Stress-test harness: surface scale-dependent codegen/runtime bugs before users do

[aallan]

Summary

Build a stress-test harness (tests/test_stress.py or similar) that exercises Vera programs at scale to surface scale-dependent bugs before users do. Discovered the need while diagnosing #593 (Conway's Life corruption from gen 1+ at 12×30): the standard test suite has 3,747 small focused tests but no programs that exercise the runtime at the scale where #593 and #515-class GC bugs surface. We rely on user-reported bugs to find scale issues, which is the slowest way to find them.

Why now

The bug-killing campaign closed twelve runtime/codegen bugs from v0.0.119–v0.0.137. Several of those were scale-dependent:

• #515 (GC self-fault under sustained allocation) — surfaced by a 40×20 Game of Life running 200 generations
• #570 (iterative-builder shadow-stack overflow at ~4000 elements) — surfaced by an array_map over a 5000-element array
• #487 / #348 (worklist + multi-page grow) — surfaced by allocation pressure
• #593 (still open) — Life corruption from gen 1+ at 12×30; smaller variants pass

Every one of these required a real-world program to surface. None of them would have been caught by the existing test suite, which favours small, focused, fast-running programs.

Proposed scope

A new test module tests/test_stress.py (or a pytest marker like @pytest.mark.stress) running synthetic programs at scale. Each test:

1. Compiles + runs a Vera program designed to hit a specific scale axis
2. Asserts on observable correctness (final result, no traps, no memory corruption)
3. Has a budget (wall-clock, memory) so the suite runs in bounded time

Initial test programs

Program	Scale axis	Targets
array_map over a 10,000-element Array<Int>	iteration count	shadow-stack overflow class (#570)
array_map over a 5,000-element Array<Array<Bool>>	nested allocation	per-iteration root accumulation
1,000-deep tail recursion with allocating arg	call-stack + GC	TCO interaction (#549)
Conway's Life 20×20 × 100 generations (synthetic regression test, not the bug-report program)	mixed: deep recursion + array_mapi-of-array_mapi + render	#593, #595 territory
100,000-iteration array_fold over Map mutations	Map host-store + GC	#573 / #575 / #576 reclamation pressure
10,000 cross-module fn calls with String args	String allocation pressure	#573 wrap-table compaction
Long-running State<T> handler (1,000 ops)	effect handler scaffolding	handler / resume interaction
10,000 IO.prints with tee_stdout=True	host-import call-rate	host_print perf and capture buffer growth

Each test is self-contained with its own assertion. Failures should be diagnosable from the test name + assertion message alone — no need to read the test code.

Configuration

• Default: stress tests don't run on every PR (too slow). Marked with @pytest.mark.stress.
• Pre-commit: skipped (default).
• CI: runs nightly via a separate workflow file, OR on PRs that touch vera/codegen/ / vera/wasm/ (as a paths: filter in CI).
• Local invocation: pytest tests/test_stress.py -v or pytest -m stress.
• Budget: full suite under 5 minutes wall-clock on a normal CI runner.

Coverage hooks

Each test should exercise a SPECIFIC code path that's known to be scale-dependent. Tests should be DOCUMENTED with the issue / class they're guarding against:

@pytest.mark.stress
def test_array_map_over_10k_int_array() -> None:
    """Pre-#570 this would shadow-stack-overflow at ~4000 elements.
    Test pins the iterative-builder fix and acts as an early-warning
    for any future regression in shadow-stack hygiene under map.
    """

Acceptance

• tests/test_stress.py (or equivalent) lands with the eight initial test programs above.
• All tests pass on main post-merge (any that fail on current main should be filed as bugs first and fixed before adding the test, OR added with @pytest.mark.xfail and a tracking issue).
• CI integration: nightly workflow + path-filter on vera/codegen/ / vera/wasm/ PRs.
• Documented in TESTING.md under a new "Stress tests" subsection.
• One of the tests reliably reproduces Conway's Life at 12x30 still corrupts strings from gen 1 onwards (additional trigger beyond #588) #593 (or Conway's Life at 12x30 still corrupts strings from gen 1 onwards (additional trigger beyond #588) #593 is closed before this lands).

Why this matters

The recent stabilisation discussion identified two unknowns: #593's root cause hasn't been isolated, and we have no harness that would catch the next #593-class bug before it reaches users. This issue closes the second gap. It also gives us a concrete reproducer when narrowing #593.

Out of scope

• Performance benchmarking (different goal, different harness — VeraBench territory)
• Fuzz testing (different methodology; could be a follow-up using these programs as seed corpus)
• Browser-runtime stress tests (the current proposal is wasmtime-only; browser parity stress would be a separate harness)

Related

• #593 — Life corruption at 12×30 scale (would-have-been-caught)
• #595 — malloc abort in wasmtime trampoline (would-have-been-caught)
• #515 — GC self-fault under sustained allocation (was-caught-by-real-program-only)
• #570 — iterative-builder shadow-stack overflow (was-caught-by-real-program-only)

[aallan]

Add an eager-GC lane to the stress harness

When this lands, a subset of the stress tests should also run under VERA_EAGER_GC=1 (the debug knob added in v0.0.138 — see ENVIRONMENT.md and #593 for the back-story).

Why

VERA_EAGER_GC=1 makes $alloc call $gc_collect on every allocation rather than only when the bump pointer would overflow. This converts latent missing-shadow-stack-root bugs from "fires occasionally at scale" into "fires on the very next allocation."

That's exactly the bug class the stress harness is designed to catch. Running the harness in scale-only mode catches the bugs that already require scale to manifest; running a subset under eager-GC catches the bugs that might require scale today but only because GC fires rarely — they'd surface much faster (and on much smaller programs) if GC fired aggressively.

#593 is the canonical example: the rebuilt minimum reproducer crashed at gen ~20 normally but at gen 0 under eager-GC. Static analysis of the codegen for hours didn't find it; eager-GC found it in seconds. The same lane would have caught the bug pre-merge if a stress test had exercised the relevant shape.

Suggested shape

Two pytest markers, both gated off the default lane:

• @pytest.mark.stress — the existing planned scale-based lane (10K-element array_map, 1K-deep recursion, 20×20×100 Conway's Life, long-running State handlers)
• @pytest.mark.stress_eager_gc — a smaller subset that runs the same programs (or scaled-down versions, since eager-GC is orders of magnitude slower) with VERA_EAGER_GC=1 set during compilation

Both run nightly rather than per-PR. The eager-GC lane can run a smaller program set and still catch GC-rooting regressions because the bug surfaces on the first iteration; the scale lane catches things that compound only over many iterations (shadow-stack overflow, free-list fragmentation, etc.).

CI would invoke the eager-GC lane via VERA_EAGER_GC=1 pytest -m stress_eager_gc tests/test_stress.py. The Vera-side test bodies don't need to know the env var is set — it affects WAT emission only.

Reference programs to include

At minimum, the four shapes that cracked recent GC-rooting bugs:

• Recursive Life-shape — array_map of array_map over a captured grid, with non-allocating closures returning Strings. This is the Conway's Life at 12x30 still corrupts strings from gen 1 onwards (additional trigger beyond #588) #593 minimum reproducer at small scale. Pre-fix this trapped at gen 0 under eager-GC.
• Iterative builder — array_map over 4K+ elements with an i32-pair-returning closure (the GC shadow-stack overflow in array_map (and sibling iterative builders) at ~4000 heap-allocating elements #570 shape). Pre-fix this overflowed the shadow stack; post-fix it runs cleanly. Eager-GC would catch any regression in the closure-return unwind balance.
• Captured-array indexing in closure — the Indexing a captured Array<T> inside a closure body produces invalid WASM #588 shape (flat and nested). Eager-GC would catch any regression in _walk_free_vars's capture detection.
• Map / Set / Decimal handle reclamation — the Active reclamation of host-store handles (deferred from #346) #573 / Migrate Set<T> to heap-wrap-as-ADT (#573 phase 2) #575 / Migrate Decimal to heap-wrap-as-ADT (#573 phase 3) #576 / Wrap-table overflow trap: try GC compaction before unreachable (#573 follow-up) #579 shape. Eager-GC would surface any regression in the wrap-table sweep.

Each of these should be a 5–20-line Vera program asserting an exact output, so any corruption (NULL bytes, U+FFFD, table-OOB trap) fails the assertion.