fix(codegen): #555 decision — back-port loud handler failure to core-WASM, JS-text, Deno-ESM (#566)

hyperpolymath · claude · web-flow · commit 3f2f326b7647 · 2026-06-12T01:43:43.000+01:00
Executes the decision requested in #555: **back-port the loud failure now, implement dispatch later.** - `lib/codegen.ml`: `ExprHandle`/`ExprResume` → `Error UnsupportedFeature`, mirroring `codegen_gc.ml:896-948`. The ADR-013/016 CPS line covers Async-effect *calls*, not `handle` expressions — async lowering unaffected (CPS harnesses stay green). - `lib/js_codegen.ml` + `lib/codegen_deno.ml`: `failwith` at handle/resume sites → converted to `Error` by each backend's existing entry wrapper. Declared `/ Async` rows on Deno-ESM still lower via `async function` (`fd_is_async`). - New regression suite **E2E Handler Fence (#555)** + fixture `handle_return_arm.affine` (the execution-proven 41-vs-42 probe): interpreter must keep evaluating it; all three compile backends must fail loudly naming the fence. Gate: 385 tests green (381 + 4 new). The first runtime-behaviour tests effect handlers have ever had on the compile backends. Does NOT close #555 — general handler dispatch remains open there; this removes the silent-wrong-value class only (v1 ledger #563, T0 item 2). Follow-up (deliberate, after #565 lands to avoid a doc conflict): one-line CAPABILITY-MATRIX effects-row touch-up from "silently drop handler arms" to "fail loudly (fence landed)". 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
diff --git a/.github/workflows/affine-vscode-publish.yml b/.github/workflows/affine-vscode-publish.yml
@@ -29,6 +29,7 @@ concurrency:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/casket-pages.yml b/.github/workflows/casket-pages.yml
@@ -26,6 +26,7 @@ jobs:
   # point also keeps the workflow re-triggerable post-enablement.
   precheck:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     outputs:
       enabled: ${{ steps.check.outputs.enabled }}
     steps:
@@ -45,6 +46,7 @@ jobs:
     needs: precheck
     if: needs.precheck.outputs.enabled == 'true'
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
@@ -119,6 +121,7 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     needs: [precheck, build]
     if: needs.precheck.outputs.enabled == 'true'
     steps:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,6 +15,8 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -70,6 +72,8 @@ jobs:
         run: opam exec -- dune build @fmt
   lint:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -93,6 +97,8 @@ jobs:
     # §"Bench standards". Does NOT block merge. Promotion to a
     # ratcheted gate requires a calibrated baseline first.
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -137,6 +143,8 @@ jobs:
     # docs/standards/TESTING.adoc §"Coverage (visibility-only)".
     # No merge-blocking floor today.
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -191,6 +199,8 @@ jobs:
     # (previously gated on #104's npm publish). A real regression should
     # turn this job red and gate, so no `continue-on-error`.
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -234,6 +244,8 @@ jobs:
     # commit still build cleanly and (b) gate `tools/res-to-affine/`
     # walker work that depends on the generated parser.
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -18,6 +18,7 @@ permissions: read-all
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       security-events: write
diff --git a/.github/workflows/instant-sync.yml b/.github/workflows/instant-sync.yml
@@ -14,6 +14,7 @@ concurrency:
 jobs:
   dispatch:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     # Skip the dispatch job entirely when the FARM_DISPATCH_TOKEN secret is
     # not configured (e.g. on forks, or before the secret is provisioned).
     # Without this gate the action errors with "Parameter token or opts.auth
diff --git a/.github/workflows/panic-attack.yml b/.github/workflows/panic-attack.yml
@@ -28,6 +28,7 @@ permissions:
 jobs:
   scan:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/publish-jsr.yml b/.github/workflows/publish-jsr.yml
@@ -37,8 +37,9 @@ concurrency:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - uses: denoland/setup-deno@v2
         with:
           deno-version: v2.x
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -30,6 +30,7 @@ concurrency:
 jobs:
   prepare:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -56,6 +57,7 @@ jobs:
           - os: macos-14
             target: macos-arm64
     runs-on: ${{ matrix.os }}
+    timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -93,6 +95,7 @@ jobs:
   checksums:
     needs: build
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Collect binaries and publish SHA256SUMS
         env:
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
@@ -18,6 +18,7 @@ permissions: read-all
 jobs:
   scorecard:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       security-events: write
       id-token: write # For OIDC
@@ -38,6 +39,7 @@ jobs:
   # Check specific high-priority items
   check-critical:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Check SECURITY.md exists
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -17,6 +17,7 @@ concurrency:
 jobs:
   semgrep:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       security-events: write
       contents: read
diff --git a/.github/workflows/stdlib-naming.yml b/.github/workflows/stdlib-naming.yml
@@ -25,6 +25,7 @@ concurrency:
 jobs:
   enforce-lowercase-stdlib:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Enforce lowercase .affine filenames in stdlib/
diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml
@@ -17,6 +17,7 @@ concurrency:
 jobs:
   lint-workflows:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
       - name: Check SPDX headers
diff --git a/lib/codegen.ml b/lib/codegen.ml
@@ -1382,19 +1382,29 @@ let rec gen_expr (ctx : context) (expr : expr) : (context * instr list) result =
        the record pointer is unchanged (fields are still in memory). *)
     gen_expr ctx base
 
-  | ExprHandle eh ->
-    (* Effect handlers in WASM: compile the body expression.
-       Effect handling requires continuation support which WASM doesn't
-       natively have. We compile as a simple wrapper that evaluates the
-       body — unhandled effects will trap at runtime. *)
-    gen_expr ctx eh.eh_body
-
-  | ExprResume arg_opt ->
-    (* Resume passes through the argument value *)
-    begin match arg_opt with
-      | Some e -> gen_expr ctx e
-      | None -> Ok (ctx, [I32Const 0l])  (* unit *)
-    end
+  | ExprHandle _eh ->
+    (* Effect handler dispatch is not implementable on this backend today.
+       The previous behaviour — compile the body only, dropping every
+       handler arm and lowering `resume` as a passthrough — was SILENTLY
+       WRONG: an effects-free `handle 41 { return(v) => v + 1 }` evaluated
+       to 42 in the interpreter and 41 in compiled wasm (issue #555), and
+       performs trapped at op stubs instead of dispatching.  codegen_gc.ml
+       already fails loudly on this exact shape; this back-ports the fence.
+       Note: the ADR-013/ADR-016 CPS line covers Async-effect *calls*, not
+       `handle` expressions — failing here does not regress async support.
+       To use algebraic effects, run under the interpreter (`--interp`/`-i`). *)
+    Error (UnsupportedFeature
+      "effect handler (handle { ... }) in the WASM backend — \
+       handler arms cannot be dispatched (requires WASM EH proposal or a \
+       general-handler CPS transform; Refs #555); use `--interp` / `-i`")
+
+  | ExprResume _arg_opt ->
+    (* `resume` is only meaningful inside a handler arm; the enclosing
+       `handle` already fails above.  Fail consistently (was: silent
+       argument passthrough — issue #555). *)
+    Error (UnsupportedFeature
+      "`resume` expression in the WASM backend — \
+       only valid inside a `handle` block (Refs #555); use `--interp` / `-i`")
 
   | ExprTry et ->
     (* WASM 1.0 has no exception-handling proposal.
diff --git a/lib/codegen_deno.ml b/lib/codegen_deno.ml
@@ -1200,9 +1200,21 @@ let rec gen_expr ctx (expr : expr) : string =
        | _, name   -> Printf.sprintf "({ tag: %S })" name)
   | ExprSpan (inner, _) -> gen_expr ctx inner
   | ExprRowRestrict (e, _) -> gen_expr ctx e
-  | ExprHandle { eh_body; eh_handlers = _ } -> gen_expr ctx eh_body
-  | ExprResume (Some e) -> gen_expr ctx e
-  | ExprResume None     -> "Unit"
+  | ExprHandle _ ->
+      (* Was: silent erasure (body-only, handler arms dropped) — wrong-value
+         miscompiles even for effects-free return arms (issue #555).  Fail
+         loudly at compile time; `Failure` is converted to `Error` by
+         [codegen_deno]'s entry wrapper.  Declared `/ Async` rows are
+         unaffected — they lower via `async function` (fd_is_async), not
+         via `handle` expressions. *)
+      failwith
+        "effect handler (handle { ... }) is not supported by the Deno-ESM \
+         backend — handler arms cannot be dispatched (Refs #555); \
+         use `--interp` / `-i`"
+  | ExprResume _ ->
+      failwith
+        "`resume` is not supported by the Deno-ESM backend — only valid \
+         inside a `handle` block (Refs #555); use `--interp` / `-i`"
   | ExprUnsafe _ ->
       iife ctx "throw new Error('unsafe op not supported in Deno-ESM backend');"
 
diff --git a/lib/js_codegen.ml b/lib/js_codegen.ml
@@ -285,11 +285,19 @@ let rec gen_expr ctx (expr : expr) : string =
        | _, name    -> Printf.sprintf "({ tag: %S })" name)
   | ExprSpan (inner, _) -> gen_expr ctx inner
   | ExprRowRestrict (e, _field) -> gen_expr ctx e  (* runtime no-op *)
-  | ExprHandle { eh_body; eh_handlers = _ } ->
-      (* Effect handlers are erased at MVP — IO collapses to direct calls. *)
-      gen_expr ctx eh_body
-  | ExprResume (Some e) -> gen_expr ctx e
-  | ExprResume None     -> "Unit"
+  | ExprHandle _ ->
+      (* Was: silent erasure (body-only, handler arms dropped) — wrong-value
+         miscompiles even for effects-free return arms (issue #555).  Fail
+         loudly at compile time; `Failure` is converted to `Error` at this
+         backend's entry point. *)
+      failwith
+        "effect handler (handle { ... }) is not supported by the JS-text \
+         backend — handler arms cannot be dispatched (Refs #555); \
+         use `--interp` / `-i`"
+  | ExprResume _ ->
+      failwith
+        "`resume` is not supported by the JS-text backend — only valid \
+         inside a `handle` block (Refs #555); use `--interp` / `-i`"
   | ExprUnsafe _ ->
       "(() => { throw new Error('unsafe op not supported in JS backend'); })()"
 
diff --git a/test/e2e/fixtures/handle_return_arm.affine b/test/e2e/fixtures/handle_return_arm.affine
@@ -0,0 +1,7 @@
+// Issue #555 regression fixture: an effects-free handle with only a
+// return arm. Interpreter evaluates to 42; the WASM/JS/Deno backends
+// previously compiled body-only (silently dropping the arm → 41).
+// They must now fail loudly instead.
+fn main() -> Int {
+  return handle 41 { return(v) => v + 1 };
+}
diff --git a/test/test_e2e.ml b/test/test_e2e.ml
@@ -2199,6 +2199,75 @@ let try_catch_tests = [
   Alcotest.test_case "julia: full form"            `Quick test_try_julia_full;
 ]
 
+(* ============================================================================
+   Issue #555: effect-handler loud-fail fences
+   ============================================================================
+
+   The core-WASM / JS-text / Deno-ESM backends previously compiled `handle`
+   body-only (handler arms silently dropped; `resume` lowered as an argument
+   passthrough). An effects-free return-arm handle evaluated to 42 in the
+   interpreter and 41 in compiled wasm — a silent wrong-value miscompile.
+   These tests pin the fences: all three backends must fail loudly, and the
+   interpreter path must keep working. *)
+
+let contains_str needle haystack =
+  try let _ = Str.search_forward (Str.regexp_string needle) haystack 0 in true
+  with Not_found -> false
+
+let test_handle_interp_still_works () =
+  match run_interp_pipeline (fixture "handle_return_arm.affine") with
+  | Error msg -> Alcotest.fail msg
+  | Ok _ -> ()
+
+let test_handle_wasm_loud_fail () =
+  match run_wasm_pipeline (fixture "handle_return_arm.affine") with
+  | Ok _ ->
+      Alcotest.fail
+        "expected UnsupportedFeature for handle on core-WASM (Refs #555); \
+         got Ok — silent arm-drop has regressed"
+  | Error msg ->
+      Alcotest.(check bool) "error names the handler fence" true
+        (contains_str "effect handler" msg)
+
+let test_handle_js_loud_fail () =
+  let result =
+    let open Result in
+    let ( let* ) = bind in
+    let* (prog, resolve_ctx) = run_frontend (fixture "handle_return_arm.affine") in
+    Js_codegen.codegen_js prog resolve_ctx.symbols
+  in
+  match result with
+  | Ok _ ->
+      Alcotest.fail
+        "expected loud failure for handle on JS-text (Refs #555); \
+         got Ok — silent erasure has regressed"
+  | Error msg ->
+      Alcotest.(check bool) "error names the handler fence" true
+        (contains_str "effect handler" msg)
+
+let test_handle_deno_loud_fail () =
+  let result =
+    let open Result in
+    let ( let* ) = bind in
+    let* (prog, resolve_ctx) = run_frontend (fixture "handle_return_arm.affine") in
+    Codegen_deno.codegen_deno prog resolve_ctx.symbols
+  in
+  match result with
+  | Ok _ ->
+      Alcotest.fail
+        "expected loud failure for handle on Deno-ESM (Refs #555); \
+         got Ok — silent erasure has regressed"
+  | Error msg ->
+      Alcotest.(check bool) "error names the handler fence" true
+        (contains_str "effect handler" msg)
+
+let handler_fence_tests = [
+  Alcotest.test_case "interp: return-arm handle still evaluates" `Quick test_handle_interp_still_works;
+  Alcotest.test_case "wasm: handle → loud UnsupportedFeature"     `Quick test_handle_wasm_loud_fail;
+  Alcotest.test_case "js-text: handle → loud failure"             `Quick test_handle_js_loud_fail;
+  Alcotest.test_case "deno-esm: handle → loud failure"            `Quick test_handle_deno_loud_fail;
+]
+
 (* ============================================================================
    Section: Stage 7 — typed-wasm Ownership Verifier (Tw_verify)
    ============================================================================
@@ -4701,6 +4770,7 @@ let tests =
     ("E2E LSP Phase C", lsp_phase_c_tests);
     ("E2E LSP Phase D", lsp_phase_d_tests);
     ("E2E Try/Catch/Finally", try_catch_tests);
+    ("E2E Handler Fence (#555)", handler_fence_tests);
     ("E2E Ownership Verify", tw_verify_tests);
     ("E2E Cmd Linearity", cmd_linear_tests);
     ("E2E Boundary Verify", tw_interface_tests);
