Phase 3: pass-level tolerance classification in Analyzer.cs

ankushdesai · claude · ankushdesai · commit 50d0d6f28e0f · 2026-05-26T12:21:45.000-07:00
Stacks on Phase 2 (#965). Closes the multi-error type-checker initiative by adding per-item try/catch isolation to the analyzer's gathering passes and a HasErrors gate before the analysis passes that assume a clean AST. ## What changed ### `TolerantStep` helper New private helper in `Analyzer.cs`: private static void TolerantStep(ITranslationErrorHandler handler, Action body) { try { body(); } catch (TranslationException e) when (handler.Diagnostics.ContinueOnError) { handler.Diagnostics.Report(e); } } In strict mode (ContinueOnError == false) the `when` filter is false so the exception propagates exactly as before — bit-for-bit preservation of today's throw-on-first-error semantics. In collecting mode the catch captures the TranslationException into the collector and the loop continues with the next item. Only TranslationException is caught; NREs and other runtime exceptions still propagate so genuine bugs surface loudly. ### Tolerant gathering passes (2a, 2b, 3, 3b, 7) Each iteration wrapped in `TolerantStep`: - **2a MachineChecker.Validate** — per-machine. One bad machine no longer aborts MachineChecker for siblings. - **3 FunctionBody + Validator** — per-function. One bad function (TypeResolver throw on a bad var decl, missing-paths-return, etc.) no longer aborts pass 3 for the rest of the program. - **3b Invariants / Axioms / AssumeOnStarts / Pures / Foreign** — per-item across all five subgroups. One bad invariant no longer blocks axiom checking. - **2b ValidateNoStaticHandlers** — per-machine. - **7 InferMachineCreates** — per-machine. Already gated by HasErrors in practice, but the wrapper is cheap insurance. ### Gathering→analysis boundary New HasErrors gate placed after pass 2b (the last gathering pass) and before pass 4 (ApplyPropagations): if (handler.Diagnostics.HasErrors) return globalScope; If any gathering pass collected an error, the analysis passes (4-7) and the module-system passes (8-10) are skipped. The duplicate gate before pass 8 (added in Phase 2 robustness) is kept as defense-in-depth — once Phase 4+ converts pass-5 capability checks to Report, that second gate will earn its keep. ## Why this matters Without Phase 3, a single machine with a bad start state aborts MachineChecker mid-pass, so a sibling machine's MoreThanOneParameterForHandlers error never gets reported. A single function with a malformed var decl aborts pass 3, so none of the OTHER functions' bodies get type-checked at all. Combined with Phase 2's expression-level recovery, Phase 3 means a user with N independent errors (in any combination of expressions, statements, machines, or functions) sees ALL of them in one compile. ## Tests ### New: `MultiMachineErrors.p` + pinned counts Three machines, each with one independent error (bool->int, missing declaration, int+string binop). Pinned in MultiErrorAcceptanceTest: strict=1, collecting=3. Validates that one machine's error doesn't clobber its siblings' diagnostics in collecting mode. ### Existing: All Phase 2 acceptance tests unchanged MultipleErrors (1/4), NestedExprErrors (1/2), ForeachBodyErrors (1/2), SpecReceiveBodyError (1/3). Same counts as Phase 2 — Phase 3 doesn't change behavior within a single machine. ### Existing: Phase1DormancyTest baseline The "collecting >= strict count" invariant on every Correct/StaticError test still holds. Phase 3 only *adds* errors (when multi-machine / multi-function scenarios exist); it never removes. ## Phase 4 (deferred, NOT in this PR) Convert pass 5 (capability checks) and pass 6 (ControlFlowChecker) throw sites to Report so capability and control-flow violations also accumulate across machines instead of aborting on first. The current HasErrors gate already prevents these passes from running on a broken AST, so they remain RequiresClean for now. Estimated: ~1 day if warranted by user feedback. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/Src/PCompiler/CompilerCore/TypeChecker/Analyzer.cs b/Src/PCompiler/CompilerCore/TypeChecker/Analyzer.cs
@@ -18,88 +18,126 @@ public static Scope AnalyzeCompilationUnit(ICompilerConfiguration config,
 
             // Step 1: Build the global scope of declarations
             var globalScope = BuildGlobalScope(config, programUnits);
-            
-            // Step 2a: Validate machine specifications
+
+            // Phase 3 — Tolerant passes (gathering phase). Each iteration is
+            // wrapped in TolerantStep so a TranslationException on one item
+            // (machine, function, invariant, ...) reports and continues to the
+            // next instead of clobbering siblings. In strict mode the catch's
+            // `when (ContinueOnError)` filter is false, so the original
+            // throw-and-abort semantics are bit-for-bit preserved.
+
+            // Step 2a: Validate machine specifications — per-machine isolation.
             foreach (var machine in globalScope.Machines)
             {
-                
-                MachineChecker.Validate(handler, machine, config, globalScope);
+                TolerantStep(handler,
+                    () => MachineChecker.Validate(handler, machine, config, globalScope));
             }
 
-            // Step 3: Fill function bodies
+            // Step 3: Fill function bodies — per-function isolation.
             var allFunctions = globalScope.GetAllMethods().ToList();
             foreach (var machineFunction in allFunctions)
             {
-                FunctionBodyVisitor.PopulateMethod(config, machineFunction);
-                FunctionValidator.CheckAllPathsReturn(handler, machineFunction);
+                TolerantStep(handler, () =>
+                {
+                    FunctionBodyVisitor.PopulateMethod(config, machineFunction);
+                    FunctionValidator.CheckAllPathsReturn(handler, machineFunction);
+                });
             }
 
-            // Step 3b: for PVerifier, fill in body of Invariants, Axioms, Init conditions and Pure functions and functions with pre/post conditions
+            // Step 3b: for PVerifier, fill in body of Invariants, Axioms, Init
+            // conditions and Pure functions and functions with pre/post
+            // conditions — per-item isolation across all five subgroups.
             foreach (var inv in globalScope.Invariants)
             {
-                var ctx = (PParser.InvariantDeclContext)inv.SourceLocation;
-                var temporaryFunction = new Function(inv.Name, inv.SourceLocation)
+                TolerantStep(handler, () =>
                 {
-                    Scope = globalScope
-                };
-                inv.Body = PopulateExpr(temporaryFunction, ctx.body, PrimitiveType.Bool, handler);
+                    var ctx = (PParser.InvariantDeclContext)inv.SourceLocation;
+                    var temporaryFunction = new Function(inv.Name, inv.SourceLocation)
+                    {
+                        Scope = globalScope
+                    };
+                    inv.Body = PopulateExpr(temporaryFunction, ctx.body, PrimitiveType.Bool, handler);
+                });
             }
 
             foreach (var axiom in globalScope.Axioms)
             {
-                var ctx = (PParser.AxiomDeclContext) axiom.SourceLocation;
-                var temporaryFunction = new Function(axiom.Name, axiom.SourceLocation)
+                TolerantStep(handler, () =>
                 {
-                    Scope = globalScope
-                };
-                axiom.Body = PopulateExpr(temporaryFunction, ctx.body, PrimitiveType.Bool, handler);
+                    var ctx = (PParser.AxiomDeclContext)axiom.SourceLocation;
+                    var temporaryFunction = new Function(axiom.Name, axiom.SourceLocation)
+                    {
+                        Scope = globalScope
+                    };
+                    axiom.Body = PopulateExpr(temporaryFunction, ctx.body, PrimitiveType.Bool, handler);
+                });
             }
 
             foreach (var initCond in globalScope.AssumeOnStarts)
             {
-                var ctx = (PParser.AssumeOnStartDeclContext)initCond.SourceLocation;
-                var temporaryFunction = new Function(initCond.Name, initCond.SourceLocation)
+                TolerantStep(handler, () =>
                 {
-                    Scope = globalScope
-                };
-                initCond.Body = PopulateExpr(temporaryFunction, ctx.body, PrimitiveType.Bool, handler); 
+                    var ctx = (PParser.AssumeOnStartDeclContext)initCond.SourceLocation;
+                    var temporaryFunction = new Function(initCond.Name, initCond.SourceLocation)
+                    {
+                        Scope = globalScope
+                    };
+                    initCond.Body = PopulateExpr(temporaryFunction, ctx.body, PrimitiveType.Bool, handler);
+                });
             }
 
             foreach (var pure in globalScope.Pures)
             {
-                var temporaryFunction = new Function(pure.Name, pure.SourceLocation)
+                TolerantStep(handler, () =>
                 {
-                    Scope = pure.Scope
-                };
-                var context = (PParser.PureDeclContext) pure.SourceLocation;
-                if (context.body is not null)
-                {
-                    pure.Body = PopulateExpr(temporaryFunction, context.body, pure.Signature.ReturnType, handler);
-                }
+                    var temporaryFunction = new Function(pure.Name, pure.SourceLocation)
+                    {
+                        Scope = pure.Scope
+                    };
+                    var context = (PParser.PureDeclContext)pure.SourceLocation;
+                    if (context.body is not null)
+                    {
+                        pure.Body = PopulateExpr(temporaryFunction, context.body, pure.Signature.ReturnType, handler);
+                    }
+                });
             }
 
             foreach (var func in allFunctions.Where(func => func.Role.HasFlag(FunctionRole.Foreign)))
             {
-                // populate pre/post conditions
-                var ctx = (PParser.ForeignFunDeclContext)func.SourceLocation;
-                foreach (var req in ctx._requires)
-                {
-                    var preExpr = PopulateExpr(func, req, PrimitiveType.Bool, handler);
-                    func.AddRequire(preExpr);
-                }
-                foreach (var post in ctx._ensures)
+                TolerantStep(handler, () =>
                 {
-                    var postExpr = PopulateExpr(func, post, PrimitiveType.Bool, handler);
-                    func.AddEnsure(postExpr);
-                }
+                    // populate pre/post conditions
+                    var ctx = (PParser.ForeignFunDeclContext)func.SourceLocation;
+                    foreach (var req in ctx._requires)
+                    {
+                        var preExpr = PopulateExpr(func, req, PrimitiveType.Bool, handler);
+                        func.AddRequire(preExpr);
+                    }
+                    foreach (var post in ctx._ensures)
+                    {
+                        var postExpr = PopulateExpr(func, post, PrimitiveType.Bool, handler);
+                        func.AddEnsure(postExpr);
+                    }
+                });
             }
 
-            // Step 2b: Validate no static handlers
+            // Step 2b: Validate no static handlers — per-machine isolation.
             foreach (var machine in globalScope.Machines)
             {
-                MachineChecker.ValidateNoStaticHandlers(handler, machine);
+                TolerantStep(handler,
+                    () => MachineChecker.ValidateNoStaticHandlers(handler, machine));
             }
 
+            // Phase 3 gathering→analysis boundary. Everything above is
+            // "Tolerant" (per-item try/catch, errors collected); everything
+            // below is "RequiresClean" — assumes a fully-typed AST. If any
+            // gathering pass collected an error, skip the analysis passes
+            // entirely. Compiler.cs's flush at the end of compilation will
+            // surface what we have. The duplicate gate before pass 8 (further
+            // below) remains as defense-in-depth for the case where a future
+            // analysis pass converts its throws to Diagnostics.Report.
+            if (handler.Diagnostics.HasErrors) return globalScope;
+
             // Step 4: Propagate purity properties
             ApplyPropagations(allFunctions,
                 CreatePropagation(fn => fn.CanRaiseEvent, (fn, value) => fn.CanRaiseEvent = value,
@@ -147,10 +185,13 @@ public static Scope AnalyzeCompilationUnit(ICompilerConfiguration config,
             // Step 6: Check control flow well-formedness
             ControlFlowChecker.AnalyzeMethods(handler, allFunctions);
 
-            // Step 7: Infer the creates set for each machine.
+            // Step 7: Infer the creates set for each machine — per-machine
+            // isolation. Gated by the HasErrors check above so the partial-AST
+            // risk is low, but per-machine try/catch is cheap insurance.
             foreach (var machine in globalScope.Machines)
             {
-                InferMachineCreates.Populate(machine, handler);
+                TolerantStep(handler,
+                    () => InferMachineCreates.Populate(machine, handler));
             }
 
             // Phase 2 robustness gate: passes 8-10 ("RequiresClean" in the
@@ -193,6 +234,31 @@ public static Scope AnalyzeCompilationUnit(ICompilerConfiguration config,
             return globalScope;
         }
 
+        /// <summary>
+        /// Run a single analysis step (per-machine, per-function, per-item)
+        /// under cascade-suppression rules. In strict mode (default), any
+        /// TranslationException propagates as before — the <c>when</c> filter
+        /// is false so the catch doesn't fire. In collecting mode, the
+        /// exception is captured into the diagnostic collector and the loop
+        /// continues with the next item, so one bad machine / function /
+        /// invariant doesn't suppress siblings' diagnostics.
+        ///
+        /// Only TranslationException is caught: NREs and other unexpected
+        /// runtime exceptions still propagate so they surface as bugs to fix
+        /// rather than being silently swallowed.
+        /// </summary>
+        private static void TolerantStep(ITranslationErrorHandler handler, Action body)
+        {
+            try
+            {
+                body();
+            }
+            catch (TranslationException e) when (handler.Diagnostics.ContinueOnError)
+            {
+                handler.Diagnostics.Report(e);
+            }
+        }
+
         private static IPExpr PopulateExpr(Function func, ParserRuleContext ctx, PLanguageType type, ITranslationErrorHandler handler)
         {
             var exprVisitor = new ExprVisitor(func, handler, isPVerifier: true);
diff --git a/Tst/RegressionTests/Feature3Exprs/StaticError/MultiMachineErrors/MultiMachineErrors.p b/Tst/RegressionTests/Feature3Exprs/StaticError/MultiMachineErrors/MultiMachineErrors.p
@@ -0,0 +1,39 @@
+// Phase 3 acceptance test for per-machine error isolation.
+//
+// Three independent machines, each with one error. Validates that
+// Analyzer.cs's TolerantStep wrappers around pass 2a (MachineChecker) and
+// pass 3 (FunctionBodyVisitor) report errors from EACH machine without one
+// bad machine clobbering the diagnostics of its siblings.
+//
+// Errors (collecting mode):
+//   1. MachineA: `x = true`            — bool assigned to int
+//   2. MachineB: `y = undeclaredVar`   — missing declaration
+//   3. MachineC: `z = z + "str"`       — int + string binop mismatch
+//
+// Strict mode aborts on the first error: count = 1.
+// Collecting mode reports all three: count = 3.
+
+machine MachineA {
+    var x: int;
+    start state S {
+        entry { x = true; }
+    }
+}
+
+machine MachineB {
+    var y: int;
+    start state S {
+        entry { y = undeclaredVar; }
+    }
+}
+
+machine MachineC {
+    var z: int;
+    start state S {
+        entry { z = z + "str"; }
+    }
+}
+
+machine Main {
+    start state S { entry { } }
+}
diff --git a/Tst/UnitTests/TypeChecker/MultiErrorAcceptanceTest.cs b/Tst/UnitTests/TypeChecker/MultiErrorAcceptanceTest.cs
@@ -62,6 +62,16 @@ private static IEnumerable<TestCaseData> PinnedCases()
             "but is PVerifier-only syntax — covered by a separate PVerifier test suite.")
             .SetName("ForeachBodyErrors (body visit)");
 
+        yield return new TestCaseData(
+            "RegressionTests/Feature3Exprs/StaticError/MultiMachineErrors/MultiMachineErrors.p",
+            1, 3,
+            "Phase 3 per-machine isolation: 3 machines, one error each (bool->int, " +
+            "missing decl, int+string). Validates that TolerantStep wrappers around " +
+            "pass 2a / pass 3 in Analyzer.cs catch a TranslationException on one machine " +
+            "and continue to siblings. A regression here (count back to 1) means " +
+            "TolerantStep stopped re-Reporting or stopped iterating after a throw.")
+            .SetName("MultiMachineErrors (Phase 3 isolation)");
+
         yield return new TestCaseData(
             "RegressionTests/Feature3Exprs/StaticError/SpecReceiveBodyError/SpecReceiveBodyError.p",
             1, 3,
