circle-ir 3.9.8 → 3.9.10

package/dist/browser/circle-ir.js

@@ -10483,7 +10483,8 @@ function findSinks(calls, patterns) {
             cwe: pattern.cwe,
             location,
             line: call.location.line,
-            confidence
+            confidence,
+            method: call.method_name
           });
         }
       }
@@ -11278,6 +11279,71 @@ var CodeGraph = class {
   }
 };
 
+// src/graph/exception-flow-graph.ts
+var ExceptionFlowGraph = class {
+  /** All try/catch pairs found in the CFG. */
+  pairs;
+  /** Block IDs that are catch-handler entry blocks. */
+  catchEntryIds;
+  /** Block IDs that are try-body entry blocks. */
+  tryEntryIds;
+  tryCatchMap;
+  // tryEntryId → [catchEntryId, …]
+  catchTryMap;
+  // catchEntryId → tryEntryId
+  constructor(cfg, blockById) {
+    this.pairs = [];
+    this.catchEntryIds = /* @__PURE__ */ new Set();
+    this.tryEntryIds = /* @__PURE__ */ new Set();
+    this.tryCatchMap = /* @__PURE__ */ new Map();
+    this.catchTryMap = /* @__PURE__ */ new Map();
+    for (const edge of cfg.edges) {
+      if (edge.type !== "exception") continue;
+      const tryBlock = blockById.get(edge.from);
+      const catchBlock = blockById.get(edge.to);
+      if (!tryBlock || !catchBlock) continue;
+      this.tryEntryIds.add(edge.from);
+      this.catchEntryIds.add(edge.to);
+      const catches = this.tryCatchMap.get(edge.from) ?? [];
+      catches.push(edge.to);
+      this.tryCatchMap.set(edge.from, catches);
+      this.catchTryMap.set(edge.to, edge.from);
+      this.pairs.push({
+        tryEntryId: edge.from,
+        catchEntryId: edge.to,
+        tryBlock,
+        catchBlock
+      });
+    }
+  }
+  /** True if at least one try/catch pair was found. */
+  get hasTryCatch() {
+    return this.pairs.length > 0;
+  }
+  /** True if the given block ID is a catch-handler entry block. */
+  isCatchEntry(blockId) {
+    return this.catchEntryIds.has(blockId);
+  }
+  /** True if the given block ID is a try-body entry block. */
+  isTryEntry(blockId) {
+    return this.tryEntryIds.has(blockId);
+  }
+  /**
+   * Returns the catch-entry block IDs for the given try-entry block.
+   * Multiple values mean multiple catch clauses for the same try.
+   */
+  catchBlocksFor(tryEntryId) {
+    return this.tryCatchMap.get(tryEntryId) ?? [];
+  }
+  /**
+   * Returns the try-entry block ID corresponding to a catch-entry block,
+   * or `undefined` if the block is not a catch entry.
+   */
+  tryBlockFor(catchEntryId) {
+    return this.catchTryMap.get(catchEntryId);
+  }
+};
+
 // src/graph/analysis-pass.ts
 var AnalysisPipeline = class {
   passes = [];
@@ -17422,7 +17488,8 @@ function filterCleanVariableSinks(sinks, calls, taintedVars, symbols, dfg, sanit
   return sinks.filter((sink) => {
     const callsAtSink = callsByLine.get(sink.line) ?? [];
     const isInSynchronizedBlock = synchronizedLines?.has(sink.line) ?? false;
-    for (const call of callsAtSink) {
+    const relevantCalls = sink.method ? callsAtSink.filter((c) => c.method_name === sink.method) : callsAtSink;
+    for (const call of relevantCalls) {
       let allArgsAreClean = true;
       const methodName = call.in_method;
       for (const arg of call.arguments) {
@@ -19690,6 +19757,431 @@ var ReactInlineJsxPass = class {
   }
 };
 
+// src/analysis/passes/swallowed-exception-pass.ts
+var MEANINGFUL_ACTION_RE = /\b(throw|raise|log|logger|console\.(error|warn|log|debug|info)|System\.(out|err)\.|print(?:ln|f)?|warn|error|debug|info|fatal|LOGGER|LOG|logging\.(warning|error|debug|info|critical))\b|\breturn\s+\S/;
+var SwallowedExceptionPass = class {
+  name = "swallowed-exception";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language === "rust" || language === "bash") {
+      return { swallowed: [] };
+    }
+    const { cfg } = graph.ir;
+    if (cfg.blocks.length === 0) return { swallowed: [] };
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    if (!exGraph.hasTryCatch) return { swallowed: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const swallowed = [];
+    const reported = /* @__PURE__ */ new Set();
+    for (const pair of exGraph.pairs) {
+      const catchLine = pair.catchBlock.start_line;
+      if (reported.has(catchLine)) continue;
+      const methodInfo = graph.methodAtLine(catchLine);
+      const scanEnd = methodInfo ? methodInfo.method.end_line : codeLines.length;
+      const catchBodyEnd = this.findCatchBodyEnd(codeLines, catchLine, scanEnd);
+      let hasAction = false;
+      for (let ln = catchLine; ln <= catchBodyEnd && ln <= codeLines.length; ln++) {
+        if (MEANINGFUL_ACTION_RE.test(codeLines[ln - 1] ?? "")) {
+          hasAction = true;
+          break;
+        }
+      }
+      if (!hasAction) {
+        reported.add(catchLine);
+        swallowed.push({ line: catchLine });
+        const snippet = (codeLines[catchLine - 1] ?? "").trim();
+        ctx.addFinding({
+          id: `swallowed-exception-${file}-${catchLine}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-390",
+          severity: "medium",
+          level: "warning",
+          message: `Swallowed exception: catch block at line ${catchLine} has no throw, log, or return \u2014 the exception is silently discarded`,
+          file,
+          line: catchLine,
+          snippet,
+          fix: "At minimum log the exception, or re-throw it; never silently discard exceptions"
+        });
+      }
+    }
+    return { swallowed };
+  }
+  /**
+   * Walks source lines starting at `startLine` counting brace depth.
+   * Returns the line where the brace depth first returns to zero after
+   * the opening brace (i.e., the closing brace of the catch block).
+   * Capped at `maxLine`.
+   */
+  findCatchBodyEnd(lines, startLine, maxLine) {
+    let depth = 0;
+    let started = false;
+    for (let ln = startLine; ln <= maxLine && ln <= lines.length; ln++) {
+      const text = lines[ln - 1] ?? "";
+      for (const ch of text) {
+        if (ch === "{") {
+          depth++;
+          started = true;
+        } else if (ch === "}" && started) {
+          depth--;
+        }
+      }
+      if (started && depth <= 0) return ln;
+    }
+    return maxLine;
+  }
+};
+
+// src/analysis/passes/broad-catch-pass.ts
+var JAVA_BROAD_RE = /catch\s*\(\s*(Exception|Throwable|RuntimeException|Error)\s/;
+var PYTHON_BROAD_RE = /^\s*except\s*:|except\s+(Exception|BaseException)\b/;
+var BroadCatchPass = class {
+  name = "broad-catch";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "java" && language !== "python") {
+      return { broadCatches: [] };
+    }
+    const { cfg } = graph.ir;
+    if (cfg.blocks.length === 0) return { broadCatches: [] };
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    if (!exGraph.hasTryCatch) return { broadCatches: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const broadCatches = [];
+    const reported = /* @__PURE__ */ new Set();
+    const pattern = language === "java" ? JAVA_BROAD_RE : PYTHON_BROAD_RE;
+    for (const pair of exGraph.pairs) {
+      const catchLine = pair.catchBlock.start_line;
+      if (reported.has(catchLine)) continue;
+      const lineText = codeLines[catchLine - 1] ?? "";
+      const match = pattern.exec(lineText);
+      if (!match) continue;
+      const caughtType = match[1] ?? "Exception";
+      reported.add(catchLine);
+      broadCatches.push({ line: catchLine, type: caughtType });
+      const snippet = lineText.trim();
+      ctx.addFinding({
+        id: `broad-catch-${file}-${catchLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-396",
+        severity: "low",
+        level: "warning",
+        message: `Broad catch: catching \`${caughtType}\` at line ${catchLine} suppresses unexpected errors and hides bugs`,
+        file,
+        line: catchLine,
+        snippet,
+        fix: language === "java" ? `Catch the specific exception types your code can handle (e.g., \`IOException\`, \`SQLException\`)` : `Catch the specific exception types your code can handle (e.g., \`ValueError\`, \`KeyError\`)`,
+        evidence: { caughtType }
+      });
+    }
+    return { broadCatches };
+  }
+};
+
+// src/analysis/passes/unhandled-exception-pass.ts
+var JS_THROW_RE = /^\s*throw\s+/;
+var PYTHON_RAISE_RE = /^\s*raise\b/;
+var UnhandledExceptionPass = class {
+  name = "unhandled-exception";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code, language } = ctx;
+    if (language !== "javascript" && language !== "typescript" && language !== "python") {
+      return { unhandled: [] };
+    }
+    const { cfg } = graph.ir;
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const exGraph = new ExceptionFlowGraph(cfg, graph.blockById);
+    const coveredRanges = [];
+    for (const pair of exGraph.pairs) {
+      if (pair.catchBlock.start_line > pair.tryBlock.start_line) {
+        coveredRanges.push({
+          start: pair.tryBlock.start_line,
+          end: pair.catchBlock.start_line - 1
+        });
+      }
+    }
+    const catchStarts = new Set(
+      exGraph.pairs.map((p) => p.catchBlock.start_line)
+    );
+    const throwRe = language === "python" ? PYTHON_RAISE_RE : JS_THROW_RE;
+    const unhandled = [];
+    const reportedMethods = /* @__PURE__ */ new Set();
+    for (let ln = 1; ln <= codeLines.length; ln++) {
+      const lineText = codeLines[ln - 1] ?? "";
+      if (!throwRe.test(lineText)) continue;
+      let inCatch = false;
+      for (const cs of catchStarts) {
+        if (ln >= cs) {
+          inCatch = true;
+          break;
+        }
+      }
+      inCatch = false;
+      for (const pair of exGraph.pairs) {
+        if (ln >= pair.catchBlock.start_line) {
+          const mThrow = graph.methodAtLine(ln);
+          const mCatch = graph.methodAtLine(pair.catchBlock.start_line);
+          if (mThrow && mCatch && mThrow.method.start_line === mCatch.method.start_line) {
+            inCatch = true;
+            break;
+          }
+        }
+      }
+      if (inCatch) continue;
+      const isCovered = coveredRanges.some((r) => ln >= r.start && ln <= r.end);
+      if (isCovered) continue;
+      const methodInfo = graph.methodAtLine(ln);
+      const methodKey = methodInfo ? `${methodInfo.method.start_line}-${methodInfo.method.end_line}` : `global-${ln}`;
+      if (reportedMethods.has(methodKey)) continue;
+      reportedMethods.add(methodKey);
+      const methodName = methodInfo?.method.name ?? "<anonymous>";
+      unhandled.push({ line: ln, method: methodName });
+      const snippet = lineText.trim();
+      ctx.addFinding({
+        id: `unhandled-exception-${file}-${ln}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-390",
+        severity: "medium",
+        level: "warning",
+        message: `Unhandled exception: \`throw\` at line ${ln} in \`${methodName}\` is not inside a try/catch \u2014 callers receive an unexpected exception`,
+        file,
+        line: ln,
+        snippet,
+        fix: "Wrap throwing code in a try/catch, or document the exception in the function signature",
+        evidence: { method: methodName }
+      });
+    }
+    return { unhandled };
+  }
+};
+
+// src/analysis/passes/double-close-pass.ts
+var RESOURCE_CTORS2 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS2 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS2 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+var DoubleClosePass = class {
+  name = "double-close";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code } = ctx;
+    if (ctx.language === "bash") return { doubleCloses: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const doubleCloses = [];
+    for (const call of graph.ir.calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS2.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS2.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const { start_line: methodStart, end_line: methodEnd } = methodInfo.method;
+      const closeCalls = graph.ir.calls.filter(
+        (c) => CLOSE_METHODS2.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      );
+      if (closeCalls.length < 2) continue;
+      const closeLines = closeCalls.map((c) => c.location.line);
+      const allInFinally = closeLines.every(
+        (cl) => this.isInFinallyBlock(codeLines, cl, methodStart, methodEnd)
+      );
+      if (allInFinally) continue;
+      doubleCloses.push({ openLine, closeLines, variable: resourceVar });
+      const snippet = (codeLines[openLine - 1] ?? "").trim();
+      const linesStr = closeLines.join(" and ");
+      ctx.addFinding({
+        id: `double-close-${file}-${openLine}`,
+        pass: this.name,
+        category: this.category,
+        rule_id: this.name,
+        cwe: "CWE-675",
+        severity: "medium",
+        level: "warning",
+        message: `Double close: \`${resourceVar}\` is closed at lines ${linesStr} \u2014 closing an already-closed resource may throw`,
+        file,
+        line: openLine,
+        snippet,
+        fix: `Close the resource exactly once in a finally block; add a null/isClosed guard before the second close if closing on multiple paths`,
+        evidence: { variable: resourceVar, close_lines: closeLines }
+      });
+    }
+    return { doubleCloses };
+  }
+  /** True if the given line is inside a `finally` block in the method. */
+  isInFinallyBlock(lines, targetLine, methodStart, methodEnd) {
+    for (let ln = methodStart; ln <= targetLine && ln <= methodEnd && ln <= lines.length; ln++) {
+      if (/\bfinally\b/.test(lines[ln - 1] ?? "")) return true;
+    }
+    return false;
+  }
+};
+
+// src/analysis/passes/use-after-close-pass.ts
+var RESOURCE_CTORS3 = /* @__PURE__ */ new Set([
+  "FileInputStream",
+  "FileOutputStream",
+  "FileReader",
+  "FileWriter",
+  "BufferedReader",
+  "BufferedWriter",
+  "PrintWriter",
+  "InputStreamReader",
+  "OutputStreamWriter",
+  "RandomAccessFile",
+  "DataInputStream",
+  "DataOutputStream",
+  "ObjectInputStream",
+  "ObjectOutputStream",
+  "ZipInputStream",
+  "ZipOutputStream",
+  "JarInputStream",
+  "JarOutputStream",
+  "GZIPInputStream",
+  "GZIPOutputStream",
+  "FileChannel",
+  "Socket",
+  "ServerSocket",
+  "DatagramSocket"
+]);
+var RESOURCE_FACTORY_METHODS3 = /* @__PURE__ */ new Set([
+  "openConnection",
+  "openStream",
+  "newInputStream",
+  "newOutputStream",
+  "newBufferedReader",
+  "newBufferedWriter",
+  "newByteChannel",
+  "open",
+  "createReadStream",
+  "createWriteStream",
+  "createConnection"
+]);
+var CLOSE_METHODS3 = /* @__PURE__ */ new Set([
+  "close",
+  "dispose",
+  "shutdown",
+  "disconnect",
+  "release",
+  "destroy",
+  "free",
+  "shutdownNow",
+  "terminate"
+]);
+var UseAfterClosePass = class {
+  name = "use-after-close";
+  category = "reliability";
+  run(ctx) {
+    const { graph, code } = ctx;
+    if (ctx.language === "bash") return { useAfterCloses: [] };
+    const file = graph.ir.meta.file;
+    const codeLines = code.split("\n");
+    const useAfterCloses = [];
+    for (const call of graph.ir.calls) {
+      const name2 = call.method_name;
+      const isConstructor = call.is_constructor === true && RESOURCE_CTORS3.has(name2);
+      const isFactory = !call.is_constructor && RESOURCE_FACTORY_METHODS3.has(name2);
+      if (!isConstructor && !isFactory) continue;
+      const openLine = call.location.line;
+      const defs = graph.defsAtLine(openLine);
+      if (defs.length === 0) continue;
+      const resourceVar = defs[0].variable;
+      const methodInfo = graph.methodAtLine(openLine);
+      if (!methodInfo) continue;
+      const methodEnd = methodInfo.method.end_line;
+      const firstClose = graph.ir.calls.filter(
+        (c) => CLOSE_METHODS3.has(c.method_name) && c.receiver === resourceVar && c.location.line > openLine && c.location.line <= methodEnd
+      ).sort((a, b) => a.location.line - b.location.line)[0];
+      if (!firstClose) continue;
+      const closeLine = firstClose.location.line;
+      const usesAfterClose = graph.ir.calls.filter(
+        (c) => c.receiver === resourceVar && c.location.line > closeLine && c.location.line <= methodEnd && !CLOSE_METHODS3.has(c.method_name)
+      );
+      for (const use of usesAfterClose) {
+        const useLine = use.location.line;
+        useAfterCloses.push({ openLine, closeLine, useLine, variable: resourceVar });
+        const snippet = (codeLines[useLine - 1] ?? "").trim();
+        ctx.addFinding({
+          id: `use-after-close-${file}-${useLine}`,
+          pass: this.name,
+          category: this.category,
+          rule_id: this.name,
+          cwe: "CWE-672",
+          severity: "high",
+          level: "error",
+          message: `Use after close: \`${resourceVar}.${use.method_name}()\` at line ${useLine} is called after \`${resourceVar}.close()\` at line ${closeLine}`,
+          file,
+          line: useLine,
+          snippet,
+          fix: `Do not use a resource after closing it; keep \`${resourceVar}\` open until all uses are complete`,
+          evidence: { variable: resourceVar, close_line: closeLine, open_line: openLine }
+        });
+      }
+    }
+    return { useAfterCloses };
+  }
+};
+
 // src/analysis/metrics/passes/size-metrics-pass.ts
 var SizeMetricsPass = class {
   name = "size-metrics";
@@ -20489,7 +20981,7 @@ async function analyze(code, filePath, language, options = {}) {
     enriched: {}
   });
   const config = options.taintConfig ?? getDefaultConfig();
-  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).run(graph, code, language, config);
+  const { results, findings } = new AnalysisPipeline().add(new TaintMatcherPass()).add(new ConstantPropagationPass(tree)).add(new LanguageSourcesPass()).add(new SinkFilterPass()).add(new TaintPropagationPass()).add(new InterproceduralPass()).add(new DeadCodePass()).add(new MissingAwaitPass()).add(new NPlusOnePass()).add(new MissingPublicDocPass()).add(new TodoInProdPass()).add(new StringConcatLoopPass()).add(new SyncIoAsyncPass()).add(new UncheckedReturnPass()).add(new NullDerefPass()).add(new ResourceLeakPass()).add(new VariableShadowingPass()).add(new LeakedGlobalPass()).add(new UnusedVariablePass()).add(new DependencyFanOutPass()).add(new StaleDocRefPass()).add(new InfiniteLoopPass()).add(new DeepInheritancePass()).add(new RedundantLoopPass()).add(new UnboundedCollectionPass()).add(new SerialAwaitPass()).add(new ReactInlineJsxPass()).add(new SwallowedExceptionPass()).add(new BroadCatchPass()).add(new UnhandledExceptionPass()).add(new DoubleClosePass()).add(new UseAfterClosePass()).run(graph, code, language, config);
   const sinkFilter = results.get("sink-filter");
   const interProc = results.get("interprocedural");
   const taint = {

package/dist/core/circle-ir-core.cjs

@@ -10591,7 +10591,8 @@ function findSinks(calls, patterns) {
             cwe: pattern.cwe,
             location,
             line: call.location.line,
-            confidence
+            confidence,
+            method: call.method_name
           });
         }
       }

package/dist/core/circle-ir-core.js

@@ -10526,7 +10526,8 @@ function findSinks(calls, patterns) {
             cwe: pattern.cwe,
             location,
             line: call.location.line,
-            confidence
+            confidence,
+            method: call.method_name
           });
         }
       }

package/dist/graph/exception-flow-graph.d.ts

@@ -0,0 +1,44 @@
+/**
+ * ExceptionFlowGraph — lightweight wrapper over CFG exception edges.
+ *
+ * The CFG builder emits edges with `type === 'exception'` connecting the
+ * first block of a try body (`from`) to the first block of the corresponding
+ * catch handler (`to`).  This class indexes those edges so exception-aware
+ * passes can query try/catch structure without re-scanning the edge list.
+ */
+import type { CFG, CFGBlock } from '../types/index.js';
+export interface TryCatchInfo {
+    tryEntryId: number;
+    catchEntryId: number;
+    /** First block of the try body. */
+    tryBlock: CFGBlock;
+    /** First block of the catch handler. */
+    catchBlock: CFGBlock;
+}
+export declare class ExceptionFlowGraph {
+    /** All try/catch pairs found in the CFG. */
+    readonly pairs: TryCatchInfo[];
+    /** Block IDs that are catch-handler entry blocks. */
+    readonly catchEntryIds: Set<number>;
+    /** Block IDs that are try-body entry blocks. */
+    readonly tryEntryIds: Set<number>;
+    private readonly tryCatchMap;
+    private readonly catchTryMap;
+    constructor(cfg: CFG, blockById: Map<number, CFGBlock>);
+    /** True if at least one try/catch pair was found. */
+    get hasTryCatch(): boolean;
+    /** True if the given block ID is a catch-handler entry block. */
+    isCatchEntry(blockId: number): boolean;
+    /** True if the given block ID is a try-body entry block. */
+    isTryEntry(blockId: number): boolean;
+    /**
+     * Returns the catch-entry block IDs for the given try-entry block.
+     * Multiple values mean multiple catch clauses for the same try.
+     */
+    catchBlocksFor(tryEntryId: number): number[];
+    /**
+     * Returns the try-entry block ID corresponding to a catch-entry block,
+     * or `undefined` if the block is not a catch entry.
+     */
+    tryBlockFor(catchEntryId: number): number | undefined;
+}

package/dist/graph/exception-flow-graph.js

@@ -0,0 +1,75 @@
+/**
+ * ExceptionFlowGraph — lightweight wrapper over CFG exception edges.
+ *
+ * The CFG builder emits edges with `type === 'exception'` connecting the
+ * first block of a try body (`from`) to the first block of the corresponding
+ * catch handler (`to`).  This class indexes those edges so exception-aware
+ * passes can query try/catch structure without re-scanning the edge list.
+ */
+// ---------------------------------------------------------------------------
+// ExceptionFlowGraph
+// ---------------------------------------------------------------------------
+export class ExceptionFlowGraph {
+    /** All try/catch pairs found in the CFG. */
+    pairs;
+    /** Block IDs that are catch-handler entry blocks. */
+    catchEntryIds;
+    /** Block IDs that are try-body entry blocks. */
+    tryEntryIds;
+    tryCatchMap; // tryEntryId → [catchEntryId, …]
+    catchTryMap; // catchEntryId → tryEntryId
+    constructor(cfg, blockById) {
+        this.pairs = [];
+        this.catchEntryIds = new Set();
+        this.tryEntryIds = new Set();
+        this.tryCatchMap = new Map();
+        this.catchTryMap = new Map();
+        for (const edge of cfg.edges) {
+            if (edge.type !== 'exception')
+                continue;
+            const tryBlock = blockById.get(edge.from);
+            const catchBlock = blockById.get(edge.to);
+            if (!tryBlock || !catchBlock)
+                continue;
+            this.tryEntryIds.add(edge.from);
+            this.catchEntryIds.add(edge.to);
+            const catches = this.tryCatchMap.get(edge.from) ?? [];
+            catches.push(edge.to);
+            this.tryCatchMap.set(edge.from, catches);
+            this.catchTryMap.set(edge.to, edge.from);
+            this.pairs.push({
+                tryEntryId: edge.from,
+                catchEntryId: edge.to,
+                tryBlock,
+                catchBlock,
+            });
+        }
+    }
+    /** True if at least one try/catch pair was found. */
+    get hasTryCatch() {
+        return this.pairs.length > 0;
+    }
+    /** True if the given block ID is a catch-handler entry block. */
+    isCatchEntry(blockId) {
+        return this.catchEntryIds.has(blockId);
+    }
+    /** True if the given block ID is a try-body entry block. */
+    isTryEntry(blockId) {
+        return this.tryEntryIds.has(blockId);
+    }
+    /**
+     * Returns the catch-entry block IDs for the given try-entry block.
+     * Multiple values mean multiple catch clauses for the same try.
+     */
+    catchBlocksFor(tryEntryId) {
+        return this.tryCatchMap.get(tryEntryId) ?? [];
+    }
+    /**
+     * Returns the try-entry block ID corresponding to a catch-entry block,
+     * or `undefined` if the block is not a catch entry.
+     */
+    tryBlockFor(catchEntryId) {
+        return this.catchTryMap.get(catchEntryId);
+    }
+}
+//# sourceMappingURL=exception-flow-graph.js.map

package/dist/graph/exception-flow-graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exception-flow-graph.js","sourceRoot":"","sources":["../../src/graph/exception-flow-graph.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAiBH,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,OAAO,kBAAkB;IAC7B,4CAA4C;IACnC,KAAK,CAAiB;IAE/B,qDAAqD;IAC5C,aAAa,CAAc;IAEpC,gDAAgD;IACvC,WAAW,CAAc;IAEjB,WAAW,CAAwB,CAAC,iCAAiC;IACrE,WAAW,CAAsB,CAAG,4BAA4B;IAEjF,YAAY,GAAQ,EAAE,SAAgC;QACpD,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC,aAAa,GAAG,IAAI,GAAG,EAAE,CAAC;QAC/B,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,WAAW,GAAG,IAAI,GAAG,EAAE,CAAC;QAE7B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW;gBAAE,SAAS;YAExC,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1C,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1C,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU;gBAAE,SAAS;YAEvC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAEhC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAEzC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAEzC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;gBACd,UAAU,EAAE,IAAI,CAAC,IAAI;gBACrB,YAAY,EAAE,IAAI,CAAC,EAAE;gBACrB,QAAQ;gBACR,UAAU;aACX,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,iEAAiE;IACjE,YAAY,CAAC,OAAe;QAC1B,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,4DAA4D;IAC5D,UAAU,CAAC,OAAe;QACxB,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,UAAkB;QAC/B,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAChD,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,YAAoB;QAC9B,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC5C,CAAC;CACF"}

package/dist/graph/index.d.ts

@@ -2,4 +2,5 @@ export { CodeGraph } from './code-graph.js';
 export { ProjectGraph } from './project-graph.js';
 export { ImportGraph } from './import-graph.js';
 export { DominatorGraph } from './dominator-graph.js';
+export { ExceptionFlowGraph, type TryCatchInfo } from './exception-flow-graph.js';
 export { AnalysisPipeline, type AnalysisPass, type PassContext, type PipelineRunResult, } from './analysis-pass.js';