Panic when the same external CPI (returning Final) appears in multiple programs in the

Mohammad Fawaz · Mohammad Fawaz · commit e632f89b77df · 2026-04-06T10:49:35.000-04:00
import tree
diff --git a/crates/fmt/src/format.rs b/crates/fmt/src/format.rs
@@ -264,6 +264,15 @@ fn format_root(node: &SyntaxNode, out: &mut Output) {
 }
 
 fn format_program(node: &SyntaxNode, out: &mut Output) {
+    // AVM-style stub declarations (`program foo.aleo;`) have no L_BRACE.  The
+    // rowan parser treats the missing `{` as an error and may absorb the rest of
+    // the file as ERROR children via recovery.  Reformatting such a node would
+    // silently drop all that recovered content, so emit it verbatim instead.
+    if !has_token(node, L_BRACE) {
+        write_node_verbatim(node, out);
+        return;
+    }
+
     let elems = elements(node);
 
     // Check if there are any items in the program body.
diff --git a/crates/passes/src/code_generation/visitor.rs b/crates/passes/src/code_generation/visitor.rs
@@ -75,22 +75,6 @@ impl CodeGeneratingVisitor<'_> {
 
         match &self.state.ast {
             Ast::Program(program) => {
-                // Register all composites and mappings first for Aleo
-                // stubs since they are added afterterwards and are not in a
-                // topological order
-                for stub in program.stubs.values() {
-                    if let leo_ast::Stub::FromAleo { program, .. } = stub {
-                        for (name, _) in &program.mappings {
-                            self.global_mapping
-                                .insert(Location::new(program.stub_id.as_symbol(), vec![*name]), name.to_string());
-                        }
-                        for (name, leo_ast::Composite { is_record, .. }) in &program.composites {
-                            self.composite_mapping
-                                .insert(Location::new(program.stub_id.as_symbol(), vec![*name]), *is_record);
-                        }
-                    }
-                }
-
                 for stub in program.stubs.values() {
                     match stub {
                         leo_ast::Stub::FromLeo { program, .. } => {
@@ -116,7 +100,19 @@ impl CodeGeneratingVisitor<'_> {
                                 bytecode: bytecode.to_string(),
                             });
                         }
-                        leo_ast::Stub::FromAleo { .. } | leo_ast::Stub::FromLibrary { .. } => {}
+                        leo_ast::Stub::FromAleo { program, .. } => {
+                            for (name, _) in &program.mappings {
+                                self.global_mapping
+                                    .insert(Location::new(program.stub_id.as_symbol(), vec![*name]), name.to_string());
+                            }
+                            for (name, leo_ast::Composite { is_record, .. }) in &program.composites {
+                                self.composite_mapping
+                                    .insert(Location::new(program.stub_id.as_symbol(), vec![*name]), *is_record);
+                            }
+                        }
+                        leo_ast::Stub::FromLibrary { .. } => {
+                            // no-op
+                        }
                     }
                 }
             }
diff --git a/crates/passes/src/monomorphization/program.rs b/crates/passes/src/monomorphization/program.rs
@@ -275,6 +275,11 @@ impl ProgramReconstructor for MonomorphizationVisitor<'_> {
         // 5. FromLibrary/FromAleo stubs are processed AFTER program_scopes, so that
         //    reconstruct_library can collect monomorphized composites from reconstructed_composites.
 
+        // Capture the original stub insertion order before partitioning, so we can
+        // reassemble stubs in their original order after processing.  The type-checking
+        // pass that runs after monomorphization depends on this order.
+        let stub_key_order: Vec<_> = input.stubs.keys().cloned().collect();
+
         // Partition stubs early (non-consuming borrow not possible, so partition now and
         // process in two phases).
         let (from_leo_stubs, other_stubs): (Vec<_>, Vec<_>) =
@@ -388,8 +393,20 @@ impl ProgramReconstructor for MonomorphizationVisitor<'_> {
         let other_stubs: indexmap::IndexMap<_, _> =
             other_stubs.into_iter().map(|(id, stub)| (id, self.reconstruct_stub(stub))).collect();
 
-        // Combine stubs (FromLeo first, then others) preserving stable ordering.
-        let stubs = from_leo_stubs.into_iter().chain(other_stubs).collect();
+        // Reassemble stubs in their original insertion order so that the type-checking
+        // pass that follows sees them in the same sequence they had before monomorphization.
+        let mut from_leo_map = from_leo_stubs;
+        let mut other_map = other_stubs;
+        let stubs = stub_key_order
+            .into_iter()
+            .map(|id| {
+                let stub = from_leo_map
+                    .swap_remove(&id)
+                    .or_else(|| other_map.swap_remove(&id))
+                    .expect("every stub key must appear in exactly one partition");
+                (id, stub)
+            })
+            .collect();
 
         // Reconstruct modules after `self.reconstructed_composites` and `self.reconstructed_functions`
         // have been populated.
diff --git a/tests/expectations/compiler/dynamic_dispatch/shared_cpi_in_import_tree.out b/tests/expectations/compiler/dynamic_dispatch/shared_cpi_in_import_tree.out
@@ -0,0 +1,77 @@
+import credits.aleo;
+program program_b.aleo;
+
+function withdraw:
+    input r0 as address.private;
+    input r1 as u64.public;
+    call credits.aleo/transfer_public_to_private r0 r1 into r2 r3;
+    async withdraw r3 into r4;
+    output r2 as credits.aleo/credits.record;
+    output r4 as program_b.aleo/withdraw.future;
+
+finalize withdraw:
+    input r0 as credits.aleo/transfer_public_to_private.future;
+    await r0;
+
+constructor:
+    assert.eq edition 0u16;
+// --- Next Program --- //
+import program_b.aleo;
+import credits.aleo;
+program program_a.aleo;
+
+function payout:
+    input r0 as address.private;
+    input r1 as u64.public;
+    call credits.aleo/transfer_public_to_private r0 r1 into r2 r3;
+    async payout r3 into r4;
+    output r2 as credits.aleo/credits.record;
+    output r4 as program_a.aleo/payout.future;
+
+finalize payout:
+    input r0 as credits.aleo/transfer_public_to_private.future;
+    await r0;
+
+constructor:
+    assert.eq edition 0u16;
+
+
+---
+Note: Treating dependencies as Aleo produces different results:
+
+import credits.aleo;
+program program_b.aleo;
+
+function withdraw:
+    input r0 as address.private;
+    input r1 as u64.public;
+    call credits.aleo/transfer_public_to_private r0 r1 into r2 r3;
+    async withdraw r3 into r4;
+    output r2 as credits.aleo/credits.record;
+    output r4 as program_b.aleo/withdraw.future;
+
+finalize withdraw:
+    input r0 as credits.aleo/transfer_public_to_private.future;
+    await r0;
+
+constructor:
+    assert.eq edition 0u16;
+// --- Next Program --- //
+import credits.aleo;
+import program_b.aleo;
+program program_a.aleo;
+
+function payout:
+    input r0 as address.private;
+    input r1 as u64.public;
+    call credits.aleo/transfer_public_to_private r0 r1 into r2 r3;
+    async payout r3 into r4;
+    output r2 as credits.aleo/credits.record;
+    output r4 as program_a.aleo/payout.future;
+
+finalize payout:
+    input r0 as credits.aleo/transfer_public_to_private.future;
+    await r0;
+
+constructor:
+    assert.eq edition 0u16;
diff --git a/tests/tests/compiler/dynamic_dispatch/shared_cpi_in_import_tree.leo b/tests/tests/compiler/dynamic_dispatch/shared_cpi_in_import_tree.leo
@@ -0,0 +1,65 @@
+// Test that two programs in the import tree can each call the same external CPI
+// function that returns a Final without triggering "Finalization not found".
+//
+// The bug: when the FromAleo stub (credits.aleo) appears after the FromLeo stub
+// (program_b.aleo) in the stubs map, the type checker would try to look up finalize
+// types for credits.aleo before they were populated, causing a panic.
+
+// --- aleo stub --- //
+program credits.aleo;
+
+record credits:
+    owner as address.private;
+    amount as u64.private;
+
+function transfer_public_to_private:
+    input r0 as address.private;
+    input r1 as u64.private;
+    cast r0 r1 into r2 as credits.record;
+    async transfer_public_to_private into r3;
+    output r2 as credits.record;
+    output r3 as credits.aleo/transfer_public_to_private.future;
+
+finalize transfer_public_to_private:
+    assert.eq 1u8 1u8;
+
+// --- Next Program --- //
+
+import credits.aleo;
+
+program program_b.aleo {
+    @noupgrade
+    constructor() {}
+
+    fn withdraw(
+        owner: address,
+        public amount: u64,
+    ) -> (credits.aleo::credits, Final) {
+        let (c, f): (credits.aleo::credits, Final) =
+            credits.aleo::transfer_public_to_private(owner, amount);
+        return (c, final {
+            f.run();
+        });
+    }
+}
+
+// --- Next Program --- //
+
+import program_b.aleo;
+import credits.aleo;
+
+program program_a.aleo {
+    @noupgrade
+    constructor() {}
+
+    fn payout(
+        recipient: address,
+        public amount: u64,
+    ) -> (credits.aleo::credits, Final) {
+        let (c, f): (credits.aleo::credits, Final) =
+            credits.aleo::transfer_public_to_private(recipient, amount);
+        return (c, final {
+            f.run();
+        });
+    }
+}
