fix(component): skip indirect-call-table modules — stop silent miscompile (closes #196, v1.1.12)#197
Merged
Merged
Conversation
…op silent miscompile (closes #196) CRITICAL — flight-control silent miscompile. v1.1.11's #172 encoding fix made falcon's core module 0 encode validly, unmasking a worse pre-existing defect: loom's optimization of a module with a function-referencing element segment produces VALID-BUT-WRONG code. The fused pass changes function indices across several sub-passes but only remaps the call_indirect table in one of them, and the parse→re-encode round-trip has further corruption. Output passes wasm-tools validate AND loom --verify (both structural) yet flies wrong: falcon SIL run-position-hold 0.13m → 593.8m. v1.1.10 was ACCIDENTALLY safe (invalid → fallback); v1.1.11 removed that accident. Behavioral verification — not structural — is the only thing that catches this, and loom has none. Per the prime directive ("skip rather than risk incorrect"), skip optimization of any core module with a function- referencing element segment, keeping the original bytes, in BOTH the component path (optimize_core_module) and the standalone path (optimize_module). Restores v1.1.10's safe behavior deliberately. #172's segment-count fix is retained (real, just insufficient). Verified on falcon-flight-v1.34.wasm: optimized output now matches the original bit-for-bit under wasmtime — run-stabilization 0.023399856, run-position-hold 0.1317415 (was 0.329 / 593.79 on v1.1.11); validates. New tests: element_section_references_functions detection + per-slot element-remap identity. 395 lib + 85 integration pass. Limitation: indirect-call-table modules are now unoptimized (safe); re-enabling is gated on a behavioral differential in loom (#196). Bumps 1.1.11 -> 1.1.12. Closes #196. Trace: REQ-5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CRITICAL — gale #196: flight-control silent miscompile
v1.1.11's #172 encoding fix made falcon's core module 0 encode validly, which unmasked a worse pre-existing defect: loom's optimization of a module with a function-referencing element segment produces valid-but-wrong code. The fused pass changes function indices across several sub-passes but only remaps the
call_indirecttable in one; the parse→re-encode round-trip corrupts further. Output passeswasm-tools validateand loom--verify(both structural) yet flies wrong — falcon SILrun-position-hold0.13 m → 593.8 m. v1.1.10 was accidentally safe (invalid → fallback); v1.1.11 removed the accident.Fix (correctness — prime directive)
Behavioral verification is the only thing that catches this, and loom has none. So per "skip rather than risk incorrect": skip optimization of any core module with a function-referencing element segment, keeping original bytes — in both
optimize_core_module(component) andoptimize_module(standalone). Restores v1.1.10's safe behavior deliberately. #172's segment-count fix is retained (real, just insufficient).Validation (behavioral, not just structural)
falcon-flight-v1.34.wasmoptimized output now matches the original bit-for-bit under wasmtime:run-stabilization0.023399856,run-position-hold0.1317415 (was 0.329 / 593.79); validates. New tests: detection + per-slot remap identity. 395 lib + 85 integration pass.Limitation / next
Indirect-call-table modules are now unoptimized (safe). Re-enabling is gated on a behavioral differential in loom CI (run exports before/after, compare) — structural
--verifyis insufficient, as #196 proved.Known-red (pre-existing)
Closes #196.
🤖 Generated with Claude Code