Merge branch 'main' into bazookamusic/range-analysis-bound-move-to-shared

Shared: Local name resolution library

config/identical-files.json

@@ -11,10 +11,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
-  "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
-  ],
   "ModulusAnalysis Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"

csharp/ql/lib/qlpack.yml

@@ -9,6 +9,7 @@ dependencies:
   codeql/controlflow: ${workspace}
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
+  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/threat-models: ${workspace}
   codeql/tutorial: ${workspace}

csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll

@@ -4,67 +4,11 @@
 overlay[local?]
 module;
 
+private import csharp as CS
 private import internal.rangeanalysis.BoundSpecific
+private import internal.rangeanalysis.BoundSpecific as BoundSpecific
+private import codeql.rangeanalysis.Bound as SharedBound
 
-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
-  TBoundExpr(Expr e) {
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
-  }
+private module BoundImpl = SharedBound::Bound<CS::Location, BoundSpecific::BoundDefs>;
 
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
-
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
-
-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = this.getExpr(0) }
-
-  /** Gets the location of this bound. */
-  abstract Location getLocation();
-}
-
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
-
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}
+import BoundImpl

csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -1,22 +1,30 @@
 /**
  * Provides C#-specific definitions for bounds.
  */
+overlay[local?]
+module;
 
 private import csharp as CS
 private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa
 private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
 private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
 private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
+private import codeql.rangeanalysis.Bound as SharedBound
 
-class SsaVariable = SU::SsaVariable;
+/** Provides C#-specific definitions for bounds. */
+module BoundDefs implements SharedBound::BoundDefinitions<CS::Location> {
+  class Type = CS::Type;
 
-class Expr = CS::ControlFlowNodes::ExprNode;
+  class SsaVariable = SU::SsaVariable;
 
-class Location = CS::Location;
+  class SsaSourceVariable = Ssa::SourceVariable;
 
-class IntegralType = CS::IntegralType;
+  class Expr = CS::ControlFlowNodes::ExprNode;
 
-class ConstantIntegerExpr = CU::ConstantIntegerExpr;
+  class IntegralType = CS::IntegralType;
 
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
+  class ConstantIntegerExpr = CU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
+}

java/ql/lib/semmle/code/java/dataflow/Bound.qll

@@ -4,67 +4,10 @@
 overlay[local?]
 module;
 
-private import internal.rangeanalysis.BoundSpecific
+private import java as J
+private import internal.rangeanalysis.BoundSpecific as BoundSpecific
+private import codeql.rangeanalysis.Bound as SharedBound
 
-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
-  TBoundExpr(Expr e) {
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
-  }
+private module BoundImpl = SharedBound::Bound<J::Location, BoundSpecific::BoundDefs>;
 
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
-
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
-
-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = this.getExpr(0) }
-
-  /** Gets the location of this bound. */
-  abstract Location getLocation();
-}
-
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
-
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}
+import BoundImpl

java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -7,21 +7,26 @@ module;
 private import java as J
 private import semmle.code.java.dataflow.SSA as Ssa
 private import semmle.code.java.dataflow.RangeUtils as RU
+private import codeql.rangeanalysis.Bound as SharedBound
 
-class SsaVariable extends Ssa::SsaDefinition {
-  /** Gets a use of this variable. */
-  Expr getAUse() { result = super.getARead() }
-}
-
-class Expr = J::Expr;
-
-class Location = J::Location;
-
-class IntegralType = J::IntegralType;
-
-class ConstantIntegerExpr = RU::ConstantIntegerExpr;
-
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) {
-  e.(J::FieldRead).getField() instanceof J::ArrayLengthField
+module BoundDefs implements SharedBound::BoundDefinitions<J::Location> {
+  class SsaVariable extends Ssa::SsaDefinition {
+    /** Gets a use of this variable. */
+    Expr getAUse() { result = super.getARead() }
+  }
+
+  class SsaSourceVariable = Ssa::SourceVariable;
+
+  class Type = J::Type;
+
+  class Expr = J::Expr;
+
+  class IntegralType = J::IntegralType;
+
+  class ConstantIntegerExpr = RU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) {
+    e.(J::FieldRead).getField() instanceof J::ArrayLengthField
+  }
 }

python/ql/lib/LegacyPointsTo.qll

@@ -213,11 +213,9 @@ class ExprWithPointsTo extends Expr {
    * Gets what this expression might "refer-to" in the given `context`.
    */
   predicate refersTo(Context context, Object obj, ClassObject cls, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
-      this_.getNode() = this and origin_.getNode() = origin
-    |
-      this_.(ControlFlowNodeWithPointsTo).refersTo(context, obj, cls, origin_)
-    )
+    this.getAFlowNode()
+        .(ControlFlowNodeWithPointsTo)
+        .refersTo(context, obj, cls, origin.getAFlowNode())
   }
 
   /**
@@ -228,11 +226,7 @@ class ExprWithPointsTo extends Expr {
    */
   pragma[nomagic]
   predicate refersTo(Object obj, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
-      this_.getNode() = this and origin_.getNode() = origin
-    |
-      this_.(ControlFlowNodeWithPointsTo).refersTo(obj, origin_)
-    )
+    this.getAFlowNode().(ControlFlowNodeWithPointsTo).refersTo(obj, origin.getAFlowNode())
   }
 
   /**
@@ -246,22 +240,16 @@ class ExprWithPointsTo extends Expr {
    * in the given `context`.
    */
   predicate pointsTo(Context context, Value value, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
-      this_.getNode() = this and origin_.getNode() = origin
-    |
-      this_.(ControlFlowNodeWithPointsTo).pointsTo(context, value, origin_)
-    )
+    this.getAFlowNode()
+        .(ControlFlowNodeWithPointsTo)
+        .pointsTo(context, value, origin.getAFlowNode())
   }
 
   /**
    * Holds if this expression might "point-to" to `value` which is from `origin`.
    */
   predicate pointsTo(Value value, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
-      this_.getNode() = this and origin_.getNode() = origin
-    |
-      this_.(ControlFlowNodeWithPointsTo).pointsTo(value, origin_)
-    )
+    this.getAFlowNode().(ControlFlowNodeWithPointsTo).pointsTo(value, origin.getAFlowNode())
   }
 
   /**
@@ -487,10 +475,7 @@ class FunctionMetricsWithPointsTo extends FunctionMetrics {
     not non_coupling_method(result) and
     exists(Call call | call.getScope() = this |
       exists(FunctionObject callee | callee.getFunction() = result |
-        exists(CallNode call_ |
-          call_.getNode() = call and
-          call_.getFunction().(ControlFlowNodeWithPointsTo).refersTo(callee)
-        )
+        call.getAFlowNode().getFunction().(ControlFlowNodeWithPointsTo).refersTo(callee)
       )
       or
       exists(Attribute a | call.getFunc() = a |

python/ql/lib/analysis/DefinitionTracking.qll

@@ -64,7 +64,7 @@ private predicate jump_to_defn(ControlFlowNode use, Definition defn) {
 private predicate preferred_jump_to_defn(Expr use, Definition def) {
   not use instanceof ClassExpr and
   not use instanceof FunctionExpr and
-  exists(ControlFlowNode useNode | useNode.getNode() = use | jump_to_defn(useNode, def))
+  jump_to_defn(use.getAFlowNode(), def)
 }
 
 private predicate unique_jump_to_defn(Expr use, Definition def) {
@@ -452,7 +452,7 @@ private predicate self_parameter_jump_to_defn_attribute(
  * This exists primarily for testing use `getPreferredDefinition()` instead.
  */
 Definition getADefinition(Expr use) {
-  exists(ControlFlowNode useNode | useNode.getNode() = use | jump_to_defn(useNode, result)) and
+  jump_to_defn(use.getAFlowNode(), result) and
   not use instanceof Call and
   not use.isArtificial() and
   // Not the use itself

python/ql/lib/change-notes/2026-05-19-deprecate-getAFlowNode.md

@@ -1,5 +0,0 @@
----
-category: deprecated
----
-* The `AstNode.getAFlowNode()` predicate has been deprecated. Use `ControlFlowNode.getNode()` from the other direction instead: replace `e.getAFlowNode() = n` with `n.getNode() = e`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
-

python/ql/lib/change-notes/2026-06-01-decorator-predicate-simplification.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.

python/ql/lib/change-notes/2026-06-01-deprecate-getAReturnValueFlowNode.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `Function.getAReturnValueFlowNode()` predicate has been deprecated. Bind a `Return` node explicitly instead — `exists(Return ret | ret.getScope() = f and n.getNode() = ret.getValue())`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.

python/ql/lib/semmle/python/AstExtended.qll

@@ -16,26 +16,21 @@ abstract class AstNode extends AstNode_ {
   /** Gets the scope that this node occurs in */
   abstract Scope getScope();
 
-  /** Gets the location for this AST node */
-  cached
-  Location getLocation() { none() }
-
   /**
-   * DEPRECATED: use `ControlFlowNode.getNode()` from the other direction instead;
-   * that is, replace `e.getAFlowNode() = n` with `n.getNode() = e`. This API is
-   * being removed to untangle the AST and CFG hierarchies in preparation for
-   * migrating the dataflow library off the legacy CFG.
-   *
    * Gets a flow node corresponding directly to this node.
    * NOTE: For some statements and other purely syntactic elements,
-   * there may not be a `ControlFlowNode`.
+   * there may not be a `ControlFlowNode`
    */
   cached
-  deprecated ControlFlowNode getAFlowNode() {
+  ControlFlowNode getAFlowNode() {
     Stages::AST::ref() and
     py_flow_bb_node(result, this, _, _)
   }
 
+  /** Gets the location for this AST node */
+  cached
+  Location getLocation() { none() }
+
   /**
    * Whether this syntactic element is artificial, that is it is generated
    * by the compiler and is not present in the source

python/ql/lib/semmle/python/Exprs.qll

@@ -28,9 +28,7 @@ class Expr extends Expr_, AstNode {
   /** Whether this expression may have a side effect (as determined purely from its syntax) */
   predicate hasSideEffects() {
     /* If an exception raised by this expression handled, count that as a side effect */
-    exists(ControlFlowNode n | n.getNode() = this |
-      n.getASuccessor().getNode() instanceof ExceptStmt
-    )
+    this.getAFlowNode().getASuccessor().getNode() instanceof ExceptStmt
     or
     this.getASubExpression().hasSideEffects()
   }
@@ -70,6 +68,8 @@ class Attribute extends Attribute_ {
   /* syntax: Expr.name */
   override Expr getASubExpression() { result = this.getObject() }
 
+  override AttrNode getAFlowNode() { result = super.getAFlowNode() }
+
   /** Gets the name of this attribute. That is the `name` in `obj.name` */
   string getName() { result = Attribute_.super.getAttr() }
 
@@ -96,6 +96,8 @@ class Subscript extends Subscript_ {
   }
 
   Expr getObject() { result = Subscript_.super.getValue() }
+
+  override SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A call expression, such as `func(...)` */
@@ -111,6 +113,8 @@ class Call extends Call_ {
 
   override string toString() { result = this.getFunc().toString() + "()" }
 
+  override CallNode getAFlowNode() { result = super.getAFlowNode() }
+
   /** Gets a tuple (*) argument of this call. */
   Expr getStarargs() { result = this.getAPositionalArg().(Starred).getValue() }
 
@@ -196,6 +200,8 @@ class IfExp extends IfExp_ {
   override Expr getASubExpression() {
     result = this.getTest() or result = this.getBody() or result = this.getOrelse()
   }
+
+  override IfExprNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A starred expression, such as the `*rest` in the assignment `first, *rest = seq` */
@@ -404,6 +410,8 @@ class PlaceHolder extends PlaceHolder_ {
   override Expr getASubExpression() { none() }
 
   override string toString() { result = "$" + this.getId() }
+
+  override NameNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A tuple expression such as `( 1, 3, 5, 7, 9 )` */
@@ -470,6 +478,8 @@ class Name extends Name_ {
 
   override string toString() { result = this.getId() }
 
+  override NameNode getAFlowNode() { result = super.getAFlowNode() }
+
   override predicate isArtificial() {
     /* Artificial variable names in comprehensions all start with "." */
     this.getId().charAt(0) = "."
@@ -575,6 +585,8 @@ abstract class NameConstant extends Name, ImmutableLiteral {
 
   override predicate isConstant() { any() }
 
+  override NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }
+
   override predicate isArtificial() { none() }
 }
 

python/ql/lib/semmle/python/Flow.qll

@@ -1,7 +1,7 @@
 overlay[local]
 module;
 
-import python as Py
+import python
 private import semmle.python.internal.CachedStages
 private import codeql.controlflow.BasicBlock as BB
 
@@ -17,7 +17,7 @@ private import codeql.controlflow.BasicBlock as BB
  */
 
 private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
-  exists(Py::Expr load_store | exists(Py::AugAssign aa | aa.getTarget() = load_store) |
+  exists(Expr load_store | exists(AugAssign aa | aa.getTarget() = load_store) |
     toAst(load) = load_store and
     toAst(store) = load_store and
     load.strictlyDominates(store)
@@ -25,7 +25,7 @@ private predicate augstore(ControlFlowNode load, ControlFlowNode store) {
 }
 
 /** A non-dispatched getNode() to avoid negative recursion issues */
-private Py::AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
+private AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _) }
 
 /**
  * A control flow node. Control flow nodes have a many-to-one relation with syntactic nodes,
@@ -35,19 +35,19 @@ private Py::AstNode toAst(ControlFlowNode n) { py_flow_bb_node(n, result, _, _)
 class ControlFlowNode extends @py_flow_node {
   /** Whether this control flow node is a load (including those in augmented assignments) */
   predicate isLoad() {
-    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
+    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 3, e) and not augstore(_, this))
   }
 
   /** Whether this control flow node is a store (including those in augmented assignments) */
   predicate isStore() {
-    exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
+    exists(Expr e | e = toAst(this) | py_expr_contexts(_, 5, e) or augstore(_, this))
   }
 
   /** Whether this control flow node is a delete */
-  predicate isDelete() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }
+  predicate isDelete() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 2, e)) }
 
   /** Whether this control flow node is a parameter */
-  predicate isParameter() { exists(Py::Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }
+  predicate isParameter() { exists(Expr e | e = toAst(this) | py_expr_contexts(_, 4, e)) }
 
   /** Whether this control flow node is a store in an augmented assignment */
   predicate isAugStore() { augstore(_, this) }
@@ -57,61 +57,61 @@ class ControlFlowNode extends @py_flow_node {
 
   /** Whether this flow node corresponds to a literal */
   predicate isLiteral() {
-    toAst(this) instanceof Py::Bytes
+    toAst(this) instanceof Bytes
     or
-    toAst(this) instanceof Py::Dict
+    toAst(this) instanceof Dict
     or
-    toAst(this) instanceof Py::DictComp
+    toAst(this) instanceof DictComp
     or
-    toAst(this) instanceof Py::Set
+    toAst(this) instanceof Set
     or
-    toAst(this) instanceof Py::SetComp
+    toAst(this) instanceof SetComp
     or
-    toAst(this) instanceof Py::Ellipsis
+    toAst(this) instanceof Ellipsis
     or
-    toAst(this) instanceof Py::GeneratorExp
+    toAst(this) instanceof GeneratorExp
     or
-    toAst(this) instanceof Py::Lambda
+    toAst(this) instanceof Lambda
     or
-    toAst(this) instanceof Py::ListComp
+    toAst(this) instanceof ListComp
     or
-    toAst(this) instanceof Py::List
+    toAst(this) instanceof List
     or
-    toAst(this) instanceof Py::Num
+    toAst(this) instanceof Num
     or
-    toAst(this) instanceof Py::Tuple
+    toAst(this) instanceof Tuple
     or
-    toAst(this) instanceof Py::Unicode
+    toAst(this) instanceof Unicode
     or
-    toAst(this) instanceof Py::NameConstant
+    toAst(this) instanceof NameConstant
   }
 
   /** Whether this flow node corresponds to an attribute expression */
-  predicate isAttribute() { toAst(this) instanceof Py::Attribute }
+  predicate isAttribute() { toAst(this) instanceof Attribute }
 
   /** Whether this flow node corresponds to an subscript expression */
-  predicate isSubscript() { toAst(this) instanceof Py::Subscript }
+  predicate isSubscript() { toAst(this) instanceof Subscript }
 
   /** Whether this flow node corresponds to an import member */
-  predicate isImportMember() { toAst(this) instanceof Py::ImportMember }
+  predicate isImportMember() { toAst(this) instanceof ImportMember }
 
   /** Whether this flow node corresponds to a call */
-  predicate isCall() { toAst(this) instanceof Py::Call }
+  predicate isCall() { toAst(this) instanceof Call }
 
   /** Whether this flow node is the first in a module */
-  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Py::Module }
+  predicate isModuleEntry() { this.isEntryNode() and toAst(this) instanceof Module }
 
   /** Whether this flow node corresponds to an import */
-  predicate isImport() { toAst(this) instanceof Py::ImportExpr }
+  predicate isImport() { toAst(this) instanceof ImportExpr }
 
   /** Whether this flow node corresponds to a conditional expression */
-  predicate isIfExp() { toAst(this) instanceof Py::IfExp }
+  predicate isIfExp() { toAst(this) instanceof IfExp }
 
   /** Whether this flow node corresponds to a function definition expression */
-  predicate isFunction() { toAst(this) instanceof Py::FunctionExpr }
+  predicate isFunction() { toAst(this) instanceof FunctionExpr }
 
   /** Whether this flow node corresponds to a class definition expression */
-  predicate isClass() { toAst(this) instanceof Py::ClassExpr }
+  predicate isClass() { toAst(this) instanceof ClassExpr }
 
   /** Gets a predecessor of this flow node */
   ControlFlowNode getAPredecessor() { this = result.getASuccessor() }
@@ -123,25 +123,25 @@ class ControlFlowNode extends @py_flow_node {
   ControlFlowNode getImmediateDominator() { py_idoms(this, result) }
 
   /** Gets the syntactic element corresponding to this flow node */
-  Py::AstNode getNode() { py_flow_bb_node(this, result, _, _) }
+  AstNode getNode() { py_flow_bb_node(this, result, _, _) }
 
   /** Gets a textual representation of this element. */
   cached
   string toString() {
     Stages::AST::ref() and
     // Since modules can have ambigous names, entry nodes can too, if we do not collate them.
-    exists(Py::Scope s | s.getEntryNode() = this |
+    exists(Scope s | s.getEntryNode() = this |
       result = "Entry node for " + concat( | | s.toString(), ",")
     )
     or
-    exists(Py::Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
+    exists(Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
     or
-    not exists(Py::Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
+    not exists(Scope s | s.getEntryNode() = this or s.getANormalExit() = this) and
     result = "ControlFlowNode for " + this.getNode().toString()
   }
 
   /** Gets the location of this ControlFlowNode */
-  Py::Location getLocation() { result = this.getNode().getLocation() }
+  Location getLocation() { result = this.getNode().getLocation() }
 
   /** Whether this flow node is the first in its scope */
   predicate isEntryNode() { py_scope_flow(this, _, -1) }
@@ -151,9 +151,9 @@ class ControlFlowNode extends @py_flow_node {
 
   /** Gets the scope containing this flow node */
   cached
-  Py::Scope getScope() {
+  Scope getScope() {
     Stages::AST::ref() and
-    if this.getNode() instanceof Py::Scope
+    if this.getNode() instanceof Scope
     then
       /* Entry or exit node */
       result = this.getNode()
@@ -161,7 +161,7 @@ class ControlFlowNode extends @py_flow_node {
   }
 
   /** Gets the enclosing module */
-  Py::Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }
+  Module getEnclosingModule() { result = this.getScope().getEnclosingModule() }
 
   /** Gets a successor for this node if the relevant condition is True. */
   ControlFlowNode getATrueSuccessor() {
@@ -188,7 +188,7 @@ class ControlFlowNode extends @py_flow_node {
   }
 
   /** Whether the scope may be exited as a result of this node raising an exception */
-  predicate isExceptionalExit(Py::Scope s) { py_scope_flow(this, s, 1) }
+  predicate isExceptionalExit(Scope s) { py_scope_flow(this, s, 1) }
 
   /** Whether this node is a normal (non-exceptional) exit */
   predicate isNormalExit() { py_scope_flow(this, _, 0) or py_scope_flow(this, _, 2) }
@@ -236,7 +236,7 @@ class ControlFlowNode extends @py_flow_node {
   /* join-ordering helper for `getAChild() */
   pragma[noinline]
   private ControlFlowNode getExprChild(BasicBlock dom) {
-    this.getNode().(Py::Expr).getAChildNode() = result.getNode() and
+    this.getNode().(Expr).getAChildNode() = result.getNode() and
     result.getBasicBlock().dominates(dom) and
     not this instanceof UnaryExprNode
   }
@@ -249,16 +249,16 @@ class ControlFlowNode extends @py_flow_node {
  */
 
 private class AnyNode extends ControlFlowNode {
-  override Py::AstNode getNode() { result = super.getNode() }
+  override AstNode getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a call expression, such as `func(...)` */
 class CallNode extends ControlFlowNode {
-  CallNode() { toAst(this) instanceof Py::Call }
+  CallNode() { toAst(this) instanceof Call }
 
   /** Gets the flow node corresponding to the function expression for the call corresponding to this flow node */
   ControlFlowNode getFunction() {
-    exists(Py::Call c |
+    exists(Call c |
       this.getNode() = c and
       c.getFunc() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -267,7 +267,7 @@ class CallNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the n'th positional argument of the call corresponding to this flow node */
   ControlFlowNode getArg(int n) {
-    exists(Py::Call c |
+    exists(Call c |
       this.getNode() = c and
       c.getArg(n) = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -276,7 +276,7 @@ class CallNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the named argument of the call corresponding to this flow node */
   ControlFlowNode getArgByName(string name) {
-    exists(Py::Call c, Py::Keyword k |
+    exists(Call c, Keyword k |
       this.getNode() = c and
       k = c.getANamedArg() and
       k.getValue() = result.getNode() and
@@ -292,7 +292,7 @@ class CallNode extends ControlFlowNode {
     result = this.getArgByName(_)
   }
 
-  override Py::Call getNode() { result = super.getNode() }
+  override Call getNode() { result = super.getNode() }
 
   predicate isDecoratorCall() {
     this.isClassDecoratorCall()
@@ -301,11 +301,11 @@ class CallNode extends ControlFlowNode {
   }
 
   predicate isClassDecoratorCall() {
-    exists(Py::ClassExpr cls | this.getNode() = cls.getADecoratorCall())
+    exists(ClassExpr cls | this.getNode() = cls.getADecoratorCall())
   }
 
   predicate isFunctionDecoratorCall() {
-    exists(Py::FunctionExpr func | this.getNode() = func.getADecoratorCall())
+    exists(FunctionExpr func | this.getNode() = func.getADecoratorCall())
   }
 
   /** Gets the first tuple (*) argument of this call, if any. */
@@ -323,11 +323,11 @@ class CallNode extends ControlFlowNode {
 
 /** A control flow corresponding to an attribute expression, such as `value.attr` */
 class AttrNode extends ControlFlowNode {
-  AttrNode() { toAst(this) instanceof Py::Attribute }
+  AttrNode() { toAst(this) instanceof Attribute }
 
   /** Gets the flow node corresponding to the object of the attribute expression corresponding to this flow node */
   ControlFlowNode getObject() {
-    exists(Py::Attribute a |
+    exists(Attribute a |
       this.getNode() = a and
       a.getObject() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -339,7 +339,7 @@ class AttrNode extends ControlFlowNode {
    * with the matching name
    */
   ControlFlowNode getObject(string name) {
-    exists(Py::Attribute a |
+    exists(Attribute a |
       this.getNode() = a and
       a.getObject() = result.getNode() and
       a.getName() = name and
@@ -348,57 +348,57 @@ class AttrNode extends ControlFlowNode {
   }
 
   /** Gets the attribute name of the attribute expression corresponding to this flow node */
-  string getName() { exists(Py::Attribute a | this.getNode() = a and a.getName() = result) }
+  string getName() { exists(Attribute a | this.getNode() = a and a.getName() = result) }
 
-  override Py::Attribute getNode() { result = super.getNode() }
+  override Attribute getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a `from ... import ...` expression */
 class ImportMemberNode extends ControlFlowNode {
-  ImportMemberNode() { toAst(this) instanceof Py::ImportMember }
+  ImportMemberNode() { toAst(this) instanceof ImportMember }
 
   /**
    * Gets the flow node corresponding to the module in the import-member expression corresponding to this flow node,
    * with the matching name
    */
   ControlFlowNode getModule(string name) {
-    exists(Py::ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
+    exists(ImportMember i | this.getNode() = i and i.getModule() = result.getNode() |
       i.getName() = name and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::ImportMember getNode() { result = super.getNode() }
+  override ImportMember getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to an artificial expression representing an import */
 class ImportExprNode extends ControlFlowNode {
-  ImportExprNode() { toAst(this) instanceof Py::ImportExpr }
+  ImportExprNode() { toAst(this) instanceof ImportExpr }
 
-  override Py::ImportExpr getNode() { result = super.getNode() }
+  override ImportExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a `from ... import *` statement */
 class ImportStarNode extends ControlFlowNode {
-  ImportStarNode() { toAst(this) instanceof Py::ImportStar }
+  ImportStarNode() { toAst(this) instanceof ImportStar }
 
   /** Gets the flow node corresponding to the module in the import-star corresponding to this flow node */
   ControlFlowNode getModule() {
-    exists(Py::ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
+    exists(ImportStar i | this.getNode() = i and i.getModuleExpr() = result.getNode() |
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::ImportStar getNode() { result = super.getNode() }
+  override ImportStar getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a subscript expression, such as `value[slice]` */
 class SubscriptNode extends ControlFlowNode {
-  SubscriptNode() { toAst(this) instanceof Py::Subscript }
+  SubscriptNode() { toAst(this) instanceof Subscript }
 
   /** flow node corresponding to the value of the sequence in a subscript operation */
   ControlFlowNode getObject() {
-    exists(Py::Subscript s |
+    exists(Subscript s |
       this.getNode() = s and
       s.getObject() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -407,23 +407,23 @@ class SubscriptNode extends ControlFlowNode {
 
   /** flow node corresponding to the index in a subscript operation */
   ControlFlowNode getIndex() {
-    exists(Py::Subscript s |
+    exists(Subscript s |
       this.getNode() = s and
       s.getIndex() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::Subscript getNode() { result = super.getNode() }
+  override Subscript getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a comparison operation, such as `x<y` */
 class CompareNode extends ControlFlowNode {
-  CompareNode() { toAst(this) instanceof Py::Compare }
+  CompareNode() { toAst(this) instanceof Compare }
 
   /** Whether left and right are a pair of operands for this comparison */
-  predicate operands(ControlFlowNode left, Py::Cmpop op, ControlFlowNode right) {
-    exists(Py::Compare c, Py::Expr eleft, Py::Expr eright |
+  predicate operands(ControlFlowNode left, Cmpop op, ControlFlowNode right) {
+    exists(Compare c, Expr eleft, Expr eright |
       this.getNode() = c and left.getNode() = eleft and right.getNode() = eright
     |
       eleft = c.getLeft() and eright = c.getComparator(0) and op = c.getOp(0)
@@ -436,26 +436,26 @@ class CompareNode extends ControlFlowNode {
     right.getBasicBlock().dominates(this.getBasicBlock())
   }
 
-  override Py::Compare getNode() { result = super.getNode() }
+  override Compare getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a conditional expression such as, `body if test else orelse` */
 class IfExprNode extends ControlFlowNode {
-  IfExprNode() { toAst(this) instanceof Py::IfExp }
+  IfExprNode() { toAst(this) instanceof IfExp }
 
   /** flow node corresponding to one of the operands of an if-expression */
   ControlFlowNode getAnOperand() { result = this.getAPredecessor() }
 
-  override Py::IfExp getNode() { result = super.getNode() }
+  override IfExp getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to an assignment expression such as `lhs := rhs`. */
 class AssignmentExprNode extends ControlFlowNode {
-  AssignmentExprNode() { toAst(this) instanceof Py::AssignExpr }
+  AssignmentExprNode() { toAst(this) instanceof AssignExpr }
 
   /** Gets the flow node corresponding to the left-hand side of the assignment expression */
   ControlFlowNode getTarget() {
-    exists(Py::AssignExpr a |
+    exists(AssignExpr a |
       this.getNode() = a and
       a.getTarget() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -464,27 +464,27 @@ class AssignmentExprNode extends ControlFlowNode {
 
   /** Gets the flow node corresponding to the right-hand side of the assignment expression */
   ControlFlowNode getValue() {
-    exists(Py::AssignExpr a |
+    exists(AssignExpr a |
       this.getNode() = a and
       a.getValue() = result.getNode() and
       result.getBasicBlock().dominates(this.getBasicBlock())
     )
   }
 
-  override Py::AssignExpr getNode() { result = super.getNode() }
+  override AssignExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a binary expression, such as `x + y` */
 class BinaryExprNode extends ControlFlowNode {
-  BinaryExprNode() { toAst(this) instanceof Py::BinaryExpr }
+  BinaryExprNode() { toAst(this) instanceof BinaryExpr }
 
   /** flow node corresponding to one of the operands of a binary expression */
   ControlFlowNode getAnOperand() { result = this.getLeft() or result = this.getRight() }
 
-  override Py::BinaryExpr getNode() { result = super.getNode() }
+  override BinaryExpr getNode() { result = super.getNode() }
 
   ControlFlowNode getLeft() {
-    exists(Py::BinaryExpr b |
+    exists(BinaryExpr b |
       this.getNode() = b and
       result.getNode() = b.getLeft() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -492,7 +492,7 @@ class BinaryExprNode extends ControlFlowNode {
   }
 
   ControlFlowNode getRight() {
-    exists(Py::BinaryExpr b |
+    exists(BinaryExpr b |
       this.getNode() = b and
       result.getNode() = b.getRight() and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -500,11 +500,11 @@ class BinaryExprNode extends ControlFlowNode {
   }
 
   /** Gets the operator of this binary expression node. */
-  Py::Operator getOp() { result = this.getNode().getOp() }
+  Operator getOp() { result = this.getNode().getOp() }
 
   /** Whether left and right are a pair of operands for this binary expression */
-  predicate operands(ControlFlowNode left, Py::Operator op, ControlFlowNode right) {
-    exists(Py::BinaryExpr b, Py::Expr eleft, Py::Expr eright |
+  predicate operands(ControlFlowNode left, Operator op, ControlFlowNode right) {
+    exists(BinaryExpr b, Expr eleft, Expr eright |
       this.getNode() = b and left.getNode() = eleft and right.getNode() = eright
     |
       eleft = b.getLeft() and eright = b.getRight() and op = b.getOp()
@@ -516,20 +516,20 @@ class BinaryExprNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a boolean shortcut (and/or) operation */
 class BoolExprNode extends ControlFlowNode {
-  BoolExprNode() { toAst(this) instanceof Py::BoolExpr }
+  BoolExprNode() { toAst(this) instanceof BoolExpr }
 
   /** flow node corresponding to one of the operands of a boolean expression */
   ControlFlowNode getAnOperand() {
-    exists(Py::BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
+    exists(BoolExpr b | this.getNode() = b and result.getNode() = b.getAValue()) and
     this.getBasicBlock().dominates(result.getBasicBlock())
   }
 
-  override Py::BoolExpr getNode() { result = super.getNode() }
+  override BoolExpr getNode() { result = super.getNode() }
 }
 
 /** A control flow node corresponding to a unary expression: (`+x`), (`-x`) or (`~x`) */
 class UnaryExprNode extends ControlFlowNode {
-  UnaryExprNode() { toAst(this) instanceof Py::UnaryExpr }
+  UnaryExprNode() { toAst(this) instanceof UnaryExpr }
 
   /**
    * Gets flow node corresponding to the operand of a unary expression.
@@ -540,7 +540,7 @@ class UnaryExprNode extends ControlFlowNode {
    */
   ControlFlowNode getOperand() { result = this.getAPredecessor() }
 
-  override Py::UnaryExpr getNode() { result = super.getNode() }
+  override UnaryExpr getNode() { result = super.getNode() }
 
   override ControlFlowNode getAChild() { result = this.getAPredecessor() }
 }
@@ -555,27 +555,27 @@ class DefinitionNode extends ControlFlowNode {
   cached
   DefinitionNode() {
     Stages::AST::ref() and
-    exists(Py::Assign a | this.getNode() = a.getATarget())
+    exists(Assign a | a.getATarget().getAFlowNode() = this)
     or
-    exists(Py::AssignExpr a | this.getNode() = a.getTarget())
+    exists(AssignExpr a | a.getTarget().getAFlowNode() = this)
     or
-    exists(Py::AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
+    exists(AnnAssign a | a.getTarget().getAFlowNode() = this and exists(a.getValue()))
     or
-    exists(Py::Alias a | this.getNode() = a.getAsname())
+    exists(Alias a | a.getAsname().getAFlowNode() = this)
     or
     augstore(_, this)
     or
     // `x, y = 1, 2` where LHS is a combination of list or tuples
-    exists(Py::Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
+    exists(Assign a | list_or_tuple_nested_element(a.getATarget()).getAFlowNode() = this)
     or
-    exists(Py::For for | this.getNode() = for.getTarget())
+    exists(For for | for.getTarget().getAFlowNode() = this)
     or
-    exists(Py::Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
+    exists(Parameter param | this = param.asName().getAFlowNode() and exists(param.getDefault()))
   }
 
   /** flow node corresponding to the value assigned for the definition corresponding to this flow node */
   ControlFlowNode getValue() {
-    result.getNode() = assigned_value(this.getNode()) and
+    result = assigned_value(this.getNode()).getAFlowNode() and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -584,16 +584,16 @@ class DefinitionNode extends ControlFlowNode {
       // since the default value for a parameter is evaluated in the same basic block as
       // the function definition, but the parameter belongs to the basic block of the function,
       // there is no dominance relationship between the two.
-      exists(Py::Parameter param | this.getNode() = param.asName())
+      exists(Parameter param | this = param.asName().getAFlowNode())
     )
   }
 }
 
-private Py::Expr list_or_tuple_nested_element(Py::Expr list_or_tuple) {
-  exists(Py::Expr elt |
-    elt = list_or_tuple.(Py::Tuple).getAnElt()
+private Expr list_or_tuple_nested_element(Expr list_or_tuple) {
+  exists(Expr elt |
+    elt = list_or_tuple.(Tuple).getAnElt()
     or
-    elt = list_or_tuple.(Py::List).getAnElt()
+    elt = list_or_tuple.(List).getAnElt()
   |
     result = elt
     or
@@ -603,12 +603,12 @@ private Py::Expr list_or_tuple_nested_element(Py::Expr list_or_tuple) {
 
 /**
  * A control flow node corresponding to a deletion statement, such as `del x`.
- * There can be multiple `DeletionNode`s for each `Py::Delete` such that each
+ * There can be multiple `DeletionNode`s for each `Delete` such that each
  * target has own `DeletionNode`. The CFG for `del a, x.y` looks like:
  * `NameNode('a') -> DeletionNode -> NameNode('b') -> AttrNode('y') -> DeletionNode`.
  */
 class DeletionNode extends ControlFlowNode {
-  DeletionNode() { toAst(this) instanceof Py::Delete }
+  DeletionNode() { toAst(this) instanceof Delete }
 
   /** Gets the unique target of this deletion node. */
   ControlFlowNode getTarget() { result.getASuccessor() = this }
@@ -617,9 +617,9 @@ class DeletionNode extends ControlFlowNode {
 /** A control flow node corresponding to a sequence (tuple or list) literal */
 abstract class SequenceNode extends ControlFlowNode {
   SequenceNode() {
-    toAst(this) instanceof Py::Tuple
+    toAst(this) instanceof Tuple
     or
-    toAst(this) instanceof Py::List
+    toAst(this) instanceof List
   }
 
   /** Gets the control flow node for an element of this sequence */
@@ -632,11 +632,11 @@ abstract class SequenceNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a tuple expression such as `( 1, 3, 5, 7, 9 )` */
 class TupleNode extends SequenceNode {
-  TupleNode() { toAst(this) instanceof Py::Tuple }
+  TupleNode() { toAst(this) instanceof Tuple }
 
   override ControlFlowNode getElement(int n) {
     Stages::AST::ref() and
-    exists(Py::Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
+    exists(Tuple t | this.getNode() = t and result.getNode() = t.getElt(n)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -647,10 +647,10 @@ class TupleNode extends SequenceNode {
 
 /** A control flow node corresponding to a list expression, such as `[ 1, 3, 5, 7, 9 ]` */
 class ListNode extends SequenceNode {
-  ListNode() { toAst(this) instanceof Py::List }
+  ListNode() { toAst(this) instanceof List }
 
   override ControlFlowNode getElement(int n) {
-    exists(Py::List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
+    exists(List l | this.getNode() = l and result.getNode() = l.getElt(n)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -661,10 +661,10 @@ class ListNode extends SequenceNode {
 
 /** A control flow node corresponding to a set expression, such as `{ 1, 3, 5, 7, 9 }` */
 class SetNode extends ControlFlowNode {
-  SetNode() { toAst(this) instanceof Py::Set }
+  SetNode() { toAst(this) instanceof Set }
 
   ControlFlowNode getAnElement() {
-    exists(Py::Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
+    exists(Set s | this.getNode() = s and result.getNode() = s.getElt(_)) and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -675,20 +675,20 @@ class SetNode extends ControlFlowNode {
 
 /** A control flow node corresponding to a dictionary literal, such as `{ 'a': 1, 'b': 2 }` */
 class DictNode extends ControlFlowNode {
-  DictNode() { toAst(this) instanceof Py::Dict }
+  DictNode() { toAst(this) instanceof Dict }
 
   /**
    * Gets a key of this dictionary literal node, for those items that have keys
    * E.g, in {'a':1, **b} this returns only 'a'
    */
   ControlFlowNode getAKey() {
-    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
+    exists(Dict d | this.getNode() = d and result.getNode() = d.getAKey()) and
     result.getBasicBlock().dominates(this.getBasicBlock())
   }
 
   /** Gets a value of this dictionary literal node */
   ControlFlowNode getAValue() {
-    exists(Py::Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
+    exists(Dict d | this.getNode() = d and result.getNode() = d.getAValue()) and
     result.getBasicBlock().dominates(this.getBasicBlock())
   }
 }
@@ -712,23 +712,21 @@ class IterableNode extends ControlFlowNode {
   }
 }
 
-private Py::AstNode assigned_value(Py::Expr lhs) {
+private AstNode assigned_value(Expr lhs) {
   /* lhs = result */
-  exists(Py::Assign a | a.getATarget() = lhs and result = a.getValue())
+  exists(Assign a | a.getATarget() = lhs and result = a.getValue())
   or
   /* lhs := result */
-  exists(Py::AssignExpr a | a.getTarget() = lhs and result = a.getValue())
+  exists(AssignExpr a | a.getTarget() = lhs and result = a.getValue())
   or
   /* lhs : annotation = result */
-  exists(Py::AnnAssign a | a.getTarget() = lhs and result = a.getValue())
+  exists(AnnAssign a | a.getTarget() = lhs and result = a.getValue())
   or
   /* import result as lhs */
-  exists(Py::Alias a | a.getAsname() = lhs and result = a.getValue())
+  exists(Alias a | a.getAsname() = lhs and result = a.getValue())
   or
   /* lhs += x  =>  result = (lhs + x) */
-  exists(Py::AugAssign a, Py::BinaryExpr b |
-    b = a.getOperation() and result = b and lhs = b.getLeft()
-  )
+  exists(AugAssign a, BinaryExpr b | b = a.getOperation() and result = b and lhs = b.getLeft())
   or
   /*
    * ..., lhs, ... = ..., result, ...
@@ -736,31 +734,31 @@ private Py::AstNode assigned_value(Py::Expr lhs) {
    * ..., (..., lhs, ...), ... = ..., (..., result, ...), ...
    */
 
-  exists(Py::Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
+  exists(Assign a | nested_sequence_assign(a.getATarget(), a.getValue(), lhs, result))
   or
   /* for lhs in seq: => `result` is the `for` node, representing the `iter(next(seq))` operation. */
-  result.(Py::For).getTarget() = lhs
+  result.(For).getTarget() = lhs
   or
-  exists(Py::Parameter param | lhs = param.asName() and result = param.getDefault())
+  exists(Parameter param | lhs = param.asName() and result = param.getDefault())
 }
 
 predicate nested_sequence_assign(
-  Py::Expr left_parent, Py::Expr right_parent, Py::Expr left_result, Py::Expr right_result
+  Expr left_parent, Expr right_parent, Expr left_result, Expr right_result
 ) {
-  exists(Py::Assign a |
+  exists(Assign a |
     a.getATarget().getASubExpression*() = left_parent and
     a.getValue().getASubExpression*() = right_parent
   ) and
-  exists(int i, Py::Expr left_elem, Py::Expr right_elem |
+  exists(int i, Expr left_elem, Expr right_elem |
     (
-      left_elem = left_parent.(Py::Tuple).getElt(i)
+      left_elem = left_parent.(Tuple).getElt(i)
       or
-      left_elem = left_parent.(Py::List).getElt(i)
+      left_elem = left_parent.(List).getElt(i)
     ) and
     (
-      right_elem = right_parent.(Py::Tuple).getElt(i)
+      right_elem = right_parent.(Tuple).getElt(i)
       or
-      right_elem = right_parent.(Py::List).getElt(i)
+      right_elem = right_parent.(List).getElt(i)
     )
   |
     left_result = left_elem and right_result = right_elem
@@ -771,9 +769,9 @@ predicate nested_sequence_assign(
 
 /** A flow node for a `for` statement. */
 class ForNode extends ControlFlowNode {
-  ForNode() { toAst(this) instanceof Py::For }
+  ForNode() { toAst(this) instanceof For }
 
-  override Py::For getNode() { result = super.getNode() }
+  override For getNode() { result = super.getNode() }
 
   /** Holds if this `for` statement causes iteration over `sequence` storing each step of the iteration in `target` */
   predicate iterates(ControlFlowNode target, ControlFlowNode sequence) {
@@ -784,7 +782,7 @@ class ForNode extends ControlFlowNode {
 
   /** Gets the sequence node for this `for` statement. */
   ControlFlowNode getSequence() {
-    exists(Py::For for |
+    exists(For for |
       toAst(this) = for and
       for.getIter() = result.getNode()
     |
@@ -794,7 +792,7 @@ class ForNode extends ControlFlowNode {
 
   /** A possible `target` for this `for` statement, not accounting for loop unrolling */
   private ControlFlowNode possibleTarget() {
-    exists(Py::For for |
+    exists(For for |
       toAst(this) = for and
       for.getTarget() = result.getNode() and
       this.getBasicBlock().dominates(result.getBasicBlock())
@@ -811,11 +809,11 @@ class ForNode extends ControlFlowNode {
 
 /** A flow node for a `raise` statement */
 class RaiseStmtNode extends ControlFlowNode {
-  RaiseStmtNode() { toAst(this) instanceof Py::Raise }
+  RaiseStmtNode() { toAst(this) instanceof Raise }
 
   /** Gets the control flow node for the exception raised by this raise statement */
   ControlFlowNode getException() {
-    exists(Py::Raise r |
+    exists(Raise r |
       r = toAst(this) and
       r.getException() = toAst(result) and
       result.getBasicBlock().dominates(this.getBasicBlock())
@@ -829,36 +827,36 @@ class RaiseStmtNode extends ControlFlowNode {
  */
 class NameNode extends ControlFlowNode {
   NameNode() {
-    exists(Py::Name n | py_flow_bb_node(this, n, _, _))
+    exists(Name n | py_flow_bb_node(this, n, _, _))
     or
-    exists(Py::PlaceHolder p | py_flow_bb_node(this, p, _, _))
+    exists(PlaceHolder p | py_flow_bb_node(this, p, _, _))
   }
 
   /** Whether this flow node defines the variable `v`. */
-  predicate defines(Py::Variable v) {
-    exists(Py::Name d | this.getNode() = d and d.defines(v)) and
+  predicate defines(Variable v) {
+    exists(Name d | this.getNode() = d and d.defines(v)) and
     not this.isLoad()
   }
 
   /** Whether this flow node deletes the variable `v`. */
-  predicate deletes(Py::Variable v) { exists(Py::Name d | this.getNode() = d and d.deletes(v)) }
+  predicate deletes(Variable v) { exists(Name d | this.getNode() = d and d.deletes(v)) }
 
   /** Whether this flow node uses the variable `v`. */
-  predicate uses(Py::Variable v) {
+  predicate uses(Variable v) {
     this.isLoad() and
-    exists(Py::Name u | this.getNode() = u and u.uses(v))
+    exists(Name u | this.getNode() = u and u.uses(v))
     or
-    exists(Py::PlaceHolder u |
-      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Py::Load
+    exists(PlaceHolder u |
+      this.getNode() = u and u.getVariable() = v and u.getCtx() instanceof Load
     )
     or
     Scopes::use_of_global_variable(this, v.getScope(), v.getId())
   }
 
   string getId() {
-    result = this.getNode().(Py::Name).getId()
+    result = this.getNode().(Name).getId()
     or
-    result = this.getNode().(Py::PlaceHolder).getId()
+    result = this.getNode().(PlaceHolder).getId()
   }
 
   /** Whether this is a use of a local variable. */
@@ -870,84 +868,82 @@ class NameNode extends ControlFlowNode {
   /** Whether this is a use of a global (including builtin) variable. */
   predicate isGlobal() { Scopes::use_of_global_variable(this, _, _) }
 
-  predicate isSelf() {
-    exists(Py::SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this)
-  }
+  predicate isSelf() { exists(SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this) }
 }
 
 /** A control flow node corresponding to a named constant, one of `None`, `True` or `False`. */
 class NameConstantNode extends NameNode {
-  NameConstantNode() { exists(Py::NameConstant n | py_flow_bb_node(this, n, _, _)) }
+  NameConstantNode() { exists(NameConstant n | py_flow_bb_node(this, n, _, _)) }
   /*
    * We ought to override uses as well, but that has
    * a serious performance impact.
-   *    deprecated predicate uses(Py::Variable v) { none() }
+   *    deprecated predicate uses(Variable v) { none() }
    */
 
   }
 
 /** A control flow node corresponding to a starred expression, `*a`. */
 class StarredNode extends ControlFlowNode {
-  StarredNode() { toAst(this) instanceof Py::Starred }
+  StarredNode() { toAst(this) instanceof Starred }
 
-  ControlFlowNode getValue() { toAst(result) = toAst(this).(Py::Starred).getValue() }
+  ControlFlowNode getValue() { toAst(result) = toAst(this).(Starred).getValue() }
 }
 
 /** The ControlFlowNode for an 'except' statement. */
 class ExceptFlowNode extends ControlFlowNode {
-  ExceptFlowNode() { this.getNode() instanceof Py::ExceptStmt }
+  ExceptFlowNode() { this.getNode() instanceof ExceptStmt }
 
   /**
    * Gets the type handled by this exception handler.
-   * `Py::ExceptionType` in `except Py::ExceptionType as e:`
+   * `ExceptionType` in `except ExceptionType as e:`
    */
   ControlFlowNode getType() {
-    exists(Py::ExceptStmt ex |
+    exists(ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
-      result.getNode() = ex.getType()
+      result = ex.getType().getAFlowNode()
     )
   }
 
   /**
    * Gets the name assigned to the handled exception, if any.
-   * `e` in `except Py::ExceptionType as e:`
+   * `e` in `except ExceptionType as e:`
    */
   ControlFlowNode getName() {
-    exists(Py::ExceptStmt ex |
+    exists(ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
-      result.getNode() = ex.getName()
+      result = ex.getName().getAFlowNode()
     )
   }
 }
 
 /** The ControlFlowNode for an 'except*' statement. */
 class ExceptGroupFlowNode extends ControlFlowNode {
-  ExceptGroupFlowNode() { this.getNode() instanceof Py::ExceptGroupStmt }
+  ExceptGroupFlowNode() { this.getNode() instanceof ExceptGroupStmt }
 
   /**
    * Gets the type handled by this exception handler.
-   * `Py::ExceptionType` in `except* Py::ExceptionType as e:`
+   * `ExceptionType` in `except* ExceptionType as e:`
    */
   ControlFlowNode getType() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getType()
+    result = this.getNode().(ExceptGroupStmt).getType().getAFlowNode()
   }
 
   /**
    * Gets the name assigned to the handled exception, if any.
-   * `e` in `except* Py::ExceptionType as e:`
+   * `e` in `except* ExceptionType as e:`
    */
   ControlFlowNode getName() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(Py::ExceptGroupStmt).getName()
+    result = this.getNode().(ExceptGroupStmt).getName().getAFlowNode()
   }
 }
 
 private module Scopes {
   private predicate fast_local(NameNode n) {
-    exists(Py::FastLocalVariable v |
+    exists(FastLocalVariable v |
       n.uses(v) and
       v.getScope() = n.getScope()
     )
@@ -956,15 +952,15 @@ private module Scopes {
   predicate local(NameNode n) {
     fast_local(n)
     or
-    exists(Py::SsaVariable var |
+    exists(SsaVariable var |
       var.getAUse() = n and
-      n.getScope() instanceof Py::Class and
+      n.getScope() instanceof Class and
       exists(var.getDefinition())
     )
   }
 
   predicate non_local(NameNode n) {
-    exists(Py::FastLocalVariable flv |
+    exists(FastLocalVariable flv |
       flv.getALoad() = n.getNode() and
       not flv.getScope() = n.getScope()
     )
@@ -972,20 +968,20 @@ private module Scopes {
 
   // magic is fine, but we get questionable join-ordering of it
   pragma[nomagic]
-  predicate use_of_global_variable(NameNode n, Py::Module scope, string name) {
+  predicate use_of_global_variable(NameNode n, Module scope, string name) {
     n.isLoad() and
     not non_local(n) and
-    not exists(Py::SsaVariable var | var.getAUse() = n |
-      var.getVariable() instanceof Py::FastLocalVariable
+    not exists(SsaVariable var | var.getAUse() = n |
+      var.getVariable() instanceof FastLocalVariable
       or
-      n.getScope() instanceof Py::Class and
+      n.getScope() instanceof Class and
       not maybe_undefined(var)
     ) and
     name = n.getId() and
     scope = n.getEnclosingModule()
   }
 
-  private predicate maybe_undefined(Py::SsaVariable var) {
+  private predicate maybe_undefined(SsaVariable var) {
     not exists(var.getDefinition()) and not py_ssa_phi(var, _)
     or
     var.getDefinition().isDelete()
@@ -1062,13 +1058,13 @@ class BasicBlock extends @py_flow_node {
   private predicate oneNodeBlock() { this.firstNode() = this.getLastNode() }
 
   private predicate startLocationInfo(string file, int line, int col) {
-    if this.firstNode().getNode() instanceof Py::Scope
+    if this.firstNode().getNode() instanceof Scope
     then this.firstNode().getASuccessor().getLocation().hasLocationInfo(file, line, col, _, _)
     else this.firstNode().getLocation().hasLocationInfo(file, line, col, _, _)
   }
 
   private predicate endLocationInfo(int endl, int endc) {
-    if this.getLastNode().getNode() instanceof Py::Scope and not this.oneNodeBlock()
+    if this.getLastNode().getNode() instanceof Scope and not this.oneNodeBlock()
     then this.getLastNode().getAPredecessor().getLocation().hasLocationInfo(_, _, _, endl, endc)
     else this.getLastNode().getLocation().hasLocationInfo(_, _, _, endl, endc)
   }
@@ -1085,7 +1081,7 @@ class BasicBlock extends @py_flow_node {
 
   /** Whether flow from this basic block reaches a normal exit from its scope */
   predicate reachesExit() {
-    exists(Py::Scope s | s.getANormalExit().getBasicBlock() = this)
+    exists(Scope s | s.getANormalExit().getBasicBlock() = this)
     or
     this.getASuccessor().reachesExit()
   }
@@ -1126,7 +1122,7 @@ class BasicBlock extends @py_flow_node {
 
   /** Gets the scope of this block */
   pragma[nomagic]
-  Py::Scope getScope() {
+  Scope getScope() {
     exists(ControlFlowNode n | n.getBasicBlock() = this |
       /* Take care not to use an entry or exit node as that node's scope will be the outer scope */
       not py_scope_flow(n, _, -1) and
@@ -1149,17 +1145,17 @@ class BasicBlock extends @py_flow_node {
   predicate reaches(BasicBlock other) { this = other or this.strictlyReaches(other) }
 
   /**
-   * Gets the `Py::ConditionBlock`, if any, that controls this block and
-   * does not control any other `Py::ConditionBlock`s that control this block.
-   * That is the `Py::ConditionBlock` that is closest dominator.
+   * Gets the `ConditionBlock`, if any, that controls this block and
+   * does not control any other `ConditionBlock`s that control this block.
+   * That is the `ConditionBlock` that is closest dominator.
    */
-  Py::ConditionBlock getImmediatelyControllingBlock() {
+  ConditionBlock getImmediatelyControllingBlock() {
     result = this.nonControllingImmediateDominator*().getImmediateDominator()
   }
 
   private BasicBlock nonControllingImmediateDominator() {
     result = this.getImmediateDominator() and
-    not result.(Py::ConditionBlock).controls(this, _)
+    not result.(ConditionBlock).controls(this, _)
   }
 
   /**
@@ -1179,7 +1175,7 @@ private class ControlFlowNodeAlias = ControlFlowNode;
 
 final private class FinalBasicBlock = BasicBlock;
 
-module Cfg implements BB::CfgSig<Py::Location> {
+module Cfg implements BB::CfgSig<Location> {
   private import codeql.controlflow.SuccessorType
 
   class ControlFlowNode = ControlFlowNodeAlias;
@@ -1190,7 +1186,7 @@ module Cfg implements BB::CfgSig<Py::Location> {
     // Using the location of the first node is simple
     // and we just need a way to identify the basic block
     // during debugging, so this will be serviceable.
-    Py::Location getLocation() { result = super.getNode(0).getLocation() }
+    Location getLocation() { result = super.getNode(0).getLocation() }
 
     int length() { result = count(int i | exists(this.getNode(i))) }
 

python/ql/lib/semmle/python/Function.qll

@@ -153,16 +153,8 @@ class Function extends Function_, Scope, AstNode {
 
   override predicate contains(AstNode inner) { Scope.super.contains(inner) }
 
-  /**
-   * DEPRECATED: bind a `Return` node explicitly instead, e.g.
-   * `exists(Return ret | ret.getScope() = this and n.getNode() = ret.getValue())`.
-   * This API is being phased out together with `AstNode.getAFlowNode()` to
-   * untangle the AST and CFG hierarchies in preparation for migrating the
-   * dataflow library off the legacy CFG.
-   *
-   * Gets a control flow node for a return value of this function.
-   */
-  deprecated ControlFlowNode getAReturnValueFlowNode() {
+  /** Gets a control flow node for a return value of this function */
+  ControlFlowNode getAReturnValueFlowNode() {
     exists(Return ret |
       ret.getScope() = this and
       ret.getValue() = result.getNode()

python/ql/lib/semmle/python/Import.qll

@@ -162,6 +162,8 @@ class ImportMember extends ImportMember_ {
   string getImportedModuleName() {
     result = this.getModule().(ImportExpr).getImportedModuleName() + "." + this.getName()
   }
+
+  override ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** An import statement */

python/ql/lib/semmle/python/SelfAttribute.qll

@@ -46,23 +46,20 @@ class SelfAttributeRead extends SelfAttribute {
   }
 
   predicate guardedByHasattr() {
-    exists(Variable var, ControlFlowNode n, ControlFlowNode this_, ControlFlowNode obj_ |
-      this_.getNode() = this and obj_.getNode() = this.getObject()
-    |
-      var.getAUse() = obj_ and
+    exists(Variable var, ControlFlowNode n |
+      var.getAUse() = this.getObject().getAFlowNode() and
       hasattr(n, var.getAUse(), this.getName()) and
-      n.strictlyDominates(this_)
+      n.strictlyDominates(this.getAFlowNode())
     )
   }
 
   pragma[noinline]
   predicate locallyDefined() {
-    exists(SelfAttributeStore store, ControlFlowNode store_, ControlFlowNode this_ |
-      store_.getNode() = store and this_.getNode() = this
-    |
+    exists(SelfAttributeStore store |
       this.getName() = store.getName() and
-      this.getScope() = store.getScope() and
-      store_.strictlyDominates(this_)
+      this.getScope() = store.getScope()
+    |
+      store.getAFlowNode().strictlyDominates(this.getAFlowNode())
     )
   }
 }

python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll

@@ -5,30 +5,24 @@ private import semmle.python.dataflow.new.DataFlow
 
 private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
   exists(CompareNode cn | cn = g |
-    exists(ImmutableLiteral const, Cmpop op, ControlFlowNode c |
-      c.getNode() = const and
-      (
-        op = any(Eq eq) and branch = true
-        or
-        op = any(NotEq ne) and branch = false
-      )
-    |
-      cn.operands(c, op, node)
+    exists(ImmutableLiteral const, Cmpop op |
+      op = any(Eq eq) and branch = true
       or
-      cn.operands(node, op, c)
+      op = any(NotEq ne) and branch = false
+    |
+      cn.operands(const.getAFlowNode(), op, node)
+      or
+      cn.operands(node, op, const.getAFlowNode())
     )
     or
-    exists(NameConstant const, Cmpop op, ControlFlowNode c |
-      c.getNode() = const and
-      (
-        op = any(Is is_) and branch = true
-        or
-        op = any(IsNot isn) and branch = false
-      )
-    |
-      cn.operands(c, op, node)
+    exists(NameConstant const, Cmpop op |
+      op = any(Is is_) and branch = true
       or
-      cn.operands(node, op, c)
+      op = any(IsNot isn) and branch = false
+    |
+      cn.operands(const.getAFlowNode(), op, node)
+      or
+      cn.operands(node, op, const.getAFlowNode())
     )
     or
     exists(IterableNode const_iterable, Cmpop op |

python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll

@@ -228,7 +228,7 @@ private class ClassDefinitionAsAttrWrite extends AttrWrite, CfgNode {
 
   override Node getValue() { result.asCfgNode() = node.getValue() }
 
-  override Node getObject() { result.asCfgNode().getNode() = cls }
+  override Node getObject() { result.asCfgNode() = cls.getAFlowNode() }
 
   override ExprNode getAttributeNameExpr() { none() }
 

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -256,12 +256,9 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
  */
 overlay[local]
 predicate isStaticmethod(Function func) {
-  // The decorator is *syntactically* a `Name` "staticmethod" — we don't
-  // care which variable it resolves to. `staticmethod` is a builtin and
-  // is almost never shadowed in a module-level scope; even if a class
-  // redefines `staticmethod` in its body, the class body has not started
-  // executing yet at the decorator position, so Python uses the builtin.
-  func.getADecorator().(Name).getId() = "staticmethod"
+  exists(NameNode id | id.getId() = "staticmethod" and id.isGlobal() |
+    func.getADecorator() = id.getNode()
+  )
 }
 
 /**
@@ -271,9 +268,9 @@ predicate isStaticmethod(Function func) {
  */
 overlay[local]
 predicate isClassmethod(Function func) {
-  // See `isStaticmethod` for the rationale for matching on the AST `Name`
-  // rather than going via the CFG and `isGlobal()`.
-  func.getADecorator().(Name).getId() = "classmethod"
+  exists(NameNode id | id.getId() = "classmethod" and id.isGlobal() |
+    func.getADecorator() = id.getNode()
+  )
   or
   exists(Class cls |
     cls.getAMethod() = func and
@@ -288,8 +285,9 @@ predicate isClassmethod(Function func) {
 /** Holds if the function `func` has a `property` decorator. */
 overlay[local]
 predicate hasPropertyDecorator(Function func) {
-  // See `isStaticmethod` for the rationale for matching on the AST `Name`.
-  func.getADecorator().(Name).getId() = "property"
+  exists(NameNode id | id.getId() = "property" and id.isGlobal() |
+    func.getADecorator() = id.getNode()
+  )
 }
 
 /**
@@ -1913,8 +1911,8 @@ abstract class ReturnNode extends Node {
 class ExtractedReturnNode extends ReturnNode, CfgNode {
   // See `TaintTrackingImplementation::returnFlowStep`
   ExtractedReturnNode() {
-    node.getNode() = any(Return ret).getValue() or
-    node.getNode() = any(Yield yield)
+    node = any(Return ret).getValue().getAFlowNode() or
+    node = any(Yield yield).getAFlowNode()
   }
 
   override ReturnKind getKind() { any() }
@@ -1932,7 +1930,7 @@ class ExtractedReturnNode extends ReturnNode, CfgNode {
 class YieldNodeInContextManagerFunction extends ReturnNode, CfgNode {
   YieldNodeInContextManagerFunction() {
     hasContextmanagerDecorator(node.getScope()) and
-    node.getNode() = any(Yield yield).getValue()
+    node = any(Yield yield).getValue().getAFlowNode()
   }
 
   override ReturnKind getKind() { any() }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -185,8 +185,8 @@ private predicate synthDictSplatArgumentNodeStoreStep(
  */
 predicate yieldStoreStep(Node nodeFrom, Content c, Node nodeTo) {
   exists(Yield yield |
-    nodeTo.asCfgNode().getNode() = yield and
-    nodeFrom.asCfgNode().getNode() = yield.getValue() and
+    nodeTo.asCfgNode() = yield.getAFlowNode() and
+    nodeFrom.asCfgNode() = yield.getValue().getAFlowNode() and
     // TODO: Consider if this will also need to transfer dictionary content
     // once dictionary comprehensions are supported.
     c instanceof ListElementContent

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -485,7 +485,7 @@ class ModuleVariableNode extends Node, TModuleVariableNode {
 
   /** Gets a node that reads this variable, excluding reads that happen through `from ... import *`. */
   Node getALocalRead() {
-    result.asCfgNode().getNode() = var.getALoad() and
+    result.asCfgNode() = var.getALoad().getAFlowNode() and
     not result.getScope() = mod
   }
 

python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll

@@ -9,19 +9,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.dataflow.new.TypeTracking
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
-
-/**
- * Holds if `init` is a package's `__init__.py` and `var` is a global variable in
- * `init` whose name matches a submodule of the package.
- *
- * Inlined from `SsaSource::init_module_submodule_defn` to avoid pulling
- * `semmle.python.essa.SsaDefinitions` into the new dataflow stack.
- */
-private predicate initModuleSubmoduleDefn(GlobalVariable var, Module init) {
-  init.isPackageInit() and
-  exists(init.getPackage().getSubModule(var.getId())) and
-  var.getScope() = init
-}
+private import semmle.python.essa.SsaDefinitions
 
 /**
  * Python modules and the way imports are resolved are... complicated. Here's a crash course in how
@@ -338,7 +326,7 @@ module ImportResolution {
     // imported yet.
     exists(string submodule, Module package, EssaVariable var |
       submodule = var.getName() and
-      initModuleSubmoduleDefn(var.getSourceVariable(), package) and
+      SsaSource::init_module_submodule_defn(var.getSourceVariable(), package.getEntryNode()) and
       m = getModuleFromName(package.getPackageName() + "." + submodule) and
       result.asCfgNode() = var.getDefinition().(EssaNodeDefinition).getDefiningNode()
     )

python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll

@@ -94,10 +94,8 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input {
   Node returnOf(Node callable, SummaryComponent return) {
     return = FlowSummaryImpl::Private::SummaryComponent::return() and
     // `result` should be the return value of a callable expression (lambda or function) referenced by `callable`
-    exists(Return ret |
-      ret.getScope() = callable.getALocalSource().asExpr().(CallableExpr).getInnerScope() and
-      result.asCfgNode().getNode() = ret.getValue()
-    )
+    result.asCfgNode() =
+      callable.getALocalSource().asExpr().(CallableExpr).getInnerScope().getAReturnValueFlowNode()
   }
 
   // Relating callables to nodes

python/ql/lib/semmle/python/dataflow/new/internal/VariableCapture.qll

@@ -61,7 +61,7 @@ private module CaptureInput implements Shared::InputSig<Location, Cfg::BasicBloc
   class VariableWrite extends ControlFlowNode {
     CapturedVariable v;
 
-    VariableWrite() { exists(DefinitionNode d | d.getNode() = v.getAStore() | this = d.getValue()) }
+    VariableWrite() { this = v.getAStore().getAFlowNode().(DefinitionNode).getValue() }
 
     CapturedVariable getVariable() { result = v }
 
@@ -71,7 +71,7 @@ private module CaptureInput implements Shared::InputSig<Location, Cfg::BasicBloc
   class VariableRead extends Expr {
     CapturedVariable v;
 
-    VariableRead() { this.getNode() = v.getALoad() }
+    VariableRead() { this = v.getALoad().getAFlowNode() }
 
     CapturedVariable getVariable() { result = v }
   }

python/ql/lib/semmle/python/dataflow/old/Implementation.qll

@@ -448,7 +448,8 @@ class TaintTrackingImplementation extends string instanceof TaintTracking::Confi
       context = TNoParam() and
       src = TTaintTrackingNode_(retval, TNoParam(), path, kind, this) and
       node.asCfgNode() = call and
-      retval.asCfgNode().getNode() = any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
+      retval.asCfgNode() =
+        any(Return ret | ret.getScope() = pyfunc.getScope()).getValue().getAFlowNode()
     ) and
     edgeLabel = "return"
   }
@@ -470,7 +471,8 @@ class TaintTrackingImplementation extends string instanceof TaintTracking::Confi
       this.callContexts(call, src, pyfunc, context, callee) and
       retnode = TTaintTrackingNode_(retval, callee, path, kind, this) and
       node.asCfgNode() = call and
-      retval.asCfgNode().getNode() = any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
+      retval.asCfgNode() =
+        any(Return ret | ret.getScope() = pyfunc.getScope()).getValue().getAFlowNode()
     ) and
     edgeLabel = "call"
   }
@@ -714,10 +716,8 @@ private class EssaTaintTracking extends string instanceof TaintTracking::Configu
       src = TTaintTrackingNode_(srcnode, context, path, srckind, this) and
       path.noAttribute()
     |
-      srcnode.asCfgNode().getNode() = assign.getValue() and
-      exists(SequenceNode left_parent | left_parent.getNode() = assign.getATarget() |
-        depth = iterable_unpacking_descent(left_parent, defn.getDefiningNode())
-      ) and
+      assign.getValue().getAFlowNode() = srcnode.asCfgNode() and
+      depth = iterable_unpacking_descent(assign.getATarget().getAFlowNode(), defn.getDefiningNode()) and
       kind = taint_at_depth(srckind, depth)
     )
   }
@@ -964,7 +964,7 @@ private TaintKind taint_at_depth(SequenceKind parent_kind, int depth) {
  * - with `left_defn` = `*y`, `left_parent` = `((x, *y), ...)`, result = 1
  */
 int iterable_unpacking_descent(SequenceNode left_parent, ControlFlowNode left_defn) {
-  exists(Assign a | left_parent.getNode() = a.getATarget().getASubExpression*()) and
+  exists(Assign a | a.getATarget().getASubExpression*().getAFlowNode() = left_parent) and
   left_parent.getAnElement() = left_defn and
   // Handle `a, *b = some_iterable`
   if left_defn instanceof StarredNode then result = 0 else result = 1

python/ql/lib/semmle/python/essa/SsaDefinitions.qll

@@ -56,7 +56,7 @@ module SsaSource {
   predicate with_definition(Variable v, ControlFlowNode defn) {
     exists(With with, Name var |
       with.getOptionalVars() = var and
-      defn.getNode() = var
+      var.getAFlowNode() = defn
     |
       var = v.getAStore()
     )
@@ -67,7 +67,7 @@ module SsaSource {
   predicate pattern_capture_definition(Variable v, ControlFlowNode defn) {
     exists(MatchCapturePattern capture, Name var |
       capture.getVariable() = var and
-      defn.getNode() = var
+      var.getAFlowNode() = defn
     |
       var = v.getAStore()
     )
@@ -78,7 +78,7 @@ module SsaSource {
   predicate pattern_alias_definition(Variable v, ControlFlowNode defn) {
     exists(MatchAsPattern pattern, Name var |
       pattern.getAlias() = var and
-      defn.getNode() = var
+      var.getAFlowNode() = defn
     |
       var = v.getAStore()
     )

python/ql/lib/semmle/python/frameworks/Bottle.qll

@@ -59,7 +59,7 @@ module Bottle {
 
         override Parameter getARoutedParameter() { none() }
 
-        override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+        override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
       }
     }
 
@@ -73,10 +73,7 @@ module Bottle {
       /** A response returned by a view callable. */
       class BottleReturnResponse extends Http::Server::HttpResponse::Range {
         BottleReturnResponse() {
-          exists(Return ret |
-            ret.getScope() = any(View::ViewCallable vc) and
-            this.asCfgNode().getNode() = ret.getValue()
-          )
+          this.asCfgNode() = any(View::ViewCallable vc).getAReturnValueFlowNode()
         }
 
         override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2872,10 +2872,7 @@ module PrivateDjango {
     DataFlow::CfgNode
   {
     DjangoRedirectViewGetRedirectUrlReturn() {
-      exists(Return ret |
-        ret.getScope() = any(GetRedirectUrlFunction f) and
-        node.getNode() = ret.getValue()
-      )
+      node = any(GetRedirectUrlFunction f).getAReturnValueFlowNode()
     }
 
     override DataFlow::Node getRedirectLocation() { result = this }

python/ql/lib/semmle/python/frameworks/FastApi.qll

@@ -129,7 +129,7 @@ module FastApi {
       result in [this.getArg(0), this.getArgByName("path")]
     }
 
-    override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+    override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
 
     override string getFramework() { result = "FastAPI" }
 
@@ -309,10 +309,7 @@ module FastApi {
       FastApiRouteSetup routeSetup;
 
       FastApiRequestHandlerReturn() {
-        exists(Return ret |
-          ret.getScope() = routeSetup.getARequestHandler() and
-          node.getNode() = ret.getValue()
-        )
+        node = routeSetup.getARequestHandler().getAReturnValueFlowNode()
       }
 
       override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -371,7 +371,7 @@ module Flask {
       result in [this.getArg(0), this.getArgByName("rule")]
     }
 
-    override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+    override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
   }
 
   /**
@@ -536,7 +536,7 @@ module Flask {
     FlaskRouteHandlerReturn() {
       exists(Function routeHandler |
         routeHandler = any(FlaskRouteSetup rs).getARequestHandler() and
-        exists(Return ret | ret.getScope() = routeHandler and node.getNode() = ret.getValue()) and
+        node = routeHandler.getAReturnValueFlowNode() and
         not this instanceof Flask::Response::InstanceSource
       )
     }

python/ql/lib/semmle/python/frameworks/FlaskAdmin.qll

@@ -38,7 +38,7 @@ private module FlaskAdmin {
       result in [this.getArg(0), this.getArgByName("url")]
     }
 
-    override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+    override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
   }
 
   /**
@@ -71,7 +71,7 @@ private module FlaskAdmin {
 
     override Function getARequestHandler() {
       exists(Flask::FlaskViewClass cls |
-        node.getNode() = cls.getADecorator() and
+        cls.getADecorator().getAFlowNode() = node and
         result = cls.getARequestHandler()
       )
     }

python/ql/lib/semmle/python/frameworks/Pyramid.qll

@@ -166,10 +166,7 @@ module Pyramid {
     /** A response returned by a view callable. */
     private class PyramidReturnResponse extends Http::Server::HttpResponse::Range {
       PyramidReturnResponse() {
-        exists(Return ret |
-          ret.getScope() = any(View::ViewCallable vc) and
-          this.asCfgNode().getNode() = ret.getValue()
-        ) and
+        this.asCfgNode() = any(View::ViewCallable vc).getAReturnValueFlowNode() and
         not this = instance()
       }
 

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2254,9 +2254,8 @@ module StdlibPrivate {
       DataFlow::CfgNode
     {
       WsgirefSimpleServerApplicationReturn() {
-        exists(WsgirefSimpleServerApplication requestHandler, Return ret |
-          ret.getScope() = requestHandler and
-          node.getNode() = ret.getValue()
+        exists(WsgirefSimpleServerApplication requestHandler |
+          node = requestHandler.getAReturnValueFlowNode()
         )
       }
 

python/ql/lib/semmle/python/frameworks/Twisted.qll

@@ -182,10 +182,7 @@ private module Twisted {
     DataFlow::CfgNode
   {
     TwistedResourceRenderMethodReturn() {
-      exists(Return ret |
-        ret.getScope() = any(TwistedResourceRenderMethod meth) and
-        this.asCfgNode().getNode() = ret.getValue()
-      )
+      this.asCfgNode() = any(TwistedResourceRenderMethod meth).getAReturnValueFlowNode()
     }
 
     override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/internal/CachedStages.qll

@@ -77,7 +77,7 @@ module Stages {
       or
       exists(any(AstExtended::AstNode n).getParentNode())
       or
-      exists(PyFlow::ControlFlowNode cfg, AstExtended::AstNode n | cfg.getNode() = n)
+      exists(any(AstExtended::AstNode n).getAFlowNode())
       or
       exists(any(PyFlow::BasicBlock b).getImmediateDominator())
       or

python/ql/lib/semmle/python/objects/Callables.qll

@@ -56,9 +56,8 @@ abstract class CallableObjectInternal extends ObjectInternal {
 /** A Python function. */
 class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFunctionObject {
   override Function getScope() {
-    exists(CallableExpr expr, ControlFlowNode exprCfg |
-      exprCfg.getNode() = expr and
-      this = TPythonFunctionObject(exprCfg) and
+    exists(CallableExpr expr |
+      this = TPythonFunctionObject(expr.getAFlowNode()) and
       result = expr.getInnerScope()
     )
   }
@@ -81,12 +80,11 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti
 
   pragma[nomagic]
   override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) {
-    exists(Function func, Return ret, ControlFlowNode rval, ControlFlowNode forigin |
+    exists(Function func, ControlFlowNode rval, ControlFlowNode forigin |
       func = this.getScope() and
       callee.appliesToScope(func)
     |
-      ret.getScope() = func and
-      rval.getNode() = ret.getValue() and
+      rval = func.getAReturnValueFlowNode() and
       PointsToInternal::pointsTo(rval, callee, obj, forigin) and
       origin = CfgOrigin::fromCfgNode(forigin)
     )
@@ -162,11 +160,10 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti
 }
 
 private BasicBlock blockReturningNone(Function func) {
-  exists(Return ret, ControlFlowNode ret_ |
+  exists(Return ret |
     not exists(ret.getValue()) and
     ret.getScope() = func and
-    ret_.getNode() = ret and
-    result = ret_.getBasicBlock()
+    result = ret.getAFlowNode().getBasicBlock()
   )
 }
 

python/ql/lib/semmle/python/objects/Classes.qll

@@ -113,9 +113,8 @@ abstract class ClassObjectInternal extends ObjectInternal {
 class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject {
   /** Gets the scope for this Python class */
   Class getScope() {
-    exists(ClassExpr expr, ControlFlowNode exprCfg |
-      exprCfg.getNode() = expr and
-      this = TPythonClassObject(exprCfg) and
+    exists(ClassExpr expr |
+      this = TPythonClassObject(expr.getAFlowNode()) and
       result = expr.getInnerScope()
     )
   }

python/ql/lib/semmle/python/objects/ObjectAPI.qll

@@ -745,12 +745,7 @@ class PythonFunctionValue extends FunctionValue {
   override int maxParameters() { result = this.getScope().getMaxPositionalArguments() }
 
   /** Gets a control flow node corresponding to a return statement in this function */
-  ControlFlowNode getAReturnedNode() {
-    exists(Return ret |
-      ret.getScope() = this.getScope() and
-      result.getNode() = ret.getValue()
-    )
-  }
+  ControlFlowNode getAReturnedNode() { result = this.getScope().getAReturnValueFlowNode() }
 
   override ClassValue getARaisedType() { scope_raises(result, this.getScope()) }
 

python/ql/lib/semmle/python/objects/TObject.qll

@@ -387,7 +387,7 @@ private PythonClassObjectInternal abcMetaClassObject() {
 private predicate neither_class_nor_static_method(Function f) {
   not exists(f.getADecorator())
   or
-  exists(ControlFlowNode deco | deco.getNode() = f.getADecorator() |
+  exists(ControlFlowNode deco | deco = f.getADecorator().getAFlowNode() |
     exists(ObjectInternal o | PointsToInternal::pointsTo(deco, _, o, _) |
       o != ObjectInternal::staticMethod() and
       o != ObjectInternal::classMethod()

python/ql/lib/semmle/python/pointsto/PointsTo.qll

@@ -711,7 +711,7 @@ private module InterModulePointsTo {
     ControlFlowNode f, PointsToContext context, ObjectInternal value, ControlFlowNode origin
   ) {
     exists(string name, ImportExpr i |
-      f.getNode() = i and
+      i.getAFlowNode() = f and
       i.getImportedModuleName() = name and
       PointsToInternal::module_imported_as(value, name) and
       origin = f and
@@ -2118,9 +2118,8 @@ module Types {
     result.getBuiltin() = cls.getBuiltin().getBaseClass() and n = 0
     or
     exists(Class pycls | pycls = cls.(PythonClassObjectInternal).getScope() |
-      exists(ObjectInternal base, ControlFlowNode baseNode |
-        baseNode.getNode() = pycls.getBase(n) and
-        PointsToInternal::pointsTo(baseNode, _, base, _)
+      exists(ObjectInternal base |
+        PointsToInternal::pointsTo(pycls.getBase(n).getAFlowNode(), _, base, _)
       |
         result = base and base != ObjectInternal::unknown()
         or
@@ -2224,10 +2223,7 @@ module Types {
   }
 
   private ControlFlowNode decorator_call_callee(PythonClassObjectInternal cls) {
-    exists(CallNode deco |
-      deco.getNode() = cls.getScope().getADecorator() and
-      result = deco.getFunction()
-    )
+    result = cls.getScope().getADecorator().getAFlowNode().(CallNode).getFunction()
   }
 
   private boolean has_six_add_metaclass(PythonClassObjectInternal cls) {
@@ -2266,7 +2262,7 @@ module Types {
   }
 
   private EssaVariable metaclass_var(Class cls) {
-    result.getASourceUse().getNode() = cls.getMetaClass()
+    result.getASourceUse() = cls.getMetaClass().getAFlowNode()
     or
     major_version() = 2 and
     not exists(cls.getMetaClass()) and

python/ql/lib/semmle/python/types/ClassObject.qll

@@ -181,7 +181,7 @@ class ClassObject extends Object {
     )
   }
 
-  ControlFlowNode declaredMetaClass() { result.getNode() = this.getPyClass().getMetaClass() }
+  ControlFlowNode declaredMetaClass() { result = this.getPyClass().getMetaClass().getAFlowNode() }
 
   /** Has type inference failed to compute the full class hierarchy for this class for the reason given. */
   predicate failedInference(string reason) { Types::failedInference(this.theClass(), reason) }
@@ -195,9 +195,8 @@ class ClassObject extends Object {
    * It is guaranteed that getProbableSingletonInstance() returns at most one Object for each ClassObject.
    */
   Object getProbableSingletonInstance() {
-    exists(ControlFlowNodeWithPointsTo use, Expr origin, ControlFlowNode origin_ |
-      origin_.getNode() = origin and
-      use.refersTo(result, this, origin_)
+    exists(ControlFlowNodeWithPointsTo use, Expr origin |
+      use.refersTo(result, this, origin.getAFlowNode())
     |
       this.hasStaticallyUniqueInstance() and
       /* Ensure that original expression will be executed only one. */

python/ql/lib/semmle/python/types/Exceptions.qll

@@ -427,7 +427,7 @@ class ExceptFlowNodeWithPointsTo extends ExceptFlowNode {
 }
 
 private ControlFlowNodeWithPointsTo element_from_tuple_objectapi(Object tuple) {
-  exists(Tuple t | t = tuple.getOrigin() and result.getNode() = t.getAnElt())
+  exists(Tuple t | t = tuple.getOrigin() and result = t.getAnElt().getAFlowNode())
 }
 
 /**

python/ql/lib/semmle/python/types/Extensions.qll

@@ -36,8 +36,8 @@ class RangeIterationVariableFact extends PointsToExtension {
   RangeIterationVariableFact() {
     exists(For f, ControlFlowNode iterable |
       iterable.getBasicBlock().dominates(this.(ControlFlowNode).getBasicBlock()) and
-      iterable.getNode() = f.getIter() and
-      this.(ControlFlowNode).getNode() = f.getTarget() and
+      f.getIter().getAFlowNode() = iterable and
+      f.getTarget().getAFlowNode() = this and
       exists(ObjectInternal range |
         PointsTo::pointsTo(iterable, _, range, _) and
         range.getClass() = ObjectInternal::builtin("range")

python/ql/lib/semmle/python/types/FunctionObject.qll

@@ -137,10 +137,7 @@ class PyFunctionObject extends FunctionObject {
 
   /** Gets a control flow node corresponding to the value of a return statement */
   ControlFlowNodeWithPointsTo getAReturnedNode() {
-    exists(Return ret |
-      ret.getScope() = this.getFunction() and
-      result.getNode() = ret.getValue()
-    )
+    result = this.getFunction().getAReturnValueFlowNode()
   }
 
   override string descriptiveString() {
@@ -173,7 +170,7 @@ class PyFunctionObject extends FunctionObject {
   predicate unconditionallyReturnsParameter(int n) {
     exists(SsaVariable pvar |
       exists(Parameter p | p = this.getFunction().getArg(n) |
-        pvar.getDefinition().getNode() = p.asName()
+        p.asName().getAFlowNode() = pvar.getDefinition()
       ) and
       exists(NameNode rval |
         rval = pvar.getAUse() and

python/ql/lib/semmle/python/types/Object.qll

@@ -337,7 +337,7 @@ class TupleObject extends SequenceObject {
     or
     this instanceof TupleNode
     or
-    exists(Function func | this.(ControlFlowNode).getNode() = func.getVararg())
+    exists(Function func | func.getVararg().getAFlowNode() = this)
   }
 }
 
@@ -352,9 +352,7 @@ module TupleObject {
 }
 
 class NonEmptyTupleObject extends TupleObject {
-  NonEmptyTupleObject() {
-    exists(Function func | this.(ControlFlowNode).getNode() = func.getVararg())
-  }
+  NonEmptyTupleObject() { exists(Function func | func.getVararg().getAFlowNode() = this) }
 
   override boolean booleanValue() { result = true }
 }

python/ql/src/Classes/ClassAttributes.qll

@@ -48,11 +48,9 @@ class CheckClass extends ClassObject {
         self_dict = sub.getObject()
         or
         /* Indirect assignment via temporary variable */
-        exists(SsaVariable v, ControlFlowNode subObjCfg, ControlFlowNode selfDictCfg |
-          subObjCfg.getNode() = sub.getObject() and selfDictCfg.getNode() = self_dict
-        |
-          v.getAUse() = subObjCfg and
-          v.getDefinition().(DefinitionNode).getValue() = selfDictCfg
+        exists(SsaVariable v |
+          v.getAUse() = sub.getObject().getAFlowNode() and
+          v.getDefinition().(DefinitionNode).getValue() = self_dict.getAFlowNode()
         )
       ) and
       a.getATarget() = sub and
@@ -64,10 +62,9 @@ class CheckClass extends ClassObject {
 
   pragma[nomagic]
   private predicate monkeyPatched(string name) {
-    exists(Attribute a, ControlFlowNode objCfg |
-      objCfg.getNode() = a.getObject() and
+    exists(Attribute a |
       a.getCtx() instanceof Store and
-      PointsTo::points_to(objCfg, _, this, _, _) and
+      PointsTo::points_to(a.getObject().getAFlowNode(), _, this, _, _) and
       a.getName() = name
     )
   }
@@ -87,9 +84,9 @@ class CheckClass extends ClassObject {
   }
 
   predicate interestingUndefined(SelfAttributeRead a) {
-    exists(string name, ControlFlowNode aCfg | name = a.getName() and aCfg.getNode() = a |
+    exists(string name | name = a.getName() |
       this.interestingContext(a, name) and
-      not this.definedInBlock(aCfg.getBasicBlock(), name)
+      not this.definedInBlock(a.getAFlowNode().getBasicBlock(), name)
     )
   }
 
@@ -112,9 +109,8 @@ class CheckClass extends ClassObject {
 
   pragma[nomagic]
   private predicate definitionInBlock(BasicBlock b, string name) {
-    exists(SelfAttributeStore sa, ControlFlowNode saCfg |
-      saCfg.getNode() = sa and
-      saCfg.getBasicBlock() = b and
+    exists(SelfAttributeStore sa |
+      sa.getAFlowNode().getBasicBlock() = b and
       sa.getName() = name and
       sa.getClass() = this.getPyClass()
     )

python/ql/src/Exceptions/CatchingBaseException.ql

@@ -15,9 +15,7 @@
 import python
 import semmle.python.ApiGraphs
 
-predicate doesnt_reraise(ExceptStmt ex) {
-  exists(ControlFlowNode exCfg | exCfg.getNode() = ex | exCfg.getBasicBlock().reachesExit())
-}
+predicate doesnt_reraise(ExceptStmt ex) { ex.getAFlowNode().getBasicBlock().reachesExit() }
 
 predicate catches_base_exception(ExceptStmt ex) {
   ex.getType() = API::builtin("BaseException").getAValueReachableFromSource().asExpr()

python/ql/src/Expressions/CallArgs.qll

@@ -116,7 +116,7 @@ FunctionValue get_function_or_initializer(Value func_or_cls) {
 predicate illegally_named_parameter_objectapi(Call call, Object func, string name) {
   not func.isC() and
   name = call.getANamedArgumentName() and
-  exists(ControlFlowNode callCfg | callCfg.getNode() = call | callCfg = get_a_call_objectapi(func)) and
+  call.getAFlowNode() = get_a_call_objectapi(func) and
   not get_function_or_initializer_objectapi(func).isLegalArgumentName(name)
 }
 
@@ -124,7 +124,7 @@ predicate illegally_named_parameter_objectapi(Call call, Object func, string nam
 predicate illegally_named_parameter(Call call, Value func, string name) {
   not func.isBuiltin() and
   name = call.getANamedArgumentName() and
-  exists(ControlFlowNode callCfg | callCfg.getNode() = call | callCfg = get_a_call(func)) and
+  call.getAFlowNode() = get_a_call(func) and
   not get_function_or_initializer(func).isLegalArgumentName(name)
 }
 
@@ -146,9 +146,7 @@ predicate too_few_args_objectapi(Call call, Object callable, int limit) {
     call = func.getAMethodCall().getNode() and limit = func.minParameters() - 1
     or
     callable instanceof ClassObject and
-    exists(ControlFlowNode callCfg | callCfg.getNode() = call |
-      callCfg = get_a_call_objectapi(callable)
-    ) and
+    call.getAFlowNode() = get_a_call_objectapi(callable) and
     limit = func.minParameters() - 1
   )
 }
@@ -174,7 +172,7 @@ predicate too_few_args(Call call, Value callable, int limit) {
     call = func.getAMethodCall().getNode() and limit = func.minParameters() - 1
     or
     callable instanceof ClassValue and
-    exists(ControlFlowNode callCfg | callCfg.getNode() = call | callCfg = get_a_call(callable)) and
+    call.getAFlowNode() = get_a_call(callable) and
     limit = func.minParameters() - 1
   )
 }
@@ -193,9 +191,7 @@ predicate too_many_args_objectapi(Call call, Object callable, int limit) {
     call = func.getAMethodCall().getNode() and limit = func.maxParameters() - 1
     or
     callable instanceof ClassObject and
-    exists(ControlFlowNode callCfg | callCfg.getNode() = call |
-      callCfg = get_a_call_objectapi(callable)
-    ) and
+    call.getAFlowNode() = get_a_call_objectapi(callable) and
     limit = func.maxParameters() - 1
   ) and
   positional_arg_count_for_call_objectapi(call, callable) > limit
@@ -215,7 +211,7 @@ predicate too_many_args(Call call, Value callable, int limit) {
     call = func.getAMethodCall().getNode() and limit = func.maxParameters() - 1
     or
     callable instanceof ClassValue and
-    exists(ControlFlowNode callCfg | callCfg.getNode() = call | callCfg = get_a_call(callable)) and
+    call.getAFlowNode() = get_a_call(callable) and
     limit = func.maxParameters() - 1
   ) and
   positional_arg_count_for_call(call, callable) > limit

python/ql/src/Expressions/DuplicateKeyInDictionaryLiteral.ql

@@ -36,15 +36,11 @@ where
   exists(string s | dict_key(d, k1, s) and dict_key(d, k2, s) and k1 != k2) and
   (
     exists(BasicBlock b, int i1, int i2 |
-      b.getNode(i1).getNode() = k1 and
-      b.getNode(i2).getNode() = k2 and
+      k1.getAFlowNode() = b.getNode(i1) and
+      k2.getAFlowNode() = b.getNode(i2) and
       i1 < i2
     )
     or
-    exists(ControlFlowNode k1Cfg, ControlFlowNode k2Cfg |
-      k1Cfg.getNode() = k1 and k2Cfg.getNode() = k2
-    |
-      k1Cfg.getBasicBlock().strictlyDominates(k2Cfg.getBasicBlock())
-    )
+    k1.getAFlowNode().getBasicBlock().strictlyDominates(k2.getAFlowNode().getBasicBlock())
   )
 select k1, "Dictionary key " + repr(k1) + " is subsequently $@.", k2, "overwritten"

python/ql/src/Expressions/Formatting/AdvancedFormatting.qll

@@ -98,18 +98,16 @@ private predicate brace_pair(PossibleAdvancedFormatString fmt, int start, int en
 }
 
 private predicate advanced_format_call(Call format_expr, PossibleAdvancedFormatString fmt, int args) {
-  exists(CallNode call, ControlFlowNode fmtCfg |
-    call.getNode() = format_expr and fmtCfg.getNode() = fmt
-  |
+  exists(CallNode call | call = format_expr.getAFlowNode() |
     call.getFunction().(ControlFlowNodeWithPointsTo).pointsTo(Value::named("format")) and
-    call.getArg(0).(ControlFlowNodeWithPointsTo).pointsTo(_, fmtCfg) and
+    call.getArg(0).(ControlFlowNodeWithPointsTo).pointsTo(_, fmt.getAFlowNode()) and
     args = count(format_expr.getAnArg()) - 1
     or
     call.getFunction()
         .(AttrNode)
         .getObject("format")
         .(ControlFlowNodeWithPointsTo)
-        .pointsTo(_, fmtCfg) and
+        .pointsTo(_, fmt.getAFlowNode()) and
     args = count(format_expr.getAnArg())
   )
 }

python/ql/src/Expressions/IncorrectComparisonUsingIs.ql

@@ -15,7 +15,7 @@ import python
 
 /** Holds if the comparison `comp` uses `is` or `is not` (represented as `op`) to compare its `left` and `right` arguments. */
 predicate comparison_using_is(Compare comp, ControlFlowNode left, Cmpop op, ControlFlowNode right) {
-  exists(CompareNode fcomp | fcomp.getNode() = comp |
+  exists(CompareNode fcomp | fcomp = comp.getAFlowNode() |
     fcomp.operands(left, op, right) and
     (op instanceof Is or op instanceof IsNot)
   )

python/ql/src/Expressions/IsComparisons.qll

@@ -5,7 +5,7 @@ private import LegacyPointsTo
 
 /** Holds if the comparison `comp` uses `is` or `is not` (represented as `op`) to compare its `left` and `right` arguments. */
 predicate comparison_using_is(Compare comp, ControlFlowNode left, Cmpop op, ControlFlowNode right) {
-  exists(CompareNode fcomp | fcomp.getNode() = comp |
+  exists(CompareNode fcomp | fcomp = comp.getAFlowNode() |
     fcomp.operands(left, op, right) and
     (op instanceof Is or op instanceof IsNot)
   )

python/ql/src/Expressions/TruncatedDivision.ql

@@ -19,7 +19,7 @@ where
   // Only relevant for Python 2, as all later versions implement true division
   major_version() = 2 and
   exists(BinaryExprNode bin, Value lval, Value rval |
-    bin.getNode() = div and
+    bin = div.getAFlowNode() and
     bin.getNode().getOp() instanceof Div and
     bin.getLeft().(ControlFlowNodeWithPointsTo).pointsTo(lval, left) and
     lval.getClass() = ClassValue::int_() and

python/ql/src/Functions/ExplicitReturnInInit.ql

@@ -19,9 +19,7 @@ where
   exists(Function init | init.isInitMethod() and r.getScope() = init) and
   r.getValue() = rv and
   not rv.pointsTo(Value::none_()) and
-  not exists(FunctionValue f, ControlFlowNode rvCfg | rvCfg.getNode() = rv |
-    f.getACall() = rvCfg and f.neverReturns()
-  ) and
+  not exists(FunctionValue f | f.getACall() = rv.getAFlowNode() | f.neverReturns()) and
   // to avoid double reporting, don't trigger if returning result from other __init__ function
   not exists(Attribute meth | meth = rv.(Call).getFunc() | meth.getName() = "__init__")
 select r, "Explicit return in __init__ method."

python/ql/src/Functions/ReturnValueIgnored.ql

@@ -69,12 +69,7 @@ where
   returns_meaningful_value(callee) and
   not wrapped_in_try_except(call) and
   exists(int unused |
-    unused =
-      count(ExprStmt e |
-        exists(ControlFlowNode eValCfg | eValCfg.getNode() = e.getValue() |
-          eValCfg = callee.getACall()
-        )
-      ) and
+    unused = count(ExprStmt e | e.getValue().getAFlowNode() = callee.getACall()) and
     total = count(callee.getACall())
   |
     percentage_used = (100.0 * (total - unused) / total).floor()

python/ql/src/Resources/FileOpen.qll

@@ -138,12 +138,12 @@ predicate function_opens_file(FunctionValue f) {
   f = Value::named("open")
   or
   exists(EssaVariable v, Return ret | ret.getScope() = f.getScope() |
-    v.getNode() = ret.getValue().getAUse() and
+    ret.getValue().getAFlowNode() = v.getAUse() and
     var_is_open(v, _)
   )
   or
   exists(Return ret, FunctionValue callee | ret.getScope() = f.getScope() |
-    callee.getNode() = ret.getValue().getACall() and
+    ret.getValue().getAFlowNode() = callee.getACall() and
     function_opens_file(callee)
   )
 }

python/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -94,7 +94,7 @@ class CredentialSink extends DataFlow::Node {
         this.(DataFlow::ArgumentNode).argumentOf(_, pos)
       )
       or
-      exists(Keyword k | k.getArg() = name and this.asCfgNode().getNode() = k.getValue())
+      exists(Keyword k | k.getArg() = name and k.getValue().getAFlowNode() = this.asCfgNode())
       or
       exists(CompareNode cmp, NameNode n | n.getId() = name |
         cmp.operands(this.asCfgNode(), any(Eq eq), n)

python/ql/src/Statements/IterableStringOrSequence.ql

@@ -25,7 +25,7 @@ from
   For loop, ControlFlowNodeWithPointsTo iter, Value str, Value seq, ControlFlowNode seq_origin,
   ControlFlowNode str_origin
 where
-  iter.getNode() = loop.getIter() and
+  loop.getIter().getAFlowNode() = iter and
   iter.pointsTo(str, str_origin) and
   iter.pointsTo(seq, seq_origin) and
   has_string_type(str) and

python/ql/src/Statements/NestedLoopsSameVariableWithReuse.ql

@@ -15,7 +15,7 @@
 import python
 
 predicate loop_variable_ssa(For f, Variable v, SsaVariable s) {
-  s.getDefinition().getNode() = f.getTarget() and v = s.getVariable()
+  f.getTarget().getAFlowNode() = s.getDefinition() and v = s.getVariable()
 }
 
 predicate variableUsedInNestedLoops(For inner, For outer, Variable v, Name n) {

python/ql/src/Statements/NonIteratorInForLoop.ql

@@ -16,7 +16,7 @@ private import LegacyPointsTo
 
 from For loop, ControlFlowNodeWithPointsTo iter, Value v, ClassValue t, ControlFlowNode origin
 where
-  iter.getNode() = loop.getIter() and
+  loop.getIter().getAFlowNode() = iter and
   iter.pointsTo(_, v, origin) and
   v.getClass() = t and
   not t.isIterable() and

python/ql/src/Statements/SideEffectInAssert.ql

@@ -24,13 +24,11 @@ predicate func_with_side_effects(Expr e) {
 }
 
 predicate call_with_side_effect(Call e) {
-  exists(ControlFlowNode eCfg | eCfg.getNode() = e |
-    eCfg =
-      API::moduleImport("subprocess")
-          .getMember(["call", "check_call", "check_output"])
-          .getACall()
-          .asCfgNode()
-  )
+  e.getAFlowNode() =
+    API::moduleImport("subprocess")
+        .getMember(["call", "check_call", "check_output"])
+        .getACall()
+        .asCfgNode()
 }
 
 predicate probable_side_effect(Expr e) {

python/ql/src/Variables/Definition.qll

@@ -133,11 +133,7 @@ class ListComprehensionDeclaration extends ListComp {
     major_version() = 2 and
     this.getIterationVariable(_).getId() = result.getId() and
     result.getScope() = this.getScope() and
-    exists(ControlFlowNode thisCfg, ControlFlowNode resultCfg |
-      thisCfg.getNode() = this and resultCfg.getNode() = result
-    |
-      thisCfg.strictlyReaches(resultCfg)
-    ) and
+    this.getAFlowNode().strictlyReaches(result.getAFlowNode()) and
     result.isUse()
   }
 

python/ql/src/Variables/LeakingListComprehension.ql

@@ -13,21 +13,18 @@
 import python
 import Definition
 
-from
-  ListComprehensionDeclaration l, Name use, Name defn, ControlFlowNode lCfg, ControlFlowNode useCfg
+from ListComprehensionDeclaration l, Name use, Name defn
 where
   use = l.getALeakedVariableUse() and
   defn = l.getDefinition() and
-  lCfg.getNode() = l and
-  useCfg.getNode() = use and
-  lCfg.strictlyReaches(useCfg) and
+  l.getAFlowNode().strictlyReaches(use.getAFlowNode()) and
   /* Make sure we aren't in a loop, as the variable may be redefined */
-  not useCfg.strictlyReaches(lCfg) and
+  not use.getAFlowNode().strictlyReaches(l.getAFlowNode()) and
   not l.contains(use) and
   not use.deletes(_) and
   not exists(SsaVariable v |
-    v.getAUse() = useCfg and
-    not v.getDefinition().strictlyDominates(lCfg)
+    v.getAUse() = use.getAFlowNode() and
+    not v.getDefinition().strictlyDominates(l.getAFlowNode())
   )
 select use,
   use.getId() + " may have a different value in Python 3, as the $@ will not be in scope.", defn,

python/ql/src/Variables/Loop.qll

@@ -26,11 +26,8 @@ private Stmt loop_probably_defines(Variable v) {
 
 /** Holds if the variable used by `use` is probably defined in a loop */
 predicate probably_defined_in_loop(Name use) {
-  exists(Stmt loop, ControlFlowNode loopCfg, ControlFlowNode useCfg |
-    loop = loop_probably_defines(use.getVariable()) and
-    loopCfg.getNode() = loop and
-    useCfg.getNode() = use and
-    loopCfg.strictlyReaches(useCfg)
+  exists(Stmt loop | loop = loop_probably_defines(use.getVariable()) |
+    loop.getAFlowNode().strictlyReaches(use.getAFlowNode())
   )
 }
 

python/ql/src/Variables/MultiplyDefined.ql

@@ -24,8 +24,8 @@ predicate multiply_defined(AstNode asgn1, AstNode asgn2, Variable v) {
 
   forex(Definition def, Definition redef |
     def.getVariable() = v and
-    def.getNode() = asgn1 and
-    redef.getNode() = asgn2
+    def = asgn1.getAFlowNode() and
+    redef = asgn2.getAFlowNode()
   |
     def.isUnused() and
     def.getARedef() = redef and

python/ql/src/Variables/SuspiciousUnusedLoopIterationVariable.ql

@@ -88,9 +88,7 @@ predicate implicit_repeat(For f) {
  * E.g. gets `x` from `{ y for y in x }`.
  */
 ControlFlowNode get_comp_iterable(For f) {
-  exists(Comp c, ControlFlowNode cCfg |
-    c.getFunction().getStmt(0) = f and cCfg.getNode() = c and cCfg.getAPredecessor() = result
-  )
+  exists(Comp c | c.getFunction().getStmt(0) = f | c.getAFlowNode().getAPredecessor() = result)
 }
 
 from For f, Variable v, string msg

python/ql/src/Variables/Undefined.qll

@@ -19,10 +19,9 @@ private predicate loop_entry_variables(EssaVariable pred, EssaVariable succ) {
 private predicate loop_entry_edge(BasicBlock pred, BasicBlock loop) {
   pred = loop.getAPredecessor() and
   pred = loop.getImmediateDominator() and
-  exists(Stmt s, ControlFlowNode sCfg |
+  exists(Stmt s |
     loop_probably_executes_at_least_once(s) and
-    sCfg.getNode() = s and
-    sCfg.getBasicBlock() = loop
+    s.getAFlowNode().getBasicBlock() = loop
   )
 }
 

python/ql/src/Variables/UndefinedGlobal.ql

@@ -27,7 +27,7 @@ predicate guarded_against_name_error(Name u) {
   |
     globals.getFunc().(Name).getId() = "globals" and
     guard.controls(controlled, _) and
-    exists(ControlFlowNode uCfg | uCfg.getNode() = u | controlled.contains(uCfg))
+    controlled.contains(u.getAFlowNode())
   )
 }
 
@@ -101,18 +101,18 @@ predicate undefined_use(Name u) {
 }
 
 private predicate first_use_in_a_block(Name use) {
-  exists(GlobalVariable v, BasicBlock b, int i, ControlFlowNode useCfg | useCfg.getNode() = use |
-    i = min(int j | b.getNode(j).getNode() = v.getALoad()) and b.getNode(i) = useCfg
+  exists(GlobalVariable v, BasicBlock b, int i |
+    i = min(int j | b.getNode(j).getNode() = v.getALoad()) and b.getNode(i) = use.getAFlowNode()
   )
 }
 
 predicate first_undefined_use(Name use) {
   undefined_use(use) and
-  exists(GlobalVariable v, ControlFlowNode useCfg | v.getALoad() = use and useCfg.getNode() = use |
+  exists(GlobalVariable v | v.getALoad() = use |
     first_use_in_a_block(use) and
     not exists(ControlFlowNode other |
       other.getNode() = v.getALoad() and
-      other.getBasicBlock().strictlyDominates(useCfg.getBasicBlock())
+      other.getBasicBlock().strictlyDominates(use.getAFlowNode().getBasicBlock())
     )
   )
 }

python/ql/src/Variables/UndefinedPlaceHolder.ql

@@ -18,8 +18,8 @@ private import semmle.python.types.ImportTime
 
 /* Local variable part */
 predicate initialized_as_local(PlaceHolder use) {
-  exists(SsaVariableWithPointsTo l, Function f, ControlFlowNode useCfg |
-    f = use.getScope() and useCfg.getNode() = use and l.getAUse() = useCfg
+  exists(SsaVariableWithPointsTo l, Function f |
+    f = use.getScope() and l.getAUse() = use.getAFlowNode()
   |
     l.getVariable() instanceof LocalVariable and
     not l.maybeUndefined()

python/ql/src/Variables/UnusedModuleVariable.ql

@@ -54,7 +54,7 @@ predicate unused_global(Name unused, GlobalVariable v) {
       u.uses(v)
     |
       // That is reachable from this definition, directly
-      exists(ControlFlowNode uCfg | uCfg.getNode() = u | defn.strictlyReaches(uCfg))
+      defn.strictlyReaches(u.getAFlowNode())
       or
       // indirectly
       defn.getBasicBlock().reachesExit() and u.getScope() != unused.getScope()

python/ql/src/analysis/CrossProjectDefinitions.qll

@@ -48,17 +48,15 @@ class Symbol extends TSymbol {
   AstNode find() {
     this = TModule(result)
     or
-    exists(Symbol s, string name, ControlFlowNode resultCfg |
-      this = TMember(s, name) and resultCfg.getNode() = result
-    |
+    exists(Symbol s, string name | this = TMember(s, name) |
       exists(ClassObject cls |
         s.resolvesTo() = cls and
-        cls.attributeRefersTo(name, _, resultCfg)
+        cls.attributeRefersTo(name, _, result.getAFlowNode())
       )
       or
       exists(ModuleObject m |
         s.resolvesTo() = m and
-        m.attributeRefersTo(name, _, resultCfg)
+        m.attributeRefersTo(name, _, result.getAFlowNode())
       )
     )
   }

python/ql/src/analysis/ImportFailure.ql

@@ -80,11 +80,10 @@ class VersionGuard extends ConditionBlock {
   VersionGuard() { this.getLastNode() instanceof VersionTest }
 }
 
-from ImportExpr ie, ControlFlowNode ieCfg
+from ImportExpr ie
 where
-  ieCfg.getNode() = ie and
   not ie.(ExprWithPointsTo).refersTo(_) and
-  exists(Context c | c.appliesTo(ieCfg)) and
+  exists(Context c | c.appliesTo(ie.getAFlowNode())) and
   not ok_to_fail(ie) and
-  not exists(VersionGuard guard | guard.controls(ieCfg.getBasicBlock(), _))
+  not exists(VersionGuard guard | guard.controls(ie.getAFlowNode().getBasicBlock(), _))
 select ie, "Unable to resolve import of '" + ie.getImportedModuleName() + "'."

python/ql/src/analysis/KeyPointsToFailure.ql

@@ -11,13 +11,13 @@ import python
 import semmle.python.pointsto.PointsTo
 
 predicate points_to_failure(Expr e) {
-  exists(ControlFlowNode f | f.getNode() = e | not PointsTo::pointsTo(f, _, _, _))
+  exists(ControlFlowNode f | f = e.getAFlowNode() | not PointsTo::pointsTo(f, _, _, _))
 }
 
 predicate key_points_to_failure(Expr e) {
   points_to_failure(e) and
   not points_to_failure(e.getASubExpression()) and
-  not exists(SsaVariable ssa, ControlFlowNode eCfg | eCfg.getNode() = e and ssa.getAUse() = eCfg |
+  not exists(SsaVariable ssa | ssa.getAUse() = e.getAFlowNode() |
     points_to_failure(ssa.getAnUltimateDefinition().getDefinition().getNode())
   ) and
   not exists(Assign a | a.getATarget() = e)

python/ql/src/analysis/PointsToFailure.ql

@@ -12,5 +12,5 @@ import python
 private import LegacyPointsTo
 
 from Expr e
-where exists(ControlFlowNodeWithPointsTo f | f.getNode() = e | not f.refersTo(_))
+where exists(ControlFlowNodeWithPointsTo f | f = e.getAFlowNode() | not f.refersTo(_))
 select e, "Expression does not 'point-to' any object."

python/ql/src/semmle/python/functions/ModificationOfParameterWithDefaultCustomizations.qll

@@ -131,7 +131,7 @@ module ModificationOfParameterWithDefault {
       exists(DeletionNode d | d.getTarget().(SubscriptNode).getObject() = this.asCfgNode())
       or
       // augmented assignment to the value
-      exists(AugAssign a | this.asCfgNode().getNode() = a.getTarget())
+      exists(AugAssign a | a.getTarget().getAFlowNode() = this.asCfgNode())
       or
       // modifying function call
       exists(DataFlow::CallCfgNode c, DataFlow::AttrRead a | c.getFunction() = a |

python/ql/test/2/library-tests/comprehensions/ConsistencyCheck.ql

@@ -5,7 +5,5 @@
 import python
 
 select count(Comprehension c |
-    count(c.toString()) != 1 or
-    count(c.getLocation()) != 1 or
-    not exists(ControlFlowNode n | n.getNode() = c)
+    count(c.toString()) != 1 or count(c.getLocation()) != 1 or not exists(c.getAFlowNode())
   )

python/ql/test/experimental/import-resolution/importflow.ql

@@ -45,15 +45,13 @@ private class VersionGuardedNode extends DataFlow::Node {
 
   VersionGuardedNode() {
     version in [2, 3] and
-    exists(If parent, CompareNode c, ControlFlowNode litCfg |
-      parent.getBody().contains(this.asExpr()) and
-      litCfg.getNode() = any(IntegerLiteral lit | lit.getValue() = version)
-    |
+    exists(If parent, CompareNode c | parent.getBody().contains(this.asExpr()) |
       c.operands(API::moduleImport("sys")
             .getMember("version_info")
             .getASubscript()
             .asSource()
-            .asCfgNode(), any(Eq eq), litCfg)
+            .asCfgNode(), any(Eq eq),
+        any(IntegerLiteral lit | lit.getValue() = version).getAFlowNode())
     )
   }
 

python/ql/test/library-tests/ControlFlow/PointsToSupport/UseFromDefinition.ql

@@ -9,7 +9,7 @@ Expr assignedValue(Name n) {
 
 from Name def, DefinitionNode d
 where
-  d.getNode() = def and
+  d = def.getAFlowNode() and
   exists(assignedValue(def)) and
   not d.getValue().getNode() = assignedValue(def)
 select def.toString(), assignedValue(def)

python/ql/test/library-tests/ControlFlow/splitting/NodeCount.ql

@@ -8,4 +8,4 @@ where
   not a instanceof ExprStmt and
   a.getScope() = s and
   s instanceof Function
-select a.getLocation().getStartLine(), s.getName(), a, count(ControlFlowNode n | n.getNode() = a)
+select a.getLocation().getStartLine(), s.getName(), a, count(a.getAFlowNode())

python/ql/test/library-tests/PointsTo/global/Global.ql

@@ -3,6 +3,6 @@ private import LegacyPointsTo
 
 from ControlFlowNode f, PointsToContext ctx, Value obj, ControlFlowNode orig
 where
-  exists(ExprStmt s | f.getNode() = s.getValue()) and
+  exists(ExprStmt s | s.getValue().getAFlowNode() = f) and
   PointsTo::pointsTo(f, ctx, obj, orig)
 select ctx, f, obj.toString(), orig

python/ql/test/library-tests/PointsTo/local/LocalPointsTo.ql

@@ -4,6 +4,6 @@ import semmle.python.objects.ObjectInternal
 
 from ControlFlowNode f, ObjectInternal obj, ControlFlowNode orig
 where
-  exists(ExprStmt s | f.getNode() = s.getValue()) and
+  exists(ExprStmt s | s.getValue().getAFlowNode() = f) and
   PointsTo::pointsTo(f, _, obj, orig)
 select f, obj.toString(), orig

python/ql/test/library-tests/dataflow/tainttracking/TestTaintLib.qll

@@ -43,7 +43,7 @@ query predicate test_taint(string arg_location, string test_res, string scope_na
       // TODO: Replace with `hasFlowToExpr` once that is working
       if
         TestTaintTrackingFlow::flowTo(any(DataFlow::Node n |
-            n.(DataFlow::CfgNode).getNode().getNode() = arg
+            n.(DataFlow::CfgNode).getNode() = arg.getAFlowNode()
           ))
       then has_taint = true
       else has_taint = false

python/tools/recorded-call-graph-metrics/ql/lib/RecordedCalls.qll

@@ -238,10 +238,9 @@ module PointsToBasedCallGraph {
     Value calleeValue;
 
     ResolvableRecordedCall() {
-      exists(Call call, XmlCallee xmlCallee, ControlFlowNode callCfg |
+      exists(Call call, XmlCallee xmlCallee |
         call = this.getACall() and
-        callCfg.getNode() = call and
-        calleeValue.getACall() = callCfg and
+        calleeValue.getACall() = call.getAFlowNode() and
         xmlCallee = this.getXmlCallee() and
         (
           xmlCallee instanceof XmlPythonCallee and

ruby/ql/lib/codeql/ruby/ast/Parameter.qll

@@ -134,7 +134,7 @@ class BlockParameter extends NamedParameter, TBlockParameter {
   final override string getName() { result = g.getName().getValue() }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 
@@ -164,7 +164,7 @@ class HashSplatParameter extends NamedParameter, THashSplatParameter {
   final override string getAPrimaryQlClass() { result = "HashSplatParameter" }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 
@@ -212,7 +212,9 @@ class KeywordParameter extends NamedParameter, TKeywordParameter {
 
   final override string getAPrimaryQlClass() { result = "KeywordParameter" }
 
-  final override LocalVariable getVariable() { result = TLocalVariableReal(_, _, g.getName()) }
+  final override LocalVariable getVariable() {
+    result.(LocalVariableReal).getDefiningNode() = g.getName()
+  }
 
   /**
    * Gets the default value, i.e. the value assigned to the parameter when one
@@ -262,7 +264,9 @@ class OptionalParameter extends NamedParameter, TOptionalParameter {
    */
   final Expr getDefaultValue() { toGenerated(result) = g.getValue() }
 
-  final override LocalVariable getVariable() { result = TLocalVariableReal(_, _, g.getName()) }
+  final override LocalVariable getVariable() {
+    result.(LocalVariableReal).getDefiningNode() = g.getName()
+  }
 
   final override string toString() { result = this.getName() }
 
@@ -293,7 +297,7 @@ class SplatParameter extends NamedParameter, TSplatParameter {
   final override string getAPrimaryQlClass() { result = "SplatParameter" }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 

ruby/ql/lib/codeql/ruby/ast/internal/AST.qll

@@ -207,9 +207,7 @@ private module Cached {
     TLambda(Ruby::Lambda g) or
     TLine(Ruby::Line g) or
     TLeftAssignmentList(Ruby::LeftAssignmentList g) or
-    TLocalVariableAccessReal(Ruby::Identifier g, TLocalVariableReal v) {
-      LocalVariableAccess::range(g, v)
-    } or
+    TLocalVariableAccessReal(Ruby::Identifier g, TLocalVariableReal v) { access(g, v) } or
     TLocalVariableAccessSynth(Ast::AstNode parent, int i, Ast::LocalVariable v) {
       mkSynthChild(LocalVariableAccessRealKind(v), parent, i)
       or

ruby/ql/lib/codeql/ruby/ast/internal/Parameter.qll

@@ -33,7 +33,7 @@ class SimpleParameterRealImpl extends SimpleParameterImpl, TSimpleParameterReal
 
   SimpleParameterRealImpl() { this = TSimpleParameterReal(g) }
 
-  override LocalVariable getVariableImpl() { result = TLocalVariableReal(_, _, g) }
+  override LocalVariable getVariableImpl() { result.(LocalVariableReal).getDefiningNode() = g }
 
   override string getNameImpl() { result = g.getValue() }
 }

ruby/ql/lib/codeql/ruby/ast/internal/Scope.qll

@@ -118,7 +118,7 @@ private Ruby::AstNode specialParentOf(Ruby::AstNode n) {
     ]
 }
 
-private Ruby::AstNode parentOf(Ruby::AstNode n) {
+Ruby::AstNode parentOf(Ruby::AstNode n) {
   n = getHereDocBody(result)
   or
   result = specialParentOf(n).getParent()
@@ -172,13 +172,15 @@ private module Cached {
   }
 }
 
-bindingset[n]
-pragma[inline_late]
-Scope::Range scopeOf(Ruby::AstNode n) { result = Cached::scopeOfImpl(n) }
+import Cached
 
 bindingset[n]
 pragma[inline_late]
-Scope scopeOfInclSynth(AstNode n) { result = Cached::scopeOfInclSynthImpl(n) }
+Scope::Range scopeOf(Ruby::AstNode n) { result = scopeOfImpl(n) }
+
+bindingset[n]
+pragma[inline_late]
+Scope scopeOfInclSynth(AstNode n) { result = scopeOfInclSynthImpl(n) }
 
 abstract class ScopeImpl extends AstNode, TScopeType {
   final Scope getOuterScopeImpl() { result = scopeOfInclSynth(this) }

ruby/ql/lib/codeql/ruby/ast/internal/Synthesis.qll

@@ -299,9 +299,12 @@ private predicate hasLocation(AstNode n, Location l) {
 private module ImplicitSelfSynthesis {
   pragma[nomagic]
   private predicate identifierMethodCallSelfSynthesis(AstNode mc, int i, Child child) {
-    child = SynthChild(SelfKind(TSelfVariable(scopeOf(toGenerated(mc)).getEnclosingSelfScope()))) and
-    mc = TIdentifierMethodCall(_) and
-    i = 0
+    exists(SelfVariableImpl self |
+      self.getDeclaringScopeImpl() = scopeOf(toGenerated(mc)).getEnclosingSelfScope() and
+      child = SynthChild(SelfKind(self)) and
+      mc = TIdentifierMethodCall(_) and
+      i = 0
+    )
   }
 
   private class IdentifierMethodCallSelfSynthesis extends Synthesis {
@@ -312,13 +315,14 @@ private module ImplicitSelfSynthesis {
 
   pragma[nomagic]
   private predicate regularMethodCallSelfSynthesis(TRegularMethodCall mc, int i, Child child) {
-    exists(Ruby::AstNode g |
+    exists(Ruby::AstNode g, SelfVariableImpl self |
       mc = TRegularMethodCall(g) and
       // If there's no explicit receiver, then the receiver is implicitly `self`.
-      not exists(g.(Ruby::Call).getReceiver())
-    ) and
-    child = SynthChild(SelfKind(TSelfVariable(scopeOf(toGenerated(mc)).getEnclosingSelfScope()))) and
-    i = 0
+      not exists(g.(Ruby::Call).getReceiver()) and
+      self.getDeclaringScopeImpl() = scopeOf(toGenerated(mc)).getEnclosingSelfScope() and
+      child = SynthChild(SelfKind(self)) and
+      i = 0
+    )
   }
 
   private class RegularMethodCallSelfSynthesis extends Synthesis {
@@ -341,9 +345,10 @@ private module ImplicitSelfSynthesis {
    */
   pragma[nomagic]
   private SelfKind getSelfKind(InstanceVariableAccess var) {
-    exists(Ruby::AstNode owner |
+    exists(Ruby::AstNode owner, SelfVariableImpl self |
+      self.getDeclaringScopeImpl() = scopeOf(owner).getEnclosingSelfScope() and
       owner = toGenerated(instanceVarAccessSynthParentStar(var)) and
-      result = SelfKind(TSelfVariable(scopeOf(owner).getEnclosingSelfScope()))
+      result = SelfKind(self)
     )
   }
 
@@ -1566,20 +1571,20 @@ private module ForLoopDesugar {
  * { a: a }
  * ```
  */
-private module ImplicitHashValueSynthesis {
-  private Ruby::AstNode keyWithoutValue(AstNode parent, int i) {
+module ImplicitHashValueSynthesis {
+  Ruby::AstNode keyWithoutValue(Ruby::AstNode parent, int i) {
     exists(Ruby::KeywordPattern pair |
       result = pair.getKey() and
-      result = toGenerated(parent.(HashPattern).getKey(i)) and
+      result = parent.(Ruby::HashPattern).getChild(i).(Ruby::KeywordPattern).getKey() and
       not exists(pair.getValue())
     )
     or
-    exists(Ruby::Pair pair |
-      i = 0 and
-      result = pair.getKey() and
-      pair = toGenerated(parent) and
-      not exists(pair.getValue())
-    )
+    parent =
+      any(Ruby::Pair pair |
+        i = 0 and
+        result = pair.getKey() and
+        not exists(pair.getValue())
+      )
   }
 
   private string keyName(Ruby::AstNode key) {
@@ -1589,7 +1594,7 @@ private module ImplicitHashValueSynthesis {
 
   private class ImplicitHashValueSynthesis extends Synthesis {
     final override predicate child(AstNode parent, int i, Child child) {
-      exists(Ruby::AstNode key | key = keyWithoutValue(parent, i) |
+      exists(Ruby::AstNode key | key = keyWithoutValue(toGenerated(parent), i) |
         exists(TVariableReal variable |
           access(key, variable) and
           child = SynthChild(LocalVariableAccessRealKind(variable))
@@ -1616,7 +1621,7 @@ private module ImplicitHashValueSynthesis {
     }
 
     final override predicate location(AstNode n, Location l) {
-      exists(AstNode p, int i | l = keyWithoutValue(p, i).getLocation() |
+      exists(AstNode p, int i | l = keyWithoutValue(toGenerated(p), i).getLocation() |
         n = p.(HashPattern).getValue(i)
         or
         i = 0 and n = p.(Pair).getValue()

ruby/ql/lib/codeql/ruby/ast/internal/Variable.qll

@@ -2,6 +2,7 @@ overlay[local]
 module;
 
 private import TreeSitter
+private import codeql.namebinding.LocalNameBinding
 private import codeql.ruby.AST
 private import codeql.ruby.CFG
 private import codeql.ruby.ast.internal.AST
@@ -94,10 +95,11 @@ predicate scopeDefinesParameterVariable(
   // In case of overlapping parameter names (e.g. `_`), only the first
   // parameter will give rise to a variable
   i =
-    min(Ruby::Identifier other |
-      parameterAssignment(scope, name, other, _)
+    min(Ruby::Identifier other, int startline, int startcolumn |
+      parameterAssignment(scope, name, other, _) and
+      other.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
     |
-      other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
+      other order by startline, startcolumn
     ) and
   parameterAssignment(scope, name, _, pos)
   or
@@ -113,7 +115,8 @@ predicate scopeDefinesParameterVariable(
   )
 }
 
-pragma[nomagic]
+bindingset[i]
+pragma[inline_late]
 private string variableNameInScope(Ruby::AstNode i, Scope::Range scope) {
   scope = scopeOf(i) and
   (
@@ -137,40 +140,142 @@ private predicate scopeAssigns(Scope::Range scope, string name, Ruby::AstNode i)
   name = variableNameInScope(i, scope)
 }
 
+private module Input implements LocalNameBindingInputSig<Location> {
+  predicate cacheRevRef() { exists(TVariable v) implies any() }
+
+  class AstNode = Ruby::AstNode;
+
+  AstNode getChild(AstNode parent, int index) {
+    parent = parentOf(result) and
+    (
+      index = result.getParentIndex()
+      or
+      not exists(result.getParentIndex()) and
+      index = -1
+    )
+  }
+
+  class Conditional extends AstNode {
+    Conditional() { none() }
+
+    AstNode getCondition() { none() }
+
+    AstNode getThen() { none() }
+
+    AstNode getElse() { none() }
+  }
+
+  class SiblingShadowingDecl extends AstNode {
+    SiblingShadowingDecl() { none() }
+
+    AstNode getLhs() { none() }
+
+    AstNode getRhs() { none() }
+
+    AstNode getElse() { none() }
+  }
+
+  predicate isTopScope(AstNode scope) {
+    scope instanceof Scope::Range and
+    not (
+      scope instanceof Ruby::Block or
+      scope instanceof Ruby::DoBlock or
+      scope instanceof Ruby::Lambda
+    )
+  }
+
+  private Scope::Range getParentScope(Scope::Range scope) {
+    result = scopeOf(scope) and
+    not isTopScope(scope)
+  }
+
+  bindingset[name, scope]
+  pragma[inline_late]
+  private predicate declInScope0(AstNode definingNode, string name, AstNode scope) {
+    scopeDefinesParameterVariable(scope, name, definingNode, _) or
+    scopeAssigns(scope, name, definingNode)
+  }
+
+  predicate declInScope(AstNode definingNode, string name, AstNode scope) {
+    scopeDefinesParameterVariable(scope, name, definingNode, _)
+    or
+    /*
+     * Variables are not declared explicitly in Ruby, so we consider the _first_ assignment to
+     * be the declaration:
+     *
+     * ```rb
+     * a = 1 # declares `a`
+     * a = 2 # does not declare `a`
+     * 1.times do | x | # declares `x`
+     *   a = 2 # does not declare `a`
+     * end
+     * ```
+     */
+
+    scopeAssigns(scope, name, definingNode) and
+    not scopeDefinesParameterVariable(scope, name, _, _) and
+    not exists(AstNode prev, AstNode prevScope |
+      prevScope = getParentScope*(scope) and
+      declInScope0(prev, name, prevScope) and
+      prev.getLocation().strictlyBefore(definingNode.getLocation())
+    )
+  }
+
+  predicate implicitDeclInScope(string name, AstNode scope) {
+    name = "self" and
+    scope instanceof SelfBase::Range
+  }
+
+  predicate accessCand(AstNode n, string name) {
+    name = variableNameInScope(n, _) and
+    (
+      explicitAssignmentNode(n, _)
+      or
+      implicitAssignmentNode(n)
+      or
+      scopeDefinesParameterVariable(_, _, n, _)
+      or
+      vcall(n)
+      or
+      n = any(Ruby::VariableReferencePattern vr).getName()
+      or
+      n = ImplicitHashValueSynthesis::keyWithoutValue(_, _)
+    )
+    or
+    n instanceof Ruby::Self and
+    name = "self"
+  }
+}
+
+private import LocalNameBinding<Location, Input>
+
 cached
 private module Cached {
   cached
   newtype TVariable =
-    TGlobalVariable(string name) { name = any(Ruby::GlobalVariable var).getValue() } or
+    TGlobalVariable(string name) {
+      CachedStage::ref() and
+      name = any(Ruby::GlobalVariable var).getValue()
+    } or
     TClassVariable(Scope::Range scope, string name, Ruby::AstNode decl) {
       decl =
-        min(Ruby::ClassVariable other |
-          classVariableAccess(other, name, scope)
+        min(Ruby::ClassVariable other, int startline, int startcolumn |
+          classVariableAccess(other, name, scope) and
+          other.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
         |
-          other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
+          other order by startline, startcolumn
         )
     } or
     TInstanceVariable(Scope::Range scope, string name, boolean instance, Ruby::AstNode decl) {
       decl =
-        min(Ruby::InstanceVariable other |
-          instanceVariableAccess(other, name, scope, instance)
+        min(Ruby::InstanceVariable other, int startline, int startcolumn |
+          instanceVariableAccess(other, name, scope, instance) and
+          other.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
         |
-          other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
+          other order by startline, startcolumn
         )
     } or
-    TLocalVariableReal(Scope::Range scope, string name, Ruby::AstNode i) {
-      scopeDefinesParameterVariable(scope, name, i, _)
-      or
-      i =
-        min(Ruby::AstNode other |
-          scopeAssigns(scope, name, other)
-        |
-          other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
-        ) and
-      not scopeDefinesParameterVariable(scope, name, _, _) and
-      not inherits(scope, name, _)
-    } or
-    TSelfVariable(SelfBase::Range scope) or
+    TLocalVariableReal(Local l) or
     TLocalVariableSynth(AstNode n, int i) { any(Synthesis s).localVariable(n, i) }
 
   // Db types that can be vcalls
@@ -321,39 +426,37 @@ private module Cached {
     i = any(Ruby::ExpressionReferencePattern x).getValue()
   }
 
-  pragma[nomagic]
-  private predicate hasScopeAndName(VariableReal variable, Scope::Range scope, string name) {
-    variable.getNameImpl() = name and
-    scope = variable.getDeclaringScopeImpl()
-  }
-
   cached
   predicate access(Ruby::AstNode access, VariableReal variable) {
-    exists(string name, Scope::Range scope |
-      pragma[only_bind_into](name) = variableNameInScope(access, scope)
+    exists(Local l |
+      variable = TLocalVariableReal(l) and
+      access = l.getAnAccess()
     |
-      hasScopeAndName(variable, scope, name) and
-      not access.getLocation().strictlyBefore(variable.getLocationImpl()) and
-      // In case of overlapping parameter names, later parameters should not
-      // be considered accesses to the first parameter
-      if parameterAssignment(_, _, access, _)
-      then scopeDefinesParameterVariable(_, _, access, _)
-      else any()
+      l instanceof ImplicitLocal
       or
-      exists(Scope::Range declScope |
-        hasScopeAndName(variable, declScope, pragma[only_bind_into](name)) and
-        inherits(scope, name, declScope)
-      )
+      /*
+       * In the example below, `a` is declared in the scope of `M`, but only the
+       * second mention of `a` is an actual access:
+       *
+       * ```rb
+       * module M
+       *   puts a # calls method `a`
+       *   a = 1  # declares `a`
+       *   puts a # accesses variable `a`
+       * end
+       * ```
+       */
+
+      not access.getLocation().strictlyBefore(l.getDefiningNode().getLocation())
     )
   }
 
   private class Access extends Ruby::Token {
     Access() {
-      access(this.(Ruby::Identifier), _) or
+      access(this, _) or
       this instanceof Ruby::GlobalVariable or
       this instanceof Ruby::InstanceVariable or
-      this instanceof Ruby::ClassVariable or
-      this instanceof Ruby::Self
+      this instanceof Ruby::ClassVariable
     }
   }
 
@@ -398,29 +501,6 @@ private module Cached {
 
 import Cached
 
-/** Holds if this scope inherits `name` from an outer scope `outer`. */
-private predicate inherits(Scope::Range scope, string name, Scope::Range outer) {
-  (
-    scope instanceof Ruby::Block or
-    scope instanceof Ruby::DoBlock or
-    scope instanceof Ruby::Lambda
-  ) and
-  not scopeDefinesParameterVariable(scope, name, _, _) and
-  (
-    outer = scope.getOuterScope() and
-    (
-      scopeDefinesParameterVariable(outer, name, _, _)
-      or
-      exists(Ruby::AstNode i |
-        scopeAssigns(outer, name, i) and
-        i.getLocation().strictlyBefore(scope.getLocation())
-      )
-    )
-    or
-    inherits(scope.getOuterScope(), name, outer)
-  )
-}
-
 abstract class VariableImpl extends TVariable {
   abstract string getNameImpl();
 
@@ -429,10 +509,9 @@ abstract class VariableImpl extends TVariable {
   abstract Location getLocationImpl();
 }
 
-class TVariableReal =
-  TGlobalVariable or TClassVariable or TInstanceVariable or TLocalVariableReal or TSelfVariable;
+class TVariableReal = TGlobalVariable or TClassVariable or TInstanceVariable or TLocalVariableReal;
 
-class TLocalVariable = TLocalVariableReal or TLocalVariableSynth or TSelfVariable;
+class TLocalVariable = TLocalVariableReal or TLocalVariableSynth;
 
 /**
  * A "real" (i.e. non-synthesized) variable. This class only exists to
@@ -458,19 +537,19 @@ private class VariableRealAdapter extends VariableImpl, TVariableReal instanceof
 }
 
 class LocalVariableReal extends VariableReal, TLocalVariableReal {
-  private Scope::Range scope;
-  private string name;
-  private Ruby::AstNode i;
+  private Local l;
 
-  LocalVariableReal() { this = TLocalVariableReal(scope, name, i) }
+  LocalVariableReal() { this = TLocalVariableReal(l) }
 
-  final override string getNameImpl() { result = name }
+  Ruby::AstNode getDefiningNode() { result = l.getDefiningNode() }
 
-  final override Location getLocationImpl() { result = i.getLocation() }
+  final override string getNameImpl() { result = l.getName() }
 
-  final override Scope::Range getDeclaringScopeImpl() { result = scope }
+  final override Location getLocationImpl() { result = l.getLocation() }
 
-  final VariableAccess getDefiningAccessImpl() { toGenerated(result) = i }
+  final override Scope::Range getDeclaringScopeImpl() { result = l.getScope() }
+
+  final VariableAccess getDefiningAccessImpl() { toGenerated(result) = l.getDefiningNode() }
 }
 
 class LocalVariableSynth extends VariableImpl, TLocalVariableSynth {
@@ -531,34 +610,16 @@ class ClassVariableImpl extends VariableReal, TClassVariable {
   final override Scope::Range getDeclaringScopeImpl() { result = scope }
 }
 
-class SelfVariableImpl extends VariableReal, TSelfVariable {
-  private SelfBase::Range scope;
+class SelfVariableImpl extends LocalVariableReal {
+  private ImplicitLocal l;
 
-  SelfVariableImpl() { this = TSelfVariable(scope) }
-
-  final override string getNameImpl() { result = "self" }
-
-  final override Location getLocationImpl() { result = scope.getLocation() }
-
-  final override Scope::Range getDeclaringScopeImpl() { result = scope }
+  SelfVariableImpl() { this = TLocalVariableReal(l) }
 }
 
 abstract class VariableAccessImpl extends Expr, TVariableAccess {
   abstract VariableImpl getVariableImpl();
 }
 
-module LocalVariableAccess {
-  predicate range(Ruby::Identifier id, TLocalVariableReal v) {
-    access(id, v) and
-    (
-      explicitWriteAccess(id, _) or
-      implicitWriteAccess(id) or
-      vcall(id) or
-      id = any(Ruby::VariableReferencePattern vr).getName()
-    )
-  }
-}
-
 class TVariableAccessReal =
   TLocalVariableAccessReal or TGlobalVariableAccess or TInstanceVariableAccess or
       TClassVariableAccess;
@@ -681,7 +742,8 @@ private class SelfVariableAccessReal extends SelfVariableAccessImpl, TSelfReal {
 
   SelfVariableAccessReal() {
     exists(Ruby::Self self |
-      this = TSelfReal(self) and var = TSelfVariable(scopeOf(self).getEnclosingSelfScope())
+      this = TSelfReal(self) and
+      access(self, var)
     )
   }
 

ruby/ql/lib/qlpack.yml

@@ -14,6 +14,7 @@ dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
+  codeql/namebinding: ${workspace}
 dataExtensions:
   - codeql/ruby/frameworks/**/model.yml
   - codeql/ruby/frameworks/**/*.model.yml

ruby/ql/test/library-tests/variables/parameter.expected

@@ -28,6 +28,7 @@ parameterVariable
 | parameters.rb:59:22:59:26 | (..., ...) | parameters.rb:59:25:59:25 | c |
 | scopes.rb:2:14:2:14 | x | scopes.rb:2:14:2:14 | x |
 | scopes.rb:9:14:9:14 | x | scopes.rb:9:14:9:14 | x |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b |
 | ssa.rb:18:8:18:8 | x | ssa.rb:18:8:18:8 | x |
 | ssa.rb:25:8:25:15 | elements | ssa.rb:25:8:25:15 | elements |

ruby/ql/test/library-tests/variables/scopes.rb

@@ -47,3 +47,27 @@ module M
   #{var2}
  EOF
 end
+
+module ExceptionVariable
+  class MyException < Exception
+  end
+
+  x = 1
+  puts x
+
+  begin
+    raise MyException
+  rescue MyException => x # reuses `x` from above
+    puts x
+  end
+  puts x # prints `MyException`, not `1`
+end
+
+module ParameterShadowing
+  x = 1
+  xs = [1, 2, 3]
+  xs.each do |x|
+    puts x
+  end
+  puts x # prints `1`, not `3`
+end

ruby/ql/test/library-tests/variables/ssa.expected

@@ -86,12 +86,12 @@ definition
 | parameters.rb:59:20:59:20 | a | parameters.rb:59:20:59:20 | a |
 | parameters.rb:59:23:59:23 | b | parameters.rb:59:23:59:23 | b |
 | parameters.rb:59:25:59:25 | c | parameters.rb:59:25:59:25 | c |
-| scopes.rb:1:1:49:4 | self (scopes.rb) | scopes.rb:1:1:49:4 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self |
+| scopes.rb:1:1:73:3 | self (scopes.rb) | scopes.rb:1:1:73:3 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a |
 | scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self |
 | scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a |
 | scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b |
@@ -99,13 +99,18 @@ definition
 | scopes.rb:13:11:13:11 | c | scopes.rb:13:11:13:11 | c |
 | scopes.rb:13:14:13:14 | d | scopes.rb:13:14:13:14 | d |
 | scopes.rb:13:19:13:32 | __synth__3 | scopes.rb:13:4:13:32 | __synth__3 |
-| scopes.rb:26:1:26:12 | self (A) | scopes.rb:26:1:26:12 | self |
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x |
-| scopes.rb:28:1:30:3 | self (B) | scopes.rb:28:1:30:3 | self |
-| scopes.rb:34:1:36:3 | self (C) | scopes.rb:34:1:36:3 | self |
 | scopes.rb:41:1:49:3 | self (M) | scopes.rb:41:1:49:3 | self |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x |
+| scopes.rb:66:1:73:3 | self (ParameterShadowing) | scopes.rb:66:1:73:3 | self |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs |
+| scopes.rb:69:11:71:5 | <captured entry> self | scopes.rb:66:1:73:3 | self |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:3 | i |
@@ -262,20 +267,20 @@ read
 | parameters.rb:59:20:59:20 | a | parameters.rb:59:20:59:20 | a | parameters.rb:60:11:60:11 | a |
 | parameters.rb:59:23:59:23 | b | parameters.rb:59:23:59:23 | b | parameters.rb:60:16:60:16 | b |
 | parameters.rb:59:25:59:25 | c | parameters.rb:59:25:59:25 | c | parameters.rb:60:21:60:21 | c |
-| scopes.rb:1:1:49:4 | self (scopes.rb) | scopes.rb:1:1:49:4 | self | scopes.rb:8:1:8:6 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:4:3:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:9:3:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:5:4:5:9 | self |
+| scopes.rb:1:1:73:3 | self (scopes.rb) | scopes.rb:1:1:73:3 | self | scopes.rb:8:1:8:6 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:4:3:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:9:3:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:5:4:5:9 | self |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a | scopes.rb:5:9:5:9 | a |
 | scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:8:6:8:6 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:10:9:10:9 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:11:4:11:4 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:10:4:10:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:12:4:12:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:14:4:14:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:15:4:15:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:16:4:16:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:17:4:17:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:10:4:10:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:12:4:12:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:14:4:14:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:15:4:15:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:16:4:16:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:17:4:17:9 | self |
 | scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:12:9:12:9 | a |
 | scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:14:9:14:9 | a |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b | scopes.rb:15:9:15:9 | b |
@@ -294,6 +299,18 @@ read
 | scopes.rb:41:1:49:3 | self (M) | scopes.rb:41:1:49:3 | self | scopes.rb:45:5:45:7 | self |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var | scopes.rb:44:5:44:7 | var |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:47:5:47:8 | var2 |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:56:3:56:8 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:59:5:59:21 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:61:5:61:10 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:63:3:63:8 | self |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x | scopes.rb:56:8:56:8 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:61:10:61:10 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:63:8:63:8 | x |
+| scopes.rb:66:1:73:3 | self (ParameterShadowing) | scopes.rb:66:1:73:3 | self | scopes.rb:72:3:72:8 | self |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x | scopes.rb:72:8:72:8 | x |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:69:3:69:4 | xs |
+| scopes.rb:69:11:71:5 | <captured entry> self | scopes.rb:66:1:73:3 | self | scopes.rb:70:5:70:10 | self |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x | scopes.rb:70:10:70:10 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:3:3:3:8 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:4:3:4:12 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:7:5:7:10 | self |
@@ -443,12 +460,12 @@ firstRead
 | parameters.rb:59:20:59:20 | a | parameters.rb:59:20:59:20 | a | parameters.rb:60:11:60:11 | a |
 | parameters.rb:59:23:59:23 | b | parameters.rb:59:23:59:23 | b | parameters.rb:60:16:60:16 | b |
 | parameters.rb:59:25:59:25 | c | parameters.rb:59:25:59:25 | c | parameters.rb:60:21:60:21 | c |
-| scopes.rb:1:1:49:4 | self (scopes.rb) | scopes.rb:1:1:49:4 | self | scopes.rb:8:1:8:6 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:4:3:9 | self |
+| scopes.rb:1:1:73:3 | self (scopes.rb) | scopes.rb:1:1:73:3 | self | scopes.rb:8:1:8:6 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:4:3:9 | self |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a | scopes.rb:5:9:5:9 | a |
 | scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:8:6:8:6 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:10:9:10:9 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:10:4:10:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:10:4:10:9 | self |
 | scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:12:9:12:9 | a |
 | scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:14:9:14:9 | a |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b | scopes.rb:15:9:15:9 | b |
@@ -460,6 +477,14 @@ firstRead
 | scopes.rb:41:1:49:3 | self (M) | scopes.rb:41:1:49:3 | self | scopes.rb:45:5:45:7 | self |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var | scopes.rb:44:5:44:7 | var |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:47:5:47:8 | var2 |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:56:3:56:8 | self |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x | scopes.rb:56:8:56:8 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:61:10:61:10 | x |
+| scopes.rb:66:1:73:3 | self (ParameterShadowing) | scopes.rb:66:1:73:3 | self | scopes.rb:72:3:72:8 | self |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x | scopes.rb:72:8:72:8 | x |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:69:3:69:4 | xs |
+| scopes.rb:69:11:71:5 | <captured entry> self | scopes.rb:66:1:73:3 | self | scopes.rb:70:5:70:10 | self |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x | scopes.rb:70:10:70:10 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:3:3:3:8 | self |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b | ssa.rb:5:6:5:6 | b |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:3 | i | ssa.rb:3:8:3:8 | i |
@@ -532,14 +557,14 @@ adjacentReads
 | parameters.rb:25:1:28:3 | self (opt_param) | parameters.rb:25:1:28:3 | self | parameters.rb:26:3:26:11 | self | parameters.rb:27:3:27:11 | self |
 | parameters.rb:25:15:25:18 | name | parameters.rb:25:15:25:18 | name | parameters.rb:25:40:25:43 | name | parameters.rb:26:8:26:11 | name |
 | parameters.rb:54:9:57:3 | <captured entry> self | parameters.rb:1:1:62:1 | self | parameters.rb:55:4:55:9 | self | parameters.rb:56:4:56:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:4:3:9 | self | scopes.rb:3:9:3:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:9:3:9 | self | scopes.rb:5:4:5:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:4:3:9 | self | scopes.rb:3:9:3:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:9:3:9 | self | scopes.rb:5:4:5:9 | self |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:10:9:10:9 | a | scopes.rb:11:4:11:4 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:10:4:10:9 | self | scopes.rb:12:4:12:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:12:4:12:9 | self | scopes.rb:14:4:14:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:14:4:14:9 | self | scopes.rb:15:4:15:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:15:4:15:9 | self | scopes.rb:16:4:16:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:16:4:16:9 | self | scopes.rb:17:4:17:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:10:4:10:9 | self | scopes.rb:12:4:12:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:12:4:12:9 | self | scopes.rb:14:4:14:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:14:4:14:9 | self | scopes.rb:15:4:15:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:15:4:15:9 | self | scopes.rb:16:4:16:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:16:4:16:9 | self | scopes.rb:17:4:17:9 | self |
 | scopes.rb:13:10:13:15 | __synth__2__1 | scopes.rb:13:10:13:15 | __synth__2__1 | scopes.rb:13:11:13:11 | __synth__2__1 | scopes.rb:13:14:13:14 | __synth__2__1 |
 | scopes.rb:13:19:13:32 | __synth__3 | scopes.rb:13:4:13:32 | __synth__3 | scopes.rb:13:4:13:4 | __synth__3 | scopes.rb:13:7:13:7 | __synth__3 |
 | scopes.rb:13:19:13:32 | __synth__3 | scopes.rb:13:4:13:32 | __synth__3 | scopes.rb:13:7:13:7 | __synth__3 | scopes.rb:13:10:13:15 | __synth__3 |
@@ -547,6 +572,10 @@ adjacentReads
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:31:10:31:10 | x | scopes.rb:34:7:34:7 | x |
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:34:7:34:7 | x | scopes.rb:34:14:34:14 | x |
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:34:14:34:14 | x | scopes.rb:37:5:37:5 | x |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:56:3:56:8 | self | scopes.rb:59:5:59:21 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:59:5:59:21 | self | scopes.rb:61:5:61:10 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:61:5:61:10 | self | scopes.rb:63:3:63:8 | self |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:61:10:61:10 | x | scopes.rb:63:8:63:8 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:3:3:3:8 | self | ssa.rb:4:3:4:12 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:4:3:4:12 | self | ssa.rb:7:5:7:10 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:4:3:4:12 | self | ssa.rb:11:5:11:10 | self |

ruby/ql/test/library-tests/variables/varaccess.expected

@@ -155,43 +155,43 @@ variableAccess
 | parameters.rb:60:16:60:16 | b | parameters.rb:59:23:59:23 | b | parameters.rb:59:1:61:3 | tuples_nested |
 | parameters.rb:60:21:60:21 | c | parameters.rb:59:25:59:25 | c | parameters.rb:59:1:61:3 | tuples_nested |
 | scopes.rb:2:14:2:14 | x | scopes.rb:2:14:2:14 | x | scopes.rb:2:9:6:3 | do ... end |
-| scopes.rb:3:4:3:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:3:9:3:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:3:4:3:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:3:9:3:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a | scopes.rb:2:9:6:3 | do ... end |
-| scopes.rb:5:4:5:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:5:4:5:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:5:9:5:9 | a | scopes.rb:4:4:4:4 | a | scopes.rb:2:9:6:3 | do ... end |
-| scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:8:1:8:6 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:8:6:8:6 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:8:1:8:6 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:8:6:8:6 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:9:14:9:14 | x | scopes.rb:9:14:9:14 | x | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:10:4:10:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:10:9:10:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:12:4:12:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:12:9:12:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:10:4:10:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:10:9:10:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:12:4:12:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:12:9:12:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b | scopes.rb:9:9:18:3 | do ... end |
 | scopes.rb:13:11:13:11 | c | scopes.rb:13:11:13:11 | c | scopes.rb:9:9:18:3 | do ... end |
 | scopes.rb:13:14:13:14 | d | scopes.rb:13:14:13:14 | d | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:14:4:14:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:14:9:14:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:15:4:15:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:14:4:14:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:14:9:14:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:15:4:15:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:15:9:15:9 | b | scopes.rb:13:7:13:7 | b | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:16:4:16:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:16:4:16:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:16:9:16:9 | c | scopes.rb:13:11:13:11 | c | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:17:4:17:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:17:4:17:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:17:9:17:9 | d | scopes.rb:13:14:13:14 | d | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:24:1:24:6 | script | scopes.rb:24:1:24:6 | script | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:28:8:28:8 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:24:1:24:6 | script | scopes.rb:24:1:24:6 | script | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:28:8:28:8 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:29:3:29:3 | x | scopes.rb:29:3:29:3 | x | scopes.rb:28:1:30:3 | B |
-| scopes.rb:31:10:31:10 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:31:10:31:10 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:32:3:32:3 | x | scopes.rb:32:3:32:3 | x | scopes.rb:31:1:33:3 | class << ... |
-| scopes.rb:34:7:34:7 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:34:14:34:14 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:34:7:34:7 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:34:14:34:14 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:35:3:35:3 | x | scopes.rb:35:3:35:3 | x | scopes.rb:34:1:36:3 | C |
-| scopes.rb:37:5:37:5 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:37:5:37:5 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:38:3:38:3 | x | scopes.rb:38:3:38:3 | x | scopes.rb:37:1:39:3 | foo |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var | scopes.rb:41:1:49:3 | M |
 | scopes.rb:43:2:43:4 | foo | scopes.rb:43:2:43:4 | foo | scopes.rb:41:1:49:3 | M |
@@ -199,6 +199,23 @@ variableAccess
 | scopes.rb:45:5:45:7 | self | scopes.rb:41:1:49:3 | self | scopes.rb:41:1:49:3 | M |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:41:1:49:3 | M |
 | scopes.rb:47:5:47:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:41:1:49:3 | M |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:56:3:56:8 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:56:8:56:8 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:59:5:59:21 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:61:5:61:10 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:61:10:61:10 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:63:3:63:8 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:63:8:63:8 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:69:3:69:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x | scopes.rb:69:11:71:5 | do ... end |
+| scopes.rb:70:5:70:10 | self | scopes.rb:66:1:73:3 | self | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:70:10:70:10 | x | scopes.rb:69:15:69:15 | x | scopes.rb:69:11:71:5 | do ... end |
+| scopes.rb:72:3:72:8 | self | scopes.rb:66:1:73:3 | self | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:72:8:72:8 | x | scopes.rb:67:3:67:3 | x | scopes.rb:66:1:73:3 | ParameterShadowing |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b | ssa.rb:1:1:16:3 | m |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:3 | i | ssa.rb:1:1:16:3 | m |
 | ssa.rb:3:3:3:8 | self | ssa.rb:1:1:16:3 | self | ssa.rb:1:1:16:3 | m |
@@ -350,6 +367,9 @@ explicitWrite
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:9 | ... = ... |
 | scopes.rb:43:2:43:4 | foo | scopes.rb:43:2:43:13 | ... = ... |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:13 | ... = ... |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:7 | ... = ... |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:7 | ... = ... |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:16 | ... = ... |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:7 | ... = ... |
 | ssa.rb:6:5:6:5 | i | ssa.rb:6:5:6:9 | ... = ... |
 | ssa.rb:10:5:10:5 | i | ssa.rb:10:5:10:9 | ... = ... |
@@ -400,6 +420,8 @@ implicitWrite
 | parameters.rb:59:25:59:25 | c |
 | scopes.rb:2:14:2:14 | x |
 | scopes.rb:9:14:9:14 | x |
+| scopes.rb:60:25:60:25 | x |
+| scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:7:1:7 | b |
 | ssa.rb:18:8:18:8 | x |
 | ssa.rb:25:8:25:15 | elements |
@@ -550,6 +572,18 @@ readAccess
 | scopes.rb:44:5:44:7 | var |
 | scopes.rb:45:5:45:7 | self |
 | scopes.rb:47:5:47:8 | var2 |
+| scopes.rb:56:3:56:8 | self |
+| scopes.rb:56:8:56:8 | x |
+| scopes.rb:59:5:59:21 | self |
+| scopes.rb:61:5:61:10 | self |
+| scopes.rb:61:10:61:10 | x |
+| scopes.rb:63:3:63:8 | self |
+| scopes.rb:63:8:63:8 | x |
+| scopes.rb:69:3:69:4 | xs |
+| scopes.rb:70:5:70:10 | self |
+| scopes.rb:70:10:70:10 | x |
+| scopes.rb:72:3:72:8 | self |
+| scopes.rb:72:8:72:8 | x |
 | ssa.rb:3:3:3:8 | self |
 | ssa.rb:3:8:3:8 | i |
 | ssa.rb:4:3:4:12 | self |
@@ -647,6 +681,7 @@ captureAccess
 | scopes.rb:15:4:15:9 | self |
 | scopes.rb:16:4:16:9 | self |
 | scopes.rb:17:4:17:9 | self |
+| scopes.rb:70:5:70:10 | self |
 | ssa.rb:26:7:26:10 | elem |
 | ssa.rb:27:5:27:13 | self |
 | ssa.rb:27:10:27:13 | elem |

ruby/ql/test/library-tests/variables/variable.expected

@@ -94,7 +94,7 @@
 | parameters.rb:59:23:59:23 | b |
 | parameters.rb:59:25:59:25 | c |
 | scopes.rb:1:1:1:15 | self |
-| scopes.rb:1:1:49:4 | self |
+| scopes.rb:1:1:73:3 | self |
 | scopes.rb:2:14:2:14 | x |
 | scopes.rb:4:4:4:4 | a |
 | scopes.rb:7:1:7:1 | a |
@@ -124,6 +124,13 @@
 | scopes.rb:42:2:42:4 | var |
 | scopes.rb:43:2:43:4 | foo |
 | scopes.rb:46:5:46:8 | var2 |
+| scopes.rb:51:1:64:3 | self |
+| scopes.rb:52:3:53:5 | self |
+| scopes.rb:55:3:55:3 | x |
+| scopes.rb:66:1:73:3 | self |
+| scopes.rb:67:3:67:3 | x |
+| scopes.rb:68:3:68:4 | xs |
+| scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:1:16:3 | self |
 | ssa.rb:1:1:103:3 | self |
 | ssa.rb:1:7:1:7 | b |

ruby/ql/test/library-tests/variables/varscopes.expected

@@ -47,7 +47,7 @@
 | parameters.rb:54:9:57:3 | do ... end |
 | parameters.rb:59:1:61:3 | tuples_nested |
 | scopes.rb:1:1:1:15 | a |
-| scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:2:9:6:3 | do ... end |
 | scopes.rb:9:9:18:3 | do ... end |
 | scopes.rb:26:1:26:12 | A |
@@ -56,6 +56,10 @@
 | scopes.rb:34:1:36:3 | C |
 | scopes.rb:37:1:39:3 | foo |
 | scopes.rb:41:1:49:3 | M |
+| scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:52:3:53:5 | MyException |
+| scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:69:11:71:5 | do ... end |
 | ssa.rb:1:1:16:3 | m |
 | ssa.rb:1:1:103:3 | ssa.rb |
 | ssa.rb:18:1:23:3 | m1 |

rust/ql/.generated.list

@@ -332,7 +332,6 @@ lib/codeql/rust/elements/internal/NeverTypeReprConstructor.qll 2e0a9c75e389e9ef4
 lib/codeql/rust/elements/internal/OffsetOfExprConstructor.qll 616e146562adb3ac0fba4d6f55dd6ce60518ed377c0856f1f09ba49593e7bfab 80518ce90fc6d08011d6f5fc2a543958067739e1b0a6a5f2ed90fc9b1db078f0
 lib/codeql/rust/elements/internal/OffsetOfExprImpl.qll e52d4596068cc54719438121f7d5afcaab04e0c70168ac5e4df1a3a0969817a6 6ab37e659d79e02fb2685d6802ae124157bf14b6f790b31688f437c87f40f52c
 lib/codeql/rust/elements/internal/OrPatConstructor.qll 4ef583e07298487c0c4c6d7c76ffcc04b1e5fe58aba0c1da3e2c8446a9e0c92b 980a6bd176ae5e5b11c134569910c5468ba91f480982d846e222d031a6a05f1a
-lib/codeql/rust/elements/internal/ParamBaseImpl.qll fe11999c728c443c46c992e9bed7a2b3e23afa16ae99592e70054bc57ae371b8 df86fdb23266bdfb9ed8a8f02558a760b67f173943b9d075b081229eb5844f66
 lib/codeql/rust/elements/internal/ParamConstructor.qll b98a2d8969f289fdcc8c0fb11cbd19a3b0c71be038c4a74f5988295a2bae52f0 77d81b31064167945b79b19d9697b57ca24462c3a7cc19e462c4693ce87db532
 lib/codeql/rust/elements/internal/ParamListConstructor.qll 3123142ab3cab46fb53d7f3eff6ba2d3ff7a45b78839a53dc1979a9c6a54920e 165f3d777ea257cfcf142cc4ba9a0ebcd1902eb99842b8a6657c87087f3df6fe
 lib/codeql/rust/elements/internal/ParenExprConstructor.qll 104b67dc3fd53ab52e2a42ffde37f3a3a50647aa7bf35df9ba9528e9670da210 d1f5937756e87a477710c61698d141cdad0ccce8b07ecb51bab00330a1ca9835

rust/ql/.gitattributes

@@ -334,7 +334,6 @@
 /lib/codeql/rust/elements/internal/OffsetOfExprConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/OffsetOfExprImpl.qll linguist-generated
 /lib/codeql/rust/elements/internal/OrPatConstructor.qll linguist-generated
-/lib/codeql/rust/elements/internal/ParamBaseImpl.qll linguist-generated
 /lib/codeql/rust/elements/internal/ParamConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/ParamListConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/ParenExprConstructor.qll linguist-generated

rust/ql/lib/codeql/rust/elements/internal/ParamBaseImpl.qll

@@ -1,4 +1,3 @@
-// generated by codegen, remove this comment if you wish to edit this file
 /**
  * This module provides a hand-modifiable wrapper around the generated class `ParamBase`.
  *
@@ -6,14 +5,19 @@
  */
 
 private import codeql.rust.elements.internal.generated.ParamBase
+private import codeql.rust.elements.Callable
 
 /**
  * INTERNAL: This module contains the customizable definition of `ParamBase` and should not
  * be referenced directly.
  */
 module Impl {
+  // the following QLdoc is generated: if you need to edit it, do it in the schema file
   /**
    * A normal parameter, `Param`, or a self parameter `SelfParam`.
    */
-  class ParamBase extends Generated::ParamBase { }
+  class ParamBase extends Generated::ParamBase {
+    /** Gets the callable this parameter belongs to. */
+    Callable getCallable() { this = result.getParamList().getAParamBase() }
+  }
 }