
@ep0chzer0

Summary

  • Fixes --print function-summary incorrectly reporting builtins and library calls as external calls
  • Adds proper filtering to distinguish true external calls from internal/builtin/library calls
  • Applies fix consistently across Solidity, Vyper, and Yul parsers

Details

The function-summary printer was incorrectly reporting all member access expressions as external calls. This includes:

  • Solidity builtins like abi.encode, msg.sender, block.timestamp
  • Library calls like Address.sendValue, SafeMath.add
  • Struct field accesses

Root cause

The original logic was:

external_calls_as_expressions = [
    c for c in calls_as_expression if not isinstance(c.called, Identifier)
]

This only checked if the call target was an Identifier (internal call), but didn't account for MemberAccess expressions that could be builtins or library calls.

Fix

Added a helper function _is_external_call() that properly classifies calls:

  1. Identifier -> internal call (not external)
  2. MemberAccess where expression is SolidityVariable -> builtin (not external)
  3. MemberAccess where expression is a library Contract -> library call (not external)
  4. Everything else -> external call

Test plan

  • Applied to all three parsers (solc, vyper, yul)
  • Manual verification with test contracts

Fixes #2073

🤖 Generated with Claude Code
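The four classification rules from the "Fix" section, worked through as an added example that is not part of this PR or of Slither's code base: the dataclasses below are simplified stand-ins for Slither's Identifier, MemberAccess, SolidityVariable and Contract types (assumed shapes, not the real classes), and the old one-line filter is kept alongside the new helper so the difference in what gets reported as external can be compared on the same inputs.

```python
from dataclasses import dataclass


# Simplified stand-ins for the Slither expression types named in the PR.
@dataclass
class Identifier:
    name: str                    # direct call to an internal function


@dataclass
class SolidityVariable:
    name: str                    # builtin namespace such as "abi", "msg", "block"


@dataclass
class Contract:
    name: str
    is_library: bool = False     # True for "library X { ... }"


@dataclass
class MemberAccess:
    expression: object           # left of the dot
    member_name: str             # right of the dot


@dataclass
class Call:
    called: object               # Identifier or MemberAccess


def old_external_calls(calls: list) -> list:
    """The pre-fix filter: anything that is not a plain Identifier is 'external'."""
    return [c for c in calls if not isinstance(c.called, Identifier)]


def is_external_call(call: Call) -> bool:
    """Rules 1-4 from the PR: internal, builtin and library calls are not external."""
    called = call.called
    if isinstance(called, Identifier):
        return False                                    # rule 1: internal call
    if isinstance(called, MemberAccess):
        target = called.expression
        if isinstance(target, SolidityVariable):
            return False                                # rule 2: builtin, e.g. abi.encode
        if isinstance(target, Contract) and target.is_library:
            return False                                # rule 3: library, e.g. SafeMath.add
    return True                                         # rule 4: everything else


def new_external_calls(calls: list) -> list:
    """The post-fix filter the printer would use."""
    return [c for c in calls if is_external_call(c)]
```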

@ep0chzer0 ep0chzer0 requested a review from smonicas as a code owner January 16, 2026 11:21
@ep0chzer0
Author

Hello maintainers! This fixes the bug where --print function-summary incorrectly reports builtins like abi.encode and library calls as external calls. The fix follows the guidance from @0xalpharush in the issue comments. Could you please approve the CI workflows to run? Thank you!

@ep0chzer0 ep0chzer0 force-pushed the fix/external-calls-filtering branch 2 times, most recently from 9e4e5ef to 395d75b Compare January 16, 2026 13:35
Add a helpful line after the Reference URL showing how to exclude the
detector using --exclude flag. This helps users quickly suppress
specific findings without needing to look up the detector name.

Example output:
  Reference: https://github.com/crytic/slither/wiki/...#timestamp
  Use --exclude timestamp to suppress this detector.

Also updated the upgradeability checks for consistency.

Fixes crytic#1316

The dead-code detector had a bug where it tried to index a Function
object as if it were a tuple. The `all_library_calls()` method returns
LibraryCall objects, and `item.function` extracts a Function, not a
tuple of (Contract, Function).

This fix:
- Corrects the type annotation from `list[tuple[Contract, Function]]`
  to `list[Function]`
- Fixes the set comprehension to access `f.canonical_name` directly
  instead of `lib[1].canonical_name`

This ensures library functions used via `using X for Y` syntax are
properly tracked and not incorrectly reported as dead code.

Fixes crytic#1265

The function-summary printer was incorrectly reporting all member access
expressions as external calls, including:
- Solidity builtins (abi.encode, msg.sender, block.timestamp)
- Library calls (Address.sendValue, SafeMath.add)
- Struct field accesses

This fix adds a helper function `_is_external_call()` that properly
filters calls by checking:
1. If the called expression is an Identifier -> internal call
2. If it's a MemberAccess where the expression is a SolidityVariable
   -> builtin call (not external)
3. If it's a MemberAccess where the expression is a library Contract
   -> library call (not external)

The fix is applied consistently to all three parsers:
- slither/solc_parsing/cfg/node.py
- slither/vyper_parsing/cfg/node.py
- slither/solc_parsing/yul/parse_yul.py

Fixes crytic#2073
@ep0chzer0 ep0chzer0 force-pushed the fix/external-calls-filtering branch from 395d75b to 2016144 Compare January 16, 2026 23:27

Development

Successfully merging this pull request may close these issues.

[Bug]: all statements with . are reported as external calls