Initial plan

Go: Improve two tests

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go

@@ -13,7 +13,7 @@ func logSomething(entry *logrus.Entry) {
 	entry.Traceln(text) // $ logger=text
 }
 
-func logrusCalls() {
+func logrusCalls(selector int) {
 	err := errors.New("Error")
 	var fields logrus.Fields = nil
 	var fn logrus.LogFunction = nil
@@ -27,11 +27,15 @@ func logrusCalls() {
 	tmp = logrus.WithFields(fields) // $ logger=fields
 	logSomething(tmp)
 
-	logrus.Error(text)       // $ logger=text
-	logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
-	logrus.Panicln(text)     // $ logger=text
-	logrus.Infof(fmt, text)  // $ logger=fmt logger=text
-	logrus.FatalFn(fn)       // $ logger=fn
+	logrus.Error(text)      // $ logger=text
+	logrus.Infof(fmt, text) // $ logger=fmt logger=text
+	if selector == 0 {
+		logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
+	} else if selector == 1 {
+		logrus.Panicln(text) // $ logger=text
+	} else if selector == 2 {
+		logrus.FatalFn(fn) // $ logger=fn
+	}
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
 	logrus.Infof("%s: found type %T", text, v)  // $ logger="%s: found type %T" logger=text type-logger=v

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go

@@ -8,6 +8,6 @@ var v []byte
 
 func main() {
 	glogTest(len(v))
-	stdlib()
+	stdlib(len(v))
 	slogTest()
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go

@@ -4,37 +4,69 @@ import (
 	"log"
 )
 
-func stdlib() {
+func stdlib(selector int) {
 	var logger log.Logger
 	logger.SetPrefix("prefix: ")
-	logger.Fatal(text)       // $ logger=text
-	logger.Fatalf(fmt, text) // $ logger=fmt logger=text
-	logger.Fatalln(text)     // $ logger=text
-	logger.Panic(text)       // $ logger=text
-	logger.Panicf(fmt, text) // $ logger=fmt logger=text
-	logger.Panicln(text)     // $ logger=text
-	logger.Print(text)       // $ logger=text
-	logger.Printf(fmt, text) // $ logger=fmt logger=text
-	logger.Println(text)     // $ logger=text
+	switch selector {
+	case 0:
+		logger.Fatal(text) // $ logger=text
+	case 1:
+		logger.Fatalf(fmt, text) // $ logger=fmt logger=text
+	case 2:
+		logger.Fatalln(text) // $ logger=text
+	case 3:
+		logger.Panic(text) // $ logger=text
+	case 4:
+		logger.Panicf(fmt, text) // $ logger=fmt logger=text
+	case 5:
+		logger.Panicln(text) // $ logger=text
+	case 6:
+		logger.Print(text) // $ logger=text
+	case 7:
+		logger.Printf(fmt, text) // $ logger=fmt logger=text
+	case 8:
+		logger.Println(text) // $ logger=text
+	}
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	switch selector {
+	case 9:
+		logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 10:
+		logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 11:
+		logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
 
 	log.SetPrefix("prefix: ")
-	log.Fatal(text)       // $ logger=text
-	log.Fatalf(fmt, text) // $ logger=fmt logger=text
-	log.Fatalln(text)     // $ logger=text
-	log.Panic(text)       // $ logger=text
-	log.Panicf(fmt, text) // $ logger=fmt logger=text
-	log.Panicln(text)     // $ logger=text
-	log.Print(text)       // $ logger=text
-	log.Printf(fmt, text) // $ logger=fmt logger=text
-	log.Println(text)     // $ logger=text
+	switch selector {
+	case 12:
+		log.Fatal(text) // $ logger=text
+	case 13:
+		log.Fatalf(fmt, text) // $ logger=fmt logger=text
+	case 14:
+		log.Fatalln(text) // $ logger=text
+	case 15:
+		log.Panic(text) // $ logger=text
+	case 16:
+		log.Panicf(fmt, text) // $ logger=fmt logger=text
+	case 17:
+		log.Panicln(text) // $ logger=text
+	case 18:
+		log.Print(text) // $ logger=text
+	case 19:
+		log.Printf(fmt, text) // $ logger=fmt logger=text
+	case 20:
+		log.Println(text) // $ logger=text
+	}
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	switch selector {
+	case 21:
+		log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 22:
+		log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 23:
+		log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
 }

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/ControlFlowNode_getASuccessor.expected

@@ -34,6 +34,265 @@
 | DuplicateSwitchCase.go:16:1:16:14 | function declaration | DuplicateSwitchCase.go:0:0:0:0 | exit |
 | DuplicateSwitchCase.go:16:6:16:9 | skip | DuplicateSwitchCase.go:16:1:16:14 | function declaration |
 | DuplicateSwitchCase.go:16:13:16:14 | skip | DuplicateSwitchCase.go:16:1:16:14 | exit |
+| epilogues.go:0:0:0:0 | entry | epilogues.go:3:1:3:12 | skip |
+| epilogues.go:3:1:3:12 | skip | epilogues.go:8:1:10:1 | skip |
+| epilogues.go:8:1:10:1 | skip | epilogues.go:12:21:12:23 | skip |
+| epilogues.go:12:1:14:1 | entry | epilogues.go:12:7:12:7 | argument corresponding to l |
+| epilogues.go:12:1:14:1 | function declaration | epilogues.go:16:20:16:27 | skip |
+| epilogues.go:12:7:12:7 | argument corresponding to l | epilogues.go:12:7:12:7 | initialization of l |
+| epilogues.go:12:7:12:7 | initialization of l | epilogues.go:12:25:12:27 | argument corresponding to msg |
+| epilogues.go:12:21:12:23 | skip | epilogues.go:12:1:14:1 | function declaration |
+| epilogues.go:12:25:12:27 | argument corresponding to msg | epilogues.go:12:25:12:27 | initialization of msg |
+| epilogues.go:12:25:12:27 | initialization of msg | epilogues.go:12:37:12:40 | argument corresponding to code |
+| epilogues.go:12:37:12:40 | argument corresponding to code | epilogues.go:12:37:12:40 | initialization of code |
+| epilogues.go:12:37:12:40 | initialization of code | epilogues.go:13:2:13:12 | selection of Println |
+| epilogues.go:13:2:13:12 | selection of Println | epilogues.go:13:14:13:14 | l |
+| epilogues.go:13:2:13:33 | call to Println | epilogues.go:12:1:14:1 | exit |
+| epilogues.go:13:14:13:14 | implicit dereference | epilogues.go:12:1:14:1 | exit |
+| epilogues.go:13:14:13:14 | implicit dereference | epilogues.go:13:14:13:21 | selection of prefix |
+| epilogues.go:13:14:13:14 | l | epilogues.go:13:14:13:14 | implicit dereference |
+| epilogues.go:13:14:13:21 | selection of prefix | epilogues.go:13:24:13:26 | msg |
+| epilogues.go:13:24:13:26 | msg | epilogues.go:13:29:13:32 | code |
+| epilogues.go:13:29:13:32 | code | epilogues.go:13:2:13:33 | call to Println |
+| epilogues.go:16:1:18:1 | entry | epilogues.go:16:7:16:7 | argument corresponding to l |
+| epilogues.go:16:1:18:1 | function declaration | epilogues.go:23:6:23:15 | skip |
+| epilogues.go:16:7:16:7 | argument corresponding to l | epilogues.go:16:7:16:7 | initialization of l |
+| epilogues.go:16:7:16:7 | initialization of l | epilogues.go:16:29:16:31 | argument corresponding to msg |
+| epilogues.go:16:20:16:27 | skip | epilogues.go:16:1:18:1 | function declaration |
+| epilogues.go:16:29:16:31 | argument corresponding to msg | epilogues.go:16:29:16:31 | initialization of msg |
+| epilogues.go:16:29:16:31 | initialization of msg | epilogues.go:17:2:17:12 | selection of Println |
+| epilogues.go:17:2:17:12 | selection of Println | epilogues.go:17:14:17:14 | l |
+| epilogues.go:17:2:17:27 | call to Println | epilogues.go:16:1:18:1 | exit |
+| epilogues.go:17:14:17:14 | l | epilogues.go:17:14:17:21 | selection of prefix |
+| epilogues.go:17:14:17:21 | selection of prefix | epilogues.go:17:24:17:26 | msg |
+| epilogues.go:17:24:17:26 | msg | epilogues.go:17:2:17:27 | call to Println |
+| epilogues.go:23:1:27:1 | entry | epilogues.go:24:5:24:5 | skip |
+| epilogues.go:23:1:27:1 | function declaration | epilogues.go:31:6:31:13 | skip |
+| epilogues.go:23:6:23:15 | skip | epilogues.go:23:1:27:1 | function declaration |
+| epilogues.go:24:5:24:5 | assignment to r | epilogues.go:24:21:24:21 | r |
+| epilogues.go:24:5:24:5 | skip | epilogues.go:24:10:24:16 | recover |
+| epilogues.go:24:10:24:16 | recover | epilogues.go:24:10:24:18 | call to recover |
+| epilogues.go:24:10:24:18 | call to recover | epilogues.go:24:5:24:5 | assignment to r |
+| epilogues.go:24:21:24:21 | r | epilogues.go:24:26:24:28 | nil |
+| epilogues.go:24:21:24:28 | ...!=... | epilogues.go:23:1:27:1 | exit |
+| epilogues.go:24:21:24:28 | ...!=... | epilogues.go:24:21:24:28 | ...!=... is false |
+| epilogues.go:24:21:24:28 | ...!=... | epilogues.go:24:21:24:28 | ...!=... is true |
+| epilogues.go:24:21:24:28 | ...!=... is false | epilogues.go:23:1:27:1 | exit |
+| epilogues.go:24:21:24:28 | ...!=... is true | epilogues.go:25:3:25:13 | selection of Println |
+| epilogues.go:24:26:24:28 | nil | epilogues.go:24:21:24:28 | ...!=... |
+| epilogues.go:25:3:25:13 | selection of Println | epilogues.go:25:15:25:26 | "recovered:" |
+| epilogues.go:25:3:25:30 | call to Println | epilogues.go:23:1:27:1 | exit |
+| epilogues.go:25:15:25:26 | "recovered:" | epilogues.go:25:29:25:29 | r |
+| epilogues.go:25:29:25:29 | r | epilogues.go:25:3:25:30 | call to Println |
+| epilogues.go:31:1:33:1 | entry | epilogues.go:31:15:31:15 | argument corresponding to x |
+| epilogues.go:31:1:33:1 | function declaration | epilogues.go:36:6:36:12 | skip |
+| epilogues.go:31:6:31:13 | skip | epilogues.go:31:1:33:1 | function declaration |
+| epilogues.go:31:15:31:15 | argument corresponding to x | epilogues.go:31:15:31:15 | initialization of x |
+| epilogues.go:31:15:31:15 | initialization of x | epilogues.go:32:9:32:9 | x |
+| epilogues.go:32:2:32:13 | return statement | epilogues.go:31:1:33:1 | exit |
+| epilogues.go:32:9:32:9 | x | epilogues.go:32:13:32:13 | 2 |
+| epilogues.go:32:9:32:13 | ...*... | epilogues.go:32:2:32:13 | return statement |
+| epilogues.go:32:13:32:13 | 2 | epilogues.go:32:9:32:13 | ...*... |
+| epilogues.go:36:1:38:1 | entry | epilogues.go:37:2:37:12 | selection of Println |
+| epilogues.go:36:1:38:1 | function declaration | epilogues.go:42:6:42:18 | skip |
+| epilogues.go:36:6:36:12 | skip | epilogues.go:36:1:38:1 | function declaration |
+| epilogues.go:37:2:37:12 | selection of Println | epilogues.go:37:14:37:19 | "void" |
+| epilogues.go:37:2:37:20 | call to Println | epilogues.go:36:1:38:1 | exit |
+| epilogues.go:37:14:37:19 | "void" | epilogues.go:37:2:37:20 | call to Println |
+| epilogues.go:42:1:48:1 | entry | epilogues.go:42:20:42:20 | argument corresponding to x |
+| epilogues.go:42:1:48:1 | function declaration | epilogues.go:51:6:51:21 | skip |
+| epilogues.go:42:6:42:18 | skip | epilogues.go:42:1:48:1 | function declaration |
+| epilogues.go:42:20:42:20 | argument corresponding to x | epilogues.go:42:20:42:20 | initialization of x |
+| epilogues.go:42:20:42:20 | initialization of x | epilogues.go:42:28:42:33 | zero value for result |
+| epilogues.go:42:28:42:33 | implicit read of result | epilogues.go:42:40:42:42 | implicit read of err |
+| epilogues.go:42:28:42:33 | initialization of result | epilogues.go:42:40:42:42 | zero value for err |
+| epilogues.go:42:28:42:33 | zero value for result | epilogues.go:42:28:42:33 | initialization of result |
+| epilogues.go:42:40:42:42 | implicit read of err | epilogues.go:42:1:48:1 | exit |
+| epilogues.go:42:40:42:42 | initialization of err | epilogues.go:43:5:43:5 | x |
+| epilogues.go:42:40:42:42 | zero value for err | epilogues.go:42:40:42:42 | initialization of err |
+| epilogues.go:43:5:43:5 | x | epilogues.go:43:9:43:9 | 0 |
+| epilogues.go:43:5:43:9 | ...<... | epilogues.go:43:5:43:9 | ...<... is false |
+| epilogues.go:43:5:43:9 | ...<... | epilogues.go:43:5:43:9 | ...<... is true |
+| epilogues.go:43:5:43:9 | ...<... is false | epilogues.go:47:9:47:9 | x |
+| epilogues.go:43:5:43:9 | ...<... is true | epilogues.go:44:3:44:8 | skip |
+| epilogues.go:43:9:43:9 | 0 | epilogues.go:43:5:43:9 | ...<... |
+| epilogues.go:44:3:44:8 | assignment to result | epilogues.go:45:3:45:8 | return statement |
+| epilogues.go:44:3:44:8 | skip | epilogues.go:44:13:44:13 | x |
+| epilogues.go:44:12:44:13 | -... | epilogues.go:44:3:44:8 | assignment to result |
+| epilogues.go:44:13:44:13 | x | epilogues.go:44:12:44:13 | -... |
+| epilogues.go:45:3:45:8 | return statement | epilogues.go:42:28:42:33 | implicit read of result |
+| epilogues.go:47:2:47:14 | return statement | epilogues.go:42:28:42:33 | implicit read of result |
+| epilogues.go:47:9:47:9 | implicit write of result | epilogues.go:47:12:47:14 | nil |
+| epilogues.go:47:9:47:9 | x | epilogues.go:47:9:47:9 | implicit write of result |
+| epilogues.go:47:12:47:14 | implicit write of err | epilogues.go:47:2:47:14 | return statement |
+| epilogues.go:47:12:47:14 | nil | epilogues.go:47:12:47:14 | implicit write of err |
+| epilogues.go:51:1:54:1 | entry | epilogues.go:51:23:51:23 | argument corresponding to x |
+| epilogues.go:51:1:54:1 | function declaration | epilogues.go:59:6:59:25 | skip |
+| epilogues.go:51:6:51:21 | skip | epilogues.go:51:1:54:1 | function declaration |
+| epilogues.go:51:23:51:23 | argument corresponding to x | epilogues.go:51:23:51:23 | initialization of x |
+| epilogues.go:51:23:51:23 | initialization of x | epilogues.go:51:31:51:31 | zero value for n |
+| epilogues.go:51:31:51:31 | implicit read of n | epilogues.go:51:1:54:1 | exit |
+| epilogues.go:51:31:51:31 | initialization of n | epilogues.go:52:2:52:2 | skip |
+| epilogues.go:51:31:51:31 | zero value for n | epilogues.go:51:31:51:31 | initialization of n |
+| epilogues.go:52:2:52:2 | assignment to n | epilogues.go:53:2:53:7 | return statement |
+| epilogues.go:52:2:52:2 | skip | epilogues.go:52:6:52:6 | x |
+| epilogues.go:52:6:52:6 | x | epilogues.go:52:10:52:10 | 1 |
+| epilogues.go:52:6:52:10 | ...+... | epilogues.go:52:2:52:2 | assignment to n |
+| epilogues.go:52:10:52:10 | 1 | epilogues.go:52:6:52:10 | ...+... |
+| epilogues.go:53:2:53:7 | return statement | epilogues.go:51:31:51:31 | implicit read of n |
+| epilogues.go:59:1:62:1 | entry | epilogues.go:59:27:59:27 | argument corresponding to l |
+| epilogues.go:59:1:62:1 | function declaration | epilogues.go:66:6:66:26 | skip |
+| epilogues.go:59:6:59:25 | skip | epilogues.go:59:1:62:1 | function declaration |
+| epilogues.go:59:27:59:27 | argument corresponding to l | epilogues.go:59:27:59:27 | initialization of l |
+| epilogues.go:59:27:59:27 | initialization of l | epilogues.go:59:41:59:45 | argument corresponding to items |
+| epilogues.go:59:41:59:45 | argument corresponding to items | epilogues.go:59:41:59:45 | initialization of items |
+| epilogues.go:59:41:59:45 | initialization of items | epilogues.go:60:8:60:8 | l |
+| epilogues.go:60:2:60:33 | defer statement | epilogues.go:61:2:61:12 | selection of Println |
+| epilogues.go:60:8:60:8 | l | epilogues.go:60:8:60:12 | selection of log |
+| epilogues.go:60:8:60:12 | selection of log | epilogues.go:60:14:60:20 | "count" |
+| epilogues.go:60:8:60:33 | call to log | epilogues.go:59:1:62:1 | exit |
+| epilogues.go:60:14:60:20 | "count" | epilogues.go:60:23:60:25 | len |
+| epilogues.go:60:23:60:25 | len | epilogues.go:60:27:60:31 | items |
+| epilogues.go:60:23:60:32 | call to len | epilogues.go:60:2:60:33 | defer statement |
+| epilogues.go:60:27:60:31 | items | epilogues.go:60:23:60:32 | call to len |
+| epilogues.go:61:2:61:12 | selection of Println | epilogues.go:61:14:61:25 | "processing" |
+| epilogues.go:61:2:61:38 | call to Println | epilogues.go:60:8:60:33 | call to log |
+| epilogues.go:61:14:61:25 | "processing" | epilogues.go:61:28:61:30 | len |
+| epilogues.go:61:28:61:30 | len | epilogues.go:61:32:61:36 | items |
+| epilogues.go:61:28:61:37 | call to len | epilogues.go:61:2:61:38 | call to Println |
+| epilogues.go:61:32:61:36 | items | epilogues.go:61:28:61:37 | call to len |
+| epilogues.go:66:1:71:1 | entry | epilogues.go:66:28:66:33 | argument corresponding to prefix |
+| epilogues.go:66:1:71:1 | function declaration | epilogues.go:77:6:77:20 | skip |
+| epilogues.go:66:6:66:26 | skip | epilogues.go:66:1:71:1 | function declaration |
+| epilogues.go:66:28:66:33 | argument corresponding to prefix | epilogues.go:66:28:66:33 | initialization of prefix |
+| epilogues.go:66:28:66:33 | initialization of prefix | epilogues.go:67:2:67:2 | skip |
+| epilogues.go:67:2:67:2 | assignment to l | epilogues.go:68:8:68:8 | l |
+| epilogues.go:67:2:67:2 | skip | epilogues.go:67:7:67:31 | struct literal |
+| epilogues.go:67:7:67:31 | struct literal | epilogues.go:67:25:67:30 | prefix |
+| epilogues.go:67:17:67:30 | init of key-value pair | epilogues.go:67:2:67:2 | assignment to l |
+| epilogues.go:67:25:67:30 | prefix | epilogues.go:67:17:67:30 | init of key-value pair |
+| epilogues.go:68:2:68:24 | defer statement | epilogues.go:69:10:69:10 | l |
+| epilogues.go:68:8:68:8 | l | epilogues.go:68:8:68:17 | selection of logValue |
+| epilogues.go:68:8:68:17 | selection of logValue | epilogues.go:68:19:68:23 | "bye" |
+| epilogues.go:68:8:68:24 | call to logValue | epilogues.go:66:1:71:1 | exit |
+| epilogues.go:68:19:68:23 | "bye" | epilogues.go:68:2:68:24 | defer statement |
+| epilogues.go:69:2:69:25 | defer statement | epilogues.go:70:2:70:12 | selection of Println |
+| epilogues.go:69:8:69:15 | selection of log | epilogues.go:69:17:69:21 | "ptr" |
+| epilogues.go:69:8:69:25 | call to log | epilogues.go:68:8:68:24 | call to logValue |
+| epilogues.go:69:9:69:10 | &... | epilogues.go:69:8:69:15 | selection of log |
+| epilogues.go:69:10:69:10 | l | epilogues.go:69:9:69:10 | &... |
+| epilogues.go:69:17:69:21 | "ptr" | epilogues.go:69:24:69:24 | 7 |
+| epilogues.go:69:24:69:24 | 7 | epilogues.go:69:2:69:25 | defer statement |
+| epilogues.go:70:2:70:12 | selection of Println | epilogues.go:70:14:70:19 | "body" |
+| epilogues.go:70:2:70:20 | call to Println | epilogues.go:69:8:69:25 | call to log |
+| epilogues.go:70:14:70:19 | "body" | epilogues.go:70:2:70:20 | call to Println |
+| epilogues.go:77:1:82:1 | entry | epilogues.go:77:22:77:22 | argument corresponding to x |
+| epilogues.go:77:1:82:1 | function declaration | epilogues.go:87:6:87:20 | skip |
+| epilogues.go:77:6:77:20 | skip | epilogues.go:77:1:82:1 | function declaration |
+| epilogues.go:77:22:77:22 | argument corresponding to x | epilogues.go:77:22:77:22 | initialization of x |
+| epilogues.go:77:22:77:22 | initialization of x | epilogues.go:78:8:80:2 | function literal |
+| epilogues.go:78:2:80:15 | defer statement | epilogues.go:81:2:81:12 | selection of Println |
+| epilogues.go:78:8:80:2 | entry | epilogues.go:78:13:78:17 | argument corresponding to label |
+| epilogues.go:78:8:80:2 | function literal | epilogues.go:80:4:80:9 | "done" |
+| epilogues.go:78:8:80:15 | function call | epilogues.go:77:1:82:1 | exit |
+| epilogues.go:78:13:78:17 | argument corresponding to label | epilogues.go:78:13:78:17 | initialization of label |
+| epilogues.go:78:13:78:17 | initialization of label | epilogues.go:78:27:78:27 | argument corresponding to n |
+| epilogues.go:78:27:78:27 | argument corresponding to n | epilogues.go:78:27:78:27 | initialization of n |
+| epilogues.go:78:27:78:27 | initialization of n | epilogues.go:79:3:79:13 | selection of Println |
+| epilogues.go:79:3:79:13 | selection of Println | epilogues.go:79:15:79:19 | label |
+| epilogues.go:79:3:79:23 | call to Println | epilogues.go:78:8:80:2 | exit |
+| epilogues.go:79:15:79:19 | label | epilogues.go:79:22:79:22 | n |
+| epilogues.go:79:22:79:22 | n | epilogues.go:79:3:79:23 | call to Println |
+| epilogues.go:80:4:80:9 | "done" | epilogues.go:80:12:80:12 | x |
+| epilogues.go:80:12:80:12 | x | epilogues.go:80:14:80:14 | 1 |
+| epilogues.go:80:12:80:14 | ...+... | epilogues.go:78:2:80:15 | defer statement |
+| epilogues.go:80:14:80:14 | 1 | epilogues.go:80:12:80:14 | ...+... |
+| epilogues.go:81:2:81:12 | selection of Println | epilogues.go:81:14:81:19 | "body" |
+| epilogues.go:81:2:81:23 | call to Println | epilogues.go:78:8:80:15 | function call |
+| epilogues.go:81:14:81:19 | "body" | epilogues.go:81:22:81:22 | x |
+| epilogues.go:81:22:81:22 | x | epilogues.go:81:2:81:23 | call to Println |
+| epilogues.go:87:1:98:1 | entry | epilogues.go:87:22:87:22 | argument corresponding to x |
+| epilogues.go:87:1:98:1 | function declaration | epilogues.go:102:6:102:24 | skip |
+| epilogues.go:87:6:87:20 | skip | epilogues.go:87:1:98:1 | function declaration |
+| epilogues.go:87:22:87:22 | argument corresponding to x | epilogues.go:87:22:87:22 | initialization of x |
+| epilogues.go:87:22:87:22 | initialization of x | epilogues.go:87:30:87:35 | zero value for result |
+| epilogues.go:87:30:87:35 | implicit read of result | epilogues.go:87:1:98:1 | exit |
+| epilogues.go:87:30:87:35 | initialization of result | epilogues.go:88:8:92:2 | function literal |
+| epilogues.go:87:30:87:35 | zero value for result | epilogues.go:87:30:87:35 | initialization of result |
+| epilogues.go:88:2:92:4 | defer statement | epilogues.go:93:5:93:5 | x |
+| epilogues.go:88:8:92:2 | entry | epilogues.go:89:6:89:6 | skip |
+| epilogues.go:88:8:92:2 | function literal | epilogues.go:88:2:92:4 | defer statement |
+| epilogues.go:88:8:92:4 | function call | epilogues.go:87:1:98:1 | exit |
+| epilogues.go:88:8:92:4 | function call | epilogues.go:87:30:87:35 | implicit read of result |
+| epilogues.go:89:6:89:6 | assignment to r | epilogues.go:89:22:89:22 | r |
+| epilogues.go:89:6:89:6 | skip | epilogues.go:89:11:89:17 | recover |
+| epilogues.go:89:11:89:17 | recover | epilogues.go:89:11:89:19 | call to recover |
+| epilogues.go:89:11:89:19 | call to recover | epilogues.go:89:6:89:6 | assignment to r |
+| epilogues.go:89:22:89:22 | r | epilogues.go:89:27:89:29 | nil |
+| epilogues.go:89:22:89:29 | ...!=... | epilogues.go:88:8:92:2 | exit |
+| epilogues.go:89:22:89:29 | ...!=... | epilogues.go:89:22:89:29 | ...!=... is false |
+| epilogues.go:89:22:89:29 | ...!=... | epilogues.go:89:22:89:29 | ...!=... is true |
+| epilogues.go:89:22:89:29 | ...!=... is false | epilogues.go:88:8:92:2 | exit |
+| epilogues.go:89:22:89:29 | ...!=... is true | epilogues.go:90:4:90:9 | skip |
+| epilogues.go:89:27:89:29 | nil | epilogues.go:89:22:89:29 | ...!=... |
+| epilogues.go:90:4:90:9 | assignment to result | epilogues.go:88:8:92:2 | exit |
+| epilogues.go:90:4:90:9 | skip | epilogues.go:90:13:90:14 | -... |
+| epilogues.go:90:13:90:14 | -... | epilogues.go:90:4:90:9 | assignment to result |
+| epilogues.go:93:5:93:5 | x | epilogues.go:93:9:93:9 | 0 |
+| epilogues.go:93:5:93:9 | ...<... | epilogues.go:93:5:93:9 | ...<... is false |
+| epilogues.go:93:5:93:9 | ...<... | epilogues.go:93:5:93:9 | ...<... is true |
+| epilogues.go:93:5:93:9 | ...<... is false | epilogues.go:96:2:96:7 | skip |
+| epilogues.go:93:5:93:9 | ...<... is true | epilogues.go:94:3:94:7 | panic |
+| epilogues.go:93:9:93:9 | 0 | epilogues.go:93:5:93:9 | ...<... |
+| epilogues.go:94:3:94:7 | panic | epilogues.go:94:9:94:13 | "neg" |
+| epilogues.go:94:3:94:14 | call to panic | epilogues.go:88:8:92:4 | function call |
+| epilogues.go:94:9:94:13 | "neg" | epilogues.go:94:3:94:14 | call to panic |
+| epilogues.go:96:2:96:7 | assignment to result | epilogues.go:97:9:97:14 | result |
+| epilogues.go:96:2:96:7 | skip | epilogues.go:96:11:96:11 | x |
+| epilogues.go:96:11:96:11 | x | epilogues.go:96:15:96:15 | x |
+| epilogues.go:96:11:96:15 | ...*... | epilogues.go:96:2:96:7 | assignment to result |
+| epilogues.go:96:15:96:15 | x | epilogues.go:96:11:96:15 | ...*... |
+| epilogues.go:97:2:97:14 | return statement | epilogues.go:88:8:92:4 | function call |
+| epilogues.go:97:9:97:14 | implicit write of result | epilogues.go:97:2:97:14 | return statement |
+| epilogues.go:97:9:97:14 | result | epilogues.go:97:9:97:14 | implicit write of result |
+| epilogues.go:102:1:110:1 | entry | epilogues.go:102:26:102:26 | argument corresponding to x |
+| epilogues.go:102:1:110:1 | function declaration | epilogues.go:115:6:115:22 | skip |
+| epilogues.go:102:6:102:24 | skip | epilogues.go:102:1:110:1 | function declaration |
+| epilogues.go:102:26:102:26 | argument corresponding to x | epilogues.go:102:26:102:26 | initialization of x |
+| epilogues.go:102:26:102:26 | initialization of x | epilogues.go:102:34:102:35 | zero value for ok |
+| epilogues.go:102:34:102:35 | implicit read of ok | epilogues.go:102:43:102:43 | implicit read of n |
+| epilogues.go:102:34:102:35 | initialization of ok | epilogues.go:102:43:102:43 | zero value for n |
+| epilogues.go:102:34:102:35 | zero value for ok | epilogues.go:102:34:102:35 | initialization of ok |
+| epilogues.go:102:43:102:43 | implicit read of n | epilogues.go:102:1:110:1 | exit |
+| epilogues.go:102:43:102:43 | initialization of n | epilogues.go:103:8:103:17 | epiRecover |
+| epilogues.go:102:43:102:43 | zero value for n | epilogues.go:102:43:102:43 | initialization of n |
+| epilogues.go:103:2:103:19 | defer statement | epilogues.go:104:5:104:5 | x |
+| epilogues.go:103:8:103:17 | epiRecover | epilogues.go:103:2:103:19 | defer statement |
+| epilogues.go:103:8:103:19 | call to epiRecover | epilogues.go:102:1:110:1 | exit |
+| epilogues.go:103:8:103:19 | call to epiRecover | epilogues.go:102:34:102:35 | implicit read of ok |
+| epilogues.go:104:5:104:5 | x | epilogues.go:104:10:104:10 | 0 |
+| epilogues.go:104:5:104:10 | ...==... | epilogues.go:104:5:104:10 | ...==... is false |
+| epilogues.go:104:5:104:10 | ...==... | epilogues.go:104:5:104:10 | ...==... is true |
+| epilogues.go:104:5:104:10 | ...==... is false | epilogues.go:107:2:107:2 | skip |
+| epilogues.go:104:5:104:10 | ...==... is true | epilogues.go:105:3:105:8 | return statement |
+| epilogues.go:104:10:104:10 | 0 | epilogues.go:104:5:104:10 | ...==... |
+| epilogues.go:105:3:105:8 | return statement | epilogues.go:103:8:103:19 | call to epiRecover |
+| epilogues.go:107:2:107:2 | assignment to n | epilogues.go:108:2:108:3 | skip |
+| epilogues.go:107:2:107:2 | skip | epilogues.go:107:6:107:6 | x |
+| epilogues.go:107:6:107:6 | x | epilogues.go:107:2:107:2 | assignment to n |
+| epilogues.go:108:2:108:3 | assignment to ok | epilogues.go:109:2:109:7 | return statement |
+| epilogues.go:108:2:108:3 | skip | epilogues.go:108:7:108:10 | true |
+| epilogues.go:108:7:108:10 | true | epilogues.go:108:2:108:3 | assignment to ok |
+| epilogues.go:109:2:109:7 | return statement | epilogues.go:103:8:103:19 | call to epiRecover |
+| epilogues.go:115:1:118:1 | entry | epilogues.go:116:8:116:17 | epiRecover |
+| epilogues.go:115:1:118:1 | function declaration | epilogues.go:0:0:0:0 | exit |
+| epilogues.go:115:6:115:22 | skip | epilogues.go:115:1:118:1 | function declaration |
+| epilogues.go:116:2:116:19 | defer statement | epilogues.go:117:2:117:6 | panic |
+| epilogues.go:116:8:116:17 | epiRecover | epilogues.go:116:2:116:19 | defer statement |
+| epilogues.go:116:8:116:19 | call to epiRecover | epilogues.go:115:1:118:1 | exit |
+| epilogues.go:117:2:117:6 | panic | epilogues.go:117:8:117:13 | "boom" |
+| epilogues.go:117:2:117:14 | call to panic | epilogues.go:116:8:116:19 | call to epiRecover |
+| epilogues.go:117:8:117:13 | "boom" | epilogues.go:117:2:117:14 | call to panic |
 | equalitytests.go:0:0:0:0 | entry | equalitytests.go:3:1:5:1 | skip |
 | equalitytests.go:3:1:5:1 | skip | equalitytests.go:7:1:9:1 | skip |
 | equalitytests.go:7:1:9:1 | skip | equalitytests.go:11:6:11:18 | skip |

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected

@@ -1,3 +1,4 @@
+| epilogues.go:115:6:115:22 | epiRecoverUnnamed | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.epiRecoverUnnamed |
 | file://:0:0:0:0 | Exit | os.Exit |
 | file://:0:0:0:0 | Fatal | log.Fatal |
 | file://:0:0:0:0 | Fatal | log.Logger.Fatal |

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/epilogues.go

@@ -0,0 +1,118 @@
+package main
+
+import "fmt"
+
+// epiLogger has methods with both pointer and value receivers, used to check
+// that the receiver and arguments of a deferred call are evaluated at the
+// `defer` statement rather than in the function epilogue.
+type epiLogger struct {
+	prefix string
+}
+
+func (l *epiLogger) log(msg string, code int) {
+	fmt.Println(l.prefix, msg, code)
+}
+
+func (l epiLogger) logValue(msg string) {
+	fmt.Println(l.prefix, msg)
+}
+
+// epiRecover recovers from a panic. It is used as a deferred function so we can
+// check that control flow returns to the result-read nodes and the normal exit
+// node after recovering.
+func epiRecover() {
+	if r := recover(); r != nil {
+		fmt.Println("recovered:", r)
+	}
+}
+
+// epiPlain has no named result variable and a single `return` with a child
+// expression.
+func epiPlain(x int) int {
+	return x * 2
+}
+
+// epiVoid has no named result variable and no `return` statement at all.
+func epiVoid() {
+	fmt.Println("void")
+}
+
+// epiNamedMixed has named result variables and a mix of a bare `return` (no
+// child expressions) and a `return` with child expressions.
+func epiNamedMixed(x int) (result int, err error) {
+	if x < 0 {
+		result = -x
+		return
+	}
+	return x, nil
+}
+
+// epiNamedBareOnly has a named result variable and only a bare `return`.
+func epiNamedBareOnly(x int) (n int) {
+	n = x + 1
+	return
+}
+
+// epiDeferReceiverArgs has a deferred call with a (pointer) receiver and
+// arguments that are expressions, so we can check the receiver `l` and the
+// arguments `"count"` and `len(items)` are evaluated at the `defer` statement.
+func epiDeferReceiverArgs(l *epiLogger, items []int) {
+	defer l.log("count", len(items))
+	fmt.Println("processing", len(items))
+}
+
+// epiDeferValueReceiver has deferred calls with a value receiver and an
+// address-of receiver, both with arguments evaluated at the `defer` statement.
+func epiDeferValueReceiver(prefix string) {
+	l := epiLogger{prefix: prefix}
+	defer l.logValue("bye")
+	defer (&l).log("ptr", 7)
+	fmt.Println("body")
+}
+
+// epiDeferFuncLit has a deferred function literal with parameters, so we can
+// check that the arguments `"done"` and `x+1` are evaluated at the `defer`
+// statement and that control flow enters the function literal body when it is
+// invoked at the function epilogue.
+func epiDeferFuncLit(x int) {
+	defer func(label string, n int) {
+		fmt.Println(label, n)
+	}("done", x+1)
+	fmt.Println("body", x)
+}
+
+// epiRecoverNamed has a named result variable and a deferred closure containing
+// `recover()`. After recovering on the panic path, control flow should return
+// to the result-read nodes and the normal exit node.
+func epiRecoverNamed(x int) (result int) {
+	defer func() {
+		if r := recover(); r != nil {
+			result = -1
+		}
+	}()
+	if x < 0 {
+		panic("neg")
+	}
+	result = x * x
+	return result
+}
+
+// epiRecoverNamedBare has named result variables, a deferred function
+// containing `recover()`, and only bare `return` statements.
+func epiRecoverNamedBare(x int) (ok bool, n int) {
+	defer epiRecover()
+	if x == 0 {
+		return
+	}
+	n = x
+	ok = true
+	return
+}
+
+// epiRecoverUnnamed has no named result variables and a deferred function
+// containing `recover()`; after recovering, control flow should reach the
+// normal exit node directly (there are no result-read nodes).
+func epiRecoverUnnamed() {
+	defer epiRecover()
+	panic("boom")
+}

python/ql/consistency-queries/CfgConsistency.ql

@@ -1,2 +0,0 @@
-import semmle.python.controlflow.internal.AstNodeImpl
-import ControlFlow::Consistency

python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* A new Python control flow graph implementation has been added under `semmle.python.controlflow.internal.Cfg` (backed by `AstNodeImpl.qll`), built on the shared `codeql.controlflow.ControlFlowGraph` library. It is not yet used by the dataflow library or any production query; the legacy CFG in `semmle/python/Flow.qll` remains the default. The new library is exposed for tests and for upcoming migrations.

python/ql/lib/change-notes/2026-05-19-add-shared-ssa.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* A new SSA adapter has been added under `semmle.python.dataflow.new.internal.SsaImpl`, built on the shared `codeql.ssa.Ssa` library and the new shared CFG (`semmle.python.controlflow.internal.Cfg`). It is not yet used by the dataflow library or any production query; the legacy ESSA SSA in `semmle/python/essa/*` remains the default. The new SSA adapter is exposed for tests and for the upcoming dataflow migration.

python/ql/lib/printCfgNew.ql

@@ -1,45 +0,0 @@
-/**
- * @name Print CFG (New)
- * @description Produces a representation of a file's Control Flow Graph
- *              using the new shared control flow library.
- *              This query is used by the VS Code extension.
- * @id python/print-cfg
- * @kind graph
- * @tags ide-contextual-queries/print-cfg
- */
-
-private import python as Py
-import semmle.python.controlflow.internal.AstNodeImpl
-
-external string selectedSourceFile();
-
-private predicate selectedSourceFileAlias = selectedSourceFile/0;
-
-external int selectedSourceLine();
-
-private predicate selectedSourceLineAlias = selectedSourceLine/0;
-
-external int selectedSourceColumn();
-
-private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
-
-module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<Py::File> {
-  predicate selectedSourceFile = selectedSourceFileAlias/0;
-
-  predicate selectedSourceLine = selectedSourceLineAlias/0;
-
-  predicate selectedSourceColumn = selectedSourceColumnAlias/0;
-
-  predicate cfgScopeSpan(
-    Ast::Callable callable, Py::File file, int startLine, int startColumn, int endLine,
-    int endColumn
-  ) {
-    exists(Py::Scope scope |
-      scope = callable.asScope() and
-      file = scope.getLocation().getFile() and
-      scope.getLocation().hasLocationInfo(_, startLine, startColumn, endLine, endColumn)
-    )
-  }
-}
-
-import ControlFlow::ViewCfgQuery<Py::File, ViewCfgQueryInput>

python/ql/lib/semmle/python/Flow.qll

@@ -1,7 +1,7 @@
 overlay[local]
 module;
 
-import python as Py
+import python
 private import semmle.python.internal.CachedStages
 private import codeql.controlflow.BasicBlock as BB
 
@@ -17,7 +17,7 @@ private import codeql.controlflow.BasicBlock as BB
  */
 
 private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
-  exists(Py::Expr load_store | exists(Py::AugAssign aa | aa.getTarget() = load_store) |
+  exists(Expr load_store | exists(AugAssign aa | aa.getTarget() = load_store) |
     toAst(load) = load_store and
     toAst(store) = load_store and
     load.strictlyDominates(store)
@@ -25,7 +25,7 @@ private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
 }
 
 /** A non-dispatched getNode() to avoid negative recursion issues */
-private Py::AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
+private AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
 
 /**
  * A control flow node. Control flow nodes have a many-to-one relation with syntactic nodes,
@@ -35,19 +35,19 @@ private Py::AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _)
 class ControlFlowNode extends @py_flow_node {
   /** Whether this control flow node is a load (including those in augmented assignments) */
   predicate isLoad() {
-    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
+    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
   }
 
   /** Whether this control flow node is a store (including those in augmented assignments) */
   predicate isStore() {
-    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
+    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
   }
 
   /** Whether this control flow node is a delete */
-  predicate isDelete() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }
+  predicate isDelete() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }
 
   /** Whether this control flow node is a parameter */
-  predicate isParameter() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }
+  predicate isParameter() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }
 
   /** Whether this control flow node is a store in an augmented assignment */
   predicate isAugStore() { augstore(_, this) }
@@ -57,61 +57,61 @@ class ControlFlowNode extends @py_flow_node {
 
   /** Whether this flow node corresponds to a literal */
   predicate isLiteral() {
-    toAst(this) instanceof Py::Bytes
+    toAst(this) instanceof Bytes
     or
-    toAst(this) instanceof Py::Dict
+    toAst(this) instanceof Dict
     or
-    toAst(this) instanceof Py::DictComp
+    toAst(this) instanceof DictComp
     or
-    toAst(this) instanceof Py::Set
+    toAst(this) instanceof Set
     or
-    toAst(this) instanceof Py::SetComp
+    toAst(this) instanceof SetComp
     or
-    toAst(this) instanceof Py::Ellipsis
+    toAst(this) instanceof Ellipsis
     or
-    toAst(this) instanceof Py::GeneratorExp
+    toAst(this) instanceof GeneratorExp
     or
-    toAst(this) instanceof Py::Lambda
+    toAst(this) instanceof Lambda
     or
-    toAst(this) instanceof Py::ListComp
+    toAst(this) instanceof ListComp
     or
-    toAst(this) instanceof Py::List
+    toAst(this) instanceof List
     or
-    toAst(this) instanceof Py::Num
+    toAst(this) instanceof Num
     or
-    toAst(this) instanceof Py::Tuple
+    toAst(this) instanceof Tuple
     or
-    toAst(this) instanceof Py::Unicode
+    toAst(this) instanceof Unicode
     or
-    toAst(this) instanceof Py::NameConstant
+    toAst(this) instanceof NameConstant
   }
 
   /** Whether this flow node corresponds to an attribute expression */
-  predicate isAttribute() { toAst(this) instanceof Py::Attribute }
+  predicate isAttribute() { toAst(this) instanceof Attribute }
 
   /** Whether this flow node corresponds to an subscript expression */
-  predicate isSubscript() { toAst(this) instanceof Py::Subscript }
+  predicate isSubscript() { toAst(this) instanceof Subscript }
 
   /** Whether this flow node corresponds to an import member */
-  predicate isImportMember() { toAst(this) instanceof Py::ImportMember }
+  predicate isImportMember() { toAst(this) instanceof ImportMember }
 
   /** Whether this flow node corresponds to a call */
-  predicate isCall() { toAst(this) instanceof Py::Call }
+  predicate isCall() { toAst(this) instanceof Call }
 
   /** Whether this flow node is the first in a module */
-  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Py::Module }
+  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Module }
 
   /** Whether this flow node corresponds to an import */
-  predicate isImport() { toAst(this) instanceof Py::ImportExpr }
+  predicate isImport() { toAst(this) instanceof ImportExpr }
 
   /** Whether this flow node corresponds to a conditional expression */
-  predicate isIfExp() { toAst(this) instanceof Py::IfExp }
+  predicate isIfExp() { toAst(this) instanceof IfExp }
 
   /** Whether this flow node corresponds to a function definition expression */
-  predicate isFunction() { toAst(this) instanceof Py::FunctionExpr }
+  predicate isFunction() { toAst(this) instanceof FunctionExpr }
 
   /** Whether this flow node corresponds to a class definition expression */
-  predicate isClass() { toAst(this) instanceof Py::ClassExpr }
+  predicate isClass() { toAst(this) instanceof ClassExpr }
 
   /** Gets a predecessor of this flow node */
   ControlFlowNode getAPredecessor() { this = result.getASuccessor() }
@@ -123,25 +123,25 @@ class ControlFlowNode extends @py_flow_node {
   ControlFlowNode getImmediateDominator() { py_idoms(this, result) }
 
   /** Gets the syntactic element corresponding to this flow node */
-  Py::AstNode getNode() { py_flow_bb_node(this, result, _, _) }
+  AstNode getNode() { py_flow_bb_node(this, result, _, _) }
 
   /** Gets a textual representation of this element. */
   cached
   string toString() {
     Stages::AST::ref() and
     // Since modules can have ambigous names, entry nodes can too, if we do not collate them.
-    exists(Py::Scope s | s.getEntryNode() = this |
+    exists(Scope s | s.getEntryNode() = this |
       result = "Entry node for " + concat( | | s.toString(), ",")
     )
     or
-    exists(Py::Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
+    exists(Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
     or
-    not exists(Py::Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
+    not exists(Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
     result = "ControlFlowNode for " + this.getNode().toString()
   }
 
   /** Gets the location of this ControlFlowNode */
-  Py::Location getLocation() { result = this.getNode().getLocation() }
+  Location getLocation() { result = this.getNode().getLocation() }
 
   /** Whether this flow node is the first in its scope */
   predicate isEntryNode() { py_scope_flow(this, _, -1) }
@@ -151,9 +151,9 @@ class ControlFlowNode extends @py_flow_node {
 
   /** Gets the scope containing this flow node */
   cached
-  Py::Scope getScope() {
+  Scope getScope() {
     Stages::AST::ref() and
-    if this.getNode() instanceof Py::Scope
+    if this.getNode() instanceof Scope
     then
       /* Entry or exit node */
       result = this.getNode()
@@ -161,7 +161,7 @@ class ControlFlowNode extends @py_flow_node {
   }
 
   /** Gets the enclosing module */
-  Py::Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }
+  Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }
 
   /** Gets a successor for this node if the relevant condition is True. */
   ControlFlowNode getATrueSuccessor() {
@@ -188,7 +188,7 @@ class ControlFlowNode extends @py_flow_node {
   }
 
   /** Whether the scope may be exited as a result of this node raising an exception */
-  predicate isExceptionalExit(Py::Scope s) { py_scope_flow(this, s, 1) }
+  predicate isExceptionalExit(Scope s) { py_scope_flow(this, s, 1) }
 
   /** Whether this node is a normal (non-exceptional) exit */
   predicate isNormalExit() { py_scope_flow(this, _, 0) or py_scope_flow(this, _, 2) }
@@ -236,7 +236,7 @@ class ControlFlowNode extends @py_flow_node {
   /* join-ordering helper for `getAChild() */
   pragma[noinline]
   private ControlFlowNode getExprChild(BasicBlock dom) {
-    this.getNode().(Py::Expr).getAChildNode() = result.getNode() and
+    this.getNode().(Expr).getAChildNode() = result.getNode() and
     result.getBasicBlock().dominates(dom) and
     not this instanceof UnaryExprNode
   }
@@ -249,16 +249,16 @@ class ControlFlowNode extends @py_flow_node {
  */
 
 private class AnyNode extends ControlFlowNode {
-  override Py::AstNode getNode() { result = super.getNode() }
+  override AstNode getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a call expression, such as `func(...)` */
 class CallNode extends ControlFlowNode {
-  CallNode() { toAst(this) instanceof Py::Call }
+  CallNode() { toAst(this) instanceof Call }
 
   /** Gets the flow node corresponding to the function expression for the call corresponding to this flow node */
   ControlFlowNode getFunction() {
-    exists(Py::Call c |
+    exists(Call c |
       this.getNode() = c and
       c.getFunc() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -267,7 +267,7 @@ class CallNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the n'th positional argument of the call corresponding to this flow node */
   ControlFlowNode getArg(int n) {
-    exists(Py::Call c |
+    exists(Call c |
       this.getNode() = c and
       c.getArg(n) = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -276,7 +276,7 @@ class CallNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the named argument of the call corresponding to this flow node */
   ControlFlowNode getArgByName(string name) {
-    exists(Py::Call c, Py::Keyword k |
+    exists(Call c, Keyword k |
       this.getNode() = c and
       k = c.getANamedArg() and
       k.getValue() = result.getNode() and
@@ -292,7 +292,7 @@ class CallNode extends ControlFlowNode {
     result = this.getArgByName(_)
   }
 
-  override Py::Call getNode() { result = super.getNode() }
+  override Call getNode() { result = super.getNode() }
 
   predicate isDecoratorCall() {
     this.isClassDecoratorCall()
@@ -301,11 +301,11 @@ class CallNode extends ControlFlowNode {
   }
 
   predicate isClassDecoratorCall() {
-    exists(Py::ClassExpr cls | this.getNode() = cls.getADecoratorCall())
+    exists(ClassExpr cls | this.getNode() = cls.getADecoratorCall())
   }
 
   predicate isFunctionDecoratorCall() {
-    exists(Py::FunctionExpr func | this.getNode() = func.getADecoratorCall())
+    exists(FunctionExpr func | this.getNode() = func.getADecoratorCall())
   }
 
   /** Gets the first tuple (*) argument of this call, if any. */
@@ -323,11 +323,11 @@ class CallNode extends ControlFlowNode {
 
 /** A control flow corresponding to an attribute expression, such as `value.attr` */
 class AttrNode extends ControlFlowNode {
-  AttrNode() { toAst(this) instanceof Py::Attribute }
+  AttrNode() { toAst(this) instanceof Attribute }
 
   /** Gets the flow node corresponding to the object of the attribute expression corresponding to this flow node */
   ControlFlowNode getObject() {
-    exists(Py::Attribute a |
+    exists(Attribute a |
       this.getNode() = a and
       a.getObject() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -339,7 +339,7 @@ class AttrNode extends ControlFlowNode {
    * with the matching name
    */
   ControlFlowNode getObject(string name) {
-    exists(Py::Attribute a |
+    exists(Attribute a |
       this.getNode() = a and
       a.getObject() = result.getNode() and
       a.getName() = name and
@@ -348,57 +348,57 @@ class AttrNode extends ControlFlowNode {
   }
 
   /** Gets the attribute name of the attribute expression corresponding to this flow node */
-  string getName() { exists(Py::Attribute a | this.getNode() = a and a.getName() = result) }
+  string getName() { exists(Attribute a | this.getNode() = a and a.getName() = result) }
 
-  override Py::Attribute getNode() { result = super.getNode() }
+  override Attribute getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a `from ... import ...` expression */
 class ImportMemberNode extends ControlFlowNode {
-  ImportMemberNode() { toAst(this) instanceof Py::ImportMember }
+  ImportMemberNode() { toAst(this) instanceof ImportMember }
 
   /**
    * Gets the flow node corresponding to the module in the import-member expression corresponding to this flow node,
    * with the matching name
    */
   ControlFlowNode getModule(string name) {
-    exists(Py::ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
+    exists(ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
       i.getName() = name and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::ImportMember getNode() { result = super.getNode() }
+  override ImportMember getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to an artificial expression representing an import */
 class ImportExprNode extends ControlFlowNode {
-  ImportExprNode() { toAst(this) instanceof Py::ImportExpr }
+  ImportExprNode() { toAst(this) instanceof ImportExpr }
 
-  override Py::ImportExpr getNode() { result = super.getNode() }
+  override ImportExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a `from ... import *` statement */
 class ImportStarNode extends ControlFlowNode {
-  ImportStarNode() { toAst(this) instanceof Py::ImportStar }
+  ImportStarNode() { toAst(this) instanceof ImportStar }
 
   /** Gets the flow node corresponding to the module in the import-star corresponding to this flow node */
   ControlFlowNode getModule() {
-    exists(Py::ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
+    exists(ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::ImportStar getNode() { result = super.getNode() }
+  override ImportStar getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a subscript expression, such as `value[slice]` */
 class SubscriptNode extends ControlFlowNode {
-  SubscriptNode() { toAst(this) instanceof Py::Subscript }
+  SubscriptNode() { toAst(this) instanceof Subscript }
 
   /** flow node corresponding to the value of the sequence in a subscript operation */
   ControlFlowNode getObject() {
-    exists(Py::Subscript s |
+    exists(Subscript s |
       this.getNode() = s and
       s.getObject() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -407,23 +407,23 @@ class SubscriptNode extends ControlFlowNode {
 
   /** flow node corresponding to the index in a subscript operation */
   ControlFlowNode getIndex() {
-    exists(Py::Subscript s |
+    exists(Subscript s |
       this.getNode() = s and
       s.getIndex() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::Subscript getNode() { result = super.getNode() }
+  override Subscript getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a comparison operation, such as `x<y` */
 class CompareNode extends ControlFlowNode {
-  CompareNode() { toAst(this) instanceof Py::Compare }
+  CompareNode() { toAst(this) instanceof Compare }
 
   /** Whether left and right are a pair of operands for this comparison */
-  predicate operands(ControlFlowNode left, Py::Cmpop op, ControlFlowNode right) {
-    exists(Py::Compare c, Py::Expr eleft, Py::Expr eright |
+  predicate operands(ControlFlowNode left, Cmpop op, ControlFlowNode right) {
+    exists(Compare c, Expr eleft, Expr eright |
       this.getNode() = c and left.getNode() = eleft and right.getNode() = eright
     |
       eleft = c.getLeft() and eright = c.getComparator(0) and op = c.getOp(0)
@@ -436,26 +436,26 @@ class CompareNode extends ControlFlowNode {
     right.getBasicBlock().dominates(this.getBasicBlock())
   }
 
-  override Py::Compare getNode() { result = super.getNode() }
+  override Compare getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a conditional expression such as, `body if test else orelse` */
 class IfExprNode extends ControlFlowNode {
-  IfExprNode() { toAst(this) instanceof Py::IfExp }
+  IfExprNode() { toAst(this) instanceof IfExp }
 
   /** flow node corresponding to one of the operands of an if-expression */
   ControlFlowNode getAnOperand() { result = this.getAPredecessor() }
 
-  override Py::IfExp getNode() { result = super.getNode() }
+  override IfExp getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to an assignment expression such as `lhs := rhs`. */
 class AssignmentExprNode extends ControlFlowNode {
-  AssignmentExprNode() { toAst(this) instanceof Py::AssignExpr }
+  AssignmentExprNode() { toAst(this) instanceof AssignExpr }
 
   /** Gets the flow node corresponding to the left-hand side of the assignment expression */
   ControlFlowNode getTarget() {
-    exists(Py::AssignExpr a |
+    exists(AssignExpr a |
       this.getNode() = a and
       a.getTarget() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -464,27 +464,27 @@ class AssignmentExprNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the right-hand side of the assignment expression */
   ControlFlowNode getValue() {
-    exists(Py::AssignExpr a |
+    exists(AssignExpr a |
       this.getNode() = a and
       a.getValue() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::AssignExpr getNode() { result = super.getNode() }
+  override AssignExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a binary expression, such as `x + y` */
 class BinaryExprNode extends ControlFlowNode {
-  BinaryExprNode() { toAst(this) instanceof Py::BinaryExpr }
+  BinaryExprNode() { toAst(this) instanceof BinaryExpr }
 
   /** flow node corresponding to one of the operands of a binary expression */
   ControlFlowNode getAnOperand() { result = this.getLeft() or result = this.getRight() }
 
-  override Py::BinaryExpr getNode() { result = super.getNode() }
+  override BinaryExpr getNode() { result = super.getNode() }
 
   ControlFlowNode getLeft() {
-    exists(Py::BinaryExpr b |
+    exists(BinaryExpr b |
       this.getNode() = b and
       result.getNode() = b.getLeft() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -492,7 +492,7 @@ class BinaryExprNode extends ControlFlowNode {
   }
 
   ControlFlowNode getRight() {
-    exists(Py::BinaryExpr b |
+    exists(BinaryExpr b |
       this.getNode() = b and
       result.getNode() = b.getRight() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -500,11 +500,11 @@ class BinaryExprNode extends ControlFlowNode {
   }
 
   /** Gets the operator of this binary expression node. */
-  Py::Operator getOp() { result = this.getNode().getOp() }
+  Operator getOp() { result = this.getNode().getOp() }
 
   /** Whether left and right are a pair of operands for this binary expression */
-  predicate operands(ControlFlowNode left, Py::Operator op, ControlFlowNode right) {
-    exists(Py::BinaryExpr b, Py::Expr eleft, Py::Expr eright |
+  predicate operands(ControlFlowNode left, Operator op, ControlFlowNode right) {
+    exists(BinaryExpr b, Expr eleft, Expr eright |
       this.getNode() = b and left.getNode() = eleft and right.getNode() = eright
     |
       eleft = b.getLeft() and eright = b.getRight() and op = b.getOp()
@@ -516,20 +516,20 @@ class BinaryExprNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a boolean shortcut (and/or) operation */
 class BoolExprNode extends ControlFlowNode {
-  BoolExprNode() { toAst(this) instanceof Py::BoolExpr }
+  BoolExprNode() { toAst(this) instanceof BoolExpr }
 
   /** flow node corresponding to one of the operands of a boolean expression */
   ControlFlowNode getAnOperand() {
-    exists(Py::BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
+    exists(BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
     this.getBasicBlock().dominates(result.getBasicBlock())
   }
 
-  override Py::BoolExpr getNode() { result = super.getNode() }
+  override BoolExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a unary expression: (`+x`), (`-x`) or (`~x`) */
 class UnaryExprNode extends ControlFlowNode {
-  UnaryExprNode() { toAst(this) instanceof Py::UnaryExpr }
+  UnaryExprNode() { toAst(this) instanceof UnaryExpr }
 
   /**
    * Gets flow node corresponding to the operand of a unary expression.
@@ -540,7 +540,7 @@ class UnaryExprNode extends ControlFlowNode {
    */
   ControlFlowNode getOperand() { result = this.getAPredecessor() }
 
-  override Py::UnaryExpr getNode() { result = super.getNode() }
+  override UnaryExpr getNode() { result = super.getNode() }
 
   override ControlFlowNode getAChild() { result = this.getAPredecessor() }
 }
@@ -555,22 +555,22 @@ class DefinitionNode extends ControlFlowNode {
   cached
   DefinitionNode() {
     Stages::AST::ref() and
-    exists(Py::Assign a | this.getNode() = a.getATarget())
+    exists(Assign a | this.getNode() = a.getATarget())
     or
-    exists(Py::AssignExpr a | this.getNode() = a.getTarget())
+    exists(AssignExpr a | this.getNode() = a.getTarget())
     or
-    exists(Py::AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
+    exists(AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
     or
-    exists(Py::Alias a | this.getNode() = a.getAsname())
+    exists(Alias a | this.getNode() = a.getAsname())
     or
     augstore(_, this)
     or
     // `x, y = 1, 2` where LHS is a combination of list or tuples
-    exists(Py::Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
+    exists(Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
     or
-    exists(Py::For for | this.getNode() = for.getTarget())
+    exists(For for | this.getNode() = for.getTarget())
     or
-    exists(Py::Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
+    exists(Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
   }
 
   /** flow node corresponding to the value assigned for the definition corresponding to this flow node */
@@ -584,16 +584,16 @@ class DefinitionNode extends ControlFlowNode {
       // since the default value for a parameter is evaluated in the same basic block as
       // the function definition, but the parameter belongs to the basic block of the function,
       // there is no dominance relationship between the two.
-      exists(Py::Parameter param | this.getNode() = param.asName())
+      exists(Parameter param | this.getNode() = param.asName())
     )
   }
 }
 
-private Py::Expr list_or_tuple_nested_element(Py::Expr list_or_tuple) {
-  exists(Py::Expr elt |
-    elt = list_or_tuple.(Py::Tuple).getAnElt()
+private Expr list_or_tuple_nested_element(Expr list_or_tuple) {
+  exists(Expr elt |
+    elt = list_or_tuple.(Tuple).getAnElt()
     or
-    elt = list_or_tuple.(Py::List).getAnElt()
+    elt = list_or_tuple.(List).getAnElt()
   |
     result = elt
     or
@@ -603,12 +603,12 @@ private Py::Expr list_or_tuple_nested_element(Py::Expr list_or_tuple) {
 
 /**
  * A control flow node corresponding to a deletion statement, such as `del x`.
- * There can be multiple `DeletionNode`s for each `Py::Delete` such that each
+ * There can be multiple `DeletionNode`s for each `Delete` such that each
  * target has own `DeletionNode`. The CFG for `del a, x.y` looks like:
  * `NameNode('a') -> DeletionNode -> NameNode('b') -> AttrNode('y') -> DeletionNode`.
  */
 class DeletionNode extends ControlFlowNode {
-  DeletionNode() { toAst(this) instanceof Py::Delete }
+  DeletionNode() { toAst(this) instanceof Delete }
 
   /** Gets the unique target of this deletion node. */
   ControlFlowNode getTarget() { result.getASuccessor() = this }
@@ -617,9 +617,9 @@ class DeletionNode extends ControlFlowNode {
 /** A control flow node corresponding to a sequence (tuple or list) literal */
 abstract class SequenceNode extends ControlFlowNode {
   SequenceNode() {
-    toAst(this) instanceof Py::Tuple
+    toAst(this) instanceof Tuple
     or
-    toAst(this) instanceof Py::List
+    toAst(this) instanceof List
   }
 
   /** Gets the control flow node for an element of this sequence */
@@ -632,11 +632,11 @@ abstract class SequenceNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a tuple expression such as `( 1, 3, 5, 7, 9 )` */
 class TupleNode extends SequenceNode {
-  TupleNode() { toAst(this) instanceof Py::Tuple }
+  TupleNode() { toAst(this) instanceof Tuple }
 
   override ControlFlowNode getElement(int n) {
     Stages::AST::ref() and
-    exists(Py::Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
+    exists(Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -647,10 +647,10 @@ class TupleNode extends SequenceNode {
 
 /** A control flow node corresponding to a list expression, such as `[ 1, 3, 5, 7, 9 ]` */
 class ListNode extends SequenceNode {
-  ListNode() { toAst(this) instanceof Py::List }
+  ListNode() { toAst(this) instanceof List }
 
   override ControlFlowNode getElement(int n) {
-    exists(Py::List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
+    exists(List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -661,10 +661,10 @@ class ListNode extends SequenceNode {
 
 /** A control flow node corresponding to a set expression, such as `{ 1, 3, 5, 7, 9 }` */
 class SetNode extends ControlFlowNode {
-  SetNode() { toAst(this) instanceof Py::Set }
+  SetNode() { toAst(this) instanceof Set }
 
   ControlFlowNode getAnElement() {
-    exists(Py::Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
+    exists(Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -675,20 +675,20 @@ class SetNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a dictionary literal, such as `{ 'a': 1, 'b': 2 }` */
 class DictNode extends ControlFlowNode {
-  DictNode() { toAst(this) instanceof Py::Dict }
+  DictNode() { toAst(this) instanceof Dict }
 
   /**
    * Gets a key of this dictionary literal node, for those items that have keys
    * E.g, in {'a':1, **b} this returns only 'a'
    */
   ControlFlowNode getAKey() {
-    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
+    exists(Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
     result.getBasicBlock().dominates(this.getBasicBlock())
   }
 
   /** Gets a value of this dictionary literal node */
   ControlFlowNode getAValue() {
-    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
+    exists(Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
     result.getBasicBlock().dominates(this.getBasicBlock())
   }
 }
@@ -712,23 +712,21 @@ class IterableNode extends ControlFlowNode {
   }
 }
 
-private Py::AstNode assigned_value(Py::Expr lhs) {
+private AstNode assigned_value(Expr lhs) {
   /* lhs = result */
-  exists(Py::Assign a | a.getATarget() = lhs and result = a.getValue())
+  exists(Assign a | a.getATarget() = lhs and result = a.getValue())
   or
   /* lhs := result */
-  exists(Py::AssignExpr a | a.getTarget() = lhs and result = a.getValue())
+  exists(AssignExpr a | a.getTarget() = lhs and result = a.getValue())
   or
   /* lhs : annotation = result */
-  exists(Py::AnnAssign a | a.getTarget() = lhs and result = a.getValue())
+  exists(AnnAssign a | a.getTarget() = lhs and result = a.getValue())
   or
   /* import result as lhs */
-  exists(Py::Alias a | a.getAsname() = lhs and result = a.getValue())
+  exists(Alias a | a.getAsname() = lhs and result = a.getValue())
   or
   /* lhs += x  =>  result = (lhs + x) */
-  exists(Py::AugAssign a, Py::BinaryExpr b |
-    b = a.getOperation() and result = b and lhs = b.getLeft()
-  )
+  exists(AugAssign a, BinaryExpr b | b = a.getOperation() and result = b and lhs = b.getLeft())
   or
   /*
    * ..., lhs, ... = ..., result, ...
@@ -736,31 +734,31 @@ private Py::AstNode assigned_value(Py::Expr lhs) {
    * ..., (..., lhs, ...), ... = ..., (..., result, ...), ...
    */
 
-  exists(Py::Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
+  exists(Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
   or
   /* for lhs in seq: => `result` is the `for` node, representing the `iter(next(seq))` operation. */
-  result.(Py::For).getTarget() = lhs
+  result.(For).getTarget() = lhs
   or
-  exists(Py::Parameter param | lhs = param.asName() and result = param.getDefault())
+  exists(Parameter param | lhs = param.asName() and result = param.getDefault())
 }
 
 predicate nested_sequence_assign(
-  Py::Expr left_parent, Py::Expr right_parent, Py::Expr left_result, Py::Expr right_result
+  Expr left_parent, Expr right_parent, Expr left_result, Expr right_result
 ) {
-  exists(Py::Assign a |
+  exists(Assign a |
     a.getATarget().getASubExpression*() = left_parent and
     a.getValue().getASubExpression*() = right_parent
   ) and
-  exists(int i, Py::Expr left_elem, Py::Expr right_elem |
+  exists(int i, Expr left_elem, Expr right_elem |
     (
-      left_elem = left_parent.(Py::Tuple).getElt(i)
+      left_elem = left_parent.(Tuple).getElt(i)
       or
-      left_elem = left_parent.(Py::List).getElt(i)
+      left_elem = left_parent.(List).getElt(i)
     ) and
     (
-      right_elem = right_parent.(Py::Tuple).getElt(i)
+      right_elem = right_parent.(Tuple).getElt(i)
       or
-      right_elem = right_parent.(Py::List).getElt(i)
+      right_elem = right_parent.(List).getElt(i)
     )
   |
     left_result = left_elem and right_result = right_elem
@@ -771,9 +769,9 @@ predicate nested_sequence_assign(
 
 /** A flow node for a `for` statement. */
 class ForNode extends ControlFlowNode {
-  ForNode() { toAst(this) instanceof Py::For }
+  ForNode() { toAst(this) instanceof For }
 
-  override Py::For getNode() { result = super.getNode() }
+  override For getNode() { result = super.getNode() }
 
   /** Holds if this `for` statement causes iteration over `sequence` storing each step of the iteration in `target` */
   predicate iterates(ControlFlowNode target, ControlFlowNode sequence) {
@@ -784,7 +782,7 @@ class ForNode extends ControlFlowNode {
 
   /** Gets the sequence node for this `for` statement. */
   ControlFlowNode getSequence() {
-    exists(Py::For for |
+    exists(For for |
       toAst(this) = for and
       for.getIter() = result.getNode()
     |
@@ -794,7 +792,7 @@ class ForNode extends ControlFlowNode {
 
   /** A possible `target` for this `for` statement, not accounting for loop unrolling */
   private ControlFlowNode possibleTarget() {
-    exists(Py::For for |
+    exists(For for |
       toAst(this) = for and
       for.getTarget() = result.getNode() and
       this.getBasicBlock().dominates(result.getBasicBlock())
@@ -811,11 +809,11 @@ class ForNode extends ControlFlowNode {
 
 /** A flow node for a `raise` statement */
 class RaiseStmtNode extends ControlFlowNode {
-  RaiseStmtNode() { toAst(this) instanceof Py::Raise }
+  RaiseStmtNode() { toAst(this) instanceof Raise }
 
   /** Gets the control flow node for the exception raised by this raise statement */
   ControlFlowNode getException() {
-    exists(Py::Raise r |
+    exists(Raise r |
       r = toAst(this) and
       r.getException() = toAst(result) and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -829,36 +827,36 @@ class RaiseStmtNode extends ControlFlowNode {
  */
 class NameNode extends ControlFlowNode {
   NameNode() {
-    exists(Py::Name n | py_flow_bb_node(this, n, _, _))
+    exists(Name n | py_flow_bb_node(this, n, _, _))
     or
-    exists(Py::PlaceHolder p | py_flow_bb_node(this, p, _, _))
+    exists(PlaceHolder p | py_flow_bb_node(this, p, _, _))
   }
 
   /** Whether this flow node defines the variable `v`. */
-  predicate defines(Py::Variable v) {
-    exists(Py::Name d | this.getNode() = d and d.defines(v)) and
+  predicate defines(Variable v) {
+    exists(Name d | this.getNode() = d and d.defines(v)) and
     not this.isLoad()
   }
 
   /** Whether this flow node deletes the variable `v`. */
-  predicate deletes(Py::Variable v) { exists(Py::Name d | this.getNode() = d and d.deletes(v)) }
+  predicate deletes(Variable v) { exists(Name d | this.getNode() = d and d.deletes(v)) }
 
   /** Whether this flow node uses the variable `v`. */
-  predicate uses(Py::Variable v) {
+  predicate uses(Variable v) {
     this.isLoad() and
-    exists(Py::Name u | this.getNode() = u and u.uses(v))
+    exists(Name u | this.getNode() = u and u.uses(v))
     or
-    exists(Py::PlaceHolder u |
-      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Py::Load
+    exists(PlaceHolder u |
+      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Load
     )
     or
     Scopes::use_of_global_variable(this, v.getScope(), v.getId())
   }
 
   string getId() {
-    result = this.getNode().(Py::Name).getId()
+    result = this.getNode().(Name).getId()
     or
-    result = this.getNode().(Py::PlaceHolder).getId()
+    result = this.getNode().(PlaceHolder).getId()
   }
 
   /** Whether this is a use of a local variable. */
@@ -870,39 +868,37 @@ class NameNode extends ControlFlowNode {
   /** Whether this is a use of a global (including builtin) variable. */
   predicate isGlobal() { Scopes::use_of_global_variable(this, _, _) }
 
-  predicate isSelf() {
-    exists(Py::SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this)
-  }
+  predicate isSelf() { exists(SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this) }
 }
 
 /** A control flow node corresponding to a named constant, one of `None`, `True` or `False`. */
 class NameConstantNode extends NameNode {
-  NameConstantNode() { exists(Py::NameConstant n | py_flow_bb_node(this, n, _, _)) }
+  NameConstantNode() { exists(NameConstant n | py_flow_bb_node(this, n, _, _)) }
   /*
    * We ought to override uses as well, but that has
    * a serious performance impact.
-   *    deprecated predicate uses(Py::Variable v) { none() }
+   *    deprecated predicate uses(Variable v) { none() }
    */
 
   }
 
 /** A control flow node corresponding to a starred expression, `*a`. */
 class StarredNode extends ControlFlowNode {
-  StarredNode() { toAst(this) instanceof Py::Starred }
+  StarredNode() { toAst(this) instanceof Starred }
 
-  ControlFlowNode getValue() { toAst(result) = toAst(this).(Py::Starred).getValue() }
+  ControlFlowNode getValue() { toAst(result) = toAst(this).(Starred).getValue() }
 }
 
 /** The ControlFlowNode for an 'except' statement. */
 class ExceptFlowNode extends ControlFlowNode {
-  ExceptFlowNode() { this.getNode() instanceof Py::ExceptStmt }
+  ExceptFlowNode() { this.getNode() instanceof ExceptStmt }
 
   /**
    * Gets the type handled by this exception handler.
-   * `Py::ExceptionType` in `except Py::ExceptionType as e:`
+   * `ExceptionType` in `except ExceptionType as e:`
    */
   ControlFlowNode getType() {
-    exists(Py::ExceptStmt ex |
+    exists(ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
       result.getNode() = ex.getType()
@@ -911,10 +907,10 @@ class ExceptFlowNode extends ControlFlowNode {
 
   /**
    * Gets the name assigned to the handled exception, if any.
-   * `e` in `except Py::ExceptionType as e:`
+   * `e` in `except ExceptionType as e:`
    */
   ControlFlowNode getName() {
-    exists(Py::ExceptStmt ex |
+    exists(ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
       result.getNode() = ex.getName()
@@ -924,30 +920,30 @@ class ExceptFlowNode extends ControlFlowNode {
 
 /** The ControlFlowNode for an 'except*' statement. */
 class ExceptGroupFlowNode extends ControlFlowNode {
-  ExceptGroupFlowNode() { this.getNode() instanceof Py::ExceptGroupStmt }
+  ExceptGroupFlowNode() { this.getNode() instanceof ExceptGroupStmt }
 
   /**
    * Gets the type handled by this exception handler.
-   * `Py::ExceptionType` in `except* Py::ExceptionType as e:`
+   * `ExceptionType` in `except* ExceptionType as e:`
    */
   ControlFlowNode getType() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getType()
+    result.getNode() = this.getNode().(ExceptGroupStmt).getType()
   }
 
   /**
    * Gets the name assigned to the handled exception, if any.
-   * `e` in `except* Py::ExceptionType as e:`
+   * `e` in `except* ExceptionType as e:`
    */
   ControlFlowNode getName() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getName()
+    result.getNode() = this.getNode().(ExceptGroupStmt).getName()
   }
 }
 
 private module Scopes {
   private predicate fast_local(NameNode n) {
-    exists(Py::FastLocalVariable v |
+    exists(FastLocalVariable v |
       n.uses(v) and
       v.getScope() = n.getScope()
     )
@@ -956,15 +952,15 @@ private module Scopes {
   predicate local(NameNode n) {
     fast_local(n)
     or
-    exists(Py::SsaVariable var |
+    exists(SsaVariable var |
       var.getAUse() = n and
-      n.getScope() instanceof Py::Class and
+      n.getScope() instanceof Class and
       exists(var.getDefinition())
     )
   }
 
   predicate non_local(NameNode n) {
-    exists(Py::FastLocalVariable flv |
+    exists(FastLocalVariable flv |
       flv.getALoad() = n.getNode() and
       not flv.getScope() = n.getScope()
     )
@@ -972,20 +968,20 @@ private module Scopes {
 
   // magic is fine, but we get questionable join-ordering of it
   pragma[nomagic]
-  predicate use_of_global_variable(NameNode n, Py::Module scope, string name) {
+  predicate use_of_global_variable(NameNode n, Module scope, string name) {
     n.isLoad() and
     not non_local(n) and
-    not exists(Py::SsaVariable var | var.getAUse() = n |
-      var.getVariable() instanceof Py::FastLocalVariable
+    not exists(SsaVariable var | var.getAUse() = n |
+      var.getVariable() instanceof FastLocalVariable
       or
-      n.getScope() instanceof Py::Class and
+      n.getScope() instanceof Class and
       not maybe_undefined(var)
     ) and
     name = n.getId() and
     scope = n.getEnclosingModule()
   }
 
-  private predicate maybe_undefined(Py::SsaVariable var) {
+  private predicate maybe_undefined(SsaVariable var) {
     not exists(var.getDefinition()) and not py_ssa_phi(var, _)
     or
     var.getDefinition().isDelete()
@@ -1062,13 +1058,13 @@ class BasicBlock extends @py_flow_node {
   private predicate oneNodeBlock() { this.firstNode() = this.getLastNode() }
 
   private predicate startLocationInfo(string file, int line, int col) {
-    if this.firstNode().getNode() instanceof Py::Scope
+    if this.firstNode().getNode() instanceof Scope
     then this.firstNode().getASuccessor().getLocation().hasLocationInfo(file, line, col, _, _)
     else this.firstNode().getLocation().hasLocationInfo(file, line, col, _, _)
   }
 
   private predicate endLocationInfo(int endl, int endc) {
-    if this.getLastNode().getNode() instanceof Py::Scope and not this.oneNodeBlock()
+    if this.getLastNode().getNode() instanceof Scope and not this.oneNodeBlock()
     then this.getLastNode().getAPredecessor().getLocation().hasLocationInfo(_, _, _, endl, endc)
     else this.getLastNode().getLocation().hasLocationInfo(_, _, _, endl, endc)
   }
@@ -1085,7 +1081,7 @@ class BasicBlock extends @py_flow_node {
 
   /** Whether flow from this basic block reaches a normal exit from its scope */
   predicate reachesExit() {
-    exists(Py::Scope s | s.getANormalExit().getBasicBlock() = this)
+    exists(Scope s | s.getANormalExit().getBasicBlock() = this)
     or
     this.getASuccessor().reachesExit()
   }
@@ -1126,7 +1122,7 @@ class BasicBlock extends @py_flow_node {
 
   /** Gets the scope of this block */
   pragma[nomagic]
-  Py::Scope getScope() {
+  Scope getScope() {
     exists(ControlFlowNode n | n.getBasicBlock() = this |
       /* Take care not to use an entry or exit node as that node's scope will be the outer scope */
       not py_scope_flow(n, _, -1) and
@@ -1149,17 +1145,17 @@ class BasicBlock extends @py_flow_node {
   predicate reaches(BasicBlock other) { this = other or this.strictlyReaches(other) }
 
   /**
-   * Gets the `Py::ConditionBlock`, if any, that controls this block and
-   * does not control any other `Py::ConditionBlock`s that control this block.
-   * That is the `Py::ConditionBlock` that is closest dominator.
+   * Gets the `ConditionBlock`, if any, that controls this block and
+   * does not control any other `ConditionBlock`s that control this block.
+   * That is the `ConditionBlock` that is closest dominator.
    */
-  Py::ConditionBlock getImmediatelyControllingBlock() {
+  ConditionBlock getImmediatelyControllingBlock() {
     result = this.nonControllingImmediateDominator*().getImmediateDominator()
   }
 
   private BasicBlock nonControllingImmediateDominator() {
     result = this.getImmediateDominator() and
-    not result.(Py::ConditionBlock).controls(this, _)
+    not result.(ConditionBlock).controls(this, _)
   }
 
   /**
@@ -1179,7 +1175,7 @@ private class ControlFlowNodeAlias = ControlFlowNode;
 
 final private class FinalBasicBlock = BasicBlock;
 
-module Cfg implements BB::CfgSig<Py::Location> {
+module Cfg implements BB::CfgSig<Location> {
   private import codeql.controlflow.SuccessorType
 
   class ControlFlowNode = ControlFlowNodeAlias;
@@ -1190,7 +1186,7 @@ module Cfg implements BB::CfgSig<Py::Location> {
     // Using the location of the first node is simple
     // and we just need a way to identify the basic block
     // during debugging, so this will be serviceable.
-    Py::Location getLocation() { result = super.getNode(0).getLocation() }
+    Location getLocation() { result = super.getNode(0).getLocation() }
 
     int length() { result = count(int i | exists(this.getNode(i))) }
 

python/ql/lib/semmle/python/dataflow/new/internal/SsaImpl.qll

@@ -1,547 +0,0 @@
-/**
- * Provides the Python SSA implementation built on the new (shared) CFG.
- *
- * Mirrors the Java SSA adapter at
- * `java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll`:
- * an `InputSig` is defined in terms of positional `(BasicBlock, int)`
- * variable references, and the shared
- * `codeql.ssa.Ssa::Make<Location, Cfg, Input>` module is then
- * instantiated.
- *
- * `SourceVariable` is the AST-level `Py::Variable`. Variable references
- * are looked up via the CFG facade's `NameNode.defines`/`uses`/`deletes`
- * predicates, which themselves are one-line bridges to AST-level
- * `Name.defines`/`uses`/`deletes`.
- *
- * Implicit-entry definitions are inserted for:
- *   - non-local / global / builtin variables that are read in the scope
- *     but never assigned (no enclosing CFG node defines them),
- *   - captured variables (variables defined in an enclosing scope that
- *     are read inside the scope), and
- *   - parameters, but only if the corresponding parameter name is *not*
- *     itself a CFG node. With the C#-style parameter wiring already
- *     installed in `AstNodeImpl.qll`, parameter names *are* CFG nodes,
- *     so the regular `variableWrite` path handles them — no `i = -1`
- *     entry is needed for ordinary parameters.
- */
-overlay[local?]
-module;
-
-private import python as Py
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import codeql.ssa.Ssa as SsaImplCommon
-private import codeql.controlflow.BasicBlock as BB
-
-/**
- * Adapts the Python `Cfg` facade to the shared SSA library's `CfgSig`.
- * All members are inherited from `Cfg::ControlFlowNode` and
- * `Cfg::BasicBlock`.
- */
-private module CfgForSsa implements BB::CfgSig<Py::Location> {
-  class ControlFlowNode = CfgImpl::ControlFlowNode;
-
-  class BasicBlock = CfgImpl::BasicBlock;
-
-  class EntryBasicBlock = CfgImpl::Cfg::EntryBasicBlock;
-
-  predicate dominatingEdge = CfgImpl::Cfg::dominatingEdge/2;
-}
-
-/**
- * A source variable for SSA, wrapping a Python AST `Variable`.
- *
- * We only track variables that are read at least once in their scope —
- * tracking write-only variables would be unnecessary work — *except*
- * for module-scope globals, where the "read" can be external (e.g.
- * `import mymodule; mymodule.x`). Such globals are tracked
- * unconditionally so that import-resolution can find their defining
- * write.
- */
-private newtype TSsaSourceVariable =
-  TPyVar(Py::Variable v) {
-    // Has a use somewhere — read-relevant for SSA.
-    exists(Cfg::NameNode n | n.uses(v))
-    or
-    // Or has a deletion (treated as a write that destroys the value).
-    exists(Cfg::NameNode n | n.deletes(v))
-    or
-    // Or is a module-scope global written in this module — must be
-    // tracked even if never read locally, because importers may read
-    // it as an attribute on the module object.
-    v.getScope() instanceof Py::Module and
-    exists(Cfg::NameNode n | n.defines(v))
-    or
-    // Or is a parameter — parameters must always have a
-    // `ParameterDefinition` for dataflow argument-routing to work,
-    // even if the parameter is never read in its scope. Mirrors
-    // legacy ESSA's `ParameterDefinition` (which fired for every
-    // parameter binding regardless of liveness).
-    exists(Py::Parameter p | p.asName() = v.getAStore())
-  }
-
-/**
- * A source variable for SSA, wrapping a Python AST `Variable`.
- */
-class SsaSourceVariable extends TSsaSourceVariable {
-  /** Gets the underlying Python AST variable. */
-  Py::Variable getVariable() { this = TPyVar(result) }
-
-  /** Gets the (textual) name of this variable. */
-  string getName() { result = this.getVariable().getId() }
-
-  /** Gets a textual representation of this source variable. */
-  string toString() { result = this.getVariable().toString() }
-
-  /** Gets the location of this source variable. */
-  Py::Location getLocation() { result = this.getVariable().getScope().getLocation() }
-
-  /** Gets the scope in which this variable lives. */
-  Py::Scope getScope() { result = this.getVariable().getScope() }
-
-  /**
-   * Gets a use of this variable as it appears in the source — a `NameNode`
-   * that loads or deletes the variable. Mirrors legacy
-   * `SsaSourceVariable.getASourceUse()`.
-   */
-  Cfg::ControlFlowNode getASourceUse() {
-    exists(Cfg::NameNode n | result = n |
-      n.uses(this.getVariable()) or n.deletes(this.getVariable())
-    )
-  }
-
-  /**
-   * Gets an implicit use of this variable. The new SSA does not have
-   * implicit-use refinements, but we keep this for API parity — every
-   * normal-exit of the variable's scope counts as a sink, ensuring
-   * variables stay live to scope exit for taint-tracking.
-   */
-  Cfg::ControlFlowNode getAnImplicitUse() {
-    result.isNormalExit() and result.getScope() = this.getScope()
-  }
-
-  /**
-   * Gets a use of this variable — either an explicit source use or an
-   * implicit use at scope exit. Mirrors legacy `SsaSourceVariable.getAUse()`.
-   */
-  Cfg::ControlFlowNode getAUse() {
-    result = this.getASourceUse() or result = this.getAnImplicitUse()
-  }
-}
-
-/**
- * Holds if `v` is a non-local read in scope `s`, in the sense that `s`
- * uses `v` but does not write it within `s`. This includes globals,
- * builtins, and variables captured from an enclosing function scope.
- *
- * The `Py::Variable` `v` lives in some defining scope (the module for
- * globals, an outer function for closures, etc.); the reading scope
- * `s` is the scope where the use of `v` occurs.
- */
-private predicate nonLocalReadIn(Py::Variable v, Py::Scope s) {
-  exists(Cfg::NameNode n |
-    n.uses(v) and
-    n.getScope() = s and
-    not exists(Cfg::NameNode def | def.defines(v) and def.getScope() = s)
-  ) and
-  // Match legacy ESSA: only create entry defs for variables that have
-  // at least one defining store somewhere — otherwise the entry def
-  // represents "nothing reaches here", which is the default anyway and
-  // introduces no useful flow. (Legacy's `ModuleVariable` required a
-  // store; this is the closure-aware generalisation.)
-  exists(Cfg::NameNode store | store.defines(v))
-}
-
-/**
- * Holds if `bb` is the entry basic block of a scope where `v` should
- * have an implicit entry definition. This covers:
- *   - non-local / global / builtin variables read in `s`, and
- *   - captured variables (defined in an enclosing scope but read in `s`).
- *
- * Each reading scope gets its own entry def, so a closure variable can
- * have multiple entry defs across all functions/methods that read it.
- *
- * Parameters are *not* included: their bound `Name` is itself a CFG
- * node (per the C#-style parameter wiring), so `variableWrite` fires at
- * the parameter's natural CFG index.
- */
-private predicate hasEntryDefIn(SsaSourceVariable v, CfgImpl::BasicBlock bb) {
-  exists(Py::Scope s |
-    nonLocalReadIn(v.getVariable(), s) and
-    bb = entryBlock(s)
-  )
-}
-
-/**
- * Gets the entry basic block of scope `s`, where implicit entry
- * definitions are placed (at synthetic index `-1`).
- */
-private CfgImpl::BasicBlock entryBlock(Py::Scope s) {
-  exists(CfgImpl::ControlFlowNode entry |
-    entry instanceof CfgImpl::ControlFlow::EntryNode and
-    entry.getEnclosingCallable().asScope() = s and
-    result = entry.getBasicBlock()
-  )
-}
-
-/**
- * The SSA `InputSig` for Python. References are positional
- * `(BasicBlock, int)` pairs into the new CFG.
- */
-private module SsaImplInput implements SsaImplCommon::InputSig<Py::Location, CfgImpl::BasicBlock> {
-  class SourceVariable = SsaSourceVariable;
-
-  predicate variableWrite(CfgImpl::BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    // Explicit binding at a CFG node — includes assignments,
-    // parameter Names (wired in via the C# pattern), exception-handler
-    // `as`-bindings, import aliases, and match-pattern captures.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.defines(v.getVariable()) and
-      certain = true
-    )
-    or
-    // `del x` — removes the binding. Modelled as a certain write that
-    // makes any subsequent read invalid.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.deletes(v.getVariable()) and
-      certain = true
-    )
-    or
-    // Implicit entry definition for non-local / captured / global /
-    // builtin variables read in some scope. Each reading scope's entry
-    // block gets one such write, allowing closures: e.g. when `x` is a
-    // parameter of an outer function and read inside a nested
-    // function, both scopes get entry defs for `x`.
-    hasEntryDefIn(v, bb) and
-    i = -1 and
-    certain = true
-    or
-    // `from X import *` — possibly rebinds every name in the importing
-    // scope. Modelled as an uncertain write at the import-star's CFG
-    // position for every variable that lives in (or is referenced
-    // from) the same scope as the import-star. Mirrors legacy ESSA's
-    // `ImportStarRefinement` (see `essa/SsaDefinitions.qll`'s
-    // `import_star_refinement` predicate). The write is uncertain so
-    // that prior definitions of the variable remain available — the
-    // shared-SSA `SsaUncertainWrite` merges the new value with the
-    // immediately preceding definition.
-    exists(Cfg::ImportStarNode imp |
-      bb.getNode(i) = imp and
-      certain = false and
-      (
-        v.getVariable().getScope() = imp.getScope()
-        or
-        // Variable is defined in some other scope but referenced in
-        // the same scope as the import-star (matches legacy clause 2:
-        // `other.uses(v) and def.getScope() = other.getScope()`).
-        exists(Cfg::NameNode other |
-          other.uses(v.getVariable()) and
-          imp.getScope() = other.getScope()
-        )
-      )
-    )
-  }
-
-  predicate variableRead(CfgImpl::BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    // Explicit source use — a `Name` load or a `del x` of the variable.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.uses(v.getVariable()) and
-      certain = true
-    )
-    or
-    // Synthetic use at the normal exit of the variable's defining scope.
-    // This keeps every variable live to scope exit so that callers (e.g.
-    // `module_export` in ImportResolution.qll, or taint-tracking pass-through
-    // through unread locals) can ask "which definition reaches end of
-    // scope?". Mirrors legacy ESSA's `SsaSourceVariable.getAUse()` which
-    // included `getScope().getANormalExit()`.
-    exists(Cfg::ControlFlowNode exit |
-      exit.isNormalExit() and
-      exit.getScope() = v.getVariable().getScope() and
-      bb.getNode(i) = exit and
-      certain = true
-    )
-  }
-}
-
-/**
- * The shared SSA instantiation for Python.
- *
- * Members:
- *   - `Definition` — the union of explicit, uncertain, and phi definitions
- *   - `WriteDefinition`, `UncertainWriteDefinition`, `PhiNode`
- *   - the standard SSA predicates (`getAUse`, `getAnUltimateDefinition`, ...).
- */
-module Ssa = SsaImplCommon::Make<Py::Location, CfgForSsa, SsaImplInput>;
-
-final class Definition = Ssa::Definition;
-
-final class WriteDefinition = Ssa::WriteDefinition;
-
-final class UncertainWriteDefinition = Ssa::UncertainWriteDefinition;
-
-final class PhiNode = Ssa::PhiNode;
-
-// ===========================================================================
-// ESSA-shaped adapter layer
-//
-// The dataflow library (`python/ql/lib/semmle/python/dataflow/new/`) and
-// related modules (`ApiGraphs.qll`, etc.) consume the legacy ESSA API
-// (`EssaVariable`, `EssaDefinition`, `AssignmentDefinition`,
-// `ScopeEntryDefinition`, `ParameterDefinition`, `WithDefinition`,
-// `PhiFunction`, plus the `AdjacentUses` module). To migrate them off
-// the legacy CFG, we expose the same API surface on top of the
-// shared SSA built above.
-//
-// This adapter is intentionally narrow: it covers only the predicates
-// that new dataflow consumes. The richer legacy ESSA — refinement
-// nodes, attribute refinements, edge refinements — stays available
-// via `semmle.python.essa.Essa` for points-to / legacy code.
-// ===========================================================================
-/**
- * Gets the CFG node at which a write definition's binding takes place.
- *
- * For ordinary writes (assignment, deletion, parameter) this is the
- * canonical CFG node of the bound Name. For implicit entry definitions
- * (synthesised at position `-1` of a scope's entry BB) this is the
- * scope's entry node.
- */
-private Cfg::ControlFlowNode writeDefNode(Ssa::WriteDefinition def) {
-  exists(CfgImpl::BasicBlock bb, int i | def.definesAt(_, bb, i) |
-    i >= 0 and result = bb.getNode(i)
-    or
-    i = -1 and result = bb.getNode(0)
-  )
-}
-
-/**
- * A write definition whose binding has a corresponding CFG node — i.e.
- * everything that's not a phi node. Mirrors legacy ESSA's
- * `EssaNodeDefinition`.
- */
-class EssaNodeDefinition extends Ssa::WriteDefinition {
-  /** Gets the CFG node where this definition's binding takes place. */
-  Cfg::ControlFlowNode getDefiningNode() { result = writeDefNode(this) }
-
-  /** Gets the variable defined here (legacy name). */
-  SsaSourceVariable getVariable() { result = this.getSourceVariable() }
-
-  /** Gets the enclosing scope. */
-  Py::Scope getScope() {
-    exists(Cfg::ControlFlowNode n | n = this.getDefiningNode() | result = n.getScope())
-  }
-
-  /**
-   * Holds if this definition defines source variable `v` at CFG node
-   * `defNode`. Flatter form of `getSourceVariable()` +
-   * `getDefiningNode()`, matching legacy ESSA's `definedBy`.
-   */
-  predicate definedBy(SsaSourceVariable v, Cfg::ControlFlowNode defNode) {
-    v = this.getSourceVariable() and defNode = this.getDefiningNode()
-  }
-}
-
-/**
- * An assignment definition: any binding where the value being assigned
- * is statically known via `Cfg::DefinitionNode.getValue()`. Includes
- * plain assignments, walrus, annotated assignments, augmented
- * assignments, import aliases (`import x` / `from m import x [as y]`),
- * `with ... as x`, and for-target bindings (where `getValue()` returns
- * the iter expression's CFG node). Excludes parameter bindings —
- * those are modelled by `ParameterDefinition`.
- */
-class AssignmentDefinition extends EssaNodeDefinition {
-  AssignmentDefinition() {
-    exists(Cfg::NameNode n | n = this.getDefiningNode() |
-      exists(n.(Cfg::DefinitionNode).getValue()) and
-      not n.(Cfg::ControlFlowNode).isParameter()
-    )
-  }
-
-  /** Gets the CFG node for the value being assigned, if statically known. */
-  Cfg::ControlFlowNode getValue() {
-    result = this.getDefiningNode().(Cfg::DefinitionNode).getValue()
-  }
-}
-
-/**
- * A parameter definition — the binding of a parameter name in a
- * function's scope.
- */
-class ParameterDefinition extends EssaNodeDefinition {
-  ParameterDefinition() { this.getDefiningNode().isParameter() }
-
-  /** Gets the AST `Parameter` (a `Py::Name` in param context). */
-  Py::Name getParameter() { result = this.getDefiningNode().getNode() }
-}
-
-/**
- * A definition introduced by a `with ... as x:` clause.
- */
-class WithDefinition extends EssaNodeDefinition {
-  WithDefinition() {
-    exists(Cfg::NameNode n, Py::With w |
-      n = this.getDefiningNode() and
-      w.getOptionalVars() = n.getNode()
-    )
-  }
-}
-
-/**
- * An assignment where the LHS is a tuple/list and the RHS is unpacked:
- * `a, b = (1, 2)` or `a, *rest = xs`. The SSA def lives at the inner
- * `Name` CFG node, but for IterableUnpacking integration we expose
- * the enclosing `StarredNode` as the `getDefiningNode()` for `*rest`
- * patterns — mirroring legacy ESSA's `multi_assignment_definition`,
- * which placed the def at the StarredNode CFG node.
- */
-class MultiAssignmentDefinition extends EssaNodeDefinition {
-  MultiAssignmentDefinition() {
-    exists(Cfg::NameNode n | n = super.getDefiningNode() |
-      exists(Py::Assign a, Py::Expr lhs |
-        a.getATarget() = lhs and
-        (lhs instanceof Py::Tuple or lhs instanceof Py::List) and
-        lhs.getASubExpression+() = n.getNode()
-      )
-      or
-      // For-loop with tuple/list target: `for a, b in xs:` —
-      // tuple-unpacking semantics applies to the for-target.
-      exists(Py::For f, Py::Expr lhs |
-        f.getTarget() = lhs and
-        (lhs instanceof Py::Tuple or lhs instanceof Py::List) and
-        lhs.getASubExpression+() = n.getNode()
-      )
-    )
-  }
-
-  override Cfg::ControlFlowNode getDefiningNode() {
-    // Default: the underlying `Name` CFG node (where the SSA def lives).
-    not exists(Cfg::StarredNode s |
-      s.getNode().(Py::Starred).getValue() = super.getDefiningNode().getNode()
-    ) and
-    result = super.getDefiningNode()
-    or
-    // Exception: for `*rest`, expose the enclosing `Starred` CFG node
-    // so that `IterableUnpacking::iterableUnpackingStarredElementStoreStep`
-    // can attach the rest-list to it.
-    exists(Cfg::StarredNode s |
-      s.getNode().(Py::Starred).getValue() = super.getDefiningNode().getNode()
-    |
-      result = s
-    )
-  }
-}
-
-/**
- * An implicit entry definition for a non-local / captured / global /
- * builtin variable read in a scope but not defined there.
- *
- * Inherits from `EssaNodeDefinition` and exposes the scope's entry node
- * as its defining node (matching legacy ESSA semantics).
- */
-class ScopeEntryDefinition extends EssaNodeDefinition {
-  ScopeEntryDefinition() {
-    exists(CfgImpl::BasicBlock bb |
-      this.definesAt(_, bb, -1) and
-      bb instanceof CfgImpl::Cfg::EntryBasicBlock
-    )
-  }
-
-  /** Gets the enclosing scope (the scope whose entry block this def is in). */
-  override Py::Scope getScope() {
-    exists(CfgImpl::BasicBlock bb |
-      this.definesAt(_, bb, -1) and
-      result = bb.getNode(0).(Cfg::ControlFlowNode).getScope()
-    )
-  }
-}
-
-/** A phi node (alias matching legacy naming). */
-class PhiFunction extends PhiNode {
-  /**
-   * Gets an input to this phi function (a definition that flows into
-   * the phi from one of its predecessor blocks). Mirrors legacy
-   * ESSA's `PhiFunction.getAnInput()`.
-   */
-  Ssa::Definition getAnInput() { Ssa::phiHasInputFromBlock(this, result, _) }
-}
-
-/** Base class for all ESSA definitions (legacy-shaped). */
-class EssaDefinition = Ssa::Definition;
-
-/**
- * An adapter representing a single SSA-defined "variable" — wrapping
- * one `Ssa::Definition`. Mirrors legacy `EssaVariable` API.
- */
-class EssaVariable extends Ssa::Definition {
-  /** Gets the underlying SSA definition (legacy name). */
-  Ssa::Definition getDefinition() { result = this }
-
-  /**
-   * Gets a CFG node where this definition is used. Includes regular
-   * `Name` reads as well as the synthetic scope-exit "use" registered
-   * via `SsaImplInput::variableRead` — mirrors legacy ESSA's
-   * `EssaVariable.getAUse()` which inherited the synthetic exit-use
-   * from `SsaSourceVariable`.
-   */
-  Cfg::ControlFlowNode getAUse() {
-    exists(CfgImpl::BasicBlock bb, int i |
-      Ssa::ssaDefReachesRead(this.getSourceVariable(), this, bb, i) and
-      bb.getNode(i) = result
-    )
-  }
-
-  /** Gets the (textual) name of the underlying variable. */
-  string getName() { result = this.getSourceVariable().getVariable().getId() }
-
-  /** Gets the scope in which this variable lives. */
-  Py::Scope getScope() { result = this.getSourceVariable().getVariable().getScope() }
-
-  /** Gets an ultimate non-phi ancestor of this definition. */
-  EssaVariable getAnUltimateDefinition() {
-    if this instanceof PhiNode
-    then
-      exists(Ssa::Definition input |
-        Ssa::phiHasInputFromBlock(this, input, _) and
-        result = input.(EssaVariable).getAnUltimateDefinition()
-      )
-    else result = this
-  }
-}
-
-/**
- * Adjacent use-use and def-use relations exposed by the shared SSA
- * library. Provides the same interface as legacy
- * `semmle.python.essa.SsaCompute::AdjacentUses`.
- */
-module AdjacentUses {
-  /** Holds if `nodeFrom` and `nodeTo` are adjacent uses of the same SSA variable. */
-  predicate adjacentUseUse(Cfg::NameNode nodeFrom, Cfg::NameNode nodeTo) {
-    exists(SsaSourceVariable v, CfgImpl::BasicBlock bb1, int i1, CfgImpl::BasicBlock bb2, int i2 |
-      Ssa::adjacentUseUse(bb1, i1, bb2, i2, v, _) and
-      nodeFrom = bb1.getNode(i1) and
-      nodeTo = bb2.getNode(i2)
-    )
-  }
-
-  /** Holds if `use` is a first use of definition `def`. */
-  predicate firstUse(Ssa::Definition def, Cfg::NameNode use) {
-    exists(CfgImpl::BasicBlock bb, int i |
-      Ssa::firstUse(def, bb, i, _) and
-      use = bb.getNode(i)
-    )
-  }
-
-  /**
-   * Holds if `use` is any reachable use of definition `def`. Combines
-   * `firstUse` with transitive use-use adjacency.
-   */
-  predicate useOfDef(Ssa::Definition def, Cfg::NameNode use) {
-    firstUse(def, use)
-    or
-    exists(Cfg::NameNode mid | useOfDef(def, mid) and adjacentUseUse(mid, use))
-  }
-}

python/ql/test/extractor-tests/syntax_error/CONSISTENCY/CfgConsistency.expected

@@ -1,4 +0,0 @@
-consistencyOverview
-| deadEnd | 1 |
-deadEnd
-| without_loop.py:7:5:7:9 | Break |

python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.ql

@@ -1,32 +0,0 @@
-/**
- * Phase -1 of the dataflow CFG migration: verifies that every variable
- * binding visible to the AST (`Name.defines(v)`) corresponds to a CFG node
- * in the new CFG (`semmle.python.controlflow.internal.AstNodeImpl`).
- *
- * The expected tag is `cfgdefines=<name>`. Each binding annotation in the
- * test sources looks like `# $ cfgdefines=x` for a binding currently
- * covered by the new CFG, or `# $ MISSING: cfgdefines=x` for a binding
- * that is known to be uncovered (a "red" test case that should be
- * green-flipped once the corresponding `cfg-ext-*` extension lands).
- */
-
-import python
-import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-import utils.test.InlineExpectationsTest
-
-module CfgBindingsTest implements TestSig {
-  string getARelevantTag() { result = "cfgdefines" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Name n, Variable v, CfgImpl::ControlFlowNode cfg |
-      n.defines(v) and
-      cfg.getAstNode().asExpr() = n and
-      location = n.getLocation() and
-      element = n.toString() and
-      tag = "cfgdefines" and
-      value = v.getId()
-    )
-  }
-}
-
-import MakeTest<CfgBindingsTest>

python/ql/test/library-tests/ControlFlow/bindings/annassign.py

@@ -1,13 +0,0 @@
-# Annotated assignment (PEP 526). Both with and without an initializer.
-
-a: int = 1  # $ cfgdefines=a
-b: str = "hi"  # $ cfgdefines=b
-
-# Annotation without value: the AST records `c` as defined,
-# and the new CFG now visits it via the AnnAssignStmt wrapper.
-c: int  # $ cfgdefines=c
-
-class K:  # $ cfgdefines=K
-    field: int = 0  # $ cfgdefines=field
-
-

python/ql/test/library-tests/ControlFlow/bindings/compound.py

@@ -1,14 +0,0 @@
-# Compound (tuple/list) assignment targets — actually wired in the new CFG.
-
-a, b = (1, 2)  # $ cfgdefines=a cfgdefines=b
-[c, d] = [3, 4]  # $ cfgdefines=c cfgdefines=d
-
-# Nested unpacking.
-(e, (f, g)) = (1, (2, 3))  # $ cfgdefines=e cfgdefines=f cfgdefines=g
-
-# Star unpacking.
-h, *i = [1, 2, 3]  # $ cfgdefines=h cfgdefines=i
-
-# Chained assignment with compound target.
-j = k, l = (5, 6)  # $ cfgdefines=j cfgdefines=k cfgdefines=l
-

python/ql/test/library-tests/ControlFlow/bindings/comprehension.py

@@ -1,21 +0,0 @@
-# Comprehension and `for` loop targets — wired in the new CFG.
-# Comprehensions are nested function scopes with a synthetic `.0` parameter
-# bound to the iterable.
-
-# Bare-name `for` target.
-for i in range(3):  # $ cfgdefines=i
-    pass
-
-# Compound `for` target.
-for k, v in [(1, 2)]:  # $ cfgdefines=k cfgdefines=v
-    pass
-
-# Comprehension targets.
-_ = [x for x in range(3)]  # $ cfgdefines=_ cfgdefines=x cfgdefines=.0
-_ = {y: z for y, z in []}  # $ cfgdefines=_ cfgdefines=y cfgdefines=z cfgdefines=.0
-_ = (a for a in [])  # $ cfgdefines=_ cfgdefines=a cfgdefines=.0
-
-# Nested comprehensions.
-_ = [b for c in [] for b in c]  # $ cfgdefines=_ cfgdefines=c cfgdefines=b cfgdefines=.0
-
-

python/ql/test/library-tests/ControlFlow/bindings/dead_under_no_raise.py

@@ -1,52 +0,0 @@
-# Dead bindings under the "no expressions raise" CFG abstraction.
-#
-# The new CFG does not currently model raise edges from arbitrary
-# expressions. As a consequence, code that is only reachable through
-# exception flow is (correctly) classified as dead and has no CFG node.
-# Variable bindings in dead code do not need CFG nodes - SSA / dataflow
-# over dead code is moot.
-#
-# These tests act as a regression guard: the bindings below intentionally
-# have no `cfgdefines=` annotations. If raise modelling is later added,
-# the BindingsTest infrastructure will surface the new CFG nodes as
-# unexpected results, and this file will need to be revisited.
-
-
-def f(obj):  # $ cfgdefines=f cfgdefines=obj
-    try:
-        return len(obj)
-    except TypeError:
-        pass
-
-    # The first try's body always returns; its except handler does not
-    # raise or otherwise transfer control, so under "no expressions
-    # raise" the only paths out of the try-statement are dead. Everything
-    # below is unreachable.
-    try:
-        hint = type(obj).__length_hint__
-    except AttributeError:
-        return None
-    return hint
-
-
-def g():  # $ cfgdefines=g
-    try:
-        raise Exception("inner")
-    except:
-        raise Exception("outer")
-    else:
-        # Unreachable: the inner try body always raises, so the `else:`
-        # clause never runs.
-        hit_inner_else = True
-
-
-def h(cache, key):  # $ cfgdefines=h cfgdefines=cache cfgdefines=key
-    try:
-        return cache[key]
-    except KeyError:
-        pass
-
-    # Same pattern as `f`: dead under "no expressions raise".
-    value = compute(key)
-    cache[key] = value
-    return value

python/ql/test/library-tests/ControlFlow/bindings/decorated.py

@@ -1,30 +0,0 @@
-# Decorated `def`/`class` — wired in the new CFG.
-
-
-def deco(f):  # $ cfgdefines=deco cfgdefines=f
-    return f
-
-
-@deco
-def decorated_func():  # $ cfgdefines=decorated_func
-    pass
-
-
-@deco
-class DecoratedClass:  # $ cfgdefines=DecoratedClass
-    pass
-
-
-# Stacked decorators.
-@deco
-@deco
-def doubly():  # $ cfgdefines=doubly
-    pass
-
-
-# Inside a class body.
-class Outer:  # $ cfgdefines=Outer
-    @staticmethod
-    def inner():  # $ cfgdefines=inner
-        pass
-

python/ql/test/library-tests/ControlFlow/bindings/except_handler.py

@@ -1,19 +0,0 @@
-# Exception-handler name bindings. These are already wired in the new
-# CFG provided the try body can raise; `raise` statements are reliably
-# treated as exception sources.
-
-try:
-    raise ValueError("oops")
-except ValueError as e:  # $ cfgdefines=e
-    pass
-
-try:
-    raise TypeError("oops")
-except (TypeError, KeyError) as err:  # $ cfgdefines=err
-    pass
-
-# Exception groups (Python 3.11+).
-try:
-    raise ValueError("oops")
-except* ValueError as eg:  # $ cfgdefines=eg
-    pass

python/ql/test/library-tests/ControlFlow/bindings/imports.py

@@ -1,14 +0,0 @@
-# Import aliases — all bound names below are now reachable via the new
-# CFG's `ImportStmt` wrapper.
-
-import os  # $ cfgdefines=os
-import os.path  # $ cfgdefines=os
-import os as o  # $ cfgdefines=o
-from os import path  # $ cfgdefines=path
-from os import path as p  # $ cfgdefines=p
-from os import sep, linesep  # $ cfgdefines=sep cfgdefines=linesep
-from os import (
-    getcwd,  # $ cfgdefines=getcwd
-    getcwdb,  # $ cfgdefines=getcwdb
-)
-

python/ql/test/library-tests/ControlFlow/bindings/match_pattern.py

@@ -1,24 +0,0 @@
-# Match-statement pattern bindings — wired in the new CFG.
-
-def f(subject):  # $ cfgdefines=f cfgdefines=subject
-    match subject:
-        case x:  # $ cfgdefines=x
-            pass
-        case [a, b]:  # $ cfgdefines=a cfgdefines=b
-            pass
-        case {"k": v}:  # $ cfgdefines=v
-            pass
-        case Point(p, q):  # $ cfgdefines=p cfgdefines=q
-            pass
-        case [_, *rest]:  # $ cfgdefines=rest
-            pass
-        case (1 | 2) as n:  # $ cfgdefines=n
-            pass
-
-
-class Point:  # $ cfgdefines=Point
-    __match_args__ = ("x", "y")  # $ cfgdefines=__match_args__
-    x: int  # $ cfgdefines=x
-    y: int  # $ cfgdefines=y
-
-

python/ql/test/library-tests/ControlFlow/bindings/parameters.py

@@ -1,42 +0,0 @@
-# Function parameters.
-
-def positional(a, b):  # $ cfgdefines=positional cfgdefines=a cfgdefines=b
-    pass
-
-
-def with_default(x=1, y=2):  # $ cfgdefines=with_default cfgdefines=x cfgdefines=y
-    pass
-
-
-def with_vararg(*args):  # $ cfgdefines=with_vararg cfgdefines=args
-    pass
-
-
-def with_kwarg(**kwargs):  # $ cfgdefines=with_kwarg cfgdefines=kwargs
-    pass
-
-
-def with_kwonly(*, k1, k2=5):  # $ cfgdefines=with_kwonly cfgdefines=k1 cfgdefines=k2
-    pass
-
-
-def kitchen_sink(a, b=2, *args, k1, k2=5, **kw):  # $ cfgdefines=kitchen_sink cfgdefines=a cfgdefines=b cfgdefines=args cfgdefines=k1 cfgdefines=k2 cfgdefines=kw
-    pass
-
-
-# Methods get `self` / `cls`.
-class C:  # $ cfgdefines=C
-    def method(self, x):  # $ cfgdefines=method cfgdefines=self cfgdefines=x
-        pass
-
-    @classmethod
-    def cmethod(cls, x):  # $ cfgdefines=cmethod cfgdefines=cls cfgdefines=x
-        pass
-
-
-# Lambda parameter.
-_ = lambda p: p + 1  # $ cfgdefines=_ cfgdefines=p
-
-# PEP 570 positional-only.
-def pos_only(a, b, /, c):  # $ cfgdefines=pos_only cfgdefines=a cfgdefines=b cfgdefines=c
-    pass

python/ql/test/library-tests/ControlFlow/bindings/simple.py

@@ -1,14 +0,0 @@
-# Simple bindings that should already work in the new CFG.
-# No MISSING annotations expected.
-
-x = 1  # $ cfgdefines=x
-y = x + 1  # $ cfgdefines=y
-
-def f():  # $ cfgdefines=f
-    pass
-
-class C:  # $ cfgdefines=C
-    pass
-
-# Re-assignment.
-x = 2  # $ cfgdefines=x

python/ql/test/library-tests/ControlFlow/bindings/type_params.py

@@ -1,21 +0,0 @@
-# PEP 695 type parameters (Python 3.12+).
-
-# PEP 695 type-param names on `def`/`class` bind in an annotation scope
-# that nests the function/class body — they have no CFG node in the
-# enclosing scope (matching the legacy CFG).
-def func[T](x: T) -> T:  # $ cfgdefines=func cfgdefines=x
-    return x
-
-
-class Box[T]:  # $ cfgdefines=Box
-    item: T  # $ cfgdefines=item
-
-
-# Multi-parameter, with bound and variadics.
-def multi[T: int, *Ts, **P](x: T, *args: *Ts, **kwargs: P.kwargs) -> T:  # $ cfgdefines=multi cfgdefines=x cfgdefines=args cfgdefines=kwargs
-    return x
-
-
-# `type` statement (PEP 695).
-type Alias[T] = list[T]  # $ cfgdefines=Alias cfgdefines=T
-

python/ql/test/library-tests/ControlFlow/bindings/walrus_starred.py

@@ -1,14 +0,0 @@
-# Walrus and starred-target edge cases — wired in the new CFG.
-
-# Walrus in expression context.
-if (y := 5) > 0:  # $ cfgdefines=y
-    pass
-
-# Walrus in a comprehension. The comprehension introduces a synthetic
-# `.0` parameter bound to the iterable.
-_ = [w for _ in range(3) if (w := 1)]  # $ cfgdefines=_ cfgdefines=w cfgdefines=.0
-
-# Starred target in a Tuple LHS.
-*head, tail = [1, 2, 3]  # $ cfgdefines=head cfgdefines=tail
-
-

python/ql/test/library-tests/ControlFlow/bindings/with_stmt.py

@@ -1,21 +0,0 @@
-# `with cm() as x:` bindings — wired in the new CFG.
-
-class CM:  # $ cfgdefines=CM
-    def __enter__(self): return self  # $ cfgdefines=__enter__ cfgdefines=self
-    def __exit__(self, *a): pass  # $ cfgdefines=__exit__ cfgdefines=self cfgdefines=a
-
-with CM() as x:  # $ cfgdefines=x
-    pass
-
-# Multiple items.
-with CM() as a, CM() as b:  # $ cfgdefines=a cfgdefines=b
-    pass
-
-# Parenthesised form (Python 3.10+).
-with (CM() as p, CM() as q):  # $ cfgdefines=p cfgdefines=q
-    pass
-
-# Compound target in `with`.
-with CM() as (m, n):  # $ cfgdefines=m cfgdefines=n
-    pass
-

python/ql/test/library-tests/ControlFlow/evaluation-order/AllLiveReachable.ql

@@ -5,8 +5,6 @@
  * have separate CFGs and are excluded from this check.
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/AnnotationHasCfgNode.ql

@@ -2,8 +2,6 @@
  * Checks that every timer annotation has a corresponding CFG node.
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockAnnotationGap.ql

@@ -8,8 +8,6 @@
  * edge leaves the basic block and the normal successor may be dead.
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.expected

@@ -1,7 +1,7 @@
 | test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
-| test_boolean.py:27:10:27:43 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:27:59:27:59 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Basic block ordering: $@ appears before $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:20:52:20 | IntegerLiteral | timestamp 0 |

python/ql/test/library-tests/ControlFlow/evaluation-order/BasicBlockOrdering.ql

@@ -3,8 +3,6 @@
  * increasing minimum-timestamp order.
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/ConsecutiveTimestamps.ql

@@ -11,8 +11,6 @@
  * lambdas that have annotations in nested scopes).
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/ContiguousTimestamps.ql

@@ -4,7 +4,6 @@
  * in at least one annotation (live or dead).
  */
 
-import python
 import TimerUtils
 
 from TestFunction f, int missing, int maxTs, TimerAnnotation maxAnn

python/ql/test/library-tests/ControlFlow/evaluation-order/NeverReachable.ql

@@ -4,8 +4,6 @@
  * entry (including within the same basic block).
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.ql

@@ -1,14 +0,0 @@
-/** New-CFG version of AllLiveReachable. */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, TestFunction f
-where allLiveReachable(a, f)
-select a, "Unreachable live annotation; entry of $@ does not reach this node", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.expected

@@ -1 +0,0 @@
-

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.ql

@@ -1,18 +0,0 @@
-/**
- * New-CFG version of AnnotationHasCfgNode.
- *
- * Checks that every timer annotation has a corresponding CFG node.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils::CfgTests
-
-from TimerAnnotation ann
-where annotationWithoutCfgNode(ann)
-select ann, "Annotation in $@ has no CFG node", ann.getTestFunction(),
-  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.ql

@@ -1,26 +0,0 @@
-/**
- * New-CFG version of BasicBlockAnnotationGap.
- *
- * Original:
- * Checks that within a basic block, if a node is annotated then its
- * successor is also annotated (or excluded). A gap in annotations
- * within a basic block indicates a missing annotation, since there
- * are no branches to justify the gap.
- *
- * Nodes with exceptional successors are excluded, as the exception
- * edge leaves the basic block and the normal successor may be dead.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, CfgNode succ
-where basicBlockAnnotationGap(a, succ)
-select a, "Annotated node followed by unannotated $@ in the same basic block", succ,
-  succ.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.ql

@@ -1,21 +0,0 @@
-/**
- * New-CFG version of BasicBlockOrdering.
- *
- * Original:
- * Checks that within a single basic block, annotations appear in
- * increasing minimum-timestamp order.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, TimerCfgNode b, int minA, int minB
-where basicBlockOrdering(a, b, minA, minB)
-select a, "Basic block ordering: $@ appears before $@", a.getTimestampExpr(minA),
-  "timestamp " + minA, b.getTimestampExpr(minB), "timestamp " + minB

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBranchTimestamps.ql

@@ -1,80 +0,0 @@
-/**
- * New-CFG version of BranchTimestamps.
- *
- * Checks that when a node has both a true and false successor, the
- * live timestamps on one branch are marked as dead on the other.
- * This ensures that boolean branches are fully annotated with dead()
- * markers for the paths not taken.
- *
- * Limitation: the `@ t[ts, ...]` / `dead(ts)` annotation scheme can only
- * model branch-dead-ness for plain boolean control flow that reconverges
- * linearly after the split — i.e. `if`-with-else and `if`-expression.
- * It cannot model:
- *
- *   * loops (`while` / `for`): body timestamps repeat across iterations,
- *     so the loop-exit annotation can't list them as dead;
- *   * `match` statements: each `case` body is a syntactically distinct
- *     sub-tree, and the branches don't reconverge through a common
- *     annotation point in the timeline;
- *   * `try` / `with` and `raise` / `assert`: exception edges are modelled
- *     as true/false but flow to syntactically distinct handlers, with no
- *     reconvergence in the linear annotation order;
- *   * short-circuit `and` / `or` (`BoolExpr`): the branches reconverge at
- *     the BoolExpr's after-node, so timestamps on one branch are live
- *     downstream of the other rather than dead;
- *   * `if` without an `else` clause, and `if`/`elif` chains: the false
- *     branch reconverges with the true branch at the post-if statement
- *     (no-else) or fans out across multiple elif-test annotations,
- *     neither of which fit the binary annotation scheme.
- *
- * Branch nodes inside those constructs are therefore whitelisted out
- * below. The check still fires (and is useful) for plain `if`/`else`
- * and conditional-expression branching.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-/**
- * Holds if `f` contains a construct whose branches the linear-timestamp
- * annotation scheme cannot describe (see file-level comment).
- */
-private predicate hasUnmodellableBranching(Function f) {
-  exists(AstNode bad |
-    bad.getScope() = f and
-    (
-      bad instanceof While
-      or
-      bad instanceof For
-      or
-      bad instanceof MatchStmt
-      or
-      bad instanceof Try
-      or
-      bad instanceof With
-      or
-      bad instanceof Raise
-      or
-      bad instanceof Assert
-      or
-      bad instanceof BoolExpr
-      or
-      bad instanceof If and
-      (not exists(bad.(If).getAnOrelse()) or bad.(If).isElif())
-    )
-  )
-}
-
-from TimerCfgNode node, int ts, string branch
-where
-  missingBranchTimestamp(node, ts, branch) and
-  not hasUnmodellableBranching(node.getTestFunction())
-select node,
-  "Timestamp " + ts + " on true/false branch is missing a dead() annotation on the " + branch +
-    " successor in $@", node.getTestFunction(), node.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.expected

@@ -1 +0,0 @@
-

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutivePredecessorTimestamps.ql

@@ -1,22 +0,0 @@
-/**
- * New-CFG version of ConsecutivePredecessorTimestamps.
- *
- * Checks that each annotated node (except the minimum timestamp) has
- * a predecessor annotation with timestamp `a - 1`. This is the reverse
- * of ConsecutiveTimestamps: it catches nodes that are reachable but
- * arrived at from the wrong place (skipping an intermediate node).
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerAnnotation ann, int a
-where consecutivePredecessorTimestamps(ann, a)
-select ann, "$@ in $@ has no consecutive predecessor (expected " + (a - 1) + ")",
-  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgConsecutiveTimestamps.ql

@@ -1,29 +0,0 @@
-/**
- * New-CFG version of ConsecutiveTimestamps.
- *
- * Original:
- * Checks that consecutive annotated nodes have consecutive timestamps:
- * for each annotation with timestamp `a`, some CFG node for that annotation
- * must have a next annotation containing `a + 1`.
- *
- * Handles CFG splitting (e.g., finally blocks duplicated for normal/exceptional
- * flow) by checking that at least one split has the required successor.
- *
- * Only applies to functions where all annotations are in the function's
- * own scope (excludes tests with generators, async, comprehensions, or
- * lambdas that have annotations in nested scopes).
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerAnnotation ann, int a
-where consecutiveTimestamps(ann, a)
-select ann, "$@ in $@ has no consecutive successor (expected " + (a + 1) + ")",
-  ann.getTimestampExpr(a), "Timestamp " + a, ann.getTestFunction(), ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgImpl.qll

@@ -1,101 +0,0 @@
-/**
- * Implementation of the evaluation-order CFG signature using the new
- * shared control flow graph from AstNodeImpl.
- */
-
-private import python as Py
-import TimerUtils
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import codeql.controlflow.SuccessorType
-
-private class NewControlFlowNode = CfgImpl::ControlFlowNode;
-
-private class NewBasicBlock = CfgImpl::BasicBlock;
-
-/** New (shared) CFG implementation of the evaluation-order signature. */
-module NewCfg implements EvalOrderCfgSig {
-  class CfgNode instanceof NewControlFlowNode {
-    // Use the post-order representative for each AST node: the "after" node.
-    // For simple leaf nodes this is the merged before/after node. For
-    // post-order expressions this is the TAstNode. For pre-order expressions
-    // (and/or/not/ternary) this uses an AfterValueNode, which places the
-    // expression after its operands — matching the timer test expectations.
-    CfgNode() { NewControlFlowNode.super.isAfter(_) }
-
-    string toString() { result = NewControlFlowNode.super.toString() }
-
-    Py::Location getLocation() { result = NewControlFlowNode.super.getLocation() }
-
-    Py::AstNode getNode() {
-      result = CfgImpl::astNodeToPyNode(NewControlFlowNode.super.getAstNode())
-    }
-
-    CfgNode getASuccessor() { nextCfgNode(this, result) }
-
-    CfgNode getATrueSuccessor() {
-      NewControlFlowNode.super.isAfterTrue(_) and
-      // Only where there's also a false branch (true boolean split)
-      exists(NewControlFlowNode other | other.isAfterFalse(NewControlFlowNode.super.getAstNode())) and
-      nextCfgNodeFrom(this, result)
-    }
-
-    CfgNode getAFalseSuccessor() {
-      NewControlFlowNode.super.isAfterFalse(_) and
-      // Only where there's also a true branch (true boolean split)
-      exists(NewControlFlowNode other | other.isAfterTrue(NewControlFlowNode.super.getAstNode())) and
-      nextCfgNodeFrom(this, result)
-    }
-
-    CfgNode getAnExceptionalSuccessor() {
-      exists(NewControlFlowNode mid |
-        mid = NewControlFlowNode.super.getAnExceptionSuccessor() and
-        nextCfgNodeFrom(mid, result)
-      )
-    }
-
-    Py::Scope getScope() { result = NewControlFlowNode.super.getEnclosingCallable().asScope() }
-
-    BasicBlock getBasicBlock() {
-      exists(NewBasicBlock bb, int i | bb.getNode(i) = this and result = bb)
-    }
-  }
-
-  /**
-   * Holds if `next` is the nearest CfgNode reachable from `n` via
-   * one or more raw CFG successor edges, skipping non-CfgNode intermediaries.
-   */
-  private predicate nextCfgNodeFrom(NewControlFlowNode n, CfgNode next) {
-    next = n.getASuccessor()
-    or
-    exists(NewControlFlowNode mid |
-      mid = n.getASuccessor() and
-      not mid instanceof CfgNode and
-      nextCfgNodeFrom(mid, next)
-    )
-  }
-
-  /**
-   * Holds if `next` is the nearest CfgNode successor of `n`,
-   * skipping synthetic intermediate nodes.
-   */
-  private predicate nextCfgNode(CfgNode n, CfgNode next) { nextCfgNodeFrom(n, next) }
-
-  class BasicBlock instanceof NewBasicBlock {
-    string toString() { result = NewBasicBlock.super.toString() }
-
-    CfgNode getNode(int n) { result = NewBasicBlock.super.getNode(n) }
-
-    predicate reaches(BasicBlock bb) { this = bb or this.strictlyReaches(bb) }
-
-    predicate strictlyReaches(BasicBlock bb) { NewBasicBlock.super.getASuccessor+() = bb }
-
-    predicate strictlyDominates(BasicBlock bb) { NewBasicBlock.super.strictlyDominates(bb) }
-  }
-
-  CfgNode scopeGetEntryNode(Py::Scope s) {
-    exists(CfgImpl::ControlFlow::EntryNode entry |
-      entry.getEnclosingCallable().asScope() = s and
-      nextCfgNodeFrom(entry, result)
-    )
-  }
-}

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNeverReachable.ql

@@ -1,21 +0,0 @@
-/**
- * New-CFG version of NeverReachable.
- *
- * Original:
- * Checks that expressions annotated with `t.never` either have no CFG
- * node, or if they do, that the node is not reachable from its scope's
- * entry (including within the same basic block).
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils::CfgTests
-
-from TimerAnnotation ann
-where neverReachable(ann)
-select ann, "Node annotated with t.never is reachable in $@", ann.getTestFunction(),
-  ann.getTestFunction().getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBackwardFlow.ql

@@ -1,22 +0,0 @@
-/**
- * New-CFG version of NoBackwardFlow.
- *
- * Original:
- * Checks that time never flows backward between consecutive timer annotations
- * in the CFG. For each pair of consecutive annotated nodes (A -> B), there must
- * exist timestamps a in A and b in B with a < b.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, TimerCfgNode b, int minA, int maxB
-where noBackwardFlow(a, b, minA, maxB)
-select a, "Backward flow: $@ flows to $@ (max timestamp $@)", a.getTimestampExpr(minA),
-  minA.toString(), b, b.getNode().toString(), b.getTimestampExpr(maxB), maxB.toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.expected

@@ -1 +0,0 @@
-

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoBasicBlock.ql

@@ -1,18 +0,0 @@
-/**
- * New-CFG version of NoBasicBlock.
- *
- * Checks that every annotated CFG node belongs to a basic block.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from CfgNode n, TestFunction f
-where noBasicBlock(n, f)
-select n, "CFG node in $@ does not belong to any basic block", f, f.getName()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgNoSharedReachable.ql

@@ -1,21 +0,0 @@
-/**
- * New-CFG version of NoSharedReachable.
- *
- * Original:
- * Checks that two annotations sharing a timestamp value are on
- * mutually exclusive CFG paths (neither can reach the other).
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, TimerCfgNode b, int ts
-where noSharedReachable(a, b, ts)
-select a, "Shared timestamp $@ but this node reaches $@", a.getTimestampExpr(ts), ts.toString(), b,
-  b.getNode().toString()

python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgStrictForward.ql

@@ -1,22 +0,0 @@
-/**
- * New-CFG version of StrictForward.
- *
- * Original:
- * Stronger version of NoBackwardFlow: for consecutive annotated nodes
- * A -> B that both have a single timestamp (non-loop code) and B does
- * NOT dominate A (forward edge), requires max(A) < min(B).
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, TimerCfgNode b, int maxA, int minB
-where strictForward(a, b, maxA, minB)
-select a, "Strict forward violation: $@ flows to $@", a.getTimestampExpr(maxA), "timestamp " + maxA,
-  b.getTimestampExpr(minB), "timestamp " + minB

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.expected

@@ -1,7 +1,7 @@
 | test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:9:59:9:59 | IntegerLiteral | 2 | test_boolean.py:9:10:9:13 | ControlFlowNode for True | True | test_boolean.py:9:19:9:19 | IntegerLiteral | 0 |
 | test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:15:50:15:50 | IntegerLiteral | 1 | test_boolean.py:15:10:15:14 | ControlFlowNode for False | False | test_boolean.py:15:20:15:20 | IntegerLiteral | 0 |
 | test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:21:49:21:49 | IntegerLiteral | 1 | test_boolean.py:21:10:21:13 | ControlFlowNode for True | True | test_boolean.py:21:19:21:19 | IntegerLiteral | 0 |
-| test_boolean.py:27:10:27:43 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:27:59:27:59 | IntegerLiteral | 2 | test_boolean.py:27:10:27:14 | ControlFlowNode for False | False | test_boolean.py:27:20:27:20 | IntegerLiteral | 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:27:50:27:50 | IntegerLiteral | 2 | test_boolean.py:27:10:27:14 | ControlFlowNode for False | False | test_boolean.py:27:20:27:20 | IntegerLiteral | 0 |
 | test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:40:86:40:86 | IntegerLiteral | 3 | test_boolean.py:40:10:40:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:40:16:40:16 | IntegerLiteral | 0 |
 | test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:46:86:46:86 | IntegerLiteral | 3 | test_boolean.py:46:10:46:10 | ControlFlowNode for IntegerLiteral | IntegerLiteral | test_boolean.py:46:16:46:16 | IntegerLiteral | 0 |
 | test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Backward flow: $@ flows to $@ (max timestamp $@) | test_boolean.py:52:120:52:120 | IntegerLiteral | 4 | test_boolean.py:52:11:52:47 | ControlFlowNode for BoolExpr | BoolExpr | test_boolean.py:52:63:52:63 | IntegerLiteral | 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBackwardFlow.ql

@@ -4,8 +4,6 @@
  * exist timestamps a in A and b in B with a < b.
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/NoBasicBlock.ql

@@ -2,8 +2,6 @@
  * Checks that every annotated CFG node belongs to a basic block.
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/NoSharedReachable.ql

@@ -3,8 +3,6 @@
  * mutually exclusive CFG paths (neither can reach the other).
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/OldCfgImpl.qll

@@ -3,14 +3,14 @@
  * Python control flow graph.
  */
 
-private import python as Py
+private import python as PY
 import TimerUtils
 
 /** Existing Python CFG implementation of the evaluation-order signature. */
 module OldCfg implements EvalOrderCfgSig {
-  class CfgNode = Py::ControlFlowNode;
+  class CfgNode = PY::ControlFlowNode;
 
-  class BasicBlock = Py::BasicBlock;
+  class BasicBlock = PY::BasicBlock;
 
-  CfgNode scopeGetEntryNode(Py::Scope s) { result = s.getEntryNode() }
+  CfgNode scopeGetEntryNode(PY::Scope s) { result = s.getEntryNode() }
 }

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.expected

@@ -1,7 +1,7 @@
 | test_boolean.py:9:10:9:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:9:59:9:59 | IntegerLiteral | timestamp 2 | test_boolean.py:9:19:9:19 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:15:10:15:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:15:50:15:50 | IntegerLiteral | timestamp 1 | test_boolean.py:15:20:15:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:21:10:21:42 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:21:49:21:49 | IntegerLiteral | timestamp 1 | test_boolean.py:21:19:21:19 | IntegerLiteral | timestamp 0 |
-| test_boolean.py:27:10:27:43 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:27:59:27:59 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
+| test_boolean.py:27:10:27:34 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:27:50:27:50 | IntegerLiteral | timestamp 2 | test_boolean.py:27:20:27:20 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:40:10:40:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:40:86:40:86 | IntegerLiteral | timestamp 3 | test_boolean.py:40:16:40:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:46:10:46:61 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:46:86:46:86 | IntegerLiteral | timestamp 3 | test_boolean.py:46:16:46:16 | IntegerLiteral | timestamp 0 |
 | test_boolean.py:52:10:52:95 | ControlFlowNode for BoolExpr | Strict forward violation: $@ flows to $@ | test_boolean.py:52:120:52:120 | IntegerLiteral | timestamp 4 | test_boolean.py:52:63:52:63 | IntegerLiteral | timestamp 2 |

python/ql/test/library-tests/ControlFlow/evaluation-order/StrictForward.ql

@@ -4,8 +4,6 @@
  * NOT dominate A (forward edge), requires max(A) < min(B).
  */
 
-import python
-import TimerUtils
 import OldCfgImpl
 
 private module Utils = EvalOrderCfgUtils<OldCfg>;

python/ql/test/library-tests/ControlFlow/evaluation-order/test_boolean.py

@@ -24,7 +24,7 @@ def test_or_short_circuit(t):
 @test
 def test_or_both_sides(t):
     # False or X — both operands evaluated, result is X
-    x = (False @ t[0] or 42 @ t[1, dead(2)]) @ t[dead(1), 2]
+    x = (False @ t[0] or 42 @ t[1]) @ t[dead(1), 2]
 
 
 @test

python/ql/test/library-tests/ControlFlow/evaluation-order/test_if.py

@@ -85,7 +85,7 @@ def test_nested_if_else(t):
         else:
             z = 2 @ t[dead(4)]
     else:
-        z = 3 @ t[dead(3), dead(4)]
+        z = 3 @ t[dead(4)]
     w = 0 @ t[5]
 
 

python/ql/test/library-tests/ControlFlow/store-load/StoreLoadTest.ql

@@ -1,41 +0,0 @@
-/**
- * Inline-expectations test for the store/load/delete/parameter
- * classification predicates on the new-CFG facade.
- *
- * Each tag fires when the corresponding predicate (`isLoad`,
- * `isStore`, `isDelete`, `isParameter`, `isAugLoad`, `isAugStore`)
- * holds on the canonical CFG node wrapping a `Py::Name` with the
- * given identifier. Subscript and attribute stores are not covered
- * by these tags — only the `Name`-typed targets/loads they involve.
- */
-
-import python
-import semmle.python.controlflow.internal.Cfg as Cfg
-import utils.test.InlineExpectationsTest
-
-module StoreLoadTest implements TestSig {
-  string getARelevantTag() { result = ["load", "store", "delete", "param", "augload", "augstore"] }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Cfg::NameNode n |
-      location = n.getLocation() and
-      element = n.toString() and
-      value = n.getId() and
-      (
-        n.isLoad() and not n.isAugLoad() and tag = "load"
-        or
-        n.isStore() and not n.isAugStore() and tag = "store"
-        or
-        n.isDelete() and tag = "delete"
-        or
-        n.isParameter() and tag = "param"
-        or
-        n.isAugLoad() and tag = "augload"
-        or
-        n.isAugStore() and tag = "augstore"
-      )
-    )
-  }
-}
-
-import MakeTest<StoreLoadTest>

python/ql/test/library-tests/ControlFlow/store-load/test.py

@@ -1,56 +0,0 @@
-# Store/load/delete/parameter classification on the new-CFG facade.
-#
-# Each annotated location carries the (sorted, deduplicated) set of
-# kinds the CFG facade reports there. Comparing against the legacy
-# 'semmle.python.Flow' classification is done by the comparison query
-# 'StoreLoadParity.ql' — annotations here are only the positive
-# assertions for the new facade.
-#
-# Tags:
-#   load=<id>       -- isLoad() fires on the Name
-#   store=<id>      -- isStore() fires
-#   delete=<id>     -- isDelete() fires
-#   param=<id>      -- isParameter() fires
-#   augload=<id>    -- isAugLoad() fires (the LHS of x += ... when read)
-#   augstore=<id>   -- isAugStore() fires (the LHS of x += ... when written)
-
-
-# --- plain load / store / delete ---
-
-x = 1  # $ store=x
-y = x + 1  # $ store=y load=x
-print(y)  # $ load=print load=y
-del x  # $ delete=x
-
-
-# --- function definitions (parameters) ---
-
-def f(a, b=2, *args, c, **kwargs):  # $ store=f param=a param=b param=args param=c param=kwargs
-    return a + b + c  # $ load=a load=b load=c
-
-
-# --- augmented assignment splits one Name into load + store halves ---
-
-def aug():  # $ store=aug
-    n = 0  # $ store=n
-    n += 1  # $ augload=n augstore=n
-    return n  # $ load=n
-
-
-# --- subscript / attribute stores ---
-
-class C:  # $ store=C
-    pass
-
-
-def stores(obj, container, idx):  # $ store=stores param=obj param=container param=idx
-    obj.attr = 1  # $ load=obj
-    container[idx] = 2  # $ load=container load=idx
-    return obj  # $ load=obj
-
-
-# --- tuple unpacking ---
-
-def unpack(pair):  # $ store=unpack param=pair
-    a, b = pair  # $ store=a store=b load=pair
-    return a + b  # $ load=a load=b

python/ql/test/library-tests/dataflow-new-ssa-vs-legacy/CmpTest.expected

@@ -1,6 +0,0 @@
-| def-only-old | $:0:0 |
-| def-only-old | __name__:0:0 |
-| def-only-old | __package__:0:0 |
-| def-only-old | e:37:1 |
-| def-only-old | e:40:25 |
-| def-only-old | x:20:1 |

python/ql/test/library-tests/dataflow-new-ssa-vs-legacy/CmpTest.ql

@@ -1,59 +0,0 @@
-/**
- * Compares the new-CFG SSA against the legacy ESSA on the same Python
- * sources. Reports definitions present in one implementation but not
- * the other, identified by variable name + source position.
- *
- * The `.expected` file records the current diff as a snapshot: as the
- * new SSA matures (closing captured-variable gap, exception bindings,
- * etc.) and tracks more variables, the snapshot should monotonically
- * shrink.
- *
- * Known categories of `def-only-old` mismatches:
- *   - Function / class / global definitions with no in-scope read
- *     (intentional: SSA is liveness-pruned, write-only variables are
- *     not tracked).
- *   - Captured / closure variables (gap: new SSA does not yet model
- *     closure captures).
- *   - Module variables `__name__`, `__package__`, `$` (legacy ESSA
- *     adds implicit bindings the new SSA does not).
- *   - Exception-handler `as` bindings (depend on raise modelling).
- *
- * `def-only-new` mismatches would indicate the new SSA produces spurious
- * definitions; currently none are expected.
- */
-
-import python
-import semmle.python.dataflow.new.internal.SsaImpl as NewSsa
-import semmle.python.controlflow.internal.Cfg as Cfg
-import semmle.python.essa.Essa
-
-string newDefSig(NewSsa::EssaNodeDefinition def) {
-  exists(Cfg::ControlFlowNode n | n = def.getDefiningNode() |
-    result =
-      def.getVariable().getVariable().getId() + ":" + n.getLocation().getStartLine() + ":" +
-        n.getLocation().getStartColumn()
-  )
-}
-
-string legacyDefSig(EssaNodeDefinition def) {
-  exists(ControlFlowNode n | n = def.getDefiningNode() |
-    result =
-      def.getSourceVariable().getName() + ":" + n.getLocation().getStartLine() + ":" +
-        n.getLocation().getStartColumn()
-  )
-}
-
-from string kind, string sig
-where
-  kind = "def-only-new" and
-  exists(NewSsa::EssaNodeDefinition def |
-    sig = newDefSig(def) and
-    not exists(EssaNodeDefinition legacyDef | sig = legacyDefSig(legacyDef))
-  )
-  or
-  kind = "def-only-old" and
-  exists(EssaNodeDefinition legacyDef |
-    sig = legacyDefSig(legacyDef) and
-    not exists(NewSsa::EssaNodeDefinition def | sig = newDefSig(def))
-  )
-select kind, sig

python/ql/test/library-tests/dataflow-new-ssa-vs-legacy/test.py

@@ -1,53 +0,0 @@
-def simple_assign():
-    x = 1
-    return x
-
-
-def reassignment():
-    x = 1
-    x = 2
-    return x
-
-
-def if_else_branch(cond):
-    if cond:
-        x = 1
-    else:
-        x = 2
-    return x
-
-
-def loop(xs):
-    total = 0
-    for x in xs:
-        total = total + x
-    return total
-
-
-def parameter(a, b=2, *args, **kwargs):
-    return a + b + sum(args)
-
-
-def closure(x):
-    def inner():
-        return x
-    return inner
-
-
-def exception_binding():
-    try:
-        compute()
-    except Exception as e:
-        return e
-
-
-def with_binding():
-    with open("file") as f:
-        return f.read()
-
-
-GLOBAL = 1
-
-
-def read_global():
-    return GLOBAL

python/ql/test/library-tests/dataflow-new-ssa/SsaTest.expected

@@ -1,6 +0,0 @@
-| test.py:14:5:14:15 | basic_param | Unexpected result: def=basic_param |
-| test.py:18:5:18:16 | basic_assign | Unexpected result: def=basic_assign |
-| test.py:23:5:23:16 | reassignment | Unexpected result: def=reassignment |
-| test.py:29:5:29:15 | if_else_phi | Unexpected result: def=if_else_phi |
-| test.py:37:5:37:14 | use_global | Unexpected result: def=use_global |
-| test.py:38:28:38:49 | Comment # $ use=some_undefined | Missing result: use=some_undefined |

python/ql/test/library-tests/dataflow-new-ssa/SsaTest.ql

@@ -1,59 +0,0 @@
-/**
- * Inline-expectations test for the new-CFG SSA adapter
- * (`semmle.python.dataflow.new.internal.SsaImpl`).
- *
- * Tags:
- *   - `def=<var>`: there is an SSA write definition of `<var>` at this
- *     line (parameter init, plain assignment, augmented assignment,
- *     exception-handler binding, deletion, etc.).
- *   - `use=<var>`: `<var>` is used at this line, and some SSA definition
- *     of `<var>` reaches the read.
- *   - `phi=<var>`: there is an SSA phi definition of `<var>` whose BB
- *     starts on this line.
- */
-
-import python
-import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
-import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-import semmle.python.controlflow.internal.Cfg as Cfg
-import utils.test.InlineExpectationsTest
-
-module SsaTest implements TestSig {
-  string getARelevantTag() { result = ["def", "use", "phi"] }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    // A `def=<id>` fires when an SSA WriteDefinition is at a CFG node
-    // on the given line.
-    exists(SsaImpl::Ssa::WriteDefinition def, CfgImpl::BasicBlock bb, int i, Cfg::NameNode n |
-      def.definesAt(_, bb, i) and
-      bb.getNode(i) = n and
-      tag = "def" and
-      location = n.getLocation() and
-      element = n.toString() and
-      value = n.getId()
-    )
-    or
-    // A `use=<id>` fires when an SSA Definition reaches a read at this
-    // CFG node.
-    exists(SsaImpl::Ssa::Definition def, CfgImpl::BasicBlock bb, int i, Cfg::NameNode n |
-      SsaImpl::Ssa::ssaDefReachesRead(_, def, bb, i) and
-      bb.getNode(i) = n and
-      tag = "use" and
-      location = n.getLocation() and
-      element = n.toString() and
-      value = n.getId()
-    )
-    or
-    // A `phi=<id>` fires when there is a phi node whose BB's first
-    // CFG node is on the given line.
-    exists(SsaImpl::Ssa::PhiNode phi, CfgImpl::BasicBlock bb |
-      phi.definesAt(_, bb, _) and
-      tag = "phi" and
-      location = bb.getNode(0).getLocation() and
-      element = bb.toString() and
-      value = phi.getSourceVariable().(SsaImpl::SsaSourceVariable).getVariable().getId()
-    )
-  }
-}
-
-import MakeTest<SsaTest>

python/ql/test/library-tests/dataflow-new-ssa/test.py

@@ -1,40 +0,0 @@
-# Basic SSA tests for the new-CFG SSA adapter.
-#
-# The shared SSA implementation prunes its construction by liveness:
-# definitions of variables that are not read are never materialised.
-# This is by design — write-only variables would only bloat the SSA
-# graph. Tests therefore must always include a read of each variable
-# being verified.
-#
-# Annotations:
-#   def=<var>: there is an SSA write definition of <var> at this line
-#   use=<var>: <var> is used here and the read resolves to some def
-
-
-def basic_param(x):  # $ def=x
-    return x  # $ use=x
-
-
-def basic_assign():
-    y = 1  # $ def=y
-    return y  # $ use=y
-
-
-def reassignment():
-    x = 1
-    x = 2  # $ def=x
-    return x  # $ use=x
-
-
-def if_else_phi(cond):  # $ def=cond
-    if cond:  # $ use=cond phi=x
-        x = 1  # $ def=x
-    else:
-        x = 2  # $ def=x
-    return x  # $ use=x
-
-
-def use_global():
-    return some_undefined  # $ use=some_undefined
-
-

shared/controlflow/codeql/controlflow/ControlFlowGraph.qll

@@ -224,31 +224,6 @@ signature module AstSig<LocationSig Location> {
    */
   default AstNode getTryElse(TryStmt try) { none() }
 
-  /**
-   * Gets the `else` block of this `while` loop statement, if any.
-   *
-   * Only some languages (e.g. Python) support `while-else` constructs.
-   */
-  default AstNode getWhileElse(WhileStmt loop) { none() }
-
-  /**
-   * Gets the `else` block of this `foreach` loop statement, if any.
-   *
-   * Only some languages (e.g. Python) support `for-else` constructs.
-   */
-  default AstNode getForeachElse(ForeachStmt loop) { none() }
-
-  /**
-   * Gets the type expression of this catch clause, if any.
-   *
-   * In Python, the catch type is a runtime-evaluated expression
-   * (e.g. `except SomeException:` where `SomeException` is an
-   * arbitrary expression). For languages where the catch type is
-   * statically resolved, this defaults to `none()` and no CFG node
-   * is created.
-   */
-  default Expr getCatchType(CatchClause catch) { none() }
-
   /** A catch clause in a try statement. */
   class CatchClause extends AstNode {
     /** Gets the variable declared by this catch clause. */
@@ -1602,33 +1577,20 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
           n1.isAfterValue(cond, any(BooleanSuccessor b | b.getValue() = while)) and
           n2.isBefore(loopstmt.getBody())
           or
-          n1.isAfterFalse(cond) and
-          (
-            n2.isBefore(getWhileElse(loopstmt))
-            or
-            not exists(getWhileElse(loopstmt)) and n2.isAfter(loopstmt)
-          )
+          n1.isAfterValue(cond, any(BooleanSuccessor b | b.getValue() = while.booleanNot())) and
+          n2.isAfter(loopstmt)
           or
           n1.isAfter(loopstmt.getBody()) and
           n2.isAdditional(loopstmt, loopHeaderTag())
         )
         or
-        exists(WhileStmt whilestmt |
-          n1.isAfter(getWhileElse(whilestmt)) and
-          n2.isAfter(whilestmt)
-        )
-        or
         exists(ForeachStmt foreachstmt |
           n1.isBefore(foreachstmt) and
           n2.isBefore(foreachstmt.getCollection())
           or
           n1.isAfterValue(foreachstmt.getCollection(),
             any(EmptinessSuccessor t | t.getValue() = true)) and
-          (
-            n2.isBefore(getForeachElse(foreachstmt))
-            or
-            not exists(getForeachElse(foreachstmt)) and n2.isAfter(foreachstmt)
-          )
+          n2.isAfter(foreachstmt)
           or
           n1.isAfterValue(foreachstmt.getCollection(),
             any(EmptinessSuccessor t | t.getValue() = false)) and
@@ -1641,17 +1603,10 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
           n2.isAdditional(foreachstmt, loopHeaderTag())
           or
           n1.isAdditional(foreachstmt, loopHeaderTag()) and
-          (
-            n2.isBefore(getForeachElse(foreachstmt))
-            or
-            not exists(getForeachElse(foreachstmt)) and n2.isAfter(foreachstmt)
-          )
+          n2.isAfter(foreachstmt)
           or
           n1.isAdditional(foreachstmt, loopHeaderTag()) and
           n2.isBefore(foreachstmt.getVariable())
-          or
-          n1.isAfter(getForeachElse(foreachstmt)) and
-          n2.isAfter(foreachstmt)
         )
         or
         exists(ForStmt forstmt, PreControlFlowNode condentry |
@@ -1743,16 +1698,6 @@ module Make0<LocationSig Location, AstSig<Location> Ast> {
         exists(CatchClause catchclause |
           exists(MatchingSuccessor t |
             n1.isBefore(catchclause) and
-            (
-              n2.isBefore(getCatchType(catchclause))
-              or
-              not exists(getCatchType(catchclause)) and n2.isAfterValue(catchclause, t)
-            ) and
-            if Input1::catchAll(catchclause) then t.getValue() = true else any()
-          )
-          or
-          exists(MatchingSuccessor t |
-            n1.isAfter(getCatchType(catchclause)) and
             n2.isAfterValue(catchclause, t) and
             if Input1::catchAll(catchclause) then t.getValue() = true else any()
           )