Python: migrate dataflow library to new CFG + shared SSA

Switches the trunk dataflow library and all in-tree consumers
(frameworks, ApiGraphs, Concepts, regexp, security customisations,
test harness) from the legacy Flow.qll/ESSA stack to the new
shared-CFG facade (Cfg.qll) and the ESSA-shaped adapter on the
shared-SSA library (SsaImpl.qll).

Highlights:

  * DataFlowPublic/Private/Dispatch, Attributes, VariableCapture,
    IterableUnpacking, ImportResolution, ImportStar, LocalSources,
    TaintTrackingPrivate, MatchUnpacking, TypeTrackingImpl,
    SsaImpl, Builtins all now qualify CFG/SSA references with
    Cfg:: / SsaImpl:: and stop pulling in semmle.python.essa.*.

  * AstNodeImpl.qll/Cfg.qll: ImportMember exposes its inner
    ImportExpr, DefinitionNode.getValue covers Alias / AnnAssign /
    AugAssign / AssignExpr / For-target / Parameter-default,
    ForNode is treated as an expression node, AnnotatedExitNode is
    canonical, and BoolExprNode.getAnOperand drops the dominance
    constraint that did not hold for short-circuit BBs.

  * SsaImpl.qll: parameters always get a ParameterDefinition (so
    unused parameters still have SSA defs), scope-entry defs for
    module globals require an actual store somewhere, scope-exit
    has a synthetic use so reaching-defs survives to module
    boundary, and the legacy SsaSourceVariable / EssaVariable
    surface (getName, getScope, getAUse, getASourceUse,
    getAnImplicitUse) is reinstated for downstream queries.

  * DataFlowPublic.qll: GuardNode redesigned around the new
    structural outcome nodes (isAfterTrue / isAfterFalse).  The
    legacy ConditionBlock + flipped indirection is gone;
    controlsBlock walks UP through 'not' / '==True' / 'is False'
    etc. via outcomeOfGuard, accumulating polarity cleanly.  Only
    BarrierGuard<...> is preserved as public API.

  * ModuleVariableNode.getAWrite and LocalFlow::definitionFlowStep
    bypass SSA and consult Cfg::NameNode.defines /
    Cfg::DefinitionNode.getValue directly, so that write defs
    pruned by shared SSA (because the variable has no in-scope
    read) still produce dataflow steps.

  * Frameworks + downstream consumers: replace
    EssaVariable.hasDefiningNode, getAReturnValueFlowNode,
    Parameter.getDefault, Scope.getEntryNode / getANormalExit etc.
    with CFG-side bridges through Cfg::ControlFlowNode.

The legacy Flow.qll / Essa.qll stack is untouched and remains
available for queries that import it directly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: yoff

python/ql/lib/semmle/python/ApiGraphs.qll

@@ -6,8 +6,9 @@
  * directed and labeled; they specify how the components represented by nodes relate to each other.
  */
 
-// Importing python under the `py` namespace to avoid importing `CallNode` from `Flow.qll` and thereby having a naming conflict with `API::CallNode`.
+// Importing python under the `py` namespace to avoid importing `Cfg::CallNode` from `Flow.qll` and thereby having a naming conflict with `API::CallNode`.
 private import python as PY
+private import semmle.python.controlflow.internal.Cfg as Cfg
 import semmle.python.dataflow.new.DataFlow
 private import semmle.python.internal.CachedStages
 
@@ -282,15 +283,15 @@ module API {
       index = this.getIndex() and
       (
         // subscripting
-        exists(PY::SubscriptNode subscript |
+        exists(Cfg::SubscriptNode subscript |
           subscript.getObject() = this.getAValueReachableFromSource().asCfgNode() and
           subscript.getIndex() = index.asSink().asCfgNode()
         |
           // reading
           subscript = result.asSource().asCfgNode()
           or
           // writing
-          subscript.(PY::DefinitionNode).getValue() = result.asSink().asCfgNode()
+          subscript.(Cfg::DefinitionNode).getValue() = result.asSink().asCfgNode()
         )
         or
         // dictionary literals
@@ -684,7 +685,7 @@ module API {
      * Ignores relative imports, such as `from ..foo.bar import baz`.
      */
     private predicate imports(DataFlow::CfgNode imp, string name) {
-      exists(PY::ImportExprNode iexpr |
+      exists(Cfg::ImportExprNode iexpr |
         imp.getNode() = iexpr and
         not iexpr.getNode().isRelative() and
         name = iexpr.getNode().getImportedModuleName()
@@ -775,7 +776,7 @@ module API {
         // list literals, from `x` to `[x]`
         // TODO: once convenient, this should be done at a higher level than the AST,
         // at least at the CFG layer, to take splitting into account.
-        // Also consider `SequenceNode for generality.
+        // Also consider `Cfg::SequenceNode for generality.
         exists(PY::List list | list = pred.(DataFlow::ExprNode).getNode().getNode() |
           rhs.(DataFlow::ExprNode).getNode().getNode() = list.getAnElt() and
           lbl = Label::subscript()
@@ -805,7 +806,7 @@ module API {
         subscript = trackUseNode(src).getSubscript(index)
       |
         // from `x` to a definition of `x[...]`
-        rhs.asCfgNode() = subscript.asCfgNode().(PY::DefinitionNode).getValue() and
+        rhs.asCfgNode() = subscript.asCfgNode().(Cfg::DefinitionNode).getValue() and
         lbl = Label::subscript()
         or
         // from `x` to `"key"` in `x["key"]`

python/ql/lib/semmle/python/Concepts.qll

@@ -5,6 +5,7 @@
  */
 
 private import python
+private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowImplSpecific
 private import semmle.python.dataflow.new.RemoteFlowSources
@@ -214,7 +215,7 @@ module Path {
     SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
   }
 
-  private predicate safeAccessCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
+  private predicate safeAccessCheck(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
     g.(SafeAccessCheck::Range).checks(node, branch)
   }
 
@@ -223,7 +224,7 @@ module Path {
     /** A data-flow node that checks that a path is safe to access in some way, for example by having a controlled prefix. */
     abstract class Range extends DataFlow::GuardNode {
       /** Holds if this guard validates `node` upon evaluating to `branch`. */
-      abstract predicate checks(ControlFlowNode node, boolean branch);
+      abstract predicate checks(Cfg::ControlFlowNode node, boolean branch);
     }
   }
 }

python/ql/lib/semmle/python/controlflow/internal/AstNodeImpl.qll

@@ -10,6 +10,9 @@
  *   - Intermediate nodes for multi-operand boolean expressions.
  */
 
+overlay[local?]
+module;
+
 private import python as Py
 private import codeql.controlflow.ControlFlowGraph
 private import codeql.controlflow.SuccessorType
@@ -1193,6 +1196,30 @@ module Ast implements AstSig<Py::Location> {
     override AstNode getChild(int index) { index = 0 and result = this.getObject() }
   }
 
+  /**
+   * An `import x.y` module expression. Modelled as a leaf — the dotted
+   * name is just a string.
+   */
+  additional class ImportExpression extends Expr {
+    ImportExpression() { this.asExpr() instanceof Py::ImportExpr }
+  }
+
+  /**
+   * A `from m import x` member access. The module sub-expression is a
+   * child so that the CFG visits both the module load and this
+   * attribute selection.
+   */
+  additional class ImportMemberExpr extends Expr {
+    private Py::ImportMember im;
+
+    ImportMemberExpr() { this = TPyExpr(im) }
+
+    /** Gets the module expression `m` in `from m import x`. */
+    Expr getModule() { result.asExpr() = im.getModule() }
+
+    override AstNode getChild(int index) { index = 0 and result = this.getModule() }
+  }
+
   /** A tuple literal. */
   additional class TupleExpr extends Expr {
     private Py::Tuple tuple;
@@ -1581,4 +1608,6 @@ Py::AstNode astNodeToPyNode(Ast::AstNode n) {
   result = n.asStmt()
   or
   result = n.asScope()
+  or
+  result = n.asPattern()
 }

python/ql/lib/semmle/python/controlflow/internal/Cfg.qll

@@ -20,6 +20,24 @@ module;
 private import python as Py
 private import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
 private import codeql.controlflow.SuccessorType
+private import codeql.controlflow.BasicBlock as BB
+
+/**
+ * A nested sub-module that explicitly implements `BB::CfgSig`, so this
+ * `Cfg` facade can be passed to parameterised shared modules such as
+ * `codeql.dataflow.VariableCapture::Flow<L, Cfg, ...>`. The sub-module
+ * exposes the *raw* shared-CFG types from `AstNodeImpl.qll` (where the
+ * signature is satisfied natively), not the facade's wrapped types.
+ */
+module CfgSigImpl implements BB::CfgSig<Py::Location> {
+  class ControlFlowNode = CfgImpl::ControlFlowNode;
+
+  class BasicBlock = CfgImpl::BasicBlock;
+
+  class EntryBasicBlock = CfgImpl::Cfg::EntryBasicBlock;
+
+  predicate dominatingEdge = CfgImpl::Cfg::dominatingEdge/2;
+}
 
 /**
  * Gets the Python AST node corresponding to CFG node `n`, if any.
@@ -51,6 +69,11 @@ private predicate isCanonical(CfgImpl::ControlFlowNode n) {
   n instanceof CfgImpl::ControlFlow::EntryNode
   or
   n instanceof CfgImpl::ControlFlow::ExitNode
+  or
+  // Annotated exit nodes (normal + abnormal) — needed so that dataflow
+  // consumers can ask "is this the normal-exit of a scope?" and also
+  // so that scope-exit synthetic uses in SsaImpl can attach here.
+  n instanceof CfgImpl::ControlFlow::AnnotatedExitNode
 }
 
 /**
@@ -369,6 +392,35 @@ class BasicBlock extends CfgImpl::BasicBlock {
     or
     forex(BasicBlock immsucc | immsucc = super.getASuccessor() | immsucc.alwaysReaches(succ))
   }
+
+  /**
+   * Holds if this basic block ends in a node that branches on a boolean
+   * outcome, and `other` is dominated by the corresponding successor
+   * for `branch` while not being reachable from the other branch
+   * without going through this BB.
+   *
+   * In other words: any execution that reaches `other` must have just
+   * evaluated the last node of this BB and taken the `branch` outcome.
+   * This mirrors the legacy `ConditionBlock.controls(BB, branch)`.
+   */
+  predicate controls(BasicBlock other, boolean branch) {
+    exists(BasicBlock succ |
+      branch = true and succ = this.getATrueSuccessor()
+      or
+      branch = false and succ = this.getAFalseSuccessor()
+    |
+      succ.dominates(other) and
+      // The other branch must not also reach `other` — otherwise
+      // `other` is not actually controlled by `branch`.
+      not exists(BasicBlock otherSucc |
+        branch = true and otherSucc = this.getAFalseSuccessor()
+        or
+        branch = false and otherSucc = this.getATrueSuccessor()
+      |
+        otherSucc.reaches(other)
+      )
+    )
+  }
 }
 
 // ===========================================================================
@@ -734,8 +786,7 @@ class BoolExprNode extends ControlFlowNode {
   ControlFlowNode getAnOperand() {
     exists(Py::BoolExpr be |
       be = toAst(this) and
-      be.getAValue() = toAst(result) and
-      result.getBasicBlock().dominates(this.getBasicBlock())
+      be.getAValue() = toAst(result)
     )
   }
 }
@@ -766,20 +817,79 @@ class DefinitionNode extends ControlFlowNode {
 
   /** Gets the value assigned, if any. */
   ControlFlowNode getValue() {
-    exists(Py::Expr target, Py::Expr value |
-      target = toAst(this) and
-      value = toAst(result) and
-      result.getBasicBlock().dominates(this.getBasicBlock())
-    |
-      // x = value
-      exists(Py::Assign a | a.getATarget() = target and a.getValue() = value)
-      or
-      // x = y = value  (nested chained-assign target)
-      exists(Py::Assign a | a.getATarget().(Py::Tuple).getElt(_) = target and a.getValue() = value)
+    // For-target: the value is the for-loop's iter expression (which
+    // is also where `Cfg::ForNode` lives — its `getNode()` returns the
+    // enclosing `Py::For` statement). Treated specially because there
+    // is no AST node holding the result of `iter(next(seq))`; we use
+    // the iter expression's CFG node as the stand-in.
+    exists(Py::For f |
+      f.getTarget() = toAst(this) and
+      toAst(result) = f.getIter()
+    )
+    or
+    exists(Py::AstNode value | value = assignedValue(toAst(this)) |
+      toAst(result) = value and
+      (
+        result.getBasicBlock().dominates(this.getBasicBlock())
+        or
+        result.isImport()
+        or
+        // The default value for a parameter is evaluated in the same basic block as
+        // the function definition, but the parameter belongs to the basic block of the
+        // function, so there is no dominance relationship between the two.
+        exists(Py::Parameter param | toAst(this) = param.asName())
+      )
     )
   }
 }
 
+/**
+ * Gets the AST node that holds the value assigned to `lhs` in a binding
+ * context. Mirrors `Flow.qll::assigned_value`.
+ */
+private Py::AstNode assignedValue(Py::Expr lhs) {
+  // lhs = result
+  exists(Py::Assign a | a.getATarget() = lhs and result = a.getValue())
+  or
+  // lhs := result
+  exists(Py::AssignExpr a | a.getTarget() = lhs and result = a.getValue())
+  or
+  // lhs: annotation = result
+  exists(Py::AnnAssign a | a.getTarget() = lhs and result = a.getValue())
+  or
+  // import result as lhs  (also covers plain `import lhs`, where alias.getAsname() = lhs)
+  exists(Py::Alias a | a.getAsname() = lhs and result = a.getValue())
+  or
+  // lhs += x  -> result is the (lhs + x) binary expression
+  exists(Py::AugAssign a, Py::BinaryExpr b |
+    b = a.getOperation() and result = b and lhs = b.getLeft()
+  )
+  or
+  // Nested sequence assign: ..., lhs, ... = ..., result, ...
+  exists(Py::Assign a | nestedSequenceAssign(a.getATarget(), a.getValue(), lhs, result))
+  or
+  // Parameter default
+  exists(Py::Parameter param | lhs = param.asName() and result = param.getDefault())
+}
+
+/**
+ * Helper for nested sequence assignments such as `(a, b), c = (1, 2), 3`.
+ */
+private predicate nestedSequenceAssign(
+  Py::Expr leftParent, Py::Expr rightParent, Py::Expr left, Py::Expr right
+) {
+  exists(int i |
+    leftParent.(Py::Tuple).getElt(i) = left and rightParent.(Py::Tuple).getElt(i) = right
+    or
+    leftParent.(Py::List).getElt(i) = left and rightParent.(Py::List).getElt(i) = right
+  )
+  or
+  exists(Py::Expr leftMid, Py::Expr rightMid |
+    nestedSequenceAssign(leftParent, rightParent, leftMid, rightMid) and
+    nestedSequenceAssign(leftMid, rightMid, left, right)
+  )
+}
+
 /** A control flow node corresponding to a deletion (`del x`). */
 class DeletionNode extends ControlFlowNode {
   DeletionNode() { this.isDelete() }
@@ -789,8 +899,6 @@ class DeletionNode extends ControlFlowNode {
 class ForNode extends ControlFlowNode {
   ForNode() { exists(Py::For f | toAst(this) = f.getIter()) }
 
-  override Py::For getNode() { exists(Py::For f | toAst(this) = f.getIter() | result = f) }
-
   /** Gets the iterable expression. */
   ControlFlowNode getIter() {
     result = this and result = result // canonical "after" of the iterable
@@ -943,8 +1051,15 @@ class DictNode extends ControlFlowNode {
 /** A control flow node corresponding to an iterable in a `for` loop. */
 class IterableNode extends ControlFlowNode {
   IterableNode() {
-    exists(Py::For f | toAst(this) = f.getIter())
+    this instanceof SequenceNode
+    or
+    this instanceof SetNode
+  }
+
+  /** Gets the control flow node for an element of this iterable. */
+  ControlFlowNode getAnElement() {
+    result = this.(SequenceNode).getAnElement()
     or
-    exists(Py::Comp c | toAst(this) = c.getIterable())
+    result = this.(SetNode).getAnElement()
   }
 }

python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll

@@ -1,11 +1,12 @@
 /** Provides commonly used BarrierGuards. */
 
 private import python
+private import semmle.python.controlflow.internal.Cfg as Cfg
 private import semmle.python.dataflow.new.DataFlow
 
-private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
-  exists(CompareNode cn | cn = g |
-    exists(ImmutableLiteral const, Cmpop op, ControlFlowNode c |
+private predicate constCompare(DataFlow::GuardNode g, Cfg::ControlFlowNode node, boolean branch) {
+  exists(Cfg::CompareNode cn | cn = g |
+    exists(ImmutableLiteral const, Cmpop op, Cfg::ControlFlowNode c |
       c.getNode() = const and
       (
         op = any(Eq eq) and branch = true
@@ -18,7 +19,7 @@ private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, bool
       cn.operands(node, op, c)
     )
     or
-    exists(NameConstant const, Cmpop op, ControlFlowNode c |
+    exists(NameConstant const, Cmpop op, Cfg::ControlFlowNode c |
       c.getNode() = const and
       (
         op = any(Is is_) and branch = true
@@ -31,12 +32,12 @@ private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, bool
       cn.operands(node, op, c)
     )
     or
-    exists(IterableNode const_iterable, Cmpop op |
+    exists(Cfg::IterableNode const_iterable, Cmpop op |
       op = any(In in_) and branch = true
       or
       op = any(NotIn ni) and branch = false
     |
-      forall(ControlFlowNode elem | elem = const_iterable.getAnElement() |
+      forall(Cfg::ControlFlowNode elem | elem = const_iterable.getAnElement() |
         elem.getNode() instanceof ImmutableLiteral
       ) and
       cn.operands(node, op, const_iterable)