Initial plan

Merge pull request #22027 from owen-mc/go/improve-tests
Go: Improve two tests
2026-06-23 05:37:02 +02:00 · 2026-06-22 22:23:18 +00:00 · 2026-06-22 17:19:40 +01:00 · 2026-06-20 22:04:45 +01:00 · 2026-06-20 22:04:43 +01:00
328 changed files with 6860 additions and 11063 deletions
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/logrus.go
@@ -13,7 +13,7 @@ func logSomething(entry *logrus.Entry) {
 	entry.Traceln(text) // $ logger=text
 }

-func logrusCalls() {
+func logrusCalls(selector int) {
 	err := errors.New("Error")
 	var fields logrus.Fields = nil
 	var fn logrus.LogFunction = nil
@@ -27,11 +27,15 @@ func logrusCalls() {
 	tmp = logrus.WithFields(fields) // $ logger=fields
 	logSomething(tmp)

-	logrus.Error(text)       // $ logger=text
-	logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
-	logrus.Panicln(text)     // $ logger=text
-	logrus.Infof(fmt, text)  // $ logger=fmt logger=text
-	logrus.FatalFn(fn)       // $ logger=fn
+	logrus.Error(text)      // $ logger=text
+	logrus.Infof(fmt, text) // $ logger=fmt logger=text
+	if selector == 0 {
+		logrus.Fatalf(fmt, text) // $ logger=fmt logger=text
+	} else if selector == 1 {
+		logrus.Panicln(text) // $ logger=text
+	} else if selector == 2 {
+		logrus.FatalFn(fn) // $ logger=fn
+	}

 	// components corresponding to the format specifier "%T" are not considered vulnerable
 	logrus.Infof("%s: found type %T", text, v)  // $ logger="%s: found type %T" logger=text type-logger=v
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go
@@ -8,6 +8,6 @@ var v []byte

 func main() {
 	glogTest(len(v))
-	stdlib()
+	stdlib(len(v))
 	slogTest()
 }
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/stdlib.go
@@ -4,37 +4,69 @@ import (
 	"log"
 )

-func stdlib() {
+func stdlib(selector int) {
 	var logger log.Logger
 	logger.SetPrefix("prefix: ")
-	logger.Fatal(text)       // $ logger=text
-	logger.Fatalf(fmt, text) // $ logger=fmt logger=text
-	logger.Fatalln(text)     // $ logger=text
-	logger.Panic(text)       // $ logger=text
-	logger.Panicf(fmt, text) // $ logger=fmt logger=text
-	logger.Panicln(text)     // $ logger=text
-	logger.Print(text)       // $ logger=text
-	logger.Printf(fmt, text) // $ logger=fmt logger=text
-	logger.Println(text)     // $ logger=text
+	switch selector {
+	case 0:
+		logger.Fatal(text) // $ logger=text
+	case 1:
+		logger.Fatalf(fmt, text) // $ logger=fmt logger=text
+	case 2:
+		logger.Fatalln(text) // $ logger=text
+	case 3:
+		logger.Panic(text) // $ logger=text
+	case 4:
+		logger.Panicf(fmt, text) // $ logger=fmt logger=text
+	case 5:
+		logger.Panicln(text) // $ logger=text
+	case 6:
+		logger.Print(text) // $ logger=text
+	case 7:
+		logger.Printf(fmt, text) // $ logger=fmt logger=text
+	case 8:
+		logger.Println(text) // $ logger=text
+	}

 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	switch selector {
+	case 9:
+		logger.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 10:
+		logger.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 11:
+		logger.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}

 	log.SetPrefix("prefix: ")
-	log.Fatal(text)       // $ logger=text
-	log.Fatalf(fmt, text) // $ logger=fmt logger=text
-	log.Fatalln(text)     // $ logger=text
-	log.Panic(text)       // $ logger=text
-	log.Panicf(fmt, text) // $ logger=fmt logger=text
-	log.Panicln(text)     // $ logger=text
-	log.Print(text)       // $ logger=text
-	log.Printf(fmt, text) // $ logger=fmt logger=text
-	log.Println(text)     // $ logger=text
+	switch selector {
+	case 12:
+		log.Fatal(text) // $ logger=text
+	case 13:
+		log.Fatalf(fmt, text) // $ logger=fmt logger=text
+	case 14:
+		log.Fatalln(text) // $ logger=text
+	case 15:
+		log.Panic(text) // $ logger=text
+	case 16:
+		log.Panicf(fmt, text) // $ logger=fmt logger=text
+	case 17:
+		log.Panicln(text) // $ logger=text
+	case 18:
+		log.Print(text) // $ logger=text
+	case 19:
+		log.Printf(fmt, text) // $ logger=fmt logger=text
+	case 20:
+		log.Println(text) // $ logger=text
+	}

 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	switch selector {
+	case 21:
+		log.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 22:
+		log.Panicf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	case 23:
+		log.Printf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
 }
--- a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/ControlFlowNode_getASuccessor.expected
+++ b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/ControlFlowNode_getASuccessor.expected
@@ -34,6 +34,265 @@
 | DuplicateSwitchCase.go:16:1:16:14 | function declaration | DuplicateSwitchCase.go:0:0:0:0 | exit |
 | DuplicateSwitchCase.go:16:6:16:9 | skip | DuplicateSwitchCase.go:16:1:16:14 | function declaration |
 | DuplicateSwitchCase.go:16:13:16:14 | skip | DuplicateSwitchCase.go:16:1:16:14 | exit |
+| epilogues.go:0:0:0:0 | entry | epilogues.go:3:1:3:12 | skip |
+| epilogues.go:3:1:3:12 | skip | epilogues.go:8:1:10:1 | skip |
+| epilogues.go:8:1:10:1 | skip | epilogues.go:12:21:12:23 | skip |
+| epilogues.go:12:1:14:1 | entry | epilogues.go:12:7:12:7 | argument corresponding to l |
+| epilogues.go:12:1:14:1 | function declaration | epilogues.go:16:20:16:27 | skip |
+| epilogues.go:12:7:12:7 | argument corresponding to l | epilogues.go:12:7:12:7 | initialization of l |
+| epilogues.go:12:7:12:7 | initialization of l | epilogues.go:12:25:12:27 | argument corresponding to msg |
+| epilogues.go:12:21:12:23 | skip | epilogues.go:12:1:14:1 | function declaration |
+| epilogues.go:12:25:12:27 | argument corresponding to msg | epilogues.go:12:25:12:27 | initialization of msg |
+| epilogues.go:12:25:12:27 | initialization of msg | epilogues.go:12:37:12:40 | argument corresponding to code |
+| epilogues.go:12:37:12:40 | argument corresponding to code | epilogues.go:12:37:12:40 | initialization of code |
+| epilogues.go:12:37:12:40 | initialization of code | epilogues.go:13:2:13:12 | selection of Println |
+| epilogues.go:13:2:13:12 | selection of Println | epilogues.go:13:14:13:14 | l |
+| epilogues.go:13:2:13:33 | call to Println | epilogues.go:12:1:14:1 | exit |
+| epilogues.go:13:14:13:14 | implicit dereference | epilogues.go:12:1:14:1 | exit |
+| epilogues.go:13:14:13:14 | implicit dereference | epilogues.go:13:14:13:21 | selection of prefix |
+| epilogues.go:13:14:13:14 | l | epilogues.go:13:14:13:14 | implicit dereference |
+| epilogues.go:13:14:13:21 | selection of prefix | epilogues.go:13:24:13:26 | msg |
+| epilogues.go:13:24:13:26 | msg | epilogues.go:13:29:13:32 | code |
+| epilogues.go:13:29:13:32 | code | epilogues.go:13:2:13:33 | call to Println |
+| epilogues.go:16:1:18:1 | entry | epilogues.go:16:7:16:7 | argument corresponding to l |
+| epilogues.go:16:1:18:1 | function declaration | epilogues.go:23:6:23:15 | skip |
+| epilogues.go:16:7:16:7 | argument corresponding to l | epilogues.go:16:7:16:7 | initialization of l |
+| epilogues.go:16:7:16:7 | initialization of l | epilogues.go:16:29:16:31 | argument corresponding to msg |
+| epilogues.go:16:20:16:27 | skip | epilogues.go:16:1:18:1 | function declaration |
+| epilogues.go:16:29:16:31 | argument corresponding to msg | epilogues.go:16:29:16:31 | initialization of msg |
+| epilogues.go:16:29:16:31 | initialization of msg | epilogues.go:17:2:17:12 | selection of Println |
+| epilogues.go:17:2:17:12 | selection of Println | epilogues.go:17:14:17:14 | l |
+| epilogues.go:17:2:17:27 | call to Println | epilogues.go:16:1:18:1 | exit |
+| epilogues.go:17:14:17:14 | l | epilogues.go:17:14:17:21 | selection of prefix |
+| epilogues.go:17:14:17:21 | selection of prefix | epilogues.go:17:24:17:26 | msg |
+| epilogues.go:17:24:17:26 | msg | epilogues.go:17:2:17:27 | call to Println |
+| epilogues.go:23:1:27:1 | entry | epilogues.go:24:5:24:5 | skip |
+| epilogues.go:23:1:27:1 | function declaration | epilogues.go:31:6:31:13 | skip |
+| epilogues.go:23:6:23:15 | skip | epilogues.go:23:1:27:1 | function declaration |
+| epilogues.go:24:5:24:5 | assignment to r | epilogues.go:24:21:24:21 | r |
+| epilogues.go:24:5:24:5 | skip | epilogues.go:24:10:24:16 | recover |
+| epilogues.go:24:10:24:16 | recover | epilogues.go:24:10:24:18 | call to recover |
+| epilogues.go:24:10:24:18 | call to recover | epilogues.go:24:5:24:5 | assignment to r |
+| epilogues.go:24:21:24:21 | r | epilogues.go:24:26:24:28 | nil |
+| epilogues.go:24:21:24:28 | ...!=... | epilogues.go:23:1:27:1 | exit |
+| epilogues.go:24:21:24:28 | ...!=... | epilogues.go:24:21:24:28 | ...!=... is false |
+| epilogues.go:24:21:24:28 | ...!=... | epilogues.go:24:21:24:28 | ...!=... is true |
+| epilogues.go:24:21:24:28 | ...!=... is false | epilogues.go:23:1:27:1 | exit |
+| epilogues.go:24:21:24:28 | ...!=... is true | epilogues.go:25:3:25:13 | selection of Println |
+| epilogues.go:24:26:24:28 | nil | epilogues.go:24:21:24:28 | ...!=... |
+| epilogues.go:25:3:25:13 | selection of Println | epilogues.go:25:15:25:26 | "recovered:" |
+| epilogues.go:25:3:25:30 | call to Println | epilogues.go:23:1:27:1 | exit |
+| epilogues.go:25:15:25:26 | "recovered:" | epilogues.go:25:29:25:29 | r |
+| epilogues.go:25:29:25:29 | r | epilogues.go:25:3:25:30 | call to Println |
+| epilogues.go:31:1:33:1 | entry | epilogues.go:31:15:31:15 | argument corresponding to x |
+| epilogues.go:31:1:33:1 | function declaration | epilogues.go:36:6:36:12 | skip |
+| epilogues.go:31:6:31:13 | skip | epilogues.go:31:1:33:1 | function declaration |
+| epilogues.go:31:15:31:15 | argument corresponding to x | epilogues.go:31:15:31:15 | initialization of x |
+| epilogues.go:31:15:31:15 | initialization of x | epilogues.go:32:9:32:9 | x |
+| epilogues.go:32:2:32:13 | return statement | epilogues.go:31:1:33:1 | exit |
+| epilogues.go:32:9:32:9 | x | epilogues.go:32:13:32:13 | 2 |
+| epilogues.go:32:9:32:13 | ...*... | epilogues.go:32:2:32:13 | return statement |
+| epilogues.go:32:13:32:13 | 2 | epilogues.go:32:9:32:13 | ...*... |
+| epilogues.go:36:1:38:1 | entry | epilogues.go:37:2:37:12 | selection of Println |
+| epilogues.go:36:1:38:1 | function declaration | epilogues.go:42:6:42:18 | skip |
+| epilogues.go:36:6:36:12 | skip | epilogues.go:36:1:38:1 | function declaration |
+| epilogues.go:37:2:37:12 | selection of Println | epilogues.go:37:14:37:19 | "void" |
+| epilogues.go:37:2:37:20 | call to Println | epilogues.go:36:1:38:1 | exit |
+| epilogues.go:37:14:37:19 | "void" | epilogues.go:37:2:37:20 | call to Println |
+| epilogues.go:42:1:48:1 | entry | epilogues.go:42:20:42:20 | argument corresponding to x |
+| epilogues.go:42:1:48:1 | function declaration | epilogues.go:51:6:51:21 | skip |
+| epilogues.go:42:6:42:18 | skip | epilogues.go:42:1:48:1 | function declaration |
+| epilogues.go:42:20:42:20 | argument corresponding to x | epilogues.go:42:20:42:20 | initialization of x |
+| epilogues.go:42:20:42:20 | initialization of x | epilogues.go:42:28:42:33 | zero value for result |
+| epilogues.go:42:28:42:33 | implicit read of result | epilogues.go:42:40:42:42 | implicit read of err |
+| epilogues.go:42:28:42:33 | initialization of result | epilogues.go:42:40:42:42 | zero value for err |
+| epilogues.go:42:28:42:33 | zero value for result | epilogues.go:42:28:42:33 | initialization of result |
+| epilogues.go:42:40:42:42 | implicit read of err | epilogues.go:42:1:48:1 | exit |
+| epilogues.go:42:40:42:42 | initialization of err | epilogues.go:43:5:43:5 | x |
+| epilogues.go:42:40:42:42 | zero value for err | epilogues.go:42:40:42:42 | initialization of err |
+| epilogues.go:43:5:43:5 | x | epilogues.go:43:9:43:9 | 0 |
+| epilogues.go:43:5:43:9 | ...<... | epilogues.go:43:5:43:9 | ...<... is false |
+| epilogues.go:43:5:43:9 | ...<... | epilogues.go:43:5:43:9 | ...<... is true |
+| epilogues.go:43:5:43:9 | ...<... is false | epilogues.go:47:9:47:9 | x |
+| epilogues.go:43:5:43:9 | ...<... is true | epilogues.go:44:3:44:8 | skip |
+| epilogues.go:43:9:43:9 | 0 | epilogues.go:43:5:43:9 | ...<... |
+| epilogues.go:44:3:44:8 | assignment to result | epilogues.go:45:3:45:8 | return statement |
+| epilogues.go:44:3:44:8 | skip | epilogues.go:44:13:44:13 | x |
+| epilogues.go:44:12:44:13 | -... | epilogues.go:44:3:44:8 | assignment to result |
+| epilogues.go:44:13:44:13 | x | epilogues.go:44:12:44:13 | -... |
+| epilogues.go:45:3:45:8 | return statement | epilogues.go:42:28:42:33 | implicit read of result |
+| epilogues.go:47:2:47:14 | return statement | epilogues.go:42:28:42:33 | implicit read of result |
+| epilogues.go:47:9:47:9 | implicit write of result | epilogues.go:47:12:47:14 | nil |
+| epilogues.go:47:9:47:9 | x | epilogues.go:47:9:47:9 | implicit write of result |
+| epilogues.go:47:12:47:14 | implicit write of err | epilogues.go:47:2:47:14 | return statement |
+| epilogues.go:47:12:47:14 | nil | epilogues.go:47:12:47:14 | implicit write of err |
+| epilogues.go:51:1:54:1 | entry | epilogues.go:51:23:51:23 | argument corresponding to x |
+| epilogues.go:51:1:54:1 | function declaration | epilogues.go:59:6:59:25 | skip |
+| epilogues.go:51:6:51:21 | skip | epilogues.go:51:1:54:1 | function declaration |
+| epilogues.go:51:23:51:23 | argument corresponding to x | epilogues.go:51:23:51:23 | initialization of x |
+| epilogues.go:51:23:51:23 | initialization of x | epilogues.go:51:31:51:31 | zero value for n |
+| epilogues.go:51:31:51:31 | implicit read of n | epilogues.go:51:1:54:1 | exit |
+| epilogues.go:51:31:51:31 | initialization of n | epilogues.go:52:2:52:2 | skip |
+| epilogues.go:51:31:51:31 | zero value for n | epilogues.go:51:31:51:31 | initialization of n |
+| epilogues.go:52:2:52:2 | assignment to n | epilogues.go:53:2:53:7 | return statement |
+| epilogues.go:52:2:52:2 | skip | epilogues.go:52:6:52:6 | x |
+| epilogues.go:52:6:52:6 | x | epilogues.go:52:10:52:10 | 1 |
+| epilogues.go:52:6:52:10 | ...+... | epilogues.go:52:2:52:2 | assignment to n |
+| epilogues.go:52:10:52:10 | 1 | epilogues.go:52:6:52:10 | ...+... |
+| epilogues.go:53:2:53:7 | return statement | epilogues.go:51:31:51:31 | implicit read of n |
+| epilogues.go:59:1:62:1 | entry | epilogues.go:59:27:59:27 | argument corresponding to l |
+| epilogues.go:59:1:62:1 | function declaration | epilogues.go:66:6:66:26 | skip |
+| epilogues.go:59:6:59:25 | skip | epilogues.go:59:1:62:1 | function declaration |
+| epilogues.go:59:27:59:27 | argument corresponding to l | epilogues.go:59:27:59:27 | initialization of l |
+| epilogues.go:59:27:59:27 | initialization of l | epilogues.go:59:41:59:45 | argument corresponding to items |
+| epilogues.go:59:41:59:45 | argument corresponding to items | epilogues.go:59:41:59:45 | initialization of items |
+| epilogues.go:59:41:59:45 | initialization of items | epilogues.go:60:8:60:8 | l |
+| epilogues.go:60:2:60:33 | defer statement | epilogues.go:61:2:61:12 | selection of Println |
+| epilogues.go:60:8:60:8 | l | epilogues.go:60:8:60:12 | selection of log |
+| epilogues.go:60:8:60:12 | selection of log | epilogues.go:60:14:60:20 | "count" |
+| epilogues.go:60:8:60:33 | call to log | epilogues.go:59:1:62:1 | exit |
+| epilogues.go:60:14:60:20 | "count" | epilogues.go:60:23:60:25 | len |
+| epilogues.go:60:23:60:25 | len | epilogues.go:60:27:60:31 | items |
+| epilogues.go:60:23:60:32 | call to len | epilogues.go:60:2:60:33 | defer statement |
+| epilogues.go:60:27:60:31 | items | epilogues.go:60:23:60:32 | call to len |
+| epilogues.go:61:2:61:12 | selection of Println | epilogues.go:61:14:61:25 | "processing" |
+| epilogues.go:61:2:61:38 | call to Println | epilogues.go:60:8:60:33 | call to log |
+| epilogues.go:61:14:61:25 | "processing" | epilogues.go:61:28:61:30 | len |
+| epilogues.go:61:28:61:30 | len | epilogues.go:61:32:61:36 | items |
+| epilogues.go:61:28:61:37 | call to len | epilogues.go:61:2:61:38 | call to Println |
+| epilogues.go:61:32:61:36 | items | epilogues.go:61:28:61:37 | call to len |
+| epilogues.go:66:1:71:1 | entry | epilogues.go:66:28:66:33 | argument corresponding to prefix |
+| epilogues.go:66:1:71:1 | function declaration | epilogues.go:77:6:77:20 | skip |
+| epilogues.go:66:6:66:26 | skip | epilogues.go:66:1:71:1 | function declaration |
+| epilogues.go:66:28:66:33 | argument corresponding to prefix | epilogues.go:66:28:66:33 | initialization of prefix |
+| epilogues.go:66:28:66:33 | initialization of prefix | epilogues.go:67:2:67:2 | skip |
+| epilogues.go:67:2:67:2 | assignment to l | epilogues.go:68:8:68:8 | l |
+| epilogues.go:67:2:67:2 | skip | epilogues.go:67:7:67:31 | struct literal |
+| epilogues.go:67:7:67:31 | struct literal | epilogues.go:67:25:67:30 | prefix |
+| epilogues.go:67:17:67:30 | init of key-value pair | epilogues.go:67:2:67:2 | assignment to l |
+| epilogues.go:67:25:67:30 | prefix | epilogues.go:67:17:67:30 | init of key-value pair |
+| epilogues.go:68:2:68:24 | defer statement | epilogues.go:69:10:69:10 | l |
+| epilogues.go:68:8:68:8 | l | epilogues.go:68:8:68:17 | selection of logValue |
+| epilogues.go:68:8:68:17 | selection of logValue | epilogues.go:68:19:68:23 | "bye" |
+| epilogues.go:68:8:68:24 | call to logValue | epilogues.go:66:1:71:1 | exit |
+| epilogues.go:68:19:68:23 | "bye" | epilogues.go:68:2:68:24 | defer statement |
+| epilogues.go:69:2:69:25 | defer statement | epilogues.go:70:2:70:12 | selection of Println |
+| epilogues.go:69:8:69:15 | selection of log | epilogues.go:69:17:69:21 | "ptr" |
+| epilogues.go:69:8:69:25 | call to log | epilogues.go:68:8:68:24 | call to logValue |
+| epilogues.go:69:9:69:10 | &... | epilogues.go:69:8:69:15 | selection of log |
+| epilogues.go:69:10:69:10 | l | epilogues.go:69:9:69:10 | &... |
+| epilogues.go:69:17:69:21 | "ptr" | epilogues.go:69:24:69:24 | 7 |
+| epilogues.go:69:24:69:24 | 7 | epilogues.go:69:2:69:25 | defer statement |
+| epilogues.go:70:2:70:12 | selection of Println | epilogues.go:70:14:70:19 | "body" |
+| epilogues.go:70:2:70:20 | call to Println | epilogues.go:69:8:69:25 | call to log |
+| epilogues.go:70:14:70:19 | "body" | epilogues.go:70:2:70:20 | call to Println |
+| epilogues.go:77:1:82:1 | entry | epilogues.go:77:22:77:22 | argument corresponding to x |
+| epilogues.go:77:1:82:1 | function declaration | epilogues.go:87:6:87:20 | skip |
+| epilogues.go:77:6:77:20 | skip | epilogues.go:77:1:82:1 | function declaration |
+| epilogues.go:77:22:77:22 | argument corresponding to x | epilogues.go:77:22:77:22 | initialization of x |
+| epilogues.go:77:22:77:22 | initialization of x | epilogues.go:78:8:80:2 | function literal |
+| epilogues.go:78:2:80:15 | defer statement | epilogues.go:81:2:81:12 | selection of Println |
+| epilogues.go:78:8:80:2 | entry | epilogues.go:78:13:78:17 | argument corresponding to label |
+| epilogues.go:78:8:80:2 | function literal | epilogues.go:80:4:80:9 | "done" |
+| epilogues.go:78:8:80:15 | function call | epilogues.go:77:1:82:1 | exit |
+| epilogues.go:78:13:78:17 | argument corresponding to label | epilogues.go:78:13:78:17 | initialization of label |
+| epilogues.go:78:13:78:17 | initialization of label | epilogues.go:78:27:78:27 | argument corresponding to n |
+| epilogues.go:78:27:78:27 | argument corresponding to n | epilogues.go:78:27:78:27 | initialization of n |
+| epilogues.go:78:27:78:27 | initialization of n | epilogues.go:79:3:79:13 | selection of Println |
+| epilogues.go:79:3:79:13 | selection of Println | epilogues.go:79:15:79:19 | label |
+| epilogues.go:79:3:79:23 | call to Println | epilogues.go:78:8:80:2 | exit |
+| epilogues.go:79:15:79:19 | label | epilogues.go:79:22:79:22 | n |
+| epilogues.go:79:22:79:22 | n | epilogues.go:79:3:79:23 | call to Println |
+| epilogues.go:80:4:80:9 | "done" | epilogues.go:80:12:80:12 | x |
+| epilogues.go:80:12:80:12 | x | epilogues.go:80:14:80:14 | 1 |
+| epilogues.go:80:12:80:14 | ...+... | epilogues.go:78:2:80:15 | defer statement |
+| epilogues.go:80:14:80:14 | 1 | epilogues.go:80:12:80:14 | ...+... |
+| epilogues.go:81:2:81:12 | selection of Println | epilogues.go:81:14:81:19 | "body" |
+| epilogues.go:81:2:81:23 | call to Println | epilogues.go:78:8:80:15 | function call |
+| epilogues.go:81:14:81:19 | "body" | epilogues.go:81:22:81:22 | x |
+| epilogues.go:81:22:81:22 | x | epilogues.go:81:2:81:23 | call to Println |
+| epilogues.go:87:1:98:1 | entry | epilogues.go:87:22:87:22 | argument corresponding to x |
+| epilogues.go:87:1:98:1 | function declaration | epilogues.go:102:6:102:24 | skip |
+| epilogues.go:87:6:87:20 | skip | epilogues.go:87:1:98:1 | function declaration |
+| epilogues.go:87:22:87:22 | argument corresponding to x | epilogues.go:87:22:87:22 | initialization of x |
+| epilogues.go:87:22:87:22 | initialization of x | epilogues.go:87:30:87:35 | zero value for result |
+| epilogues.go:87:30:87:35 | implicit read of result | epilogues.go:87:1:98:1 | exit |
+| epilogues.go:87:30:87:35 | initialization of result | epilogues.go:88:8:92:2 | function literal |
+| epilogues.go:87:30:87:35 | zero value for result | epilogues.go:87:30:87:35 | initialization of result |
+| epilogues.go:88:2:92:4 | defer statement | epilogues.go:93:5:93:5 | x |
+| epilogues.go:88:8:92:2 | entry | epilogues.go:89:6:89:6 | skip |
+| epilogues.go:88:8:92:2 | function literal | epilogues.go:88:2:92:4 | defer statement |
+| epilogues.go:88:8:92:4 | function call | epilogues.go:87:1:98:1 | exit |
+| epilogues.go:88:8:92:4 | function call | epilogues.go:87:30:87:35 | implicit read of result |
+| epilogues.go:89:6:89:6 | assignment to r | epilogues.go:89:22:89:22 | r |
+| epilogues.go:89:6:89:6 | skip | epilogues.go:89:11:89:17 | recover |
+| epilogues.go:89:11:89:17 | recover | epilogues.go:89:11:89:19 | call to recover |
+| epilogues.go:89:11:89:19 | call to recover | epilogues.go:89:6:89:6 | assignment to r |
+| epilogues.go:89:22:89:22 | r | epilogues.go:89:27:89:29 | nil |
+| epilogues.go:89:22:89:29 | ...!=... | epilogues.go:88:8:92:2 | exit |
+| epilogues.go:89:22:89:29 | ...!=... | epilogues.go:89:22:89:29 | ...!=... is false |
+| epilogues.go:89:22:89:29 | ...!=... | epilogues.go:89:22:89:29 | ...!=... is true |
+| epilogues.go:89:22:89:29 | ...!=... is false | epilogues.go:88:8:92:2 | exit |
+| epilogues.go:89:22:89:29 | ...!=... is true | epilogues.go:90:4:90:9 | skip |
+| epilogues.go:89:27:89:29 | nil | epilogues.go:89:22:89:29 | ...!=... |
+| epilogues.go:90:4:90:9 | assignment to result | epilogues.go:88:8:92:2 | exit |
+| epilogues.go:90:4:90:9 | skip | epilogues.go:90:13:90:14 | -... |
+| epilogues.go:90:13:90:14 | -... | epilogues.go:90:4:90:9 | assignment to result |
+| epilogues.go:93:5:93:5 | x | epilogues.go:93:9:93:9 | 0 |
+| epilogues.go:93:5:93:9 | ...<... | epilogues.go:93:5:93:9 | ...<... is false |
+| epilogues.go:93:5:93:9 | ...<... | epilogues.go:93:5:93:9 | ...<... is true |
+| epilogues.go:93:5:93:9 | ...<... is false | epilogues.go:96:2:96:7 | skip |
+| epilogues.go:93:5:93:9 | ...<... is true | epilogues.go:94:3:94:7 | panic |
+| epilogues.go:93:9:93:9 | 0 | epilogues.go:93:5:93:9 | ...<... |
+| epilogues.go:94:3:94:7 | panic | epilogues.go:94:9:94:13 | "neg" |
+| epilogues.go:94:3:94:14 | call to panic | epilogues.go:88:8:92:4 | function call |
+| epilogues.go:94:9:94:13 | "neg" | epilogues.go:94:3:94:14 | call to panic |
+| epilogues.go:96:2:96:7 | assignment to result | epilogues.go:97:9:97:14 | result |
+| epilogues.go:96:2:96:7 | skip | epilogues.go:96:11:96:11 | x |
+| epilogues.go:96:11:96:11 | x | epilogues.go:96:15:96:15 | x |
+| epilogues.go:96:11:96:15 | ...*... | epilogues.go:96:2:96:7 | assignment to result |
+| epilogues.go:96:15:96:15 | x | epilogues.go:96:11:96:15 | ...*... |
+| epilogues.go:97:2:97:14 | return statement | epilogues.go:88:8:92:4 | function call |
+| epilogues.go:97:9:97:14 | implicit write of result | epilogues.go:97:2:97:14 | return statement |
+| epilogues.go:97:9:97:14 | result | epilogues.go:97:9:97:14 | implicit write of result |
+| epilogues.go:102:1:110:1 | entry | epilogues.go:102:26:102:26 | argument corresponding to x |
+| epilogues.go:102:1:110:1 | function declaration | epilogues.go:115:6:115:22 | skip |
+| epilogues.go:102:6:102:24 | skip | epilogues.go:102:1:110:1 | function declaration |
+| epilogues.go:102:26:102:26 | argument corresponding to x | epilogues.go:102:26:102:26 | initialization of x |
+| epilogues.go:102:26:102:26 | initialization of x | epilogues.go:102:34:102:35 | zero value for ok |
+| epilogues.go:102:34:102:35 | implicit read of ok | epilogues.go:102:43:102:43 | implicit read of n |
+| epilogues.go:102:34:102:35 | initialization of ok | epilogues.go:102:43:102:43 | zero value for n |
+| epilogues.go:102:34:102:35 | zero value for ok | epilogues.go:102:34:102:35 | initialization of ok |
+| epilogues.go:102:43:102:43 | implicit read of n | epilogues.go:102:1:110:1 | exit |
+| epilogues.go:102:43:102:43 | initialization of n | epilogues.go:103:8:103:17 | epiRecover |
+| epilogues.go:102:43:102:43 | zero value for n | epilogues.go:102:43:102:43 | initialization of n |
+| epilogues.go:103:2:103:19 | defer statement | epilogues.go:104:5:104:5 | x |
+| epilogues.go:103:8:103:17 | epiRecover | epilogues.go:103:2:103:19 | defer statement |
+| epilogues.go:103:8:103:19 | call to epiRecover | epilogues.go:102:1:110:1 | exit |
+| epilogues.go:103:8:103:19 | call to epiRecover | epilogues.go:102:34:102:35 | implicit read of ok |
+| epilogues.go:104:5:104:5 | x | epilogues.go:104:10:104:10 | 0 |
+| epilogues.go:104:5:104:10 | ...==... | epilogues.go:104:5:104:10 | ...==... is false |
+| epilogues.go:104:5:104:10 | ...==... | epilogues.go:104:5:104:10 | ...==... is true |
+| epilogues.go:104:5:104:10 | ...==... is false | epilogues.go:107:2:107:2 | skip |
+| epilogues.go:104:5:104:10 | ...==... is true | epilogues.go:105:3:105:8 | return statement |
+| epilogues.go:104:10:104:10 | 0 | epilogues.go:104:5:104:10 | ...==... |
+| epilogues.go:105:3:105:8 | return statement | epilogues.go:103:8:103:19 | call to epiRecover |
+| epilogues.go:107:2:107:2 | assignment to n | epilogues.go:108:2:108:3 | skip |
+| epilogues.go:107:2:107:2 | skip | epilogues.go:107:6:107:6 | x |
+| epilogues.go:107:6:107:6 | x | epilogues.go:107:2:107:2 | assignment to n |
+| epilogues.go:108:2:108:3 | assignment to ok | epilogues.go:109:2:109:7 | return statement |
+| epilogues.go:108:2:108:3 | skip | epilogues.go:108:7:108:10 | true |
+| epilogues.go:108:7:108:10 | true | epilogues.go:108:2:108:3 | assignment to ok |
+| epilogues.go:109:2:109:7 | return statement | epilogues.go:103:8:103:19 | call to epiRecover |
+| epilogues.go:115:1:118:1 | entry | epilogues.go:116:8:116:17 | epiRecover |
+| epilogues.go:115:1:118:1 | function declaration | epilogues.go:0:0:0:0 | exit |
+| epilogues.go:115:6:115:22 | skip | epilogues.go:115:1:118:1 | function declaration |
+| epilogues.go:116:2:116:19 | defer statement | epilogues.go:117:2:117:6 | panic |
+| epilogues.go:116:8:116:17 | epiRecover | epilogues.go:116:2:116:19 | defer statement |
+| epilogues.go:116:8:116:19 | call to epiRecover | epilogues.go:115:1:118:1 | exit |
+| epilogues.go:117:2:117:6 | panic | epilogues.go:117:8:117:13 | "boom" |
+| epilogues.go:117:2:117:14 | call to panic | epilogues.go:116:8:116:19 | call to epiRecover |
+| epilogues.go:117:8:117:13 | "boom" | epilogues.go:117:2:117:14 | call to panic |
 | equalitytests.go:0:0:0:0 | entry | equalitytests.go:3:1:5:1 | skip |
 | equalitytests.go:3:1:5:1 | skip | equalitytests.go:7:1:9:1 | skip |
 | equalitytests.go:7:1:9:1 | skip | equalitytests.go:11:6:11:18 | skip |
--- a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected
+++ b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected
@@ -1,3 +1,4 @@
+| epilogues.go:115:6:115:22 | epiRecoverUnnamed | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.epiRecoverUnnamed |
 | file://:0:0:0:0 | Exit | os.Exit |
 | file://:0:0:0:0 | Fatal | log.Fatal |
 | file://:0:0:0:0 | Fatal | log.Logger.Fatal |
--- a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/epilogues.go
+++ b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/epilogues.go
@@ -0,0 +1,118 @@
+package main
+
+import "fmt"
+
+// epiLogger has methods with both pointer and value receivers, used to check
+// that the receiver and arguments of a deferred call are evaluated at the
+// `defer` statement rather than in the function epilogue.
+type epiLogger struct {
+	prefix string
+}
+
+func (l *epiLogger) log(msg string, code int) {
+	fmt.Println(l.prefix, msg, code)
+}
+
+func (l epiLogger) logValue(msg string) {
+	fmt.Println(l.prefix, msg)
+}
+
+// epiRecover recovers from a panic. It is used as a deferred function so we can
+// check that control flow returns to the result-read nodes and the normal exit
+// node after recovering.
+func epiRecover() {
+	if r := recover(); r != nil {
+		fmt.Println("recovered:", r)
+	}
+}
+
+// epiPlain has no named result variable and a single `return` with a child
+// expression.
+func epiPlain(x int) int {
+	return x * 2
+}
+
+// epiVoid has no named result variable and no `return` statement at all.
+func epiVoid() {
+	fmt.Println("void")
+}
+
+// epiNamedMixed has named result variables and a mix of a bare `return` (no
+// child expressions) and a `return` with child expressions.
+func epiNamedMixed(x int) (result int, err error) {
+	if x < 0 {
+		result = -x
+		return
+	}
+	return x, nil
+}
+
+// epiNamedBareOnly has a named result variable and only a bare `return`.
+func epiNamedBareOnly(x int) (n int) {
+	n = x + 1
+	return
+}
+
+// epiDeferReceiverArgs has a deferred call with a (pointer) receiver and
+// arguments that are expressions, so we can check the receiver `l` and the
+// arguments `"count"` and `len(items)` are evaluated at the `defer` statement.
+func epiDeferReceiverArgs(l *epiLogger, items []int) {
+	defer l.log("count", len(items))
+	fmt.Println("processing", len(items))
+}
+
+// epiDeferValueReceiver has deferred calls with a value receiver and an
+// address-of receiver, both with arguments evaluated at the `defer` statement.
+func epiDeferValueReceiver(prefix string) {
+	l := epiLogger{prefix: prefix}
+	defer l.logValue("bye")
+	defer (&l).log("ptr", 7)
+	fmt.Println("body")
+}
+
+// epiDeferFuncLit has a deferred function literal with parameters, so we can
+// check that the arguments `"done"` and `x+1` are evaluated at the `defer`
+// statement and that control flow enters the function literal body when it is
+// invoked at the function epilogue.
+func epiDeferFuncLit(x int) {
+	defer func(label string, n int) {
+		fmt.Println(label, n)
+	}("done", x+1)
+	fmt.Println("body", x)
+}
+
+// epiRecoverNamed has a named result variable and a deferred closure containing
+// `recover()`. After recovering on the panic path, control flow should return
+// to the result-read nodes and the normal exit node.
+func epiRecoverNamed(x int) (result int) {
+	defer func() {
+		if r := recover(); r != nil {
+			result = -1
+		}
+	}()
+	if x < 0 {
+		panic("neg")
+	}
+	result = x * x
+	return result
+}
+
+// epiRecoverNamedBare has named result variables, a deferred function
+// containing `recover()`, and only bare `return` statements.
+func epiRecoverNamedBare(x int) (ok bool, n int) {
+	defer epiRecover()
+	if x == 0 {
+		return
+	}
+	n = x
+	ok = true
+	return
+}
+
+// epiRecoverUnnamed has no named result variables and a deferred function
+// containing `recover()`; after recovering, control flow should reach the
+// normal exit node directly (there are no result-read nodes).
+func epiRecoverUnnamed() {
+	defer epiRecover()
+	panic("boom")
+}
--- a/python/ql/consistency-queries/CfgConsistency.ql
+++ b/python/ql/consistency-queries/CfgConsistency.ql
@@ -1,2 +0,0 @@
-import semmle.python.controlflow.internal.AstNodeImpl
-import ControlFlow::Consistency
--- a/python/ql/consistency-queries/DataFlowConsistency.ql
+++ b/python/ql/consistency-queries/DataFlowConsistency.ql
@@ -9,7 +9,6 @@ private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
 private import semmle.python.dataflow.new.internal.DataFlowDispatch
 private import semmle.python.dataflow.new.internal.TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
-private import semmle.python.controlflow.internal.Cfg as Cfg

 private module Input implements InputSig<Location, PythonDataFlow> {
  private import Private
@@ -75,7 +74,7 @@ private module Input implements InputSig<Location, PythonDataFlow> {
    // resolve to multiple functions), but we only make _one_ ArgumentNode for each
    // argument in the CallNode, we end up violating this consistency check in those
    // cases. (see `getCallArg` in DataFlowDispatch.qll)
-    exists(DataFlowCall other, Cfg::CallNode cfgCall | other != call |
+    exists(DataFlowCall other, CallNode cfgCall | other != call |
      call.getNode() = cfgCall and
      other.getNode() = cfgCall and
      isArgumentNode(arg, call, _) and
@@ -91,16 +90,16 @@ private module Input implements InputSig<Location, PythonDataFlow> {
      // allow it instead.
      (
        call.getScope() = attr.getScope() and
-        any(CfgNode n | n.asCfgNode() = call.getNode().(Cfg::CallNode).getFunction())
-            .getALocalSource() = attr
+        any(CfgNode n | n.asCfgNode() = call.getNode().(CallNode).getFunction()).getALocalSource() =
+          attr
        or
        not exists(call.getScope().(Function).getDefinition()) and
        call.getScope().getScope+() = attr.getScope()
      ) and
      (
        other.getScope() = attr.getScope() and
-        any(CfgNode n | n.asCfgNode() = other.getNode().(Cfg::CallNode).getFunction())
-            .getALocalSource() = attr
+        any(CfgNode n | n.asCfgNode() = other.getNode().(CallNode).getFunction()).getALocalSource() =
+          attr
        or
        not exists(other.getScope().(Function).getDefinition()) and
        other.getScope().getScope+() = attr.getScope()
--- a/python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md
+++ b/python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A new Python control flow graph implementation has been added under `semmle.python.controlflow.internal.Cfg` (backed by `AstNodeImpl.qll`), built on the shared `codeql.controlflow.ControlFlowGraph` library. It is not yet used by the dataflow library or any production query; the legacy CFG in `semmle/python/Flow.qll` remains the default. The new library is exposed for tests and for upcoming migrations.
--- a/python/ql/lib/change-notes/2026-05-19-add-shared-ssa.md
+++ b/python/ql/lib/change-notes/2026-05-19-add-shared-ssa.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A new SSA adapter has been added under `semmle.python.dataflow.new.internal.SsaImpl`, built on the shared `codeql.ssa.Ssa` library and the new shared CFG (`semmle.python.controlflow.internal.Cfg`). It is not yet used by the dataflow library or any production query; the legacy ESSA SSA in `semmle/python/essa/*` remains the default. The new SSA adapter is exposed for tests and for the upcoming dataflow migration.
--- a/python/ql/lib/change-notes/2026-06-02-deprecated-flow-nodes-use-new-cfg.md
+++ b/python/ql/lib/change-notes/2026-06-02-deprecated-flow-nodes-use-new-cfg.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* The deprecated `AstNode.getAFlowNode()` and `Function.getAReturnValueFlowNode()` predicates now return nodes from the new shared CFG (`Cfg::ControlFlowNode`) rather than from the legacy CFG (`ControlFlowNode`). Callers that still rely on these deprecated APIs and feed the result into legacy-CFG-aware predicates will no longer type-check; migrate to `n.getNode() = e` (or, for return values, the explicit `Return` pattern shown in the deprecation message) to get nodes from the dataflow library's current CFG.
--- a/python/ql/lib/change-notes/2026-06-04-cfg-parameter-annotations.md
+++ b/python/ql/lib/change-notes/2026-06-04-cfg-parameter-annotations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The new (shared-CFG-based) Python control flow graph now visits parameter and return type annotations as CFG nodes for function definitions, matching the legacy CFG. This restores annotation-based type tracking through framework models such as FastAPI's `Depends()`, Pydantic request models, Starlette `WebSocket` handlers, and any other models that flow a class reference through `Parameter.getAnnotation()` to identify instances of the annotated class.
--- a/python/ql/lib/printCfgNew.ql
+++ b/python/ql/lib/printCfgNew.ql
@@ -1,45 +0,0 @@
-/**
- * @name Print CFG (New)
- * @description Produces a representation of a file's Control Flow Graph
- *              using the new shared control flow library.
- *              This query is used by the VS Code extension.
- * @id python/print-cfg
- * @kind graph
- * @tags ide-contextual-queries/print-cfg
- */
-
-private import python as Py
-import semmle.python.controlflow.internal.AstNodeImpl
-
-external string selectedSourceFile();
-
-private predicate selectedSourceFileAlias = selectedSourceFile/0;
-
-external int selectedSourceLine();
-
-private predicate selectedSourceLineAlias = selectedSourceLine/0;
-
-external int selectedSourceColumn();
-
-private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
-
-module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<Py::File> {
-  predicate selectedSourceFile = selectedSourceFileAlias/0;
-
-  predicate selectedSourceLine = selectedSourceLineAlias/0;
-
-  predicate selectedSourceColumn = selectedSourceColumnAlias/0;
-
-  predicate cfgScopeSpan(
-    Ast::Callable callable, Py::File file, int startLine, int startColumn, int endLine,
-    int endColumn
-  ) {
-    exists(Py::Scope scope |
-      scope = callable.asScope() and
-      file = scope.getLocation().getFile() and
-      scope.getLocation().hasLocationInfo(_, startLine, startColumn, endLine, endColumn)
-    )
-  }
-}
-
-import ControlFlow::ViewCfgQuery<Py::File, ViewCfgQueryInput>
--- a/python/ql/lib/semmle/python/ApiGraphs.qll
+++ b/python/ql/lib/semmle/python/ApiGraphs.qll
@@ -6,9 +6,8 @@
 * directed and labeled; they specify how the components represented by nodes relate to each other.
 */

-// Importing python under the `PY` namespace to avoid pulling in `CallNode` from `Flow.qll` (via `import python`) and thereby having a naming conflict with `API::CallNode`.
+// Importing python under the `py` namespace to avoid importing `CallNode` from `Flow.qll` and thereby having a naming conflict with `API::CallNode`.
 private import python as PY
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.internal.CachedStages

@@ -283,7 +282,7 @@ module API {
      index = this.getIndex() and
      (
        // subscripting
-        exists(Cfg::SubscriptNode subscript |
+        exists(PY::SubscriptNode subscript |
          subscript.getObject() = this.getAValueReachableFromSource().asCfgNode() and
          subscript.getIndex() = index.asSink().asCfgNode()
        |
@@ -291,7 +290,7 @@ module API {
          subscript = result.asSource().asCfgNode()
          or
          // writing
-          subscript.(Cfg::DefinitionNode).getValue() = result.asSink().asCfgNode()
+          subscript.(PY::DefinitionNode).getValue() = result.asSink().asCfgNode()
        )
        or
        // dictionary literals
@@ -685,7 +684,7 @@ module API {
     * Ignores relative imports, such as `from ..foo.bar import baz`.
     */
    private predicate imports(DataFlow::CfgNode imp, string name) {
-      exists(Cfg::ImportExprNode iexpr |
+      exists(PY::ImportExprNode iexpr |
        imp.getNode() = iexpr and
        not iexpr.getNode().isRelative() and
        name = iexpr.getNode().getImportedModuleName()
@@ -776,7 +775,7 @@ module API {
        // list literals, from `x` to `[x]`
        // TODO: once convenient, this should be done at a higher level than the AST,
        // at least at the CFG layer, to take splitting into account.
-        // Also consider `Cfg::SequenceNode` for generality.
+        // Also consider `SequenceNode for generality.
        exists(PY::List list | list = pred.(DataFlow::ExprNode).getNode().getNode() |
          rhs.(DataFlow::ExprNode).getNode().getNode() = list.getAnElt() and
          lbl = Label::subscript()
@@ -806,7 +805,7 @@ module API {
        subscript = trackUseNode(src).getSubscript(index)
      |
        // from `x` to a definition of `x[...]`
-        rhs.asCfgNode() = subscript.asCfgNode().(Cfg::DefinitionNode).getValue() and
+        rhs.asCfgNode() = subscript.asCfgNode().(PY::DefinitionNode).getValue() and
        lbl = Label::subscript()
        or
        // from `x` to `"key"` in `x["key"]`
--- a/python/ql/lib/semmle/python/AstExtended.qll
+++ b/python/ql/lib/semmle/python/AstExtended.qll
@@ -3,7 +3,6 @@ module;

 import python
 private import semmle.python.internal.CachedStages
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /** A syntactic node (Class, Function, Module, Expr, Stmt or Comprehension) corresponding to a flow node */
 abstract class AstNode extends AstNode_ {
@@ -20,16 +19,17 @@ abstract class AstNode extends AstNode_ {
  /**
   * DEPRECATED: use `ControlFlowNode.getNode()` from the other direction instead;
   * that is, replace `e.getAFlowNode() = n` with `n.getNode() = e`. This API is
-   * being removed to untangle the AST and CFG hierarchies.
+   * being removed to untangle the AST and CFG hierarchies in preparation for
+   * migrating the dataflow library off the legacy CFG.
   *
-   * Gets a flow node corresponding directly to this node, from the new
-   * (shared) CFG. NOTE: For some statements and other purely syntactic
-   * elements, there may not be a `ControlFlowNode`.
+   * Gets a flow node corresponding directly to this node.
+   * NOTE: For some statements and other purely syntactic elements,
+   * there may not be a `ControlFlowNode`.
   */
  cached
-  deprecated Cfg::ControlFlowNode getAFlowNode() {
+  deprecated ControlFlowNode getAFlowNode() {
    Stages::AST::ref() and
-    result.getNode() = this
+    py_flow_bb_node(result, this, _, _)
  }

  /** Gets the location for this AST node */
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -5,7 +5,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -215,7 +214,7 @@ module Path {
    SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
  }

-  private predicate safeAccessCheck(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
+  private predicate safeAccessCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
    g.(SafeAccessCheck::Range).checks(node, branch)
  }

@@ -224,7 +223,7 @@ module Path {
    /** A data-flow node that checks that a path is safe to access in some way, for example by having a controlled prefix. */
    abstract class Range extends DataFlow::GuardNode {
      /** Holds if this guard validates `node` upon evaluating to `branch`. */
-      abstract predicate checks(Cfg::ControlFlowNode node, boolean branch);
+      abstract predicate checks(ControlFlowNode node, boolean branch);
    }
  }
 }
--- a/python/ql/lib/semmle/python/Exprs.qll
+++ b/python/ql/lib/semmle/python/Exprs.qll
@@ -3,7 +3,6 @@ module;

 private import python
 private import semmle.python.internal.CachedStages
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /** An expression */
 class Expr extends Expr_, AstNode {
@@ -71,7 +70,7 @@ class Attribute extends Attribute_ {
  /* syntax: Expr.name */
  override Expr getASubExpression() { result = this.getObject() }

-  deprecated override Cfg::AttrNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override AttrNode getAFlowNode() { result = super.getAFlowNode() }

  /** Gets the name of this attribute. That is the `name` in `obj.name` */
  string getName() { result = Attribute_.super.getAttr() }
@@ -100,7 +99,7 @@ class Subscript extends Subscript_ {

  Expr getObject() { result = Subscript_.super.getValue() }

-  deprecated override Cfg::SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
 }

 /** A call expression, such as `func(...)` */
@@ -116,7 +115,7 @@ class Call extends Call_ {

  override string toString() { result = this.getFunc().toString() + "()" }

-  deprecated override Cfg::CallNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override CallNode getAFlowNode() { result = super.getAFlowNode() }

  /** Gets a tuple (*) argument of this call. */
  Expr getStarargs() { result = this.getAPositionalArg().(Starred).getValue() }
@@ -204,7 +203,7 @@ class IfExp extends IfExp_ {
    result = this.getTest() or result = this.getBody() or result = this.getOrelse()
  }

-  deprecated override Cfg::IfExprNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override IfExprNode getAFlowNode() { result = super.getAFlowNode() }
 }

 /** A starred expression, such as the `*rest` in the assignment `first, *rest = seq` */
@@ -414,7 +413,7 @@ class PlaceHolder extends PlaceHolder_ {

  override string toString() { result = "$" + this.getId() }

-  deprecated override Cfg::NameNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override NameNode getAFlowNode() { result = super.getAFlowNode() }
 }

 /** A tuple expression such as `( 1, 3, 5, 7, 9 )` */
@@ -481,7 +480,7 @@ class Name extends Name_ {

  override string toString() { result = this.getId() }

-  deprecated override Cfg::NameNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override NameNode getAFlowNode() { result = super.getAFlowNode() }

  override predicate isArtificial() {
    /* Artificial variable names in comprehensions all start with "." */
@@ -588,7 +587,7 @@ abstract class NameConstant extends Name, ImmutableLiteral {

  override predicate isConstant() { any() }

-  deprecated override Cfg::NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }
+  deprecated override NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }

  override predicate isArtificial() { none() }
 }
--- a/python/ql/lib/semmle/python/Flow.qll
+++ b/python/ql/lib/semmle/python/Flow.qll
@@ -1,7 +1,7 @@
 overlay[local]
 module;

-import python as Py
+import python
 private import semmle.python.internal.CachedStages
 private import codeql.controlflow.BasicBlock as BB

@@ -17,7 +17,7 @@ private import codeql.controlflow.BasicBlock as BB
 */

 private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
-  exists(Py::Expr load_store | exists(Py::AugAssign aa | aa.getTarget() = load_store) |
+  exists(Expr load_store | exists(AugAssign aa | aa.getTarget() = load_store) |
    toAst(load) = load_store and
    toAst(store) = load_store and
    load.strictlyDominates(store)
@@ -25,7 +25,7 @@ private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
 }

 /** A non-dispatched getNode() to avoid negative recursion issues */
-private Py::AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
+private AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }

 /**
 * A control flow node. Control flow nodes have a many-to-one relation with syntactic nodes,
@@ -35,19 +35,19 @@ private Py::AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _)
 class ControlFlowNode extends @py_flow_node {
  /** Whether this control flow node is a load (including those in augmented assignments) */
  predicate isLoad() {
-    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
+    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
  }

  /** Whether this control flow node is a store (including those in augmented assignments) */
  predicate isStore() {
-    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
+    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
  }

  /** Whether this control flow node is a delete */
-  predicate isDelete() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }
+  predicate isDelete() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }

  /** Whether this control flow node is a parameter */
-  predicate isParameter() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }
+  predicate isParameter() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }

  /** Whether this control flow node is a store in an augmented assignment */
  predicate isAugStore() { augstore(_, this) }
@@ -57,61 +57,61 @@ class ControlFlowNode extends @py_flow_node {

  /** Whether this flow node corresponds to a literal */
  predicate isLiteral() {
-    toAst(this) instanceof Py::Bytes
+    toAst(this) instanceof Bytes
    or
-    toAst(this) instanceof Py::Dict
+    toAst(this) instanceof Dict
    or
-    toAst(this) instanceof Py::DictComp
+    toAst(this) instanceof DictComp
    or
-    toAst(this) instanceof Py::Set
+    toAst(this) instanceof Set
    or
-    toAst(this) instanceof Py::SetComp
+    toAst(this) instanceof SetComp
    or
-    toAst(this) instanceof Py::Ellipsis
+    toAst(this) instanceof Ellipsis
    or
-    toAst(this) instanceof Py::GeneratorExp
+    toAst(this) instanceof GeneratorExp
    or
-    toAst(this) instanceof Py::Lambda
+    toAst(this) instanceof Lambda
    or
-    toAst(this) instanceof Py::ListComp
+    toAst(this) instanceof ListComp
    or
-    toAst(this) instanceof Py::List
+    toAst(this) instanceof List
    or
-    toAst(this) instanceof Py::Num
+    toAst(this) instanceof Num
    or
-    toAst(this) instanceof Py::Tuple
+    toAst(this) instanceof Tuple
    or
-    toAst(this) instanceof Py::Unicode
+    toAst(this) instanceof Unicode
    or
-    toAst(this) instanceof Py::NameConstant
+    toAst(this) instanceof NameConstant
  }

  /** Whether this flow node corresponds to an attribute expression */
-  predicate isAttribute() { toAst(this) instanceof Py::Attribute }
+  predicate isAttribute() { toAst(this) instanceof Attribute }

  /** Whether this flow node corresponds to an subscript expression */
-  predicate isSubscript() { toAst(this) instanceof Py::Subscript }
+  predicate isSubscript() { toAst(this) instanceof Subscript }

  /** Whether this flow node corresponds to an import member */
-  predicate isImportMember() { toAst(this) instanceof Py::ImportMember }
+  predicate isImportMember() { toAst(this) instanceof ImportMember }

  /** Whether this flow node corresponds to a call */
-  predicate isCall() { toAst(this) instanceof Py::Call }
+  predicate isCall() { toAst(this) instanceof Call }

  /** Whether this flow node is the first in a module */
-  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Py::Module }
+  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Module }

  /** Whether this flow node corresponds to an import */
-  predicate isImport() { toAst(this) instanceof Py::ImportExpr }
+  predicate isImport() { toAst(this) instanceof ImportExpr }

  /** Whether this flow node corresponds to a conditional expression */
-  predicate isIfExp() { toAst(this) instanceof Py::IfExp }
+  predicate isIfExp() { toAst(this) instanceof IfExp }

  /** Whether this flow node corresponds to a function definition expression */
-  predicate isFunction() { toAst(this) instanceof Py::FunctionExpr }
+  predicate isFunction() { toAst(this) instanceof FunctionExpr }

  /** Whether this flow node corresponds to a class definition expression */
-  predicate isClass() { toAst(this) instanceof Py::ClassExpr }
+  predicate isClass() { toAst(this) instanceof ClassExpr }

  /** Gets a predecessor of this flow node */
  ControlFlowNode getAPredecessor() { this = result.getASuccessor() }
@@ -123,25 +123,25 @@ class ControlFlowNode extends @py_flow_node {
  ControlFlowNode getImmediateDominator() { py_idoms(this, result) }

  /** Gets the syntactic element corresponding to this flow node */
-  Py::AstNode getNode() { py_flow_bb_node(this, result, _, _) }
+  AstNode getNode() { py_flow_bb_node(this, result, _, _) }

  /** Gets a textual representation of this element. */
  cached
  string toString() {
    Stages::AST::ref() and
    // Since modules can have ambigous names, entry nodes can too, if we do not collate them.
-    exists(Py::Scope s | s.getEntryNode() = this |
+    exists(Scope s | s.getEntryNode() = this |
      result = "Entry node for " + concat( | | s.toString(), ",")
    )
    or
-    exists(Py::Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
+    exists(Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
    or
-    not exists(Py::Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
+    not exists(Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
    result = "ControlFlowNode for " + this.getNode().toString()
  }

  /** Gets the location of this ControlFlowNode */
-  Py::Location getLocation() { result = this.getNode().getLocation() }
+  Location getLocation() { result = this.getNode().getLocation() }

  /** Whether this flow node is the first in its scope */
  predicate isEntryNode() { py_scope_flow(this, _, -1) }
@@ -151,9 +151,9 @@ class ControlFlowNode extends @py_flow_node {

  /** Gets the scope containing this flow node */
  cached
-  Py::Scope getScope() {
+  Scope getScope() {
    Stages::AST::ref() and
-    if this.getNode() instanceof Py::Scope
+    if this.getNode() instanceof Scope
    then
      /* Entry or exit node */
      result = this.getNode()
@@ -161,7 +161,7 @@ class ControlFlowNode extends @py_flow_node {
  }

  /** Gets the enclosing module */
-  Py::Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }
+  Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }

  /** Gets a successor for this node if the relevant condition is True. */
  ControlFlowNode getATrueSuccessor() {
@@ -188,7 +188,7 @@ class ControlFlowNode extends @py_flow_node {
  }

  /** Whether the scope may be exited as a result of this node raising an exception */
-  predicate isExceptionalExit(Py::Scope s) { py_scope_flow(this, s, 1) }
+  predicate isExceptionalExit(Scope s) { py_scope_flow(this, s, 1) }

  /** Whether this node is a normal (non-exceptional) exit */
  predicate isNormalExit() { py_scope_flow(this, _, 0) or py_scope_flow(this, _, 2) }
@@ -236,7 +236,7 @@ class ControlFlowNode extends @py_flow_node {
  /* join-ordering helper for `getAChild() */
  pragma[noinline]
  private ControlFlowNode getExprChild(BasicBlock dom) {
-    this.getNode().(Py::Expr).getAChildNode() = result.getNode() and
+    this.getNode().(Expr).getAChildNode() = result.getNode() and
    result.getBasicBlock().dominates(dom) and
    not this instanceof UnaryExprNode
  }
@@ -249,16 +249,16 @@ class ControlFlowNode extends @py_flow_node {
 */

 private class AnyNode extends ControlFlowNode {
-  override Py::AstNode getNode() { result = super.getNode() }
+  override AstNode getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a call expression, such as `func(...)` */
 class CallNode extends ControlFlowNode {
-  CallNode() { toAst(this) instanceof Py::Call }
+  CallNode() { toAst(this) instanceof Call }

  /** Gets the flow node corresponding to the function expression for the call corresponding to this flow node */
  ControlFlowNode getFunction() {
-    exists(Py::Call c |
+    exists(Call c |
      this.getNode() = c and
      c.getFunc() = result.getNode() and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -267,7 +267,7 @@ class CallNode extends ControlFlowNode {

  /** Gets the flow node corresponding to the n'th positional argument of the call corresponding to this flow node */
  ControlFlowNode getArg(int n) {
-    exists(Py::Call c |
+    exists(Call c |
      this.getNode() = c and
      c.getArg(n) = result.getNode() and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -276,7 +276,7 @@ class CallNode extends ControlFlowNode {

  /** Gets the flow node corresponding to the named argument of the call corresponding to this flow node */
  ControlFlowNode getArgByName(string name) {
-    exists(Py::Call c, Py::Keyword k |
+    exists(Call c, Keyword k |
      this.getNode() = c and
      k = c.getANamedArg() and
      k.getValue() = result.getNode() and
@@ -292,7 +292,7 @@ class CallNode extends ControlFlowNode {
    result = this.getArgByName(_)
  }

-  override Py::Call getNode() { result = super.getNode() }
+  override Call getNode() { result = super.getNode() }

  predicate isDecoratorCall() {
    this.isClassDecoratorCall()
@@ -301,11 +301,11 @@ class CallNode extends ControlFlowNode {
  }

  predicate isClassDecoratorCall() {
-    exists(Py::ClassExpr cls | this.getNode() = cls.getADecoratorCall())
+    exists(ClassExpr cls | this.getNode() = cls.getADecoratorCall())
  }

  predicate isFunctionDecoratorCall() {
-    exists(Py::FunctionExpr func | this.getNode() = func.getADecoratorCall())
+    exists(FunctionExpr func | this.getNode() = func.getADecoratorCall())
  }

  /** Gets the first tuple (*) argument of this call, if any. */
@@ -323,11 +323,11 @@ class CallNode extends ControlFlowNode {

 /** A control flow corresponding to an attribute expression, such as `value.attr` */
 class AttrNode extends ControlFlowNode {
-  AttrNode() { toAst(this) instanceof Py::Attribute }
+  AttrNode() { toAst(this) instanceof Attribute }

  /** Gets the flow node corresponding to the object of the attribute expression corresponding to this flow node */
  ControlFlowNode getObject() {
-    exists(Py::Attribute a |
+    exists(Attribute a |
      this.getNode() = a and
      a.getObject() = result.getNode() and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -339,7 +339,7 @@ class AttrNode extends ControlFlowNode {
   * with the matching name
   */
  ControlFlowNode getObject(string name) {
-    exists(Py::Attribute a |
+    exists(Attribute a |
      this.getNode() = a and
      a.getObject() = result.getNode() and
      a.getName() = name and
@@ -348,57 +348,57 @@ class AttrNode extends ControlFlowNode {
  }

  /** Gets the attribute name of the attribute expression corresponding to this flow node */
-  string getName() { exists(Py::Attribute a | this.getNode() = a and a.getName() = result) }
+  string getName() { exists(Attribute a | this.getNode() = a and a.getName() = result) }

-  override Py::Attribute getNode() { result = super.getNode() }
+  override Attribute getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a `from ... import ...` expression */
 class ImportMemberNode extends ControlFlowNode {
-  ImportMemberNode() { toAst(this) instanceof Py::ImportMember }
+  ImportMemberNode() { toAst(this) instanceof ImportMember }

  /**
   * Gets the flow node corresponding to the module in the import-member expression corresponding to this flow node,
   * with the matching name
   */
  ControlFlowNode getModule(string name) {
-    exists(Py::ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
+    exists(ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
      i.getName() = name and
      result.getBasicBlock().dominates(this.getBasicBlock())
    )
  }

-  override Py::ImportMember getNode() { result = super.getNode() }
+  override ImportMember getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to an artificial expression representing an import */
 class ImportExprNode extends ControlFlowNode {
-  ImportExprNode() { toAst(this) instanceof Py::ImportExpr }
+  ImportExprNode() { toAst(this) instanceof ImportExpr }

-  override Py::ImportExpr getNode() { result = super.getNode() }
+  override ImportExpr getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a `from ... import *` statement */
 class ImportStarNode extends ControlFlowNode {
-  ImportStarNode() { toAst(this) instanceof Py::ImportStar }
+  ImportStarNode() { toAst(this) instanceof ImportStar }

  /** Gets the flow node corresponding to the module in the import-star corresponding to this flow node */
  ControlFlowNode getModule() {
-    exists(Py::ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
+    exists(ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
      result.getBasicBlock().dominates(this.getBasicBlock())
    )
  }

-  override Py::ImportStar getNode() { result = super.getNode() }
+  override ImportStar getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a subscript expression, such as `value[slice]` */
 class SubscriptNode extends ControlFlowNode {
-  SubscriptNode() { toAst(this) instanceof Py::Subscript }
+  SubscriptNode() { toAst(this) instanceof Subscript }

  /** flow node corresponding to the value of the sequence in a subscript operation */
  ControlFlowNode getObject() {
-    exists(Py::Subscript s |
+    exists(Subscript s |
      this.getNode() = s and
      s.getObject() = result.getNode() and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -407,23 +407,23 @@ class SubscriptNode extends ControlFlowNode {

  /** flow node corresponding to the index in a subscript operation */
  ControlFlowNode getIndex() {
-    exists(Py::Subscript s |
+    exists(Subscript s |
      this.getNode() = s and
      s.getIndex() = result.getNode() and
      result.getBasicBlock().dominates(this.getBasicBlock())
    )
  }

-  override Py::Subscript getNode() { result = super.getNode() }
+  override Subscript getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a comparison operation, such as `x<y` */
 class CompareNode extends ControlFlowNode {
-  CompareNode() { toAst(this) instanceof Py::Compare }
+  CompareNode() { toAst(this) instanceof Compare }

  /** Whether left and right are a pair of operands for this comparison */
-  predicate operands(ControlFlowNode left, Py::Cmpop op, ControlFlowNode right) {
-    exists(Py::Compare c, Py::Expr eleft, Py::Expr eright |
+  predicate operands(ControlFlowNode left, Cmpop op, ControlFlowNode right) {
+    exists(Compare c, Expr eleft, Expr eright |
      this.getNode() = c and left.getNode() = eleft and right.getNode() = eright
    |
      eleft = c.getLeft() and eright = c.getComparator(0) and op = c.getOp(0)
@@ -436,26 +436,26 @@ class CompareNode extends ControlFlowNode {
    right.getBasicBlock().dominates(this.getBasicBlock())
  }

-  override Py::Compare getNode() { result = super.getNode() }
+  override Compare getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a conditional expression such as, `body if test else orelse` */
 class IfExprNode extends ControlFlowNode {
-  IfExprNode() { toAst(this) instanceof Py::IfExp }
+  IfExprNode() { toAst(this) instanceof IfExp }

  /** flow node corresponding to one of the operands of an if-expression */
  ControlFlowNode getAnOperand() { result = this.getAPredecessor() }

-  override Py::IfExp getNode() { result = super.getNode() }
+  override IfExp getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to an assignment expression such as `lhs := rhs`. */
 class AssignmentExprNode extends ControlFlowNode {
-  AssignmentExprNode() { toAst(this) instanceof Py::AssignExpr }
+  AssignmentExprNode() { toAst(this) instanceof AssignExpr }

  /** Gets the flow node corresponding to the left-hand side of the assignment expression */
  ControlFlowNode getTarget() {
-    exists(Py::AssignExpr a |
+    exists(AssignExpr a |
      this.getNode() = a and
      a.getTarget() = result.getNode() and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -464,27 +464,27 @@ class AssignmentExprNode extends ControlFlowNode {

  /** Gets the flow node corresponding to the right-hand side of the assignment expression */
  ControlFlowNode getValue() {
-    exists(Py::AssignExpr a |
+    exists(AssignExpr a |
      this.getNode() = a and
      a.getValue() = result.getNode() and
      result.getBasicBlock().dominates(this.getBasicBlock())
    )
  }

-  override Py::AssignExpr getNode() { result = super.getNode() }
+  override AssignExpr getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a binary expression, such as `x + y` */
 class BinaryExprNode extends ControlFlowNode {
-  BinaryExprNode() { toAst(this) instanceof Py::BinaryExpr }
+  BinaryExprNode() { toAst(this) instanceof BinaryExpr }

  /** flow node corresponding to one of the operands of a binary expression */
  ControlFlowNode getAnOperand() { result = this.getLeft() or result = this.getRight() }

-  override Py::BinaryExpr getNode() { result = super.getNode() }
+  override BinaryExpr getNode() { result = super.getNode() }

  ControlFlowNode getLeft() {
-    exists(Py::BinaryExpr b |
+    exists(BinaryExpr b |
      this.getNode() = b and
      result.getNode() = b.getLeft() and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -492,7 +492,7 @@ class BinaryExprNode extends ControlFlowNode {
  }

  ControlFlowNode getRight() {
-    exists(Py::BinaryExpr b |
+    exists(BinaryExpr b |
      this.getNode() = b and
      result.getNode() = b.getRight() and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -500,11 +500,11 @@ class BinaryExprNode extends ControlFlowNode {
  }

  /** Gets the operator of this binary expression node. */
-  Py::Operator getOp() { result = this.getNode().getOp() }
+  Operator getOp() { result = this.getNode().getOp() }

  /** Whether left and right are a pair of operands for this binary expression */
-  predicate operands(ControlFlowNode left, Py::Operator op, ControlFlowNode right) {
-    exists(Py::BinaryExpr b, Py::Expr eleft, Py::Expr eright |
+  predicate operands(ControlFlowNode left, Operator op, ControlFlowNode right) {
+    exists(BinaryExpr b, Expr eleft, Expr eright |
      this.getNode() = b and left.getNode() = eleft and right.getNode() = eright
    |
      eleft = b.getLeft() and eright = b.getRight() and op = b.getOp()
@@ -516,20 +516,20 @@ class BinaryExprNode extends ControlFlowNode {

 /** A control flow node corresponding to a boolean shortcut (and/or) operation */
 class BoolExprNode extends ControlFlowNode {
-  BoolExprNode() { toAst(this) instanceof Py::BoolExpr }
+  BoolExprNode() { toAst(this) instanceof BoolExpr }

  /** flow node corresponding to one of the operands of a boolean expression */
  ControlFlowNode getAnOperand() {
-    exists(Py::BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
+    exists(BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
    this.getBasicBlock().dominates(result.getBasicBlock())
  }

-  override Py::BoolExpr getNode() { result = super.getNode() }
+  override BoolExpr getNode() { result = super.getNode() }
 }

 /** A control flow node corresponding to a unary expression: (`+x`), (`-x`) or (`~x`) */
 class UnaryExprNode extends ControlFlowNode {
-  UnaryExprNode() { toAst(this) instanceof Py::UnaryExpr }
+  UnaryExprNode() { toAst(this) instanceof UnaryExpr }

  /**
   * Gets flow node corresponding to the operand of a unary expression.
@@ -540,7 +540,7 @@ class UnaryExprNode extends ControlFlowNode {
   */
  ControlFlowNode getOperand() { result = this.getAPredecessor() }

-  override Py::UnaryExpr getNode() { result = super.getNode() }
+  override UnaryExpr getNode() { result = super.getNode() }

  override ControlFlowNode getAChild() { result = this.getAPredecessor() }
 }
@@ -555,22 +555,22 @@ class DefinitionNode extends ControlFlowNode {
  cached
  DefinitionNode() {
    Stages::AST::ref() and
-    exists(Py::Assign a | this.getNode() = a.getATarget())
+    exists(Assign a | this.getNode() = a.getATarget())
    or
-    exists(Py::AssignExpr a | this.getNode() = a.getTarget())
+    exists(AssignExpr a | this.getNode() = a.getTarget())
    or
-    exists(Py::AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
+    exists(AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
    or
-    exists(Py::Alias a | this.getNode() = a.getAsname())
+    exists(Alias a | this.getNode() = a.getAsname())
    or
    augstore(_, this)
    or
    // `x, y = 1, 2` where LHS is a combination of list or tuples
-    exists(Py::Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
+    exists(Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
    or
-    exists(Py::For for | this.getNode() = for.getTarget())
+    exists(For for | this.getNode() = for.getTarget())
    or
-    exists(Py::Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
+    exists(Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
  }

  /** flow node corresponding to the value assigned for the definition corresponding to this flow node */
@@ -584,16 +584,16 @@ class DefinitionNode extends ControlFlowNode {
      // since the default value for a parameter is evaluated in the same basic block as
      // the function definition, but the parameter belongs to the basic block of the function,
      // there is no dominance relationship between the two.
-      exists(Py::Parameter param | this.getNode() = param.asName())
+      exists(Parameter param | this.getNode() = param.asName())
    )
  }
 }

-private Py::Expr list_or_tuple_nested_element(Py::Expr list_or_tuple) {
-  exists(Py::Expr elt |
-    elt = list_or_tuple.(Py::Tuple).getAnElt()
+private Expr list_or_tuple_nested_element(Expr list_or_tuple) {
+  exists(Expr elt |
+    elt = list_or_tuple.(Tuple).getAnElt()
    or
-    elt = list_or_tuple.(Py::List).getAnElt()
+    elt = list_or_tuple.(List).getAnElt()
  |
    result = elt
    or
@@ -603,12 +603,12 @@ private Py::Expr list_or_tuple_nested_element(Py::Expr list_or_tuple) {

 /**
 * A control flow node corresponding to a deletion statement, such as `del x`.
- * There can be multiple `DeletionNode`s for each `Py::Delete` such that each
+ * There can be multiple `DeletionNode`s for each `Delete` such that each
 * target has own `DeletionNode`. The CFG for `del a, x.y` looks like:
 * `NameNode('a') -> DeletionNode -> NameNode('b') -> AttrNode('y') -> DeletionNode`.
 */
 class DeletionNode extends ControlFlowNode {
-  DeletionNode() { toAst(this) instanceof Py::Delete }
+  DeletionNode() { toAst(this) instanceof Delete }

  /** Gets the unique target of this deletion node. */
  ControlFlowNode getTarget() { result.getASuccessor() = this }
@@ -617,9 +617,9 @@ class DeletionNode extends ControlFlowNode {
 /** A control flow node corresponding to a sequence (tuple or list) literal */
 abstract class SequenceNode extends ControlFlowNode {
  SequenceNode() {
-    toAst(this) instanceof Py::Tuple
+    toAst(this) instanceof Tuple
    or
-    toAst(this) instanceof Py::List
+    toAst(this) instanceof List
  }

  /** Gets the control flow node for an element of this sequence */
@@ -632,11 +632,11 @@ abstract class SequenceNode extends ControlFlowNode {

 /** A control flow node corresponding to a tuple expression such as `( 1, 3, 5, 7, 9 )` */
 class TupleNode extends SequenceNode {
-  TupleNode() { toAst(this) instanceof Py::Tuple }
+  TupleNode() { toAst(this) instanceof Tuple }

  override ControlFlowNode getElement(int n) {
    Stages::AST::ref() and
-    exists(Py::Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
+    exists(Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
    (
      result.getBasicBlock().dominates(this.getBasicBlock())
      or
@@ -647,10 +647,10 @@ class TupleNode extends SequenceNode {

 /** A control flow node corresponding to a list expression, such as `[ 1, 3, 5, 7, 9 ]` */
 class ListNode extends SequenceNode {
-  ListNode() { toAst(this) instanceof Py::List }
+  ListNode() { toAst(this) instanceof List }

  override ControlFlowNode getElement(int n) {
-    exists(Py::List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
+    exists(List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
    (
      result.getBasicBlock().dominates(this.getBasicBlock())
      or
@@ -661,10 +661,10 @@ class ListNode extends SequenceNode {

 /** A control flow node corresponding to a set expression, such as `{ 1, 3, 5, 7, 9 }` */
 class SetNode extends ControlFlowNode {
-  SetNode() { toAst(this) instanceof Py::Set }
+  SetNode() { toAst(this) instanceof Set }

  ControlFlowNode getAnElement() {
-    exists(Py::Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
+    exists(Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
    (
      result.getBasicBlock().dominates(this.getBasicBlock())
      or
@@ -675,20 +675,20 @@ class SetNode extends ControlFlowNode {

 /** A control flow node corresponding to a dictionary literal, such as `{ 'a': 1, 'b': 2 }` */
 class DictNode extends ControlFlowNode {
-  DictNode() { toAst(this) instanceof Py::Dict }
+  DictNode() { toAst(this) instanceof Dict }

  /**
   * Gets a key of this dictionary literal node, for those items that have keys
   * E.g, in {'a':1, **b} this returns only 'a'
   */
  ControlFlowNode getAKey() {
-    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
+    exists(Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
    result.getBasicBlock().dominates(this.getBasicBlock())
  }

  /** Gets a value of this dictionary literal node */
  ControlFlowNode getAValue() {
-    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
+    exists(Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
    result.getBasicBlock().dominates(this.getBasicBlock())
  }
 }
@@ -712,23 +712,21 @@ class IterableNode extends ControlFlowNode {
  }
 }

-private Py::AstNode assigned_value(Py::Expr lhs) {
+private AstNode assigned_value(Expr lhs) {
  /* lhs = result */
-  exists(Py::Assign a | a.getATarget() = lhs and result = a.getValue())
+  exists(Assign a | a.getATarget() = lhs and result = a.getValue())
  or
  /* lhs := result */
-  exists(Py::AssignExpr a | a.getTarget() = lhs and result = a.getValue())
+  exists(AssignExpr a | a.getTarget() = lhs and result = a.getValue())
  or
  /* lhs : annotation = result */
-  exists(Py::AnnAssign a | a.getTarget() = lhs and result = a.getValue())
+  exists(AnnAssign a | a.getTarget() = lhs and result = a.getValue())
  or
  /* import result as lhs */
-  exists(Py::Alias a | a.getAsname() = lhs and result = a.getValue())
+  exists(Alias a | a.getAsname() = lhs and result = a.getValue())
  or
  /* lhs += x  =>  result = (lhs + x) */
-  exists(Py::AugAssign a, Py::BinaryExpr b |
-    b = a.getOperation() and result = b and lhs = b.getLeft()
-  )
+  exists(AugAssign a, BinaryExpr b | b = a.getOperation() and result = b and lhs = b.getLeft())
  or
  /*
   * ..., lhs, ... = ..., result, ...
@@ -736,31 +734,31 @@ private Py::AstNode assigned_value(Py::Expr lhs) {
   * ..., (..., lhs, ...), ... = ..., (..., result, ...), ...
   */

-  exists(Py::Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
+  exists(Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
  or
  /* for lhs in seq: => `result` is the `for` node, representing the `iter(next(seq))` operation. */
-  result.(Py::For).getTarget() = lhs
+  result.(For).getTarget() = lhs
  or
-  exists(Py::Parameter param | lhs = param.asName() and result = param.getDefault())
+  exists(Parameter param | lhs = param.asName() and result = param.getDefault())
 }

 predicate nested_sequence_assign(
-  Py::Expr left_parent, Py::Expr right_parent, Py::Expr left_result, Py::Expr right_result
+  Expr left_parent, Expr right_parent, Expr left_result, Expr right_result
 ) {
-  exists(Py::Assign a |
+  exists(Assign a |
    a.getATarget().getASubExpression*() = left_parent and
    a.getValue().getASubExpression*() = right_parent
  ) and
-  exists(int i, Py::Expr left_elem, Py::Expr right_elem |
+  exists(int i, Expr left_elem, Expr right_elem |
    (
-      left_elem = left_parent.(Py::Tuple).getElt(i)
+      left_elem = left_parent.(Tuple).getElt(i)
      or
-      left_elem = left_parent.(Py::List).getElt(i)
+      left_elem = left_parent.(List).getElt(i)
    ) and
    (
-      right_elem = right_parent.(Py::Tuple).getElt(i)
+      right_elem = right_parent.(Tuple).getElt(i)
      or
-      right_elem = right_parent.(Py::List).getElt(i)
+      right_elem = right_parent.(List).getElt(i)
    )
  |
    left_result = left_elem and right_result = right_elem
@@ -771,9 +769,9 @@ predicate nested_sequence_assign(

 /** A flow node for a `for` statement. */
 class ForNode extends ControlFlowNode {
-  ForNode() { toAst(this) instanceof Py::For }
+  ForNode() { toAst(this) instanceof For }

-  override Py::For getNode() { result = super.getNode() }
+  override For getNode() { result = super.getNode() }

  /** Holds if this `for` statement causes iteration over `sequence` storing each step of the iteration in `target` */
  predicate iterates(ControlFlowNode target, ControlFlowNode sequence) {
@@ -784,7 +782,7 @@ class ForNode extends ControlFlowNode {

  /** Gets the sequence node for this `for` statement. */
  ControlFlowNode getSequence() {
-    exists(Py::For for |
+    exists(For for |
      toAst(this) = for and
      for.getIter() = result.getNode()
    |
@@ -794,7 +792,7 @@ class ForNode extends ControlFlowNode {

  /** A possible `target` for this `for` statement, not accounting for loop unrolling */
  private ControlFlowNode possibleTarget() {
-    exists(Py::For for |
+    exists(For for |
      toAst(this) = for and
      for.getTarget() = result.getNode() and
      this.getBasicBlock().dominates(result.getBasicBlock())
@@ -811,11 +809,11 @@ class ForNode extends ControlFlowNode {

 /** A flow node for a `raise` statement */
 class RaiseStmtNode extends ControlFlowNode {
-  RaiseStmtNode() { toAst(this) instanceof Py::Raise }
+  RaiseStmtNode() { toAst(this) instanceof Raise }

  /** Gets the control flow node for the exception raised by this raise statement */
  ControlFlowNode getException() {
-    exists(Py::Raise r |
+    exists(Raise r |
      r = toAst(this) and
      r.getException() = toAst(result) and
      result.getBasicBlock().dominates(this.getBasicBlock())
@@ -829,36 +827,36 @@ class RaiseStmtNode extends ControlFlowNode {
 */
 class NameNode extends ControlFlowNode {
  NameNode() {
-    exists(Py::Name n | py_flow_bb_node(this, n, _, _))
+    exists(Name n | py_flow_bb_node(this, n, _, _))
    or
-    exists(Py::PlaceHolder p | py_flow_bb_node(this, p, _, _))
+    exists(PlaceHolder p | py_flow_bb_node(this, p, _, _))
  }

  /** Whether this flow node defines the variable `v`. */
-  predicate defines(Py::Variable v) {
-    exists(Py::Name d | this.getNode() = d and d.defines(v)) and
+  predicate defines(Variable v) {
+    exists(Name d | this.getNode() = d and d.defines(v)) and
    not this.isLoad()
  }

  /** Whether this flow node deletes the variable `v`. */
-  predicate deletes(Py::Variable v) { exists(Py::Name d | this.getNode() = d and d.deletes(v)) }
+  predicate deletes(Variable v) { exists(Name d | this.getNode() = d and d.deletes(v)) }

  /** Whether this flow node uses the variable `v`. */
-  predicate uses(Py::Variable v) {
+  predicate uses(Variable v) {
    this.isLoad() and
-    exists(Py::Name u | this.getNode() = u and u.uses(v))
+    exists(Name u | this.getNode() = u and u.uses(v))
    or
-    exists(Py::PlaceHolder u |
-      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Py::Load
+    exists(PlaceHolder u |
+      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Load
    )
    or
    Scopes::use_of_global_variable(this, v.getScope(), v.getId())
  }

  string getId() {
-    result = this.getNode().(Py::Name).getId()
+    result = this.getNode().(Name).getId()
    or
-    result = this.getNode().(Py::PlaceHolder).getId()
+    result = this.getNode().(PlaceHolder).getId()
  }

  /** Whether this is a use of a local variable. */
@@ -870,39 +868,37 @@ class NameNode extends ControlFlowNode {
  /** Whether this is a use of a global (including builtin) variable. */
  predicate isGlobal() { Scopes::use_of_global_variable(this, _, _) }

-  predicate isSelf() {
-    exists(Py::SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this)
-  }
+  predicate isSelf() { exists(SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this) }
 }

 /** A control flow node corresponding to a named constant, one of `None`, `True` or `False`. */
 class NameConstantNode extends NameNode {
-  NameConstantNode() { exists(Py::NameConstant n | py_flow_bb_node(this, n, _, _)) }
+  NameConstantNode() { exists(NameConstant n | py_flow_bb_node(this, n, _, _)) }
  /*
   * We ought to override uses as well, but that has
   * a serious performance impact.
-   *    deprecated predicate uses(Py::Variable v) { none() }
+   *    deprecated predicate uses(Variable v) { none() }
   */

  }

 /** A control flow node corresponding to a starred expression, `*a`. */
 class StarredNode extends ControlFlowNode {
-  StarredNode() { toAst(this) instanceof Py::Starred }
+  StarredNode() { toAst(this) instanceof Starred }

-  ControlFlowNode getValue() { toAst(result) = toAst(this).(Py::Starred).getValue() }
+  ControlFlowNode getValue() { toAst(result) = toAst(this).(Starred).getValue() }
 }

 /** The ControlFlowNode for an 'except' statement. */
 class ExceptFlowNode extends ControlFlowNode {
-  ExceptFlowNode() { this.getNode() instanceof Py::ExceptStmt }
+  ExceptFlowNode() { this.getNode() instanceof ExceptStmt }

  /**
   * Gets the type handled by this exception handler.
-   * `Py::ExceptionType` in `except Py::ExceptionType as e:`
+   * `ExceptionType` in `except ExceptionType as e:`
   */
  ControlFlowNode getType() {
-    exists(Py::ExceptStmt ex |
+    exists(ExceptStmt ex |
      this.getBasicBlock().dominates(result.getBasicBlock()) and
      ex = this.getNode() and
      result.getNode() = ex.getType()
@@ -911,10 +907,10 @@ class ExceptFlowNode extends ControlFlowNode {

  /**
   * Gets the name assigned to the handled exception, if any.
-   * `e` in `except Py::ExceptionType as e:`
+   * `e` in `except ExceptionType as e:`
   */
  ControlFlowNode getName() {
-    exists(Py::ExceptStmt ex |
+    exists(ExceptStmt ex |
      this.getBasicBlock().dominates(result.getBasicBlock()) and
      ex = this.getNode() and
      result.getNode() = ex.getName()
@@ -924,30 +920,30 @@ class ExceptFlowNode extends ControlFlowNode {

 /** The ControlFlowNode for an 'except*' statement. */
 class ExceptGroupFlowNode extends ControlFlowNode {
-  ExceptGroupFlowNode() { this.getNode() instanceof Py::ExceptGroupStmt }
+  ExceptGroupFlowNode() { this.getNode() instanceof ExceptGroupStmt }

  /**
   * Gets the type handled by this exception handler.
-   * `Py::ExceptionType` in `except* Py::ExceptionType as e:`
+   * `ExceptionType` in `except* ExceptionType as e:`
   */
  ControlFlowNode getType() {
    this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getType()
+    result.getNode() = this.getNode().(ExceptGroupStmt).getType()
  }

  /**
   * Gets the name assigned to the handled exception, if any.
-   * `e` in `except* Py::ExceptionType as e:`
+   * `e` in `except* ExceptionType as e:`
   */
  ControlFlowNode getName() {
    this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getName()
+    result.getNode() = this.getNode().(ExceptGroupStmt).getName()
  }
 }

 private module Scopes {
  private predicate fast_local(NameNode n) {
-    exists(Py::FastLocalVariable v |
+    exists(FastLocalVariable v |
      n.uses(v) and
      v.getScope() = n.getScope()
    )
@@ -956,15 +952,15 @@ private module Scopes {
  predicate local(NameNode n) {
    fast_local(n)
    or
-    exists(Py::SsaVariable var |
+    exists(SsaVariable var |
      var.getAUse() = n and
-      n.getScope() instanceof Py::Class and
+      n.getScope() instanceof Class and
      exists(var.getDefinition())
    )
  }

  predicate non_local(NameNode n) {
-    exists(Py::FastLocalVariable flv |
+    exists(FastLocalVariable flv |
      flv.getALoad() = n.getNode() and
      not flv.getScope() = n.getScope()
    )
@@ -972,20 +968,20 @@ private module Scopes {

  // magic is fine, but we get questionable join-ordering of it
  pragma[nomagic]
-  predicate use_of_global_variable(NameNode n, Py::Module scope, string name) {
+  predicate use_of_global_variable(NameNode n, Module scope, string name) {
    n.isLoad() and
    not non_local(n) and
-    not exists(Py::SsaVariable var | var.getAUse() = n |
-      var.getVariable() instanceof Py::FastLocalVariable
+    not exists(SsaVariable var | var.getAUse() = n |
+      var.getVariable() instanceof FastLocalVariable
      or
-      n.getScope() instanceof Py::Class and
+      n.getScope() instanceof Class and
      not maybe_undefined(var)
    ) and
    name = n.getId() and
    scope = n.getEnclosingModule()
  }

-  private predicate maybe_undefined(Py::SsaVariable var) {
+  private predicate maybe_undefined(SsaVariable var) {
    not exists(var.getDefinition()) and not py_ssa_phi(var, _)
    or
    var.getDefinition().isDelete()
@@ -1062,13 +1058,13 @@ class BasicBlock extends @py_flow_node {
  private predicate oneNodeBlock() { this.firstNode() = this.getLastNode() }

  private predicate startLocationInfo(string file, int line, int col) {
-    if this.firstNode().getNode() instanceof Py::Scope
+    if this.firstNode().getNode() instanceof Scope
    then this.firstNode().getASuccessor().getLocation().hasLocationInfo(file, line, col, _, _)
    else this.firstNode().getLocation().hasLocationInfo(file, line, col, _, _)
  }

  private predicate endLocationInfo(int endl, int endc) {
-    if this.getLastNode().getNode() instanceof Py::Scope and not this.oneNodeBlock()
+    if this.getLastNode().getNode() instanceof Scope and not this.oneNodeBlock()
    then this.getLastNode().getAPredecessor().getLocation().hasLocationInfo(_, _, _, endl, endc)
    else this.getLastNode().getLocation().hasLocationInfo(_, _, _, endl, endc)
  }
@@ -1085,7 +1081,7 @@ class BasicBlock extends @py_flow_node {

  /** Whether flow from this basic block reaches a normal exit from its scope */
  predicate reachesExit() {
-    exists(Py::Scope s | s.getANormalExit().getBasicBlock() = this)
+    exists(Scope s | s.getANormalExit().getBasicBlock() = this)
    or
    this.getASuccessor().reachesExit()
  }
@@ -1126,7 +1122,7 @@ class BasicBlock extends @py_flow_node {

  /** Gets the scope of this block */
  pragma[nomagic]
-  Py::Scope getScope() {
+  Scope getScope() {
    exists(ControlFlowNode n | n.getBasicBlock() = this |
      /* Take care not to use an entry or exit node as that node's scope will be the outer scope */
      not py_scope_flow(n, _, -1) and
@@ -1149,17 +1145,17 @@ class BasicBlock extends @py_flow_node {
  predicate reaches(BasicBlock other) { this = other or this.strictlyReaches(other) }

  /**
-   * Gets the `Py::ConditionBlock`, if any, that controls this block and
-   * does not control any other `Py::ConditionBlock`s that control this block.
-   * That is the `Py::ConditionBlock` that is closest dominator.
+   * Gets the `ConditionBlock`, if any, that controls this block and
+   * does not control any other `ConditionBlock`s that control this block.
+   * That is the `ConditionBlock` that is closest dominator.
   */
-  Py::ConditionBlock getImmediatelyControllingBlock() {
+  ConditionBlock getImmediatelyControllingBlock() {
    result = this.nonControllingImmediateDominator*().getImmediateDominator()
  }

  private BasicBlock nonControllingImmediateDominator() {
    result = this.getImmediateDominator() and
-    not result.(Py::ConditionBlock).controls(this, _)
+    not result.(ConditionBlock).controls(this, _)
  }

  /**
@@ -1179,7 +1175,7 @@ private class ControlFlowNodeAlias = ControlFlowNode;

 final private class FinalBasicBlock = BasicBlock;

-module Cfg implements BB::CfgSig<Py::Location> {
+module Cfg implements BB::CfgSig<Location> {
  private import codeql.controlflow.SuccessorType

  class ControlFlowNode = ControlFlowNodeAlias;
@@ -1190,7 +1186,7 @@ module Cfg implements BB::CfgSig<Py::Location> {
    // Using the location of the first node is simple
    // and we just need a way to identify the basic block
    // during debugging, so this will be serviceable.
-    Py::Location getLocation() { result = super.getNode(0).getLocation() }
+    Location getLocation() { result = super.getNode(0).getLocation() }

    int length() { result = count(int i | exists(this.getNode(i))) }

--- a/python/ql/lib/semmle/python/Function.qll
+++ b/python/ql/lib/semmle/python/Function.qll
@@ -2,7 +2,6 @@ overlay[local]
 module;

 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * A function, independent of defaults and binding.
@@ -158,12 +157,12 @@ class Function extends Function_, Scope, AstNode {
   * DEPRECATED: bind a `Return` node explicitly instead, e.g.
   * `exists(Return ret | ret.getScope() = this and n.getNode() = ret.getValue())`.
   * This API is being phased out together with `AstNode.getAFlowNode()` to
-   * untangle the AST and CFG hierarchies.
+   * untangle the AST and CFG hierarchies in preparation for migrating the
+   * dataflow library off the legacy CFG.
   *
-   * Gets a control flow node for a return value of this function, from the
-   * new (shared) CFG.
+   * Gets a control flow node for a return value of this function.
   */
-  deprecated Cfg::ControlFlowNode getAReturnValueFlowNode() {
+  deprecated ControlFlowNode getAReturnValueFlowNode() {
    exists(Return ret |
      ret.getScope() = this and
      ret.getValue() = result.getNode()
--- a/python/ql/lib/semmle/python/Import.qll
+++ b/python/ql/lib/semmle/python/Import.qll
@@ -4,7 +4,6 @@ module;
 import python
 private import semmle.python.types.Builtins
 private import semmle.python.internal.CachedStages
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * An alias in an import statement, the `mod as name` part of `import mod as name`. May be artificial;
@@ -164,7 +163,7 @@ class ImportMember extends ImportMember_ {
    result = this.getModule().(ImportExpr).getImportedModuleName() + "." + this.getName()
  }

-  deprecated override Cfg::ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
 }

 /** An import statement */
--- a/python/ql/lib/semmle/python/controlflow/internal/AstNodeImpl.qll
+++ b/python/ql/lib/semmle/python/controlflow/internal/AstNodeImpl.qll
--- a/python/ql/lib/semmle/python/controlflow/internal/Cfg.qll
+++ b/python/ql/lib/semmle/python/controlflow/internal/Cfg.qll
--- a/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll
@@ -1,12 +1,11 @@
 /** Provides commonly used BarrierGuards. */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow

-private predicate constCompare(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
-  exists(Cfg::CompareNode cn | cn = g |
-    exists(ImmutableLiteral const, Cmpop op, Cfg::ControlFlowNode c |
+private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  exists(CompareNode cn | cn = g |
+    exists(ImmutableLiteral const, Cmpop op, ControlFlowNode c |
      c.getNode() = const and
      (
        op = any(Eq eq) and branch = true
@@ -19,7 +18,7 @@ private predicate constCompare(DataFlow::GuardNode g, Cfg::ControlFlowNode node,
      cn.operands(node, op, c)
    )
    or
-    exists(NameConstant const, Cmpop op, Cfg::ControlFlowNode c |
+    exists(NameConstant const, Cmpop op, ControlFlowNode c |
      c.getNode() = const and
      (
        op = any(Is is_) and branch = true
@@ -32,12 +31,12 @@ private predicate constCompare(DataFlow::GuardNode g, Cfg::ControlFlowNode node,
      cn.operands(node, op, c)
    )
    or
-    exists(Cfg::IterableNode const_iterable, Cmpop op |
+    exists(IterableNode const_iterable, Cmpop op |
      op = any(In in_) and branch = true
      or
      op = any(NotIn ni) and branch = false
    |
-      forall(Cfg::ControlFlowNode elem | elem = const_iterable.getAnElement() |
+      forall(ControlFlowNode elem | elem = const_iterable.getAnElement() |
        elem.getNode() instanceof ImmutableLiteral
      ) and
      cn.operands(node, op, const_iterable)
--- a/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -4,7 +4,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 // Need to import `semmle.python.Frameworks` since frameworks can extend `SensitiveDataSource::Range`
 private import semmle.python.Frameworks
@@ -106,7 +105,7 @@ private module SensitiveDataModeling {
      or
      // to cover functions that we don't have the definition for, and where the
      // reference to the function has not already been marked as being sensitive
-      this.getFunction().asCfgNode().(Cfg::NameNode).getId() = sensitiveString(classification)
+      this.getFunction().asCfgNode().(NameNode).getId() = sensitiveString(classification)
    }

    override SensitiveDataClassification getClassification() { result = classification }
@@ -252,12 +251,12 @@ private module SensitiveDataModeling {
    SensitiveDataClassification classification;

    SensitiveVariableAssignment() {
-      exists(Cfg::DefinitionNode def |
-        def.(Cfg::NameNode).getId() = sensitiveString(classification) and
+      exists(DefinitionNode def |
+        def.(NameNode).getId() = sensitiveString(classification) and
        (
          this.asCfgNode() = def.getValue()
          or
-          this.asCfgNode() = def.getValue().(Cfg::ForNode).getSequence()
+          this.asCfgNode() = def.getValue().(ForNode).getSequence()
        ) and
        not this.asExpr() instanceof FunctionExpr and
        not this.asExpr() instanceof ClassExpr
@@ -294,7 +293,7 @@ private module SensitiveDataModeling {
    SensitiveDataClassification classification;

    SensitiveSubscript() {
-      this.asCfgNode().(Cfg::SubscriptNode).getIndex() =
+      this.asCfgNode().(SubscriptNode).getIndex() =
        sensitiveLookupStringConst(classification).asCfgNode()
    }

--- a/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll
@@ -3,7 +3,6 @@ overlay[local]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import DataFlowUtil
 import DataFlowPublic
 private import DataFlowPrivate
@@ -84,9 +83,9 @@ abstract class AttrWrite extends AttrRef {
 * ```python
 * object.attr = value
 * ```
- * Also gives access to the `value` being written, by extending `Cfg::DefinitionNode`.
+ * Also gives access to the `value` being written, by extending `DefinitionNode`.
 */
-private class AttributeAssignmentNode extends Cfg::DefinitionNode, Cfg::AttrNode { }
+private class AttributeAssignmentNode extends DefinitionNode, AttrNode { }

 /** A simple attribute assignment: `object.attr = value`. */
 private class AttributeAssignmentAsAttrWrite extends AttrWrite, CfgNode {
@@ -132,13 +131,13 @@ private class GlobalAttributeAssignmentAsAttrWrite extends AttrWrite, CfgNode {
  override string getAttributeName() { result = node.getName() }
 }

-/** Represents `Cfg::CallNode`s that may refer to calls to built-in functions or classes. */
-private class BuiltInCallNode extends Cfg::CallNode {
+/** Represents `CallNode`s that may refer to calls to built-in functions or classes. */
+private class BuiltInCallNode extends CallNode {
  string name;

  BuiltInCallNode() {
    // TODO disallow instances where the name of the built-in may refer to an in-scope variable of that name.
-    exists(Cfg::NameNode id |
+    exists(NameNode id |
      name = Builtins::getBuiltinName() and
      this.getFunction() = id and
      id.getId() = name and
@@ -146,7 +145,7 @@ private class BuiltInCallNode extends Cfg::CallNode {
    )
  }

-  /** Gets the name of the built-in function that is called at this `Cfg::CallNode` */
+  /** Gets the name of the built-in function that is called at this `CallNode` */
  string getBuiltinName() { result = name }
 }

@@ -158,20 +157,20 @@ private class BuiltinAttrCallNode extends BuiltInCallNode {
  BuiltinAttrCallNode() { name in ["setattr", "getattr", "hasattr", "delattr"] }

  /** Gets the control flow node for object on which the attribute is accessed. */
-  Cfg::ControlFlowNode getObject() { result in [this.getArg(0), this.getArgByName("object")] }
+  ControlFlowNode getObject() { result in [this.getArg(0), this.getArgByName("object")] }

  /**
   * Gets the control flow node for the value that is being written to the attribute.
   * Only relevant for `setattr` calls.
   */
-  Cfg::ControlFlowNode getValue() {
+  ControlFlowNode getValue() {
    // only valid for `setattr`
    name = "setattr" and
    result in [this.getArg(2), this.getArgByName("value")]
  }

  /** Gets the control flow node that defines the name of the attribute being accessed. */
-  Cfg::ControlFlowNode getName() { result in [this.getArg(1), this.getArgByName("name")] }
+  ControlFlowNode getName() { result in [this.getArg(1), this.getArgByName("name")] }
 }

 /** Represents calls to the built-in `setattr`. */
@@ -206,10 +205,10 @@ private class SetAttrCallAsAttrWrite extends AttrWrite, CfgNode {
 *     attr = value
 *     ...
 * ```
- * Instances of this class correspond to the `Cfg::NameNode` for `attr`, and also gives access to `value` by
- * virtue of being a `Cfg::DefinitionNode`.
+ * Instances of this class correspond to the `NameNode` for `attr`, and also gives access to `value` by
+ * virtue of being a `DefinitionNode`.
 */
-private class ClassAttributeAssignmentNode extends Cfg::DefinitionNode, Cfg::NameNode {
+private class ClassAttributeAssignmentNode extends DefinitionNode, NameNode {
  ClassAttributeAssignmentNode() { this.getScope() = any(ClassExpr c).getInnerScope() }
 }

@@ -249,7 +248,7 @@ abstract class AttrRead extends AttrRef, Node, LocalSourceNode {

 /** A simple attribute read, e.g. `object.attr` */
 private class AttributeReadAsAttrRead extends AttrRead, CfgNode {
-  override Cfg::AttrNode node;
+  override AttrNode node;

  AttributeReadAsAttrRead() { node.isLoad() }

@@ -286,7 +285,7 @@ private class GetAttrCallAsAttrRead extends AttrRead, CfgNode {
 * is treated as if it is a read of the attribute `module.attr`, even if `module` is not imported directly.
 */
 private class ModuleAttributeImportAsAttrRead extends AttrRead, CfgNode {
-  override Cfg::ImportMemberNode node;
+  override ImportMemberNode node;

  override Node getObject() { result.asCfgNode() = node.getModule(_) }

--- a/python/ql/lib/semmle/python/dataflow/new/internal/Builtins.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/Builtins.qll
@@ -3,7 +3,6 @@ overlay[local]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar

@@ -68,7 +67,7 @@ module Builtins {
  DataFlow::CfgNode likelyBuiltin(string name) {
    exists(Module m |
      result.getNode() =
-        any(Cfg::NameNode n |
+        any(NameNode n |
          possible_builtin_accessed_in_module(n, name, m) and
          not possible_builtin_defined_in_module(name, m)
        )
@@ -88,7 +87,7 @@ module Builtins {
   * Holds if `n` is an access of a global variable called `name` (which is also the name of a
   * built-in) inside the module `m`.
   */
-  private predicate possible_builtin_accessed_in_module(Cfg::NameNode n, string name, Module m) {
+  private predicate possible_builtin_accessed_in_module(NameNode n, string name, Module m) {
    n.isGlobal() and
    n.isLoad() and
    name = n.getId() and
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll
@@ -25,7 +25,7 @@
 * what callable this call might end up targeting.
 *
 * Specifically this means that we cannot use type-backtrackers from the function of a
- * `Cfg::CallNode`, since there is no `Cfg::CallNode` to backtrack from for `func` in the example
+ * `CallNode`, since there is no `CallNode` to backtrack from for `func` in the example
 * above.
 *
 * Note: This hasn't been 100% realized yet, so we don't currently expose a predicate to
@@ -35,7 +35,6 @@ overlay[local?]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -163,7 +162,7 @@ newtype TArgumentPosition =
   */
  TLambdaSelfArgumentPosition() or
  TPositionalArgumentPosition(int index) {
-    exists(any(Cfg::CallNode c).getArg(index))
+    exists(any(CallNode c).getArg(index))
    or
    // since synthetic calls within a summarized callable could use a unique argument
    // position, we need to ensure we make these available (these are specified as
@@ -175,7 +174,7 @@ newtype TArgumentPosition =
    index = 0
  } or
  TKeywordArgumentPosition(string name) {
-    exists(any(Cfg::CallNode c).getArgByName(name))
+    exists(any(CallNode c).getArgByName(name))
    or
    // see comment for TPositionalArgumentPosition
    FlowSummaryImpl::ParsePositions::isParsedKeywordParameterPosition(_, name)
@@ -298,12 +297,10 @@ predicate hasPropertyDecorator(Function func) {
 */
 overlay[local]
 predicate hasContextmanagerDecorator(Function func) {
-  exists(Cfg::ControlFlowNode contextmanager |
-    contextmanager.(Cfg::NameNode).getId() = "contextmanager" and
-    contextmanager.(Cfg::NameNode).isGlobal()
+  exists(ControlFlowNode contextmanager |
+    contextmanager.(NameNode).getId() = "contextmanager" and contextmanager.(NameNode).isGlobal()
    or
-    contextmanager.(Cfg::AttrNode).getObject("contextmanager").(Cfg::NameNode).getId() =
-      "contextlib"
+    contextmanager.(AttrNode).getObject("contextmanager").(NameNode).getId() = "contextlib"
  |
    func.getADecorator() = contextmanager.getNode()
  )
@@ -319,10 +316,10 @@ predicate hasContextmanagerDecorator(Function func) {
 */
 overlay[local]
 private predicate hasOverloadDecorator(Function func) {
-  exists(Cfg::ControlFlowNode overload |
-    overload.(Cfg::NameNode).getId() = "overload" and overload.(Cfg::NameNode).isGlobal()
+  exists(ControlFlowNode overload |
+    overload.(NameNode).getId() = "overload" and overload.(NameNode).isGlobal()
    or
-    overload.(Cfg::AttrNode).getObject("overload").(Cfg::NameNode).isGlobal()
+    overload.(AttrNode).getObject("overload").(NameNode).isGlobal()
  |
    func.getADecorator() = overload.getNode()
  )
@@ -541,7 +538,7 @@ class LibraryCallableValue extends DataFlowCallable, TLibraryCallable {
 // =============================================================================
 /** Gets a call to `type`. */
 private CallCfgNode getTypeCall() {
-  exists(Cfg::NameNode id | id.getId() = "type" and id.isGlobal() |
+  exists(NameNode id | id.getId() = "type" and id.isGlobal() |
    result.getFunction().asCfgNode() = id
  )
 }
@@ -553,7 +550,7 @@ private CallCfgNode getSuperCall() {
  // link below), but otherwise only 2 edgecases. Overall it seems ok to ignore this complexity.
  //
  // https://github.com/python/cpython/blob/18b1782192f85bd26db89f5bc850f8bee4247c1a/Lib/unittest/mock.py#L48-L50
-  exists(Cfg::NameNode id | id.getId() = "super" and id.isGlobal() |
+  exists(NameNode id | id.getId() = "super" and id.isGlobal() |
    result.getFunction().asCfgNode() = id
  )
 }
@@ -1039,7 +1036,7 @@ private module MethodCalls {
   */
  pragma[nomagic]
  private predicate directCall(
-    Cfg::CallNode call, Function target, string functionName, Class cls, AttrRead attr, Node self
+    CallNode call, Function target, string functionName, Class cls, AttrRead attr, Node self
  ) {
    target = findFunctionAccordingToMroKnownStartingClass(cls, functionName) and
    directCall_join(call, functionName, cls, attr, self)
@@ -1048,7 +1045,7 @@ private module MethodCalls {
  /** Extracted to give good join order */
  pragma[nomagic]
  private predicate directCall_join(
-    Cfg::CallNode call, string functionName, Class cls, AttrRead attr, Node self
+    CallNode call, string functionName, Class cls, AttrRead attr, Node self
  ) {
    call.getFunction() = attrReadTracker(attr).asCfgNode() and
    attr.accesses(self, functionName) and
@@ -1065,7 +1062,7 @@ private module MethodCalls {
   */
  pragma[nomagic]
  private predicate callWithinMethodImplicitSelfOrCls(
-    Cfg::CallNode call, Function target, string functionName, Class classWithMethod, AttrRead attr,
+    CallNode call, Function target, string functionName, Class classWithMethod, AttrRead attr,
    Node self
  ) {
    target = findFunctionAccordingToMro(getADirectSubclass*(classWithMethod), functionName) and
@@ -1075,7 +1072,7 @@ private module MethodCalls {
  /** Extracted to give good join order */
  pragma[nomagic]
  private predicate callWithinMethodImplicitSelfOrCls_join(
-    Cfg::CallNode call, string functionName, Class classWithMethod, AttrRead attr, Node self
+    CallNode call, string functionName, Class classWithMethod, AttrRead attr, Node self
  ) {
    call.getFunction() = attrReadTracker(attr).asCfgNode() and
    attr.accesses(self, functionName) and
@@ -1087,7 +1084,7 @@ private module MethodCalls {
   * resolve the call to a known target (since the only super class might be the
   * builtin `object`, so we never have the implementation of `__new__` in the DB).
   */
-  predicate fromSuperNewCall(Cfg::CallNode call, Class classUsedInSuper, AttrRead attr, Node self) {
+  predicate fromSuperNewCall(CallNode call, Class classUsedInSuper, AttrRead attr, Node self) {
    fromSuper_join(call, "__new__", classUsedInSuper, attr, self) and
    self in [classTracker(_), clsArgumentTracker(_)]
  }
@@ -1109,7 +1106,7 @@ private module MethodCalls {
   */
  pragma[nomagic]
  predicate fromSuper(
-    Cfg::CallNode call, Function target, string functionName, Class classUsedInSuper, AttrRead attr,
+    CallNode call, Function target, string functionName, Class classUsedInSuper, AttrRead attr,
    Node self
  ) {
    target = findFunctionAccordingToMro(getNextClassInMro(classUsedInSuper), functionName) and
@@ -1119,7 +1116,7 @@ private module MethodCalls {
  /** Extracted to give good join order */
  pragma[nomagic]
  private predicate fromSuper_join(
-    Cfg::CallNode call, string functionName, Class classUsedInSuper, AttrRead attr, Node self
+    CallNode call, string functionName, Class classUsedInSuper, AttrRead attr, Node self
  ) {
    call.getFunction() = attrReadTracker(attr).asCfgNode() and
    (
@@ -1138,7 +1135,7 @@ private module MethodCalls {
    )
  }

-  predicate resolveMethodCall(Cfg::CallNode call, Function target, CallType type, Node self) {
+  predicate resolveMethodCall(CallNode call, Function target, CallType type, Node self) {
    (
      directCall(call, target, _, _, _, self)
      or
@@ -1185,7 +1182,7 @@ import MethodCalls
 * NOTE: We have this predicate mostly to be able to compare with old point-to
 * call-graph resolution. So it could be removed in the future.
 */
-predicate resolveClassCall(Cfg::CallNode call, Class cls) {
+predicate resolveClassCall(CallNode call, Class cls) {
  call.getFunction() = classTracker(cls).asCfgNode()
  or
  // `cls()` inside a classmethod (which also contains `type(self)()` inside a method)
@@ -1215,7 +1212,7 @@ Function invokedFunctionFromClassConstruction(Class cls, string funcName) {
 *
 * See https://docs.python.org/3/reference/datamodel.html#object.__call__
 */
-predicate resolveClassInstanceCall(Cfg::CallNode call, Function target, Node self) {
+predicate resolveClassInstanceCall(CallNode call, Function target, Node self) {
  exists(Class cls |
    call.getFunction() = classInstanceTracker(cls).asCfgNode() and
    target = findFunctionAccordingToMroKnownStartingClass(cls, "__call__")
@@ -1234,7 +1231,7 @@ predicate resolveClassInstanceCall(Cfg::CallNode call, Function target, Node sel
 * Holds if `call` is a call to the `target`, with call-type `type`.
 */
 cached
-predicate resolveCall(Cfg::CallNode call, Function target, CallType type) {
+predicate resolveCall(CallNode call, Function target, CallType type) {
  Stages::DataFlow::ref() and
  (
    type instanceof CallTypePlainFunction and
@@ -1259,11 +1256,11 @@ predicate resolveCall(Cfg::CallNode call, Function target, CallType type) {
 // =============================================================================
 /**
 * Holds if the argument of `call` at position `apos` is `arg`. This is just a helper
- * predicate that maps ArgumentPositions to the arguments of the underlying `Cfg::CallNode`.
+ * predicate that maps ArgumentPositions to the arguments of the underlying `CallNode`.
 */
 overlay[local]
 cached
-predicate normalCallArg(Cfg::CallNode call, Node arg, ArgumentPosition apos) {
+predicate normalCallArg(CallNode call, Node arg, ArgumentPosition apos) {
  exists(int index |
    apos.isPositional(index) and
    arg.asCfgNode() = call.getArg(index)
@@ -1278,7 +1275,7 @@ predicate normalCallArg(Cfg::CallNode call, Node arg, ArgumentPosition apos) {
  exists(int index |
    apos.isStarArgs(index) and
    arg.asCfgNode() = call.getStarArg() and
-    // since `Cfg::CallNode.getArg` doesn't include `*args`, we need to drop to the AST level
+    // since `CallNode.getArg` doesn't include `*args`, we need to drop to the AST level
    // to get the index. Notice that we only use the AST for getting the index, so we
    // don't need to check for dominance in regards to splitting.
    call.getStarArg().getNode() = call.getNode().getPositionalArg(index).(Starred).getValue()
@@ -1352,9 +1349,7 @@ predicate normalCallArg(Cfg::CallNode call, Node arg, ArgumentPosition apos) {
 * translated into `l.clear()`, and we can still have use-use flow.
 */
 cached
-predicate getCallArg(
-  Cfg::CallNode call, Function target, CallType type, Node arg, ArgumentPosition apos
-) {
+predicate getCallArg(CallNode call, Function target, CallType type, Node arg, ArgumentPosition apos) {
  Stages::DataFlow::ref() and
  resolveCall(call, target, type) and
  (
@@ -1447,12 +1442,10 @@ private predicate sameEnclosingCallable(Node node1, Node node2) {
 // DataFlowCall
 // =============================================================================
 newtype TDataFlowCall =
-  TNormalCall(Cfg::CallNode call, Function target, CallType type) {
-    call.injects(_) and resolveCall(call, target, type)
-  } or
+  TNormalCall(CallNode call, Function target, CallType type) { resolveCall(call, target, type) } or
  /** A call to the generated function inside a comprehension */
  TComprehensionCall(Comp c) or
-  TPotentialLibraryCall(Cfg::CallNode call) { call.injects(_) } or
+  TPotentialLibraryCall(CallNode call) or
  /** A synthesized call inside a summarized callable */
  TSummaryCall(
    FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
@@ -1472,7 +1465,7 @@ abstract class DataFlowCall extends TDataFlowCall {
  abstract ArgumentNode getArgument(ArgumentPosition apos);

  /** Get the control flow node representing this call, if any. */
-  abstract Cfg::ControlFlowNode getNode();
+  abstract ControlFlowNode getNode();

  /** Gets the enclosing callable of this call. */
  DataFlowCallable getEnclosingCallable() { result = getCallableScope(this.getScope()) }
@@ -1503,28 +1496,28 @@ abstract class ExtractedDataFlowCall extends DataFlowCall {
 }

 /**
- * A resolved call in source code with an underlying `Cfg::CallNode`.
+ * A resolved call in source code with an underlying `CallNode`.
 *
 * This is considered normal, compared with special calls such as `obj[0]` calling the
 * `__getitem__` method on the object. However, this also includes calls that go to the
 * `__call__` special method.
 */
 class NormalCall extends ExtractedDataFlowCall, TNormalCall {
-  Cfg::CallNode call;
+  CallNode call;
  Function target;
  CallType type;

  NormalCall() { this = TNormalCall(call, target, type) }

  override string toString() {
-    // note: if we used toString directly on the Cfg::CallNode we would get
-    //     `Cfg::ControlFlowNode for func()`
-    // but the `Cfg::ControlFlowNode` part is just clutter, so we go directly to the AST node
+    // note: if we used toString directly on the CallNode we would get
+    //     `ControlFlowNode for func()`
+    // but the `ControlFlowNode` part is just clutter, so we go directly to the AST node
    // instead.
    result = call.getNode().toString()
  }

-  override Cfg::ControlFlowNode getNode() { result = call }
+  override ControlFlowNode getNode() { result = call }

  override Scope getScope() { result = call.getScope() }

@@ -1552,7 +1545,7 @@ class ComprehensionCall extends ExtractedDataFlowCall, TComprehensionCall {

  override string toString() { result = "comprehension call" }

-  override Cfg::ControlFlowNode getNode() { result.getNode() = c }
+  override ControlFlowNode getNode() { result.getNode() = c }

  override Scope getScope() { result = c.getScope() }

@@ -1575,14 +1568,14 @@ class ComprehensionCall extends ExtractedDataFlowCall, TComprehensionCall {
 * in this class.
 */
 class PotentialLibraryCall extends ExtractedDataFlowCall, TPotentialLibraryCall {
-  Cfg::CallNode call;
+  CallNode call;

  PotentialLibraryCall() { this = TPotentialLibraryCall(call) }

  override string toString() {
-    // note: if we used toString directly on the Cfg::CallNode we would get
-    //     `Cfg::ControlFlowNode for func()`
-    // but the `Cfg::ControlFlowNode` part is just clutter, so we go directly to the AST node
+    // note: if we used toString directly on the CallNode we would get
+    //     `ControlFlowNode for func()`
+    // but the `ControlFlowNode` part is just clutter, so we go directly to the AST node
    // instead.
    result = call.getNode().toString()
  }
@@ -1599,10 +1592,10 @@ class PotentialLibraryCall extends ExtractedDataFlowCall, TPotentialLibraryCall
    // potential self argument, from `foo.bar()` -- note that this could also just be a
    // module reference, but we really don't have a good way of knowing :|
    apos.isSelf() and
-    result.asCfgNode() = call.getFunction().(Cfg::AttrNode).getObject()
+    result.asCfgNode() = call.getFunction().(AttrNode).getObject()
  }

-  override Cfg::ControlFlowNode getNode() { result = call }
+  override ControlFlowNode getNode() { result = call }

  override Scope getScope() { result = call.getScope() }
 }
@@ -1634,7 +1627,7 @@ class SummaryCall extends DataFlowCall, TSummaryCall {

  override ArgumentNode getArgument(ArgumentPosition apos) { none() }

-  override Cfg::ControlFlowNode getNode() { none() }
+  override ControlFlowNode getNode() { none() }

  override string toString() { result = "[summary] call to " + receiver + " in " + c }

@@ -1776,12 +1769,12 @@ private class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNodeImpl
 * This is used for tracking flow through captured variables.
 */
 class SynthCapturedVariablesArgumentNode extends Node, TSynthCapturedVariablesArgumentNode {
-  Cfg::ControlFlowNode callable;
+  ControlFlowNode callable;

  SynthCapturedVariablesArgumentNode() { this = TSynthCapturedVariablesArgumentNode(callable) }

-  /** Gets the `Cfg::CallNode` corresponding to this captured variables argument node. */
-  Cfg::CallNode getCallNode() { result.getFunction() = callable }
+  /** Gets the `CallNode` corresponding to this captured variables argument node. */
+  CallNode getCallNode() { result.getFunction() = callable }

  /** Gets the `CfgNode` that corresponds to this synthetic node. */
  CfgNode getUnderlyingNode() { result.asCfgNode() = callable }
@@ -1799,7 +1792,7 @@ class CapturedVariablesArgumentNodeAsArgumentNode extends ArgumentNode,
 {
  overlay[global]
  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    exists(Cfg::CallNode callNode | callNode = this.getCallNode() |
+    exists(CallNode callNode | callNode = this.getCallNode() |
      callNode = call.getNode() and
      exists(Function target | resolveCall(callNode, target, _) |
        target = any(VariableCapture::CapturedVariable v).getACapturingScope()
@@ -1813,7 +1806,7 @@ class CapturedVariablesArgumentNodeAsArgumentNode extends ArgumentNode,
 class SynthCapturedVariablesArgumentPostUpdateNode extends PostUpdateNodeImpl,
  TSynthCapturedVariablesArgumentPostUpdateNode
 {
-  Cfg::ControlFlowNode callable;
+  ControlFlowNode callable;

  SynthCapturedVariablesArgumentPostUpdateNode() {
    this = TSynthCapturedVariablesArgumentPostUpdateNode(callable)
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll
@@ -2,9 +2,8 @@ overlay[local?]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import DataFlowPublic
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
+private import semmle.python.essa.SsaCompute
 private import semmle.python.dataflow.new.internal.ImportResolution
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.python.frameworks.data.ModelsAsData
@@ -44,28 +43,13 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall c, ArgumentPosition pos)
 // Nodes
 //--------
 overlay[local]
-predicate isExpressionNode(Cfg::ControlFlowNode node) {
-  // Restrict to the `injects` representative so the dataflow layer creates
-  // exactly one `TCfgNode` per AST expression.
-  node.injects(_) and
-  (
-    node.getNode() instanceof Expr
-    or
-    // `Cfg::ForNode` wraps a `For` statement's iter position, but
-    // overrides `.getNode()` to return the `Py::For` statement (for
-    // legacy parity). The underlying AST is still an `Expr` (the iter
-    // expression); we want a dataflow node here so that for-loop
-    // content reads (`for y in l`) have a source expression node to
-    // read content from.
-    node instanceof Cfg::ForNode
-  )
-}
+predicate isExpressionNode(ControlFlowNode node) { node.getNode() instanceof Expr }

 // =============================================================================
 // SyntheticPreUpdateNode
 // =============================================================================
 class SyntheticPreUpdateNode extends Node, TSyntheticPreUpdateNode {
-  Cfg::CallNode node;
+  CallNode node;

  SyntheticPreUpdateNode() { this = TSyntheticPreUpdateNode(node) }

@@ -167,7 +151,7 @@ predicate synthStarArgsElementParameterNodeStoreStep(
 * been passed in a `**kwargs` argument.
 */
 class SynthDictSplatArgumentNode extends Node, TSynthDictSplatArgumentNode {
-  Cfg::CallNode node;
+  CallNode node;

  SynthDictSplatArgumentNode() { this = TSynthDictSplatArgumentNode(node) }

@@ -181,7 +165,7 @@ class SynthDictSplatArgumentNode extends Node, TSynthDictSplatArgumentNode {
 private predicate synthDictSplatArgumentNodeStoreStep(
  ArgumentNode nodeFrom, DictionaryElementContent c, SynthDictSplatArgumentNode nodeTo
 ) {
-  exists(string name, Cfg::CallNode call, ArgumentPosition keywordPos |
+  exists(string name, CallNode call, ArgumentPosition keywordPos |
    nodeTo = TSynthDictSplatArgumentNode(call) and
    getCallArg(call, _, _, nodeFrom, keywordPos) and
    keywordPos.isKeyword(name) and
@@ -305,7 +289,7 @@ abstract class PostUpdateNodeImpl extends Node {
 * Synthetic post-update nodes for synthetic nodes need to be listed one by one.
 */
 class SyntheticPostUpdateNode extends PostUpdateNodeImpl, TSyntheticPostUpdateNode {
-  Cfg::ControlFlowNode node;
+  ControlFlowNode node;

  SyntheticPostUpdateNode() { this = TSyntheticPostUpdateNode(node) }

@@ -349,42 +333,16 @@ module LocalFlow {
    //   `x = f(42)`
    //   nodeFrom is `f(42)`
    //   nodeTo is `x`
-    //
-    // We use the CFG-level `DefinitionNode.getValue()` directly rather
-    // than going through SSA, because the new SSA library prunes write
-    // definitions that have no subsequent read in the same scope (e.g.
-    // a module-level `def f():` whose `f` is only read inside other
-    // functions). The CFG-level link is unconditional.
-    //
-    // The Name-target restriction mirrors legacy ESSA's
-    // `SsaDefinitions::assignment_definition`, which required
-    // `defn.(NameNode).defines(v)`. Subscript and attribute writes
-    // (`x[i] = 42`, `obj.attr = 42`) are intentionally excluded — their
-    // value flow is handled by the content-flow / `AttrWrite` machinery,
-    // not by a local-flow step *into* the Subscript/Attribute expression.
-    // Excluding them is essential for keeping augmented-assignment
-    // targets (`x[i] += 42`) classifiable as `LocalSourceNode` on the
-    // read side: the single canonical CFG node is both a load and a
-    // store, and any incoming local-flow step would disqualify it from
-    // being a local source.
-    exists(Cfg::DefinitionNode def |
+    exists(AssignmentDefinition def |
      nodeFrom.(CfgNode).getNode() = def.getValue() and
-      nodeTo.(CfgNode).getNode() = def and
-      def instanceof Cfg::NameNode and
-      // Parameter defaults are evaluated in the enclosing scope, while the
-      // parameter itself lives in the function's scope. The cross-scope
-      // edge is provided by `runtimeJumpStep` instead.
-      not exists(Py::Parameter param | def.getNode() = param.asName())
+      nodeTo.(CfgNode).getNode() = def.getDefiningNode()
    )
    or
    // With definition
    //   `with f(42) as x:`
    //   nodeFrom is `f(42)`
    //   nodeTo is `x`
-    exists(
-      With with, Cfg::ControlFlowNode contextManager, SsaImpl::WithDefinition withDef,
-      Cfg::ControlFlowNode var
-    |
+    exists(With with, ControlFlowNode contextManager, WithDefinition withDef, ControlFlowNode var |
      var = withDef.getDefiningNode()
    |
      nodeFrom.(CfgNode).getNode() = contextManager and
@@ -403,13 +361,13 @@ module LocalFlow {

  predicate expressionFlowStep(Node nodeFrom, Node nodeTo) {
    // If expressions
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::IfExprNode).getAnOperand()
+    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(IfExprNode).getAnOperand()
    or
    // Assignment expressions
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::AssignmentExprNode).getValue()
+    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(AssignmentExprNode).getValue()
    or
    // boolean inline expressions such as `x or y` or `x and y`
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::BoolExprNode).getAnOperand()
+    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(BoolExprNode).getAnOperand()
    or
    // Flow inside an unpacking assignment
    iterableUnpackingFlowStep(nodeFrom, nodeTo)
@@ -418,25 +376,12 @@ module LocalFlow {
    matchFlowStep(nodeFrom, nodeTo)
  }

-  predicate useToNextUse(Cfg::NameNode nodeFrom, Cfg::NameNode nodeTo) {
-    // The SSA-level adjacent-use predicate works on specific CFG variants
-    // (e.g. boolean-outcome `[true]`/`[false]` or emptiness `[empty]`/`[non-empty]`
-    // splits of the same AST node), but dataflow values are insensitive to
-    // those splits — there is at most one `CfgNode` per AST. Project both
-    // ends through `.getNode()` so all variants contribute their use-use
-    // edges to the canonical pair.
-    exists(Cfg::NameNode fromVariant, Cfg::NameNode toVariant |
-      SsaImpl::AdjacentUses::adjacentUseUse(fromVariant, toVariant) and
-      fromVariant.getNode() = nodeFrom.getNode() and
-      toVariant.getNode() = nodeTo.getNode()
-    )
+  predicate useToNextUse(NameNode nodeFrom, NameNode nodeTo) {
+    AdjacentUses::adjacentUseUse(nodeFrom, nodeTo)
  }

-  predicate defToFirstUse(SsaImpl::EssaVariable var, Cfg::NameNode nodeTo) {
-    exists(Cfg::NameNode toVariant |
-      SsaImpl::AdjacentUses::firstUse(var.getDefinition(), toVariant) and
-      toVariant.getNode() = nodeTo.getNode()
-    )
+  predicate defToFirstUse(EssaVariable var, NameNode nodeTo) {
+    AdjacentUses::firstUse(var.getDefinition(), nodeTo)
  }

  predicate useUseFlowStep(Node nodeFrom, Node nodeTo) {
@@ -445,13 +390,12 @@ module LocalFlow {
    //   `x = f(y)`
    //   nodeFrom is `y` on first line
    //   nodeTo is `y` on second line
-    exists(SsaImpl::EssaDefinition def, Cfg::NameNode toVariant |
-      nodeFrom.(CfgNode).getNode() = def.(SsaImpl::EssaNodeDefinition).getDefiningNode()
+    exists(EssaDefinition def |
+      nodeFrom.(CfgNode).getNode() = def.(EssaNodeDefinition).getDefiningNode()
      or
      nodeFrom.(ScopeEntryDefinitionNode).getDefinition() = def
    |
-      SsaImpl::AdjacentUses::firstUse(def, toVariant) and
-      toVariant.getNode() = nodeTo.(CfgNode).getNode().getNode()
+      AdjacentUses::firstUse(def, nodeTo.(CfgNode).getNode())
    )
    or
    // Next use after use
@@ -613,9 +557,9 @@ predicate runtimeJumpStep(Node nodeFrom, Node nodeTo) {
  // a parameter with a default value, since the parameter will be in the scope of the
  // function, while the default value itself will be in the scope that _defines_ the
  // function.
-  exists(SsaImpl::ParameterDefinition param |
+  exists(ParameterDefinition param |
    // note: we go to the _control-flow node_ of the parameter, and not the ESSA node of the parameter, since for type-tracking, the ESSA node is not a LocalSourceNode, so we would get in trouble.
-    nodeFrom.asCfgNode().getNode() = param.getParameter().(Parameter).getDefault() and
+    nodeFrom.asCfgNode() = param.getDefault() and
    nodeTo.asCfgNode() = param.getDefiningNode()
  )
  or
@@ -719,7 +663,7 @@ predicate neverSkipInPathGraph(Node n) {
  // ```
  // we would end up saying that the path MUST not skip the x in `y = x`, which is just
  // annoying and doesn't help the path explanation become clearer.
-  n.asCfgNode() = any(SsaImpl::EssaNodeDefinition def).getDefiningNode()
+  n.asCfgNode() = any(EssaNodeDefinition def).getDefiningNode()
 }

 /**
@@ -930,7 +874,7 @@ predicate listStoreStep(CfgNode nodeFrom, ListElementContent c, CfgNode nodeTo)
  //   nodeFrom is `42`, cfg node
  //   nodeTo is the list, `[..., 42, ...]`, cfg node
  //   c denotes element of list
-  nodeTo.getNode().(Cfg::ListNode).getAnElement() = nodeFrom.getNode() and
+  nodeTo.getNode().(ListNode).getAnElement() = nodeFrom.getNode() and
  not nodeTo.getNode() instanceof UnpackingAssignmentSequenceTarget and
  // Suppress unused variable warning
  c = c
@@ -943,7 +887,7 @@ predicate setStoreStep(CfgNode nodeFrom, SetElementContent c, CfgNode nodeTo) {
  //   nodeFrom is `42`, cfg node
  //   nodeTo is the set, `{..., 42, ...}`, cfg node
  //   c denotes element of list
-  nodeTo.getNode().(Cfg::SetNode).getAnElement() = nodeFrom.getNode() and
+  nodeTo.getNode().(SetNode).getAnElement() = nodeFrom.getNode() and
  // Suppress unused variable warning
  c = c
 }
@@ -956,7 +900,7 @@ predicate tupleStoreStep(CfgNode nodeFrom, TupleElementContent c, CfgNode nodeTo
  //   nodeTo is the tuple, `(..., 42, ...)`, cfg node
  //   c denotes element of tuple and index of nodeFrom
  exists(int n |
-    nodeTo.getNode().(Cfg::TupleNode).getElement(n) = nodeFrom.getNode() and
+    nodeTo.getNode().(TupleNode).getElement(n) = nodeFrom.getNode() and
    not nodeTo.getNode() instanceof UnpackingAssignmentSequenceTarget and
    c.getIndex() = n
  )
@@ -970,7 +914,7 @@ predicate dictStoreStep(CfgNode nodeFrom, DictionaryElementContent c, Node nodeT
  //   nodeTo is the dict, `{..., "key" = 42, ...}`, cfg node
  //   c denotes element of dictionary and the key `"key"`
  exists(KeyValuePair item |
-    item = nodeTo.asCfgNode().(Cfg::DictNode).getNode().(Dict).getAnItem() and
+    item = nodeTo.asCfgNode().(DictNode).getNode().(Dict).getAnItem() and
    nodeFrom.getNode().getNode() = item.getValue() and
    c.getKey() = item.getKey().(StringLiteral).getS()
  )
@@ -985,9 +929,9 @@ predicate dictStoreStep(CfgNode nodeFrom, DictionaryElementContent c, Node nodeT
 private predicate moreDictStoreSteps(CfgNode nodeFrom, DictionaryElementContent c, Node nodeTo) {
  // NOTE: It's important to add logic to the newtype definition of
  // DictionaryElementContent if you add new cases here.
-  exists(Cfg::SubscriptNode subscript |
+  exists(SubscriptNode subscript |
    nodeTo.(PostUpdateNode).getPreUpdateNode().asCfgNode() = subscript.getObject() and
-    nodeFrom.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+    nodeFrom.asCfgNode() = subscript.(DefinitionNode).getValue() and
    c.getKey() = subscript.getIndex().getNode().(StringLiteral).getText()
  )
  or
@@ -1000,8 +944,8 @@ private predicate moreDictStoreSteps(CfgNode nodeFrom, DictionaryElementContent
 }

 predicate dictClearStep(Node node, DictionaryElementContent c) {
-  exists(Cfg::SubscriptNode subscript |
-    subscript instanceof Cfg::DefinitionNode and
+  exists(SubscriptNode subscript |
+    subscript instanceof DefinitionNode and
    node.asCfgNode() = subscript.getObject() and
    c.getKey() = subscript.getIndex().getNode().(StringLiteral).getText()
  )
@@ -1080,7 +1024,7 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
  //   nodeFrom is `l`, cfg node
  //   nodeTo is `l[3]`, cfg node
  //   c is compatible with 3
-  nodeFrom.getNode() = nodeTo.getNode().(Cfg::SubscriptNode).getObject() and
+  nodeFrom.getNode() = nodeTo.getNode().(SubscriptNode).getObject() and
  (
    c instanceof ListElementContent
    or
@@ -1089,10 +1033,10 @@ predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
    c instanceof DictionaryElementAnyContent
    or
    c.(TupleElementContent).getIndex() =
-      nodeTo.getNode().(Cfg::SubscriptNode).getIndex().getNode().(IntegerLiteral).getValue()
+      nodeTo.getNode().(SubscriptNode).getIndex().getNode().(IntegerLiteral).getValue()
    or
    c.(DictionaryElementContent).getKey() =
-      nodeTo.getNode().(Cfg::SubscriptNode).getIndex().getNode().(StringLiteral).getS()
+      nodeTo.getNode().(SubscriptNode).getIndex().getNode().(StringLiteral).getS()
  )
 }

@@ -1147,7 +1091,7 @@ module Conversions {

  predicate formatReadStep(Node nodeFrom, ContentSet c, Node nodeTo) {
    // % formatting
-    exists(Cfg::BinaryExprNode fmt | fmt = nodeTo.asCfgNode() |
+    exists(BinaryExprNode fmt | fmt = nodeTo.asCfgNode() |
      fmt.getOp() instanceof Mod and
      fmt.getRight() = nodeFrom.asCfgNode()
    ) and
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -5,14 +5,11 @@ overlay[local]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import codeql.controlflow.SuccessorType
 private import DataFlowPrivate
 import semmle.python.dataflow.new.TypeTracking
 import Attributes
 import LocalSources
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
+private import semmle.python.essa.SsaCompute
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.frameworks.data.ModelsAsData
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -30,18 +27,16 @@ private import semmle.python.frameworks.data.ModelsAsData
 overlay[local]
 newtype TNode =
  /** A node corresponding to a control flow node. */
-  TCfgNode(Cfg::ControlFlowNode node) {
+  TCfgNode(ControlFlowNode node) {
    isExpressionNode(node)
    or
-    node.injects(_) and node.getNode() instanceof Pattern
+    node.getNode() instanceof Pattern
  } or
  /**
   * A node corresponding to a scope entry definition. That is, the value of a variable
   * as it enters a scope.
   */
-  TScopeEntryDefinitionNode(SsaImpl::ScopeEntryDefinition def) {
-    not def.getScope() instanceof Module
-  } or
+  TScopeEntryDefinitionNode(ScopeEntryDefinition def) { not def.getScope() instanceof Module } or
  /**
   * A synthetic node representing the value of an object before a state change.
   *
@@ -52,15 +47,13 @@ newtype TNode =
  // NOTE: since we can't rely on the call graph, but we want to have synthetic
  // pre-update nodes for class calls, we end up getting synthetic pre-update nodes for
  // ALL calls :|
-  TSyntheticPreUpdateNode(Cfg::CallNode call) { call.injects(_) } or
+  TSyntheticPreUpdateNode(CallNode call) or
  /**
   * A synthetic node representing the value of an object after a state change.
   * See QLDoc for `PostUpdateNode`.
   */
-  TSyntheticPostUpdateNode(Cfg::ControlFlowNode node) {
-    node.injects(_) and
-    (
-    exists(Cfg::CallNode call |
+  TSyntheticPostUpdateNode(ControlFlowNode node) {
+    exists(CallNode call |
      node = call.getArg(_)
      or
      node = call.getArgByName(_)
@@ -69,12 +62,12 @@ newtype TNode =
      node = call.getFunction()
    )
    or
-    node = any(Cfg::AttrNode a).getObject()
+    node = any(AttrNode a).getObject()
    or
-    node = any(Cfg::SubscriptNode s).getObject()
+    node = any(SubscriptNode s).getObject()
    or
    // self parameter when used implicitly in `super()`
-    exists(Class cls, Function func, SsaImpl::ParameterDefinition def |
+    exists(Class cls, Function func, ParameterDefinition def |
      func = cls.getAMethod() and
      not isStaticmethod(func) and
      // this matches what we do in ExtractedParameterNode
@@ -84,7 +77,6 @@ newtype TNode =
    or
    // the iterable argument to the implicit comprehension function
    node.getNode() = any(Comp c).getIterable()
-    )
  } or
  /** A node representing a global (module-level) variable in a specific module. */
  TModuleVariableNode(Module m, GlobalVariable v) { v.getScope() = m } or
@@ -120,9 +112,7 @@ newtype TNode =
    exists(ParameterPosition ppos | ppos.isStarArgs(_) | exists(callable.getParameter(ppos)))
  } or
  /** A synthetic node to capture keyword arguments that are passed to a `**kwargs` parameter. */
-  TSynthDictSplatArgumentNode(Cfg::CallNode call) {
-    call.injects(_) and exists(call.getArgByName(_))
-  } or
+  TSynthDictSplatArgumentNode(CallNode call) { exists(call.getArgByName(_)) } or
  /** A synthetic node to allow flow to keyword parameters from a `**kwargs` argument. */
  TSynthDictSplatParameterNode(DataFlowCallable callable) {
    exists(ParameterPosition ppos | ppos.isKeyword(_) | exists(callable.getParameter(ppos)))
@@ -138,15 +128,15 @@ newtype TNode =
   * A synthetic node representing the values of the variables captured
   * by the callable being called.
   */
-  TSynthCapturedVariablesArgumentNode(Cfg::ControlFlowNode callable) {
-    callable.injects(_) and callable = any(Cfg::CallNode c).getFunction()
+  TSynthCapturedVariablesArgumentNode(ControlFlowNode callable) {
+    callable = any(CallNode c).getFunction()
  } or
  /**
   * A synthetic node representing the values of the variables captured
   * by the callable being called, after the output has been computed.
   */
-  TSynthCapturedVariablesArgumentPostUpdateNode(Cfg::ControlFlowNode callable) {
-    callable.injects(_) and callable = any(Cfg::CallNode c).getFunction()
+  TSynthCapturedVariablesArgumentPostUpdateNode(ControlFlowNode callable) {
+    callable = any(CallNode c).getFunction()
  } or
  /** A synthetic node representing the values of variables captured by a comprehension. */
  TSynthCompCapturedVariablesArgumentNode(Comp comp) {
@@ -204,7 +194,7 @@ class Node extends TNode {
  }

  /** Gets the control-flow node corresponding to this node, if any. */
-  Cfg::ControlFlowNode asCfgNode() { none() }
+  ControlFlowNode asCfgNode() { none() }

  /** Gets the expression corresponding to this node, if any. */
  Expr asExpr() { none() }
@@ -217,14 +207,14 @@ class Node extends TNode {

 /** A data-flow node corresponding to a control-flow node. */
 class CfgNode extends Node, TCfgNode {
-  Cfg::ControlFlowNode node;
+  ControlFlowNode node;

  CfgNode() { this = TCfgNode(node) }

-  /** Gets the `Cfg::ControlFlowNode` represented by this data-flow node. */
-  Cfg::ControlFlowNode getNode() { result = node }
+  /** Gets the `ControlFlowNode` represented by this data-flow node. */
+  ControlFlowNode getNode() { result = node }

-  override Cfg::ControlFlowNode asCfgNode() { result = node }
+  override ControlFlowNode asCfgNode() { result = node }

  /** Gets a textual representation of this element. */
  override string toString() { result = node.toString() }
@@ -234,9 +224,9 @@ class CfgNode extends Node, TCfgNode {
  override Location getLocation() { result = node.getLocation() }
 }

-/** A data-flow node corresponding to a `Cfg::CallNode` in the control-flow graph. */
+/** A data-flow node corresponding to a `CallNode` in the control-flow graph. */
 class CallCfgNode extends CfgNode, LocalSourceNode {
-  override Cfg::CallNode node;
+  override CallNode node;

  /**
   * Gets the data-flow node for the function component of the call corresponding to this data-flow
@@ -317,15 +307,15 @@ ExprNode exprNode(DataFlowExpr e) { result.getNode().getNode() = e }
 * as it enters a scope.
 */
 class ScopeEntryDefinitionNode extends Node, TScopeEntryDefinitionNode {
-  SsaImpl::ScopeEntryDefinition def;
+  ScopeEntryDefinition def;

  ScopeEntryDefinitionNode() { this = TScopeEntryDefinitionNode(def) }

-  /** Gets the `SsaImpl::ScopeEntryDefinition` associated with this node. */
-  SsaImpl::ScopeEntryDefinition getDefinition() { result = def }
+  /** Gets the `ScopeEntryDefinition` associated with this node. */
+  ScopeEntryDefinition getDefinition() { result = def }

  /** Gets the source variable represented by this node. */
-  SsaImpl::SsaSourceVariable getVariable() { result = def.getSourceVariable() }
+  SsaSourceVariable getVariable() { result = def.getSourceVariable() }

  override Location getLocation() { result = def.getLocation() }

@@ -347,7 +337,7 @@ class ParameterNode extends Node instanceof ParameterNodeImpl {
 /** A parameter node found in the source code (not in a summary). */
 class ExtractedParameterNode extends ParameterNodeImpl, CfgNode {
  //, LocalSourceNode {
-  SsaImpl::ParameterDefinition def;
+  ParameterDefinition def;

  ExtractedParameterNode() { node = def.getDefiningNode() }

@@ -378,10 +368,10 @@ Node getCallArgApproximation() {
  exists(Class c | result.asExpr() = c.getAMethod().getArg(0))
  or
  // the object part of an attribute expression (which might be a bound method)
-  result.asCfgNode() = any(Cfg::AttrNode a).getObject()
+  result.asCfgNode() = any(AttrNode a).getObject()
  or
  // the function part of any call
-  result.asCfgNode() = any(Cfg::CallNode c).getFunction()
+  result.asCfgNode() = any(CallNode c).getFunction()
 }

 /** Gets the extracted argument nodes that do not rely on `getCallArg`. */
@@ -390,7 +380,7 @@ private Node implicitArgumentNode() {
  normalCallArg(_, result, _)
  or
  // and self arguments
-  result.asCfgNode() = any(Cfg::CallNode c).getFunction().(Cfg::AttrNode).getObject()
+  result.asCfgNode() = any(CallNode c).getFunction().(AttrNode).getObject()
  or
  // for comprehensions, we allow the synthetic `iterable` argument
  result.asExpr() = any(Comp c).getIterable()
@@ -499,20 +489,17 @@ class ModuleVariableNode extends Node, TModuleVariableNode {
    not result.getScope() = mod
  }

-  /** Gets a CFG node that corresponds to an assignment of this global variable. */
+  /** Gets an `EssaNode` that corresponds to an assignment of this global variable. */
  Node getAWrite() {
-    exists(Cfg::NameNode n |
-      n.defines(var) and
-      result.asCfgNode() = n
-    )
+    any(EssaNodeDefinition def).definedBy(var, result.asCfgNode().(DefinitionNode))
  }

  /** Gets the possible values of the variable at the end of import time */
  CfgNode getADefiningWrite() {
-    exists(SsaImpl::EssaVariable def |
-      def = any(SsaImpl::EssaVariable ssa_var).getAnUltimateDefinition() and
-      def.getDefinition().(SsaImpl::EssaNodeDefinition).getDefiningNode() = result.asCfgNode() and
-      def.getSourceVariable().getVariable() = var
+    exists(SsaVariable def |
+      def = any(SsaVariable ssa_var).getAnUltimateDefinition() and
+      def.getDefinition() = result.asCfgNode() and
+      def.getVariable() = var
    )
  }

@@ -529,7 +516,7 @@ private ModuleVariableNode import_star_read(Node n) {
 overlay[global]
 pragma[nomagic]
 private predicate resolved_import_star_module(Module m, string name, Node n) {
-  exists(Cfg::NameNode nn | nn = n.asCfgNode() |
+  exists(NameNode nn | nn = n.asCfgNode() |
    ImportStar::importStarResolvesTo(pragma[only_bind_into](nn), m) and
    nn.getId() = name
  )
@@ -587,88 +574,88 @@ class StarPatternElementNode extends Node, TStarPatternElementNode {
 }

 /**
- * A node that participates in a conditional split: a CFG node whose
- * evaluation outcome (true/false) is used to choose between two
- * successor basic blocks. In the shared CFG, branching is detected
- * via typed successor edges (boolean successor types) on the unique
- * `injects` node for each AST expression.
+ * Gets a node that controls whether other nodes are evaluated.
 *
- * Users typically obtain a `GuardNode` by casting from a more specific
- * Cfg type: `g.(Cfg::CallNode)` for a call-based check, etc.
+ * In the base case, this is the last node of `conditionBlock`, and `flipped` is `false`.
+ * This definition accounts for (short circuting) `and`- and `or`-expressions, as the structure
+ * of basic blocks will reflect their semantics.
+ *
+ * However, in the program
+ * ```python
+ * if not is_safe(path):
+ *   return
+ * ```
+ * the last node in the `ConditionBlock` is `not is_safe(path)`.
+ *
+ * We would like to consider also `is_safe(path)` a guard node, albeit with `flipped` being `true`.
+ * Thus we recurse through `not`-expressions.
 */
-class GuardNode extends Cfg::ControlFlowNode {
-  GuardNode() {
-    // This node has boolean successor edges (directly or via wrapping).
-    outcomeOfGuard(this, _, _)
-  }
-
-  /** Holds if this guard controls block `b` upon evaluating to `branch`. */
-  predicate controlsBlock(Cfg::BasicBlock b, boolean branch) {
-    exists(CfgImpl::BasicBlock outcomeBB |
-      outcomeOfGuard(this, outcomeBB, branch) and
-      outcomeBB.dominates(b)
+ControlFlowNode guardNode(ConditionBlock conditionBlock, boolean flipped) {
+  // Base case: the last node truly does determine which successor is chosen
+  result = conditionBlock.getLastNode() and
+  flipped = false
+  or
+  // Recursive cases:
+  // if a guard node is a `not`-expression,
+  // the operand is also a guard node, but with inverted polarity.
+  exists(UnaryExprNode notNode |
+    result = notNode.getOperand() and
+    notNode.getNode().getOp() instanceof Not
+  |
+    notNode = guardNode(conditionBlock, flipped.booleanNot())
+  )
+  or
+  // if a guard node is compared to a boolean literal,
+  // the other operand is also a guard node,
+  // but with polarity depending on the literal (and on the comparison).
+  exists(CompareNode cmpNode, Cmpop op, ControlFlowNode b, boolean should_flip |
+    (
+      cmpNode.operands(result, op, b) or
+      cmpNode.operands(b, op, result)
+    ) and
+    not result.getNode() instanceof BooleanLiteral and
+    (
+      // comparing to the boolean
+      (op instanceof Eq or op instanceof Is) and
+      // we should flip if the value compared against, here the value of `b`, is false
+      should_flip = b.getNode().(BooleanLiteral).booleanValue().booleanNot()
+      or
+      // comparing to the negation of the boolean
+      (op instanceof NotEq or op instanceof IsNot) and
+      // again, we should flip if the value compared against, here the value of `not b`, is false.
+      // That is, if the value of `b` is true.
+      should_flip = b.getNode().(BooleanLiteral).booleanValue()
    )
-  }
+  |
+    // we flip `flipped` according to `should_flip` via the formula `flipped xor should_flip`.
+    flipped in [true, false] and
+    cmpNode = guardNode(conditionBlock, flipped.booleanXor(should_flip))
+  )
 }

 /**
- * Holds if `outcomeBB` is the basic block entered when `guard` evaluates
- * to `branch`.
+ * A node that controls whether other nodes are evaluated.
 *
- * For a direct guard `if g:`, the outcome BB starts at the after-value
- * node for the matching branch. For wrapped guards like `not g` or
- * `g == True`, we follow those wrappers up the AST to find the
- * outermost expression that actually branches, with an appropriate
- * polarity transform.
+ * The field `flipped` allows us to match `GuardNode`s underneath
+ * `not`-expressions and still choose the appropriate branch.
 */
-private predicate outcomeOfGuard(
-  Cfg::ControlFlowNode guard, CfgImpl::BasicBlock outcomeBB, boolean branch
-) {
-  // Base case: the guard has boolean successor edges.
-  // Only the canonical representative (injects) can act as a guard base.
-  guard.injects(_) and
-  exists(BooleanSuccessor t |
-    t.getValue() = branch and
-    outcomeBB = guard.(CfgImpl::ControlFlowNode).getASuccessor(t).getBasicBlock()
-  )
-  or
-  // Recursive: `not guard` — same outcome split as `guard`, flipped.
-  exists(Cfg::UnaryExprNode notNode, boolean notBranch |
-    notNode.injects(_) and
-    notNode.getOperand().getNode() = guard.getNode() and
-    notNode.getNode().getOp() instanceof Not and
-    outcomeOfGuard(notNode, outcomeBB, notBranch) and
-    branch = notBranch.booleanNot()
-  )
-  or
-  // Recursive: comparisons against a boolean literal.
-  exists(
-    Cfg::CompareNode cmpNode, Cmpop op, Cfg::ControlFlowNode otherOperand,
-    Cfg::ControlFlowNode guardOperand, boolean polarity, boolean cmpBranch
-  |
-    cmpNode.injects(_) and
-    guardOperand.getNode() = guard.getNode() and
-    (
-      cmpNode.operands(guardOperand, op, otherOperand) or
-      cmpNode.operands(otherOperand, op, guardOperand)
-    ) and
-    not guard.getNode() instanceof BooleanLiteral and
-    (
-      (op instanceof Eq or op instanceof Is) and
-      polarity = otherOperand.getNode().(BooleanLiteral).booleanValue()
-      or
-      (op instanceof NotEq or op instanceof IsNot) and
-      polarity = otherOperand.getNode().(BooleanLiteral).booleanValue().booleanNot()
-    ) and
-    outcomeOfGuard(cmpNode, outcomeBB, cmpBranch) and
-    branch = cmpBranch.booleanXor(polarity.booleanNot())
-  )
+class GuardNode extends ControlFlowNode {
+  ConditionBlock conditionBlock;
+  boolean flipped;
+
+  GuardNode() { this = guardNode(conditionBlock, flipped) }
+
+  /** Holds if this guard controls block `b` upon evaluating to `branch`. */
+  predicate controlsBlock(BasicBlock b, boolean branch) {
+    branch in [true, false] and
+    conditionBlock.controls(b, branch.booleanXor(flipped))
+  }
 }

 /**
 * Holds if the guard `g` validates `node` upon evaluating to `branch`.
 */
-signature predicate guardChecksSig(GuardNode g, Cfg::ControlFlowNode node, boolean branch);
+signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch);

 /**
 * Provides a set of barrier nodes for a guard that validates a node.
@@ -683,9 +670,7 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
    result = ParameterizedBarrierGuard<Unit, extendedGuardChecks/4>::getABarrierNode(_)
  }

-  private predicate extendedGuardChecks(
-    GuardNode g, Cfg::ControlFlowNode node, boolean branch, Unit u
-  ) {
+  private predicate extendedGuardChecks(GuardNode g, ControlFlowNode node, boolean branch, Unit u) {
    guardChecks(g, node, branch) and
    u = u
  }
@@ -695,7 +680,7 @@ bindingset[this]
 private signature class ParamSig;

 private module WithParam<ParamSig P> {
-  signature predicate guardChecksSig(GuardNode g, Cfg::ControlFlowNode node, boolean branch, P param);
+  signature predicate guardChecksSig(GuardNode g, ControlFlowNode node, boolean branch, P param);
 }

 /**
@@ -708,16 +693,10 @@ module ParameterizedBarrierGuard<ParamSig P, WithParam<P>::guardChecksSig/4 guar
  /** Gets a node that is safely guarded by the given guard check with parameter `param`. */
  overlay[global]
  ExprNode getABarrierNode(P param) {
-    exists(GuardNode g, SsaImpl::EssaDefinition def, Cfg::ControlFlowNode node, boolean branch |
-      SsaImpl::AdjacentUses::useOfDef(def, node) and
+    exists(GuardNode g, EssaDefinition def, ControlFlowNode node, boolean branch |
+      AdjacentUses::useOfDef(def, node) and
      guardChecks(g, node, branch, param) and
-      SsaImpl::AdjacentUses::useOfDef(def, result.asCfgNode()) and
-      // The protected use must be a different SSA position than the test
-      // position itself: `controlsBlock` is reflexive on dominance, and
-      // the test expression is an SSA-use position on the def-use chain.
-      // Without this guard, the test position would be returned as a
-      // barrier and block flow before it can reach genuine branch uses.
-      node != result.asCfgNode() and
+      AdjacentUses::useOfDef(def, result.asCfgNode()) and
      g.controlsBlock(result.asCfgNode().getBasicBlock(), branch)
    )
  }
@@ -733,7 +712,7 @@ module ExternalBarrierGuard {
  private import semmle.python.ApiGraphs

  overlay[global]
-  private predicate guardCheck(GuardNode g, Cfg::ControlFlowNode node, boolean branch, string kind) {
+  private predicate guardCheck(GuardNode g, ControlFlowNode node, boolean branch, string kind) {
    exists(API::CallNode call, API::Node parameter |
      parameter = call.getAParameter() and
      parameter = ModelOutput::getABarrierGuardNode(kind, branch)
@@ -769,10 +748,10 @@ newtype TContent =
  TSetElementContent() or
  /** An element of a tuple at a specific index. */
  TTupleElementContent(int index) {
-    exists(any(Cfg::TupleNode tn).getElement(index))
+    exists(any(TupleNode tn).getElement(index))
    or
    // Arguments can overflow and end up in the starred parameter tuple.
-    exists(any(Cfg::CallNode cn).getArg(index))
+    exists(any(CallNode cn).getArg(index))
    or
    // since flow summaries might use tuples, we ensure that we at least have valid
    // TTupleElementContent for the 0..7 (7 was picked to match `small_tuple` in
@@ -789,14 +768,10 @@ newtype TContent =
    or
    // d["key"] = ...
    key =
-      any(Cfg::SubscriptNode sub |
-        sub.isStore()
-      |
-        sub.getIndex().getNode().(StringLiteral).getText()
-      )
+      any(SubscriptNode sub | sub.isStore() | sub.getIndex().getNode().(StringLiteral).getText())
    or
    // d.setdefault("key", ...)
-    exists(Cfg::CallNode call | call.getFunction().(Cfg::AttrNode).getName() = "setdefault" |
+    exists(CallNode call | call.getFunction().(AttrNode).getName() = "setdefault" |
      key = call.getArg(0).getNode().(StringLiteral).getText()
    )
  } or
--- a/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll
@@ -5,18 +5,17 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.dataflow.new.TypeTracking
 private import semmle.python.dataflow.new.internal.DataFlowPrivate

 /**
- * Holds if the name of `var` refers to a submodule of a package and `init` is
- * the `__init__` module of that package. Locally inlined replacement for the
- * legacy `SsaSource::init_module_submodule_defn` so that this module has no
- * direct dependency on `semmle.python.essa.SsaDefinitions`.
+ * Holds if `init` is a package's `__init__.py` and `var` is a global variable in
+ * `init` whose name matches a submodule of the package.
+ *
+ * Inlined from `SsaSource::init_module_submodule_defn` to avoid pulling
+ * `semmle.python.essa.SsaDefinitions` into the new dataflow stack.
 */
 private predicate initModuleSubmoduleDefn(GlobalVariable var, Module init) {
  init.isPackageInit() and
@@ -82,19 +81,13 @@ module ImportResolution {
   * Holds if there is an ESSA step from `defFrom` to `defTo`, which should be allowed
   * for import resolution.
   */
-  private predicate allowedEssaImportStep(
-    SsaImpl::EssaDefinition defFrom, SsaImpl::EssaDefinition defTo
-  ) {
+  private predicate allowedEssaImportStep(EssaDefinition defFrom, EssaDefinition defTo) {
    // to handle definitions guarded by if-then-else
-    defFrom = defTo.(SsaImpl::PhiFunction).getAnInput()
+    defFrom = defTo.(PhiFunction).getAnInput()
    or
-    // to handle uncertain writes such as `from X import *`, which create an
-    // uncertain SSA definition for every name in the importing scope. The
-    // immediately preceding definition is still potentially the value of the
-    // module export.
-    SsaImpl::Ssa::uncertainWriteDefinitionInput(defTo, defFrom)
-    // Note: legacy ESSA refinement-step (e.g. for `foo.bar = X`) is
-    // not modelled in the new SSA beyond the cases handled above.
+    // refined variable
+    // example: https://github.com/nvbn/thefuck/blob/ceeaeab94b5df5a4fe9d94d61e4f6b0bbea96378/thefuck/utils.py#L25-L45
+    defFrom = defTo.(EssaNodeRefinement).getInput().getDefinition()
  }

  /**
@@ -111,32 +104,30 @@ module ImportResolution {
    // Definitions made inside `m` itself
    //
    // for code such as `foo = ...; foo.bar = ...` there will be TWO
-    // SsaImpl::EssaDefinition/SsaImpl::EssaVariable. One for `foo = ...` (SsaImpl::AssignmentDefinition) and one
+    // EssaDefinition/EssaVariable. One for `foo = ...` (AssignmentDefinition) and one
    // for `foo.bar = ...`. The one for `foo.bar = ...` (EssaNodeRefinement). The
    // EssaNodeRefinement is the one that will reach the end of the module (normal
    // exit).
    //
    // However, we cannot just use the EssaNodeRefinement as the `val`, because the
    // normal data-flow depends on use-use flow, and use-use flow targets CFG nodes not
-    // EssaNodes. So we need to go back from the SsaImpl::EssaDefinition/SsaImpl::EssaVariable that
+    // EssaNodes. So we need to go back from the EssaDefinition/EssaVariable that
    // reaches the end of the module, to the first definition of the variable, and then
    // track forwards using use-use flow to find a suitable CFG node that has flow into
    // it from use-use flow.
-    exists(SsaImpl::EssaVariable lastUseVar, SsaImpl::EssaVariable firstDef |
+    exists(EssaVariable lastUseVar, EssaVariable firstDef |
      lastUseVar.getName() = name and
      // we ignore special variable $ introduced by our analysis (not used for anything)
      // we ignore special variable * introduced by `from <pkg> import *` -- TODO: understand why we even have this?
      not name in ["$", "*"] and
-      exists(Cfg::ControlFlowNode exit |
-        exit.isNormalExit() and exit.getScope() = m and lastUseVar.getAUse() = exit
-      ) and
+      lastUseVar.getAUse() = m.getANormalExit() and
      allowedEssaImportStep*(firstDef, lastUseVar) and
      not allowedEssaImportStep(_, firstDef)
    |
      not LocalFlow::defToFirstUse(firstDef, _) and
-      val.asCfgNode() = firstDef.getDefinition().(SsaImpl::EssaNodeDefinition).getDefiningNode()
+      val.asCfgNode() = firstDef.getDefinition().(EssaNodeDefinition).getDefiningNode()
      or
-      exists(Cfg::ControlFlowNode mid, Cfg::ControlFlowNode end |
+      exists(ControlFlowNode mid, ControlFlowNode end |
        LocalFlow::defToFirstUse(firstDef, mid) and
        LocalFlow::useToNextUse*(mid, end) and
        not LocalFlow::useToNextUse(end, _) and
@@ -164,9 +155,9 @@ module ImportResolution {
   * handles simple cases where we can statically tell that this is the case.
   */
  private predicate all_mentions_name(Module m, string name) {
-    exists(Cfg::DefinitionNode def, Cfg::SequenceNode n |
+    exists(DefinitionNode def, SequenceNode n |
      def.getValue() = n and
-      def.(Cfg::NameNode).getId() = "__all__" and
+      def.(NameNode).getId() = "__all__" and
      def.getScope() = m and
      any(StringLiteral s | s.getText() = name) = n.getAnElement().getNode()
    )
@@ -179,20 +170,18 @@ module ImportResolution {
   */
  private predicate no_or_complicated_all(Module m) {
    // No mention of `__all__` in the module
-    not exists(Cfg::DefinitionNode def |
-      def.getScope() = m and def.(Cfg::NameNode).getId() = "__all__"
-    )
+    not exists(DefinitionNode def | def.getScope() = m and def.(NameNode).getId() = "__all__")
    or
    // `__all__` is set to a non-sequence value
-    exists(Cfg::DefinitionNode def |
-      def.(Cfg::NameNode).getId() = "__all__" and
+    exists(DefinitionNode def |
+      def.(NameNode).getId() = "__all__" and
      def.getScope() = m and
-      not def.getValue() instanceof Cfg::SequenceNode
+      not def.getValue() instanceof SequenceNode
    )
    or
    // `__all__` is used in some way that doesn't involve storing a value in it. This usually means
    // it is being mutated through `append` or `extend`, which we don't handle.
-    exists(Cfg::NameNode n | n.getId() = "__all__" and n.getScope() = m and n.isLoad())
+    exists(NameNode n | n.getId() = "__all__" and n.getScope() = m and n.isLoad())
  }

  private predicate potential_module_export(Module m, string name) {
@@ -200,7 +189,7 @@ module ImportResolution {
    or
    no_or_complicated_all(m) and
    (
-      exists(Cfg::NameNode n | n.getId() = name and n.getScope() = m and name.charAt(0) != "_")
+      exists(NameNode n | n.getId() = name and n.getScope() = m and name.charAt(0) != "_")
      or
      exists(Alias a | a.getAsname().(Name).getId() = name and a.getValue().getScope() = m)
    )
@@ -230,12 +219,12 @@ module ImportResolution {

  /** Gets a module that may have been added to `sys.modules`. */
  private Module sys_modules_module_with_name(string name) {
-    exists(Cfg::ControlFlowNode n, DataFlow::Node mod |
-      exists(Cfg::SubscriptNode sub |
+    exists(ControlFlowNode n, DataFlow::Node mod |
+      exists(SubscriptNode sub |
        sub.getObject() = sys_modules_reference().asCfgNode() and
        sub.getIndex() = n and
        n.getNode().(StringLiteral).getText() = name and
-        sub.(Cfg::DefinitionNode).getValue() = mod.asCfgNode() and
+        sub.(DefinitionNode).getValue() = mod.asCfgNode() and
        mod = getModuleReference(result)
      )
    )
@@ -347,11 +336,11 @@ module ImportResolution {
    // name as a submodule, we always consider that this attribute _could_ be a
    // reference to the submodule, even if we don't know that the submodule has been
    // imported yet.
-    exists(string submodule, Module package, SsaImpl::EssaVariable var |
+    exists(string submodule, Module package, EssaVariable var |
      submodule = var.getName() and
-      initModuleSubmoduleDefn(var.getSourceVariable().getVariable(), package) and
+      initModuleSubmoduleDefn(var.getSourceVariable(), package) and
      m = getModuleFromName(package.getPackageName() + "." + submodule) and
-      result.asCfgNode() = var.getDefinition().(SsaImpl::EssaNodeDefinition).getDefiningNode()
+      result.asCfgNode() = var.getDefinition().(EssaNodeDefinition).getDefiningNode()
    )
  }

--- a/python/ql/lib/semmle/python/dataflow/new/internal/ImportStar.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/ImportStar.qll
@@ -3,7 +3,6 @@ overlay[local]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.internal.Builtins
 private import semmle.python.dataflow.new.internal.ImportResolution
 private import semmle.python.dataflow.new.DataFlow
@@ -16,7 +15,7 @@ module ImportStar {
   */
  overlay[local]
  cached
-  predicate namePossiblyDefinedInImportStar(Cfg::NameNode n, string name, Scope s) {
+  predicate namePossiblyDefinedInImportStar(NameNode n, string name, Scope s) {
    n.isLoad() and
    name = n.getId() and
    s = n.getScope().getEnclosingScope*() and
@@ -53,7 +52,7 @@ module ImportStar {
  /** Holds if a global variable called `name` is assigned a value in the module `m`. */
  cached
  predicate globalNameDefinedInModule(string name, Module m) {
-    exists(Cfg::NameNode n |
+    exists(NameNode n |
      not exists(LocalVariable v | n.defines(v)) and
      n.isStore() and
      name = n.getId() and
@@ -67,7 +66,7 @@ module ImportStar {
   */
  overlay[global]
  cached
-  predicate importStarResolvesTo(Cfg::NameNode n, Module m) {
+  predicate importStarResolvesTo(NameNode n, Module m) {
    m = getStarImported+(n.getEnclosingModule()) and
    globalNameDefinedInModule(n.getId(), m) and
    not isDefinedLocally(n.getNode())
@@ -100,7 +99,7 @@ module ImportStar {
   */
  overlay[local]
  cached
-  Cfg::ControlFlowNode potentialImportStarBase(Scope s) {
-    result = any(Cfg::ImportStarNode n | n.getScope() = s).getModule()
+  ControlFlowNode potentialImportStarBase(Scope s) {
+    result = any(ImportStarNode n | n.getScope() = s).getModule()
  }
 }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/IterableUnpacking.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/IterableUnpacking.qll
@@ -170,8 +170,6 @@ overlay[local]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import DataFlowPublic

 /**
@@ -180,7 +178,7 @@ private import DataFlowPublic
 * This class abstracts away the differing representations of comprehensions and
 * for statements.
 */
-class ForTarget extends Cfg::ControlFlowNode {
+class ForTarget extends ControlFlowNode {
  Expr source;

  ForTarget() {
@@ -200,7 +198,7 @@ class ForTarget extends Cfg::ControlFlowNode {
 }

 /** The LHS of an assignment, it also records the assigned value. */
-class AssignmentTarget extends Cfg::ControlFlowNode {
+class AssignmentTarget extends ControlFlowNode {
  Expr value;

  AssignmentTarget() {
@@ -211,7 +209,7 @@ class AssignmentTarget extends Cfg::ControlFlowNode {
 }

 /** A direct (or top-level) target of an unpacking assignment. */
-class UnpackingAssignmentDirectTarget extends Cfg::ControlFlowNode instanceof Cfg::SequenceNode {
+class UnpackingAssignmentDirectTarget extends ControlFlowNode instanceof SequenceNode {
  Expr value;

  UnpackingAssignmentDirectTarget() {
@@ -224,7 +222,7 @@ class UnpackingAssignmentDirectTarget extends Cfg::ControlFlowNode instanceof Cf
 }

 /** A (possibly recursive) target of an unpacking assignment. */
-class UnpackingAssignmentTarget extends Cfg::ControlFlowNode {
+class UnpackingAssignmentTarget extends ControlFlowNode {
  UnpackingAssignmentTarget() {
    this instanceof UnpackingAssignmentDirectTarget
    or
@@ -233,11 +231,10 @@ class UnpackingAssignmentTarget extends Cfg::ControlFlowNode {
 }

 /** A (possibly recursive) target of an unpacking assignment which is also a sequence. */
-class UnpackingAssignmentSequenceTarget extends UnpackingAssignmentTarget instanceof Cfg::SequenceNode
-{
-  Cfg::ControlFlowNode getElement(int i) { result = super.getElement(i) }
+class UnpackingAssignmentSequenceTarget extends UnpackingAssignmentTarget instanceof SequenceNode {
+  ControlFlowNode getElement(int i) { result = super.getElement(i) }

-  Cfg::ControlFlowNode getAnElement() { result = this.getElement(_) }
+  ControlFlowNode getAnElement() { result = this.getElement(_) }
 }

 /**
@@ -258,7 +255,7 @@ predicate iterableUnpackingAssignmentFlowStep(Node nodeFrom, Node nodeTo) {
 predicate iterableUnpackingForReadStep(CfgNode nodeFrom, Content c, Node nodeTo) {
  exists(ForTarget target |
    nodeFrom.getNode().getNode() = target.getSource() and
-    target instanceof Cfg::SequenceNode and
+    target instanceof SequenceNode and
    nodeTo = TIterableSequenceNode(target)
  ) and
  (
@@ -326,11 +323,11 @@ predicate iterableUnpackingConvertingStoreStep(Node nodeFrom, Content c, Node no
 */
 predicate iterableUnpackingElementReadStep(Node nodeFrom, Content c, Node nodeTo) {
  exists(
-    UnpackingAssignmentSequenceTarget target, int index, Cfg::ControlFlowNode element, int starIndex
+    UnpackingAssignmentSequenceTarget target, int index, ControlFlowNode element, int starIndex
  |
-    target.getElement(starIndex) instanceof Cfg::StarredNode
+    target.getElement(starIndex) instanceof StarredNode
    or
-    not exists(target.getAnElement().(Cfg::StarredNode)) and
+    not exists(target.getAnElement().(StarredNode)) and
    starIndex = -1
  |
    nodeFrom.(CfgNode).getNode() = target and
@@ -345,18 +342,18 @@ predicate iterableUnpackingElementReadStep(Node nodeFrom, Content c, Node nodeTo
        else c.(TupleElementContent).getIndex() >= index - 1
    ) and
    (
-      if element instanceof Cfg::SequenceNode
+      if element instanceof SequenceNode
      then
        // Step 5b
        nodeTo = TIterableSequenceNode(element)
      else
-        if element instanceof Cfg::StarredNode
+        if element instanceof StarredNode
        then
          // Step 5c
          nodeTo = TIterableElementNode(element)
        else
          // Step 5a
-          exists(SsaImpl::MultiAssignmentDefinition mad | element = mad.getDefiningNode() |
+          exists(MultiAssignmentDefinition mad | element = mad.getDefiningNode() |
            nodeTo.(CfgNode).getNode() = element
          )
    )
@@ -369,7 +366,7 @@ predicate iterableUnpackingElementReadStep(Node nodeFrom, Content c, Node nodeTo
 * content type `ListElementContent`.
 */
 predicate iterableUnpackingStarredElementStoreStep(Node nodeFrom, Content c, Node nodeTo) {
-  exists(Cfg::ControlFlowNode starred, SsaImpl::MultiAssignmentDefinition mad |
+  exists(ControlFlowNode starred, MultiAssignmentDefinition mad |
    starred.getNode() instanceof Starred and
    starred = mad.getDefiningNode()
  |
--- a/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -9,7 +9,6 @@ overlay[local]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import DataFlowPublic
 private import DataFlowPrivate
 private import semmle.python.internal.CachedStages
@@ -315,7 +314,7 @@ private module Cached {
   */
  cached
  predicate subscript(LocalSourceNode node, CfgNode subscript, CfgNode index) {
-    exists(CfgNode seq, Cfg::SubscriptNode subscriptNode | subscriptNode = subscript.getNode() |
+    exists(CfgNode seq, SubscriptNode subscriptNode | subscriptNode = subscript.getNode() |
      node.flowsTo(seq) and
      seq.getNode() = subscriptNode.getObject() and
      index.getNode() = subscriptNode.getIndex()
--- a/python/ql/lib/semmle/python/dataflow/new/internal/MatchUnpacking.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/MatchUnpacking.qll
@@ -91,7 +91,9 @@ predicate matchAsFlowStep(Node nodeFrom, Node nodeTo) {
    or
    // the interior pattern flows to the alias
    nodeFrom.(CfgNode).getNode().getNode() = subject.getPattern() and
-    nodeTo.(CfgNode).getNode().getNode() = alias
+    exists(PatternAliasDefinition pad | pad.getDefiningNode().getNode() = alias |
+      nodeTo.(CfgNode).getNode() = pad.getDefiningNode()
+    )
  )
 }

@@ -122,9 +124,11 @@ predicate matchLiteralFlowStep(Node nodeFrom, Node nodeTo) {
 * syntax (toplevel): `case var:`
 */
 predicate matchCaptureFlowStep(Node nodeFrom, Node nodeTo) {
-  exists(MatchCapturePattern capture |
+  exists(MatchCapturePattern capture, Name var | capture.getVariable() = var |
    nodeFrom.(CfgNode).getNode().getNode() = capture and
-    nodeTo.(CfgNode).getNode().getNode() = capture.getVariable()
+    exists(PatternCaptureDefinition pcd | pcd.getDefiningNode().getNode() = var |
+      nodeTo.(CfgNode).getNode() = pcd.getDefiningNode()
+    )
  )
 }

--- a/python/ql/lib/semmle/python/dataflow/new/internal/SsaImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/SsaImpl.qll
@@ -1,548 +0,0 @@
-/**
- * Provides the Python SSA implementation built on the new (shared) CFG.
- *
- * Mirrors the Java SSA adapter at
- * `java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll`:
- * an `InputSig` is defined in terms of positional `(BasicBlock, int)`
- * variable references, and the shared
- * `codeql.ssa.Ssa::Make<Location, Cfg, Input>` module is then
- * instantiated.
- *
- * `SourceVariable` is the AST-level `Py::Variable`. Variable references
- * are looked up via the CFG facade's `NameNode.defines`/`uses`/`deletes`
- * predicates, which themselves are one-line bridges to AST-level
- * `Name.defines`/`uses`/`deletes`.
- *
- * Implicit-entry definitions are inserted for:
- *   - non-local / global / builtin variables that are read in the scope
- *     but never assigned (no enclosing CFG node defines them),
- *   - captured variables (variables defined in an enclosing scope that
- *     are read inside the scope), and
- *   - parameters, but only if the corresponding parameter name is *not*
- *     itself a CFG node. With the C#-style parameter wiring already
- *     installed in `AstNodeImpl.qll`, parameter names *are* CFG nodes,
- *     so the regular `variableWrite` path handles them — no `i = -1`
- *     entry is needed for ordinary parameters.
- */
-overlay[local?]
-module;
-
-private import python as Py
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import codeql.ssa.Ssa as SsaImplCommon
-private import codeql.controlflow.BasicBlock as BB
-
-/**
- * Adapts the Python `Cfg` facade to the shared SSA library's `CfgSig`.
- * All members are inherited from `Cfg::ControlFlowNode` and
- * `Cfg::BasicBlock`.
- */
-private module CfgForSsa implements BB::CfgSig<Py::Location> {
-  class ControlFlowNode = CfgImpl::ControlFlowNode;
-
-  class BasicBlock = CfgImpl::BasicBlock;
-
-  class EntryBasicBlock = CfgImpl::Cfg::EntryBasicBlock;
-
-  predicate dominatingEdge = CfgImpl::Cfg::dominatingEdge/2;
-}
-
-/**
- * A source variable for SSA, wrapping a Python AST `Variable`.
- *
- * We only track variables that are read at least once in their scope —
- * tracking write-only variables would be unnecessary work — *except*
- * for module-scope globals, where the "read" can be external (e.g.
- * `import mymodule; mymodule.x`). Such globals are tracked
- * unconditionally so that import-resolution can find their defining
- * write.
- */
-private newtype TSsaSourceVariable =
-  TPyVar(Py::Variable v) {
-    // Has a use somewhere — read-relevant for SSA.
-    exists(Cfg::NameNode n | n.uses(v))
-    or
-    // Or has a deletion (treated as a write that destroys the value).
-    exists(Cfg::NameNode n | n.deletes(v))
-    or
-    // Or is a module-scope global written in this module — must be
-    // tracked even if never read locally, because importers may read
-    // it as an attribute on the module object.
-    v.getScope() instanceof Py::Module and
-    exists(Cfg::NameNode n | n.defines(v))
-    or
-    // Or is a parameter — parameters must always have a
-    // `ParameterDefinition` for dataflow argument-routing to work,
-    // even if the parameter is never read in its scope. Mirrors
-    // legacy ESSA's `ParameterDefinition` (which fired for every
-    // parameter binding regardless of liveness).
-    exists(Py::Parameter p | p.asName() = v.getAStore())
-  }
-
-/**
- * A source variable for SSA, wrapping a Python AST `Variable`.
- */
-class SsaSourceVariable extends TSsaSourceVariable {
-  /** Gets the underlying Python AST variable. */
-  Py::Variable getVariable() { this = TPyVar(result) }
-
-  /** Gets the (textual) name of this variable. */
-  string getName() { result = this.getVariable().getId() }
-
-  /** Gets a textual representation of this source variable. */
-  string toString() { result = this.getVariable().toString() }
-
-  /** Gets the location of this source variable. */
-  Py::Location getLocation() { result = this.getVariable().getScope().getLocation() }
-
-  /** Gets the scope in which this variable lives. */
-  Py::Scope getScope() { result = this.getVariable().getScope() }
-
-  /**
-   * Gets a use of this variable as it appears in the source — a `NameNode`
-   * that loads or deletes the variable. Mirrors legacy
-   * `SsaSourceVariable.getASourceUse()`.
-   */
-  Cfg::ControlFlowNode getASourceUse() {
-    exists(Cfg::NameNode n | result = n |
-      n.uses(this.getVariable()) or n.deletes(this.getVariable())
-    )
-  }
-
-  /**
-   * Gets an implicit use of this variable. The new SSA does not have
-   * implicit-use refinements, but we keep this for API parity — every
-   * normal-exit of the variable's scope counts as a sink, ensuring
-   * variables stay live to scope exit for taint-tracking.
-   */
-  Cfg::ControlFlowNode getAnImplicitUse() {
-    result.isNormalExit() and result.getScope() = this.getScope()
-  }
-
-  /**
-   * Gets a use of this variable — either an explicit source use or an
-   * implicit use at scope exit. Mirrors legacy `SsaSourceVariable.getAUse()`.
-   */
-  Cfg::ControlFlowNode getAUse() {
-    result = this.getASourceUse() or result = this.getAnImplicitUse()
-  }
-}
-
-/**
- * Holds if `v` is a non-local read in scope `s`, in the sense that `s`
- * uses `v` but does not write it within `s`. This includes globals,
- * builtins, and variables captured from an enclosing function scope.
- *
- * The `Py::Variable` `v` lives in some defining scope (the module for
- * globals, an outer function for closures, etc.); the reading scope
- * `s` is the scope where the use of `v` occurs.
- */
-private predicate nonLocalReadIn(Py::Variable v, Py::Scope s) {
-  exists(Cfg::NameNode n |
-    n.uses(v) and
-    n.getScope() = s and
-    not exists(Cfg::NameNode def | def.defines(v) and def.getScope() = s)
-  ) and
-  // Match legacy ESSA: only create entry defs for variables that have
-  // at least one defining store somewhere — otherwise the entry def
-  // represents "nothing reaches here", which is the default anyway and
-  // introduces no useful flow. (Legacy's `ModuleVariable` required a
-  // store; this is the closure-aware generalisation.)
-  exists(Cfg::NameNode store | store.defines(v))
-}
-
-/**
- * Holds if `bb` is the entry basic block of a scope where `v` should
- * have an implicit entry definition. This covers:
- *   - non-local / global / builtin variables read in `s`, and
- *   - captured variables (defined in an enclosing scope but read in `s`).
- *
- * Each reading scope gets its own entry def, so a closure variable can
- * have multiple entry defs across all functions/methods that read it.
- *
- * Parameters are *not* included: their bound `Name` is itself a CFG
- * node (per the C#-style parameter wiring), so `variableWrite` fires at
- * the parameter's natural CFG index.
- */
-private predicate hasEntryDefIn(SsaSourceVariable v, CfgImpl::BasicBlock bb) {
-  exists(Py::Scope s |
-    nonLocalReadIn(v.getVariable(), s) and
-    bb = entryBlock(s)
-  )
-}
-
-/**
- * Gets the entry basic block of scope `s`, where implicit entry
- * definitions are placed (at synthetic index `-1`).
- */
-private CfgImpl::BasicBlock entryBlock(Py::Scope s) {
-  exists(CfgImpl::ControlFlowNode entry |
-    entry instanceof CfgImpl::ControlFlow::EntryNode and
-    entry.getEnclosingCallable().asScope() = s and
-    result = entry.getBasicBlock()
-  )
-}
-
-/**
- * The SSA `InputSig` for Python. References are positional
- * `(BasicBlock, int)` pairs into the new CFG.
- */
-private module SsaImplInput implements SsaImplCommon::InputSig<Py::Location, CfgImpl::BasicBlock> {
-  class SourceVariable = SsaSourceVariable;
-
-  predicate variableWrite(CfgImpl::BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    // Explicit binding at a CFG node — includes assignments,
-    // parameter Names (wired in via the C# pattern), exception-handler
-    // `as`-bindings, import aliases, and match-pattern captures.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.defines(v.getVariable()) and
-      certain = true
-    )
-    or
-    // `del x` — removes the binding. Modelled as a certain write that
-    // makes any subsequent read invalid.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.deletes(v.getVariable()) and
-      certain = true
-    )
-    or
-    // Implicit entry definition for non-local / captured / global /
-    // builtin variables read in some scope. Each reading scope's entry
-    // block gets one such write, allowing closures: e.g. when `x` is a
-    // parameter of an outer function and read inside a nested
-    // function, both scopes get entry defs for `x`.
-    hasEntryDefIn(v, bb) and
-    i = -1 and
-    certain = true
-    or
-    // `from X import *` — possibly rebinds every name in the importing
-    // scope. Modelled as an uncertain write at the import-star's CFG
-    // position for every variable that lives in (or is referenced
-    // from) the same scope as the import-star. Mirrors legacy ESSA's
-    // `ImportStarRefinement` (see `essa/SsaDefinitions.qll`'s
-    // `import_star_refinement` predicate). The write is uncertain so
-    // that prior definitions of the variable remain available — the
-    // shared-SSA `SsaUncertainWrite` merges the new value with the
-    // immediately preceding definition.
-    exists(Cfg::ImportStarNode imp |
-      imp.injects(_) and
-      bb.getNode(i) = imp and
-      certain = false and
-      (
-        v.getVariable().getScope() = imp.getScope()
-        or
-        // Variable is defined in some other scope but referenced in
-        // the same scope as the import-star (matches legacy clause 2:
-        // `other.uses(v) and def.getScope() = other.getScope()`).
-        exists(Cfg::NameNode other |
-          other.uses(v.getVariable()) and
-          imp.getScope() = other.getScope()
-        )
-      )
-    )
-  }
-
-  predicate variableRead(CfgImpl::BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    // Explicit source use — a `Name` load or a `del x` of the variable.
-    exists(Cfg::NameNode n |
-      bb.getNode(i) = n and
-      n.uses(v.getVariable()) and
-      certain = true
-    )
-    or
-    // Synthetic use at the normal exit of the variable's defining scope.
-    // This keeps every variable live to scope exit so that callers (e.g.
-    // `module_export` in ImportResolution.qll, or taint-tracking pass-through
-    // through unread locals) can ask "which definition reaches end of
-    // scope?". Mirrors legacy ESSA's `SsaSourceVariable.getAUse()` which
-    // included `getScope().getANormalExit()`.
-    exists(Cfg::ControlFlowNode exit |
-      exit.isNormalExit() and
-      exit.getScope() = v.getVariable().getScope() and
-      bb.getNode(i) = exit and
-      certain = true
-    )
-  }
-}
-
-/**
- * The shared SSA instantiation for Python.
- *
- * Members:
- *   - `Definition` — the union of explicit, uncertain, and phi definitions
- *   - `WriteDefinition`, `UncertainWriteDefinition`, `PhiNode`
- *   - the standard SSA predicates (`getAUse`, `getAnUltimateDefinition`, ...).
- */
-module Ssa = SsaImplCommon::Make<Py::Location, CfgForSsa, SsaImplInput>;
-
-final class Definition = Ssa::Definition;
-
-final class WriteDefinition = Ssa::WriteDefinition;
-
-final class UncertainWriteDefinition = Ssa::UncertainWriteDefinition;
-
-final class PhiNode = Ssa::PhiNode;
-
-// ===========================================================================
-// ESSA-shaped adapter layer
-//
-// The dataflow library (`python/ql/lib/semmle/python/dataflow/new/`) and
-// related modules (`ApiGraphs.qll`, etc.) consume the legacy ESSA API
-// (`EssaVariable`, `EssaDefinition`, `AssignmentDefinition`,
-// `ScopeEntryDefinition`, `ParameterDefinition`, `WithDefinition`,
-// `PhiFunction`, plus the `AdjacentUses` module). To migrate them off
-// the legacy CFG, we expose the same API surface on top of the
-// shared SSA built above.
-//
-// This adapter is intentionally narrow: it covers only the predicates
-// that new dataflow consumes. The richer legacy ESSA — refinement
-// nodes, attribute refinements, edge refinements — stays available
-// via `semmle.python.essa.Essa` for points-to / legacy code.
-// ===========================================================================
-/**
- * Gets the CFG node at which a write definition's binding takes place.
- *
- * For ordinary writes (assignment, deletion, parameter) this is the
- * canonical CFG node of the bound Name. For implicit entry definitions
- * (synthesised at position `-1` of a scope's entry BB) this is the
- * scope's entry node.
- */
-private Cfg::ControlFlowNode writeDefNode(Ssa::WriteDefinition def) {
-  exists(CfgImpl::BasicBlock bb, int i | def.definesAt(_, bb, i) |
-    i >= 0 and result = bb.getNode(i)
-    or
-    i = -1 and result = bb.getNode(0)
-  )
-}
-
-/**
- * A write definition whose binding has a corresponding CFG node — i.e.
- * everything that's not a phi node. Mirrors legacy ESSA's
- * `EssaNodeDefinition`.
- */
-class EssaNodeDefinition extends Ssa::WriteDefinition {
-  /** Gets the CFG node where this definition's binding takes place. */
-  Cfg::ControlFlowNode getDefiningNode() { result = writeDefNode(this) }
-
-  /** Gets the variable defined here (legacy name). */
-  SsaSourceVariable getVariable() { result = this.getSourceVariable() }
-
-  /** Gets the enclosing scope. */
-  Py::Scope getScope() {
-    exists(Cfg::ControlFlowNode n | n = this.getDefiningNode() | result = n.getScope())
-  }
-
-  /**
-   * Holds if this definition defines source variable `v` at CFG node
-   * `defNode`. Flatter form of `getSourceVariable()` +
-   * `getDefiningNode()`, matching legacy ESSA's `definedBy`.
-   */
-  predicate definedBy(SsaSourceVariable v, Cfg::ControlFlowNode defNode) {
-    v = this.getSourceVariable() and defNode = this.getDefiningNode()
-  }
-}
-
-/**
- * An assignment definition: any binding where the value being assigned
- * is statically known via `Cfg::DefinitionNode.getValue()`. Includes
- * plain assignments, walrus, annotated assignments, augmented
- * assignments, import aliases (`import x` / `from m import x [as y]`),
- * `with ... as x`, and for-target bindings (where `getValue()` returns
- * the iter expression's CFG node). Excludes parameter bindings —
- * those are modelled by `ParameterDefinition`.
- */
-class AssignmentDefinition extends EssaNodeDefinition {
-  AssignmentDefinition() {
-    exists(Cfg::NameNode n | n = this.getDefiningNode() |
-      exists(n.(Cfg::DefinitionNode).getValue()) and
-      not n.(Cfg::ControlFlowNode).isParameter()
-    )
-  }
-
-  /** Gets the CFG node for the value being assigned, if statically known. */
-  Cfg::ControlFlowNode getValue() {
-    result = this.getDefiningNode().(Cfg::DefinitionNode).getValue()
-  }
-}
-
-/**
- * A parameter definition — the binding of a parameter name in a
- * function's scope.
- */
-class ParameterDefinition extends EssaNodeDefinition {
-  ParameterDefinition() { this.getDefiningNode().isParameter() }
-
-  /** Gets the AST `Parameter` (a `Py::Name` in param context). */
-  Py::Name getParameter() { result = this.getDefiningNode().getNode() }
-}
-
-/**
- * A definition introduced by a `with ... as x:` clause.
- */
-class WithDefinition extends EssaNodeDefinition {
-  WithDefinition() {
-    exists(Cfg::NameNode n, Py::With w |
-      n = this.getDefiningNode() and
-      w.getOptionalVars() = n.getNode()
-    )
-  }
-}
-
-/**
- * An assignment where the LHS is a tuple/list and the RHS is unpacked:
- * `a, b = (1, 2)` or `a, *rest = xs`. The SSA def lives at the inner
- * `Name` CFG node, but for IterableUnpacking integration we expose
- * the enclosing `StarredNode` as the `getDefiningNode()` for `*rest`
- * patterns — mirroring legacy ESSA's `multi_assignment_definition`,
- * which placed the def at the StarredNode CFG node.
- */
-class MultiAssignmentDefinition extends EssaNodeDefinition {
-  MultiAssignmentDefinition() {
-    exists(Cfg::NameNode n | n = super.getDefiningNode() |
-      exists(Py::Assign a, Py::Expr lhs |
-        a.getATarget() = lhs and
-        (lhs instanceof Py::Tuple or lhs instanceof Py::List) and
-        lhs.getASubExpression+() = n.getNode()
-      )
-      or
-      // For-loop with tuple/list target: `for a, b in xs:` —
-      // tuple-unpacking semantics applies to the for-target.
-      exists(Py::For f, Py::Expr lhs |
-        f.getTarget() = lhs and
-        (lhs instanceof Py::Tuple or lhs instanceof Py::List) and
-        lhs.getASubExpression+() = n.getNode()
-      )
-    )
-  }
-
-  override Cfg::ControlFlowNode getDefiningNode() {
-    // Default: the underlying `Name` CFG node (where the SSA def lives).
-    not exists(Cfg::StarredNode s |
-      s.getNode().(Py::Starred).getValue() = super.getDefiningNode().getNode()
-    ) and
-    result = super.getDefiningNode()
-    or
-    // Exception: for `*rest`, expose the enclosing `Starred` CFG node
-    // so that `IterableUnpacking::iterableUnpackingStarredElementStoreStep`
-    // can attach the rest-list to it.
-    exists(Cfg::StarredNode s |
-      s.getNode().(Py::Starred).getValue() = super.getDefiningNode().getNode()
-    |
-      result = s
-    )
-  }
-}
-
-/**
- * An implicit entry definition for a non-local / captured / global /
- * builtin variable read in a scope but not defined there.
- *
- * Inherits from `EssaNodeDefinition` and exposes the scope's entry node
- * as its defining node (matching legacy ESSA semantics).
- */
-class ScopeEntryDefinition extends EssaNodeDefinition {
-  ScopeEntryDefinition() {
-    exists(CfgImpl::BasicBlock bb |
-      this.definesAt(_, bb, -1) and
-      bb instanceof CfgImpl::Cfg::EntryBasicBlock
-    )
-  }
-
-  /** Gets the enclosing scope (the scope whose entry block this def is in). */
-  override Py::Scope getScope() {
-    exists(CfgImpl::BasicBlock bb |
-      this.definesAt(_, bb, -1) and
-      result = bb.getNode(0).(Cfg::ControlFlowNode).getScope()
-    )
-  }
-}
-
-/** A phi node (alias matching legacy naming). */
-class PhiFunction extends PhiNode {
-  /**
-   * Gets an input to this phi function (a definition that flows into
-   * the phi from one of its predecessor blocks). Mirrors legacy
-   * ESSA's `PhiFunction.getAnInput()`.
-   */
-  Ssa::Definition getAnInput() { Ssa::phiHasInputFromBlock(this, result, _) }
-}
-
-/** Base class for all ESSA definitions (legacy-shaped). */
-class EssaDefinition = Ssa::Definition;
-
-/**
- * An adapter representing a single SSA-defined "variable" — wrapping
- * one `Ssa::Definition`. Mirrors legacy `EssaVariable` API.
- */
-class EssaVariable extends Ssa::Definition {
-  /** Gets the underlying SSA definition (legacy name). */
-  Ssa::Definition getDefinition() { result = this }
-
-  /**
-   * Gets a CFG node where this definition is used. Includes regular
-   * `Name` reads as well as the synthetic scope-exit "use" registered
-   * via `SsaImplInput::variableRead` — mirrors legacy ESSA's
-   * `EssaVariable.getAUse()` which inherited the synthetic exit-use
-   * from `SsaSourceVariable`.
-   */
-  Cfg::ControlFlowNode getAUse() {
-    exists(CfgImpl::BasicBlock bb, int i |
-      Ssa::ssaDefReachesRead(this.getSourceVariable(), this, bb, i) and
-      bb.getNode(i) = result
-    )
-  }
-
-  /** Gets the (textual) name of the underlying variable. */
-  string getName() { result = this.getSourceVariable().getVariable().getId() }
-
-  /** Gets the scope in which this variable lives. */
-  Py::Scope getScope() { result = this.getSourceVariable().getVariable().getScope() }
-
-  /** Gets an ultimate non-phi ancestor of this definition. */
-  EssaVariable getAnUltimateDefinition() {
-    if this instanceof PhiNode
-    then
-      exists(Ssa::Definition input |
-        Ssa::phiHasInputFromBlock(this, input, _) and
-        result = input.(EssaVariable).getAnUltimateDefinition()
-      )
-    else result = this
-  }
-}
-
-/**
- * Adjacent use-use and def-use relations exposed by the shared SSA
- * library. Provides the same interface as legacy
- * `semmle.python.essa.SsaCompute::AdjacentUses`.
- */
-module AdjacentUses {
-  /** Holds if `nodeFrom` and `nodeTo` are adjacent uses of the same SSA variable. */
-  predicate adjacentUseUse(Cfg::NameNode nodeFrom, Cfg::NameNode nodeTo) {
-    exists(SsaSourceVariable v, CfgImpl::BasicBlock bb1, int i1, CfgImpl::BasicBlock bb2, int i2 |
-      Ssa::adjacentUseUse(bb1, i1, bb2, i2, v, _) and
-      nodeFrom = bb1.getNode(i1) and
-      nodeTo = bb2.getNode(i2)
-    )
-  }
-
-  /** Holds if `use` is a first use of definition `def`. */
-  predicate firstUse(Ssa::Definition def, Cfg::NameNode use) {
-    exists(CfgImpl::BasicBlock bb, int i |
-      Ssa::firstUse(def, bb, i, _) and
-      use = bb.getNode(i)
-    )
-  }
-
-  /**
-   * Holds if `use` is any reachable use of definition `def`. Combines
-   * `firstUse` with transitive use-use adjacency.
-   */
-  predicate useOfDef(Ssa::Definition def, Cfg::NameNode use) {
-    firstUse(def, use)
-    or
-    exists(Cfg::NameNode mid | useOfDef(def, mid) and adjacentUseUse(mid, use))
-  }
-}
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -1,6 +1,4 @@
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -99,7 +97,7 @@ import Cached
 * and isn't a big problem in practice.
 */
 predicate concatStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
-  exists(Cfg::BinaryExprNode add | add = nodeTo.getNode() |
+  exists(BinaryExprNode add | add = nodeTo.getNode() |
    add.getOp() instanceof Add and add.getAnOperand() = nodeFrom.getNode()
  )
 }
@@ -108,7 +106,7 @@ predicate concatStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
 * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to subscripting.
 */
 predicate subscriptStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
-  nodeTo.getNode().(Cfg::SubscriptNode).getObject() = nodeFrom.getNode()
+  nodeTo.getNode().(SubscriptNode).getObject() = nodeFrom.getNode()
 }

 /**
@@ -124,15 +122,15 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
    (
      call = API::builtin(["str", "bytes", "unicode"]).getACall()
      or
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() in ["str", "bytes", "unicode"]
+      call.getFunction().asCfgNode().(NameNode).getId() in ["str", "bytes", "unicode"]
    ) and
    nodeFrom in [call.getArg(0), call.getArgByName("object")]
  )
  or
  // String methods. Note that this doesn't recognize `meth = "foo".upper; meth()`
-  exists(Cfg::CallNode call, string method_name, Cfg::ControlFlowNode object |
+  exists(CallNode call, string method_name, ControlFlowNode object |
    call = nodeTo.getNode() and
-    object = call.getFunction().(Cfg::AttrNode).getObject(method_name)
+    object = call.getFunction().(AttrNode).getObject(method_name)
  |
    nodeFrom.getNode() = object and
    method_name in [
@@ -158,7 +156,7 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
  )
  or
  // % formatting
-  exists(Cfg::BinaryExprNode fmt | fmt = nodeTo.getNode() |
+  exists(BinaryExprNode fmt | fmt = nodeTo.getNode() |
    fmt.getOp() instanceof Mod and
    (
      fmt.getLeft() = nodeFrom.getNode()
@@ -168,7 +166,7 @@ predicate stringManipulation(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeT
  )
  or
  // string multiplication -- `"foo" * 10`
-  exists(Cfg::BinaryExprNode mult | mult = nodeTo.getNode() |
+  exists(BinaryExprNode mult | mult = nodeTo.getNode() |
    mult.getOp() instanceof Mult and
    mult.getLeft() = nodeFrom.getNode()
  )
@@ -215,8 +213,8 @@ predicate awaitStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 * the variable `f` is tainted if the result of `open("foo")` is tainted.
 */
 predicate asyncWithStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-  exists(With with, Cfg::ControlFlowNode contextManager, Cfg::ControlFlowNode var |
-    var = any(SsaImpl::WithDefinition wd).getDefiningNode()
+  exists(With with, ControlFlowNode contextManager, ControlFlowNode var |
+    var = any(WithDefinition wd).getDefiningNode()
  |
    nodeFrom.(DataFlow::CfgNode).getNode() = contextManager and
    nodeTo.(DataFlow::CfgNode).getNode() = var and
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll
@@ -2,8 +2,6 @@ import codeql.util.Unit
 import codeql.typetracking.TypeTracking as Shared
 import codeql.typetracking.internal.TypeTrackingImpl as SharedImpl
 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import semmle.python.internal.CachedStages
 private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
@@ -164,7 +162,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
    // ignore the flow steps from the synthetic sequence node to the real sequence node,
    // since we only support one level of content in type-trackers, and the nested
    // structure requires two levels at least to be useful.
-    not exists(Cfg::SequenceNode outer |
+    not exists(SequenceNode outer |
      outer.getAnElement() = nodeTo.asCfgNode() and
      IterableUnpacking::iterableUnpackingTupleFlowStep(nodeFrom, nodeTo)
    )
@@ -269,7 +267,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
    // Since we only support one level of content in type-trackers we don't actually
    // support `(aa, ab), (ba, bb) = ...`. Therefore we exclude the read-step from `(aa,
    // ab)` to `aa` (since it is not needed).
-    not exists(Cfg::SequenceNode outer |
+    not exists(SequenceNode outer |
      outer.getAnElement() = nodeFrom.asCfgNode() and
      IterableUnpacking::iterableUnpackingTupleFlowStep(_, nodeFrom)
    ) and
@@ -279,7 +277,7 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
      IterableUnpacking::iterableUnpackingForReadStep(_, _, seq) and
      IterableUnpacking::iterableUnpackingConvertingReadStep(seq, _, elem) and
      IterableUnpacking::iterableUnpackingConvertingStoreStep(elem, _, nodeFrom) and
-      nodeFrom.asCfgNode() instanceof Cfg::SequenceNode
+      nodeFrom.asCfgNode() instanceof SequenceNode
    )
    or
    TypeTrackerSummaryFlow::basicLoadStep(nodeFrom, nodeTo, DataFlowPublic::singleton(content))
@@ -317,15 +315,13 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
    //
    // nodeFrom is `expr`
    // nodeTo is entry node for `f`
-    exists(
-      SsaImpl::ScopeEntryDefinition e, SsaImpl::SsaSourceVariable var, Cfg::DefinitionNode def
-    |
+    exists(ScopeEntryDefinition e, SsaSourceVariable var, DefinitionNode def |
      e.getSourceVariable() = var and
-      def.getNode() = var.getVariable().getAStore()
+      var.hasDefiningNode(def)
    |
      nodeTo.(DataFlowPublic::ScopeEntryDefinitionNode).getDefinition() = e and
      nodeFrom.asCfgNode() = def and
-      var.getVariable().getScope().getScope*() = nodeFrom.getScope()
+      var.getScope().getScope*() = nodeFrom.getScope()
    )
  }

--- a/python/ql/lib/semmle/python/dataflow/new/internal/VariableCapture.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/VariableCapture.qll
@@ -3,9 +3,6 @@ overlay[local]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-private import semmle.python.dataflow.new.internal.SsaImpl as SsaImpl
 private import DataFlowPublic
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
 private import codeql.dataflow.VariableCapture as Shared
@@ -17,10 +14,10 @@ private import codeql.dataflow.VariableCapture as Shared
 // The first is the main implementation, the second is a performance motivated restriction.
 // The restriction is to clear any `CapturedVariableContent` before writing a new one
 // to avoid long access paths (see the link for a nice explanation).
-private module CaptureInput implements Shared::InputSig<Location, CfgImpl::BasicBlock> {
+private module CaptureInput implements Shared::InputSig<Location, Cfg::BasicBlock> {
  private import python as PY

-  additional class ExprCfgNode extends Cfg::ControlFlowNode {
+  additional class ExprCfgNode extends ControlFlowNode {
    ExprCfgNode() { isExpressionNode(this) }
  }

@@ -28,9 +25,7 @@ private module CaptureInput implements Shared::InputSig<Location, CfgImpl::Basic
    predicate isConstructor() { none() }
  }

-  Callable basicBlockGetEnclosingCallable(CfgImpl::BasicBlock bb) {
-    result = bb.getEnclosingCallable().asScope()
-  }
+  Callable basicBlockGetEnclosingCallable(Cfg::BasicBlock bb) { result = bb.getScope() }

  class CapturedVariable extends LocalVariable {
    Function f;
@@ -56,23 +51,21 @@ private module CaptureInput implements Shared::InputSig<Location, CfgImpl::Basic
  class CapturedParameter extends CapturedVariable {
    CapturedParameter() { this.isParameter() }

-    Cfg::ControlFlowNode getCfgNode() { result.getNode().(Parameter) = this.getAnAccess() }
+    ControlFlowNode getCfgNode() { result.getNode().(Parameter) = this.getAnAccess() }
  }

  class Expr extends ExprCfgNode {
-    predicate hasCfgNode(CfgImpl::BasicBlock bb, int i) { this = bb.getNode(i) }
+    predicate hasCfgNode(Cfg::BasicBlock bb, int i) { this = bb.getNode(i) }
  }

-  class VariableWrite extends Cfg::ControlFlowNode {
+  class VariableWrite extends ControlFlowNode {
    CapturedVariable v;

-    VariableWrite() {
-      exists(Cfg::DefinitionNode d | d.getNode() = v.getAStore() | this = d.getValue())
-    }
+    VariableWrite() { exists(DefinitionNode d | d.getNode() = v.getAStore() | this = d.getValue()) }

    CapturedVariable getVariable() { result = v }

-    predicate hasCfgNode(CfgImpl::BasicBlock bb, int i) { this = bb.getNode(i) }
+    predicate hasCfgNode(Cfg::BasicBlock bb, int i) { this = bb.getNode(i) }
  }

  class VariableRead extends Expr {
@@ -87,14 +80,9 @@ private module CaptureInput implements Shared::InputSig<Location, CfgImpl::Basic
    // TODO: Other languages have an extra case here looking like
    //   simpleAstFlowStep(nodeFrom, nodeTo)
    // we should investigate the potential benefit of adding that.
-    exists(SsaImpl::EssaVariable def |
+    exists(SsaVariable def |
      def.getAUse() = nodeTo and
-      def.getAnUltimateDefinition()
-          .getDefinition()
-          .(SsaImpl::EssaNodeDefinition)
-          .getDefiningNode()
-          .(Cfg::DefinitionNode)
-          .getValue() = nodeFrom
+      def.getAnUltimateDefinition().getDefinition().(DefinitionNode).getValue() = nodeFrom
    )
  }

@@ -119,7 +107,7 @@ class CapturedVariable = CaptureInput::CapturedVariable;

 class ClosureExpr = CaptureInput::ClosureExpr;

-module Flow = Shared::Flow<Location, Cfg::CfgSigImpl, CaptureInput>;
+module Flow = Shared::Flow<Location, Cfg, CaptureInput>;

 private Flow::ClosureNode asClosureNode(Node n) {
  result = n.(SynthCaptureNode).getSynthesizedCaptureNode()
--- a/python/ql/lib/semmle/python/frameworks/Bottle.qll
+++ b/python/ql/lib/semmle/python/frameworks/Bottle.qll
@@ -4,7 +4,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -158,9 +157,9 @@ module Bottle {
        DataFlow::Node value;

        HeaderWriteSubscript() {
-          exists(Cfg::SubscriptNode subscript |
+          exists(SubscriptNode subscript |
            this.asCfgNode() = subscript and
-            value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+            value.asCfgNode() = subscript.(DefinitionNode).getValue() and
            name.asCfgNode() = subscript.getIndex() and
            subscript.getObject() = headers().asSource().asCfgNode()
          )
--- a/python/ql/lib/semmle/python/frameworks/Django.qll
+++ b/python/ql/lib/semmle/python/frameworks/Django.qll
@@ -4,7 +4,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
@@ -1306,7 +1305,7 @@ module PrivateDjango {
                  dict.(DataFlow::MethodCallNode).calls(files, "dict")
                )
              |
-                this.asCfgNode().(Cfg::SubscriptNode).getObject() = dict.asCfgNode()
+                this.asCfgNode().(SubscriptNode).getObject() = dict.asCfgNode()
                or
                this.(DataFlow::MethodCallNode).calls(dict, "get")
              )
@@ -1315,7 +1314,7 @@ module PrivateDjango {
              exists(DataFlow::AttrRead files, DataFlow::MethodCallNode getlistCall |
                files.accesses(instance(), "FILES") and
                getlistCall.calls(files, "getlist") and
-                this.asCfgNode().(Cfg::SubscriptNode).getObject() = getlistCall.asCfgNode()
+                this.asCfgNode().(SubscriptNode).getObject() = getlistCall.asCfgNode()
              )
            }
          }
@@ -2217,7 +2216,7 @@ module PrivateDjango {
          DataFlow::Node value;

          DjangoResponseCookieSubscriptWrite() {
-            exists(Cfg::SubscriptNode subscript, DataFlow::AttrRead cookieLookup |
+            exists(SubscriptNode subscript, DataFlow::AttrRead cookieLookup |
              // To give `this` a value, we need to choose between either LHS or RHS,
              // and just go with the LHS
              this.asCfgNode() = subscript
@@ -2229,7 +2228,7 @@ module PrivateDjango {
              |
                cookieLookup.flowsTo(subscriptObj)
              ) and
-              value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+              value.asCfgNode() = subscript.(DefinitionNode).getValue() and
              index.asCfgNode() = subscript.getIndex()
            )
          }
@@ -2250,7 +2249,7 @@ module PrivateDjango {
          DataFlow::Node value;

          DjangoResponseHeaderSubscriptWrite() {
-            exists(Cfg::SubscriptNode subscript, DataFlow::AttrRead headerLookup |
+            exists(SubscriptNode subscript, DataFlow::AttrRead headerLookup |
              // To give `this` a value, we need to choose between either LHS or RHS,
              // and just go with the LHS
              this.asCfgNode() = subscript
@@ -2262,7 +2261,7 @@ module PrivateDjango {
              |
                headerLookup.flowsTo(subscriptObj)
              ) and
-              value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+              value.asCfgNode() = subscript.(DefinitionNode).getValue() and
              index.asCfgNode() = subscript.getIndex()
            )
          }
@@ -2285,14 +2284,14 @@ module PrivateDjango {
          DataFlow::Node value;

          DjangoResponseSubscriptWrite() {
-            exists(Cfg::SubscriptNode subscript |
+            exists(SubscriptNode subscript |
              // To give `this` a value, we need to choose between either LHS or RHS,
              // and just go with the LHS
              this.asCfgNode() = subscript
            |
              subscript.getObject() =
                DjangoImpl::DjangoHttp::Response::HttpResponse::instance().asCfgNode() and
-              value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+              value.asCfgNode() = subscript.(DefinitionNode).getValue() and
              index.asCfgNode() = subscript.getIndex()
            )
          }
@@ -2427,7 +2426,7 @@ module PrivateDjango {
    /** Gets a reference to the result of calling the `as_view` classmethod of this class. */
    private DataFlow::TypeTrackingNode asViewResult(DataFlow::TypeTracker t) {
      t.start() and
-      result.asCfgNode().(Cfg::CallNode).getFunction() = this.asViewRef().asCfgNode()
+      result.asCfgNode().(CallNode).getFunction() = this.asViewRef().asCfgNode()
      or
      exists(DataFlow::TypeTracker t2 | result = this.asViewResult(t2).track(t2, t))
    }
--- a/python/ql/lib/semmle/python/frameworks/FastApi.qll
+++ b/python/ql/lib/semmle/python/frameworks/FastApi.qll
@@ -4,7 +4,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
@@ -442,7 +441,7 @@ module FastApi {
      DataFlow::Node value;

      HeaderSubscriptWrite() {
-        exists(Cfg::SubscriptNode subscript, DataFlow::AttrRead headerLookup |
+        exists(SubscriptNode subscript, DataFlow::AttrRead headerLookup |
          // To give `this` a value, we need to choose between either LHS or RHS,
          // and just go with the LHS
          this.asCfgNode() = subscript
@@ -451,7 +450,7 @@ module FastApi {
          exists(DataFlow::Node subscriptObj | subscriptObj.asCfgNode() = subscript.getObject() |
            headerLookup.flowsTo(subscriptObj)
          ) and
-          value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+          value.asCfgNode() = subscript.(DefinitionNode).getValue() and
          index.asCfgNode() = subscript.getIndex()
        )
      }
--- a/python/ql/lib/semmle/python/frameworks/Gradio.qll
+++ b/python/ql/lib/semmle/python/frameworks/Gradio.qll
@@ -4,7 +4,6 @@
 */

 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.ApiGraphs
@@ -52,9 +51,9 @@ module Gradio {
        // limit only to lists of parameters given to `inputs`.
        (
          (
-            call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof Cfg::ListNode
+            call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
            or
-            call.getParameter(1).asSink().asCfgNode() instanceof Cfg::ListNode
+            call.getParameter(1).asSink().asCfgNode() instanceof ListNode
          ) and
          (
            this = call.getKeywordParameter("inputs").getASubscript().getAValueReachingSink()
@@ -76,8 +75,8 @@ module Gradio {
      exists(GradioInput call |
        this = call.getParameter(0, "fn").getParameter(_).asSource() and
        // exclude lists of parameters given to `inputs`
-        not call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof Cfg::ListNode and
-        not call.getParameter(1).asSink().asCfgNode() instanceof Cfg::ListNode
+        not call.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode and
+        not call.getParameter(1).asSink().asCfgNode() instanceof ListNode
      )
    }

@@ -106,16 +105,16 @@ module Gradio {
        // handle cases where there are multiple arguments passed as a list to `inputs`
        (
          (
-            node.getKeywordParameter("inputs").asSink().asCfgNode() instanceof Cfg::ListNode
+            node.getKeywordParameter("inputs").asSink().asCfgNode() instanceof ListNode
            or
-            node.getParameter(1).asSink().asCfgNode() instanceof Cfg::ListNode
+            node.getParameter(1).asSink().asCfgNode() instanceof ListNode
          ) and
          exists(int i | nodeTo = node.getParameter(0, "fn").getParameter(i).asSource() |
            nodeFrom.asCfgNode() =
-              node.getKeywordParameter("inputs").asSink().asCfgNode().(Cfg::ListNode).getElement(i)
+              node.getKeywordParameter("inputs").asSink().asCfgNode().(ListNode).getElement(i)
            or
            nodeFrom.asCfgNode() =
-              node.getParameter(1).asSink().asCfgNode().(Cfg::ListNode).getElement(i)
+              node.getParameter(1).asSink().asCfgNode().(ListNode).getElement(i)
          )
        )
      )
--- a/python/ql/lib/semmle/python/frameworks/MarkupSafe.qll
+++ b/python/ql/lib/semmle/python/frameworks/MarkupSafe.qll
@@ -4,7 +4,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
@@ -47,7 +46,7 @@ module MarkupSafeModel {

    /** A direct instantiation of `markupsafe.Markup`. */
    private class ClassInstantiation extends InstanceSource, DataFlow::CallCfgNode {
-      override Cfg::CallNode node;
+      override CallNode node;

      ClassInstantiation() { this = classRef().getACall() }
    }
@@ -65,7 +64,7 @@ module MarkupSafeModel {

    /** A string concatenation with a `markupsafe.Markup` involved. */
    class StringConcat extends Markup::InstanceSource, DataFlow::CfgNode {
-      override Cfg::BinaryExprNode node;
+      override BinaryExprNode node;

      StringConcat() {
        node.getOp() instanceof Add and
@@ -80,7 +79,7 @@ module MarkupSafeModel {

    /** A %-style string format with `markupsafe.Markup` as the format string. */
    class PercentStringFormat extends Markup::InstanceSource, DataFlow::CfgNode {
-      override Cfg::BinaryExprNode node;
+      override BinaryExprNode node;

      PercentStringFormat() {
        node.getOp() instanceof Mod and
--- a/python/ql/lib/semmle/python/frameworks/Pycurl.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pycurl.qll
@@ -7,7 +7,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.data.ModelsAsData
@@ -57,7 +56,7 @@ module Pycurl {
    {
      OutgoingRequestCall() {
        this = setopt().getACall() and
-        this.getArg(0).asCfgNode().(Cfg::AttrNode).getName() = "URL"
+        this.getArg(0).asCfgNode().(AttrNode).getName() = "URL"
      }

      override DataFlow::Node getAUrlPart() {
@@ -82,7 +81,7 @@ module Pycurl {
    private class CurlSslCall extends Http::Client::Request::Range instanceof DataFlow::CallCfgNode {
      CurlSslCall() {
        this = setopt().getACall() and
-        this.getArg(0).asCfgNode().(Cfg::AttrNode).getName() = ["SSL_VERIFYPEER", "SSL_VERIFYHOST"]
+        this.getArg(0).asCfgNode().(AttrNode).getName() = ["SSL_VERIFYPEER", "SSL_VERIFYHOST"]
      }

      override DataFlow::Node getAUrlPart() { none() }
--- a/python/ql/lib/semmle/python/frameworks/Pydantic.qll
+++ b/python/ql/lib/semmle/python/frameworks/Pydantic.qll
@@ -7,7 +7,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
@@ -94,7 +93,7 @@ module Pydantic {
      // be a Pydantic model. So `model[0]` will be an overapproximation, but should not
      // really cause problems (since we don't expect real code to contain such accesses)
      nodeFrom = instance() and
-      nodeTo.asCfgNode().(Cfg::SubscriptNode).getObject() = nodeFrom.asCfgNode()
+      nodeTo.asCfgNode().(SubscriptNode).getObject() = nodeFrom.asCfgNode()
    }

    /**
--- a/python/ql/lib/semmle/python/frameworks/Stdlib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -6,7 +6,6 @@ overlay[local?]
 module;

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -1247,7 +1246,7 @@ module StdlibPrivate {
  /** An additional taint step for calls to `os.path.join` */
  private class OsPathJoinCallAdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
    override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-      exists(Cfg::CallNode call |
+      exists(CallNode call |
        nodeTo.asCfgNode() = call and
        call = OS::OsPath::join().getACall().asCfgNode() and
        call.getAnArg() = nodeFrom.asCfgNode()
@@ -1318,13 +1317,13 @@ module StdlibPrivate {
          // run, so if we're able to, we only mark the first element as the command
          // (and not the arguments to the command).
          //
-          result.asCfgNode() = arg_args.asCfgNode().(Cfg::SequenceNode).getElement(0)
+          result.asCfgNode() = arg_args.asCfgNode().(SequenceNode).getElement(0)
          or
          // Either the "args" argument is not a sequence (which is valid) or we where
          // just not able to figure it out. Simply mark the "args" argument as the
          // command.
          //
-          not arg_args.asCfgNode() instanceof Cfg::SequenceNode and
+          not arg_args.asCfgNode() instanceof SequenceNode and
          result = arg_args
        )
      )
@@ -1543,7 +1542,7 @@ module StdlibPrivate {
   * See https://docs.python.org/3/library/functions.html#eval
   */
  private class BuiltinsEvalCall extends CodeExecution::Range, DataFlow::CallCfgNode {
-    override Cfg::CallNode node;
+    override CallNode node;

    BuiltinsEvalCall() { this = API::builtin("eval").getACall() }

@@ -1924,7 +1923,7 @@ module StdlibPrivate {
          nodeFrom = instance().getAValueReachableFromSource() and
          nodeTo = [getvalueRef(), getfirstRef(), getlistRef()].getAValueReachableFromSource()
          or
-          nodeFrom.asCfgNode() = nodeTo.asCfgNode().(Cfg::CallNode).getFunction() and
+          nodeFrom.asCfgNode() = nodeTo.asCfgNode().(CallNode).getFunction() and
          (
            nodeFrom = getvalueRef().getAValueReachableFromSource() and
            nodeTo = getvalueResult().asSource()
@@ -1940,7 +1939,7 @@ module StdlibPrivate {
          nodeFrom in [
              instance().getAValueReachableFromSource(), fieldList().getAValueReachableFromSource()
            ] and
-          nodeTo.asCfgNode().(Cfg::SubscriptNode).getObject() = nodeFrom.asCfgNode()
+          nodeTo.asCfgNode().(SubscriptNode).getObject() = nodeFrom.asCfgNode()
          or
          // Attributes on Field
          nodeFrom = field().getAValueReachableFromSource() and
@@ -2255,8 +2254,8 @@ module StdlibPrivate {
      DataFlow::CfgNode
    {
      WsgirefSimpleServerApplicationReturn() {
-        exists(Return ret |
-          ret.getScope() = any(WsgirefSimpleServerApplication requestHandler) and
+        exists(WsgirefSimpleServerApplication requestHandler, Return ret |
+          ret.getScope() = requestHandler and
          node.getNode() = ret.getValue()
        )
      }
@@ -2339,9 +2338,9 @@ module StdlibPrivate {
        DataFlow::Node value;

        HeaderWriteSubscript() {
-          exists(Cfg::SubscriptNode subscript |
+          exists(SubscriptNode subscript |
            this.asCfgNode() = subscript and
-            value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+            value.asCfgNode() = subscript.(DefinitionNode).getValue() and
            name.asCfgNode() = subscript.getIndex() and
            subscript.getObject() = instance().asCfgNode()
          )
@@ -2683,7 +2682,7 @@ module StdlibPrivate {
    or
    // Data injection
    //   Special handling of the `/` operator
-    exists(Cfg::BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::TypeTracker t2 |
+    exists(BinaryExprNode slash, DataFlow::Node pathOperand, DataFlow::TypeTracker t2 |
      slash.getOp() instanceof Div and
      pathOperand.asCfgNode() = slash.getAnOperand() and
      pathlibPath(t2).flowsTo(pathOperand) and
@@ -2808,7 +2807,7 @@ module StdlibPrivate {
      pathlibPath().flowsTo(nodeTo) and
      (
        // Special handling of the `/` operator
-        exists(Cfg::BinaryExprNode slash, DataFlow::Node pathOperand |
+        exists(BinaryExprNode slash, DataFlow::Node pathOperand |
          slash.getOp() instanceof Div and
          pathOperand.asCfgNode() = slash.getAnOperand() and
          pathlibPath().flowsTo(pathOperand)
@@ -4606,9 +4605,9 @@ module StdlibPrivate {
    }

    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-      exists(Cfg::CallNode c, string name, Cfg::ControlFlowNode n, DataFlow::AttributeContent ac |
-        c.getFunction().(Cfg::NameNode).getId() = "replace" or
-        c.getFunction().(Cfg::AttrNode).getName() = "replace"
+      exists(CallNode c, string name, ControlFlowNode n, DataFlow::AttributeContent ac |
+        c.getFunction().(NameNode).getId() = "replace" or
+        c.getFunction().(AttrNode).getName() = "replace"
      |
        n = c.getArgByName(name) and
        ac.getAttribute() = name and
@@ -5172,10 +5171,10 @@ module StdlibPrivate {
 * See https://docs.python.org/3.9/library/stdtypes.html#str.startswith
 */
 private class StartswithCall extends Path::SafeAccessCheck::Range {
-  StartswithCall() { this.(Cfg::CallNode).getFunction().(Cfg::AttrNode).getName() = "startswith" }
+  StartswithCall() { this.(CallNode).getFunction().(AttrNode).getName() = "startswith" }

-  override predicate checks(Cfg::ControlFlowNode node, boolean branch) {
-    node = this.(Cfg::CallNode).getFunction().(Cfg::AttrNode).getObject() and
+  override predicate checks(ControlFlowNode node, boolean branch) {
+    node = this.(CallNode).getFunction().(AttrNode).getObject() and
    branch = true
  }
 }
--- a/python/ql/lib/semmle/python/frameworks/Stdlib/Urllib.qll
+++ b/python/ql/lib/semmle/python/frameworks/Stdlib/Urllib.qll
@@ -8,7 +8,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.security.dataflow.UrlRedirectCustomizations
@@ -92,7 +91,7 @@ private module Urllib {
     * A read of the `netloc` attribute of a parsed URL as returned by `urllib.parse.urlparse`,
     * which is being checked in a way that is relevant for URL redirection vulnerabilities.
     */
-    private predicate netlocCheck(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
+    private predicate netlocCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
      exists(DataFlow::CallCfgNode urlParseCall, DataFlow::AttrRead netlocRead |
        urlParseCall = getUrlParseCall() and
        netlocRead = urlParseCall.getAnAttributeRead("netloc") and
--- a/python/ql/lib/semmle/python/frameworks/Tornado.qll
+++ b/python/ql/lib/semmle/python/frameworks/Tornado.qll
@@ -4,7 +4,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
@@ -73,9 +72,9 @@ module Tornado {
      DataFlow::Node value;

      TornadoHeaderSubscriptWrite() {
-        exists(Cfg::SubscriptNode subscript |
+        exists(SubscriptNode subscript |
          subscript.getObject() = instance().asCfgNode() and
-          value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+          value.asCfgNode() = subscript.(DefinitionNode).getValue() and
          index.asCfgNode() = subscript.getIndex() and
          this.asCfgNode() = subscript
        )
@@ -423,7 +422,7 @@ module Tornado {
            // be able to do something more structured for providing modeling of the members
            // of a container-object.
            exists(DataFlow::AttrRead files | files.accesses(instance(), "cookies") |
-              this.asCfgNode().(Cfg::SubscriptNode).getObject() = files.asCfgNode()
+              this.asCfgNode().(SubscriptNode).getObject() = files.asCfgNode()
              or
              this.(DataFlow::MethodCallNode).calls(files, "get")
            )
@@ -480,20 +479,20 @@ module Tornado {
  // routing
  // ---------------------------------------------------------------------------
  /** Gets a sequence that defines a number of route rules */
-  Cfg::SequenceNode routeSetupRuleList() {
-    exists(Cfg::CallNode call |
+  SequenceNode routeSetupRuleList() {
+    exists(CallNode call |
      call = any(TornadoModule::Web::Application::ClassInstantiation c).asCfgNode()
    |
      result in [call.getArg(0), call.getArgByName("handlers")]
    )
    or
-    exists(Cfg::CallNode call |
+    exists(CallNode call |
      call.getFunction() = TornadoModule::Web::Application::add_handlers().asCfgNode()
    |
      result in [call.getArg(1), call.getArgByName("host_handlers")]
    )
    or
-    result = routeSetupRuleList().getElement(_).(Cfg::TupleNode).getElement(1)
+    result = routeSetupRuleList().getElement(_).(TupleNode).getElement(1)
  }

  /** A tornado route setup. */
@@ -516,12 +515,12 @@ module Tornado {

  /** A route setup using a tuple. */
  private class TornadoTupleRouteSetup extends TornadoRouteSetup, DataFlow::CfgNode {
-    override Cfg::TupleNode node;
+    override TupleNode node;

    TornadoTupleRouteSetup() {
      node = routeSetupRuleList().getElement(_) and
      count(node.getElement(_)) = 2 and
-      not node.getElement(1) instanceof Cfg::SequenceNode
+      not node.getElement(1) instanceof SequenceNode
    }

    override DataFlow::Node getUrlPatternArg() { result.asCfgNode() = node.getElement(0) }
--- a/python/ql/lib/semmle/python/frameworks/Werkzeug.qll
+++ b/python/ql/lib/semmle/python/frameworks/Werkzeug.qll
@@ -6,7 +6,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.ApiGraphs
@@ -222,9 +221,9 @@ module Werkzeug {
      DataFlow::Node value;

      HeaderWriteSubscript() {
-        exists(Cfg::SubscriptNode subscript |
+        exists(SubscriptNode subscript |
          this.asCfgNode() = subscript and
-          value.asCfgNode() = subscript.(Cfg::DefinitionNode).getValue() and
+          value.asCfgNode() = subscript.(DefinitionNode).getValue() and
          name.asCfgNode() = subscript.getIndex() and
          subscript.getObject() = instance().asCfgNode()
        )
--- a/python/ql/lib/semmle/python/frameworks/Yaml.qll
+++ b/python/ql/lib/semmle/python/frameworks/Yaml.qll
@@ -8,7 +8,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
@@ -29,7 +28,7 @@ private module Yaml {
   * See https://pyyaml.org/wiki/PyYAMLDocumentation (you will have to scroll down).
   */
  private class YamlLoadCall extends Decoding::Range, DataFlow::CallCfgNode {
-    override Cfg::CallNode node;
+    override CallNode node;
    string func_name;

    YamlLoadCall() {
--- a/python/ql/lib/semmle/python/frameworks/Yarl.qll
+++ b/python/ql/lib/semmle/python/frameworks/Yarl.qll
@@ -4,7 +4,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Concepts
@@ -112,7 +111,7 @@ module Yarl {
    }

    private predicate yarlUrlIsAbsoluteCall(
-      DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch
+      DataFlow::GuardNode g, ControlFlowNode node, boolean branch
    ) {
      exists(ClassInstantiation instance, DataFlow::MethodCallNode call |
        call.calls(instance, "is_absolute") and
--- a/python/ql/lib/semmle/python/frameworks/internal/SubclassFinder.qll
+++ b/python/ql/lib/semmle/python/frameworks/internal/SubclassFinder.qll
@@ -11,7 +11,6 @@ private import semmle.python.dataflow.new.internal.ImportResolution
 private import semmle.python.ApiGraphs
 private import semmle.python.filters.Tests
 private import semmle.python.Module
-private import semmle.python.controlflow.internal.Cfg as Cfg

 // very much inspired by the draft at https://github.com/github/codeql/pull/5632
 module NotExposed {
@@ -207,7 +206,7 @@ module NotExposed {
    string relevantName, Location loc
  ) {
    loc = mod.getLocation() and
-    exists(API::Node relevantClass, Cfg::ControlFlowNode value |
+    exists(API::Node relevantClass, ControlFlowNode value |
      relevantClass = newOrExistingModeling(spec).getASubclass*() and
      ImportResolution::module_export(mod, relevantName, def) and
      value = relevantClass.getAValueReachableFromSource().asCfgNode() and
--- a/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
+++ b/python/ql/lib/semmle/python/regexp/internal/ParseRegExp.qll
@@ -3,7 +3,6 @@
 */

 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts as Concepts
 private import semmle.python.regex
@@ -79,7 +78,7 @@ private module FindRegexMode {
    t.start() and
    exists(API::Node flag | flag_name = canonical_name(flag) and result = flag.asSource())
    or
-    exists(Cfg::BinaryExprNode binop, DataFlow::Node operand |
+    exists(BinaryExprNode binop, DataFlow::Node operand |
      operand.getALocalSource() = re_flag_tracker(flag_name, t.continue()) and
      operand.asCfgNode() = binop.getAnOperand() and
      (binop.getOp() instanceof BitOr or binop.getOp() instanceof Add) and
--- a/python/ql/lib/semmle/python/security/dataflow/ExceptionInfo.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ExceptionInfo.qll
@@ -3,7 +3,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * INTERNAL: Do not use.
@@ -30,7 +29,7 @@ private class TracebackFunctionCall extends ExceptionInfo, DataFlow::CallCfgNode
 private class CaughtException extends ExceptionInfo {
  CaughtException() {
    this.asExpr() = any(ExceptStmt s).getName() and
-    this.asCfgNode().(Cfg::NameNode).defines(_)
+    this.asCfgNode() = any(EssaNodeDefinition def).getDefiningNode()
  }
 }

--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll
@@ -11,7 +11,6 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.ApiGraphs
 private import semmle.python.frameworks.data.internal.ApiGraphModels
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * Provides default sources, sinks and sanitizers for detecting
@@ -96,7 +95,7 @@ module ServerSideRequestForgery {
  class StringConstructionAsFullUrlControlSanitizer extends FullUrlControlSanitizer {
    StringConstructionAsFullUrlControlSanitizer() {
      // string concat
-      exists(Cfg::BinaryExprNode add |
+      exists(BinaryExprNode add |
        add.getOp() instanceof Add and
        add.getRight() = this.asCfgNode() and
        not add.getLeft().getNode().(StringLiteral).getText().toLowerCase() in [
@@ -105,7 +104,7 @@ module ServerSideRequestForgery {
      )
      or
      // % formatting
-      exists(Cfg::BinaryExprNode fmt |
+      exists(BinaryExprNode fmt |
        fmt.getOp() instanceof Mod and
        fmt.getRight() = this.asCfgNode() and
        // detecting %-formatting is not super easy, so we simplify it to only handle
@@ -156,9 +155,7 @@ module ServerSideRequestForgery {
    }
  }

-  private predicate stringRestriction(
-    DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch
-  ) {
+  private predicate stringRestriction(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
    exists(DataFlow::MethodCallNode call, DataFlow::Node strNode |
      call.asCfgNode() = g and strNode.asCfgNode() = node
    |
--- a/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/TarSlipCustomizations.qll
@@ -9,7 +9,6 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * Provides default sources, sinks and sanitizers for detecting
@@ -140,8 +139,8 @@ module TarSlip {
   * where `<check_path>` is any function matching `"%path"`.
   * `info` is assumed to be a `TarInfo` instance.
   */
-  predicate tarFileInfoSanitizer(DataFlow::GuardNode g, Cfg::ControlFlowNode tarInfo, boolean branch) {
-    exists(Cfg::CallNode call, Cfg::AttrNode attr |
+  predicate tarFileInfoSanitizer(DataFlow::GuardNode g, ControlFlowNode tarInfo, boolean branch) {
+    exists(CallNode call, AttrNode attr |
      g = call and
      // We must test the name of the tar info object.
      attr = call.getAnArg() and
@@ -149,9 +148,9 @@ module TarSlip {
      attr.getObject() = tarInfo
    |
      // The assumption that any test that matches %path is a sanitizer might be too broad.
-      call.getAChild*().(Cfg::AttrNode).getName().matches("%path")
+      call.getAChild*().(AttrNode).getName().matches("%path")
      or
-      call.getAChild*().(Cfg::NameNode).getId().matches("%path")
+      call.getAChild*().(NameNode).getId().matches("%path")
    ) and
    branch = false
  }
--- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectCustomizations.qll
@@ -5,7 +5,6 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
 private import semmle.python.ApiGraphs
@@ -112,7 +111,7 @@ module UrlRedirect {
      // Url redirection is a problem only if the user controls the prefix of the URL.
      // TODO: This is a copy of the taint-sanitizer from the old points-to query, which doesn't
      // cover formatting.
-      exists(Cfg::BinaryExprNode string_concat | string_concat.getOp() instanceof Add |
+      exists(BinaryExprNode string_concat | string_concat.getOp() instanceof Add |
        string_concat.getRight() = this.asCfgNode()
      )
    }
--- a/python/ql/lib/utils/test/dataflow/MaximalFlowTest.qll
+++ b/python/ql/lib/utils/test/dataflow/MaximalFlowTest.qll
@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
 import FlowTest
@@ -24,7 +23,7 @@ import MakeTest<MakeTestSig<MaximalFlowTest>>
 module MaximalFlowsConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
    exists(node.getLocation().getFile().getRelativePath()) and
-    not node.asCfgNode() instanceof Cfg::CallNode and
+    not node.asCfgNode() instanceof CallNode and
    not node.asCfgNode().getNode() instanceof Return and
    not node instanceof DataFlow::ParameterNode and
    not node instanceof DataFlow::PostUpdateNode and
@@ -35,9 +34,9 @@ module MaximalFlowsConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node node) {
    exists(node.getLocation().getFile().getRelativePath()) and
-    not any(Cfg::CallNode c).getArg(_) = node.asCfgNode() and
+    not any(CallNode c).getArg(_) = node.asCfgNode() and
    not isArgumentNode(node, _, _) and
-    not node.asCfgNode().(Cfg::NameNode).getId().matches("SINK%") and
+    not node.asCfgNode().(NameNode).getId().matches("SINK%") and
    not DataFlow::localFlowStep(node, _)
  }
 }
--- a/python/ql/lib/utils/test/dataflow/NormalDataflowTest.qll
+++ b/python/ql/lib/utils/test/dataflow/NormalDataflowTest.qll
@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import utils.test.dataflow.FlowTest
 import utils.test.dataflow.testConfig
 private import semmle.python.dataflow.new.internal.PrintNode
@@ -20,7 +19,7 @@ query predicate missingAnnotationOnSink(Location location, string error, string
    TestConfig::isSink(sink) and
    // note: we only care about `SINK` and not `SINK_F`, so we have to reconstruct manually.
    exists(DataFlow::CallCfgNode call |
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() = "SINK" and
+      call.getFunction().asCfgNode().(NameNode).getId() = "SINK" and
      (sink = call.getArg(_) or sink = call.getArgByName(_))
    ) and
    location = sink.getLocation() and
--- a/python/ql/lib/utils/test/dataflow/NormalTaintTrackingTest.qll
+++ b/python/ql/lib/utils/test/dataflow/NormalTaintTrackingTest.qll
@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import utils.test.dataflow.FlowTest
 import utils.test.dataflow.testTaintConfig
 private import semmle.python.dataflow.new.internal.PrintNode
@@ -19,7 +18,7 @@ query predicate missingAnnotationOnSink(Location location, string error, string
  exists(DataFlow::Node sink |
    exists(DataFlow::CallCfgNode call |
      // note: we only care about `SINK` and not `SINK_F`, so we have to reconstruct manually.
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() = "SINK" and
+      call.getFunction().asCfgNode().(NameNode).getId() = "SINK" and
      (sink = call.getArg(_) or sink = call.getArgByName(_))
    ) and
    location = sink.getLocation() and
--- a/python/ql/lib/utils/test/dataflow/RoutingTest.qll
+++ b/python/ql/lib/utils/test/dataflow/RoutingTest.qll
@@ -1,5 +1,4 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 import utils.test.InlineExpectationsTest
 private import semmle.python.dataflow.new.internal.PrintNode
@@ -50,7 +49,7 @@ private string fromValue(DataFlow::Node fromNode) {

 pragma[inline]
 private string fromFunc(DataFlow::ArgumentNode fromNode) {
-  result = fromNode.getCall().getNode().(Cfg::CallNode).getFunction().getNode().(Name).getId()
+  result = fromNode.getCall().getNode().(CallNode).getFunction().getNode().(Name).getId()
 }

 pragma[inline]
--- a/python/ql/lib/utils/test/dataflow/UnresolvedCalls.qll
+++ b/python/ql/lib/utils/test/dataflow/UnresolvedCalls.qll
@@ -1,16 +1,15 @@
 import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.internal.PrintNode
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
 private import semmle.python.ApiGraphs
 import utils.test.InlineExpectationsTest

 signature module UnresolvedCallExpectationsSig {
-  predicate unresolvedCall(Cfg::CallNode call);
+  predicate unresolvedCall(CallNode call);
 }

 module DefaultUnresolvedCallExpectations implements UnresolvedCallExpectationsSig {
-  predicate unresolvedCall(Cfg::CallNode call) {
+  predicate unresolvedCall(CallNode call) {
    not exists(DataFlowPrivate::DataFlowCall dfc |
      exists(dfc.getCallable()) and dfc.getNode() = call
    ) and
@@ -25,7 +24,7 @@ module MakeUnresolvedCallExpectations<UnresolvedCallExpectationsSig Impl> {

    predicate hasActualResult(Location location, string element, string tag, string value) {
      exists(location.getFile().getRelativePath()) and
-      exists(Cfg::CallNode call | Impl::unresolvedCall(call) and call.injects(_) |
+      exists(CallNode call | Impl::unresolvedCall(call) |
        location = call.getLocation() and
        tag = "unresolved_call" and
        value = prettyExpr(call.getNode()) and
--- a/python/ql/lib/utils/test/dataflow/testConfig.qll
+++ b/python/ql/lib/utils/test/dataflow/testConfig.qll
@@ -21,12 +21,11 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow

 module TestConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
-    node.(DataFlow::CfgNode).getNode().(Cfg::NameNode).getId() = "SOURCE"
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
    or
    node.(DataFlow::CfgNode).getNode().getNode().(StringLiteral).getS() = "source"
    or
@@ -38,7 +37,7 @@ module TestConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node node) {
    exists(DataFlow::CallCfgNode call |
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() in ["SINK", "SINK_F"] and
+      call.getFunction().asCfgNode().(NameNode).getId() in ["SINK", "SINK_F"] and
      (node = call.getArg(_) or node = call.getArgByName(_)) and
      not node = call.getArgByName("not_present_at_runtime")
    )
--- a/python/ql/lib/utils/test/dataflow/testTaintConfig.qll
+++ b/python/ql/lib/utils/test/dataflow/testTaintConfig.qll
@@ -21,13 +21,12 @@
 */

 private import python
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking

 module TestConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
-    node.(DataFlow::CfgNode).getNode().(Cfg::NameNode).getId() = "SOURCE"
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "SOURCE"
    or
    node.(DataFlow::CfgNode).getNode().getNode().(StringLiteral).getS() = "source"
    or
@@ -38,8 +37,8 @@ module TestConfig implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node node) {
-    exists(Cfg::CallNode call |
-      call.getFunction().(Cfg::NameNode).getId() in ["SINK", "SINK_F"] and
+    exists(CallNode call |
+      call.getFunction().(NameNode).getId() in ["SINK", "SINK_F"] and
      node.(DataFlow::CfgNode).getNode() = call.getAnArg()
    )
  }
--- a/python/ql/src/Exceptions/UnguardedNextInGenerator.ql
+++ b/python/ql/src/Exceptions/UnguardedNextInGenerator.ql
@@ -12,8 +12,6 @@

 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
-private import semmle.python.Flow as Flow

 API::Node iter() { result = API::builtin("iter") }

@@ -21,17 +19,17 @@ API::Node next() { result = API::builtin("next") }

 API::Node stopIteration() { result = API::builtin("StopIteration") }

-predicate call_to_iter(Flow::CallNode call, EssaVariable sequence) {
-  call.getNode() = iter().getACall().asCfgNode().(Cfg::CallNode).getNode() and
+predicate call_to_iter(CallNode call, EssaVariable sequence) {
+  call = iter().getACall().asCfgNode() and
  call.getArg(0) = sequence.getAUse()
 }

-predicate call_to_next(Flow::CallNode call, Flow::ControlFlowNode iter) {
-  call.getNode() = next().getACall().asCfgNode().(Cfg::CallNode).getNode() and
+predicate call_to_next(CallNode call, ControlFlowNode iter) {
+  call = next().getACall().asCfgNode() and
  call.getArg(0) = iter
 }

-predicate call_to_next_has_default(Flow::CallNode call) {
+predicate call_to_next_has_default(CallNode call) {
  exists(call.getArg(1)) or exists(call.getArgByName("default"))
 }

@@ -51,14 +49,14 @@ predicate iter_not_exhausted(EssaVariable iterator) {
  )
 }

-predicate stop_iteration_handled(Flow::CallNode call) {
+predicate stop_iteration_handled(CallNode call) {
  exists(Try t |
    t.containsInScope(call.getNode()) and
    t.getAHandler().getType() = stopIteration().getAValueReachableFromSource().asExpr()
  )
 }

-from Flow::CallNode call
+from CallNode call
 where
  call_to_next(call, _) and
  not call_to_next_has_default(call) and
--- a/python/ql/src/Expressions/UseofApply.ql
+++ b/python/ql/src/Expressions/UseofApply.ql
@@ -11,9 +11,8 @@

 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg

-from Cfg::CallNode call
+from CallNode call
 where
  major_version() = 2 and
  call = API::builtin("apply").getACall().asCfgNode()
--- a/python/ql/src/Functions/SignatureOverriddenMethod.ql
+++ b/python/ql/src/Functions/SignatureOverriddenMethod.ql
@@ -15,7 +15,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.internal.DataFlowDispatch
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import codeql.util.Option

 /** Holds if `base` is overridden by `sub` */
@@ -144,7 +143,7 @@ predicate ignore(Function f) {

 /** Gets a function that `call` may resolve to. */
 Function resolveCall(Call call) {
-  exists(DataFlowCall dfc | call = dfc.getNode().(Cfg::CallNode).getNode() |
+  exists(DataFlowCall dfc | call = dfc.getNode().(CallNode).getNode() |
    result = viableCallable(dfc).(DataFlowFunction).getScope()
  )
 }
--- a/python/ql/src/Resources/FileNotAlwaysClosedQuery.qll
+++ b/python/ql/src/Resources/FileNotAlwaysClosedQuery.qll
@@ -4,7 +4,6 @@ import python
 import semmle.python.dataflow.new.internal.DataFlowDispatch
 import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.internal.ReExposedInstance
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /** A CFG node where a file is opened. */
 abstract class FileOpenSource extends DataFlow::CfgNode { }
@@ -82,14 +81,12 @@ abstract class FileClose extends DataFlow::CfgNode {
  }
 }

-private predicate bbSuccessor(Cfg::BasicBlock src, Cfg::BasicBlock sink) {
-  sink = src.getASuccessor()
-}
+private predicate bbSuccessor(BasicBlock src, BasicBlock sink) { sink = src.getASuccessor() }

-private predicate bbReachableStrict(Cfg::BasicBlock src, Cfg::BasicBlock sink) =
+private predicate bbReachableStrict(BasicBlock src, BasicBlock sink) =
  fastTC(bbSuccessor/2)(src, sink)

-private predicate bbReachableRefl(Cfg::BasicBlock src, Cfg::BasicBlock sink) {
+private predicate bbReachableRefl(BasicBlock src, BasicBlock sink) {
  bbReachableStrict(src, sink) or src = sink
 }

--- a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -10,7 +10,6 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
 private import semmle.python.dataflow.new.internal.TaintTrackingPrivate as TaintTrackingPrivate
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * An external API that is considered "safe" from a security perspective.
@@ -72,7 +71,7 @@ string apiNodeToStringRepr(API::Node node) {
  )
 }

-predicate resolvedCall(Cfg::CallNode call) {
+predicate resolvedCall(CallNode call) {
  DataFlowPrivate::resolveCall(call, _, _) or
  DataFlowPrivate::resolveClassCall(call, _)
 }
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -14,7 +14,6 @@
 import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /*
 * Jinja 2 Docs:
@@ -37,8 +36,8 @@ private API::Node jinja2EnvironmentOrTemplate() {
 from API::CallNode call
 where
  call = jinja2EnvironmentOrTemplate().getACall() and
-  not exists(call.asCfgNode().(Cfg::CallNode).getNode().getStarargs()) and
-  not exists(call.asCfgNode().(Cfg::CallNode).getNode().getKwargs()) and
+  not exists(call.asCfgNode().(CallNode).getNode().getStarargs()) and
+  not exists(call.asCfgNode().(CallNode).getNode().getKwargs()) and
  (
    not exists(call.getArgByName("autoescape"))
    or
--- a/python/ql/src/Security/CWE-327/PyOpenSSL.qll
+++ b/python/ql/src/Security/CWE-327/PyOpenSSL.qll
@@ -5,7 +5,6 @@

 private import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import TlsLibraryModel

 class PyOpenSslContextCreation extends ContextCreation, DataFlow::CallCfgNode {
@@ -38,10 +37,10 @@ class ConnectionCall extends ConnectionCreation, DataFlow::CallCfgNode {
 // This cannot be used to unrestrict,
 // see https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_options
 class SetOptionsCall extends ProtocolRestriction, DataFlow::CallCfgNode {
-  SetOptionsCall() { node.getFunction().(Cfg::AttrNode).getName() = "set_options" }
+  SetOptionsCall() { node.getFunction().(AttrNode).getName() = "set_options" }

  override DataFlow::CfgNode getContext() {
-    result.getNode() = node.getFunction().(Cfg::AttrNode).getObject()
+    result.getNode() = node.getFunction().(AttrNode).getObject()
  }

  override ProtocolVersion getRestriction() {
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -5,7 +5,6 @@

 private import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg
 import TlsLibraryModel

 class SslContextCreation extends ContextCreation, DataFlow::CallCfgNode {
@@ -54,7 +53,7 @@ class OptionsAugOr extends ProtocolRestriction, DataFlow::CfgNode {
  ProtocolVersion restriction;

  OptionsAugOr() {
-    exists(AugAssign aa, Cfg::AttrNode attr, Expr flag |
+    exists(AugAssign aa, AttrNode attr, Expr flag |
      aa.getOperation().getOp() instanceof BitOr and
      aa.getTarget() = attr.getNode() and
      attr.getName() = "options" and
@@ -81,7 +80,7 @@ class OptionsAugAndNot extends ProtocolUnrestriction, DataFlow::CfgNode {
  ProtocolVersion restriction;

  OptionsAugAndNot() {
-    exists(AugAssign aa, Cfg::AttrNode attr, Expr flag, UnaryExpr notFlag |
+    exists(AugAssign aa, AttrNode attr, Expr flag, UnaryExpr notFlag |
      aa.getOperation().getOp() instanceof BitAnd and
      aa.getTarget() = attr.getNode() and
      attr.getName() = "options" and
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -19,7 +19,6 @@ import semmle.python.filters.Tests
 private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowDispatch
 private import semmle.python.dataflow.new.internal.Builtins::Builtins as Builtins
 private import semmle.python.frameworks.data.ModelsAsData
-private import semmle.python.controlflow.internal.Cfg as Cfg

 bindingset[char, fraction]
 predicate fewer_characters_than(StringLiteral str, string char, float fraction) {
@@ -49,7 +48,7 @@ predicate capitalized_word(StringLiteral str) { str.getText().regexpMatch("[A-Z]

 predicate format_string(StringLiteral str) { str.getText().matches("%{%}%") }

-predicate maybeCredential(Cfg::ControlFlowNode f) {
+predicate maybeCredential(ControlFlowNode f) {
  /* A string that is not too short and unlikely to be text or an identifier. */
  exists(StringLiteral str | str = f.getNode() |
    /* At least 10 characters */
@@ -97,7 +96,7 @@ class CredentialSink extends DataFlow::Node {
      or
      exists(Keyword k | k.getArg() = name and this.asCfgNode().getNode() = k.getValue())
      or
-      exists(Cfg::CompareNode cmp, Cfg::NameNode n | n.getId() = name |
+      exists(CompareNode cmp, NameNode n | n.getId() = name |
        cmp.operands(this.asCfgNode(), any(Eq eq), n)
        or
        cmp.operands(n, any(Eq eq), this.asCfgNode())
--- a/python/ql/src/Statements/ModificationOfLocals.ql
+++ b/python/ql/src/Statements/ModificationOfLocals.ql
@@ -14,9 +14,8 @@
 import python
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.DataFlow
-private import semmle.python.controlflow.internal.Cfg as Cfg

-predicate originIsLocals(Cfg::ControlFlowNode n) {
+predicate originIsLocals(ControlFlowNode n) {
  // Only consider the `locals()` dictionary within the scope that called `locals()`.
  // Once the dictionary is passed to another scope (e.g. as an argument or via an
  // instance attribute) it is just an ordinary mapping, and modifying it is both
@@ -29,19 +28,19 @@ predicate originIsLocals(Cfg::ControlFlowNode n) {
  )
 }

-predicate modification_of_locals(Cfg::ControlFlowNode f) {
-  originIsLocals(f.(Cfg::SubscriptNode).getObject()) and
+predicate modification_of_locals(ControlFlowNode f) {
+  originIsLocals(f.(SubscriptNode).getObject()) and
  (f.isStore() or f.isDelete())
  or
-  exists(string mname, Cfg::AttrNode attr |
-    attr = f.(Cfg::CallNode).getFunction() and
+  exists(string mname, AttrNode attr |
+    attr = f.(CallNode).getFunction() and
    originIsLocals(attr.getObject(mname))
  |
    mname in ["pop", "popitem", "update", "clear"]
  )
 }

-from AstNode a, Cfg::ControlFlowNode f
+from AstNode a, ControlFlowNode f
 where
  modification_of_locals(f) and
  a = f.getNode() and
--- a/python/ql/src/Statements/SideEffectInAssert.ql
+++ b/python/ql/src/Statements/SideEffectInAssert.ql
@@ -14,7 +14,6 @@

 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg

 predicate func_with_side_effects(Expr e) {
  exists(string name | name = e.(Attribute).getName() or name = e.(Name).getId() |
@@ -25,7 +24,7 @@ predicate func_with_side_effects(Expr e) {
 }

 predicate call_with_side_effect(Call e) {
-  exists(Cfg::ControlFlowNode eCfg | eCfg.getNode() = e |
+  exists(ControlFlowNode eCfg | eCfg.getNode() = e |
    eCfg =
      API::moduleImport("subprocess")
          .getMember(["call", "check_call", "check_output"])
--- a/python/ql/src/Statements/UseOfExit.ql
+++ b/python/ql/src/Statements/UseOfExit.ql
@@ -13,9 +13,8 @@

 import python
 private import semmle.python.ApiGraphs
-private import semmle.python.controlflow.internal.Cfg as Cfg

-from Cfg::CallNode call, string name
+from CallNode call, string name
 where
  name = ["exit", "quit"] and
  call = API::builtin(name).getACall().asCfgNode()
--- a/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql
+++ b/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql
@@ -21,7 +21,6 @@ import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.internal.Attributes
 import semmle.python.dataflow.new.BarrierGuards
 import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * Handle those three cases of Tarfile opens:
@@ -76,8 +75,8 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
        call = atfo.getReturn().getMember("extractall").getACall() and
        arg = call.getArgByName("members") and
        if
-          arg.asCfgNode() instanceof Cfg::NameConstantNode or
-          arg.asCfgNode() instanceof Cfg::ListNode
+          arg.asCfgNode() instanceof NameConstantNode or
+          arg.asCfgNode() instanceof ListNode
        then sink = call.getObject()
        else
          if arg.(MethodCallNode).getMethodName() = "getmembers"
--- a/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
+++ b/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -16,7 +16,6 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.controlflow.internal.Cfg as Cfg

 class PredictableResultSource extends DataFlow::Node {
  PredictableResultSource() {
@@ -33,9 +32,7 @@ class PredictableResultSource extends DataFlow::Node {
 class TokenAssignmentValueSink extends DataFlow::Node {
  TokenAssignmentValueSink() {
    exists(string name | name.toLowerCase().matches(["%token", "%code"]) |
-      exists(Cfg::DefinitionNode n | n.getValue() = this.asCfgNode() |
-        name = n.(Cfg::NameNode).getId()
-      )
+      exists(DefinitionNode n | n.getValue() = this.asCfgNode() | name = n.(NameNode).getId())
      or
      exists(DataFlow::AttrWrite aw | aw.getValue() = this | name = aw.getAttributeName())
    )
--- a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
+++ b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
@@ -11,25 +11,25 @@
 import python
 import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
+import semmle.python.Flow
 import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * Returns true if the control flow node may be useful in the current context.
 *
 * Ideally for more completeness, we should alert on every `startswith` call and every remote flow source which gets partailly checked. But, as this can lead to lots of FPs, we apply heuristics to filter some calls. This predicate provides logic for this filteration.
 */
-private predicate maybeInteresting(Cfg::ControlFlowNode c) {
+private predicate maybeInteresting(ControlFlowNode c) {
  // Check if the name of the variable which calls the function matches the heuristic.
  // This would typically occur at the sink.
  // This should deal with cases like
  // `origin.startswith("bla")`
-  heuristics(c.(Cfg::CallNode).getFunction().(Cfg::AttrNode).getObject().(Cfg::NameNode).getId())
+  heuristics(c.(CallNode).getFunction().(AttrNode).getObject().(NameNode).getId())
  or
  // Check if the name of the variable passed as an argument to the functions matches the heuristic. This would typically occur at the sink.
  // This should deal with cases like
  // `bla.startswith(origin)`
-  heuristics(c.(Cfg::CallNode).getArg(0).(Cfg::NameNode).getId())
+  heuristics(c.(CallNode).getArg(0).(NameNode).getId())
  or
  // Check if the value gets written to any interesting variable. This would typically occur at the source.
  // This should deal with cases like
@@ -37,10 +37,8 @@ private predicate maybeInteresting(Cfg::ControlFlowNode c) {
  exists(Variable v | heuristics(v.getId()) | c.getASuccessor*().getNode() = v.getAStore())
 }

-private class StringStartswithCall extends Cfg::ControlFlowNode {
-  StringStartswithCall() {
-    this.(Cfg::CallNode).getFunction().(Cfg::AttrNode).getName() = "startswith"
-  }
+private class StringStartswithCall extends ControlFlowNode {
+  StringStartswithCall() { this.(CallNode).getFunction().(AttrNode).getName() = "startswith" }
 }

 bindingset[s]
@@ -68,8 +66,8 @@ module CorsBypassConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node node) {
    exists(StringStartswithCall s |
-      node.asCfgNode() = s.(Cfg::CallNode).getArg(0) or
-      node.asCfgNode() = s.(Cfg::CallNode).getFunction().(Cfg::AttrNode).getObject()
+      node.asCfgNode() = s.(CallNode).getArg(0) or
+      node.asCfgNode() = s.(CallNode).getFunction().(AttrNode).getObject()
    )
  }

--- a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
+++ b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
@@ -16,7 +16,6 @@ import semmle.python.Concepts
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.internal.DataFlowPublic
 import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.controlflow.internal.Cfg as Cfg

 // The Unicode compatibility normalization calls from unicodedata, unidecode, pyunormalize
 // and textnorm modules. The use of argIdx is to constraint the argument being normalized.
@@ -53,8 +52,8 @@ class UnicodeCompatibilityNormalize extends API::CallNode {
  DataFlow::Node getPathArg() { result = this.getArg(argIdx) }
 }

-predicate underAValue(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
-  exists(Cfg::CompareNode cn | cn = g |
+predicate underAValue(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  exists(CompareNode cn | cn = g |
    exists(API::CallNode lenCall, Cmpop op, Node n |
      lenCall = n.getALocalSource() and
      (
--- a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
+++ b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -9,7 +9,6 @@ import semmle.python.ApiGraphs
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.frameworks.Stdlib
 import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * Handle those three cases of Tarfile opens:
@@ -112,8 +111,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
        call = atfo.getReturn().getMember("extractall").getACall() and
        arg = call.getArgByName("members") and
        if
-          arg.asCfgNode() instanceof Cfg::NameConstantNode or
-          arg.asCfgNode() instanceof Cfg::ListNode
+          arg.asCfgNode() instanceof NameConstantNode or
+          arg.asCfgNode() instanceof ListNode
        then sink = call.getObject()
        else
          if arg.(MethodCallNode).getMethodName() = "getmembers"
--- a/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
@@ -4,7 +4,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.BarrierGuards
 import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * A taint-tracking configuration for tracking untrusted user input used in file read.
@@ -22,7 +21,7 @@ private module CsvInjectionConfig implements DataFlow::ConfigSig {
  predicate observeDiffInformedIncrementalMode() { any() }
 }

-private predicate startsWithCheck(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
+private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
  exists(DataFlow::MethodCallNode mc |
    g = mc.asCfgNode() and
    mc.calls(_, "startswith") and
--- a/python/ql/src/meta/analysis-quality/CallGraphQuality.qll
+++ b/python/ql/src/meta/analysis-quality/CallGraphQuality.qll
@@ -6,7 +6,6 @@
 import python
 import meta.MetaMetrics
 private import LegacyPointsTo
-private import semmle.python.controlflow.internal.Cfg as Cfg

 newtype TTarget =
  TFunction(Function func) or
@@ -51,7 +50,7 @@ class TargetClass extends Target, TClass {
 * A call that is (possibly) relevant for analysis quality.
 * See `IgnoredFile` for details on what is excluded.
 */
-class RelevantCall extends Cfg::CallNode {
+class RelevantCall extends CallNode {
  RelevantCall() { not this.getLocation().getFile() instanceof IgnoredFile }
 }

@@ -61,7 +60,7 @@ module PointsToBasedCallGraph {
  class ResolvableCall extends RelevantCall {
    Value targetValue;

-    ResolvableCall() { targetValue.getACall().getNode() = this.getNode() }
+    ResolvableCall() { targetValue.getACall() = this }

    /** Gets a resolved target of this call. */
    Target getTarget() {
--- a/python/ql/src/meta/analysis-quality/TTCallGraph.ql
+++ b/python/ql/src/meta/analysis-quality/TTCallGraph.ql
@@ -8,9 +8,8 @@

 import python
 import CallGraphQuality
-private import semmle.python.controlflow.internal.Cfg as Cfg

-from Cfg::CallNode call, Target target
+from CallNode call, Target target
 where
  target.isRelevant() and
  call.(TypeTrackingBasedCallGraph::ResolvableCall).getTarget() = target
--- a/python/ql/src/meta/analysis-quality/TTCallGraphMissing.ql
+++ b/python/ql/src/meta/analysis-quality/TTCallGraphMissing.ql
@@ -8,9 +8,8 @@

 import python
 import CallGraphQuality
-private import semmle.python.controlflow.internal.Cfg as Cfg

-from Cfg::CallNode call, Target target
+from CallNode call, Target target
 where
  target.isRelevant() and
  call.(PointsToBasedCallGraph::ResolvableCall).getTarget() = target and
--- a/python/ql/src/meta/analysis-quality/TTCallGraphNew.ql
+++ b/python/ql/src/meta/analysis-quality/TTCallGraphNew.ql
@@ -8,9 +8,8 @@

 import python
 import CallGraphQuality
-private import semmle.python.controlflow.internal.Cfg as Cfg

-from Cfg::CallNode call, Target target
+from CallNode call, Target target
 where
  target.isRelevant() and
  not call.(PointsToBasedCallGraph::ResolvableCall).getTarget() = target and
--- a/python/ql/src/meta/analysis-quality/TTCallGraphNewAmbiguous.ql
+++ b/python/ql/src/meta/analysis-quality/TTCallGraphNewAmbiguous.ql
@@ -8,9 +8,8 @@

 import python
 import CallGraphQuality
-private import semmle.python.controlflow.internal.Cfg as Cfg

-from Cfg::CallNode call, Target target
+from CallNode call, Target target
 where
  target.isRelevant() and
  not call.(PointsToBasedCallGraph::ResolvableCall).getTarget() = target and
--- a/python/ql/src/meta/analysis-quality/TTCallGraphOverview.ql
+++ b/python/ql/src/meta/analysis-quality/TTCallGraphOverview.ql
@@ -6,13 +6,12 @@

 import python
 import CallGraphQuality
-private import semmle.python.controlflow.internal.Cfg as Cfg

 from string tag, int c
 where
  tag = "SHARED" and
  c =
-    count(Cfg::CallNode call, Target target |
+    count(CallNode call, Target target |
      target.isRelevant() and
      call.(PointsToBasedCallGraph::ResolvableCall).getTarget() = target and
      call.(TypeTrackingBasedCallGraph::ResolvableCall).getTarget() = target
@@ -20,7 +19,7 @@ where
  or
  tag = "NEW" and
  c =
-    count(Cfg::CallNode call, Target target |
+    count(CallNode call, Target target |
      target.isRelevant() and
      not call.(PointsToBasedCallGraph::ResolvableCall).getTarget() = target and
      call.(TypeTrackingBasedCallGraph::ResolvableCall).getTarget() = target
@@ -28,7 +27,7 @@ where
  or
  tag = "MISSING" and
  c =
-    count(Cfg::CallNode call, Target target |
+    count(CallNode call, Target target |
      target.isRelevant() and
      call.(PointsToBasedCallGraph::ResolvableCall).getTarget() = target and
      not call.(TypeTrackingBasedCallGraph::ResolvableCall).getTarget() = target
--- a/python/ql/src/meta/analysis-quality/TTCallGraphShared.ql
+++ b/python/ql/src/meta/analysis-quality/TTCallGraphShared.ql
@@ -8,9 +8,8 @@

 import python
 import CallGraphQuality
-private import semmle.python.controlflow.internal.Cfg as Cfg

-from Cfg::CallNode call, Target target
+from CallNode call, Target target
 where
  target.isRelevant() and
  call.(PointsToBasedCallGraph::ResolvableCall).getTarget() = target and
--- a/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefaultCustomizations.qll
+++ b/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefaultCustomizations.qll
@@ -6,7 +6,6 @@
 private import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.BarrierGuards
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /**
 * Provides default sources, sinks and sanitizers for detecting
@@ -77,7 +76,7 @@ module ModificationOfParameterWithDefault {
    boolean nonEmpty;

    MutableDefaultValue() {
-      nonEmpty = mutableDefaultValue(this.asCfgNode().(Cfg::NameNode).getNode()) and
+      nonEmpty = mutableDefaultValue(this.asCfgNode().(NameNode).getNode()) and
      // Ignore sources inside the standard library. These are unlikely to be true positives.
      exists(this.getLocation().getFile().getRelativePath())
    }
@@ -126,10 +125,10 @@ module ModificationOfParameterWithDefault {
  class Mutation extends Sink {
    Mutation() {
      // assignment to a subscript (includes slices)
-      exists(Cfg::DefinitionNode d | d.(Cfg::SubscriptNode).getObject() = this.asCfgNode())
+      exists(DefinitionNode d | d.(SubscriptNode).getObject() = this.asCfgNode())
      or
      // deletion of a subscript
-      exists(Cfg::DeletionNode d | d.(Cfg::SubscriptNode).getObject() = this.asCfgNode())
+      exists(DeletionNode d | d.getTarget().(SubscriptNode).getObject() = this.asCfgNode())
      or
      // augmented assignment to the value
      exists(AugAssign a | this.asCfgNode().getNode() = a.getTarget())
@@ -142,26 +141,54 @@ module ModificationOfParameterWithDefault {
    }
  }

-  /**
-   * Holds if `g` is a direct truthiness check that proves its (single
-   * operand-and-result) value truthy on the `true` branch — i.e. `if g:`.
-   */
-  private predicate truthyGuard(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
-    node = g and branch = true
-  }
+  // This to reimplement some of the functionality of the DataFlow::BarrierGuard
+  private import semmle.python.essa.SsaCompute

-  /** Holds if `g` is a direct falsiness check — i.e. `if g:` taken to the false branch. */
-  private predicate falseyGuard(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
-    node = g and branch = false
+  /**
+   * A data-flow node that is known to be either truthy or falsey.
+   *
+   * It handles the cases `if x` and `if not x`.
+   *
+   * For example, in the following code, `this` will be the `x` that is printed,
+   * which we will know is truthy:
+   *
+   * ```py
+   * if x:
+   *     print(x)
+   * ```
+   */
+  private class MustBe extends DataFlow::Node {
+    boolean truthy;
+
+    MustBe() {
+      exists(DataFlow::GuardNode guard, NameNode guarded, boolean branch |
+        // case: if x
+        guard = guarded and
+        branch = truthy
+        or
+        // case: if not x
+        guard.(UnaryExprNode).getNode().getOp() instanceof Not and
+        guarded = guard.(UnaryExprNode).getOperand() and
+        branch = truthy.booleanNot()
+      |
+        // guard controls this
+        guard.controlsBlock(this.asCfgNode().getBasicBlock(), branch) and
+        // there is a definition tying the guarded value to this
+        exists(EssaDefinition def |
+          AdjacentUses::useOfDef(def, this.asCfgNode()) and
+          AdjacentUses::useOfDef(def, guarded)
+        )
+      )
+    }
  }

  /** Simple guard detecting truthy values. */
-  private class MustBeTruthy extends MustBeNonEmpty {
-    MustBeTruthy() { this = DataFlow::BarrierGuard<truthyGuard/3>::getABarrierNode() }
+  private class MustBeTruthy extends MustBe, MustBeNonEmpty {
+    MustBeTruthy() { truthy = true }
  }

  /** Simple guard detecting falsey values. */
-  private class MustBeFalsey extends MustBeEmpty {
-    MustBeFalsey() { this = DataFlow::BarrierGuard<falseyGuard/3>::getABarrierNode() }
+  private class MustBeFalsey extends MustBe, MustBeEmpty {
+    MustBeFalsey() { truthy = false }
  }
 }
--- a/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.expected
+++ b/python/ql/test/2/query-tests/Exceptions/generators/UnguardedNextInGenerator.expected
@@ -1,5 +1,2 @@
 | test.py:5:15:5:22 | ControlFlowNode for next() | Call to 'next()' in a generator. |
 | test.py:10:20:10:27 | ControlFlowNode for next() | Call to 'next()' in a generator. |
-| test.py:34:15:34:24 | ControlFlowNode for next() | Call to 'next()' in a generator. |
-| test.py:41:19:41:28 | ControlFlowNode for next() | Call to 'next()' in a generator. |
-| test.py:62:19:62:28 | ControlFlowNode for next() | Call to 'next()' in a generator. |
--- a/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.expected
+++ b/python/ql/test/2/query-tests/Exceptions/raising/RaisingTuple.expected
@@ -1,3 +1,3 @@
-| test.py:8:5:8:12 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:7:10:7:29 | After Tuple | tuple |
-| test.py:11:5:11:32 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:11:12:11:31 | After Tuple | tuple |
-| test.py:15:5:15:23 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:14:10:14:19 | After Tuple | tuple |
+| test.py:8:5:8:12 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:7:10:7:29 | ControlFlowNode for Tuple | tuple |
+| test.py:11:5:11:32 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:11:12:11:31 | ControlFlowNode for Tuple | tuple |
+| test.py:15:5:15:23 | Raise | Raising a $@ will result in the first element (recursively) being raised and all other elements being discarded. | test.py:14:10:14:19 | ControlFlowNode for Tuple | tuple |
--- a/python/ql/test/2/query-tests/Expressions/UseofApply.expected
+++ b/python/ql/test/2/query-tests/Expressions/UseofApply.expected
@@ -1,2 +1,2 @@
-| UseofApply.py:19:3:19:17 | After apply() | Call to the obsolete builtin function 'apply'. |
-| expressions_test.py:2:5:2:21 | After apply() | Call to the obsolete builtin function 'apply'. |
+| UseofApply.py:19:3:19:17 | ControlFlowNode for apply() | Call to the obsolete builtin function 'apply'. |
+| expressions_test.py:2:5:2:21 | ControlFlowNode for apply() | Call to the obsolete builtin function 'apply'. |
--- a/python/ql/test/2/query-tests/Expressions/UseofInput.expected
+++ b/python/ql/test/2/query-tests/Expressions/UseofInput.expected
@@ -1 +1 @@
-| expressions_test.py:6:12:6:18 | After input() | The unsafe built-in function 'input' is used in Python 2. |
+| expressions_test.py:6:12:6:18 | ControlFlowNode for input() | The unsafe built-in function 'input' is used in Python 2. |
--- a/python/ql/test/experimental/attrs/AttrReads.expected
+++ b/python/ql/test/experimental/attrs/AttrReads.expected
@@ -1,2 +1,2 @@
-| test.py:10:1:10:9 | After Attribute | test.py:10:1:10:5 | myobj | foo |
-| test.py:13:1:13:21 | After getattr() | test.py:13:9:13:13 | myobj | foo |
+| test.py:10:1:10:9 | ControlFlowNode for Attribute | test.py:10:1:10:5 | ControlFlowNode for myobj | foo |
+| test.py:13:1:13:21 | ControlFlowNode for getattr() | test.py:13:9:13:13 | ControlFlowNode for myobj | foo |
--- a/python/ql/test/experimental/attrs/AttrWrites.expected
+++ b/python/ql/test/experimental/attrs/AttrWrites.expected
@@ -1,5 +1,5 @@
-| test.py:5:9:5:16 | __init__ | test.py:4:1:4:20 | After ClassExpr | __init__ | test.py:5:5:5:28 | FunctionExpr |
-| test.py:6:9:6:16 | After Attribute | test.py:6:9:6:12 | self | foo | test.py:6:20:6:22 | foo |
-| test.py:9:1:9:9 | After Attribute | test.py:0:0:0:0 | ModuleVariableNode in Module test for myobj | foo | test.py:9:13:9:17 | StringLiteral |
-| test.py:9:1:9:9 | After Attribute | test.py:9:1:9:5 | myobj | foo | test.py:9:13:9:17 | StringLiteral |
-| test.py:12:1:12:25 | After setattr() | test.py:12:9:12:13 | myobj | foo | test.py:12:23:12:24 | IntegerLiteral |
+| test.py:5:9:5:16 | ControlFlowNode for __init__ | test.py:4:1:4:20 | ControlFlowNode for ClassExpr | __init__ | test.py:5:5:5:28 | ControlFlowNode for FunctionExpr |
+| test.py:6:9:6:16 | ControlFlowNode for Attribute | test.py:6:9:6:12 | ControlFlowNode for self | foo | test.py:6:20:6:22 | ControlFlowNode for foo |
+| test.py:9:1:9:9 | ControlFlowNode for Attribute | test.py:0:0:0:0 | ModuleVariableNode in Module test for myobj | foo | test.py:9:13:9:17 | ControlFlowNode for StringLiteral |
+| test.py:9:1:9:9 | ControlFlowNode for Attribute | test.py:9:1:9:5 | ControlFlowNode for myobj | foo | test.py:9:13:9:17 | ControlFlowNode for StringLiteral |
+| test.py:12:1:12:25 | ControlFlowNode for setattr() | test.py:12:9:12:13 | ControlFlowNode for myobj | foo | test.py:12:23:12:24 | ControlFlowNode for IntegerLiteral |
--- a/python/ql/test/experimental/import-resolution-namespace-relative/test.ql
+++ b/python/ql/test/experimental/import-resolution-namespace-relative/test.ql
@@ -2,16 +2,15 @@ import python
 import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import utils.test.InlineExpectationsTest
-private import semmle.python.controlflow.internal.Cfg as Cfg

 private module TestConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
-    node.(DataFlow::CallCfgNode).getFunction().asCfgNode().(Cfg::NameNode).getId() = "source"
+    node.(DataFlow::CallCfgNode).getFunction().asCfgNode().(NameNode).getId() = "source"
  }

  predicate isSink(DataFlow::Node node) {
    exists(DataFlow::CallCfgNode call |
-      call.getFunction().asCfgNode().(Cfg::NameNode).getId() = "sink" and
+      call.getFunction().asCfgNode().(NameNode).getId() = "sink" and
      node = call.getArg(0)
    )
  }
--- a/python/ql/test/experimental/import-resolution/ModuleExport.expected
+++ b/python/ql/test/experimental/import-resolution/ModuleExport.expected
@@ -1,120 +1,120 @@
-| attr_clash.__init__ | __file__ | attr_clash/__init__.py:6:6:6:13 | __file__ |
-| attr_clash.__init__ | clashing_attr | attr_clash/__init__.py:4:1:4:13 | clashing_attr |
-| attr_clash.__init__ | enter | attr_clash/__init__.py:2:1:2:5 | enter |
-| attr_clash.__init__ | exit | attr_clash/__init__.py:6:1:6:4 | exit |
-| attr_clash.clashing_attr | __file__ | attr_clash/clashing_attr.py:4:6:4:13 | __file__ |
-| attr_clash.clashing_attr | enter | attr_clash/clashing_attr.py:2:1:2:5 | enter |
-| attr_clash.clashing_attr | exit | attr_clash/clashing_attr.py:4:1:4:4 | exit |
-| attr_clash.non_clashing_submodule | __file__ | attr_clash/non_clashing_submodule.py:4:6:4:13 | __file__ |
-| attr_clash.non_clashing_submodule | enter | attr_clash/non_clashing_submodule.py:2:1:2:5 | enter |
-| attr_clash.non_clashing_submodule | exit | attr_clash/non_clashing_submodule.py:4:1:4:4 | exit |
-| bar | __file__ | bar.py:6:6:6:13 | __file__ |
-| bar | bar_attr | bar.py:4:1:4:8 | bar_attr |
-| bar | enter | bar.py:2:1:2:5 | enter |
-| bar | exit | bar.py:6:1:6:4 | exit |
-| baz | __file__ | baz.py:6:6:6:13 | __file__ |
-| baz | baz_attr | baz.py:4:1:4:8 | baz_attr |
-| baz | enter | baz.py:2:1:2:5 | enter |
-| baz | exit | baz.py:6:1:6:4 | exit |
-| block_flow_check | SOURCE | block_flow_check.py:12:25:12:30 | SOURCE |
-| block_flow_check | __file__ | block_flow_check.py:14:6:14:13 | __file__ |
-| block_flow_check | check | block_flow_check.py:12:1:12:5 | check |
-| block_flow_check | enter | block_flow_check.py:2:1:2:5 | enter |
-| block_flow_check | exit | block_flow_check.py:14:1:14:4 | exit |
-| block_flow_check | globals | block_flow_check.py:12:33:12:39 | globals |
-| block_flow_check | object | block_flow_check.py:4:14:4:19 | object |
-| foo | __file__ | foo.py:14:6:14:13 | __file__ |
-| foo | __private_foo_attr | foo.py:8:1:8:18 | __private_foo_attr |
-| foo | bar_reexported | foo.py:11:8:11:10 | ImportExpr |
-| foo | bar_reexported | foo.py:12:34:12:47 | bar_reexported |
-| foo | check | foo.py:12:1:12:5 | check |
-| foo | enter | foo.py:2:1:2:5 | enter |
-| foo | exit | foo.py:14:1:14:4 | exit |
-| foo | foo_attr | foo.py:5:1:5:8 | foo_attr |
-| foo | globals | foo.py:12:71:12:77 | globals |
-| generous_export | Exception | generous_export.py:16:11:16:19 | Exception |
-| generous_export | SOURCE | generous_export.py:15:11:15:16 | SOURCE |
-| generous_export | SOURCE | generous_export.py:20:25:20:30 | SOURCE |
-| generous_export | __file__ | generous_export.py:22:6:22:13 | __file__ |
-| generous_export | check | generous_export.py:20:1:20:5 | check |
-| generous_export | enter | generous_export.py:2:1:2:5 | enter |
-| generous_export | eval | generous_export.py:10:4:10:7 | eval |
-| generous_export | exit | generous_export.py:22:1:22:4 | exit |
-| generous_export | globals | generous_export.py:20:33:20:39 | globals |
-| generous_export | object | generous_export.py:4:14:4:19 | object |
-| generous_export | print | generous_export.py:15:5:15:9 | print |
-| has_defined_all | __all__ | has_defined_all.py:7:1:7:7 | __all__ |
-| has_defined_all | __file__ | has_defined_all.py:9:6:9:13 | __file__ |
-| has_defined_all | all_defined_bar | has_defined_all.py:5:1:5:15 | all_defined_bar |
-| has_defined_all | all_defined_foo | has_defined_all.py:4:1:4:15 | all_defined_foo |
-| has_defined_all | enter | has_defined_all.py:2:1:2:5 | enter |
-| has_defined_all | exit | has_defined_all.py:9:1:9:4 | exit |
-| has_defined_all_copy | __all__ | has_defined_all_copy.py:9:1:9:7 | __all__ |
-| has_defined_all_copy | __file__ | has_defined_all_copy.py:11:6:11:13 | __file__ |
-| has_defined_all_copy | all_defined_bar_copy | has_defined_all_copy.py:7:1:7:20 | all_defined_bar_copy |
-| has_defined_all_copy | all_defined_foo_copy | has_defined_all_copy.py:6:1:6:20 | all_defined_foo_copy |
-| has_defined_all_copy | enter | has_defined_all_copy.py:4:1:4:5 | enter |
-| has_defined_all_copy | exit | has_defined_all_copy.py:11:1:11:4 | exit |
-| has_defined_all_indirection | __file__ | has_defined_all_indirection.py:6:6:6:13 | __file__ |
-| has_defined_all_indirection | all_defined_foo_copy | has_defined_all_copy.py:6:1:6:20 | all_defined_foo_copy |
-| has_defined_all_indirection | enter | has_defined_all_indirection.py:2:1:2:5 | enter |
-| has_defined_all_indirection | exit | has_defined_all_indirection.py:6:1:6:4 | exit |
-| if_then_else | __file__ | if_then_else.py:16:6:16:13 | __file__ |
-| if_then_else | enter | if_then_else.py:2:1:2:5 | enter |
-| if_then_else | eval | if_then_else.py:11:8:11:11 | eval |
-| if_then_else | exit | if_then_else.py:16:1:16:4 | exit |
-| if_then_else | if_then_else_defined | if_then_else.py:7:5:7:24 | if_then_else_defined |
-| if_then_else | if_then_else_defined | if_then_else.py:12:9:12:28 | if_then_else_defined |
-| if_then_else | if_then_else_defined | if_then_else.py:14:9:14:28 | if_then_else_defined |
-| if_then_else_refined | SOURCE | if_then_else_refined.py:11:11:11:16 | SOURCE |
-| if_then_else_refined | SOURCE | if_then_else_refined.py:13:11:13:16 | SOURCE |
-| if_then_else_refined | __file__ | if_then_else_refined.py:19:6:19:13 | __file__ |
-| if_then_else_refined | check | if_then_else_refined.py:17:1:17:5 | check |
-| if_then_else_refined | enter | if_then_else_refined.py:4:1:4:5 | enter |
-| if_then_else_refined | eval | if_then_else_refined.py:10:4:10:7 | eval |
-| if_then_else_refined | exit | if_then_else_refined.py:19:1:19:4 | exit |
-| if_then_else_refined | globals | if_then_else_refined.py:17:24:17:30 | globals |
-| if_then_else_refined | src | if_then_else_refined.py:17:19:17:21 | src |
-| package.__init__ | __file__ | package/__init__.py:7:6:7:13 | __file__ |
-| package.__init__ | attr_used_in_subpackage | package/__init__.py:4:1:4:23 | attr_used_in_subpackage |
-| package.__init__ | enter | package/__init__.py:2:1:2:5 | enter |
-| package.__init__ | exit | package/__init__.py:7:1:7:4 | exit |
-| package.__init__ | package_attr | package/__init__.py:5:1:5:12 | package_attr |
-| package.subpackage2.__init__ | __file__ | package/subpackage2/__init__.py:6:6:6:13 | __file__ |
-| package.subpackage2.__init__ | enter | package/subpackage2/__init__.py:2:1:2:5 | enter |
-| package.subpackage2.__init__ | exit | package/subpackage2/__init__.py:6:1:6:4 | exit |
-| package.subpackage2.__init__ | subpackage2_attr | package/subpackage2/__init__.py:4:1:4:16 | subpackage2_attr |
-| package.subpackage.__init__ | __file__ | package/subpackage/__init__.py:14:6:14:13 | __file__ |
-| package.subpackage.__init__ | check | package/subpackage/__init__.py:12:1:12:5 | check |
-| package.subpackage.__init__ | enter | package/subpackage/__init__.py:2:1:2:5 | enter |
-| package.subpackage.__init__ | exit | package/subpackage/__init__.py:14:1:14:4 | exit |
-| package.subpackage.__init__ | globals | package/subpackage/__init__.py:12:79:12:85 | globals |
-| package.subpackage.__init__ | imported_attr | package/subpackage/__init__.py:7:16:7:55 | After ImportMember |
-| package.subpackage.__init__ | imported_attr | package/subpackage/__init__.py:8:24:8:36 | imported_attr |
-| package.subpackage.__init__ | irrelevant_attr | package/subpackage/__init__.py:11:24:11:38 | After ImportMember |
-| package.subpackage.__init__ | irrelevant_attr | package/subpackage/__init__.py:11:24:11:38 | irrelevant_attr |
-| package.subpackage.__init__ | submodule | package/subpackage/__init__.py:12:35:12:43 | submodule |
-| package.subpackage.__init__ | subpackage_attr | package/subpackage/__init__.py:4:1:4:15 | subpackage_attr |
-| package.subpackage.submodule | __file__ | package/subpackage/submodule.py:7:6:7:13 | __file__ |
-| package.subpackage.submodule | enter | package/subpackage/submodule.py:2:1:2:5 | enter |
-| package.subpackage.submodule | exit | package/subpackage/submodule.py:7:1:7:4 | exit |
-| package.subpackage.submodule | irrelevant_attr | package/subpackage/submodule.py:5:1:5:15 | irrelevant_attr |
-| package.subpackage.submodule | submodule_attr | package/subpackage/submodule.py:4:1:4:14 | submodule_attr |
-| refined | SOURCE | refined.py:12:25:12:30 | SOURCE |
-| refined | __file__ | refined.py:14:6:14:13 | __file__ |
-| refined | check | refined.py:12:1:12:5 | check |
-| refined | enter | refined.py:2:1:2:5 | enter |
-| refined | exit | refined.py:14:1:14:4 | exit |
-| refined | globals | refined.py:12:33:12:39 | globals |
-| refined | object | refined.py:4:14:4:19 | object |
-| simplistic_reexport | __file__ | simplistic_reexport.py:19:6:19:13 | __file__ |
-| simplistic_reexport | bar_attr | simplistic_reexport.py:6:17:6:24 | After ImportMember |
-| simplistic_reexport | bar_attr | simplistic_reexport.py:10:19:10:26 | bar_attr |
-| simplistic_reexport | baz_attr | baz.py:4:1:4:8 | baz_attr |
-| simplistic_reexport | baz_attr | simplistic_reexport.py:17:19:17:26 | baz_attr |
-| simplistic_reexport | check | simplistic_reexport.py:17:1:17:5 | check |
-| simplistic_reexport | enter | baz.py:2:1:2:5 | enter |
-| simplistic_reexport | enter | simplistic_reexport.py:4:1:4:5 | enter |
-| simplistic_reexport | exit | baz.py:6:1:6:4 | exit |
-| simplistic_reexport | exit | simplistic_reexport.py:19:1:19:4 | exit |
-| simplistic_reexport | globals | simplistic_reexport.py:17:44:17:50 | globals |
+| attr_clash.__init__ | __file__ | attr_clash/__init__.py:6:6:6:13 | ControlFlowNode for __file__ |
+| attr_clash.__init__ | clashing_attr | attr_clash/__init__.py:4:1:4:13 | ControlFlowNode for clashing_attr |
+| attr_clash.__init__ | enter | attr_clash/__init__.py:2:1:2:5 | ControlFlowNode for enter |
+| attr_clash.__init__ | exit | attr_clash/__init__.py:6:1:6:4 | ControlFlowNode for exit |
+| attr_clash.clashing_attr | __file__ | attr_clash/clashing_attr.py:4:6:4:13 | ControlFlowNode for __file__ |
+| attr_clash.clashing_attr | enter | attr_clash/clashing_attr.py:2:1:2:5 | ControlFlowNode for enter |
+| attr_clash.clashing_attr | exit | attr_clash/clashing_attr.py:4:1:4:4 | ControlFlowNode for exit |
+| attr_clash.non_clashing_submodule | __file__ | attr_clash/non_clashing_submodule.py:4:6:4:13 | ControlFlowNode for __file__ |
+| attr_clash.non_clashing_submodule | enter | attr_clash/non_clashing_submodule.py:2:1:2:5 | ControlFlowNode for enter |
+| attr_clash.non_clashing_submodule | exit | attr_clash/non_clashing_submodule.py:4:1:4:4 | ControlFlowNode for exit |
+| bar | __file__ | bar.py:6:6:6:13 | ControlFlowNode for __file__ |
+| bar | bar_attr | bar.py:4:1:4:8 | ControlFlowNode for bar_attr |
+| bar | enter | bar.py:2:1:2:5 | ControlFlowNode for enter |
+| bar | exit | bar.py:6:1:6:4 | ControlFlowNode for exit |
+| baz | __file__ | baz.py:6:6:6:13 | ControlFlowNode for __file__ |
+| baz | baz_attr | baz.py:4:1:4:8 | ControlFlowNode for baz_attr |
+| baz | enter | baz.py:2:1:2:5 | ControlFlowNode for enter |
+| baz | exit | baz.py:6:1:6:4 | ControlFlowNode for exit |
+| block_flow_check | SOURCE | block_flow_check.py:12:25:12:30 | ControlFlowNode for SOURCE |
+| block_flow_check | __file__ | block_flow_check.py:14:6:14:13 | ControlFlowNode for __file__ |
+| block_flow_check | check | block_flow_check.py:12:1:12:5 | ControlFlowNode for check |
+| block_flow_check | enter | block_flow_check.py:2:1:2:5 | ControlFlowNode for enter |
+| block_flow_check | exit | block_flow_check.py:14:1:14:4 | ControlFlowNode for exit |
+| block_flow_check | globals | block_flow_check.py:12:33:12:39 | ControlFlowNode for globals |
+| block_flow_check | object | block_flow_check.py:4:14:4:19 | ControlFlowNode for object |
+| foo | __file__ | foo.py:14:6:14:13 | ControlFlowNode for __file__ |
+| foo | __private_foo_attr | foo.py:8:1:8:18 | ControlFlowNode for __private_foo_attr |
+| foo | bar_reexported | foo.py:11:8:11:10 | ControlFlowNode for ImportExpr |
+| foo | bar_reexported | foo.py:12:34:12:47 | ControlFlowNode for bar_reexported |
+| foo | check | foo.py:12:1:12:5 | ControlFlowNode for check |
+| foo | enter | foo.py:2:1:2:5 | ControlFlowNode for enter |
+| foo | exit | foo.py:14:1:14:4 | ControlFlowNode for exit |
+| foo | foo_attr | foo.py:5:1:5:8 | ControlFlowNode for foo_attr |
+| foo | globals | foo.py:12:71:12:77 | ControlFlowNode for globals |
+| generous_export | Exception | generous_export.py:16:11:16:19 | ControlFlowNode for Exception |
+| generous_export | SOURCE | generous_export.py:15:11:15:16 | ControlFlowNode for SOURCE |
+| generous_export | SOURCE | generous_export.py:20:25:20:30 | ControlFlowNode for SOURCE |
+| generous_export | __file__ | generous_export.py:22:6:22:13 | ControlFlowNode for __file__ |
+| generous_export | check | generous_export.py:20:1:20:5 | ControlFlowNode for check |
+| generous_export | enter | generous_export.py:2:1:2:5 | ControlFlowNode for enter |
+| generous_export | eval | generous_export.py:10:4:10:7 | ControlFlowNode for eval |
+| generous_export | exit | generous_export.py:22:1:22:4 | ControlFlowNode for exit |
+| generous_export | globals | generous_export.py:20:33:20:39 | ControlFlowNode for globals |
+| generous_export | object | generous_export.py:4:14:4:19 | ControlFlowNode for object |
+| generous_export | print | generous_export.py:15:5:15:9 | ControlFlowNode for print |
+| has_defined_all | __all__ | has_defined_all.py:7:1:7:7 | ControlFlowNode for __all__ |
+| has_defined_all | __file__ | has_defined_all.py:9:6:9:13 | ControlFlowNode for __file__ |
+| has_defined_all | all_defined_bar | has_defined_all.py:5:1:5:15 | ControlFlowNode for all_defined_bar |
+| has_defined_all | all_defined_foo | has_defined_all.py:4:1:4:15 | ControlFlowNode for all_defined_foo |
+| has_defined_all | enter | has_defined_all.py:2:1:2:5 | ControlFlowNode for enter |
+| has_defined_all | exit | has_defined_all.py:9:1:9:4 | ControlFlowNode for exit |
+| has_defined_all_copy | __all__ | has_defined_all_copy.py:9:1:9:7 | ControlFlowNode for __all__ |
+| has_defined_all_copy | __file__ | has_defined_all_copy.py:11:6:11:13 | ControlFlowNode for __file__ |
+| has_defined_all_copy | all_defined_bar_copy | has_defined_all_copy.py:7:1:7:20 | ControlFlowNode for all_defined_bar_copy |
+| has_defined_all_copy | all_defined_foo_copy | has_defined_all_copy.py:6:1:6:20 | ControlFlowNode for all_defined_foo_copy |
+| has_defined_all_copy | enter | has_defined_all_copy.py:4:1:4:5 | ControlFlowNode for enter |
+| has_defined_all_copy | exit | has_defined_all_copy.py:11:1:11:4 | ControlFlowNode for exit |
+| has_defined_all_indirection | __file__ | has_defined_all_indirection.py:6:6:6:13 | ControlFlowNode for __file__ |
+| has_defined_all_indirection | all_defined_foo_copy | has_defined_all_copy.py:6:1:6:20 | ControlFlowNode for all_defined_foo_copy |
+| has_defined_all_indirection | enter | has_defined_all_indirection.py:2:1:2:5 | ControlFlowNode for enter |
+| has_defined_all_indirection | exit | has_defined_all_indirection.py:6:1:6:4 | ControlFlowNode for exit |
+| if_then_else | __file__ | if_then_else.py:16:6:16:13 | ControlFlowNode for __file__ |
+| if_then_else | enter | if_then_else.py:2:1:2:5 | ControlFlowNode for enter |
+| if_then_else | eval | if_then_else.py:11:8:11:11 | ControlFlowNode for eval |
+| if_then_else | exit | if_then_else.py:16:1:16:4 | ControlFlowNode for exit |
+| if_then_else | if_then_else_defined | if_then_else.py:7:5:7:24 | ControlFlowNode for if_then_else_defined |
+| if_then_else | if_then_else_defined | if_then_else.py:12:9:12:28 | ControlFlowNode for if_then_else_defined |
+| if_then_else | if_then_else_defined | if_then_else.py:14:9:14:28 | ControlFlowNode for if_then_else_defined |
+| if_then_else_refined | SOURCE | if_then_else_refined.py:11:11:11:16 | ControlFlowNode for SOURCE |
+| if_then_else_refined | SOURCE | if_then_else_refined.py:13:11:13:16 | ControlFlowNode for SOURCE |
+| if_then_else_refined | __file__ | if_then_else_refined.py:19:6:19:13 | ControlFlowNode for __file__ |
+| if_then_else_refined | check | if_then_else_refined.py:17:1:17:5 | ControlFlowNode for check |
+| if_then_else_refined | enter | if_then_else_refined.py:4:1:4:5 | ControlFlowNode for enter |
+| if_then_else_refined | eval | if_then_else_refined.py:10:4:10:7 | ControlFlowNode for eval |
+| if_then_else_refined | exit | if_then_else_refined.py:19:1:19:4 | ControlFlowNode for exit |
+| if_then_else_refined | globals | if_then_else_refined.py:17:24:17:30 | ControlFlowNode for globals |
+| if_then_else_refined | src | if_then_else_refined.py:17:19:17:21 | ControlFlowNode for src |
+| package.__init__ | __file__ | package/__init__.py:7:6:7:13 | ControlFlowNode for __file__ |
+| package.__init__ | attr_used_in_subpackage | package/__init__.py:4:1:4:23 | ControlFlowNode for attr_used_in_subpackage |
+| package.__init__ | enter | package/__init__.py:2:1:2:5 | ControlFlowNode for enter |
+| package.__init__ | exit | package/__init__.py:7:1:7:4 | ControlFlowNode for exit |
+| package.__init__ | package_attr | package/__init__.py:5:1:5:12 | ControlFlowNode for package_attr |
+| package.subpackage2.__init__ | __file__ | package/subpackage2/__init__.py:6:6:6:13 | ControlFlowNode for __file__ |
+| package.subpackage2.__init__ | enter | package/subpackage2/__init__.py:2:1:2:5 | ControlFlowNode for enter |
+| package.subpackage2.__init__ | exit | package/subpackage2/__init__.py:6:1:6:4 | ControlFlowNode for exit |
+| package.subpackage2.__init__ | subpackage2_attr | package/subpackage2/__init__.py:4:1:4:16 | ControlFlowNode for subpackage2_attr |
+| package.subpackage.__init__ | __file__ | package/subpackage/__init__.py:14:6:14:13 | ControlFlowNode for __file__ |
+| package.subpackage.__init__ | check | package/subpackage/__init__.py:12:1:12:5 | ControlFlowNode for check |
+| package.subpackage.__init__ | enter | package/subpackage/__init__.py:2:1:2:5 | ControlFlowNode for enter |
+| package.subpackage.__init__ | exit | package/subpackage/__init__.py:14:1:14:4 | ControlFlowNode for exit |
+| package.subpackage.__init__ | globals | package/subpackage/__init__.py:12:79:12:85 | ControlFlowNode for globals |
+| package.subpackage.__init__ | imported_attr | package/subpackage/__init__.py:7:16:7:55 | ControlFlowNode for ImportMember |
+| package.subpackage.__init__ | imported_attr | package/subpackage/__init__.py:8:24:8:36 | ControlFlowNode for imported_attr |
+| package.subpackage.__init__ | irrelevant_attr | package/subpackage/__init__.py:11:24:11:38 | ControlFlowNode for ImportMember |
+| package.subpackage.__init__ | irrelevant_attr | package/subpackage/__init__.py:11:24:11:38 | ControlFlowNode for irrelevant_attr |
+| package.subpackage.__init__ | submodule | package/subpackage/__init__.py:12:35:12:43 | ControlFlowNode for submodule |
+| package.subpackage.__init__ | subpackage_attr | package/subpackage/__init__.py:4:1:4:15 | ControlFlowNode for subpackage_attr |
+| package.subpackage.submodule | __file__ | package/subpackage/submodule.py:7:6:7:13 | ControlFlowNode for __file__ |
+| package.subpackage.submodule | enter | package/subpackage/submodule.py:2:1:2:5 | ControlFlowNode for enter |
+| package.subpackage.submodule | exit | package/subpackage/submodule.py:7:1:7:4 | ControlFlowNode for exit |
+| package.subpackage.submodule | irrelevant_attr | package/subpackage/submodule.py:5:1:5:15 | ControlFlowNode for irrelevant_attr |
+| package.subpackage.submodule | submodule_attr | package/subpackage/submodule.py:4:1:4:14 | ControlFlowNode for submodule_attr |
+| refined | SOURCE | refined.py:12:25:12:30 | ControlFlowNode for SOURCE |
+| refined | __file__ | refined.py:14:6:14:13 | ControlFlowNode for __file__ |
+| refined | check | refined.py:12:1:12:5 | ControlFlowNode for check |
+| refined | enter | refined.py:2:1:2:5 | ControlFlowNode for enter |
+| refined | exit | refined.py:14:1:14:4 | ControlFlowNode for exit |
+| refined | globals | refined.py:12:33:12:39 | ControlFlowNode for globals |
+| refined | object | refined.py:4:14:4:19 | ControlFlowNode for object |
+| simplistic_reexport | __file__ | simplistic_reexport.py:19:6:19:13 | ControlFlowNode for __file__ |
+| simplistic_reexport | bar_attr | simplistic_reexport.py:6:17:6:24 | ControlFlowNode for ImportMember |
+| simplistic_reexport | bar_attr | simplistic_reexport.py:10:19:10:26 | ControlFlowNode for bar_attr |
+| simplistic_reexport | baz_attr | baz.py:4:1:4:8 | ControlFlowNode for baz_attr |
+| simplistic_reexport | baz_attr | simplistic_reexport.py:17:19:17:26 | ControlFlowNode for baz_attr |
+| simplistic_reexport | check | simplistic_reexport.py:17:1:17:5 | ControlFlowNode for check |
+| simplistic_reexport | enter | baz.py:2:1:2:5 | ControlFlowNode for enter |
+| simplistic_reexport | enter | simplistic_reexport.py:4:1:4:5 | ControlFlowNode for enter |
+| simplistic_reexport | exit | baz.py:6:1:6:4 | ControlFlowNode for exit |
+| simplistic_reexport | exit | simplistic_reexport.py:19:1:19:4 | ControlFlowNode for exit |
+| simplistic_reexport | globals | simplistic_reexport.py:17:44:17:50 | ControlFlowNode for globals |
--- a/python/ql/test/experimental/import-resolution/importflow.ql
+++ b/python/ql/test/experimental/import-resolution/importflow.ql
@@ -3,7 +3,6 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import utils.test.InlineExpectationsTest
 import semmle.python.dataflow.new.internal.ImportResolution
-private import semmle.python.controlflow.internal.Cfg as Cfg

 /** A string that appears on the right hand side of an assignment. */
 private class SourceString extends DataFlow::Node {
@@ -46,7 +45,7 @@ private class VersionGuardedNode extends DataFlow::Node {

  VersionGuardedNode() {
    version in [2, 3] and
-    exists(If parent, Cfg::CompareNode c, Cfg::ControlFlowNode litCfg |
+    exists(If parent, CompareNode c, ControlFlowNode litCfg |
      parent.getBody().contains(this.asExpr()) and
      litCfg.getNode() = any(IntegerLiteral lit | lit.getValue() = version)
    |
--- a/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.expected
+++ b/python/ql/test/experimental/library-tests/CallGraph-type-annotations/InlineCallGraphTest.expected
@@ -2,6 +2,5 @@ testFailures
 debug_callableNotUnique
 pointsTo_found_typeTracker_notFound
 typeTracker_found_pointsTo_notFound
-| type_annotations.py:6:5:6:14 | Attribute() | Foo.method |
-| type_annotations.py:16:5:16:14 | Attribute() | Foo.method |
-| type_annotations.py:29:5:29:14 | Attribute() | Foo.method |
+| type_annotations.py:6:5:6:14 | ControlFlowNode for Attribute() | Foo.method |
+| type_annotations.py:16:5:16:14 | ControlFlowNode for Attribute() | Foo.method |
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	316b4144d3	Initial plan	2026-06-22 22:23:18 +00:00
Owen Mansel-Chan	f0576046b1	Merge pull request #22027 from owen-mc/go/improve-tests Go: Improve two tests	2026-06-22 17:19:40 +01:00
Owen Mansel-Chan	07cf89568f	Test CFG for function epilogue (read-result nodes and calls to defered functions)	2026-06-20 22:04:45 +01:00
Owen Mansel-Chan	42ebe56023	Make all lines in logging tests reachable	2026-06-20 22:04:43 +01:00