Skip to content

Python: add new shared-CFG-backed control flow graph (additive) #21921

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
yoff wants to merge 22 commits into
base: yoff/python-flow-py-namespace
Choose a base branch
from
Draft

Python: add new shared-CFG-backed control flow graph (additive) #21921

Changes from 1 commit
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
996777d
Shared: Add local name binding library
hvitved May 27, 2026
9fd266e
Rust: More local variable tests
hvitved May 21, 2026
15cd643
Rust: Adopt shared local name resolution library
hvitved May 27, 2026
51d752b
Rust: Run codegen
hvitved May 21, 2026
a08c24a
Ruby: Add more variable tests
hvitved May 27, 2026
5c3b231
Ruby: Adopt shared local name resolution library
hvitved May 28, 2026
fd7fbd4
Apply suggestions from code review
hvitved May 29, 2026
f2bb30e
Address review comments
hvitved May 29, 2026
9053c67
Recognize more non-returning logging functions
owen-mc Jun 13, 2024
f80d9ca
Improve noretFunctions test
owen-mc May 31, 2026
024fb74
Improve glog (and klog) modelling
owen-mc May 31, 2026
db22968
Improve glog and klog tests
owen-mc Jun 1, 2026
2d6a80c
Add change note
owen-mc Jun 1, 2026
06bf40c
(Trivial) Fix QLDoc grammar
owen-mc Jun 1, 2026
87f3c92
Add missing QLDocs
owen-mc Jun 1, 2026
22cefa0
Improve test for non-returning fns
owen-mc Jun 1, 2026
8402153
Accept changed test output
owen-mc Jun 1, 2026
6bc6051
Taint doesn't flow through panicking functions
owen-mc Jun 2, 2026
e38a5a5
Model panicking log functions better
owen-mc Jun 2, 2026
91a57f7
Update tests
owen-mc Jun 2, 2026
f0cdfbd
Shared CFG: add defaulted getWhileElse/getForeachElse/getCatchType to…
nischal Jun 2, 2026
6248d3a
Python: add new shared-CFG-backed control flow graph
Copilot Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Shared CFG: add defaulted getWhileElse/getForeachElse/getCatchType to… 
… AstSig

Adds three new defaulted signature predicates to the shared CFG library:

- getWhileElse / getForeachElse: `else` block of a while/for loop, if
  any (used by Python's `while-else` / `for-else` constructs).
- getCatchType: type expression of a catch clause, if any (used by
  Python's `except SomeExpr:` where the catch type is a runtime
  expression that needs CFG evaluation).

Each predicate defaults to `none()`, so behaviour is unchanged for any
language that doesn't override it (verified by re-running
java/ql/test/library-tests/controlflow/).

The Make0 succession rules are extended:
- WhileStmt/ForeachStmt: route the loop-exit edge through the else
  block before reaching the after-position.
- CatchClause: route the matching-evaluation through the type
  expression (if present) before reaching the after-value position.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Loading branch information
@nischal @yoff
2 people authored and yoff committed Jun 18, 2026
commit f0cdfbd9f4c9601b21d2adecfd351b84ef082c97
61 changes: 58 additions & 3 deletions shared/controlflow/codeql/controlflow/ControlFlowGraph.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -211,6 +211,31 @@ signature module AstSig<LocationSig Location> {
*/
default AstNode getTryElse(TryStmt try) { none() }

/**
* Gets the `else` block of this `while` loop statement, if any.
*
* Only some languages (e.g. Python) support `while-else` constructs.
*/
default AstNode getWhileElse(WhileStmt loop) { none() }

/**
* Gets the `else` block of this `foreach` loop statement, if any.
*
* Only some languages (e.g. Python) support `for-else` constructs.
*/
default AstNode getForeachElse(ForeachStmt loop) { none() }

/**
* Gets the type expression of this catch clause, if any.
*
* In Python, the catch type is a runtime-evaluated expression
* (e.g. `except SomeException:` where `SomeException` is an
* arbitrary expression). For languages where the catch type is
* statically resolved, this defaults to `none()` and no CFG node
* is created.
*/
default Expr getCatchType(CatchClause catch) { none() }

/** A catch clause in a try statement. */
class CatchClause extends AstNode {
/** Gets the variable declared by this catch clause. */
Expand Down Expand Up @@ -1549,19 +1574,32 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
n2.isBefore(loopstmt.getBody())
or
n1.isAfterFalse(cond) and
n2.isAfter(loopstmt)
(
n2.isBefore(getWhileElse(loopstmt))
or
not exists(getWhileElse(loopstmt)) and n2.isAfter(loopstmt)
)
or
n1.isAfter(loopstmt.getBody()) and
n2.isAdditional(loopstmt, loopHeaderTag())
)
or
exists(WhileStmt whilestmt |
n1.isAfter(getWhileElse(whilestmt)) and
n2.isAfter(whilestmt)
)
or
exists(ForeachStmt foreachstmt |
n1.isBefore(foreachstmt) and
n2.isBefore(foreachstmt.getCollection())
or
n1.isAfterValue(foreachstmt.getCollection(),
any(EmptinessSuccessor t | t.getValue() = true)) and
n2.isAfter(foreachstmt)
(
n2.isBefore(getForeachElse(foreachstmt))
or
not exists(getForeachElse(foreachstmt)) and n2.isAfter(foreachstmt)
)
or
n1.isAfterValue(foreachstmt.getCollection(),
any(EmptinessSuccessor t | t.getValue() = false)) and
Expand All @@ -1574,10 +1612,17 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
n2.isAdditional(foreachstmt, loopHeaderTag())
or
n1.isAdditional(foreachstmt, loopHeaderTag()) and
n2.isAfter(foreachstmt)
(
n2.isBefore(getForeachElse(foreachstmt))
or
not exists(getForeachElse(foreachstmt)) and n2.isAfter(foreachstmt)
)
or
n1.isAdditional(foreachstmt, loopHeaderTag()) and
n2.isBefore(foreachstmt.getVariable())
or
n1.isAfter(getForeachElse(foreachstmt)) and
n2.isAfter(foreachstmt)
)
or
exists(ForStmt forstmt, PreControlFlowNode condentry |
Expand Down Expand Up @@ -1671,6 +1716,16 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
exists(CatchClause catchclause |
exists(MatchingSuccessor t |
n1.isBefore(catchclause) and
(
n2.isBefore(getCatchType(catchclause))
or
not exists(getCatchType(catchclause)) and n2.isAfterValue(catchclause, t)
) and
if Input1::catchAll(catchclause) then t.getValue() = true else any()
)
or
exists(MatchingSuccessor t |
n1.isAfter(getCatchType(catchclause)) and
n2.isAfterValue(catchclause, t) and
if Input1::catchAll(catchclause) then t.getValue() = true else any()
)
Expand Down