From 3c738695dcc1d0a92cc3eb492649cbb419896eb3 Mon Sep 17 00:00:00 2001 From: agra Date: Tue, 23 Jun 2026 02:13:30 +0300 Subject: [PATCH] fix: diagnose non-conforming protocol erasure instead of unreachable-thunk SIGABRT (issue 0176) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Erasing a type to a protocol when it conforms only via a free function (not an explicit impl P for T) built a vtable of unreachable thunks -> SIGABRT on first dispatch, with no diagnostic. Per specs.md erasure is impl-driven, not structural, so the erasure was never valid. Add a conformance gate (firstUnimplementedMethod in buildProtocolValue, src/ir/lower/protocol.zig): emit a located diagnostic when a protocol method has no reachable impl, or when an impl method introduces its own type params (signature mismatch — it bails lazyLowerFunction and would reach the unreachable thunk). A std.debug.panic tripwire guards the diagnostics==null path so a non-conforming erasure can never silently ship as undef. Gate<->thunk equivalence verified bidirectional. Regressions: protocols/0419 (positive struct-field dispatch), diagnostics/1197 (no-impl) + 1198 (generic-method signature mismatch). Updated memory/0808 (it erased a non-conforming type that never dispatched). Verified by 3+1 adversarial reviews, suite 788/0. Filed adjacent bug 0178 (protocol impl method type-mismatch silent miscompile). --- ...97-diagnostics-protocol-erasure-no-impl.sx | 20 +++++ ...nostics-protocol-erasure-generic-method.sx | 22 +++++ ...-diagnostics-protocol-erasure-no-impl.exit | 1 + ...iagnostics-protocol-erasure-no-impl.stderr | 5 ++ ...iagnostics-protocol-erasure-no-impl.stdout | 1 + ...stics-protocol-erasure-generic-method.exit | 1 + ...ics-protocol-erasure-generic-method.stderr | 5 ++ ...ics-protocol-erasure-generic-method.stdout | 1 + ...-value-routes-through-context-allocator.sx | 7 +- .../0419-protocols-struct-field-dispatch.sx | 49 +++++++++++ .../0419-protocols-struct-field-dispatch.exit | 1 + ...419-protocols-struct-field-dispatch.stderr | 1 + ...419-protocols-struct-field-dispatch.stdout | 4 + ...l-typed-struct-field-method-call-aborts.md | 20 +++++ ...pl-signature-mismatch-silent-miscompile.md | 45 ++++++++++ src/ir/lower/protocol.zig | 88 +++++++++++++++++++ 16 files changed, 268 insertions(+), 3 deletions(-) create mode 100644 examples/diagnostics/1197-diagnostics-protocol-erasure-no-impl.sx create mode 100644 examples/diagnostics/1198-diagnostics-protocol-erasure-generic-method.sx create mode 100644 examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.exit create mode 100644 examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stderr create mode 100644 examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stdout create mode 100644 examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.exit create mode 100644 examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stderr create mode 100644 examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stdout create mode 100644 examples/protocols/0419-protocols-struct-field-dispatch.sx create mode 100644 examples/protocols/expected/0419-protocols-struct-field-dispatch.exit create mode 100644 examples/protocols/expected/0419-protocols-struct-field-dispatch.stderr create mode 100644 examples/protocols/expected/0419-protocols-struct-field-dispatch.stdout create mode 100644 issues/0178-protocol-impl-signature-mismatch-silent-miscompile.md diff --git a/examples/diagnostics/1197-diagnostics-protocol-erasure-no-impl.sx b/examples/diagnostics/1197-diagnostics-protocol-erasure-no-impl.sx new file mode 100644 index 00000000..47094959 --- /dev/null +++ b/examples/diagnostics/1197-diagnostics-protocol-erasure-no-impl.sx @@ -0,0 +1,20 @@ +// Erasing a concrete type to a protocol it does NOT `impl`-ement is a hard +// error, not a silent SIGABRT. Regression (issue 0176): a plain free function +// `speak :: (self: *Dog)` with a matching receiver does NOT satisfy the +// protocol — protocol erasure is impl-driven, not structural (specs.md +// §"Storage and protocol conformance"). Before the fix, erasure built a vtable +// of unreachable thunks and `h.s.speak()` aborted with exit 133 and no output; +// now it reports a clear diagnostic at the erasure site and exits 1. + +#import "modules/std.sx"; + +Speaker :: protocol { speak :: (self: *Self) -> i64; } +Dog :: struct { n: i64 = 0; } +speak :: (self: *Dog) -> i64 { return self.n; } // free fn — NOT an impl +Holder :: struct { s: Speaker; b: i64 = 0; } + +main :: () { + d := Dog.{ n = 42 }; + h : Holder = .{ s = d, b = 5 }; // <- 'Dog' does not implement 'Speaker' + print("{}\n", h.s.speak()); +} diff --git a/examples/diagnostics/1198-diagnostics-protocol-erasure-generic-method.sx b/examples/diagnostics/1198-diagnostics-protocol-erasure-generic-method.sx new file mode 100644 index 00000000..864e98b1 --- /dev/null +++ b/examples/diagnostics/1198-diagnostics-protocol-erasure-generic-method.sx @@ -0,0 +1,22 @@ +// Erasing a concrete type to a protocol whose `impl` method introduces its OWN +// type parameter is a hard error, not a silent SIGABRT. Regression (issue 0176, +// adversarial-review gap 1): `impl Speaker for Dog { speak :: (self: *Dog, $T: +// Type) }` has a matching qualified name `Dog.speak`, so the conformance gate +// used to ACCEPT it — but the thunk's `lazyLowerFunction("Dog.speak")` bails on +// `type_params.len > 0` (generics are monomorphized, not registered), so +// `resolveFuncByName` returns null and the thunk hit its `else => unreachable` +// arm: a SILENT SIGABRT (exit 133, no output) at the first dispatch. The gate +// now mirrors the thunk exactly — a method that introduces its own type params +// is a SIGNATURE MISMATCH, reported here at the erasure site (exit 1). + +#import "modules/std.sx"; + +Speaker :: protocol { speak :: (self: *Self) -> i64; } +Dog :: struct { n: i64 = 0; } +impl Speaker for Dog { speak :: (self: *Dog, $T: Type) -> i64 { return self.n; } } + +main :: () { + d := Dog.{ n = 42 }; + s : Speaker = d; // <- 'Dog.speak' has a mismatched signature + print("{}\n", s.speak()); +} diff --git a/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.exit b/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.exit new file mode 100644 index 00000000..d00491fd --- /dev/null +++ b/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.exit @@ -0,0 +1 @@ +1 diff --git a/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stderr b/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stderr new file mode 100644 index 00000000..c3d22d10 --- /dev/null +++ b/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stderr @@ -0,0 +1,5 @@ +error: 'Dog' does not implement protocol 'Speaker': no `impl Speaker for Dog` provides method 'speak' (protocol erasure is impl-driven — a plain or `ufcs` free function with a matching receiver does not satisfy a protocol) + --> examples/diagnostics/1197-diagnostics-protocol-erasure-no-impl.sx:18:16 + | +18 | h : Holder = .{ s = d, b = 5 }; // <- 'Dog' does not implement 'Speaker' + | ^^^^^^^^^^^^^^^^^ diff --git a/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stdout b/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stdout new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/examples/diagnostics/expected/1197-diagnostics-protocol-erasure-no-impl.stdout @@ -0,0 +1 @@ + diff --git a/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.exit b/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.exit new file mode 100644 index 00000000..d00491fd --- /dev/null +++ b/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.exit @@ -0,0 +1 @@ +1 diff --git a/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stderr b/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stderr new file mode 100644 index 00000000..2a0a5b4e --- /dev/null +++ b/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stderr @@ -0,0 +1,5 @@ +error: 'Dog' does not implement protocol 'Speaker': method 'speak' has a mismatched signature — a protocol-method impl must not introduce its own type parameters (e.g. `$T: Type`); it must match the protocol's signature exactly + --> examples/diagnostics/1198-diagnostics-protocol-erasure-generic-method.sx:20:3 + | +20 | s : Speaker = d; // <- 'Dog.speak' has a mismatched signature + | ^^^^^^^^^^^^^^^^ diff --git a/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stdout b/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stdout new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/examples/diagnostics/expected/1198-diagnostics-protocol-erasure-generic-method.stdout @@ -0,0 +1 @@ + diff --git a/examples/memory/0808-memory-xx-value-routes-through-context-allocator.sx b/examples/memory/0808-memory-xx-value-routes-through-context-allocator.sx index b9d1b8f2..b8798519 100644 --- a/examples/memory/0808-memory-xx-value-routes-through-context-allocator.sx +++ b/examples/memory/0808-memory-xx-value-routes-through-context-allocator.sx @@ -31,13 +31,14 @@ impl Allocator for Tracer { } } -ByValue :: struct { x: i64; y: i64; } - main :: () -> i32 { tracer := Tracer.init(); push Context.{ allocator = xx tracer, data = null } { // Struct-literal operand: rvalue → heap-copy through context.allocator. - ignore : Allocator = xx ByValue.{ x = 1, y = 2 }; + // The erased type must actually `impl Allocator` (erasure is + // impl-driven, issue 0176), so use a fresh `Tracer.{}` rvalue — the + // copy is what we want routed through the active allocator. + ignore : Allocator = xx Tracer.{ count = 0 }; _ = ignore; } print("Tracer.count = {}\n", tracer.count); diff --git a/examples/protocols/0419-protocols-struct-field-dispatch.sx b/examples/protocols/0419-protocols-struct-field-dispatch.sx new file mode 100644 index 00000000..c36c81bb --- /dev/null +++ b/examples/protocols/0419-protocols-struct-field-dispatch.sx @@ -0,0 +1,49 @@ +// Dispatch a protocol method THROUGH a protocol-typed struct field. +// Regression (issue 0176): the issue's repro used a plain free function to +// "satisfy" the protocol — which is NOT impl-driven conformance, so erasure +// built a vtable of unreachable thunks and the first dispatch SIGABRT'd with no +// diagnostic. With a real `impl` block the field dispatch must work; the +// non-conforming case is now a loud diagnostic (see the negative example). +// +// Covers: struct-literal init, field-assign init, reassigning a protocol field +// to a DIFFERENT concrete impl, a protocol method with args + non-void return, +// a protocol field beside a non-protocol field (offsets), a nested struct +// holding a struct holding a protocol field, and passing the holder by value +// into another function before dispatching. + +#import "modules/std.sx"; + +Speaker :: protocol { greet :: (self: *Self, x: i64) -> i64; } + +Dog :: struct { n: i64 = 0; } +impl Speaker for Dog { greet :: (self: *Dog, x: i64) -> i64 { return self.n + x; } } + +Cat :: struct { m: i64 = 0; } +impl Speaker for Cat { greet :: (self: *Cat, x: i64) -> i64 { return self.m * x; } } + +Holder :: struct { s: Speaker; b: i64 = 0; t: Speaker; } +Outer :: struct { h: Holder; } + +run :: (h: Holder) -> i64 { return h.s.greet(10) + h.t.greet(2); } + +main :: () { + d := Dog.{ n = 42 }; + c := Cat.{ m = 5 }; + + // struct-literal init: two protocol fields straddling a non-protocol one. + h : Holder = .{ s = d, b = 7, t = c }; + print("lit: {} {} {}\n", h.s.greet(10), h.b, h.t.greet(3)); // 52 7 15 + + // field-assign init, then reassign each field to a DIFFERENT concrete impl. + h2 : Holder = .{ s = d, b = 0, t = c }; + h2.s = c; + h2.t = d; + print("reassign: {} {}\n", h2.s.greet(4), h2.t.greet(8)); // 20 50 + + // nested struct holding a struct holding a protocol field. + o : Outer = .{ h = .{ s = d, b = 1, t = c } }; + print("nested: {} {}\n", o.h.s.greet(0), o.h.t.greet(2)); // 42 10 + + // pass the holder by value into a function, dispatch there. + print("passed: {}\n", run(h)); // 52 + 10 = 62 +} diff --git a/examples/protocols/expected/0419-protocols-struct-field-dispatch.exit b/examples/protocols/expected/0419-protocols-struct-field-dispatch.exit new file mode 100644 index 00000000..573541ac --- /dev/null +++ b/examples/protocols/expected/0419-protocols-struct-field-dispatch.exit @@ -0,0 +1 @@ +0 diff --git a/examples/protocols/expected/0419-protocols-struct-field-dispatch.stderr b/examples/protocols/expected/0419-protocols-struct-field-dispatch.stderr new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/examples/protocols/expected/0419-protocols-struct-field-dispatch.stderr @@ -0,0 +1 @@ + diff --git a/examples/protocols/expected/0419-protocols-struct-field-dispatch.stdout b/examples/protocols/expected/0419-protocols-struct-field-dispatch.stdout new file mode 100644 index 00000000..e9a81df1 --- /dev/null +++ b/examples/protocols/expected/0419-protocols-struct-field-dispatch.stdout @@ -0,0 +1,4 @@ +lit: 52 7 15 +reassign: 20 50 +nested: 42 10 +passed: 62 diff --git a/issues/0176-protocol-typed-struct-field-method-call-aborts.md b/issues/0176-protocol-typed-struct-field-method-call-aborts.md index 17eb9390..e051991f 100644 --- a/issues/0176-protocol-typed-struct-field-method-call-aborts.md +++ b/issues/0176-protocol-typed-struct-field-method-call-aborts.md @@ -1,5 +1,25 @@ # 0176 — calling a method through a protocol-typed struct field aborts (exit 133, no diagnostic) +> **RESOLVED** (root cause differs from the title's hypothesis). The crash had +> nothing to do with struct fields: erasing a type to a protocol when the type +> conforms only via a FREE FUNCTION (`speak :: (self: *Dog)`) rather than an +> explicit `impl Speaker for Dog { ... }` built a vtable of `unreachable` thunks +> → SIGABRT on dispatch. Per specs.md §"Storage and protocol conformance" +> (erasure is impl-driven, not structural), the repro was never valid. Fix +> (`src/ir/lower/protocol.zig`): a conformance gate `firstUnimplementedMethod` in +> `buildProtocolValue` emits a located diagnostic (missing impl, or a +> signature-mismatch when an impl method introduces its own `$T`) instead of +> building unreachable thunks; a `std.debug.panic` tripwire guards the +> `diagnostics == null` path so a non-conforming erasure can never silently ship +> as `undef`. Gate↔thunk equivalence verified bidirectional by 3+1 adversarial +> reviews; suite 788/0. Regressions: +> `examples/protocols/0419-protocols-struct-field-dispatch.sx` (positive), +> `examples/diagnostics/1197-diagnostics-protocol-erasure-no-impl.sx` + +> `1198-diagnostics-protocol-erasure-generic-method.sx` (negative). Updated +> `examples/memory/0808-*.sx` (it relied on a non-conforming erasure that never +> dispatched). (Adjacent pre-existing bug found + filed: 0178 — protocol impl +> method with a mismatched return/param TYPE silently miscompiles.) + ## Symptom A struct field whose type is a PROTOCOL holds an erased value fine, but calling a diff --git a/issues/0178-protocol-impl-signature-mismatch-silent-miscompile.md b/issues/0178-protocol-impl-signature-mismatch-silent-miscompile.md new file mode 100644 index 00000000..b7e5bc13 --- /dev/null +++ b/issues/0178-protocol-impl-signature-mismatch-silent-miscompile.md @@ -0,0 +1,45 @@ +# 0178 — protocol impl method with a mismatched return/param TYPE silently miscompiles + +## Symptom + +An `impl P for T` whose method has the right NAME but a mismatched return type or +parameter type is accepted (it satisfies the issue-0176 conformance gate, which +is name-based), and dispatch through the erased protocol silently produces the +WRONG result (exit 0). No diagnostic. (Arity mismatch and `#builtin`-body +mismatch fail loudly — exit 1 — and are not this bug; the TYPE-mismatch cases are +silent.) + +## Reproduction + +```sx +#import "modules/std.sx"; +P :: protocol { val :: (self: *Self) -> i64; } +T :: struct { n: i64 = 7; } +impl P for T { val :: (self: *T) -> bool { return true; } } // return type bool ≠ i64 +main :: () { + t := T.{ n = 7 }; + p : P = t; + print("{}\n", p.val()); // prints "1" (the bool), silently wrong — no diagnostic +} +``` + +A parameter-type mismatch (`x: bool` where the protocol declares `x: i64`) +similarly dispatches silently wrong. + +## Investigation prompt + +The issue-0176 conformance gate (`firstUnimplementedMethod` in +`src/ir/lower/protocol.zig`) checks method PRESENCE (and rejects `type_params > +0`), but does NOT check that the impl method's SIGNATURE (parameter types, +arity, return type) matches the protocol method's declared signature. A +mismatched-type impl builds a thunk that calls the impl with the wrong ABI, +silently miscompiling. Add signature validation when registering / gating an +impl method against its protocol method: compare the impl method's params +(after the erased `self`) and return type against the protocol declaration, and +emit a located diagnostic on mismatch (arity, param type, or return type). The +protocol method declaration is in `protocol_decl_map`; the impl FnDecl is in +`fn_ast_map`. Decide whether this lives in the conformance gate or in +`ProtocolResolver.registerImplBlock` (`src/ir/protocols.zig`). Follow the +no-silent-fallback rule. Verify: the repro is now a clean diagnostic (exit 1); +a correctly-typed impl still works; add an `examples/diagnostics/11xx-...` +negative regression. (Found during adversarial review of issue 0176.) diff --git a/src/ir/lower/protocol.zig b/src/ir/lower/protocol.zig index f1c6b905..ac4c9486 100644 --- a/src/ir/lower/protocol.zig +++ b/src/ir/lower/protocol.zig @@ -433,6 +433,63 @@ pub fn createProtocolThunk(self: *Lowering, proto_name: []const u8, concrete_typ return func_id; } +/// Why a concrete type fails to conform to a protocol method, named at the +/// specific method that fails. `kind` drives the diagnostic wording. +const NonConformance = struct { + method: []const u8, + kind: enum { + /// No `impl`/struct-method body resolves for `.` at all. + missing, + /// A body exists, but it introduces its OWN type params + /// (`speak :: (self: *Dog, $T: Type)`). A protocol-method impl must + /// match the protocol's signature exactly — it may not be generic over + /// extra params. The thunk would call `lazyLowerFunction`, which bails + /// on `fd.type_params.len > 0` (decl.zig: "generics handled by + /// monomorphization"), leaving `resolveFuncByName` null → the thunk's + /// `else => unreachable` arm fires at the first dispatch. + signature_mismatch, + }, +}; + +/// First protocol method of `proto_name` for which `concrete_type_name` does +/// NOT conform, or null if the type fully conforms. Conformance is IMPL-DRIVEN +/// (specs.md §"Storage and protocol conformance": protocol erasure requires an +/// explicit `impl P for T { ... }`, not structural / free-function matching). +/// +/// This gate is primarily about DIAGNOSTIC QUALITY: turn a no-impl erasure +/// (which would otherwise SIGABRT) into a clean, located error. (Note: every +/// non-parameterized impl method is also eagerly `declareFunction`-stubbed by +/// `ProtocolResolver.registerImplBlock`, so `resolveFuncByName` rarely returns +/// null in practice — but the gate must still reject pairs that don't truly +/// conform.) It rejects a method when: +/// 1. `fn_ast_map["."]` is absent (no impl/struct-method body). +/// 2. The matched FnDecl has `type_params.len > 0` — a protocol-method impl +/// may NOT introduce its own type parameters (`$T: Type`); that is a +/// SIGNATURE MISMATCH against the protocol method, AND such a method bails +/// out of `lazyLowerFunction` (decl.zig: `type_params.len > 0` → return), +/// so the thunk would resolve to the `.unreachable` arm. +/// A generic-STRUCT instance method (`impl P for Box($T)`) is fine: the struct's +/// type params are bound by the instance, not introduced by the method, and +/// `monomorphizeFunction` always registers it. Conformance is IMPL-DRIVEN, so a +/// type satisfying the method only via a free / `ufcs` function does NOT conform. +fn firstUnimplementedMethod(self: *Lowering, proto_name: []const u8, concrete_type_name: []const u8) ?NonConformance { + const pd = self.program_index.protocol_decl_map.get(proto_name) orelse return null; + for (pd.methods) |m| { + const qualified = std.fmt.allocPrint(self.alloc, "{s}.{s}", .{ concrete_type_name, m.name }) catch + return .{ .method = m.name, .kind = .missing }; + if (self.program_index.fn_ast_map.get(qualified)) |fd| { + // A direct impl/struct-method body exists. It only conforms if the + // thunk's `lazyLowerFunction(qualified)` would actually register it. + // A method with its own type params bails there → unreachable thunk. + if (fd.type_params.len > 0) return .{ .method = m.name, .kind = .signature_mismatch }; + continue; + } + if (self.genericInstanceMethod(concrete_type_name, m.name) != null) continue; + return .{ .method = m.name, .kind = .missing }; + } + return null; +} + /// Build a protocol value from a concrete pointer. /// For inline protocols: struct_init { ctx, thunk1, thunk2, ... } /// For vtable protocols: struct_init { ctx, vtable_ptr } where vtable is stack-allocated @@ -441,6 +498,37 @@ pub fn createProtocolThunk(self: *Lowering, proto_name: []const u8, concrete_typ /// When false, the pointer is used directly (user manages the pointee's lifetime). pub fn buildProtocolValue(self: *Lowering, concrete_ptr: Ref, proto_name: []const u8, concrete_type_name: []const u8, proto_ty: TypeId, concrete_ty: TypeId, heap_copy: bool) Ref { const pd = self.program_index.protocol_decl_map.get(proto_name) orelse return concrete_ptr; + + // Conformance gate: a concrete type may only be erased to a protocol it + // actually `impl`-ements. Without this, `getOrCreateThunks` below would + // happily synthesize a vtable whose thunks fall through to `unreachable` + // (no resolvable concrete method) — a SILENT SIGABRT at the first dispatch + // with no diagnostic (issue 0176). Surface it as a hard error instead. + if (firstUnimplementedMethod(self, proto_name, concrete_type_name)) |nc| { + if (self.diagnostics) |d| { + const cs = self.builder.current_span; + const span = ast.Span{ .start = cs.start, .end = cs.end }; + switch (nc.kind) { + .missing => d.addFmt(.err, span, "'{s}' does not implement protocol '{s}': no `impl {s} for {s}` provides method '{s}' (protocol erasure is impl-driven — a plain or `ufcs` free function with a matching receiver does not satisfy a protocol)", .{ concrete_type_name, proto_name, proto_name, concrete_type_name, nc.method }), + .signature_mismatch => d.addFmt(.err, span, "'{s}' does not implement protocol '{s}': method '{s}' has a mismatched signature — a protocol-method impl must not introduce its own type parameters (e.g. `$T: Type`); it must match the protocol's signature exactly", .{ concrete_type_name, proto_name, nc.method }), + } + } else { + // Gap 2 — no diagnostics channel (e.g. a comptime sub-lowering that + // never set `self.diagnostics`). Emitting the placeholder here would + // ship LLVM `undef` with `hasErrors() == false`: a non-conforming + // erasure reaching codegen silently. That is a compiler-invariant + // violation, so trip loudly per CLAUDE.md's "hard tripwire" guidance + // rather than fall through to the placeholder. The normal + // compilation path always sets `diagnostics`, so this never fires + // there — it only catches a future caller that forgets to plumb one. + std.debug.panic("protocol-erasure conformance failure with no diagnostics channel: '{s}' does not implement '{s}' (method '{s}'); cannot surface to the user — refusing to ship undef", .{ concrete_type_name, proto_name, nc.method }); + } + // Return a placeholder TYPED AS THE PROTOCOL so a downstream coercion + // doesn't re-attempt erasure (and re-report) on a mistyped result. The + // build already has `hasErrors()`, so the placeholder never ships. + return self.builder.emit(.{ .placeholder = self.module.types.internString("protocol-erasure") }, proto_ty); + } + const thunks = self.getOrCreateThunks(proto_name, concrete_type_name); if (thunks.len != pd.methods.len) return concrete_ptr;