nujan-io / nujan-ide

Web IDE, powered by Nujan, is your ultimate browser-based IDE designed to simplify the journey of writing, testing, compiling, deploying, and interacting with smart contracts on TON. Write smart contracts from anywhere. No setups, no downloads, just pure convenience and versatility.
https://ide.nujan.io

Integrate misti static analyzer #92

Open anton-trunov opened 1 month ago

anton-trunov commented 1 month ago

https://github.com/nowarp/misti

I would imagine it could be a new button on the left bar, somewhere near the Build button.

rahulyadav-57 commented 1 month ago

@anton-trunov I think it would be better to display the analysis directly in the editor, similar to how ESLint works in VSCode, and also during the contract pre-build (with an option to enable it in the settings).

anton-trunov commented 1 month ago

Sure, that works. Just keep in mind that sometimes the analysis can take a lot of time to finish (it's not incremental), so we also need some kind of indication that Misti is working in the background.

jubnzv commented 1 week ago

@rahulyadav-57 Two questions on this:

  1. Is there a canonical way to configure tools used in the IDE? Misti uses a configuration file to select detectors and set up some options for them. These should be accessible to the user. Maybe we need an additional UI setting element to configure this.
  2. Where is the IDE hosted? Can we install Souffle on the server?

rahulyadav-57 commented 1 week ago

We can pass the configuration file without any issues, as we have a virtual file system in place. The IDE is just a static build and doesn't require any API, as everything is built and stored in the browser. Is there another option we can consider without using Souffle?

jubnzv commented 1 week ago

> Is there another option we can consider without using Souffle?

Not really. Some of the detectors won't be available without it.

We could consider compiling Souffle to WASM as an ultimate hack, but it will be a PITA to maintain it.

rahulyadav-57 commented 1 week ago

Could you check once whether we can use any JavaScript alternative for Souffle?

jubnzv commented 1 week ago

We cannot.

Misti uses specific features to leverage the Souffle Datalog variant. It should not be changed, as we use a code generator for that Datalog variant, and this logic must remain unchanged.

rahulyadav-57 commented 1 week ago

@anton-trunov I won't be able to integrate it with the Web IDE due to the dependency on Souffle. The only remaining option we have is to sync the contract file for each project to the server and perform the static analysis there.

jubnzv commented 1 week ago

Actually, we have three possible solutions for this issue:

  1. Build a wasm binary for Soufflé. It might be non-trivial, but it seems possible, as demonstrated here: https://github.com/philzook58/souffle/tree/emscripten2
  2. Run the server part that provides an API to execute Misti. From my perspective, it seems generally useful to have this in the IDE.
  3. Run a simplified version of Misti that doesn't run Soufflé-based analyses.

anton-trunov commented 1 week ago

We can start with the third option and then explore the first one. For instance, we cannot expect the IDE to support running Soufflé for free during programming contests (we expect at least thousands of participants) as this can be used to DDoS us. So, let's postpone the second option until we can collaborate with the devops team on this.