mirror
/
remix-project
mirror of https://github.com/ethereum/remix-project.git
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #508 from soad003/staticanalysis

Browse Source 
Static Analysis: Assembly, Checks Effetct Interaction, Constant Functions without modifiers.
pull/1/head
chriseth 8 years ago committed by GitHub
parent fc3e131423 7ef1afc331
commit a6f3391610
33 changed files with 3828 additions and 49 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      .travis.yml
  2. 4
      README.md
  3. 152
      src/app/staticanalysis/modules/abstractAstView.js
  4. 3
      src/app/staticanalysis/modules/categories.js
  5. 88
      src/app/staticanalysis/modules/checksEffectsInteraction.js
  6. 94
      src/app/staticanalysis/modules/constantFunctions.js
  7. 114
      src/app/staticanalysis/modules/functionCallGraph.js
  8. 4
      src/app/staticanalysis/modules/gasCosts.js
  9. 29
      src/app/staticanalysis/modules/inlineAssembly.js
  10. 9
      src/app/staticanalysis/modules/list.js
  11. 687
      src/app/staticanalysis/modules/staticAnalysisCommon.js
  12. 5
      src/app/staticanalysis/modules/thisLocal.js
  13. 6
      src/app/staticanalysis/modules/txOrigin.js
  14. 4
      src/app/staticanalysis/staticAnalysisRunner.js
  15. 2
      test-browser/tests/staticanalysis.js
  16. 1
      test/index.js
  17. 1808
      test/staticanalysis/staticAnalysisCommon-test.js
  18. 207
      test/staticanalysis/staticAnalysisIntegration-test.js
  19. 23
      test/staticanalysis/test-contracts/KingOfTheEtherThrone.sol
  20. 29
      test/staticanalysis/test-contracts/assembly.sol
  21. 145
      test/staticanalysis/test-contracts/ballot.sol
  22. 101
      test/staticanalysis/test-contracts/ballot_reentrant.sol
  23. 31
      test/staticanalysis/test-contracts/ballot_withoutWarnings.sol
  24. 19
      test/staticanalysis/test-contracts/cross_contract.sol
  25. 57
      test/staticanalysis/test-contracts/globals.sol
  26. 40
      test/staticanalysis/test-contracts/inheritance.sol
  27. 54
      test/staticanalysis/test-contracts/library.sol
  28. 17
      test/staticanalysis/test-contracts/modifier1.sol
  29. 28
      test/staticanalysis/test-contracts/modifier2.sol
  30. 13
      test/staticanalysis/test-contracts/notReentrant.sol
  31. 49
      test/staticanalysis/test-contracts/reentrant.sol
  32. 36
      test/staticanalysis/test-contracts/structReentrant.sol
  33. 16
      test/staticanalysis/test-contracts/thisLocal.sol

2
.travis.yml
Unescape View File

@ -1,6 +1,6 @@
language: node_js language: node_js
node_js: node_js:
- stable - "7"
script: script:
- npm run lint && npm run test && npm run downloadsolc && npm run make-mock-compiler && npm run build - npm run lint && npm run test && npm run downloadsolc && npm run make-mock-compiler && npm run build
- ./ci/browser_tests.sh - ./ci/browser_tests.sh

4
README.md
Unescape View File

@ -53,6 +53,8 @@ Run the unit tests via: `npm test`
For local headless browser tests run `npm run test-browser` For local headless browser tests run `npm run test-browser`
(Requires selenium to be installed - can be done with `npm run selenium-install`) (Requires selenium to be installed - can be done with `npm run selenium-install`)
Running unit tests via `npm test` requires at least node v7.0.0
## Browser Testing ## Browser Testing
To run the Selenium tests via Nightwatch serve the app through a local web server: To run the Selenium tests via Nightwatch serve the app through a local web server:
@ -62,7 +64,7 @@ To run the Selenium tests via Nightwatch serve the app through a local web serve
Then you will need to either: Then you will need to either:
1. Have a Selenium server running locally on port 4444. 1. Have a Selenium server running locally on port 4444.
- Run: `npm run browser-test` - Run: `npm run test-browser`
2. Or, install and run SauceConnect. 2. Or, install and run SauceConnect.
- Run: `sc -u <USERNAME> -k <ACCESS_KEY>` (see `.travis.yml` for values) - Run: `sc -u <USERNAME> -k <ACCESS_KEY>` (see `.travis.yml` for values)
- Run: `npm run browser-test-sc` - Run: `npm run browser-test-sc`

152
src/app/staticanalysis/modules/abstractAstView.js
Unescape View File

@ -0,0 +1,152 @@
var common = require('./staticAnalysisCommon')
var AstWalker = require('ethereum-remix').util.AstWalker
function abstractAstView () {
this.contracts = []
this.currentContractIndex = null
this.currentFunctionIndex = null
this.currentModifierIndex = null
this.isFunctionNotModifier = false
/*
file1: contract c{}
file2: import "file1" as x; contract c{}
therefore we have two contracts with the same name c. At the moment this is not handled because alias name "x" is not
available in the current AST implementation thus can not be resolved.
Additionally the fullQuallified function names e.g. [contractName].[functionName](param1Type, param2Type, ... ) must be prefixed to
fully support this and when inheritance is resolved it must include alias resolving e.g x.c = file1.c
*/
this.multipleContractsWithSameName = false
}
/**
* Builds a higher level AST view. I creates a list with each contract as an object in it.
* Example contractsOut:
*
* {
* "node": {}, // actual AST Node of the contract
* "functions": [
* {
* "node": {}, // actual AST Node of the function
* "relevantNodes": [], // AST nodes in the function that are relevant for the anlysis of this function
* "modifierInvocations": [], // Modifier invocation AST nodes that are applied on this function
* "localVariables": [], // Local variable declaration nodes
* "parameters": [] // Parameter types of the function in order of definition
* }
* ],
* "modifiers": [], // Modifiers definded by the contract, format similar to functions
* "inheritsFrom": [], // Names of contract this one inherits from in order of definition
* "stateVariables": [] // AST nodes of all State variables
* }
*
* @relevantNodeFilter {ASTNode -> bool} function that selects relevant ast nodes for analysis on function level.
* @contractsOut {list} return list for high level AST view
* @return {ASTNode -> void} returns a function that can be used as visit function for static analysis modules, to build up a higher level AST view for further analysis.
*/
abstractAstView.prototype.build_visit = function (relevantNodeFilter) {
var that = this
return function (node) {
if (common.isContractDefinition(node)) {
setCurrentContract(that, {
node: node,
functions: [],
modifiers: [],
inheritsFrom: [],
stateVariables: common.getStateVariableDeclarationsFormContractNode(node)
})
} else if (common.isInheritanceSpecifier(node)) {
var currentContract = getCurrentContract(that)
var inheritsFromName = common.getInheritsFromName(node)
currentContract.inheritsFrom.push(inheritsFromName)
} else if (common.isFunctionDefinition(node)) {
setCurrentFunction(that, {
node: node,
relevantNodes: [],
modifierInvocations: [],
localVariables: getLocalVariables(node),
parameters: getLocalParameters(node)
})
} else if (common.isModifierDefinition(node)) {
setCurrentModifier(that, {
node: node,
relevantNodes: [],
localVariables: getLocalVariables(node),
parameters: getLocalParameters(node)
})
} else if (common.isModifierInvocation(node)) {
if (!that.isFunctionNotModifier) throw new Error('abstractAstView.js: Found modifier invocation outside of function scope.')
getCurrentFunction(that).modifierInvocations.push(node)
} else if (relevantNodeFilter(node)) {
((that.isFunctionNotModifier) ? getCurrentFunction(that) : getCurrentModifier(that)).relevantNodes.push(node)
}
}
}
abstractAstView.prototype.build_report = function (wrap) {
var that = this
return function (compilationResult) {
resolveStateVariablesInHierarchy(that.contracts)
return wrap(that.contracts, that.multipleContractsWithSameName)
}
}
function resolveStateVariablesInHierarchy (contracts) {
contracts.map((c) => {
resolveStateVariablesInHierarchyForContract(c, contracts)
})
}
function resolveStateVariablesInHierarchyForContract (currentContract, contracts) {
currentContract.inheritsFrom.map((inheritsFromName) => {
// add variables from inherited contracts
var inheritsFrom = contracts.find((contract) => common.getContractName(contract.node) === inheritsFromName)
if (inheritsFrom) {
currentContract.stateVariables = currentContract.stateVariables.concat(inheritsFrom.stateVariables)
} else {
console.log('abstractAstView.js: could not find contract defintion inherited from ' + inheritsFromName)
}
})
}
function setCurrentContract (that, contract) {
var name = common.getContractName(contract.node)
if (that.contracts.map((c) => common.getContractName(c.node)).filter((n) => n === name).length > 0) {
console.log('abstractAstView.js: two or more contracts with the same name dectected, import aliases not supported at the moment')
that.multipleContractsWithSameName = true
}
that.currentContractIndex = (that.contracts.push(contract) - 1)
}
function setCurrentFunction (that, func) {
that.isFunctionNotModifier = true
that.currentFunctionIndex = (getCurrentContract(that).functions.push(func) - 1)
}
function setCurrentModifier (that, modi) {
that.isFunctionNotModifier = false
that.currentModifierIndex = (getCurrentContract(that).modifiers.push(modi) - 1)
}
function getCurrentContract (that) {
return that.contracts[that.currentContractIndex]
}
function getCurrentFunction (that) {
return getCurrentContract(that).functions[that.currentFunctionIndex]
}
function getCurrentModifier (that) {
return getCurrentContract(that).modifiers[that.currentModifierIndex]
}
function getLocalParameters (funcNode) {
return getLocalVariables(common.getFunctionOrModifierDefinitionParameterPart(funcNode)).map(common.getType)
}
function getLocalVariables (funcNode) {
var locals = []
new AstWalker().walk(funcNode, {'*': function (node) {
if (common.isVariableDeclaration(node)) locals.push(node)
return true
}})
return locals
}
module.exports = abstractAstView

3
src/app/staticanalysis/modules/categories.js
Unescape View File

@ -1,4 +1,5 @@
module.exports = { module.exports = {
SECURITY: {displayName: 'Security', id: 'SEC'}, SECURITY: {displayName: 'Security', id: 'SEC'},
GAS: {displayName: 'Gas & Economy', id: 'GAS'} GAS: {displayName: 'Gas & Economy', id: 'GAS'},
MISC: {displayName: 'Miscellaneous', id: 'MISC'}
} }

88
src/app/staticanalysis/modules/checksEffectsInteraction.js
Unescape View File

@ -0,0 +1,88 @@
var name = 'Checks-Effects-Interaction pattern'
var desc = 'Avoid potential reentrancy bugs'
var categories = require('./categories')
var common = require('./staticAnalysisCommon')
var fcallGraph = require('./functionCallGraph')
var AbstractAst = require('./abstractAstView')
function checksEffectsInteraction () {
this.abstractAst = new AbstractAst()
this.visit = this.abstractAst.build_visit(
(node) => common.isInteraction(node) || common.isEffect(node) || common.isLocalCallGraphRelevantNode(node)
)
this.report = this.abstractAst.build_report(report)
}
checksEffectsInteraction.prototype.visit = function () { throw new Error('checksEffectsInteraction.js no visit function set upon construction') }
checksEffectsInteraction.prototype.report = function () { throw new Error('checksEffectsInteraction.js no report function set upon construction') }
function report (contracts, multipleContractsWithSameName) {
var warnings = []
var hasModifiers = contracts.some((item) => item.modifiers.length > 0)
var callGraph = fcallGraph.buildGlobalFuncCallGraph(contracts)
contracts.forEach((contract) => {
contract.functions.forEach((func) => {
func.changesState = checkIfChangesState(common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters),
getContext(callGraph, contract, func))
})
contract.functions.forEach((func) => {
if (isPotentialVulnerableFunction(func, getContext(callGraph, contract, func))) {
var funcName = common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters)
var comments = (hasModifiers) ? '<br/><i>Note:</i> Modifiers are currently not considered by this static analysis.' : ''
comments += (multipleContractsWithSameName) ? '<br/><i>Note:</i> Import aliases are currently not supported by this static analysis.' : ''
warnings.push({
warning: `Potential Violation of Checks-Effects-Interaction pattern in <i>${funcName}</i>: Could potentially lead to re-entrancy vulnerability. ${comments}`,
location: func.src,
more: 'http://solidity.readthedocs.io/en/develop/security-considerations.html#re-entrancy'
})
}
})
})
return warnings
}
function getContext (callGraph, currentContract, func) {
return { callGraph: callGraph, currentContract: currentContract, stateVariables: getStateVariables(currentContract, func) }
}
function getStateVariables (contract, func) {
return contract.stateVariables.concat(func.localVariables.filter(common.isStorageVariableDeclaration))
}
function isPotentialVulnerableFunction (func, context) {
var isPotentialVulnerable = false
var interaction = false
func.relevantNodes.forEach((node) => {
if (common.isInteraction(node)) {
interaction = true
} else if (interaction && (common.isWriteOnStateVariable(node, context.stateVariables) || isLocalCallWithStateChange(node, context))) {
isPotentialVulnerable = true
}
})
return isPotentialVulnerable
}
function isLocalCallWithStateChange (node, context) {
if (common.isLocalCallGraphRelevantNode(node)) {
var func = fcallGraph.resolveCallGraphSymbol(context.callGraph, common.getFullQualifiedFunctionCallIdent(context.currentContract.node, node))
return !func || (func && func.node.changesState)
}
return false
}
function checkIfChangesState (startFuncName, context) {
return fcallGraph.analyseCallGraph(context.callGraph, startFuncName, context, (node, context) => common.isWriteOnStateVariable(node, context.stateVariables))
}
module.exports = {
name: name,
description: desc,
category: categories.SECURITY,
Module: checksEffectsInteraction
}

94
src/app/staticanalysis/modules/constantFunctions.js
Unescape View File

@ -0,0 +1,94 @@
var name = 'Constant functions'
var desc = 'Check for potentially constant functions'
var categories = require('./categories')
var common = require('./staticAnalysisCommon')
var fcallGraph = require('./functionCallGraph')
var AbstractAst = require('./abstractAstView')
function constantFunctions () {
this.abstractAst = new AbstractAst()
this.visit = this.abstractAst.build_visit(
(node) => common.isLowLevelCall(node) || common.isTransfer(node) || common.isExternalDirectCall(node) || common.isEffect(node) || common.isLocalCallGraphRelevantNode(node) || common.isInlineAssembly(node) || common.isNewExpression(node)
)
this.report = this.abstractAst.build_report(report)
}
constantFunctions.prototype.visit = function () { throw new Error('constantFunctions.js no visit function set upon construction') }
constantFunctions.prototype.report = function () { throw new Error('constantFunctions.js no report function set upon construction') }
function report (contracts, multipleContractsWithSameName) {
var warnings = []
var hasModifiers = contracts.some((item) => item.modifiers.length > 0)
var callGraph = fcallGraph.buildGlobalFuncCallGraph(contracts)
contracts.forEach((contract) => {
contract.functions.forEach((func) => {
func.potentiallyshouldBeConst = checkIfShouldBeConstant(common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters),
getContext(callGraph, contract, func))
})
contract.functions.filter((func) => common.hasFunctionBody(func.node)).forEach((func) => {
if (common.isConstantFunction(func.node) !== func.potentiallyshouldBeConst) {
var funcName = common.getFullQuallyfiedFuncDefinitionIdent(contract.node, func.node, func.parameters)
var comments = (hasModifiers) ? '<br/><i>Note:</i> Modifiers are currently not considered by this static analysis.' : ''
comments += (multipleContractsWithSameName) ? '<br/><i>Note:</i> Import aliases are currently not supported by this static analysis.' : ''
if (func.potentiallyshouldBeConst) {
warnings.push({
warning: `<i>${funcName}</i>: Potentially should be constant but is not. ${comments}`,
location: func.src,
more: 'http://solidity.readthedocs.io/en/develop/contracts.html#constant-functions'
})
} else {
warnings.push({
warning: `<i>${funcName}</i>: Is constant but potentially should not be. ${comments}`,
location: func.src,
more: 'http://solidity.readthedocs.io/en/develop/contracts.html#constant-functions'
})
}
}
})
})
return warnings
}
function getContext (callGraph, currentContract, func) {
return { callGraph: callGraph, currentContract: currentContract, stateVariables: getStateVariables(currentContract, func) }
}
function getStateVariables (contract, func) {
return contract.stateVariables.concat(func.localVariables.filter(common.isStorageVariableDeclaration))
}
function checkIfShouldBeConstant (startFuncName, context) {
return !fcallGraph.analyseCallGraph(context.callGraph, startFuncName, context, isConstBreaker)
}
function isConstBreaker (node, context) {
return common.isWriteOnStateVariable(node, context.stateVariables) ||
common.isLowLevelCall(node) ||
common.isTransfer(node) ||
isCallOnNonConstExternalInterfaceFunction(node, context) ||
common.isCallToNonConstLocalFunction(node) ||
common.isInlineAssembly(node) ||
common.isNewExpression(node)
}
function isCallOnNonConstExternalInterfaceFunction (node, context) {
if (common.isExternalDirectCall(node)) {
var func = fcallGraph.resolveCallGraphSymbol(context.callGraph, common.getFullQualifiedFunctionCallIdent(context.currentContract, node))
return !func || (func && !common.isConstantFunction(func.node.node))
}
return false
}
module.exports = {
name: name,
description: desc,
category: categories.MISC,
Module: constantFunctions
}

114
src/app/staticanalysis/modules/functionCallGraph.js
Unescape View File

@ -0,0 +1,114 @@
'use strict'
var common = require('./staticAnalysisCommon')
function buildLocalFuncCallGraphInternal (functions, nodeFilter, extractNodeIdent, extractFuncDefIdent) {
var callGraph = {}
functions.forEach((func) => {
var calls = func.relevantNodes
.filter(nodeFilter)
.map(extractNodeIdent)
.filter((name) => name !== extractFuncDefIdent(func)) // filter self recursive call
callGraph[extractFuncDefIdent(func)] = { node: func, calls: calls }
})
return callGraph
}
/**
* Builds a function call graph for the current contracts.
* Example Contract call graph:
*
* {
* "KingOfTheEtherThrone": {
* "contracts": {...}, // Contract node as defined in abstractAstView.js
* "functions": {
* "KingOfTheEtherThrone.claimThrone(string memory)": { // function in KingOfEtherThrone
* "node": {...}, // function node as defined in abstractAstView.js
* "calls": { // list of full qualified function names which are called form this function
* }
* }
* }
* },
* "foo": {
* "contract": {...}, // Contract node as definded in abstractAstView.js
* "functions": {} // map from full qualified function name to func node
* }
* }
*
* @contracts {list contracts} Expects as input the contract structure defined in abstractAstView.js
* @return {map (string -> Contract Call Graph)} returns map from contract name to contract call graph
*/
function buildGlobalFuncCallGraph (contracts) {
var callGraph = {}
contracts.forEach((contract) => {
var filterNodes = (node) => { return common.isLocalCallGraphRelevantNode(node) || common.isExternalDirectCall(node) }
var getNodeIdent = (node) => { return common.getFullQualifiedFunctionCallIdent(contract.node, node) }
var getFunDefIdent = (funcDef) => { return common.getFullQuallyfiedFuncDefinitionIdent(contract.node, funcDef.node, funcDef.parameters) }
callGraph[common.getContractName(contract.node)] = { contract: contract, functions: buildLocalFuncCallGraphInternal(contract.functions, filterNodes, getNodeIdent, getFunDefIdent) }
})
return callGraph
}
/**
* Walks through the call graph from a defined starting function, true if nodeCheck holds for every relevant node in the callgraph
* @callGraph {callGraph} As returned by buildGlobalFuncCallGraph
* @funcName {string} full qualified name of the starting function
* @context {Object} provides additional context information that can be used by the nodeCheck function
* @nodeCheck {(ASTNode, context) -> bool} applied on every relevant node in the call graph
* @return {bool} returns map from contract name to contract call graph
*/
function analyseCallGraph (callGraph, funcName, context, nodeCheck) {
return analyseCallGraphInternal(callGraph, funcName, context, (a, b) => a || b, nodeCheck, {})
}
function analyseCallGraphInternal (callGraph, funcName, context, combinator, nodeCheck, visited) {
var current = resolveCallGraphSymbol(callGraph, funcName)
if (current === undefined || visited[funcName] === true) return true
visited[funcName] = true
return combinator(current.node.relevantNodes.reduce((acc, val) => combinator(acc, nodeCheck(val, context)), false),
current.calls.reduce((acc, val) => combinator(acc, analyseCallGraphInternal(callGraph, val, context, combinator, nodeCheck, visited)), false))
}
function resolveCallGraphSymbol (callGraph, funcName) {
return resolveCallGraphSymbolInternal(callGraph, funcName, false)
}
function resolveCallGraphSymbolInternal (callGraph, funcName, silent) {
var current
if (funcName.includes('.')) {
var parts = funcName.split('.')
var contractPart = parts[0]
var functionPart = parts[1]
var currentContract = callGraph[contractPart]
if (!(currentContract === undefined)) {
current = currentContract.functions[funcName]
// resolve inheritance hierarchy
if (current === undefined) {
// resolve inheritance lookup in linearized fashion
var inheritsFromNames = currentContract.contract.inheritsFrom.reverse()
for (var i = 0; i < inheritsFromNames.length; i++) {
var res = resolveCallGraphSymbolInternal(callGraph, inheritsFromNames[i] + '.' + functionPart, true)
if (!(res === undefined)) return res
}
}
} else {
if (!silent) console.log(`static analysis functionCallGraph.js: Contract ${contractPart} not found in function call graph.`)
}
} else {
throw new Error('functionCallGraph.js: function does not have full qualified name.')
}
if (current === undefined && !silent) console.log(`static analysis functionCallGraph.js: ${funcName} not found in function call graph.`)
return current
}
module.exports = {
analyseCallGraph: analyseCallGraph,
buildGlobalFuncCallGraph: buildGlobalFuncCallGraph,
resolveCallGraphSymbol: resolveCallGraphSymbol
}

4
src/app/staticanalysis/modules/gasCosts.js
Unescape View File

@ -1,5 +1,5 @@
var name = 'gas costs: ' var name = 'Gas Costs: '
var desc = 'warn if the gas requiremets of functions are too high' var desc = 'Warn if the gas requiremets of functions are too high.'
var categories = require('./categories') var categories = require('./categories')
function gasCosts () { function gasCosts () {

29
src/app/staticanalysis/modules/inlineAssembly.js
Unescape View File

@ -0,0 +1,29 @@
var name = 'Inline Assembly'
var desc = 'Use of Inline Assembly'
var categories = require('./categories')
var common = require('./staticAnalysisCommon')
function inlineAssembly () {
this.inlineAssNodes = []
}
inlineAssembly.prototype.visit = function (node) {
if (common.isInlineAssembly(node)) this.inlineAssNodes.push(node)
}
inlineAssembly.prototype.report = function (compilationResults) {
return this.inlineAssNodes.map((node) => {
return {
warning: `CAUTION: The Contract uses inline assembly, this is only advised in rare cases. Additionally static analysis modules do not parse inline Assembly, this can lead to wrong analysis results.`,
location: node.src,
more: 'http://solidity.readthedocs.io/en/develop/assembly.html#solidity-assembly'
}
})
}
module.exports = {
name: name,
description: desc,
category: categories.SECURITY,
Module: inlineAssembly
}

9
src/app/staticanalysis/modules/list.js
Unescape View File

@ -1,5 +1,12 @@
module.exports = [ module.exports = [
require('./txOrigin'), require('./txOrigin'),
require('./gasCosts'), require('./gasCosts'),
require('./thisLocal') require('./thisLocal'),
require('./checksEffectsInteraction'),
require('./constantFunctions')
// require('./similarVariableNames.js'),
// require('./inlineAssembly'),
// require('./blockTimestamp'),
// require('./lowLevelCalls'),
// require('./blockBlockhash')
] ]

687
src/app/staticanalysis/modules/staticAnalysisCommon.js
Unescape View File

@ -5,7 +5,20 @@ var utils = require('../../utils')
var nodeTypes = { var nodeTypes = {
IDENTIFIER: 'Identifier', IDENTIFIER: 'Identifier',
MEMBERACCESS: 'MemberAccess', MEMBERACCESS: 'MemberAccess',
FUNCTIONCALL: 'FunctionCall' FUNCTIONCALL: 'FunctionCall',
FUNCTIONDEFINITION: 'FunctionDefinition',
VARIABLEDECLARATION: 'VariableDeclaration',
ASSIGNMENT: 'Assignment',
CONTRACTDEFINITION: 'ContractDefinition',
UNARYOPERATION: 'UnaryOperation',
EXPRESSIONSTATEMENT: 'ExpressionStatement',
MODIFIERDEFINITION: 'ModifierDefinition',
MODIFIERINVOCATION: 'ModifierInvocation',
INHERITANCESPECIFIER: 'InheritanceSpecifier',
USERDEFINEDTYPENAME: 'UserDefinedTypeName',
INLINEASSEMBLY: 'InlineAssembly',
BLOCK: 'Block',
NEWEXPRESSION: 'NewExpression'
} }
var basicTypes = { var basicTypes = {
@ -17,20 +30,41 @@ var basicTypes = {
var basicRegex = { var basicRegex = {
CONTRACTTYPE: '^contract ', CONTRACTTYPE: '^contract ',
FUNCTIONTYPE: '^function \\(' FUNCTIONTYPE: '^function \\(',
EXTERNALFUNCTIONTYPE: '^function \\(.*\\).* external',
CONSTANTFUNCTIONTYPE: '^function \\(.*\\).* constant',
REFTYPE: '( storage )|(mapping\\()|(\\[\\])',
FUNCTIONSIGNATURE: '^function \\(([^\\(]*)\\)',
LIBRARYTYPE: '^type\\(library (.*)\\)'
} }
var basicFunctionTypes = { var basicFunctionTypes = {
SEND: buildFunctionSignature([basicTypes.UINT], [basicTypes.BOOL], false), SEND: buildFunctionSignature([basicTypes.UINT], [basicTypes.BOOL], false),
CALL: buildFunctionSignature([], [basicTypes.BOOL], true), CALL: buildFunctionSignature([], [basicTypes.BOOL], true),
DELEGATECALL: buildFunctionSignature([], [basicTypes.BOOL], false) DELEGATECALL: buildFunctionSignature([], [basicTypes.BOOL], false),
TRANSFER: buildFunctionSignature([basicTypes.UINT], [], false)
}
var builtinFunctions = {
'keccak256()': true,
'sha3()': true,
'sha256()': true,
'ripemd160()': true,
'ecrecover(bytes32,uint8,bytes32,bytes32)': true,
'addmod(uint256,uint256,uint256)': true,
'mulmod(uint256,uint256,uint256)': true,
'selfdestruct(address)': true,
'revert()': true,
'assert(bool)': true,
'require(bool)': true
} }
var lowLevelCallTypes = { var lowLevelCallTypes = {
CALL: { ident: 'call', type: basicFunctionTypes.CALL }, CALL: { ident: 'call', type: basicFunctionTypes.CALL },
CALLCODE: { ident: 'callcode', type: basicFunctionTypes.CALL }, CALLCODE: { ident: 'callcode', type: basicFunctionTypes.CALL },
DELEGATECALL: { ident: 'delegatecall', type: basicFunctionTypes.DELEGATECALL }, DELEGATECALL: { ident: 'delegatecall', type: basicFunctionTypes.DELEGATECALL },
SEND: { ident: 'send', type: basicFunctionTypes.SEND } SEND: { ident: 'send', type: basicFunctionTypes.SEND },
TRANSFER: { ident: 'transfer', type: basicFunctionTypes.TRANSFER }
} }
var specialVariables = { var specialVariables = {
@ -42,26 +76,503 @@ var specialVariables = {
} }
} }
// usage of now special variable // #################### Trivial Getters
function getType (node) {
return node.attributes.type
}
// #################### Complex Getters
/**
* Returns the type parameter of function call AST nodes. Throws if not a function call node
* @func {ASTNode} Function call node
* @return {string} type of function call
*/
function getFunctionCallType (func) {
if (!(isExternalDirectCall(func) || isThisLocalCall(func) || isSuperLocalCall(func) || isLocalCall(func) || isLibraryCall(func))) throw new Error('staticAnalysisCommon.js: not function call Node')
if (isExternalDirectCall(func) || isThisLocalCall(func) || isSuperLocalCall(func) || isLibraryCall(func)) return func.attributes.type
return findFirstSubNodeLTR(func, exactMatch(nodeTypes.IDENTIFIER)).attributes.type
}
/**
* Get the variable name written to by a effect node, except for inline assembly because there is no information to find out where we write to. Trows if not a effect node or is inlineassmbly.
* Example: x = 10; => x
* @effectNode {ASTNode} Function call node
* @return {string} variable name written to
*/
function getEffectedVariableName (effectNode) {
if (!isEffect(effectNode) || isInlineAssembly(effectNode)) throw new Error('staticAnalysisCommon.js: not an effect Node or inline assembly')
return findFirstSubNodeLTR(effectNode, exactMatch(nodeTypes.IDENTIFIER)).attributes.value
}
/**
* Returns the identifier of a local call, Throws on wrong node.
* Example: f(103) => f
* @localCallNode {ASTNode} Function call node
* @return {string} name of the function called
*/
function getLocalCallName (localCallNode) {
if (!isLocalCall(localCallNode)) throw new Error('staticAnalysisCommon.js: not an local call Node')
return localCallNode.children[0].attributes.value
}
/**
* Returns the identifier of a this local call, Throws on wrong node.
* Example: this.f(103) => f
* @localCallNode {ASTNode} Function call node
* @return {string} name of the function called
*/
function getThisLocalCallName (localCallNode) {
if (!isThisLocalCall(localCallNode)) throw new Error('staticAnalysisCommon.js: not an this local call Node')
return localCallNode.attributes.value
}
/**
* Returns the identifier of a super local call, Throws on wrong node.
* Example: super.f(103) => f
* @localCallNode {ASTNode} Function call node
* @return {string} name of the function called
*/
function getSuperLocalCallName (localCallNode) {
if (!isSuperLocalCall(localCallNode)) throw new Error('staticAnalysisCommon.js: not an super local call Node')
return localCallNode.attributes.member_name
}
/**
* Returns the contract type of a external direct call, Throws on wrong node.
* Example:
* foo x = foo(0xdeadbeef...);
* x.f(103) => foo
* @extDirectCall {ASTNode} Function call node
* @return {string} name of the contract the function is defined in
*/
function getExternalDirectCallContractName (extDirectCall) {
if (!isExternalDirectCall(extDirectCall)) throw new Error('staticAnalysisCommon.js: not an external direct call Node')
return extDirectCall.children[0].attributes.type.replace(new RegExp(basicRegex.CONTRACTTYPE), '')
}
/**
* Returns the name of the contract of a this local call (current contract), Throws on wrong node.
* Example:
* Contract foo {
* ...
* this.f(103) => foo
* ...
* @thisLocalCall {ASTNode} Function call node
* @return {string} name of the contract the function is defined in
*/
function getThisLocalCallContractName (thisLocalCall) {
if (!isThisLocalCall(thisLocalCall)) throw new Error('staticAnalysisCommon.js: not an this local call Node')
return thisLocalCall.children[0].attributes.type.replace(new RegExp(basicRegex.CONTRACTTYPE), '')
}
/**
* Returns the function identifier of a external direct call, Throws on wrong node.
* Example:
* foo x = foo(0xdeadbeef...);
* x.f(103) => f
* @extDirectCall {ASTNode} Function call node
* @return {string} name of the function called
*/
function getExternalDirectCallMemberName (extDirectCall) {
if (!isExternalDirectCall(extDirectCall)) throw new Error('staticAnalysisCommon.js: not an external direct call Node')
return extDirectCall.attributes.member_name
}
/**
* Returns the name of a contract, Throws on wrong node.
* Example:
* Contract foo { => foo
* @contract {ASTNode} Contract Definition node
* @return {string} name of a contract defined
*/
function getContractName (contract) {
if (!isContractDefinition(contract)) throw new Error('staticAnalysisCommon.js: not an contractDefinition Node')
return contract.attributes.name
}
/**
* Returns the name of a function definition, Throws on wrong node.
* Example:
* func foo(uint bla) { => foo
* @funcDef {ASTNode} Function Definition node
* @return {string} name of a function defined
*/
function getFunctionDefinitionName (funcDef) {
if (!isFunctionDefinition(funcDef)) throw new Error('staticAnalysisCommon.js: not an functionDefinition Node')
return funcDef.attributes.name
}
/**
* Returns the identifier of an inheritance specifier, Throws on wrong node.
* Example:
* contract KingOfTheEtherThrone is b { => b
* @func {ASTNode} Inheritance specifier
* @return {string} name of contract inherited from
*/
function getInheritsFromName (inheritsNode) {
if (!isInheritanceSpecifier(inheritsNode)) throw new Error('staticAnalysisCommon.js: not an InheritanceSpecifier node Node')
return inheritsNode.children[0].attributes.name
}
/**
* Returns the identifier of a variable definition, Throws on wrong node.
* Example:
* var x = 10; => x
* @varDeclNode {ASTNode} Variable declaration node
* @return {string} variable name
*/
function getDeclaredVariableName (varDeclNode) {
if (!isVariableDeclaration(varDeclNode)) throw new Error('staticAnalysisCommon.js: not an variable declaration')
return varDeclNode.attributes.name
}
/**
* Returns state variable declaration nodes for a contract, Throws on wrong node.
* Example:
* contract foo {
* ...
* var y = true;
* var x = 10; => [y,x]
* @contractNode {ASTNode} Contract Definition node
* @return {list variable declaration} state variable node list
*/
function getStateVariableDeclarationsFormContractNode (contractNode) {
if (!isContractDefinition(contractNode)) throw new Error('staticAnalysisCommon.js: not an contract definition declaration')
return contractNode.children.filter((el) => isVariableDeclaration(el))
}
/**
* Returns parameter node for a function or modifier definition, Throws on wrong node.
* Example:
* function bar(uint a, uint b) => uint a, uint b
* @funcNode {ASTNode} Contract Definition node
* @return {parameterlist node} parameterlist node
*/
function getFunctionOrModifierDefinitionParameterPart (funcNode) {
if (!isFunctionDefinition(funcNode) && !isModifierDefinition(funcNode)) throw new Error('staticAnalysisCommon.js: not an function definition')
return funcNode.children[0]
}
/**
* Extracts the parameter types for a function type signature
* Example:
* function(uint a, uint b) returns (bool) => uint a, uint b
* @func {ASTNode} function call node
* @return {string} parameter signature
*/
function getFunctionCallTypeParameterType (func) {
return new RegExp(basicRegex.FUNCTIONSIGNATURE).exec(getFunctionCallType(func))[1]
}
/**
* Returns the name of the library called, Throws on wrong node.
* Example:
* library set{...}
* contract foo {
* ...
* function () { set.union() => set}
* @funcCall {ASTNode} function call node
* @return {string} name of the lib defined
*/
function getLibraryCallContractName (funcCall) {
if (!isLibraryCall(funcCall)) throw new Error('staticAnalysisCommon.js: not an this library call Node')
return new RegExp(basicRegex.LIBRARYTYPE).exec(funcCall.children[0].attributes.type)[1]
}
/**
* Returns the name of the function of a library call, Throws on wrong node.
* Example:
* library set{...}
* contract foo {
* ...
* function () { set.union() => uinion}
* @func {ASTNode} function call node
* @return {string} name of function called on the library
*/
function getLibraryCallMemberName (funcCall) {
if (!isLibraryCall(funcCall)) throw new Error('staticAnalysisCommon.js: not an library call Node')
return funcCall.attributes.member_name
}
/**
* Returns full qualified name for a function call, Throws on wrong node.
* Example:
* contract foo {
* ...
* function bar(uint b) { }
* function baz() {
* bar(10) => foo.bar(uint)
* @func {ASTNode} function call node
* @func {ASTNode} contract defintion
* @return {string} full qualified identifier for the function call
*/
function getFullQualifiedFunctionCallIdent (contract, func) {
if (isLocalCall(func)) return getContractName(contract) + '.' + getLocalCallName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
else if (isThisLocalCall(func)) return getThisLocalCallContractName(func) + '.' + getThisLocalCallName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
else if (isSuperLocalCall(func)) return getContractName(contract) + '.' + getSuperLocalCallName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
else if (isExternalDirectCall(func)) return getExternalDirectCallContractName(func) + '.' + getExternalDirectCallMemberName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
else if (isLibraryCall(func)) return getLibraryCallContractName(func) + '.' + getLibraryCallMemberName(func) + '(' + getFunctionCallTypeParameterType(func) + ')'
else throw new Error('staticAnalysisCommon.js: Can not get function name form non function call node')
}
function getFullQuallyfiedFuncDefinitionIdent (contract, func, paramTypes) {
return getContractName(contract) + '.' + getFunctionDefinitionName(func) + '(' + utils.concatWithSeperator(paramTypes, ',') + ')'
}
// #################### Trivial Node Identification
function isFunctionDefinition (node) {
return nodeType(node, exactMatch(nodeTypes.FUNCTIONDEFINITION))
}
function isModifierDefinition (node) {
return nodeType(node, exactMatch(nodeTypes.MODIFIERDEFINITION))
}
function isModifierInvocation (node) {
return nodeType(node, exactMatch(nodeTypes.MODIFIERINVOCATION))
}
function isVariableDeclaration (node) {
return nodeType(node, exactMatch(nodeTypes.VARIABLEDECLARATION))
}
function isInheritanceSpecifier (node) {
return nodeType(node, exactMatch(nodeTypes.INHERITANCESPECIFIER))
}
function isAssignment (node) {
return nodeType(node, exactMatch(nodeTypes.ASSIGNMENT))
}
function isContractDefinition (node) {
return nodeType(node, exactMatch(nodeTypes.CONTRACTDEFINITION))
}
function isInlineAssembly (node) {
return nodeType(node, exactMatch(nodeTypes.INLINEASSEMBLY))
}
function isNewExpression (node) {
return nodeType(node, exactMatch(nodeTypes.NEWEXPRESSION))
}
// #################### Complex Node Identification
/**
* True if function defintion has function body
* @funcNode {ASTNode} function defintion node
* @return {bool}
*/
function hasFunctionBody (funcNode) {
return findFirstSubNodeLTR(funcNode, exactMatch(nodeTypes.BLOCK)) != null
}
/**
* True if call to code within the current contracts context including (delegate) library call
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLocalCallGraphRelevantNode (node) {
return ((isLocalCall(node) || isSuperLocalCall(node) || isLibraryCall(node)) && !isBuiltinFunctionCall(node))
}
/**
* True if is builtin function like assert, sha3, erecover, ...
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isBuiltinFunctionCall (node) {
return isLocalCall(node) && builtinFunctions[getLocalCallName(node) + '(' + getFunctionCallTypeParameterType(node) + ')'] === true
}
/**
* True if is storage variable declaration
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isStorageVariableDeclaration (node) {
return isVariableDeclaration(node) && expressionType(node, basicRegex.REFTYPE)
}
/**
* True if is interaction with external contract (change in context, no delegate calls) (send, call of other contracts)
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isInteraction (node) {
return isLLCall(node) || isLLSend(node) || isExternalDirectCall(node)
}
/**
* True if node changes state of a variable or is inline assembly (does not include check if it is a global state change, on a state variable)
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isEffect (node) {
return isAssignment(node) || isPlusPlusUnaryOperation(node) || isMinusMinusUnaryOperation(node) || isInlineAssembly(node)
}
/**
* True if node changes state of a variable or is inline assembly (Checks if variable is a state variable via provided list)
* @node {ASTNode} some AstNode
* @node {list Variable declaration} state variable declaration currently in scope
* @return {bool}
*/
function isWriteOnStateVariable (effectNode, stateVariables) {
return isInlineAssembly(effectNode) || (isEffect(effectNode) && isStateVariable(getEffectedVariableName(effectNode), stateVariables))
}
/**
* True if there is a variable with name, name in stateVariables
* @node {ASTNode} some AstNode
* @node {list Variable declaration} state variable declaration currently in scope
* @return {bool}
*/
function isStateVariable (name, stateVariables) {
return stateVariables.some((item) => name === getDeclaredVariableName(item))
}
/**
* True if is function defintion that is flaged as constant
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isConstantFunction (node) {
return isFunctionDefinition(node) && node.attributes.constant === true
}
/**
* True if unary increment operation
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isPlusPlusUnaryOperation (node) {
return nodeType(node, exactMatch(nodeTypes.UNARYOPERATION)) && operator(node, exactMatch(utils.escapeRegExp('++')))
}
/**
* True if unary decrement operation
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isMinusMinusUnaryOperation (node) {
return nodeType(node, exactMatch(nodeTypes.UNARYOPERATION)) && operator(node, exactMatch(utils.escapeRegExp('--')))
}
/**
* True if all functions on a contract are implemented
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isFullyImplementedContract (node) {
return nodeType(node, exactMatch(nodeTypes.CONTRACTDEFINITION)) && node.attributes.fullyImplemented === true
}
/**
* True if it is a library contract defintion
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLibrary (node) {
return nodeType(node, exactMatch(nodeTypes.CONTRACTDEFINITION)) && node.attributes.isLibrary === true
}
/**
* True if it is a local call to non const function
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isCallToNonConstLocalFunction (node) {
return isLocalCall(node) && !expressionType(node.children[0], basicRegex.CONSTANTFUNCTIONTYPE)
}
/**
* True if it is a call to a library
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLibraryCall (node) {
return isMemberAccess(node, basicRegex.FUNCTIONTYPE, undefined, basicRegex.LIBRARYTYPE, undefined)
}
/**
* True if it is an external call via defined interface (not low level call)
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isExternalDirectCall (node) {
return isMemberAccess(node, basicRegex.EXTERNALFUNCTIONTYPE, undefined, basicRegex.CONTRACTTYPE, undefined) && !isThisLocalCall(node) && !isSuperLocalCall(node)
}
/**
* True if access to block.timestamp via now alias
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isNowAccess (node) { function isNowAccess (node) {
return nodeType(node, nodeTypes.IDENTIFIER) && return nodeType(node, exactMatch(nodeTypes.IDENTIFIER)) &&
expressionType(node, basicTypes.UINT) && expressionType(node, exactMatch(basicTypes.UINT)) &&
name(node, 'now') name(node, exactMatch('now'))
} }
// usage of block timestamp /**
* True if access to block.timestamp
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isBlockTimestampAccess (node) { function isBlockTimestampAccess (node) {
return isSpecialVariableAccess(node, specialVariables.BLOCKTIMESTAMP) return isSpecialVariableAccess(node, specialVariables.BLOCKTIMESTAMP)
} }
function isSpecialVariableAccess (node, varType) { /**
return isMemberAccess(node, varType.type, varType.obj, varType.obj, varType.member) * True if access to block.blockhash
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isBlockBlockHashAccess (node) {
return isSpecialVariableAccess(node, specialVariables.BLOCKHASH)
} }
/**
* True if call to local function via this keyword
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isThisLocalCall (node) { function isThisLocalCall (node) {
return isMemberAccess(node, basicRegex.FUNCTIONTYPE, 'this', basicRegex.CONTRACTTYPE, undefined) return isMemberAccess(node, basicRegex.FUNCTIONTYPE, exactMatch('this'), basicRegex.CONTRACTTYPE, undefined)
} }
/**
* True if access to local function via super keyword
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isSuperLocalCall (node) {
return isMemberAccess(node, basicRegex.FUNCTIONTYPE, exactMatch('super'), basicRegex.CONTRACTTYPE, undefined)
}
/**
* True if call to local function
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLocalCall (node) {
return nodeType(node, exactMatch(nodeTypes.FUNCTIONCALL)) &&
minNrOfChildren(node, 1) &&
nodeType(node.children[0], exactMatch(nodeTypes.IDENTIFIER)) &&
expressionType(node.children[0], basicRegex.FUNCTIONTYPE) &&
!expressionType(node.children[0], basicRegex.EXTERNALFUNCTIONTYPE) &&
nrOfChildren(node.children[0], 0)
}
/**
* True if low level call (send, call, delegatecall, callcode)
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLowLevelCall (node) { function isLowLevelCall (node) {
return isLLCall(node) || return isLLCall(node) ||
isLLCallcode(node) || isLLCallcode(node) ||
@ -69,32 +580,65 @@ function isLowLevelCall (node) {
isLLSend(node) isLLSend(node)
} }
/**
* True if low level send
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLLSend (node) { function isLLSend (node) {
return isMemberAccess(node, return isMemberAccess(node,
utils.escapeRegExp(lowLevelCallTypes.SEND.type), exactMatch(utils.escapeRegExp(lowLevelCallTypes.SEND.type)),
undefined, basicTypes.ADDRESS, lowLevelCallTypes.SEND.ident) undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.SEND.ident))
} }
/**
* True if low level call
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLLCall (node) { function isLLCall (node) {
return isMemberAccess(node, return isMemberAccess(node,
utils.escapeRegExp(lowLevelCallTypes.CALL.type), exactMatch(utils.escapeRegExp(lowLevelCallTypes.CALL.type)),
undefined, basicTypes.ADDRESS, lowLevelCallTypes.CALL.ident) undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.CALL.ident))
} }
/**
* True if low level callcode
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLLCallcode (node) { function isLLCallcode (node) {
return isMemberAccess(node, return isMemberAccess(node,
utils.escapeRegExp(lowLevelCallTypes.CALLCODE.type), exactMatch(utils.escapeRegExp(lowLevelCallTypes.CALLCODE.type)),
undefined, basicTypes.ADDRESS, lowLevelCallTypes.CALLCODE.ident) undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.CALLCODE.ident))
} }
/**
* True if low level delegatecall
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isLLDelegatecall (node) { function isLLDelegatecall (node) {
return isMemberAccess(node, return isMemberAccess(node,
utils.escapeRegExp(lowLevelCallTypes.DELEGATECALL.type), exactMatch(utils.escapeRegExp(lowLevelCallTypes.DELEGATECALL.type)),
undefined, basicTypes.ADDRESS, lowLevelCallTypes.DELEGATECALL.ident) undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.DELEGATECALL.ident))
}
/**
* True if transfer call
* @node {ASTNode} some AstNode
* @return {bool}
*/
function isTransfer (node) {
return isMemberAccess(node,
exactMatch(utils.escapeRegExp(lowLevelCallTypes.TRANSFER.type)),
undefined, exactMatch(basicTypes.ADDRESS), exactMatch(lowLevelCallTypes.TRANSFER.ident))
} }
// #################### Complex Node Identification - Private
function isMemberAccess (node, retType, accessor, accessorType, memberName) { function isMemberAccess (node, retType, accessor, accessorType, memberName) {
return nodeType(node, nodeTypes.MEMBERACCESS) && return nodeType(node, exactMatch(nodeTypes.MEMBERACCESS)) &&
expressionType(node, retType) && expressionType(node, retType) &&
name(node, memberName) && name(node, memberName) &&
nrOfChildren(node, 1) && nrOfChildren(node, 1) &&
@ -102,8 +646,18 @@ function isMemberAccess (node, retType, accessor, accessorType, memberName) {
expressionType(node.children[0], accessorType) expressionType(node.children[0], accessorType)
} }
function isSpecialVariableAccess (node, varType) {
return isMemberAccess(node, exactMatch(utils.escapeRegExp(varType.type)), varType.obj, varType.obj, varType.member)
}
// #################### Node Identification Primitives
function nrOfChildren (node, nr) { function nrOfChildren (node, nr) {
return (node && (nr === undefined || nr === null)) || (node && node.children && node.children.length === nr) return (node && (nr === undefined || nr === null)) || (node && nr === 0 && !node.children) || (node && node.children && node.children.length === nr)
}
function minNrOfChildren (node, nr) {
return (node && (nr === undefined || nr === null)) || (node && nr === 0 && !node.children) || (node && node.children && node.children.length >= nr)
} }
function expressionType (node, typeRegex) { function expressionType (node, typeRegex) {
@ -119,6 +673,16 @@ function name (node, nameRegex) {
return (node && !nameRegex) || (node && node.attributes && (regex.test(node.attributes.value) || regex.test(node.attributes.member_name))) return (node && !nameRegex) || (node && node.attributes && (regex.test(node.attributes.value) || regex.test(node.attributes.member_name)))
} }
function operator (node, opRegex) {
return (node && !opRegex) || (node && new RegExp(opRegex).test(node.attributes.operator))
}
// #################### Helpers
function exactMatch (regexStr) {
return '^' + regexStr + '$'
}
/** /**
* Builds an function signature as used in the AST of the solc-json AST * Builds an function signature as used in the AST of the solc-json AST
* @param {Array} paramTypes * @param {Array} paramTypes
@ -126,21 +690,96 @@ function name (node, nameRegex) {
* @param {Array} returnTypes * @param {Array} returnTypes
* list of return type names * list of return type names
* @return {Boolean} isPayable * @return {Boolean} isPayable
* CAUTION: only needed in low level call signature or message-calls (other contracts, this.)
*/ */
function buildFunctionSignature (paramTypes, returnTypes, isPayable) { function buildFunctionSignature (paramTypes, returnTypes, isPayable) {
return 'function (' + utils.concatWithSeperator(paramTypes, ',') + ')' + ((isPayable) ? ' payable' : '') + ((returnTypes.length) ? ' returns (' + utils.concatWithSeperator(returnTypes, ',') + ')' : '') return 'function (' + utils.concatWithSeperator(paramTypes, ',') + ')' + ((isPayable) ? ' payable' : '') + ((returnTypes.length) ? ' returns (' + utils.concatWithSeperator(returnTypes, ',') + ')' : '')
} }
/**
* Finds first node of a certain type under a specific node.
* @node {AstNode} node to start form
* @type {String} Type the ast node should have
* @return {AstNode} null or node found
*/
function findFirstSubNodeLTR (node, type) {
if (!node || !node.children) return null
for (let i = 0; i < node.children.length; ++i) {
var item = node.children[i]
if (nodeType(item, type)) return item
else {
var res = findFirstSubNodeLTR(item, type)
if (res) return res
}
}
return null
}
module.exports = { module.exports = {
// #################### Trivial Getters
getType: getType,
// #################### Complex Getters
getThisLocalCallName: getThisLocalCallName,
getSuperLocalCallName: getSuperLocalCallName,
getFunctionCallType: getFunctionCallType,
getContractName: getContractName,
getEffectedVariableName: getEffectedVariableName,
getDeclaredVariableName: getDeclaredVariableName,
getLocalCallName: getLocalCallName,
getInheritsFromName: getInheritsFromName,
getExternalDirectCallContractName: getExternalDirectCallContractName,
getThisLocalCallContractName: getThisLocalCallContractName,
getExternalDirectCallMemberName: getExternalDirectCallMemberName,
getFunctionDefinitionName: getFunctionDefinitionName,
getFunctionCallTypeParameterType: getFunctionCallTypeParameterType,
getLibraryCallContractName: getLibraryCallContractName,
getLibraryCallMemberName: getLibraryCallMemberName,
getFullQualifiedFunctionCallIdent: getFullQualifiedFunctionCallIdent,
getFullQuallyfiedFuncDefinitionIdent: getFullQuallyfiedFuncDefinitionIdent,
getStateVariableDeclarationsFormContractNode: getStateVariableDeclarationsFormContractNode,
getFunctionOrModifierDefinitionParameterPart: getFunctionOrModifierDefinitionParameterPart,
// #################### Complex Node Identification
hasFunctionBody: hasFunctionBody,
isInteraction: isInteraction,
isEffect: isEffect,
isNowAccess: isNowAccess, isNowAccess: isNowAccess,
isBlockTimestampAccess: isBlockTimestampAccess, isBlockTimestampAccess: isBlockTimestampAccess,
isBlockBlockHashAccess: isBlockBlockHashAccess,
isThisLocalCall: isThisLocalCall, isThisLocalCall: isThisLocalCall,
isSuperLocalCall: isSuperLocalCall,
isLibraryCall: isLibraryCall,
isLocalCallGraphRelevantNode: isLocalCallGraphRelevantNode,
isLocalCall: isLocalCall,
isWriteOnStateVariable: isWriteOnStateVariable,
isStateVariable: isStateVariable,
isTransfer: isTransfer,
isLowLevelCall: isLowLevelCall, isLowLevelCall: isLowLevelCall,
isLowLevelCallInst: isLLCall, isLowLevelCallInst: isLLCall,
isLowLevelCallcodeInst: isLLCallcode, isLowLevelCallcodeInst: isLLCallcode,
isLowLevelDelegatecallInst: isLLDelegatecall, isLowLevelDelegatecallInst: isLLDelegatecall,
isLowLevelSendInst: isLLSend, isLowLevelSendInst: isLLSend,
isExternalDirectCall: isExternalDirectCall,
isFullyImplementedContract: isFullyImplementedContract,
isLibrary: isLibrary,
isCallToNonConstLocalFunction: isCallToNonConstLocalFunction,
isPlusPlusUnaryOperation: isPlusPlusUnaryOperation,
isMinusMinusUnaryOperation: isMinusMinusUnaryOperation,
isBuiltinFunctionCall: isBuiltinFunctionCall,
// #################### Trivial Node Identification
isFunctionDefinition: isFunctionDefinition,
isModifierDefinition: isModifierDefinition,
isInheritanceSpecifier: isInheritanceSpecifier,
isModifierInvocation: isModifierInvocation,
isVariableDeclaration: isVariableDeclaration,
isStorageVariableDeclaration: isStorageVariableDeclaration,
isAssignment: isAssignment,
isContractDefinition: isContractDefinition,
isConstantFunction: isConstantFunction,
isInlineAssembly: isInlineAssembly,
isNewExpression: isNewExpression,
// #################### Constants
nodeTypes: nodeTypes, nodeTypes: nodeTypes,
basicTypes: basicTypes, basicTypes: basicTypes,
basicFunctionTypes: basicFunctionTypes, basicFunctionTypes: basicFunctionTypes,
@ -148,9 +787,11 @@ module.exports = {
specialVariables: specialVariables, specialVariables: specialVariables,
helpers: { helpers: {
nrOfChildren: nrOfChildren, nrOfChildren: nrOfChildren,
minNrOfChildren: minNrOfChildren,
expressionType: expressionType, expressionType: expressionType,
nodeType: nodeType, nodeType: nodeType,
name: name, name: name,
operator: operator,
buildFunctionSignature: buildFunctionSignature buildFunctionSignature: buildFunctionSignature
} }
} }

5
src/app/staticanalysis/modules/thisLocal.js
Unescape View File

@ -1,5 +1,5 @@
var name = 'this on local: ' var name = 'this on local calls: '
var desc = 'invocation of local functions via this' var desc = 'Invocation of local functions via this'
var categories = require('./categories') var categories = require('./categories')
var common = require('./staticAnalysisCommon') var common = require('./staticAnalysisCommon')
@ -12,7 +12,6 @@ thisLocal.prototype.visit = function (node) {
} }
thisLocal.prototype.report = function (compilationResults) { thisLocal.prototype.report = function (compilationResults) {
this.warningNowNodes = []
return this.warningNodes.map(function (item, i) { return this.warningNodes.map(function (item, i) {
return { return {
warning: `Use of "this" for local functions: Never use this to call functions in the same contract, it only consumes more gas than normal local calls.`, warning: `Use of "this" for local functions: Never use this to call functions in the same contract, it only consumes more gas than normal local calls.`,

6
src/app/staticanalysis/modules/txOrigin.js
Unescape View File

@ -1,5 +1,5 @@
var name = 'tx origin: ' var name = 'tx.origin: '
var desc = 'warn if tx.origin is used' var desc = 'Warn if tx.origin is used'
var categories = require('./categories') var categories = require('./categories')
function txOrigin () { function txOrigin () {
@ -20,7 +20,7 @@ txOrigin.prototype.visit = function (node) {
txOrigin.prototype.report = function () { txOrigin.prototype.report = function () {
return this.txOriginNodes.map(function (item, i) { return this.txOriginNodes.map(function (item, i) {
return { return {
warning: `use of tx.origin: "tx.origin" is useful only in very exceptional cases.<br /> warning: `Use of tx.origin: "tx.origin" is useful only in very exceptional cases.<br />
If you use it for authentication, you usually want to replace it by "msg.sender", because otherwise any contract you call can act on your behalf.`, If you use it for authentication, you usually want to replace it by "msg.sender", because otherwise any contract you call can act on your behalf.`,
location: item.src location: item.src
} }

4
src/app/staticanalysis/staticAnalysisRunner.js
Unescape View File

@ -12,6 +12,10 @@ staticAnalysisRunner.prototype.run = function (compilationResult, toRun, callbac
return { 'name': m.name, 'mod': new m.Module() } return { 'name': m.name, 'mod': new m.Module() }
}) })
this.runWithModuleList(compilationResult, modules, callback)
}
staticAnalysisRunner.prototype.runWithModuleList = function (compilationResult, modules, callback) {
// Also provide convenience analysis via the AST walker. // Also provide convenience analysis via the AST walker.
var walker = new AstWalker() var walker = new AstWalker()
for (var k in compilationResult.sources) { for (var k in compilationResult.sources) {

2
test-browser/tests/staticanalysis.js
Unescape View File

@ -38,7 +38,7 @@ function runTests (browser) {
.click('.staticanalysisView') .click('.staticanalysisView')
.click('#staticanalysisView button') .click('#staticanalysisView button')
.waitForElementPresent('#staticanalysisresult .warning', 2000, true, function () { .waitForElementPresent('#staticanalysisresult .warning', 2000, true, function () {
dom.listSelectorContains(['Untitled.sol:2:33: use of tx.origin', dom.listSelectorContains(['Untitled.sol:2:33: Use of tx.origin',
'Fallback function of contract Untitled.sol:TooMuchGas requires too much gas'], 'Fallback function of contract Untitled.sol:TooMuchGas requires too much gas'],
'#staticanalysisresult .warning span', '#staticanalysisresult .warning span',
browser, function () { browser, function () {

1
test/index.js
Unescape View File

@ -5,3 +5,4 @@ require('./gist-handler-test')
require('./query-params-test') require('./query-params-test')
require('./util-test') require('./util-test')
require('./staticanalysis/staticAnalysisCommon-test') require('./staticanalysis/staticAnalysisCommon-test')
require('./staticanalysis/staticAnalysisIntegration-test')

1808
test/staticanalysis/staticAnalysisCommon-test.js
View File

File diff suppressed because it is too large Load Diff

207
test/staticanalysis/staticAnalysisIntegration-test.js
Unescape View File

@ -0,0 +1,207 @@
var test = require('tape')
var StatRunner = require('../../src/app/staticanalysis/staticAnalysisRunner')
// const util = require('util')
var solc = require('solc/wrapper')
var compiler = solc(require('../../soljson'))
var fs = require('fs')
var path = require('path')
var testFiles = [
'KingOfTheEtherThrone.sol',
'assembly.sol',
'ballot.sol',
'ballot_reentrant.sol',
'ballot_withoutWarnings.sol',
'cross_contract.sol',
'inheritance.sol',
'modifier1.sol',
'modifier2.sol',
'notReentrant.sol',
'structReentrant.sol',
'thisLocal.sol',
'globals.sol',
'library.sol'
]
var testFileAsts = {}
testFiles.forEach((fileName) => {
var contents = fs.readFileSync(path.join(__dirname, 'test-contracts', fileName), 'utf8')
testFileAsts[fileName] = compiler.compile(contents, 0)
})
test('Integration test thisLocal.js', function (t) {
t.plan(testFiles.length)
var module = require('../../src/app/staticanalysis/modules/thisLocal')
var lengthCheck = {
'KingOfTheEtherThrone.sol': 0,
'assembly.sol': 0,
'ballot.sol': 0,
'ballot_reentrant.sol': 1,
'ballot_withoutWarnings.sol': 0,
'cross_contract.sol': 0,
'inheritance.sol': 0,
'modifier1.sol': 0,
'modifier2.sol': 0,
'notReentrant.sol': 0,
'structReentrant.sol': 0,
'thisLocal.sol': 1,
'globals.sol': 0,
'library.sol': 0
}
runModuleOnFiles(module, t, (file, report) => {
t.equal(report.length, lengthCheck[file], `${file} has right amount of this local warnings`)
})
})
test('Integration test checksEffectsInteraction.js', function (t) {
t.plan(testFiles.length)
var module = require('../../src/app/staticanalysis/modules/checksEffectsInteraction')
var lengthCheck = {
'KingOfTheEtherThrone.sol': 1,
'assembly.sol': 1,
'ballot.sol': 0,
'ballot_reentrant.sol': 1,
'ballot_withoutWarnings.sol': 0,
'cross_contract.sol': 0,
'inheritance.sol': 1,
'modifier1.sol': 0,
'modifier2.sol': 0,
'notReentrant.sol': 0,
'structReentrant.sol': 1,
'thisLocal.sol': 0,
'globals.sol': 1,
'library.sol': 1
}
runModuleOnFiles(module, t, (file, report) => {
t.equal(report.length, lengthCheck[file], `${file} has right amount of checks-effects-interaction warnings`)
})
})
test('Integration test constantFunctions.js', function (t) {
t.plan(testFiles.length)
var module = require('../../src/app/staticanalysis/modules/constantFunctions')
var lengthCheck = {
'KingOfTheEtherThrone.sol': 0,
'assembly.sol': 0,
'ballot.sol': 0,
'ballot_reentrant.sol': 0,
'ballot_withoutWarnings.sol': 0,
'cross_contract.sol': 1,
'inheritance.sol': 0,
'modifier1.sol': 1,
'modifier2.sol': 0,
'notReentrant.sol': 0,
'structReentrant.sol': 0,
'thisLocal.sol': 1,
'globals.sol': 0,
'library.sol': 1
}
runModuleOnFiles(module, t, (file, report) => {
t.equal(report.length, lengthCheck[file], `${file} has right amount of constant warnings`)
})
})
test('Integration test inlineAssembly.js', function (t) {
t.plan(testFiles.length)
var module = require('../../src/app/staticanalysis/modules/inlineAssembly')
var lengthCheck = {
'KingOfTheEtherThrone.sol': 0,
'assembly.sol': 2,
'ballot.sol': 0,
'ballot_reentrant.sol': 0,
'ballot_withoutWarnings.sol': 0,
'cross_contract.sol': 0,
'inheritance.sol': 0,
'modifier1.sol': 0,
'modifier2.sol': 0,
'notReentrant.sol': 0,
'structReentrant.sol': 0,
'thisLocal.sol': 0,
'globals.sol': 0,
'library.sol': 0
}
runModuleOnFiles(module, t, (file, report) => {
t.equal(report.length, lengthCheck[file], `${file} has right amount of inline assembly warnings`)
})
})
test('Integration test txOrigin.js', function (t) {
t.plan(testFiles.length)
var module = require('../../src/app/staticanalysis/modules/txOrigin')
var lengthCheck = {
'KingOfTheEtherThrone.sol': 0,
'assembly.sol': 1,
'ballot.sol': 0,
'ballot_reentrant.sol': 0,
'ballot_withoutWarnings.sol': 0,
'cross_contract.sol': 0,
'inheritance.sol': 0,
'modifier1.sol': 0,
'modifier2.sol': 0,
'notReentrant.sol': 0,
'structReentrant.sol': 0,
'thisLocal.sol': 0,
'globals.sol': 1,
'library.sol': 0
}
runModuleOnFiles(module, t, (file, report) => {
t.equal(report.length, lengthCheck[file], `${file} has right amount of tx.origin warnings`)
})
})
test('Integration test gasCosts.js', function (t) {
t.plan(testFiles.length)
var module = require('../../src/app/staticanalysis/modules/gasCosts')
var lengthCheck = {
'KingOfTheEtherThrone.sol': 2,
'assembly.sol': 2,
'ballot.sol': 3,
'ballot_reentrant.sol': 2,
'ballot_withoutWarnings.sol': 0,
'cross_contract.sol': 1,
'inheritance.sol': 1,
'modifier1.sol': 0,
'modifier2.sol': 1,
'notReentrant.sol': 1,
'structReentrant.sol': 1,
'thisLocal.sol': 2,
'globals.sol': 1,
'library.sol': 1
}
runModuleOnFiles(module, t, (file, report) => {
t.equal(report.length, lengthCheck[file], `${file} has right amount of gasCost warnings`)
})
})
// #################### Helpers
function runModuleOnFiles (module, t, cb) {
var statRunner = new StatRunner()
testFiles.forEach((fileName) => {
statRunner.runWithModuleList(testFileAsts[fileName], [{ name: module.name, mod: new module.Module() }], (reports) => {
cb(fileName, reports[0].report)
})
})
}

23
test/staticanalysis/test-contracts/KingOfTheEtherThrone.sol
Unescape View File

@ -0,0 +1,23 @@
// return value send
contract KingOfTheEtherThrone{
struct Monarch {
// address of the king .
address ethAddr ;
string name ;
// how much he pays to previous king
uint claimPrice ;
uint coronationTimestamp;
}
Monarch public currentMonarch ;
function claimThrone ( string name ) {
address wizardAddress;
uint compensation = 100;
uint valuePaid = 10;
if ( currentMonarch.ethAddr != wizardAddress )
if (currentMonarch.ethAddr.send( compensation )) throw;
currentMonarch = Monarch(msg.sender,name,valuePaid,block.timestamp);
}
}

29
test/staticanalysis/test-contracts/assembly.sol
Unescape View File

@ -0,0 +1,29 @@
pragma solidity ^0.4.9;
contract test {
address owner;
function at(address _addr) returns (bytes o_code) {
assembly {
// retrieve the size of the code, this needs assembly
let size := extcodesize(_addr)
// allocate output byte array - this could also be done without assembly
// by using o_code = new bytes(size)
o_code := mload(0x40)
// new "memory end" including padding
mstore(0x40, add(o_code, and(add(add(size, 0x20), 0x1f), not(0x1f))))
// store length in memory
mstore(o_code, size)
// actually retrieve the code, this needs assembly
extcodecopy(_addr, add(o_code, 0x20), 0, size)
}
}
function bla() {
if(tx.origin == owner)
msg.sender.send(19);
assembly {
}
}
}

145
test/staticanalysis/test-contracts/ballot.sol
Unescape View File

@ -0,0 +1,145 @@
pragma solidity ^0.4.0;
/// @title Voting with delegation.
contract Ballot {
// This declares a new complex type which will
// be used for variables later.
// It will represent a single voter.
struct Voter {
uint weight; // weight is accumulated by delegation
bool voted; // if true, that person already voted
address delegate; // person delegated to
uint vote; // index of the voted proposal
}
// This is a type for a single proposal.
struct Proposal
{
bytes32 name; // short name (up to 32 bytes)
uint voteCount; // number of accumulated votes
}
address public chairperson;
// This declares a state variable that
// stores a `Voter` struct for each possible address.
mapping(address => Voter) public voters;
// A dynamically-sized array of `Proposal` structs.
Proposal[] public proposals;
/// Create a new ballot to choose one of `proposalNames`.
function Ballot(bytes32[] proposalNames) {
chairperson = msg.sender;
voters[chairperson].weight = 1;
// For each of the provided proposal names,
// create a new proposal object and add it
// to the end of the array.
for (uint i = 0; i < proposalNames.length; i++) {
// `Proposal({...})` creates a temporary
// Proposal object and `proposals.push(...)`
// appends it to the end of `proposals`.
proposals.push(Proposal({
name: proposalNames[i],
voteCount: 0
}));
}
}
// Give `voter` the right to vote on this ballot.
// May only be called by `chairperson`.
function giveRightToVote(address voter) {
if (msg.sender != chairperson || voters[voter].voted) {
// `throw` terminates and reverts all changes to
// the state and to Ether balances. It is often
// a good idea to use this if functions are
// called incorrectly. But watch out, this
// will also consume all provided gas.
throw;
}
voters[voter].weight = 1;
}
/// Delegate your vote to the voter `to`.
function delegate(address to) {
// assigns reference
Voter sender = voters[msg.sender];
if (sender.voted)
throw;
// Forward the delegation as long as
// `to` also delegated.
// In general, such loops are very dangerous,
// because if they run too long, they might
// need more gas than is available in a block.
// In this case, the delegation will not be executed,
// but in other situations, such loops might
// cause a contract to get "stuck" completely.
while (
voters[to].delegate != address(0) &&
voters[to].delegate != msg.sender
) {
to = voters[to].delegate;
}
// We found a loop in the delegation, not allowed.
if (to == msg.sender) {
throw;
}
// Since `sender` is a reference, this
// modifies `voters[msg.sender].voted`
sender.voted = true;
sender.delegate = to;
Voter delegate = voters[to];
if (delegate.voted) {
// If the delegate already voted,
// directly add to the number of votes
proposals[delegate.vote].voteCount += sender.weight;
} else {
// If the delegate did not vote yet,
// add to her weight.
delegate.weight += sender.weight;
}
}
/// Give your vote (including votes delegated to you)
/// to proposal `proposals[proposal].name`.
function vote(uint proposal) {
Voter sender = voters[msg.sender];
if (sender.voted)
throw;
sender.voted = true;
sender.vote = proposal;
// If `proposal` is out of the range of the array,
// this will throw automatically and revert all
// changes.
proposals[proposal].voteCount += sender.weight;
}
/// @dev Computes the winning proposal taking all
/// previous votes into account.
function winningProposal() constant
returns (uint winningProposal)
{
uint winningVoteCount = 0;
for (uint p = 0; p < proposals.length; p++) {
if (proposals[p].voteCount > winningVoteCount) {
winningVoteCount = proposals[p].voteCount;
winningProposal = p;
}
}
}
// Calls winningProposal() function to get the index
// of the winner contained in the proposals array and then
// returns the name of the winner
function winnerName() constant
returns (bytes32 winnerName)
{
winnerName = proposals[winningProposal()].name;
}
}

101
test/staticanalysis/test-contracts/ballot_reentrant.sol
Unescape View File

@ -0,0 +1,101 @@
pragma solidity ^0.4.0;
contract InfoFeed {
function info() payable returns (uint ret);
function call1(uint a) payable returns (bool);
}
contract Ballot {
InfoFeed feed;
struct Voter {
uint weight;
bool voted;
uint8 vote;
address delegate;
}
struct Proposal {
uint voteCount;
}
address chairperson;
mapping(address => Voter) voters;
Proposal[] proposals;
function send1(address a) {
giveRightToVote(a,a);
}
/// Create a new ballot with $(_numProposals) different proposals.
function Ballot(uint8 _numProposals) {
address d;
if(!d.delegatecall.gas(800)('function_name', 'arg1', 'arg2')) throw;
if(!d.callcode.gas(800)('function_name', 'arg1', 'arg2')) throw;
if(!d.call.value(10).gas(800)('function_name', 'arg1', 'arg2')) throw;
if(!d.call.value(10).gas(800)('function_name', 'arg1', 'arg2')) throw;
if(!msg.sender.send(1 wei)) throw;
if(!d.call('function_name', 'arg1', 'arg2')) throw;
uint a = now;
uint c = block.timestamp;
if(block.timestamp < 100){}
chairperson = msg.sender;
voters[chairperson].weight = 1;
proposals.length = _numProposals;
if(!d.send(1 wei)) throw;
feed.info.value(10).gas(800)();
feed.call1(1);
this.send1(d);
}
/// Give $(voter) the right to vote on this ballot.
/// May only be called by $(chairperson).
function giveRightToVote(address voter, address b) payable returns (bool){
if (msg.sender != chairperson || voters[voter].voted) return;
voters[voter].weight = 1;
return true;
}
/// Delegate your vote to the voter $(to).
function delegate(address to) {
Voter sender = voters[msg.sender]; // assigns reference
if (sender.voted) return;
while (voters[to].delegate != address(0) && voters[to].delegate != msg.sender)
to = voters[to].delegate;
if (to == msg.sender) return;
sender.voted = true;
sender.delegate = to;
Voter delegate = voters[to];
if (delegate.voted)
proposals[delegate.vote].voteCount += sender.weight;
else
delegate.weight += sender.weight;
}
/// Give a single vote to proposal $(proposal).
function vote(uint8 proposal) {
Voter sender = voters[msg.sender];
if (sender.voted || proposal >= proposals.length) return;
sender.voted = true;
sender.vote = proposal;
proposals[proposal].voteCount += sender.weight;
}
function winningProposal() constant returns (uint8 winningProposal) {
uint256 winningVoteCount = 0;
for (uint8 proposal = 0; proposal < proposals.length; proposal++)
if (proposals[proposal].voteCount > winningVoteCount) {
winningVoteCount = proposals[proposal].voteCount;
winningProposal = proposal;
}
}
}

31
test/staticanalysis/test-contracts/ballot_withoutWarnings.sol
Unescape View File

@ -0,0 +1,31 @@
pragma solidity ^0.4.0;
/// @title Voting with delegation.
contract Ballot {
struct Proposal
{
bytes32 name; // short name (up to 32 bytes)
uint voteCount; // number of accumulated votes
}
// A dynamically-sized array of `Proposal` structs.
Proposal[] public proposals;
/// @dev Computes the winning proposal taking all
/// previous votes into account.
function winningProposal() constant
returns (uint winningProposal)
{
winningProposal = 0;
}
// Calls winningProposal() function to get the index
// of the winner contained in the proposals array and then
// returns the name of the winner
function winnerName() constant
returns (bytes32 winnerName)
{
winnerName = proposals[winningProposal()].name;
}
}

19
test/staticanalysis/test-contracts/cross_contract.sol
Unescape View File

@ -0,0 +1,19 @@
pragma solidity ^0.4.0;
contract a {
uint x;
function foo() {
x++;
}
}
contract b {
a x;
function bar() constant {
address a;
a.send(100 wei);
x.foo();
}
}

57
test/staticanalysis/test-contracts/globals.sol
Unescape View File

@ -0,0 +1,57 @@
pragma solidity ^0.4.9;
contract bla {
uint brr;
function duper() {
brr++;
}
}
contract a is bla {
function blub() {
brr++;
}
function r () {
address a;
bytes32 hash;
uint8 v;
bytes32 r;
bytes32 s;
block.blockhash(1);
block.coinbase;
block.difficulty;
block.gaslimit;
block.number;
block.timestamp;
msg.data;
msg.gas;
msg.sender;
msg.value;
now;
tx.gasprice;
tx.origin;
//assert(now == block.timestamp);
//require(now == block.timestamp);
keccak256(a);
sha3(a);
sha256(a);
ripemd160(a);
ecrecover(hash, v, r, s);
addmod(1, 2, 2);
mulmod(4,4,12);
a.balance;
blub();
a.send(a.balance);
super.duper();
//a.transfer(a.balance);
selfdestruct(a);
//revert();
}
}

40
test/staticanalysis/test-contracts/inheritance.sol
Unescape View File

@ -0,0 +1,40 @@
pragma solidity ^0.4.9;
contract r {
function s() constant {}
}
contract a is r {
uint x = 1;
function getX() constant returns (uint) {
return x;
}
}
contract b is a {
uint y = 2;
uint x = 3;
function getY(uint z, bool r) returns (uint) {
return y++;
}
function getY(string storage n) internal constant returns (uint) { return 10; }
}
contract c is b {
string x;
function d() returns (uint a, uint b) {
//d();
//sha3("bla");
msg.sender.call.gas(200000).value(this.balance)(bytes4(sha3("pay()")));
//x++;
getY(x);
a = getX() + getY(1, false);
b = getX() + getY(x);
}
}

54
test/staticanalysis/test-contracts/library.sol
Unescape View File

@ -0,0 +1,54 @@
pragma solidity ^0.4.0;
library Set {
// We define a new struct datatype that will be used to
// hold its data in the calling contract.
struct Data { mapping(uint => bool) flags; }
// Note that the first parameter is of type "storage
// reference" and thus only its storage address and not
// its contents is passed as part of the call. This is a
// special feature of library functions. It is idiomatic
// to call the first parameter 'self', if the function can
// be seen as a method of that object.
function insert(Data storage self, uint value)
returns (bool)
{
if (self.flags[value])
return false; // already there
self.flags[value] = true;
return true;
}
function remove(Data storage self, uint value)
returns (bool)
{
if (!self.flags[value])
return false; // not there
self.flags[value] = false;
return true;
}
function contains(Data storage self, uint value)
returns (bool)
{
return self.flags[value];
}
}
contract C {
Set.Data knownValues;
function register(uint value) {
// The library functions can be called without a
// specific instance of the library, since the
// "instance" will be the current contract.
address a;
a.send(10 wei);
if (!Set.insert(knownValues, value))
throw;
}
// In this contract, we can also directly access knownValues.flags, if we want.
}

17
test/staticanalysis/test-contracts/modifier1.sol
Unescape View File

@ -0,0 +1,17 @@
pragma solidity ^0.4.0;
contract test {
address owner;
modifier onlyOwner {
var a = 0;
if (msg.sender != owner)
throw;
_;
}
function b(address a) onlyOwner returns (bool) {
}
}

28
test/staticanalysis/test-contracts/modifier2.sol
Unescape View File

@ -0,0 +1,28 @@
pragma solidity ^0.4.0;
contract owned {
uint r=0;
modifier ntimes(uint n) {
for(uint i=0;i<n-1;i++){
_;
}
_;
}
modifier plus100 {
var bla=1;
r+=100;
_;
}
function a() ntimes(10) plus100 payable returns (uint) {
{
uint bla=5;
}
r += bla;
return r;
}
}

13
test/staticanalysis/test-contracts/notReentrant.sol
Unescape View File

@ -0,0 +1,13 @@
pragma solidity ^0.4.0;
contract Fund {
/// Mapping of ether shares of the contract.
mapping(address => uint) shares;
/// Withdraw your share.
function withdraw() {
var share = shares[msg.sender];
shares[msg.sender] = 0;
if (!msg.sender.send(share))
throw;
}
}

49
test/staticanalysis/test-contracts/reentrant.sol
Unescape View File

@ -0,0 +1,49 @@
pragma solidity ^0.4.0;
contract InfoFeed {
uint c;
function info() constant returns (uint ret) {return c;}
function call1(uint a) constant returns (bool) {return true;}
}
// THIS CONTRACT CONTAINS A BUG - DO NOT USE
contract Fund {
/// Mapping of ether shares of the contract.
//mapping(address => uint) shares;
/// Withdraw your share.
uint c = 0;
function withdraw() constant {
InfoFeed f;
//shares[msg.sender] /= 1;
f.info();
//if (msg.sender.send(shares[msg.sender])) throw;
// shares[msg.sender] = 0;
b(true, false);
//shares[msg.sender]++;
//c++;
}
mapping(address => uint) shares;
function b(bool a, bool b) returns (bool) {
mapping(address => uint) c = shares;
c[msg.sender] = 0;
//f();
//withdraw();
//shares[msg.sender]++;
//c++;
return true;
}
function f() {
c++;
withdraw();
}
}

36
test/staticanalysis/test-contracts/structReentrant.sol
Unescape View File

@ -0,0 +1,36 @@
pragma solidity ^0.4.9;
contract Ballot {
struct Voter {
uint weight;
bool voted;
uint8 vote;
address delegate;
baz foo;
}
struct baz{
uint bar;
}
mapping(address => Voter) voters;
/// Create a new ballot with $(_numProposals) different proposals.
function bla(address a) {
Voter x = voters[a];
if (!a.send(10))
throw;
//voters[a] = Voter(10,true,1,a);
//x.foo.bar *= 100;
bli(x);
}
//function bla(){}
function bli(Voter storage x) private {
x.foo.bar++;
}
}

16
test/staticanalysis/test-contracts/thisLocal.sol
Unescape View File

@ -0,0 +1,16 @@
pragma solidity ^0.4.0;
contract test {
function (){
address x;
this.b(x);
x.call('something');
x.send(1 wei);
}
function b(address a) returns (bool) {
}
}
Write Preview
Loading…
Cancel
Save