codeql/python/ql/src/Statements/SideEffectInAssert.ql
Copilot 717ff62d70 Python: deprecate AstNode.getAFlowNode() and rewrite internal callers
Preparatory refactor for the shared-CFG dataflow migration.

Deprecates the AstNode.getAFlowNode() cached predicate on the public
Python QL API and rewrites all ~140 internal callers across lib/, src/,
test/, and tools/ from `expr.getAFlowNode() = cfgNode` to
`cfgNode.getNode() = expr`, using ControlFlowNode.getNode() which
already exists in Flow.qll.

The predicate itself is preserved (with a deprecation note pointing at
the new pattern) so external users do not experience churn — they can
migrate at their own pace and the AST/CFG hierarchies still get the
intended untangling once the deprecation eventually elapses.

Semantic noop verified by:
- All 361 lib/ + src/ queries compile clean.
- All 122 ControlFlow + PointsTo library-tests pass.
- All 64 dataflow library-tests pass.
- All 113 Variables/Exceptions/Expressions/Statements/Functions/Imports/
  Security/CWE-798/ModificationOfParameterWithDefault query-tests pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-22 14:55:19 +02:00

/**
 * @name An assert statement has a side-effect
 * @description Side-effects in assert statements result in differences between normal
 *              and optimized behavior.
 * @kind problem
 * @tags quality
 *       reliability
 *       correctness
 * @problem.severity error
 * @sub-severity low
 * @precision high
 * @id py/side-effect-in-assert
 */

import python
private import semmle.python.ApiGraphs

/**
 * Holds if `e` is the callee of a call whose name suggests a side effect.
 * This is a name-based heuristic: it matches attribute or bare names only
 * and does not resolve what the name actually refers to.
 */
predicate func_with_side_effects(Expr e) {
  exists(string name | name = e.(Attribute).getName() or name = e.(Name).getId() |
    name in [
        "print", "write", "append", "pop", "remove", "discard", "delete", "close", "open", "exit"
      ]
  )
}

/**
 * Holds if `e` is a call to `subprocess.call`, `subprocess.check_call` or
 * `subprocess.check_output`, resolved through the API graph.
 */
predicate call_with_side_effect(Call e) {
  // Relate the AST call to its control-flow node with `eCfg.getNode() = e`,
  // the replacement for the deprecated `e.getAFlowNode() = eCfg` pattern.
  exists(ControlFlowNode eCfg | eCfg.getNode() = e |
    eCfg =
      API::moduleImport("subprocess")
          .getMember(["call", "check_call", "check_output"])
          .getACall()
          .asCfgNode()
  )
}

/** Holds if evaluating `e` is likely to have a side effect. */
predicate probable_side_effect(Expr e) {
  // Only consider explicit yields, not artificial ones in comprehensions
  e instanceof Yield and not exists(Comp c | c.contains(e))
  or
  e instanceof YieldFrom
  or
  e instanceof Call and func_with_side_effects(e.(Call).getFunc())
  or
  e instanceof Call and call_with_side_effect(e)
}

from Assert a, Expr e
where probable_side_effect(e) and a.contains(e)
select a, "This 'assert' statement contains an $@ which may have side effects.", e, "expression"
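The query's description says side effects in `assert` statements "result in differences between normal and optimized behavior". The following is an added example, not code from the CodeQL repository: it runs a constructed sample program once normally and once under `python -O`, which compiles every `assert` statement away together with its operand. The `log.append(...)` inside the first assert is exactly what the query's name-based heuristic flags (`append` is in its list); the second assert is input validation that is dropped just as silently. The function and variable names (`withdraw_vulnerable`, `withdraw_hardened`, `run_sample`, `SAMPLE`) are this example's own.

```python
"""Added example (not from the CodeQL repository): show what py/side-effect-in-assert
is warning about by running the same constructed program normally and under
`python -O`, which compiles every `assert` statement, operand included, away."""
import json
import subprocess
import sys
import textwrap

# Constructed sample program (hypothetical, for illustration only). The
# `log.append(...)` inside the first assert is the pattern the query's
# name-based heuristic flags; the second assert is input validation that
# is also silently dropped under -O.
SAMPLE = textwrap.dedent("""
    import json

    log = []

    def withdraw_vulnerable(balance, amount):
        assert log.append(("withdraw", amount)) is None  # audit write hidden in an assert
        assert amount <= balance, "insufficient funds"   # validation hidden in an assert
        return balance - amount

    def withdraw_hardened(balance, amount):
        log.append(("withdraw", amount))   # side effect as its own statement
        if amount > balance:               # real check that survives -O
            raise ValueError("insufficient funds")
        return balance - amount

    result = {}
    for name, fn in (("vulnerable", withdraw_vulnerable), ("hardened", withdraw_hardened)):
        log.clear()
        try:
            fn(100, 500)  # overdraft attempt
            rejected = False
        except (AssertionError, ValueError):
            rejected = True
        result[name] = {"logged": len(log), "rejected": rejected}
    print(json.dumps(result))
""")


def run_sample(optimized: bool) -> dict:
    """Run SAMPLE in a child interpreter, with or without -O, and return its parsed output.

    Each entry maps a function name to {"logged": <audit entries written>,
    "rejected": <whether the overdraft was refused>}.
    """
    cmd = [sys.executable] + (["-O"] if optimized else []) + ["-c", SAMPLE]
    completed = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(completed.stdout)


def optimization_changes_behaviour(name: str) -> bool:
    """True if the sample function `name` behaves differently under -O than without it."""
    return run_sample(False)[name] != run_sample(True)[name]


if __name__ == "__main__":
    for mode, optimized in (("normal", False), ("python -O", True)):
        print(mode, run_sample(optimized))
```

Without `-O` the vulnerable function writes one audit entry and refuses the overdraft; with `-O` it writes nothing and hands out the money, because both asserts were removed before the function ever ran. The hardened function behaves identically in both modes, which is the property the query is meant to enforce: `assert` is for invariants the program is allowed to stop checking, never for side effects or for checks that must hold in production.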