feat(migrate): add session Release() migration with scope-aware tracking

[sixcolors]

Summary

Implements migration to add defer sess.Release() calls for Fiber v3 session Store Pattern usage. In v3, sessions obtained via store.Get() and store.GetByID() must be manually released back to the pool to prevent memory leaks. Fixes gofiber/recipes#3841

Key Features

• Import parsing: Detects v3 session package, skips v2 imports
• Variable tracking: Identifies session.NewStore() assignments
• Scope-aware verification: Prevents false positives by verifying store variables are from session.NewStore() in current function scope
• AST + source-level type checks: Uses AST inspection and source-level regex checks to verify *session.Store usage (not full go/types resolution)
• Closure support: Handles anonymous functions accessing parent scope variables
• Smart placement: Adds defer Release() after error checks or immediately if no error handling
• Duplicate prevention: Checks for existing Release() calls before adding
• Nil-safe: Works correctly when Get() returns nil on error (Release() has nil guard)

Migration Approach

// Before (v2)
store := session.New()
sess, err := store.Get(c)
if err != nil {
    return err
}
sess.Set("key", "value")
return sess.Save()

// After (v3) - migration adds defer
store := session.NewStore()
sess, err := store.Get(c)
if err != nil {
    return err
}
defer sess.Release() // Important: Manual cleanup required
sess.Set("key", "value")
return sess.Save()

Edge Cases Handled

✅ Correctly Adds Release()

• sess, err := store.Get(c) with error check
• sess, _ := store.Get(c) error ignored
• sess, err := store.Get(c) no error check (just continues)
• sess, err := store.GetByID(ctx, id) background tasks
• Multiple store variables (store, sessionStore, myStore)
• Closures accessing parent scope (e.g., store in main() used in app.Post(func...))

✅ Correctly Excludes (No False Positives)

• Middleware pattern: session.FromContext(c) - middleware manages lifecycle
• Other packages: cache.Get(), Ent ORM client.Get(), CSRF session from c.Locals()
• V2 imports: Files still using v2 session package (skipped entirely)
• Cross-function collisions: Same variable name in different functions for different types

  func sessionHandler() {
      store := session.NewStore()  // Tracked
      sess, _ := store.Get(c)      // ✅ Adds Release()
  }
  func cacheHandler() {
      store := cache.NewStore()    // Different type
      data, _ := store.Get(key)    // ✅ NO Release() - correctly excluded
  }

✅ Duplicate Prevention

• Skips files that already have defer sess.Release()
• Searches ahead to avoid adding multiple Release() calls

Real-World Testing

Verified against actual gofiber/recipes examples:

• ✅ csrf-with-session: Correctly adds Release() for store.Get() in multiple handlers
• ✅ ent-mysql: Correctly ignores Ent ORM Get() methods (no session import)

Test Coverage

13 comprehensive tests covering:

• Basic store.Get() pattern
• store.GetByID() pattern
• Already has defer (no duplicate)
• Multiline error blocks
• Middleware pattern (correctly excluded)
• False positives (CSRF, Ent, cache - correctly excluded)
• Various store variable names
• V2 imports (correctly skipped)
• Cross-function variable collision (critical edge case)
• Closures accessing parent scope (csrf-with-session pattern)
• Real-world recipes examples

All tests passing, 0 linting issues.

Implementation Details

Type / Source Verification Algorithm

The migration uses AST inspection plus source-level regex-based checks (not Go's full type checker) to identify *session.Store.Get() calls:

1. Parses imports to find session package aliases (e.g., session, sess, etc.)
2. Source-level type checks: Uses identHasType() and identAssignedFrom() to match *session.Store or session.NewStore() in the analyzed source text
3. Scope verification: Ensures type/assignment is within same function scope (or closure) where Get() was called
4. Eliminates false positives: Only adds Release() for recognized session stores, not cache/ORM variables

This approach is robust for most real-world code and prevents the main false positives, but it does not use go/types full type resolution and thus intentionally avoids complex cross-package type analysis.

Why Source-level Checks Matter

Without type verification we'd incorrectly add Release():

func handler1() {
    store := session.NewStore()  // Type: *session.Store
    sess, _ := store.Get(c)      // ✅ Adds Release()
}

func handler2() {
    store := cache.NewStore()    // Type: *cache.Store - different type!
    data, _ := store.Get(key)    // ✅ NO Release() - source checks exclude
}

Review Notes for Maintainers

Critical areas to review:

1. Source/type verification logic in isSessionStoreInFunction() - handles aliases and source-level type declarations
2. Regex patterns - ensure they match intended patterns and reject non-session stores
3. Test coverage - particularly the cross-function collision test
4. Brace counting - simplified heuristic that works for typical Go code but may fail on edge cases like braces in strings/comments

Known limitations:

• Store variables passed as function parameters/returns won't be tracked (acceptable - rare pattern)
• Store fields in structs won't be tracked (acceptable - rare pattern, users can add manually)
• Brace counting fallback still exists when AST parsing of error blocks fails (acceptable migration heuristic)

Recommendation: Run migration on gofiber/recipes repository to verify real-world usage patterns.

Migration Execution Order

This migration runs as part of the v3 migration chain:

1. MigrateContribPackages - Changes imports v2→v3
2. MigrateSessionStore - Changes session.New() → session.NewStore()
3. MigrateStorageVersions - Updates storage package versions
4. MigrateSessionRelease ← This migration (runs after imports are v3)

Checklist

• Tests pass (13/13 session release tests)
• Linting passes (0 issues)
• Real-world examples verified (csrf-with-session, ent-mysql)
• Edge cases documented
• Source-level checks prevent false positives
• Handles closures correctly
• Migration order documented
• Code cleaned up (removed debugging comments and redundant code)

<- This is an auto-generated comment: release notes by coderabbit.ai -->

Summary by CodeRabbit

• Bug Fixes

  • Enhanced session migration accuracy with improved detection and validation mechanisms.

• Tests

  • Expanded test coverage for session cleanup scenarios, including multiple variable naming patterns, aliased imports, and real-world edge cases.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

<- end of auto-generated comment: release notes by coderabbit.ai -->

Summary by CodeRabbit

• Tests

  • Expanded coverage for session migration across middleware patterns, non-session getters, aliased imports, multiple variable names, varied error-handling layouts, and real-world scenarios.

• Refactor

  • More robust, type-aware detection and safer insertion of session cleanup calls with resilient fallback parsing and duplicate-release avoidance.

• New Features

  • User-facing feedback: prints messages when cleanup insertions are performed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[gemini-code-assist]

Summary of Changes

Hello @sixcolors, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a critical migration tool for Fiber v3, automating the insertion of defer sess.Release() calls. This change is essential for proper session lifecycle management in v3, addressing potential memory leaks. The migration is designed with high precision, using scope-aware analysis to correctly identify and modify only relevant session-related code, while meticulously avoiding unintended changes to other parts of the codebase or older v2 implementations. It aims to provide a seamless and safe upgrade experience for developers.

Highlights

• New Migration for Fiber v3 Sessions: Introduces a new migration (MigrateSessionRelease) to automatically add defer sess.Release() calls after store.Get() and store.GetByID() in Fiber v3 applications. This is crucial for preventing memory leaks as v3 requires manual session lifecycle management.
• Intelligent Scope-Aware Tracking: The migration employs advanced logic to accurately identify session store variables within their function scope, preventing false positives from similarly named variables in different contexts (e.g., cache.NewStore() vs. session.NewStore()). It also supports closures accessing parent scope variables.
• Robust Edge Case Handling: The implementation handles various scenarios, including different error checking patterns (or lack thereof), multiple store variable names, and existing Release() calls to prevent duplicates. It explicitly avoids adding Release() for middleware patterns, v2 imports, or non-session Get() methods from other packages.
• Comprehensive Testing and Verification: The migration is backed by 13 detailed tests covering basic usage, complex edge cases (like cross-function variable collisions and closures), and real-world examples from the gofiber/recipes repository, ensuring reliability and correctness.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This is a very well-structured pull request that significantly improves the session release migration logic. The breakdown into multiple steps (finding alias, finding store variables, and then adding release calls with scope-awareness) is excellent and much more robust than the previous implementation. The detailed PR description and the comprehensive test suite covering numerous edge cases are also commendable.

I found one critical issue in the scope verification logic that would cause the migration to fail for projects using a custom alias for the session package. I've provided a detailed comment with a suggested fix and a recommendation to add a test case for this scenario.

Once that is addressed, this will be a fantastic improvement.

[Copilot]

Pull request overview

This PR implements a migration to automatically add defer sess.Release() calls for Fiber v3 session Store Pattern usage, preventing memory leaks by ensuring sessions are returned to the pool. The migration uses scope-aware tracking to avoid false positives when the same variable names are reused across different functions or for different types.

Key Changes:

• Adds import detection to identify v3 session package and its alias
• Implements variable tracking to find session.NewStore() assignments
• Adds scope verification via backward search to prevent false positives across function boundaries
• Handles closures accessing parent scope variables
• Smart placement of defer Release() after error checks or immediately if no error handling exists

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File	Description
cmd/internal/migrations/v3/session_release.go	Implements the core migration logic with import detection, store variable tracking, scope-aware verification, and Release() call insertion
cmd/internal/migrations/v3/session_release_test.go	Adds 9 comprehensive test cases covering middleware patterns, false positives, variable naming, v2 imports, real-world examples, cross-function collisions, and closure support

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Replaces regex/line-based injection with an AST- and type-checked pass that finds session.Store Get/GetByID calls, computes function-scoped insertion points, and inserts defer <sess>.Release() calls while avoiding duplicates; expands tests to cover many edge cases including aliased imports.

Changes

Cohort / File(s)	Summary
Session release migration core logic cmd/internal/migrations/v3/session_release.go	Replaces regex-based detection with AST/type-check analysis to find Store.Get/GetByID calls, validates the store is a session.Store within the function, computes releasePoints, and inserts defer <sess>.Release() statements while skipping existing releases. Adds addReleaseCallsWithTypes, findReleasePoints, isSessionStoreInFunction, findSessionPackageAliases, insertDeferStatements, findErrorBlockEnd (AST + fallback), findErrorBlockEndFallback, hasExistingRelease, releasePoint struct, and related helpers. Returns explicit errors on parse failures and emits cmd.Println when insertions occur. Public API unchanged.
Session release migration tests cmd/internal/migrations/v3/session_release_test.go	Adds setupTestModule for isolated module/type-checking and many new tests: middleware/no-release, non-session Get methods, different session store variable names, v2-import skipping, real-world scenarios (CSRF, Ent/MySQL), no-error-check variants, other packages with New, same variable name across functions, and aliased session imports. Verifies defer placement, counts, and avoids duplicate releases.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Focus areas:
  • Correctness for shadowed/reused variables and alias detection in isSessionStoreInFunction.
  • Robustness and edge cases of findErrorBlockEnd and its brace-counting fallback.
  • Accurate insert-position computation and duplicate detection (hasExistingRelease).
  • Test harness assumptions in setupTestModule for module layout and type-checking.

Possibly related PRs

• feat: add storage version and session release migrations for v3 #248 — Prior/related changes to cmd/internal/migrations/v3/session_release.go implementing session Release insertion; closely related to this AST/type-check–driven refactor.

Suggested reviewers

• gaby
• ReneWerner87
• efectn

Poem

🐰 I hopped through nodes and types with glee,
I sniffed each import, alias, and decree.
With tidy paws I placed each timely Release,
Functions now rest, their sessions freed in peace. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 69.23% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a session Release() migration with scope-aware tracking for Fiber v3.
Description check	✅ Passed	The PR description provides comprehensive detail on the problem solved (memory leaks in v3 session handling), implementation approach, edge cases, testing, and migration context.
Linked Issues check	✅ Passed	The PR fulfills the coding requirement from issue #3841 by implementing a migration component that updates code to v3 (session Release() calls) as part of the broader v3 migration tool.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing the session Release() migration for v3; modifications to session_release.go and session_release_test.go are scoped to this feature.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/session-migration-pr-3841

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

cmd/internal/migrations/v3/session_release_test.go (1)

178-181: Test assertion logic is incorrect.

strings.Index(result, "}") finds the first } in the file, which is the closing brace of the import block, not the error handling block. The test may pass coincidentally but doesn't verify the intended behavior.

-	// Verify defer comes after the error block
-	deferIdx := strings.Index(result, "defer sess.Release()")
-	errorBlockEnd := strings.Index(result, "}")
-	assert.Greater(t, deferIdx, errorBlockEnd, "defer should come after error block")
+	// Verify defer comes after the error block (find the "return err" followed by "}")
+	errorBlockPattern := "return err\n    }\n"
+	errorBlockEnd := strings.Index(result, errorBlockPattern) + len(errorBlockPattern)
+	deferIdx := strings.Index(result, "defer sess.Release()")
+	assert.Greater(t, deferIdx, errorBlockEnd, "defer should come after error block")

🧹 Nitpick comments (2)

cmd/internal/migrations/v3/session_release.go (1)

191-211: Consider extracting magic number and improving scope detection.

The 30-line look-ahead is reasonable but could be a named constant for clarity. The scope check at line 204 using len(indent) == 0 may not reliably detect function boundaries since function bodies typically have indentation.

+const releaseSearchAhead = 30 // Lines to search ahead for existing Release() calls
+
 // Check if Release() is already present for this session variable
 // Search from right after the Get() line
 hasRelease := false
-searchEnd := i + 30 // Look ahead up to 30 lines
+searchEnd := i + releaseSearchAhead

cmd/internal/migrations/v3/session_release_test.go (1)

676-751: Critical edge case test - but missing aliased import coverage.

This test validates the crucial scope-aware tracking to prevent false positives across functions. However, the test suite is missing coverage for aliased imports (e.g., sshadow "github.com/gofiber/fiber/v3/middleware/session"), which would expose the bug in isSessionStoreInScope where session.NewStore() is hardcoded.

Consider adding a test case for aliased imports:

func Test_MigrateSessionRelease_AliasedImport(t *testing.T) {
	t.Parallel()

	dir, err := os.MkdirTemp("", "msessionrelease")
	require.NoError(t, err)
	defer func() { require.NoError(t, os.RemoveAll(dir)) }()

	content := `package main

import (
	"github.com/gofiber/fiber/v3"
	sess "github.com/gofiber/fiber/v3/middleware/session"
)

func handler(c fiber.Ctx) error {
	store := sess.NewStore()
	session, err := store.Get(c)
	if err != nil {
		return err
	}

	session.Set("key", "value")
	return session.Save()
}
`

	err = os.WriteFile(filepath.Join(dir, "main.go"), []byte(content), 0o600)
	require.NoError(t, err)

	cmd := &cobra.Command{}
	err = MigrateSessionRelease(cmd, dir, nil, nil)
	require.NoError(t, err)

	data, err := os.ReadFile(filepath.Join(dir, "main.go"))
	require.NoError(t, err)

	result := string(data)
	assert.Contains(t, result, "defer session.Release() // Important: Manual cleanup required")
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14ad351 and ed6f2e8.

📒 Files selected for processing (2)

• cmd/internal/migrations/v3/session_release.go (2 hunks)
• cmd/internal/migrations/v3/session_release_test.go (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

cmd/internal/migrations/v3/session_release.go (1)

cmd/internal/helpers.go (1)

• ChangeFileContent (54-110)

cmd/internal/migrations/v3/session_release_test.go (1)

cmd/internal/migrations/v3/session_release.go (1)

• MigrateSessionRelease (25-55)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Agent
• GitHub Check: Build (1.25.x, macos-latest)
• GitHub Check: Build (1.25.x, macos-13)
• GitHub Check: Build (1.25.x, ubuntu-latest)
• GitHub Check: Build (1.25.x, windows-latest)

🔇 Additional comments (10)

cmd/internal/migrations/v3/session_release.go (5)

16-55: LGTM! Clean three-step migration logic.

The function is well-structured with clear separation of concerns: finding the session package alias, identifying store variables, and adding Release() calls. The early returns for files without session imports or stores are efficient.

---

57-77: LGTM! Correct import alias detection.

The regex correctly handles both default imports and aliased imports for the v3 session package. Returning empty string for non-v3 imports ensures v2 code is properly skipped.

---

79-108: LGTM! Properly uses the session package alias.

The function correctly incorporates sessionPkgAlias into the regex patterns, handling both NewStore() calls and type declarations with the appropriate alias.

---

226-231: Silent skip when error block parsing fails may leave sessions unreleased.

If findErrorBlockEnd returns an invalid index, the code continues without adding defer sess.Release(). This could result in memory leaks for edge cases with unusual error block formatting.

Consider adding a fallback to insert the defer immediately after the Get() call when block parsing fails, or at minimum log a warning:

 if blockEnd < 0 || blockEnd >= len(lines) {
-	continue
+	// Fallback: add defer immediately after Get() if we can't parse the error block
+	deferLine := indent + "defer " + sessVar + ".Release() " + releaseComment
+	result = append(result, deferLine)
+	continue
 }

---

256-287: LGTM! Reasonable heuristic with documented limitations.

The brace-counting approach handles typical Go error patterns. The limitation regarding braces in strings/comments is documented appropriately.

cmd/internal/migrations/v3/session_release_test.go (5)

184-230: Good coverage for middleware pattern exclusion.

This test correctly verifies that session.FromContext() usage (middleware pattern) doesn't trigger Release() injection, as the middleware manages the lifecycle.

---

232-287: LGTM! Good false-positive prevention test.

Covers multiple non-session Get patterns (CSRF locals, Ent GetX, cache.Get) to ensure they don't trigger Release() injection.

---

289-389: LGTM! Good coverage for variable naming patterns and v2 skip behavior.

The variable name test validates that different naming conventions (store, sessionStore, myStore) all receive Release() calls. The v2 import test confirms the migration correctly skips files that haven't been upgraded to v3 imports yet.

---

391-555: Excellent real-world validation tests.

Testing against actual patterns from gofiber/recipes (CSRF-with-session, Ent-MySQL) provides confidence that the migration handles real codebases correctly.

---

557-674: Good edge case coverage for error handling variations and similar APIs.

The nil-safe Release() documentation in the test comments helps explain why it's safe to add Release() even without error checking.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

cmd/internal/migrations/v3/session_release.go (1)

230-261: Consider handling more error check pattern variations.

Line 233's check strings.HasPrefix(nextLine, "if "+errVar+" != nil") is rigid and won't match common variations:

• if err!=nil (no spaces)
• if nil != err (reversed comparison)
• if errors.Is(err, ...) (wrapped checks)

Since there's a fallback (lines 258-260) that inserts defer immediately, the migration will still work but may place defer before the error check in these cases.

Consider using a more flexible regex pattern:

-		if strings.HasPrefix(nextLine, "if "+errVar+" != nil") {
+		errCheckPattern := regexp.MustCompile(fmt.Sprintf(`^if\s+(%s\s*!=\s*nil|nil\s*!=\s*%s|errors\.`, regexp.QuoteMeta(errVar), regexp.QuoteMeta(errVar)))
+		if errCheckPattern.MatchString(nextLine) {

However, this adds complexity, and the current implementation is acceptable for a migration tool.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed6f2e8 and d762930.

📒 Files selected for processing (2)

• cmd/internal/migrations/v3/session_release.go (4 hunks)
• cmd/internal/migrations/v3/session_release_test.go (5 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

cmd/internal/migrations/v3/session_release.go (1)

cmd/internal/helpers.go (1)

• ChangeFileContent (54-110)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build (1.25.x, ubuntu-latest)
• GitHub Check: Build (1.25.x, windows-latest)
• GitHub Check: Build (1.25.x, macos-13)
• GitHub Check: Build (1.25.x, macos-latest)

🔇 Additional comments (5)

cmd/internal/migrations/v3/session_release.go (2)

28-58: LGTM! Clean multi-step pipeline with early returns.

The refactored implementation properly separates concerns into discovery (alias, store variables) and transformation (adding Release calls). Early returns when no session package or stores are found optimize performance.

---

113-160: Excellent scope verification - addresses all previous critical feedback.

The implementation now:

• Accepts sessionPkgAlias parameter and uses it for verification (lines 122-125, 137)
• Pre-compiles regex patterns outside the loop for efficiency
• Captures and verifies the package alias matches the session package (lines 134-142)
• Stops at named function boundaries while allowing closures (line 153)

This properly prevents false positives when the same variable name is reused in different functions or with different packages.

cmd/internal/migrations/v3/session_release_test.go (3)

178-184: LGTM! Proper verification of defer placement after error blocks.

These assertions validate that the AST-based error block detection correctly places defer sess.Release() after the error handling block, not before or inside it.

---

678-753: Excellent critical test for scope verification!

This test validates the most important aspect of the migration: ensuring defer Release() is only added for actual session stores, not for other packages that happen to use the same variable name. The scope verification in isSessionStoreInScope must correctly distinguish between:

• store := session.NewStore() in sessionHandler (SHOULD add Release)
• store := cache.NewStore() in cacheHandler (should NOT add Release)

The assertions properly verify that only the session store gets defer sess.Release(), confirming the scope-aware tracking works correctly.

---

755-811: LGTM! Validates custom import alias support.

This test confirms the migration correctly handles custom session package aliases (e.g., sess "github.com/gofiber/fiber/v3/middleware/session"). The assertions verify that both Get() and GetByID() receive defer Release() calls when the session package is imported with a custom alias.

This validates the fix for past review comments about hardcoded "session" strings.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

cmd/internal/migrations/v3/session_release.go (1)

350-368: Clarify the line number calculation and comment.

The line number calculation at line 354 (lineNum := pos.Line - 3) is confusing, and the inline comment doesn't explain why 3 is subtracted. Given that only 2 wrapper lines are added (lines 334: "package main\nfunc f() {\n"), the subtraction of 3 seems counterintuitive.

Consider adding a clearer comment explaining the calculation:

-			lineNum := pos.Line - 3
+			// AST line is 1-based. Subtract 3 to account for:
+			// - 1 for 1-based indexing
+			// - 2 for the wrapper lines (package main + func f())
+			lineNum := pos.Line - 3

Or if the math is incorrect, adjust accordingly and verify with a test case.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d762930 and 798a9bf.

📒 Files selected for processing (2)

• cmd/internal/migrations/v3/session_release.go (2 hunks)
• cmd/internal/migrations/v3/session_release_test.go (12 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

cmd/internal/migrations/v3/session_release.go (1)

cmd/internal/helpers.go (1)

• ChangeFileContent (54-110)

cmd/internal/migrations/v3/session_release_test.go (1)

cmd/internal/migrations/v3/session_release.go (1)

• MigrateSessionRelease (31-61)

🪛 GitHub Actions: golangci-lint

cmd/internal/migrations/v3/session_release.go

[error] 334-334: golangci-lint: Error return value of sb.WriteString is not checked (errcheck)

🪛 GitHub Check: lint

cmd/internal/migrations/v3/session_release.go

[failure] 377-377:
enforce-switch-style: switch must have a default case clause (revive)

---

[failure] 341-341:
Error return value of sb.WriteString is not checked (errcheck)

---

[failure] 339-339:
Error return value of sb.WriteString is not checked (errcheck)

---

[failure] 338-338:
Error return value of sb.WriteString is not checked (errcheck)

---

[failure] 334-334:
Error return value of sb.WriteString is not checked (errcheck)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build (1.25.x, windows-latest)
• GitHub Check: Build (1.25.x, macos-latest)
• GitHub Check: Build (1.25.x, macos-13)
• GitHub Check: Build (1.25.x, ubuntu-latest)

🔇 Additional comments (11)

cmd/internal/migrations/v3/session_release.go (3)

31-61: LGTM! Good defensive error handling.

The implementation correctly:

• Early-exits for files without session imports
• Skips v2 imports (this migration runs after v2→v3 import migration)
• Falls back gracefully to returning original content if type checking fails (line 47)
• Provides user feedback when changes are made (line 59)

---

87-150: LGTM! Well-structured AST analysis.

The findReleasePoints function correctly:

• Identifies assignment patterns matching sess, err := store.Get(c)
• Supports both Get and GetByID methods
• Validates the store variable is actually a session.Store via isSessionStoreInFunction
• Handles ignored errors with underscore (lines 130-135)
• Captures all necessary information for insertion

---

245-292: LGTM! Correct insertion logic.

The insertDeferStatements function correctly:

• Processes points in reverse order to maintain accurate line numbers (line 256)
• Calculates proper indentation (lines 249-254)
• Skips duplicate insertions via hasExistingRelease check (line 263)
• Places defer after error-handling blocks when present (lines 277-283)
• Falls back to immediate placement when no error check exists (lines 284-288)

cmd/internal/migrations/v3/session_release_test.go (8)

14-28: LGTM! Good test scaffolding improvement.

The setupTestModule helper correctly:

• Creates temp directory within the project (line 20) to inherit go.mod
• Returns absolute path for consistent handling
• Is properly cleaned up in each test with defer

This is essential for the type-checking approach used in the migration.

---

198-204: LGTM! Correct defer placement verification.

The test correctly verifies that:

• The error return statement exists (line 201)
• The defer Release() statement exists (line 202)
• The defer is placed after the error block (line 203)

This ensures the migration respects error-handling flow.

---

206-253: LGTM! Critical test for middleware pattern exclusion.

This test correctly verifies that sessions obtained via session.FromContext(c) (line 231) do NOT receive Release() calls, as the middleware manages their lifecycle. This is a key requirement per the PR objectives.

---

706-782: Excellent! Critical edge case test for function-scoped type verification.

This test validates the most important aspect of the migration: ensuring that the same variable name "store" in different functions is correctly distinguished by type. The test verifies:

• Session store in sessionHandler gets Release() (lines 727-728)
• Cache store in cacheHandler does NOT get Release() (lines 739-740)
• Only one defer is added total (line 762)
• Placement verification confirms it's in the correct function (lines 766-781)

This directly validates the type-checking approach and prevents false positives.

---

784-841: LGTM! Validates custom package alias handling.

This test correctly verifies that custom session package aliases (line 799: sess "github.com/gofiber/fiber/v3/middleware/session") are properly detected and handled. Both store.Get() and store.GetByID() receive Release() calls when using the aliased import (lines 838-840).

---

417-489: LGTM! Validates real-world usage from gofiber/recipes.

This test uses a simplified version of the CSRF-with-session pattern from gofiber/recipes, ensuring the migration works on actual production patterns. The assertion correctly verifies that both store.Get() calls (lines 443, 458) each receive a defer Release() statement.

---

491-583: LGTM! Validates no false positives for ORM Get methods.

This test ensures that Ent ORM's Get and GetX methods (lines 553, 558) do NOT trigger Release() insertion since there's no session import. The assertion correctly verifies the file remains completely unchanged (line 582).

---

30-841: Excellent test coverage! Comprehensive validation of migration behavior.

The test suite thoroughly covers:

• ✅ Basic scenarios (Get, GetByID, existing defer, multiline error checks)
• ✅ Critical edge cases (same variable name in different functions, function-scoped type checking)
• ✅ Negative cases (middleware pattern, non-session Get methods, v2 imports, ORM methods)
• ✅ Real-world patterns (CSRF with session, Ent MySQL)
• ✅ Import variants (aliased imports, multiple store variables)
• ✅ Error handling (ignored errors, no error checks)

The tests directly validate the type-checking approach and ensure no false positives. Well done!

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

cmd/internal/migrations/v3/session_release.go (2)

189-221: Function boundary detection may miss edge cases.

The findFunctionBoundaries function uses simple string prefix matching for "func ", which could incorrectly match:

• Function declarations in comments
• The word "func" in string literals
• Method receivers: func (r *Receiver) Method()

While this works for typical code, consider using AST-based function boundary detection for robustness:

func findFunctionBoundaries(src string, lineNum int) (start, end int) {
    fset := token.NewFileSet()
    file, err := parser.ParseFile(fset, "", src, 0)
    if err != nil {
        return -1, -1
    }
    
    var fnStart, fnEnd int = -1, -1
    ast.Inspect(file, func(n ast.Node) bool {
        if fn, ok := n.(*ast.FuncDecl); ok {
            start := fset.Position(fn.Pos()).Line
            end := fset.Position(fn.End()).Line
            if start <= lineNum && lineNum <= end {
                fnStart, fnEnd = start-1, end
                return false
            }
        }
        return true
    })
    return fnStart, fnEnd
}

---

223-243: Import alias detection could be more robust.

The findSessionPackageAliases function uses simple string matching which could fail if:

• Import is within a block: import ( ... )
• Multiple spaces/tabs between alias and path
• Comments appear on the same line

Consider using AST-based import parsing:

func findSessionPackageAliases(src string) []string {
    fset := token.NewFileSet()
    file, err := parser.ParseFile(fset, "", src, parser.ImportsOnly)
    if err != nil {
        return []string{"session"} // fallback
    }
    
    var aliases []string
    for _, imp := range file.Imports {
        if imp.Path.Value == `"github.com/gofiber/fiber/v3/middleware/session"` {
            if imp.Name != nil {
                aliases = append(aliases, imp.Name.Name)
            } else {
                aliases = append(aliases, "session")
            }
        }
    }
    return aliases
}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 798a9bf and a0758b4.

📒 Files selected for processing (2)

• cmd/internal/migrations/v3/session_release.go (2 hunks)
• cmd/internal/migrations/v3/session_release_test.go (12 hunks)

🧰 Additional context used

🧬 Code graph analysis (2)

cmd/internal/migrations/v3/session_release.go (1)

cmd/internal/helpers.go (1)

• ChangeFileContent (54-110)

cmd/internal/migrations/v3/session_release_test.go (1)

cmd/internal/migrations/v3/session_release.go (1)

• MigrateSessionRelease (31-61)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build (1.25.x, ubuntu-latest)
• GitHub Check: Build (1.25.x, windows-latest)
• GitHub Check: Build (1.25.x, macos-latest)
• GitHub Check: Build (1.25.x, macos-13)

🔇 Additional comments (6)

cmd/internal/migrations/v3/session_release.go (4)

31-61: LGTM with minor observation on error handling.

The migration function structure is sound. The silent fallback on parse errors (line 47) means users won't see migration failures, which could hide issues but also provides robustness. This appears intentional since the function returns the original content unchanged.

---

71-150: Well-structured AST traversal for finding Store.Get() patterns.

The logic correctly identifies assignment statements with the pattern sess, err := store.Get(c) or sess, err := store.GetByID(ctx, id) by checking:

• Two left-hand side variables
• One right-hand side expression (call)
• Define token (:=)
• Method name is "Get" or "GetByID"

The delegation to isSessionStoreInFunction for validation is the right approach.

---

245-314: Defer insertion logic is well-designed.

The implementation correctly:

• Iterates in reverse to avoid line number shifts during insertion
• Preserves indentation from the original Get() line
• Checks for existing Release() calls to avoid duplicates
• Places defer after error handling blocks when present
• Falls back to immediate placement when no error check exists

The deduplication logic in hasExistingRelease using a small search window (±2 to +5 lines) is a pragmatic approach.

---

316-391: AST-based error block detection with sensible fallback.

The implementation correctly:

• Wraps code snippet for parsing (adds 2 lines: package + func declaration)
• Uses AST to find if statement end position
• Adjusts line numbers accounting for wrapper lines (line 354: -3 accounts for 2 wrapper lines + 1-based numbering)
• Falls back to brace counting when AST parsing fails
• Handles linter issues with nolint directives (lines 334, 338, 339, 341)
• Includes default case in switch statement (line 385) to satisfy linter

The brace-counting fallback is simple but adequate for typical error handling blocks.

cmd/internal/migrations/v3/session_release_test.go (2)

14-28: Well-designed test helper for module isolation.

The setupTestModule helper creates temporary directories within the project (using "." as base) so tests inherit the parent go.mod, enabling proper type resolution. The use of t.Helper() ensures accurate error reporting.

---

30-840: Comprehensive test coverage for migration scenarios.

The test suite covers all critical scenarios:

• ✅ Basic patterns (Get, GetByID)
• ✅ Deduplication of existing Release() calls
• ✅ Multiline error handling blocks
• ✅ Middleware patterns that should NOT trigger insertion
• ✅ False positives from non-session Get methods
• ✅ Multiple store variable naming patterns
• ✅ v2 import exclusion
• ✅ Real-world code patterns (CSRF, Ent ORM)
• ✅ Edge case: same variable name across different functions
• ✅ Import aliasing

The test setup using setupTestModule for proper type resolution context is well-designed.

Note: These tests depend on fixing the critical issue with undefined functions (identHasType and identAssignedFrom) in the main code. Once that's resolved, this test suite should provide solid validation.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

cmd/internal/migrations/v3/session_release_test.go (3)

14-28: Consider using t.Cleanup for more robust cleanup.

The helper delegates cleanup to the caller's defer, which works but could leave directories behind if a test panics before setting up the defer. Using t.Cleanup directly in the helper would be more robust:

 func setupTestModule(t *testing.T) string {
 	t.Helper()
 
 	// Create temp dir inside the project so it inherits go.mod
 	dir, err := os.MkdirTemp(".", "test_migration_")
 	require.NoError(t, err)
 
 	// Ensure it's absolute path
 	absDir, err := filepath.Abs(dir)
 	require.NoError(t, err)
 
+	t.Cleanup(func() {
+		_ = os.RemoveAll(absDir)
+	})
+
 	return absDir
 }

This would also allow removing the defer statements from each test.

---

362-368: Consider more precise assertion pattern.

The count assertion uses "defer sess" which is a partial match. While it works for this specific test content, a more precise pattern would be safer for future modifications:

-	assert.Equal(t, 3, strings.Count(result, "defer sess"), "Should add defer for all 3 store.Get() calls")
+	assert.Equal(t, 3, strings.Count(result, ".Release() // Important:"), "Should add defer for all 3 store.Get() calls")

This counts the actual injected Release() calls rather than partial variable name matches.

---

812-821: Variable shadows import alias - edge case worth documenting.

On line 814, the variable sess shadows the import alias sess (from line 798). This is intentional edge case testing but could benefit from a comment explaining this is deliberate:

 func backgroundTask(sessionID string) {
 	store := sess.NewStore()
+	// Note: variable 'sess' below intentionally shadows the import alias to test edge case handling
 	sess, err := store.GetByID(context.Background(), sessionID)

The test correctly expects the migration to use the local variable name for the Release() call.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a0758b4 and cbc032d.

📒 Files selected for processing (1)

• cmd/internal/migrations/v3/session_release_test.go (12 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

cmd/internal/migrations/v3/session_release_test.go (1)

cmd/internal/migrations/v3/session_release.go (1)

• MigrateSessionRelease (31-61)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build (1.25.x, ubuntu-latest)
• GitHub Check: Build (1.25.x, windows-latest)
• GitHub Check: Build (1.25.x, macos-13)
• GitHub Check: Build (1.25.x, macos-latest)

🔇 Additional comments (6)

cmd/internal/migrations/v3/session_release_test.go (6)

30-69: LGTM!

The basic test correctly validates that defer sess.Release() is injected after store.Get(c) calls with proper error checking.

---

205-252: LGTM!

Good coverage for the middleware pattern exclusion - session.FromContext should not receive Release() calls since the middleware manages the session lifecycle.

---

416-488: LGTM!

This real-world test case correctly validates that both closures accessing the parent-scoped store variable receive proper defer sess.Release() calls. The test properly verifies count and content of injected Release() calls.

---

705-781: LGTM!

Excellent test coverage for the critical scope isolation edge case. The verification logic correctly ensures that defer sess.Release() is only added within sessionHandler (where store is from session.NewStore()) and not in cacheHandler (where store is from cache.NewStore()).

---

254-310: LGTM!

Good negative test coverage ensuring non-session Get methods (CSRF locals, Ent ORM, cache) don't trigger false positive Release() injections. The test content correctly represents various common patterns that should be excluded.

---

584-635: LGTM!

This test correctly validates that Release() calls are added even when errors are ignored (blank identifier _) or not checked. The comment at lines 585-586 helpfully explains why this is safe (nil check in Release()).

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

cmd/internal/migrations/v3/session_release.go (1)

155-183: Scope/alias detection is correct but can be optimized and centralized.

isSessionStoreInFunction + checkStoreAssignment do the right thing semantically, but they recompute session aliases and compile a fresh regexp on every call, scanning potentially large substrings each time. For large files with many assignments this can add noticeable overhead during a repo-wide migration.

You could make this cheaper and easier to reason about by:

• Computing aliases := findSessionPackageAliases(src) once in findReleasePoints and passing it down.
• Precompiling a small set of regex patterns per (varName, alias) pair (or just using simple strings.Contains + a cheaper structural check) instead of regexp.MustCompile inside the loop.

This keeps behavior identical while reducing repeated work in the hot path.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cbc032d and 9d8fdba.

📒 Files selected for processing (1)

• cmd/internal/migrations/v3/session_release.go (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

cmd/internal/migrations/v3/session_release.go (1)

cmd/internal/helpers.go (1)

• ChangeFileContent (54-110)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cmd/internal/migrations/v3/session_release.go (1)

74-74: Remove unused cwd parameter.

The cwd parameter is marked as unused with _ but is still part of the function signature. If it's not needed, consider removing it entirely to clean up the API surface.

Apply this diff if the parameter is truly unnecessary:

-func addReleaseCallsWithTypes(content, _ string) (string, error) {
+func addReleaseCallsWithTypes(content string) (string, error) {

Then update the call site on line 46:

-		result, err := addReleaseCallsWithTypes(content, cwd)
+		result, err := addReleaseCallsWithTypes(content)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9d8fdba and a71f36a.

📒 Files selected for processing (1)

• cmd/internal/migrations/v3/session_release.go (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

cmd/internal/migrations/v3/session_release.go (1)

cmd/internal/helpers.go (1)

• ChangeFileContent (54-110)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build (1.25.x, ubuntu-latest)
• GitHub Check: Build (1.25.x, macos-13)
• GitHub Check: Build (1.25.x, macos-latest)
• GitHub Check: Build (1.25.x, windows-latest)

🔇 Additional comments (8)

cmd/internal/migrations/v3/session_release.go (8)

22-32: Documentation accurately reflects implementation limitations.

The updated doc comment correctly describes the heuristic-based approach and explicitly calls out that stores passed via parameters, returned from functions, or stored in structs are not tracked. This addresses the previous review concern about overstating capabilities.

---

154-184: LGTM! Store assignment verification is correctly implemented.

The refactored approach using checkStoreAssignment with regex-based pattern matching properly handles both := and = assignment operators, escapes variable and alias names correctly, and supports custom import aliases. This addresses the previous critical issue about undefined functions.

---

186-218: Function boundary detection is adequate for the heuristic approach.

The simple prefix matching for "func " aligns with the documented limitations of using source-level heuristics rather than full type checking. While this won't handle edge cases like functions mentioned in comments, it's appropriate for the stated design goals.

---

220-240: Alias detection logic is correct.

The function properly handles both default (unaliased) and custom-aliased session package imports. The string-based parsing is appropriate for this use case and aligns with the heuristic approach.

---

242-289: Defer insertion logic is well-structured.

The reverse iteration to maintain line indices, duplicate prevention via hasExistingRelease, and conditional placement after error blocks or immediately after the Get() call all demonstrate careful implementation. The indentation preservation ensures the inserted code respects the existing formatting.

---

313-365: Error block detection correctly implemented with AST parsing.

The line number calculation at lines 351-353 correctly maps AST positions back to the original source by accounting for the 2-line wrapper ("package main\nfunc f() {\n") and 1-based line numbering. The use of AST parsing as the primary method with a brace-counting fallback provides good robustness. The nolint comments for strings.Builder.WriteString appropriately document that these calls never fail.

---

367-435: Fallback brace-counting implementation is thorough and correct.

The function properly handles string literals (including escape sequences), both line and block comments, and counts braces accurately. The addition of the default case (lines 429-431) addresses the linter requirement. This provides a solid fallback when AST parsing fails.

---

99-101: The current implementation already handles all existing patterns in the codebase. A comprehensive search confirms that every store.Get() and store.GetByID() call uses short variable declaration (:=), not regular assignment (=). No patterns like sess, err = store.Get(c) exist in the code. The DEFINE-only check is therefore not a limitation in practice.

Likely an incorrect or invalid review comment.