fix(opt): ir_to_arm returns Result — panic-free optimized path, fuzz re-gated#132
Merged
Conversation
`ir_to_arm`'s `get_arm_reg` closure panicked ("synth internal compiler
error: vreg vN has no assigned ARM register...") when an IR vreg had no
mapping and no spill slot. PR #101 introduced that panic — correct then
(a loud crash beats a silent R0-fallback miscompilation), but it was the
last remaining panic site in the optimized lowering path.
Convert the `panic!` into `Err(Error::synthesis(...))` carrying the same
issue-#93 diagnostic, and change `ir_to_arm`'s signature from
`Vec<ArmOp>` to `Result<Vec<ArmOp>>`. All 166 `get_arm_reg` call sites
propagate via `?`. The defensive check is preserved — a genuine
`wasm_to_ir` bug still surfaces as a rich typed error, it just no longer
kills the process.
Callers updated: `arm_backend.rs` folds the `ir_to_arm` step into the
existing `optimize_full` fallback so an `Err` falls back to the direct
selector (honest degradation, same as the issue-#120 float path); the
`wasm_ops_lower_or_error` fuzz harness skips on `Err`. New regression
test `regression_ir_to_arm_panic_free` confirms a hand-built IR with an
unmapped src vreg now yields `Err` (not a panic) and that the error
keeps its issue-#93 diagnostic content.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The harness was demoted to `gating: false` in PR #117 pending the issue-#121 slot_stack refactor. That refactor landed, and the last panic site in the optimized path — `ir_to_arm`'s defensive `get_arm_reg` — now returns `Result` instead of `panic!`-ing. The whole `optimize_full` + `ir_to_arm` path is panic-free, so the harness (contract: "lower or Err, never panic") gates again. Update the matrix comment accordingly. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
Sibling fix to the panic-free `ir_to_arm` work in this PR: the `pop_i32_unary!` macro inside `wasm_to_ir` still used `.expect(...)`, which the earlier slot_stack Result conversion missed because the `.expect(...)` ended with `,` (the macro pattern) rather than `;` (the statement pattern the original sed targeted). The re-gated `wasm_ops_lower_or_error` fuzz harness — re-promoted to gating in this PR — found a malformed input that slips past the pre-flight check and reaches an i32 unary op via `pop_i32_unary!`, triggering the leftover `.expect()` panic. Converted to `.ok_or_else(...)?` matching `pop_i32_binary!`'s shape so the function-level `Result` propagates instead of panicking. This is exactly the bug class re-gating the harness exists to catch — the gating fuzz did its job here.
The catch-all comment still described downstream consumers failing 'loudly via slot_stack.pop().expect(...)'. After the Result conversion and the pop_i32_unary! macro fix in this PR, no .expect() remains; unknown-op back-references now surface as a typed Err via .ok_or_else(...)?. Same bug-finder semantics, different failure mode. The comment now matches the code.
Contributor
Author
|
Two follow-ups pushed: b47eaae fixes the leftover |
avrabe
added a commit
that referenced
this pull request
May 30, 2026
#185) Two fuzz/lint fixes surfaced while landing #180: - #185: `encoder_no_panic` found a pre-existing panic — feeding PC (R15) as a data operand to a Thumb-2 op guarded by `verify_reg_bits` aborts under `-Cdebug-assertions`. Convert the 11 `verify_reg_bits` debug-assert sites to a fallible `reg_bits_checked() -> Result<()>` that returns a typed Err, matching the established "return Err, not panic" pattern (#101/#120/#132). Add a deterministic unit test + seed the crash input into the fuzz corpus. - Clippy (CI rust 1.96.0) flagged a collapsible `if let { if }` in the #167 wast_compile test; rewrite as a let-chain. The encoder has further pre-existing totality gaps (arithmetic underflow in ARM32 BCond offset, etc.) tracked in #186 — out of scope for this bugfix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
avrabe
added a commit
that referenced
this pull request
May 30, 2026
…cause #180, re-enable optimized memory path (#183) * fix(encoder): high-register Thumb ADD/ADDS/SUBS use 32-bit .W form (#180) Root-cause of the optimized linear-memory miscompilation (#178, mitigated in #179 by declining memory ops). The bug was in the Thumb *encoder*, not the optimizer lowering: `ArmOp::Add` (and `Adds`/`Subs`) reg-forms unconditionally emitted the 16-bit encoding, whose 3-bit register fields overflow for high registers. The MemLoad/MemStore base scratch is R12, so `add ip, ip, r0` was emitted as the corrupt `adds r4, r5, r1` (0x186C) — silently dropping the address operand, making every optimized pointer-deref read/write a fixed address. (i64 `Adds`/`Subs` low-word ops hit the same class via R8-R11 pairs.) Fix: guard the 16-bit form on rd/rn/rm < 8 and fall back to 32-bit ADD.W/ADDS.W/SUBS.W for high registers, exactly as the Sub handler already did. - arm_encoder.rs: high-reg guards + encode_thumb32_adds/subs_reg_raw helpers - optimizer_bridge.rs: remove the #179 decline + is_linear_memory_op (obsolete) - byte-level encoder regression tests (EB0C 0C00 / EB1A 0A08 / EBBA 0A08) - re-enable the 4 #[ignore]d issue_104 memory CSE tests - audit_optimized_aapcs: re-assert optimized memory codegen (not the decline) - wast_compile: rewrite the #178 CLI test to verify the address operand is used (no corrupt 6C 18; contains add.w ip, ip, rN) instead of byte-equality Verified: optimized `i32.load`/`i32.store` of a pointer param now lowers to `movw/movt ip; add.w ip, ip, r0; ldr/str [ip,#off]` (byte-checked via objdump), matching --no-optimize semantics. Full suite: 1282 passed, 0 failed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * chore(release): v0.11.4 — workspace pin sweep + CHANGELOG (#180) Bump [workspace.package] version and every path-dep version pin 0.11.3 → 0.11.4 in lockstep (Cargo.toml ×11 + MODULE.bazel + Cargo.lock), per the mandatory pre-tag pin-sweep. CHANGELOG [0.11.4] with falsification statement. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(encoder): return Err (not panic) on PC operand; fix collapsible-if (#185) Two fuzz/lint fixes surfaced while landing #180: - #185: `encoder_no_panic` found a pre-existing panic — feeding PC (R15) as a data operand to a Thumb-2 op guarded by `verify_reg_bits` aborts under `-Cdebug-assertions`. Convert the 11 `verify_reg_bits` debug-assert sites to a fallible `reg_bits_checked() -> Result<()>` that returns a typed Err, matching the established "return Err, not panic" pattern (#101/#120/#132). Add a deterministic unit test + seed the crash input into the fuzz corpus. - Clippy (CI rust 1.96.0) flagged a collapsible `if let { if }` in the #167 wast_compile test; rewrite as a let-chain. The encoder has further pre-existing totality gaps (arithmetic underflow in ARM32 BCond offset, etc.) tracked in #186 — out of scope for this bugfix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * style(backend): fix doc_lazy_continuation in #167 test doc comment CI clippy (rust 1.96.0) flags `-D clippy::doc-lazy-continuation`: the doc line starting with `>= num_imports` reads as a malformed blockquote. Wrap it in a code span so no doc line begins with `>`. Pre-existing on main; unblocks the v0.11.4 Clippy gate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes synth's optimized ARM lowering path (
ir_to_arm) panic-free on malformed input — the last remaining panic site in that pipeline — and re-promotes thewasm_ops_lower_or_errorfuzz harness to gating. Closes debt open since v0.3.1.Background
wasm_to_irwas hardened across v0.3.1/v0.4.0 (returnsResult, pre-flightwasm_stack_check). Butir_to_arm'sget_arm_regclosure stillpanic!'d on an unmapped vreg (the PR #101 defensive panic). Because of that,wasm_ops_lower_or_errorwas demoted togating: falsein PR #117 and never re-promoted.Part 1 —
ir_to_armpanic-freeir_to_arm(...) -> Vec<ArmOp>→-> Result<Vec<ArmOp>>.get_arm_reg: thepanic!becameErr(Error::synthesis(...)), preserving the exact issue-memset/memcpy/memmove i64-codegen produces non-terminating loop on Cortex-M (silicon-blocking) #93 diagnostic. The mapped / spilled branches returnOk.?through all 166get_arm_regcall sites inir_to_arm.arm_backend.rsfoldsir_to_arminto the existingoptimize_full().and_then(...)chain — anErrfalls back to the direct selector (honest degradation, same shape as the issue-wasm_to_ir: unmapped vreg panic still trips on compiler_builtins (float::div) and gale_compute_ipi_mask after v0.2.1's #97 memset fix #120 float fallback, not a silent R0 swallow). The fuzz harness skips onErr.The defensive check is not removed — it's converted panic→Err. A malformed-input case and a genuine internal bug both now yield a typed
Errwith the rich diagnostic. The harness contract ("lower or Err, never panic") is satisfied.Part 2 — fuzz re-gated
.github/workflows/fuzz-smoke.yml:wasm_ops_lower_or_errorflippedgating: false→gating: true; the issue-#121/PR-#117 demote comment replaced with a note thatir_to_armnow returnsResult.Part 3 — regression test
New
crates/synth-synthesis/tests/regression_ir_to_arm_panic_free.rs, 5 tests: mixed i32 arith/shift, type-mismatched i64, i64-extend-into-shift, well-formed-program-lowers-to-Ok, and a hand-built IR instruction (Addwith unproduced src vregs) that reachesget_arm_reg's defensive branch directly and confirms it yieldsErr(with a diagnostic-content assertion) rather than panicking.Note: the
optimize_fullpre-flight catches WASM-op-level malformed shapes beforeir_to_arm; the hand-built-IR test is what exercises the now-Errpath directly.Validation
cargo test --workspace --exclude synth-verify— 0 regressions (+5 tests).cargo clippy --workspace --exclude synth-verify --all-targets -- -D warnings— clean.cargo fmt --check— clean.Test plan
wasm_ops_lower_or_errorfuzz harness🤖 Generated with Claude Code