Conway's Life at 12x30 still corrupts strings from gen 1 onwards (additional trigger beyond #588)

[aallan]

Summary

After #588 fixed the captured-Array<T>-indexing-in-closure bug, the BUG_REPORT.md repro_min.vera and repro_nested.vera minimum reproducers run cleanly. However, the full Conway's Game of Life implementation (12×30 grid, 200 generations, recursive run_loop with IO.print and IO.sleep between frames) still produces silent string corruption from generation 1 onwards.

The bug report itself acknowledged this gap:

However, scaling this up to a real Conway's Game of Life implementation (12×30 grid, eight neighbour reads through a wrap-aware cell_at, array_mapi-of-array_mapi for the next-generation step, recursive run_loop with IO.print and IO.sleep between frames) still produces the trap or — more often — silent corruption where render_cell is bypassed and raw Bool bytes (�/�) leak into IO.print, which then chokes with UnicodeDecodeError. The minimum repros do not reproduce that variant. Either there is an additional trigger I haven't isolated or there are multiple closely-related codegen bugs.

#588's fix removes the UnicodeDecodeError (the v0.0.136 errors="replace" defensive layer surfaces invalid bytes as U+FFFD characters in output rather than crashing Python — see #589), but the underlying memory-corruption trigger remains.

Current symptom (post-#588 fix)

Running vera run life_full_program.vera with the BUG_REPORT.md attachment:

• Generation 0 renders cleanly (initial grid is correct).
• Generation 1+ shows widespread U+FFFD characters interleaved with valid block characters.
• ANSI escape sequences (\u{1B}[2J\u{1B}[H) appear partially stripped — the escape character (0x1B) is replaced/lost while the rest ([2J[H) leaks into stdout as visible text.

Bisection so far

I built a series of progressively-larger Life subsets and confirmed each works post-#588:

1. step alone (one array_mapi-of-array_mapi next-grid step over a 3×3 grid, no rendering, no recursion) — works.
2. render_grid (Array<Array> → String, no captures of grids) — works.
3. step + render_grid + one print step at 3×3 — works.
4. step + render_grid + one print step at 12×30 with full Life infrastructure (cell_at, count_neighbors, next_cell, make_initial) — works.
5. Mini Life with recursive run_loop at 3×3 over 2 generations — works.
6. Full Life at 12×30 with recursive run_loop over 200 generations — fails from generation 1+.

The bisection narrows the trigger to the combination of: 12×30 grid scale + recursive run_loop with allocating next_grid argument across the recursive call boundary. Smaller scales (~5×5) or non-recursive sweeps work cleanly.

Plausible hypothesis

The corruption pattern (full-block characters intact + U+FFFD between them + missing escape bytes) suggests per-byte string corruption inside the rendered output buffer rather than wholesale heap reuse. Plausible mechanisms:

1. GC reclamation of in-flight strings during string_join / string_concat while the destination buffer is still being filled. The rendered grid is built up via nested array_map over Strings; intermediate Array<String> values held only on the WASM operand stack across a string_join call could be swept if the operand stack isn't fully shadow-stack-rooted.

2. Shadow-stack overflow at scale — 12×30 = 360 inner-closure invocations × 8 neighbour calls × 5 contract violations or so per generation. If shadow-stack-pushes for in-flight String results aren't paired with pops, the stack could overflow and wrap, corrupting later rooting.

3. Closure-env corruption across allocating recursive call — run_loop(next_grid(@Array<Array<Bool>>.0), …) allocates a fresh grid as the first arg; if the closures inside next_grid capture pointers that get invalidated by the very allocation that's producing the new grid, captures could see freed memory.

Hypothesis 1 (GC during string_join) is the most likely candidate based on the corruption shape (per-byte rather than per-pointer).

Reproducer

Attached life_full_program.vera from the original BUG_REPORT.md. Bisection scripts reside in /tmp from the #588 investigation but are not preserved. To reproduce:

vera run life_full_program.vera   # interrupt after a few seconds
# Generation 0 renders cleanly; from Generation 1+, output is corrupt.

Acceptance

• Full Life program runs to completion across 200 generations with a clean rendered grid at every step.
• A new conformance test that reliably reproduces the residual trigger at the smallest possible scale.
• Any GC-rooting / shadow-stack / closure-capture invariant that needed strengthening is documented in the codegen comments.

Related

• #588 — captured-Array<T>-indexing-in-closure (closed in v0.0.137).
• #589 — host-runtime UTF-8 hygiene (closed in v0.0.136). Provides the errors="replace" defensive layer that prevents the residual corruption from escaping as a Python traceback.
• #570 — iterative-builder shadow-stack overflow (closed in v0.0.133). Different shape but adjacent to hypothesis 2.
• BUG_REPORT.md (attached to Indexing a captured Array<T> inside a closure body produces invalid WASM #588) explicitly acknowledged this as an unisolated additional trigger.

[aallan]

Investigation update (post-#588 fix, 2026-05-07)

Confirmed the bug still fires on current main. Also confirmed two distinct manifestations of what appears to be the same underlying bug class.

Reproducers

1. Original life_full_program.vera (from the BUG_REPORT.md attachment): completes all 200 generations, exits cleanly (exit code 0), but stdout contains 6,320 U+FFFD replacement characters scattered across frames. This is the canonical "silent corruption" symptom described in the issue body — the v0.0.136 errors="replace" defensive layer (host_print / host_stderr / host_contract_fail crash with raw Python UnicodeDecodeError on invalid UTF-8 bytes #589) substitutes U+FFFD for invalid UTF-8 instead of throwing, masking the corruption from the user as anything other than visible glyphs.

2. A rebuilt minimal Life (no ANSI escapes, no IO.sleep, no let-binding for the rendered Array): crashes hard at gen ~20 with wasm trap: undefined element: out of bounds table access.

Both reproducers exercise the same code shape (12×30 grid, recursive run_loop with allocating arg, array_mapi-of-array_mapi step, array_map-of-array_map render). They differ in render-loop let-binding and in IO timing.

Mechanism

Mark-sweep GC in vera/codegen/assembly.py::_emit_gc_collect marks only from shadow-stack roots (WAT locals are not roots). The sweep pass at assembly.py:1187+ builds the free list by writing the previous free_head (a heap pointer) into the unmarked object's user-visible offset 0. So when a heap object gets prematurely swept:

• If it's a closure env, its func_table_idx field at offset 0 is overwritten with a heap-address pointer. The next call_indirect reads that giant value as a table index → "out of bounds table access" trap.
• If it's a String heap buffer, its first 4 bytes (a UTF-8 prefix) are overwritten. Subsequent reads see the freed-buffer's bytes as garbage; errors="replace" produces U+FFFD on the host side.

Same bug, different victims.

What we've ruled out (static analysis of the codegen)

• _translate_anon_fn (vera/wasm/closures.py:60-105) correctly shadow-pushes the env after $alloc; capture stores between push and any subsequent alloc are pure i32.stores, no GC trigger.
• _translate_array_map and _translate_array_mapi (vera/wasm/calls_arrays.py:586, 1392) correctly shadow-push arr_ptr, fn_tmp, dst before any alloc.
• _compile_lifted_closure's split prologue (vera/codegen/closures.py:310-346) is sound: between gc_prologue, load_instrs, and gc_capture_pushes, only memory loads occur (no $alloc).
• b_needs_unwind accounting in array_map/array_mapi (calls_arrays.py:649-655, 1430-1439) matches: closure epilogue pushes one root for heap-pointer returns; loop body pops one. Balanced for both i32_pair and i32 ADT returns; absent for Bool/scalar where no push happens either.
• Pair-capture consecutive-locals invariant (closures.py:249-253) is enforced.
• Function-call protocol (vera/codegen/functions.py:280-322) correctly saves+restores $gc_sp.

Latent rooting bugs found (not the Life trigger, but real)

1. _translate_apply_fn (vera/wasm/closures.py:127-141): the closure pointer is stored in tmp but not shadow-rooted before the value_args evaluation loop. If any arg expression allocates, the closure can be swept. Doesn't fire on Life (Life doesn't use apply_fn).

2. _translate_string_concat/_translate_string_join/_translate_string_repeat (vera/wasm/calls_strings.py:104, 2414, 446): input pointers (ptr_a/ptr_b/arr_ptr/ptr_sep) are stored in WAT locals but never shadow-pushed before the destination $alloc. Doesn't fire in practice because inputs are typically rooted via leaked upstream array_map dst/anon_fn tmp pushes that survive across the sequence — but it's a fragile dependency. (Compare _translate_string_slice at calls_strings.py:257 which does shadow-push ptr_s correctly, with an explicit comment about why.)

Both are worth fixing regardless of #593.

What we don't yet know

The specific Life-trigger path. Static analysis didn't yield a smoking gun. The next investigation step is eager-GC mode — modify $alloc to call $gc_collect on every allocation (behind a VERA_EAGER_GC env var or build flag), then re-run both reproducers. The first failure point will identify the exact unrooted local. That's a more productive investigation than further static reading.

Adjacent finding worth tracking

The agent-rebuilt minimal Life crashed at the table-OOB symptom, not the U+FFFD symptom. That difference is interesting — it suggests the trigger condition isn't a single specific alloc site but rather "any alloc where heap pressure forces GC at a moment when a frequently-used closure env or string heap object happens to be the GC's victim." Eager-GC will collapse this to "the first alloc after any unrooted heap pointer is established," giving us a much sharper signal.