C++/Python: Better syntax for false positives and negatives in inline expectations#4571
Conversation
…now $ tag1,tag2=value MISSING: tag3=value3 SPURIOUS: tag4=value4.
geoffw0
left a comment
There was a problem hiding this comment.
👍 from me.
There's a failing test:
FAILED: /home/runner/work/semmle-code/semmle-code/ql/cpp/ql/test/library-tests/ir/points_to/points_to.ql
and as noted in the meeting today you need to mirror the changes in python/ql/test/TestUtilities/InlineExpectationsTest.qll (and update any affected test files)
Yep, I've not yet updated the Python tests, nor the IR tests. I'll run the sync and update the Python version when the |
|
Turns out there's a problem parsing the following expectation comment in Python: this worked previously because each expectation annotation was separated with a meant that we expected Previously we did this by splitting the string on occurrences of
I'm personally in favor of doing option 1 and just see how well it performs. Any thoughts? |
|
Option 1 sounds good to me. Anything that can be mostly contained within the regex engine should perform well. |
Done in ee77e98. |
78b96b7 to
0fa3aff
Compare
0fa3aff to
45b24a9
Compare
…ves-inline-expectation
|
Oh, you Python people are really pushing the inline expectation tests with tests like: responseBody='<img src="0" onerror="alert(1)">'(don't get me wrong, I love how you push the syntax forward!). I guess another round of syntax relaxations are in order: Both double quotes ( Edit: Done in 870ed00. |
… single-quote strings to support the existing Python use-cases, but let's do that in the next commit.
…n quotes if the value contains a space.
jbj
left a comment
There was a problem hiding this comment.
Excellent! Thanks for pushing through on this, Mathias.
I'll merge this PR tomorrow morning unless anyone (@github/codeql-python) objects.
|
Also cc @calumgrant, who is missing from https://github.com/orgs/github/teams/codeql-python. |
|
We also have this:
where |
And that has been updated correctly in this PR, right? https://github.com/github/codeql/pull/4571/files#diff-e193c8f3abbe30c8120fb21c82420636aa5aa0e001c2ee246eace1f575429ac1R24-R25 |
…alse-positives-and-negatives-inline-expectation Required fixing up semantic conflicts in tests. Conflicts: python/ql/test/experimental/library-tests/frameworks/stdlib/Decoding.py
Yes, if we can write it like that, that seems fine. I guess it is up to the implementations of |
yoff
left a comment
There was a problem hiding this comment.
LGTM
(basically, I am happy if the tests pass, I do not think the annotation have been mangled here.)
I'm not sure the quote handling is exactly what we want it to be in the long run, but at least the test annotations we have now look good. |
|
Sorry for being late to the party. Blame me for using the string contents as the value for the tag @MathiasVP 😬 it seemed like a neat solution, and would avoid us rewriting test-code to be more verbose such as -foo("bar") # $fooarg="bar"
+s = "bar"
+foo(s) # $fooarg=sWhen I encountered the first string that had a space in it I nervously ran the test, but it all worked, so I moved happily on my way without considering if I had done something terrible 😅
Good luck handling |
Fixes https://github.com/github/codeql-c-analysis-team/issues/75.
The syntax for annotating inline expectations is now:
// $ tag1,tag2=x MISSING: tag3=y SPURIOUS: tag4=zAny of the "columns" in the comment can be left out, so we don't have to yell all the time:
// $ tag1,tag2=xI had to replace some of the regex capture-group techniques with manual parsing as my regex skills didn't manage to do optional regex capture groups (Is that even possible?).
Commit 4be02a9 shows the new syntax in the C++ field-flow tests. If we like what that looks like I'll update the remaining tests.
(I assume Actions will complain a lot about the remaining test diffs until then)
By request from @dbartol, we should wait with merging this until #4432 is merged.