github · aschackmull · Mar 5, 2026 · Mar 5, 2026 · Mar 3, 2026 · Mar 9, 2026
@@ -13,17 +13,19 @@ import csharp
 import Solorigate
 import experimental.code.csharp.Cryptography.NonCryptographicHashes
 
+ControlFlowNode loopExitNode(LoopStmt loop) { result.isAfter(loop) }
+
 from Variable v, Literal l, LoopStmt loop, Expr additional_xor
 where
   maybeUsedInFnvFunction(v, _, _, loop) and
   (
     exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
+      loopExitNode(loop).getASuccessor*() = xor2.getAControlFlowNode() and
       xor2.getAnOperand() = v.getAnAccess()
     )
     or
     exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
+      loopExitNode(loop).getASuccessor*() = xor2.getAControlFlowNode() and
       xor2.getAnOperand() = v.getAnAccess()
     )
   )

@@ -1,5 +1,2 @@
 import csharp
-import semmle.code.csharp.controlflow.internal.Completion
-import ControlFlow
-import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl::Consistency
-import semmle.code.csharp.controlflow.internal.Splitting
+import ControlFlow::Consistency
@@ -1,26 +1,11 @@
 import csharp
-private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl as ControlFlowGraphImpl
 private import semmle.code.csharp.dataflow.internal.DataFlowImplSpecific
 private import semmle.code.csharp.dataflow.internal.TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
 
 private module Input implements InputSig<Location, CsharpDataFlow> {
   private import CsharpDataFlow
 
-  private predicate isStaticAssignable(Assignable a) { a.(Modifiable).isStatic() }
-
-  predicate uniqueEnclosingCallableExclude(Node node) {
-    // TODO: Remove once static initializers are folded into the
-    // static constructors
-    isStaticAssignable(ControlFlowGraphImpl::getNodeCfgScope(node.getControlFlowNode()))
-  }
-
-  predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) {
-    // TODO: Remove once static initializers are folded into the
-    // static constructors
-    isStaticAssignable(ControlFlowGraphImpl::getNodeCfgScope(call.getControlFlowNode()))
-  }
-
   predicate uniqueNodeLocationExclude(Node n) {
     // Methods with multiple implementations
     n instanceof ParameterNode
@@ -70,16 +55,6 @@ private module Input implements InputSig<Location, CsharpDataFlow> {
           init.getInitializer().getNumberOfChildren() > 1
         )
       or
-      exists(ControlFlow::Nodes::ElementNode cfn, ControlFlow::Nodes::Split split |
-        exists(arg.asExprAtNode(cfn))
-      |
-        split = cfn.getASplit() and
-        not split = call.getControlFlowNode().getASplit()
-        or
-        split = call.getControlFlowNode().getASplit() and
-        not split = cfn.getASplit()
-      )
-      or
       call.(NonDelegateDataFlowCall).getDispatchCall().isReflection()
     )
   }

@@ -1,13 +1,6 @@
 import csharp
 import semmle.code.csharp.dataflow.internal.DataFlowPrivate::VariableCapture::Flow::ConsistencyChecks
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate::VariableCapture::Flow::ConsistencyChecks as ConsistencyChecks
-private import semmle.code.csharp.controlflow.BasicBlocks
-private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl
-
-query predicate uniqueEnclosingCallable(BasicBlock bb, string msg) {
-  ConsistencyChecks::uniqueEnclosingCallable(bb, msg) and
-  getNodeCfgScope(bb.getFirstNode()) instanceof Callable
-}
 
 query predicate consistencyOverview(string msg, int n) { none() }
 

@@ -7,7 +7,7 @@
  * @tags ide-contextual-queries/print-cfg
  */
 
-private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl
+import csharp
 
 external string selectedSourceFile();
 
@@ -21,15 +21,15 @@ external int selectedSourceColumn();
 
 private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
 
-module ViewCfgQueryInput implements ViewCfgQueryInputSig<File> {
+module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<File> {
   predicate selectedSourceFile = selectedSourceFileAlias/0;
 
   predicate selectedSourceLine = selectedSourceLineAlias/0;
 
   predicate selectedSourceColumn = selectedSourceColumnAlias/0;
 
   predicate cfgScopeSpan(
-    CfgScope scope, File file, int startLine, int startColumn, int endLine, int endColumn
+    Callable scope, File file, int startLine, int startColumn, int endLine, int endColumn
   ) {
     file = scope.getFile() and
     scope.getLocation().getStartLine() = startLine and
@@ -40,11 +40,20 @@ module ViewCfgQueryInput implements ViewCfgQueryInputSig<File> {
     |
       loc = scope.(Callable).getBody().getLocation()
       or
-      loc = scope.(Field).getInitializer().getLocation()
+      loc = any(AssignExpr init | scope.(ObjectInitMethod).initializes(init)).getLocation()
       or
-      loc = scope.(Property).getInitializer().getLocation()
+      exists(AssignableMember a, Constructor ctor |
+        scope = ctor and
+        ctor.isStatic() and
+        a.isStatic() and
+        a.getDeclaringType() = ctor.getDeclaringType()
+      |
+        loc = a.(Field).getInitializer().getLocation()
+        or
+        loc = a.(Property).getInitializer().getLocation()
+      )
     )
   }
 }
 
-import ViewCfgQuery<File, ViewCfgQueryInput>
+import ControlFlow::ViewCfgQuery<File, ViewCfgQueryInput>
@@ -83,7 +83,7 @@ class AssignableRead extends AssignableAccess {
   }
 
   pragma[noinline]
-  private ControlFlow::Node getAnAdjacentReadSameVar() {
+  private ControlFlowNode getAnAdjacentReadSameVar() {
     SsaImpl::adjacentReadPairSameVar(_, this.getAControlFlowNode(), result)
   }
 
@@ -113,7 +113,7 @@ class AssignableRead extends AssignableAccess {
    */
   pragma[nomagic]
   AssignableRead getANextRead() {
-    forex(ControlFlow::Node cfn | cfn = result.getAControlFlowNode() |
+    forex(ControlFlowNode cfn | cfn = result.getAControlFlowNode() |
       cfn = this.getAnAdjacentReadSameVar()
     )
   }
@@ -402,9 +402,7 @@ class AssignableDefinition extends TAssignableDefinition {
    * the definitions of `x` and `y` in `M(out x, out y)` and `(x, y) = (0, 1)`
    * relate to the same call to `M` and assignment node, respectively.
    */
-  deprecated ControlFlow::Node getAControlFlowNode() {
-    result = this.getExpr().getAControlFlowNode()
-  }
+  deprecated ControlFlowNode getAControlFlowNode() { result = this.getExpr().getAControlFlowNode() }
 
   /**
    * Gets the underlying expression that updates the targeted assignable when
@@ -477,7 +475,7 @@ class AssignableDefinition extends TAssignableDefinition {
    */
   pragma[nomagic]
   AssignableRead getAFirstRead() {
-    forex(ControlFlow::Node cfn | cfn = result.getAControlFlowNode() |
+    forex(ControlFlowNode cfn | cfn = result.getAControlFlowNode() |
       exists(Ssa::ExplicitDefinition def | result = def.getAFirstReadAtNode(cfn) |
         this = def.getADefinition()
       )
@@ -555,9 +553,7 @@ module AssignableDefinitions {
   }
 
   /** Holds if a node in basic block `bb` assigns to `ref` parameter `p` via definition `def`. */
-  private predicate basicBlockRefParamDef(
-    ControlFlow::BasicBlock bb, Parameter p, AssignableDefinition def
-  ) {
+  private predicate basicBlockRefParamDef(BasicBlock bb, Parameter p, AssignableDefinition def) {
     def = any(RefArg arg).getAnAnalyzableRefDef(p) and
     bb.getANode() = def.getExpr().getAControlFlowNode()
   }
@@ -568,17 +564,15 @@ module AssignableDefinitions {
    * any assignments to `p`.
    */
   pragma[nomagic]
-  private predicate parameterReachesWithoutDef(Parameter p, ControlFlow::BasicBlock bb) {
+  private predicate parameterReachesWithoutDef(Parameter p, BasicBlock bb) {
     forall(AssignableDefinition def | basicBlockRefParamDef(bb, p, def) |
       isUncertainRefCall(def.getTargetAccess())
     ) and
     (
       any(RefArg arg).isAnalyzable(p) and
       p.getCallable().getEntryPoint() = bb.getFirstNode()
       or
-      exists(ControlFlow::BasicBlock mid | parameterReachesWithoutDef(p, mid) |
-        bb = mid.getASuccessor()
-      )
+      exists(BasicBlock mid | parameterReachesWithoutDef(p, mid) | bb = mid.getASuccessor())
     )
   }
 
@@ -590,7 +584,7 @@ module AssignableDefinitions {
   cached
   predicate isUncertainRefCall(RefArg arg) {
     arg.isPotentialAssignment() and
-    exists(ControlFlow::BasicBlock bb, Parameter p | arg.isAnalyzable(p) |
+    exists(BasicBlock bb, Parameter p | arg.isAnalyzable(p) |
       parameterReachesWithoutDef(p, bb) and
       bb.getLastNode() = p.getCallable().getExitPoint()
     )
@@ -671,7 +665,7 @@ module AssignableDefinitions {
     /** Gets the underlying parameter. */
     Parameter getParameter() { result = p }
 
-    deprecated override ControlFlow::Node getAControlFlowNode() {
+    deprecated override ControlFlowNode getAControlFlowNode() {
       result = p.getCallable().getEntryPoint()
     }
 

@@ -7,23 +7,6 @@ private import csharp
  * in the same stage across different files.
  */
 module Stages {
-  cached
-  module ControlFlowStage {
-    private import semmle.code.csharp.controlflow.internal.Splitting
-
-    cached
-    predicate forceCachingInSameStage() { any() }
-
-    cached
-    private predicate forceCachingInSameStageRev() {
-      exists(Split s)
-      or
-      exists(ControlFlow::Node n)
-      or
-      forceCachingInSameStageRev()
-    }
-  }
-
   cached
   module GuardsStage {
     private import semmle.code.csharp.controlflow.Guards

@@ -22,7 +22,7 @@ private import TypeRef
  * an anonymous function (`AnonymousFunctionExpr`), or a local function
  * (`LocalFunction`).
  */
-class Callable extends Parameterizable, ExprOrStmtParent, @callable {
+class Callable extends Parameterizable, ControlFlowElementOrCallable, @callable {
   /** Gets the return type of this callable. */
   Type getReturnType() { none() }
 
@@ -157,10 +157,10 @@ class Callable extends Parameterizable, ExprOrStmtParent, @callable {
   final predicate hasExpressionBody() { exists(this.getExpressionBody()) }
 
   /** Gets the entry point in the control graph for this callable. */
-  ControlFlow::Nodes::EntryNode getEntryPoint() { result.getCallable() = this }
+  ControlFlow::EntryNode getEntryPoint() { result.getEnclosingCallable() = this }
 
   /** Gets the exit point in the control graph for this callable. */
-  ControlFlow::Nodes::ExitNode getExitPoint() { result.getCallable() = this }
+  ControlFlow::ExitNode getExitPoint() { result.getEnclosingCallable() = this }
 
   /**
    * Gets the enclosing callable of this callable, if any.

@@ -1,20 +1,21 @@
 /** Provides logic for determining constant expressions. */
 
 import csharp
+private import codeql.controlflow.SuccessorType
 private import semmle.code.csharp.commons.ComparisonTest
 private import semmle.code.csharp.commons.StructuralComparison as StructuralComparison
 
 pragma[noinline]
-private predicate isConstantCondition0(ControlFlow::Node cfn, boolean b) {
-  exists(cfn.getASuccessorByType(any(ControlFlow::BooleanSuccessor t | t.getValue() = b))) and
-  strictcount(ControlFlow::SuccessorType t | exists(cfn.getASuccessorByType(t))) = 1
+private predicate isConstantCondition0(ControlFlowNode cfn, boolean b) {
+  exists(cfn.getASuccessor(any(BooleanSuccessor t | t.getValue() = b))) and
+  strictcount(SuccessorType t | exists(cfn.getASuccessor(t))) = 1
 }
 
 /**
  * Holds if `e` is a condition that always evaluates to Boolean value `b`.
  */
 predicate isConstantCondition(Expr e, boolean b) {
-  forex(ControlFlow::Node cfn | cfn = e.getAControlFlowNode() | isConstantCondition0(cfn, b))
+  forex(ControlFlowNode cfn | cfn = e.getAControlFlowNode() | isConstantCondition0(cfn, b))
 }
 
 /**