This report evaluates the impact of
SIMD-0321
on existing Solana mainnet-beta programs by attempting to identify existing
uninitialized reads of register r2.
Profiling results were generated using Blueshift’s
program-sync tool.
cargo run --release -- dfg --uninit-reg 2
Date: February 4, 2026
Programs profiled: 16,670
Hits:
- With
--skip-calls: 2 - Without
--skip-calls: 14
The following two programs appear to read from register 2 without first loading a value into the register, thus they could experience breakage with the activation of SIMD-0321.
Entry: PC 0 | Hit: PC 3
<entrypoint>:
0: r10 += -0x40 ; adjust frame pointer
1: w0 = 0x0
2: <unknown> ; SBFv2 opcode (0xf7)
3: w2 %= w1 ; reads r2 directly
4: if r2 == 0x0 goto +0xadThis program directly reads r2 at instruction 3 via w2 %= w1 (32-bit modulo).
Contains SBFv2 opcodes (<unknown> at instruction 2). The program computes
w2 % w1 using the VM-provided register values.
Entry: PC 0 | Hit: PC 3
<entrypoint>:
0: r10 += -0x40
1: w0 = 0x0
2: <unknown> ; SBFv2 opcode (0xf7)
3: w2 %= w1 ; reads r2 directly
4: if r2 == 0x0 goto +0xadIdentical bytecode to #1 (MoRonGB1...). Same program deployed at a different
address. Same analysis applies — genuine read of r2.
The following 12 programs were flagged before the --skip-calls option was added.
All are false positives caused by call instructions conservatively reading
r1-r5 (argument registers).
Entry: PC 153 | Hit: PC 153 (same instruction)
<entrypoint>: ; entry = instruction 153
153: call 0x4c ; call internal function immediately
154: r6 = r0 ; save return value
155: r0 = 0x0
156: r1 = r6
157: r1 &= 0xffff
158: if r1 != 0x0 goto +0x1
159: exitThe very first instruction is a call. The DFG conservatively treats call
as reading r1-r5 (argument registers), so r2 is flagged as read at the call
site. However, this program never uses r2 for instruction data — it immediately
calls an internal function and works with the return value. The callee likely
ignores r2.
Entry: PC 12 | Hit: PC 14
<entrypoint>: ; entry = PC 12
12: r1 = r10 ; frame pointer
13: r1 += -0xe8 ; stack buffer
14: call -0x1 ; syscall (reloc placeholder)
15: if r0 != 0x0 goto +0x32Same pattern as #3. The entrypoint sets up r1 as a stack pointer and calls a
syscall. The call reads r1-r5 conservatively, flagging r2 even though it was
never written. The program doesn't use r2 — it only passes a stack buffer
address in r1 to the syscall.
Entry: PC 0 | Hit: PC 2
<entrypoint>:
0: r1 = r10 ; frame pointer
1: r1 += -0x28 ; stack buffer
2: call -0x1 ; syscall (reloc placeholder)
3: r2 = *(u64 *)(r10 - 0x18)
4: r1 = *(u64 *)(r10 - 0x28)Same pattern. Stack buffer setup in r1, then a syscall. The call reads r1-r5
conservatively. r2 is untouched before the call.
Entry: PC 0 | Hit: PC 1
<entrypoint>:
0: r6 = r1 ; save input pointer
1: call -0x1 ; syscall (reloc placeholder)
2: r0 = 0x200000000 ll
4: if r6 == 0x0 goto +0x9fSaves r1 (input pointer) to r6, then immediately calls a syscall. r2 is untouched before the call.
Entry: PC 0 | Hit: PC 3
<entrypoint>:
0: r6 = r1 ; save input pointer
1: r1 = r10 ; frame pointer
2: r1 += -0x28 ; stack buffer
3: call -0x1 ; syscall (reloc placeholder)
4: r0 = 0x200000000 llSaves r1 to r6, sets up a stack buffer in r1, then calls a syscall. r2 is untouched before the call.
Entry: PC 686 | Hit: PC 686 (same instruction)
<entrypoint>:
686: call 0x1 ; trampoline call
687: exit
688: r7 = r1 ; actual body starts here
689: r1 = *(u64 *)(r7 + 0x0)Trampoline pattern: entrypoint calls the function body at the next instruction.
The call passes all argument registers (r1-r5) through. r2 is passed but
the actual function body only uses r1 (via r7).
Entry: PC 1412 | Hit: PC 1413
<entrypoint>:
1412: r6 = r1 ; save input pointer
1413: call -0x1 ; syscall (reloc placeholder)
1414: if r0 != -0x1 goto +0x2
1415: r1 = r6
1416: call -0x1
1417: exitSaves r1 to r6, then calls a syscall. r2 is untouched before the call.
Entry: PC 97 | Hit: PC 97 (same instruction)
<entrypoint>:
97: call 0x1 ; trampoline call
98: exit
99: r6 = r1 ; actual body starts here
100: r1 = *(u16 *)(r6 + 0x8)Same trampoline pattern as #8 (riptK81h...). The call 0x1 passes r1-r5
through to the body. r2 is passed but never used by the actual code, which
only accesses r1 via r6.
Entry: PC 16741 | Hit: PC 16741 (same instruction)
<entrypoint>:
16741: call 0x4152 ; call internal function
16742: exit
16743: r3 = 0x300000000 ll
16745: r3 = *(u64 *)(r3 + 0x0)Same trampoline pattern. Immediately calls an internal function, passing all argument registers through. r2 is passed but the actual function body (starting at instruction 16743) only uses r3 and r4.
Entry: PC 1412 | Hit: PC 1413
<entrypoint>:
1412: r6 = r1 ; save input pointer
1413: call -0x1 ; syscall (reloc placeholder)
1414: if r0 != -0x1 goto +0x2
1415: r1 = r6
1416: call -0x1
1417: exitIdentical bytecode to #9 (pdvgysrh...). Same program deployed at a different
address. Same analysis — r2 untouched before the call.
Entry: PC 0 | Hit: PC 1
<entrypoint>:
0: r6 = r1 ; save input pointer
1: call -0x1 ; syscall (reloc placeholder)
2: r8 = 0x200000000 ll
4: if r6 == 0x0 goto +0x60Saves r1 to r6, then immediately calls a syscall. r2 is untouched before the call.
Entry: PC 211 | Hit: PC 211 (same instruction)
<entrypoint>:
211: call -0x1 ; syscall (reloc placeholder)
212: r0 = 0x0
213: exitMinimal 3-instruction program: calls a syscall, returns 0. The call reads
r1-r5 conservatively. r2 is untouched.
Only two genuine hits were identified out of 16,670 programs analyzed, both corresponding to the same program deployed at two distinct addresses. The first deployment has fewer than 100 transactions (address), and the second has a single recorded transaction (address).
Given the extremely limited scope and usage of the affected programs, I've assessed the ecosystem impact to be minimal and recommend that SIMD-0321 be activated promptly.