I am trying to build my analysis on top of vandal but I am very confused about the naming convention for the flow in function calls.
Here is my toy example:
```solidity
contract SymVars {
    // Caller: the locals a and number should flow into inc's k and v
    function addTo(uint number) returns (uint) {
        var a = 1;
        var c = inc(a, number);
        return c;
    }

    // Callee: k and v are the formal parameters whose origin is in question
    function inc(uint k, uint v) returns (uint) {
        return (k + v + 100);
    }
}
```
Technically, there should be flows a->k and number->v. However, the flows seem to be broken in the IR unless you are using some implicit naming convention. I am only listing the relevant IRs:
```
0xdd: JUMPDEST
0xde: V62 = 0x0
0xe1: V63 = 0x0
0xe3: V64 = 0x1
0xe7: V65 = 0xf3
0xeb: V66 = 0xff
0xed: V67 = AND 0xff 0x1
0xef: V68 = 0xff
0xf2: JUMP 0xff

0xff: JUMPDEST
0x100: V69 = 0x0
0x102: V70 = 0x64
0x106: V71 = ADD S1 S0
0x107: V72 = ADD V71 0x64
0x10e: JUMP {0xc7, 0xf3}
```
Here, it seems that you implicitly use S0 and S1 to represent the formal parameters of the caller (i.e., inc), but where do they come from? If I directly perform data flow analysis on the IRs generated by vandal, the results will be unsound. Could you please clarify?
Thanks,
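As an added illustration (not Vandal's code and not part of the issue author's post), the following Python snippet runs a small def-use check over the TAC excerpt quoted above. It parses each `pc: Vn = OP operands` line, records which variables are defined and which are used, and reports the operands that are used without any definition in the listed blocks. That set is exactly the S0/S1 gap the question describes: any analysis that treats these as ordinary defined values, rather than as inputs arriving from outside the block, loses the a->k and number->v edges. The excerpt text is embedded inline; the code assumes nothing about what the S prefix means beyond "used here, never defined here".

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# The two TAC blocks quoted in the issue, embedded inline so the check runs offline.
TAC_EXCERPT = """\
0xdd: JUMPDEST
0xde: V62 = 0x0
0xe1: V63 = 0x0
0xe3: V64 = 0x1
0xe7: V65 = 0xf3
0xeb: V66 = 0xff
0xed: V67 = AND 0xff 0x1
0xef: V68 = 0xff
0xf2: JUMP 0xff
0xff: JUMPDEST
0x100: V69 = 0x0
0x102: V70 = 0x64
0x106: V71 = ADD S1 S0
0x107: V72 = ADD V71 0x64
0x10e: JUMP {0xc7, 0xf3}
"""

# "<pc>: [<def> =] <rhs>"; the def part is absent for JUMPDEST / JUMP lines.
LINE_RE = re.compile(r"^(0x[0-9a-f]+):\s+(?:(\w+)\s*=\s*)?(.*)$")
# Operands that are IR variables: V-prefixed (defined by an instruction) or S-prefixed.
VAR_RE = re.compile(r"\b([VS]\d+)\b")

Insn = Tuple[str, Optional[str], List[str]]  # (pc, defined variable or None, used variables)


def parse_tac(text: str) -> List[Insn]:
    """Turn the one-instruction-per-line TAC listing into (pc, def, uses) triples."""
    insns: List[Insn] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised TAC line: {line!r}")
        pc, defined, rhs = m.groups()
        insns.append((pc, defined, VAR_RE.findall(rhs)))
    return insns


def free_inputs(insns: List[Insn]) -> Set[str]:
    """Variables that are used somewhere but defined nowhere in the listing."""
    defined = {d for _, d, _ in insns if d}
    used = {u for _, _, uses in insns for u in uses}
    return used - defined


def free_inputs_of(insns: List[Insn], var: str) -> Set[str]:
    """Walk def-use chains backwards from `var`; collect the free inputs it depends on."""
    defs: Dict[str, List[str]] = {d: uses for _, d, uses in insns if d}
    free: Set[str] = set()
    seen: Set[str] = set()
    worklist = [var]
    while worklist:
        v = worklist.pop()
        if v in seen:
            continue
        seen.add(v)
        if v in defs:
            worklist.extend(defs[v])  # keep tracing through defined values
        else:
            free.add(v)               # no definition here: an input from outside the block
    return free


if __name__ == "__main__":
    program = parse_tac(TAC_EXCERPT)
    print("used but never defined in the excerpt:", sorted(free_inputs(program)))
    print("what V72 (the return value of inc) depends on:", sorted(free_inputs_of(program, "V72")))
```

Running it on the excerpt reports `['S0', 'S1']` both as the listing's undefined operands and as the only inputs the return value V72 depends on, while V67 (computed purely from constants) depends on nothing. A data-flow pass built on this IR therefore needs an explicit rule linking those S-operands to the values the caller left on the stack; until that link is supplied, the a->k and number->v edges are simply not present in the graph.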