Autofix overwrites wrong line with multiple multiline matches

[JuliusDegesys]

Describe the bug
Incorrect chunks of the file are auto-fixed. Searching for assert_eq(True, $X) and replacing with assert $X will mangle the output when auto-fixing multiple multi-line matches.

To Reproduce
https://semgrep.dev/s/juliusdegesys:asserteqbug
Input file:

assert_eq(
    True, "a"
)
assert_eq(
    True, "b"
)
x = "abc"

Rule:

rules:
    - id: assert_eq-true
      message: Change assert_eq(True, x) to assert x
      severity: INFO
      languages:
      - python
      pattern: assert_eq(True, $ACTUAL)
      fix: assert $ACTUAL

The matches look correct, and so do the auto-fixes. But when you "Apply all fixes" or apply the first fix followed by the second, the following output is generated:

assert "a"
assert_eq(
    True, "b"
assert "b"

Expected behavior

assert "a"
assert "b"
x = "abc"

What is the priority of the bug to you?

• P0: blocking your adoption of Semgrep or workflow
• P1: important to fix or quite annoying
• P2: regular bug that should get fixed

Environment
If not using semgrep.dev: are you running off docker, an official binary, a local build?

pip install semgrep
$ semgrep --version
0.56.0

[colleend]

Hi! Thanks for filing this issue -- we'll look into it as soon as we get the time to. As a heads up, autofix is an alpha feature so it is not as well supported as other GA features!

[gordonwoodhull]

Understand 100% that autofix is in alpha, however I thought I would add that autofix also gets confused when applying multiple changes to the same line.

Here is the repro: https://semgrep.dev/s/gordonwoodhull:wrap-strings

On semgrep.dev it produces the correct individual suggestions. However, when running on the command line with --autofix, it looks like it confuses the two output positions.

The rule attempts to replace the expression pattern (String $S) with the fix wrap($S).

On input

        return "a" + "b";

it produces the output

        return wrap("wrap("b") + "b";

[colleend]

Thanks for commenting about this issue! Would you mind filing a separate autofix issue with the contents of the comment? 🙏

[stale]

This issue is being marked stale because there hasn't been any activity in 30 days. Please leave a comment if you think this issue is still relevant and should be prioritized, otherwise it will be automatically closed in 7 days (you can always reopen it later).

[gordonwoodhull]

It’s an important issue - please don’t close.