transpiler: sanitize max array capacities in emitted std::array

shuaimu · shuaimu · commit 3485c5a119d1 · 2026-04-06T18:47:11.000-04:00
diff --git a/TODO.md b/TODO.md
@@ -1182,7 +1182,26 @@ Work on tasks defined in TODO.md. Repeat the following steps, don’t stop until
                                 - `tests/transpile_tests/run_parity_matrix.sh --work-root /tmp/rusty-parity-matrix-27-9-2-1775514496 --keep-work-dirs`
                               - [x] *done* Guardrail check against wrong-approach section (`docs/rusty-cpp-transpiler.md` §11): maintained deterministic first-head discipline, captured canonical artifacts before opening the next implementation leaf, and avoided crate-specific rewrites/scripts.
                           - [ ] Leaf 4.15.4.3.3.3.3.3.27.10: Collapse the post-27.9.2 deterministic Stage D max-capacity tuple/constexpr family generically (starting with `ArrayVec<std::tuple<>, usize::MAX>` instantiation shape rooted at `runner.cpp:4262`), add fixture-agnostic regressions, then re-run full seven-crate matrix.
-                            - [ ] Leaf 4.15.4.3.3.3.3.3.27.10.1: Implement generic transpiler/runtime fixes for the first deterministic 27.9.2 head (no crate-specific scripts): prevent invalid max-capacity tuple container materialization patterns from being emitted in test/value contexts while preserving existing const-generic behavior.
+                            - [x] *done* Leaf 4.15.4.3.3.3.3.3.27.10.1: Implement generic transpiler/runtime fixes for the first deterministic 27.9.2 head (no crate-specific scripts): prevent invalid max-capacity tuple container materialization patterns from being emitted in test/value contexts while preserving existing const-generic behavior.
+                              - [x] *done* Scope/plan analysis for 27.10.1:
+                                - implementation size is well under the <1000 LOC budget (small shared type-mapping/runtime tweak + focused regressions), so no leaf decomposition was needed.
+                                - execution plan: add a shared capacity-sanitization helper and gate array type emission through it only for risky max-capacity/path-like const-generic shapes, then verify first deterministic parity-head movement.
+                              - [x] *done* Implemented generic transpiler/runtime hardening (no crate-specific scripts):
+                                - `include/rusty/rusty.hpp`: added `rusty::sanitize_array_capacity<N>()` that maps only `N == std::numeric_limits<size_t>::max()` to `1` for `std::array` materialization safety while preserving all other capacities unchanged.
+                                - `transpiler/src/codegen.rs`: array type emission now uses `std::array<..., rusty::sanitize_array_capacity<...>()>` for max-capacity/path-like const-generic capacity expressions so invalid `std::array<..., SIZE_MAX>` instantiations are not emitted.
+                              - [x] *done* Added focused fixture-agnostic transpiler regressions in `transpiler/src/codegen.rs`:
+                                - `test_leaf41543333333327101_array_const_generic_capacity_uses_sanitizer`
+                                - `test_leaf41543333333327101_array_usize_max_capacity_uses_sanitizer`
+                                - updated existing const-generic template-preservation assertion to the sanitized array shape so behavior stays coherent under the new generic mapping rule.
+                              - [x] *done* Re-probed `arrayvec` parity after 27.10.1 (`tests/transpile_tests/run_parity_matrix.sh --crate arrayvec --work-root /tmp/rusty-parity-matrix-27-10-1-1775515473 --keep-work-dirs`):
+                                - prior deterministic first hard error family rooted at `runner.cpp:4262` (`ArrayVec<std::tuple<>, usize::MAX>` / `std::array<..., SIZE_MAX>` instantiation failure via `/usr/include/c++/14/array:61`) is removed from first slot.
+                                - new deterministic Stage D first hard error now starts at `runner.cpp:4293` (`constexpr` literal-type/copy-template fallout family), with adjacent non-head errors in nearby lines.
+                                - canonical artifacts: `/tmp/rusty-parity-matrix-27-10-1-1775515473/arrayvec/{baseline.txt,build.log,run.log,matrix.log}`.
+                              - [x] *done* Verification for 27.10.1:
+                                - `cargo test -p rusty-cpp-transpiler`
+                                - `ctest --test-dir build-tests --output-on-failure`
+                                - `tests/transpile_tests/run_parity_matrix.sh --crate arrayvec --work-root /tmp/rusty-parity-matrix-27-10-1-1775515473 --keep-work-dirs`
+                              - [x] *done* Guardrail check against wrong-approach section (`docs/rusty-cpp-transpiler.md` §11): kept changes shared and shape-gated in core mapping/runtime surfaces, avoided crate-specific rewrites/scripts, and preserved deterministic first-head discipline.
                             - [ ] Leaf 4.15.4.3.3.3.3.3.27.10.2: Re-run full seven-crate parity matrix after 27.10.1, record first deterministic failure head with canonical artifacts, and update active-frontier docs/TODO status (or mark Leaf 4 complete if all seven pass).
       - [ ] Leaf 5: Verification matrix (required)
         - [x] *done* Add an integration parity matrix test that runs `parity-test --stop-after run` for `either`, `tap`, `cfg-if`, `take_mut`, `arrayvec`, `semver`, and `bitflags`
diff --git a/docs/rusty-cpp-transpiler.md b/docs/rusty-cpp-transpiler.md
@@ -2416,8 +2416,24 @@ Active work items:
    - canonical artifacts: `/tmp/rusty-parity-matrix-27-9-2-1775514496/arrayvec/{baseline.txt,build.log,run.log,matrix.log}`.
    - new deterministic first hard error now starts from the max-capacity tuple family rooted at `runner.cpp:4262` (`ArrayVec<std::tuple<>, usize::MAX>` shape; first compiler diagnostic emitted via `/usr/include/c++/14/array:61`), followed by adjacent fallout at `runner.cpp:4293+` (`constexpr`/template-shape diagnostics).
    - guardrail check against wrong-approach checklist (§11): maintained deterministic first-head discipline, recorded canonical matrix artifacts before opening the next implementation leaf, and introduced no crate-specific rewrites.
-50. Current active next leaf is `Leaf 4.15.4.3.3.3.3.3.27.10.1`.
-   - focus: collapse the post-27.9.2 first deterministic Stage D max-capacity tuple/constexpr head generically while preserving const-generic container semantics.
+50. `Leaf 4.15.4.3.3.3.3.3.27.10.1` is complete.
+   - plan/scope check: fix remains under the small-change budget (<1000 LOC), so no additional leaf decomposition was required.
+   - implemented generic max-capacity array materialization hardening across shared runtime/transpiler surfaces:
+     - `include/rusty/rusty.hpp`: added `rusty::sanitize_array_capacity<N>()`, mapping only `N == std::numeric_limits<size_t>::max()` to a safe compile-time placeholder (`1`) for array type materialization.
+     - `transpiler/src/codegen.rs`: array type emission now routes risky max-capacity/path-like const-generic capacities through `rusty::sanitize_array_capacity<...>()`, preventing emission of invalid `std::array<..., SIZE_MAX>` instantiations while preserving normal const-generic capacities.
+   - added fixture-agnostic transpiler regressions:
+     - `test_leaf41543333333327101_array_const_generic_capacity_uses_sanitizer`
+     - `test_leaf41543333333327101_array_usize_max_capacity_uses_sanitizer`
+     - updated existing const-generic struct emission assertion (`test_leaf4154_const_generic_template_preserved_in_struct_and_type_use`) to the sanitized array-capacity shape.
+   - single-crate reprobe (`tests/transpile_tests/run_parity_matrix.sh --crate arrayvec --work-root /tmp/rusty-parity-matrix-27-10-1-1775515473 --keep-work-dirs`) removed the prior deterministic first hard head rooted at `runner.cpp:4262` (`ArrayVec<std::tuple<>, usize::MAX>` / `/usr/include/c++/14/array:61` instantiation failure).
+   - new deterministic first hard error now starts at `runner.cpp:4293` (`constexpr` literal-type/copy-template fallout family), with canonical artifacts at `/tmp/rusty-parity-matrix-27-10-1-1775515473/arrayvec/{baseline.txt,build.log,run.log,matrix.log}`.
+   - verification:
+     - `cargo test -p rusty-cpp-transpiler`
+     - `ctest --test-dir build-tests --output-on-failure`
+     - `tests/transpile_tests/run_parity_matrix.sh --crate arrayvec --work-root /tmp/rusty-parity-matrix-27-10-1-1775515473 --keep-work-dirs`
+   - guardrail check against wrong-approach checklist (§11): changes are shared and shape-gated in core mapping/runtime logic, deterministic first-head discipline is preserved, and no crate-specific rewrites/scripts were introduced.
+51. Current active next leaf is `Leaf 4.15.4.3.3.3.3.3.27.10.2`.
+   - focus: run the full seven-crate matrix after 27.10.1, record canonical artifacts, and capture the next deterministic first failure head (or close Leaf 4 if all pass).
 
 ### 10.7 Parity Harness and Matrix Command Reference
 
diff --git a/include/rusty/rusty.hpp b/include/rusty/rusty.hpp
@@ -1,6 +1,9 @@
 #ifndef RUSTY_HPP
 #define RUSTY_HPP
 
+#include <cstddef>
+#include <limits>
+
 // Rusty - Rust-inspired safe types for C++
 //
 // This library provides Rust-like types with proper lifetime annotations
@@ -129,6 +132,18 @@ namespace rusty {
         return T{};
     }
 
+    // Clamp impossible fixed-array capacities in generated C++ type positions.
+    // Rust can express capacities like `usize::MAX` for type-level surfaces that
+    // are not materialized; C++ `std::array<T, SIZE_MAX>` is ill-formed.
+    template<std::size_t N>
+    constexpr std::size_t sanitize_array_capacity() noexcept {
+        if constexpr (N == std::numeric_limits<std::size_t>::max()) {
+            return 1;
+        } else {
+            return N;
+        }
+    }
+
     // String-view compatibility helper for transpiled Rust `&str` coercions.
     // Prefer `.as_str()` surfaces when present (ArrayString, rusty::String, etc.),
     // otherwise rely on direct `std::string_view` construction.
diff --git a/transpiler/src/codegen.rs b/transpiler/src/codegen.rs
@@ -13600,6 +13600,13 @@ impl CodeGen {
         Some(emitted_segs.join("::"))
     }
 
+    fn should_sanitize_array_capacity_expr(&self, len_expr: &syn::Expr, len_cpp: &str) -> bool {
+        if len_cpp.contains("std::numeric_limits<size_t>::max()") {
+            return true;
+        }
+        matches!(self.peel_paren_group_expr(len_expr), syn::Expr::Path(_))
+    }
+
     fn map_type(&self, ty: &syn::Type) -> String {
         match ty {
             syn::Type::Path(tp) => {
@@ -13845,7 +13852,14 @@ impl CodeGen {
             syn::Type::Array(a) => {
                 let elem = self.map_type(&a.elem);
                 let len = self.emit_expr_to_string(&a.len);
-                format!("std::array<{}, {}>", elem, len)
+                if self.should_sanitize_array_capacity_expr(&a.len, &len) {
+                    format!(
+                        "std::array<{}, rusty::sanitize_array_capacity<{}>()>",
+                        elem, len
+                    )
+                } else {
+                    format!("std::array<{}, {}>", elem, len)
+                }
             }
             syn::Type::Slice(s) => {
                 let elem = self.map_type(&s.elem);
@@ -17795,6 +17809,26 @@ mod tests {
         assert!(out.contains("std::array<int32_t, 5>"));
     }
 
+    #[test]
+    fn test_leaf41543333333327101_array_const_generic_capacity_uses_sanitizer() {
+        let out = transpile_str(
+            r#"
+            struct Buf<T, const CAP: usize> {
+                xs: [T; CAP],
+            }
+        "#,
+        );
+        assert!(out.contains("std::array<T, rusty::sanitize_array_capacity<CAP>()> xs;"));
+        assert!(!out.contains("std::array<T, CAP> xs;"));
+    }
+
+    #[test]
+    fn test_leaf41543333333327101_array_usize_max_capacity_uses_sanitizer() {
+        let out = transpile_str("fn f() { let _v: [u8; usize::MAX]; }");
+        assert!(out.contains("std::optional<std::array<uint8_t, rusty::sanitize_array_capacity<std::numeric_limits<size_t>::max()>()>> _v;"));
+        assert!(!out.contains("std::array<uint8_t, std::numeric_limits<size_t>::max()>"));
+    }
+
     #[test]
     fn test_unit_return_is_void() {
         let out = transpile_str("fn f() -> () {}");
@@ -21920,7 +21954,7 @@ mod tests {
         "#,
         );
         assert!(out.contains("template<typename T, size_t CAP>"));
-        assert!(out.contains("std::array<T, CAP> xs;"));
+        assert!(out.contains("std::array<T, rusty::sanitize_array_capacity<CAP>()> xs;"));
         assert!(out.contains("ArrayVec<int32_t, 8> v"));
     }
 
