1.4.0: Fix getModulesPaginated

[mmv08]

This PR fixes #461 by checking if we reached the end of the modules list and conditionally returning either sentinel address signaling the end or the last element of the module list

Also added some test cases and validations for passed arguments

[coveralls]

Pull Request Test Coverage Report for Build 3912478679

• 8 of 8 (100.0%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.03%) to 98.511%

---

Totals
Change from base Build 3904293007:	0.03%
Covered Lines:	311
Relevant Lines:	312

---

💛 - Coveralls

[rmeissner]

Looking at this more we need to define a little bit more what is expected here.

E.g.

• What should happen if an invalid start is passed? (We also don'T have tests here)
• What should be returned at the end of the page? (0 vs 1 vs ?)
  • What should be returned for an empty page.

With the current solution we break even the flow for working use cases (e.g. we change what is returned of all entries fit into a single page), which I would avoid

[rmeissner]

This tests should not have to be adjusted. I would stick to the defined behavior for this case, meaning at the end of the page AddressOne is returned as next (signaling the end).

[mmv08]

I would stick to the defined behavior for this case, meaning at the end of the page AddressOne is returned as next (signaling the end).

It seems like this would require adjustments in the module manager contract, because unlike OwnerManager we don't have the last module pointing to a sentinel address. Do you think it's worth it?

[rmeissner]

we don't have the last module pointing to a sentinel address.

That should always be the case. This is required else a lot of logic will break

[mmv08]

Do we want to do something like this in getModulesPaginated method then:

if (next == address(0)) next = SENTINEL_ADDRESS;

[rmeissner]

why? I do not understand why this would be required. The linked list always starts with the sentinel and ends on the sentinel:

• Empty list: 0x1 -> 0x1
• List with one module: 0x1 -> 0xbaddad -> 0x1
• List with n modules: 0x1 -> 0xbaddad -> 0x.... -> 0x1

If next is 0x0 then something is wrong

[mmv08]

Ah, I was confused how this was possible until I saw that setupModules is called during the setup. Will investigate why this is not the case

[rmeissner]

array[0] (for the case that moduleCound == 0) would be undefined, right? In the best case it is 0 in the worst case it some random data (should normally not happen).

I still believe we should first clearly define the expected behavior for this method (and maybe even for the .

• start has to be a module else the method should revert
• pageSize needs to be greater 0, else the method should revert
• If all entries fit into a single page, then next should be Address One (as this is the current behavior)
• If another page is present then next should be the last element of the returned array (<- this was bugged before)

[mmv08]

array[0] (for the case that moduleCound == 0) would be undefined, right?

It's zero address I think

[rmeissner]

yeah it should be zero (at least with the current solidity management), but not sure if there is a guarantee for it.

if pageSize is 0 this should revert as array access should do bounds checks.

[mmv08]

@rmeissner a side question:

    function setupModules(address to, bytes memory data) internal {
        require(modules[SENTINEL_MODULES] == address(0), "GS100");
        modules[SENTINEL_MODULES] = SENTINEL_MODULES;
        if (to != address(0))
            // Setup has to complete successfully or transaction fails.
            require(execute(to, 0, data, Enum.Operation.DelegateCall, gasleft()), "GS000");
    }

Should we ensure here that to is a contract? or perhaps in the GnosisSafe setup? Might be valuable for highly modularly customised safes

[mmv08]

@rmeissner I gave it another go, please check it. I still had to adjust some test though.

[mmv08]

I changed 0x0 to 0 because within the file this was the only occurence of 0x0 and 0 was used everywhere else

[mmv08]

maybe it's worth noting that removing the pageSize check passes all the test except it doesn't revert when passed pageSize === 0 and instead returns an empty array

[rmeissner]

Besides adding a test case for a Safe that has no modules it looks good

[rmeissner]

Do we have a test for the case that this method is called when no modules are enabled?

[rmeissner]

Theoretically we should be able to use next instead of currentModule (merge these too), but not sure if that would make it really better

[mmv08]

good catch

[rmeissner]

Should we ensure here that to is a contract? or perhaps in the GnosisSafe setup? Might be valuable for highly modularly customised safes

Didn't see this comment. I like the addition, but would do it in a separate PR.