Fixed data dependencies for ReferenceVariable

[YanhuiJessica]

In an Index operation, ir.lvalue depends on ir.variable_left and ir.variable_right.

Summary by CodeRabbit

• New Features
  • Introduced a feature to check dependencies between state variables in smart contracts, enhancing the analysis of data interactions within contracts.

[coderabbitai]

Important

Auto Review Skipped

Auto reviews are disabled on base/target branches other than the default branch. Please add the base/target branch pattern to the list of additional branches to be reviewed in the settings.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository.

To trigger a single review, invoke the @coderabbitai review command.

Walkthrough

The recent update introduces a functionality for checking dependencies between state variables in a smart contract named "Index". It specifically adds an is_dependent function to assess the relationship among variables like ref, mapping_var, and msgsender. Additionally, an enhancement in the data dependency analysis logic now includes certain variables in the read list under specific conditions, improving the precision of dependency tracking.

Changes

Files	Change Summary
examples/scripts/data_dependency.*	Added is_dependent function to check dependencies between variables.
.../data_dependency/data_dependency.py	Updated to include variables in read list if conditions are met.

🐰✨

In the realm of code, where logic entwines,
A rabbit hopped in, fixing lines.
With a whisk of its tail, dependencies clear,
A smarter contract, now here to revere.
🌟📜

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository from git and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between e3dcf1e and ea3df51.

Files selected for processing (3)

• examples/scripts/data_dependency.py (1 hunks)
• examples/scripts/data_dependency.sol (1 hunks)
• slither/analyses/data_dependency/data_dependency.py (1 hunks)

Additional comments: 3

examples/scripts/data_dependency.sol (1)

• 119-127: The Index contract is correctly implemented with a public mapping and a function to update the ref variable based on the sender's address. This follows Solidity best practices for mapping usage and function visibility.

examples/scripts/data_dependency.py (1)

• 130-144: The script correctly implements functionality to check dependencies between state variables in the Index contract. It uses the is_dependent function effectively to verify dependencies between ref, mapping_var, and msg.sender. This addition follows Python best practices and is logically sound.

slither/analyses/data_dependency/data_dependency.py (1)

• 423-424: The modification to include ir.variable_right in the read list when lvalue is an instance of ReferenceVariable is correctly implemented. This change ensures that data dependencies are accurately captured, addressing the issue highlighted in the PR description.

[0xalpharush]

I think it makes sense to consider both the lefthand and righthand side as tainted for Index, but I'd prefer to to do it by modifying what is considered "read" (in the read attribute of the IR operation) as was done in an unmerged fix for this issue (5083c82). Then, we can just taint ir.read as is done for the operations and not special case it in the data dependency.

[YanhuiJessica]

if isinstance(ir, OperationWithLValue) and ir.lvalue:
    if isinstance(ir.lvalue, LocalIRVariable) and ir.lvalue.is_storage:
        continue
    if isinstance(ir.lvalue, ReferenceVariable):
        lvalue = ir.lvalue.points_to
        if lvalue:
            add_dependency(lvalue, function, ir, is_protected)
    add_dependency(ir.lvalue, function, ir, is_protected)

For an Index operation, add_dependency() will be called twice, one for ir.lvalue.points_to and one for ir.lvalue. They share ir.read. I still think it's a special case in the data dependency :)

[0xalpharush]

Sorry, I miss understood and this is a separate issue. Index does consider both ir.variable_left and ir.variable_right as read here, so I think we can accomplish the same thing by changing this code in add_dependency to the following:

    if isinstance(ir, InternalCall) and ir.function:
        read = ir.function.return_values_ssa
    else:
        read = ir.read

[YanhuiJessica]

I have simplified the condition.
We can not just use ir.read. Consider the following Index operation:

REF_1(uint256) -> mapping_var_1[msg.sender]

add_dependency(lvalue,function,ir) will be called with (ir.lvalue.points_to,function,ir) and (ir.lvalue,function,ir), i.e. (mapping_var_1,function,ir) and (REF_1,function,ir).
ir.read is mapping_var_1 and msg.sender, but mapping_var_1 should not depend on msg.sender.

[0xalpharush]

Thanks for the example as it helped me understand the changes. As I understand, previously the data dependency would not consider ref tainted by msg.sender but now it will with these changes for the following:

ref = mapping[msg.sender]

I think this makes sense, but I want to double check with @montyly considering this may be a purposeful under-approximation to prevent additional false positives in detectors that use the data dependency analysis.