rigortype 0.1.19 → 0.2.0

data/lib/rigor/inference/parameter_inference_collector.rb

@@ -0,0 +1,367 @@
+# frozen_string_literal: true
+
+require "prism"
+
+require_relative "scope_indexer"
+require_relative "../source/node_walker"
+
+module Rigor
+  module Inference
+    # Pure argument-type classification for {ParameterInferenceCollector} — no
+    # collector state, so it lives outside the orchestration class. Decides which
+    # argument types may seed a parameter (concrete enough for the protection
+    # metric to bite) and widens a literal argument to its nominal.
+    module ParameterArgTypes
+      module_function
+
+      CONSTANT_CLASSES = {
+        Integer => "Integer", Float => "Float", String => "String",
+        Symbol => "Symbol", Range => "Range", TrueClass => "TrueClass",
+        FalseClass => "FalseClass", NilClass => "NilClass"
+      }.freeze
+
+      # A parameter holds a *value of* a type across its lifetime, not a pinned
+      # literal — so a `Constant<"text">` argument widens to its nominal
+      # (`String`); recurses through unions so `Constant<"a"> | Constant<"b">`
+      # collapses to `String`.
+      def widen_for_param(type)
+        case type
+        when Type::Constant
+          name = constant_class_name(type.value)
+          name ? Type::Combinator.nominal_of(name) : type
+        when Type::Union
+          Type::Combinator.union(*type.members.map { |member| widen_for_param(member) })
+        else
+          type
+        end
+      end
+
+      def constant_class_name(value)
+        CONSTANT_CLASSES.each { |klass, name| return name if value.is_a?(klass) }
+        nil
+      end
+
+      # The dispatch class for a receiver type, for the subset the collector
+      # resolves to a user `def` (mirrors `CheckRules#concrete_class_name` for the
+      # carriers a user-method receiver is typed as). `class_name_of` is the
+      # Nominal/Singleton-only variant for an implicit-self `self_type`.
+      def concrete_class_name(type)
+        case type
+        when Type::Nominal, Type::Singleton then type.class_name
+        when Type::Tuple then "Array"
+        when Type::HashShape then "Hash"
+        end
+      end
+
+      def class_name_of(type)
+        type.class_name if type.is_a?(Type::Nominal) || type.is_a?(Type::Singleton)
+      end
+
+      # Whether `type` is too gradual to seed (not a concrete dispatch target) —
+      # the negation of `ProtectionScanner#concrete_receiver?` (a union is
+      # concrete only when every arm is).
+      def non_concrete?(type)
+        case type
+        when Type::Dynamic, Type::Top, Type::Bot then true
+        when Type::Union then type.members.any? { |member| non_concrete?(member) }
+        else false
+        end
+      end
+    end
+
+    # ADR-67 WD3 + WD5 — call-site parameter type inference (capped fixpoint).
+    #
+    # A `def` parameter with no RBS signature types `untyped` (the gradual entry
+    # point), so a param flowing into an ivar or a receiver drains everything
+    # downstream to `Dynamic`. This pass closes that hole: it walks every project
+    # file, types each call's positional arguments in their lexical scope,
+    # resolves which user-defined `def` each call targets, and records the
+    # **union of resolved call-site argument types** per parameter — TypeProf's
+    # "a parameter's type is the union of every actual argument across all call
+    # sites". WD5: it iterates (cap {DEFAULT_ROUNDS}), re-seeding each round with
+    # the previous round's inferred parameters, so a parameter passed *another*
+    # parameter is typed one hop further per round (round 1 alone is the
+    # single-level pass).
+    #
+    # The result is keyed by `[class_name, method_name, kind]` — the same triple
+    # `StatementEvaluator#build_method_entry_scope` reconstructs from the lexical
+    # class path — so the consumer can seed an undeclared parameter with its
+    # inferred type. The table is precision-additive only: it never feeds a
+    # parameter-boundary diagnostic (an inferred type lives solely as a body
+    # local, and the boundary rules consult RBS, not body locals — see ADR-67
+    # WD1), so being wrong cannot manufacture a false positive at a caller.
+    #
+    # Soundness (WD4): the inferred type is a sound over-approximation only when
+    # every contributed call site resolves to a concrete argument type. Any
+    # `Dynamic` / `Top` / `Bot` argument (a `send`/dynamic-dispatch caller, or a
+    # parameter not yet typed in an earlier round) **poisons** the parameter,
+    # which then contributes nothing this round (it may type in a later round
+    # once its own argument resolves). Unresolved call sites do not contribute.
+    #
+    # What it does NOT do yet (deferred — the check-wiring slice): feeding the
+    # table into the `check` walk (only `coverage --protection` consumes it
+    # today), keyword / optional / rest / block parameters, inherited-method
+    # receivers, top-level helpers, and a rigorous closed-call-site-set proof
+    # (the union is optimistic over resolved sites — acceptable because the only
+    # consumer is the protection metric, which runs no diagnostics).
+    class ParameterInferenceCollector
+      EMPTY = {}.freeze
+
+      # A defensive widening cap (ADR-41): a parameter unioned from more than
+      # this many distinct concrete call-site types is widened to `untyped`
+      # (poisoned) rather than carrying an unbounded union.
+      MAX_CALL_SITE_TYPES = 16
+
+      # WD5 — the call-site union is a worklist fixpoint: each round re-types the
+      # project with the previous round's inferred parameters seeded, so a
+      # parameter passed *another* parameter is typed one hop further per round.
+      # Capped (no true-convergence requirement — the metric tolerates a bounded
+      # approximation, and the table can oscillate at the margin since a newly
+      # resolved receiver can surface a fresh untyped-argument call site). The
+      # cap matches the `Inference::BodyFixpoint` cap-3 convention. Round 1 alone
+      # is the single-level pass.
+      DEFAULT_ROUNDS = 3
+
+      # @param files [Array<String>] project `.rb` paths to scan for call sites.
+      # @param environment [Rigor::Environment]
+      # @param target_ruby [String, nil] Prism parse target.
+      # @param max_rounds [Integer] the WD5 fixpoint cap (1 = single-level).
+      # @return [Hash{[String,Symbol,Symbol] => Hash{Symbol => Rigor::Type}}] frozen.
+      def self.collect(files:, environment:, target_ruby: nil, max_rounds: DEFAULT_ROUNDS)
+        new(files: files, environment: environment, target_ruby: target_ruby, max_rounds: max_rounds).collect
+      end
+
+      def initialize(files:, environment:, target_ruby: nil, max_rounds: DEFAULT_ROUNDS)
+        @files = files
+        @environment = environment
+        @target_ruby = target_ruby
+        @max_rounds = max_rounds
+        # Reset per round (see {#run_round}). `[[class, method, kind], param_sym]`
+        # => [Type] of observed concrete arguments (a default-block Hash, not a
+        # `{}` literal, so the analyzer types its reads generically — {#finalize}),
+        # plus the ids widened to `untyped` (an untyped / over-cap argument).
+        @type_observations = Hash.new { |hash, id| hash[id] = [] }
+        @poisoned_params = Set.new
+      end
+
+      def collect
+        parsed = parse_all
+        discovery = discovery_seed_tables
+        table = EMPTY
+        @max_rounds.times do
+          rounded = run_round(parsed, discovery, table)
+          return rounded if rounded == table # fixpoint reached
+
+          table = rounded
+        end
+        table
+      end
+
+      private
+
+      # Parse every project file once; rounds re-index the cached ASTs against an
+      # evolving seed rather than re-parsing.
+      def parse_all
+        @files.filter_map do |path|
+          result = Prism.parse(File.read(path), filepath: path, version: @target_ruby)
+          [path, result.value] if result.errors.empty?
+        rescue Errno::ENOENT, Errno::EISDIR, Errno::EACCES
+          nil
+        end
+      end
+
+      # One fixpoint round: re-type every file with `seed_table` (the previous
+      # round's inferred parameters) seeded, collecting the next round's table.
+      def run_round(parsed, discovery_tables, seed_table)
+        @type_observations = Hash.new { |hash, id| hash[id] = [] }
+        @poisoned_params = Set.new
+        seed_scope = build_seed_scope(discovery_tables, seed_table)
+        parsed.each do |path, ast|
+          index = ScopeIndexer.index(ast, default_scope: seed_scope.with_source_path(path))
+          Source::NodeWalker.each(ast) do |node|
+            record_call(node, index) if node.is_a?(Prism::CallNode)
+          end
+        end
+        finalize
+      end
+
+      # A scope carrying the cross-file discovery index (so `Foo.new` receivers
+      # and implicit-self calls resolve to a user `def`) plus the prior round's
+      # inferred parameters (so an argument that reads a parameter types to its
+      # current inferred type — the WD5 propagation).
+      def build_seed_scope(discovery_tables, seed_table)
+        base = Scope.empty(environment: @environment)
+        tables = discovery_tables
+        tables = tables.merge(param_inferred_types: seed_table) unless seed_table.empty?
+        return base if tables.empty?
+
+        base.with_discovery(base.discovery.with(**tables))
+      end
+
+      def discovery_seed_tables
+        classes = ScopeIndexer.discovered_classes_for_paths(@files)
+        def_index = ScopeIndexer.discovered_def_index_for_paths(@files)
+        tables = {}
+        tables[:discovered_classes] = classes unless classes.empty?
+        DISCOVERY_FIELD.each do |index_key, field|
+          table = def_index.fetch(index_key)
+          tables[field] = table unless table.empty?
+        end
+        tables
+      rescue StandardError
+        # Discovery is best-effort; a malformed corner of the project must not
+        # crash the protection scan. Without discovery the collector simply
+        # resolves fewer call sites.
+        {}
+      end
+
+      DISCOVERY_FIELD = {
+        def_nodes: :discovered_def_nodes,
+        singleton_def_nodes: :discovered_singleton_def_nodes,
+        def_sources: :discovered_def_sources,
+        superclasses: :discovered_superclasses,
+        includes: :discovered_includes,
+        class_sources: :discovered_class_sources,
+        method_visibilities: :discovered_method_visibilities,
+        methods: :discovered_methods,
+        data_member_layouts: :data_member_layouts,
+        struct_member_layouts: :struct_member_layouts
+      }.freeze
+      private_constant :DISCOVERY_FIELD
+
+      def record_call(call_node, index)
+        args = positional_args(call_node)
+        return if args.nil?
+
+        scope = index[call_node]
+        return if scope.nil?
+
+        callee = resolve_callee(call_node, scope, index)
+        return if callee.nil?
+
+        class_name, method, kind, def_node = callee
+        requireds = simple_requireds(def_node)
+        return if requireds.nil? || requireds.size != args.size
+
+        key = [class_name, method, kind]
+        args.each_with_index do |arg, i|
+          arg_scope = index[arg]
+          accumulate(key, requireds[i].name, arg_scope&.type_of(arg))
+        end
+      end
+
+      # The plain positional arguments, or nil when the call carries any
+      # non-plain argument (splat / keyword / block-pass / forwarding) — those
+      # break the positional-index ↔ parameter mapping, so the call site is
+      # skipped rather than mis-attributed.
+      def positional_args(call_node)
+        arguments = call_node.arguments
+        return [] if arguments.nil?
+
+        list = arguments.arguments
+        return nil if list.any? { |arg| non_plain_argument?(arg) }
+
+        list
+      end
+
+      def non_plain_argument?(arg)
+        arg.is_a?(Prism::SplatNode) ||
+          arg.is_a?(Prism::KeywordHashNode) ||
+          arg.is_a?(Prism::BlockArgumentNode) ||
+          arg.is_a?(Prism::ForwardingArgumentsNode) ||
+          arg.is_a?(Prism::AssocNode) ||
+          arg.is_a?(Prism::AssocSplatNode)
+      end
+
+      # @return [[String, Symbol, Symbol, Prism::DefNode], nil]
+      def resolve_callee(call_node, scope, index)
+        if call_node.receiver.nil?
+          class_name, kind = implicit_self_target(scope)
+        else
+          class_name, kind = explicit_receiver_target(call_node.receiver, index, scope)
+        end
+        return nil if class_name.nil?
+
+        def_node = lookup_def(scope, class_name, call_node.name, kind)
+        return nil if def_node.nil?
+
+        [class_name, call_node.name, kind, def_node]
+      end
+
+      def implicit_self_target(scope)
+        self_type = scope.self_type
+        return [nil, nil] if self_type.nil?
+
+        [ParameterArgTypes.class_name_of(self_type), self_type.is_a?(Type::Singleton) ? :singleton : :instance]
+      end
+
+      def explicit_receiver_target(receiver, index, scope)
+        receiver_type = (index[receiver] || scope).type_of(receiver)
+        [ParameterArgTypes.concrete_class_name(receiver_type),
+         receiver_type.is_a?(Type::Singleton) ? :singleton : :instance]
+      end
+
+      def lookup_def(scope, class_name, method, kind)
+        table = kind == :singleton ? scope.discovered_singleton_def_nodes : scope.discovered_def_nodes
+        per_class = table[class_name]
+        per_class && per_class[method]
+      end
+
+      # The required-positional parameters, or nil when the method's parameter
+      # list is not a simple all-required shape (matching the single-level
+      # contract `ExpressionTyper#user_method_param_shape_simple?` uses) or
+      # contains a destructured `(a, b)` slot (no bindable name).
+      def simple_requireds(def_node)
+        params = def_node.parameters
+        return [] if params.nil?
+        return nil unless params.is_a?(Prism::ParametersNode)
+        return nil unless params.optionals.empty? && params.rest.nil? && params.posts.empty? &&
+                          params.keywords.empty? && params.keyword_rest.nil? && params.block.nil?
+        return nil unless params.requireds.all?(Prism::RequiredParameterNode)
+
+        params.requireds
+      end
+
+      def accumulate(key, param_name, arg_type)
+        id = [key, param_name.to_sym]
+        return if @poisoned_params.include?(id)
+
+        if arg_type.nil? || ParameterArgTypes.non_concrete?(arg_type)
+          poison(id)
+        else
+          observations = @type_observations[id]
+          observations << ParameterArgTypes.widen_for_param(arg_type)
+          poison(id) if observations.length > MAX_CALL_SITE_TYPES
+        end
+      end
+
+      # A poisoned parameter is dropped from the observation store and recorded
+      # so later call sites short-circuit. `id` is the `[[class, method, kind],
+      # param]` pair.
+      def poison(id)
+        @poisoned_params << id
+        @type_observations.delete(id)
+      end
+
+      def finalize
+        # `result` is a default-block Hash (not a `{}` literal) so the analyzer
+        # types its reads generically rather than folding the empty shape — the
+        # nesting writes stay plain assignments, no literal-fold conditions.
+        result = Hash.new { |hash, key| hash[key] = {} }
+        @type_observations.each do |id, observations|
+          next if @poisoned_params.include?(id)
+          next if observations.empty?
+
+          union = Type::Combinator.union(*observations)
+          # A union that collapsed to a non-concrete shape (e.g. a gradual arm
+          # leaked in) is no better than `untyped`; drop it.
+          next if ParameterArgTypes.non_concrete?(union)
+
+          key, param = id
+          result[key][param] = union
+        end
+        result.transform_values(&:freeze).freeze
+      end
+    end
+  end
+end

data/lib/rigor/inference/project_patched_methods.rb

@@ -13,13 +13,10 @@ module Rigor
     # project-side `lib/core_ext/string_extensions.rb` patches
     # are visible to cross-file dispatch.
     #
-    # Slice 2 ships the registry at the **floor**: the dispatcher
-    # answers `Type::Combinator.untyped` (Dynamic[Top]) on a hit;
-    # return-type inference for patched methods stays deferred
-    # (a separate slice when concrete demand surfaces — most
-    # real-world `core_ext` patches return shapes the analyzer
-    # could heuristically extract via the same machinery the
-    # ADR-10 walker uses, but slice 2 keeps the surface narrow).
+    # The dispatcher answers `Dynamic[T]` (with a heuristic static
+    # facet) when `Entry#return_type` is non-nil, or `Dynamic[Top]`
+    # when the heuristic declined (`nil`). See {Entry} for the
+    # per-field contract.
     class ProjectPatchedMethods
       # Frozen value-object recording one `def` observed by the
       # pre-pass. `class_name` is the qualified prefix

data/lib/rigor/inference/project_patched_scanner.rb

@@ -4,6 +4,7 @@ require "prism"
 
 require_relative "project_patched_methods"
 require_relative "../analysis/dependency_source_inference/return_type_heuristic"
+require_relative "../source/constant_path"
 
 module Rigor
   module Inference
@@ -161,7 +162,7 @@ module Rigor
       private_class_method :walk_children
 
       def descend_class_or_module(node, qualified_prefix, in_singleton_class, source_path, entries)
-        name = qualified_name_for(node.constant_path)
+        name = Source::ConstantPath.qualified_name_or_nil(node.constant_path)
         if name && node.body
           walk_node(node.body, qualified_prefix + [name], in_singleton_class, source_path, entries)
         else
@@ -193,18 +194,6 @@ module Rigor
         )
       end
       private_class_method :record_def_node
-
-      def qualified_name_for(node)
-        case node
-        when Prism::ConstantReadNode then node.name.to_s
-        when Prism::ConstantPathNode
-          parent = node.parent.nil? ? nil : qualified_name_for(node.parent)
-          return nil if !node.parent.nil? && parent.nil?
-
-          parent.nil? ? node.name.to_s : "#{parent}::#{node.name}"
-        end
-      end
-      private_class_method :qualified_name_for
     end
   end
 end

data/lib/rigor/inference/protection_scanner.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require_relative "scope_indexer"
+require_relative "../source/node_walker"
+
+module Rigor
+  module Inference
+    # ADR-63 Tier 1 — the static type-protection proxy. Walks every dispatch
+    # site (a method call with an explicit receiver) and classifies it by
+    # whether the receiver types to a concrete (non-`Dynamic`) type — i.e. a
+    # site where Rigor's call rules *can* bite (undefined-method / wrong-arity /
+    # argument-type-mismatch). A `Dynamic` / `Top` receiver (or a union with such
+    # an arm — gradually valid) is *unprotected*: Rigor is blind there, and a
+    # type annotation on it would buy real catching power.
+    #
+    # This is a sound UPPER BOUND on protection — a concrete receiver is
+    # necessary but not sufficient for a diagnostic to actually fire — and it is
+    # one `type_of` pass, so it runs interactively and in CI. The truth tier
+    # (does a diagnostic fire) is the phased mutation tier.
+    class ProtectionScanner
+      # A single unprotected call site.
+      Site = Data.define(:line, :receiver, :method_name)
+
+      FileResult = Data.define(:protected_count, :unprotected_count, :sites) do
+        def total = protected_count + unprotected_count
+
+        # Protected ratio; a file with no dispatch sites is vacuously fully
+        # protected (nothing to get wrong).
+        def ratio = total.zero? ? 1.0 : protected_count.to_f / total
+      end
+
+      def initialize(scope: nil)
+        @scope = scope || Scope.empty
+      end
+
+      # @param root [Prism::Node] the parsed AST
+      # @return [FileResult]
+      def scan(root)
+        index = ScopeIndexer.index(root, default_scope: @scope)
+        protected_count = 0
+        sites = []
+
+        Source::NodeWalker.each(root) do |node|
+          next unless dispatch_site?(node)
+
+          receiver_type = index[node.receiver].type_of(node.receiver)
+          if concrete_receiver?(receiver_type)
+            protected_count += 1
+          else
+            sites << Site.new(
+              line: node.location.start_line,
+              receiver: safe_describe(receiver_type),
+              method_name: node.name.to_s
+            )
+          end
+        end
+
+        FileResult.new(protected_count: protected_count, unprotected_count: sites.size, sites: sites)
+      end
+
+      private
+
+      def dispatch_site?(node)
+        node.is_a?(Prism::CallNode) && !node.receiver.nil?
+      end
+
+      # A receiver Rigor can reason about: anything that is not `Dynamic` /
+      # `Top`, and (for a union) only when every arm is concrete — a single
+      # `Dynamic` arm makes the whole call gradually valid, so the rules stay
+      # silent there.
+      def concrete_receiver?(type)
+        case type
+        when Type::Dynamic, Type::Top then false
+        when Type::Union then type.members.all? { |member| concrete_receiver?(member) }
+        else true
+        end
+      end
+
+      def safe_describe(type)
+        type.respond_to?(:describe) ? type.describe(:short) : type.to_s
+      rescue StandardError
+        type.class.name
+      end
+    end
+  end
+end