From 83f954d8c46da85990f6a16b6a77b80904c1225c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ernesto=20Garc=C3=ADa?= <ernestognw@gmail.com>
Date: Fri, 30 Aug 2024 05:44:05 -0600
Subject: [PATCH] Add memory side effects notes when using function pointers
 (#5174)

---
 contracts/utils/Arrays.sol                   | 6 ++++++
 contracts/utils/cryptography/MerkleProof.sol | 3 +++
 scripts/generate/templates/Arrays.js         | 2 ++
 scripts/generate/templates/MerkleProof.js    | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/contracts/utils/Arrays.sol b/contracts/utils/Arrays.sol
index 14f4ce297ae..432c8602800 100644
--- a/contracts/utils/Arrays.sol
+++ b/contracts/utils/Arrays.sol
@@ -26,6 +26,8 @@ library Arrays {
      * array. Using it in view functions that are executed through `eth_call` is safe, but one should be very careful
      * when executing this as part of a transaction. If the array being sorted is too large, the sort operation may
      * consume more gas than is available in a block, leading to potential DoS.
+     *
+     * IMPORTANT: Consider memory side-effects when using custom comparator functions that access memory in an unsafe way.
      */
     function sort(
         uint256[] memory array,
@@ -53,6 +55,8 @@ library Arrays {
      * array. Using it in view functions that are executed through `eth_call` is safe, but one should be very careful
      * when executing this as part of a transaction. If the array being sorted is too large, the sort operation may
      * consume more gas than is available in a block, leading to potential DoS.
+     *
+     * IMPORTANT: Consider memory side-effects when using custom comparator functions that access memory in an unsafe way.
      */
     function sort(
         address[] memory array,
@@ -80,6 +84,8 @@ library Arrays {
      * array. Using it in view functions that are executed through `eth_call` is safe, but one should be very careful
      * when executing this as part of a transaction. If the array being sorted is too large, the sort operation may
      * consume more gas than is available in a block, leading to potential DoS.
+     *
+     * IMPORTANT: Consider memory side-effects when using custom comparator functions that access memory in an unsafe way.
      */
     function sort(
         bytes32[] memory array,
diff --git a/contracts/utils/cryptography/MerkleProof.sol b/contracts/utils/cryptography/MerkleProof.sol
index 6a0bc4d4e73..a2a21adb2c9 100644
--- a/contracts/utils/cryptography/MerkleProof.sol
+++ b/contracts/utils/cryptography/MerkleProof.sol
@@ -20,6 +20,9 @@ import {Hashes} from "./Hashes.sol";
  * OpenZeppelin's JavaScript library generates Merkle trees that are safe
  * against this attack out of the box.
  *
+ * IMPORTANT: Consider memory side-effects when using custom hashing functions
+ * that access memory in an unsafe way.
+ *
  * NOTE: This library supports proof verification for merkle trees built using
  * custom _commutative_ hashing functions (i.e. `H(a, b) == H(b, a)`). Proving
  * leaf inclusion in trees built using non-commutative hashing functions requires
diff --git a/scripts/generate/templates/Arrays.js b/scripts/generate/templates/Arrays.js
index 3a1e62237ee..0d3676a727d 100644
--- a/scripts/generate/templates/Arrays.js
+++ b/scripts/generate/templates/Arrays.js
@@ -26,6 +26,8 @@ const sort = type => `\
  * array. Using it in view functions that are executed through \`eth_call\` is safe, but one should be very careful
  * when executing this as part of a transaction. If the array being sorted is too large, the sort operation may
  * consume more gas than is available in a block, leading to potential DoS.
+ *
+ * IMPORTANT: Consider memory side-effects when using custom comparator functions that access memory in an unsafe way.
  */
 function sort(
     ${type}[] memory array,
diff --git a/scripts/generate/templates/MerkleProof.js b/scripts/generate/templates/MerkleProof.js
index 80df713c7a3..8f206c88056 100644
--- a/scripts/generate/templates/MerkleProof.js
+++ b/scripts/generate/templates/MerkleProof.js
@@ -26,6 +26,9 @@ import {Hashes} from "./Hashes.sol";
  * OpenZeppelin's JavaScript library generates Merkle trees that are safe
  * against this attack out of the box.
  *
+ * IMPORTANT: Consider memory side-effects when using custom hashing functions
+ * that access memory in an unsafe way.
+ *
  * NOTE: This library supports proof verification for merkle trees built using
  * custom _commutative_ hashing functions (i.e. \`H(a, b) == H(b, a)\`). Proving
  * leaf inclusion in trees built using non-commutative hashing functions requires