Reimplement higher-order array ops as iterative WASM loops

[aallan]

Problem

Vera's higher-order array combinators — array_map, array_filter, array_fold, and the helpers array_map_go, array_filter_go, array_fold_go — are currently implemented in vera/prelude.py as recursive Vera functions that get inlined into every program that uses them. Each element processed = one recursive call = one stack frame on the GC shadow stack.

This directly caused #464 (the GC shadow stack overflow). The fix in #464 / #472 raised the shadow stack from 4K to 16K and added a bounds-checking trap, which lets ~1,365 recursive frames fit. But recursion-per-element is the wrong complexity class: the stack grows linearly with the input size, not with the logical nesting depth of the program. A 10,000-element array mapped twice (nested calls) will still blow the stack even at 16K.

When the new combinators proposed in #466 land — especially array_mapi, array_reverse, array_sort, array_index_of, array_find — adding them to prelude.py as recursive Vera would re-expose the same concern. The #464 fix is a defense-in-depth trap, not a cure.

Approach

Reimplement these combinators so each operation is O(1) shadow stack space regardless of input size:

1. Direct WASM iterative loops — like string_concat, string_slice, array_append already are. The WASM translator in vera/wasm/calls_strings.py, calls_arrays.py etc. emits a loop / br_if loop with a single local index.
2. Host imports for complex ops — array_sort in particular should be a host import (Python sorted() uses Timsort, battle-tested, O(n log n) — implementing sort in Vera is 50+ error-prone lines).

The iterative-WASM approach keeps the work inside the Vera module (no host round-trip for simple maps), gets O(1) shadow stack usage, and handles arbitrary input sizes. The host-import approach is right for cases where the algorithm is non-trivial (sorting) or where the host language has a better implementation.

Scope

• Existing combinators to migrate (from vera/prelude.py):
  • array_map / array_map_go
  • array_filter / array_filter_go
  • array_fold / array_fold_go
• New combinators from #466 — implement iteratively from the start:
  • array_mapi, array_reverse, array_sort, array_sort_by, array_flatten
  • array_contains, array_index_of, array_find, array_any, array_all

Implementation sketch

Each iterative combinator follows the same template in vera/wasm/calls_arrays.py (already exists as a mixin for the arrays domain). For array_map<A, B>(arr, fn):

(local $idx i32)
(local $len i32)
(local $dst i32)
...
;; Evaluate arr → (ptr, len) on stack; save.
;; Allocate dst: len * sizeof(B) bytes.
;; Loop: for idx in [0, len):
;;   load arr[idx] into locals matching B's WASM shape
;;   call the closure via call_indirect
;;   store result at dst[idx]
;; Push (dst, len) as the result.

The closure dispatch reuses the existing call_indirect infrastructure from vera/wasm/closures.py.

Why this matters

• Correctness: closes a class of bugs similar to #464. A well-typed, contract-verified Vera program should not have stack-size failure modes that depend on input size.
• Benchmark story: VeraBench tasks that map or filter large arrays would currently hit the 16K ceiling at deep-enough nesting. Moving to iterative ops lifts that ceiling to "memory" rather than "stack depth".
• Prerequisite for #466: the new combinators should land iteratively from day one, not as recursive prelude functions that need migrating later.

Priority

Do this before or as part of #466. Retrofitting the existing three (array_map / array_filter / array_fold) is a bonus that can land in the same PR or separately.

Testing

• Existing tests/test_codegen.py coverage for array_map / array_filter / array_fold continues to pass (pure behavioural test).
• Add a stress test: iterate over 10,000 elements without blowing the stack (would fail under the current recursive implementation).
• Conformance tests using higher-order array ops still pass at their declared level.

Related

• #464 — the original GC shadow stack overflow this prevents recurring.
• #472 — the defensive fix that raised the shadow stack ceiling.
• #466 — adds new array combinators that depend on this structural choice.

[aallan]

Implementation plan

Recording here so it survives across PRs and context switches.

Approach

Make the three combinators built-ins rather than prelude-injected Vera source. Three pieces:

1. Remove from prelude.py — delete array_map, array_map_go, array_filter, array_filter_go, array_fold, array_fold_go.
2. Register in environment.py — add FunctionInfo entries with forall<A, B> / forall<A, B, R> type params. Same shape as option_map.
3. Add translators to calls_arrays.py — _translate_array_map, _translate_array_filter, _translate_array_fold, emitting iterative WASM that uses existing call_indirect + $closure_sig_N infrastructure from wasm/closures.py.

Monomorphization falls out naturally: since these are no longer generic declarations in the AST, monomorphize.py skips them. Concrete element types reach the codegen translator because monomorphization runs before codegen — no TypeVars to chase.

WASM skeleton for array_map<A, B>(arr, fn)

;; Inputs: arr on stack as (ptr, len), fn as i32 closure handle
local.set $fn
local.set $arr_len
local.set $arr_ptr

;; Allocate output: len * sizeof(B)
local.get $arr_len
i32.const <sizeof(B)>
i32.mul
call $alloc
local.set $dst
<gc_shadow_push $dst>
<gc_shadow_push $fn>

;; Loop 0..len
i32.const 0
local.set $idx
block $brk
  loop $lp
    local.get $idx
    local.get $arr_len
    i32.ge_u
    br_if $brk

    ;; Compute dst slot address
    local.get $dst
    local.get $idx
    i32.const <sizeof(B)>
    i32.mul
    i32.add

    ;; Invoke closure: env + element → B
    local.get $fn                     ;; env
    <load arr[idx]>                   ;; element A (possibly pair)
    local.get $fn
    i32.load offset=0                 ;; func_table_idx
    call_indirect (type $closure_sig_N)

    ;; Store result at dst slot
    <store op for B>

    local.get $idx
    i32.const 1
    i32.add
    local.set $idx
    br $lp
  end
end

local.get $dst
local.get $arr_len

array_filter uses the same skeleton but tracks a separate out_len local (incremented only when the predicate returns true), and pushes (dst, out_len) at the end. array_fold has no output array — it initialises an acc local from the init arg, updates it each iteration, and pushes acc at the end.

Reused infrastructure

• _element_mem_size, _element_store_op, _element_load_op, _is_pair_element_type from wasm/helpers.py — already handle pair vs scalar element layouts.
• gc_shadow_push from wasm/helpers.py — keeps the output array and closure handle alive across the loop.
• $closure_sig_N registration from wasm/closures.py — emits matching type descriptors on first use.
• call_indirect sequence from _translate_apply_fn in wasm/closures.py — identical call-site shape inside the loop.

PR sequencing

Split by combinator for independent review and easy bisect:

1. PR 1: array_map — establishes the pattern. Most commonly used combinator, best-tested path. ~300 lines of codegen + tests.
2. PR 2: array_filter — smaller delta, same skeleton + accumulator for output length.
3. PR 3: array_fold — different shape (no output array, accumulator-typed result). Preserves test_array_fold_with_map_accumulator (i32_pair accumulator).

Testing strategy

Each PR:

• Existing tests pass unchanged — behavioural equivalence is the contract. 12 existing tests in tests/test_codegen_monomorphize.py::TestArrayOperations cover the three combinators.
• Stress test: process a 10,000-element array without blowing the stack (would fail under recursive impl, passes under iterative).
• Pair-element coverage: map/filter/fold over arrays of String or Array<Int>; fold with a Map<String, Int> accumulator.
• Closure-capture test: combinator with a closure that captures outer variables — ensures the environment is loaded correctly inside the loop body.

Scope excluded

• option_map, result_map, option_and_then, result_unwrap_or, option_unwrap_or stay in prelude.py. They operate on a single wrapped value, not a collection — no iterative win.
• New combinators from #466 are not added here; they follow the pattern established by this issue.
• No surface-syntax change — array_map(arr, fn) looks identical to users; only the generated WASM changes.