So if I understand correctly, this doesn't account for user-introduced unsafety? It only accounts for when users reference an unsafe function?

Depends on what you mean by "user-introduced", since users also introduce definitions. It will only catch unsafe operations if the unsafe operation is contained in a definition, and a reference to that definition is directly duplicated.

For example, exponentiation of church naturals (which I think should behave poorly in IC?)

unsf = @f @x (f (f x))
main = (unsf unsf)

This currently gets compiled to

@main = a
  & @unsf ~ (@unsf a)

@unsf = ({(b c) (a b)} (a c))

which is correctly marked as unsafe. We could also do

@main = a
  & ({(b c) (d b)} (d c)) ~ (({(b c) (d b)} (d c)) a)

which is not marked as unsafe, and does not terminate (loops forever)

@developedby this PR breaks (surprisingly only) one of the tests in Bend, guide_shader_dummy.bend:

# given a shader, returns a square image
def render(depth, shader):
  bend d = 0, i = 0:
    when d < depth:
      color = (fork(d+1, i*2+0), fork(d+1, i*2+1))
    else:
      width = depth / 2
      color = shader(i % width, i / width)
  return color

# given a position, returns a color
# for this demo, it just busy loops
def demo_shader(x, y):
  bend i = 0:
    when i < 10:
      color = fork(i + 1)
    else:
      color = 0x000001
  return color

# renders a 256x256 image using demo_shader
def main:
  return render(5, demo_shader)

demo_shader is marked as unsafe since it duplicates i, and the program fails with the "ERROR: attempt to clone a non-affine global reference." error when render duplicates that function.

This is a very natural program to write, and the safety check this PR introduces will probably break many more programs created by users of Bend. I'm not sure how to deal with this... Should we really add this check in the way it's done by this PR, or should we do something else?

@developedby this PR breaks (surprisingly only) one of the tests in Bend, guide_shader_dummy.bend:

# given a shader, returns a square image
def render(depth, shader):
  bend d = 0, i = 0:
    when d < depth:
      color = (fork(d+1, i*2+0), fork(d+1, i*2+1))
    else:
      width = depth / 2
      color = shader(i % width, i / width)
  return color

# given a position, returns a color
# for this demo, it just busy loops
def demo_shader(x, y):
  bend i = 0:
    when i < 10:
      color = fork(i + 1)
    else:
      color = 0x000001
  return color

# renders a 256x256 image using demo_shader
def main:
  return render(5, demo_shader)

demo_shader is marked as unsafe since it duplicates i, and the program fails with the "ERROR: attempt to clone a non-affine global reference." error when render duplicates that function.

This is a very natural program to write, and the safety check this PR introduces will probably break many more programs created by users of Bend. I'm not sure how to deal with this... Should we really add this check in the way it's done by this PR, or should we do something else?

Yes, this is the intended behaviour and a big limitation of hvm32

If we plan on continuing with hvm32 for a lot longer, I should probably add some monomorphization system to Bend to avoid hitting this limitation so often

All suggestions were resolved
Any other details or should we merge it? @enricozb @developedby @tjjfvi

fine by me, although slight nit: direct_dependencies_reversed could instead be named direct_dependents (with similar naming changes made elsewhere)