add coveralls integration to circleci config
replace unused+gosimple with staticcheck
add coverage badge to README
buger added a commit to buger/graphql-go-tools that referenced this pull request Apr 30, 2026
…nil-Item panic)
Builds five test-only harness scaffolds to push code-MC/DC coverage past
the 83.06% wall left by mocks-only rounds 1-5:

* mcdc_harness_subscription_test.go — drives executeSubscriptionUpdate's
  failure paths (loader-error, resolve-error, flush-error, SkipLoader)
  via direct sub construction with stub DataSource + AsyncErrorWriter
* mcdc_harness_filter_test.go — table-driven SubscriptionFieldFilter
  cross-product (regex × type × byte-compare) with run-twice for
  seenBit instrumentation
* mcdc_harness_extension_test.go — printExtensions 5-way gate combos
  (auth × rate-limit × queryPlan × tracing × valueCompletion) with
  skipValueCompletion=true and authorizer-no-data variants
* mcdc_harness_misc_test.go — small-file gaps: GetTrace req=nil/!nil,
  ObjectVariable/HeaderVariable.Equals all arms, Resolvable.Init parse
  error vs success, FetchTreeNode.queryPlan nil-receiver
* mcdc_harness_rerun_test.go — re-pump previously covered SubscriptionFilter
  AND/OR/NOT/In recursive paths and printExtensions to flip seenBit T->F

Coverage delta (resolve-engine):
  decisions: 1397/1682 (83.06%) -> 1410/1682 (83.83%) +0.77pt
  conditions: 82.7% -> 83.5% +0.8pt

NEW BUG wundergraph#10 surfaced by harness construction:
v2/pkg/engine/resolve/fetchtree.go:307 — *FetchTreeNode.queryPlan
panics when Kind=FetchTreeNodeKindSingle and Item=nil. The receiver-nil
guard is in place but the type-switch dereferences n.Item without a
guard. Reproducer: TestCVE_BUG010_QueryPlanNilItemPanic.

Honest gap assessment:
90% target NOT reached. Empirical analysis of the analyzer
(pkg/mcdccode/measure.go validMCDCPair) shows that the residual ~16% of
decisions split between:

* ~115 seenBit-guard `if !__reqproofMCDCSeenBit(...) { Record1Slow }`
  instrumentation lines that only emit one sample per unique (result,
  state) signature by construction — Record1Slow only fires when the
  bit is unset. The False arm of !seenBit ("already seen, skip
  recording") leaves no trace event, so the analyzer cannot pair
  opposite outcomes for these decisions.
* ~135 real production gaps clustered in subscription-dispatcher inner
  err!=nil checks (executeSubscriptionUpdate, ResolveGraphQLSubscription,
  AsyncResolveGraphQLSubscription, ArenaResolveGraphQLResponse) where
  the error path is reachable only via a real subgraph fetch failure
  or a BatchEntityFetch / InboundRequestSingleFlight inflight-coalesce
  scenario that requires either a live HTTP server or substantial
  production-code refactor (factor out the dispatcher).

CVE reproducer status:
  TestCVE_BUG004_SkipFieldDepthPanic - still failing (intent)
  TestCVE_BUG005_SkipFieldEmptyTypeNamesPanic - still failing (intent)
  TestCVE_BUG008_NilAsyncErrorWriterPanic - still failing (intent)
  TestCVE_BUG009_ResolvableResetNilXxhPanic - still failing (intent)
  TestCVE_BUG010_QueryPlanNilItemPanic - NEW, failing (intent)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
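
The nil-Item failure mode described in the commit message above, as an added example that is not part of the commit or of graphql-go-tools: a receiver nil check does not protect a pointer field dereferenced further down. The type layout, `planUnguarded`, `planGuarded`, `ErrNilItem` and `panics` are hypothetical stand-ins; only the names `FetchTreeNode`, `FetchTreeNodeKindSingle` and `Item` come from the message.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types; field layout is assumed, not copied from graphql-go-tools.
type FetchItem struct{ Name string }
type FetchTreeNode struct {
	Kind int // FetchTreeNodeKindSingle or some other kind
	Item *FetchItem
}

const FetchTreeNodeKindSingle = 1

var ErrNilItem = errors.New("single fetch node has nil Item")

// planUnguarded has the reported shape: the receiver is nil-checked, but the
// Single arm dereferences n.Item unconditionally.
func (n *FetchTreeNode) planUnguarded() string {
	if n == nil {
		return ""
	}
	if n.Kind == FetchTreeNodeKindSingle {
		return n.Item.Name // panics when Item == nil
	}
	return "other"
}

// planGuarded returns an error for the malformed node instead of panicking.
func (n *FetchTreeNode) planGuarded() (string, error) {
	if n != nil && n.Kind == FetchTreeNodeKindSingle && n.Item == nil {
		return "", ErrNilItem
	}
	return n.planUnguarded(), nil
}

// panics reports whether f panicked, the way a reproducer test would.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	bad := &FetchTreeNode{Kind: FetchTreeNodeKindSingle} // constructed input
	_, err := bad.planGuarded()
	fmt.Println(panics(func() { bad.planUnguarded() }), err)
}
```
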
This PR will add coveralls integration to add code coverage visibility to the repo.