fix(arm): home i64 params per AAPCS register-pairs — close #518 silent miscompile (#242)

[avrabe]

What

Closes #518: an i64 binop reading an i64 parameter silently miscompiled on both ARM selectors. An i64 param occupies an AAPCS register pair (param0 = R0:R1), but both selectors treated a param as a single i32-width register. Found by footgun/adversarial differential testing; flip-independent, pre-existing.

Root cause + fix, by selector

• DIRECT (select_with_stack): infer_i64_locals learns i64-ness only from LocalSet/Tee, so a read-only i64 param stayed is_i64=false → its implicit hi register was unreserved and a following i64.const was allocated into it (movw r1,#K clobbered R1 = hi of an i64 param in R0:R1). Fixes: (a) seed i64_locals from self.params_i64; (b) reserve the hi half of a live i64 param in the arm regalloc: select_with_stack allocates param registers (r0-r3) for temps/results before live param reads — i64_lowering fuzz class #193 reservation; (c) map params to registers via the new aapcs_param_regs (even-aligned pairs — (i32,i64)→R0,R2:R3, not the sequential R1:R2 the old index_to_reg used). All-i32 signatures map identically, so non-i64-param functions are byte-identical.
• OPTIMIZED (ir_to_arm): the I64Load param-home guard num_params >= 2/4 conflated register-count with param-count and dropped the param (read from a fresh R4:R5 pair). Since ir_to_arm lacks per-param types it can't compute AAPCS pairing — decline any function that reads an i64 param to the direct selector (the Arg-register lowering drops/shifts the first arg for calls with 5 args + struct(sret) return (cortex-m4f, --native-pointer-abi) #359/fuzz: i64_lowering_doesnt_clobber_params flags Mov R0,R8 as AAPCS clobber — real clobber or harness false-positive? #188/Optimized path silently miscompiles br_table — selector elided, all arms fall through (#483/#500 family) #507 honest-degradation pattern).

Bounded: two sub-cases declined LOUDLY (Ok-or-Err, never silent wrong-code)

• an i64 param AAPCS-passed past R3 (stack) — the open arm: functions needing the AAPCS stack-arg path (>8 scalar params, or any 64-bit stack param) are skipped, not lowered #503-i64 case;
• an i64 param in a frame-backing function (has a call, or the pair-exhaustion retry) — the param_slots path sizes an i64 slot from a width set that excludes params, dropping the high half.

So no silent wrong-code remains: every i64-param function is either correctly compiled (leaf, register-resident — the common case) or loud-skipped.

Gate (oracle-first → correctness gate)

• scripts/repro/i64_param_518_differential.py flipped to the correctness gate (EXPECT_MISCOMPILE=False): 11 leaf cases match wasmtime on both paths across the full AAPCS matrix (single i64, (i32,i64), (i64,i64), second-i64-param), PLUS a decline-contract check (i64_param_518_decline.wat): d_past_r3 + d_call loud-skip, d_leaf emitted + executes correctly.
• Frozen anchors 3/3 byte-identical (control_step 0x00210A55 / flight_algo 0x07FDF307 / divseam — no i64 params).
• Updated the u64-packed FFI return: emit register-direct field access instead of generic 64-bit shift extraction #94 hi32-extract tests (backend + 5 optimizer_bridge unit tests) to source their i64 from a non-param value — the old i64-param shapes were themselves exercising the now-declined miscompile, masked by size-only assertions. Renamed test_ir_to_arm_i64_add_* to also pin the decline contract.
• Independently clean-room verified (correctness on both paths with adversarial inputs; bug confirmed real on the parent commit; fmt/clippy/tests/frozen all green).

Refs #242, #503 (the i64-stack-param follow-up the decline points at).

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 82.11382% with 22 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
crates/synth-synthesis/src/instruction_selector.rs	77.31%	22 Missing ⚠️

📢 Thoughts on this report? Let us know!