): internal review of the security audit fixes
+- [Trail of Bits](https://www.trailofbits.com): the security audit of the Tact compiler v1.5.0 (commit 0106ea14857bcf3c40dd10135243d0de96012871) and the audit of the fixes
+
 ## [1.5.3] - 2024-11-28
 
 ### Changed

dev-docs/CONTRIBUTING.md

@@ -210,8 +210,6 @@ Some other codegen tests are as follows:
 
 The entry point to the Tact AST pretty-printer is [src/ast/ast-printer.ts](../src/ast/ast-printer.ts). It is going to be used for the Tact source code formatter once the parser keeps comments and other relevant information.
 
-The AST comparator is defined in [src/ast/compare.ts](../src/ast/compare.ts). This is useful, for instance, for static analysis tools which can re-use the Tact TypeScript API.
-
 The corresponding test spec files can be found in [src/test](../src/test) folder with the test contracts in [src/test/contracts](../src/test/contracts) folder.
 
 ## Build scripts and test helpers

docs/astro.config.mjs

@@ -285,6 +285,7 @@ export default defineConfig({
 					},
 					items: [
 						{ slug: 'ecosystem' },
+						{ slug: 'ecosystem/security-audits' },
 						{
 							label: 'Tools',
 							translations: { 'zh-CN': '工具' },

docs/package.json

@@ -31,5 +31,11 @@
     "unist-util-visit": "^5.0.0"
   },
   "packageManager": "[email protected]",
-  "version": ""
+  "version": "",
+  "resolutions": {
+    "esbuild": "^0.25.0"
+  },
+  "overrides": {
+    "esbuild": "^0.25.0"
+  }
 }

docs/src/content/docs/book/assembly-functions.mdx

@@ -478,7 +478,7 @@ When there are literals involved, they'll be shown as is. Additionally, when val
 
 ```tact
 // Computes and returns the Keccak-256 hash as an 256-bit unsigned `Int`
-// from a passed `Slice` `s`. Uses the Ethereum-compatible implementation.
+// from a passed `Slice` `s`. Uses the Ethereum-compatible* implementation.
 asm fun keccak256(s: Slice): Int {
     // s:Slice → s:Slice, 1
     // —————————————————————
@@ -498,8 +498,8 @@ The [`HASHEXT_KECCAK512`](https://docs.ton.org/v3/documentation/tvm/instructions
 
 ```tact
 // Computes and returns the Keccak-512 hash in two 256-bit unsigned `Int`
-// values from a passed `Slice` `s`. Uses the Ethereum-compatible implementation.
-asm fun keccak256(s: Slice): Hash512 {
+// values from a passed `Slice` `s`. Uses the Ethereum-compatible* implementation.
+asm fun keccak512(s: Slice): Hash512 {
     // s:Slice → s:Slice, 1
     // —————————————————————
     // s0      → s1       s0
@@ -520,6 +520,12 @@ asm fun keccak256(s: Slice): Hash512 {
 struct Hash512 { h1: Int; h2: Int }
 ```
 
+While it is said that these sample `keccak256(){:tact}` and `keccak512(){:tact}` functions use the Ethereum-compatible implementation, note that the underlying `HASHEXT` family of [TVM][tvm] instructions has its own drawbacks.
+
+These drawbacks stem from the limitations of the [`Slice{:tact}`][slice] type itself — `HASHEXT_KECCAK256` and other hashing instructions of the `HASHEXT` family ignore any references present in the passed slice(s), i.e. only up to $1023$ bits of its data are used.
+
+To work around this, you can recursively load all the refs from the given [`Slice{:tact}`][slice], and then hash them all at once by specifying their exact number instead of the `ONE` [TVM][tvm] instruction used earlier. See an example below: [`onchainSha256`](#onchainsha256).
+
 :::note[Useful links:]
 
   [`HASHEXT_KECCAK256`](https://docs.ton.org/v3/documentation/tvm/instructions#F90403)\

docs/src/content/docs/book/compile.mdx

@@ -95,7 +95,15 @@ If you want to pin down a specific version of the compiler, run the following co
 
 A number of build artifacts can be produced per compilation of each contract. Some of the artifacts can be omitted using [configuration settings](/book/config).
 
-The location of the artifacts depends on the [`output`](/book/config#projects-output) field of the [`tact.config.json`](/book/config). In [Blueprint][bp]-based projects, `output` is not used and all generated files are always placed in `build/ProjectName/`.
+The location of the artifacts depends on the compilation method:
+- For projects using `tact.config.json`, use the [`output`](/book/config#projects-output) field in the config file
+- For single contract compilation, you can specify the output directory using the `-o` or `--output` flag:
+  ```shell
+  tact contract.tact --output ./custom-output
+  ```
+  If not specified, the files will be generated in the same directory as the input file.
+
+In [Blueprint][bp]-based projects, `output` is not used and all generated files are always placed in `build/ProjectName/`.
 
 ### Compilation report, `.md` {#report}