gitnexus 1.6.8-rc.36 → 1.6.8-rc.37

package/dist/core/ingestion/cfg/cfg-builder.d.ts

@@ -13,6 +13,30 @@
  * before the tree-sitter visitor (U2) drives it.
  */
 import type { BasicBlockData, BindingEntry, CfgEdgeKind, FunctionCfg, StatementFacts } from './types.js';
+/**
+ * Hard ceiling on CFG recursive-descent scope-entry depth (#2195). A language
+ * `CfgVisitor` wraps each nested block scope in {@link CfgBuilder.withNesting} (its
+ * `visitBody` / `visitSeq` choke points), so the live count tracks scope entries,
+ * not statement width. NOTE the count is ~2× LEXICAL nesting for block-bodied
+ * constructs (visitBody → visitSeq both enter), so the effective lexical ceiling
+ * is ~250 levels for block bodies (~500 for single-statement bodies / bare
+ * blocks). Real source nests ≤ ~50 deep, so this fires only on machine-generated
+ * / adversarial input. Both effective ceilings sit far below the engine's native
+ * stack limit (~1.2k+ nesting even on the raised worker `stackSizeMb`), so the
+ * bail is a DETERMINISTIC, language-independent {@link CfgNestingDepthError}
+ * rather than a nondeterministic `RangeError` thrown somewhere mid-walk.
+ */
+export declare const MAX_CFG_NESTING_DEPTH = 500;
+/**
+ * Thrown by the visitor nesting-depth guard ({@link CfgBuilder.enterNesting})
+ * when lexical nesting exceeds {@link MAX_CFG_NESTING_DEPTH}. `collectFunctionCfgs`
+ * catches it and counts the function under `skipped.tooDeeplyNested`, isolating
+ * the bail to one function instead of risking a worker-wide stack overflow.
+ */
+export declare class CfgNestingDepthError extends Error {
+    readonly limit: number;
+    constructor(limit: number);
+}
 export declare class CfgBuilder {
     private readonly filePath;
     private readonly functionStartLine;
@@ -24,6 +48,8 @@ export declare class CfgBuilder {
     private readonly blocks;
     private readonly edges;
     private readonly edgeKeys;
+    /** Live recursive-descent nesting depth — see {@link enterNesting}. */
+    private nesting;
     readonly entryIndex: number;
     readonly exitIndex: number;
     constructor(filePath: string, functionStartLine: number, functionEndLine: number, 
@@ -48,6 +74,30 @@ export declare class CfgBuilder {
      */
     attachFacts(index: number, facts: StatementFacts): void;
     get blockCount(): number;
+    /**
+     * Run `fn` inside ONE nested block scope (#2195) — the single choke every
+     * visitor's `visitBody` / `visitSeq` funnels through. Enters on the way in and
+     * exits in a `finally`, so the live depth is balanced on every return AND every
+     * throw and the enter/exit can never drift out of pair (the reason this is one
+     * helper, not 24 hand-paired call sites). Throws {@link CfgNestingDepthError}
+     * when nesting exceeds {@link MAX_CFG_NESTING_DEPTH} — a proactive, deterministic
+     * bail before the native stack can overflow on a pathologically nested function.
+     *
+     * A block-bodied construct passes through BOTH visitBody and visitSeq, so it
+     * costs TWO scopes per lexical level: the effective structural ceiling is
+     * ~MAX_CFG_NESTING_DEPTH/2 (~250) lexical levels for block bodies (~500 for
+     * single-statement bodies / bare blocks, which hit only one of the two). Still
+     * an order of magnitude below the native limit and far above real code (≤ ~50).
+     */
+    withNesting<T>(fn: () => T): T;
+    /**
+     * Increment the nesting counter, throwing {@link CfgNestingDepthError} past the
+     * cap. Prefer {@link withNesting}, which pairs the exit in a `finally`; this is
+     * exposed for direct depth-accounting tests only.
+     */
+    enterNesting(): void;
+    /** Decrement the nesting counter — the partner of {@link enterNesting}. */
+    exitNesting(): void;
     /** Produce the serializable CFG. Caller is responsible for having wired the
      *  function's dangling exits to {@link exitIndex} before calling.
      *

package/dist/core/ingestion/cfg/cfg-builder.js

@@ -1,3 +1,31 @@
+/**
+ * Hard ceiling on CFG recursive-descent scope-entry depth (#2195). A language
+ * `CfgVisitor` wraps each nested block scope in {@link CfgBuilder.withNesting} (its
+ * `visitBody` / `visitSeq` choke points), so the live count tracks scope entries,
+ * not statement width. NOTE the count is ~2× LEXICAL nesting for block-bodied
+ * constructs (visitBody → visitSeq both enter), so the effective lexical ceiling
+ * is ~250 levels for block bodies (~500 for single-statement bodies / bare
+ * blocks). Real source nests ≤ ~50 deep, so this fires only on machine-generated
+ * / adversarial input. Both effective ceilings sit far below the engine's native
+ * stack limit (~1.2k+ nesting even on the raised worker `stackSizeMb`), so the
+ * bail is a DETERMINISTIC, language-independent {@link CfgNestingDepthError}
+ * rather than a nondeterministic `RangeError` thrown somewhere mid-walk.
+ */
+export const MAX_CFG_NESTING_DEPTH = 500;
+/**
+ * Thrown by the visitor nesting-depth guard ({@link CfgBuilder.enterNesting})
+ * when lexical nesting exceeds {@link MAX_CFG_NESTING_DEPTH}. `collectFunctionCfgs`
+ * catches it and counts the function under `skipped.tooDeeplyNested`, isolating
+ * the bail to one function instead of risking a worker-wide stack overflow.
+ */
+export class CfgNestingDepthError extends Error {
+    limit;
+    constructor(limit) {
+        super(`CFG nesting depth exceeded ${limit}`);
+        this.limit = limit;
+        this.name = 'CfgNestingDepthError';
+    }
+}
 export class CfgBuilder {
     filePath;
     functionStartLine;
@@ -6,6 +34,8 @@ export class CfgBuilder {
     blocks = [];
     edges = [];
     edgeKeys = new Set();
+    /** Live recursive-descent nesting depth — see {@link enterNesting}. */
+    nesting = 0;
     entryIndex;
     exitIndex;
     constructor(filePath, functionStartLine, functionEndLine, 
@@ -72,6 +102,43 @@ export class CfgBuilder {
     get blockCount() {
         return this.blocks.length;
     }
+    /**
+     * Run `fn` inside ONE nested block scope (#2195) — the single choke every
+     * visitor's `visitBody` / `visitSeq` funnels through. Enters on the way in and
+     * exits in a `finally`, so the live depth is balanced on every return AND every
+     * throw and the enter/exit can never drift out of pair (the reason this is one
+     * helper, not 24 hand-paired call sites). Throws {@link CfgNestingDepthError}
+     * when nesting exceeds {@link MAX_CFG_NESTING_DEPTH} — a proactive, deterministic
+     * bail before the native stack can overflow on a pathologically nested function.
+     *
+     * A block-bodied construct passes through BOTH visitBody and visitSeq, so it
+     * costs TWO scopes per lexical level: the effective structural ceiling is
+     * ~MAX_CFG_NESTING_DEPTH/2 (~250) lexical levels for block bodies (~500 for
+     * single-statement bodies / bare blocks, which hit only one of the two). Still
+     * an order of magnitude below the native limit and far above real code (≤ ~50).
+     */
+    withNesting(fn) {
+        this.enterNesting();
+        try {
+            return fn();
+        }
+        finally {
+            this.exitNesting();
+        }
+    }
+    /**
+     * Increment the nesting counter, throwing {@link CfgNestingDepthError} past the
+     * cap. Prefer {@link withNesting}, which pairs the exit in a `finally`; this is
+     * exposed for direct depth-accounting tests only.
+     */
+    enterNesting() {
+        if (++this.nesting > MAX_CFG_NESTING_DEPTH)
+            throw new CfgNestingDepthError(MAX_CFG_NESTING_DEPTH);
+    }
+    /** Decrement the nesting counter — the partner of {@link enterNesting}. */
+    exitNesting() {
+        this.nesting--;
+    }
     /** Produce the serializable CFG. Caller is responsible for having wired the
      *  function's dangling exits to {@link exitIndex} before calling.
      *

package/dist/core/ingestion/cfg/collect.d.ts

@@ -22,9 +22,30 @@ import type { CfgVisitor, FunctionCfg } from './types.js';
  * both expensive and low-value. Overridable via `PipelineOptions.pdgMaxFunctionLines`.
  */
 export declare const DEFAULT_PDG_MAX_FUNCTION_LINES = 2000;
+/**
+ * CFG-bearing functions skipped during the walk, bucketed by reason (#2195).
+ * Surfaced per-language in the parse telemetry (parsing-processor.ts) so a CFG
+ * coverage gap is observable, not silent. All-zero ⇒ nothing skipped.
+ */
+export interface CfgSkipCounts {
+    /** Source span exceeded `maxFunctionLines` (minified / generated code). */
+    readonly tooManyLines: number;
+    /**
+     * Recursive-descent nesting hit {@link MAX_CFG_NESTING_DEPTH} — a proactive,
+     * deterministic bail (see {@link CfgNestingDepthError}) before a worker stack
+     * overflow.
+     */
+    readonly tooDeeplyNested: number;
+    /**
+     * `buildFunctionCfg` threw an unexpected error. Caught PER FUNCTION so one
+     * malformed function no longer drops the whole file's CFGs (the throw used to
+     * escape to the worker's language-group catch).
+     */
+    readonly buildError: number;
+}
 export interface CollectedCfgs {
     readonly cfgs: readonly FunctionCfg[];
-    /** Functions skipped for exceeding `maxFunctionLines` (0 ⇒ none skipped). */
-    readonly skipped: number;
+    /** Per-reason skip counts (#2195). */
+    readonly skipped: CfgSkipCounts;
 }
-export declare function collectFunctionCfgs(root: SyntaxNode, visitor: CfgVisitor<SyntaxNode>, filePath: string, maxFunctionLines?: number): CollectedCfgs;
+export declare function collectFunctionCfgs(root: SyntaxNode, visitor: CfgVisitor<SyntaxNode>, filePath: string, maxFunctionLines?: number, lineOffset?: number): CollectedCfgs;

package/dist/core/ingestion/cfg/collect.js

@@ -1,3 +1,4 @@
+import { CfgNestingDepthError } from './cfg-builder.js';
 /**
  * Default per-function source-line cap used by the worker when the `--pdg` run
  * does not specify `pdgMaxFunctionLines`. A function longer than this (almost
@@ -5,21 +6,63 @@
  * both expensive and low-value. Overridable via `PipelineOptions.pdgMaxFunctionLines`.
  */
 export const DEFAULT_PDG_MAX_FUNCTION_LINES = 2000;
-export function collectFunctionCfgs(root, visitor, filePath, maxFunctionLines = 0) {
+/**
+ * Convert a CFG built from an EXTRACTED sub-document's AST (script-relative
+ * tree-sitter rows) into the enclosing file's coordinates by adding `offset` to
+ * every source-line field. Needed for embedded scripts — a Vue SFC `<script>`
+ * block parses at row 0 but lives at `lineOffset` in the `.vue` file, and every
+ * other worker-emitted graph node is already file-relative; without this, the
+ * CFG's `functionStartLine` would never join its Function/Method graph node
+ * (inter-procedural taint silently resolves nothing) and BasicBlock source
+ * lines would point at the wrong `.vue` line. A 0 offset returns the input
+ * unchanged (the common case: `.ts`/`.js`/etc. parse at the file root), keeping
+ * non-embedded languages byte-identical. Synthetic bindings keep `declLine` 0.
+ */
+function shiftCfgLines(cfg, offset) {
+    if (offset === 0)
+        return cfg;
+    return {
+        ...cfg,
+        functionStartLine: cfg.functionStartLine + offset,
+        functionEndLine: cfg.functionEndLine + offset,
+        blocks: cfg.blocks.map((b) => ({
+            ...b,
+            startLine: b.startLine + offset,
+            endLine: b.endLine + offset,
+            statements: b.statements?.map((s) => ({ ...s, line: s.line + offset })),
+        })),
+        bindings: cfg.bindings?.map((bd) => bd.declLine > 0 ? { ...bd, declLine: bd.declLine + offset } : bd),
+    };
+}
+export function collectFunctionCfgs(root, visitor, filePath, maxFunctionLines = 0, lineOffset = 0) {
     const cfgs = [];
-    let skipped = 0;
+    let tooManyLines = 0;
+    let tooDeeplyNested = 0;
+    let buildError = 0;
     const stack = [root];
     while (stack.length) {
         const node = stack.pop();
         if (visitor.isFunction(node)) {
             const lines = node.endPosition.row - node.startPosition.row + 1;
             if (maxFunctionLines > 0 && lines > maxFunctionLines) {
-                skipped++;
+                tooManyLines++;
             }
             else {
-                const cfg = visitor.buildFunctionCfg(node, filePath);
-                if (cfg)
-                    cfgs.push(cfg);
+                // Isolate the per-function build: a proactive deep-nesting bail
+                // (CfgNestingDepthError) or any other visitor throw is counted and
+                // skipped HERE, so it can't escape to the worker's language-group catch
+                // and silently drop every remaining function's CFG (#2195).
+                try {
+                    const cfg = visitor.buildFunctionCfg(node, filePath);
+                    if (cfg)
+                        cfgs.push(shiftCfgLines(cfg, lineOffset));
+                }
+                catch (err) {
+                    if (err instanceof CfgNestingDepthError)
+                        tooDeeplyNested++;
+                    else
+                        buildError++;
+                }
             }
         }
         // Descend regardless (a skipped mega-function may still contain small
@@ -30,5 +73,5 @@ export function collectFunctionCfgs(root, visitor, filePath, maxFunctionLines =
                 stack.push(child);
         }
     }
-    return { cfgs, skipped };
+    return { cfgs, skipped: { tooManyLines, tooDeeplyNested, buildError } };
 }

package/dist/core/ingestion/cfg/control-dependence.d.ts

@@ -1,15 +1,26 @@
 /**
- * Control dependence (#2085 M5 U3) — Ferrante, Ottenstein & Warren §3.1.1 over
- * the post-dominator tree. A block `dependent` is control-dependent on a branch
- * block `controller` when `controller` decides whether `dependent` executes:
- * formally, there is a CFG edge `controller → B` such that `dependent`
- * post-dominates `B` but does NOT strictly post-dominate `controller`.
+ * Control dependence (#2085 M5 U3) — Ferrante, Ottenstein & Warren §3.1.1
+ * semantics. A block `dependent` is control-dependent on a branch block
+ * `controller` when `controller` decides whether `dependent` executes: formally,
+ * there is a CFG edge `controller → B` such that `dependent` post-dominates `B`
+ * but does NOT strictly post-dominate `controller`.
  *
- * Construction (§3.1.1): for each CFG edge `(A, B)` where `B` does NOT
- * post-dominate `A`, walk UP the post-dom tree from `B` to (but not including)
- * `ipdom(A)`; every block on that path is control-dependent on `A`. The branch
- * SENSE of the edge ('T' | 'F') becomes the edge label (KTD4 / KTD3 — it rides
- * the persisted relation's `reason` column).
+ * Construction — the reverse-CFG dominance-frontier formulation (Cytron,
+ * Ferrante, Rosen, Wegman & Zadeck 1991): control dependence IS the dominance
+ * frontier of the reverse CFG, so `A ∈ PDF(X)` (the post-dominance frontier)
+ * ⟺ `X` is control-dependent on `A`. The PDF is computed bottom-up over the
+ * post-dom tree (`PDF_local` from a node's CFG predecessors + `PDF_up` from its
+ * post-dom-tree children) in O(N + E + output) — each up-step is charged to a
+ * distinct emitted edge, NOT re-walked per CFG edge as the original §3.1.1
+ * up-walk did (which was Θ(N²) on a deep post-dom chain). The two formulations
+ * enumerate the IDENTICAL full `(controller, dependent, label)` set (verified
+ * byte-identical on 3203 CFGs + ~1M-case differential fuzz); LLVM, Joern and WALA
+ * use the reverse-DF form. (Only the rare TRUNCATED prefix — when a function
+ * exceeds `maxEdges` — differs from the old prefix: it is now a sorted
+ * deterministic prefix rather than CFG-edge-iteration order. Both are valid,
+ * deterministic subsets; the full untruncated output is unchanged.)
+ * The branch SENSE ('T' | 'F') of the controlling edge becomes the edge label
+ * (KTD4 / KTD3 — it rides the persisted relation's `reason` column).
  *
  * PURE AND DETERMINISTIC (mirrors post-dominators.ts / reaching-defs.ts): no
  * graph, no logger, importable outside the worker; output is deduped per

package/dist/core/ingestion/cfg/control-dependence.js

@@ -1,15 +1,26 @@
 /**
- * Control dependence (#2085 M5 U3) — Ferrante, Ottenstein & Warren §3.1.1 over
- * the post-dominator tree. A block `dependent` is control-dependent on a branch
- * block `controller` when `controller` decides whether `dependent` executes:
- * formally, there is a CFG edge `controller → B` such that `dependent`
- * post-dominates `B` but does NOT strictly post-dominate `controller`.
+ * Control dependence (#2085 M5 U3) — Ferrante, Ottenstein & Warren §3.1.1
+ * semantics. A block `dependent` is control-dependent on a branch block
+ * `controller` when `controller` decides whether `dependent` executes: formally,
+ * there is a CFG edge `controller → B` such that `dependent` post-dominates `B`
+ * but does NOT strictly post-dominate `controller`.
  *
- * Construction (§3.1.1): for each CFG edge `(A, B)` where `B` does NOT
- * post-dominate `A`, walk UP the post-dom tree from `B` to (but not including)
- * `ipdom(A)`; every block on that path is control-dependent on `A`. The branch
- * SENSE of the edge ('T' | 'F') becomes the edge label (KTD4 / KTD3 — it rides
- * the persisted relation's `reason` column).
+ * Construction — the reverse-CFG dominance-frontier formulation (Cytron,
+ * Ferrante, Rosen, Wegman & Zadeck 1991): control dependence IS the dominance
+ * frontier of the reverse CFG, so `A ∈ PDF(X)` (the post-dominance frontier)
+ * ⟺ `X` is control-dependent on `A`. The PDF is computed bottom-up over the
+ * post-dom tree (`PDF_local` from a node's CFG predecessors + `PDF_up` from its
+ * post-dom-tree children) in O(N + E + output) — each up-step is charged to a
+ * distinct emitted edge, NOT re-walked per CFG edge as the original §3.1.1
+ * up-walk did (which was Θ(N²) on a deep post-dom chain). The two formulations
+ * enumerate the IDENTICAL full `(controller, dependent, label)` set (verified
+ * byte-identical on 3203 CFGs + ~1M-case differential fuzz); LLVM, Joern and WALA
+ * use the reverse-DF form. (Only the rare TRUNCATED prefix — when a function
+ * exceeds `maxEdges` — differs from the old prefix: it is now a sorted
+ * deterministic prefix rather than CFG-edge-iteration order. Both are valid,
+ * deterministic subsets; the full untruncated output is unchanged.)
+ * The branch SENSE ('T' | 'F') of the controlling edge becomes the edge label
+ * (KTD4 / KTD3 — it rides the persisted relation's `reason` column).
  *
  * PURE AND DETERMINISTIC (mirrors post-dominators.ts / reaching-defs.ts): no
  * graph, no logger, importable outside the worker; output is deduped per
@@ -18,7 +29,7 @@
  * control-dependent on ITSELF (`controller === dependent`) — the loop predicate
  * gates its own re-execution; this is standard PDG behavior, not a bug.
  */
-import { computePostDominators, postDominates, NO_IPDOM, } from './post-dominators.js';
+import { computePostDominators, NO_IPDOM } from './post-dominators.js';
 function buildArmSenses(cfg) {
     const n = cfg.blocks.length;
     const senses = Array.from({ length: n }, () => ({
@@ -65,56 +76,107 @@ function labelFor(kind, controller) {
  * module doc for the purity/determinism contract.
  */
 export function computeControlDependence(cfg, postDom, 
-// Heap-safety ceiling on materialized edges, mirroring computeReachingDefs'
-// `maxFacts` (#2188 review): the pre-dedup walk is O(edges × post-dom depth),
-// so bound it before it can spike. `0` ⇒ unbounded. On overflow `edges` is a
-// deterministic prefix and `truncated` is set — never a silent drop.
+// Output-size ceiling, mirroring computeReachingDefs' `maxFacts` (#2188 review).
+// The reverse-DF set is the bounded (controller, dependent, label) dependence
+// relation, so peak working set ≈ output here (no pre-dedup spike like the old
+// up-walk) — this caps the final edge COUNT, not transient memory. `0` ⇒
+// unbounded. On overflow `edges` is a deterministic SORTED prefix and
+// `truncated` is set — never a silent drop. (The sorted prefix is the prefix
+// CONTENTS may differ from the old up-walk's CFG-edge-iteration prefix at the
+// cap boundary; the FULL untruncated set is byte-identical — see the module doc.)
 maxEdges = 0) {
     const tree = postDom ?? computePostDominators(cfg);
     const { ipdom } = tree;
     const n = cfg.blocks.length;
     const armSenses = buildArmSenses(cfg);
     const cap = maxEdges > 0 ? maxEdges : Infinity;
-    const out = [];
-    const seen = new Set();
-    let truncated = false;
-    scan: for (const e of cfg.edges) {
-        const a = e.from;
-        const b = e.to;
-        if (a < 0 || a >= n || b < 0 || b >= n)
-            continue;
-        // No control dependence when B post-dominates A — every path leaving A
-        // through this edge still reaches B, so A does not decide B's execution.
-        // This guard is exactly AC2: a dependence exists IFF post-dominance fails.
-        if (postDominates(tree, b, a))
+    // Reverse-CFG post-dominance frontier (Cytron, Ferrante, Rosen, Wegman,
+    // Zadeck 1991): control dependence IS the dominance frontier of the reverse
+    // CFG. `A ∈ PDF(X)` ⟺ X is control-dependent on A, so emit (controller=A,
+    // dependent=X). Computing the PDF bottom-up over the post-dom tree charges
+    // each up-step to a DISTINCT emitted entry — O(N+E+output) — instead of the
+    // old Ferrante up-walk that re-climbs the ipdom chain per CFG edge (Θ(N²) on
+    // a deep post-dom chain). Output is the identical (controller, dependent,
+    // label) set (verified byte-identical on 3203 CFGs across all languages +
+    // fuzz) and 1-2 orders of magnitude faster. LLVM (ReverseIDFCalculator),
+    // Joern (CdgPass) and WALA use the same formulation.
+    const children = Array.from({ length: n }, () => []);
+    const inEdges = Array.from({ length: n }, () => []);
+    for (let b = 0; b < n; b++) {
+        const ip = ipdom[b];
+        if (ip !== NO_IPDOM && ip >= 0 && ip < n)
+            children[ip].push(b);
+    }
+    for (const e of cfg.edges) {
+        if (e.from < 0 || e.from >= n || e.to < 0 || e.to >= n)
             continue;
-        // Sense is read from the CONTROLLER's arms, not this edge's kind alone —
-        // seq/loop-back fall-through false arms would otherwise mislabel as 'T'
-        // (#2188 F1).
-        const label = labelFor(e.kind, armSenses[a]);
-        const stop = ipdom[a]; // walk up to ipdom(A), EXCLUSIVE (NO_IPDOM ⇒ to root)
-        let cur = b;
-        let steps = 0;
-        // `steps <= n` is defensive — the ipdom chain is a finite tree.
-        while (cur !== NO_IPDOM && cur !== stop && steps <= n) {
-            const key = `${a}:${cur}:${label}`;
-            if (!seen.has(key)) {
-                // Check BEFORE pushing so `truncated` means a genuine overflow (a new
-                // unique edge had to be dropped), not merely "reached the ceiling" —
-                // exactly `cap` edges is a full, non-truncated result.
-                if (out.length >= cap) {
-                    truncated = true;
-                    break scan;
-                }
-                seen.add(key);
-                out.push({ controllerBlock: a, dependentBlock: cur, label });
+        inEdges[e.to].push({ from: e.from, kind: e.kind });
+    }
+    // Post-dom-tree post-order (children before parents). Iterative — the post-dom
+    // forest can itself be chain-deep. Roots are the NO_IPDOM nodes (EXIT, plus
+    // any exit-unreachable region per #2188 F2). The reverse of a root-first DFS
+    // visits every parent AFTER all its descendants.
+    const dfs = [];
+    for (let r = 0; r < n; r++)
+        if (ipdom[r] === NO_IPDOM)
+            dfs.push(r);
+    const preorder = [];
+    while (dfs.length) {
+        const x = dfs.pop();
+        preorder.push(x);
+        for (const c of children[x])
+            dfs.push(c);
+    }
+    const order = preorder.reverse();
+    // PDF[X]: controller A → the label SET with which A controls X. A set (not one
+    // label) because a controller can reach X via opposite-sense arms (goto-
+    // cycles) — the old (a, cur, label) dedup kept both rows.
+    const pdf = Array.from({ length: n }, () => new Map());
+    const add = (x, a, label) => {
+        const set = pdf[x].get(a);
+        if (set)
+            set.add(label);
+        else
+            pdf[x].set(a, new Set([label]));
+    };
+    for (const x of order) {
+        // PDF_local: a CFG-predecessor A of X that X does not (immediately) post-
+        // dominate. `A !== X && ipdom[A] !== X` is exactly the production
+        // `!postDominates(X, A)` for one edge A→X (postDominates(X,A) ⟺ ipdom[A]===X),
+        // and it excludes self-edges + NO_IPDOM regions. Sense is read from the
+        // CONTROLLER's arms (seq/loop-back fall-through false arms would otherwise
+        // mislabel as 'T' — #2188 F1).
+        for (const { from: a, kind } of inEdges[x]) {
+            if (a !== x && ipdom[a] !== x)
+                add(x, a, labelFor(kind, armSenses[a]));
+        }
+        // PDF_up: inherit each post-dom child's frontier controller (with its label
+        // set) when X does not post-dominate it.
+        for (const z of children[x]) {
+            for (const [a, labels] of pdf[z]) {
+                if (ipdom[a] !== x)
+                    for (const l of labels)
+                        add(x, a, l);
             }
-            cur = ipdom[cur];
-            steps += 1;
+        }
+    }
+    const out = [];
+    for (const x of order) {
+        for (const [a, labels] of pdf[x]) {
+            for (const label of labels)
+                out.push({ controllerBlock: a, dependentBlock: x, label });
         }
     }
     out.sort((x, y) => x.controllerBlock - y.controllerBlock ||
         x.dependentBlock - y.dependentBlock ||
         (x.label < y.label ? -1 : x.label > y.label ? 1 : 0));
+    // `maxEdges` is a heap-safety backstop applied to the SORTED set (the DF makes
+    // overflow far rarer than the old per-edge walk). Deterministic prefix, never
+    // a silent drop; mirrors computeReachingDefs' `truncated`.
+    let truncated = false;
+    if (cap !== Infinity && out.length > cap) {
+        truncated = true;
+        out.length = cap;
+    }
     return { edges: out, truncated };
 }

package/dist/core/ingestion/cfg/emit.d.ts

@@ -76,6 +76,25 @@ export declare const POST_DOMINATE_DEBUG_ENV = "GITNEXUS_PDG_EMIT_POST_DOMINATE"
 export declare const REACHING_DEF_FACTS_PER_EDGE_CAP = 4;
 /** Derived emit-path fact limit at the default edge cap (bench/doc anchor). */
 export declare const DEFAULT_PDG_MAX_REACHING_DEF_FACTS_PER_FUNCTION: number;
+/**
+ * Fixpoint-iteration budget for {@link computeReachingDefs}, as a multiple of
+ * the function's block count ({@link emitFileReachingDefs} passes
+ * `blocks.length × this` as `maxBlockVisits`). Iterative reaching-defs on a
+ * reducible CFG converges in O(loop-nesting-depth) passes, so a worklist
+ * re-visits each block a small multiple of times for real code; this budget
+ * tolerates a nesting depth far beyond any hand-written function (real code is
+ * ≤ ~15 deep) while truncating the pathological deep nest that otherwise drives
+ * the solver to O(blocks²) — measured at seconds + GB on a machine-generated
+ * 2000-line all-loops function whose fact count stays linear (so `maxFacts`
+ * never fires). Truncation degrades to a sound empty REACHING_DEF for that one
+ * function (status `truncated`), never wrong facts.
+ *
+ * This ceiling is the SOUND backstop, not a perf fix: WTO / loop-aware iteration
+ * ordering was benchmarked and rejected (0% faster — the cost is dense-set
+ * propagation, not visitation order; see the no-go note in reaching-defs.ts at
+ * the RPO-order site). SSA-sparse reaching-defs is the deferred real fix.
+ */
+export declare const DEFAULT_PDG_MAX_REACHING_DEF_BLOCK_REVISITS = 64;
 export interface CfgEmitResult {
     blocks: number;
     edges: number;

package/dist/core/ingestion/cfg/emit.js

@@ -2,6 +2,7 @@ import { generateId } from '../../../lib/utils.js';
 import { computeReachingDefs } from './reaching-defs.js';
 import { computeControlDependence } from './control-dependence.js';
 import { computePostDominators, isExitReachableFromAllBlocks, NO_IPDOM, } from './post-dominators.js';
+import { augmentForPostDom } from './synthetic-escape.js';
 /**
  * Default per-function CFG edge cap. A pathological generated function could
  * otherwise emit an unbounded edge set; the cap bounds graph growth and is
@@ -58,6 +59,25 @@ export const POST_DOMINATE_DEBUG_ENV = 'GITNEXUS_PDG_EMIT_POST_DOMINATE';
 export const REACHING_DEF_FACTS_PER_EDGE_CAP = 4;
 /** Derived emit-path fact limit at the default edge cap (bench/doc anchor). */
 export const DEFAULT_PDG_MAX_REACHING_DEF_FACTS_PER_FUNCTION = REACHING_DEF_FACTS_PER_EDGE_CAP * DEFAULT_PDG_MAX_REACHING_DEF_EDGES_PER_FUNCTION;
+/**
+ * Fixpoint-iteration budget for {@link computeReachingDefs}, as a multiple of
+ * the function's block count ({@link emitFileReachingDefs} passes
+ * `blocks.length × this` as `maxBlockVisits`). Iterative reaching-defs on a
+ * reducible CFG converges in O(loop-nesting-depth) passes, so a worklist
+ * re-visits each block a small multiple of times for real code; this budget
+ * tolerates a nesting depth far beyond any hand-written function (real code is
+ * ≤ ~15 deep) while truncating the pathological deep nest that otherwise drives
+ * the solver to O(blocks²) — measured at seconds + GB on a machine-generated
+ * 2000-line all-loops function whose fact count stays linear (so `maxFacts`
+ * never fires). Truncation degrades to a sound empty REACHING_DEF for that one
+ * function (status `truncated`), never wrong facts.
+ *
+ * This ceiling is the SOUND backstop, not a perf fix: WTO / loop-aware iteration
+ * ordering was benchmarked and rejected (0% faster — the cost is dense-set
+ * propagation, not visitation order; see the no-go note in reaching-defs.ts at
+ * the RPO-order site). SSA-sparse reaching-defs is the deferred real fix.
+ */
+export const DEFAULT_PDG_MAX_REACHING_DEF_BLOCK_REVISITS = 64;
 /**
  * The single BasicBlock id template (module doc). Exported for the M3 taint
  * emit path (taint/emit.ts), whose TAINTED/SANITIZES edges must address the
@@ -266,7 +286,10 @@ export function emitFileReachingDefs(graph, cfgs, maxEdgesPerFunction = DEFAULT_
                 `REACHING_DEF skipped for this function; its CFG is unaffected`);
             continue;
         }
-        const r = computeReachingDefs(cfg, { maxFacts });
+        const r = computeReachingDefs(cfg, {
+            maxFacts,
+            maxBlockVisits: cfg.blocks.length * DEFAULT_PDG_MAX_REACHING_DEF_BLOCK_REVISITS,
+        });
         if (r.status === 'no-facts')
             continue;
         result.facts += r.facts.length;
@@ -374,24 +397,39 @@ export function emitFileCdg(graph, cfgs, maxEdgesPerFunction = DEFAULT_PDG_MAX_C
     const emitPostDom = postDominateDebugEnabled();
     for (const cfg of cfgs) {
         const { filePath, functionStartLine, functionStartColumn } = cfg;
+        // Synthetic-escape pass (#2197 U1): restore EXIT reverse-reachability for a
+        // genuine exit-unreachable CYCLE (an unconditional `goto`-cycle / infinite
+        // loop) so the post-dom / CDG pass runs instead of being withheld. A no-op
+        // (returns `cfg` unchanged) for terminating functions and properly-escaped
+        // loops — those stay byte-identical. The synthetic edges are ANALYSIS-ONLY:
+        // they live on the returned shallow clone, never on the persisted `cfg`, so
+        // CFG / REACHING_DEF and the byte-identical-off golden are unaffected. Both
+        // the gate below AND the post-dom / CDG passes must see the augmented view
+        // (KTD7 — the Ferrante walk re-reads `cfg.edges`).
+        const view = augmentForPostDom(cfg);
         // Sound post-dominance requires EXIT reachable from every entry-reachable
-        // block (#2188 review). A CFG that violates it — a future visitor's
-        // multi-terminal / non-terminating shape — would yield a CDG that both
-        // drops real and invents spurious dependences, so skip CDG for it. CFG and
-        // REACHING_DEF (emitted elsewhere, independent of post-dominance) are kept.
-        if (!isExitReachableFromAllBlocks(cfg)) {
+        // block (#2188 review). The synthetic-escape pass recovers genuine cycles;
+        // anything STILL unreachable after it is a residual non-cycle anomaly (a
+        // dangling/dead-end block, a branch-less trapping spin, or a construction
+        // error) — NOT something we bridge (that would mask the bug). Skip CDG for
+        // it and surface the skip. CFG and REACHING_DEF (emitted elsewhere,
+        // independent of post-dominance) are kept.
+        if (!isExitReachableFromAllBlocks(view)) {
             result.skippedUnsoundFunctions++;
             onWarn?.(`[cdg] ${filePath}:${functionStartLine}: EXIT not reachable from all ` +
                 `blocks — CDG skipped for this function (CFG/REACHING_DEF unaffected)`);
             continue;
         }
         // Compute the post-dom tree once and feed it to the control-dependence
-        // pass (avoids recomputing it) and to the optional POST_DOMINATE emit.
-        const tree = computePostDominators(cfg);
+        // pass (avoids recomputing it) and to the optional POST_DOMINATE emit. The
+        // CDG edges reference BLOCK INDICES, which are identical in `view` and `cfg`
+        // (the augmentation only appends edges), so persisting them keyed off the
+        // original block ids is correct.
+        const tree = computePostDominators(view);
         // Bound the pre-dedup materialization (heap parity with REACHING_DEF). The
         // fixed ceiling is a catastrophe backstop; the per-function edge cap below
         // remains the reporting authority. A ceiling hit is surfaced, not silent.
-        const { edges: cdgEdges, truncated } = computeControlDependence(cfg, tree, DEFAULT_PDG_MAX_CDG_MATERIALIZATION_PER_FUNCTION);
+        const { edges: cdgEdges, truncated } = computeControlDependence(view, tree, DEFAULT_PDG_MAX_CDG_MATERIALIZATION_PER_FUNCTION);
         if (truncated) {
             onWarn?.(`[cdg] ${filePath}:${functionStartLine}: control-dependence materialization ` +
                 `ceiling (${DEFAULT_PDG_MAX_CDG_MATERIALIZATION_PER_FUNCTION}) reached — ` +