From b825c365596c67db661b322108e612607184e409 Mon Sep 17 00:00:00 2001 From: giles Date: Sat, 20 Jun 2026 04:07:51 +0000 Subject: [PATCH] vm-ext: document guard/PUSH_HANDLER fix + double-exec residual in plan Co-Authored-By: Claude Opus 4.8 (1M context) --- plans/jit-bytecode-correctness.md | 35 +++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/plans/jit-bytecode-correctness.md b/plans/jit-bytecode-correctness.md index d506a4d8..a6298074 100644 --- a/plans/jit-bytecode-correctness.md +++ b/plans/jit-bytecode-correctness.md @@ -168,3 +168,38 @@ Serving-mode JIT is now **opt-in via `SX_SERVING_JIT=1` (default OFF)** in page server opts in. This bounds risk: guests are validated and excluded incrementally; until then the default protects them. Common-Lisp's advanced suites still need investigation before CL is opt-in-clean. + +--- + +## guard / handler-bind under JIT — central recursive PUSH_HANDLER scan (2026-06-20) + +Combined-binary integration (my JIT + host render-page) surfaced a third +JIT-unsafe class beyond guest dispatch cores: **`guard`-based error handling**. +The VM's `OP_PUSH_HANDLER` (compiled `guard`) only intercepts a VM-level +`RAISE` (opcode 37) — it does NOT catch the OCaml `Eval_error` the `error` +primitive throws from a CALL/CALL_PRIM in a callee frame. So a JIT-compiled +`guard` silently fails to catch; the thrown error escapes across the JIT frame. + +- SOLID break: `host/wrap-errors -> dream-catch-with` (curried: + `(fn (on-error) (fn (next) (fn (req) (guard ...))))`) — middleware suite + 7/9 under JIT (9/9 CEK), "kaboom" escaped as Unhandled exception, NOT + fallback-saved (the guard is in an outer frame, the throw in an inner one). +- LATENT (turned out harmless): `host/blog--render-node`'s `guard` — it JIT- + failed then the hook RE-RAN it on CEK where the guard caught (pure render, no + duplicated effects). This is the double-execution residual firing live. + +Fix: `code_uses_handler` scans a JIT candidate's bytecode **recursively** +(including nested closure code in the constant pool) for `OP_PUSH_HANDLER`; +`jit_compile_lambda` skips JIT for any match. The recursion is essential — +curried `dream-catch-with` has no PUSH_HANDLER in its own body; the guard is in +a nested `OP_CLOSURE`. Verified: direct + curried cross-frame guards catch +under JIT; host "kaboom" escapes 2 -> 0. + +### Remaining (documented, gated): the double-execution residual +The serving hook still re-runs a failed VM execution via CEK (correct result, +duplicated side effects if the function is impure and fails mid-run). The guard +fix removes the common trigger (guard functions no longer JIT). The clean +general fix is propagate-don't-rerun (run_tests' hook semantics) but that +surfaces genuine mid-run miscompiles as errors and must land with fixing/ +excluding those — deferred (shared CEK/VM change). The default-OFF gate makes +all of this opt-in, so nothing regresses by default.