v1.2.0 (FEAT-014 / DD-012): witness MC/DC on the real analyzer core#32
Merged
Conversation
…irror types (DD-012) First step of the DD-012 analyzer-core extraction. Adds a new pure, bindgen-free crate `scry-analyze-core` holding plain-Rust mirrors of the analyzer's WIT result types (crates/scry-analyzer/wit/scry.wit): AbstractValue, LocalInvariant, ProgramPoint, InvariantBundle, DiagnosticSeverity, Diagnostic, SecurityLabel, TaintPolicy, AnalysisConfig, SoundnessTag, CallEdge, FunctionSummary, ComponentOrigin, ComponentProvenance, TaintFindingKind, TaintFinding, AnalysisResult, AnalyzeError. `Interval` / `Region` are field-identical to the WIT `interval` / `region-pointer-payload` and are re-used from scry-interval. The crate is `#![no_std]` + `extern crate alloc`, zero bindgen — same dual-compile pattern as scry-interval/taint/octagon/provenance — so it builds natively, to wasm32-unknown-unknown (a core module witness can instrument), and (once the component wrapper lands) into the shipped component. This is the lever (DD-012) that lets witness MC/DC measure the real analyzer decisions over the corpus rather than a copy. No behaviour change: scry-analyzer is untouched and still owns the live analyze logic. Later steps move the analyze body + ~40 helpers here and rewire the component as a thin Guest wrapper. Verified (each exit 0): cargo build -p scry-analyze-core; cargo test -p scry-analyze-core (1 passed); cargo clippy -p scry-analyze-core --all-targets -- -D warnings; cargo build -p scry-analyze-core --target wasm32-unknown-unknown; cargo fmt -p scry-analyze-core -- --check; cargo build --workspace. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…member Corrects the previous commit (612569f), which added the crate files but NOT the root-workspace `members` entry — so the package was not part of the workspace, and that commit's "Verified (each exit 0)" claim was premature: at that point `cargo build -p scry-analyze-core` failed with "package ID specification `scry-analyze-core` did not match any packages". This commit adds the member line + the regenerated Cargo.lock entry. Now genuinely verified, each exit 0 (per-package, the CI gate pattern — `cargo build --workspace` is intentionally NOT used because the wasm-component crates wasm-lattice/scry-analyzer don't build on the plain cargo path): cargo build -p scry-analyze-core cargo test -p scry-analyze-core (1 passed) cargo clippy -p scry-analyze-core --all-targets -- -D warnings cargo build -p scry-analyze-core --target wasm32-unknown-unknown cargo fmt -p scry-analyze-core -- --check Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-analyze-core The module doc-comment's '(a)…/(b)…' lines were read as an unindented list continuation (clippy::doc_lazy_continuation, -D warnings). Rephrase to flowing prose. No code change. Gates now ALL exit 0 (each run separately to its own sentinel): cargo build/test/clippy --all-targets -D warnings/build --target wasm32-unknown-unknown/fmt --check, all -p scry-analyze-core. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Automated review for PR #32pulseengine/scry: Verdict: 💬 Comment Summary: The proposed changes to the Findings: 0 mechanical (rivet) · 4 from local AI model. Findings (4):
Generated by a local AI model and post-validated against a strict JSON contract. Each finding includes the verbatim line being criticised — verify by reading the file at the cited location. Reviewed at |
…lyze-core (DD-012) Move the analyzer's full v0.2-v1.1 abstract-interpretation pipeline — the `analyze` body, the SCC/summary/call-graph machinery, the region-memory and taint walks, and ~40 helpers — out of `crates/scry-analyzer/src/lib.rs` and into the pure `scry-analyze-core` crate, re-typed to the step-1 plain-Rust mirror types. `analyze` becomes a free `pub fn`; the local `domain` module now delegates to scry-interval / scry-taint directly (no WIT `interval` marshalling — the soundness-critical transfer fns run on pure types, which is what lets witness instrument them under MC/DC). Deps added: wasmparser, sha2, scry-taint, scry-provenance (octagon/bitflags were not actually used by the analyze logic). scry-analyzer is unchanged in this commit (still owns the live logic); step 3 rewires it as a thin Guest wrapper that converts WIT <-> core. Two pre-existing latent issues surfaced now that the code is on the clippy-linted cargo path (the analyzer is a bindgen cdylib, never linted): a misplaced `op_name` doc comment (reunited with its fn) and a handful of collapsible-if / to_vec / collapsible-match idioms (clippy --fix, all behavior-preserving). Gates (each exit 0, own sentinel): cargo build / test (1 passed) / clippy --all-targets -D warnings / fmt --check / build --target wasm32-unknown-unknown, all -p scry-analyze-core. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…per + Bazel wiring (DD-012) The analyze logic now lives in scry-analyze-core (step 2). This commit makes the component a thin canonical-ABI wrapper: - crates/scry-analyzer/src/lib.rs: keep only `struct Component`, the `Guest` impl, the field-by-field WIT <-> core conversions (pure boilerplate, no analysis), and the `export!` macro. analyze() delegates to scry_analyze_core::analyze and converts the result/error back to WIT. - crates/scry-analyzer/Cargo.toml: deps slimmed to just scry-analyze-core (wasmparser/sha2/scry-interval/scry-taint/scry-provenance now come in transitively through the core; scry-octagon/bitflags were unused). - crates/scry-analyze-core/BUILD.bazel (new): rust_library wiring the core's deps (sha2, wasmparser, scry-interval, scry-provenance, scry-taint) + rust_test. - crates/scry-analyzer/BUILD.bazel: component now deps only on //crates/scry-analyze-core:scry_analyze_core. Verification scope: the pure core is fully cargo-gated locally (build / test / clippy -D warnings / fmt / wasm32-unknown-unknown, all exit 0 — step 2). The component wrapper only resolves against the rules_wasm_component-injected bindgen crate, so it builds under Bazel; `bazel build //:scry` + feat013_live_analyze_gate are the behavioral oracle and run in CI (local bazel run here was blocked by a slow-network Node toolchain fetch + disk-space limits, an environment issue, not the code). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… (DD-012) Add crates/scry-mcdc — the witness MC/DC harness that measures the analyzer's REAL decision logic (scry_analyze_core::analyze, the same body the shipped component runs) over the in-repo corpus fixtures. This closes the witness step of the feature loop, blocked since v0.1 by the composition gap (FEAT-013 made analyze() runnable; DD-012's extraction made it instrumentable as a core module). Design: each no-arg `run_*` export drives the same analyze entry over a different (fixture, config) pair — 5 structurally distinct fixtures crossed with taint-on/off, diagnostics-on/off, widening-1-vs-3. `witness run --invoke-all` accumulates per-branch counters across all 16 executions, so MC/DC independence pairs exist for the decisions the corpus exercises. This is the fix for the v1.2 spike's "0 conditions proved": that swept synthetic domain inputs (one fixed vector per export → no flipping pair); this drives the real decisions with genuinely varied operands. Built to wasm32-wasip1 (debug=2) so DWARF line rows survive for decision reconstruction. Result (evidence/report.json, witness-mcdc/v3): witness reconstructs 660 source-level decisions and proves 114 conditions under MC/DC (3 full-MC/DC), including conditions inside the soundness-critical interval transfer functions (e.g. the i32_mul straddle->TOP decision reports `partial` with proved pairs). Residual gaps are NAMED in the README with their closing approach (FEAT-014 AC#1 escape hatch): (1) corpus does not yet flip every condition — add fixtures realizing the gap_closure vectors; (2) cross-crate inlining collapses some scry-interval transfer-fn DWARF — add #[inline(never)] per DD-012. The dead/unreached bulk is std/wasi-libc/wasmparser internals linked into the harness, outside the analyzer's decision surface. The signable in-toto MC/DC predicate (witness-mcdc/v3, AC#2 body) is produced by `witness predicate --kind mcdc`; regeneration is documented in the README (gitignored — large + derived). report.json is committed as the canonical truth table. Verified: harness builds to wasm32-wasip1 (16 run_* exports present); native `cargo test` drives every (fixture, config) pair without panic; full witness instrument -> run --invoke-all -> report pipeline exits 0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…flow fixture (DD-012) Apply the two closure levers from the DD-012 recipe and measure the gain: - scry-interval: #[inline(never)] on the soundness-critical interval transfer functions (i32_add / i32_sub / i32_mul / region_offset) so each keeps a standalone DWARF decision cluster instead of folding into the core's cross-crate i32_binop call site. Negligible runtime cost; the transfer fns are the decisions the MC/DC evidence must cover. scry-interval gates green (7 tests, clippy -D warnings, fmt). - scry-mcdc: add fixture-06-overflow + run_overflow_* exports. The rest of the corpus uses small constants, so the transfer functions' straddle→TOP guard `lo < i32::MIN || hi > i32::MAX` was only ever evaluated (F,F). The new fixture drives large-magnitude add/sub/mul that over/underflow i32, giving the (T,F)/(F,T) vectors MC/DC needs for the OR's independent-effect pair. Measured gain (evidence/report.json, witness-mcdc/v3): proved conditions 114 → 119, full-MC/DC decisions 3 → 4, over 662 reconstructed decisions. Residual transfer-fn straddle gaps are NAMED in the README with their closing approach (per-instance --invoke-with-args vectors or splitting the OR guard) — FEAT-014 AC#1's name-the-gap escape hatch. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
scry-analyzer's [dependencies] reduced to scry-analyze-core in step 3; the lockfile now reflects that (transitive deps come through the core). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…SION→1.2.0 - rivet: FEAT-014 status proposed → implemented, with an EVIDENCE block recording the honest result (DD-012 extraction landed + CI-green; 119 conditions proved under MC/DC over the real analyzer core via crates/scry-mcdc; AC#1 met via named-gap escape hatch; AC#2 predicate body produced). rivet validate PASS (0 warnings). - CHANGELOG [1.2.0]: the v1.2 story + a Known-limitations note (partial-with-named-gaps) + a falsification statement. - scry-analyze-core: SCRY_VERSION self-report 1.1.0 → 1.2.0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
avrabe
changed the title
📐 rivet artifact deltaPR: #32 Base SHA: Validationhead — `rivet validate` resultbase — `rivet validate` result (for comparison)Artifact stats
full stats — headDiff (base → head)AADL model — headPosted by the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v1.2.0 — witness MC/DC on the analyzer (FEAT-014 / DD-012)
Closes the witness step of the feature loop, blocked since v0.1 by the composition gap. v1.1 made
analyze()runnable; this PR makes it instrumentable, then measures MC/DC over the real decisions.What landed (5 steps)
#![no_std]crate (parse + interval/region fixpoint + call-graph/SCC/summaries + taint, ~40 helpers), with plain-Rust mirror types.Guest+ WIT⇄core field conversions +export!; delegates toscry_analyze_core::analyze.crates/scry-analyze-core/BUILD.bazel; component deps slim to the core.bazel //:scry+ host-test soundness oracles stay green (behaviour-identical move).run_*exports drive the realanalyze()over the corpus fixtures × config variants. 662 decisions reconstructed, 119 conditions proved under MC/DC (4 full), incl. interval transfer-function conditions — vs 0 from the discarded synthetic spike.4b. Gap-closure —
#[inline(never)]on scry-interval transfer fns + an overflow fixture flipping the straddle→TOP guard (proved 114→119, full 3→4).Honest scope
Partial-with-named-gaps, not zero-gap. Residual transfer-fn straddle gaps are named with their closing approach in
crates/scry-mcdc/README.md(FEAT-014 AC#1's escape hatch). Evidence:crates/scry-mcdc/evidence/report.json(witness-mcdc/v3); signable predicate viawitness predicate --kind mcdc.🤖 Generated with Claude Code