-
Notifications
You must be signed in to change notification settings - Fork 982
SlithIR
Slither possesses an intermediate representation, called SlithIR.
SlithIR allows:
- To simplify code analysis
- To write more precise detectors
- To support taint and value tracking
SlihtIR is an ongoing project, contact us for more information.
$ slither file.sol --printer-slithir
will output the IR for every function.
$ slither examples/printers/slihtir.sol --printer-slithir
Contract UnsafeMath
Function add(uint256,uint256)
Expression: a + b
IRs:
TMP_0(uint256) = a + b
RETURN TMP_0
Function min(uint256,uint256)
Expression: a - b
IRs:
TMP_0(uint256) = a - b
RETURN TMP_0
Contract MyContract
Function transfer(address,uint256)
Expression: balances[msg.sender] = balances[msg.sender].min(val)
IRs:
REF_3(uint256) -> balances[msg.sender]
REF_1(uint256) -> balances[msg.sender]
TMP_1(uint256) = LIBRARY_CALL, dest:UnsafeMath, function:min, arguments:['REF_1', 'val']
REF_3 := TMP_1
Expression: balances[to] = balances[to].add(val)
IRs:
REF_3(uint256) -> balances[to]
REF_1(uint256) -> balances[to]
TMP_1(uint256) = LIBRARY_CALL, dest:UnsafeMath, function:add, arguments:['REF_1', 'val']
REF_3 := TMP_1
StateVariable
LocalVariable
-
Constant
(string
orint
) SolidityVariable
TupleVariable
-
TemporaryVariable
(variables added by slithIR) -
ReferenceVariable
(variables added by slithIR, for mapping/index accesses)
In the following we use:
-
a
LVALUE
can be:StateVariable
,LocalVariable
,TemporaryVariable
,ReferenceVariable
orTupleVariable
-
a
RVALUE
can be:StateVariable
,LocalVariable
,Constant
,SolidityVariable
,TemporaryVariable
orReferenceVariable
-
All the operators inherit from
Operation
and have aread
attribute returning the list of variables read (see slither/slithir/operations/operation.py). -
All the operators writing to a
LVALUE
inherit fromOperationWithLValue
and have thelvalue
attribute (see slither/slithir/operations/lvalue.py).
LVALUE := RVALUE
LVALUE := Tuple
-
LVALUE := Function
(for dynamic function)
LVALUE = RVALUE ** RVALUE
LVALUE = RVALUE * RVALUE
LVALUE = RVALUE / RVALUE
LVALUE = RVALUE % RVALUE
LVALUE = RVALUE + RVALUE
LVALUE = RVALUE - RVALUE
LVALUE = RVALUE << RVALUE
LVALUE = RVALUE >> RVALUE
LVALUE = RVALUE & RVALUE
LVALUE = RVALUE ^ RVALUE
LVALUE = RVALUE | RVALUE
LVALUE = RVALUE < RVALUE
LVALUE = RVALUE > RVALUE
LVALUE = RVALUE <= RVALUE
LVALUE = RVALUE >= RVALUE
LVALUE = RVALUE == RVALUE
LVALUE = RVALUE != RVALUE
LVALUE = RVALUE && RVALUE
LVALUE = RVALUE -- RVALUE
LVALUE = ! RVALUE
LVALUE = ~ RVALUE
REFERENCE -> LVALUE [ RVALUE ]
Note: The reference points to the memory location
REFERENCE -> LVALUE . RVALUE
REFERENCE -> CONTRACT . RVALUE
REFERENCE -> ENUM . RVALUE
Note: The reference points to the memory location
LVALUE = NEW_ARRAY ARRAY_TYPE DEPTH(:int)
ARRAY_TYPE
is a solidity_types
DEPTH
is used for arrays of multi-dimension)
LVALUE = NEW_CONTRACT CONSTANT
LVALUE = NEW_STRUCTURE STRUCTURE
LVALUE = NEW_ELEMENTARY_TYPE ELEMENTARY_TYPE
ELEMENTARY_TYPE
is defined in slither/core/solidity_types/elementary_type.py
PUSH LVALUE RVALUE
DELETE LVALUE
CONVERT LVALUE RVALUE TYPE
TYPE is a solidity_types
LVALUE = UNPACK TUPLEVARIABLE INDEX(:int)
LVALUE = INIT_VALUES
INIT_VALUES
is a list of RVALUE
, or a list of list in case of a multi dimensions array.
In the following, ARG
is a variable as defined in SlithIR#variables
LVALUE = HIGH_LEVEL_CALL DESTINATION FUNCTION [ARG, ..]
LVALUE = LOW_LEVEL_CALL DESTINATION FUNCTION_NAME [ARG, ..]
FUNCTION_NAME
can only be call
/delegatecall
/codecall
LVALUE = SOLIDITY_CALL SOLIDITY_FUNCTION [ARG, ..]
SOLIDITY_FUNCTION
is defined in slither/core/declarations/solidity_variables.py
LVALUE = INTERNAL_CALL FUNCTION [ARG, ..]
LVALUE = INTERNAL_DYNAMIC_CALL FUNCTION_TYPE [ARG, ..]
INTERNAL_DYNAMIC_CALL
represent pointer of function.
FUNCTION_TYPE
is defined in slither/core/solidity_types/function_type.py
LVALUE = LIBRARY_CALL DESTINATION FUNCTION_NAME [ARG, ..]
LVALUE = EVENT_CALL EVENT_NAME [ARG, ..]
LVALUE = SEND DESTINATION VALUE
TRANSFER DESTINATION VALUE
Optional arguments:
-
GAS
andVALUE
forHIGH_LEVEL_CALL
/LOW_LEVEL_CALL
.
RETURN RVALUE
RETURN TUPLE
RETURN None
Return None
represents an empty return statement
CONDITION RVALUE
CONDITION
holds the condition in a conditional node.