Integrate misti static analyzer #92

anton-trunov opened this issue Aug 23, 2024 · 13 comments

@anton-trunov
Member

https://github.com/nowarp/misti

I would imagine it could be a new button on the left bar, somewhere near the Build button.

@rahulyadav-57
Member

@anton-trunov I think it would be better to display the analysis directly in the editor, similar to how ESLint works in VSCode, and also during the contract pre-build (with an option to enable it in the settings).

@anton-trunov
Member Author

Sure, that works. Just keep in mind that sometimes the analysis can take a lot of time to finish (it's not incremental), so we also need some kind of indication that Misti is working in the background.

@jubnzv
Member

jubnzv commented Sep 19, 2024

@rahulyadav-57 Two questions on this:

  1. Is there a canonical way to configure tools used in the IDE? Misti uses a configuration file to select detectors and set up some options for them. These should be accessible to the user. Maybe we need an additional UI setting element to configure this.
  2. Where is the IDE hosted? Can we install Souffle on the server?

@rahulyadav-57
Member

We can pass the configuration file without any issues, as we have a virtual file system in place. The IDE is just a static build and doesn't require any API, as everything is built and stored in the browser. Is there another option we can consider without using Souffle?

@jubnzv
Member

jubnzv commented Sep 19, 2024

> Is there another option we can consider without using Souffle?

Not really. Some of the detectors won't be available without it.

We could consider compiling Souffle to WASM as an ultimate hack, but it will be a PITA to maintain it.

@rahulyadav-57
Member

Could you check once if we can use any JavaScript alternative for Souffle?

@jubnzv
Member

jubnzv commented Sep 19, 2024

We cannot.

Misti uses specific features to leverage the Souffle Datalog variant. It should not be changed, as we use a code generator for that Datalog variant, and this logic must remain unchanged.

@rahulyadav-57
Member

@anton-trunov I won't be able to integrate it with the Web IDE due to the dependency on Souffle. The only remaining option we have is to sync the contract file for each project to the server and perform the static analysis there.

@jubnzv
Member

jubnzv commented Sep 19, 2024

Actually, we have three possible solutions for this issue:

  1. Build a wasm binary for Soufflé. It might be non-trivial, but it seems possible, as demonstrated here: https://github.com/philzook58/souffle/tree/emscripten2
  2. Run the server part that provides an API to execute Misti. From my perspective, it seems generally useful to have this in the IDE.
  3. Run a simplified version of Misti that doesn't run Soufflé-based analyses.

@anton-trunov
Member Author

We can start with the third option and then explore the first one. For instance, we cannot expect the IDE to support running Soufflé for free during programming contests (we expect at least thousands of participants) as this can be used to DDoS us. So, let's postpone the second option until we can collaborate with the devops team on this.

anton-trunov added this to the 2024 Q4 milestone Nov 21, 2024

@jubnzv
Member

jubnzv commented Nov 21, 2024

@rahulyadav-57 here is the suggested implementation on how to integrate Misti using its API:

  1. Call createMistiCommand
  2. Call runMistiCommand passing ["--output-format", "json"] among its arguments.
  3. Process the MistiResult returned after execution.

See the implementation of blueprint-misti as an example: https://github.com/nowarp/blueprint-misti/blob/143cf423fc0ffe6cd04bfe10fc4664d41eb5364a/src/executor.ts#L67.

The output format for warnings is subject to change: nowarp/misti#159.

@rahulyadav-57
Member

Thanks @jubnzv for the resources. Today, I was reviewing the codebase of misti and the blueprint-misti plugin to understand the flow and identify areas that might need adjustments to support browser compatibility.

Here are a couple of points I noticed that might need changes:

  1. File system read/write operations.
  2. The ability to pass a virtual file system (vFS) instead of directly using createNodeFileSystem.
  3. Other modules that have Node.js-specific dependencies.

I'll explore these further this week, try to run it, and share a finalized list of the required changes.

@jubnzv
Member

jubnzv commented Nov 22, 2024

Yes, we could definitely extend Misti's functionality, especially the aspects related to the virtual file system you mentioned. Please create issues in the Misti repository.
