fix: cranelift JIT srt-after-map TLS desync silent miscompile

[danieljohnmorris]

Summary

Cranelift JIT silently returned nil from srt fn xs (and grp / uniqby / partition) when another HOF with an inline-lambda callback had run earlier in the same function. Tree and VM produced the correct sorted list. Caught by pdf-analyst rerun4 via the frq + mget + srt pattern, then minimised down to two inline lambdas in the same function body.

Repro

main>_;a=map (x:n>n;+x 1) [1 2 3];sk=srt (p:L _>n;p.0) [[2 "a"] [1 "b"]];sk

Before:

• --run-tree → [[1, b], [2, a]]
• --run-vm → [[1, b], [2, a]]
• --run-cranelift → nil

After: all three engines agree on [[1, b], [2, a]].

Root cause

The four TLS slots ACTIVE_REGISTRY, ACTIVE_FUNC_NAMES, ACTIVE_PROGRAM, ACTIVE_AST_PROGRAM had drop guards that NULL'd the slot unconditionally on scope exit. That is safe at the top-level Cranelift entry, but a per-element HOF callback re-enters the VM via jit_call_dyn -> VM::new(program).call(...); the inner execute()'s guards then NULL the slots when the inner returns, leaving the outer JIT with no TLS state.

The next tree-bridge HOF in the same Cranelift entry saw null ACTIVE_FUNC_NAMES, deserialised its FnRef arg to a synthetic <user_fn:N> placeholder Text, failed to dispatch it through the tree interpreter, and the bridge swallowed the failure as TAG_NIL (legacy nil-sweep gap, filed separately).

Regressed when the HOF dispatch chain (#277 / #278 / #279 / #280 / #283) introduced the sub-VM re-entry path. Pre-#277, map was tree-bridge-only and the inner-VM re-entry didn't exist, so the TLS desync never happened.

What is in the diff

Commit 1 — vm: save-restore TLS guards. The four guards now snapshot the previous pointer at construction and restore it on drop. Linear stack discipline across arbitrary nesting; the outermost restore still ends at null. clear_active_registry() retained for the AOT runtime tear-down path where there is no prior pointer to restore.

Commit 2 — test: cross-engine regression. Nine new tests in regression_lambdas_cross_engine.rs cover every native HOF (map/flt/fld/flatmap) followed by every tree-bridge HOF (srt/grp/uniqby/partition). Plus the original pdf-analyst frq + mget shape, and a native->bridge->native sandwich. New examples/srt-after-map-inline-lambda.ilo exercises the same pattern through tests/examples_engines.rs so the higher-level harness catches future drift too.

Test plan

• Repro from pdf-analyst rerun4 (min2.ilo) now matches tree/VM on Cranelift
• Nine new cross-engine regression tests pass on tree / VM / Cranelift
• New examples/srt-after-map-inline-lambda.ilo runs identically on every engine via tests/examples_engines.rs
• Full cargo test --release --features cranelift green (3071 + 24 + 30 + ... passes, 0 failures)
• cargo fmt --check and cargo clippy --release --features cranelift -- -D warnings clean

Follow-ups (filed, out of scope here)

• Promote tree-bridge errors from silent TAG_NIL to runtime errors for HOFs (srt, grp, uniqby, partition) so a callback failure surfaces as ILO-R instead of nil. Independent of this PR; logged in ilo_assessment_feedback.md parked section.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!