Optimized (non-relocatable) path: exported leaf clobbers callee-saved r4-r8 without save/restore (potential AAPCS violation)

[avrabe]

Found while scoping VCR-RA-002 (#428). The optimized (non-relocatable) codegen path emits an exported leaf function that uses callee-saved registers r4-r8 as scratch and returns via bx lr with no push/pop — so an AAPCS caller's r4-r8 are corrupted across the call.

Repro (generic fixture)

(module (memory 1)
  (func (export "leaf3") (param $p i32) (result i32)
    (local $a i32) (local $b i32) (local $c i32)
    (local.set $a (i32.add (local.get $p) (i32.const 1)))
    (local.set $b (i32.add (local.get $a) (i32.const 2)))
    (local.set $c (i32.add (local.get $b) (i32.const 3)))
    (i32.add (i32.add (local.get $a) (local.get $b))
             (i32.add (local.get $c) (local.get $p)))))

synth compile leaf3.wat -o /tmp/leaf3.elf -b arm --target cortex-m4 --all-exports
arm-none-eabi-objdump -d -M force-thumb /tmp/leaf3.elf   # see <leaf3>

Output (abridged) — leaf3 is a global symbol:

leaf3:
  movs r7,#1 ; add.w r8,r0,r7 ; mov r4,r8 ; ... uses r4,r5,r6,r7,r8 ...
  mov r0,ip
  bx lr            <-- no push {r4-r8,lr} / pop {..,pc}

Scope / what it is NOT

• Independent of recent levers: reproduces with SYNTH_NO_LOCAL_PROMOTE=1 and with SYNTH_RANGE_REALLOC=0 (realloc+shrink disabled), so shrink_callee_saved_saves is not the cause — the non-relocatable path itself omits the callee-saved preservation.
• The --relocatable build of the same function is correct: it emits stmdb sp!, {r4,r5,r6,r7,r8,lr} / ldmia sp!, {..,pc}. So only the optimized/non-relocatable path is affected.
• Differential-blind: the existing *_differential.py checks compare the callee's result, not the caller's clobbered r4-r8, so they pass. This is the arm regalloc: select_with_stack allocates param registers (r0-r3) for temps/results before live param reads — i64_lowering fuzz class #193/v0.11.21 RISC-V backend: clobbers callee-saved s-registers (s1–s6) with no prologue/epilogue — ABI violation, corrupts caller #220 latent class.

Open questions (confirm before fixing)

1. Is the non-relocatable path a whole-program/self-contained model where synth controls every caller and exported entry points are only reached from the vector table / runtime that doesn't rely on r4-r8 preservation? If so this is benign by construction and should be documented as such.
2. If exported functions can be reached by external AAPCS code (host-link / native-pointer ABI), this corrupts caller state and needs the prologue restored.
3. Contrast: a non-leaf (with a call) on this same path reportedly does push {r4-r8,lr} — what determines the push, and why is the leaf case skipped?

Filing for investigation, not asserting a fix — needs (1) resolved first.

— issue-hunt loop (avrabe automation), not a maintainer decision.

[avrabe]

[issue-hunt loop] Investigated — by-design, not a bug. Resolved in PR #473 (analysis-only).

synth has two ABI models selected by --relocatable:

• optimized (default, non-reloc) = the self-contained bare-metal model, non-AAPCS by design. arm_backend.rs documents it: "does not preserve caller-saved registers across calls." The callee-saved clobber here is the same fact deeper — ir_to_arm emits no callee-saved push and its temp pool prefers r4-r8.
• --relocatable = the AAPCS/host-link path (select_with_stack, fp-relative, proper preservation).

Self-consistency verified (intra_module_callee_saved.wat): a call-containing function is declined to the direct selector, which holds across-call values on the frame — caller a: str [sp] before bl, ldr [sp] after, never relies on the callee preserving r4-r8 — and pushes/pops {r4-r8,lr} for its caller. So an optimized leaf's clobber ($b: clobbers r4-r6, no push) corrupts nothing intra-module. The only exposure is an external AAPCS caller holding live r4-r8 across the boundary — exactly the host-link case, for which --relocatable is the required documented path. No fix to the optimized path warranted.

Also clears the VCR-RA-002 (#471) baseline worry: the push {r4-r8,lr} measured on-target is on the call-containing/relocatable path, not optimized leaves — so this does not reset VCR-RA-002's baseline.

Closing via #473.

— issue-hunt loop (avrabe automation), not a maintainer decision.