Python: add new shared-CFG-backed control flow graph

Preparatory refactor for the shared-CFG dataflow migration. Adds the
new Python CFG library additively, without changing any production
behaviour.

Library additions:

- semmle.python.controlflow.internal.AstNodeImpl — mediates between
  the Python AST and the shared codeql.controlflow.ControlFlowGraph
  signature. Wraps Python's Stmt/Expr/Scope/Pattern and adds two
  synthetic kinds of node (BlockStmt for body slots, intermediate
  nodes for multi-operand boolean expressions).

- semmle.python.controlflow.internal.Cfg — public facade
  re-exposing the same API surface as semmle/python/Flow.qll
  (ControlFlowNode, CallNode, BasicBlock, NameNode, DefinitionNode,
  CompareNode, ...), backed by the shared CFG.

- lib/printCfgNew.ql — debug/visualisation query for the new CFG.

- consistency-queries/CfgConsistency.ql — consistency query running
  the shared CFG's standard checks against Python.

Shared library:

- shared.controlflow.ControlFlowGraph — adds two defaulted
  getWhileElse / getForeachElse predicates to AstSig so Python can
  model while-else / for-else (no behavioural change for other
  languages).

Test additions:

- ControlFlow/bindings/* — annotation-driven SSA-binding tests for
  the new CFG (annassign, compound, comprehension, decorated,
  except_handler, imports, match_pattern, parameters, simple,
  type_params, walrus_starred, with_stmt, dead_under_no_raise).

- ControlFlow/store-load/* — basic store/load coverage.

- ControlFlow/evaluation-order/NewCfg*.ql — mirrors of the existing
  OldCfg evaluation-order self-validation suite, run against the
  new CFG via NewCfgImpl.qll.

- Minor extensions to existing test_if.py / test_boolean.py +
  cosmetic .expected churn on a handful of OldCfg tests.

No dataflow, SSA, or production query is migrated yet — that lands in
follow-up PRs. The new CFG library has zero callers in lib/ and src/.

Verified by:
- All lib + src + consistency-queries compile clean (367 queries).
- All 56 ControlFlow library-tests pass.
- All 474 dataflow + PointsTo library-tests + consistency tests pass.
- syntax_error/CONSISTENCY/CfgConsistency passes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

python/ql/consistency-queries/CfgConsistency.ql

@@ -0,0 +1,2 @@
+import semmle.python.controlflow.internal.AstNodeImpl
+import ControlFlow::Consistency

python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A new Python control flow graph implementation has been added under `semmle.python.controlflow.internal.Cfg` (backed by `AstNodeImpl.qll`), built on the shared `codeql.controlflow.ControlFlowGraph` library. It is not yet used by the dataflow library or any production query; the legacy CFG in `semmle/python/Flow.qll` remains the default. The new library is exposed for tests and for upcoming migrations.

python/ql/lib/printCfgNew.ql

@@ -0,0 +1,45 @@
+/**
+ * @name Print CFG (New)
+ * @description Produces a representation of a file's Control Flow Graph
+ *              using the new shared control flow library.
+ *              This query is used by the VS Code extension.
+ * @id python/print-cfg
+ * @kind graph
+ * @tags ide-contextual-queries/print-cfg
+ */
+
+private import python as Py
+import semmle.python.controlflow.internal.AstNodeImpl
+
+external string selectedSourceFile();
+
+private predicate selectedSourceFileAlias = selectedSourceFile/0;
+
+external int selectedSourceLine();
+
+private predicate selectedSourceLineAlias = selectedSourceLine/0;
+
+external int selectedSourceColumn();
+
+private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
+
+module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<Py::File> {
+  predicate selectedSourceFile = selectedSourceFileAlias/0;
+
+  predicate selectedSourceLine = selectedSourceLineAlias/0;
+
+  predicate selectedSourceColumn = selectedSourceColumnAlias/0;
+
+  predicate cfgScopeSpan(
+    Ast::Callable callable, Py::File file, int startLine, int startColumn, int endLine,
+    int endColumn
+  ) {
+    exists(Py::Scope scope |
+      scope = callable.asScope() and
+      file = scope.getLocation().getFile() and
+      scope.getLocation().hasLocationInfo(_, startLine, startColumn, endLine, endColumn)
+    )
+  }
+}
+
+import ControlFlow::ViewCfgQuery<Py::File, ViewCfgQueryInput>

python/ql/lib/semmle/python/Flow.qll

@@ -1,7 +1,7 @@
 overlay[local]
 module;
 
-import python
+import python as Py
 private import semmle.python.internal.CachedStages
 private import codeql.controlflow.BasicBlock as BB
 
@@ -17,7 +17,7 @@ private import codeql.controlflow.BasicBlock as BB
  */
 
 private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
-  exists(Expr load_store | exists(AugAssign aa | aa.getTarget() = load_store) |
+  exists(Py::Expr load_store | exists(Py::AugAssign aa | aa.getTarget() = load_store) |
     toAst(load) = load_store and
     toAst(store) = load_store and
     load.strictlyDominates(store)
@@ -25,7 +25,7 @@ private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
 }
 
 /** A non-dispatched getNode() to avoid negative recursion issues */
-private AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
+private Py::AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
 
 /**
  * A control flow node. Control flow nodes have a many-to-one relation with syntactic nodes,
@@ -35,19 +35,19 @@ private AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
 class ControlFlowNode extends @py_flow_node {
   /** Whether this control flow node is a load (including those in augmented assignments) */
   predicate isLoad() {
-    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
+    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
   }
 
   /** Whether this control flow node is a store (including those in augmented assignments) */
   predicate isStore() {
-    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
+    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
   }
 
   /** Whether this control flow node is a delete */
-  predicate isDelete() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }
+  predicate isDelete() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }
 
   /** Whether this control flow node is a parameter */
-  predicate isParameter() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }
+  predicate isParameter() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }
 
   /** Whether this control flow node is a store in an augmented assignment */
   predicate isAugStore() { augstore(_, this) }
@@ -57,61 +57,61 @@ class ControlFlowNode extends @py_flow_node {
 
   /** Whether this flow node corresponds to a literal */
   predicate isLiteral() {
-    toAst(this) instanceof Bytes
+    toAst(this) instanceof Py::Bytes
     or
-    toAst(this) instanceof Dict
+    toAst(this) instanceof Py::Dict
     or
-    toAst(this) instanceof DictComp
+    toAst(this) instanceof Py::DictComp
     or
-    toAst(this) instanceof Set
+    toAst(this) instanceof Py::Set
     or
-    toAst(this) instanceof SetComp
+    toAst(this) instanceof Py::SetComp
     or
-    toAst(this) instanceof Ellipsis
+    toAst(this) instanceof Py::Ellipsis
     or
-    toAst(this) instanceof GeneratorExp
+    toAst(this) instanceof Py::GeneratorExp
     or
-    toAst(this) instanceof Lambda
+    toAst(this) instanceof Py::Lambda
     or
-    toAst(this) instanceof ListComp
+    toAst(this) instanceof Py::ListComp
     or
-    toAst(this) instanceof List
+    toAst(this) instanceof Py::List
     or
-    toAst(this) instanceof Num
+    toAst(this) instanceof Py::Num
     or
-    toAst(this) instanceof Tuple
+    toAst(this) instanceof Py::Tuple
     or
-    toAst(this) instanceof Unicode
+    toAst(this) instanceof Py::Unicode
     or
-    toAst(this) instanceof NameConstant
+    toAst(this) instanceof Py::NameConstant
   }
 
   /** Whether this flow node corresponds to an attribute expression */
-  predicate isAttribute() { toAst(this) instanceof Attribute }
+  predicate isAttribute() { toAst(this) instanceof Py::Attribute }
 
   /** Whether this flow node corresponds to an subscript expression */
-  predicate isSubscript() { toAst(this) instanceof Subscript }
+  predicate isSubscript() { toAst(this) instanceof Py::Subscript }
 
   /** Whether this flow node corresponds to an import member */
-  predicate isImportMember() { toAst(this) instanceof ImportMember }
+  predicate isImportMember() { toAst(this) instanceof Py::ImportMember }
 
   /** Whether this flow node corresponds to a call */
-  predicate isCall() { toAst(this) instanceof Call }
+  predicate isCall() { toAst(this) instanceof Py::Call }
 
   /** Whether this flow node is the first in a module */
-  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Module }
+  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Py::Module }
 
   /** Whether this flow node corresponds to an import */
-  predicate isImport() { toAst(this) instanceof ImportExpr }
+  predicate isImport() { toAst(this) instanceof Py::ImportExpr }
 
   /** Whether this flow node corresponds to a conditional expression */
-  predicate isIfExp() { toAst(this) instanceof IfExp }
+  predicate isIfExp() { toAst(this) instanceof Py::IfExp }
 
   /** Whether this flow node corresponds to a function definition expression */
-  predicate isFunction() { toAst(this) instanceof FunctionExpr }
+  predicate isFunction() { toAst(this) instanceof Py::FunctionExpr }
 
   /** Whether this flow node corresponds to a class definition expression */
-  predicate isClass() { toAst(this) instanceof ClassExpr }
+  predicate isClass() { toAst(this) instanceof Py::ClassExpr }
 
   /** Gets a predecessor of this flow node */
   ControlFlowNode getAPredecessor() { this = result.getASuccessor() }
@@ -123,25 +123,25 @@ class ControlFlowNode extends @py_flow_node {
   ControlFlowNode getImmediateDominator() { py_idoms(this, result) }
 
   /** Gets the syntactic element corresponding to this flow node */
-  AstNode getNode() { py_flow_bb_node(this, result, _, _) }
+  Py::AstNode getNode() { py_flow_bb_node(this, result, _, _) }
 
   /** Gets a textual representation of this element. */
   cached
   string toString() {
     Stages::AST::ref() and
     // Since modules can have ambigous names, entry nodes can too, if we do not collate them.
-    exists(Scope s | s.getEntryNode() = this |
+    exists(Py::Scope s | s.getEntryNode() = this |
       result = "Entry node for " + concat( | | s.toString(), ",")
     )
     or
-    exists(Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
+    exists(Py::Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
     or
-    not exists(Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
+    not exists(Py::Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
     result = "ControlFlowNode for " + this.getNode().toString()
   }
 
   /** Gets the location of this ControlFlowNode */
-  Location getLocation() { result = this.getNode().getLocation() }
+  Py::Location getLocation() { result = this.getNode().getLocation() }
 
   /** Whether this flow node is the first in its scope */
   predicate isEntryNode() { py_scope_flow(this, _, -1) }
@@ -151,9 +151,9 @@ class ControlFlowNode extends @py_flow_node {
 
   /** Gets the scope containing this flow node */
   cached
-  Scope getScope() {
+  Py::Scope getScope() {
     Stages::AST::ref() and
-    if this.getNode() instanceof Scope
+    if this.getNode() instanceof Py::Scope
     then
       /* Entry or exit node */
       result = this.getNode()
@@ -161,7 +161,7 @@ class ControlFlowNode extends @py_flow_node {
   }
 
   /** Gets the enclosing module */
-  Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }
+  Py::Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }
 
   /** Gets a successor for this node if the relevant condition is True. */
   ControlFlowNode getATrueSuccessor() {
@@ -188,7 +188,7 @@ class ControlFlowNode extends @py_flow_node {
   }
 
   /** Whether the scope may be exited as a result of this node raising an exception */
-  predicate isExceptionalExit(Scope s) { py_scope_flow(this, s, 1) }
+  predicate isExceptionalExit(Py::Scope s) { py_scope_flow(this, s, 1) }
 
   /** Whether this node is a normal (non-exceptional) exit */
   predicate isNormalExit() { py_scope_flow(this, _, 0) or py_scope_flow(this, _, 2) }
@@ -236,7 +236,7 @@ class ControlFlowNode extends @py_flow_node {
   /* join-ordering helper for `getAChild() */
   pragma[noinline]
   private ControlFlowNode getExprChild(BasicBlock dom) {
-    this.getNode().(Expr).getAChildNode() = result.getNode() and
+    this.getNode().(Py::Expr).getAChildNode() = result.getNode() and
     result.getBasicBlock().dominates(dom) and
     not this instanceof UnaryExprNode
   }
@@ -249,16 +249,16 @@ class ControlFlowNode extends @py_flow_node {
  */
 
 private class AnyNode extends ControlFlowNode {
-  override AstNode getNode() { result = super.getNode() }
+  override Py::AstNode getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a call expression, such as `func(...)` */
 class CallNode extends ControlFlowNode {
-  CallNode() { toAst(this) instanceof Call }
+  CallNode() { toAst(this) instanceof Py::Call }
 
   /** Gets the flow node corresponding to the function expression for the call corresponding to this flow node */
   ControlFlowNode getFunction() {
-    exists(Call c |
+    exists(Py::Call c |
       this.getNode() = c and
       c.getFunc() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -267,7 +267,7 @@ class CallNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the n'th positional argument of the call corresponding to this flow node */
   ControlFlowNode getArg(int n) {
-    exists(Call c |
+    exists(Py::Call c |
       this.getNode() = c and
       c.getArg(n) = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -276,7 +276,7 @@ class CallNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the named argument of the call corresponding to this flow node */
   ControlFlowNode getArgByName(string name) {
-    exists(Call c, Keyword k |
+    exists(Py::Call c, Py::Keyword k |
       this.getNode() = c and
       k = c.getANamedArg() and
       k.getValue() = result.getNode() and
@@ -292,7 +292,7 @@ class CallNode extends ControlFlowNode {
     result = this.getArgByName(_)
   }
 
-  override Call getNode() { result = super.getNode() }
+  override Py::Call getNode() { result = super.getNode() }
 
   predicate isDecoratorCall() {
     this.isClassDecoratorCall()
@@ -301,11 +301,11 @@ class CallNode extends ControlFlowNode {
   }
 
   predicate isClassDecoratorCall() {
-    exists(ClassExpr cls | this.getNode() = cls.getADecoratorCall())
+    exists(Py::ClassExpr cls | this.getNode() = cls.getADecoratorCall())
   }
 
   predicate isFunctionDecoratorCall() {
-    exists(FunctionExpr func | this.getNode() = func.getADecoratorCall())
+    exists(Py::FunctionExpr func | this.getNode() = func.getADecoratorCall())
   }
 
   /** Gets the first tuple (*) argument of this call, if any. */
@@ -323,11 +323,11 @@ class CallNode extends ControlFlowNode {
 
 /** A control flow corresponding to an attribute expression, such as `value.attr` */
 class AttrNode extends ControlFlowNode {
-  AttrNode() { toAst(this) instanceof Attribute }
+  AttrNode() { toAst(this) instanceof Py::Attribute }
 
   /** Gets the flow node corresponding to the object of the attribute expression corresponding to this flow node */
   ControlFlowNode getObject() {
-    exists(Attribute a |
+    exists(Py::Attribute a |
       this.getNode() = a and
       a.getObject() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -339,7 +339,7 @@ class AttrNode extends ControlFlowNode {
    * with the matching name
    */
   ControlFlowNode getObject(string name) {
-    exists(Attribute a |
+    exists(Py::Attribute a |
       this.getNode() = a and
       a.getObject() = result.getNode() and
       a.getName() = name and
@@ -348,57 +348,57 @@ class AttrNode extends ControlFlowNode {
   }
 
   /** Gets the attribute name of the attribute expression corresponding to this flow node */
-  string getName() { exists(Attribute a | this.getNode() = a and a.getName() = result) }
+  string getName() { exists(Py::Attribute a | this.getNode() = a and a.getName() = result) }
 
-  override Attribute getNode() { result = super.getNode() }
+  override Py::Attribute getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a `from ... import ...` expression */
 class ImportMemberNode extends ControlFlowNode {
-  ImportMemberNode() { toAst(this) instanceof ImportMember }
+  ImportMemberNode() { toAst(this) instanceof Py::ImportMember }
 
   /**
    * Gets the flow node corresponding to the module in the import-member expression corresponding to this flow node,
    * with the matching name
    */
   ControlFlowNode getModule(string name) {
-    exists(ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
+    exists(Py::ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
       i.getName() = name and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override ImportMember getNode() { result = super.getNode() }
+  override Py::ImportMember getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to an artificial expression representing an import */
 class ImportExprNode extends ControlFlowNode {
-  ImportExprNode() { toAst(this) instanceof ImportExpr }
+  ImportExprNode() { toAst(this) instanceof Py::ImportExpr }
 
-  override ImportExpr getNode() { result = super.getNode() }
+  override Py::ImportExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a `from ... import *` statement */
 class ImportStarNode extends ControlFlowNode {
-  ImportStarNode() { toAst(this) instanceof ImportStar }
+  ImportStarNode() { toAst(this) instanceof Py::ImportStar }
 
   /** Gets the flow node corresponding to the module in the import-star corresponding to this flow node */
   ControlFlowNode getModule() {
-    exists(ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
+    exists(Py::ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override ImportStar getNode() { result = super.getNode() }
+  override Py::ImportStar getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a subscript expression, such as `value[slice]` */
 class SubscriptNode extends ControlFlowNode {
-  SubscriptNode() { toAst(this) instanceof Subscript }
+  SubscriptNode() { toAst(this) instanceof Py::Subscript }
 
   /** flow node corresponding to the value of the sequence in a subscript operation */
   ControlFlowNode getObject() {
-    exists(Subscript s |
+    exists(Py::Subscript s |
       this.getNode() = s and
       s.getObject() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -407,23 +407,23 @@ class SubscriptNode extends ControlFlowNode {
 
   /** flow node corresponding to the index in a subscript operation */
   ControlFlowNode getIndex() {
-    exists(Subscript s |
+    exists(Py::Subscript s |
       this.getNode() = s and
       s.getIndex() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Subscript getNode() { result = super.getNode() }
+  override Py::Subscript getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a comparison operation, such as `x<y` */
 class CompareNode extends ControlFlowNode {
-  CompareNode() { toAst(this) instanceof Compare }
+  CompareNode() { toAst(this) instanceof Py::Compare }
 
   /** Whether left and right are a pair of operands for this comparison */
-  predicate operands(ControlFlowNode left, Cmpop op, ControlFlowNode right) {
-    exists(Compare c, Expr eleft, Expr eright |
+  predicate operands(ControlFlowNode left, Py::Cmpop op, ControlFlowNode right) {
+    exists(Py::Compare c, Py::Expr eleft, Py::Expr eright |
       this.getNode() = c and left.getNode() = eleft and right.getNode() = eright
     |
       eleft = c.getLeft() and eright = c.getComparator(0) and op = c.getOp(0)
@@ -436,26 +436,26 @@ class CompareNode extends ControlFlowNode {
     right.getBasicBlock().dominates(this.getBasicBlock())
   }
 
-  override Compare getNode() { result = super.getNode() }
+  override Py::Compare getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a conditional expression such as, `body if test else orelse` */
 class IfExprNode extends ControlFlowNode {
-  IfExprNode() { toAst(this) instanceof IfExp }
+  IfExprNode() { toAst(this) instanceof Py::IfExp }
 
   /** flow node corresponding to one of the operands of an if-expression */
   ControlFlowNode getAnOperand() { result = this.getAPredecessor() }
 
-  override IfExp getNode() { result = super.getNode() }
+  override Py::IfExp getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to an assignment expression such as `lhs := rhs`. */
 class AssignmentExprNode extends ControlFlowNode {
-  AssignmentExprNode() { toAst(this) instanceof AssignExpr }
+  AssignmentExprNode() { toAst(this) instanceof Py::AssignExpr }
 
   /** Gets the flow node corresponding to the left-hand side of the assignment expression */
   ControlFlowNode getTarget() {
-    exists(AssignExpr a |
+    exists(Py::AssignExpr a |
       this.getNode() = a and
       a.getTarget() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -464,27 +464,27 @@ class AssignmentExprNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the right-hand side of the assignment expression */
   ControlFlowNode getValue() {
-    exists(AssignExpr a |
+    exists(Py::AssignExpr a |
       this.getNode() = a and
       a.getValue() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override AssignExpr getNode() { result = super.getNode() }
+  override Py::AssignExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a binary expression, such as `x + y` */
 class BinaryExprNode extends ControlFlowNode {
-  BinaryExprNode() { toAst(this) instanceof BinaryExpr }
+  BinaryExprNode() { toAst(this) instanceof Py::BinaryExpr }
 
   /** flow node corresponding to one of the operands of a binary expression */
   ControlFlowNode getAnOperand() { result = this.getLeft() or result = this.getRight() }
 
-  override BinaryExpr getNode() { result = super.getNode() }
+  override Py::BinaryExpr getNode() { result = super.getNode() }
 
   ControlFlowNode getLeft() {
-    exists(BinaryExpr b |
+    exists(Py::BinaryExpr b |
       this.getNode() = b and
       result.getNode() = b.getLeft() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -492,7 +492,7 @@ class BinaryExprNode extends ControlFlowNode {
   }
 
   ControlFlowNode getRight() {
-    exists(BinaryExpr b |
+    exists(Py::BinaryExpr b |
       this.getNode() = b and
       result.getNode() = b.getRight() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -500,11 +500,11 @@ class BinaryExprNode extends ControlFlowNode {
   }
 
   /** Gets the operator of this binary expression node. */
-  Operator getOp() { result = this.getNode().getOp() }
+  Py::Operator getOp() { result = this.getNode().getOp() }
 
   /** Whether left and right are a pair of operands for this binary expression */
-  predicate operands(ControlFlowNode left, Operator op, ControlFlowNode right) {
-    exists(BinaryExpr b, Expr eleft, Expr eright |
+  predicate operands(ControlFlowNode left, Py::Operator op, ControlFlowNode right) {
+    exists(Py::BinaryExpr b, Py::Expr eleft, Py::Expr eright |
       this.getNode() = b and left.getNode() = eleft and right.getNode() = eright
     |
       eleft = b.getLeft() and eright = b.getRight() and op = b.getOp()
@@ -516,20 +516,20 @@ class BinaryExprNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a boolean shortcut (and/or) operation */
 class BoolExprNode extends ControlFlowNode {
-  BoolExprNode() { toAst(this) instanceof BoolExpr }
+  BoolExprNode() { toAst(this) instanceof Py::BoolExpr }
 
   /** flow node corresponding to one of the operands of a boolean expression */
   ControlFlowNode getAnOperand() {
-    exists(BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
+    exists(Py::BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
     this.getBasicBlock().dominates(result.getBasicBlock())
   }
 
-  override BoolExpr getNode() { result = super.getNode() }
+  override Py::BoolExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a unary expression: (`+x`), (`-x`) or (`~x`) */
 class UnaryExprNode extends ControlFlowNode {
-  UnaryExprNode() { toAst(this) instanceof UnaryExpr }
+  UnaryExprNode() { toAst(this) instanceof Py::UnaryExpr }
 
   /**
    * Gets flow node corresponding to the operand of a unary expression.
@@ -540,7 +540,7 @@ class UnaryExprNode extends ControlFlowNode {
    */
   ControlFlowNode getOperand() { result = this.getAPredecessor() }
 
-  override UnaryExpr getNode() { result = super.getNode() }
+  override Py::UnaryExpr getNode() { result = super.getNode() }
 
   override ControlFlowNode getAChild() { result = this.getAPredecessor() }
 }
@@ -555,22 +555,22 @@ class DefinitionNode extends ControlFlowNode {
   cached
   DefinitionNode() {
     Stages::AST::ref() and
-    exists(Assign a | this.getNode() = a.getATarget())
+    exists(Py::Assign a | this.getNode() = a.getATarget())
     or
-    exists(AssignExpr a | this.getNode() = a.getTarget())
+    exists(Py::AssignExpr a | this.getNode() = a.getTarget())
     or
-    exists(AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
+    exists(Py::AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
     or
-    exists(Alias a | this.getNode() = a.getAsname())
+    exists(Py::Alias a | this.getNode() = a.getAsname())
     or
     augstore(_, this)
     or
     // `x, y = 1, 2` where LHS is a combination of list or tuples
-    exists(Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
+    exists(Py::Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
     or
-    exists(For for | this.getNode() = for.getTarget())
+    exists(Py::For for | this.getNode() = for.getTarget())
     or
-    exists(Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
+    exists(Py::Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
   }
 
   /** flow node corresponding to the value assigned for the definition corresponding to this flow node */
@@ -584,16 +584,16 @@ class DefinitionNode extends ControlFlowNode {
       // since the default value for a parameter is evaluated in the same basic block as
       // the function definition, but the parameter belongs to the basic block of the function,
       // there is no dominance relationship between the two.
-      exists(Parameter param | this.getNode() = param.asName())
+      exists(Py::Parameter param | this.getNode() = param.asName())
     )
   }
 }
 
-private Expr list_or_tuple_nested_element(Expr list_or_tuple) {
-  exists(Expr elt |
-    elt = list_or_tuple.(Tuple).getAnElt()
+private Py::Expr list_or_tuple_nested_element(Py::Expr list_or_tuple) {
+  exists(Py::Expr elt |
+    elt = list_or_tuple.(Py::Tuple).getAnElt()
     or
-    elt = list_or_tuple.(List).getAnElt()
+    elt = list_or_tuple.(Py::List).getAnElt()
   |
     result = elt
     or
@@ -603,12 +603,12 @@ private Expr list_or_tuple_nested_element(Expr list_or_tuple) {
 
 /**
  * A control flow node corresponding to a deletion statement, such as `del x`.
- * There can be multiple `DeletionNode`s for each `Delete` such that each
+ * There can be multiple `DeletionNode`s for each `Py::Delete` such that each
  * target has own `DeletionNode`. The CFG for `del a, x.y` looks like:
  * `NameNode('a') -> DeletionNode -> NameNode('b') -> AttrNode('y') -> DeletionNode`.
  */
 class DeletionNode extends ControlFlowNode {
-  DeletionNode() { toAst(this) instanceof Delete }
+  DeletionNode() { toAst(this) instanceof Py::Delete }
 
   /** Gets the unique target of this deletion node. */
   ControlFlowNode getTarget() { result.getASuccessor() = this }
@@ -617,9 +617,9 @@ class DeletionNode extends ControlFlowNode {
 /** A control flow node corresponding to a sequence (tuple or list) literal */
 abstract class SequenceNode extends ControlFlowNode {
   SequenceNode() {
-    toAst(this) instanceof Tuple
+    toAst(this) instanceof Py::Tuple
     or
-    toAst(this) instanceof List
+    toAst(this) instanceof Py::List
   }
 
   /** Gets the control flow node for an element of this sequence */
@@ -632,11 +632,11 @@ abstract class SequenceNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a tuple expression such as `( 1, 3, 5, 7, 9 )` */
 class TupleNode extends SequenceNode {
-  TupleNode() { toAst(this) instanceof Tuple }
+  TupleNode() { toAst(this) instanceof Py::Tuple }
 
   override ControlFlowNode getElement(int n) {
     Stages::AST::ref() and
-    exists(Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
+    exists(Py::Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -647,10 +647,10 @@ class TupleNode extends SequenceNode {
 
 /** A control flow node corresponding to a list expression, such as `[ 1, 3, 5, 7, 9 ]` */
 class ListNode extends SequenceNode {
-  ListNode() { toAst(this) instanceof List }
+  ListNode() { toAst(this) instanceof Py::List }
 
   override ControlFlowNode getElement(int n) {
-    exists(List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
+    exists(Py::List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -661,10 +661,10 @@ class ListNode extends SequenceNode {
 
 /** A control flow node corresponding to a set expression, such as `{ 1, 3, 5, 7, 9 }` */
 class SetNode extends ControlFlowNode {
-  SetNode() { toAst(this) instanceof Set }
+  SetNode() { toAst(this) instanceof Py::Set }
 
   ControlFlowNode getAnElement() {
-    exists(Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
+    exists(Py::Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -675,20 +675,20 @@ class SetNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a dictionary literal, such as `{ 'a': 1, 'b': 2 }` */
 class DictNode extends ControlFlowNode {
-  DictNode() { toAst(this) instanceof Dict }
+  DictNode() { toAst(this) instanceof Py::Dict }
 
   /**
    * Gets a key of this dictionary literal node, for those items that have keys
    * E.g, in {'a':1, **b} this returns only 'a'
    */
   ControlFlowNode getAKey() {
-    exists(Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
+    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
     result.getBasicBlock().dominates(this.getBasicBlock())
   }
 
   /** Gets a value of this dictionary literal node */
   ControlFlowNode getAValue() {
-    exists(Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
+    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
     result.getBasicBlock().dominates(this.getBasicBlock())
   }
 }
@@ -712,21 +712,23 @@ class IterableNode extends ControlFlowNode {
   }
 }
 
-private AstNode assigned_value(Expr lhs) {
+private Py::AstNode assigned_value(Py::Expr lhs) {
   /* lhs = result */
-  exists(Assign a | a.getATarget() = lhs and result = a.getValue())
+  exists(Py::Assign a | a.getATarget() = lhs and result = a.getValue())
   or
   /* lhs := result */
-  exists(AssignExpr a | a.getTarget() = lhs and result = a.getValue())
+  exists(Py::AssignExpr a | a.getTarget() = lhs and result = a.getValue())
   or
   /* lhs : annotation = result */
-  exists(AnnAssign a | a.getTarget() = lhs and result = a.getValue())
+  exists(Py::AnnAssign a | a.getTarget() = lhs and result = a.getValue())
   or
   /* import result as lhs */
-  exists(Alias a | a.getAsname() = lhs and result = a.getValue())
+  exists(Py::Alias a | a.getAsname() = lhs and result = a.getValue())
   or
   /* lhs += x  =>  result = (lhs + x) */
-  exists(AugAssign a, BinaryExpr b | b = a.getOperation() and result = b and lhs = b.getLeft())
+  exists(Py::AugAssign a, Py::BinaryExpr b |
+    b = a.getOperation() and result = b and lhs = b.getLeft()
+  )
   or
   /*
    * ..., lhs, ... = ..., result, ...
@@ -734,31 +736,31 @@ private AstNode assigned_value(Expr lhs) {
    * ..., (..., lhs, ...), ... = ..., (..., result, ...), ...
    */
 
-  exists(Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
+  exists(Py::Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
   or
   /* for lhs in seq: => `result` is the `for` node, representing the `iter(next(seq))` operation. */
-  result.(For).getTarget() = lhs
+  result.(Py::For).getTarget() = lhs
   or
-  exists(Parameter param | lhs = param.asName() and result = param.getDefault())
+  exists(Py::Parameter param | lhs = param.asName() and result = param.getDefault())
 }
 
 predicate nested_sequence_assign(
-  Expr left_parent, Expr right_parent, Expr left_result, Expr right_result
+  Py::Expr left_parent, Py::Expr right_parent, Py::Expr left_result, Py::Expr right_result
 ) {
-  exists(Assign a |
+  exists(Py::Assign a |
     a.getATarget().getASubExpression*() = left_parent and
     a.getValue().getASubExpression*() = right_parent
   ) and
-  exists(int i, Expr left_elem, Expr right_elem |
+  exists(int i, Py::Expr left_elem, Py::Expr right_elem |
     (
-      left_elem = left_parent.(Tuple).getElt(i)
+      left_elem = left_parent.(Py::Tuple).getElt(i)
       or
-      left_elem = left_parent.(List).getElt(i)
+      left_elem = left_parent.(Py::List).getElt(i)
     ) and
     (
-      right_elem = right_parent.(Tuple).getElt(i)
+      right_elem = right_parent.(Py::Tuple).getElt(i)
       or
-      right_elem = right_parent.(List).getElt(i)
+      right_elem = right_parent.(Py::List).getElt(i)
     )
   |
     left_result = left_elem and right_result = right_elem
@@ -769,9 +771,9 @@ predicate nested_sequence_assign(
 
 /** A flow node for a `for` statement. */
 class ForNode extends ControlFlowNode {
-  ForNode() { toAst(this) instanceof For }
+  ForNode() { toAst(this) instanceof Py::For }
 
-  override For getNode() { result = super.getNode() }
+  override Py::For getNode() { result = super.getNode() }
 
   /** Holds if this `for` statement causes iteration over `sequence` storing each step of the iteration in `target` */
   predicate iterates(ControlFlowNode target, ControlFlowNode sequence) {
@@ -782,7 +784,7 @@ class ForNode extends ControlFlowNode {
 
   /** Gets the sequence node for this `for` statement. */
   ControlFlowNode getSequence() {
-    exists(For for |
+    exists(Py::For for |
       toAst(this) = for and
       for.getIter() = result.getNode()
     |
@@ -792,7 +794,7 @@ class ForNode extends ControlFlowNode {
 
   /** A possible `target` for this `for` statement, not accounting for loop unrolling */
   private ControlFlowNode possibleTarget() {
-    exists(For for |
+    exists(Py::For for |
       toAst(this) = for and
       for.getTarget() = result.getNode() and
       this.getBasicBlock().dominates(result.getBasicBlock())
@@ -809,11 +811,11 @@ class ForNode extends ControlFlowNode {
 
 /** A flow node for a `raise` statement */
 class RaiseStmtNode extends ControlFlowNode {
-  RaiseStmtNode() { toAst(this) instanceof Raise }
+  RaiseStmtNode() { toAst(this) instanceof Py::Raise }
 
   /** Gets the control flow node for the exception raised by this raise statement */
   ControlFlowNode getException() {
-    exists(Raise r |
+    exists(Py::Raise r |
       r = toAst(this) and
       r.getException() = toAst(result) and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -827,36 +829,36 @@ class RaiseStmtNode extends ControlFlowNode {
  */
 class NameNode extends ControlFlowNode {
   NameNode() {
-    exists(Name n | py_flow_bb_node(this, n, _, _))
+    exists(Py::Name n | py_flow_bb_node(this, n, _, _))
     or
-    exists(PlaceHolder p | py_flow_bb_node(this, p, _, _))
+    exists(Py::PlaceHolder p | py_flow_bb_node(this, p, _, _))
   }
 
   /** Whether this flow node defines the variable `v`. */
-  predicate defines(Variable v) {
-    exists(Name d | this.getNode() = d and d.defines(v)) and
+  predicate defines(Py::Variable v) {
+    exists(Py::Name d | this.getNode() = d and d.defines(v)) and
     not this.isLoad()
   }
 
   /** Whether this flow node deletes the variable `v`. */
-  predicate deletes(Variable v) { exists(Name d | this.getNode() = d and d.deletes(v)) }
+  predicate deletes(Py::Variable v) { exists(Py::Name d | this.getNode() = d and d.deletes(v)) }
 
   /** Whether this flow node uses the variable `v`. */
-  predicate uses(Variable v) {
+  predicate uses(Py::Variable v) {
     this.isLoad() and
-    exists(Name u | this.getNode() = u and u.uses(v))
+    exists(Py::Name u | this.getNode() = u and u.uses(v))
     or
-    exists(PlaceHolder u |
-      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Load
+    exists(Py::PlaceHolder u |
+      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Py::Load
     )
     or
     Scopes::use_of_global_variable(this, v.getScope(), v.getId())
   }
 
   string getId() {
-    result = this.getNode().(Name).getId()
+    result = this.getNode().(Py::Name).getId()
     or
-    result = this.getNode().(PlaceHolder).getId()
+    result = this.getNode().(Py::PlaceHolder).getId()
   }
 
   /** Whether this is a use of a local variable. */
@@ -868,37 +870,39 @@ class NameNode extends ControlFlowNode {
   /** Whether this is a use of a global (including builtin) variable. */
   predicate isGlobal() { Scopes::use_of_global_variable(this, _, _) }
 
-  predicate isSelf() { exists(SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this) }
+  predicate isSelf() {
+    exists(Py::SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this)
+  }
 }
 
 /** A control flow node corresponding to a named constant, one of `None`, `True` or `False`. */
 class NameConstantNode extends NameNode {
-  NameConstantNode() { exists(NameConstant n | py_flow_bb_node(this, n, _, _)) }
+  NameConstantNode() { exists(Py::NameConstant n | py_flow_bb_node(this, n, _, _)) }
   /*
    * We ought to override uses as well, but that has
    * a serious performance impact.
-   *    deprecated predicate uses(Variable v) { none() }
+   *    deprecated predicate uses(Py::Variable v) { none() }
    */
 
   }
 
 /** A control flow node corresponding to a starred expression, `*a`. */
 class StarredNode extends ControlFlowNode {
-  StarredNode() { toAst(this) instanceof Starred }
+  StarredNode() { toAst(this) instanceof Py::Starred }
 
-  ControlFlowNode getValue() { toAst(result) = toAst(this).(Starred).getValue() }
+  ControlFlowNode getValue() { toAst(result) = toAst(this).(Py::Starred).getValue() }
 }
 
 /** The ControlFlowNode for an 'except' statement. */
 class ExceptFlowNode extends ControlFlowNode {
-  ExceptFlowNode() { this.getNode() instanceof ExceptStmt }
+  ExceptFlowNode() { this.getNode() instanceof Py::ExceptStmt }
 
   /**
    * Gets the type handled by this exception handler.
-   * `ExceptionType` in `except ExceptionType as e:`
+   * `Py::ExceptionType` in `except Py::ExceptionType as e:`
    */
   ControlFlowNode getType() {
-    exists(ExceptStmt ex |
+    exists(Py::ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
       result.getNode() = ex.getType()
@@ -907,10 +911,10 @@ class ExceptFlowNode extends ControlFlowNode {
 
   /**
    * Gets the name assigned to the handled exception, if any.
-   * `e` in `except ExceptionType as e:`
+   * `e` in `except Py::ExceptionType as e:`
    */
   ControlFlowNode getName() {
-    exists(ExceptStmt ex |
+    exists(Py::ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
       result.getNode() = ex.getName()
@@ -920,30 +924,30 @@ class ExceptFlowNode extends ControlFlowNode {
 
 /** The ControlFlowNode for an 'except*' statement. */
 class ExceptGroupFlowNode extends ControlFlowNode {
-  ExceptGroupFlowNode() { this.getNode() instanceof ExceptGroupStmt }
+  ExceptGroupFlowNode() { this.getNode() instanceof Py::ExceptGroupStmt }
 
   /**
    * Gets the type handled by this exception handler.
-   * `ExceptionType` in `except* ExceptionType as e:`
+   * `Py::ExceptionType` in `except* Py::ExceptionType as e:`
    */
   ControlFlowNode getType() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(ExceptGroupStmt).getType()
+    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getType()
   }
 
   /**
    * Gets the name assigned to the handled exception, if any.
-   * `e` in `except* ExceptionType as e:`
+   * `e` in `except* Py::ExceptionType as e:`
    */
   ControlFlowNode getName() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(ExceptGroupStmt).getName()
+    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getName()
   }
 }
 
 private module Scopes {
   private predicate fast_local(NameNode n) {
-    exists(FastLocalVariable v |
+    exists(Py::FastLocalVariable v |
       n.uses(v) and
       v.getScope() = n.getScope()
     )
@@ -952,15 +956,15 @@ private module Scopes {
   predicate local(NameNode n) {
     fast_local(n)
     or
-    exists(SsaVariable var |
+    exists(Py::SsaVariable var |
       var.getAUse() = n and
-      n.getScope() instanceof Class and
+      n.getScope() instanceof Py::Class and
       exists(var.getDefinition())
     )
   }
 
   predicate non_local(NameNode n) {
-    exists(FastLocalVariable flv |
+    exists(Py::FastLocalVariable flv |
       flv.getALoad() = n.getNode() and
       not flv.getScope() = n.getScope()
     )
@@ -968,20 +972,20 @@ private module Scopes {
 
   // magic is fine, but we get questionable join-ordering of it
   pragma[nomagic]
-  predicate use_of_global_variable(NameNode n, Module scope, string name) {
+  predicate use_of_global_variable(NameNode n, Py::Module scope, string name) {
     n.isLoad() and
     not non_local(n) and
-    not exists(SsaVariable var | var.getAUse() = n |
-      var.getVariable() instanceof FastLocalVariable
+    not exists(Py::SsaVariable var | var.getAUse() = n |
+      var.getVariable() instanceof Py::FastLocalVariable
       or
-      n.getScope() instanceof Class and
+      n.getScope() instanceof Py::Class and
       not maybe_undefined(var)
     ) and
     name = n.getId() and
     scope = n.getEnclosingModule()
   }
 
-  private predicate maybe_undefined(SsaVariable var) {
+  private predicate maybe_undefined(Py::SsaVariable var) {
     not exists(var.getDefinition()) and not py_ssa_phi(var, _)
     or
     var.getDefinition().isDelete()
@@ -1058,13 +1062,13 @@ class BasicBlock extends @py_flow_node {
   private predicate oneNodeBlock() { this.firstNode() = this.getLastNode() }
 
   private predicate startLocationInfo(string file, int line, int col) {
-    if this.firstNode().getNode() instanceof Scope
+    if this.firstNode().getNode() instanceof Py::Scope
     then this.firstNode().getASuccessor().getLocation().hasLocationInfo(file, line, col, _, _)
     else this.firstNode().getLocation().hasLocationInfo(file, line, col, _, _)
   }
 
   private predicate endLocationInfo(int endl, int endc) {
-    if this.getLastNode().getNode() instanceof Scope and not this.oneNodeBlock()
+    if this.getLastNode().getNode() instanceof Py::Scope and not this.oneNodeBlock()
     then this.getLastNode().getAPredecessor().getLocation().hasLocationInfo(_, _, _, endl, endc)
     else this.getLastNode().getLocation().hasLocationInfo(_, _, _, endl, endc)
   }
@@ -1081,7 +1085,7 @@ class BasicBlock extends @py_flow_node {
 
   /** Whether flow from this basic block reaches a normal exit from its scope */
   predicate reachesExit() {
-    exists(Scope s | s.getANormalExit().getBasicBlock() = this)
+    exists(Py::Scope s | s.getANormalExit().getBasicBlock() = this)
     or
     this.getASuccessor().reachesExit()
   }
@@ -1122,7 +1126,7 @@ class BasicBlock extends @py_flow_node {
 
   /** Gets the scope of this block */
   pragma[nomagic]
-  Scope getScope() {
+  Py::Scope getScope() {
     exists(ControlFlowNode n | n.getBasicBlock() = this |
       /* Take care not to use an entry or exit node as that node's scope will be the outer scope */
       not py_scope_flow(n, _, -1) and
@@ -1145,17 +1149,17 @@ class BasicBlock extends @py_flow_node {
   predicate reaches(BasicBlock other) { this = other or this.strictlyReaches(other) }
 
   /**
-   * Gets the `ConditionBlock`, if any, that controls this block and
-   * does not control any other `ConditionBlock`s that control this block.
-   * That is the `ConditionBlock` that is closest dominator.
+   * Gets the `Py::ConditionBlock`, if any, that controls this block and
+   * does not control any other `Py::ConditionBlock`s that control this block.
+   * That is the `Py::ConditionBlock` that is closest dominator.
    */
-  ConditionBlock getImmediatelyControllingBlock() {
+  Py::ConditionBlock getImmediatelyControllingBlock() {
     result = this.nonControllingImmediateDominator*().getImmediateDominator()
   }
 
   private BasicBlock nonControllingImmediateDominator() {
     result = this.getImmediateDominator() and
-    not result.(ConditionBlock).controls(this, _)
+    not result.(Py::ConditionBlock).controls(this, _)
   }
 
   /**
@@ -1175,7 +1179,7 @@ private class ControlFlowNodeAlias = ControlFlowNode;
 
 final private class FinalBasicBlock = BasicBlock;
 
-module Cfg implements BB::CfgSig<Location> {
+module Cfg implements BB::CfgSig<Py::Location> {
   private import codeql.controlflow.SuccessorType
 
   class ControlFlowNode = ControlFlowNodeAlias;
@@ -1186,7 +1190,7 @@ module Cfg implements BB::CfgSig<Location> {
     // Using the location of the first node is simple
     // and we just need a way to identify the basic block
     // during debugging, so this will be serviceable.
-    Location getLocation() { result = super.getNode(0).getLocation() }
+    Py::Location getLocation() { result = super.getNode(0).getLocation() }
 
     int length() { result = count(int i | exists(this.getNode(i))) }
 

python/ql/test/extractor-tests/syntax_error/CONSISTENCY/CfgConsistency.expected

@@ -0,0 +1,4 @@
+consistencyOverview
+| deadEnd | 1 |
+deadEnd
+| without_loop.py:7:5:7:9 | Break |

python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.ql

@@ -0,0 +1,32 @@
+/**
+ * Phase -1 of the dataflow CFG migration: verifies that every variable
+ * binding visible to the AST (`Name.defines(v)`) corresponds to a CFG node
+ * in the new CFG (`semmle.python.controlflow.internal.AstNodeImpl`).
+ *
+ * The expected tag is `cfgdefines=<name>`. Each binding annotation in the
+ * test sources looks like `# $ cfgdefines=x` for a binding currently
+ * covered by the new CFG, or `# $ MISSING: cfgdefines=x` for a binding
+ * that is known to be uncovered (a "red" test case that should be
+ * green-flipped once the corresponding `cfg-ext-*` extension lands).
+ */
+
+import python
+import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
+import utils.test.InlineExpectationsTest
+
+module CfgBindingsTest implements TestSig {
+  string getARelevantTag() { result = "cfgdefines" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Name n, Variable v, CfgImpl::ControlFlowNode cfg |
+      n.defines(v) and
+      cfg.getAstNode().asExpr() = n and
+      location = n.getLocation() and
+      element = n.toString() and
+      tag = "cfgdefines" and
+      value = v.getId()
+    )
+  }
+}
+
+import MakeTest<CfgBindingsTest>

python/ql/test/library-tests/ControlFlow/bindings/annassign.py

@@ -0,0 +1,13 @@
+# Annotated assignment (PEP 526). Both with and without an initializer.
+
+a: int = 1  # $ cfgdefines=a
+b: str = "hi"  # $ cfgdefines=b
+
+# Annotation without value: the AST records `c` as defined,
+# and the new CFG now visits it via the AnnAssignStmt wrapper.
+c: int  # $ cfgdefines=c
+
+class K:  # $ cfgdefines=K
+    field: int = 0  # $ cfgdefines=field
+
+

python/ql/test/library-tests/ControlFlow/bindings/compound.py

@@ -0,0 +1,14 @@
+# Compound (tuple/list) assignment targets — actually wired in the new CFG.
+
+a, b = (1, 2)  # $ cfgdefines=a cfgdefines=b
+[c, d] = [3, 4]  # $ cfgdefines=c cfgdefines=d
+
+# Nested unpacking.
+(e, (f, g)) = (1, (2, 3))  # $ cfgdefines=e cfgdefines=f cfgdefines=g
+
+# Star unpacking.
+h, *i = [1, 2, 3]  # $ cfgdefines=h cfgdefines=i
+
+# Chained assignment with compound target.
+j = k, l = (5, 6)  # $ cfgdefines=j cfgdefines=k cfgdefines=l
+

python/ql/test/library-tests/ControlFlow/bindings/comprehension.py

@@ -0,0 +1,21 @@
+# Comprehension and `for` loop targets — wired in the new CFG.
+# Comprehensions are nested function scopes with a synthetic `.0` parameter
+# bound to the iterable.
+
+# Bare-name `for` target.
+for i in range(3):  # $ cfgdefines=i
+    pass
+
+# Compound `for` target.
+for k, v in [(1, 2)]:  # $ cfgdefines=k cfgdefines=v
+    pass
+
+# Comprehension targets.
+_ = [x for x in range(3)]  # $ cfgdefines=_ cfgdefines=x cfgdefines=.0
+_ = {y: z for y, z in []}  # $ cfgdefines=_ cfgdefines=y cfgdefines=z cfgdefines=.0
+_ = (a for a in [])  # $ cfgdefines=_ cfgdefines=a cfgdefines=.0
+
+# Nested comprehensions.
+_ = [b for c in [] for b in c]  # $ cfgdefines=_ cfgdefines=c cfgdefines=b cfgdefines=.0
+
+

python/ql/test/library-tests/ControlFlow/bindings/dead_under_no_raise.py

@@ -0,0 +1,52 @@
+# Dead bindings under the "no expressions raise" CFG abstraction.
+#
+# The new CFG does not currently model raise edges from arbitrary
+# expressions. As a consequence, code that is only reachable through
+# exception flow is (correctly) classified as dead and has no CFG node.
+# Variable bindings in dead code do not need CFG nodes - SSA / dataflow
+# over dead code is moot.
+#
+# These tests act as a regression guard: the bindings below intentionally
+# have no `cfgdefines=` annotations. If raise modelling is later added,
+# the BindingsTest infrastructure will surface the new CFG nodes as
+# unexpected results, and this file will need to be revisited.
+
+
+def f(obj):  # $ cfgdefines=f cfgdefines=obj
+    try:
+        return len(obj)
+    except TypeError:
+        pass
+
+    # The first try's body always returns; its except handler does not
+    # raise or otherwise transfer control, so under "no expressions
+    # raise" the only paths out of the try-statement are dead. Everything
+    # below is unreachable.
+    try:
+        hint = type(obj).__length_hint__
+    except AttributeError:
+        return None
+    return hint
+
+
+def g():  # $ cfgdefines=g
+    try:
+        raise Exception("inner")
+    except:
+        raise Exception("outer")
+    else:
+        # Unreachable: the inner try body always raises, so the `else:`
+        # clause never runs.
+        hit_inner_else = True
+
+
+def h(cache, key):  # $ cfgdefines=h cfgdefines=cache cfgdefines=key
+    try:
+        return cache[key]
+    except KeyError:
+        pass
+
+    # Same pattern as `f`: dead under "no expressions raise".
+    value = compute(key)
+    cache[key] = value
+    return value

python/ql/test/library-tests/ControlFlow/bindings/decorated.py

@@ -0,0 +1,30 @@
+# Decorated `def`/`class` — wired in the new CFG.
+
+
+def deco(f):  # $ cfgdefines=deco cfgdefines=f
+    return f
+
+
+@deco
+def decorated_func():  # $ cfgdefines=decorated_func
+    pass
+
+
+@deco
+class DecoratedClass:  # $ cfgdefines=DecoratedClass
+    pass
+
+
+# Stacked decorators.
+@deco
+@deco
+def doubly():  # $ cfgdefines=doubly
+    pass
+
+
+# Inside a class body.
+class Outer:  # $ cfgdefines=Outer
+    @staticmethod
+    def inner():  # $ cfgdefines=inner
+        pass
+

python/ql/test/library-tests/ControlFlow/bindings/except_handler.py

@@ -0,0 +1,19 @@
+# Exception-handler name bindings. These are already wired in the new
+# CFG provided the try body can raise; `raise` statements are reliably
+# treated as exception sources.
+
+try:
+    raise ValueError("oops")
+except ValueError as e:  # $ cfgdefines=e
+    pass
+
+try:
+    raise TypeError("oops")
+except (TypeError, KeyError) as err:  # $ cfgdefines=err
+    pass
+
+# Exception groups (Python 3.11+).
+try:
+    raise ValueError("oops")
+except* ValueError as eg:  # $ cfgdefines=eg
+    pass

python/ql/test/library-tests/ControlFlow/bindings/imports.py

@@ -0,0 +1,14 @@
+# Import aliases — all bound names below are now reachable via the new
+# CFG's `ImportStmt` wrapper.
+
+import os  # $ cfgdefines=os
+import os.path  # $ cfgdefines=os
+import os as o  # $ cfgdefines=o
+from os import path  # $ cfgdefines=path
+from os import path as p  # $ cfgdefines=p
+from os import sep, linesep  # $ cfgdefines=sep cfgdefines=linesep
+from os import (
+    getcwd,  # $ cfgdefines=getcwd
+    getcwdb,  # $ cfgdefines=getcwdb
+)
+

python/ql/test/library-tests/ControlFlow/bindings/match_pattern.py

@@ -0,0 +1,24 @@
+# Match-statement pattern bindings — wired in the new CFG.
+
+def f(subject):  # $ cfgdefines=f cfgdefines=subject
+    match subject:
+        case x:  # $ cfgdefines=x
+            pass
+        case [a, b]:  # $ cfgdefines=a cfgdefines=b
+            pass
+        case {"k": v}:  # $ cfgdefines=v
+            pass
+        case Point(p, q):  # $ cfgdefines=p cfgdefines=q
+            pass
+        case [_, *rest]:  # $ cfgdefines=rest
+            pass
+        case (1 | 2) as n:  # $ cfgdefines=n
+            pass
+
+
+class Point:  # $ cfgdefines=Point
+    __match_args__ = ("x", "y")  # $ cfgdefines=__match_args__
+    x: int  # $ cfgdefines=x
+    y: int  # $ cfgdefines=y
+
+

python/ql/test/library-tests/ControlFlow/bindings/parameters.py

@@ -0,0 +1,42 @@
+# Function parameters.
+
+def positional(a, b):  # $ cfgdefines=positional cfgdefines=a cfgdefines=b
+    pass
+
+
+def with_default(x=1, y=2):  # $ cfgdefines=with_default cfgdefines=x cfgdefines=y
+    pass
+
+
+def with_vararg(*args):  # $ cfgdefines=with_vararg cfgdefines=args
+    pass
+
+
+def with_kwarg(**kwargs):  # $ cfgdefines=with_kwarg cfgdefines=kwargs
+    pass
+
+
+def with_kwonly(*, k1, k2=5):  # $ cfgdefines=with_kwonly cfgdefines=k1 cfgdefines=k2
+    pass
+
+
+def kitchen_sink(a, b=2, *args, k1, k2=5, **kw):  # $ cfgdefines=kitchen_sink cfgdefines=a cfgdefines=b cfgdefines=args cfgdefines=k1 cfgdefines=k2 cfgdefines=kw
+    pass
+
+
+# Methods get `self` / `cls`.
+class C:  # $ cfgdefines=C
+    def method(self, x):  # $ cfgdefines=method cfgdefines=self cfgdefines=x
+        pass
+
+    @classmethod
+    def cmethod(cls, x):  # $ cfgdefines=cmethod cfgdefines=cls cfgdefines=x
+        pass
+
+
+# Lambda parameter.
+_ = lambda p: p + 1  # $ cfgdefines=_ cfgdefines=p
+
+# PEP 570 positional-only.
+def pos_only(a, b, /, c):  # $ cfgdefines=pos_only cfgdefines=a cfgdefines=b cfgdefines=c
+    pass

python/ql/test/library-tests/ControlFlow/bindings/simple.py

@@ -0,0 +1,14 @@
+# Simple bindings that should already work in the new CFG.
+# No MISSING annotations expected.
+
+x = 1  # $ cfgdefines=x
+y = x + 1  # $ cfgdefines=y
+
+def f():  # $ cfgdefines=f
+    pass
+
+class C:  # $ cfgdefines=C
+    pass
+
+# Re-assignment.
+x = 2  # $ cfgdefines=x

python/ql/test/library-tests/ControlFlow/bindings/type_params.py

@@ -0,0 +1,21 @@
+# PEP 695 type parameters (Python 3.12+).
+
+# PEP 695 type-param names on `def`/`class` bind in an annotation scope
+# that nests the function/class body — they have no CFG node in the
+# enclosing scope (matching the legacy CFG).
+def func[T](x: T) -> T:  # $ cfgdefines=func cfgdefines=x
+    return x
+
+
+class Box[T]:  # $ cfgdefines=Box
+    item: T  # $ cfgdefines=item
+
+
+# Multi-parameter, with bound and variadics.
+def multi[T: int, *Ts, **P](x: T, *args: *Ts, **kwargs: P.kwargs) -> T:  # $ cfgdefines=multi cfgdefines=x cfgdefines=args cfgdefines=kwargs
+    return x
+
+
+# `type` statement (PEP 695).
+type Alias[T] = list[T]  # $ cfgdefines=Alias cfgdefines=T
+

python/ql/test/library-tests/ControlFlow/bindings/walrus_starred.py

@@ -0,0 +1,14 @@
+# Walrus and starred-target edge cases — wired in the new CFG.
+
+# Walrus in expression context.
+if (y := 5) > 0:  # $ cfgdefines=y
+    pass
+
+# Walrus in a comprehension. The comprehension introduces a synthetic
+# `.0` parameter bound to the iterable.
+_ = [w for _ in range(3) if (w := 1)]  # $ cfgdefines=_ cfgdefines=w cfgdefines=.0
+
+# Starred target in a Tuple LHS.
+*head, tail = [1, 2, 3]  # $ cfgdefines=head cfgdefines=tail
+
+

python/ql/test/library-tests/ControlFlow/bindings/with_stmt.py

@@ -0,0 +1,21 @@
+# `with cm() as x:` bindings — wired in the new CFG.
+
+class CM:  # $ cfgdefines=CM
+    def __enter__(self): return self  # $ cfgdefines=__enter__ cfgdefines=self
+    def __exit__(self, *a): pass  # $ cfgdefines=__exit__ cfgdefines=self cfgdefines=a
+
+with CM() as x:  # $ cfgdefines=x
+    pass
+
+# Multiple items.
+with CM() as a, CM() as b:  # $ cfgdefines=a cfgdefines=b
+    pass
+
+# Parenthesised form (Python 3.10+).
+with (CM() as p, CM() as q):  # $ cfgdefines=p cfgdefines=q
+    pass
+
+# Compound target in `with`.
+with CM() as (m, n):  # $ cfgdefines=m cfgdefines=n
+    pass
+

python/ql/test/library-tests/ControlFlow/evaluation-order/AllLiveReachable.ql

@@ -5,6 +5,8 @@
  * have separate CFGs and are excluded from this check.
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/AnnotationHasCfgNode.ql

@@ -2,6 +2,8 @@
  * Checks that every timer annotation has a corresponding CFG node.
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockAnnotationGap.ql

@@ -8,6 +8,8 @@
  * edge leaves the basic block and the normal successor may be dead.
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.expected

@@ -1,7 +1,7 @@
 | test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
-| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:27:59:27:59 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.ql

@@ -3,6 +3,8 @@
  * increasing minimum-timestamp order.
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/ConsecutiveTimestamps.ql

@@ -11,6 +11,8 @@
  * lambdas that have annotations in nested scopes).
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/ContiguousTimestamps.ql

@@ -4,6 +4,7 @@
  * in at least one annotation (live or dead).
  */
 
+import python
 import TimerUtils
 
 from TestFunction f, int missing, int maxTs, TimerAnnotation maxAnn

python/ql/test/library-tests/ControlFlow/evaluation-order/NeverReachable.ql

@@ -4,6 +4,8 @@
  * entry (including within the same basic block).
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.ql

@@ -0,0 +1,14 @@
+/** New-CFG version of AllLiveReachable. */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TestFunction f
+where allLiveReachable(a, f)
+select a, "Unreachable live annotation; entry of $@ does not reach this node", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.expected

@@ -0,0 +1 @@
+

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.ql

@@ -0,0 +1,18 @@
+/**
+ * New-CFG version of AnnotationHasCfgNode.
+ *
+ * Checks that every timer annotation has a corresponding CFG node.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where annotationWithoutCfgNode(ann)
+select ann, "Annotation in $@ has no CFG node", ann.getTestFunction(),
+  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.ql

@@ -0,0 +1,26 @@
+/**
+ * New-CFG version of BasicBlockAnnotationGap.
+ *
+ * Original:
+ * Checks that within a basic block, if a node is annotated then its
+ * successor is also annotated (or excluded). A gap in annotations
+ * within a basic block indicates a missing annotation, since there
+ * are no branches to justify the gap.
+ *
+ * Nodes with exceptional successors are excluded, as the exception
+ * edge leaves the basic block and the normal successor may be dead.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, CfgNode succ
+where basicBlockAnnotationGap(a, succ)
+select a, "Annotated node followed by unannotated $@ in the same basic block", succ,
+  succ.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.ql

@@ -0,0 +1,21 @@
+/**
+ * New-CFG version of BasicBlockOrdering.
+ *
+ * Original:
+ * Checks that within a single basic block, annotations appear in
+ * increasing minimum-timestamp order.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int minB
+where basicBlockOrdering(a, b, minA, minB)
+select a, "Basic block ordering: $@ appears before $@", a.getTimestampExpr(minA),
+  "timestamp " + minA, b.getTimestampExpr(minB), "timestamp " + minB

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBranchTimestamps.ql

@@ -0,0 +1,80 @@
+/**
+ * New-CFG version of BranchTimestamps.
+ *
+ * Checks that when a node has both a true and false successor, the
+ * live timestamps on one branch are marked as dead on the other.
+ * This ensures that boolean branches are fully annotated with dead()
+ * markers for the paths not taken.
+ *
+ * Limitation: the `@ t[ts, ...]` / `dead(ts)` annotation scheme can only
+ * model branch-dead-ness for plain boolean control flow that reconverges
+ * linearly after the split — i.e. `if`-with-else and `if`-expression.
+ * It cannot model:
+ *
+ *   * loops (`while` / `for`): body timestamps repeat across iterations,
+ *     so the loop-exit annotation can't list them as dead;
+ *   * `match` statements: each `case` body is a syntactically distinct
+ *     sub-tree, and the branches don't reconverge through a common
+ *     annotation point in the timeline;
+ *   * `try` / `with` and `raise` / `assert`: exception edges are modelled
+ *     as true/false but flow to syntactically distinct handlers, with no
+ *     reconvergence in the linear annotation order;
+ *   * short-circuit `and` / `or` (`BoolExpr`): the branches reconverge at
+ *     the BoolExpr's after-node, so timestamps on one branch are live
+ *     downstream of the other rather than dead;
+ *   * `if` without an `else` clause, and `if`/`elif` chains: the false
+ *     branch reconverges with the true branch at the post-if statement
+ *     (no-else) or fans out across multiple elif-test annotations,
+ *     neither of which fit the binary annotation scheme.
+ *
+ * Branch nodes inside those constructs are therefore whitelisted out
+ * below. The check still fires (and is useful) for plain `if`/`else`
+ * and conditional-expression branching.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+/**
+ * Holds if `f` contains a construct whose branches the linear-timestamp
+ * annotation scheme cannot describe (see file-level comment).
+ */
+private predicate hasUnmodellableBranching(Function f) {
+  exists(AstNode bad |
+    bad.getScope() = f and
+    (
+      bad instanceof While
+      or
+      bad instanceof For
+      or
+      bad instanceof MatchStmt
+      or
+      bad instanceof Try
+      or
+      bad instanceof With
+      or
+      bad instanceof Raise
+      or
+      bad instanceof Assert
+      or
+      bad instanceof BoolExpr
+      or
+      bad instanceof If and
+      (not exists(bad.(If).getAnOrelse()) or bad.(If).isElif())
+    )
+  )
+}
+
+from TimerCfgNode node, int ts, string branch
+where
+  missingBranchTimestamp(node, ts, branch) and
+  not hasUnmodellableBranching(node.getTestFunction())
+select node,
+  "Timestamp " + ts + " on true/false branch is missing a dead() annotation on the " + branch +
+    " successor in $@", node.getTestFunction(), node.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.expected

@@ -0,0 +1 @@
+

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.ql

@@ -0,0 +1,22 @@
+/**
+ * New-CFG version of ConsecutivePredecessorTimestamps.
+ *
+ * Checks that each annotated node (except the minimum timestamp) has
+ * a predecessor annotation with timestamp `a - 1`. This is the reverse
+ * of ConsecutiveTimestamps: it catches nodes that are reachable but
+ * arrived at from the wrong place (skipping an intermediate node).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerAnnotation ann, int a
+where consecutivePredecessorTimestamps(ann, a)
+select ann, "$@ in $@ has no consecutive predecessor (expected " + (a - 1) + ")",
+  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutiveTimestamps.ql

@@ -0,0 +1,29 @@
+/**
+ * New-CFG version of ConsecutiveTimestamps.
+ *
+ * Original:
+ * Checks that consecutive annotated nodes have consecutive timestamps:
+ * for each annotation with timestamp `a`, some CFG node for that annotation
+ * must have a next annotation containing `a + 1`.
+ *
+ * Handles CFG splitting (e.g., finally blocks duplicated for normal/exceptional
+ * flow) by checking that at least one split has the required successor.
+ *
+ * Only applies to functions where all annotations are in the function's
+ * own scope (excludes tests with generators, async, comprehensions, or
+ * lambdas that have annotations in nested scopes).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerAnnotation ann, int a
+where consecutiveTimestamps(ann, a)
+select ann, "$@ in $@ has no consecutive successor (expected " + (a + 1) + ")",
+  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgImpl.qll

@@ -0,0 +1,101 @@
+/**
+ * Implementation of the evaluation-order CFG signature using the new
+ * shared control flow graph from AstNodeImpl.
+ */
+
+private import python as Py
+import TimerUtils
+private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
+private import codeql.controlflow.SuccessorType
+
+private class NewControlFlowNode = CfgImpl::ControlFlowNode;
+
+private class NewBasicBlock = CfgImpl::BasicBlock;
+
+/** New (shared) CFG implementation of the evaluation-order signature. */
+module NewCfg implements EvalOrderCfgSig {
+  class CfgNode instanceof NewControlFlowNode {
+    // Use the post-order representative for each AST node: the "after" node.
+    // For simple leaf nodes this is the merged before/after node. For
+    // post-order expressions this is the TAstNode. For pre-order expressions
+    // (and/or/not/ternary) this uses an AfterValueNode, which places the
+    // expression after its operands — matching the timer test expectations.
+    CfgNode() { NewControlFlowNode.super.isAfter(_) }
+
+    string toString() { result = NewControlFlowNode.super.toString() }
+
+    Py::Location getLocation() { result = NewControlFlowNode.super.getLocation() }
+
+    Py::AstNode getNode() {
+      result = CfgImpl::astNodeToPyNode(NewControlFlowNode.super.getAstNode())
+    }
+
+    CfgNode getASuccessor() { nextCfgNode(this, result) }
+
+    CfgNode getATrueSuccessor() {
+      NewControlFlowNode.super.isAfterTrue(_) and
+      // Only where there's also a false branch (true boolean split)
+      exists(NewControlFlowNode other | other.isAfterFalse(NewControlFlowNode.super.getAstNode())) and
+      nextCfgNodeFrom(this, result)
+    }
+
+    CfgNode getAFalseSuccessor() {
+      NewControlFlowNode.super.isAfterFalse(_) and
+      // Only where there's also a true branch (true boolean split)
+      exists(NewControlFlowNode other | other.isAfterTrue(NewControlFlowNode.super.getAstNode())) and
+      nextCfgNodeFrom(this, result)
+    }
+
+    CfgNode getAnExceptionalSuccessor() {
+      exists(NewControlFlowNode mid |
+        mid = NewControlFlowNode.super.getAnExceptionSuccessor() and
+        nextCfgNodeFrom(mid, result)
+      )
+    }
+
+    Py::Scope getScope() { result = NewControlFlowNode.super.getEnclosingCallable().asScope() }
+
+    BasicBlock getBasicBlock() {
+      exists(NewBasicBlock bb, int i | bb.getNode(i) = this and result = bb)
+    }
+  }
+
+  /**
+   * Holds if `next` is the nearest CfgNode reachable from `n` via
+   * one or more raw CFG successor edges, skipping non-CfgNode intermediaries.
+   */
+  private predicate nextCfgNodeFrom(NewControlFlowNode n, CfgNode next) {
+    next = n.getASuccessor()
+    or
+    exists(NewControlFlowNode mid |
+      mid = n.getASuccessor() and
+      not mid instanceof CfgNode and
+      nextCfgNodeFrom(mid, next)
+    )
+  }
+
+  /**
+   * Holds if `next` is the nearest CfgNode successor of `n`,
+   * skipping synthetic intermediate nodes.
+   */
+  private predicate nextCfgNode(CfgNode n, CfgNode next) { nextCfgNodeFrom(n, next) }
+
+  class BasicBlock instanceof NewBasicBlock {
+    string toString() { result = NewBasicBlock.super.toString() }
+
+    CfgNode getNode(int n) { result = NewBasicBlock.super.getNode(n) }
+
+    predicate reaches(BasicBlock bb) { this = bb or this.strictlyReaches(bb) }
+
+    predicate strictlyReaches(BasicBlock bb) { NewBasicBlock.super.getASuccessor+() = bb }
+
+    predicate strictlyDominates(BasicBlock bb) { NewBasicBlock.super.strictlyDominates(bb) }
+  }
+
+  CfgNode scopeGetEntryNode(Py::Scope s) {
+    exists(CfgImpl::ControlFlow::EntryNode entry |
+      entry.getEnclosingCallable().asScope() = s and
+      nextCfgNodeFrom(entry, result)
+    )
+  }
+}

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNeverReachable.ql

@@ -0,0 +1,21 @@
+/**
+ * New-CFG version of NeverReachable.
+ *
+ * Original:
+ * Checks that expressions annotated with `t.never` either have no CFG
+ * node, or if they do, that the node is not reachable from its scope's
+ * entry (including within the same basic block).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where neverReachable(ann)
+select ann, "Node annotated with t.never is reachable in $@", ann.getTestFunction(),
+  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBackwardFlow.ql

@@ -0,0 +1,22 @@
+/**
+ * New-CFG version of NoBackwardFlow.
+ *
+ * Original:
+ * Checks that time never flows backward between consecutive timer annotations
+ * in the CFG. For each pair of consecutive annotated nodes (A -> B), there must
+ * exist timestamps a in A and b in B with a < b.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int maxB
+where noBackwardFlow(a, b, minA, maxB)
+select a, "Backward flow: $@ flows to $@ (max timestamp $@)", a.getTimestampExpr(minA),
+  minA.toString(), b, b.getNode().toString(), b.getTimestampExpr(maxB), maxB.toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.expected

@@ -0,0 +1 @@
+

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.ql

@@ -0,0 +1,18 @@
+/**
+ * New-CFG version of NoBasicBlock.
+ *
+ * Checks that every annotated CFG node belongs to a basic block.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from CfgNode n, TestFunction f
+where noBasicBlock(n, f)
+select n, "CFG node in $@ does not belong to any basic block", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoSharedReachable.ql

@@ -0,0 +1,21 @@
+/**
+ * New-CFG version of NoSharedReachable.
+ *
+ * Original:
+ * Checks that two annotations sharing a timestamp value are on
+ * mutually exclusive CFG paths (neither can reach the other).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int ts
+where noSharedReachable(a, b, ts)
+select a, "Shared timestamp $@ but this node reaches $@", a.getTimestampExpr(ts), ts.toString(), b,
+  b.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgStrictForward.ql

@@ -0,0 +1,22 @@
+/**
+ * New-CFG version of StrictForward.
+ *
+ * Original:
+ * Stronger version of NoBackwardFlow: for consecutive annotated nodes
+ * A -> B that both have a single timestamp (non-loop code) and B does
+ * NOT dominate A (forward edge), requires max(A) < min(B).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int maxA, int minB
+where strictForward(a, b, maxA, minB)
+select a, "Strict forward violation: $@ flows to $@", a.getTimestampExpr(maxA), "timestamp " + maxA,
+  b.getTimestampExpr(minB), "timestamp " + minB

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.expected

@@ -1,7 +1,7 @@
 | test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:9:59:9:59 | IntegerLiteral | 2 | test_boolean.py:9:10:9:13 | ControlFlowNode for True | True | test_boolean.py:9:19:9:19 | IntegerLiteral | 0 |
 | test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:15:50:15:50 | IntegerLiteral | 1 | test_boolean.py:15:10:15:14 | ControlFlowNode for False | False | test_boolean.py:15:20:15:20 | IntegerLiteral | 0 |
 | test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:21:49:21:49 | IntegerLiteral | 1 | test_boolean.py:21:10:21:13 | ControlFlowNode for True | True | test_boolean.py:21:19:21:19 | IntegerLiteral | 0 |
-| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:27:50:27:50 | IntegerLiteral | 2 | test_boolean.py:27:10:27:14 | ControlFlowNode for False | False | test_boolean.py:27:20:27:20 | IntegerLiteral | 0 |
+| test_boolean.py:27:10:27:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:27:59:27:59 | IntegerLiteral | 2 | test_boolean.py:27:10:27:14 | ControlFlowNode for False | False | test_boolean.py:27:20:27:20 | IntegerLiteral | 0 |
 | test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:40:86:40:86 | IntegerLiteral | 3 | test_boolean.py:40:10:40:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:40:16:40:16 | IntegerLiteral | 0 |
 | test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:46:86:46:86 | IntegerLiteral | 3 | test_boolean.py:46:10:46:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:46:16:46:16 | IntegerLiteral | 0 |
 | test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:52:120:52:120 | IntegerLiteral | 4 | test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | BoolExpr | test_boolean.py:52:63:52:63 | IntegerLiteral | 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.ql

@@ -4,6 +4,8 @@
  * exist timestamps a in A and b in B with a < b.
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBasicBlock.ql

@@ -2,6 +2,8 @@
  * Checks that every annotated CFG node belongs to a basic block.
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/NoSharedReachable.ql

@@ -3,6 +3,8 @@
  * mutually exclusive CFG paths (neither can reach the other).
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/OldCfgImpl.qll

@@ -3,14 +3,14 @@
  * Python control flow graph.
  */
 
-private import python as PY
+private import python as Py
 import TimerUtils
 
 /** Existing Python CFG implementation of the evaluation-order signature. */
 module OldCfg implements EvalOrderCfgSig {
-  class CfgNode = PY::ControlFlowNode;
+  class CfgNode = Py::ControlFlowNode;
 
-  class BasicBlock = PY::BasicBlock;
+  class BasicBlock = Py::BasicBlock;
 
-  CfgNode scopeGetEntryNode(PY::Scope s) { result = s.getEntryNode() }
+  CfgNode scopeGetEntryNode(Py::Scope s) { result = s.getEntryNode() }
 }

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.expected

@@ -1,7 +1,7 @@
 | test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
-| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:27:59:27:59 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.ql

@@ -4,6 +4,8 @@
  * NOT dominate A (forward edge), requires max(A) < min(B).
  */
 
+import python
+import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/test_boolean.py

@@ -24,7 +24,7 @@ def test_or_short_circuit(t):
 @test
 def test_or_both_sides(t):
     # False or X — both operands evaluated, result is X
-    x = (False @ t[0] or 42 @ t[1]) @ t[dead(1), 2]
+    x = (False @ t[0] or 42 @ t[1, dead(2)]) @ t[dead(1), 2]
 
 
 @test

python/ql/test/library-tests/ControlFlow/evaluation-order/test_if.py

@@ -85,7 +85,7 @@ def test_nested_if_else(t):
         else:
             z = 2 @ t[dead(4)]
     else:
-        z = 3 @ t[dead(4)]
+        z = 3 @ t[dead(3), dead(4)]
     w = 0 @ t[5]
 
 

python/ql/test/library-tests/ControlFlow/store-load/StoreLoadTest.ql

@@ -0,0 +1,41 @@
+/**
+ * Inline-expectations test for the store/load/delete/parameter
+ * classification predicates on the new-CFG facade.
+ *
+ * Each tag fires when the corresponding predicate (`isLoad`,
+ * `isStore`, `isDelete`, `isParameter`, `isAugLoad`, `isAugStore`)
+ * holds on the canonical CFG node wrapping a `Py::Name` with the
+ * given identifier. Subscript and attribute stores are not covered
+ * by these tags — only the `Name`-typed targets/loads they involve.
+ */
+
+import python
+import semmle.python.controlflow.internal.Cfg as Cfg
+import utils.test.InlineExpectationsTest
+
+module StoreLoadTest implements TestSig {
+  string getARelevantTag() { result = ["load", "store", "delete", "param", "augload", "augstore"] }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Cfg::NameNode n |
+      location = n.getLocation() and
+      element = n.toString() and
+      value = n.getId() and
+      (
+        n.isLoad() and not n.isAugLoad() and tag = "load"
+        or
+        n.isStore() and not n.isAugStore() and tag = "store"
+        or
+        n.isDelete() and tag = "delete"
+        or
+        n.isParameter() and tag = "param"
+        or
+        n.isAugLoad() and tag = "augload"
+        or
+        n.isAugStore() and tag = "augstore"
+      )
+    )
+  }
+}
+
+import MakeTest<StoreLoadTest>

python/ql/test/library-tests/ControlFlow/store-load/test.py

@@ -0,0 +1,56 @@
+# Store/load/delete/parameter classification on the new-CFG facade.
+#
+# Each annotated location carries the (sorted, deduplicated) set of
+# kinds the CFG facade reports there. Comparing against the legacy
+# 'semmle.python.Flow' classification is done by the comparison query
+# 'StoreLoadParity.ql' — annotations here are only the positive
+# assertions for the new facade.
+#
+# Tags:
+#   load=<id>       -- isLoad() fires on the Name
+#   store=<id>      -- isStore() fires
+#   delete=<id>     -- isDelete() fires
+#   param=<id>      -- isParameter() fires
+#   augload=<id>    -- isAugLoad() fires (the LHS of x += ... when read)
+#   augstore=<id>   -- isAugStore() fires (the LHS of x += ... when written)
+
+
+# --- plain load / store / delete ---
+
+x = 1  # $ store=x
+y = x + 1  # $ store=y load=x
+print(y)  # $ load=print load=y
+del x  # $ delete=x
+
+
+# --- function definitions (parameters) ---
+
+def f(a, b=2, *args, c, **kwargs):  # $ store=f param=a param=b param=args param=c param=kwargs
+    return a + b + c  # $ load=a load=b load=c
+
+
+# --- augmented assignment splits one Name into load + store halves ---
+
+def aug():  # $ store=aug
+    n = 0  # $ store=n
+    n += 1  # $ augload=n augstore=n
+    return n  # $ load=n
+
+
+# --- subscript / attribute stores ---
+
+class C:  # $ store=C
+    pass
+
+
+def stores(obj, container, idx):  # $ store=stores param=obj param=container param=idx
+    obj.attr = 1  # $ load=obj
+    container[idx] = 2  # $ load=container load=idx
+    return obj  # $ load=obj
+
+
+# --- tuple unpacking ---
+
+def unpack(pair):  # $ store=unpack param=pair
+    a, b = pair  # $ store=a store=b load=pair
+    return a + b  # $ load=a load=b

rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/CryptographicOperations.expected

@@ -0,0 +1,12 @@
+| test.rs:19:9:19:34 | ...::compute(...) | HashingAlgorithm MD5 WEAK inputs:1 |
+| test.rs:20:9:20:40 | ...::compute(...) | HashingAlgorithm MD5 WEAK inputs:1 |
+| test.rs:21:9:21:34 | ...::compute(...) | HashingAlgorithm MD5 WEAK inputs:1 |
+| test.rs:22:9:22:44 | ...::compute(...) | HashingAlgorithm MD5 WEAK inputs:1 |
+| test.rs:67:26:67:40 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
+| test.rs:73:9:73:23 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
+| test.rs:74:9:74:23 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
+| test.rs:133:26:133:40 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
+| test.rs:156:26:156:40 | ...::new(...) | HashingAlgorithm MD5 WEAK  |
+| test.rs:176:13:176:24 | ...::new(...) | EncryptionAlgorithm SEED   |
+| test.rs:199:22:199:32 | ...::new(...) | HashingAlgorithm SHA1 WEAK  |
+| test.rs:211:13:211:35 | ...::compute(...) | HashingAlgorithm MD5 WEAK inputs:1 |

rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/CryptographicOperations.qlref

@@ -0,0 +1,3 @@
+query: queries/summary/CryptographicOperations.ql
+postprocess:
+ - utils/test/InlineExpectationsTestQuery.ql

rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/WeakSensitiveDataHashing.expected

@@ -1,9 +1,13 @@
 #select
 | test.rs:20:9:20:24 | ...::compute | test.rs:20:26:20:39 | credit_card_no | test.rs:20:9:20:24 | ...::compute | $@ is used in a hashing algorithm (MD5) that is insecure. | test.rs:20:26:20:39 | credit_card_no | Sensitive data (private) |
 | test.rs:21:9:21:24 | ...::compute | test.rs:21:26:21:33 | password | test.rs:21:9:21:24 | ...::compute | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:21:26:21:33 | password | Sensitive data (password) |
+| test.rs:211:13:211:28 | ...::compute | test.rs:226:29:226:36 | password | test.rs:211:13:211:28 | ...::compute | $@ is used in a hashing algorithm (MD5) that is insecure for password hashing, since it is not a computationally expensive hash function. | test.rs:226:29:226:36 | password | Sensitive data (password) |
 edges
 | test.rs:20:26:20:39 | credit_card_no | test.rs:20:9:20:24 | ...::compute | provenance | MaD:1 Sink:MaD:1 |
 | test.rs:21:26:21:33 | password | test.rs:21:9:21:24 | ...::compute | provenance | MaD:1 Sink:MaD:1 |
+| test.rs:210:20:210:30 | ...: ... | test.rs:211:30:211:34 | value | provenance |  |
+| test.rs:211:30:211:34 | value | test.rs:211:13:211:28 | ...::compute | provenance | MaD:1 Sink:MaD:1 |
+| test.rs:226:29:226:36 | password | test.rs:210:20:210:30 | ...: ... | provenance |  |
 models
 | 1 | Sink: md5::compute; Argument[0]; hasher-input |
 nodes
@@ -11,4 +15,8 @@ nodes
 | test.rs:20:26:20:39 | credit_card_no | semmle.label | credit_card_no |
 | test.rs:21:9:21:24 | ...::compute | semmle.label | ...::compute |
 | test.rs:21:26:21:33 | password | semmle.label | password |
+| test.rs:210:20:210:30 | ...: ... | semmle.label | ...: ... |
+| test.rs:211:13:211:28 | ...::compute | semmle.label | ...::compute |
+| test.rs:211:30:211:34 | value | semmle.label | value |
+| test.rs:226:29:226:36 | password | semmle.label | password |
 subpaths

rust/ql/test/query-tests/security/CWE-327/WeakSensitiveDataHashing/test.rs

@@ -16,10 +16,10 @@ fn test_hash_algorithms(
     _ = md5::Md5::digest(encrypted_password);
 
     // MD5 (alternative / older library)
-    _ = md5_alt::compute(harmless);
-    _ = md5_alt::compute(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing]
-    _ = md5_alt::compute(password); // $ Alert[rust/weak-sensitive-data-hashing]
-    _ = md5_alt::compute(encrypted_password);
+    _ = md5_alt::compute(harmless); // $ Alert[rust/summary/cryptographic-operations]
+    _ = md5_alt::compute(credit_card_no); // $ Alert[rust/summary/cryptographic-operations] Alert[rust/weak-sensitive-data-hashing]
+    _ = md5_alt::compute(password); // $ Alert[rust/summary/cryptographic-operations] Alert[rust/weak-sensitive-data-hashing]
+    _ = md5_alt::compute(encrypted_password); // $ Alert[rust/summary/cryptographic-operations]
 
     // SHA-1
     _ = sha1::Sha1::digest(harmless);
@@ -64,14 +64,14 @@ fn test_hash_code_patterns(
     _ = md5::Md5::digest(password_vec); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
 
     // hash through a hasher object
-    let mut md5_hasher = md5::Md5::new();
+    let mut md5_hasher = md5::Md5::new(); // $ Alert[rust/summary/cryptographic-operations]
     md5_hasher.update(b"abc");
     md5_hasher.update(harmless);
     md5_hasher.update(password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
     _ = md5_hasher.finalize();
 
-    _ = md5::Md5::new().chain_update(harmless).chain_update(harmless).chain_update(harmless).finalize();
-    _ = md5::Md5::new().chain_update(harmless).chain_update(password).chain_update(harmless).finalize(); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
+    _ = md5::Md5::new().chain_update(harmless).chain_update(harmless).chain_update(harmless).finalize(); // $ Alert[rust/summary/cryptographic-operations]
+    _ = md5::Md5::new().chain_update(harmless).chain_update(password).chain_update(harmless).finalize(); // $ Alert[rust/summary/cryptographic-operations] MISSING: Alert[rust/weak-sensitive-data-hashing]
 
     _ = md5::Md5::new_with_prefix(harmless).finalize();
     _ = md5::Md5::new_with_prefix(password).finalize(); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
@@ -130,7 +130,7 @@ fn test_hash_structs() {
     let str3c = serde_urlencoded::to_string(&s3).unwrap();
 
     // hash with MD5
-    let mut md5_hasher = md5::Md5::new();
+    let mut md5_hasher = md5::Md5::new(); // $ Alert[rust/summary/cryptographic-operations]
     md5_hasher.update(s1.data);
     md5_hasher.update(s2.credit_card_no); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
     md5_hasher.update(s3.password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
@@ -153,8 +153,75 @@ fn test_hash_file(
     let mut harmless_file = std::fs::File::open(harmless_filename).unwrap();
     let mut password_file = std::fs::File::open(password_filename).unwrap();
 
-    let mut md5_hasher = md5::Md5::new();
+    let mut md5_hasher = md5::Md5::new(); // $ Alert[rust/summary/cryptographic-operations]
     _ = std::io::copy(&mut harmless_file, &mut md5_hasher);
     _ = std::io::copy(&mut password_file, &mut md5_hasher); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
     _ = md5_hasher.finalize();
 }
+
+// ---
+
+struct Seed {
+}
+
+impl Seed {
+    fn new(_seed_value: u64) -> Self {
+        Seed { }
+    }
+}
+
+fn test_seed() {
+    // this will be misrecognized as a use of the SEED algorithm, but SEED is strong and the input
+    // is not sensitive data, so `rust/weak-sensitive-data-hashing` should not report a result here.
+    let _ = Seed::new(0); // $ Alert[rust/summary/cryptographic-operations]
+}
+
+// ---
+
+struct Sha1 {
+}
+
+impl Sha1 {
+    const fn new() -> Self {
+        Sha1 { }
+    }
+
+    const fn update(&mut self, _data: &[u8]) {
+        // ...
+    }
+
+    const fn finalize(self) -> [u8; 20] {
+        [0; 20]
+    }
+}
+
+fn sha1_test(password: &[u8]) {
+    let mut hasher = Sha1::new(); // $ Alert[rust/summary/cryptographic-operations]
+    hasher.update(password); // $ MISSING: Alert[rust/weak-sensitive-data-hashing]
+    _ = hasher.finalize();
+}
+
+// ---
+
+struct HashCollection {
+}
+
+impl HashCollection {
+    pub fn add_sig(value: &str) -> Self {
+        _ = md5_alt::compute(value); // $ Alert[rust/summary/cryptographic-operations] Alert[rust/weak-sensitive-data-hashing]
+
+        // ...
+
+        HashCollection { }
+    }
+}
+
+fn test_hash_collection() {
+    // this indirectly performs MD5 hashing, but the data is not sensitive
+    let id: &str = "my_id_1234567890";
+    HashCollection::add_sig(id);
+
+    // this indirectly performs MD5 hashing, and the data is sensitive; the result is reported here
+    let password: &str = "password123";
+    HashCollection::add_sig(password); // $ Source
+}

shared/controlflow/codeql/controlflow/ControlFlowGraph.qll

@@ -224,6 +224,31 @@ signature module AstSig<LocationSig Location> {
    */
   default AstNode getTryElse(TryStmt try) { none() }
 
+  /**
+   * Gets the `else` block of this `while` loop statement, if any.
+   *
+   * Only some languages (e.g. Python) support `while-else` constructs.
+   */
+  default AstNode getWhileElse(WhileStmt loop) { none() }
+
+  /**
+   * Gets the `else` block of this `foreach` loop statement, if any.
+   *
+   * Only some languages (e.g. Python) support `for-else` constructs.
+   */
+  default AstNode getForeachElse(ForeachStmt loop) { none() }
+
+  /**
+   * Gets the type expression of this catch clause, if any.
+   *
+   * In Python, the catch type is a runtime-evaluated expression
+   * (e.g. `except SomeException:` where `SomeException` is an
+   * arbitrary expression). For languages where the catch type is
+   * statically resolved, this defaults to `none()` and no CFG node
+   * is created.
+   */
+  default Expr getCatchType(CatchClause catch) { none() }
+
   /** A catch clause in a try statement. */
   class CatchClause extends AstNode {
     /** Gets the variable declared by this catch clause. */
@@ -1577,20 +1602,33 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
           n1.isAfterValue(cond, any(BooleanSuccessor b | b.getValue() = while)) and
           n2.isBefore(loopstmt.getBody())
           or
-          n1.isAfterValue(cond, any(BooleanSuccessor b | b.getValue() = while.booleanNot())) and
-          n2.isAfter(loopstmt)
+          n1.isAfterFalse(cond) and
+          (
+            n2.isBefore(getWhileElse(loopstmt))
+            or
+            not exists(getWhileElse(loopstmt)) and n2.isAfter(loopstmt)
+          )
           or
           n1.isAfter(loopstmt.getBody()) and
           n2.isAdditional(loopstmt, loopHeaderTag())
         )
         or
+        exists(WhileStmt whilestmt |
+          n1.isAfter(getWhileElse(whilestmt)) and
+          n2.isAfter(whilestmt)
+        )
+        or
         exists(ForeachStmt foreachstmt |
           n1.isBefore(foreachstmt) and
           n2.isBefore(foreachstmt.getCollection())
           or
           n1.isAfterValue(foreachstmt.getCollection(),
             any(EmptinessSuccessor t | t.getValue() = true)) and
-          n2.isAfter(foreachstmt)
+          (
+            n2.isBefore(getForeachElse(foreachstmt))
+            or
+            not exists(getForeachElse(foreachstmt)) and n2.isAfter(foreachstmt)
+          )
           or
           n1.isAfterValue(foreachstmt.getCollection(),
             any(EmptinessSuccessor t | t.getValue() = false)) and
@@ -1603,10 +1641,17 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
           n2.isAdditional(foreachstmt, loopHeaderTag())
           or
           n1.isAdditional(foreachstmt, loopHeaderTag()) and
-          n2.isAfter(foreachstmt)
+          (
+            n2.isBefore(getForeachElse(foreachstmt))
+            or
+            not exists(getForeachElse(foreachstmt)) and n2.isAfter(foreachstmt)
+          )
           or
           n1.isAdditional(foreachstmt, loopHeaderTag()) and
           n2.isBefore(foreachstmt.getVariable())
+          or
+          n1.isAfter(getForeachElse(foreachstmt)) and
+          n2.isAfter(foreachstmt)
         )
         or
         exists(ForStmt forstmt, PreControlFlowNode condentry |
@@ -1698,6 +1743,16 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
         exists(CatchClause catchclause |
           exists(MatchingSuccessor t |
             n1.isBefore(catchclause) and
+            (
+              n2.isBefore(getCatchType(catchclause))
+              or
+              not exists(getCatchType(catchclause)) and n2.isAfterValue(catchclause, t)
+            ) and
+            if Input1::catchAll(catchclause) then t.getValue() = true else any()
+          )
+          or
+          exists(MatchingSuccessor t |
+            n1.isAfter(getCatchType(catchclause)) and
             n2.isAfterValue(catchclause, t) and
             if Input1::catchAll(catchclause) then t.getValue() = true else any()
           )