Python: migrate src queries to new shared CFG types + reformat

Migrate 27 queries under python/ql/src/ from legacy CFG types
(CallNode/AttrNode/NameNode/etc.) to the shared-CFG-based 'Cfg::'
namespace, matching the dataflow API surface introduced earlier on
this branch. ModificationOfParameterWithDefaultCustomizations.qll
is rewritten on top of BarrierGuard, removing the last legacy ESSA
dependency in that file. UnguardedNextInGenerator.ql still uses
ESSA and bridges to the new CFG via Cfg::CallNode.getNode().

Also reformat 14 library and query files that had drifted from
the formatter.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: yoff

python/ql/lib/semmle/python/Exprs.qll

@@ -28,7 +28,9 @@ class Expr extends Expr_, AstNode {
   /** Whether this expression may have a side effect (as determined purely from its syntax) */
   predicate hasSideEffects() {
     /* If an exception raised by this expression handled, count that as a side effect */
-    exists(ControlFlowNode n | n.getNode() = this | n.getASuccessor().getNode() instanceof ExceptStmt)
+    exists(ControlFlowNode n | n.getNode() = this |
+      n.getASuccessor().getNode() instanceof ExceptStmt
+    )
     or
     this.getASubExpression().hasSideEffects()
   }
@@ -94,7 +96,6 @@ class Subscript extends Subscript_ {
   }
 
   Expr getObject() { result = Subscript_.super.getValue() }
-
 }
 
 /** A call expression, such as `func(...)` */
@@ -110,7 +111,6 @@ class Call extends Call_ {
 
   override string toString() { result = this.getFunc().toString() + "()" }
 
-
   /** Gets a tuple (*) argument of this call. */
   Expr getStarargs() { result = this.getAPositionalArg().(Starred).getValue() }
 
@@ -196,7 +196,6 @@ class IfExp extends IfExp_ {
   override Expr getASubExpression() {
     result = this.getTest() or result = this.getBody() or result = this.getOrelse()
   }
-
 }
 
 /** A starred expression, such as the `*rest` in the assignment `first, *rest = seq` */
@@ -405,7 +404,6 @@ class PlaceHolder extends PlaceHolder_ {
   override Expr getASubExpression() { none() }
 
   override string toString() { result = "$" + this.getId() }
-
 }
 
 /** A tuple expression such as `( 1, 3, 5, 7, 9 )` */
@@ -472,7 +470,6 @@ class Name extends Name_ {
 
   override string toString() { result = this.getId() }
 
-
   override predicate isArtificial() {
     /* Artificial variable names in comprehensions all start with "." */
     this.getId().charAt(0) = "."
@@ -578,7 +575,6 @@ abstract class NameConstant extends Name, ImmutableLiteral {
 
   override predicate isConstant() { any() }
 
-
   override predicate isArtificial() { none() }
 }
 

python/ql/lib/semmle/python/Flow.qll

@@ -726,7 +726,9 @@ private Py::AstNode assigned_value(Py::Expr lhs) {
   exists(Py::Alias a | a.getAsname() = lhs and result = a.getValue())
   or
   /* lhs += x  =>  result = (lhs + x) */
-  exists(Py::AugAssign a, Py::BinaryExpr b | b = a.getOperation() and result = b and lhs = b.getLeft())
+  exists(Py::AugAssign a, Py::BinaryExpr b |
+    b = a.getOperation() and result = b and lhs = b.getLeft()
+  )
   or
   /*
    * ..., lhs, ... = ..., result, ...
@@ -868,7 +870,9 @@ class NameNode extends ControlFlowNode {
   /** Whether this is a use of a global (including builtin) variable. */
   predicate isGlobal() { Scopes::use_of_global_variable(this, _, _) }
 
-  predicate isSelf() { exists(Py::SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this) }
+  predicate isSelf() {
+    exists(Py::SsaVariable selfvar | selfvar.isSelf() and selfvar.getAUse() = this)
+  }
 }
 
 /** A control flow node corresponding to a named constant, one of `None`, `True` or `False`. */

python/ql/lib/semmle/python/Import.qll

@@ -162,7 +162,6 @@ class ImportMember extends ImportMember_ {
   string getImportedModuleName() {
     result = this.getModule().(ImportExpr).getImportedModuleName() + "." + this.getName()
   }
-
 }
 
 /** An import statement */

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -287,19 +287,19 @@ predicate isClassmethod(Function func) {
 
 /** Holds if the function `func` has a `property` decorator. */
 overlay[local]
-predicate hasPropertyDecorator(Function func) {
-  func.getADecorator().(Name).getId() = "property"
-}
+predicate hasPropertyDecorator(Function func) { func.getADecorator().(Name).getId() = "property" }
 
 /**
  * Holds if the function `func` has a `contextlib.contextmanager`.
  */
 overlay[local]
 predicate hasContextmanagerDecorator(Function func) {
   exists(Cfg::ControlFlowNode contextmanager |
-    contextmanager.(Cfg::NameNode).getId() = "contextmanager" and contextmanager.(Cfg::NameNode).isGlobal()
+    contextmanager.(Cfg::NameNode).getId() = "contextmanager" and
+    contextmanager.(Cfg::NameNode).isGlobal()
     or
-    contextmanager.(Cfg::AttrNode).getObject("contextmanager").(Cfg::NameNode).getId() = "contextlib"
+    contextmanager.(Cfg::AttrNode).getObject("contextmanager").(Cfg::NameNode).getId() =
+      "contextlib"
   |
     func.getADecorator() = contextmanager.getNode()
   )
@@ -1348,7 +1348,9 @@ predicate normalCallArg(Cfg::CallNode call, Node arg, ArgumentPosition apos) {
  * translated into `l.clear()`, and we can still have use-use flow.
  */
 cached
-predicate getCallArg(Cfg::CallNode call, Function target, CallType type, Node arg, ArgumentPosition apos) {
+predicate getCallArg(
+  Cfg::CallNode call, Function target, CallType type, Node arg, ArgumentPosition apos
+) {
   Stages::DataFlow::ref() and
   resolveCall(call, target, type) and
   (
@@ -1441,7 +1443,9 @@ private predicate sameEnclosingCallable(Node node1, Node node2) {
 // DataFlowCall
 // =============================================================================
 newtype TDataFlowCall =
-  TNormalCall(Cfg::CallNode call, Function target, CallType type) { resolveCall(call, target, type) } or
+  TNormalCall(Cfg::CallNode call, Function target, CallType type) {
+    resolveCall(call, target, type)
+  } or
   /** A call to the generated function inside a comprehension */
   TComprehensionCall(Comp c) or
   TPotentialLibraryCall(Cfg::CallNode call) or

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -37,7 +37,9 @@ newtype TNode =
    * A node corresponding to a scope entry definition. That is, the value of a variable
    * as it enters a scope.
    */
-  TScopeEntryDefinitionNode(SsaImpl::ScopeEntryDefinition def) { not def.getScope() instanceof Module } or
+  TScopeEntryDefinitionNode(SsaImpl::ScopeEntryDefinition def) {
+    not def.getScope() instanceof Module
+  } or
   /**
    * A synthetic node representing the value of an object before a state change.
    *
@@ -656,11 +658,15 @@ private predicate outcomeOfGuard(
   )
   or
   // Recursive: comparisons against a boolean literal.
-  exists(Cfg::CompareNode cmpNode, Cmpop op, Cfg::ControlFlowNode otherOperand,
-         Cfg::ControlFlowNode guardOperand, boolean polarity, boolean cmpBranch
+  exists(
+    Cfg::CompareNode cmpNode, Cmpop op, Cfg::ControlFlowNode otherOperand,
+    Cfg::ControlFlowNode guardOperand, boolean polarity, boolean cmpBranch
   |
     guardOperand.getNode() = guard.getNode() and
-    (cmpNode.operands(guardOperand, op, otherOperand) or cmpNode.operands(otherOperand, op, guardOperand)) and
+    (
+      cmpNode.operands(guardOperand, op, otherOperand) or
+      cmpNode.operands(otherOperand, op, guardOperand)
+    ) and
     not guard.getNode() instanceof BooleanLiteral and
     (
       (op instanceof Eq or op instanceof Is) and
@@ -692,7 +698,9 @@ module BarrierGuard<guardChecksSig/3 guardChecks> {
     result = ParameterizedBarrierGuard<Unit, extendedGuardChecks/4>::getABarrierNode(_)
   }
 
-  private predicate extendedGuardChecks(GuardNode g, Cfg::ControlFlowNode node, boolean branch, Unit u) {
+  private predicate extendedGuardChecks(
+    GuardNode g, Cfg::ControlFlowNode node, boolean branch, Unit u
+  ) {
     guardChecks(g, node, branch) and
     u = u
   }
@@ -790,7 +798,11 @@ newtype TContent =
     or
     // d["key"] = ...
     key =
-      any(Cfg::SubscriptNode sub | sub.isStore() | sub.getIndex().getNode().(StringLiteral).getText())
+      any(Cfg::SubscriptNode sub |
+        sub.isStore()
+      |
+        sub.getIndex().getNode().(StringLiteral).getText()
+      )
     or
     // d.setdefault("key", ...)
     exists(Cfg::CallNode call | call.getFunction().(Cfg::AttrNode).getName() = "setdefault" |

python/ql/lib/semmle/python/dataflow/new/internal/IterableUnpacking.qll

@@ -233,7 +233,8 @@ class UnpackingAssignmentTarget extends Cfg::ControlFlowNode {
 }
 
 /** A (possibly recursive) target of an unpacking assignment which is also a sequence. */
-class UnpackingAssignmentSequenceTarget extends UnpackingAssignmentTarget instanceof Cfg::SequenceNode {
+class UnpackingAssignmentSequenceTarget extends UnpackingAssignmentTarget instanceof Cfg::SequenceNode
+{
   Cfg::ControlFlowNode getElement(int i) { result = super.getElement(i) }
 
   Cfg::ControlFlowNode getAnElement() { result = this.getElement(_) }

python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll

@@ -97,8 +97,7 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input {
     return = FlowSummaryImpl::Private::SummaryComponent::return() and
     // `result` should be the return value of a callable expression (lambda or function) referenced by `callable`
     exists(Return ret |
-      ret.getScope() =
-        callable.getALocalSource().asExpr().(CallableExpr).getInnerScope() and
+      ret.getScope() = callable.getALocalSource().asExpr().(CallableExpr).getInnerScope() and
       result.asCfgNode().getNode() = ret.getValue()
     )
   }
@@ -311,7 +310,9 @@ module TypeTrackingInput implements Shared::TypeTrackingInput<Location> {
     //
     // nodeFrom is `expr`
     // nodeTo is entry node for `f`
-    exists(SsaImpl::ScopeEntryDefinition e, SsaImpl::SsaSourceVariable var, Cfg::DefinitionNode def |
+    exists(
+      SsaImpl::ScopeEntryDefinition e, SsaImpl::SsaSourceVariable var, Cfg::DefinitionNode def
+    |
       e.getSourceVariable() = var and
       def.getNode() = var.getVariable().getAStore()
     |

python/ql/lib/semmle/python/dataflow/old/Implementation.qll

@@ -448,8 +448,7 @@ class TaintTrackingImplementation extends string instanceof TaintTracking::Confi
       context = TNoParam() and
       src = TTaintTrackingNode_(retval, TNoParam(), path, kind, this) and
       node.asCfgNode() = call and
-      retval.asCfgNode().getNode() =
-        any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
+      retval.asCfgNode().getNode() = any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
     ) and
     edgeLabel = "return"
   }
@@ -471,8 +470,7 @@ class TaintTrackingImplementation extends string instanceof TaintTracking::Confi
       this.callContexts(call, src, pyfunc, context, callee) and
       retnode = TTaintTrackingNode_(retval, callee, path, kind, this) and
       node.asCfgNode() = call and
-      retval.asCfgNode().getNode() =
-        any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
+      retval.asCfgNode().getNode() = any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
     ) and
     edgeLabel = "call"
   }

python/ql/src/Exceptions/UnguardedNextInGenerator.ql

@@ -12,24 +12,26 @@
 
 import python
 private import semmle.python.ApiGraphs
+private import semmle.python.controlflow.internal.Cfg as Cfg
+private import semmle.python.Flow as Flow
 
 API::Node iter() { result = API::builtin("iter") }
 
 API::Node next() { result = API::builtin("next") }
 
 API::Node stopIteration() { result = API::builtin("StopIteration") }
 
-predicate call_to_iter(CallNode call, EssaVariable sequence) {
-  call = iter().getACall().asCfgNode() and
+predicate call_to_iter(Flow::CallNode call, EssaVariable sequence) {
+  call.getNode() = iter().getACall().asCfgNode().(Cfg::CallNode).getNode() and
   call.getArg(0) = sequence.getAUse()
 }
 
-predicate call_to_next(CallNode call, ControlFlowNode iter) {
-  call = next().getACall().asCfgNode() and
+predicate call_to_next(Flow::CallNode call, Flow::ControlFlowNode iter) {
+  call.getNode() = next().getACall().asCfgNode().(Cfg::CallNode).getNode() and
   call.getArg(0) = iter
 }
 
-predicate call_to_next_has_default(CallNode call) {
+predicate call_to_next_has_default(Flow::CallNode call) {
   exists(call.getArg(1)) or exists(call.getArgByName("default"))
 }
 
@@ -49,14 +51,14 @@ predicate iter_not_exhausted(EssaVariable iterator) {
   )
 }
 
-predicate stop_iteration_handled(CallNode call) {
+predicate stop_iteration_handled(Flow::CallNode call) {
   exists(Try t |
     t.containsInScope(call.getNode()) and
     t.getAHandler().getType() = stopIteration().getAValueReachableFromSource().asExpr()
   )
 }
 
-from CallNode call
+from Flow::CallNode call
 where
   call_to_next(call, _) and
   not call_to_next_has_default(call) and

python/ql/src/Expressions/CallArgs.qll

@@ -116,9 +116,7 @@ FunctionValue get_function_or_initializer(Value func_or_cls) {
 predicate illegally_named_parameter_objectapi(Call call, Object func, string name) {
   not func.isC() and
   name = call.getANamedArgumentName() and
-  exists(ControlFlowNode callCfg | callCfg.getNode() = call |
-    callCfg = get_a_call_objectapi(func)
-  ) and
+  exists(ControlFlowNode callCfg | callCfg.getNode() = call | callCfg = get_a_call_objectapi(func)) and
   not get_function_or_initializer_objectapi(func).isLegalArgumentName(name)
 }