GC synchronization cleanup

[2kai2kai2]

• Moved heap guard to bex_heap. This just requires that bex_heap have tokio as a dependency for synchronization primitives. This is fine because it is always used alongside bex_engine, which already has tokio.
• Replaced EpochGuard with PermitProof which integrates with the heap guard system
• Replaced with_gc_protection to also just use the heap guard system.

Summary by CodeRabbit

Release Notes

• Refactor

  • Heap access control switched from runtime guard closures to a lightweight, lifetime-bound permission model, simplifying API surface and re-export structure.
  • System-op and runtime IO paths now thread the permission through syscall and IO calls for consistent heap access.

• Tests

  • Added async unit tests covering permit manager and heap-permit behavior to ensure correct blocking and root-handling semantics.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
beps	Ready	Preview, Comment	Apr 23, 2026 10:08pm
promptfiddle	Error		Apr 23, 2026 10:08pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR replaces closure-based epoch guards with a lifetime-tied PermitProof<'_> permission model, removing EpochGuard/GcProtectedHeap, threading permit through all heap accessors, sys-op glue, codegen, and runtime IO, and adding a HeapPermitManager for permit acquisition and lifecycle.

Changes

Cohort / File(s)	Summary
EpochGuard removal & API deletion bex_external_types/src/epoch_guard.rs, bex_external_types/src/handle.rs, bex_external_types/src/lib.rs	Removes EpochGuard, its constructor, Handle::object_ptr(), and related public re-exports/documentation.
Permit & heap-guard types bex_heap/src/heap_guard.rs, bex_heap/src/lib.rs	Adds PermitProof<'a> and ActiveHeapPermit::proof(); re-exports new permit/guard types and removes GcProtectedHeap from public API.
Heap accessor API bex_heap/src/accessor.rs, bex_heap/src/tlab.rs	Replaces with_gc_protection/GcProtectedHeap usage with (heap: &BexHeap, permit: PermitProof<'_>) on all BexValue accessors and related methods; removes Tlab::alloc_index.
Codegen for accessors baml_builtins_codegen/src/codegen_accessors.rs, baml_builtins_macros/src/codegen_accessors.rs	Generated accessor/into_owned signatures and bodies now accept heap: &BexHeap and permit: PermitProof<'_>, and call heap conversion helpers with (heap, permit).
IO codegen & runtime IO adapter baml_builtins2_codegen/src/codegen_io.rs	Threads permit through view accessors, dispatch, glue extraction, and sys-op invocation; updates RuntimeIoAdapter and build_runtime_io to hold/receive a HeapPermitManager and forward permit.proof() to sys-op closures.
Engine conversions & core plumbing bex_engine/src/conversion.rs, bex_engine/src/lib.rs, bex_project/src/bex.rs	Swaps EpochGuard parameters for PermitProof in VM→external conversions; adds BexEngine::heap_permit_manager() and resolve_handle(permit); acquires permits for owned-result conversions.
Sys-op signatures & pipeline sys_types/src/lib.rs, sys_ops/src/lib.rs	Changes SysOpFn signature to accept PermitProof<'a>; updates generated IoSysOpsBuilder closures and tests to accept/forward permit; re-exports PermitProof/HeapPermitManager.
VM types / roots & tests bex_vm_types/src/roots.rs, bex_engine/tests/heap_guard.rs	Implements RootHaver for () to allow rootless permits; adds async unit test exercising HeapPermitManager blocking, root collection, and permit release.
Build / deps bex_heap/Cargo.toml	Adds tokio with the sync feature for permit/parking primitives used by HeapPermitManager.

Sequence Diagram(s)

sequenceDiagram
  participant Runtime as RuntimeIoAdapter
  participant PermitMgr as HeapPermitManager
  participant SysOp as SysOpFn (generated)
  participant Heap as BexHeap

  Runtime->>PermitMgr: acquire_permit(call_id)
  PermitMgr-->>Runtime: ActiveHeapPermit
  Runtime->>Runtime: permit = active.proof()
  Runtime->>SysOp: invoke(heap, permit, args, ctx, call_id)
  SysOp->>Heap: access fields using (heap, permit)
  Heap-->>SysOp: BexValue<'a> / owned conversions
  SysOp-->>Runtime: SysOpResult
  Runtime->>PermitMgr: drop permit / release(active)
  PermitMgr-->>Runtime: permit released

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• New garbage collector #3386: Directly related changes to GC/heap coordination and permit/guard plumbing; likely overlaps in types and call sites.
• SAP end-to-end #3303: Modifies sys_ops/io runtime plumbing and generated sys-op signatures that this PR further updates to include PermitProof.
• Move Media and PromptAst into baml_builtins ADTs; add BexExternalAdt and FunctionRef; drop bex_value #3085: Earlier VM↔external conversion and heap-access refactors that this PR extends by replacing epoch guards with permit proofs.

Poem

🐰 A tiny proof with phantom cheer,
I hop through heaps, no closures near.
Lifetimes hold what guards once did,
Permits pass safe, no roots to skid. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'GC synchronization cleanup' directly and concisely captures the primary objective of the changeset: migrating from EpochGuard and with_gc_protection to PermitProof and heap guards.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch kai/gc

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

baml_language/crates/bex_heap/src/tlab.rs (3)

346-351: Assertion is weaker than the test name implies.

assert_ne!(ptr1, ptr2) only proves the two first allocations aren't literally the same slot; it doesn't prove the two TLABs got non-overlapping chunks (the original test likely checked chunk ranges). Since alloc_tlab_chunk bumps atomically, this is effectively guaranteed and not a correctness risk, but consider also asserting each chunk's remaining() is independent (e.g., allocate N < chunk_size from tlab1 only, then check tlab2.remaining() is unchanged) to better match the test's intent.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@baml_language/crates/bex_heap/src/tlab.rs` around lines 346 - 351, The test
currently only asserts ptr1 != ptr2 but should also verify TLAB chunks are
independent; after creating tlab1 and tlab2 and before any cross allocations,
record tlab2.remaining() (or compute chunk_size), then perform an allocation
from tlab1 (e.g., allocate N < chunk_size via tlab1.alloc or call
alloc_tlab_chunk on tlab1) and assert tlab2.remaining() is unchanged; reference
tlab1, tlab2, alloc, alloc_tlab_chunk, remaining() and chunk_size to locate
where to add the extra check so the test proves non-overlapping chunk
allocation.

---

327-335: Weak post-condition for compile-time isolation.

is_compile_time_ptr(ptr) confirms the runtime allocation isn't in the compile-time region, which is the main thing the old assertion was trying to express, so this is fine. Optional: strengthen by also reading back the value (e.g., ptr.get() → Object::String("runtime")) to prove the write actually landed in runtime space rather than only checking the pointer classification.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@baml_language/crates/bex_heap/src/tlab.rs` around lines 327 - 335, The
assertion only checks ptr classification; strengthen the post-condition by
reading back the stored object and asserting its value matches the runtime
string. After calling Tlab::alloc(Object::String("runtime".to_string())) (with
Tlab::new and tlab.alloc), fetch the object at ptr (e.g., via heap.get(ptr) or
ptr.get()) and add an assert that the fetched value equals
Object::String("runtime"), while keeping the existing assert using
heap.is_compile_time_ptr(ptr).

---

663-673: Align the dedup key styles for consistency.

Both tests compile and work correctly—HeapPtr derives Copy and implements Hash/Eq using only the raw pointer field (self.ptr), so seen.insert(ptr.as_ptr() as usize) (line 668) and seen.insert(*ptr) (line 732) detect duplicates identically. Aligning them on one style improves readability and makes the "uniqueness = pointer identity" invariant explicit.

Suggested alignment to match test_miri_concurrent_tlab_allocation:

-                assert!(
-                    seen.insert(*ptr),
-                    "Duplicate pointer from concurrent refill"
-                );
+                assert!(
+                    seen.insert(ptr.as_ptr() as usize),
+                    "Duplicate pointer {:?} from concurrent refill",
+                    ptr.as_ptr()
+                );

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@baml_language/crates/bex_heap/src/tlab.rs` around lines 663 - 673, The
deduplication uses two different key styles; align them to the HeapPtr raw-key
style used elsewhere: in the loop over all_pointers replace
seen.insert(ptr.as_ptr() as usize) with seen.insert(*ptr) (or vice versa
consistently) so the HashSet key matches HeapPtr's Hash/Eq implementation;
update the assert message to still include ptr.as_ptr() for human-readable
pointer output while using *ptr as the dedup key (symbols: seen, all_pointers,
ptr, HeapPtr).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@baml_language/crates/bex_engine/src/lib.rs`:
- Around line 715-729: The resolve_handle function currently returns a raw
HeapPtr while ignoring the PermitProof, which allows callers to drop the permit
and use the pointer after GC; change resolve_handle to accept a closure (e.g.,
fn resolve_handle<F, R>(&self, permit: bex_heap::PermitProof<'_>, handle:
&bex_external_types::Handle, f: F) -> Option<R> where F: for<'a>
FnOnce(HeapPtrBoundTo<'a>) -> R) and call self.heap.resolve_handle_ptr inside
that closure so the resolved pointer is only available within the permit-tied
callback (mirror the pattern used in accessor.rs/resolve_handle_ptr usage),
update call sites to pass closures, and add a unit test that attempts to cache
the pointer across a dropped permit to assert it is impossible/unsafe or that
the API prevents it.

In `@baml_language/crates/bex_heap/src/accessor.rs`:
- Around line 173-179: Change the permit parameter lifetime to tie it to the
returned borrows: update the signatures of as_object, as_string, as_array,
as_map, as_class, as_enum, and as_builtin_class to take PermitProof<'a> instead
of PermitProof<'_> (and adjust any internal helper types/closures that accept
the permit) so the proof lifetime 'a is the same as the returned &'a String /
Vec<BexValue<'a>> / BexClass<'a> etc.; also update the internal as_object helper
signature and any places that call it to propagate 'a, and modify the codegen
templates baml_builtins_macros/src/codegen_accessors.rs and
baml_builtins2_codegen/src/codegen_io.rs so generated wrappers use
PermitProof<'a> accordingly.

---

Nitpick comments:
In `@baml_language/crates/bex_heap/src/tlab.rs`:
- Around line 346-351: The test currently only asserts ptr1 != ptr2 but should
also verify TLAB chunks are independent; after creating tlab1 and tlab2 and
before any cross allocations, record tlab2.remaining() (or compute chunk_size),
then perform an allocation from tlab1 (e.g., allocate N < chunk_size via
tlab1.alloc or call alloc_tlab_chunk on tlab1) and assert tlab2.remaining() is
unchanged; reference tlab1, tlab2, alloc, alloc_tlab_chunk, remaining() and
chunk_size to locate where to add the extra check so the test proves
non-overlapping chunk allocation.
- Around line 327-335: The assertion only checks ptr classification; strengthen
the post-condition by reading back the stored object and asserting its value
matches the runtime string. After calling
Tlab::alloc(Object::String("runtime".to_string())) (with Tlab::new and
tlab.alloc), fetch the object at ptr (e.g., via heap.get(ptr) or ptr.get()) and
add an assert that the fetched value equals Object::String("runtime"), while
keeping the existing assert using heap.is_compile_time_ptr(ptr).
- Around line 663-673: The deduplication uses two different key styles; align
them to the HeapPtr raw-key style used elsewhere: in the loop over all_pointers
replace seen.insert(ptr.as_ptr() as usize) with seen.insert(*ptr) (or vice versa
consistently) so the HashSet key matches HeapPtr's Hash/Eq implementation;
update the assert message to still include ptr.as_ptr() for human-readable
pointer output while using *ptr as the dedup key (symbols: seen, all_pointers,
ptr, HeapPtr).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: f0bbc2d0-9182-4590-9df9-588f87c4875b

📥 Commits

Reviewing files that changed from the base of the PR and between 410a95f and c9797bc.

⛔ Files ignored due to path filters (1)

• baml_language/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (18)

• baml_language/crates/baml_builtins2_codegen/src/codegen_io.rs
• baml_language/crates/baml_builtins_codegen/src/codegen_accessors.rs
• baml_language/crates/baml_builtins_macros/src/codegen_accessors.rs
• baml_language/crates/bex_engine/src/conversion.rs
• baml_language/crates/bex_engine/src/lib.rs
• baml_language/crates/bex_engine/tests/heap_guard.rs
• baml_language/crates/bex_external_types/src/epoch_guard.rs
• baml_language/crates/bex_external_types/src/handle.rs
• baml_language/crates/bex_external_types/src/lib.rs
• baml_language/crates/bex_heap/Cargo.toml
• baml_language/crates/bex_heap/src/accessor.rs
• baml_language/crates/bex_heap/src/heap_guard.rs
• baml_language/crates/bex_heap/src/lib.rs
• baml_language/crates/bex_heap/src/tlab.rs
• baml_language/crates/bex_project/src/bex.rs
• baml_language/crates/bex_vm_types/src/roots.rs
• baml_language/crates/sys_ops/src/lib.rs
• baml_language/crates/sys_types/src/lib.rs

💤 Files with no reviewable changes (3)

• baml_language/crates/bex_external_types/src/lib.rs
• baml_language/crates/bex_external_types/src/epoch_guard.rs
• baml_language/crates/bex_external_types/src/handle.rs

[codspeed-hq]

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 15 untouched benchmarks
⏩ 105 skipped benchmarks¹

---

_{Comparing kai/gc (e74cf2b) with canary (410a95f)}

Footnotes

1. 105 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[github-actions]

Binary size checks passed

✅ 7 passed

	Artifact	Platform	Gzip	Baseline	Delta	Status
✅	bridge_cffi	Linux	6.0 MB	5.7 MB	+363.3 KB (+6.4%)	OK
✅	bridge_cffi-stripped	Linux	6.0 MB	5.7 MB	+333.1 KB (+5.9%)	OK
✅	bridge_cffi	macOS	5.0 MB	4.6 MB	+345.2 KB (+7.5%)	OK
✅	bridge_cffi-stripped	macOS	4.9 MB	4.7 MB	+275.9 KB (+5.9%)	OK
✅	bridge_cffi	Windows	5.0 MB	4.6 MB	+350.2 KB (+7.6%)	OK
✅	bridge_cffi-stripped	Windows	5.0 MB	4.7 MB	+289.8 KB (+6.2%)	OK
✅	bridge_wasm	WASM	3.3 MB	3.2 MB	+40.8 KB (+1.3%)	OK

---

Generated by cargo size-gate · workflow run

[coderabbitai]

🧹 Nitpick comments (3)

baml_language/crates/bex_heap/src/tlab.rs (2)

727-736: Nit: unify the duplicate-detection key across the two concurrent TLAB tests.

test_miri_concurrent_tlab_allocation (lines 664–672) inserts ptr.as_ptr() as usize into the HashSet, whereas this test inserts *ptr (relying on HeapPtr: Copy + Hash + Eq). Both are correct if HeapPtr's Hash/Eq are based on the underlying pointer address, but the divergent styles make it easy to assume the two tests check different invariants.

Pick one form for consistency — either hash HeapPtr directly in both, or go through as_ptr() as usize in both.

♻️ Suggested consolidation (mirror the other test)

-        let mut seen = std::collections::HashSet::new();
-        for thread_pointers in &all_pointers {
-            for ptr in thread_pointers {
-                assert!(
-                    seen.insert(*ptr),
-                    "Duplicate pointer from concurrent refill"
-                );
-            }
-        }
+        let mut seen = std::collections::HashSet::new();
+        for thread_pointers in &all_pointers {
+            for ptr in thread_pointers {
+                assert!(
+                    seen.insert(ptr.as_ptr() as usize),
+                    "Duplicate pointer {:?} from concurrent refill",
+                    ptr.as_ptr()
+                );
+            }
+        }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@baml_language/crates/bex_heap/src/tlab.rs` around lines 727 - 736, The two
concurrent TLAB tests use different keys for duplicate detection—one inserts
ptr.as_ptr() as usize, the other inserts *ptr—so unify them for consistency;
update the duplicate-check in tlab.rs to use the same form as
test_miri_concurrent_tlab_allocation (convert each HeapPtr to a raw address via
as_ptr() as usize before inserting into the HashSet), adjust the HashSet type to
HashSet<usize> if needed, and ensure the assert message remains the same so both
tests verify identical invariants.

---

346-351: Nit: assertion is weaker than the test name suggests.

The test is named test_multiple_tlabs_no_overlap, but only a single object is allocated from each TLAB and the assertion is just assert_ne!(ptr1, ptr2). That catches the worst case (identical chunk), but doesn't verify the TLAB regions are disjoint. Consider either renaming to reflect the current scope (e.g. test_multiple_tlabs_distinct_first_pointer) or strengthening by allocating enough from each TLAB to demonstrate non-overlapping ranges via heap.is_compile_time_ptr / pointer comparisons. Not blocking.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@baml_language/crates/bex_heap/src/tlab.rs` around lines 346 - 351, The test
test_multiple_tlabs_no_overlap only allocates one object per TLAB (using
tlab1.alloc and tlab2.alloc) and then asserts ptr1 != ptr2, which doesn't prove
regions are disjoint; either rename the test to reflect the weaker check or
strengthen it by allocating multiple objects from each TLAB (call tlab1.alloc
and tlab2.alloc in a loop) and then assert the address ranges do not overlap
using pointer comparisons or heap.is_compile_time_ptr/other range-check helpers
(compare lowest and highest pointers from each TLAB or verify one TLAB's high
pointer is less than the other's low pointer) to demonstrate non-overlapping
TLAB regions.

baml_language/crates/baml_builtins_codegen/src/codegen_accessors.rs (1)

435-444: Use PermitProof<'a> in into_owned for consistency and robustness.

The generated accessor methods require PermitProof<'a> (line 397), and into_owned forwards the permit parameter into them (e.g., self.#name(heap, permit)? at lines 350, 354, 356, 362). Using PermitProof<'_> in into_owned introduces a fresh, unconstrained lifetime that relies on variance and inference to satisfy the accessor's expected PermitProof<'a> — fragile and inconsistent with baml_builtins2_codegen/src/codegen_io.rs, which uses PermitProof<'a> for its equivalent method.

Proposed change

             pub fn into_owned(
                 self,
                 heap: &'a BexHeap,
-                permit: PermitProof<'_>,
+                permit: PermitProof<'a>,
             ) -> Result<owned::`#owned_name`, AccessError> {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@baml_language/crates/baml_builtins_codegen/src/codegen_accessors.rs` around
lines 435 - 444, The into_owned method currently takes permit: PermitProof<'_>
which creates a fresh unconstrained lifetime; change its signature to accept
permit: PermitProof<'a> so it matches the accessor methods (e.g.,
self.#name(heap, permit)?), the generated accessor lifetimes, and the pattern
used in baml_builtins2_codegen/src/codegen_io.rs; update the into_owned
declaration in the impl (the function on type owning owned::`#owned_name` that
also takes heap: &'a BexHeap) to use PermitProof<'a> to ensure lifetime
consistency and robustness when forwarding permit to the accessors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@baml_language/crates/baml_builtins_codegen/src/codegen_accessors.rs`:
- Around line 435-444: The into_owned method currently takes permit:
PermitProof<'_> which creates a fresh unconstrained lifetime; change its
signature to accept permit: PermitProof<'a> so it matches the accessor methods
(e.g., self.#name(heap, permit)?), the generated accessor lifetimes, and the
pattern used in baml_builtins2_codegen/src/codegen_io.rs; update the into_owned
declaration in the impl (the function on type owning owned::`#owned_name` that
also takes heap: &'a BexHeap) to use PermitProof<'a> to ensure lifetime
consistency and robustness when forwarding permit to the accessors.

In `@baml_language/crates/bex_heap/src/tlab.rs`:
- Around line 727-736: The two concurrent TLAB tests use different keys for
duplicate detection—one inserts ptr.as_ptr() as usize, the other inserts *ptr—so
unify them for consistency; update the duplicate-check in tlab.rs to use the
same form as test_miri_concurrent_tlab_allocation (convert each HeapPtr to a raw
address via as_ptr() as usize before inserting into the HashSet), adjust the
HashSet type to HashSet<usize> if needed, and ensure the assert message remains
the same so both tests verify identical invariants.
- Around line 346-351: The test test_multiple_tlabs_no_overlap only allocates
one object per TLAB (using tlab1.alloc and tlab2.alloc) and then asserts ptr1 !=
ptr2, which doesn't prove regions are disjoint; either rename the test to
reflect the weaker check or strengthen it by allocating multiple objects from
each TLAB (call tlab1.alloc and tlab2.alloc in a loop) and then assert the
address ranges do not overlap using pointer comparisons or
heap.is_compile_time_ptr/other range-check helpers (compare lowest and highest
pointers from each TLAB or verify one TLAB's high pointer is less than the
other's low pointer) to demonstrate non-overlapping TLAB regions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 081b237e-1609-4544-be37-78582c0f383f

📥 Commits

Reviewing files that changed from the base of the PR and between c9797bc and e74cf2b.

📒 Files selected for processing (6)

• baml_language/crates/baml_builtins2_codegen/src/codegen_io.rs
• baml_language/crates/baml_builtins_codegen/src/codegen_accessors.rs
• baml_language/crates/baml_builtins_macros/src/codegen_accessors.rs
• baml_language/crates/bex_heap/src/accessor.rs
• baml_language/crates/bex_heap/src/tlab.rs
• baml_language/crates/sys_types/src/lib.rs