Refactored event order checker with the new custom policy mechanism

merendamattia · merendamattia · commit 06fd3d0ef298 · 2025-10-14T17:13:28.000+02:00
diff --git a/src/main/java/it/unipr/crosschain/xEVMLiSA.java b/src/main/java/it/unipr/crosschain/xEVMLiSA.java
@@ -263,7 +263,7 @@ public static void runCrossChainCheckers(Bridge bridge) {
 		List<Future<?>> futures = new ArrayList<>();
 		for (SmartContract contract : bridge) {
 			futures.add(
-					EVMLiSAExecutor.submit(xEVMLiSA.class, () -> runEventOrderChecker(bridge, contract)));
+					EVMLiSAExecutor.submit(xEVMLiSA.class, () -> runEventOrderChecker(contract, bridge.getPolicy())));
 			futures.add(
 					EVMLiSAExecutor.submit(xEVMLiSA.class,
 							() -> runMissingEventNotificationChecker(contract, bridge.getPolicy())));
@@ -354,15 +354,14 @@ public static void runAccessControlIncompleteness(SmartContract contract) {
 	/**
 	 * Executes the Event Order Checker on a single contract. For each public
 	 * function: (i) Follow only successful return paths (STOP for void, RETURN
-	 * otherwise). (ii) Collect any SSTORE and LOG instructions on that path.
-	 * (iii) If LOGs occur without a preceding SSTORE, flag an event-order
-	 * issue. (iv) Classify as definite if across a cross‑chain edge, else
-	 * possible.
+	 * otherwise). (ii) Collect any SSTORE and events emission instructions on
+	 * that path. (iii) If events occur without a preceding SSTORE, flag an
+	 * event-order warning.
 	 *
-	 * @param bridge   the Bridge providing the cross-chain CFG context
 	 * @param contract the specific SmartContract to analyze
+	 * @param policy   the CustomPolicy used for cross-chain links
 	 */
-	public static void runEventOrderChecker(Bridge bridge, SmartContract contract) {
+	public static void runEventOrderChecker(SmartContract contract, CustomPolicy policy) {
 		log.info("[IN] Running event order checker on {}.", contract.getName());
 
 		EVMCFG cfg = contract.getCFG();
@@ -396,55 +395,51 @@ public static void runEventOrderChecker(Bridge bridge, SmartContract contract) {
 							&& exitpoint instanceof Return)
 						continue;
 
-					/* We take only the state updates inside the function */
-					Set<Statement> sstores = cfg.getStatementsInAPathWithTypes(entrypoint, exitpoint,
-							Set.of(Sstore.class));
-					/* We take only the log instructions inside the function */
-					Set<Statement> logs = cfg.getStatementsInAPathWithTypes(entrypoint, exitpoint,
-							Set.of(Log1.class, Log2.class, Log3.class, Log4.class));
-
-					/*
-					 * If there is no state update but at least a LOG
-					 * instruction, a (possible) warning is raised
-					 */
-					if (sstores.isEmpty() && !logs.isEmpty()) {
-						for (Statement emitEvent : logs) {
-							ProgramCounterLocation entrypointLocation = (ProgramCounterLocation) entrypoint
-									.getLocation();
-							ProgramCounterLocation emitEventLocation = (ProgramCounterLocation) emitEvent.getLocation();
+					Set<String> eventsPolicy = policy.getEventsForFunction(function.getName());
+					Set<Signature> eventsContract = contract.getEventsSignature();
+					Set<Statement> eventsExitpoints = new HashSet<>();
 
-							if (bridge.getXCFG().hasAtLeastOneCrossChainEdge(emitEvent)) {
-								String warn = "[DEFINITE] Event Order vulnerability at " + emitEventLocation.getPc();
+					for (String eventPolicy : eventsPolicy) {
+						for (Signature eventContract : eventsContract) {
+							if (!eventPolicy.equalsIgnoreCase(eventContract.getName()))
+								continue;
+							eventsExitpoints.addAll(eventContract.getExitPoints());
+						}
+					}
 
-								log.warn(
-										"[DEFINITE] Event Order vulnerability at pc {} (line {}) coming from pc {} (line {}).",
-										emitEventLocation.getPc(),
-										emitEventLocation.getSourceCodeLine(),
-										entrypointLocation.getPc(),
-										entrypointLocation.getSourceCodeLine());
+					/* Skip if we have no event exitpoints */
+					if (eventsExitpoints.isEmpty())
+						continue;
 
-								MyCache.getInstance().addEventOrderWarning(cfg.hashCode(), warn);
+					/* We take only state updates inside the function */
+					Set<Statement> sstores = cfg.getStatementsInAPathWithTypes(entrypoint, exitpoint, Sstore.class);
 
-								warn = "[DEFINITE] Event Order vulnerability in " + contract.getName() + " at "
-										+ function.getFullSignature()
-										+ " (pc: " + emitEventLocation.getPc() + ", "
-										+ "line: " + emitEventLocation.getSourceCodeLine() + ")";
-								MyCache.getInstance().addVulnerabilityPerFunction(cfg.hashCode(), warn);
+					for (Statement emitEvent : eventsExitpoints) {
+						if (cfg.reachableFromWithoutStatements(entrypoint, emitEvent, sstores)) {
 
-							} else {
-								String warn = "[POSSIBLE] Event Order vulnerability at " + emitEventLocation.getPc();
+							ProgramCounterLocation entrypointLocation = (ProgramCounterLocation) entrypoint
+									.getLocation();
+							ProgramCounterLocation emitEventLocation = (ProgramCounterLocation) emitEvent.getLocation();
 
-								log.warn(
-										"[POSSIBLE] Event Order vulnerability at pc {} (line {}) coming from pc {} (line {}).",
-										emitEventLocation.getPc(),
-										emitEventLocation.getSourceCodeLine(),
-										entrypointLocation.getPc(),
-										entrypointLocation.getSourceCodeLine());
+							String warn = "Event Order warning at " + emitEventLocation.getPc();
 
-								MyCache.getInstance().addPossibleEventOrderWarning(cfg.hashCode(), warn);
-							}
+							log.warn(
+									"Event Order warning at pc {} (line {}) coming from pc {} (line {}).",
+									emitEventLocation.getPc(),
+									emitEventLocation.getSourceCodeLine(),
+									entrypointLocation.getPc(),
+									entrypointLocation.getSourceCodeLine());
+
+							MyCache.getInstance().addEventOrderWarning(cfg.hashCode(), warn);
+
+							warn = "Event Order warning in " + contract.getName() + " at "
+									+ function.getFullSignature()
+									+ " (pc: " + emitEventLocation.getPc() + ", "
+									+ "line: " + emitEventLocation.getSourceCodeLine() + ")";
+							MyCache.getInstance().addVulnerabilityPerFunction(cfg.hashCode(), warn);
 						}
 					}
+
 				}
 			}
 		}
@@ -464,6 +459,7 @@ public static void runEventOrderChecker(Bridge bridge, SmartContract contract) {
 	 * missing notifications as vulnerabilities.
 	 *
 	 * @param contract the SmartContract to analyze for missing event logs
+	 * @param policy   the CustomPolicy used for cross-chain links
 	 */
 	public static void runMissingEventNotificationChecker(SmartContract contract, CustomPolicy policy) {
 		log.info("[IN] Running missing event notification checker on {}.", contract.getName());
diff --git a/src/test/java/it/unipr/analysis/cron/SmartaxeBenchmark.java b/src/test/java/it/unipr/analysis/cron/SmartaxeBenchmark.java
@@ -116,7 +116,7 @@ private void runBenchmark() {
 		for (Bridge bridge : bridges)
 			for (SmartContract contract : bridge) {
 				futures.add(EVMLiSAExecutor.submit(SmartaxeBenchmark.class,
-						() -> xEVMLiSA.runEventOrderChecker(bridge, contract)));
+						() -> xEVMLiSA.runEventOrderChecker(contract, bridge.getPolicy())));
 				futures.add(EVMLiSAExecutor.submit(SmartaxeBenchmark.class,
 						() -> xEVMLiSA.runAccessControlIncompleteness(contract)));
 				futures.add(EVMLiSAExecutor.submit(SmartaxeBenchmark.class,
