Python: migrate remaining tests off getAFlowNode() and fix star-import SSA step

yoff · Copilot · yoff · commit 38985db33dc5 · 2026-05-28T13:13:11.000Z
Sweep the last few uses of legacy AstNode.getAFlowNode() in tests over to
explicit ControlFlowNode joins after the shared-CFG migration. importflow.ql
needs the new Cfg::ControlFlowNode/CompareNode types because DataFlow::Node.
asCfgNode() now returns the shared-CFG node.

Also extend ImportResolution::allowedEssaImportStep to walk back through
uncertain-write SSA inputs, so that a later 'from X import *' does not hide
the preceding explicit (re)assignment from module-export resolution. Without
this, a reassigned name that survives a wildcard import was no longer
recognised as the module export. Rebless ModuleExport.expected to drop the
legacy 'ControlFlowNode for' toString prefix and pick up the two correct rows
exposed by the fix.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll b/python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll
@@ -87,8 +87,14 @@ module ImportResolution {
   ) {
     // to handle definitions guarded by if-then-else
     defFrom = defTo.(SsaImpl::PhiFunction).getAnInput()
+    or
+    // to handle uncertain writes such as `from X import *`, which create an
+    // uncertain SSA definition for every name in the importing scope. The
+    // immediately preceding definition is still potentially the value of the
+    // module export.
+    SsaImpl::Ssa::uncertainWriteDefinitionInput(defTo, defFrom)
     // Note: legacy ESSA refinement-step (e.g. for `foo.bar = X`) is
-    // not modelled in the new SSA. We rely on phi steps only.
+    // not modelled in the new SSA beyond the cases handled above.
   }
 
   /**
diff --git a/python/ql/test/2/library-tests/comprehensions/ConsistencyCheck.ql b/python/ql/test/2/library-tests/comprehensions/ConsistencyCheck.ql
@@ -5,5 +5,7 @@
 import python
 
 select count(Comprehension c |
-    count(c.toString()) != 1 or count(c.getLocation()) != 1 or not exists(c.getAFlowNode())
+    count(c.toString()) != 1 or
+    count(c.getLocation()) != 1 or
+    not exists(ControlFlowNode n | n.getNode() = c)
   )
diff --git a/python/ql/test/experimental/import-resolution/ModuleExport.expected b/python/ql/test/experimental/import-resolution/ModuleExport.expected
diff --git a/python/ql/test/experimental/import-resolution/importflow.ql b/python/ql/test/experimental/import-resolution/importflow.ql
@@ -3,6 +3,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.ApiGraphs
 import utils.test.InlineExpectationsTest
 import semmle.python.dataflow.new.internal.ImportResolution
+private import semmle.python.controlflow.internal.Cfg as Cfg
 
 /** A string that appears on the right hand side of an assignment. */
 private class SourceString extends DataFlow::Node {
@@ -45,13 +46,15 @@ private class VersionGuardedNode extends DataFlow::Node {
 
   VersionGuardedNode() {
     version in [2, 3] and
-    exists(If parent, CompareNode c | parent.getBody().contains(this.asExpr()) |
+    exists(If parent, Cfg::CompareNode c, Cfg::ControlFlowNode litCfg |
+      parent.getBody().contains(this.asExpr()) and
+      litCfg.getNode() = any(IntegerLiteral lit | lit.getValue() = version)
+    |
       c.operands(API::moduleImport("sys")
             .getMember("version_info")
             .getASubscript()
             .asSource()
-            .asCfgNode(), any(Eq eq),
-        any(IntegerLiteral lit | lit.getValue() = version).getAFlowNode())
+            .asCfgNode(), any(Eq eq), litCfg)
     )
   }
 
diff --git a/python/ql/test/library-tests/ControlFlow/PointsToSupport/UseFromDefinition.ql b/python/ql/test/library-tests/ControlFlow/PointsToSupport/UseFromDefinition.ql
@@ -9,7 +9,7 @@ Expr assignedValue(Name n) {
 
 from Name def, DefinitionNode d
 where
-  d = def.getAFlowNode() and
+  d.getNode() = def and
   exists(assignedValue(def)) and
   not d.getValue().getNode() = assignedValue(def)
 select def.toString(), assignedValue(def)
diff --git a/python/ql/test/library-tests/ControlFlow/splitting/NodeCount.ql b/python/ql/test/library-tests/ControlFlow/splitting/NodeCount.ql
@@ -8,4 +8,4 @@ where
   not a instanceof ExprStmt and
   a.getScope() = s and
   s instanceof Function
-select a.getLocation().getStartLine(), s.getName(), a, count(a.getAFlowNode())
+select a.getLocation().getStartLine(), s.getName(), a, count(ControlFlowNode n | n.getNode() = a)
diff --git a/python/ql/test/library-tests/dataflow/tainttracking/TestTaintLib.qll b/python/ql/test/library-tests/dataflow/tainttracking/TestTaintLib.qll
@@ -44,7 +44,7 @@ query predicate test_taint(string arg_location, string test_res, string scope_na
       // TODO: Replace with `hasFlowToExpr` once that is working
       if
         TestTaintTrackingFlow::flowTo(any(DataFlow::Node n |
-            n.(DataFlow::CfgNode).getNode() = arg.getAFlowNode()
+            n.(DataFlow::CfgNode).getNode().getNode() = arg
           ))
       then has_taint = true
       else has_taint = false

Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,7 @@`
`5`	`5`	`import python`
`6`	`6`
`7`	`7`	`select count(Comprehension c \|`
`8`		`- count(c.toString()) != 1 or count(c.getLocation()) != 1 or not exists(c.getAFlowNode())`
	`8`	`+ count(c.toString()) != 1 or`
	`9`	`+ count(c.getLocation()) != 1 or`
	`10`	`+ not exists(ControlFlowNode n \| n.getNode() = c)`
`9`	`11`	`)`