W-I3-RUNTIME-ASSERT (IV)+(III): BasicBlock::id immutability gate + sentinel

SonicField · SonicField · commit ebec018ddeeb · 2026-04-24T15:17:10.000-07:00
Per docs/w-i3-runtime-assert-spec.md (theologian 21:57:02Z, supervisor 22:10:02Z, librarian 22:05:19Z framework guidance). Closes pythia python#128 / python#131 python#1 named risk: I3 invariant (BasicBlock::id is allocation- monotonic AND never mutated post-allocation) is grep-only, not runtime-asserted. Phase B B-gamma's PhxBcBlockArray (Tier 8 SECOND-PILOT, push 40 4145fe3) indexes by BasicBlock::id. A future HIR pass that renumbers ids (SSA-destruction-style cache-locality renumbering, peephole block-splitter, speculative-inlining clone) would silently corrupt the dense-array lookup; I2 read-site check catches out-of- range, NOT stale-mapping-correct-range. (IV) CI grep gate — scripts/check_i3_invariant.sh + Step 1h wire: - Detects "->id =", ".id =", set_id(/setId( patterns in Python/jit/hir/. - Allow-list excludes legitimate non-BasicBlock matches: * HirLoadAttrSpecial::id (void* attribute identifier, different class) * next_register_id_, cache_id_ (different fields, trailing underscore) * test_*.c, hir_instr_c_verify.cpp (read-path testing, per W44 ALLOW_LIST precedent) - Falsification-tested: synthetic patch adding "block->id = 42;" to Python/jit/hir/synth_i3_violation.cpp triggers GATE FAIL EXIT=1 under --strict; removing the patch returns to GATE PASS EXIT=0. - Wired as Step 1h in scripts/gate_phoenix.sh per librarian 22:05:19Z framework guidance, mirroring Steps 1e/1g delegation shape (capture OUTPUT, tee to RESULTS_FILE, GATE_PASS=0 + FAILURES on nonzero). (III) JIT_DCHECK pydebug sentinel — PhxBcBlockEntry.sentinel_id: - Adds int sentinel_id field under #ifdef Py_DEBUG to PhxBcBlockEntry (zero release-build cost; pydebug entry size 8 -> 12 bytes). - Insert sets sentinel_id = block_id at insert time. - Lookup verifies sentinel_id == block_id via JIT_DCHECK_C; mismatch fires JIT_CHECK_C abort with diagnostic indicating either a post-allocation id mutation OR inserter/reader index disagreement. - catches the (IV) miss-class: id mutation via member function / indirect pointer write that grep doesn't pattern-match. Combined cost: zero release runtime; ~45min implementation. (I) sentinel-always and (II) generation-counter REJECTED per spec §3 as reverse perf trade without strong evidence the always-on detection is required vs (IV)+(III) catching at commit + pydebug. Build implications: Py_DEBUG-conditional layout change to PhxBcBlockEntry. Per JIT Header Change Protocol (CLAUDE.md), requires full distclean rebuild; testkeeper to verify both release (sentinel field absent, struct == 8 bytes) and pydebug (sentinel field present, struct == 12 bytes, JIT_DCHECK_C does not fire on normal workload). ARM64 verification via standard ARM64 retroactive-debt path once devgpu004 SSH-2FA infra restored. Auth: theologian spec 21:57:02Z + supervisor CONCUR 21:57:20Z + 22:10:02Z; librarian framework guidance 22:05:19Z (Step 1h shape mirroring 1e/1g, scripts/check_i3_invariant.sh --strict).
diff --git a/Python/jit/hir/builder_state_c.h b/Python/jit/hir/builder_state_c.h
@@ -28,6 +28,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "cinderx/Common/jit_log_c.h"  /* JIT_DCHECK_C (W-I3 (III) sentinel) */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -234,6 +236,14 @@ static inline void *phx_block_map_lookup(const PhxBlockMap *m, int key) {
 typedef struct PhxBcBlockEntry {
     int start; /* BCIndex.value() */
     int end;   /* BCIndex.value() */
+#ifdef Py_DEBUG
+    /* W-I3-RUNTIME-ASSERT (III) per docs/w-i3-runtime-assert-spec.md §2:
+     * pydebug-only sentinel storing the block_id this entry was inserted
+     * for. Verified at lookup; mismatch => I3 invariant violation
+     * (BasicBlock::id mutated post-allocation, OR inserter/reader
+     * disagree on indexing). Zero release-build cost. */
+    int sentinel_id;
+#endif
 } PhxBcBlockEntry;
 
 typedef struct PhxBcBlockArray {
@@ -287,16 +297,28 @@ static inline void phx_bc_block_array_insert(
     }
     a->data[block_id].start = start;
     a->data[block_id].end = end;
+#ifdef Py_DEBUG
+    a->data[block_id].sentinel_id = block_id;  /* W-I3 (III) */
+#endif
     if (needed > a->count) {
         a->count = needed;
     }
 }
 
 /* Read array[block_id]. Caller must guarantee block_id < a->count
  * (invariant I2: never look up an id beyond createBlocks high-water).
- * Returns by value; entry is just 8 bytes. */
+ * Returns by value; entry is just 8 bytes (release) / 12 bytes (pydebug
+ * with W-I3 (III) sentinel field). */
 static inline PhxBcBlockEntry phx_bc_block_array_at(
         const PhxBcBlockArray *a, int block_id) {
+#ifdef Py_DEBUG
+    JIT_DCHECK_C(
+        a->data[block_id].sentinel_id == block_id,
+        "W-I3 invariant violation: bc_block_array[%d].sentinel_id=%d "
+        "(BasicBlock::id mutated post-allocation, OR inserter/reader "
+        "disagree on indexing)",
+        block_id, a->data[block_id].sentinel_id);
+#endif
     return a->data[block_id];
 }
 
diff --git a/scripts/check_i3_invariant.sh b/scripts/check_i3_invariant.sh
@@ -0,0 +1,151 @@
+#!/bin/bash
+# check_i3_invariant.sh — W-I3-RUNTIME-ASSERT (IV) gate. Detects
+# id-mutation patterns on BasicBlock-class objects that would violate
+# Tier 8 SECOND-PILOT Phase B's I3 invariant: BasicBlock::id is
+# allocation-monotonic AND never mutated post-allocation.
+#
+# I3 underpins PhxBcBlockArray's dense-array O(1) lookup at
+# Python/jit/hir/builder_state_c.h:298 (phx_bc_block_array_at). Any
+# future HIR pass that renumbers ids (SSA-destruction-style cache
+# locality renumbering, peephole block-splitter, speculative-inlining
+# clone) would silently corrupt the lookup.
+#
+# Per W-I3-RUNTIME-ASSERT spec docs/w-i3-runtime-assert-spec.md §2 (IV)
+# + §7 (theologian 21:57:02Z + librarian 22:05:19Z framework guidance):
+# this script is the (IV) layer. (III) JIT_DCHECK pydebug sentinel
+# lives in builder_state_c.h's PhxBcBlockEntry.
+#
+# Usage:
+#   scripts/check_i3_invariant.sh             # default scope (warn-only)
+#   scripts/check_i3_invariant.sh --files     # show file:line per match
+#   scripts/check_i3_invariant.sh --strict    # exit 1 on any violation
+#
+# Behavior:
+#   - Greps Python/jit/hir/ for id-mutation patterns:
+#       <var>->id = ...    (pointer-style)
+#       <var>.id = ...     (value-style)
+#       set_id(/setId(    (setter methods)
+#   - Filters via ALLOW_LIST to exclude:
+#       - HirLoadAttrSpecial::id (void* attribute-id field, not BasicBlock)
+#       - Test/verify files (read-path testing per W44 precedent)
+#       - The BasicBlock ctor itself (initializer-list, not mutation)
+#   - Reports any remaining matches as VIOLATIONS.
+#
+# Exit codes:
+#   0 — no violations (gate clean)
+#   1 — at least 1 violation (--strict) OR script error
+
+set -euo pipefail
+
+cd "$(dirname "$0")/.."
+REPO_ROOT="$(pwd)"
+
+STRICT=0
+SHOW_FILES=0
+for arg in "$@"; do
+    case "$arg" in
+        --strict) STRICT=1 ;;
+        --files)  SHOW_FILES=1 ;;
+        *) echo "ERROR: unknown arg '$arg'" >&2
+           echo "Usage: $0 [--strict] [--files]" >&2
+           exit 1 ;;
+    esac
+done
+
+SEARCH_PATHS="Python/jit/hir"
+
+# Allow-list patterns (file or file:line) for known-OK matches.
+# Each entry should be commented with WHY it is legitimate.
+#
+# - hir_c_api.cpp 'l->id = id' on HirLoadAttrSpecial: the .id field is
+#   a void* attribute identifier on HirLoadAttrSpecial, NOT a
+#   BasicBlock id. Different class, different field semantics.
+# - hir.h 'next_register_id_' / 'cache_id_': not BasicBlock id; trailing
+#   underscore disambiguates. Pattern uses \bid\b so these won't match.
+# - hir.h 'BasicBlock(int id_) : id(id_)': initializer-list assignment
+#   inside the ctor, NOT a post-allocation mutation. Pattern excludes
+#   ': id(' constructor-init form.
+# - test_phx_block_map.c, hir_instr_c_verify.cpp: tests/verify files
+#   exercising read-path. Per W44 ALLOW_LIST precedent.
+ALLOW_LIST_FILES_REGEX='/(test_.*\.c|.*_test\.c|hir_instr_c_verify\.cpp)$'
+
+# Allow-list specific symbols whose ".id" or "->id" mutation is
+# unrelated to BasicBlock::id. Add new entries with justification.
+# Each entry is a regex matching the FULL grep line.
+ALLOW_LIST_LINES_REGEX='HirLoadAttrSpecial|l->id\s*=\s*id;|next_register_id_|cache_id_'
+
+echo "=== check_i3_invariant.sh — W-I3-RUNTIME-ASSERT (IV) gate ==="
+echo "HEAD: $(git rev-parse HEAD)"
+echo "Search scope: $SEARCH_PATHS"
+echo "Allow-list files: $ALLOW_LIST_FILES_REGEX"
+echo "Allow-list lines: $ALLOW_LIST_LINES_REGEX"
+echo ""
+
+# Patterns to detect (all id-mutation forms targeting a presumed-BasicBlock):
+#   ->id = ...    (single = followed by non-= to exclude == comparisons)
+#   .id = ...     (same; but more permissive — many false positives, hence
+#                  ALLOW_LIST filtering)
+#   set_id(       (setter-method form)
+#   setId(        (camelCase setter)
+PATTERNS_PTR='->\s*id\s*=\s*[^=]'
+PATTERNS_VAL='\.\s*id\s*=\s*[^=]'
+PATTERNS_SET='\b(set_id|setId)\s*\('
+
+echo "=== Step 1: enumerate id-mutation candidates in $SEARCH_PATHS ==="
+ALL_TMP=$(mktemp)
+trap "rm -f $ALL_TMP" EXIT
+
+set +e
+{
+    grep -rnE -e "$PATTERNS_PTR" --include='*.c' --include='*.cpp' --include='*.h' $SEARCH_PATHS 2>/dev/null
+    grep -rnE -e "$PATTERNS_VAL" --include='*.c' --include='*.cpp' --include='*.h' $SEARCH_PATHS 2>/dev/null
+    grep -rnE -e "$PATTERNS_SET" --include='*.c' --include='*.cpp' --include='*.h' $SEARCH_PATHS 2>/dev/null
+} | sort -u > "$ALL_TMP"
+set -e
+
+N_RAW=$(wc -l < "$ALL_TMP")
+echo "Raw matches: $N_RAW"
+
+# Filter via allow-lists.
+echo ""
+echo "=== Step 2: filter via allow-lists ==="
+FILTERED_TMP=$(mktemp)
+trap "rm -f $ALL_TMP $FILTERED_TMP" EXIT
+
+set +e
+grep -vE "$ALLOW_LIST_FILES_REGEX" "$ALL_TMP" | grep -vE "$ALLOW_LIST_LINES_REGEX" > "$FILTERED_TMP"
+set -e
+
+N_VIOLATIONS=$(wc -l < "$FILTERED_TMP")
+echo "After allow-list filtering: $N_VIOLATIONS violation(s)"
+echo ""
+
+if [ "$N_VIOLATIONS" -eq 0 ]; then
+    echo "=== Verdict ==="
+    echo "GATE PASS: $N_RAW raw matches all in allow-list; zero I3-violation candidates."
+    exit 0
+fi
+
+echo "=== Violations ==="
+if [ "$SHOW_FILES" -eq 1 ]; then
+    cat "$FILTERED_TMP" | sed 's/^/  /'
+else
+    cat "$FILTERED_TMP" | cut -d: -f1-2 | sort -u | sed 's/^/  /'
+fi
+
+echo ""
+echo "=== Verdict ==="
+echo "GATE FAIL: $N_VIOLATIONS candidate I3 violation(s)."
+echo ""
+echo "I3 invariant: BasicBlock::id is allocation-monotonic AND never"
+echo "mutated post-allocation. PhxBcBlockArray's dense-array O(1)"
+echo "lookup depends on this. Each violation must be either:"
+echo "  - Fixed (remove the id mutation)"
+echo "  - Re-architected (drop PhxBcBlockArray's id-indexed shape; see"
+echo "    docs/w-i3-runtime-assert-spec.md (II) generation-counter as"
+echo "    fallback)"
+echo "  - Allow-listed (if NOT actually a BasicBlock::id mutation; add"
+echo "    to ALLOW_LIST_LINES_REGEX or ALLOW_LIST_FILES_REGEX with a"
+echo "    one-line justification comment)"
+[ "$STRICT" -eq 1 ] && exit 1
+exit 0
diff --git a/scripts/gate_phoenix.sh b/scripts/gate_phoenix.sh
@@ -219,6 +219,24 @@ else
     echo "W45 §3.5 derivation-drift falsifier: PASS" | tee -a "$RESULTS_FILE"
 fi
 
+# Step 1h: W-I3-RUNTIME-ASSERT (IV) gate — BasicBlock::id immutability.
+# Detects id-mutation patterns that would silently corrupt PhxBcBlockArray
+# dense-array O(1) lookup (Tier 8 SECOND-PILOT Phase B). Per
+# docs/w-i3-runtime-assert-spec.md §2 (IV) + §7. Wired per librarian
+# 22:05:19Z framework guidance (mirrors 1e/1g delegation shape).
+echo "" | tee -a "$RESULTS_FILE"
+echo "--- Step 1h: W-I3 Invariant Gate ---" | tee -a "$RESULTS_FILE"
+I3_OUTPUT=$("$SCRIPT_DIR/check_i3_invariant.sh" --strict 2>&1) && I3_EXIT=0 || I3_EXIT=$?
+echo "$I3_OUTPUT" | tee -a "$RESULTS_FILE"
+if [ "$I3_EXIT" -ne 0 ]; then
+    echo "GATE FAIL — W-I3 invariant gate detected BasicBlock::id mutation" | tee -a "$RESULTS_FILE"
+    GATE_PASS=0
+    I3_VIOLATIONS=$(echo "$I3_OUTPUT" | grep -c "candidate I3 violation" || true)
+    FAILURES="$FAILURES w_i3:$I3_VIOLATIONS"
+else
+    echo "W-I3 invariant gate: PASS" | tee -a "$RESULTS_FILE"
+fi
+
 # Step 2: Verify JIT compiles and executes
 echo "" | tee -a "$RESULTS_FILE"
 echo "--- Step 2: JIT Smoke Test ---" | tee -a "$RESULTS_FILE"
