refactor: simplify type-arg matching with specialized matcher and condition-on-Result

- Encode return-type constraints as IsType conditions on
PositionBase.Result
  rather than via SerializedSignatureMatcher.Partial.return; drop the
now-unused
  return field on Partial.
- Make ClassPattern.typeArgs nullable (null = no type-args / raw match).
- Specialize SerializedTypeNameMatcher into TypeArgMatcher during rule
  resolution: name matchers are pre-compiled into ConditionNameMatcher,
so the
  runtime evaluator dispatches on a small structural shape instead of
running
  matchErasedName on a serialized matcher.
- Replace JIRBasicAtomEvaluator's typedMethod+ASM-debug-info path with a
  PositionResolver<JIRType?> for resolving the typed view at a position.
- Treat WildcardType as AnyType: collapse it at action translation, then
drop
  the now-dead SerializedTypeNameMatcher.Wildcard /
TypeArgMatcher.Wildcard
  variants. Java's <?> is the supertype of any concrete
parameterization, so
  ResponseEntity<?> accepts any ResponseEntity<X>; A5 sample updated to
flip
  the parameterized form from Negative to Positive.
- resolveIsType now forces a typed-view check for ClassPattern/Array
(instead
  of returning mkTrue early on erased-name match) so a raw pattern
correctly
  rejects parameterized forms when the typed view is available.

Author: misonijnik

core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt

@@ -30,18 +30,18 @@ fun SerializedTypeNameMatcher.matchType(
     type: JIRType,
     erasedMatch: SerializedTypeNameMatcher.(String) -> Boolean,
 ): Boolean = when {
-    this is SerializedTypeNameMatcher.Wildcard -> type is JIRUnboundWildcard
-
-    this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() && type is JIRClassType ->
+    this is SerializedTypeNameMatcher.ClassPattern && typeArgs == null && type is JIRClassType ->
         erasedMatch(type.erasedName()) && type.isRawLike()
 
-    this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() ->
+    this is SerializedTypeNameMatcher.ClassPattern && typeArgs == null ->
         erasedMatch(type.erasedName())
 
-    this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType ->
+    this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType -> {
+        val args = typeArgs!!
         erasedMatch(type.erasedName()) &&
-            typeArgs.size == type.typeArguments.size &&
-            typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a, erasedMatch) }
+            args.size == type.typeArguments.size &&
+            args.zip(type.typeArguments).all { (m, a) -> m.matchType(a, erasedMatch) }
+    }
 
     this is SerializedTypeNameMatcher.Array && type is JIRArrayType ->
         element.matchType(type.elementType, erasedMatch)
@@ -57,7 +57,7 @@ fun SerializedTypeNameMatcher.matchType(
  * pass-through rules whose return/parameter types show up as type variables
  * when resolved via the declaring class (e.g. `List.get` returns `E`).
  */
-private fun JIRType.erasedName(): String = when (this) {
+fun JIRType.erasedName(): String = when (this) {
     is JIRClassType -> jIRClass.name
     is JIRTypeVariable -> jIRClass.name
     is JIRUnboundWildcard -> jIRClass.name

core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt

@@ -1,6 +1,5 @@
 package org.opentaint.dataflow.configuration.jvm
 
-import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher
 import org.opentaint.ir.api.jvm.JIRType
 import java.util.Objects
 
@@ -117,10 +116,22 @@ sealed interface ConditionNameMatcher {
     data class PatternStartsWith(val prefix: String) : ConditionNameMatcher
 }
 
+fun ConditionNameMatcher.match(name: String): Boolean = when (this) {
+    is ConditionNameMatcher.PatternEndsWith -> name.endsWith(suffix)
+    is ConditionNameMatcher.PatternStartsWith -> name.startsWith(prefix)
+    is ConditionNameMatcher.Simple -> match(name)
+}
+
+fun ConditionNameMatcher.Simple.match(name: String): Boolean = when (this) {
+    is ConditionNameMatcher.Pattern -> pattern.containsMatchIn(name)
+    is ConditionNameMatcher.Concrete -> this.name == name
+    is ConditionNameMatcher.AnyName -> true
+}
+
 data class TypeMatchesPattern(
     val position: Position,
     val pattern: ConditionNameMatcher,
-    val typeArgs: List<SerializedTypeNameMatcher> = emptyList(),
+    val typeArgs: List<TypeArgMatcher>? = null,
 ) : Condition {
     override fun <R> accept(conditionVisitor: ConditionVisitor<R>): R = conditionVisitor.visit(this)
 }

core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt

@@ -0,0 +1,37 @@
+package org.opentaint.dataflow.configuration.jvm
+
+import org.opentaint.ir.api.jvm.JIRArrayType
+import org.opentaint.ir.api.jvm.JIRClassType
+import org.opentaint.ir.api.jvm.JIRType
+
+/**
+ * A type-argument matcher that has been pre-resolved during rule resolution:
+ * the erased-name matchers are already compiled to [ConditionNameMatcher],
+ * so runtime evaluation only needs to dispatch on the structure.
+ */
+sealed interface TypeArgMatcher {
+    fun matchType(type: JIRType): Boolean
+
+    data class Class(
+        val name: ConditionNameMatcher,
+        // null = no type-args constraint (matches raw / declared erasure).
+        val typeArgs: List<TypeArgMatcher>?,
+    ) : TypeArgMatcher {
+        override fun matchType(type: JIRType): Boolean {
+            if (!name.match(type.erasedName())) return false
+
+            if (typeArgs == null) {
+                return if (type is JIRClassType) type.isRawLike() else true
+            }
+
+            if (type !is JIRClassType) return true
+            if (typeArgs.size != type.typeArguments.size) return false
+            return typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a) }
+        }
+    }
+
+    data class Array(val element: TypeArgMatcher) : TypeArgMatcher {
+        override fun matchType(type: JIRType): Boolean =
+            type is JIRArrayType && element.matchType(type.elementType)
+    }
+}

core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt

@@ -19,19 +19,13 @@ sealed interface SerializedTypeNameMatcher {
     data class ClassPattern(
         val `package`: SerializedSimpleNameMatcher,
         val `class`: SerializedSimpleNameMatcher,
-        val typeArgs: List<SerializedTypeNameMatcher> = emptyList()
+        // null = no type-args constraint (matches raw / declared erasure).
+        // empty list is reserved for an explicit zero-arg parameterization.
+        val typeArgs: List<SerializedTypeNameMatcher>? = null
     ) : SerializedTypeNameMatcher
 
     @Serializable
     data class Array(val element: SerializedTypeNameMatcher) : SerializedTypeNameMatcher
-
-    /**
-     * Matches only an unbounded Java wildcard (`?`) at a type-argument slot.
-     * Distinct from an "any" [ClassPattern] so a pattern like `Foo<?>` does not
-     * match a concrete parameterization like `Foo<String>`.
-     */
-    @Serializable
-    data object Wildcard : SerializedTypeNameMatcher
 }
 
 @Serializable(with = SimpleNameMatcherSerializer::class)

core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt

@@ -27,7 +27,6 @@ sealed interface SerializedSignatureMatcher {
     @Serializable
     data class Partial(
         val params: List<SerializedArgMatcher>? = null,
-        val `return`: SerializedTypeNameMatcher? = null
     ) : SerializedSignatureMatcher
 }
 

core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt

@@ -11,24 +11,24 @@ import org.opentaint.dataflow.jvm.ap.ifds.analysis.JIRMethodAnalysisContext
 import org.opentaint.dataflow.jvm.ap.ifds.taint.ContainsMarkOnAnyField
 import org.opentaint.dataflow.jvm.ap.ifds.taint.JIRBasicAtomEvaluator
 import org.opentaint.ir.api.common.cfg.CommonInst
-import org.opentaint.ir.api.jvm.JIRTypedMethod
+import org.opentaint.ir.api.jvm.JIRType
 
 /**
- * [typedMethod] enables generic-type-argument matching in `TypeMatchesPattern`
- * atoms (see [JIRBasicAtomEvaluator.resolveGenericType]). When null, matching
- * falls back to erased-name comparison — type-arg predicates in the rule will
- * silently pass regardless of the runtime parameterization. Pass the typed
- * view of the analyzed method whenever available.
+ * [positionTypeResolver] enables generic-type-argument matching in
+ * `TypeMatchesPattern` atoms by resolving each position to a typed
+ * [JIRType]. When null, matching falls back to erased-name comparison —
+ * type-arg predicates in the rule will silently pass regardless of the
+ * runtime parameterization.
  */
 class JIRMarkAwareConditionRewriter(
     positionResolver: PositionResolver<CallPositionValue>,
     factTypeChecker: JIRFactTypeChecker,
     aliasAnalysis: JIRLocalAliasAnalysis?,
     statement: CommonInst,
-    typedMethod: JIRTypedMethod? = null,
+    positionTypeResolver: PositionResolver<JIRType?>? = null,
 ) {
-    private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement, typedMethod)
-    private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement, typedMethod)
+    private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement, positionTypeResolver)
+    private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement, positionTypeResolver)
 
     constructor(
         positionResolver: PositionResolver<CallPositionValue>,

core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt

@@ -29,15 +29,12 @@ import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis
 import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasAllocInfo
 import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasApInfo
 import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasInfo
-import org.opentaint.dataflow.configuration.jvm.matchType
-import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher
-import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher
+import org.opentaint.dataflow.configuration.jvm.match
 import org.opentaint.ir.api.common.cfg.CommonInst
 import org.opentaint.ir.api.common.cfg.CommonValue
 import org.opentaint.ir.api.jvm.JIRClassType
 import org.opentaint.ir.api.jvm.JIRRefType
 import org.opentaint.ir.api.jvm.JIRType
-import org.opentaint.ir.api.jvm.JIRTypedMethod
 import org.opentaint.ir.api.jvm.cfg.JIRBool
 import org.opentaint.ir.api.jvm.cfg.JIRCallExpr
 import org.opentaint.ir.api.jvm.cfg.JIRConstant
@@ -57,7 +54,7 @@ class JIRBasicAtomEvaluator(
     private val typeChecker: JIRFactTypeChecker,
     private val aliasAnalysis: JIRLocalAliasAnalysis?,
     private val statement: CommonInst,
-    private val typedMethod: JIRTypedMethod? = null,
+    private val positionTypeResolver: PositionResolver<JIRType?>? = null,
 ) : ConditionVisitor<Boolean> {
     override fun visit(condition: Not): Boolean = error("Non-atomic condition")
     override fun visit(condition: And): Boolean = error("Non-atomic condition")
@@ -356,12 +353,13 @@ class JIRBasicAtomEvaluator(
             }
         }
 
-        if (condition.typeArgs.isNotEmpty()) {
-            val genericType = resolveGenericType(value)
+        val typeArgs = condition.typeArgs
+        if (typeArgs != null) {
+            val genericType = positionTypeResolver?.resolve(condition.position)
             if (genericType is JIRClassType) {
-                if (genericType.typeArguments.size != condition.typeArgs.size) return false
-                return condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) ->
-                    matcher.matchType(arg) { name -> matchErasedName(name) }
+                if (genericType.typeArguments.size != typeArgs.size) return false
+                return typeArgs.zip(genericType.typeArguments).all { (matcher, arg) ->
+                    matcher.matchType(arg)
                 }
             }
             return true
@@ -370,53 +368,6 @@ class JIRBasicAtomEvaluator(
         return true
     }
 
-    private fun resolveGenericType(value: JIRValue): JIRType? {
-        val localVar = value as? JIRLocalVar ?: return null
-        val typedMethod = typedMethod ?: return null
-        val method = (statement as? JIRInst)?.location?.method ?: return null
-        val localVarNode = method.withAsmNode { methodNode ->
-            methodNode.localVariables?.find { lvn -> lvn.index == localVar.index }
-        } ?: return null
-        // typedMethod.typeOf can throw on unresolved references / malformed
-        // debug info; skip generic-aware matching rather than aborting the
-        // atom evaluation.
-        return try {
-            typedMethod.typeOf(localVarNode)
-        } catch (_: Exception) {
-            null
-        }
-    }
-
-    private fun SerializedTypeNameMatcher.matchErasedName(name: String): Boolean = when (this) {
-        is SerializedSimpleNameMatcher.Simple -> value == name || name.endsWith(".$value")
-        is SerializedSimpleNameMatcher.Pattern -> Regex(pattern).containsMatchIn(name)
-        is SerializedTypeNameMatcher.ClassPattern -> {
-            val lastDot = name.lastIndexOf('.')
-            val pkgName = if (lastDot >= 0) name.substring(0, lastDot) else ""
-            val clsName = if (lastDot >= 0) name.substring(lastDot + 1) else name
-            `package`.matchErasedName(pkgName) && `class`.matchErasedName(clsName)
-        }
-        is SerializedTypeNameMatcher.Array -> {
-            val nameWithout = name.removeSuffix("[]")
-            name != nameWithout && element.matchErasedName(nameWithout)
-        }
-        // A wildcard matcher is only meaningful at a type-argument slot; it has
-        // no erased-name projection to compare against a string.
-        is SerializedTypeNameMatcher.Wildcard -> false
-    }
-
-    private fun ConditionNameMatcher.match(name: String): Boolean = when (this) {
-        is ConditionNameMatcher.PatternEndsWith -> name.endsWith(suffix)
-        is ConditionNameMatcher.PatternStartsWith -> name.startsWith(prefix)
-        is ConditionNameMatcher.Simple -> match(name)
-    }
-
-    private fun ConditionNameMatcher.Simple.match(name: String): Boolean = when (this) {
-        is ConditionNameMatcher.Pattern -> pattern.containsMatchIn(name)
-        is ConditionNameMatcher.Concrete -> this.name == name
-        is ConditionNameMatcher.AnyName -> true
-    }
-
     private fun Position.eval(
         none: Boolean = false,
         value: (value: JIRValue) -> Boolean,

core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java

@@ -20,8 +20,8 @@ ResponseEntity<String> methodReturningResponseEntityString(String data) {
     }
 
     /**
-     * Wildcard ResponseEntity&lt;?&gt; is a valid Java construct that the rule
-     * pattern also expresses. Keeping it as a Positive to pin the current behavior.
+     * Wildcard ResponseEntity&lt;?&gt; trivially matches the &lt;?&gt; rule
+     * pattern.
      */
     final static class PositiveWildcard extends RuleWithWildcardGeneric {
         @Override
@@ -32,10 +32,12 @@ public void entrypoint() {
     }
 
     /**
-     * ResponseEntity&lt;String&gt; is a concrete parameterized form and must not
-     * match a wildcard &lt;?&gt; type argument in the rule pattern.
+     * ResponseEntity&lt;String&gt; is a concrete parameterization. Java's
+     * unbounded wildcard `?` is the supertype of any `X`, so `&lt;?&gt;`
+     * accepts any concrete type argument — `ResponseEntity&lt;String&gt;`
+     * matches.
      */
-    final static class NegativeConcreteDoesNotMatch extends RuleWithWildcardGeneric {
+    final static class PositiveConcreteMatchesWildcard extends RuleWithWildcardGeneric {
         @Override
         public void entrypoint() {
             String data = "tainted";

core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt

@@ -31,9 +31,10 @@ sealed interface TypeNamePattern {
     }
 
     /**
-     * Java unbounded wildcard `?` as a type argument. Unlike [AnyType], which
-     * is an unconstrained matcher that subsumes any type, [WildcardType] only
-     * matches an unbounded wildcard at the corresponding type-argument slot.
+     * Java unbounded wildcard `?` as a type argument. Java's `?` is the
+     * supertype of any concrete parameterization, so a `Foo<?>` pattern
+     * accepts any `Foo<X>` — semantically equivalent to [AnyType] at a
+     * type-argument slot.
      */
     @Serializable
     data object WildcardType : TypeNamePattern {

core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt

@@ -566,21 +566,16 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature(
         }
     }
 
-    // Convert return type to signature matcher (must apply to all builder paths)
+    // Encode the return-type constraint as an IsType condition on the Result
+    // position rather than on the signature matcher.
     val returnType = signature.returnType
     if (returnType != null) {
         val returnTypeFormula = typeMatcher(returnType, semgrepRuleTrace)
-        val returnTypeMatcher = when (returnTypeFormula) {
-            null -> null
-            is MetaVarConstraintFormula.Constraint -> returnTypeFormula.constraint
-            else -> null
-        }
-        if (returnTypeMatcher != null) {
+        if (returnTypeFormula != null) {
             for (builder in buildersWithMethodName) {
-                builder.signature = SerializedSignatureMatcher.Partial(
-                    params = null,
-                    `return` = returnTypeMatcher
-                )
+                builder.conditions += returnTypeFormula.toSerializedCondition { typeNameMatcher ->
+                    SerializedCondition.IsType(typeNameMatcher, PositionBase.Result)
+                }
             }
         }
     }
@@ -628,10 +623,6 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature(
             is Pattern -> {
                 TODO("Signature class name pattern")
             }
-
-            is SerializedTypeNameMatcher.Wildcard -> {
-                TODO("Signature class is a wildcard")
-            }
         }
 
         builders.mapTo(buildersWithClass) { builder ->
@@ -854,8 +845,8 @@ private fun TaintRuleGenerationCtx.typeMatcher(
             // Preserve arity of typeArgs: a metavar like $T or AnyType that
             // produces null still takes a slot in the type-arg list with an
             // "any" matcher, so the outer matcher remains distinguishable
-            // from a raw (zero-type-arg) form.
-            val serializedTypeArgs = typeName.typeArgs.map {
+            // from a raw (no-type-arg) form.
+            val serializedTypeArgs = typeName.typeArgs.takeIf { it.isNotEmpty() }?.map {
                 (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint<SerializedTypeNameMatcher>)?.constraint
                     ?: anyClassPattern()
             }
@@ -901,11 +892,11 @@ private fun TaintRuleGenerationCtx.typeMatcher(
             }
         }
 
-        is TypeNamePattern.AnyType -> null
-
-        is TypeNamePattern.WildcardType -> MetaVarConstraintFormula.Constraint(
-            SerializedTypeNameMatcher.Wildcard
-        )
+        // `<?>` is the supertype of any concrete parameterization, so a
+        // wildcard slot has the same matching semantics as an unconstrained
+        // matcher — collapse it into [AnyType] at translation time.
+        is TypeNamePattern.AnyType,
+        is TypeNamePattern.WildcardType -> null
 
         is TypeNamePattern.MetaVar -> {
             val constraints = metaVarInfo.constraints[typeName.metaVar]