Python: remove Function.getAReturnValueFlowNode() and rewrite callers

Follow-up to the getAFlowNode removal in the same PR: same AST→legacy-CFG
bridge pattern. Rewrite the 11 call sites (across objects/, types/,
frameworks/, and TypeTrackingImpl) to bind a `Return ret` explicitly,
then constrain via `ret.getScope() = f and n.getNode() = ret.getValue()`.

Semantic noop.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: yoff

python/ql/lib/semmle/python/Function.qll

@@ -153,14 +153,6 @@ class Function extends Function_, Scope, AstNode {
 
   override predicate contains(AstNode inner) { Scope.super.contains(inner) }
 
-  /** Gets a control flow node for a return value of this function */
-  ControlFlowNode getAReturnValueFlowNode() {
-    exists(Return ret |
-      ret.getScope() = this and
-      ret.getValue() = result.getNode()
-    )
-  }
-
   /** Gets the minimum number of positional arguments that can be correctly passed to this function. */
   int getMinPositionalArguments() {
     result = count(this.getAnArg()) - count(this.getDefinition().getArgs().getADefault())

python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll

@@ -94,8 +94,10 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input {
   Node returnOf(Node callable, SummaryComponent return) {
     return = FlowSummaryImpl::Private::SummaryComponent::return() and
     // `result` should be the return value of a callable expression (lambda or function) referenced by `callable`
-    result.asCfgNode() =
-      callable.getALocalSource().asExpr().(CallableExpr).getInnerScope().getAReturnValueFlowNode()
+    exists(Return ret |
+      ret.getScope() = callable.getALocalSource().asExpr().(CallableExpr).getInnerScope() and
+      result.asCfgNode().getNode() = ret.getValue()
+    )
   }
 
   // Relating callables to nodes

python/ql/lib/semmle/python/frameworks/Bottle.qll

@@ -73,7 +73,10 @@ module Bottle {
       /** A response returned by a view callable. */
       class BottleReturnResponse extends Http::Server::HttpResponse::Range {
         BottleReturnResponse() {
-          this.asCfgNode() = any(View::ViewCallable vc).getAReturnValueFlowNode()
+          exists(Return ret |
+            ret.getScope() = any(View::ViewCallable vc) and
+            this.asCfgNode().getNode() = ret.getValue()
+          )
         }
 
         override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2872,7 +2872,10 @@ module PrivateDjango {
     DataFlow::CfgNode
   {
     DjangoRedirectViewGetRedirectUrlReturn() {
-      node = any(GetRedirectUrlFunction f).getAReturnValueFlowNode()
+      exists(Return ret |
+        ret.getScope() = any(GetRedirectUrlFunction f) and
+        node.getNode() = ret.getValue()
+      )
     }
 
     override DataFlow::Node getRedirectLocation() { result = this }

python/ql/lib/semmle/python/frameworks/FastApi.qll

@@ -309,7 +309,10 @@ module FastApi {
       FastApiRouteSetup routeSetup;
 
       FastApiRequestHandlerReturn() {
-        node = routeSetup.getARequestHandler().getAReturnValueFlowNode()
+        exists(Return ret |
+          ret.getScope() = routeSetup.getARequestHandler() and
+          node.getNode() = ret.getValue()
+        )
       }
 
       override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/frameworks/Pyramid.qll

@@ -166,7 +166,10 @@ module Pyramid {
     /** A response returned by a view callable. */
     private class PyramidReturnResponse extends Http::Server::HttpResponse::Range {
       PyramidReturnResponse() {
-        this.asCfgNode() = any(View::ViewCallable vc).getAReturnValueFlowNode() and
+        exists(Return ret |
+          ret.getScope() = any(View::ViewCallable vc) and
+          this.asCfgNode().getNode() = ret.getValue()
+        ) and
         not this = instance()
       }
 

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2254,8 +2254,9 @@ module StdlibPrivate {
       DataFlow::CfgNode
     {
       WsgirefSimpleServerApplicationReturn() {
-        exists(WsgirefSimpleServerApplication requestHandler |
-          node = requestHandler.getAReturnValueFlowNode()
+        exists(WsgirefSimpleServerApplication requestHandler, Return ret |
+          ret.getScope() = requestHandler and
+          node.getNode() = ret.getValue()
         )
       }
 

python/ql/lib/semmle/python/frameworks/Twisted.qll

@@ -182,7 +182,10 @@ private module Twisted {
     DataFlow::CfgNode
   {
     TwistedResourceRenderMethodReturn() {
-      this.asCfgNode() = any(TwistedResourceRenderMethod meth).getAReturnValueFlowNode()
+      exists(Return ret |
+        ret.getScope() = any(TwistedResourceRenderMethod meth) and
+        this.asCfgNode().getNode() = ret.getValue()
+      )
     }
 
     override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/objects/Callables.qll

@@ -81,11 +81,12 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti
 
   pragma[nomagic]
   override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) {
-    exists(Function func, ControlFlowNode rval, ControlFlowNode forigin |
+    exists(Function func, Return ret, ControlFlowNode rval, ControlFlowNode forigin |
       func = this.getScope() and
       callee.appliesToScope(func)
     |
-      rval = func.getAReturnValueFlowNode() and
+      ret.getScope() = func and
+      rval.getNode() = ret.getValue() and
       PointsToInternal::pointsTo(rval, callee, obj, forigin) and
       origin = CfgOrigin::fromCfgNode(forigin)
     )

python/ql/lib/semmle/python/objects/ObjectAPI.qll

@@ -745,7 +745,12 @@ class PythonFunctionValue extends FunctionValue {
   override int maxParameters() { result = this.getScope().getMaxPositionalArguments() }
 
   /** Gets a control flow node corresponding to a return statement in this function */
-  ControlFlowNode getAReturnedNode() { result = this.getScope().getAReturnValueFlowNode() }
+  ControlFlowNode getAReturnedNode() {
+    exists(Return ret |
+      ret.getScope() = this.getScope() and
+      result.getNode() = ret.getValue()
+    )
+  }
 
   override ClassValue getARaisedType() { scope_raises(result, this.getScope()) }