Qiskit / qiskit / 13858668360
89%
main: 88%

LAST BUILD BRANCH: add-pauli-lindblad-map-generators-15228
DEFAULT BRANCH: main
Ran 14 Mar 2025 02:48PM UTC
Jobs 1
Files 916
Run time 23min
14 Mar 2025 02:23PM UTC coverage: 88.84% (-0.02%) from 88.86%
13858668360

push

github

web-flow
 Introduce custom sympy srepr parser [stable/1.4] (#14022)

* Introduce custom sympy srepr parser

This commit introduces a custom parser to QPY for parameter expression
payloads that were generated using sympy. Prior to QPY version 10 this
was the only way we supported serializing parameter expressions in QPY.
For QPY version 10, 11, and 12 sympy could optionally be used if the
payload was generated explicitly to not use symengine (in qiskit 1.0 it
defaulted to use symengine).
This serialization format relied on sympy to generate a string
representation of the expression which we then put in the payload. On
deserialization we called sympy's `parse_expr()` function which
internally calls sympy's `sympify()`. Sympy documents
that `sympify()` relies on Python's `eval()` for string input and
should not be used with untrusted input. But `parse_expr()` didn't have
such a warning (at the time, I plan to contribute adding one), so
using this function provides an avenue for arbitrary code execution
during QPY deserialization.

This commit fixes this issue by writing a custom parser for the string
representation in a QPY payload based on Python's ast module. This parser
walks the abstract syntax tree and builds the sympy expression object as
it goes. It is restricted to the operations that
`ParameterExpression` supports and if any part of the string tries to
use functionality outside that set it will error.

For `ScheduleBlock` objects which also serialize a symbolic expression
there is no new parser to securely load the payload. This is because
the data model of `ScheduleBlock` enables using any `sympy` expression
and the limited parser is not sufficient to represent the schedule
block. Since this functionality is deprecated and will be removed in
Qiskit 2.0.0, potentially vulnerable payloads are rejected by default
now. If the input is trusted by the user they can explicitly opt-in to
using it by setting a new flag to trust the input. This ... (continued)
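
The approach the commit message describes (parse with `ast`, walk the tree, build the expression from an allowlist, error on anything else), as an added sketch that is not Qiskit's code. It builds nested tuples rather than sympy objects, and the allowlist, `parse_srepr`, `RejectedPayload` and the sample strings are assumptions of this example.

```python
import ast

# Assumed allowlist for this sketch: name -> (min_args, max_args); None = unbounded.
OPS = {"Add": (2, None), "Mul": (2, None), "Pow": (2, 2),
       "sin": (1, 1), "cos": (1, 1), "exp": (1, 1)}

class RejectedPayload(ValueError):
    """The string uses syntax or names outside the allowlist."""

def _int(node):
    # srepr writes negatives as Integer(-1), which parses as UnaryOp(USub, Constant).
    sign = 1
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        sign, node = -1, node.operand
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return sign * node.value
    raise RejectedPayload("expected an integer literal")

def _build(node):
    # Accept only Name(arg, ...) calls without keywords, so attributes, subscripts,
    # lambdas, comprehensions and operators are rejected; nothing is ever evaluated.
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)) or node.keywords:
        raise RejectedPayload(f"unsupported syntax: {type(node).__name__}")
    name, args = node.func.id, node.args
    if name == "Symbol":
        if len(args) == 1 and isinstance(args[0], ast.Constant) and isinstance(args[0].value, str):
            return ("Symbol", args[0].value)
        raise RejectedPayload("Symbol takes one string literal")
    if name == "Integer" and len(args) == 1:
        return ("Integer", _int(args[0]))
    if name == "Rational" and len(args) == 2:
        return ("Rational", _int(args[0]), _int(args[1]))
    if name in OPS:
        lo, hi = OPS[name]
        if len(args) >= lo and (hi is None or len(args) <= hi):
            return (name, *[_build(a) for a in args])
    raise RejectedPayload(f"call not allowed: {name}")

def parse_srepr(text):
    """Return a nested-tuple tree for an allowlisted srepr string, else raise."""
    try:
        tree = ast.parse(text, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise RejectedPayload("not a single expression") from exc
    return _build(tree.body)

# Constructed samples: a benign payload, and one that an eval()-based loader would run.
GOOD = "Add(Mul(Integer(2), Symbol('theta')), Pow(Symbol('phi'), Integer(-1)))"
BAD = "Symbol(__import__('os').getcwd())"
```

`parse_srepr(GOOD)` returns the tuple tree; `parse_srepr(BAD)` raises `RejectedPayload` because the argument to `Symbol` is a call rather than a string literal.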

67 of 87 new or added lines in 8 files covered. (77.01%)

23 existing lines in 3 files now uncovered.

79443 of 89423 relevant lines covered (88.84%)

357018.62 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆       File
1      91.3      -0.66%  qiskit/circuit/tools/pi_check.py
1      90.24     0.0%    qiskit/qpy/interface.py
2      97.04     -0.63%  qiskit/circuit/parameterexpression.py
3      87.65     -0.13%  qiskit/qpy/binary_io/value.py
5      88.81     -0.2%   qiskit/qpy/binary_io/schedules.py
8      82.61             qiskit/qpy/binary_io/parse_sympy_repr.py

Uncovered Existing Lines

Lines  Coverage  ∆       File
1      88.81     -0.2%   qiskit/qpy/binary_io/schedules.py
4      92.23     0.0%    crates/qasm2/src/lex.rs
18     96.69     -0.92%  crates/qasm2/src/parse.rs

Jobs

ID  Job ID         Ran                      Files  Coverage
1   13858668360.1  14 Mar 2025 02:48PM UTC  916    88.84

  • Github Actions Build #13858668360
  • 3da3d5ad on github
  • Prev Build on stable/1.4 (#13782994094)
  • Next Build on stable/1.4 (#14067231368)