fix(#372): i64.load/i64.store correctness + v0.11.47 (#373)

* track(#372): i64.load/i64.store 3-layer gap — repro + numeric oracle + decoder WIP

NOT a fix (partial WIP). Diagnosed why falcon loud-skips 39 i64.load/store sites
on v0.11.46. It's THREE layers, worse than the issue assumed (gale thought the
lowering was ready):
 L1 DECODER GAP: convert_operator decodes the narrow i64 loads (I64Load8..32)
    and I32Load/Store but has NO arm for full-width I64Load/I64Store -> _ => None
    -> dropped -> loud-skipped since v0.11.46 (GI-FPU-001). (decoder arm added
    here as WIP — INSUFFICIENT alone: see L2.)
 L2 OPTIMIZED-PATH STUB: with the op decoded, the default optimized path drops
    it -> stub (ld64 -> `bx lr`, st64 -> `mov r0,r1`). So the decoder arm ALONE
    is net-negative (turns the honest loud-skip into a silent stub again). Needs
    an optimizer decline -> direct-selector fallback (mirror #120/#188).
 L3 ENCODER DROPS THE ADDRESS: arm_encoder.rs:5303 I64Ldr/I64Str use addr.base
    + addr.offset but IGNORE addr.index (the address register). Emits
    [R11+offset]/[R11+offset+4], dropping the operand -> reads the WRONG location.
    Proven numerically: ld64(16) returns mem[0] (0xaa..), not mem[16]
    (i64_load_store_372_differential.py). Same class as #206 indexed-load drop.

Fix (next block): decoder arm + optimizer decline + I64Ldr/I64Str encoder index
(materialize ip = addr_reg + offset; ldr/str [R11, ip] {,+4}, like #206), gated
on the numeric differential. Frozen fixtures use no i64.load/store.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(#372): lower i64.load/i64.store correctly (decoder + decline + encoder index)

falcon loud-skipped 39 i64.load/store sites on v0.11.46. The gap was 3 layers,
and the lowering itself was broken (not just unwired):

 L1 DECODER: convert_operator decoded the narrow i64 loads (I64Load8..32) and
    I32Load/Store but had NO arm for full-width I64Load/I64Store -> _ => None ->
    dropped -> loud-skipped. Added the two arms.
 L2 OPTIMIZER: the default optimized path has no IR opcode for them and dropped
    them to a stub (ld64 -> `bx lr`). optimize_full now DECLINES i64.load/store
    -> falls back to the direct selector (the #120/#188 pattern).
 L3 ENCODER (the real bug): arm_encoder.rs I64Ldr/I64Str used addr.base+offset
    and IGNORED addr.offset_reg -> emitted [R11+offset], dropping the address.
    Proven: ld64(16) returned mem[0], not mem[16]. New i64_effective_base()
    materializes `ADD.W ip, base, index` (byte-verified) then loads/stores via
    [ip,#off]/[ip,#off+4]; non-indexed frame access (offset_reg=None) is
    unchanged -> byte-identical. Same class as #206.

Verified: ld64(16)=mem[16] and st64 use the address on BOTH the optimized and
direct paths (i64_load_store_372_differential.py); frozen oracles byte-identical
(control_step 0x00210A55 13/13, flight_seam 0x07FDF307, div_const 338/338);
i64-FRAME fixtures byte-identical (u64_unpack); unit test
test_372_i64_ldr_indexed_materializes_address; 39 suites green; fmt+clippy clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* chore(release): v0.11.47 — #372 i64.load/store correctness

Pin sweep 0.11.46 -> 0.11.47 (workspace + 10 path-deps + MODULE.bazel +
Cargo.lock). CHANGELOG v0.11.47 with falsification. rivet GI-MEM-001 ->
implemented + GI-MEM-VER-001.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

Author: avrabe

CHANGELOG.md

@@ -7,6 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.11.47] - 2026-06-18
+
+**CORRECTNESS — #372: `i64.load`/`i64.store` now lower correctly (they were
+dropped, then mis-addressed). Unblocks 39 falcon i64-memory sites.**
+
+- **#372 — full-width i64 load/store** (#373): three independent defects, the
+  deepest a real miscompile:
+  - **decoder** — `convert_operator` decoded the narrow forms
+    (`I64Load8..32`, `I64Store8..32`) and `I32Load/Store` but had **no arm for
+    full-width `I64Load`/`I64Store`**, so they fell through `_ => None`, were
+    dropped, and (since v0.11.46) loud-skipped. Added the two arms.
+  - **optimizer** — the optimized path has no IR opcode for them and dropped
+    them to a stub (`ld64` → `bx lr`). `optimize_full` now **declines**
+    `i64.load`/`i64.store` and falls back to the direct selector (the #120/#188
+    pattern), which lowers them as a lo/hi register pair.
+  - **encoder (the real bug)** — `I64Ldr`/`I64Str` used `addr.base + offset`
+    and **ignored `addr.offset_reg`**, emitting `[R11 + offset]` and **dropping
+    the address operand**: `ld64(16)` read `mem[0]`, not `mem[16]` (same class
+    as #206). The new `i64_effective_base` materializes `ADD.W ip, base, index`
+    then loads/stores via `[ip, #off]`/`[ip, #off+4]`. Non-indexed (frame) i64
+    access keeps the plain `[base, #off]` form → byte-identical.
+
+  **Falsification:** `ld64(addr)`/`st64(addr)` now read/write `mem[addr]` on
+  both the optimized and direct paths (`i64_load_store_372_differential.py`);
+  i64-*frame* access and the three frozen oracles stay bit-identical
+  (control_step `0x00210A55` 13/13, flight_seam `0x07FDF307`, div_const 338/338;
+  `u64_unpack` byte-identical). No fixture uses `i64.load`/`i64.store`.
+
 ## [0.11.46] - 2026-06-17
 
 **CORRECTNESS — #369: an op the backend cannot lower now LOUD-SKIPS its

Cargo.lock

@@ -27,7 +27,7 @@ resolver = "2"
 # semver to publish, so the convention now catches up: workspace
 # version follows the release tag, bumped pre-tag in the release
 # checklist. See docs/release-process.md.
-version = "0.11.46"
+version = "0.11.47"
 edition = "2024"
 rust-version = "1.88"
 authors = ["PulseEngine Team"]

Cargo.toml

@@ -7,7 +7,7 @@ module(
     name = "synth",
     # Kept in lockstep with [workspace.package] version in Cargo.toml.
     # Both are bumped pre-tag — see docs/release-process.md.
-    version = "0.11.46",
+    version = "0.11.47",
 )
 
 # Bazel dependencies

MODULE.bazel

@@ -695,3 +695,56 @@ artifacts:
       pass-criteria: >
         cargo test test_369 green; f32 module emits no fadd/dmul symbol;
         control_step / flight_seam / div_const differentials byte-identical.
+
+  - id: GI-MEM-001
+    type: sw-req
+    title: Full-width i64.load/i64.store lower correctly (#372)
+    description: >
+      gale/jess #372 (surfaced by the GI-FPU-001 loud-skip): full-width
+      `i64.load`/`i64.store` were a 3-layer gap blocking 39 falcon sites.
+      DECODER had no full-width I64Load/I64Store arm (only narrow I64Load8..32),
+      so they dropped to `_ => None` and loud-skipped. OPTIMIZER had no IR
+      opcode and stubbed them (`ld64` -> `bx lr`). ENCODER (the real bug)
+      I64Ldr/I64Str ignored `addr.offset_reg`, emitting `[R11+offset]` and
+      DROPPING the address (ld64(16) read mem[0], not mem[16] — #206 class).
+      IMPLEMENTED v0.11.47 (#373): decoder arms + optimizer decline->direct
+      fallback (#120/#188 pattern) + `i64_effective_base` materializing
+      `ADD.W ip, base, index` then `[ip,#off]`/`[ip,#off+4]`; non-indexed frame
+      i64 access unchanged (byte-identical). Verified value-level on both paths.
+    status: implemented
+    tags: [gale, jess, i64, memory, encoder, correctness, falcon, release-v0.11.47]
+    links:
+      - type: derives-from
+        target: GI-005
+      - type: traces-to
+        target: gale:372
+    fields:
+      req-type: functional
+      priority: must
+      verification-criteria: >
+        scripts/repro/i64_load_store_372_differential.py: ld64(16) returns
+        mem[16] (0x8877665544332211), not mem[0], on BOTH the optimized and
+        --no-optimize ELFs (unicorn); st64 materializes the index symmetrically;
+        unit test test_372_i64_ldr_indexed_materializes_address; the three frozen
+        oracles (control_step 0x00210A55, flight_seam 0x07FDF307, div_const
+        338/338) and i64-frame fixtures (u64_unpack) stay byte-identical.
+
+  - id: GI-MEM-VER-001
+    type: sw-verification
+    title: "i64.load/store value-level + frozen byte-identity (#372)"
+    description: >
+      Verifies GI-MEM-001 (v0.11.47). Numeric differential
+      i64_load_store_372_differential.py proves ld64 reads mem[addr] (was mem[0]
+      pre-fix) on both compile paths; unit test asserts indexed I64Ldr emits the
+      ADD.W index materialization and non-indexed does not; 39 suites green;
+      control_step/flight_seam/div_const + u64_unpack byte-identical.
+    status: implemented
+    tags: [gale, i64, verification, frozen, release-v0.11.47]
+    links:
+      - type: verifies
+        target: GI-MEM-001
+    fields:
+      method: test
+      pass-criteria: >
+        ld64(16)=0x8877665544332211 on optimized + direct ELFs; frozen oracles
+        + u64_unpack byte-identical; cargo test test_372 green.

artifacts/gale-integration.yaml

@@ -11,6 +11,6 @@ categories.workspace = true
 description = "aWsm backend integration for the Synth compiler"
 
 [dependencies]
-synth-core = { path = "../synth-core", version = "0.11.46" }
+synth-core = { path = "../synth-core", version = "0.11.47" }
 anyhow.workspace = true
 thiserror.workspace = true

crates/synth-backend-awsm/Cargo.toml

@@ -11,8 +11,8 @@ categories.workspace = true
 description = "RISC-V encoder, ELF builder, PMP allocator, and bare-metal startup for synth"
 
 [dependencies]
-synth-core = { path = "../synth-core", version = "0.11.46" }
-synth-synthesis = { path = "../synth-synthesis", version = "0.11.46" }
+synth-core = { path = "../synth-core", version = "0.11.47" }
+synth-synthesis = { path = "../synth-synthesis", version = "0.11.47" }
 anyhow.workspace = true
 thiserror.workspace = true
 tracing.workspace = true

crates/synth-backend-riscv/Cargo.toml

@@ -11,6 +11,6 @@ categories.workspace = true
 description = "Wasker backend integration for the Synth compiler"
 
 [dependencies]
-synth-core = { path = "../synth-core", version = "0.11.46" }
+synth-core = { path = "../synth-core", version = "0.11.47" }
 anyhow.workspace = true
 thiserror.workspace = true

crates/synth-backend-wasker/Cargo.toml

@@ -15,7 +15,7 @@ default = ["arm-cortex-m"]
 arm-cortex-m = ["synth-synthesis"]
 
 [dependencies]
-synth-core = { path = "../synth-core", version = "0.11.46" }
-synth-synthesis = { path = "../synth-synthesis", version = "0.11.46", optional = true }
+synth-core = { path = "../synth-core", version = "0.11.47" }
+synth-synthesis = { path = "../synth-synthesis", version = "0.11.47", optional = true }
 anyhow.workspace = true
 thiserror.workspace = true

crates/synth-backend/Cargo.toml

@@ -5307,10 +5307,20 @@ impl ArmEncoder {
                 } else {
                     addr.offset as u32
                 };
-                bytes.extend_from_slice(&self.encode_thumb32_ldr(rdlo, &addr.base, offset)?);
+                // #372: a memory `i64.load` carries an index register
+                // (`reg_imm(R11, addr_reg, offset)` = R11 + addr + offset). The
+                // immediate `encode_thumb32_ldr` below uses only base+offset and
+                // would SILENTLY DROP `offset_reg` — the #206 defect, here for
+                // i64. Materialize the effective base `ip = base + index` first
+                // (ADD.W ip, base, index — byte-verified), then load with
+                // immediate offsets. Frame i64 loads (no `offset_reg`, e.g. a
+                // spilled local at `[SP, #off]`) keep the plain `[base,#off]`
+                // form unchanged — so existing output is byte-identical.
+                let base = self.i64_effective_base(&mut bytes, addr);
+                bytes.extend_from_slice(&self.encode_thumb32_ldr(rdlo, &base, offset)?);
                 bytes.extend_from_slice(&self.encode_thumb32_ldr(
                     rdhi,
-                    &addr.base,
+                    &base,
                     offset.wrapping_add(4),
                 )?);
                 Ok(bytes)
@@ -5324,10 +5334,12 @@ impl ArmEncoder {
                 } else {
                     addr.offset as u32
                 };
-                bytes.extend_from_slice(&self.encode_thumb32_str(rdlo, &addr.base, offset)?);
+                // #372: same index-materialization as I64Ldr (see above).
+                let base = self.i64_effective_base(&mut bytes, addr);
+                bytes.extend_from_slice(&self.encode_thumb32_str(rdlo, &base, offset)?);
                 bytes.extend_from_slice(&self.encode_thumb32_str(
                     rdhi,
-                    &addr.base,
+                    &base,
                     offset.wrapping_add(4),
                 )?);
                 Ok(bytes)
@@ -6355,6 +6367,29 @@ impl ArmEncoder {
         Ok(bytes)
     }
 
+    /// #372: resolve the base register for an `I64Ldr`/`I64Str` whose address
+    /// may carry an index register. If `addr.offset_reg` is set (a memory
+    /// `i64.load`/`i64.store`: `R11 + addr + offset`), emit `ADD.W ip, base,
+    /// index` and return `ip` (R12) as the base for the two immediate-offset
+    /// halves. If unset (a frame access at `[base, #off]`), return `addr.base`
+    /// unchanged — emitting nothing — so non-indexed i64 access is byte-identical.
+    /// `ip = base + index` is computed BEFORE the halves load, so an `rdlo`
+    /// aliasing the index register is safe (the address is already materialized).
+    fn i64_effective_base(&self, bytes: &mut Vec<u8>, addr: &MemAddr) -> Reg {
+        match addr.offset_reg {
+            Some(idx) => {
+                let ip = Reg::R12;
+                // ADD.W ip, addr.base, idx  (Thumb-2, byte-verified vs as)
+                let hw1: u16 = 0xEB00 | reg_to_bits(&addr.base) as u16;
+                let hw2: u16 = 0x0C00 | reg_to_bits(&idx) as u16;
+                bytes.extend_from_slice(&hw1.to_le_bytes());
+                bytes.extend_from_slice(&hw2.to_le_bytes());
+                ip
+            }
+            None => addr.base,
+        }
+    }
+
     /// Encode Thumb-2 32-bit LDR
     fn encode_thumb32_ldr(&self, rd: &Reg, base: &Reg, offset: u32) -> Result<Vec<u8>> {
         let rd_bits = reg_to_bits(rd);
@@ -8775,6 +8810,41 @@ mod tests {
         assert!(code.len() >= 4, "I64Ldr should emit at least 4 bytes");
     }
 
+    #[test]
+    fn test_372_i64_ldr_indexed_materializes_address() {
+        // #372: a memory i64.load carries an index register (R11 + addr + off).
+        // The encoder must materialize `ip = base + index` (ADD.W) and load via
+        // `[ip,#off]` — NOT drop the index. A frame (non-indexed) i64.load must
+        // stay byte-identical (plain `[base,#off]`, no ADD).
+        let encoder = ArmEncoder::new_thumb2();
+        let indexed = encoder
+            .encode(&ArmOp::I64Ldr {
+                rdlo: Reg::R0,
+                rdhi: Reg::R1,
+                addr: MemAddr::reg_imm(Reg::R11, Reg::R0, 0),
+            })
+            .unwrap();
+        // ADD.W ip, fp, r0 = eb0b 0c00 (byte-verified vs arm-none-eabi-as).
+        assert_eq!(
+            &indexed[0..4],
+            &[0x0b, 0xeb, 0x00, 0x0c],
+            "indexed I64Ldr must start with ADD.W ip, base, index"
+        );
+        let frame = encoder
+            .encode(&ArmOp::I64Ldr {
+                rdlo: Reg::R0,
+                rdhi: Reg::R1,
+                addr: MemAddr::imm(Reg::SP, 8),
+            })
+            .unwrap();
+        // No index -> no ADD.W prefix (byte-identical frame access).
+        assert_ne!(
+            &frame[0..2],
+            &[0x0b, 0xeb],
+            "frame (non-indexed) I64Ldr must NOT emit an ADD.W"
+        );
+    }
+
     #[test]
     fn test_encode_i64_str_thumb2() {
         let encoder = ArmEncoder::new_thumb2();