tomoaki/hakorune
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(joinir): Phase 135 P1 - Contract checks Fail-Fast (二度と破れない設計)

Browse Source 
## Summary
Adds early Fail-Fast contract verification to prevent Phase 135 P0 issues from recurring.
Two new verifiers catch allocator SSOT violations and boundary inconsistencies before --verify.

## Changes

### Step 1: verify_condition_bindings_consistent
**Location**: `src/mir/builder/control_flow/joinir/merge/contract_checks.rs`

**Contract**: condition_bindings can have aliases (multiple names for same join_value),
but same join_value with different host_value is a violation.

**Example Error**:
```
[JoinIRVerifier/Phase135-P1] condition_bindings conflict:
  join_value ValueId(104) mapped to both ValueId(12) and ValueId(18)
```

**Catches**: ConditionLoweringBox bypassing SSOT allocator before BoundaryInjector

### Step 2: verify_header_phi_dsts_not_redefined
**Location**: `src/mir/builder/control_flow/joinir/merge/contract_checks.rs`

**Contract**: Loop header PHI dst ValueIds must not be reused as dst in non-PHI instructions.
Violation breaks MIR SSA (PHI dst overwrite).

**Example Error**:
```
[JoinIRVerifier/Phase135-P1] Header PHI dst ValueId(14) redefined by non-PHI instruction in block 3:
  Instruction: Call { dst: Some(ValueId(14)), ... }
```

**Catches**: ValueId collisions between header PHI dsts and lowered instructions

### Integration
**Location**: `src/mir/builder/control_flow/joinir/merge/mod.rs`

Added to `verify_joinir_contracts()`:
1. Step 1 runs before merge (validates boundary)
2. Step 2 runs after merge (validates func with PHI dst set)

### Documentation
- Updated `phase135_trim_mir_verify.sh` - Added P1 contract_checks description
- Updated `phase-135/README.md` - Added P1 section with contract details and effects

## Acceptance
 Build: SUCCESS
 Smoke: phase135_trim_mir_verify.sh - PASS
 Regression: phase132_exit_phi_parity.sh - 3/3 PASS
 Regression: phase133_json_skip_whitespace_llvm_exe.sh - PASS

## Effect
- **Prevention**: Future Box implementations catch SSOT violations immediately
- **Explicit Errors**: Phase 135-specific messages instead of generic --verify failures
- **Unbreakable**: Debug builds always detect violations, enforced by CI/CD

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
nyash-codex
2025-12-15 19:25:33 +09:00
parent b4ef8a0023
commit 22b0c14adb
4 changed files with 180 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
src/mir/builder/control_flow/joinir/merge/contract_checks.rs
View File

@ -2,6 +2,7 @@ use super::LoopHeaderPhiInfo;
use crate::mir::join_ir::lowering::inline_boundary::JoinInlineBoundary;
use crate::mir::join_ir::lowering::join_value_space::{LOCAL_MAX, PARAM_MAX, PARAM_MIN};
use crate::mir::{BasicBlockId, MirFunction, MirInstruction, ValueId};
use std::collections::HashMap;
#[cfg(debug_assertions)]
pub(super) fn verify_loop_header_phis(
@ -279,3 +280,110 @@ pub(super) fn verify_valueid_regions(loop_info: &LoopHeaderPhiInfo, boundary: &J
}
}
}
/// Phase 135 P1 Step 1: Verify condition_bindings consistency (alias allowed, conflict fails)
///
/// # Contract
///
/// condition_bindings can have multiple names (aliases) pointing to the same join_value,
/// but if the same join_value appears with different host_value, it's a contract violation.
///
/// This catches merge-time inconsistencies before BoundaryInjector tries to inject Copy
/// instructions, preventing MIR SSA breakage.
///
/// # Example Valid (alias):
/// ```text
/// condition_bindings: [
/// { name: "is_char_match", join_value: ValueId(104), host_value: ValueId(12) },
/// { name: "char", join_value: ValueId(104), host_value: ValueId(12) } // Same host_value - OK
/// ]
/// ```
///
/// # Example Invalid (conflict):
/// ```text
/// condition_bindings: [
/// { name: "is_char_match", join_value: ValueId(104), host_value: ValueId(12) },
/// { name: "char", join_value: ValueId(104), host_value: ValueId(18) } // Different host_value - FAIL
/// ]
/// ```
///
/// # Panics
///
/// Panics if the same join_value has conflicting host_value mappings.
#[cfg(debug_assertions)]
pub(super) fn verify_condition_bindings_consistent(boundary: &JoinInlineBoundary) {
let mut join_to_host: HashMap<ValueId, ValueId> = HashMap::new();
for binding in &boundary.condition_bindings {
if let Some(&existing_host) = join_to_host.get(&binding.join_value) {
if existing_host != binding.host_value {
panic!(
"[JoinIRVerifier/Phase135-P1] condition_bindings conflict: join_value {:?} mapped to both {:?} and {:?}\n\
Binding names with conflict: check all bindings with join_value={:?}\n\
Contract: Same join_value can have multiple names (alias) but must have same host_value.\n\
Fix: Ensure ConditionLoweringBox uses SSOT allocator (ConditionContext.alloc_value).",
binding.join_value, existing_host, binding.host_value, binding.join_value
);
}
} else {
join_to_host.insert(binding.join_value, binding.host_value);
}
}
}
/// Phase 135 P1 Step 2: Verify header PHI dsts are not redefined by non-PHI instructions
///
/// # Contract
///
/// Loop header PHI dst ValueIds must not be reused as dst in non-PHI instructions.
/// This prevents "PHI dst overwrite" where a Copy/BinOp/etc. instruction redefines
/// the PHI result, breaking MIR SSA.
///
/// # Example Invalid:
/// ```text
/// bb3 (header):
/// %14 = phi [%2, bb1], [%28, bb8] // Header PHI
/// %16 = copy %0
/// %14 = call %16.length() // INVALID: Redefines PHI dst %14
/// ```
///
/// This typically happens when:
/// - ConditionLoweringBox bypasses SSOT allocator and reuses PHI dst ValueIds
/// - JoinIR merge incorrectly remaps values to PHI dst range
///
/// # Panics
///
/// Panics if any header PHI dst is redefined by a non-PHI instruction in the function.
#[cfg(debug_assertions)]
pub(super) fn verify_header_phi_dsts_not_redefined(
func: &MirFunction,
header_block: BasicBlockId,
phi_dsts: &std::collections::HashSet<ValueId>,
) {
if phi_dsts.is_empty() {
return; // No PHI dsts to protect
}
// Check all blocks for non-PHI instructions that redefine PHI dsts
for (block_id, block) in &func.blocks {
for instr in &block.instructions {
// Skip PHIs in header block (they're the definitions we're protecting)
if *block_id == header_block && matches!(instr, MirInstruction::Phi { .. }) {
continue;
}
// Check if this instruction redefines a PHI dst
if let Some(dst) = get_instruction_dst(instr) {
if phi_dsts.contains(&dst) {
panic!(
"[JoinIRVerifier/Phase135-P1] Header PHI dst {:?} redefined by non-PHI instruction in block {}:\n\
Instruction: {:?}\n\
Contract: Header PHI dsts must not be reused as dst in other instructions.\n\
Fix: Ensure ConditionLoweringBox uses SSOT allocator (ConditionContext.alloc_value) to avoid ValueId collisions.",
dst, block_id.0, instr
);
}
}
}
}
}

11
src/mir/builder/control_flow/joinir/merge/mod.rs
View File

@ -1065,9 +1065,20 @@ fn verify_joinir_contracts(
loop_info: &LoopHeaderPhiInfo,
boundary: &JoinInlineBoundary,
) {
// Phase 135 P1 Step 1: Verify condition_bindings consistency (before merge)
contract_checks::verify_condition_bindings_consistent(boundary);
contract_checks::verify_loop_header_phis(func, header_block, loop_info, boundary);
verify_no_phi_dst_overwrite(func, header_block, loop_info); // Phase 204-2
verify_phi_inputs_defined(func, header_block); // Phase 204-3
contract_checks::verify_exit_line(func, exit_block, boundary);
contract_checks::verify_valueid_regions(loop_info, boundary); // Phase 205-4
// Phase 135 P1 Step 2: Verify header PHI dsts not redefined (after merge)
let phi_dsts: std::collections::HashSet<_> = loop_info
.carrier_phis
.values()
.map(|entry| entry.phi_dst)
.collect();
contract_checks::verify_header_phi_dsts_not_redefined(func, header_block, &phi_dsts);
}