Fix Python/FastAPI/SQL parsing: route false positives, Depends() tracking, SQL size guard, DLL calls#66
Closed
kingchenc wants to merge 2 commits intoDeusData:mainfrom
Closed
Fix Python/FastAPI/SQL parsing: route false positives, Depends() tracking, SQL size guard, DLL calls#66kingchenc wants to merge 2 commits intoDeusData:mainfrom
kingchenc wants to merge 2 commits intoDeusData:mainfrom
Conversation
…king, SQL size guard, DLL calls - Fix DeusData#28: Restrict source-based route extractors (Go/Express/Laravel/Ktor) to their own file extensions. Prevents Python dict .get() from matching Ktor route regex and creating ~125 spurious Route nodes. - Fix DeusData#27: Track FastAPI Depends(func_ref) in parameter defaults as CALLS edges. Scans Python function signatures for Depends() patterns so dependency-injected functions (e.g. get_current_user) no longer appear as dead code with in_degree=0. - Fix DeusData#62: Add file size guard in cbmParseFile() to prevent tree-sitter SQL parser stack overflow on large .sql files (bulk INSERTs). SQL files >1MB and any file >4MB are skipped with a logged warning. - Fix DeusData#29: Detect dynamic DLL resolution patterns (GetProcAddress, dlsym, Resolve) in C/C++ source and create CALLS edges to synthetic stub nodes with dll_name/dll_function metadata.
…king, SQL size guard, DLL calls - Fix DeusData#28: Restrict source-based route extractors (Go/Express/Laravel/Ktor) to their own file extensions. Prevents Python dict .get() from matching Ktor route regex and creating ~125 spurious Route nodes. - Fix DeusData#27: Track FastAPI Depends(func_ref) in parameter defaults as CALLS edges. Scans Python function signatures for Depends() patterns so dependency-injected functions no longer appear as dead code (in_degree=0). Includes fallback for import aliases (e.g. `import X as _Y`). - Fix DeusData#62: Add file size guard in cbmParseFile() to prevent tree-sitter SQL parser stack overflow on large .sql files (bulk INSERTs). SQL files >1MB and any file >4MB are skipped with a logged warning. - Fix DeusData#29: Detect dynamic DLL resolution patterns (GetProcAddress, dlsym, Resolve) in C/C++ source and create CALLS edges to synthetic stub nodes with dll_name/dll_function metadata.
This was referenced Mar 16, 2026
3 tasks
DeusData
added a commit
that referenced
this pull request
Mar 20, 2026
- FastAPI Depends(func_ref): scans Python function signatures for Depends() patterns and creates CALLS edges to the dependency function. Without this, auth/DI functions appear as dead code (in_degree=0). - DLL resolve: scans C/C++ source for GetProcAddress/dlsym/Resolve patterns and creates CALLS edges to synthetic stub nodes, enabling call graph tracking across DLL boundaries. - Extension scoping (#28) was already ported in 6a2b1f5. - SQL size guard (#62) not needed: our C workers use 8MB stacks. Tests: 3 new (httplink_laravel_path_filter, pipeline_fastapi_depends_edges, pipeline_dll_resolve_edges). Total: 2041. Co-Authored-By: kingchenc <kingchenc@users.noreply.github.com> Co-Authored-By: mariomeyer <mariomeyer@users.noreply.github.com>
Owner
|
Thanks for the thorough work across four issues — the extension scoping, FastAPI Depends tracking, DLL resolve edges, and SQL analysis are all well-engineered. We've ported all applicable fixes to the C codebase:
All three ported features have integration tests (2041 total). You're credited as co-author on both commits. Closing since this is resolved on main — thanks for the contribution! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dict.get()from creating spurious Route nodesDepends(func_ref)parameter defaults as CALLS edges with import alias resolution.sqlfilesGetProcAddress/dlsym/Resolve) in C/C++ and emit CALLS edges to stub nodesDetails
#28 — Python dict
.get()misidentified as Route nodesSource-based route extractors (
extractGoRoutes,extractExpressRoutes,extractLaravelRoutes,extractKtorRoutes) were running on all function nodes regardless of file type. The Ktor regex\b(get|post|...)\("..."matchedpayload.get("sub")in Python files, creating ~125 false Route nodes.Fix: File extension guard via
switch filepath.Ext()— each extractor only runs on its own language (.go, .js/.ts, .php, .kt).#27 — FastAPI
Depends()not trackedFunctions passed to
Depends()as parameter defaults (e.g.user = Depends(get_current_user)) were not extracted as calls — making critical auth/DI functions appear as dead code within_degree=0.Fix: New
extractPythonDependsEdges()scans Python function signatures forDepends(func_ref)patterns and emits CALLS edges (resolution_strategy: "fastapi_depends"). Includes fallback for import aliases (from X import Y as Z) by extracting the original function name from the import path.Tested: 392 Depends edges across 39 router files on a real FastAPI project.
require_adminwent fromin_degree: 64→in_degree: 180.#62 — Stack overflow in tree-sitter SQL parser
Large
.sqlfiles (bulk INSERT dumps ~4.5MB) cause deep recursion in the tree-sitter SQL grammar, exhausting the C stack (especially on Windows with 1MB default).Fix: Per-language file size guard in
cbmParseFile(): SQL >1MB skipped, any file >4MB skipped. Logged ascbm.skip.large_sql/cbm.skip.large_file.#29 — Dynamic DLL calling not tracked
C/C++ code using
GetProcAddress(handle, "Func"),dlsym(handle, "func"), or.Resolve("Func")for dynamic DLL loading had no call graph edges to the resolved functions.Fix: New
extractDLLResolveEdges()detects these patterns via regex, creates CALLS edges to synthetic stub nodes withdll_name/dll_functionmetadata. Stubs are created during the sequential flush phase (same path as LSP stub nodes).Test plan
go test ./internal/...— 12 packages)go vetclean on modified packages.get()on real FastAPI projectfastapi_dependsedges including aliased importsChanged files
internal/httplink/httplink.go— file extension guard indiscoverRoutes()internal/pipeline/pipeline_cbm.go— SQL size guard,extractPythonDependsEdges(),extractDLLResolveEdges()internal/pipeline/pipeline.go— extendcreateLSPStubNodes()to handledll_resolvestrategy