Merge pull request #508 from soad003/staticanalysis

Static Analysis: Assembly, Checks Effetct Interaction, Constant Functions without modifiers.

.travis.yml

@@ -1,6 +1,6 @@
 language: node_js
 node_js:
-  - stable
+  - "7"
 script:
   - npm run lint && npm run test && npm run downloadsolc && npm run make-mock-compiler && npm run build
   - ./ci/browser_tests.sh

README.md

@@ -53,6 +53,8 @@ Run the unit tests via: `npm test`
 For local headless browser tests run `npm run test-browser`
 (Requires selenium to be installed - can be done with `npm run selenium-install`)
 
+Running unit tests via `npm test` requires at least node v7.0.0
+
 ## Browser Testing
 
 To run the Selenium tests via Nightwatch serve the app through a local web server:
@@ -62,7 +64,7 @@ To run the Selenium tests via Nightwatch serve the app through a local web serve
 Then you will need to either:
 
 1. Have a Selenium server running locally on port 4444.
-	- Run: `npm run browser-test`
+	- Run: `npm run test-browser`
 2. Or, install and run SauceConnect.
 	- Run: `sc -u <USERNAME> -k <ACCESS_KEY>` (see `.travis.yml` for values)
 	- Run: `npm run browser-test-sc`

src/app/staticanalysis/modules/abstractAstView.js

@@ -0,0 +1,152 @@
+var common = require('./staticAnalysisCommon')
+var AstWalker = require('ethereum-remix').util.AstWalker
+
+function abstractAstView () {
+  this.contracts = []
+  this.currentContractIndex = null
+  this.currentFunctionIndex = null
+  this.currentModifierIndex = null
+  this.isFunctionNotModifier = false
+  /*
+    file1: contract c{}
+    file2: import "file1" as x; contract c{}
+    therefore we have two contracts with the same name c. At the moment this is not handled because alias name "x" is not
+    available in the current AST implementation thus can not be resolved.
+    Additionally the fullQuallified function names e.g. [contractName].[functionName](param1Type, param2Type, ... ) must be prefixed to
+    fully support this and when inheritance is resolved it must include alias resolving e.g x.c = file1.c
+  */
+  this.multipleContractsWithSameName = false
+}
+
+/**
+ * Builds a higher level AST view. I creates a list with each contract as an object in it.
+ * Example contractsOut:
+ *
+ * {
+ *  "node": {},                     // actual AST Node of the contract
+ *  "functions": [
+ *    {
+ *      "node": {},                // actual AST Node of the function
+ *      "relevantNodes": [],       // AST nodes in the function that are relevant for the anlysis of this function
+ *      "modifierInvocations": [], // Modifier invocation AST nodes that are applied on this function
+ *      "localVariables": [],      // Local variable declaration nodes
+ *      "parameters": []           // Parameter types of the function in order of definition
+ *    }
+ *  ],
+ *  "modifiers": [],              // Modifiers definded by the contract, format similar to functions
+ *  "inheritsFrom": [],           // Names of contract this one inherits from in order of definition
+ *  "stateVariables": []          // AST nodes of all State variables
+ * }
+ *
+ * @relevantNodeFilter {ASTNode -> bool} function that selects relevant ast nodes for analysis on function level.
+ * @contractsOut {list} return list for high level AST view
+ * @return {ASTNode -> void} returns a function that can be used as visit function for static analysis modules, to build up a higher level AST view for further analysis.
+ */
+abstractAstView.prototype.build_visit = function (relevantNodeFilter) {
+  var that = this
+  return function (node) {
+    if (common.isContractDefinition(node)) {
+      setCurrentContract(that, {
+        node: node,
+        functions: [],
+        modifiers: [],
+        inheritsFrom: [],
+        stateVariables: common.getStateVariableDeclarationsFormContractNode(node)
+      })
+    } else if (common.isInheritanceSpecifier(node)) {
+      var currentContract = getCurrentContract(that)
+      var inheritsFromName = common.getInheritsFromName(node)
+      currentContract.inheritsFrom.push(inheritsFromName)
+    } else if (common.isFunctionDefinition(node)) {
+      setCurrentFunction(that, {
+        node: node,
+        relevantNodes: [],
+        modifierInvocations: [],
+        localVariables: getLocalVariables(node),
+        parameters: getLocalParameters(node)
+      })
+    } else if (common.isModifierDefinition(node)) {
+      setCurrentModifier(that, {
+        node: node,
+        relevantNodes: [],
+        localVariables: getLocalVariables(node),
+        parameters: getLocalParameters(node)
+      })
+    } else if (common.isModifierInvocation(node)) {
+      if (!that.isFunctionNotModifier) throw new Error('abstractAstView.js: Found modifier invocation outside of function scope.')
+      getCurrentFunction(that).modifierInvocations.push(node)
+    } else if (relevantNodeFilter(node)) {
+      ((that.isFunctionNotModifier) ? getCurrentFunction(that) : getCurrentModifier(that)).relevantNodes.push(node)
+    }
+  }
+}
+
+abstractAstView.prototype.build_report = function (wrap) {
+  var that = this
+  return function (compilationResult) {
+    resolveStateVariablesInHierarchy(that.contracts)
+    return wrap(that.contracts, that.multipleContractsWithSameName)
+  }
+}
+
+function resolveStateVariablesInHierarchy (contracts) {
+  contracts.map((c) => {
+    resolveStateVariablesInHierarchyForContract(c, contracts)
+  })
+}
+function resolveStateVariablesInHierarchyForContract (currentContract, contracts) {
+  currentContract.inheritsFrom.map((inheritsFromName) => {
+    // add variables from inherited contracts
+    var inheritsFrom = contracts.find((contract) => common.getContractName(contract.node) === inheritsFromName)
+    if (inheritsFrom) {
+      currentContract.stateVariables = currentContract.stateVariables.concat(inheritsFrom.stateVariables)
+    } else {
+      console.log('abstractAstView.js: could not find contract defintion inherited from ' + inheritsFromName)
+    }
+  })
+}
+function setCurrentContract (that, contract) {
+  var name = common.getContractName(contract.node)
+  if (that.contracts.map((c) => common.getContractName(c.node)).filter((n) => n === name).length > 0) {
+    console.log('abstractAstView.js: two or more contracts with the same name dectected, import aliases not supported at the moment')
+    that.multipleContractsWithSameName = true
+  }
+  that.currentContractIndex = (that.contracts.push(contract) - 1)
+}
+
+function setCurrentFunction (that, func) {
+  that.isFunctionNotModifier = true
+  that.currentFunctionIndex = (getCurrentContract(that).functions.push(func) - 1)
+}
+
+function setCurrentModifier (that, modi) {
+  that.isFunctionNotModifier = false
+  that.currentModifierIndex = (getCurrentContract(that).modifiers.push(modi) - 1)
+}
+
+function getCurrentContract (that) {
+  return that.contracts[that.currentContractIndex]
+}
+
+function getCurrentFunction (that) {
+  return getCurrentContract(that).functions[that.currentFunctionIndex]
+}
+
+function getCurrentModifier (that) {
+  return getCurrentContract(that).modifiers[that.currentModifierIndex]
+}
+
+function getLocalParameters (funcNode) {
+  return getLocalVariables(common.getFunctionOrModifierDefinitionParameterPart(funcNode)).map(common.getType)
+}
+
+function getLocalVariables (funcNode) {
+  var locals = []
+  new AstWalker().walk(funcNode, {'*': function (node) {
+    if (common.isVariableDeclaration(node)) locals.push(node)
+    return true
+  }})
+  return locals
+}
+
+module.exports = abstractAstView

src/app/staticanalysis/modules/categories.js

@@ -1,4 +1,5 @@
 module.exports = {
   SECURITY: {displayName: 'Security', id: 'SEC'},
-  GAS: {displayName: 'Gas & Economy', id: 'GAS'}
+  GAS: {displayName: 'Gas & Economy', id: 'GAS'},
+  MISC: {displayName: 'Miscellaneous', id: 'MISC'}
 }

src/app/staticanalysis/modules/checksEffectsInteraction.js

@@ -0,0 +1,88 @@
+var name = 'Checks-Effects-Interaction pattern'
+var desc = 'Avoid potential reentrancy bugs'
+var categories = require('./categories')
+var common = require('./staticAnalysisCommon')
+var fcallGraph = require('./functionCallGraph')
+var AbstractAst = require('./abstractAstView')
+
+function checksEffectsInteraction () {
+  this.abstractAst = new AbstractAst()
+  this.visit = this.abstractAst.build_visit(
+    (node) => common.isInteraction(node) || common.isEffect(node) || common.isLocalCallGraphRelevantNode(node)
+  )
+
+  this.report = this.abstractAst.build_report(report)
+}
+
+checksEffectsInteraction.prototype.visit = function () { throw new Error('checksEffectsInteraction.js no visit function set upon construction') }
+
+checksEffectsInteraction.prototype.report = function () { throw new Error('checksEffectsInteraction.js no report function set upon construction') }
+
+function report (contracts, multipleContractsWithSameName) {
+  var warnings = []
+  var hasModifiers = contracts.some((item) => item.modifiers.length > 0)
+
+  var callGraph = fcallGraph.buildGlobalFuncCallGraph(contracts)
+
+  contracts.forEach((contract) => {
+    contract.functions.forEach((func) => {
+      func.changesState = checkIfChangesState(common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters),
+                                                                                  getContext(callGraph, contract, func))
+    })
+
+    contract.functions.forEach((func) => {
+      if (isPotentialVulnerableFunction(func, getContext(callGraph, contract, func))) {
+        var funcName = common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters)
+        var comments = (hasModifiers) ? '<br/><i>Note:</i> Modifiers are currently not considered by this static analysis.' : ''
+        comments += (multipleContractsWithSameName) ? '<br/><i>Note:</i> Import aliases are currently not supported by this static analysis.' : ''
+        warnings.push({
+          warning: `Potential Violation of Checks-Effects-Interaction pattern in <i>${funcName}</i>: Could potentially lead to re-entrancy vulnerability. ${comments}`,
+          location: func.src,
+          more: 'http://solidity.readthedocs.io/en/develop/security-considerations.html#re-entrancy'
+        })
+      }
+    })
+  })
+
+  return warnings
+}
+
+function getContext (callGraph, currentContract, func) {
+  return { callGraph: callGraph, currentContract: currentContract, stateVariables: getStateVariables(currentContract, func) }
+}
+
+function getStateVariables (contract, func) {
+  return contract.stateVariables.concat(func.localVariables.filter(common.isStorageVariableDeclaration))
+}
+
+function isPotentialVulnerableFunction (func, context) {
+  var isPotentialVulnerable = false
+  var interaction = false
+  func.relevantNodes.forEach((node) => {
+    if (common.isInteraction(node)) {
+      interaction = true
+    } else if (interaction && (common.isWriteOnStateVariable(node, context.stateVariables) || isLocalCallWithStateChange(node, context))) {
+      isPotentialVulnerable = true
+    }
+  })
+  return isPotentialVulnerable
+}
+
+function isLocalCallWithStateChange (node, context) {
+  if (common.isLocalCallGraphRelevantNode(node)) {
+    var func = fcallGraph.resolveCallGraphSymbol(context.callGraph, common.getFullQualifiedFunctionCallIdent(context.currentContract.node, node))
+    return !func || (func && func.node.changesState)
+  }
+  return false
+}
+
+function checkIfChangesState (startFuncName, context) {
+  return fcallGraph.analyseCallGraph(context.callGraph, startFuncName, context, (node, context) => common.isWriteOnStateVariable(node, context.stateVariables))
+}
+
+module.exports = {
+  name: name,
+  description: desc,
+  category: categories.SECURITY,
+  Module: checksEffectsInteraction
+}

src/app/staticanalysis/modules/constantFunctions.js

@@ -0,0 +1,94 @@
+var name = 'Constant functions'
+var desc = 'Check for potentially constant functions'
+var categories = require('./categories')
+var common = require('./staticAnalysisCommon')
+var fcallGraph = require('./functionCallGraph')
+var AbstractAst = require('./abstractAstView')
+
+function constantFunctions () {
+  this.abstractAst = new AbstractAst()
+
+  this.visit = this.abstractAst.build_visit(
+    (node) => common.isLowLevelCall(node) || common.isTransfer(node) || common.isExternalDirectCall(node) || common.isEffect(node) || common.isLocalCallGraphRelevantNode(node) || common.isInlineAssembly(node) || common.isNewExpression(node)
+  )
+
+  this.report = this.abstractAst.build_report(report)
+}
+
+constantFunctions.prototype.visit = function () { throw new Error('constantFunctions.js no visit function set upon construction') }
+
+constantFunctions.prototype.report = function () { throw new Error('constantFunctions.js no report function set upon construction') }
+
+function report (contracts, multipleContractsWithSameName) {
+  var warnings = []
+  var hasModifiers = contracts.some((item) => item.modifiers.length > 0)
+
+  var callGraph = fcallGraph.buildGlobalFuncCallGraph(contracts)
+
+  contracts.forEach((contract) => {
+    contract.functions.forEach((func) => {
+      func.potentiallyshouldBeConst = checkIfShouldBeConstant(common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters),
+                                                              getContext(callGraph, contract, func))
+    })
+
+    contract.functions.filter((func) => common.hasFunctionBody(func.node)).forEach((func) => {
+      if (common.isConstantFunction(func.node) !== func.potentiallyshouldBeConst) {
+        var funcName = common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters)
+        var comments = (hasModifiers) ? '<br/><i>Note:</i> Modifiers are currently not considered by this static analysis.' : ''
+        comments += (multipleContractsWithSameName) ? '<br/><i>Note:</i> Import aliases are currently not supported by this static analysis.' : ''
+        if (func.potentiallyshouldBeConst) {
+          warnings.push({
+            warning: `<i>${funcName}</i>: Potentially should be constant but is not. ${comments}`,
+            location: func.src,
+            more: 'http://solidity.readthedocs.io/en/develop/contracts.html#constant-functions'
+          })
+        } else {
+          warnings.push({
+            warning: `<i>${funcName}</i>: Is constant but potentially should not be. ${comments}`,
+            location: func.src,
+            more: 'http://solidity.readthedocs.io/en/develop/contracts.html#constant-functions'
+          })
+        }
+      }
+    })
+  })
+
+  return warnings
+}
+
+function getContext (callGraph, currentContract, func) {
+  return { callGraph: callGraph, currentContract: currentContract, stateVariables: getStateVariables(currentContract, func) }
+}
+
+function getStateVariables (contract, func) {
+  return contract.stateVariables.concat(func.localVariables.filter(common.isStorageVariableDeclaration))
+}
+
+function checkIfShouldBeConstant (startFuncName, context) {
+  return !fcallGraph.analyseCallGraph(context.callGraph, startFuncName, context, isConstBreaker)
+}
+
+function isConstBreaker (node, context) {
+  return common.isWriteOnStateVariable(node, context.stateVariables) ||
+        common.isLowLevelCall(node) ||
+        common.isTransfer(node) ||
+        isCallOnNonConstExternalInterfaceFunction(node, context) ||
+        common.isCallToNonConstLocalFunction(node) ||
+        common.isInlineAssembly(node) ||
+        common.isNewExpression(node)
+}
+
+function isCallOnNonConstExternalInterfaceFunction (node, context) {
+  if (common.isExternalDirectCall(node)) {
+    var func = fcallGraph.resolveCallGraphSymbol(context.callGraph, common.getFullQualifiedFunctionCallIdent(context.currentContract, node))
+    return !func || (func && !common.isConstantFunction(func.node.node))
+  }
+  return false
+}
+
+module.exports = {
+  name: name,
+  description: desc,
+  category: categories.MISC,
+  Module: constantFunctions
+}

src/app/staticanalysis/modules/functionCallGraph.js

@@ -0,0 +1,114 @@
+'use strict'
+
+var common = require('./staticAnalysisCommon')
+
+function buildLocalFuncCallGraphInternal (functions, nodeFilter, extractNodeIdent, extractFuncDefIdent) {
+  var callGraph = {}
+  functions.forEach((func) => {
+    var calls = func.relevantNodes
+      .filter(nodeFilter)
+      .map(extractNodeIdent)
+      .filter((name) => name !== extractFuncDefIdent(func)) // filter self recursive call
+
+    callGraph[extractFuncDefIdent(func)] = { node: func, calls: calls }
+  })
+
+  return callGraph
+}
+
+/**
+ * Builds a function call graph for the current contracts.
+ * Example Contract call graph:
+ *
+ * {
+ *  "KingOfTheEtherThrone": {
+ *    "contracts": {...},                                        // Contract node as defined in abstractAstView.js
+ *    "functions": {
+ *      "KingOfTheEtherThrone.claimThrone(string memory)": {    // function in KingOfEtherThrone
+ *        "node": {...},                                        // function node as defined in abstractAstView.js
+ *        "calls": {                                            // list of full qualified function names which are called form this function
+ *        }
+ *      }
+ *    }
+ *  },
+ *  "foo": {
+ *    "contract": {...},           // Contract node as definded in abstractAstView.js
+ *    "functions": {}             // map from full qualified function name to func node
+ *  }
+ * }
+ *
+ * @contracts {list contracts} Expects as input the contract structure defined in abstractAstView.js
+ * @return {map (string -> Contract Call Graph)} returns map from contract name to contract call graph
+ */
+function buildGlobalFuncCallGraph (contracts) {
+  var callGraph = {}
+  contracts.forEach((contract) => {
+    var filterNodes = (node) => { return common.isLocalCallGraphRelevantNode(node) || common.isExternalDirectCall(node) }
+    var getNodeIdent = (node) => { return common.getFullQualifiedFunctionCallIdent(contract.node, node) }
+    var getFunDefIdent = (funcDef) => { return common.getFullQuallyfiedFuncDefinitionIdent(contract.node, funcDef.node, funcDef.parameters) }
+
+    callGraph[common.getContractName(contract.node)] = { contract: contract, functions: buildLocalFuncCallGraphInternal(contract.functions, filterNodes, getNodeIdent, getFunDefIdent) }
+  })
+
+  return callGraph
+}
+
+/**
+ * Walks through the call graph from a defined starting function, true if nodeCheck holds for every relevant node in the callgraph
+ * @callGraph {callGraph} As returned by buildGlobalFuncCallGraph
+ * @funcName {string} full qualified name of the starting function
+ * @context {Object} provides additional context information that can be used by the nodeCheck function
+ * @nodeCheck {(ASTNode, context) -> bool} applied on every relevant node in the call graph
+ * @return {bool} returns map from contract name to contract call graph
+ */
+function analyseCallGraph (callGraph, funcName, context, nodeCheck) {
+  return analyseCallGraphInternal(callGraph, funcName, context, (a, b) => a || b, nodeCheck, {})
+}
+
+function analyseCallGraphInternal (callGraph, funcName, context, combinator, nodeCheck, visited) {
+  var current = resolveCallGraphSymbol(callGraph, funcName)
+
+  if (current === undefined || visited[funcName] === true) return true
+  visited[funcName] = true
+
+  return combinator(current.node.relevantNodes.reduce((acc, val) => combinator(acc, nodeCheck(val, context)), false),
+                        current.calls.reduce((acc, val) => combinator(acc, analyseCallGraphInternal(callGraph, val, context, combinator, nodeCheck, visited)), false))
+}
+
+function resolveCallGraphSymbol (callGraph, funcName) {
+  return resolveCallGraphSymbolInternal(callGraph, funcName, false)
+}
+
+function resolveCallGraphSymbolInternal (callGraph, funcName, silent) {
+  var current
+  if (funcName.includes('.')) {
+    var parts = funcName.split('.')
+    var contractPart = parts[0]
+    var functionPart = parts[1]
+    var currentContract = callGraph[contractPart]
+    if (!(currentContract === undefined)) {
+      current = currentContract.functions[funcName]
+       // resolve inheritance hierarchy
+      if (current === undefined) {
+        // resolve inheritance lookup in linearized fashion
+        var inheritsFromNames = currentContract.contract.inheritsFrom.reverse()
+        for (var i = 0; i < inheritsFromNames.length; i++) {
+          var res = resolveCallGraphSymbolInternal(callGraph, inheritsFromNames[i] + '.' + functionPart, true)
+          if (!(res === undefined)) return res
+        }
+      }
+    } else {
+      if (!silent) console.log(`static analysis functionCallGraph.js: Contract ${contractPart} not found in function call graph.`)
+    }
+  } else {
+    throw new Error('functionCallGraph.js: function does not have full qualified name.')
+  }
+  if (current === undefined && !silent) console.log(`static analysis functionCallGraph.js: ${funcName} not found in function call graph.`)
+  return current
+}
+
+module.exports = {
+  analyseCallGraph: analyseCallGraph,
+  buildGlobalFuncCallGraph: buildGlobalFuncCallGraph,
+  resolveCallGraphSymbol: resolveCallGraphSymbol
+}

src/app/staticanalysis/modules/gasCosts.js

@@ -1,5 +1,5 @@
-var name = 'gas costs: '
-var desc = 'warn if the gas requiremets of functions are too high'
+var name = 'Gas Costs: '
+var desc = 'Warn if the gas requiremets of functions are too high.'
 var categories = require('./categories')
 
 function gasCosts () {

src/app/staticanalysis/modules/inlineAssembly.js

@@ -0,0 +1,29 @@
+var name = 'Inline Assembly'
+var desc = 'Use of Inline Assembly'
+var categories = require('./categories')
+var common = require('./staticAnalysisCommon')
+
+function inlineAssembly () {
+  this.inlineAssNodes = []
+}
+
+inlineAssembly.prototype.visit = function (node) {
+  if (common.isInlineAssembly(node)) this.inlineAssNodes.push(node)
+}
+
+inlineAssembly.prototype.report = function (compilationResults) {
+  return this.inlineAssNodes.map((node) => {
+    return {
+      warning: `CAUTION: The Contract uses inline assembly, this is only advised in rare cases. Additionally static analysis modules do not parse inline Assembly, this can lead to wrong analysis results.`,
+      location: node.src,
+      more: 'http://solidity.readthedocs.io/en/develop/assembly.html#solidity-assembly'
+    }
+  })
+}
+
+module.exports = {
+  name: name,
+  description: desc,
+  category: categories.SECURITY,
+  Module: inlineAssembly
+}

src/app/staticanalysis/modules/list.js

@@ -1,5 +1,12 @@
 module.exports = [
   require('./txOrigin'),
   require('./gasCosts'),
-  require('./thisLocal')
+  require('./thisLocal'),
+  require('./checksEffectsInteraction'),
+  require('./constantFunctions')
+  // require('./similarVariableNames.js'),
+  // require('./inlineAssembly'),
+  // require('./blockTimestamp'),
+  // require('./lowLevelCalls'),
+  // require('./blockBlockhash')
 ]

src/app/staticanalysis/modules/staticAnalysisCommon.js

@@ -5,7 +5,20 @@ var utils = require('../../utils')
 var nodeTypes = {
   IDENTIFIER: 'Identifier',
   MEMBERACCESS: 'MemberAccess',
-  FUNCTIONCALL: 'FunctionCall'
+  FUNCTIONCALL: 'FunctionCall',
+  FUNCTIONDEFINITION: 'FunctionDefinition',
+  VARIABLEDECLARATION: 'VariableDeclaration',
+  ASSIGNMENT: 'Assignment',
+  CONTRACTDEFINITION: 'ContractDefinition',
+  UNARYOPERATION: 'UnaryOperation',
+  EXPRESSIONSTATEMENT: 'ExpressionStatement',
+  MODIFIERDEFINITION: 'ModifierDefinition',
+  MODIFIERINVOCATION: 'ModifierInvocation',
+  INHERITANCESPECIFIER: 'InheritanceSpecifier',
+  USERDEFINEDTYPENAME: 'UserDefinedTypeName',
+  INLINEASSEMBLY: 'InlineAssembly',
+  BLOCK: 'Block',
+  NEWEXPRESSION: 'NewExpression'
 }
 
 var basicTypes = {
@@ -17,20 +30,41 @@ var basicTypes = {
 
 var basicRegex = {
   CONTRACTTYPE: '^contract ',
-  FUNCTIONTYPE: '^function \\('
+  FUNCTIONTYPE: '^function \\(',
+  EXTERNALFUNCTIONTYPE: '^function \\(.*\\).* external',
+  CONSTANTFUNCTIONTYPE: '^function \\(.*\\).* constant',
+  REFTYPE: '( storage )|(mapping\\()|(\\[\\])',
+  FUNCTIONSIGNATURE: '^function \\(([^\\(]*)\\)',
+  LIBRARYTYPE: '^type\\(library (.*)\\)'
 }
 
 var basicFunctionTypes = {
   SEND: buildFunctionSignature([basicTypes.UINT], [basicTypes.BOOL], false),
   CALL: buildFunctionSignature([], [basicTypes.BOOL], true),
-  DELEGATECALL: buildFunctionSignature([], [basicTypes.BOOL], false)
+  DELEGATECALL: buildFunctionSignature([], [basicTypes.BOOL], false),
+  TRANSFER: buildFunctionSignature([basicTypes.UINT], [], false)
+}
+
+var builtinFunctions = {
+  'keccak256()': true,
+  'sha3()': true,
+  'sha256()': true,
+  'ripemd160()': true,
+  'ecrecover(bytes32,uint8,bytes32,bytes32)': true,
+  'addmod(uint256,uint256,uint256)': true,
+  'mulmod(uint256,uint256,uint256)': true,
+  'selfdestruct(address)': true,
+  'revert()': true,
+  'assert(bool)': true,
+  'require(bool)': true
 }
 
 var lowLevelCallTypes = {
   CALL: { ident: 'call', type: basicFunctionTypes.CALL },
   CALLCODE: { ident: 'callcode', type: basicFunctionTypes.CALL },
   DELEGATECALL: { ident: 'delegatecall', type: basicFunctionTypes.DELEGATECALL },
-  SEND: { ident: 'send', type: basicFunctionTypes.SEND }
+  SEND: { ident: 'send', type: basicFunctionTypes.SEND },
+  TRANSFER: { ident: 'transfer', type: basicFunctionTypes.TRANSFER }
 }
 
 var specialVariables = {
@@ -42,26 +76,503 @@ var specialVariables = {
   }
 }
 
-// usage of now special variable
+// #################### Trivial Getters
+
+function getType (node) {
+  return node.attributes.type
+}
+
+// #################### Complex Getters
+
+/**
+ * Returns the type parameter of function call AST nodes. Throws if not a function call node
+ * @func {ASTNode} Function call node
+ * @return {string} type of function call
+ */
+function getFunctionCallType (func) {
+  if (!(isExternalDirectCall(func) || isThisLocalCall(func) || isSuperLocalCall(func) || isLocalCall(func) || isLibraryCall(func))) throw new Error('staticAnalysisCommon.js: not function call Node')
+  if (isExternalDirectCall(func) || isThisLocalCall(func) || isSuperLocalCall(func) || isLibraryCall(func)) return func.attributes.type
+  return findFirstSubNodeLTR(func, exactMatch(nodeTypes.IDENTIFIER)).attributes.type
+}
+
+/**
+ * Get the variable name written to by a effect node, except for inline assembly because there is no information to find out where we write to. Trows if not a effect node or is inlineassmbly.
+ * Example: x = 10; => x
+ * @effectNode {ASTNode} Function call node
+ * @return {string} variable name written to
+ */
+function getEffectedVariableName (effectNode) {
+  if (!isEffect(effectNode) || isInlineAssembly(effectNode)) throw new Error('staticAnalysisCommon.js: not an effect Node or inline assembly')
+  return findFirstSubNodeLTR(effectNode, exactMatch(nodeTypes.IDENTIFIER)).attributes.value
+}
+
+/**
+ * Returns the identifier of a local call, Throws on wrong node.
+ * Example: f(103) => f
+ * @localCallNode {ASTNode} Function call node
+ * @return {string} name of the function called
+ */
+function getLocalCallName (localCallNode) {
+  if (!isLocalCall(localCallNode)) throw new Error('staticAnalysisCommon.js: not an local call Node')
+  return localCallNode.children[0].attributes.value
+}
+
+/**
+ * Returns the identifier of a this local call, Throws on wrong node.
+ * Example: this.f(103) => f
+ * @localCallNode {ASTNode} Function call node
+ * @return {string} name of the function called
+ */
+function getThisLocalCallName (localCallNode) {
+  if (!isThisLocalCall(localCallNode)) throw new Error('staticAnalysisCommon.js: not an this local call Node')
+  return localCallNode.attributes.value
+}
+
+/**
+ * Returns the identifier of a super local call, Throws on wrong node.
+ * Example: super.f(103) => f
+ * @localCallNode {ASTNode} Function call node
+ * @return {string} name of the function called
+ */
+function getSuperLocalCallName (localCallNode) {
+  if (!isSuperLocalCall(localCallNode)) throw new Error('staticAnalysisCommon.js: not an super local call Node')
+  return localCallNode.attributes.member_name
+}
+
+/**
+ * Returns the contract type of a external direct call, Throws on wrong node.
+ * Example:
+ *  foo x = foo(0xdeadbeef...);
+ *  x.f(103) => foo
+ * @extDirectCall {ASTNode} Function call node
+ * @return {string} name of the contract the function is defined in
+ */
+function getExternalDirectCallContractName (extDirectCall) {
+  if (!isExternalDirectCall(extDirectCall)) throw new Error('staticAnalysisCommon.js: not an external direct call Node')
+  return extDirectCall.children[0].attributes.type.replace(new RegExp(basicRegex.CONTRACTTYPE), '')
+}
+
+/**
+ * Returns the name of the contract of a this local call (current contract), Throws on wrong node.
+ * Example:
+ * Contract foo {
+ *    ...
+ *    this.f(103) => foo
+ *    ...
+ * @thisLocalCall {ASTNode} Function call node
+ * @return {string} name of the contract the function is defined in
+ */
+function getThisLocalCallContractName (thisLocalCall) {
+  if (!isThisLocalCall(thisLocalCall)) throw new Error('staticAnalysisCommon.js: not an this local call Node')
+  return thisLocalCall.children[0].attributes.type.replace(new RegExp(basicRegex.CONTRACTTYPE), '')
+}
+
+/**
+ * Returns the function identifier of a external direct call, Throws on wrong node.
+ * Example:
+ *  foo x = foo(0xdeadbeef...);
+ *  x.f(103) => f
+ * @extDirectCall {ASTNode} Function call node
+ * @return {string} name of the function called
+ */
+function getExternalDirectCallMemberName (extDirectCall) {
+  if (!isExternalDirectCall(extDirectCall)) throw new Error('staticAnalysisCommon.js: not an external direct call Node')
+  return extDirectCall.attributes.member_name
+}
+
+/**
+ * Returns the name of a contract, Throws on wrong node.
+ * Example:
+ *   Contract foo { => foo
+ * @contract {ASTNode} Contract Definition node
+ * @return {string} name of a contract defined
+ */
+function getContractName (contract) {
+  if (!isContractDefinition(contract)) throw new Error('staticAnalysisCommon.js: not an contractDefinition Node')
+  return contract.attributes.name
+}
+
+/**
+ * Returns the name of a function definition, Throws on wrong node.
+ * Example:
+ *   func foo(uint bla) { => foo
+ * @funcDef {ASTNode} Function Definition node
+ * @return {string} name of a function defined
+ */
+function getFunctionDefinitionName (funcDef) {
+  if (!isFunctionDefinition(funcDef)) throw new Error('staticAnalysisCommon.js: not an functionDefinition Node')
+  return funcDef.attributes.name
+}
+
+/**
+ * Returns the identifier of an inheritance specifier, Throws on wrong node.
+ * Example:
+ *   contract KingOfTheEtherThrone is b { => b
+ * @func {ASTNode} Inheritance specifier
+ * @return {string} name of contract inherited from
+ */
+function getInheritsFromName (inheritsNode) {
+  if (!isInheritanceSpecifier(inheritsNode)) throw new Error('staticAnalysisCommon.js: not an InheritanceSpecifier node Node')
+  return inheritsNode.children[0].attributes.name
+}
+
+/**
+ * Returns the identifier of a variable definition, Throws on wrong node.
+ * Example:
+ *   var x = 10; => x
+ * @varDeclNode {ASTNode} Variable declaration node
+ * @return {string} variable name
+ */
+function getDeclaredVariableName (varDeclNode) {
+  if (!isVariableDeclaration(varDeclNode)) throw new Error('staticAnalysisCommon.js: not an variable declaration')
+  return varDeclNode.attributes.name
+}
+
+/**
+ * Returns state variable declaration nodes for a contract, Throws on wrong node.
+ * Example:
+ * contract foo {
+ *     ...
+ *   var y = true;
+ *   var x = 10; => [y,x]
+ * @contractNode {ASTNode} Contract Definition node
+ * @return {list variable declaration} state variable node list
+ */
+function getStateVariableDeclarationsFormContractNode (contractNode) {
+  if (!isContractDefinition(contractNode)) throw new Error('staticAnalysisCommon.js: not an contract definition declaration')
+  return contractNode.children.filter((el) => isVariableDeclaration(el))
+}
+
+/**
+ * Returns parameter node for a function or modifier definition, Throws on wrong node.
+ * Example:
+ * function bar(uint a, uint b) => uint a, uint b
+ * @funcNode {ASTNode} Contract Definition node
+ * @return {parameterlist node} parameterlist node
+ */
+function getFunctionOrModifierDefinitionParameterPart (funcNode) {
+  if (!isFunctionDefinition(funcNode) && !isModifierDefinition(funcNode)) throw new Error('staticAnalysisCommon.js: not an function definition')
+  return funcNode.children[0]
+}
+
+/**
+ * Extracts the parameter types for a function type signature
+ * Example:
+ * function(uint a, uint b) returns (bool) => uint a, uint b
+ * @func {ASTNode} function call node
+ * @return {string} parameter signature
+ */
+function getFunctionCallTypeParameterType (func) {
+  return new RegExp(basicRegex.FUNCTIONSIGNATURE).exec(getFunctionCallType(func))[1]
+}
+
+/**
+ * Returns the name of the library called, Throws on wrong node.
+ * Example:
+ *  library set{...}
+ *  contract foo {
+ *    ...
+ *    function () { set.union() => set}
+ * @funcCall {ASTNode} function call node
+ * @return {string} name of the lib defined
+ */
+function getLibraryCallContractName (funcCall) {
+  if (!isLibraryCall(funcCall)) throw new Error('staticAnalysisCommon.js: not an this library call Node')
+  return new RegExp(basicRegex.LIBRARYTYPE).exec(funcCall.children[0].attributes.type)[1]
+}
+
+/**
+ * Returns the name of the function of a library call, Throws on wrong node.
+ * Example:
+ *  library set{...}
+ *  contract foo {
+ *    ...
+ *    function () { set.union() => uinion}
+ * @func {ASTNode} function call node
+ * @return {string} name of function called on the library
+ */
+function getLibraryCallMemberName (funcCall) {
+  if (!isLibraryCall(funcCall)) throw new Error('staticAnalysisCommon.js: not an library call Node')
+  return funcCall.attributes.member_name
+}
+
+/**
+ * Returns full qualified name for a function call, Throws on wrong node.
+ * Example:
+ *  contract foo {
+ *    ...
+ *    function bar(uint b) { }
+ *    function baz() {
+ *      bar(10) => foo.bar(uint)
+ * @func {ASTNode} function call node
+ * @func {ASTNode} contract defintion
+ * @return {string} full qualified identifier for the function call
+ */
+function getFullQualifiedFunctionCallIdent (contract, func) {
+  if (isLocalCall(func)) return getContractName(contract) + '.' + getLocalCallName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
+  else if (isThisLocalCall(func)) return getThisLocalCallContractName(func) + '.' + getThisLocalCallName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
+  else if (isSuperLocalCall(func)) return getContractName(contract) + '.' + getSuperLocalCallName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
+  else if (isExternalDirectCall(func)) return getExternalDirectCallContractName(func) + '.' + getExternalDirectCallMemberName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
+  else if (isLibraryCall(func)) return getLibraryCallContractName(func) + '.' + getLibraryCallMemberName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
+  else throw new Error('staticAnalysisCommon.js: Can not get function name form non function call node')
+}
+
+function getFullQuallyfiedFuncDefinitionIdent (contract, func, paramTypes) {
+  return getContractName(contract) + '.' + getFunctionDefinitionName(func) + '(' + utils.concatWithSeperator(paramTypes, ',') + ')'
+}
+
+// #################### Trivial Node Identification
+
+function isFunctionDefinition (node) {
+  return nodeType(node, exactMatch(nodeTypes.FUNCTIONDEFINITION))
+}
+
+function isModifierDefinition (node) {
+  return nodeType(node, exactMatch(nodeTypes.MODIFIERDEFINITION))
+}
+
+function isModifierInvocation (node) {
+  return nodeType(node, exactMatch(nodeTypes.MODIFIERINVOCATION))
+}
+
+function isVariableDeclaration (node) {
+  return nodeType(node, exactMatch(nodeTypes.VARIABLEDECLARATION))
+}
+
+function isInheritanceSpecifier (node) {
+  return nodeType(node, exactMatch(nodeTypes.INHERITANCESPECIFIER))
+}
+
+function isAssignment (node) {
+  return nodeType(node, exactMatch(nodeTypes.ASSIGNMENT))
+}
+
+function isContractDefinition (node) {
+  return nodeType(node, exactMatch(nodeTypes.CONTRACTDEFINITION))
+}
+
+function isInlineAssembly (node) {
+  return nodeType(node, exactMatch(nodeTypes.INLINEASSEMBLY))
+}
+
+function isNewExpression (node) {
+  return nodeType(node, exactMatch(nodeTypes.NEWEXPRESSION))
+}
+
+// #################### Complex Node Identification
+
+/**
+ * True if function defintion has function body
+ * @funcNode {ASTNode} function defintion node
+ * @return {bool}
+ */
+function hasFunctionBody (funcNode) {
+  return findFirstSubNodeLTR(funcNode, exactMatch(nodeTypes.BLOCK)) != null
+}
+
+/**
+ * True if call to code within the current contracts context including (delegate) library call
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isLocalCallGraphRelevantNode (node) {
+  return ((isLocalCall(node) || isSuperLocalCall(node) || isLibraryCall(node)) && !isBuiltinFunctionCall(node))
+}
+
+/**
+ * True if is builtin function like assert, sha3, erecover, ...
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isBuiltinFunctionCall (node) {
+  return isLocalCall(node) && builtinFunctions[getLocalCallName(node) + '(' + getFunctionCallTypeParameterType(node) + ')'] === true
+}
+
+/**
+ * True if is storage variable declaration
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isStorageVariableDeclaration (node) {
+  return isVariableDeclaration(node) && expressionType(node, basicRegex.REFTYPE)
+}
+
+/**
+ * True if is interaction with external contract (change in context, no delegate calls) (send, call of other contracts)
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isInteraction (node) {
+  return isLLCall(node) || isLLSend(node) || isExternalDirectCall(node)
+}
+
+/**
+ * True if node changes state of a variable or is inline assembly (does not include check if it is a global state change, on a state variable)
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isEffect (node) {
+  return isAssignment(node) || isPlusPlusUnaryOperation(node) || isMinusMinusUnaryOperation(node) || isInlineAssembly(node)
+}
+
+/**
+ * True if node changes state of a variable or is inline assembly (Checks if variable is a state variable via provided list)
+ * @node {ASTNode} some AstNode
+ * @node {list Variable declaration} state variable declaration currently in scope
+ * @return {bool}
+ */
+function isWriteOnStateVariable (effectNode, stateVariables) {
+  return isInlineAssembly(effectNode) || (isEffect(effectNode) && isStateVariable(getEffectedVariableName(effectNode), stateVariables))
+}
+
+/**
+ * True if there is a variable with name, name in stateVariables
+ * @node {ASTNode} some AstNode
+ * @node {list Variable declaration} state variable declaration currently in scope
+ * @return {bool}
+ */
+function isStateVariable (name, stateVariables) {
+  return stateVariables.some((item) => name === getDeclaredVariableName(item))
+}
+
+/**
+ * True if is function defintion that is flaged as constant
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isConstantFunction (node) {
+  return isFunctionDefinition(node) && node.attributes.constant === true
+}
+
+/**
+ * True if unary increment operation
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isPlusPlusUnaryOperation (node) {
+  return nodeType(node, exactMatch(nodeTypes.UNARYOPERATION)) && operator(node, exactMatch(utils.escapeRegExp('++')))
+}
+
+/**
+ * True if unary decrement operation
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isMinusMinusUnaryOperation (node) {
+  return nodeType(node, exactMatch(nodeTypes.UNARYOPERATION)) && operator(node, exactMatch(utils.escapeRegExp('--')))
+}
+
+/**
+ * True if all functions on a contract are implemented
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isFullyImplementedContract (node) {
+  return nodeType(node, exactMatch(nodeTypes.CONTRACTDEFINITION)) && node.attributes.fullyImplemented === true
+}
+
+/**
+ * True if it is a library contract defintion
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isLibrary (node) {
+  return nodeType(node, exactMatch(nodeTypes.CONTRACTDEFINITION)) && node.attributes.isLibrary === true
+}
+
+/**
+ * True if it is a local call to non const function
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isCallToNonConstLocalFunction (node) {
+  return isLocalCall(node) && !expressionType(node.children[0], basicRegex.CONSTANTFUNCTIONTYPE)
+}
+
+/**
+ * True if it is a call to a library
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isLibraryCall (node) {
+  return isMemberAccess(node, basicRegex.FUNCTIONTYPE, undefined, basicRegex.LIBRARYTYPE, undefined)
+}
+
+/**
+ * True if it is an external call via defined interface (not low level call)
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isExternalDirectCall (node) {
+  return isMemberAccess(node, basicRegex.EXTERNALFUNCTIONTYPE, undefined, basicRegex.CONTRACTTYPE, undefined) && !isThisLocalCall(node) && !isSuperLocalCall(node)
+}
+
+/**
+ * True if access to block.timestamp via now alias
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isNowAccess (node) {
-  return nodeType(node, nodeTypes.IDENTIFIER) &&
-        expressionType(node, basicTypes.UINT) &&
-        name(node, 'now')
+  return nodeType(node, exactMatch(nodeTypes.IDENTIFIER)) &&
+        expressionType(node, exactMatch(basicTypes.UINT)) &&
+        name(node, exactMatch('now'))
 }
 
-// usage of block timestamp
+/**
+ * True if access to block.timestamp
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isBlockTimestampAccess (node) {
   return isSpecialVariableAccess(node, specialVariables.BLOCKTIMESTAMP)
 }
 
-function isSpecialVariableAccess (node, varType) {
-  return isMemberAccess(node, varType.type, varType.obj, varType.obj, varType.member)
+/**
+ * True if access to block.blockhash
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isBlockBlockHashAccess (node) {
+  return isSpecialVariableAccess(node, specialVariables.BLOCKHASH)
 }
 
+/**
+ * True if call to local function via this keyword
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isThisLocalCall (node) {
-  return isMemberAccess(node, basicRegex.FUNCTIONTYPE, 'this', basicRegex.CONTRACTTYPE, undefined)
+  return isMemberAccess(node, basicRegex.FUNCTIONTYPE, exactMatch('this'), basicRegex.CONTRACTTYPE, undefined)
 }
 
+/**
+ * True if access to local function via super keyword
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isSuperLocalCall (node) {
+  return isMemberAccess(node, basicRegex.FUNCTIONTYPE, exactMatch('super'), basicRegex.CONTRACTTYPE, undefined)
+}
+
+/**
+ * True if call to local function
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isLocalCall (node) {
+  return nodeType(node, exactMatch(nodeTypes.FUNCTIONCALL)) &&
+        minNrOfChildren(node, 1) &&
+        nodeType(node.children[0], exactMatch(nodeTypes.IDENTIFIER)) &&
+        expressionType(node.children[0], basicRegex.FUNCTIONTYPE) &&
+        !expressionType(node.children[0], basicRegex.EXTERNALFUNCTIONTYPE) &&
+        nrOfChildren(node.children[0], 0)
+}
+
+/**
+ * True if low level call (send, call, delegatecall, callcode)
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isLowLevelCall (node) {
   return isLLCall(node) ||
           isLLCallcode(node) ||
@@ -69,32 +580,65 @@ function isLowLevelCall (node) {
           isLLSend(node)
 }
 
+/**
+ * True if low level send
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isLLSend (node) {
   return isMemberAccess(node,
-          utils.escapeRegExp(lowLevelCallTypes.SEND.type),
-          undefined, basicTypes.ADDRESS, lowLevelCallTypes.SEND.ident)
+          exactMatch(utils.escapeRegExp(lowLevelCallTypes.SEND.type)),
+          undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.SEND.ident))
 }
 
+/**
+ * True if low level call
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isLLCall (node) {
   return isMemberAccess(node,
-          utils.escapeRegExp(lowLevelCallTypes.CALL.type),
-          undefined, basicTypes.ADDRESS, lowLevelCallTypes.CALL.ident)
+          exactMatch(utils.escapeRegExp(lowLevelCallTypes.CALL.type)),
+          undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.CALL.ident))
 }
 
+/**
+ * True if low level callcode
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isLLCallcode (node) {
   return isMemberAccess(node,
-          utils.escapeRegExp(lowLevelCallTypes.CALLCODE.type),
-          undefined, basicTypes.ADDRESS, lowLevelCallTypes.CALLCODE.ident)
+          exactMatch(utils.escapeRegExp(lowLevelCallTypes.CALLCODE.type)),
+          undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.CALLCODE.ident))
 }
 
+/**
+ * True if low level delegatecall
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
 function isLLDelegatecall (node) {
   return isMemberAccess(node,
-          utils.escapeRegExp(lowLevelCallTypes.DELEGATECALL.type),
-          undefined, basicTypes.ADDRESS, lowLevelCallTypes.DELEGATECALL.ident)
+          exactMatch(utils.escapeRegExp(lowLevelCallTypes.DELEGATECALL.type)),
+          undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.DELEGATECALL.ident))
+}
+
+/**
+ * True if transfer call
+ * @node {ASTNode} some AstNode
+ * @return {bool}
+ */
+function isTransfer (node) {
+  return isMemberAccess(node,
+          exactMatch(utils.escapeRegExp(lowLevelCallTypes.TRANSFER.type)),
+          undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.TRANSFER.ident))
 }
 
+// #################### Complex Node Identification - Private
+
 function isMemberAccess (node, retType, accessor, accessorType, memberName) {
-  return nodeType(node, nodeTypes.MEMBERACCESS) &&
+  return nodeType(node, exactMatch(nodeTypes.MEMBERACCESS)) &&
         expressionType(node, retType) &&
         name(node, memberName) &&
         nrOfChildren(node, 1) &&
@@ -102,8 +646,18 @@ function isMemberAccess (node, retType, accessor, accessorType, memberName) {
         expressionType(node.children[0], accessorType)
 }
 
+function isSpecialVariableAccess (node, varType) {
+  return isMemberAccess(node, exactMatch(utils.escapeRegExp(varType.type)), varType.obj, varType.obj, varType.member)
+}
+
+// #################### Node Identification Primitives
+
 function nrOfChildren (node, nr) {
-  return (node && (nr === undefined || nr === null)) || (node && node.children && node.children.length === nr)
+  return (node && (nr === undefined || nr === null)) || (node && nr === 0 && !node.children) || (node && node.children && node.children.length === nr)
+}
+
+function minNrOfChildren (node, nr) {
+  return (node && (nr === undefined || nr === null)) || (node && nr === 0 && !node.children) || (node && node.children && node.children.length >= nr)
 }
 
 function expressionType (node, typeRegex) {
@@ -119,6 +673,16 @@ function name (node, nameRegex) {
   return (node && !nameRegex) || (node && node.attributes && (regex.test(node.attributes.value) || regex.test(node.attributes.member_name)))
 }
 
+function operator (node, opRegex) {
+  return (node && !opRegex) || (node && new RegExp(opRegex).test(node.attributes.operator))
+}
+
+// #################### Helpers
+
+function exactMatch (regexStr) {
+  return '^' + regexStr + '$'
+}
+
 /**
  * Builds an function signature as used in the AST of the solc-json AST
  * @param {Array} paramTypes
@@ -126,21 +690,96 @@ function name (node, nameRegex) {
  * @param {Array} returnTypes
  *  list of return type names
  * @return {Boolean} isPayable
- *  CAUTION: only needed in low level call signature or message-calls (other contracts, this.)
  */
 function buildFunctionSignature (paramTypes, returnTypes, isPayable) {
   return 'function (' + utils.concatWithSeperator(paramTypes, ',') + ')' + ((isPayable) ? ' payable' : '') + ((returnTypes.length) ? ' returns (' + utils.concatWithSeperator(returnTypes, ',') + ')' : '')
 }
 
+/**
+ * Finds first node of a certain type under a specific node.
+ * @node {AstNode} node to start form
+ * @type {String} Type the ast node should have
+ * @return {AstNode} null or node found
+ */
+function findFirstSubNodeLTR (node, type) {
+  if (!node || !node.children) return null
+  for (let i = 0; i < node.children.length; ++i) {
+    var item = node.children[i]
+    if (nodeType(item, type)) return item
+    else {
+      var res = findFirstSubNodeLTR(item, type)
+      if (res) return res
+    }
+  }
+  return null
+}
+
 module.exports = {
+  // #################### Trivial Getters
+  getType: getType,
+  // #################### Complex Getters
+  getThisLocalCallName: getThisLocalCallName,
+  getSuperLocalCallName: getSuperLocalCallName,
+  getFunctionCallType: getFunctionCallType,
+  getContractName: getContractName,
+  getEffectedVariableName: getEffectedVariableName,
+  getDeclaredVariableName: getDeclaredVariableName,
+  getLocalCallName: getLocalCallName,
+  getInheritsFromName: getInheritsFromName,
+  getExternalDirectCallContractName: getExternalDirectCallContractName,
+  getThisLocalCallContractName: getThisLocalCallContractName,
+  getExternalDirectCallMemberName: getExternalDirectCallMemberName,
+  getFunctionDefinitionName: getFunctionDefinitionName,
+  getFunctionCallTypeParameterType: getFunctionCallTypeParameterType,
+  getLibraryCallContractName: getLibraryCallContractName,
+  getLibraryCallMemberName: getLibraryCallMemberName,
+  getFullQualifiedFunctionCallIdent: getFullQualifiedFunctionCallIdent,
+  getFullQuallyfiedFuncDefinitionIdent: getFullQuallyfiedFuncDefinitionIdent,
+  getStateVariableDeclarationsFormContractNode: getStateVariableDeclarationsFormContractNode,
+  getFunctionOrModifierDefinitionParameterPart: getFunctionOrModifierDefinitionParameterPart,
+
+  // #################### Complex Node Identification
+  hasFunctionBody: hasFunctionBody,
+  isInteraction: isInteraction,
+  isEffect: isEffect,
   isNowAccess: isNowAccess,
   isBlockTimestampAccess: isBlockTimestampAccess,
+  isBlockBlockHashAccess: isBlockBlockHashAccess,
   isThisLocalCall: isThisLocalCall,
+  isSuperLocalCall: isSuperLocalCall,
+  isLibraryCall: isLibraryCall,
+  isLocalCallGraphRelevantNode: isLocalCallGraphRelevantNode,
+  isLocalCall: isLocalCall,
+  isWriteOnStateVariable: isWriteOnStateVariable,
+  isStateVariable: isStateVariable,
+  isTransfer: isTransfer,
   isLowLevelCall: isLowLevelCall,
   isLowLevelCallInst: isLLCall,
   isLowLevelCallcodeInst: isLLCallcode,
   isLowLevelDelegatecallInst: isLLDelegatecall,
   isLowLevelSendInst: isLLSend,
+  isExternalDirectCall: isExternalDirectCall,
+  isFullyImplementedContract: isFullyImplementedContract,
+  isLibrary: isLibrary,
+  isCallToNonConstLocalFunction: isCallToNonConstLocalFunction,
+  isPlusPlusUnaryOperation: isPlusPlusUnaryOperation,
+  isMinusMinusUnaryOperation: isMinusMinusUnaryOperation,
+  isBuiltinFunctionCall: isBuiltinFunctionCall,
+
+  // #################### Trivial Node Identification
+  isFunctionDefinition: isFunctionDefinition,
+  isModifierDefinition: isModifierDefinition,
+  isInheritanceSpecifier: isInheritanceSpecifier,
+  isModifierInvocation: isModifierInvocation,
+  isVariableDeclaration: isVariableDeclaration,
+  isStorageVariableDeclaration: isStorageVariableDeclaration,
+  isAssignment: isAssignment,
+  isContractDefinition: isContractDefinition,
+  isConstantFunction: isConstantFunction,
+  isInlineAssembly: isInlineAssembly,
+  isNewExpression: isNewExpression,
+
+  // #################### Constants
   nodeTypes: nodeTypes,
   basicTypes: basicTypes,
   basicFunctionTypes: basicFunctionTypes,
@@ -148,9 +787,11 @@ module.exports = {
   specialVariables: specialVariables,
   helpers: {
     nrOfChildren: nrOfChildren,
+    minNrOfChildren: minNrOfChildren,
     expressionType: expressionType,
     nodeType: nodeType,
     name: name,
+    operator: operator,
     buildFunctionSignature: buildFunctionSignature
   }
 }

src/app/staticanalysis/modules/thisLocal.js

@@ -1,5 +1,5 @@
-var name = 'this on local: '
-var desc = 'invocation of local functions via this'
+var name = 'this on local calls: '
+var desc = 'Invocation of local functions via this'
 var categories = require('./categories')
 var common = require('./staticAnalysisCommon')
 
@@ -12,7 +12,6 @@ thisLocal.prototype.visit = function (node) {
 }
 
 thisLocal.prototype.report = function (compilationResults) {
-  this.warningNowNodes = []
   return this.warningNodes.map(function (item, i) {
     return {
       warning: `Use of "this" for local functions: Never use this to call functions in the same contract, it only consumes more gas than normal local calls.`,

src/app/staticanalysis/modules/txOrigin.js

@@ -1,5 +1,5 @@
-var name = 'tx origin: '
-var desc = 'warn if tx.origin is used'
+var name = 'tx.origin: '
+var desc = 'Warn if tx.origin is used'
 var categories = require('./categories')
 
 function txOrigin () {
@@ -20,7 +20,7 @@ txOrigin.prototype.visit = function (node) {
 txOrigin.prototype.report = function () {
   return this.txOriginNodes.map(function (item, i) {
     return {
-      warning: `use of tx.origin: "tx.origin" is useful only in very exceptional cases.<br />
+      warning: `Use of tx.origin: "tx.origin" is useful only in very exceptional cases.<br />
                 If you use it for authentication, you usually want to replace it by "msg.sender", because otherwise any contract you call can act on your behalf.`,
       location: item.src
     }

src/app/staticanalysis/staticAnalysisRunner.js

@@ -12,6 +12,10 @@ staticAnalysisRunner.prototype.run = function (compilationResult, toRun, callbac
     return { 'name': m.name, 'mod': new m.Module() }
   })
 
+  this.runWithModuleList(compilationResult, modules, callback)
+}
+
+staticAnalysisRunner.prototype.runWithModuleList = function (compilationResult, modules, callback) {
   // Also provide convenience analysis via the AST walker.
   var walker = new AstWalker()
   for (var k in compilationResult.sources) {

test-browser/tests/staticanalysis.js

@@ -38,7 +38,7 @@ function runTests (browser) {
       .click('.staticanalysisView')
       .click('#staticanalysisView button')
       .waitForElementPresent('#staticanalysisresult .warning', 2000, true, function () {
-        dom.listSelectorContains(['Untitled.sol:2:33: use of tx.origin',
+        dom.listSelectorContains(['Untitled.sol:2:33: Use of tx.origin',
           'Fallback function of contract Untitled.sol:TooMuchGas requires too much gas'],
           '#staticanalysisresult .warning span',
           browser, function () {

test/index.js

@@ -5,3 +5,4 @@ require('./gist-handler-test')
 require('./query-params-test')
 require('./util-test')
 require('./staticanalysis/staticAnalysisCommon-test')
+require('./staticanalysis/staticAnalysisIntegration-test')

test/staticanalysis/staticAnalysisIntegration-test.js

@@ -0,0 +1,207 @@
+var test = require('tape')
+
+var StatRunner = require('../../src/app/staticanalysis/staticAnalysisRunner')
+// const util = require('util')
+
+var solc = require('solc/wrapper')
+var compiler = solc(require('../../soljson'))
+
+var fs = require('fs')
+var path = require('path')
+
+var testFiles = [
+  'KingOfTheEtherThrone.sol',
+  'assembly.sol',
+  'ballot.sol',
+  'ballot_reentrant.sol',
+  'ballot_withoutWarnings.sol',
+  'cross_contract.sol',
+  'inheritance.sol',
+  'modifier1.sol',
+  'modifier2.sol',
+  'notReentrant.sol',
+  'structReentrant.sol',
+  'thisLocal.sol',
+  'globals.sol',
+  'library.sol'
+]
+
+var testFileAsts = {}
+
+testFiles.forEach((fileName) => {
+  var contents = fs.readFileSync(path.join(__dirname, 'test-contracts', fileName), 'utf8')
+  testFileAsts[fileName] = compiler.compile(contents, 0)
+})
+
+test('Integration test thisLocal.js', function (t) {
+  t.plan(testFiles.length)
+
+  var module = require('../../src/app/staticanalysis/modules/thisLocal')
+
+  var lengthCheck = {
+    'KingOfTheEtherThrone.sol': 0,
+    'assembly.sol': 0,
+    'ballot.sol': 0,
+    'ballot_reentrant.sol': 1,
+    'ballot_withoutWarnings.sol': 0,
+    'cross_contract.sol': 0,
+    'inheritance.sol': 0,
+    'modifier1.sol': 0,
+    'modifier2.sol': 0,
+    'notReentrant.sol': 0,
+    'structReentrant.sol': 0,
+    'thisLocal.sol': 1,
+    'globals.sol': 0,
+    'library.sol': 0
+  }
+
+  runModuleOnFiles(module, t, (file, report) => {
+    t.equal(report.length, lengthCheck[file], `${file} has right amount of this local warnings`)
+  })
+})
+
+test('Integration test checksEffectsInteraction.js', function (t) {
+  t.plan(testFiles.length)
+
+  var module = require('../../src/app/staticanalysis/modules/checksEffectsInteraction')
+
+  var lengthCheck = {
+    'KingOfTheEtherThrone.sol': 1,
+    'assembly.sol': 1,
+    'ballot.sol': 0,
+    'ballot_reentrant.sol': 1,
+    'ballot_withoutWarnings.sol': 0,
+    'cross_contract.sol': 0,
+    'inheritance.sol': 1,
+    'modifier1.sol': 0,
+    'modifier2.sol': 0,
+    'notReentrant.sol': 0,
+    'structReentrant.sol': 1,
+    'thisLocal.sol': 0,
+    'globals.sol': 1,
+    'library.sol': 1
+  }
+
+  runModuleOnFiles(module, t, (file, report) => {
+    t.equal(report.length, lengthCheck[file], `${file} has right amount of checks-effects-interaction warnings`)
+  })
+})
+
+test('Integration test constantFunctions.js', function (t) {
+  t.plan(testFiles.length)
+
+  var module = require('../../src/app/staticanalysis/modules/constantFunctions')
+
+  var lengthCheck = {
+    'KingOfTheEtherThrone.sol': 0,
+    'assembly.sol': 0,
+    'ballot.sol': 0,
+    'ballot_reentrant.sol': 0,
+    'ballot_withoutWarnings.sol': 0,
+    'cross_contract.sol': 1,
+    'inheritance.sol': 0,
+    'modifier1.sol': 1,
+    'modifier2.sol': 0,
+    'notReentrant.sol': 0,
+    'structReentrant.sol': 0,
+    'thisLocal.sol': 1,
+    'globals.sol': 0,
+    'library.sol': 1
+  }
+
+  runModuleOnFiles(module, t, (file, report) => {
+    t.equal(report.length, lengthCheck[file], `${file} has right amount of constant warnings`)
+  })
+})
+
+test('Integration test inlineAssembly.js', function (t) {
+  t.plan(testFiles.length)
+
+  var module = require('../../src/app/staticanalysis/modules/inlineAssembly')
+
+  var lengthCheck = {
+    'KingOfTheEtherThrone.sol': 0,
+    'assembly.sol': 2,
+    'ballot.sol': 0,
+    'ballot_reentrant.sol': 0,
+    'ballot_withoutWarnings.sol': 0,
+    'cross_contract.sol': 0,
+    'inheritance.sol': 0,
+    'modifier1.sol': 0,
+    'modifier2.sol': 0,
+    'notReentrant.sol': 0,
+    'structReentrant.sol': 0,
+    'thisLocal.sol': 0,
+    'globals.sol': 0,
+    'library.sol': 0
+  }
+
+  runModuleOnFiles(module, t, (file, report) => {
+    t.equal(report.length, lengthCheck[file], `${file} has right amount of inline assembly warnings`)
+  })
+})
+
+test('Integration test txOrigin.js', function (t) {
+  t.plan(testFiles.length)
+
+  var module = require('../../src/app/staticanalysis/modules/txOrigin')
+
+  var lengthCheck = {
+    'KingOfTheEtherThrone.sol': 0,
+    'assembly.sol': 1,
+    'ballot.sol': 0,
+    'ballot_reentrant.sol': 0,
+    'ballot_withoutWarnings.sol': 0,
+    'cross_contract.sol': 0,
+    'inheritance.sol': 0,
+    'modifier1.sol': 0,
+    'modifier2.sol': 0,
+    'notReentrant.sol': 0,
+    'structReentrant.sol': 0,
+    'thisLocal.sol': 0,
+    'globals.sol': 1,
+    'library.sol': 0
+  }
+
+  runModuleOnFiles(module, t, (file, report) => {
+    t.equal(report.length, lengthCheck[file], `${file} has right amount of tx.origin warnings`)
+  })
+})
+
+test('Integration test gasCosts.js', function (t) {
+  t.plan(testFiles.length)
+
+  var module = require('../../src/app/staticanalysis/modules/gasCosts')
+
+  var lengthCheck = {
+    'KingOfTheEtherThrone.sol': 2,
+    'assembly.sol': 2,
+    'ballot.sol': 3,
+    'ballot_reentrant.sol': 2,
+    'ballot_withoutWarnings.sol': 0,
+    'cross_contract.sol': 1,
+    'inheritance.sol': 1,
+    'modifier1.sol': 0,
+    'modifier2.sol': 1,
+    'notReentrant.sol': 1,
+    'structReentrant.sol': 1,
+    'thisLocal.sol': 2,
+    'globals.sol': 1,
+    'library.sol': 1
+  }
+
+  runModuleOnFiles(module, t, (file, report) => {
+    t.equal(report.length, lengthCheck[file], `${file} has right amount of gasCost warnings`)
+  })
+})
+
+// #################### Helpers
+function runModuleOnFiles (module, t, cb) {
+  var statRunner = new StatRunner()
+
+  testFiles.forEach((fileName) => {
+    statRunner.runWithModuleList(testFileAsts[fileName], [{ name: module.name, mod: new module.Module() }], (reports) => {
+      cb(fileName, reports[0].report)
+    })
+  })
+}

test/staticanalysis/test-contracts/KingOfTheEtherThrone.sol

@@ -0,0 +1,23 @@
+// return value send
+contract KingOfTheEtherThrone{
+	struct Monarch {
+		// address of the king .
+		address ethAddr ;
+		string name ;
+		// how much he pays to previous king
+		uint claimPrice ;
+		uint coronationTimestamp;
+	}
+	Monarch public currentMonarch ;
+
+	function claimThrone ( string name ) {
+	    address wizardAddress;
+	    uint compensation = 100;
+	    uint valuePaid = 10;
+
+		if ( currentMonarch.ethAddr != wizardAddress )
+			if (currentMonarch.ethAddr.send( compensation )) throw;
+
+		currentMonarch = Monarch(msg.sender,name,valuePaid,block.timestamp);
+	}
+}

test/staticanalysis/test-contracts/assembly.sol

@@ -0,0 +1,29 @@
+ pragma solidity ^0.4.9;
+ contract test {
+     
+     address owner;
+     
+    function at(address _addr) returns (bytes o_code) {
+        assembly {
+            // retrieve the size of the code, this needs assembly
+            let size := extcodesize(_addr)
+            // allocate output byte array - this could also be done without assembly
+            // by using o_code = new bytes(size)
+            o_code := mload(0x40)
+            // new "memory end" including padding
+            mstore(0x40, add(o_code, and(add(add(size, 0x20), 0x1f), not(0x1f))))
+            // store length in memory
+            mstore(o_code, size)
+            // actually retrieve the code, this needs assembly
+            extcodecopy(_addr, add(o_code, 0x20), 0, size)
+        }
+    }
+     
+    function bla() {
+        if(tx.origin == owner)
+            msg.sender.send(19);
+        assembly {
+             
+        }
+    }
+ }

test/staticanalysis/test-contracts/ballot.sol

@@ -0,0 +1,145 @@
+pragma solidity ^0.4.0;
+
+/// @title Voting with delegation.
+contract Ballot {
+    // This declares a new complex type which will
+    // be used for variables later.
+    // It will represent a single voter.
+    struct Voter {
+        uint weight; // weight is accumulated by delegation
+        bool voted;  // if true, that person already voted
+        address delegate; // person delegated to
+        uint vote;   // index of the voted proposal
+    }
+
+    // This is a type for a single proposal.
+    struct Proposal
+    {
+        bytes32 name;   // short name (up to 32 bytes)
+        uint voteCount; // number of accumulated votes
+    }
+
+    address public chairperson;
+
+    // This declares a state variable that
+    // stores a `Voter` struct for each possible address.
+    mapping(address => Voter) public voters;
+
+    // A dynamically-sized array of `Proposal` structs.
+    Proposal[] public proposals;
+
+    /// Create a new ballot to choose one of `proposalNames`.
+    function Ballot(bytes32[] proposalNames) {
+        chairperson = msg.sender;
+        voters[chairperson].weight = 1;
+
+        // For each of the provided proposal names,
+        // create a new proposal object and add it
+        // to the end of the array.
+        for (uint i = 0; i < proposalNames.length; i++) {
+            // `Proposal({...})` creates a temporary
+            // Proposal object and `proposals.push(...)`
+            // appends it to the end of `proposals`.
+            proposals.push(Proposal({
+                name: proposalNames[i],
+                voteCount: 0
+            }));
+        }
+    }
+
+    // Give `voter` the right to vote on this ballot.
+    // May only be called by `chairperson`.
+    function giveRightToVote(address voter) {
+        if (msg.sender != chairperson || voters[voter].voted) {
+            // `throw` terminates and reverts all changes to
+            // the state and to Ether balances. It is often
+            // a good idea to use this if functions are
+            // called incorrectly. But watch out, this
+            // will also consume all provided gas.
+            throw;
+        }
+        voters[voter].weight = 1;
+    }
+
+    /// Delegate your vote to the voter `to`.
+    function delegate(address to) {
+        // assigns reference
+        Voter sender = voters[msg.sender];
+        if (sender.voted)
+            throw;
+
+        // Forward the delegation as long as
+        // `to` also delegated.
+        // In general, such loops are very dangerous,
+        // because if they run too long, they might
+        // need more gas than is available in a block.
+        // In this case, the delegation will not be executed,
+        // but in other situations, such loops might
+        // cause a contract to get "stuck" completely.
+        while (
+            voters[to].delegate != address(0) &&
+            voters[to].delegate != msg.sender
+        ) {
+            to = voters[to].delegate;
+        }
+
+        // We found a loop in the delegation, not allowed.
+        if (to == msg.sender) {
+            throw;
+        }
+
+        // Since `sender` is a reference, this
+        // modifies `voters[msg.sender].voted`
+        sender.voted = true;
+        sender.delegate = to;
+        Voter delegate = voters[to];
+        if (delegate.voted) {
+            // If the delegate already voted,
+            // directly add to the number of votes
+            proposals[delegate.vote].voteCount += sender.weight;
+        } else {
+            // If the delegate did not vote yet,
+            // add to her weight.
+            delegate.weight += sender.weight;
+        }
+    }
+
+    /// Give your vote (including votes delegated to you)
+    /// to proposal `proposals[proposal].name`.
+    function vote(uint proposal) {
+        Voter sender = voters[msg.sender];
+        if (sender.voted)
+            throw;
+        sender.voted = true;
+        sender.vote = proposal;
+
+        // If `proposal` is out of the range of the array,
+        // this will throw automatically and revert all
+        // changes.
+        proposals[proposal].voteCount += sender.weight;
+    }
+
+    /// @dev Computes the winning proposal taking all
+    /// previous votes into account.
+    function winningProposal() constant
+            returns (uint winningProposal)
+    {
+        uint winningVoteCount = 0;
+        for (uint p = 0; p < proposals.length; p++) {
+            if (proposals[p].voteCount > winningVoteCount) {
+                winningVoteCount = proposals[p].voteCount;
+                winningProposal = p;
+            }
+        }
+    }
+
+    // Calls winningProposal() function to get the index
+    // of the winner contained in the proposals array and then
+    // returns the name of the winner
+    function winnerName() constant
+            returns (bytes32 winnerName)
+    {
+        winnerName = proposals[winningProposal()].name;
+    }
+}
+

test/staticanalysis/test-contracts/ballot_reentrant.sol

@@ -0,0 +1,101 @@
+pragma solidity ^0.4.0;
+
+contract InfoFeed {
+    function info() payable returns (uint ret);
+    function call1(uint a) payable returns (bool);
+}
+
+
+contract Ballot {
+    
+    InfoFeed feed;
+
+    struct Voter {
+        uint weight;
+        bool voted;
+        uint8 vote;
+        address delegate;
+    }
+    struct Proposal {
+        uint voteCount;
+    }
+
+    address chairperson;
+    mapping(address => Voter) voters;
+    Proposal[] proposals;
+    
+    function send1(address a) {
+        giveRightToVote(a,a);
+    }
+    
+    /// Create a new ballot with $(_numProposals) different proposals.
+    function Ballot(uint8 _numProposals) {
+        address d;
+        if(!d.delegatecall.gas(800)('function_name', 'arg1', 'arg2')) throw;
+        if(!d.callcode.gas(800)('function_name', 'arg1', 'arg2')) throw;
+        if(!d.call.value(10).gas(800)('function_name', 'arg1', 'arg2')) throw;
+        if(!d.call.value(10).gas(800)('function_name', 'arg1', 'arg2')) throw;
+        
+        
+
+        if(!msg.sender.send(1 wei)) throw;
+        if(!d.call('function_name', 'arg1', 'arg2')) throw;
+        
+        
+        uint a = now;
+        uint c = block.timestamp;
+        if(block.timestamp < 100){}
+        chairperson = msg.sender;
+        voters[chairperson].weight = 1;
+        proposals.length = _numProposals;
+        if(!d.send(1 wei)) throw;
+        feed.info.value(10).gas(800)();
+        
+        feed.call1(1);
+        
+        this.send1(d);
+    }
+
+  
+    /// Give $(voter) the right to vote on this ballot.
+    /// May only be called by $(chairperson).
+    function giveRightToVote(address voter, address b) payable returns (bool){
+        if (msg.sender != chairperson || voters[voter].voted) return;
+        voters[voter].weight = 1;
+        return true;
+    }
+
+    /// Delegate your vote to the voter $(to).
+    function delegate(address to) {
+        Voter sender = voters[msg.sender]; // assigns reference
+        if (sender.voted) return;
+        while (voters[to].delegate != address(0) && voters[to].delegate != msg.sender)
+            to = voters[to].delegate;
+        if (to == msg.sender) return;
+        sender.voted = true;
+        sender.delegate = to;
+        Voter delegate = voters[to];
+        if (delegate.voted)
+            proposals[delegate.vote].voteCount += sender.weight;
+        else
+            delegate.weight += sender.weight;
+    }
+
+    /// Give a single vote to proposal $(proposal).
+    function vote(uint8 proposal) {
+        Voter sender = voters[msg.sender];
+        if (sender.voted || proposal >= proposals.length) return;
+        sender.voted = true;
+        sender.vote = proposal;
+        proposals[proposal].voteCount += sender.weight;
+    }
+
+    function winningProposal() constant returns (uint8 winningProposal) {
+        uint256 winningVoteCount = 0;
+        for (uint8 proposal = 0; proposal < proposals.length; proposal++)
+            if (proposals[proposal].voteCount > winningVoteCount) {
+                winningVoteCount = proposals[proposal].voteCount;
+                winningProposal = proposal;
+            }
+    }
+}

test/staticanalysis/test-contracts/ballot_withoutWarnings.sol

@@ -0,0 +1,31 @@
+pragma solidity ^0.4.0;
+
+/// @title Voting with delegation.
+contract Ballot {
+
+    struct Proposal
+    {
+        bytes32 name;   // short name (up to 32 bytes)
+        uint voteCount; // number of accumulated votes
+    }
+
+    // A dynamically-sized array of `Proposal` structs.
+    Proposal[] public proposals;
+
+    /// @dev Computes the winning proposal taking all
+    /// previous votes into account.
+    function winningProposal() constant
+            returns (uint winningProposal)
+    {
+        winningProposal = 0;
+    }
+
+    // Calls winningProposal() function to get the index
+    // of the winner contained in the proposals array and then
+    // returns the name of the winner
+    function winnerName() constant
+            returns (bytes32 winnerName)
+    {
+        winnerName = proposals[winningProposal()].name;
+    }
+}

test/staticanalysis/test-contracts/cross_contract.sol

@@ -0,0 +1,19 @@
+pragma solidity ^0.4.0;
+
+contract a {
+    
+    uint x;
+    
+    function foo() {
+        x++;
+    }
+}
+
+contract b {
+    a x;
+    function bar() constant {
+        address a;
+        a.send(100 wei);
+        x.foo();
+    }
+}

test/staticanalysis/test-contracts/globals.sol

@@ -0,0 +1,57 @@
+pragma solidity ^0.4.9;
+contract bla {
+    uint brr;
+    function duper() {
+        brr++;
+    }
+}
+
+contract a is bla {
+    
+    function blub() {
+        brr++;
+    }
+    
+    function r () {
+        address a;
+        bytes32 hash;
+        uint8 v;
+        bytes32 r;
+        bytes32 s;
+        
+        block.blockhash(1);
+        block.coinbase;
+        block.difficulty;
+        block.gaslimit;
+        block.number;
+        block.timestamp;
+        msg.data;
+        msg.gas;
+        msg.sender;
+        msg.value;
+        now;
+        tx.gasprice;
+        tx.origin;
+        //assert(now == block.timestamp);
+        //require(now == block.timestamp);
+        keccak256(a);
+        sha3(a);
+        sha256(a);
+        ripemd160(a);
+        ecrecover(hash, v, r, s);
+        addmod(1, 2, 2);
+        mulmod(4,4,12);
+        
+        a.balance;
+        blub();
+        a.send(a.balance);
+        
+        
+        
+        super.duper();
+        //a.transfer(a.balance);
+        selfdestruct(a);
+        //revert();
+    }
+    
+}

test/staticanalysis/test-contracts/inheritance.sol

@@ -0,0 +1,40 @@
+pragma solidity ^0.4.9;
+
+contract r {
+    function s() constant {}
+}
+
+contract a is r {
+    uint x = 1;
+    
+    function getX() constant returns (uint) {
+        return x;
+    }
+}
+
+contract b is a {
+    uint y = 2;
+    uint x = 3;
+    
+    
+    function getY(uint z, bool r) returns (uint) {
+        return y++;
+    }
+    
+    function getY(string storage n) internal constant returns (uint) { return 10; }
+    
+}
+
+contract c is b {
+    string x;
+    
+    function d() returns (uint a, uint b) {
+        //d();
+        //sha3("bla");
+        msg.sender.call.gas(200000).value(this.balance)(bytes4(sha3("pay()")));
+        //x++;
+        getY(x);
+        a = getX() + getY(1, false);
+        b = getX() + getY(x);
+    }
+}

test/staticanalysis/test-contracts/library.sol

@@ -0,0 +1,54 @@
+pragma solidity ^0.4.0;
+
+library Set {
+  // We define a new struct datatype that will be used to
+  // hold its data in the calling contract.
+  struct Data { mapping(uint => bool) flags; }
+
+  // Note that the first parameter is of type "storage
+  // reference" and thus only its storage address and not
+  // its contents is passed as part of the call.  This is a
+  // special feature of library functions.  It is idiomatic
+  // to call the first parameter 'self', if the function can
+  // be seen as a method of that object.
+  function insert(Data storage self, uint value)
+      returns (bool)
+  {
+      if (self.flags[value])
+          return false; // already there
+        self.flags[value] = true;
+
+      return true;
+  }
+
+  function remove(Data storage self, uint value)
+      returns (bool)
+  {
+      if (!self.flags[value])
+          return false; // not there
+      self.flags[value] = false;
+      return true;
+  }
+
+  function contains(Data storage self, uint value)
+      returns (bool)
+  {
+      return self.flags[value];
+  }
+}
+
+
+contract C {
+    Set.Data knownValues;
+
+    function register(uint value) {
+        // The library functions can be called without a
+        // specific instance of the library, since the
+        // "instance" will be the current contract.
+        address a;
+        a.send(10 wei);
+        if (!Set.insert(knownValues, value))
+            throw;
+    }
+    // In this contract, we can also directly access knownValues.flags, if we want.
+}

test/staticanalysis/test-contracts/modifier1.sol

@@ -0,0 +1,17 @@
+pragma solidity ^0.4.0;
+
+contract test {
+    
+    address owner;
+
+    modifier onlyOwner {
+        var a = 0;
+        if (msg.sender != owner)
+            throw;
+        _;
+    }
+
+    function b(address a) onlyOwner returns (bool) {
+
+    }
+}

test/staticanalysis/test-contracts/modifier2.sol

@@ -0,0 +1,28 @@
+pragma solidity ^0.4.0;
+
+contract owned {
+
+    uint r=0;
+
+    modifier ntimes(uint n) {
+       for(uint i=0;i<n-1;i++){
+           _;
+       }
+       _;
+    }
+    
+    modifier plus100 {
+        var bla=1;
+        r+=100;
+        _;
+    }
+    
+    function a() ntimes(10) plus100 payable returns (uint) { 
+        {
+            uint bla=5;
+        }
+        r += bla;
+        return r;
+    }
+}
+

test/staticanalysis/test-contracts/notReentrant.sol

@@ -0,0 +1,13 @@
+pragma solidity ^0.4.0;
+
+contract Fund {
+    /// Mapping of ether shares of the contract.
+    mapping(address => uint) shares;
+    /// Withdraw your share.
+    function withdraw() {
+        var share = shares[msg.sender];
+        shares[msg.sender] = 0;
+        if (!msg.sender.send(share))
+            throw;
+    }
+}

test/staticanalysis/test-contracts/reentrant.sol

@@ -0,0 +1,49 @@
+pragma solidity ^0.4.0;
+
+contract InfoFeed {
+    uint c;
+    function info() constant returns (uint ret) {return c;} 
+    function call1(uint a) constant returns (bool) {return true;}
+}
+
+// THIS CONTRACT CONTAINS A BUG - DO NOT USE
+contract Fund {
+    /// Mapping of ether shares of the contract.
+    //mapping(address => uint) shares;
+    /// Withdraw your share.
+    
+    uint c = 0;
+    function withdraw() constant {
+        InfoFeed f;
+        
+       
+        //shares[msg.sender] /= 1;
+        
+        f.info();
+       
+        //if (msg.sender.send(shares[msg.sender])) throw;
+        //    shares[msg.sender] = 0;
+            
+       
+       b(true, false);
+        //shares[msg.sender]++;
+        //c++;
+        
+    }
+    mapping(address => uint) shares;
+    
+    function b(bool a, bool b) returns (bool) {
+        mapping(address => uint) c = shares;
+        c[msg.sender] = 0;
+        //f();
+        //withdraw();
+        //shares[msg.sender]++;
+        //c++;
+        return true;
+    }
+    
+    function f() {
+        c++;
+        withdraw();
+    }
+}

test/staticanalysis/test-contracts/structReentrant.sol

@@ -0,0 +1,36 @@
+pragma solidity ^0.4.9;
+
+contract Ballot {
+    
+    struct Voter {
+        uint weight;
+        bool voted;
+        uint8 vote;
+        address delegate;
+        baz foo;
+    }
+    
+    struct baz{
+        uint bar;
+    }
+
+    mapping(address => Voter) voters;
+    
+    /// Create a new ballot with $(_numProposals) different proposals.
+    function bla(address a) {
+        Voter x = voters[a];
+        
+        if (!a.send(10))
+            throw;
+            
+        //voters[a] = Voter(10,true,1,a);
+        //x.foo.bar *= 100;
+        bli(x);
+    }
+    
+    //function bla(){}
+    
+    function bli(Voter storage x) private {
+        x.foo.bar++;
+    }
+}

test/staticanalysis/test-contracts/thisLocal.sol

@@ -0,0 +1,16 @@
+pragma solidity ^0.4.0;
+
+contract test {
+    
+    function (){
+        address x;
+        this.b(x);
+        x.call('something');
+        x.send(1 wei);
+        
+    }
+    
+    function b(address a) returns (bool) {
+
+    }
+}