Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LGTM.com - false positive: py/unreachable-statement with assert #2506

Open
gpotter2 opened this issue Dec 9, 2019 · 2 comments
Open

LGTM.com - false positive: py/unreachable-statement with assert #2506

gpotter2 opened this issue Dec 9, 2019 · 2 comments
Labels
false-positive Python

Comments

@gpotter2
Copy link

gpotter2 commented Dec 9, 2019
edited
Loading

Platform: Python

Description of the false positive

assert calls will be ignored when using the -O option. Therefore some code shouldn't be considered as dead.

This is quite low priority. -O related bugs are very common, but no one really uses it. Linters have been fighting forever to know whether this should be taken into account, or simply discarded

test.py

def hello():
    assert False
    return 1

print(hello())

Results:

  • python test.py -> AssertionError
  • python -O test.py -> 1

Related doc:

-O
Remove assert statements and any code conditional on the value of __debug__. Augment the filename for compiled (bytecode) files by adding .opt-1 before the .pyc extension (see PEP 488). See also PYTHONOPTIMIZE.

URL to the alert on the project page on LGTM.com

https://lgtm.com/projects/g/secdev/scapy/snapshot/33177966dbe59a9c7cbed5b086f99b40c4b1ede7/files/scapy/fields.py?sort=name&dir=ASC&mode=heatmap#x551c9066f44c0ec2:1
@tausbn tausbn self-assigned this Dec 9, 2019
@tausbn tausbn added the Python label Dec 9, 2019
@gpotter2 gpotter2 changed the title LGTM.com - false positive: Unreachable code with assert LGTM.com - false positive: py/unreachable-statement with assert Dec 9, 2019
@tausbn
Copy link
Contributor

tausbn commented Dec 9, 2019

Alas, this is a case of "damned if you do, damned if you don't". If we were to treat assert as not always raising an exception, we would get people complaining in the other direction, saying that the code following the assert obviously isn't reachable, since the assert is there!

In fact, we already have a query that warns about uses of assert that may change if optimisations are applied: https://github.com/Semmle/ql/blob/master/python/ql/src/Statements/AssertLiteralConstant.ql

I'm curious, though, for the project alert you link, is there a good reason for ignoring the error when optimisations are enabled? It seems dangerous to me to have code that exhibits different behaviour depending on whether the code was "optimised" or not. (Assuming it is not tested thoroughly both with and without the -O flag.)

@gpotter2
Copy link
Author

gpotter2 commented Dec 9, 2019
edited
Loading

I'm curious, though, for the project alert you link, is there a good reason for ignoring the error when optimisations are enabled?

In my case, I actually removed the line anyways 😄.

I personally hate this corner case because some linters (Bandit used by codacy) will throw errors claiming that this qualifies as "Security Hazard".
37A6BF84-69E6-4E91-A601-E30A1026B9F0
Thus in my original message

Linters have been fighting forever to know whether this should be taken into account, or simply discarded

I see your point: it's impossible to please everyone.

I'd personally keep it the way it currently is: asserts are well used unlike -O. Still though, technically, this code is unsafe.

Feel free to pick the side LGTM will be on 😄

@tausbn tausbn removed their assignment Feb 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
false-positive Python
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tausbn @gpotter2