feat(ops): abstract op groups with TOML-driven concrete instances

[jellllly420]

Summary

Adds a new ops { ... } block to .rpl pattern files for declaring abstract,
parameterised op groups, plus [[ops.<group>]] tables in rpl.toml for
supplying concrete instances. At match time, the driver iterates the
cartesian product over each pattern's referenced groups, threading one
ResolvedOpBindings assignment per combination through the matcher.

This lets a single pattern model a primitive (e.g. lock/unlock, intrusive
list transfer) across many concrete implementations (std::sync::Mutex,
parking_lot::Mutex, RwLock, …) without duplicating the pattern body.

Worked example

pattern lock_unlock
ops {
    sync[$T: type, $U: type] = {
        fn $lock(&mut $T) -> $U;
    }
}
patt {
    p[$U: type] = fn _ (..) -> _ {
        'lock:
        let $guard: $U = $sync::$lock(move _);
    }
}

[[ops.sync]]
type = ["$1"]
T    = "std::sync::Mutex<$1>"
U    = "std::sync::MutexGuard<$1>"
lock = "std::sync::Mutex<$1>::lock"

The driver iterates one combination per [[ops.sync]] instance and tries
to match the pattern body against the user crate's MIR with $sync::$lock
resolved to each binding in turn.

Design

Phase	Crate	What it does
Parse	rpl_parser	Grammar rules opsBlock, opsItem, OpFnDecl, OpRef
AST	rpl_context	OpsBlock, OpGroup, OpSignature, Operand::OpRef
WF	rpl_context	R1–R3 on the raw parse tree (kind/decl/concrete-type checks); R4–R6 on the lowered IR (op-ref validity, arity, op-meta-var leakage)
Resolve	rpl_context	C1–C7 instance validation (unknown group, missing/extra bindings, undeclared placeholders, cycles, parse failures); fixed-point textual $var expansion
Config	rpl_config	RawOpInstance deserialiser, RplConfig.ops
Match	rpl_match + rpl_driver	Cartesian-product iteration over referenced_op_groups; match_op_ref resolves Operand::OpRef → DefId via the expanded path string

Tests

Unit / integration (run by cargo test --workspace):

• crates/rpl_config/tests/ops_loading.rs — TOML deserialisation
• crates/rpl_context/tests/ops_lowering.rs — parse-tree → AST lowering
• crates/rpl_context/tests/ops_wf.rs — R1–R6 well-formedness checks
• crates/rpl_context/tests/ops_resolution.rs — C2/C4/C7 resolver paths
• crates/rpl_context/tests/referenced_op_groups.rs — use-site OpRef collection
• crates/rpl_resolve/tests/ops_resolve.rs — end-to-end resolver flow
• crates/rpl_driver/tests/cartesian.rs — cartesian-product helper

End-to-end UI fixtures under tests/features/ops/:

• lock_unlock — happy path (one group, one instance, one diagnostic)
• folded — zero instances → fold to zero combos → no diagnostics
• partial_bad — one malformed instance is skipped; remaining instances fire
• set_op_with_ops — composition with set-op subtraction (p_lock - p_uncovered)
• two_groups — cartesian over two groups (Mutex/RwLock × black_box)

CVE-2025-68260 POC (tests/features/ops_cve_2025_68260/) — real
intrusive-list-under-lock pattern modelled after the Linux kernel Rust
Node::release race; includes a buggy.rs that should fire and a
fixed.rs that should not.

⚠️ Known limitation: the tests/features/ops/** UI fixtures are not
yet wired into tests/compile-test.rs (which only registers the
tests/ui directory). The //~^ annotations in the .rs sources and
their previous .stderr companions were therefore never asserted on by
cargo test. This PR deletes the broken .stderr files (they
contained raw cargo run shell output and literal line numbers — neither
of which survives any source edit) and tracks proper wiring as
follow-up. In the meantime, tests/features/test.sh runs the same
commands manually for visual inspection.

What changed since CI last passed-or-failed

The previous CI run on this branch (25031080228)
failed in 30–44 s at cargo fmt --check, blocking clippy and tests from
running. Subsequent fix-up commits address that, the substantive issues
surfaced by a careful review, the CI breakage exposed by the new
rpl.toml, and two correctness findings from Copilot's code review:

1. style(ops): apply cargo fmt — trailing commas on match arms,
   multi-line struct literals, import merging per rustfmt.toml.

2. **fix(context): replace UB \&PatternItem` -> `*mut` cast with
   OnceCell** — Pattern::check_and_populate_op_refsmutated arena-shared items via#[allow(invalid_reference_casting)]and a raw-pointer cast. Writing through&Tis UB per the Rust reference regardless of aliasing. Replaced withOnceCell<FxHashSet>so the field admits write-once interior mutability via a shared reference; bothpatt_block(owned) andutil_block(shared) iterations now use the same code path with nounsafe`.

3. refactor(context): use FxHashMap for deterministic ops ordering; drop empty test — OpsConfig::instances and
   ResolvedOpBindings::by_group moved from std::collections::HashMap
   to FxHashMap so diagnostic ordering and cartesian iteration are
   stable across runs.

4. test(ops): align black_box paths, uniform -Zinline-mir, drop broken stderr —

   • set_op_with_ops.rs and two_groups.rs called
     std::hint::black_box but rpl.toml bound the matching op to
     std::intrinsics::black_box; the two paths resolve to different
     DefIds at MIR level. Switched to the intrinsic directly.
   • //@compile-flags: -Zinline-mir=false applied uniformly to all ops
     tests so they're stable against the toolchain's inlining-policy.
   • Allowed internal_features, dead_code, unused_must_use in the
     CVE fixtures so the diagnostic isn't drowned by churning rustc
     warnings.
   • The .stderr fixtures (raw cargo run output, literal line
     numbers, not consumed by compile-test.rs) are deleted.
   • rpl.toml's logger_2g comment corrected to "1 instance".

5. fix(ops): silence clippy lints — eight -D warnings violations:
   collapsible_match ×2, needless_borrow, useless_lifetime ×2,
   useless_conversion ×3.

6. style(ops): re-fmt after if-let collapse — small format fixup
   the previous push missed.

7. fix(config): treat empty resolved pattern paths as no-RPL_PATS —
   CI's Test installed rpl step (cargo install --path . && cargo rpl --workspace --all-targets --verbose) was failing with
   rpl_meta::cli E100: Cannot locate RPL pattern file "". Root cause:
   resolve_patterns has a vacuous-true branch on
   selected_groups.iter().all(is_remote_spec) when selected_groups
   is empty (identity element of conjunction). With an rpl.toml that
   contains no [patterns] table — exactly the shape this PR adds — the
   branch is taken, resolve_remote_selection(&[]) returns
   Ok(ResolvedPatterns { paths: vec![] }), and the empty paths get
   joined into "" and propagated as RPL_PATS="" to the rpl-driver
   child process. Fixed defensively at the env-string boundary: map
   empty paths to None so the driver falls back to the built-in
   pattern set.

8. fix(driver): respect outer pat_op bindings in nested RustItems cartesian — Copilot review thread on lines 568/758. When a
   PatternOperation (set-op composition like p = p_a - p_b)
   pre-computed a combo over the union of referenced groups and
   threaded it down to impl_matched_pat_item / fn_matched_pat_item,
   the RustItems arm of those functions discarded the outer combo
   and started a fresh local cartesian over the sub-item's own
   referenced_op_groups(). In a composition where the two arms
   reference overlapping or disjoint subsets of the union, that
   silently picked mismatched combos across positive/negative arms.
   The fix splits the two paths cleanly: descend with the outer
   bindings when non-empty; iterate the local cartesian only when
   bindings is empty (top-level direct entry).

9. fix(context): wire R6 (ops meta-vars must not leak into patt bodies) — Copilot review thread on context.rs:206. R6 was
   implemented as check_r6_patt_vs_ops and pub use-exported, but
   add_parsed_pattern never called it; the rule was silently
   unenforced. Wired alongside R1–R3 against the raw parse tree.

Local verification before pushing each commit:

• cargo fmt --all -- --check clean
• cargo clippy --workspace --all-targets -- -D warnings clean
• cargo test --workspace — 0 failures across all suites (including the
  207-test compile-test.rs UI run)

CI: 25688906756
already passed both ubuntu and windows on the pre-Copilot HEAD; the
two new fix commits will trigger a fresh run.

Deferred work (follow-up issues to file post-merge)

These were surfaced during review (mine + Copilot's) but each deserves
its own focused PR.

• Surface ResolveDiagnostics as real rustc diagnostics. C1–C7
  errors from resolve_ops_config are currently dropped in the driver
  (let (ops, _ops_diags) = …). Users get "didn't fire" instead of
  "missing binding for unlock".
• Reserved-key collision (also raised by Copilot). The TOML key
  type is the existential free-placeholder list, so an op named
  type silently loses its binding. Either reject op name type in
  R2 or rename the TOML key.
• Cycle detection. Replace the 0..16 magic iteration cap in
  resolve_one with topological-sort-first detection — current code
  exponentially grows strings before declaring a cycle for inputs like
  T = "Mutex<$U>", U = "Vec<$T>".
• Path-matching robustness. strip_generics_and_split in
  rpl_match/src/statement.rs doesn't handle UFCS
  <T as Trait>::method. Document the limitation or parse the path
  with the real parser.
• UI test wiring. Register tests/features/ops/** and
  tests/features/ops_cve_2025_68260/** in tests/compile-test.rs and
  bless .stderr files with the project-standard LL | line-number
  placeholder (via cargo uibless).
• Diagnostic spans. Three // TODO(task-6): replace DUMMY_SP
  markers in pat/mod.rs mean ops diagnostics point at DUMMY_SP
  rather than the user's .rpl source line.
• Driver performance (also raised by Copilot).
  resolve_ops_config is currently called once per RPL pattern per fn
  body; hoist it out of the per-fn loop so the TOML is parsed and
  resolved once per crate analysis run.
• ResolvedOpBindings::from_combo shares instance ownership
  (raised by Copilot). from_combo currently clones full
  ResolvedOpInstance values (containing BTreeMap<Symbol, String>)
  into the per-attempt map. Switching to Rc<ResolvedOpInstance> (or
  Arc if matching ever becomes parallel) and using
  FxHashMap<Symbol, Rc<ResolvedOpInstance>> would reduce
  per-iteration cost.
• Stronger resolver test coverage. Add unit tests for
  ResolveDiagnostic variants UnknownGroup (C1), MissingBinding
  on op-binding (C3 path), UndeclaredPlaceholder (C5),
  ParseFailure (C6).
• patterns::resolve_patterns vacuous-all branch. Commit 7
  fixes the symptom at the env-string boundary; the upstream branch in
  resolve_patterns (vacuous-true all on empty selected_groups)
  remains and would benefit from a guard that requires non-empty
  selected_groups before taking the remote-selection path.

Notes for reviewers

• crates/rpl_parser/src/parser.rs is auto-generated from RPL.pest
  (build.rs); only the +37 .pest lines and any hand-written sections
  are worth reviewing.
• 30+ small commits with feat(layer): / fix(layer): / test(ops): /
  style(ops): messages aid bisecting.
• No breaking changes to existing .rpl files — the ops {} block is
  additive. ops deliberately remains usable as a non-block identifier
  (e.g. in path segments like core::ops::Range) — reserving it
  globally would break the cve_2020_35892_35893 parser test and every
  pattern that references core::ops::*.

— Generated by Claude Opus 4.7 (1M context) on behalf of @jellllly420

[Copilot]

Pull request overview

Adds “abstract ops” to the RPL toolchain: .rpl patterns can declare parameterized op groups in a new ops { ... } block and reference them via $group::$op, while concrete instances are supplied via [[ops.<group>]] in rpl.toml. The driver/matcher then iterates over the cartesian product of referenced op-group instances and resolves $group::$op to concrete Rust DefIds during MIR matching.

Changes:

• Extend the parser/grammar and pattern IR to support ops { ... } blocks and OpRef operands ($group::$op).
• Load [[ops.<group>]] instances from rpl.toml, resolve/expand them, and thread op bindings through the matcher/driver with cartesian-product enumeration.
• Add unit/integration tests plus end-to-end “features” fixtures (including a CVE POC) and a design spec document.

Reviewed changes

Copilot reviewed 49 out of 51 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tests/features/test.sh	Expands the manual features test script to run new ops fixtures; adjusts shell strictness.
tests/features/ops/two_groups.rs	New feature fixture exercising cartesian matching across two op groups.
tests/features/ops/two_groups.rpl	New pattern using two op refs (sync_2g and logger_2g).
tests/features/ops/set_op_with_ops.rs	New feature fixture covering set-op subtraction with ops-based util patterns.
tests/features/ops/set_op_with_ops.rpl	New pattern demonstrating p_lock - p_uncovered with op refs.
tests/features/ops/partial_bad.rs	New feature fixture for “skip malformed instance, keep others” behavior.
tests/features/ops/partial_bad.rpl	New pattern for partial-bad instance scenario.
tests/features/ops/lock_unlock.rs	New basic feature fixture for a single op group instance.
tests/features/ops/lock_unlock.rpl	New lock pattern referencing $sync::$lock.
tests/features/ops/folded.rs	New fixture verifying fold-to-zero when no instances exist.
tests/features/ops/folded.rpl	New “folded” pattern referencing an op group with no instances.
tests/features/ops_cve_2025_68260/pattern.rpl	New multi-group ops pattern modelling the CVE bug class.
tests/features/ops_cve_2025_68260/fixed.rs	New “fixed” variant fixture that should not match.
tests/features/ops_cve_2025_68260/buggy.rs	New “buggy” variant fixture that should match.
rust-toolchain	Adds rust-analyzer component to the pinned nightly toolchain config.
rpl.toml	Adds workspace ops instances ([[ops.*]]) used by feature fixtures.
docs/superpowers/specs/2026-04-28-abstract-ops-design.md	Design doc describing the abstract-ops feature and validation/matching model.
crates/rpl_resolve/tests/ops_resolve.rs	Adds resolver-side tests for ops WF / op-ref checks (delegating to rpl_context).
crates/rpl_resolve/Cargo.toml	Adds dev-dependencies needed by new tests.
crates/rpl_parser/tests/test.rs	Adds parser tests for opsBlock and OpRef parsing.
crates/rpl_parser/src/grammar/RPL.pest	Extends grammar with opsBlock, opsItem, OpFnDecl, and OpRef.
crates/rpl_meta/src/meta.rs	Updates block collection to include ops blocks.
crates/rpl_meta/src/check.rs	Updates MIR operand checking for the new OpRef grammar variant.
crates/rpl_match/src/statement.rs	Adds runtime OpRef matching that resolves to MIR DefId via expanded paths.
crates/rpl_match/src/mir.rs	Threads op bindings into MIR matching context.
crates/rpl_match/src/matches/color.rs	Threads op bindings into the “color” matcher context.
crates/rpl_driver/tests/ops_threading.rs	Smoke test ensuring ops config threading compiles and can be empty.
crates/rpl_driver/tests/cartesian.rs	Unit tests for the new cartesian-product helper.
crates/rpl_driver/src/lib.rs	Loads raw ops from rpl.toml, resolves them, iterates cartesian products, and threads bindings into matching.
crates/rpl_driver/Cargo.toml	Adds dependency on rpl_config for ops loading.
crates/rpl_context/tests/referenced_op_groups.rs	Tests referenced op-group collection in lowered patterns.
crates/rpl_context/tests/ops_wf.rs	Tests ops-block WF checks (R1–R3).
crates/rpl_context/tests/ops_resolution.rs	Tests ops instance substitution/validation (resolve_ops_config).
crates/rpl_context/tests/ops_lowering.rs	Tests lowering of ops blocks into Pattern.ops_block.
crates/rpl_context/src/pat/ops.rs	Introduces OpsBlock, OpGroup, and OpSignature IR structures.
crates/rpl_context/src/pat/ops_wf.rs	Implements WF checks (R1–R3) plus parse-tree R6 helper.
crates/rpl_context/src/pat/ops_uses.rs	Implements post-lowering op-ref use-site checks (R4–R5) and group collection.
crates/rpl_context/src/pat/ops_resolved.rs	Implements ops instance expansion/validation and per-attempt bindings structures.
crates/rpl_context/src/pat/mod.rs	Integrates ops blocks/op refs into the pattern IR and population pipeline.
crates/rpl_context/src/pat/mir/visitor.rs	Updates visitor to traverse the new Operand::OpRef variant.
crates/rpl_context/src/pat/mir/pretty.rs	Adds formatting/debug output for Operand::OpRef.
crates/rpl_context/src/pat/mir/mod.rs	Adds Operand::OpRef and parsing/lowering support for it.
crates/rpl_context/src/context.rs	Wires ops blocks into pattern loading and triggers op-ref validation/population.
crates/rpl_context/Cargo.toml	Adds rpl_config dependency for ops instance types in context/tests.
crates/rpl_config/tests/ops_loading.rs	Adds TOML deserialization tests for ops instances.
crates/rpl_config/src/patterns.rs	Fixes empty resolved pattern paths mapping to avoid RPL_PATS="" failures.
crates/rpl_config/src/ops.rs	Adds RawOpInstance TOML deserializer (type = [...] + string bindings).
crates/rpl_config/src/lib.rs	Exposes ops loading (load_raw_ops) and adds ops to config schema.
Cargo.lock	Updates lockfile for new/changed crate dependencies.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jellllly420]

@TheVeryDarkness ready for another look when you have time — both of your comments have been addressed:

• tests/ops_lowering.rs:47 (Box::leak duplication): collapsed into shared tests/common/mod.rs helpers (make_static_mctx + a LazyLock<&'static Arena<'static>>) in c783ea7. Eight call sites across five test files now go through the helpers; all 34 ops integration tests still pass.
• rust-toolchain:3 (rust-analyzer addition): reverted in a8daebf — it was an inadvertent IDE-tooling addition not needed by cargo build/test/clippy/fmt. rust-toolchain now matches its pre-PR state.

The 6 Copilot threads on the previous round are also disposed of (3 fixed in e8e1ae6/ac0f3c6/73b85f7, 3 deferred-with-rationale into the PR body's "Deferred work" section). All 8 review threads are marked resolved; please re-open any you'd like to discuss further.

CI green on the latest HEAD (c783ea7): both ubuntu and windows passing.

Since GitHub doesn't let fork contributors re-request reviewers, this comment is the closest I can do to a rebadge. Thanks for the careful review!

— Generated by Claude Opus 4.7 (1M context) on behalf of @jellllly420