0%

s13 — Unwinding + Exception Handling

Goal

Panics propagate correctly through native-compiled frames on every target: DWARF CFI + Itanium personality on ELF/Mach-O, SEH funclets on Windows, Invoke/Resume unwind edges fully lowered (replacing the s10 abort stubs), cleanup-edge RC exactly matching AIMS placement.

Implementation Sketch

  • Itanium path (linux/macos + qemu targets): .eh_frame CFI emission for every function (prologue/epilogue rules, callee-saved tracking from regalloc), LSDA call-site tables for Invoke landing-pad-equivalents, personality routine linkage (reuse the existing runtime personality contract — ori_panic is extern C-unwind; mirror ori_llvm’s Itanium model), Resume re-raise.
  • Cleanup-edge RC: unwind blocks carry AIMS-placed RcDec cleanups (unwind_cleanup pass output in realized ArcFunction) — BIR/MIR lower them verbatim; the s06 RC-preservation multiset check extends over unwind edges; double-panic abort bracketing via ori_drop_cleanup_enter/exit.
  • SEH path (Windows): funclet-based cleanup (the existing ori_llvm SEH model — cleanuppad-equivalent funclets, ori_try_call trampoline shape at seh_main_thunk precedent); CodeView-adjacent unwind info (.pdata/.xdata) for x64.
  • wasm: no unwinding in MVP wasm — panic maps to trap/abort per the existing wasm EH posture (EhModel::Itanium is configured for wasm in LLVM but traps in practice; mirror observable behavior; decision recorded).
  • Per-target CFI encoders: x86-64/aarch64/riscv64/s390x CFI directives differ (return-address column, save-slot conventions); the s390x 160-byte save area interacts with CFI.

Test Strategy

  • Matrix: {panic in leaf, panic through N frames, panic with live RC values needing cleanup, catch via ori_run_main boundary, double-panic} x targets (SEH cells on Windows CI or cross-validation fixture) — parity vs interpreter AND vs LLVM backend.
  • Semantic pin: cleanup-edge RC pin — a panic path drops exactly the AIMS-placed set (ORI_TRACE_RC trace compared against the LLVM twin); leak-check clean ACROSS a caught panic.
  • Negative pin: corrupted CFI fixture fails the unwind test (not silently absorbed); double-panic aborts with the canonical message.

Work Items

  • .eh_frame CFI emission per target (x86-64/aarch64/riscv64/s390x) driven by regalloc frame data.
  • LSDA + personality + Invoke/Resume lowering (unwind edges real; s10 stubs deleted); cleanup-edge RC multiset check extended.
  • Windows SEH funclets + .pdata/.xdata unwind info.
  • wasm trap posture decision + implementation matching observable LLVM-backend behavior.
  • Panic matrix green on all targets with cleanup-RC pins, cross-backend parity, leak-clean caught-panic, double-panic abort pin.