Python: visit function parameter and return annotations in new CFG

The new (shared-CFG-based) Python control flow graph in `semmle.python.controlflow.internal.Cfg` previously did not emit CFG nodes for parameter type annotations (`def f(x: T): ...`) or for the return type annotation (`-> T`). The legacy CFG emitted both, and a small number of framework models rely on this: `LocalSources.qll`'s `annotatedInstance` walks the parameter annotation expression by way of its CFG node to track that a parameter receives an instance of the annotated class. After the dataflow flip to the new CFG/SSA this regression manifested as lost flows in any test exercising annotation-based parameter tracking: FastAPI `Depends()` receivers, Pydantic request bodies, Starlette `WebSocket`, the call-graph type-annotation test, and so on. Extend `FunctionDefExpr` to visit each annotation as a child of the function-def expression, in CPython evaluation order: positional parameter annotations, `*args` annotation, keyword-only parameter annotations, `**kwargs` annotation, then the return annotation. (Lambda expressions have no annotations in Python syntax, so `LambdaExpr` is unchanged.) PEP 695 type parameters remain out of scope; they belong to the inner annotation scope, not the enclosing CFG. Restored test results across `framework/aiohttp`, `framework/fastapi`, `framework/lxml`, the `CallGraph-type-annotations` test, and `CWE-022-PathInjection`. Two FastAPI list-comprehension MISSING markers become positive (`taint_test.py:41,55`). CPython CFG consistency remains clean. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Python: model exception edges for raise-prone expressions inside try/with
2026-06-30 09:05:28 +02:00 · 2026-06-29 19:37:01 +00:00 · 2026-06-29 19:37:01 +00:00 · 2026-06-29 19:37:01 +00:00 · 2026-06-29 18:49:41 +00:00 · 2026-06-29 12:28:53 +02:00
135 changed files with 6737 additions and 607 deletions
--- a/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll
@@ -33,9 +33,11 @@ module StoredXss {
        walkFn.getACall().getArgument(1) = f.getASuccessor*()
      )
      or
-      // A call to os.FileInfo.Name
-      exists(Method m | m.implements("io/fs", "FileInfo", "Name") |
-        m = this.(DataFlow::CallNode).getTarget()
+      // The return value of a call to `os.DirEntry.Name`, `os.FileInfo.Name`
+      // or `os.File.ReadDirNames`.
+      exists(DataFlow::CallNode cn, Method m | m = cn.getTarget() and this = cn.getResult(0) |
+        m.implements("io/fs", ["DirEntry", "FileInfo"], "Name") or
+        m.hasQualifiedName("os", "File", "ReadDirNames")
      )
    }
  }
--- a/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -156,12 +156,3 @@ nodes
 | websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
 | websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
 subpaths
-testFailures
-| websocketXss.go:30:32:30:60 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:31:11:31:14 | xnet [postupdate] | Unexpected result: Source |
-| websocketXss.go:34:30:34:58 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:35:21:35:25 | xnet2 [postupdate] | Unexpected result: Source |
-| websocketXss.go:46:38:46:66 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | Unexpected result: Source |
-| websocketXss.go:50:33:50:61 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | Unexpected result: Source |
--- a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected
@@ -1,7 +1,9 @@
 #select
+| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
 | stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
 | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | SSA def(path) | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | SSA def(path) | stored value |
 edges
+| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance |  |
 | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1  |
 | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel |
 | stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance |  |
@@ -9,6 +11,8 @@ edges
 models
 | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
 nodes
+| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
+| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
 | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
 | stored.go:25:14:25:17 | rows | semmle.label | rows |
 | stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] |
@@ -16,5 +20,3 @@ nodes
 | stored.go:59:30:59:33 | SSA def(path) | semmle.label | SSA def(path) |
 | stored.go:61:22:61:25 | path | semmle.label | path |
 subpaths
-testFailures
-| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |
--- a/go/ql/test/query-tests/Security/CWE-079/websocketXss.go
+++ b/go/ql/test/query-tests/Security/CWE-079/websocketXss.go
@@ -27,12 +27,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	origin := "test"
 	{
 		ws, _ := websocket.Dial(uri, "", origin)
-		var xnet = make([]byte, 512) // $ Source[go/reflected-xss]
-		ws.Read(xnet)
+		var xnet = make([]byte, 512)
+		ws.Read(xnet)              // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", xnet) // $ Alert[go/reflected-xss]
 		codec := &websocket.Codec{Marshal: marshal, Unmarshal: unmarshal}
-		xnet2 := make([]byte, 512) // $ Source[go/reflected-xss]
-		codec.Receive(ws, xnet2)
+		xnet2 := make([]byte, 512)
+		codec.Receive(ws, xnet2)    // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", xnet2) // $ Alert[go/reflected-xss]
 	}
 	{
@@ -43,12 +43,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	{
 		dialer := gorilla.Dialer{}
 		conn, _, _ := dialer.Dial(uri, nil)
-		var gorillaMsg = make([]byte, 512) // $ Source[go/reflected-xss]
-		gorilla.ReadJSON(conn, gorillaMsg)
-		fmt.Fprintf(w, "%v", gorillaMsg) // $ Alert[go/reflected-xss]
+		var gorillaMsg = make([]byte, 512)
+		gorilla.ReadJSON(conn, gorillaMsg) // $ Source[go/reflected-xss]
+		fmt.Fprintf(w, "%v", gorillaMsg)   // $ Alert[go/reflected-xss]

-		gorilla2 := make([]byte, 512) // $ Source[go/reflected-xss]
-		conn.ReadJSON(gorilla2)
+		gorilla2 := make([]byte, 512)
+		conn.ReadJSON(gorilla2)        // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", gorilla2) // $ Alert[go/reflected-xss]

 		_, gorilla3, _ := conn.ReadMessage() // $ Source[go/reflected-xss]
--- a/java/ql/integration-tests/java/android-8-sample/settings.gradle
+++ b/java/ql/integration-tests/java/android-8-sample/settings.gradle
@@ -14,7 +14,9 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts
@@ -14,7 +14,9 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts
@@ -14,7 +14,9 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle
+++ b/java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle
@@ -14,7 +14,9 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts
@@ -13,7 +13,9 @@ buildscript {

    repositories {
        google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }

    /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
    repositories {
        google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }
 }
--- a/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts
@@ -13,7 +13,9 @@ buildscript {

    repositories {
        google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }

    /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
    repositories {
        google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
    }
 }
--- a/java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle
+++ b/java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle
@@ -13,7 +13,9 @@ buildscript {

    repositories {
        google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }

    /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
    repositories {
        google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
--- a/java/ql/integration-tests/java/android-sample-old-style/build.gradle
+++ b/java/ql/integration-tests/java/android-sample-old-style/build.gradle
@@ -13,7 +13,9 @@ buildscript {

    repositories {
        google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }

    /**
@@ -32,13 +34,15 @@ buildscript {
 * dependencies used by all modules in your project, such as third-party plugins
 * or libraries. However, you should configure module-specific dependencies in
 * each module-level build.gradle file. For new projects, Android Studio
- * includes JCenter and Google's Maven repository by default, but it does not
+ * includes Maven Central and Google's Maven repository by default, but it does not
 * configure any dependencies (unless you select a template that requires some).
 */

 allprojects {
    repositories {
        google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
--- a/java/ql/integration-tests/java/android-sample/settings.gradle
+++ b/java/ql/integration-tests/java/android-sample/settings.gradle
@@ -14,7 +14,9 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/buildless-gradle-boms/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle-boms/build.gradle
@@ -8,7 +8,9 @@
 apply plugin: 'java-library'

 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected
@@ -1,5 +1,5 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
-https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
-https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
-https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
-https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
--- a/java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle
@@ -8,7 +8,9 @@
 apply plugin: 'java-library'

 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected
@@ -1,2 +1,2 @@
-https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
--- a/java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/buildless-gradle/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle/build.gradle
@@ -8,7 +8,9 @@
 apply plugin: 'java-library'

 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected
@@ -1 +1 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
--- a/java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle
+++ b/java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle
@@ -8,7 +8,9 @@
 apply plugin: 'java-library'

 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-proxy-gradle/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-proxy-gradle/buildless-fetches.expected
@@ -1 +1 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
--- a/java/ql/integration-tests/java/buildless-sibling-projects/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/buildless-fetches.expected
@@ -1,6 +1,7 @@
-https://jcenter.bintray.com/junit/junit/4.12/junit-4.12.jar
-https://jcenter.bintray.com/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
-https://jcenter.bintray.com/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.12/junit-4.12.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -12,7 +13,6 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
--- a/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample/build.gradle
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample2/build.gradle
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample2/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/buildless-sibling-projects/settings.xml
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/settings.xml
@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>
--- a/java/ql/integration-tests/java/buildless-sibling-projects/source_archive.expected
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/source_archive.expected
@@ -26,4 +26,5 @@ maven-project-2/src/main/resources/my-app.properties
 maven-project-2/src/main/resources/page.xml
 maven-project-2/src/main/resources/struts.xml
 maven-project-2/src/test/java/com/example/AppTest4.java
+settings.xml
 test-db/working/settings.xml
--- a/java/ql/integration-tests/java/buildless-sibling-projects/test.py
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/test.py
@@ -1,3 +1,5 @@
+import os
+
 def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_java):
    # The version of gradle used doesn't work on java 17
    codeql.database.create(
@@ -5,5 +7,6 @@ def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_j
            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
            "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
        }
    )
--- a/java/ql/integration-tests/java/diagnostics/android-gradle-incompatibility/settings.gradle
+++ b/java/ql/integration-tests/java/diagnostics/android-gradle-incompatibility/settings.gradle
@@ -14,7 +14,9 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/diagnostics/java-version-too-old/build.gradle
+++ b/java/ql/integration-tests/java/diagnostics/java-version-too-old/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/diagnostics/no-gradle-wrapper/build.gradle
+++ b/java/ql/integration-tests/java/diagnostics/no-gradle-wrapper/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/gradle-sample-kotlin-script/app/build.gradle.kts
+++ b/java/ql/integration-tests/java/gradle-sample-kotlin-script/app/build.gradle.kts
@@ -12,8 +12,9 @@ plugins {
 }

 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+    }
 }

 dependencies {
--- a/java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/build.gradle
+++ b/java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/gradle-sample/build.gradle
+++ b/java/ql/integration-tests/java/gradle-sample/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/partial-gradle-sample-without-gradle/build.gradle
+++ b/java/ql/integration-tests/java/partial-gradle-sample-without-gradle/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/partial-gradle-sample/build.gradle
+++ b/java/ql/integration-tests/java/partial-gradle-sample/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/spring-boot-sample/build.gradle
+++ b/java/ql/integration-tests/java/spring-boot-sample/build.gradle
@@ -11,7 +11,9 @@ version = '0.0.1-SNAPSHOT'
 // but I omit it to test we recognise the Spring Boot plugin version.

 repositories {
-	mavenCentral()
+	maven {
+		url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+	}
 }

 dependencies {
--- a/java/ql/integration-tests/kotlin/all-platforms/compiler_arguments/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/compiler_arguments/app/build.gradle
@@ -15,8 +15,9 @@ plugins {
 }

 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 application {
--- a/java/ql/integration-tests/kotlin/all-platforms/gradle_groovy_app/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/gradle_groovy_app/app/build.gradle
@@ -15,8 +15,9 @@ plugins {
 }

 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 application {
--- a/java/ql/integration-tests/kotlin/all-platforms/gradle_kotlinx_serialization/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/gradle_kotlinx_serialization/app/build.gradle
@@ -4,7 +4,9 @@ plugins {
 }

 repositories {
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 dependencies {
--- a/java/ql/integration-tests/kotlin/all-platforms/kotlin_kfunction/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/kotlin_kfunction/app/build.gradle
@@ -15,8 +15,9 @@ plugins {
 }

 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }

 application {
--- a/python/ql/consistency-queries/CfgConsistency.ql
+++ b/python/ql/consistency-queries/CfgConsistency.ql
@@ -0,0 +1,2 @@
+import semmle.python.controlflow.internal.AstNodeImpl
+import ControlFlow::Consistency
--- a/python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md
+++ b/python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A new Python control flow graph implementation has been added under `semmle.python.controlflow.internal.Cfg` (backed by `AstNodeImpl.qll`), built on the shared `codeql.controlflow.ControlFlowGraph` library. It is not yet used by the dataflow library or any production query; the legacy CFG in `semmle/python/Flow.qll` remains the default. The new library is exposed for tests and for upcoming migrations.
--- a/python/ql/lib/change-notes/2026-06-04-cfg-parameter-annotations.md
+++ b/python/ql/lib/change-notes/2026-06-04-cfg-parameter-annotations.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The new (shared-CFG-based) Python control flow graph now visits parameter and return type annotations as CFG nodes for function definitions, matching the legacy CFG. This restores annotation-based type tracking through framework models such as FastAPI's `Depends()`, Pydantic request models, Starlette `WebSocket` handlers, and any other models that flow a class reference through `Parameter.getAnnotation()` to identify instances of the annotated class.
--- a/python/ql/lib/ide-contextual-queries/printCfg.ql
+++ b/python/ql/lib/ide-contextual-queries/printCfg.ql
@@ -0,0 +1,42 @@
+/**
+ * @name Print CFG
+ * @description Produces a representation of a file's Control Flow Graph.
+ *              This query is used by the VS Code extension.
+ * @id py/print-cfg
+ * @kind graph
+ * @tags ide-contextual-queries/print-cfg
+ */
+
+import semmle.python.Files as Files
+// import semmle.python.Scope
+import semmle.python.controlflow.internal.AstNodeImpl
+
+external string selectedSourceFile();
+
+private predicate selectedSourceFileAlias = selectedSourceFile/0;
+
+external int selectedSourceLine();
+
+private predicate selectedSourceLineAlias = selectedSourceLine/0;
+
+external int selectedSourceColumn();
+
+private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
+
+module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<Files::File> {
+  predicate selectedSourceFile = selectedSourceFileAlias/0;
+
+  predicate selectedSourceLine = selectedSourceLineAlias/0;
+
+  predicate selectedSourceColumn = selectedSourceColumnAlias/0;
+
+  predicate cfgScopeSpan(
+    Ast::Callable scope, Files::File file, int startLine, int startColumn, int endLine,
+    int endColumn
+  ) {
+    file = scope.getLocation().getFile() and
+    scope.getLocation().hasLocationInfo(_, startLine, startColumn, endLine, endColumn)
+  }
+}
+
+import ControlFlow::ViewCfgQuery<Files::File, ViewCfgQueryInput>
--- a/python/ql/lib/semmle/python/controlflow/internal/AstNodeImpl.qll
+++ b/python/ql/lib/semmle/python/controlflow/internal/AstNodeImpl.qll
--- a/python/ql/lib/semmle/python/controlflow/internal/Cfg.qll
+++ b/python/ql/lib/semmle/python/controlflow/internal/Cfg.qll
--- a/python/ql/test/extractor-tests/syntax_error/CONSISTENCY/CfgConsistency.expected
+++ b/python/ql/test/extractor-tests/syntax_error/CONSISTENCY/CfgConsistency.expected
@@ -0,0 +1,4 @@
+consistencyOverview
+| deadEnd | 1 |
+deadEnd
+| without_loop.py:7:5:7:9 | Break |
--- a/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.expected
+++ b/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.expected
--- a/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.ql
+++ b/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.ql
@@ -0,0 +1,32 @@
+/**
+ * Phase -1 of the dataflow CFG migration: verifies that every variable
+ * binding visible to the AST (`Name.defines(v)`) corresponds to a CFG node
+ * in the new CFG (`semmle.python.controlflow.internal.AstNodeImpl`).
+ *
+ * The expected tag is `cfgdefines=<name>`. Each binding annotation in the
+ * test sources looks like `# $ cfgdefines=x` for a binding currently
+ * covered by the new CFG, or `# $ MISSING: cfgdefines=x` for a binding
+ * that is known to be uncovered (a "red" test case that should be
+ * green-flipped once the corresponding `cfg-ext-*` extension lands).
+ */
+
+import python
+import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
+import utils.test.InlineExpectationsTest
+
+module CfgBindingsTest implements TestSig {
+  string getARelevantTag() { result = "cfgdefines" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Name n, Variable v, CfgImpl::ControlFlowNode cfg |
+      n.defines(v) and
+      cfg.getAstNode().asExpr() = n and
+      location = n.getLocation() and
+      element = n.toString() and
+      tag = "cfgdefines" and
+      value = v.getId()
+    )
+  }
+}
+
+import MakeTest<CfgBindingsTest>
--- a/python/ql/test/library-tests/ControlFlow/bindings/annassign.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/annassign.py
@@ -0,0 +1,13 @@
+# Annotated assignment (PEP 526). Both with and without an initializer.
+
+a: int = 1  # $ cfgdefines=a
+b: str = "hi"  # $ cfgdefines=b
+
+# Annotation without value: the AST records `c` as defined,
+# and the new CFG now visits it via the AnnAssignStmt wrapper.
+c: int  # $ cfgdefines=c
+
+class K:  # $ cfgdefines=K
+    field: int = 0  # $ cfgdefines=field
+
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/compound.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/compound.py
@@ -0,0 +1,14 @@
+# Compound (tuple/list) assignment targets — actually wired in the new CFG.
+
+a, b = (1, 2)  # $ cfgdefines=a cfgdefines=b
+[c, d] = [3, 4]  # $ cfgdefines=c cfgdefines=d
+
+# Nested unpacking.
+(e, (f, g)) = (1, (2, 3))  # $ cfgdefines=e cfgdefines=f cfgdefines=g
+
+# Star unpacking.
+h, *i = [1, 2, 3]  # $ cfgdefines=h cfgdefines=i
+
+# Chained assignment with compound target.
+j = k, l = (5, 6)  # $ cfgdefines=j cfgdefines=k cfgdefines=l
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/comprehension.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/comprehension.py
@@ -0,0 +1,21 @@
+# Comprehension and `for` loop targets — wired in the new CFG.
+# Comprehensions are nested function scopes with a synthetic `.0` parameter
+# bound to the iterable.
+
+# Bare-name `for` target.
+for i in range(3):  # $ cfgdefines=i
+    pass
+
+# Compound `for` target.
+for k, v in [(1, 2)]:  # $ cfgdefines=k cfgdefines=v
+    pass
+
+# Comprehension targets.
+_ = [x for x in range(3)]  # $ cfgdefines=_ cfgdefines=x cfgdefines=.0
+_ = {y: z for y, z in []}  # $ cfgdefines=_ cfgdefines=y cfgdefines=z cfgdefines=.0
+_ = (a for a in [])  # $ cfgdefines=_ cfgdefines=a cfgdefines=.0
+
+# Nested comprehensions.
+_ = [b for c in [] for b in c]  # $ cfgdefines=_ cfgdefines=c cfgdefines=b cfgdefines=.0
+
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/dead_under_no_raise.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/dead_under_no_raise.py
@@ -0,0 +1,53 @@
+# Reachability of code following a try whose body always returns.
+#
+# The new CFG models exception edges for raise-prone expressions when
+# they appear inside a `try` (or `with`) statement, mirroring Java's
+# `mayThrow`. This means the body of a `try` has both a normal
+# completion edge and an exception edge to its handlers, so code
+# following the try-statement is reachable via the except-handler path
+# even when the try-body would otherwise always return.
+#
+# Code that is not reachable under either normal or exception flow
+# (for example, the `else` clause of a try whose body unconditionally
+# raises) remains correctly classified as dead.
+
+
+def f(obj):  # $ cfgdefines=f cfgdefines=obj
+    try:
+        return len(obj)
+    except TypeError:
+        pass
+
+    # The try-body always returns, but `len(obj)` can raise (it is
+    # inside the try, so we model its exception edge). The
+    # `except TypeError: pass` handler falls through to here, making
+    # the code below reachable.
+    try:
+        hint = type(obj).__length_hint__  # $ cfgdefines=hint
+    except AttributeError:
+        return None
+    return hint
+
+
+def g():  # $ cfgdefines=g
+    try:
+        raise Exception("inner")
+    except:
+        raise Exception("outer")
+    else:
+        # Unreachable: the inner try body always raises (via an explicit
+        # `raise`, which is modelled unconditionally), so the `else:`
+        # clause never runs.
+        hit_inner_else = True
+
+
+def h(cache, key):  # $ cfgdefines=h cfgdefines=cache cfgdefines=key
+    try:
+        return cache[key]
+    except KeyError:
+        pass
+
+    # Same pattern as `f`: reachable via the except-handler fall-through.
+    value = compute(key)  # $ cfgdefines=value
+    cache[key] = value
+    return value
--- a/python/ql/test/library-tests/ControlFlow/bindings/decorated.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/decorated.py
@@ -0,0 +1,30 @@
+# Decorated `def`/`class` — wired in the new CFG.
+
+
+def deco(f):  # $ cfgdefines=deco cfgdefines=f
+    return f
+
+
+@deco
+def decorated_func():  # $ cfgdefines=decorated_func
+    pass
+
+
+@deco
+class DecoratedClass:  # $ cfgdefines=DecoratedClass
+    pass
+
+
+# Stacked decorators.
+@deco
+@deco
+def doubly():  # $ cfgdefines=doubly
+    pass
+
+
+# Inside a class body.
+class Outer:  # $ cfgdefines=Outer
+    @staticmethod
+    def inner():  # $ cfgdefines=inner
+        pass
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/except_handler.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/except_handler.py
@@ -0,0 +1,19 @@
+# Exception-handler name bindings. These are already wired in the new
+# CFG provided the try body can raise; `raise` statements are reliably
+# treated as exception sources.
+
+try:
+    raise ValueError("oops")
+except ValueError as e:  # $ cfgdefines=e
+    pass
+
+try:
+    raise TypeError("oops")
+except (TypeError, KeyError) as err:  # $ cfgdefines=err
+    pass
+
+# Exception groups (Python 3.11+).
+try:
+    raise ValueError("oops")
+except* ValueError as eg:  # $ cfgdefines=eg
+    pass
--- a/python/ql/test/library-tests/ControlFlow/bindings/imports.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/imports.py
@@ -0,0 +1,14 @@
+# Import aliases — all bound names below are now reachable via the new
+# CFG's `ImportStmt` wrapper.
+
+import os  # $ cfgdefines=os
+import os.path  # $ cfgdefines=os
+import os as o  # $ cfgdefines=o
+from os import path  # $ cfgdefines=path
+from os import path as p  # $ cfgdefines=p
+from os import sep, linesep  # $ cfgdefines=sep cfgdefines=linesep
+from os import (
+    getcwd,  # $ cfgdefines=getcwd
+    getcwdb,  # $ cfgdefines=getcwdb
+)
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/match_pattern.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/match_pattern.py
@@ -0,0 +1,24 @@
+# Match-statement pattern bindings — wired in the new CFG.
+
+def f(subject):  # $ cfgdefines=f cfgdefines=subject
+    match subject:
+        case x:  # $ cfgdefines=x
+            pass
+        case [a, b]:  # $ cfgdefines=a cfgdefines=b
+            pass
+        case {"k": v}:  # $ cfgdefines=v
+            pass
+        case Point(p, q):  # $ cfgdefines=p cfgdefines=q
+            pass
+        case [_, *rest]:  # $ cfgdefines=rest
+            pass
+        case (1 | 2) as n:  # $ cfgdefines=n
+            pass
+
+
+class Point:  # $ cfgdefines=Point
+    __match_args__ = ("x", "y")  # $ cfgdefines=__match_args__
+    x: int  # $ cfgdefines=x
+    y: int  # $ cfgdefines=y
+
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/parameters.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/parameters.py
@@ -0,0 +1,42 @@
+# Function parameters.
+
+def positional(a, b):  # $ cfgdefines=positional cfgdefines=a cfgdefines=b
+    pass
+
+
+def with_default(x=1, y=2):  # $ cfgdefines=with_default cfgdefines=x cfgdefines=y
+    pass
+
+
+def with_vararg(*args):  # $ cfgdefines=with_vararg cfgdefines=args
+    pass
+
+
+def with_kwarg(**kwargs):  # $ cfgdefines=with_kwarg cfgdefines=kwargs
+    pass
+
+
+def with_kwonly(*, k1, k2=5):  # $ cfgdefines=with_kwonly cfgdefines=k1 cfgdefines=k2
+    pass
+
+
+def kitchen_sink(a, b=2, *args, k1, k2=5, **kw):  # $ cfgdefines=kitchen_sink cfgdefines=a cfgdefines=b cfgdefines=args cfgdefines=k1 cfgdefines=k2 cfgdefines=kw
+    pass
+
+
+# Methods get `self` / `cls`.
+class C:  # $ cfgdefines=C
+    def method(self, x):  # $ cfgdefines=method cfgdefines=self cfgdefines=x
+        pass
+
+    @classmethod
+    def cmethod(cls, x):  # $ cfgdefines=cmethod cfgdefines=cls cfgdefines=x
+        pass
+
+
+# Lambda parameter.
+_ = lambda p: p + 1  # $ cfgdefines=_ cfgdefines=p
+
+# PEP 570 positional-only.
+def pos_only(a, b, /, c):  # $ cfgdefines=pos_only cfgdefines=a cfgdefines=b cfgdefines=c
+    pass
--- a/python/ql/test/library-tests/ControlFlow/bindings/simple.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/simple.py
@@ -0,0 +1,14 @@
+# Simple bindings that should already work in the new CFG.
+# No MISSING annotations expected.
+
+x = 1  # $ cfgdefines=x
+y = x + 1  # $ cfgdefines=y
+
+def f():  # $ cfgdefines=f
+    pass
+
+class C:  # $ cfgdefines=C
+    pass
+
+# Re-assignment.
+x = 2  # $ cfgdefines=x
--- a/python/ql/test/library-tests/ControlFlow/bindings/type_params.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/type_params.py
@@ -0,0 +1,21 @@
+# PEP 695 type parameters (Python 3.12+).
+
+# PEP 695 type-param names on `def`/`class` bind in an annotation scope
+# that nests the function/class body — they have no CFG node in the
+# enclosing scope (matching the legacy CFG).
+def func[T](x: T) -> T:  # $ cfgdefines=func cfgdefines=x
+    return x
+
+
+class Box[T]:  # $ cfgdefines=Box
+    item: T  # $ cfgdefines=item
+
+
+# Multi-parameter, with bound and variadics.
+def multi[T: int, *Ts, **P](x: T, *args: *Ts, **kwargs: P.kwargs) -> T:  # $ cfgdefines=multi cfgdefines=x cfgdefines=args cfgdefines=kwargs
+    return x
+
+
+# `type` statement (PEP 695).
+type Alias[T] = list[T]  # $ cfgdefines=Alias cfgdefines=T
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/walrus_starred.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/walrus_starred.py
@@ -0,0 +1,14 @@
+# Walrus and starred-target edge cases — wired in the new CFG.
+
+# Walrus in expression context.
+if (y := 5) > 0:  # $ cfgdefines=y
+    pass
+
+# Walrus in a comprehension. The comprehension introduces a synthetic
+# `.0` parameter bound to the iterable.
+_ = [w for _ in range(3) if (w := 1)]  # $ cfgdefines=_ cfgdefines=w cfgdefines=.0
+
+# Starred target in a Tuple LHS.
+*head, tail = [1, 2, 3]  # $ cfgdefines=head cfgdefines=tail
+
+
--- a/python/ql/test/library-tests/ControlFlow/bindings/with_stmt.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/with_stmt.py
@@ -0,0 +1,21 @@
+# `with cm() as x:` bindings — wired in the new CFG.
+
+class CM:  # $ cfgdefines=CM
+    def __enter__(self): return self  # $ cfgdefines=__enter__ cfgdefines=self
+    def __exit__(self, *a): pass  # $ cfgdefines=__exit__ cfgdefines=self cfgdefines=a
+
+with CM() as x:  # $ cfgdefines=x
+    pass
+
+# Multiple items.
+with CM() as a, CM() as b:  # $ cfgdefines=a cfgdefines=b
+    pass
+
+# Parenthesised form (Python 3.10+).
+with (CM() as p, CM() as q):  # $ cfgdefines=p cfgdefines=q
+    pass
+
+# Compound target in `with`.
+with CM() as (m, n):  # $ cfgdefines=m cfgdefines=n
+    pass
+
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.ql
@@ -0,0 +1,14 @@
+/** New-CFG version of AllLiveReachable. */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TestFunction f
+where allLiveReachable(a, f)
+select a, "Unreachable live annotation; entry of $@ does not reach this node", f, f.getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.expected
@@ -0,0 +1 @@
+
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.ql
@@ -0,0 +1,18 @@
+/**
+ * New-CFG version of AnnotationHasCfgNode.
+ *
+ * Checks that every timer annotation has a corresponding CFG node.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where annotationWithoutCfgNode(ann)
+select ann, "Annotation in $@ has no CFG node", ann.getTestFunction(),
+  ann.getTestFunction().getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.ql
@@ -0,0 +1,26 @@
+/**
+ * New-CFG version of BasicBlockAnnotationGap.
+ *
+ * Original:
+ * Checks that within a basic block, if a node is annotated then its
+ * successor is also annotated (or excluded). A gap in annotations
+ * within a basic block indicates a missing annotation, since there
+ * are no branches to justify the gap.
+ *
+ * Nodes with exceptional successors are excluded, as the exception
+ * edge leaves the basic block and the normal successor may be dead.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, CfgNode succ
+where basicBlockAnnotationGap(a, succ)
+select a, "Annotated node followed by unannotated $@ in the same basic block", succ,
+  succ.getNode().toString()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.ql
@@ -0,0 +1,21 @@
+/**
+ * New-CFG version of BasicBlockOrdering.
+ *
+ * Original:
+ * Checks that within a single basic block, annotations appear in
+ * increasing minimum-timestamp order.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int minB
+where basicBlockOrdering(a, b, minA, minB)
+select a, "Basic block ordering: $@ appears before $@", a.getTimestampExpr(minA),
+  "timestamp " + minA, b.getTimestampExpr(minB), "timestamp " + minB
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBranchTimestamps.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBranchTimestamps.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBranchTimestamps.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBranchTimestamps.ql
@@ -0,0 +1,80 @@
+/**
+ * New-CFG version of BranchTimestamps.
+ *
+ * Checks that when a node has both a true and false successor, the
+ * live timestamps on one branch are marked as dead on the other.
+ * This ensures that boolean branches are fully annotated with dead()
+ * markers for the paths not taken.
+ *
+ * Limitation: the `@ t[ts, ...]` / `dead(ts)` annotation scheme can only
+ * model branch-dead-ness for plain boolean control flow that reconverges
+ * linearly after the split — i.e. `if`-with-else and `if`-expression.
+ * It cannot model:
+ *
+ *   * loops (`while` / `for`): body timestamps repeat across iterations,
+ *     so the loop-exit annotation can't list them as dead;
+ *   * `match` statements: each `case` body is a syntactically distinct
+ *     sub-tree, and the branches don't reconverge through a common
+ *     annotation point in the timeline;
+ *   * `try` / `with` and `raise` / `assert`: exception edges are modelled
+ *     as true/false but flow to syntactically distinct handlers, with no
+ *     reconvergence in the linear annotation order;
+ *   * short-circuit `and` / `or` (`BoolExpr`): the branches reconverge at
+ *     the BoolExpr's after-node, so timestamps on one branch are live
+ *     downstream of the other rather than dead;
+ *   * `if` without an `else` clause, and `if`/`elif` chains: the false
+ *     branch reconverges with the true branch at the post-if statement
+ *     (no-else) or fans out across multiple elif-test annotations,
+ *     neither of which fit the binary annotation scheme.
+ *
+ * Branch nodes inside those constructs are therefore whitelisted out
+ * below. The check still fires (and is useful) for plain `if`/`else`
+ * and conditional-expression branching.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+/**
+ * Holds if `f` contains a construct whose branches the linear-timestamp
+ * annotation scheme cannot describe (see file-level comment).
+ */
+private predicate hasUnmodellableBranching(Function f) {
+  exists(AstNode bad |
+    bad.getScope() = f and
+    (
+      bad instanceof While
+      or
+      bad instanceof For
+      or
+      bad instanceof MatchStmt
+      or
+      bad instanceof Try
+      or
+      bad instanceof With
+      or
+      bad instanceof Raise
+      or
+      bad instanceof Assert
+      or
+      bad instanceof BoolExpr
+      or
+      bad instanceof If and
+      (not exists(bad.(If).getAnOrelse()) or bad.(If).isElif())
+    )
+  )
+}
+
+from TimerCfgNode node, int ts, string branch
+where
+  missingBranchTimestamp(node, ts, branch) and
+  not hasUnmodellableBranching(node.getTestFunction())
+select node,
+  "Timestamp " + ts + " on true/false branch is missing a dead() annotation on the " + branch +
+    " successor in $@", node.getTestFunction(), node.getTestFunction().getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.expected
@@ -0,0 +1 @@
+
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.ql
@@ -0,0 +1,22 @@
+/**
+ * New-CFG version of ConsecutivePredecessorTimestamps.
+ *
+ * Checks that each annotated node (except the minimum timestamp) has
+ * a predecessor annotation with timestamp `a - 1`. This is the reverse
+ * of ConsecutiveTimestamps: it catches nodes that are reachable but
+ * arrived at from the wrong place (skipping an intermediate node).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerAnnotation ann, int a
+where consecutivePredecessorTimestamps(ann, a)
+select ann, "$@ in $@ has no consecutive predecessor (expected " + (a - 1) + ")",
+  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutiveTimestamps.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutiveTimestamps.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutiveTimestamps.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutiveTimestamps.ql
@@ -0,0 +1,29 @@
+/**
+ * New-CFG version of ConsecutiveTimestamps.
+ *
+ * Original:
+ * Checks that consecutive annotated nodes have consecutive timestamps:
+ * for each annotation with timestamp `a`, some CFG node for that annotation
+ * must have a next annotation containing `a + 1`.
+ *
+ * Handles CFG splitting (e.g., finally blocks duplicated for normal/exceptional
+ * flow) by checking that at least one split has the required successor.
+ *
+ * Only applies to functions where all annotations are in the function's
+ * own scope (excludes tests with generators, async, comprehensions, or
+ * lambdas that have annotations in nested scopes).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerAnnotation ann, int a
+where consecutiveTimestamps(ann, a)
+select ann, "$@ in $@ has no consecutive successor (expected " + (a + 1) + ")",
+  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgImpl.qll
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgImpl.qll
@@ -0,0 +1,120 @@
+/**
+ * Implementation of the evaluation-order CFG signature using the new
+ * shared control flow graph from AstNodeImpl.
+ */
+
+private import python as Py
+import TimerUtils
+private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
+private import codeql.controlflow.SuccessorType
+
+private class NewControlFlowNode = CfgImpl::ControlFlowNode;
+
+private class NewBasicBlock = CfgImpl::BasicBlock;
+
+/** New (shared) CFG implementation of the evaluation-order signature. */
+module NewCfg implements EvalOrderCfgSig {
+  class CfgNode instanceof NewControlFlowNode {
+    // We must pick a *unique* representative CFG node for each AST node. The
+    // shared CFG has several nodes per AST node (before / in-post-order / after
+    // / after-value splits), but the timer test framework keys annotations on
+    // `getNode()` and assumes one CFG node per annotated AST node. Without a
+    // filter, an annotated `f()` would map to both `f()` and `After f()`, which
+    // breaks two framework invariants: (1) the "no shared reachable" check
+    // requires that two distinct nodes sharing a timestamp be mutually
+    // unreachable (true/false branches of a condition), but `Before f()`,
+    // `f()` and `After f()` share the annotation's timestamp *and* lie on one
+    // linear path; and (2) the annotation walk (`nextTimerAnnotation`) halts at
+    // the first reachable representative, so a second node for the same AST
+    // node would stall the walk on the same timestamp instead of advancing to
+    // the next evaluation event.
+    //
+    // We use the "after" node (`isAfter`) rather than the canonical `injects`
+    // node, because `injects` represents short-circuit / conditional
+    // expressions (`and`/`or`/`not`/ternary) by their *before* node, placing
+    // them ahead of their operands — wrong for evaluation order. `isAfter`
+    // instead picks the post-evaluation node: the merged before/after node for
+    // simple leaves, the `TAfterNode` for post-order expressions, and the
+    // `AfterValueNode`(s) for pre-order conditionals, all positioned after the
+    // operands. The two value-split nodes of a conditional are genuinely
+    // distinct evaluation outcomes (handled by `getATrueSuccessor` /
+    // `getAFalseSuccessor`), so they do not violate the uniqueness assumption.
+    CfgNode() { NewControlFlowNode.super.isAfter(_) }
+
+    string toString() { result = NewControlFlowNode.super.toString() }
+
+    Py::Location getLocation() { result = NewControlFlowNode.super.getLocation() }
+
+    Py::AstNode getNode() {
+      result = CfgImpl::astNodeToPyNode(NewControlFlowNode.super.getAstNode())
+    }
+
+    CfgNode getASuccessor() { nextCfgNode(this, result) }
+
+    CfgNode getATrueSuccessor() {
+      NewControlFlowNode.super.isAfterTrue(_) and
+      // Only where there's also a false branch (true boolean split)
+      exists(NewControlFlowNode other | other.isAfterFalse(NewControlFlowNode.super.getAstNode())) and
+      nextCfgNodeFrom(this, result)
+    }
+
+    CfgNode getAFalseSuccessor() {
+      NewControlFlowNode.super.isAfterFalse(_) and
+      // Only where there's also a true branch (true boolean split)
+      exists(NewControlFlowNode other | other.isAfterTrue(NewControlFlowNode.super.getAstNode())) and
+      nextCfgNodeFrom(this, result)
+    }
+
+    CfgNode getAnExceptionalSuccessor() {
+      exists(NewControlFlowNode mid |
+        mid = NewControlFlowNode.super.getAnExceptionSuccessor() and
+        nextCfgNodeFrom(mid, result)
+      )
+    }
+
+    Py::Scope getScope() { result = NewControlFlowNode.super.getEnclosingCallable().asScope() }
+
+    BasicBlock getBasicBlock() {
+      exists(NewBasicBlock bb, int i | bb.getNode(i) = this and result = bb)
+    }
+  }
+
+  /**
+   * Holds if `next` is the nearest CfgNode reachable from `n` via
+   * one or more raw CFG successor edges, skipping non-CfgNode intermediaries.
+   */
+  private predicate nextCfgNodeFrom(NewControlFlowNode n, CfgNode next) {
+    next = n.getASuccessor()
+    or
+    exists(NewControlFlowNode mid |
+      mid = n.getASuccessor() and
+      not mid instanceof CfgNode and
+      nextCfgNodeFrom(mid, next)
+    )
+  }
+
+  /**
+   * Holds if `next` is the nearest CfgNode successor of `n`,
+   * skipping synthetic intermediate nodes.
+   */
+  private predicate nextCfgNode(CfgNode n, CfgNode next) { nextCfgNodeFrom(n, next) }
+
+  class BasicBlock instanceof NewBasicBlock {
+    string toString() { result = NewBasicBlock.super.toString() }
+
+    CfgNode getNode(int n) { result = NewBasicBlock.super.getNode(n) }
+
+    predicate reaches(BasicBlock bb) { this = bb or this.strictlyReaches(bb) }
+
+    predicate strictlyReaches(BasicBlock bb) { NewBasicBlock.super.getASuccessor+() = bb }
+
+    predicate strictlyDominates(BasicBlock bb) { NewBasicBlock.super.strictlyDominates(bb) }
+  }
+
+  CfgNode scopeGetEntryNode(Py::Scope s) {
+    exists(CfgImpl::ControlFlow::EntryNode entry |
+      entry.getEnclosingCallable().asScope() = s and
+      nextCfgNodeFrom(entry, result)
+    )
+  }
+}
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNeverReachable.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNeverReachable.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNeverReachable.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNeverReachable.ql
@@ -0,0 +1,21 @@
+/**
+ * New-CFG version of NeverReachable.
+ *
+ * Original:
+ * Checks that expressions annotated with `t.never` either have no CFG
+ * node, or if they do, that the node is not reachable from its scope's
+ * entry (including within the same basic block).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils::CfgTests
+
+from TimerAnnotation ann
+where neverReachable(ann)
+select ann, "Node annotated with t.never is reachable in $@", ann.getTestFunction(),
+  ann.getTestFunction().getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBackwardFlow.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBackwardFlow.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBackwardFlow.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBackwardFlow.ql
@@ -0,0 +1,22 @@
+/**
+ * New-CFG version of NoBackwardFlow.
+ *
+ * Original:
+ * Checks that time never flows backward between consecutive timer annotations
+ * in the CFG. For each pair of consecutive annotated nodes (A -> B), there must
+ * exist timestamps a in A and b in B with a < b.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int minA, int maxB
+where noBackwardFlow(a, b, minA, maxB)
+select a, "Backward flow: $@ flows to $@ (max timestamp $@)", a.getTimestampExpr(minA),
+  minA.toString(), b, b.getNode().toString(), b.getTimestampExpr(maxB), maxB.toString()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.expected
@@ -0,0 +1 @@
+
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.ql
@@ -0,0 +1,18 @@
+/**
+ * New-CFG version of NoBasicBlock.
+ *
+ * Checks that every annotated CFG node belongs to a basic block.
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from CfgNode n, TestFunction f
+where noBasicBlock(n, f)
+select n, "CFG node in $@ does not belong to any basic block", f, f.getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoSharedReachable.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoSharedReachable.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoSharedReachable.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoSharedReachable.ql
@@ -0,0 +1,21 @@
+/**
+ * New-CFG version of NoSharedReachable.
+ *
+ * Original:
+ * Checks that two annotations sharing a timestamp value are on
+ * mutually exclusive CFG paths (neither can reach the other).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int ts
+where noSharedReachable(a, b, ts)
+select a, "Shared timestamp $@ but this node reaches $@", a.getTimestampExpr(ts), ts.toString(), b,
+  b.getNode().toString()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgStrictForward.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgStrictForward.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgStrictForward.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgStrictForward.ql
@@ -0,0 +1,22 @@
+/**
+ * New-CFG version of StrictForward.
+ *
+ * Original:
+ * Stronger version of NoBackwardFlow: for consecutive annotated nodes
+ * A -> B that both have a single timestamp (non-loop code) and B does
+ * NOT dominate A (forward edge), requires max(A) < min(B).
+ */
+
+import python
+import TimerUtils
+import NewCfgImpl
+
+private module Utils = EvalOrderCfgUtils<NewCfg>;
+
+private import Utils
+private import Utils::CfgTests
+
+from TimerCfgNode a, TimerCfgNode b, int maxA, int minB
+where strictForward(a, b, maxA, minB)
+select a, "Strict forward violation: $@ flows to $@", a.getTimestampExpr(maxA), "timestamp " + maxA,
+  b.getTimestampExpr(minB), "timestamp " + minB
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/OldCfgImpl.qll
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/OldCfgImpl.qll
@@ -3,14 +3,14 @@
 * Python control flow graph.
 */

-private import python as PY
+private import python as Py
 import TimerUtils

 /** Existing Python CFG implementation of the evaluation-order signature. */
 module OldCfg implements EvalOrderCfgSig {
-  class CfgNode = PY::ControlFlowNode;
+  class CfgNode = Py::ControlFlowNode;

-  class BasicBlock = PY::BasicBlock;
+  class BasicBlock = Py::BasicBlock;

-  CfgNode scopeGetEntryNode(PY::Scope s) { result = s.getEntryNode() }
+  CfgNode scopeGetEntryNode(Py::Scope s) { result = s.getEntryNode() }
 }
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/test_if.py
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/test_if.py
@@ -85,7 +85,7 @@ def test_nested_if_else(t):
        else:
            z = 2 @ t[dead(4)]
    else:
-        z = 3 @ t[dead(4)]
+        z = 3 @ t[dead(3), dead(4)]
    w = 0 @ t[5]


--- a/python/ql/test/library-tests/ControlFlow/store-load/StoreLoadTest.expected
+++ b/python/ql/test/library-tests/ControlFlow/store-load/StoreLoadTest.expected
--- a/python/ql/test/library-tests/ControlFlow/store-load/StoreLoadTest.ql
+++ b/python/ql/test/library-tests/ControlFlow/store-load/StoreLoadTest.ql
@@ -0,0 +1,41 @@
+/**
+ * Inline-expectations test for the store/load/delete/parameter
+ * classification predicates on the new-CFG facade.
+ *
+ * Each tag fires when the corresponding predicate (`isLoad`,
+ * `isStore`, `isDelete`, `isParameter`, `isAugLoad`, `isAugStore`)
+ * holds on the canonical CFG node wrapping a `Py::Name` with the
+ * given identifier. Subscript and attribute stores are not covered
+ * by these tags — only the `Name`-typed targets/loads they involve.
+ */
+
+import python
+import semmle.python.controlflow.internal.Cfg as Cfg
+import utils.test.InlineExpectationsTest
+
+module StoreLoadTest implements TestSig {
+  string getARelevantTag() { result = ["load", "store", "delete", "param", "augload", "augstore"] }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(Cfg::NameNode n |
+      location = n.getLocation() and
+      element = n.toString() and
+      value = n.getId() and
+      (
+        n.isLoad() and not n.isAugLoad() and tag = "load"
+        or
+        n.isStore() and not n.isAugStore() and tag = "store"
+        or
+        n.isDelete() and tag = "delete"
+        or
+        n.isParameter() and tag = "param"
+        or
+        n.isAugLoad() and tag = "augload"
+        or
+        n.isAugStore() and tag = "augstore"
+      )
+    )
+  }
+}
+
+import MakeTest<StoreLoadTest>
--- a/python/ql/test/library-tests/ControlFlow/store-load/test.py
+++ b/python/ql/test/library-tests/ControlFlow/store-load/test.py
@@ -0,0 +1,56 @@
+# Store/load/delete/parameter classification on the new-CFG facade.
+#
+# Each annotated location carries the (sorted, deduplicated) set of
+# kinds the CFG facade reports there. Comparing against the legacy
+# 'semmle.python.Flow' classification is done by the comparison query
+# 'StoreLoadParity.ql' — annotations here are only the positive
+# assertions for the new facade.
+#
+# Tags:
+#   load=<id>       -- isLoad() fires on the Name
+#   store=<id>      -- isStore() fires
+#   delete=<id>     -- isDelete() fires
+#   param=<id>      -- isParameter() fires
+#   augload=<id>    -- isAugLoad() fires (the LHS of x += ... when read)
+#   augstore=<id>   -- isAugStore() fires (the LHS of x += ... when written)
+
+
+# --- plain load / store / delete ---
+
+x = 1  # $ store=x
+y = x + 1  # $ store=y load=x
+print(y)  # $ load=print load=y
+del x  # $ delete=x
+
+
+# --- function definitions (parameters) ---
+
+def f(a, b=2, *args, c, **kwargs):  # $ store=f param=a param=b param=args param=c param=kwargs
+    return a + b + c  # $ load=a load=b load=c
+
+
+# --- augmented assignment splits one Name into load + store halves ---
+
+def aug():  # $ store=aug
+    n = 0  # $ store=n
+    n += 1  # $ augload=n augstore=n
+    return n  # $ load=n
+
+
+# --- subscript / attribute stores ---
+
+class C:  # $ store=C
+    pass
+
+
+def stores(obj, container, idx):  # $ store=stores param=obj param=container param=idx
+    obj.attr = 1  # $ load=obj
+    container[idx] = 2  # $ load=container load=idx
+    return obj  # $ load=obj
+
+
+# --- tuple unpacking ---
+
+def unpack(pair):  # $ store=unpack param=pair
+    a, b = pair  # $ store=a store=b load=pair
+    return a + b  # $ load=a load=b
--- a/ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
+++ b/ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll
@@ -1312,6 +1312,244 @@ module QL {
    /** Gets a field or child node of this node. */
    final override AstNode getAFieldOrChild() { ql_variable_def(this, result) }
  }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(AddExpr).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(AddExpr).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(AddExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Aggregate).getChild(i) and name = "getChild"
+      or
+      result = node.(AnnotArg).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Annotation).getArgs(i) and name = "getArgs"
+      or
+      result = node.(Annotation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AritylessPredicateExpr).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AritylessPredicateExpr).getQualifier() and i = -1 and name = "getQualifier"
+      or
+      result = node.(AsExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(AsExprs).getChild(i) and name = "getChild"
+      or
+      result = node.(Body).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Bool).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(CallBody).getChild(i) and name = "getChild"
+      or
+      result = node.(CallOrUnqualAggExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(Charpred).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Charpred).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ClassMember).getChild(i) and name = "getChild"
+      or
+      result = node.(ClasslessPredicate).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ClasslessPredicate).getReturnType() and i = -1 and name = "getReturnType"
+      or
+      result = node.(ClasslessPredicate).getChild(i) and name = "getChild"
+      or
+      result = node.(CompTerm).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(CompTerm).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(CompTerm).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Conjunction).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Conjunction).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(Dataclass).getExtends(i) and name = "getExtends"
+      or
+      result = node.(Dataclass).getInstanceof(i) and name = "getInstanceof"
+      or
+      result = node.(Dataclass).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Dataclass).getChild(i) and name = "getChild"
+      or
+      result = node.(Datatype).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Datatype).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(DatatypeBranch).getName() and i = -1 and name = "getName"
+      or
+      result = node.(DatatypeBranch).getChild(i) and name = "getChild"
+      or
+      result = node.(DatatypeBranches).getChild(i) and name = "getChild"
+      or
+      result = node.(Disjunction).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Disjunction).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(ExprAggregateBody).getAsExprs() and i = -1 and name = "getAsExprs"
+      or
+      result = node.(ExprAggregateBody).getOrderBys() and i = -1 and name = "getOrderBys"
+      or
+      result = node.(ExprAnnotation).getAnnotArg() and i = -1 and name = "getAnnotArg"
+      or
+      result = node.(ExprAnnotation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ExprAnnotation).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Field).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(FullAggregateBody).getAsExprs() and i = -1 and name = "getAsExprs"
+      or
+      result = node.(FullAggregateBody).getGuard() and i = -1 and name = "getGuard"
+      or
+      result = node.(FullAggregateBody).getOrderBys() and i = -1 and name = "getOrderBys"
+      or
+      result = node.(FullAggregateBody).getChild(i) and name = "getChild"
+      or
+      result = node.(HigherOrderTerm).getName() and i = -1 and name = "getName"
+      or
+      result = node.(HigherOrderTerm).getChild(i) and name = "getChild"
+      or
+      result = node.(IfTerm).getCond() and i = -1 and name = "getCond"
+      or
+      result = node.(IfTerm).getFirst() and i = -1 and name = "getFirst"
+      or
+      result = node.(IfTerm).getSecond() and i = -1 and name = "getSecond"
+      or
+      result = node.(Implication).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Implication).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(ImportDirective).getChild(i) and name = "getChild"
+      or
+      result = node.(ImportModuleExpr).getQualName(i) and name = "getQualName"
+      or
+      result = node.(ImportModuleExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(InExpr).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(InExpr).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(InstanceOf).getChild(i) and name = "getChild"
+      or
+      result = node.(Literal).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(MemberPredicate).getName() and i = -1 and name = "getName"
+      or
+      result = node.(MemberPredicate).getReturnType() and i = -1 and name = "getReturnType"
+      or
+      result = node.(MemberPredicate).getChild(i) and name = "getChild"
+      or
+      result = node.(Module).getImplements(i) and name = "getImplements"
+      or
+      result = node.(Module).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Module).getParameter(i) and name = "getParameter"
+      or
+      result = node.(Module).getChild(i) and name = "getChild"
+      or
+      result = node.(ModuleAliasBody).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ModuleExpr).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ModuleExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ModuleInstantiation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ModuleInstantiation).getChild(i) and name = "getChild"
+      or
+      result = node.(ModuleMember).getChild(i) and name = "getChild"
+      or
+      result = node.(ModuleName).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ModuleParam).getParameter() and i = -1 and name = "getParameter"
+      or
+      result = node.(ModuleParam).getSignature() and i = -1 and name = "getSignature"
+      or
+      result = node.(MulExpr).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(MulExpr).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(MulExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Negation).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(OrderBy).getChild(i) and name = "getChild"
+      or
+      result = node.(OrderBys).getChild(i) and name = "getChild"
+      or
+      result = node.(ParExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(PredicateAliasBody).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(PredicateExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(PrefixCast).getChild(i) and name = "getChild"
+      or
+      result = node.(Ql).getChild(i) and name = "getChild"
+      or
+      result = node.(QualifiedRhs).getName() and i = -1 and name = "getName"
+      or
+      result = node.(QualifiedRhs).getChild(i) and name = "getChild"
+      or
+      result = node.(QualifiedExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(Quantified).getExpr() and i = -1 and name = "getExpr"
+      or
+      result = node.(Quantified).getFormula() and i = -1 and name = "getFormula"
+      or
+      result = node.(Quantified).getRange() and i = -1 and name = "getRange"
+      or
+      result = node.(Quantified).getChild(i) and name = "getChild"
+      or
+      result = node.(Range).getLower() and i = -1 and name = "getLower"
+      or
+      result = node.(Range).getUpper() and i = -1 and name = "getUpper"
+      or
+      result = node.(Select).getChild(i) and name = "getChild"
+      or
+      result = node.(SetLiteral).getChild(i) and name = "getChild"
+      or
+      result = node.(SignatureExpr).getModExpr() and i = -1 and name = "getModExpr"
+      or
+      result = node.(SignatureExpr).getPredicate() and i = -1 and name = "getPredicate"
+      or
+      result = node.(SignatureExpr).getTypeExpr() and i = -1 and name = "getTypeExpr"
+      or
+      result = node.(SpecialCall).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(SuperRef).getChild(i) and name = "getChild"
+      or
+      result = node.(TypeAliasBody).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(TypeExpr).getName() and i = -1 and name = "getName"
+      or
+      result = node.(TypeExpr).getQualifier() and i = -1 and name = "getQualifier"
+      or
+      result = node.(TypeExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(TypeUnionBody).getChild(i) and name = "getChild"
+      or
+      result = node.(UnaryExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(UnqualAggBody).getAsExprs(i) and name = "getAsExprs"
+      or
+      result = node.(UnqualAggBody).getGuard() and i = -1 and name = "getGuard"
+      or
+      result = node.(UnqualAggBody).getChild(i) and name = "getChild"
+      or
+      result = node.(VarDecl).getChild(i) and name = "getChild"
+      or
+      result = node.(VarName).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Variable).getChild() and i = -1 and name = "getChild"
+    }
+  }
 }

 overlay[local]
@@ -1669,6 +1907,60 @@ module Dbscheme {
    /** Gets the name of the primary QL class for this element. */
    final override string getAPrimaryQlClass() { result = "Varchar" }
  }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(Annotation).getArgsAnnotation() and i = -1 and name = "getArgsAnnotation"
+      or
+      result = node.(Annotation).getSimpleAnnotation() and i = -1 and name = "getSimpleAnnotation"
+      or
+      result = node.(ArgsAnnotation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ArgsAnnotation).getChild(i) and name = "getChild"
+      or
+      result = node.(Branch).getQldoc() and i = -1 and name = "getQldoc"
+      or
+      result = node.(Branch).getChild(i) and name = "getChild"
+      or
+      result = node.(CaseDecl).getBase() and i = -1 and name = "getBase"
+      or
+      result = node.(CaseDecl).getDiscriminator() and i = -1 and name = "getDiscriminator"
+      or
+      result = node.(CaseDecl).getChild(i) and name = "getChild"
+      or
+      result = node.(ColType).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Column).getColName() and i = -1 and name = "getColName"
+      or
+      result = node.(Column).getColType() and i = -1 and name = "getColType"
+      or
+      result = node.(Column).getIsRef() and i = -1 and name = "getIsRef"
+      or
+      result = node.(Column).getIsUnique() and i = -1 and name = "getIsUnique"
+      or
+      result = node.(Column).getQldoc() and i = -1 and name = "getQldoc"
+      or
+      result = node.(Column).getReprType() and i = -1 and name = "getReprType"
+      or
+      result = node.(Dbscheme).getChild(i) and name = "getChild"
+      or
+      result = node.(Entry).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ReprType).getChild(i) and name = "getChild"
+      or
+      result = node.(Table).getTableName() and i = -1 and name = "getTableName"
+      or
+      result = node.(Table).getChild(i) and name = "getChild"
+      or
+      result = node.(TableName).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(UnionDecl).getBase() and i = -1 and name = "getBase"
+      or
+      result = node.(UnionDecl).getChild(i) and name = "getChild"
+    }
+  }
 }

 overlay[local]
@@ -1803,6 +2095,24 @@ module Blame {
    /** Gets the name of the primary QL class for this element. */
    final override string getAPrimaryQlClass() { result = "Number" }
  }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(BlameEntry).getDate() and i = -1 and name = "getDate"
+      or
+      result = node.(BlameEntry).getLine(i) and name = "getLine"
+      or
+      result = node.(BlameInfo).getFileEntry(i) and name = "getFileEntry"
+      or
+      result = node.(BlameInfo).getToday() and i = -1 and name = "getToday"
+      or
+      result = node.(FileEntry).getBlameEntry(i) and name = "getBlameEntry"
+      or
+      result = node.(FileEntry).getFileName() and i = -1 and name = "getFileName"
+    }
+  }
 }

 overlay[local]
@@ -1977,4 +2287,22 @@ module JSON {
    /** Gets the name of the primary QL class for this element. */
    final override string getAPrimaryQlClass() { result = "True" }
  }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(Array).getChild(i) and name = "getChild"
+      or
+      result = node.(Document).getChild(i) and name = "getChild"
+      or
+      result = node.(Object).getChild(i) and name = "getChild"
+      or
+      result = node.(Pair).getKey() and i = -1 and name = "getKey"
+      or
+      result = node.(Pair).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(String).getChild(i) and name = "getChild"
+    }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
+++ b/ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
@@ -1964,6 +1964,340 @@ module Ruby {
    /** Gets a field or child node of this node. */
    final override AstNode getAFieldOrChild() { ruby_yield_child(this, result) }
  }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(Alias).getAlias() and i = -1 and name = "getAlias"
+      or
+      result = node.(Alias).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AlternativePattern).getAlternatives(i) and name = "getAlternatives"
+      or
+      result = node.(ArgumentList).getChild(i) and name = "getChild"
+      or
+      result = node.(Array).getChild(i) and name = "getChild"
+      or
+      result = node.(ArrayPattern).getClass() and i = -1 and name = "getClass"
+      or
+      result = node.(ArrayPattern).getChild(i) and name = "getChild"
+      or
+      result = node.(AsPattern).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AsPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Assignment).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Assignment).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(BareString).getChild(i) and name = "getChild"
+      or
+      result = node.(BareSymbol).getChild(i) and name = "getChild"
+      or
+      result = node.(Begin).getChild(i) and name = "getChild"
+      or
+      result = node.(BeginBlock).getChild(i) and name = "getChild"
+      or
+      result = node.(Binary).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Binary).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(Block).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Block).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(BlockArgument).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(BlockBody).getChild(i) and name = "getChild"
+      or
+      result = node.(BlockParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(BlockParameters).getLocals(i) and name = "getLocals"
+      or
+      result = node.(BlockParameters).getChild(i) and name = "getChild"
+      or
+      result = node.(BodyStatement).getChild(i) and name = "getChild"
+      or
+      result = node.(Break).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Call).getArguments() and i = -1 and name = "getArguments"
+      or
+      result = node.(Call).getBlock() and i = -1 and name = "getBlock"
+      or
+      result = node.(Call).getMethod() and i = -1 and name = "getMethod"
+      or
+      result = node.(Call).getOperator() and i = -1 and name = "getOperator"
+      or
+      result = node.(Call).getReceiver() and i = -1 and name = "getReceiver"
+      or
+      result = node.(Case).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Case).getChild(i) and name = "getChild"
+      or
+      result = node.(CaseMatch).getClauses(i) and name = "getClauses"
+      or
+      result = node.(CaseMatch).getElse() and i = -1 and name = "getElse"
+      or
+      result = node.(CaseMatch).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(ChainedString).getChild(i) and name = "getChild"
+      or
+      result = node.(Class).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Class).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Class).getSuperclass() and i = -1 and name = "getSuperclass"
+      or
+      result = node.(Complex).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Conditional).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(Conditional).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Conditional).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(DelimitedSymbol).getChild(i) and name = "getChild"
+      or
+      result = node.(DestructuredLeftAssignment).getChild(i) and name = "getChild"
+      or
+      result = node.(DestructuredParameter).getChild(i) and name = "getChild"
+      or
+      result = node.(Do).getChild(i) and name = "getChild"
+      or
+      result = node.(DoBlock).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(DoBlock).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(ElementReference).getBlock() and i = -1 and name = "getBlock"
+      or
+      result = node.(ElementReference).getObject() and i = -1 and name = "getObject"
+      or
+      result = node.(ElementReference).getChild(i) and name = "getChild"
+      or
+      result = node.(Else).getChild(i) and name = "getChild"
+      or
+      result = node.(Elsif).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(Elsif).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Elsif).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(EndBlock).getChild(i) and name = "getChild"
+      or
+      result = node.(Ensure).getChild(i) and name = "getChild"
+      or
+      result = node.(ExceptionVariable).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Exceptions).getChild(i) and name = "getChild"
+      or
+      result = node.(ExpressionReferencePattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(FindPattern).getClass() and i = -1 and name = "getClass"
+      or
+      result = node.(FindPattern).getChild(i) and name = "getChild"
+      or
+      result = node.(For).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(For).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(For).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Hash).getChild(i) and name = "getChild"
+      or
+      result = node.(HashPattern).getClass() and i = -1 and name = "getClass"
+      or
+      result = node.(HashPattern).getChild(i) and name = "getChild"
+      or
+      result = node.(HashSplatArgument).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(HashSplatParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(HeredocBody).getChild(i) and name = "getChild"
+      or
+      result = node.(If).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(If).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(If).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(IfGuard).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(IfModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(IfModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(In).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(InClause).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(InClause).getGuard() and i = -1 and name = "getGuard"
+      or
+      result = node.(InClause).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(Interpolation).getChild(i) and name = "getChild"
+      or
+      result = node.(KeywordParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(KeywordParameter).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(KeywordPattern).getKey() and i = -1 and name = "getKey"
+      or
+      result = node.(KeywordPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Lambda).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Lambda).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(LambdaParameters).getChild(i) and name = "getChild"
+      or
+      result = node.(LeftAssignmentList).getChild(i) and name = "getChild"
+      or
+      result = node.(MatchPattern).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(MatchPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Method).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Method).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Method).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(MethodParameters).getChild(i) and name = "getChild"
+      or
+      result = node.(Module).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Module).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Next).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(OperatorAssignment).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(OperatorAssignment).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(OptionalParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(OptionalParameter).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Pair).getKey() and i = -1 and name = "getKey"
+      or
+      result = node.(Pair).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(ParenthesizedPattern).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ParenthesizedStatements).getChild(i) and name = "getChild"
+      or
+      result = node.(Pattern).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Program).getChild(i) and name = "getChild"
+      or
+      result = node.(Range).getBegin() and i = -1 and name = "getBegin"
+      or
+      result = node.(Range).getEnd() and i = -1 and name = "getEnd"
+      or
+      result = node.(Rational).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Redo).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Regex).getChild(i) and name = "getChild"
+      or
+      result = node.(Rescue).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Rescue).getExceptions() and i = -1 and name = "getExceptions"
+      or
+      result = node.(Rescue).getVariable() and i = -1 and name = "getVariable"
+      or
+      result = node.(RescueModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(RescueModifier).getHandler() and i = -1 and name = "getHandler"
+      or
+      result = node.(RestAssignment).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Retry).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Return).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(RightAssignmentList).getChild(i) and name = "getChild"
+      or
+      result = node.(ScopeResolution).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ScopeResolution).getScope() and i = -1 and name = "getScope"
+      or
+      result = node.(Setter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(SingletonClass).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(SingletonClass).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(SingletonMethod).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(SingletonMethod).getName() and i = -1 and name = "getName"
+      or
+      result = node.(SingletonMethod).getObject() and i = -1 and name = "getObject"
+      or
+      result = node.(SingletonMethod).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(SplatArgument).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(SplatParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(String).getChild(i) and name = "getChild"
+      or
+      result = node.(StringArray).getChild(i) and name = "getChild"
+      or
+      result = node.(Subshell).getChild(i) and name = "getChild"
+      or
+      result = node.(Superclass).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(SymbolArray).getChild(i) and name = "getChild"
+      or
+      result = node.(TestPattern).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(TestPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Then).getChild(i) and name = "getChild"
+      or
+      result = node.(Unary).getOperand() and i = -1 and name = "getOperand"
+      or
+      result = node.(Undef).getChild(i) and name = "getChild"
+      or
+      result = node.(Unless).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(Unless).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Unless).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(UnlessGuard).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(UnlessModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(UnlessModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Until).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Until).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(UntilModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(UntilModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(VariableReferencePattern).getName() and i = -1 and name = "getName"
+      or
+      result = node.(When).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(When).getPattern(i) and name = "getPattern"
+      or
+      result = node.(While).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(While).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(WhileModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(WhileModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Yield).getChild() and i = -1 and name = "getChild"
+    }
+  }
 }

 overlay[local]
@@ -2107,4 +2441,20 @@ module Erb {
    /** Gets a field or child node of this node. */
    final override AstNode getAFieldOrChild() { erb_template_child(this, _, result) }
  }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(CommentDirective).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Directive).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(GraphqlDirective).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(OutputDirective).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Template).getChild(i) and name = "getChild"
+    }
+  }
 }
--- a/ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected
@@ -28,8 +28,6 @@ nodes
 | string_flow.rb:227:10:227:10 | a | semmle.label | a |
 subpaths
 testFailures
-| string_flow.rb:85:10:85:10 | a | Unexpected result: hasValueFlow=a |
-| string_flow.rb:227:10:227:10 | a | Unexpected result: hasValueFlow=a |
 #select
 | string_flow.rb:3:10:3:22 | call to new | string_flow.rb:2:9:2:18 | call to source | string_flow.rb:3:10:3:22 | call to new | $@ | string_flow.rb:2:9:2:18 | call to source | call to source |
 | string_flow.rb:85:10:85:10 | a | string_flow.rb:83:9:83:18 | call to source | string_flow.rb:85:10:85:10 | a | $@ | string_flow.rb:83:9:83:18 | call to source | call to source |
--- a/ruby/ql/test/library-tests/dataflow/string-flow/string_flow.rb
+++ b/ruby/ql/test/library-tests/dataflow/string-flow/string_flow.rb
@@ -82,7 +82,7 @@ end
 def m_clear
    a = source "a"
    a.clear
-    sink a
+    sink a # $ SPURIOUS: hasValueFlow=a
 end

 # concat and prepend omitted because they clash with the summaries for
@@ -224,7 +224,7 @@ def m_replace
    b = source "b"
    sink a.replace(b) # $ hasTaintFlow=b
    # TODO: currently we get value flow for a, because we don't clear content
-    sink a # $ hasTaintFlow=b
+    sink a # $ hasTaintFlow=b SPURIOUS: hasValueFlow=a
 end

 def m_reverse
@@ -316,4 +316,4 @@ def m_upto(i)
    a.upto("b", true) { |x| sink x } # $ hasTaintFlow=a
    "b".upto(a) { |x| sink x } # $ hasTaintFlow=a
    "b".upto(a, true) { |x| sink x }
-end
+end
--- a/ruby/ql/test/library-tests/frameworks/action_controller/filter_flow.rb
+++ b/ruby/ql/test/library-tests/frameworks/action_controller/filter_flow.rb
@@ -9,7 +9,7 @@ end
 class OneController < ActionController::Base
  before_action :a
  after_action :c
-  
+
  def a
    @foo = params[:foo]
  end
@@ -18,14 +18,14 @@ class OneController < ActionController::Base
  end

  def c
-    sink @foo
+    sink @foo # $ hasTaintFlow
  end
 end

 class TwoController < ActionController::Base
  before_action :a
  after_action :c
-  
+
  def a
    @foo = params[:foo]
  end
@@ -35,14 +35,14 @@ class TwoController < ActionController::Base
  end

  def c
-    sink @foo
+    sink @foo # $ SPURIOUS: hasTaintFlow
  end
 end

 class ThreeController < ActionController::Base
  before_action :a
  after_action :c
-  
+
  def a
    @foo = params[:foo]
    @foo = "safe"
@@ -52,14 +52,14 @@ class ThreeController < ActionController::Base
  end

  def c
-    sink @foo
+    sink @foo # $ SPURIOUS: hasTaintFlow
  end
 end

 class FourController < ActionController::Base
  before_action :a
  after_action :c
-  
+
  def a
    @foo.bar = params[:foo]
  end
@@ -68,14 +68,14 @@ class FourController < ActionController::Base
  end

  def c
-    sink(@foo.bar)
+    sink(@foo.bar) # $ hasTaintFlow
  end
 end

 class FiveController < ActionController::Base
  before_action :a
  after_action :c
-  
+
  def a
    self.taint_foo
  end
@@ -84,10 +84,10 @@ class FiveController < ActionController::Base
  end

  def c
-    sink  @foo
+    sink  @foo # $ hasTaintFlow
  end
-  
+
  def taint_foo
    @foo = params[:foo]
  end
-end
+end
--- a/ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected
+++ b/ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected
@@ -270,11 +270,6 @@ nodes
 | params_flow.rb:205:10:205:10 | a | semmle.label | a |
 subpaths
 testFailures
-| filter_flow.rb:21:10:21:13 | @foo | Unexpected result: hasTaintFlow |
-| filter_flow.rb:38:10:38:13 | @foo | Unexpected result: hasTaintFlow |
-| filter_flow.rb:55:10:55:13 | @foo | Unexpected result: hasTaintFlow |
-| filter_flow.rb:71:10:71:17 | call to bar | Unexpected result: hasTaintFlow |
-| filter_flow.rb:87:11:87:14 | @foo | Unexpected result: hasTaintFlow |
 #select
 | filter_flow.rb:21:10:21:13 | @foo | filter_flow.rb:14:12:14:17 | call to params | filter_flow.rb:21:10:21:13 | @foo | $@ | filter_flow.rb:14:12:14:17 | call to params | call to params |
 | filter_flow.rb:38:10:38:13 | @foo | filter_flow.rb:30:12:30:17 | call to params | filter_flow.rb:38:10:38:13 | @foo | $@ | filter_flow.rb:30:12:30:17 | call to params | call to params |
--- a/shared/tree-sitter-extractor/src/extractor/mod.rs
+++ b/shared/tree-sitter-extractor/src/extractor/mod.rs
@@ -280,10 +280,11 @@ pub fn location_label(writer: &mut trap::Writer, location: trap::Location) -> tr
 }

 /// Extracts the source file at `path`, which is assumed to be canonicalized.
-/// When `yeast_runner` is `Some`, the parsed tree is first transformed
-/// through the supplied yeast `Runner` before TRAP extraction. Building the
-/// `Runner` (which parses YAML and constructs the schema) is the caller's
-/// responsibility, allowing it to be done once and shared across files.
+/// When `desugarer` is `Some`, the parsed tree is first transformed
+/// through the supplied yeast desugarer before TRAP extraction. Building
+/// the desugarer (which parses YAML and constructs the schema) is the
+/// caller's responsibility, allowing it to be done once and shared across
+/// files.
 #[allow(clippy::too_many_arguments)]
 pub fn extract(
    language: &Language,
@@ -295,7 +296,7 @@ pub fn extract(
    path: &Path,
    source: &[u8],
    ranges: &[Range],
-    yeast_runner: Option<&yeast::Runner<'_>>,
+    desugarer: Option<&dyn yeast::Desugarer>,
 ) {
    let path_str = file_paths::normalize_and_transform_path(path, transformer);
    let source_root = std::env::current_dir()
@@ -328,8 +329,8 @@ pub fn extract(
        schema,
    );

-    if let Some(yeast_runner) = yeast_runner {
-        let ast = yeast_runner
+    if let Some(desugarer) = desugarer {
+        let ast = desugarer
            .run_from_tree(&tree, source)
            .unwrap_or_else(|e| panic!("Desugaring failed for {path_str}: {e}"));
        traverse_yeast(&ast, &mut visitor);
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
yoff	e50e81390f	Python: visit function parameter and return annotations in new CFG The new (shared-CFG-based) Python control flow graph in `semmle.python.controlflow.internal.Cfg` previously did not emit CFG nodes for parameter type annotations (`def f(x: T): ...`) or for the return type annotation (`-> T`). The legacy CFG emitted both, and a small number of framework models rely on this: `LocalSources.qll`'s `annotatedInstance` walks the parameter annotation expression by way of its CFG node to track that a parameter receives an instance of the annotated class. After the dataflow flip to the new CFG/SSA this regression manifested as lost flows in any test exercising annotation-based parameter tracking: FastAPI `Depends()` receivers, Pydantic request bodies, Starlette `WebSocket`, the call-graph type-annotation test, and so on. Extend `FunctionDefExpr` to visit each annotation as a child of the function-def expression, in CPython evaluation order: positional parameter annotations, `args` annotation, keyword-only parameter annotations, `*kwargs` annotation, then the return annotation. (Lambda expressions have no annotations in Python syntax, so `LambdaExpr` is unchanged.) PEP 695 type parameters remain out of scope; they belong to the inner annotation scope, not the enclosing CFG. Restored test results across `framework/aiohttp`, `framework/fastapi`, `framework/lxml`, the `CallGraph-type-annotations` test, and `CWE-022-PathInjection`. Two FastAPI list-comprehension MISSING markers become positive (`taint_test.py:41,55`). CPython CFG consistency remains clean. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-29 19:37:01 +00:00
yoff	66900c7d62	Python: model exception edges for raise-prone expressions inside try/with The new CFG previously only emitted exception edges for explicit `raise` and `assert` statements. As a result, code that became reachable only via the exception path of an arbitrary expression (e.g., the body of an `except` handler following a try-body whose `call()` could raise) was classified as dead, breaking analyses like StackTraceExposure, FileNotAlwaysClosed, ExceptionInfo, UseOfExit, and CatchingBaseException. This commit adds a `mayThrow` predicate over expressions that are known sources of implicit exceptions in Python (calls, attribute access, subscripts, arithmetic/comparison operators, imports, await/yield/yield from) plus `from m import *` at the statement level, and routes them through the shared CFG's `beginAbruptCompletion(_, _, ExceptionSuccessor, always=false)` hook. The set of exception sources is restricted to nodes that are syntactically inside a `try`/`with` statement in the same scope. This mirrors Java's `ControlFlowGraph::mayThrow`, which only emits exception edges where local handling can observe them — outside such contexts, the edges add CFG complexity (weakening BarrierGuard precision and breaking SSA continuity around augmented assignments and subscript stores) without analysis benefit, since exceptions just propagate to the function exit anyway. Net effect on the test suite: ~100 alerts restored across the exception- related query tests (StackTraceExposure +29, ExceptionInfo +17, FileNotAlwaysClosed +52, UseOfExit +1, CatchingBaseException restored) with no precision regressions. Affected `.expected` files and the regression-guard `dead_under_no_raise.py` are updated accordingly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-29 19:37:01 +00:00
yoff	956d2dbec4	Python: add new shared-CFG-backed control flow graph facade (Cfg) Adds the public facade on top of the AstNodeImpl adapter from the previous commit. Re-exposes the same API surface as semmle/python/Flow.qll (ControlFlowNode, CallNode, BasicBlock, NameNode, DefinitionNode, CompareNode, ...), backed by the shared codeql.controlflow.ControlFlowGraph library. - semmle.python.controlflow.internal.Cfg — public facade. - ControlFlow/store-load/* — basic store/load coverage via the facade. The new CFG library is added additively: it has zero callers in lib/ and src/, and the legacy CFG in semmle/python/Flow.qll remains the default. Dataflow, SSA, and production query migration land in follow-up PRs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-29 19:37:01 +00:00
yoff	872c08148e	Python: add shared-CFG AstSig adapter (AstNodeImpl) Preparatory refactor for the shared-CFG dataflow migration. Adds the adapter that mediates between the Python AST and the shared codeql.controlflow.ControlFlowGraph signature, plus the test suites that validate the new CFG directly against this adapter. The public facade is added in the following commit. Library additions: - semmle.python.controlflow.internal.AstNodeImpl — wraps Python's Stmt/Expr/Scope/Pattern and adds two synthetic kinds of node (BlockStmt for body slots, intermediate nodes for multi-operand boolean expressions) to satisfy the shared CFG signature. - lib/ide-contextual-queries/printCfg.ql — the IDE "Print CFG" query, retargeted to the new CFG. - consistency-queries/CfgConsistency.ql — consistency query running the shared CFG's standard checks against Python. Test additions (all driven directly off AstNodeImpl): - ControlFlow/bindings/* — annotation-driven SSA-binding tests (annassign, compound, comprehension, decorated, except_handler, imports, match_pattern, parameters, simple, type_params, walrus_starred, with_stmt, dead_under_no_raise). - ControlFlow/evaluation-order/NewCfg*.ql — mirrors of the existing OldCfg evaluation-order self-validation suite, run against the new CFG via NewCfgImpl.qll. - Minor extensions to existing test_if.py / test_boolean.py + cosmetic .expected churn on a handful of OldCfg tests. No dataflow, SSA, or production query is migrated yet. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-29 18:49:41 +00:00
Taus	3983e4db29	Merge pull request #22070 from github/tausbn/yeast-add-raw-capture-syntax yeast: Extend `rule!` macro with support for raw captures	2026-06-29 12:28:53 +02:00
Geoffrey White	3058198c0d	Merge pull request #22078 from geoffw0/rubyinline Ruby: Address testFailures in inline expectations tests (part 1)	2026-06-29 11:06:10 +01:00
Asger F	2ef06c9f96	Merge pull request #22080 from asgerf/unified/commonast-followups unified: Add or_pattern and fix 'if case let' translation	2026-06-29 12:05:08 +02:00
Asger F	1842382e23	unified: regenerate QL	2026-06-29 11:06:14 +02:00
Asger F	db449dca6a	unified: Fix handling of 'if case let'	2026-06-29 11:03:20 +02:00
Asger F	7216d12b9a	unified: Avoid singleton or_pattern in Swift switch case mapping	2026-06-29 11:03:20 +02:00
Asger F	c4b4fde0d7	unified: Make switch_case pattern optional; add or_pattern disjunction node	2026-06-29 11:03:00 +02:00
Geoffrey White	46382cbc8e	Ruby: Address more inline expectation testFailures.	2026-06-26 17:56:37 +01:00
Mario Campos	da3d0cf977	Merge pull request #22062 from github/mario-campos/mirror-maven-central/gradle Replace `jcenter()` and `mavenCentral()` with Maven Central mirror URL	2026-06-26 11:35:10 -05:00
Geoffrey White	93439db87b	Ruby: Address inline expectation testFailures.	2026-06-26 17:11:56 +01:00
Taus	70ca7af04c	Address PR review comments - unified/swift: Mark `binding_kind` as a raw `@@` capture in the property_declaration rule. It is only used to read its source text (`ctx.ast.source_text`), never as a translated node. With `@` the auto-translate prefix would route the unnamed `let`/`var` token through the catch-all `_ @node => {node}` fallback for a no-op roundtrip; `@@` makes the intent explicit and removes that reliance. - shared/yeast/tests: Reword a stale comment in test_raw_capture_marker. The text claimed a "second assertion" exists in this test, but the explicit-translation check actually lives in the companion test_raw_capture_marker_explicit_translate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-26 13:30:01 +00:00
Taus	664f0125b9	yeast: Remove now-unused `manual_rule!` The `manual_rule!` macro is now fully subsumed by `rule!` + `@@name`, so this commit simply gets rid of the now no longer needed code.	2026-06-26 12:07:22 +00:00
Taus	1b7f589000	unified/swift: Migrate `manual_rule!` sites to `rule!` + `@@` With `@@name` available, there's no longer a need to use `manual_rule!`. Every place where it is used, we can instead just mark the relevant raw captures as such. This results in quite a lot of cleanup! (Also, to me at least, it makes these rules a lot easier to reason about.) A first iteration of this approach resulted in a lot of `.map(Into::into)` being needed, because `SwiftContext` stores `Id`s, but captures produce `NodeRef`s. To avoid this, I swapped it around so that the context stores `NodeRef`s. This does require adding `.into()` in a few places, but it makes the rest of the code a lot more ergonomic.	2026-06-26 12:07:22 +00:00
Taus	eb7f8cc43d	yeast: Add `@@name` raw-capture syntax to `rule!` The `@@name` capture marker in `rule!` queries skips the auto-translate prefix for that specific capture, letting the body see the original capture (and thus delay its translation using `ctx.translate` until it becomes convenient). Regular `@name` captures continue to be auto-translated as before. Specifically these are translated _eagerly_, before the main body of the rewrite rule is run. I settled on `@@` as the syntax because it did not add new symbols that the user has to keep track of (it's still a kind of capture), but it's still visually distinct enough that the user should be able to tell that there's something special going on. In principle one could accidentally write one form of capture where the other was intended, but in practice this would result in code that did not compile (because the types would not match).	2026-06-26 12:07:21 +00:00
Asger F	2767b8dbbf	Merge pull request #22069 from asgerf/unified/build unified: Make build work in Bazel again	2026-06-26 13:51:45 +02:00
Asger F	b1f60acf2c	Merge pull request #22067 from asgerf/unified/printast Unified: Generate PrintAst helper and implement PrintAst query	2026-06-26 13:51:16 +02:00
Asger F	14acc7fcab	unified: Fixup generated QL The previous commit was generated from a wrong checkout	2026-06-26 12:04:51 +02:00
Owen Mansel-Chan	37ce885b0c	Merge pull request #22064 from owen-mc/go/fix-test-failures Go: fix tests with non-empty `testFailures`	2026-06-26 10:45:14 +01:00
Taus	52acaec03d	Merge pull request #22054 from github/tausbn/yeast-context-reification	2026-06-26 11:01:19 +02:00
Asger F	d6e8555f8b	Shared: auto-format tree sitter extractor	2026-06-26 10:48:11 +02:00
Asger F	b5ef15c70f	QL4QL: Regenerate raw AST	2026-06-26 10:29:17 +02:00
Asger F	5735ac330d	Ruby: Regenerate raw AST	2026-06-26 10:29:08 +02:00
Asger F	5348c7d07c	unified: Add PrintAst query	2026-06-26 10:28:55 +02:00
Asger F	f89f304e50	unified: Regenerate AST	2026-06-26 10:28:55 +02:00
Asger F	ff7dc297d5	Shared: Generate PrintAst helper in tree sitter extractor Auto-generating a helper for implementing the PrintAST query on top of the generated AST.	2026-06-26 10:28:06 +02:00
Mario Campos	1b6ff24642	Fix buildless-fetches.expected for buildless-sibling-projects	2026-06-25 22:57:35 -05:00
Owen Mansel-Chan	ac618e1cb2	Expand `FileNameSource` for stored xss	2026-06-25 22:50:21 +01:00
Mario Campos	221a54d22e	Add Maven Central mirror settings for Maven test project `buildless-sibling-projects`	2026-06-25 21:44:20 +00:00
Mario Campos	cc215858e4	Fix expected URL fetches for buildless-sibling-projects	2026-06-25 21:12:33 +00:00
Mario Campos	56a1b12c9e	Delete extra blank line Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-25 15:01:20 -05:00
Mario Campos	688213056c	Replace deprecated `jcenter()` with Maven Central mirror URL for dependency resolution in Gradle build scripts	2026-06-25 19:02:43 +00:00
Mario Campos	1c37688ec1	Replace mavenCentral() with Maven Central mirror URL for dependency resolution in Gradle build scripts	2026-06-25 19:02:37 +00:00
Owen Mansel-Chan	587f9c24ed	Fix inline test expectations comments	2026-06-25 18:11:03 +01:00
Taus	af7ae8c4cb	Apply rustfmt Format the touched Rust crates (shared/tree-sitter-extractor, shared/yeast, shared/yeast-macros, unified/extractor) so the tree-sitter-extractor CI fmt check passes. No functional changes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-25 17:28:24 +02:00
Taus	1c4552edb0	unified/swift: Use `tree!` instead of ctx.node Cleans up a few places where we were constructing trees piece by piece rather than using the `tree!` macro. In the process, Copilot noticed an issue that should probably be addressed: the labeled_statement rule can never fire, since there are no such nodes in the input. This is possibly a simple as making _labeled_statement (which _does_ exist) named, but I haven't attempted this. Finally, a small change to yeast makes it so that the contents of a {} interpolation can be a Rust block (previously it could only be a single expression). This avoids the need to double-wrap instances where you want to interpolate a single node produced as the final value of some block.	2026-06-25 17:28:24 +02:00
Taus	5136d872ae	unified/swift: Replace reduce_left with Rust helpers (Both reduce_left and map are still supported, but we could remove them at this point.) I think this way of writing things makes the intent a lot clearer -- it avoids extending the yeast rule language with complicated constructs, pushing the complexity (such as it is) into Rust instead.	2026-06-25 17:28:24 +02:00
Taus	474bcd4dd1	unified/swift: Propagate property_declaration modifiers via context Gets rid of the final uses of mutation (via prepend_field). The approach is the same as in the preceding commits: we set the appropriate fields on the context when processing the outer node, and then access these fields on the inner nodes. The repeated use of `modifier` fields is a _bit_ clunky, but since we're likely moving to an out-of-band modifier mechanism at some point, I think it's good enough for now.	2026-06-25 17:28:24 +02:00
Taus	199489a225	unified/swift: Propagate enum_entry outer modifiers via context Same as in the preceding commit, we added a test beforehand for testing this syntax, and verified that it was unchanged by the cleanup in this commit.	2026-06-25 17:28:24 +02:00
Taus	ae4ccc651c	unified/swift: Translate protocol properties using context Avoids more "mutation after creation" via prepend_field. Also adds a test to the corpus for exercising this syntax. Although it's not evident, the test output was unchanged by this refactoring.	2026-06-25 17:28:24 +02:00
Taus	0d845c2ea9	unified/swift: Propagate parameter default values via context Extends the context with a field for keeping track of the default value. In the process, we also rename the context to SwiftContext as it now doesn't only concern itself with properties.	2026-06-25 17:28:24 +02:00
Taus	6d138c2bd4	yeast: Simplify Swift rules using the new machinery Propagates in name and type information for various property declarations, using the context mechanism. This avoids mutating already-translated nodes in-place, and is generally much easier to read.	2026-06-25 17:28:24 +02:00
Taus	85c39c04e0	yeast: Hide desugaring behind Desugarer trait This was necessary since otherwise the generic type of the user-specified context (which should only be a concern for yeast) starts to bleed out into the shared extractor. Instead, we type-erase it by putting it inside the aforementioned trait.	2026-06-25 17:28:24 +02:00
Taus	1ee142d8bd	yeast: Add macro for fine-grained rules Adds `manual_rule!` which provides a more low-level interface for defining rewrites. (I'm not entirely sold on the name, so any suggestions would be welcome.) Notably, the captures bound in the body of such rules have _not_ been translated yet -- they still come from the _input_ tree. It is the user's duty to call ctx.translate on these (which has the effect of recursively invoking the translation) before substituting them into the output. For _truly_ low-level access, the user can still construct a Rule directly, but this is now somewhat cumbersome as the closure contained therein takes quite a few parameters. Still, the possibility remains.	2026-06-25 17:28:24 +02:00
Taus	a523c7f47f	yeast: Pass raw captures to `Rule::new` rules This enables users to specify how and when these captures get translated. In conjunction with the context mechanism, this can be used to e.g. translate some piece of information (e.g. the type of something), record it in the context, and then recursively translate some other capture that relies on this information. This allows information to be cleanly passed into descendants (which can be written using context accesses in the `rule!` macro form). As a consequence of this change, we now need to pass around a TranslatorHandle to perform the manual translation. For Repeating rules, it doesn't really make sense to translate things, so in this case we simply signal an error. Also, the implementation of the `rule!` macro changes slightly (without changing semantics): it now essentially delegates to `Rule::new`, receiving raw captures, but then immediately applies the translation to those captures (which, for the majority of cases, is likely the desired behaviour).	2026-06-25 17:28:24 +02:00
Taus	5f73754b95	yeast: Make transforms return `Result` This will enable us to actually capture and log errors in complicated rules (e.g. ones written in Rust) rather than just panicking.	2026-06-25 17:28:24 +02:00
Taus	e0fa6cf785	yeast: Reify the context and allow user-defined data in it Renames what was previously called `__yeast_ctx` into just `ctx`, and adds a new field `user_ctx` to this context. Said field can contain a struct of any user type (necessitating making various parts of the implementation generic in said type). Through some Deref magic, field accesses are delegated to the inner struct (assuming they are not already defined on `ctx`), which should hopefully make the interface a bit more ergonomic.	2026-06-25 17:28:24 +02:00