Merge Phase 19: JIT differential testing + fuel check

19.1: force_interpreter flag + 4 differential tests (interp vs JIT)
19.2: JIT fuel decrement at loop back-edges (ARM64 + x86_64)
  - jitSuppressed() no longer blocks JIT when fuel is set
  - jit_fuel i64 counter synced before/after JIT execution
  - Shared fuel exit stubs (1 per function, not per back-edge)

Author: chaploud

.dev/memo.md

@@ -4,33 +4,34 @@ Session handover document. Read at session start.
 
 ## Current State
 
-- Stages 0-46 + Phase 1, 3, 5, 8, 11, 15 complete. **v1.5.0** (tagged 48342ab).
+- Stages 0-46 + Phase 1, 3, 5, 8, 11, 15 complete. **v1.6.0** (tagged 503e73a).
 - Spec: 62,263/62,263 Mac+Ubuntu+Windows (100.0%, 0 skip). E2E: 792/792. Real-world: 50/50.
 - Wasm 3.0: all 9 proposals. WASI: 46/46 (100%). WAT parser complete.
 - JIT: Register IR + ARM64/x86_64 (macOS, Linux, Windows x86_64). Size: 1.22MB stripped.
 - **Windows x86_64**: First-class support (D129, PR #8). platform.zig abstraction,
   VEH guard pages, Win64 ABI, HostHandle WASI, Python test runners, CI 3-OS.
-- **C API**: `libzwasm` (.dll/.lib, .dylib/.a, .so/.a) — 25 exported functions (D126).
+- **C API**: `libzwasm` — 25 exported functions (D126). c_allocator + ReleaseSafe default.
+  Issue #11 fixed (Zig GPA PIC bug). 64-test FFI suite via dlopen.
+- **Rust FFI example**: PR #12 merged. edition 2024, CI integrated.
 - **Conditional compilation**: `-Djit=false`, `-Dcomponent=false`, `-Dwat=false` (D127).
-- **main = stable**: v1.5.0. ClojureWasm updated to v1.5.0.
+- **main = stable**: v1.6.0+. ClojureWasm updated to v1.5.0.
 
 ## Current Task
 
-**PR #8 Windows support review + merge** (branch: `fix/pr8-review-fixes`)
+**Phase 19: JIT Reliability — differential testing + fuel check**
 
-- [x] Code review: 26 files, platform.zig / guard.zig / wasi.zig / x86.zig / CI
-- [x] Fix run_compat.py rust_file_io regression (guest path alias)
-- [x] Fix path_filestat_get SYMLINK_NOFOLLOW restoration
-- [x] Fix README Stage 33 duplicate, run_spec.py .exe detection
-- [x] Code quality: VEH constant, HostHandle.close(), fd placeholder docs
-- [x] Doc updates: embedding.md, security.md, roadmap.md, decisions.md (D129)
-- [ ] Merge Gate (Mac + Ubuntu)
-- [ ] Benchmark recording
-- [ ] Push to PR branch → merge via GitHub
+Goal: make JIT a verifiably correct optimization layer over the interpreter.
 
-### Pending: JIT fuel bypass + PR #6 timeout
-Checklist: `@./.dev/checklist-jit-fuel-timeout.md`
-PR review: `@./private/pr6-timeout-review.md`
+- [ ] JIT differential testing infrastructure (interp vs JIT comparison)
+- [ ] JIT fuel/deadline check at back-edges (replaces jitSuppressed())
+- [ ] W35 ARM64 JIT OOB investigation (unpin CI Rust)
+
+### Design Principles
+
+1. **Interpreter = source of truth**. JIT must produce identical results.
+2. **Differential testing** catches JIT-only bugs automatically.
+3. **Incremental**: each step independently committable, all gates pass.
+4. **No existing behavior removed** — only new verification added.
 
 ## Handover Notes
 
@@ -42,6 +43,11 @@ PR review: `@./private/pr6-timeout-review.md`
   - Separate future task. See `@./private/pr6-timeout-review.md` §Fix Options and wasmtime research in `~/Documents/OSS/wasmtime/crates/cranelift/src/func_environ.rs`.
 - **Flaky compat tests**: W36 in checklist.md — `go_crypto_sha256`/`go_regex` intermittent DIFF on base code (pre-existing, likely W35-related).
 
+### Issue #11 root cause (2026-03-22)
+- Zig 0.15 GPA crashes in Debug-mode shared libraries on Linux x86_64 (PIC codegen).
+- Fix: c_allocator (libc malloc) + library builds default to ReleaseSafe.
+- Zig build system also has shuffle bug with same-named artifacts → shared-lib/static-lib split.
+
 ## References
 
 - `@./.dev/roadmap.md` (future phases), `@./.dev/roadmap-archive.md` (completed stages)
@@ -50,4 +56,3 @@ PR review: `@./private/pr6-timeout-review.md`
 - `@./.dev/decisions.md`, `@./.dev/checklist.md`, `@./.dev/spec-support.md`
 - `@./.dev/jit-debugging.md`, `@./.dev/bench-strategy.md`
 - External: wasmtime (`~/Documents/OSS/wasmtime/`), zware (`~/Documents/OSS/zware/`)
-

.dev/roadmap.md

@@ -160,6 +160,35 @@ Largest technical challenge.
 
 **Gate**: Windows x86_64 all tests pass. 3-OS CI complete.
 
+### Phase 19: JIT Reliability (2 days)
+
+Make JIT a verifiably correct optimization layer over the interpreter.
+Principle: interpreter is the source of truth; JIT must produce identical results.
+All changes incremental — no existing behavior removed, only verification added.
+
+**19.1 Differential Testing Infrastructure**
+
+- Add `force_interpreter` flag to Vm — bypass JIT/RegIR, use stack interpreter
+- Differential test harness: run same function via interpreter AND JIT, compare results
+- Integrate into spec runner (`--diff` mode), fuzz harness, real-world compat
+- Catches JIT-only bugs (W35, W36 class) automatically
+
+**19.2 JIT Fuel Check at Back-Edges**
+
+- Emit fuel decrement + conditional trampoline exit at loop back-edges
+- ARM64: `ldr x0, [x20, #fuel_offset]; subs x0, x0, #1; str; b.mi exit`
+- x86: `dec qword [vm+fuel_offset]; js exit`
+- Remove `jitSuppressed()` fuel condition (keep profile/deadline suppression initially)
+- Unblocks PR #6 (timeout support)
+
+**19.3 W35 ARM64 JIT OOB Investigation**
+
+- Diff serde_json.wasm between rustc 1.92.0 and 1.93.1
+- Identify wasm opcode pattern that triggers ARM64 JIT miscompilation
+- Create minimal reproducer, fix JIT codegen, unpin CI Rust version
+
+**Gate**: Differential test suite pass. Fuel+JIT coexist. CI Rust unpinned.
+
 ### Phase 18: Book i18n + Lazy Compilation + CLI Extensions (3 days)
 
 **18.1 Book i18n (1 day)**
@@ -197,6 +226,7 @@ JIT deferred to first call. Trampoline → direct jump patch.
 | **v1.4.0** | 5, 8 | C API, conditional compilation, 50+ real-world, WAT parity |
 | **v1.5.0** | 11     | Allocator injection, C API config, embedding docs |
 | **v1.6.0** | 15     | Windows x86_64, 3-OS CI, platform abstraction      |
+| **v1.7.0** | 19     | JIT differential testing, fuel check, W35 fix       |
 | **v2.0.0** | 13     | SIMD JIT (NEON/SSE)                                |
 
 ## Benchmark History

src/jit.zig

@@ -269,6 +269,11 @@ const a64 = struct {
         return 0xD1000000 | (@as(u32, imm12) << 10) | (@as(u32, rn) << 5) | rd;
     }
 
+    /// SUBS Xd, Xn, #imm12 (64-bit, sets flags)
+    fn subsImm64(rd: u5, rn: u5, imm12: u12) u32 {
+        return 0xF1000000 | (@as(u32, imm12) << 10) | (@as(u32, rn) << 5) | rd;
+    }
+
     /// SUB Wd, Wn, #imm12 (32-bit)
     fn subImm32(rd: u5, rn: u5, imm12: u12) u32 {
         return 0x51000000 | (@as(u32, imm12) << 10) | (@as(u32, rn) << 5) | rd;
@@ -887,6 +892,8 @@ pub const Compiler = struct {
     patches: std.ArrayList(Patch),
     /// Error stubs: branch-to-error sites to be patched at end of function.
     error_stubs: std.ArrayList(ErrorStub),
+    /// Branch indices from fuel checks — all patched to a single shared fuel exit.
+    fuel_check_branches: std.ArrayList(u32),
     alloc: Allocator,
     reg_count: u16,
     local_count: u16,
@@ -916,6 +923,7 @@ pub const Compiler = struct {
     param_count: u16,
     result_count: u16,
     reg_ptr_offset: u32,
+    jit_fuel_offset: u32,
     min_memory_bytes: u32,
     /// Bitmask of vregs that need loading in the prologue.
     /// Bit N = 1 means vreg N is read before written and must be loaded.
@@ -993,6 +1001,7 @@ pub const Compiler = struct {
             .pc_map = .empty,
             .patches = .empty,
             .error_stubs = .empty,
+            .fuel_check_branches = .empty,
             .alloc = alloc,
             .reg_count = 0,
             .local_count = 0,
@@ -1016,6 +1025,7 @@ pub const Compiler = struct {
             .param_count = 0,
             .result_count = 0,
             .reg_ptr_offset = 0,
+            .jit_fuel_offset = 0,
             .min_memory_bytes = 0,
             .prologue_load_mask = 0xFFFFF, // default: load all (20 vregs)
             .known_consts = .{null} ** 128,
@@ -1041,6 +1051,7 @@ pub const Compiler = struct {
         self.pc_map.deinit(self.alloc);
         self.patches.deinit(self.alloc);
         self.error_stubs.deinit(self.alloc);
+        self.fuel_check_branches.deinit(self.alloc);
     }
 
     fn emit(self: *Compiler, inst: u32) void {
@@ -2381,6 +2392,8 @@ pub const Compiler = struct {
             regalloc_mod.OP_BR => {
                 self.fpCacheEvictAll();
                 const target = instr.operand;
+                // Fuel check at back-edges (target <= current pc)
+                if (target <= pc.* - 1) self.emitFuelCheck();
                 const arm_idx = self.currentIdx();
                 self.emit(a64.b(0)); // placeholder
                 self.patches.append(self.alloc, .{
@@ -2391,6 +2404,8 @@ pub const Compiler = struct {
             },
             regalloc_mod.OP_BR_IF => {
                 self.fpCacheEvictAll();
+                // Fuel check at back-edges (before the conditional branch)
+                if (instr.operand <= pc.* - 1) self.emitFuelCheck();
                 // Branch if rd != 0
                 const cond_reg = self.getOrLoad(instr.rd, SCRATCH);
                 const arm_idx = self.currentIdx();
@@ -2403,6 +2418,8 @@ pub const Compiler = struct {
             },
             regalloc_mod.OP_BR_IF_NOT => {
                 self.fpCacheEvictAll();
+                // Fuel check at back-edges
+                if (instr.operand <= pc.* - 1) self.emitFuelCheck();
                 const cond_reg = self.getOrLoad(instr.rd, SCRATCH);
                 const arm_idx = self.currentIdx();
                 self.emit(a64.cbz32(cond_reg, 0)); // placeholder
@@ -3307,6 +3324,40 @@ pub const Compiler = struct {
         self.storeVreg(instr.rd, d);
     }
 
+    /// Emit fuel check at a loop back-edge.
+    /// Decrements jit_fuel in the VM struct; if negative, branches to a shared
+    /// fuel-exhausted exit (emitted once at end of function by emitErrorStubs).
+    fn emitFuelCheck(self: *Compiler) void {
+        // Skip when offset is 0 (unit tests without Vm struct)
+        if (self.jit_fuel_offset == 0) return;
+        // Load vm_ptr → SCRATCH (x8)
+        self.emitLoadVmPtr(SCRATCH);
+        const fuel_reg: u5 = 0; // x0: safe — not mapped to any vreg
+        // Compute address of jit_fuel: ADD SCRATCH, SCRATCH, #offset
+        // jit_fuel offset exceeds u16 (Vm struct is >500KB), so use ADD imm.
+        const fuel_off = self.jit_fuel_offset;
+        // ADD can encode up to 12-bit immediate (4095). If larger, use two-step.
+        if (fuel_off <= 4095) {
+            self.emit(a64.addImm64(SCRATCH, SCRATCH, @intCast(fuel_off)));
+        } else {
+            // MOVZ x0, #(fuel_off & 0xFFFF), LSL#0
+            self.emit(a64.movz64(fuel_reg, @truncate(fuel_off), 0));
+            if (fuel_off > 0xFFFF) {
+                self.emit(a64.movk64(fuel_reg, @truncate(fuel_off >> 16), 1));
+            }
+            self.emit(a64.add64(SCRATCH, SCRATCH, fuel_reg));
+        }
+        // Now SCRATCH points to &vm.jit_fuel
+        self.emit(a64.ldr64(fuel_reg, SCRATCH, 0));
+        self.emit(a64.subsImm64(fuel_reg, fuel_reg, 1));
+        self.emit(a64.str64(fuel_reg, SCRATCH, 0));
+        self.scratch_vreg = null;
+        // Branch to shared fuel exit (patched in emitErrorStubs)
+        const branch_idx = self.currentIdx();
+        self.emit(a64.bCond(.mi, 0)); // placeholder
+        self.fuel_check_branches.append(self.alloc, branch_idx) catch {};
+    }
+
     /// Emit conditional error: if condition is true, branch to shared error stub.
     /// Error stubs are emitted at function end by emitErrorStubs().
     fn emitCondError(self: *Compiler, cond: a64.Cond, error_code: u16) void {
@@ -4652,7 +4703,7 @@ pub const Compiler = struct {
     /// Emit error stubs and shared error epilogue at end of function.
     /// Each error site branches to a stub that sets x0 and jumps to shared exit.
     fn emitErrorStubs(self: *Compiler) void {
-        if (self.error_stubs.items.len == 0 and !self.use_guard_pages) return;
+        if (self.error_stubs.items.len == 0 and self.fuel_check_branches.items.len == 0 and !self.use_guard_pages) return;
 
         // Shared error epilogue: restore callee-saved regs and return (x0 has error code)
         const shared_exit = self.currentIdx();
@@ -4690,6 +4741,22 @@ pub const Compiler = struct {
                 }
             }
         }
+
+        // Emit shared fuel-exhausted exit and patch all fuel check branches.
+        // Single stub: MOVZ x0, #9 + B shared_exit. All back-edge checks branch here.
+        if (self.fuel_check_branches.items.len > 0) {
+            const fuel_stub_idx = self.currentIdx();
+            self.emit(a64.movz64(0, 9, 0)); // x0 = 9 (FuelExhausted)
+            const exit_offset: i26 = @intCast(@as(i32, @intCast(shared_exit)) - @as(i32, @intCast(self.currentIdx())));
+            self.emit(a64.b(exit_offset));
+
+            // Patch all fuel check B.MI branches to point to this stub
+            for (self.fuel_check_branches.items) |branch_idx| {
+                const offset: i32 = @as(i32, @intCast(fuel_stub_idx)) - @as(i32, @intCast(branch_idx));
+                const imm: u19 = @bitCast(@as(i19, @intCast(offset)));
+                self.code.items[branch_idx] = 0x54000000 | (@as(u32, imm) << 5) | @as(u32, @intFromEnum(a64.Cond.mi));
+            }
+        }
     }
 
     // --- Branch patching ---
@@ -5199,6 +5266,7 @@ pub fn compileFunction(
     compiler.use_guard_pages = use_guard_pages;
     compiler.osr_target_pc = osr_target_pc;
     compiler.gc_trampoline_addr = gc_trampoline_addr;
+    compiler.jit_fuel_offset = @intCast(@offsetOf(vm_mod.Vm, "jit_fuel"));
 
     // Dump JIT code before deinit (pc_map still alive, one-shot)
     if (trace) |tc| {

src/types.zig

@@ -457,6 +457,15 @@ pub const WasmModule = struct {
         try self.vm.invoke(&self.instance, name, args, results);
     }
 
+    /// Invoke using only the stack-based interpreter, bypassing RegIR and JIT.
+    /// Used by differential testing to get a reference result.
+    pub fn invokeInterpreterOnly(self: *WasmModule, name: []const u8, args: []u64, results: []u64) !void {
+        self.vm.reset();
+        self.vm.force_interpreter = true;
+        defer self.vm.force_interpreter = false;
+        try self.vm.invoke(&self.instance, name, args, results);
+    }
+
     /// Read bytes from linear memory at the given offset.
     /// The returned slice is owned by the caller and must be freed with `allocator`.
     pub fn memoryRead(self: *WasmModule, allocator: Allocator, offset: u32, length: u32) ![]const u8 {