Python: hotfix - disable instanceFieldStep to avoid type-tracker blowup #22092
Merged
tausbn merged 1 commit intoJun 30, 2026
The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall` that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is itself a type-tracker -- inside `levelStepCall`. That creates a structural mutual recursion between the main type-tracker fixpoint and `classInstanceTracker`, causing the type-tracker delta to blow up to ~100M tuples per iteration on some OOP-heavy Python codebases. Verified on the python/mypy database: SSRF query wall time goes from ~12s before the offending commit to >40 minutes after it. This hotfix temporarily drops the `instanceFieldStep` disjunct and keeps only `inheritedFieldStep`, which does not pull on the call graph and is well-behaved (verified at ~12s on mypy). The `instanceFieldStep` helper predicate itself is kept in place, and the `levelStepCall` body has a commented-out call to it so the change is trivial to re-enable once the recursion issue is properly addressed.
9a2eb34 to f251a57
Pull request overview
This PR applies a performance hotfix to Python type-tracking by temporarily disabling the instanceFieldStep disjunct inside TypeTrackingInput::levelStepCall to avoid a mutual-recursion blowup in type-tracker fixpoint evaluation.
Changes:
- Disabled `instanceFieldStep` within `TypeTrackingInput::levelStepCall` (while leaving the helper predicate in place) to prevent catastrophic type-tracker delta growth.
- Updated affected Python security and library tests to reflect the temporary analysis regression.
- Added a Python pack change note documenting the hotfix and its motivation.
Show a summary per file
| File | Description |
|---|---|
| python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll | Temporarily disables instanceFieldStep from levelStepCall with an in-code hotfix note. |
| python/ql/test/library-tests/dataflow/typetracking/attribute_tests.py | Adjusts inline expectations for instance-attribute tracking behavior impacted by the hotfix. |
| python/ql/test/query-tests/Security/CWE-089-SqlInjection/app.py | Marks the now-missed SQL injection source/alert annotations for /unsafe3/ as expected missing. |
| python/ql/test/query-tests/Security/CWE-089-SqlInjection/SqlInjection.expected | Updates expected results/paths to reflect the removed /unsafe3/ finding. |
| python/ql/lib/change-notes/2026-06-30-disable-instance-field-step-hotfix.md | Documents the hotfix in change notes. |
Review details
- Files reviewed: 5/5 changed files
- Comments generated: 1
- Review effort level: Low
| category: minorAnalysis | ||
| --- | ||
|
|
||
| - Temporarily disabled the `instanceFieldStep` disjunct of the internal `TypeTrackingInput::levelStepCall` predicate, which was introduced in 7.2.0 and caused catastrophic query slowdowns on some OOP-heavy Python codebases (e.g. `mypy` and `dask`). |
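Review bot: The change-note entry names the disabled predicate and the slowdown it caused, but as shown it does not say what users lose while `instanceFieldStep` is off. The file summary lists adjusted instance-attribute tracking expectations and a now-missed SQL injection alert for /unsafe3/, so the entry should add a sentence stating that results which depend on instance-attribute tracking may be missing until the step is re-enabled. Leading with that user-visible effect, rather than with the internal `TypeTrackingInput::levelStepCall` predicate, would also make the note easier for pack users to act on.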
Performance comparison looks good. Merging.
The `instanceFieldStep` disjunct of `TypeTrackingInput::levelStepCall` that was added in 7.2.0 uses `classInstanceTracker(cls)` -- which is itself a type-tracker -- inside `levelStepCall`. That creates a structural mutual recursion between the main type-tracker fixpoint and `classInstanceTracker`, causing the type-tracker delta to blow up to ~100M tuples per iteration on some OOP-heavy Python codebases. Verified on the python/mypy database: SSRF query wall time goes from ~12s before the offending commit to >40 minutes after it.
This hotfix temporarily drops the `instanceFieldStep` disjunct and keeps only `inheritedFieldStep`, which does not pull on the call graph and is well-behaved (verified at ~12s on mypy). The `instanceFieldStep` helper predicate itself is kept in place, and the `levelStepCall` body has a commented-out call to it so the change is trivial to re-enable once the recursion issue is properly addressed. (Edit: actually, it's now commented out by adding `and none()` because otherwise we got compiler errors due to the unused predicate warning.)