feat(dwarf): make --dwarf remap work on real DWARF + witness oracle (v0.20.0) (#209)

* feat(dwarf): make --dwarf remap work on real DWARF + witness oracle (#130)

Falsifying the v0.19.0 single-source remap against a real Rust component
(hello_rust.wasm) surfaced four address classes the synthetic oracle
missed, plus gimli's all-or-nothing failure mode. All fixed:

- low_pc is the function BODY START (locals-decl byte), not the first
  instruction — the locals/prefix region now maps linearly (locals are
  preserved verbatim). Previously every low_pc underflowed to a miss.
- Exclusive-end addresses (high_pc-as-addr, range ends, line
  end_sequence) map to output_body_end.
- LLVM emits fixed-width zero-padded LEBs for relocatable indices, so
  DWARF rows can land inside operand bytes — these resolve to the
  CONTAINING operator (exact on boundaries) for correct line attribution.
- Linear-memory/data addresses (DW_OP_addr) at/beyond the code extent
  pass through unchanged (correct under multi-memory fusion).
- Per-address tombstoning replaces all-or-nothing strip: gimli's
  Dwarf::from aborts on a single unmappable address, which on real
  modules (dead-code gaps) stripped ALL DWARF. convert_address is now
  total — correct offset where mappable, identity for data/tombstones,
  0xFFFF_FFFF for unmappable code. Guarantee strengthens to "every
  emitted address is correct or an ignored tombstone, never wrong".

Witness oracle (tests/dwarf_remap_witness.rs, gimli dev-dep): fuses a
real Rust component with --dwarf remap and asserts every non-tombstone
subprogram low_pc equals some fused function's component-provenance
code_range.start (the pulseengine/witness contract, in-tree). On the
fixture all but 9 of 225 functions map exactly; the 9 are dead code.

LS-D-1 amended with the v0.20.0 hardening. Multi-source still strips
(gimli writer-API blocker, see #208).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(dwarf): tombstone ambiguous function-boundary addresses (Mythos #209)

The Mythos auto-scan flagged that `AddressRemap::translate` could emit a
plausible-but-wrong address at a function boundary. Input bodies are
contiguous, so one address is both function A's exclusive end
(A.input_end) and the next function B's start (B.input_start); the
BTreeMap range lookup selects B and returned B.output_body_start, which
differs from A.output_body_end when A and B are not adjacent in the
fused output (interleaved / reordered functions). A's high_pc-as-addr,
range-list end, and end_sequence then mapped to a wrong offset.

`translate` now detects the divergent-boundary case (prev.output_body_end
!= span.output_body_start) and returns None so the caller tombstones the
address rather than emit a wrong one. When the two interpretations
coincide (input order preserved — the single-source case meld emits) the
boundary resolves cleanly. Pinned by
`translate_ambiguous_boundary_tombstones_when_reordered`; LS-D-1 amended.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(dwarf): code_extent covers dropped functions, not just survivors (Mythos #209)

Second Mythos auto-scan finding: AddressRemap::code_extent used the max
input_end over REGISTERED spans, so a source module's dropped trailing
function (DCE'd, no span) has input addresses exceeding code_extent.
convert_address then classified them as linear-memory data and passed
them through as stale input-module offsets instead of tombstoning.

code_extent is now the input module's full code-section extent (every
input function, via module_function_layouts which parses them all), so a
dropped function's address stays in the code range and tombstones.
Pinned by `code_extent_covers_dropped_trailing_function`; LS-D-1 amended.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: avrabe

CHANGELOG.md

@@ -4,6 +4,58 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+## [0.20.0] - 2026-05-29
+
+### Changed
+
+- **`DwarfHandling::Remap` now works on real compiler-emitted DWARF**
+  (#143 / #130, witness integration). Falsifying the v0.19.0 remap
+  against a real Rust component (`hello_rust.wasm`) surfaced four
+  address classes the synthetic oracle missed; all are now handled, and
+  the all-or-nothing gimli failure mode is replaced with per-address
+  tombstoning.
+  - **`low_pc` is the function body start.** WebAssembly DWARF measures
+    `DW_AT_low_pc` from the locals-declaration byte, not the first
+    instruction. The locals/prefix region now maps linearly (locals are
+    preserved verbatim during fusion). Previously every function's
+    `low_pc` underflowed to a miss.
+  - **Exclusive-end addresses** (`high_pc`-as-address, range-list ends,
+    line-program `end_sequence`) map to the output body end.
+  - **Padded LEBs.** LLVM emits fixed-width zero-padded LEBs for
+    relocatable indices, so DWARF rows can land inside an operator's
+    operand bytes; these now resolve to the **containing** operator
+    (exact on instruction boundaries), giving correct source-line
+    attribution.
+  - **Data addresses** (`DW_OP_addr` linear-memory locations) at or
+    beyond the code extent pass through unchanged (correct under
+    multi-memory fusion).
+  - **Per-address tombstoning replaces all-or-nothing strip.**
+    `gimli::write::Dwarf::from` aborts the entire conversion on a single
+    unmappable address, so on real modules (hundreds of functions,
+    dead-code gaps) the strict gate stripped *all* DWARF. The
+    `convert_address` closure is now total: correct fused offset where
+    mappable, identity for data/existing tombstones, and the DWARF
+    tombstone `0xFFFF_FFFF` for unmappable code (functions meld dropped).
+    The LS-D-1 guarantee strengthens to *"every emitted address is
+    correct or an ignored tombstone — never a plausible-but-wrong
+    address."*
+
+### Added
+
+- **DWARF remap falsification oracle** (`tests/dwarf_remap_witness.rs`,
+  #130). Fuses a real Rust component with `--dwarf remap` and asserts
+  every non-tombstone `DW_TAG_subprogram` `low_pc` in the *output* DWARF
+  equals some fused function's component-provenance `code_range.start` —
+  the `pulseengine/witness` code-offset → source-line contract, checked
+  in-tree with `gimli`. On the fixture all but 9 of 225 functions map
+  exactly (the 9 are dead code, tombstoned). Updates LS-D-1.
+
+### Notes
+
+- Multi-DWARF-source fusion still falls back to `strip` (merging
+  independent DWARF unit sets is blocked by gimli's writer API — see
+  issue #208 for the analysis and the relocator design).
+
 ## [0.19.0] - 2026-05-29
 
 ### Added

Cargo.lock

@@ -10,7 +10,7 @@ exclude = [
 ]
 
 [workspace.package]
-version = "0.19.0"
+version = "0.20.0"
 authors = ["PulseEngine <https://github.com/pulseengine>"]
 edition = "2024"
 license = "Apache-2.0"

Cargo.toml

@@ -43,6 +43,9 @@ petgraph = "0.8.3"
 [dev-dependencies]
 proptest.workspace = true
 wasmprinter.workspace = true
+# Re-declared for integration tests (tests/dwarf_remap_witness.rs) to
+# parse and validate the remapped DWARF in the fused output.
+gimli.workspace = true
 wat = "1.219"
 wasmtime = "41.0.1"
 wasmtime-wasi = "41.0.4"