fix: diagnose non-conforming protocol erasure instead of unreachable-thunk SIGABRT (issue 0176)

Erasing a type to a protocol when it conforms only via a free function
(not an explicit impl P for T) built a vtable of unreachable thunks ->
SIGABRT on first dispatch, with no diagnostic. Per specs.md erasure is
impl-driven, not structural, so the erasure was never valid.

Add a conformance gate (firstUnimplementedMethod in buildProtocolValue,
src/ir/lower/protocol.zig): emit a located diagnostic when a protocol
method has no reachable impl, or when an impl method introduces its own
type params (signature mismatch — it bails lazyLowerFunction and would
reach the unreachable thunk). A std.debug.panic tripwire guards the
diagnostics==null path so a non-conforming erasure can never silently
ship as undef. Gate<->thunk equivalence verified bidirectional.

Regressions: protocols/0419 (positive struct-field dispatch),
diagnostics/1197 (no-impl) + 1198 (generic-method signature mismatch).
Updated memory/0808 (it erased a non-conforming type that never
dispatched). Verified by 3+1 adversarial reviews, suite 788/0. Filed
adjacent bug 0178 (protocol impl method type-mismatch silent miscompile).
This commit is contained in:
agra
2026-06-23 02:13:30 +03:00
parent 3605165398
commit 3c738695dc
16 changed files with 268 additions and 3 deletions


@@ -433,6 +433,63 @@ pub fn createProtocolThunk(self: *Lowering, proto_name: []const u8, concrete_typ
return func_id;
}
/// Why a concrete type fails to conform to a protocol method, named at the
/// specific method that fails. `kind` drives the diagnostic wording.
const NonConformance = struct {
method: []const u8,
kind: enum {
/// No `impl`/struct-method body resolves for `<Type>.<method>` at all.
missing,
/// A body exists, but it introduces its OWN type params
/// (`speak :: (self: *Dog, $T: Type)`). A protocol-method impl must
/// match the protocol's signature exactly — it may not be generic over
/// extra params. The thunk would call `lazyLowerFunction`, which bails
/// on `fd.type_params.len > 0` (decl.zig: "generics handled by
/// monomorphization"), leaving `resolveFuncByName` null → the thunk's
/// `else => unreachable` arm fires at the first dispatch.
signature_mismatch,
},
};
/// First protocol method of `proto_name` for which `concrete_type_name` does
/// NOT conform, or null if the type fully conforms. Conformance is IMPL-DRIVEN
/// (specs.md §"Storage and protocol conformance": protocol erasure requires an
/// explicit `impl P for T { ... }`, not structural / free-function matching).
///
/// This gate is primarily about DIAGNOSTIC QUALITY: turn a no-impl erasure
/// (which would otherwise SIGABRT) into a clean, located error. (Note: every
/// non-parameterized impl method is also eagerly `declareFunction`-stubbed by
/// `ProtocolResolver.registerImplBlock`, so `resolveFuncByName` rarely returns
/// null in practice — but the gate must still reject pairs that don't truly
/// conform.) It rejects a method when:
/// 1. `fn_ast_map["<Type>.<method>"]` is absent (no impl/struct-method body).
/// 2. The matched FnDecl has `type_params.len > 0` — a protocol-method impl
/// may NOT introduce its own type parameters (`$T: Type`); that is a
/// SIGNATURE MISMATCH against the protocol method, AND such a method bails
/// out of `lazyLowerFunction` (decl.zig: `type_params.len > 0` → return),
/// so the thunk would resolve to the `.unreachable` arm.
/// A generic-STRUCT instance method (`impl P for Box($T)`) is fine: the struct's
/// type params are bound by the instance, not introduced by the method, and
/// `monomorphizeFunction` always registers it. Conformance is IMPL-DRIVEN, so a
/// type satisfying the method only via a free / `ufcs` function does NOT conform.
fn firstUnimplementedMethod(self: *Lowering, proto_name: []const u8, concrete_type_name: []const u8) ?NonConformance {
const pd = self.program_index.protocol_decl_map.get(proto_name) orelse return null;
for (pd.methods) |m| {
const qualified = std.fmt.allocPrint(self.alloc, "{s}.{s}", .{ concrete_type_name, m.name }) catch
return .{ .method = m.name, .kind = .missing };
if (self.program_index.fn_ast_map.get(qualified)) |fd| {
// A direct impl/struct-method body exists. It only conforms if the
// thunk's `lazyLowerFunction(qualified)` would actually register it.
// A method with its own type params bails there → unreachable thunk.
if (fd.type_params.len > 0) return .{ .method = m.name, .kind = .signature_mismatch };
continue;
}
if (self.genericInstanceMethod(concrete_type_name, m.name) != null) continue;
return .{ .method = m.name, .kind = .missing };
}
return null;
}
/// Build a protocol value from a concrete pointer.
/// For inline protocols: struct_init { ctx, thunk1, thunk2, ... }
/// For vtable protocols: struct_init { ctx, vtable_ptr } where vtable is stack-allocated
@@ -441,6 +498,37 @@ pub fn createProtocolThunk(self: *Lowering, proto_name: []const u8, concrete_typ
/// When false, the pointer is used directly (user manages the pointee's lifetime).
pub fn buildProtocolValue(self: *Lowering, concrete_ptr: Ref, proto_name: []const u8, concrete_type_name: []const u8, proto_ty: TypeId, concrete_ty: TypeId, heap_copy: bool) Ref {
const pd = self.program_index.protocol_decl_map.get(proto_name) orelse return concrete_ptr;
// Conformance gate: a concrete type may only be erased to a protocol it
// actually `impl`-ements. Without this, `getOrCreateThunks` below would
// happily synthesize a vtable whose thunks fall through to `unreachable`
// (no resolvable concrete method) — a SILENT SIGABRT at the first dispatch
// with no diagnostic (issue 0176). Surface it as a hard error instead.
if (firstUnimplementedMethod(self, proto_name, concrete_type_name)) |nc| {
if (self.diagnostics) |d| {
const cs = self.builder.current_span;
const span = ast.Span{ .start = cs.start, .end = cs.end };
switch (nc.kind) {
.missing => d.addFmt(.err, span, "'{s}' does not implement protocol '{s}': no `impl {s} for {s}` provides method '{s}' (protocol erasure is impl-driven — a plain or `ufcs` free function with a matching receiver does not satisfy a protocol)", .{ concrete_type_name, proto_name, proto_name, concrete_type_name, nc.method }),
.signature_mismatch => d.addFmt(.err, span, "'{s}' does not implement protocol '{s}': method '{s}' has a mismatched signature — a protocol-method impl must not introduce its own type parameters (e.g. `$T: Type`); it must match the protocol's signature exactly", .{ concrete_type_name, proto_name, nc.method }),
}
} else {
// Gap 2 — no diagnostics channel (e.g. a comptime sub-lowering that
// never set `self.diagnostics`). Emitting the placeholder here would
// ship LLVM `undef` with `hasErrors() == false`: a non-conforming
// erasure reaching codegen silently. That is a compiler-invariant
// violation, so trip loudly per CLAUDE.md's "hard tripwire" guidance
// rather than fall through to the placeholder. The normal
// compilation path always sets `diagnostics`, so this never fires
// there — it only catches a future caller that forgets to plumb one.
std.debug.panic("protocol-erasure conformance failure with no diagnostics channel: '{s}' does not implement '{s}' (method '{s}'); cannot surface to the user — refusing to ship undef", .{ concrete_type_name, proto_name, nc.method });
}
// Return a placeholder TYPED AS THE PROTOCOL so a downstream coercion
// doesn't re-attempt erasure (and re-report) on a mistyped result. The
// build already has `hasErrors()`, so the placeholder never ships.
return self.builder.emit(.{ .placeholder = self.module.types.internString("protocol-erasure") }, proto_ty);
}
const thunks = self.getOrCreateThunks(proto_name, concrete_type_name);
if (thunks.len != pd.methods.len) return concrete_ptr;
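Review bot: In firstUnimplementedMethod, the `catch return .{ .method = m.name, .kind = .missing }` on the allocPrint call maps an allocation failure onto a "does not implement protocol" diagnostic, so under memory pressure a conforming type is reported as non-conforming with a misleading located error, and the `qualified` string is never freed (harmless only if `self.alloc` is an arena, which the hunk does not show). An out-of-memory condition is a compiler failure rather than a user error, and the commit's own tripwire stance argues for surfacing it loudly instead of folding it into the user-facing wording: replace the catch with `catch |err| std.debug.panic("OOM while checking protocol conformance of '{s}' against '{s}': {s}", .{ concrete_type_name, proto_name, @errorName(err) });` and add `defer self.alloc.free(qualified);` on the next line, or change the return type to `error{OutOfMemory}!?NonConformance` and `try` it at the gate in buildProtocolValue. Relatedly, the matched-body path only rejects `fd.type_params.len > 0`, so an impl method with the right name but a different parameter list still passes the gate; since the description files that as bug 0178, a `// TODO(0178): compare the impl signature against the protocol method, not just its type-param count` at the `continue` would keep the gap visible in code. buildProtocolValue continues past the end of the second hunk.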