CapPython static verifier rules
- Attribute assignment, such as x.y = z or x.y += z, may only be done when x is a self variable. In addition, y may not be a special attribute.
- Reading attributes, e.g. x.y: if y is a private attribute, x must be a self variable. In addition, y may not be a special attribute.
- print statements are forbidden, because they give access to mutable global state (sys.stdout).
- exec statements are forbidden, because they allow running unverified code.
- import statements of the form from x import * are forbidden, because they impede variable binding analysis. These are not particularly harmful at present, because Python only allows them in global scope, but the restriction will likely become significant in the future if builtins such as super need to be allowed with restrictions.
- References to variables with special names are not allowed. This applies in all scopes (global, local and class), and it applies to both reading and assigning to variables.
  Reason: Blocks defining __metaclass__ and __del__ on classes.
  Reason: Blocks access to the __builtins__ global variable (just in case).
Definitions
Private attributes are attribute names starting with "_", "func_", "im_" or "gi_".
Special names are those beginning and ending with double underscores, such as __class__. The restrictions on special attributes prevent assignments to __class__, which has the effect of changing the type of an instance object.
Self variables are defined as follows: if a def f(v1, ...) statement appears immediately within a class statement, the function's first argument is a self variable, provided that:
- the def is not preceded by any decorators, and
- variable f is not read anywhere in class scope and is not declared as global.
The reason for these restrictions is to prevent the function object from leaking.
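The self-variable definition and the two attribute rules above can be checked mechanically over a syntax tree. The following is an added example, not CapPython's own verifier code: it uses Python 3's ast module, covers only those rules, and the names self_variables, verify and CONSTRUCTED_SAMPLE are hypothetical. It assumes that nested functions and lambdas get no self variable, and it treats del x.y like an assignment.

```python
import ast

PRIVATE_PREFIXES = ("_", "func_", "im_", "gi_")

def self_variables(cls):
    """Map each qualifying def directly inside class node `cls` to its self variable."""
    # Conservative: a read or `global` of the name anywhere in the class disqualifies it.
    used = {n.id for n in ast.walk(cls) if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
    used |= {name for n in ast.walk(cls) if isinstance(n, ast.Global) for name in n.names}
    return {f: f.args.args[0].arg for f in cls.body
            if isinstance(f, ast.FunctionDef) and not f.decorator_list
            and f.args.args and f.name not in used}

def verify(source):
    """Return sorted (line, message) violations of the two attribute rules."""
    errors = []
    def visit(node, self_var=None):
        if isinstance(node, ast.ClassDef):
            methods = self_variables(node)
            for child in ast.iter_child_nodes(node):
                if child not in methods:
                    visit(child)
                    continue
                for part in ast.iter_child_nodes(child):
                    # Only the body sees the self variable; defaults run in class scope.
                    visit(part, methods[child] if part in child.body else None)
            return
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            self_var = None  # assumption: nested and plain functions get no self variable
        if isinstance(node, ast.Attribute):
            on_self = isinstance(node.value, ast.Name) and node.value.id == self_var
            is_read = isinstance(node.ctx, ast.Load)  # otherwise Store/Del, incl. x.y += z
            if node.attr.startswith("__") and node.attr.endswith("__"):
                errors.append((node.lineno, "special attribute: " + node.attr))
            elif not on_self and (not is_read or node.attr.startswith(PRIVATE_PREFIXES)):
                kind = "private read" if is_read else "assignment"
                errors.append((node.lineno, kind + " outside self: " + node.attr))
        for child in ast.iter_child_nodes(node):
            visit(child, self_var)
    visit(ast.parse(source))
    return sorted(errors)

CONSTRUCTED_SAMPLE = """class Counter:
    def bump(self):
        self._n = self._n + 1
    def peek(self, other):
        return other._n
    def retype(self, cls):
        self.__class__ = cls
"""
```

Calling verify(CONSTRUCTED_SAMPLE) accepts bump and reports the private read in peek and the __class__ assignment in retype.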
