feat(lint): add shared analysis helpers for Solidity lints (foundry-rs#14706)

* feat(lint): add shared analysis helpers for Solidity lints

* refactor(lint): trim analysis helpers to used set and migrate consumers

* preserve original receiver_contract_id matching

* comments

---------

Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>

Author: stevencartavia

crates/lint/src/sol/analysis/interface.rs

@@ -0,0 +1,27 @@
+//! Match contract function shapes (ABI signatures, receiver contract type).
+
+use solar::sema::hir::{self, ContractId, Expr, ExprKind, ItemId, Res, TypeKind, VariableId};
+
+/// True if `id`'s elementary type matches the given ABI string.
+pub fn is_elementary(hir: &hir::Hir<'_>, id: VariableId, abi: &str) -> bool {
+    matches!(&hir.variable(id).ty.kind, TypeKind::Elementary(ty) if ty.to_abi_str() == abi)
+}
+
+/// Static contract type of a method-call receiver: a contract-typed variable
+/// or an `IFoo(addr)` interface wrap.
+pub fn receiver_contract_id(hir: &hir::Hir<'_>, recv: &Expr<'_>) -> Option<ContractId> {
+    match &recv.kind {
+        ExprKind::Ident([Res::Item(ItemId::Variable(id)), ..]) => {
+            if let TypeKind::Custom(ItemId::Contract(cid)) = hir.variable(*id).ty.kind {
+                Some(cid)
+            } else {
+                None
+            }
+        }
+        ExprKind::Call(
+            Expr { kind: ExprKind::Ident([Res::Item(ItemId::Contract(cid))]), .. },
+            ..,
+        ) => Some(*cid),
+        _ => None,
+    }
+}

crates/lint/src/sol/analysis/mod.rs

@@ -0,0 +1,11 @@
+//! Shared analysis primitives reused by Solidity lints.
+//!
+//! - [`primitives`]: HIR probes (`is_address_type`, `is_require_or_assert`,
+//!   `address_call_receiver`, `branch_always_exits`).
+//! - [`interface`]: contract/library function-shape matching (`is_elementary`,
+//!   `receiver_contract_id`).
+//!
+//! All helpers borrow HIR and never mutate it.
+
+pub mod interface;
+pub mod primitives;

crates/lint/src/sol/analysis/primitives.rs

@@ -0,0 +1,74 @@
+//! Side-effect-free syntactic/semantic probes over solar HIR.
+
+use solar::{
+    ast::LitKind,
+    interface::{Symbol, kw, sym},
+    sema::hir::{self, ElementaryType, Expr, ExprKind, Res, Stmt, StmtKind, TypeKind, VariableId},
+};
+
+/// True if `expr` references the named global builtin (`msg`, `tx`, `this`, ...).
+fn is_builtin(expr: &Expr<'_>, name: Symbol) -> bool {
+    matches!(&expr.peel_parens().kind, ExprKind::Ident(reses)
+        if reses.iter().any(|r| matches!(r, Res::Builtin(b) if b.name() == name)))
+}
+
+/// True if `vid` is typed as `address`/`address payable`.
+pub fn is_address_type(hir: &hir::Hir<'_>, vid: VariableId) -> bool {
+    matches!(hir.variable(vid).ty.kind, TypeKind::Elementary(ElementaryType::Address(_)))
+}
+
+/// True if `callee` resolves to the builtin `require` or `assert`.
+pub fn is_require_or_assert(callee: &Expr<'_>) -> bool {
+    matches!(&callee.kind, ExprKind::Ident(reses)
+        if reses.iter().any(|r| matches!(r,
+            Res::Builtin(b) if b.name() == sym::require || b.name() == sym::assert)))
+}
+
+/// Receiver of `<expr>.{call,delegatecall,transfer,send}`, including the
+/// `.call{value: x}(...)` option form.
+pub fn address_call_receiver<'a>(callee: &'a Expr<'a>) -> Option<&'a Expr<'a>> {
+    // `addr.call{...}(..)` lowers as `Call(Member(receiver, "call"), ..)`.
+    let inner = match &callee.kind {
+        ExprKind::Call(inner, ..) => inner,
+        _ => callee,
+    };
+    let target = if matches!(inner.kind, ExprKind::Member(..)) { inner } else { callee };
+    if let ExprKind::Member(receiver, name) = &target.kind {
+        let n = name.name;
+        if n == kw::Call || n == kw::Delegatecall || n == sym::transfer || n == sym::send {
+            return Some(receiver);
+        }
+    }
+    None
+}
+
+/// True when executing `stmt` provably prevents control from continuing past
+/// it: a `return`, `revert`/`revert(...)`, `require(false, ...)`,
+/// `assert(false)`, a block containing any such statement (any subsequent
+/// statements are unreachable), or an `if` whose both arms exit.
+pub fn branch_always_exits(stmt: &Stmt<'_>) -> bool {
+    match &stmt.kind {
+        StmtKind::Return(_) | StmtKind::Revert(_) => true,
+        StmtKind::Expr(expr) => is_exit_call(expr),
+        StmtKind::Block(b) | StmtKind::UncheckedBlock(b) => b.stmts.iter().any(branch_always_exits),
+        StmtKind::If(_, t, Some(e)) => branch_always_exits(t) && branch_always_exits(e),
+        _ => false,
+    }
+}
+
+fn is_exit_call(expr: &Expr<'_>) -> bool {
+    let ExprKind::Call(callee, args, _) = &expr.kind else { return false };
+    if is_builtin(callee, kw::Revert) {
+        return true;
+    }
+    if is_require_or_assert(callee)
+        && let Some(first) = args.exprs().next()
+        && matches!(
+            &first.peel_parens().kind,
+            ExprKind::Lit(lit) if matches!(lit.kind, LitKind::Bool(false))
+        )
+    {
+        return true;
+    }
+    false
+}

crates/lint/src/sol/high/unchecked_calls.rs

@@ -1,7 +1,11 @@
 use super::{UncheckedCall, UncheckedTransferERC20};
 use crate::{
     linter::{EarlyLintPass, LateLintPass, LintContext},
-    sol::{Severity, SolLint, calls::is_low_level_call},
+    sol::{
+        Severity, SolLint,
+        analysis::interface::{is_elementary, receiver_contract_id},
+        calls::is_low_level_call,
+    },
 };
 use solar::{
     ast::{Expr, ExprKind, ItemFunction, Stmt, StmtKind, visit::Visit},
@@ -52,13 +56,6 @@ impl<'hir> LateLintPass<'hir> for UncheckedTransferERC20 {
 ///
 /// Validates the method name, the params (count + types), and the returns (count + types).
 fn is_erc20_transfer_call(hir: &hir::Hir<'_>, expr: &hir::Expr<'_>) -> bool {
-    let is_type = |var_id: hir::VariableId, type_str: &str| {
-        matches!(
-            &hir.variable(var_id).ty.kind,
-            hir::TypeKind::Elementary(ty) if ty.to_abi_str() == type_str
-        )
-    };
-
     // Ensure the expression is a call to a contract member function.
     let hir::ExprKind::Call(
         hir::Expr { kind: hir::ExprKind::Member(contract_expr, func_ident), .. },
@@ -77,27 +74,7 @@ fn is_erc20_transfer_call(hir: &hir::Hir<'_>, expr: &hir::Expr<'_>) -> bool {
         _ => return false,
     };
 
-    let Some(cid) = (match &contract_expr.kind {
-        // Call to pre-instantiated contract variable
-        hir::ExprKind::Ident([hir::Res::Item(hir::ItemId::Variable(id)), ..]) => {
-            if let hir::TypeKind::Custom(hir::ItemId::Contract(cid)) = hir.variable(*id).ty.kind {
-                Some(cid)
-            } else {
-                None
-            }
-        }
-        // Call to address wrapped by the contract interface
-        hir::ExprKind::Call(
-            hir::Expr {
-                kind: hir::ExprKind::Ident([hir::Res::Item(hir::ItemId::Contract(cid))]),
-                ..
-            },
-            ..,
-        ) => Some(*cid),
-        _ => None,
-    }) else {
-        return false;
-    };
+    let Some(cid) = receiver_contract_id(hir, contract_expr) else { return false };
 
     // Try to find a function in the contract that matches the expected signature.
     hir.contract_item_ids(cid).any(|item| {
@@ -108,8 +85,16 @@ fn is_erc20_transfer_call(hir: &hir::Hir<'_>, expr: &hir::Expr<'_>) -> bool {
             && func.mutates_state()
             && func.parameters.len() == expected_params.len()
             && func.returns.len() == expected_returns.len()
-            && func.parameters.iter().zip(expected_params).all(|(id, &ty)| is_type(*id, ty))
-            && func.returns.iter().zip(expected_returns).all(|(id, &ty)| is_type(*id, ty))
+            && func
+                .parameters
+                .iter()
+                .zip(expected_params)
+                .all(|(id, &ty)| is_elementary(hir, *id, ty))
+            && func
+                .returns
+                .iter()
+                .zip(expected_returns)
+                .all(|(id, &ty)| is_elementary(hir, *id, ty))
     })
 }
 

crates/lint/src/sol/low/missing_zero_check.rs

@@ -1,12 +1,17 @@
 use super::MissingZeroCheck;
 use crate::{
     linter::{LateLintPass, LintContext},
-    sol::{Severity, SolLint},
+    sol::{
+        Severity, SolLint,
+        analysis::primitives::{
+            address_call_receiver, branch_always_exits, is_address_type, is_require_or_assert,
+        },
+    },
 };
 use solar::{
     ast,
-    interface::{data_structures::Never, kw, sym},
-    sema::hir::{self, ElementaryType, ExprKind, ItemId, Res, StmtKind, TypeKind, Visit},
+    interface::data_structures::Never,
+    sema::hir::{self, ExprKind, ItemId, Res, StmtKind, Visit},
 };
 use std::{
     collections::{HashMap, HashSet},
@@ -32,7 +37,7 @@ impl<'hir> LateLintPass<'hir> for MissingZeroCheck {
         }
 
         let params: HashSet<hir::VariableId> =
-            func.parameters.iter().copied().filter(|id| is_address(hir, *id)).collect();
+            func.parameters.iter().copied().filter(|id| is_address_type(hir, *id)).collect();
 
         if params.is_empty() {
             return;
@@ -70,10 +75,6 @@ fn is_entry_point(func: &hir::Function<'_>) -> bool {
         && matches!(func.visibility, ast::Visibility::Public | ast::Visibility::External)
 }
 
-fn is_address(hir: &hir::Hir<'_>, id: hir::VariableId) -> bool {
-    matches!(hir.variable(id).ty.kind, TypeKind::Elementary(ElementaryType::Address(_)))
-}
-
 /// Tracks address-parameter taint, sinks reached, and guards observed in a function body.
 struct Analyzer<'hir> {
     hir: &'hir hir::Hir<'hir>,
@@ -248,7 +249,7 @@ impl<'hir> Visit<'hir> for Analyzer<'hir> {
             StmtKind::DeclSingle(var_id) => {
                 let v = self.hir.variable(var_id);
                 if let Some(init) = v.initializer
-                    && is_address(self.hir, var_id)
+                    && is_address_type(self.hir, var_id)
                 {
                     let srcs = self.taint_sources(init);
                     if !srcs.is_empty() {
@@ -299,7 +300,7 @@ impl<'hir> Visit<'hir> for Analyzer<'hir> {
                 }
                 // Taint propagation: assignment to an address local.
                 if let Some(local) = lhs_local_var(self.hir, lhs)
-                    && is_address(self.hir, local)
+                    && is_address_type(self.hir, local)
                 {
                     let srcs = self.taint_sources(rhs);
                     if !srcs.is_empty() {
@@ -334,60 +335,14 @@ impl<'hir> Visit<'hir> for Analyzer<'hir> {
     }
 }
 
-fn is_require_or_assert(callee: &hir::Expr<'_>) -> bool {
-    if let ExprKind::Ident(reses) = &callee.kind {
-        return reses.iter().any(|r| {
-            if let Res::Builtin(b) = r {
-                let n = b.name();
-                n == sym::require || n == sym::assert
-            } else {
-                false
-            }
-        });
-    }
-    false
-}
-
-/// If `callee` is `<receiver>.{call,delegatecall,transfer,send}` (with or without
-/// call options), returns the `<receiver>` expression.
-fn address_call_receiver<'hir>(callee: &'hir hir::Expr<'hir>) -> Option<&'hir hir::Expr<'hir>> {
-    // `addr.call{value: x}(..)` lowers as `Call(Member(receiver, "call"), ..)` — peel an
-    // outer call layer so the inner Member is reachable.
-    let inner = match &callee.kind {
-        ExprKind::Call(inner, ..) => inner,
-        _ => callee,
-    };
-    let target = if matches!(inner.kind, ExprKind::Member(..)) { inner } else { callee };
-    if let ExprKind::Member(receiver, name) = &target.kind {
-        let n = name.name;
-        if n == kw::Call || n == kw::Delegatecall || n == sym::transfer || n == sym::send {
-            return Some(receiver);
-        }
-    }
-    None
-}
-
-fn branch_always_exits(stmt: &hir::Stmt<'_>) -> bool {
-    match &stmt.kind {
-        StmtKind::Return(_) | StmtKind::Revert(_) => true,
-        StmtKind::Block(block) | StmtKind::UncheckedBlock(block) => {
-            block.stmts.last().is_some_and(branch_always_exits)
-        }
-        StmtKind::If(_, t, Some(e)) => branch_always_exits(t) && branch_always_exits(e),
-        _ => false,
-    }
-}
-
 fn is_address_state_var_lhs(hir: &hir::Hir<'_>, lhs: &hir::Expr<'_>) -> bool {
     if let ExprKind::Ident(reses) = &lhs.kind {
         for res in *reses {
-            if let Res::Item(ItemId::Variable(vid)) = res {
-                let v = hir.variable(*vid);
-                if v.kind.is_state()
-                    && matches!(v.ty.kind, TypeKind::Elementary(ElementaryType::Address(_)))
-                {
-                    return true;
-                }
+            if let Res::Item(ItemId::Variable(vid)) = res
+                && hir.variable(*vid).kind.is_state()
+                && is_address_type(hir, *vid)
+            {
+                return true;
             }
         }
     }

crates/lint/src/sol/med/incorrect_erc20_interface.rs

@@ -1,7 +1,7 @@
 use super::IncorrectERC20Interface;
 use crate::{
     linter::{LateLintPass, LintContext},
-    sol::{Severity, SolLint},
+    sol::{Severity, SolLint, analysis::interface::is_elementary},
 };
 use solar::sema::hir;
 
@@ -68,21 +68,12 @@ fn has_incorrect_erc20_signature(
     parameters: &[hir::VariableId],
     returns: &[hir::VariableId],
 ) -> bool {
-    let is_type = |var_id: hir::VariableId, type_str: &str| {
-        matches!(
-            &hir.variable(var_id).ty.kind,
-            hir::TypeKind::Elementary(ty) if ty.to_abi_str() == type_str
-        )
-    };
-
-    let params_match = |params: &[hir::VariableId], expected: &[&str]| -> bool {
-        params.len() == expected.len()
-            && params.iter().zip(expected).all(|(&id, &ty)| is_type(id, ty))
-    };
-
-    let returns_match = |rets: &[hir::VariableId], expected: &[&str]| -> bool {
-        rets.len() == expected.len() && rets.iter().zip(expected).all(|(&id, &ty)| is_type(id, ty))
+    let sig_match = |vars: &[hir::VariableId], expected: &[&str]| -> bool {
+        vars.len() == expected.len()
+            && vars.iter().zip(expected).all(|(&id, &ty)| is_elementary(hir, id, ty))
     };
+    let params_match = sig_match;
+    let returns_match = sig_match;
 
     match name {
         // function transfer(address,uint256) external returns (bool)

crates/lint/src/sol/med/incorrect_erc721_interface.rs

@@ -1,7 +1,7 @@
 use super::IncorrectERC721Interface;
 use crate::{
     linter::{LateLintPass, LintContext},
-    sol::{Severity, SolLint},
+    sol::{Severity, SolLint, analysis::interface::is_elementary},
 };
 use solar::sema::hir;
 
@@ -57,21 +57,12 @@ fn has_incorrect_erc721_signature(
     parameters: &[hir::VariableId],
     returns: &[hir::VariableId],
 ) -> bool {
-    let is_type = |var_id: hir::VariableId, type_str: &str| {
-        matches!(
-            &hir.variable(var_id).ty.kind,
-            hir::TypeKind::Elementary(ty) if ty.to_abi_str() == type_str
-        )
-    };
-
-    let params_match = |params: &[hir::VariableId], expected: &[&str]| -> bool {
-        params.len() == expected.len()
-            && params.iter().zip(expected).all(|(&id, &ty)| is_type(id, ty))
-    };
-
-    let returns_match = |rets: &[hir::VariableId], expected: &[&str]| -> bool {
-        rets.len() == expected.len() && rets.iter().zip(expected).all(|(&id, &ty)| is_type(id, ty))
+    let sig_match = |vars: &[hir::VariableId], expected: &[&str]| -> bool {
+        vars.len() == expected.len()
+            && vars.iter().zip(expected).all(|(&id, &ty)| is_elementary(hir, id, ty))
     };
+    let params_match = sig_match;
+    let returns_match = sig_match;
 
     match name {
         // function balanceOf(address) external view returns (uint256)

crates/lint/src/sol/mod.rs

@@ -37,6 +37,7 @@ use thiserror::Error;
 #[macro_use]
 pub mod macros;
 
+pub mod analysis;
 mod calls;
 pub mod codesize;
 pub mod gas;