feat(resolver): resolve .call()/.apply() this-rebinding and add fun fixture (JS) (#1405)

* test(integration): pin prototype-method-resolution test to WASM engine

The test was using auto engine (native-preferred), causing it to pick the
published npm native binary which predates the prototype-method fixes.
WASM correctly extracts Dog.prototype.bark and resolves all call edges.

Fixes #1381

* test(integration): add TODO comment for WASM engine pin (#1400)

* fix(resolver): qualified callerName mismatch in class-scoped typeMap lookup

When a method is called without a receiver inside a class-qualified method
(e.g. `IsValidEmail()` inside `Validators.ValidateUser`), both the WASM and
native engines now try the class-qualified name as a fallback.

Root cause: the same-class method lookup in `resolveByMethodOrGlobal` was
gated on `call.receiver && callerName`, which excluded no-receiver calls.
Static sibling calls in C#/Java (e.g. `IsValidEmail()` inside a static class)
have no receiver — the guard prevented the `Validators.IsValidEmail` lookup.

Fixes:
- WASM (call-resolver.ts): `if (call.receiver && callerName)` → `if (callerName)`
- Native (edge_builder.rs): moves class-scoped exact lookup outside the
  `call.receiver.is_some()` guard; suffix scan remains gated on receiver-present
  to avoid false positives on global function calls inside class methods.

Also fixes a latent CHA re-classification bug exposed by this change: the Rust
orchestrator classifies roles before the CHA post-pass, so the global fan-out
median was computed from pre-CHA edges. After CHA added edges, the median
shifted but Validators.cs (not directly connected to CHA-affected files) was
excluded from the incremental re-classification, leaving stale roles. Fixed by
switching the post-CHA re-classification from incremental to full.

C# same-file recall: 0/2 → 2/2 (100%).
Overall C# recall: 73.9% → 82.6% (19/23 expected edges).
Remaining gap: receiver-typed (0/4) tracked in #1402.

* feat(resolver): resolve .call()/.apply() this-rebinding and add fun fixture (JS)

- add fun Jelly micro-test fixture (fun.js + expected-edges.json) with correct
  <root> source names; scores 4/4 named edges (baz/baz2/baz3/baz4 → bar)

- add ThisCallBinding type: extracts fn.call(namedCtx,...)/fn.apply(namedCtx,...)
  and seeds fn::this → namedCtx in the PTS map; when this() is called inside fn,
  the scoped key lookup resolves to namedCtx

- add extractThisCallsWalk: captures this(args) call expressions (where this is
  the callee, not a receiver) so they participate in PTS resolution

- fix extractCallbackReferenceCalls: skip identifier args for .call()/.apply()/.bind()
  invocations; those are the this-context and function arguments flowing into the
  delegated function, not callbacks for the current scope (was producing FPs)

- add buildThisCallBindingsPtsPostPass: native-engine post-pass that resolves
  this() calls the same way as WASM, mirroring buildFnRefBindingsPtsPostPass

- update JS benchmark fixture: add invoker.call(handler, 10) test case and two
  new expected edges (runCallThis→invoker dynamic, invoker→handler points-to);
  JS precision holds at 100%, total expected now 37

Closes #1380

* docs: document O(all_nodes) cost of full classifyNodeRoles after CHA pass

* perf(extractor): merge this-call walks into existing traversals to reduce O(n) passes

In extractSymbolsQuery, replace two separate extractThisCallsWalk +
extractThisCallBindingsWalk full-tree traversals with a single combined
extractThisCallAndBindingsWalk pass, halving the per-file traversal cost
for the query (WASM) path.

In extractSymbolsWalk, inline the this() call detection and .call()/.apply()
binding extraction into handleCallExpr, which is already called during the
main walkJavaScriptNode traversal, eliminating two extra O(n) passes from
the walk path entirely.

Author: carlos-alm

src/domain/graph/builder/stages/build-edges.ts

@@ -17,6 +17,7 @@ import type {
   ClassRelation,
   Definition,
   ExtractorOutput,
+  FnRefBinding,
   Import,
   NativeAddon,
   NodeRow,
@@ -709,6 +710,78 @@ function buildFnRefBindingsPtsPostPass(
   }
 }
 
+/**
+ * this-rebinding post-pass for the native call-edge path.
+ *
+ * When `fn.call(namedCtx, ...)` or `fn.apply(namedCtx, ...)` is extracted by the
+ * WASM layer, `thisCallBindings` records `{ callee: 'fn', thisArg: 'namedCtx' }`.
+ * The native Rust engine has no knowledge of these bindings, so `this()` calls
+ * inside `fn` remain unresolved. This JS post-pass adds the missing edges by
+ * resolving `this()` calls inside each `fn` that has a thisCallBinding.
+ */
+function buildThisCallBindingsPtsPostPass(
+  ctx: PipelineContext,
+  getNodeIdStmt: NodeIdStmt,
+  allEdgeRows: EdgeRowTuple[],
+  sharedLookup?: CallNodeLookup,
+): void {
+  const filesWithBindings = [...ctx.fileSymbols].filter(
+    ([, symbols]) => symbols.thisCallBindings && symbols.thisCallBindings.length > 0,
+  );
+  if (filesWithBindings.length === 0) return;
+
+  const seenByPair = new Set<string>();
+  for (const [srcId, tgtId] of allEdgeRows) {
+    seenByPair.add(`${srcId}|${tgtId}`);
+  }
+
+  const { barrelOnlyFiles, rootDir } = ctx;
+  const lookup = sharedLookup ?? makeContextLookup(ctx, getNodeIdStmt);
+
+  for (const [relPath, symbols] of filesWithBindings) {
+    if (barrelOnlyFiles.has(relPath)) continue;
+    const fileNodeRow = getNodeIdStmt.get(relPath, 'file', relPath, 0);
+    if (!fileNodeRow) continue;
+
+    const importedNames = buildImportedNamesMap(ctx, relPath, symbols, rootDir);
+    const typeMap: Map<string, TypeMapEntry | string> = symbols.typeMap || new Map();
+    const ptsMap = buildPointsToMapForFile(symbols, importedNames);
+    if (!ptsMap) continue;
+
+    // Only process calls named 'this' (callee-not-receiver usage)
+    for (const call of symbols.calls) {
+      if (call.name !== 'this' || call.receiver) continue;
+
+      const caller = findCaller(lookup, call, symbols.definitions, relPath, fileNodeRow);
+      if (caller.callerName == null) continue;
+
+      const scopedKey = `${caller.callerName}::this`;
+      if (!ptsMap.has(scopedKey)) continue;
+
+      for (const alias of resolveViaPointsTo(scopedKey, ptsMap)) {
+        const { targets: aliasTargets, importedFrom: aliasFrom } = resolveCallTargets(
+          lookup,
+          { name: alias },
+          relPath,
+          importedNames,
+          typeMap as Map<string, unknown>,
+        );
+        for (const t of aliasTargets) {
+          const edgeKey = `${caller.id}|${t.id}`;
+          if (t.id !== caller.id && !seenByPair.has(edgeKey)) {
+            const conf =
+              computeConfidence(relPath, t.file, aliasFrom ?? null) - PROPAGATION_HOP_PENALTY;
+            if (conf > 0) {
+              seenByPair.add(edgeKey);
+              allEdgeRows.push([caller.id, t.id, 'calls', conf, 0, 'points-to']);
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
 /**
  * Phase 8.3f post-pass for the native call-edge path.
  *
@@ -1144,6 +1217,7 @@ function buildPointsToMapForFile(
   symbols: ExtractorOutput,
   importedNames: Map<string, string>,
 ): PointsToMap | null {
+  const hasThisCallBindings = !!symbols.thisCallBindings?.length;
   if (
     !symbols.fnRefBindings?.length &&
     !symbols.paramBindings?.length &&
@@ -1152,7 +1226,8 @@ function buildPointsToMapForFile(
     !symbols.forOfBindings?.length &&
     !symbols.arrayCallbackBindings?.length &&
     !symbols.objectRestParamBindings?.length &&
-    !symbols.objectPropBindings?.length
+    !symbols.objectPropBindings?.length &&
+    !hasThisCallBindings
   )
     return null;
   const defNames = new Set(
@@ -1161,8 +1236,21 @@ function buildPointsToMapForFile(
       .map((d) => d.name),
   );
   const definitionParams = buildDefinitionParamsMap(symbols.definitions);
+
+  // Convert thisCallBindings into scoped fnRefBindings: `fn::this → namedCtx`.
+  // The scoped key `fn::this` is looked up when `this()` calls are resolved inside
+  // function `fn` — caller.callerName='fn', call.name='this' → scopedPtsKey='fn::this'.
+  let allFnRefBindings: readonly FnRefBinding[] = symbols.fnRefBindings ?? [];
+  if (hasThisCallBindings) {
+    const extra: FnRefBinding[] = (symbols.thisCallBindings ?? []).map((b) => ({
+      lhs: `${b.callee}::this`,
+      rhs: b.thisArg,
+    }));
+    allFnRefBindings = [...allFnRefBindings, ...extra];
+  }
+
   return buildPointsToMap(
-    symbols.fnRefBindings ?? [],
+    allFnRefBindings,
     defNames,
     importedNames,
     symbols.paramBindings,
@@ -1816,6 +1904,9 @@ export async function buildEdges(ctx: PipelineContext): Promise<void> {
       // (e.g. `const f = fn.bind(ctx)`), so calls to bind-created aliases are
       // not resolved to their original function on the native path.
       buildFnRefBindingsPtsPostPass(ctx, getNodeIdStmt, allEdgeRows, sharedLookup);
+      // this-rebinding post-pass: resolve `this()` calls inside functions that
+      // were invoked via `.call(namedCtx, ...)` / `.apply(namedCtx, ...)`.
+      buildThisCallBindingsPtsPostPass(ctx, getNodeIdStmt, allEdgeRows, sharedLookup);
       // Phase 8.3f post-pass: augment native call edges with object rest-param
       // receiver resolution — typeMap[restName] → argName → typeMap[argName.method].
       buildObjectRestParamPostPass(ctx, getNodeIdStmt, allEdgeRows, sharedLookup);

src/domain/graph/builder/stages/native-orchestrator.ts

@@ -1617,6 +1617,11 @@ export async function tryNativeOrchestrator(
   // pre-CHA might be near the median, but post-CHA the median is higher, changing
   // its role from utility → core.) Using an incremental pass with a stale median
   // cache would produce incorrect roles outside the CHA-affected file set.
+  //
+  // Performance: classifyNodeRoles is O(all_nodes). For most repos this is sub-100ms;
+  // on very large codebases (100k+ nodes) it may add a few hundred ms per build.
+  // If this becomes a bottleneck, consider a two-pass strategy: incremental first
+  // (fast, slightly inaccurate), then full only when the median shifts by >N%.
   const chaEdgeCount = runPostNativeCha(ctx.db as unknown as BetterSqlite3Database);
   if (chaEdgeCount > 0) {
     try {

src/extractors/javascript.ts

@@ -16,6 +16,7 @@ import type {
   ParamBinding,
   SpreadArgBinding,
   SubDeclaration,
+  ThisCallBinding,
   TreeSitterNode,
   TreeSitterQuery,
   TreeSitterTree,
@@ -337,6 +338,7 @@ function extractSymbolsQuery(tree: TreeSitterTree, query: TreeSitterQuery): Extr
   const arrayCallbackBindings: ArrayCallbackBinding[] = [];
   const objectRestParamBindings: ObjectRestParamBinding[] = [];
   const objectPropBindings: ObjectPropBinding[] = [];
+  const thisCallBindings: ThisCallBinding[] = [];
 
   const matches = query.matches(tree.rootNode);
 
@@ -393,6 +395,9 @@ function extractSymbolsQuery(tree: TreeSitterTree, query: TreeSitterQuery): Extr
   const definePropertyReceivers: Map<string, string> = new Map();
   extractDefinePropertyReceiversWalk(tree.rootNode, definePropertyReceivers);
 
+  // this() calls + this-call bindings in a single pass (fn.call(ctx,...) / fn.apply(ctx,...))
+  extractThisCallAndBindingsWalk(tree.rootNode, calls, thisCallBindings);
+
   return {
     definitions,
     calls,
@@ -410,6 +415,7 @@ function extractSymbolsQuery(tree: TreeSitterTree, query: TreeSitterQuery): Extr
     arrayCallbackBindings,
     objectRestParamBindings,
     objectPropBindings,
+    thisCallBindings,
     newExpressions,
     ...(definePropertyReceivers.size > 0 ? { definePropertyReceivers } : {}),
   };
@@ -684,6 +690,7 @@ function extractSymbolsWalk(tree: TreeSitterTree): ExtractorOutput {
     arrayCallbackBindings: [],
     objectRestParamBindings: [],
     objectPropBindings: [],
+    thisCallBindings: [],
   };
 
   walkJavaScriptNode(tree.rootNode, ctx);
@@ -1124,11 +1131,44 @@ function handleCallExpr(node: TreeSitterNode, ctx: ExtractorOutput): void {
   if (fn.type === 'import') {
     handleDynamicImportCall(node, ctx.imports);
   } else {
+    // this() calls: `this` used as a function (not as a receiver).
+    if (fn.type === 'this') {
+      ctx.calls.push({ name: 'this', line: nodeStartLine(node) });
+      return; // no further processing needed for this()-style calls
+    }
     const callInfo = extractCallInfo(fn, node);
     if (callInfo) ctx.calls.push(callInfo);
     if (fn.type === 'member_expression') {
       const cbDef = extractCallbackDefinition(node, fn);
       if (cbDef) ctx.definitions.push(cbDef);
+      // this-call bindings: `fn.call(namedCtx, ...)` / `fn.apply(namedCtx, ...)`
+      const obj = fn.childForFieldName('object');
+      const prop = fn.childForFieldName('property');
+      if (
+        obj?.type === 'identifier' &&
+        prop &&
+        (prop.text === 'call' || prop.text === 'apply') &&
+        !BUILTIN_GLOBALS.has(obj.text)
+      ) {
+        const args = node.childForFieldName('arguments') || findChild(node, 'arguments');
+        if (args) {
+          for (let i = 0; i < args.childCount; i++) {
+            const child = args.child(i);
+            if (!child) continue;
+            const t = child.type;
+            if (t === '(' || t === ')' || t === ',') continue;
+            if (
+              t === 'identifier' &&
+              !BUILTIN_GLOBALS.has(child.text) &&
+              child.text !== 'undefined' &&
+              child.text !== 'null'
+            ) {
+              ctx.thisCallBindings!.push({ callee: obj.text, thisArg: child.text });
+            }
+            break;
+          }
+        }
+      }
     }
     ctx.calls.push(...extractCallbackReferenceCalls(node));
   }
@@ -2834,6 +2874,11 @@ function extractCallbackReferenceCalls(callNode: TreeSitterNode): Call[] {
   if (!args) return [];
 
   const calleeName = extractCalleeName(callNode);
+  // .call() / .apply() / .bind() — the first arg is the `this` context (not a callback of
+  // the enclosing function) and subsequent args flow into the delegated function's parameters.
+  // Emitting them here would produce false-positive edges from the *calling* function.
+  // This-rebinding (fn::this → ctx) is handled separately by extractThisCallBindingsWalk.
+  if (calleeName === 'call' || calleeName === 'apply' || calleeName === 'bind') return [];
   let memberExprArgsAllowed = calleeName !== null && CALLBACK_ACCEPTING_CALLEES.has(calleeName);
   if (memberExprArgsAllowed && calleeName !== null && HTTP_VERB_CALLEES.has(calleeName)) {
     // HTTP verbs require a string-literal route path to be treated as a
@@ -2864,6 +2909,62 @@ function extractCallbackReferenceCalls(callNode: TreeSitterNode): Call[] {
   return result;
 }
 
+/**
+ * Single-pass walk to collect both:
+ * - `this(args)` call expressions → `{name: 'this', ...}` entries in `calls`
+ *   (where `this` is used as a function, not as a receiver)
+ * - `fn.call(namedCtx, ...)` / `fn.apply(namedCtx, ...)` bindings →
+ *   `{ callee: 'fn', thisArg: 'namedCtx' }` entries in `thisCallBindings`
+ *
+ * Combining both into one traversal halves the AST walk cost compared to
+ * running two separate recursive passes.
+ */
+function extractThisCallAndBindingsWalk(
+  node: TreeSitterNode,
+  calls: Call[],
+  thisCallBindings: ThisCallBinding[],
+): void {
+  if (node.type === 'call_expression') {
+    const fn = node.childForFieldName('function');
+    if (fn?.type === 'this') {
+      calls.push({ name: 'this', line: nodeStartLine(node) });
+    } else if (fn?.type === 'member_expression') {
+      const obj = fn.childForFieldName('object');
+      const prop = fn.childForFieldName('property');
+      if (
+        obj?.type === 'identifier' &&
+        prop &&
+        (prop.text === 'call' || prop.text === 'apply') &&
+        !BUILTIN_GLOBALS.has(obj.text)
+      ) {
+        const args = node.childForFieldName('arguments') || findChild(node, 'arguments');
+        if (args) {
+          for (let i = 0; i < args.childCount; i++) {
+            const child = args.child(i);
+            if (!child) continue;
+            const t = child.type;
+            if (t === '(' || t === ')' || t === ',') continue;
+            // First real argument: only bind if it's a plain identifier
+            if (
+              t === 'identifier' &&
+              !BUILTIN_GLOBALS.has(child.text) &&
+              child.text !== 'undefined' &&
+              child.text !== 'null'
+            ) {
+              thisCallBindings.push({ callee: obj.text, thisArg: child.text });
+            }
+            break;
+          }
+        }
+      }
+    }
+  }
+  for (let i = 0; i < node.childCount; i++) {
+    const child = node.child(i);
+    if (child) extractThisCallAndBindingsWalk(child, calls, thisCallBindings);
+  }
+}
+
 function findAnonymousCallback(argsNode: TreeSitterNode): TreeSitterNode | null {
   for (let i = 0; i < argsNode.childCount; i++) {
     const child = argsNode.child(i);

src/types.ts

@@ -564,6 +564,18 @@ export interface ParamBinding {
   argName: string;
 }
 
+/**
+ * A this-context binding recorded when `fn.call(namedCtx, ...)` or
+ * `fn.apply(namedCtx, ...)` is seen. Seeds `fn::this → namedCtx` in the
+ * points-to map so that `this()` calls inside `fn` resolve to `namedCtx`.
+ */
+export interface ThisCallBinding {
+  /** The function being invoked via .call() or .apply(). */
+  callee: string;
+  /** The identifier passed as the `this` context (first argument). */
+  thisArg: string;
+}
+
 /**
  * An array-element binding: `const arr = [fn1, fn2]` records each named function
  * stored at a specific index. Phase 8.3e: array-element pts tracking.
@@ -673,6 +685,12 @@ export interface ExtractorOutput {
   objectRestParamBindings?: ObjectRestParamBinding[];
   /** Phase 8.3f: object-property bindings from `const obj = { fn }` patterns. */
   objectPropBindings?: ObjectPropBinding[];
+  /**
+   * This-context bindings from `fn.call(namedCtx, ...)` / `fn.apply(namedCtx, ...)`.
+   * Seeds `fn::this → namedCtx` in the points-to map so that `this()` calls inside
+   * `fn` resolve to `namedCtx` when `fn` is invoked via `.call()`/`.apply()`.
+   */
+  thisCallBindings?: ThisCallBinding[];
   /**
    * Phase 8.5 (RTA): constructor names from all `new X()` expressions in the file,
    * including unassigned ones (e.g. `doSomething(new Foo())`). Used to build the

tests/benchmarks/resolution/fixtures/javascript/bind-call-apply.js

@@ -22,3 +22,17 @@ export function runCall() {
 export function runApply() {
   return greet.apply(user, ['Hey']);
 }
+
+// call with this as a callable: fn.call(namedFn, args) where namedFn is the 'this' context.
+// Inside invoker, calling this(x) should resolve to the function passed as ctx.
+function invoker(x) {
+  return this(x);
+}
+
+function handler(n) {
+  return n * 2;
+}
+
+export function runCallThis() {
+  return invoker.call(handler, 10);
+}

tests/benchmarks/resolution/fixtures/javascript/expected-edges.json

@@ -192,6 +192,20 @@
       "mode": "dynamic",
       "notes": "greet.apply(user, ['Hey']) — .apply() extracts greet as the callee"
     },
+    {
+      "source": { "name": "runCallThis", "file": "bind-call-apply.js" },
+      "target": { "name": "invoker", "file": "bind-call-apply.js" },
+      "kind": "calls",
+      "mode": "dynamic",
+      "notes": "invoker.call(handler, 10) — .call() extracts invoker as the callee"
+    },
+    {
+      "source": { "name": "invoker", "file": "bind-call-apply.js" },
+      "target": { "name": "handler", "file": "bind-call-apply.js" },
+      "kind": "calls",
+      "mode": "points-to",
+      "notes": "invoker.call(handler, 10) — this-rebinding: this() inside invoker resolves to handler"
+    },
     {
       "source": { "name": "Dog.speak", "file": "inheritance.js" },
       "target": { "name": "Animal.speak", "file": "inheritance.js" },

tests/benchmarks/resolution/resolution-benchmark.test.ts

@@ -125,7 +125,9 @@ const THRESHOLDS: Record<string, { precision: number; recall: number }> = {
   //   adds bind/call/apply resolution (3 new edges in bind-call-apply.js), total expected now 33.
   //   Phase 8.3f adds Object.defineProperty accessor this-dispatch (#1335): getter→baz in
   //   define-property.js and accessorGetter→accessorTarget.accessMethod in define-property-accessor.js,
-  //   total expected now 35.
+  //   total expected now 35. call/apply this-rebinding adds 2 edges (runCallThis→invoker,
+  //   invoker→handler) and removes the false-positive from handler being extracted as a callback
+  //   arg of .call() — total expected now 37.
   javascript: { precision: 1.0, recall: 0.9 },
   // pts-javascript: hand-authored points-to JS fixture (for-of, Set, Array.from, spread) — patterns
   //   too broad for the main JS fixture. Patterns split per file to prevent intra-fixture FPs.