
Python: hotfix - disable instanceFieldStep to avoid type-tracker blowup #22092

Merged
tausbn merged 1 commit into codeql-cli-2.26.0 from tausbn/python-hotfix-disable-instance-field-step on Jun 30, 2026

@tausbn tausbn commented Jun 30, 2026

Contributor

The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall` that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is itself a type-tracker -- inside `levelStepCall`. That creates a structural mutual recursion between the main type-tracker fixpoint and `classInstanceTracker`, causing the type-tracker delta to blow up to ~100M tuples per iteration on some OOP-heavy Python codebases. Verified on the python/mypy database: SSRF query wall time goes from ~12s before the offending commit to >40 minutes after it.

This hotfix temporarily drops the `instanceFieldStep` disjunct and keeps only `inheritedFieldStep`, which does not pull on the call graph and is well-behaved (verified at ~12s on mypy). The `instanceFieldStep` helper predicate itself is kept in place, and the `levelStepCall` body has a commented-out call to it so the change is trivial to re-enable once the recursion issue is properly addressed. (Edit: actually, it's now commented out by adding `and none()` because otherwise we got compiler errors due to the unused predicate warning.)

The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall`
that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is
itself a type-tracker -- inside `levelStepCall`. That creates a
structural mutual recursion between the main type-tracker fixpoint and
`classInstanceTracker`, causing the type-tracker delta to blow up to
~100M tuples per iteration on some OOP-heavy Python codebases.
Verified on the python/mypy database: SSRF query wall time goes from
~12s before the offending commit to >40 minutes after it.

This hotfix temporarily drops the `instanceFieldStep` disjunct and
keeps only `inheritedFieldStep`, which does not pull on the call
graph and is well-behaved (verified at ~12s on mypy). The
`instanceFieldStep` helper predicate itself is kept in place, and
the `levelStepCall` body has a commented-out call to it so the
change is trivial to re-enable once the recursion issue is properly
addressed.
@tausbn tausbn force-pushed the tausbn/python-hotfix-disable-instance-field-step branch from 9a2eb34 to f251a57 Compare June 30, 2026 14:52
@tausbn tausbn marked this pull request as ready for review June 30, 2026 15:51
@tausbn tausbn requested a review from a team as a code owner June 30, 2026 15:51
Copilot AI review requested due to automatic review settings June 30, 2026 15:52

Copilot AI left a comment

Contributor

Pull request overview

This PR applies a performance hotfix to Python type-tracking by temporarily disabling the instanceFieldStep disjunct inside TypeTrackingInput::levelStepCall to avoid a mutual-recursion blowup in type-tracker fixpoint evaluation.

Changes:

  • Disabled instanceFieldStep within TypeTrackingInput::levelStepCall (while leaving the helper predicate in place) to prevent catastrophic type-tracker delta growth.
  • Updated affected Python security and library tests to reflect the temporary analysis regression.
  • Added a Python pack change note documenting the hotfix and its motivation.

| File | Description |
| --- | --- |
| `python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll` | Temporarily disables instanceFieldStep from levelStepCall with an in-code hotfix note. |
| `python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py` | Adjusts inline expectations for instance-attribute tracking behavior impacted by the hotfix. |
| `python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py` | Marks the now-missed SQL injection source/alert annotations for /unsafe3/ as expected missing. |
| `python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected` | Updates expected results/paths to reflect the removed /unsafe3/ finding. |
| `python/ql/lib/change-notes/2026-06-30-disable-instance-field-step-hotfix.md` | Documents the hotfix in change notes. |

Review details

  • Files reviewed: 5/5 changed files
  • Comments generated: 1
  • Review effort level: Low

category: minorAnalysis
---

- Temporarily disabled the `instanceFieldStep` disjunct of the internal `TypeTrackingInput::levelStepCall` predicate, which was introduced in 7.2.0 and caused catastrophic query slowdowns on some OOP-heavy Python codebases (e.g. `mypy` and `dask`).
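
Review bot: the change note bullet gives only the performance motivation and does not say that results can be lost while the disjunct is disabled. The per-file summary for this PR lists updated test expectations, including the `/unsafe3/` SQL injection finding now marked as expected missing, so a user who sees an alert disappear after upgrading has nothing that connects it to this entry. Suggest adding a sentence to the bullet stating that some flows through instance attributes are temporarily not tracked and that alerts depending on them may be missed until the step is re-enabled.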

@yoff yoff left a comment

Contributor

LGTM

tausbn commented Jun 30, 2026

Contributor Author

Performance comparison looks good. Merging.

@tausbn tausbn merged commit b12c67f into codeql-cli-2.26.0 Jun 30, 2026
15 checks passed
@tausbn tausbn deleted the tausbn/python-hotfix-disable-instance-field-step branch June 30, 2026 19:53