Address PR review findings on #673

aallan · Claude · aallan · commit 3bf7e7434384 · 2026-05-13T22:02:30.000+01:00
Comprehensive PR review (code-reviewer + pr-test-analyzer + comment-analyzer + silent-failure-hunter, all in parallel) surfaced 9 actionable items. Addressed 7, deferred 2 with reasons. **Critical** 1. **CHANGELOG test count** (comment-analyzer + code-reviewer). The Tests section said "5 new tests" but the class actually has 6 (the JSON sibling added in round 3 wasn't back- propagated). Updated to 6 with the new bullet. 2. **`host_html_parse` broad-except swallowed `_wrap_handle` invariant violations** (silent-failure-hunter). The `except Exception as exc:` at `vera/codegen/api.py:2784` converted any RuntimeError (including the new #578 range- check raise) into a user-domain `Result.Err` string, masking real invariant violations as "malformed HTML" errors. Narrowed to `(ValueError, TypeError, AttributeError)` matching the sibling `host_json_parse` pattern. **Important** 3. **`_wrap_handle` range guard had zero unit tests** (pr-test- analyzer, rating 7). Extracted the validator to a module- level `_validate_wrap_handle` helper so it can be unit- tested directly without standing up a wasmtime instance. `_wrap_handle` now calls the helper. Added 5 tests covering all failure modes: - `test_validate_wrap_handle_accepts_valid_range` (0, 1, 12345, 0x7FFFFFFE, 0x7FFFFFFF) - `test_validate_wrap_handle_rejects_negative` (-1, -12345) - `test_validate_wrap_handle_rejects_at_2gb_boundary` (0x80000000) - `test_validate_wrap_handle_rejects_above_32bit` (0x100000000, 0x100000001 — the round-1 bit-only check would have missed these) - `test_validate_wrap_handle_rejects_non_int` (None, "5", 1.5, [1], {}) 4. **GC mark phase missing defense-in-depth narrative** (silent- failure-hunter). The conservative scan's heap-range check relies on the disjointness invariant (`heap_ptr < 2 GiB` so tagged handles `>= 2 GiB` can never match). Added a substantial comment block at the scan site documenting the invariant and pointing at the two structural tests that pin it. Comment-only (no runtime cost in the GC hot path); the structural tests are the mechanical defense. **Comment accuracy** (comment-analyzer) 5. `test_json_round_trip_uses_host_side_mask` referenced `json_serde.py` line 213 by hardcoded number — drifts on any nearby edit. Replaced with the "unknown JObject handle" warning reference. 6. `2 GB` → `2 GiB` throughout (assembly.py + tests/test_ codegen.py). Strictly `0x80000000 = 2 GiB` (binary), not 2 GB (decimal = ~1.86 GiB). 7. `"Practical Vera programs use <100 MB"` was an unsubstantiated claim stated as fact. Reworded to `"Programs we have measured stay well below the 2 GiB ceiling"`. 8. The class docstring's `gc_heap_start (~147 KiB)` figure actually depends on the string-pool size (`data_end + 144 KiB`). Softened to `~144 KiB above the data section, so roughly 144 KiB plus the string-pool size`. **Deferred with reason** 9. `$alloc` heap-ceiling trap is bare `unreachable`, surfaces via the trap classifier as `"unreachable"` kind with the match-arm Fix message (silent-failure-hunter, Important). Polishing this requires either a host-import call from `$alloc` to populate `last_violation` (cost on the hot path) or a new classifier kind with a heuristic detector (brittle). Practical programs never reach this trap (heap << 2 GiB), so deferred. Marked with a TODO inside `assembly.py` as a Python comment (NOT a WAT comment — a WAT comment between `if` and `unreachable` would break the adjacent-sequence regex in `test_alloc_emits_heap_ceiling_ guard`). The other declined findings from the agents: - silent-failure-hunter `read_json` warn → raise (pre-existing behavior, separate concern) - silent-failure-hunter `_call_register_wrapper` early-return → assert (pre-existing pattern, out of scope) - silent-failure-hunter wasmtime trap-text enrichment (would need last_violation channel work; separate PR) - code-reviewer i32.add wraparound at heap-ceiling guard (confidence 60 — self-flagged; defended upstream by `memory.grow` and 31-bit-size invariant) Validation: pytest 3,874/3,874 ✓ (added 5 new tests), mypy clean, ruff S clean, all 18 pre-commit hooks green, doc-counts consistent (1,111 → 1,116 tests in test_codegen.py; total 3,899 → 3,904). Co-Authored-By: Claude <noreply@anthropic.invalid>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,7 +17,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Tests
 
-- `tests/test_codegen.py::TestWrapperHandleTagging578` — 5 new tests pinning the contract: (1) wrap site emits `i32.const 0x80000000; i32.or`, (2) unwrap site emits `i32.load offset=4; i32.const 0x7FFFFFFF; i32.and`, (3) `$alloc` body contains the heap-ceiling guard, (4) end-to-end wrap/unwrap round trip preserves the original handle (a Map insert + lookup), (5) `html_to_string` produces the correct length output — pinning that the host-side `read_html` mask is in place (without it the attribute dict lookup would miss and the rendered HTML would be missing the `title="..."` attribute).
+- `tests/test_codegen.py::TestWrapperHandleTagging578` — 6 new tests pinning the contract: (1) wrap site emits `i32.const 0x80000000; i32.or`, (2) unwrap site emits `i32.load offset=4; i32.const 0x7FFFFFFF; i32.and`, (3) `$alloc` body contains the heap-ceiling guard (ordered 8-instruction sequence pinned by adjacent-sequence regex), (4) end-to-end wrap/unwrap round trip preserves the original handle (a Map insert + lookup), (5) `html_to_string` produces the correct length output — pinning that the host-side `read_html` mask is in place (without it the attribute dict lookup would miss and the rendered HTML would be missing the `title="..."` attribute), (6) `json_stringify(JObject(...))` produces the correct length — sibling test for the host-side `read_json` mask (which lives in `vera/wasm/json_serde.py` and bypasses the WAT unwrap helper just like `read_html` does).
 
 ### Documentation
 
diff --git a/README.md b/README.md
@@ -181,7 +181,7 @@ cp /path/to/vera/SKILL.md ~/.claude/skills/vera-language/SKILL.md
 
 ## Project status
 
-Vera is in **active development** at v0.0.155 — 810+ commits, 155 releases, 3,899 tests, 96% code coverage, 86 conformance programs, 34 examples, and a 13-chapter specification. See **[HISTORY.md](HISTORY.md)** for how the compiler was built.
+Vera is in **active development** at v0.0.155 — 810+ commits, 155 releases, 3,904 tests, 96% code coverage, 86 conformance programs, 34 examples, and a 13-chapter specification. See **[HISTORY.md](HISTORY.md)** for how the compiler was built.
 
 The reference compiler — parser, AST, type checker, contract verifier (Z3), WASM code generator, module system, browser runtime, and runtime contract insertion — is working. The language specification is in draft across [13 chapters](spec/).
 
diff --git a/ROADMAP.md b/ROADMAP.md
@@ -4,7 +4,7 @@ Where the project is going.  See [HISTORY.md](HISTORY.md) for what's been built
 
 ## Where we are
 
-3,899 tests, 86 conformance programs, 34 examples, 13 spec chapters.
+3,904 tests, 86 conformance programs, 34 examples, 13 spec chapters.
 
 ## What's next
 
diff --git a/TESTING.md b/TESTING.md
@@ -6,7 +6,7 @@ This is the single source of truth for Vera's testing infrastructure, coverage d
 
 | Metric | Value |
 |--------|-------|
-| **Tests** | 3,899 across 32 files (~53,184 lines of test code; 3,869 passed + 16 stress, 14 skipped) |
+| **Tests** | 3,904 across 32 files (~53,241 lines of test code; 3,874 passed + 16 stress, 14 skipped) |
 | **Compiler code coverage** | 96% of 15,149 statements (CI minimum: 80%) |
 | **Conformance programs** | 86 programs across 9 spec chapters, validating every language feature |
 | **Example programs** | 34, all validated through `vera check` + `vera verify` |
@@ -58,7 +58,7 @@ python scripts/fix_allowlists.py --fix               # auto-fix stale allowlists
 | `test_ast.py` | 127 | 1,130 | AST transformation, node structure, serialisation, string escape sequences, ability declarations |
 | `test_checker.py` | 521 | 5,939 | Type synthesis, slot resolution, effects, effect subtyping, contracts, exhaustiveness, cross-module typing, visibility, error codes, string built-ins, generic rejection, IO operation types, Markdown types, Regex types, abilities, Map collection, Set collection, Decimal type, Json type, Html type, Http effect, Inference effect, removed legacy name regression |
 | `test_verifier.py` | 145 | 2,094 | Z3 verification, counterexamples, tier classification, call-site preconditions, branch-aware preconditions, pipe operator, cross-module contracts, match/ADT verification, decreases verification, mutual recursion, refined Bool/String/Float64 param sorts, **@Nat subtraction underflow obligation** (#520 — Path-A obligation discharge via requires/path-conditions/path-aware Z3 refutation, pure-literal exclusion, Int-Int and Nat-Int → Int exemptions) |
-| `test_codegen.py` | 1,111 | 18,861 | WASM compilation, arithmetic, Float64, Byte, arrays (incl. compound element types), ADTs, match (incl. nested patterns), generics, State\<T\>, Exn\<E\> handlers, control flow, strings, string escape sequences, IO (read\_line, read\_file, write\_file, args, exit, get\_env, sleep, time, stderr), bounds checking, quantifiers, assert/assume, refinement type aliases, pipe operator, string built-ins, built-in shadowing, parse\_nat Result, GC, Markdown host bindings, Regex host bindings, Map collection, Set collection, Decimal type, Json type, Html type, Http effect, Inference effect, Random effect, example round-trips, GC shadow stack overflow, **WASM tail-call optimization** (#517 — `return_call` emission for tail-position calls, 50K- and 1M-iteration stress, structural assertions on `return_call`/plain `call` boundary, **GC-aware TCO for allocating fns (#549 — `$gc_sp` restore before each `return_call`)**, postcondition-fallback regression (still reverts to plain `call`), analyzer unit tests covering Block-trailing / IfExpr-both-branches / MatchExpr-arm-bodies / let-value-NOT-marked / call-args-NOT-marked / ExprStmt-statement-NOT-marked / IfExpr-condition-NOT-marked / MatchExpr-scrutinee-NOT-marked) |
+| `test_codegen.py` | 1,116 | 18,918 | WASM compilation, arithmetic, Float64, Byte, arrays (incl. compound element types), ADTs, match (incl. nested patterns), generics, State\<T\>, Exn\<E\> handlers, control flow, strings, string escape sequences, IO (read\_line, read\_file, write\_file, args, exit, get\_env, sleep, time, stderr), bounds checking, quantifiers, assert/assume, refinement type aliases, pipe operator, string built-ins, built-in shadowing, parse\_nat Result, GC, Markdown host bindings, Regex host bindings, Map collection, Set collection, Decimal type, Json type, Html type, Http effect, Inference effect, Random effect, example round-trips, GC shadow stack overflow, **WASM tail-call optimization** (#517 — `return_call` emission for tail-position calls, 50K- and 1M-iteration stress, structural assertions on `return_call`/plain `call` boundary, **GC-aware TCO for allocating fns (#549 — `$gc_sp` restore before each `return_call`)**, postcondition-fallback regression (still reverts to plain `call`), analyzer unit tests covering Block-trailing / IfExpr-both-branches / MatchExpr-arm-bodies / let-value-NOT-marked / call-args-NOT-marked / ExprStmt-statement-NOT-marked / IfExpr-condition-NOT-marked / MatchExpr-scrutinee-NOT-marked) |
 | `test_codegen_contracts.py` | 32 | 576 | Runtime pre/postconditions, contract fail messages, old/new state postconditions |
 | `test_codegen_monomorphize.py` | 71 | 1,326 | Generic instantiation, type inference, monomorphization edge cases, ability constraint satisfaction (Eq/Ord/Hash/Show), operation rewriting (eq/compare), show/hash dispatch, ADT auto-derivation, array operations (slice/map/filter/fold) |
 | `test_codegen_closures.py` | 50 | 1,624 | Closure lifting, captured variables, higher-order functions, iterative-builder shadow-stack regressions (#570), closure return-value shadow-push balance for both i32-pair and i32-ADT branches across array_map and array_mapi, plus VERA_EAGER_GC injection self-test (#593), IndexExpr-of-FnCall element-type inference (#614), non-contiguous capture and walker-order miscompiles (#615) |
diff --git a/tests/test_codegen.py b/tests/test_codegen.py
@@ -15436,7 +15436,8 @@ class TestWrapperHandleTagging578:
 
     Pre-#578 the raw host handle (a small positive integer) was
     stored at offset 4.  For typical programs the handle stays
-    below `gc_heap_start` (~147 KiB) so the heap-range check
+    below `gc_heap_start` (~144 KiB above the data section, so
+    roughly 144 KiB plus the string-pool size) so the heap-range check
     rejects it.  But for very-long-running programs allocating
     >100K host handles per `execute()`, the handle counter could
     exceed `gc_heap_start` and (with the right alignment) be
@@ -15446,7 +15447,7 @@ class TestWrapperHandleTagging578:
     retention for long sessions.
 
     Post-#578 the handle is stored as `handle | 0x80000000` so
-    the in-heap field is always >= 2 GB, structurally outside
+    the in-heap field is always >= 2 GiB, structurally outside
     any heap-range check (the `$alloc` heap-ceiling guard
     enforces `heap_ptr < 0x80000000`).  The unwrap site ANDs
     with 0x7FFFFFFF to recover the raw handle.  Two host-side
@@ -15515,8 +15516,8 @@ def test_alloc_emits_heap_ceiling_guard(self) -> None:
 
         The structural counterpart to the wrap-site tag: the
         guard ensures `heap_ptr < 0x80000000` always, so tagged
-        handles (>= 2 GB) and heap pointers (< 2 GB) are
-        guaranteed disjoint.  Without this guard a 3+ GB heap
+        handles (>= 2 GiB) and heap pointers (< 2 GiB) are
+        guaranteed disjoint.  Without this guard a 3+ GiB heap
         could produce real pointers in the tagged-handle range,
         reintroducing the spurious-retention bug.
 
@@ -15568,7 +15569,7 @@ def test_alloc_emits_heap_ceiling_guard(self) -> None:
         )
         assert guard_match is not None, (
             f"Heap-ceiling guard sequence not found (ordered) in "
-            f"$alloc body.  Without it, a >2 GB heap would let "
+            f"$alloc body.  Without it, a >2 GiB heap would let "
             f"real heap pointers collide with the tagged-handle "
             f"pattern, reintroducing #578.  $alloc body:\n"
             f"{alloc_body[:2000]}"
@@ -15637,9 +15638,9 @@ def test_json_round_trip_uses_host_side_mask(self) -> None:
         helper.  Post-#578 that read sees the TAGGED value and
         must AND with 0x7FFFFFFF before looking up the host-side
         `map_store`.  Without the mask the lookup would miss,
-        `read_json` would fall through to the warning + empty-
-        dict path (`json_serde.py` line 213), and
-        `json_stringify` would emit `{}` instead of the object.
+        `read_json` would fall through to the "unknown JObject
+        handle" warning + empty-dict path, and `json_stringify`
+        would emit `{}` instead of the object.
         """
         source = """\
 public fn main(-> @Int)
@@ -15655,6 +15656,62 @@ def test_json_round_trip_uses_host_side_mask(self) -> None:
         # empty and json_stringify would emit `{}` = 2 characters.
         assert _run(source) == 14
 
+    # --- Unit tests for the _validate_wrap_handle helper ---
+    #
+    # The validator is module-scope in `vera/codegen/api.py` so it
+    # can be tested directly without standing up a wasmtime
+    # instance.  `_wrap_handle` (nested inside `execute()`) calls
+    # this helper.  These tests pin all 5 failure modes the
+    # validator rejects.
+
+    def test_validate_wrap_handle_accepts_valid_range(self) -> None:
+        """[0, 0x80000000) is the accepted range — no raise."""
+        from vera.codegen.api import _validate_wrap_handle
+        # Boundary lo, mid, boundary hi (last valid).
+        for raw in (0, 1, 12345, 0x7FFFFFFE, 0x7FFFFFFF):
+            _validate_wrap_handle(raw, kind=1, body_ptr=0x1000)
+
+    def test_validate_wrap_handle_rejects_negative(self) -> None:
+        """Negative ints have bit 31 set in two's complement."""
+        from vera.codegen.api import _validate_wrap_handle
+        with pytest.raises(RuntimeError, match="#578.*outside the valid"):
+            _validate_wrap_handle(-1, kind=1, body_ptr=0x1000)
+        with pytest.raises(RuntimeError, match="#578"):
+            _validate_wrap_handle(-12345, kind=2, body_ptr=0x2000)
+
+    def test_validate_wrap_handle_rejects_at_2gb_boundary(self) -> None:
+        """0x80000000 is the FIRST invalid value (range is half-open)."""
+        from vera.codegen.api import _validate_wrap_handle
+        with pytest.raises(RuntimeError, match="0x80000000"):
+            _validate_wrap_handle(0x80000000, kind=1, body_ptr=0x1000)
+
+    def test_validate_wrap_handle_rejects_above_32bit(self) -> None:
+        """Values >= 2^32 truncate on _write_i32 — must be caught here.
+
+        The pre-tightening (round 1) bit-31-only check let these
+        through: `0x100000001 & 0x80000000 == 0`, so the check
+        passed, but `_write_i32` would truncate to `0x00000001`
+        and the unwrap mask would return that — a silent wrong
+        handle.
+        """
+        from vera.codegen.api import _validate_wrap_handle
+        with pytest.raises(RuntimeError, match="#578"):
+            _validate_wrap_handle(0x100000000, kind=1, body_ptr=0x1000)
+        with pytest.raises(RuntimeError, match="#578"):
+            _validate_wrap_handle(0x100000001, kind=1, body_ptr=0x1000)
+
+    def test_validate_wrap_handle_rejects_non_int(self) -> None:
+        """Non-int sentinels surface here, not deeper in the stack.
+
+        Without the isinstance check, `None` / `"5"` / etc. would
+        raise `TypeError` from the bitwise `&` operation in the
+        old check, producing a less actionable error.
+        """
+        from vera.codegen.api import _validate_wrap_handle
+        for bad in (None, "5", 1.5, [1], {}):
+            with pytest.raises(RuntimeError, match="#578"):
+                _validate_wrap_handle(bad, kind=1, body_ptr=0x1000)
+
 
 # =====================================================================
 # @Nat subtraction underflow runtime guard (#520)
diff --git a/vera/codegen/api.py b/vera/codegen/api.py
@@ -40,6 +40,53 @@ class ConstructorLayout:
     total_size: int  # total bytes, 8-byte aligned
 
 
+def _validate_wrap_handle(
+    raw_handle: object, kind: int, body_ptr: int,
+) -> None:
+    """#578 invariant: raw_handle must fit in 31 unsigned bits.
+
+    Wrapper ADTs store ``raw_handle | 0x80000000`` at body offset 4 so
+    the in-heap field is structurally outside the conservative-scan
+    heap-range check (`heap_ptr` is hard-capped at 0x80000000 by the
+    `$alloc` heap-ceiling guard).  The unwrap site recovers the raw
+    handle with ``& 0x7FFFFFFF``.  Both directions break silently
+    outside ``[0, 0x80000000)``:
+
+    - Negative ints have bit 31 set in two's complement.
+      ``raw_handle | 0x80000000`` is a no-op and the unwrap mask
+      returns the WRONG handle.
+    - Values ``>= 0x80000000`` alias into the top half and collide
+      with the tag-bit pattern.
+    - Values ``>= 0x100000000`` truncate on ``_write_i32`` and
+      silently lose information.
+    - Non-int values would ``TypeError`` deeper in the stack;
+      catching them here makes the diagnostic actionable.
+
+    Practical alloc counters are bounded well below 2^31 — a 2B-handle
+    session is wall-clock infeasible — but a silent round-trip
+    failure is exactly the corruption class #578 sought to eliminate.
+    Fail fast.
+
+    Module-level helper so it can be unit-tested directly without
+    standing up a wasmtime instance (``_wrap_handle`` is nested
+    inside ``execute()`` and not importable on its own).
+    """
+    if not (
+        isinstance(raw_handle, int)
+        and 0 <= raw_handle < 0x80000000
+    ):
+        raise RuntimeError(
+            f"#578: raw_handle={raw_handle!r} (kind={kind!r}, "
+            f"body_ptr={body_ptr!r}) is outside the valid "
+            f"range [0, 0x80000000); cannot tag for the "
+            f"conservative-scan disjointness invariant.  "
+            f"Host-store handle counters must be unsigned "
+            f"31-bit integers.  Either a counter overflowed, "
+            f"a negative sentinel flowed in, or a non-integer "
+            f"value flowed into _wrap_handle."
+        )
+
+
 def _wasm_type_size(wt: str) -> int:
     """Byte size of a WASM value type."""
     if wt == "i32":
@@ -956,37 +1003,11 @@ def _wrap_handle(
             raise ValueError(f"#573: unknown wrap kind {kind}")
         body_ptr = _call_alloc(caller, _WRAPPER_BODY_SIZE)
         _write_i32(caller, body_ptr, tag)
-        # #578 invariant: raw_handle must be an unsigned 31-bit
-        # integer so ``raw_handle | 0x80000000`` round-trips
-        # cleanly through the unwrap mask ``& 0x7FFFFFFF`` and
-        # through ``_write_i32``'s 32-bit truncation.  Both
-        # directions break silently outside [0, 0x80000000):
-        # - Negative ints have bit 31 set in two's complement,
-        #   so `_write_i32` truncates and the unwrap returns a
-        #   wrong handle.
-        # - Values >= 0x80000000 alias into the top half and
-        #   collide with the tag-bit pattern.
-        # - Values >= 0x100000000 wrap on ``_write_i32`` and
-        #   silently truncate to a wrong handle.
-        # Practical alloc counters are bounded well below 2^31
-        # — a 2B-handle session is wall-clock infeasible — but
-        # a silent round-trip failure is exactly the kind of
-        # latent corruption #578 itself sought to eliminate.
-        # Fail fast.
-        if not (
-            isinstance(raw_handle, int)
-            and 0 <= raw_handle < 0x80000000
-        ):
-            raise RuntimeError(
-                f"#578: raw_handle={raw_handle!r} (kind={kind!r}, "
-                f"body_ptr={body_ptr!r}) is outside the valid "
-                f"range [0, 0x80000000); cannot tag for the "
-                f"conservative-scan disjointness invariant.  "
-                f"Host-store handle counters must be unsigned "
-                f"31-bit integers.  Either a counter overflowed, "
-                f"a negative sentinel flowed in, or a non-integer "
-                f"value flowed into _wrap_handle."
-            )
+        # #578: validate raw_handle is in the unsigned-31-bit range
+        # before tagging.  See ``_validate_wrap_handle`` at module
+        # scope (extracted so unit tests can exercise the 5 failure
+        # modes without standing up a wasmtime instance).
+        _validate_wrap_handle(raw_handle, kind, body_ptr)
         # #578: store the handle ORed with 0x80000000 so the
         # in-heap field can't be mistaken for a heap pointer by
         # the conservative GC scan.  Mirrors the WAT-side
@@ -2781,7 +2802,16 @@ def host_html_parse(
                         _alloc_string, _alloc_map_wrapper, root,
                     )
                     return _alloc_result_ok_i32(caller, html_ptr)
-                except Exception as exc:
+                except (ValueError, TypeError, AttributeError) as exc:
+                    # Narrow catch matches `host_json_parse` above —
+                    # parser failures surface as Result.Err.  We
+                    # deliberately do NOT catch invariant violations
+                    # (e.g. the `_wrap_handle` RuntimeError from #578
+                    # for an out-of-range handle, or any AssertionError
+                    # from internal compiler bugs); those propagate
+                    # to wasmtime as traps so the diagnostic text
+                    # reaches the user instead of being repackaged
+                    # as a user-domain parse error.
                     return _alloc_result_err_string(caller, str(exc))
 
             linker.define_func(
diff --git a/vera/codegen/assembly.py b/vera/codegen/assembly.py
