Python: switch dataflow library to new (shared) CFG + SSA

Flips the Python dataflow trunk from the legacy CFG (semmle/python/Flow.qll)
and legacy ESSA SSA (semmle/python/essa/*) to the new shared CFG facade
(semmle.python.controlflow.internal.Cfg) and the new SSA adapter
(semmle.python.dataflow.new.internal.SsaImpl), both introduced
additively in the preceding PRs in this stack.

This is the trunk-flip equivalent of the original draft PR #21894 (kept
around as documentation), rebased on top of the four preparatory PRs:

  P1: Remove AstNode.getAFlowNode() and rewrite callers (#21919).
  P2: Qualify Flow.qll's AST references with Py:: prefix (#21920).
  P3: Add new shared-CFG-backed control flow graph (#21921).
  P4: Add new shared-SSA-backed SSA adapter (#21923).

The Python dataflow library (semmle/python/dataflow/new/) now imports
the new CFG facade and SSA adapter. All CFG-typed predicates
(ControlFlowNode, CallNode, BasicBlock, NameNode, AttrNode, ...) are
qualified with the Cfg:: prefix; SSA references switch from
EssaVariable/EssaDefinition to SsaImpl::Definition/SourceVariable.

GuardNode is redesigned to use the new CFG's outcome-node model
(isAfterTrue / isAfterFalse) instead of the legacy ConditionBlock +
flipped indirection. Only BarrierGuard<...> is preserved as public
API.

Framework files (Bottle, FastApi, Django, Tornado, Pyramid, Stdlib,
...) are updated to take CFG nodes from the new facade.

A handful of dataflow consistency tweaks for the new CFG:
- Augmented-assignment targets are treated as both load and store.
- 'from X import *' produces uncertain SSA writes for unknown names.
- CFG nodes are canonicalised so dataflow does not see equivalent
  pre/post-order pairs as distinct nodes.

Two AST tweaks for the new CFG:
- AstNodeImpl: omit PEP 695 type-parameter names from
  FunctionDefExpr / ClassDefExpr children.
- ImportResolution: drop the legacy essa import.

Test churn (~175 files): reblessed library- and query-test .expected
files reflect slightly different CFG granularity, different toString
output, and a handful of true alert deltas in security queries.

Verification: all 367 lib + src + consistency-queries compile clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: yoff

python/ql/consistency-queries/DataFlowConsistency.ql

@@ -9,6 +9,7 @@ private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
 private import semmle.python.dataflow.new.internal.DataFlowDispatch
 private import semmle.python.dataflow.new.internal.TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
+private import semmle.python.controlflow.internal.Cfg as Cfg
 
 private module Input implements InputSig<Location, PythonDataFlow> {
   private import Private
@@ -72,7 +73,7 @@ private module Input implements InputSig<Location, PythonDataFlow> {
     // resolve to multiple functions), but we only make _one_ ArgumentNode for each
     // argument in the CallNode, we end up violating this consistency check in those
     // cases. (see `getCallArg` in DataFlowDispatch.qll)
-    exists(DataFlowCall other, CallNode cfgCall | other != call |
+    exists(DataFlowCall other, Cfg::CallNode cfgCall | other != call |
       call.getNode() = cfgCall and
       other.getNode() = cfgCall and
       isArgumentNode(arg, call, _) and
@@ -88,16 +89,16 @@ private module Input implements InputSig<Location, PythonDataFlow> {
       // allow it instead.
       (
         call.getScope() = attr.getScope() and
-        any(CfgNode n | n.asCfgNode() = call.getNode().(CallNode).getFunction()).getALocalSource() =
-          attr
+        any(CfgNode n | n.asCfgNode() = call.getNode().(Cfg::CallNode).getFunction())
+            .getALocalSource() = attr
         or
         not exists(call.getScope().(Function).getDefinition()) and
         call.getScope().getScope+() = attr.getScope()
       ) and
       (
         other.getScope() = attr.getScope() and
-        any(CfgNode n | n.asCfgNode() = other.getNode().(CallNode).getFunction()).getALocalSource() =
-          attr
+        any(CfgNode n | n.asCfgNode() = other.getNode().(Cfg::CallNode).getFunction())
+            .getALocalSource() = attr
         or
         not exists(other.getScope().(Function).getDefinition()) and
         other.getScope().getScope+() = attr.getScope()

python/ql/lib/change-notes/2026-06-02-deprecated-flow-nodes-use-new-cfg.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The deprecated `AstNode.getAFlowNode()` and `Function.getAReturnValueFlowNode()` predicates now return nodes from the new shared CFG (`Cfg::ControlFlowNode`) rather than from the legacy CFG (`ControlFlowNode`). Callers that still rely on these deprecated APIs and feed the result into legacy-CFG-aware predicates will no longer type-check; migrate to `n.getNode() = e` (or, for return values, the explicit `Return` pattern shown in the deprecation message) to get nodes from the dataflow library's current CFG.

python/ql/lib/semmle/python/ApiGraphs.qll

@@ -6,8 +6,9 @@
  * directed and labeled; they specify how the components represented by nodes relate to each other.
  */
 
-// Importing python under the `py` namespace to avoid importing `CallNode` from `Flow.qll` and thereby having a naming conflict with `API::CallNode`.
+// Importing python under the `PY` namespace to avoid pulling in `CallNode` from `Flow.qll` (via `import python`) and thereby having a naming conflict with `API::CallNode`.
 private import python as PY
+private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.internal.CachedStages
 
@@ -282,15 +283,15 @@ module API {
       index = this.getIndex() and
       (
         // subscripting
-        exists(PY::SubscriptNode subscript |
+        exists(Cfg::SubscriptNode subscript |
           subscript.getObject() = this.getAValueReachableFromSource().asCfgNode() and
           subscript.getIndex() = index.asSink().asCfgNode()
         |
           // reading
           subscript = result.asSource().asCfgNode()
           or
           // writing
-          subscript.(PY::DefinitionNode).getValue() = result.asSink().asCfgNode()
+          subscript.(Cfg::DefinitionNode).getValue() = result.asSink().asCfgNode()
         )
         or
         // dictionary literals
@@ -684,7 +685,7 @@ module API {
      * Ignores relative imports, such as `from ..foo.bar import baz`.
      */
     private predicate imports(DataFlow::CfgNode imp, string name) {
-      exists(PY::ImportExprNode iexpr |
+      exists(Cfg::ImportExprNode iexpr |
         imp.getNode() = iexpr and
         not iexpr.getNode().isRelative() and
         name = iexpr.getNode().getImportedModuleName()
@@ -775,7 +776,7 @@ module API {
         // list literals, from `x` to `[x]`
         // TODO: once convenient, this should be done at a higher level than the AST,
         // at least at the CFG layer, to take splitting into account.
-        // Also consider `SequenceNode for generality.
+        // Also consider `Cfg::SequenceNode` for generality.
         exists(PY::List list | list = pred.(DataFlow::ExprNode).getNode().getNode() |
           rhs.(DataFlow::ExprNode).getNode().getNode() = list.getAnElt() and
           lbl = Label::subscript()
@@ -805,7 +806,7 @@ module API {
         subscript = trackUseNode(src).getSubscript(index)
       |
         // from `x` to a definition of `x[...]`
-        rhs.asCfgNode() = subscript.asCfgNode().(PY::DefinitionNode).getValue() and
+        rhs.asCfgNode() = subscript.asCfgNode().(Cfg::DefinitionNode).getValue() and
         lbl = Label::subscript()
         or
         // from `x` to `"key"` in `x["key"]`

python/ql/lib/semmle/python/AstExtended.qll

@@ -3,6 +3,7 @@ module;
 
 import python
 private import semmle.python.internal.CachedStages
+private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /** A syntactic node (Class, Function, Module, Expr, Stmt or Comprehension) corresponding to a flow node */
 abstract class AstNode extends AstNode_ {
@@ -23,17 +24,16 @@ abstract class AstNode extends AstNode_ {
   /**
    * DEPRECATED: use `ControlFlowNode.getNode()` from the other direction instead;
    * that is, replace `e.getAFlowNode() = n` with `n.getNode() = e`. This API is
-   * being removed to untangle the AST and CFG hierarchies in preparation for
-   * migrating the dataflow library off the legacy CFG.
+   * being removed to untangle the AST and CFG hierarchies.
    *
-   * Gets a flow node corresponding directly to this node.
-   * NOTE: For some statements and other purely syntactic elements,
-   * there may not be a `ControlFlowNode`.
+   * Gets a flow node corresponding directly to this node, from the new
+   * (shared) CFG. NOTE: For some statements and other purely syntactic
+   * elements, there may not be a `ControlFlowNode`.
    */
   cached
-  deprecated ControlFlowNode getAFlowNode() {
+  deprecated Cfg::ControlFlowNode getAFlowNode() {
     Stages::AST::ref() and
-    py_flow_bb_node(result, this, _, _)
+    result.getNode() = this
   }
 
   /**

python/ql/lib/semmle/python/Concepts.qll

@@ -5,6 +5,7 @@
  */
 
 private import python
+private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -214,7 +215,7 @@ module Path {
     SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
   }
 
-  private predicate safeAccessCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  private predicate safeAccessCheck(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
     g.(SafeAccessCheck::Range).checks(node, branch)
   }
 
@@ -223,7 +224,7 @@ module Path {
     /** A data-flow node that checks that a path is safe to access in some way, for example by having a controlled prefix. */
     abstract class Range extends DataFlow::GuardNode {
       /** Holds if this guard validates `node` upon evaluating to `branch`. */
-      abstract predicate checks(ControlFlowNode node, boolean branch);
+      abstract predicate checks(Cfg::ControlFlowNode node, boolean branch);
     }
   }
 }

python/ql/lib/semmle/python/Exprs.qll

@@ -3,6 +3,7 @@ module;
 
 private import python
 private import semmle.python.internal.CachedStages
+private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /** An expression */
 class Expr extends Expr_, AstNode {
@@ -70,7 +71,7 @@ class Attribute extends Attribute_ {
   /* syntax: Expr.name */
   override Expr getASubExpression() { result = this.getObject() }
 
-  deprecated override AttrNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override Cfg::AttrNode getAFlowNode() { result = super.getAFlowNode() }
 
   /** Gets the name of this attribute. That is the `name` in `obj.name` */
   string getName() { result = Attribute_.super.getAttr() }
@@ -99,7 +100,7 @@ class Subscript extends Subscript_ {
 
   Expr getObject() { result = Subscript_.super.getValue() }
 
-  deprecated override SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override Cfg::SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A call expression, such as `func(...)` */
@@ -115,7 +116,7 @@ class Call extends Call_ {
 
   override string toString() { result = this.getFunc().toString() + "()" }
 
-  deprecated override CallNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override Cfg::CallNode getAFlowNode() { result = super.getAFlowNode() }
 
   /** Gets a tuple (*) argument of this call. */
   Expr getStarargs() { result = this.getAPositionalArg().(Starred).getValue() }
@@ -203,7 +204,7 @@ class IfExp extends IfExp_ {
     result = this.getTest() or result = this.getBody() or result = this.getOrelse()
   }
 
-  deprecated override IfExprNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override Cfg::IfExprNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A starred expression, such as the `*rest` in the assignment `first, *rest = seq` */
@@ -413,7 +414,7 @@ class PlaceHolder extends PlaceHolder_ {
 
   override string toString() { result = "$" + this.getId() }
 
-  deprecated override NameNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override Cfg::NameNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A tuple expression such as `( 1, 3, 5, 7, 9 )` */
@@ -480,7 +481,7 @@ class Name extends Name_ {
 
   override string toString() { result = this.getId() }
 
-  deprecated override NameNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override Cfg::NameNode getAFlowNode() { result = super.getAFlowNode() }
 
   override predicate isArtificial() {
     /* Artificial variable names in comprehensions all start with "." */
@@ -587,7 +588,7 @@ abstract class NameConstant extends Name, ImmutableLiteral {
 
   override predicate isConstant() { any() }
 
-  deprecated override NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }
+  deprecated override Cfg::NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }
 
   override predicate isArtificial() { none() }
 }

python/ql/lib/semmle/python/Function.qll

@@ -2,6 +2,7 @@ overlay[local]
 module;
 
 import python
+private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * A function, independent of defaults and binding.
@@ -157,12 +158,12 @@ class Function extends Function_, Scope, AstNode {
    * DEPRECATED: bind a `Return` node explicitly instead, e.g.
    * `exists(Return ret | ret.getScope() = this and n.getNode() = ret.getValue())`.
    * This API is being phased out together with `AstNode.getAFlowNode()` to
-   * untangle the AST and CFG hierarchies in preparation for migrating the
-   * dataflow library off the legacy CFG.
+   * untangle the AST and CFG hierarchies.
    *
-   * Gets a control flow node for a return value of this function.
+   * Gets a control flow node for a return value of this function, from the
+   * new (shared) CFG.
    */
-  deprecated ControlFlowNode getAReturnValueFlowNode() {
+  deprecated Cfg::ControlFlowNode getAReturnValueFlowNode() {
     exists(Return ret |
       ret.getScope() = this and
       ret.getValue() = result.getNode()

python/ql/lib/semmle/python/Import.qll

@@ -4,6 +4,7 @@ module;
 import python
 private import semmle.python.types.Builtins
 private import semmle.python.internal.CachedStages
+private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /**
  * An alias in an import statement, the `mod as name` part of `import mod as name`. May be artificial;
@@ -149,7 +150,7 @@ class ImportExpr extends ImportExpr_ {
 class ImportMember extends ImportMember_ {
   override Expr getASubExpression() { result = this.getModule() }
 
-  deprecated override ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
+  deprecated override Cfg::ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
 
   override predicate hasSideEffects() {
     /* Strictly this only has side-effects if the module is a package */