fix(cellUnderflow): Dataflow processing of intermediate variables

nowarp · Nov 17, 2024 · 54a35d1 · 54a35d1
1 parent 083f5e8
commit 54a35d1
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 11 deletions.
diff --git a/src/detectors/builtin/cellUnderflow.ts b/src/detectors/builtin/cellUnderflow.ts
@@ -233,16 +233,13 @@ class CellUnderflowTransfer implements Transfer<CellUnderflowState> {
   /**
    * Processes the given statement, mutating `outState`.
    */
-  private processStatement(
-    outState: CellUnderflowState,
-    stmt: AstStatement,
-  ): void {
+  private processStatement(out: CellUnderflowState, stmt: AstStatement): void {
     if (stmt.kind === "statement_let") {
-      this.processLet(outState, stmt);
+      this.processLet(out, stmt);
     } else if (stmt.kind === "statement_assign") {
-      this.processAssignment(outState, stmt);
+      this.processAssignment(out, stmt);
     } else {
-      this.processIntermediateCalls(outState, stmt);
+      this.processIntermediateCalls(out, stmt);
     }
   }
 
@@ -656,18 +653,16 @@ class CellUnderflowTransfer implements Transfer<CellUnderflowState> {
     out: CellUnderflowState,
     stmt: AstStatement,
   ): void {
-    const visited: Set<AstNode["id"]> = new Set();
     forEachExpression(stmt, (expr) => {
       const callsChain = getMethodCallsChain(expr);
       if (callsChain === undefined) return;
 
       // Check if these calls were previously processed
       let hasUnvisited = false;
       callsChain.calls.forEach((c) => {
-        if (!visited.has(c.id)) {
+        if (!this.processedCalls.has(c.id)) {
           hasUnvisited = true;
         }
-        visited.add(c.id);
       });
       if (!hasUnvisited) return;
 

diff --git a/test/detectors/CellUnderflow.expected.out b/test/detectors/CellUnderflow.expected.out
@@ -13,7 +13,17 @@ test/detectors/CellUnderflow.tact:4:9:
   3 |     let ref1 = s1.loadRef(); // OK
 > 4 |     let ref2 = s1.loadRef(); // Bad: Cell Underflow
               ^
-  5 | }
+  5 | 
 The possible number of references stored (1) is less than loaded (2)
 Help: Remove extra .loadRef operations or store more refs first
+See: https://nowarp.io/tools/misti/docs/detectors/CellUnderflow
+
+[CRITICAL] CellUnderflow: Reference count might go below 0
+test/detectors/CellUnderflow.tact:7:5:
+  6 |     // Bad: Cell Underflow
+> 7 |     beginCell()
+          ^
+  8 |         .endCell()
+The possible number of references stored (0) is less than loaded (1)
+Help: Remove extra .loadRef operations or store more refs first
 See: https://nowarp.io/tools/misti/docs/detectors/CellUnderflow
diff --git a/test/detectors/CellUnderflow.tact b/test/detectors/CellUnderflow.tact
@@ -2,4 +2,10 @@ fun refs_num_bad(c: Cell) {
     let s1 = beginCell().storeRef(c).endCell().asSlice();
     let ref1 = s1.loadRef(); // OK
     let ref2 = s1.loadRef(); // Bad: Cell Underflow
+
+    // Bad: Cell Underflow
+    beginCell()
+        .endCell()
+        .asSlice()
+        .loadRef();
 }