"Full Java support" does not mean rewriting everything in Rust. It means accepting all Java.
>
Approximately 60,000 differential test cases + SMT full 2³² input machine proof + Hybrid 330 programs + 1,053 exception boundaries + "first genuine non-vacuous" HybridDemo total=550 matches — SlimeJava walks a fundamentally different path from the LLM industry's "nearly equivalent."
Preamble — Why All-or-Nothing?
The modern software industry debate — "LLM-based transformation vs. formal methods," "probabilistic AI vs. deterministic AI," "neural vs. symbolic" — originates in the 1960 fork point when Lisp and COBOL were born almost simultaneously. SlimeJava is an attempt to repair 60 years of separation between mathematical theory and IT engineering using Java, the industry's central language.
This article focuses exclusively on SlimeJava itself, laying out its design philosophy, empirical data, honest limitation disclosure, and future roadmap in a single coherent narrative. It is an all-or-nothing exposition for all engineers working with Java, auditors, CTOs, and researchers.
Chapter 1 — Design Philosophy: "Don't understand meaning; transcribe structure"
"Understanding" is precisely why we fail at bit-exact
There is a structural defect in the approach of "understanding" Java semantics and rewriting it.
| | Semantic-understanding approach | SlimeJava |
|---|---|---|
| Interpretation varies by person | Structure is unambiguous and unique |
| Variation bleeds into migration | Structure preservation yields zero variation |
| "Nearly equivalent" is the limit | Exact match to 1 bit |
| LLM probabilistic generation | No LLM; zero probability in the path |
SlimeJava treats source as structure (unambiguous, unique), projects it onto Slot IR via homomorphism (π), and transcribes into Rust while preserving structure. Because it bypasses the semantic layer, the result is mathematically rigorous — output matches to 1 bit every time it runs.
Absolute rule: isolate, don't confabulate
We never output "nearly equivalent" or "semantically identical" results.
If input contains syntax outside the static subset, SlimeJava sends that function to the isolation barrier and silently does not translate it — it returns the reason why.
Rather than guess and convert, we choose not to convert.
This is a philosophical decision, not a technical one. It is the opposite stance from the LLM industry's "output at all costs."
Chapter 2 — Full Java Support: Hybrid Bit-Exact Isolate
Redefining "full Java support"
"Full Java support" does not mean rewriting everything in Rust
(Objects/String/double/reflection cannot be bit-exactly Rust-ified)
It means accepting all Java.
We automatically partition any Java into three regions, and apply the strongest honest guarantee for each:
| Region | Conversion target | Guarantee |
|---|---|---|
| Static core (integers/control/arrays/bitwise) | → Pure Rust | 100% bit-exact (+ SMT full-input formal proof possible) |
| Dynamic (objects/String/double/HashMap/reflection) | → Java as-is, deterministic JVM Isolate | Fixed JVM assumption 95–99% (CI maintained) |
| True non-determinism (seed-free random/wall-clock/I/O/true concurrency) | → reject | No bit-exact guarantee (explicit) |
Core insight: Do not reinvent dynamic Java in Rust. Let dynamic Java generate meaning in Java (deterministic JVM). Preserve bit-exactness by not understanding — extending SlimeJava's philosophy into the dynamic realm. Isomorphic structure with SlimePython §14.
Acceptance rate (measured) — Breaking the 37% wall of static-only
| Corpus (real code) | Static→Rust | Dynamic→JVM Isolate | Non-determinism→reject | Hybrid acceptance rate |
|---|---|---|---|---|
| Real OpenJDK Integer/Long/Math/Short | 17.5% | 82.1% | 0.4% | 99.6% |
| Real applications (19,950 methods) | 0.5% | 98.2% | 1.3% | 98.7% |
| Dynamic-heavy (reflection/lambdas) | 1.6% | 98.4% | 0% | 100% |
Honest separation: 99% acceptance ≠ "everything Rust-ified"
99% acceptance rate on the Hybrid means "we can handle all Java," but it does not mean "100% transmuted to Rust." The bit-exact Rust transpilation, reaping the benefits of lightness, 41× startup, and SMT full-input formal proof, applies only to the static core (left column of the table above). The rest stays as Java in the deterministic JVM Isolate (95–99% under fixed JVM assumption; cross-version drift suppressed by CI operations). True non-determinism is rejected. We never claim "Hybrid totality always 100%" (avoiding AI trap #17).
Chapter 3 — Gapless Proof: Differential Fuzzing ~60,000 Cases
Testing can prove "there are holes" but cannot rigorously prove "there are no holes." Therefore, we attack using differential fuzzing (Csmith style) — the method used in C compiler validation: generate massive quantities of random subset Java, byte-compare against Java (the authoritative two's-complement wrapping) and generated Rust. Any single byte deviation counts as a hole; we fix it.
| Technique | Contents | Cases | Result |
|---|---|---|---|
| Random differential fuzz (scalar) | 2,250 random subset Java programs | 53,932 | ✅ All bytes match |
| Random differential fuzz (with arrays) | 1,440 (adding array index read/write, length, new, OOB exception) | 50,460 | ✅ All bytes match |
| Exhaustive extreme-value sweep | All binary ops × extreme pairs² {MIN, MIN+1, −1, 0, 1, 2, MAX−1, MAX}, shift amounts, int↔long promotion | 2,900 | ✅ All bytes match |
| Real OpenJDK Integer/Long verbatim | 23 self-contained methods | 603 | ✅ All SHA-256 match |
Total: ~60,000 cases of perfect Java↔Rust byte alignment; zero deviation. Even across real 19,950 methods, zero false-accepts.
Honest caveat
Differential testing demonstrates the absence of holes in the tested space with high confidence. It is not formal proof (that requires verified validator / Coq). "Gapless" has a practical meaning. We avoid vacuous claims and do not call unmeasured ranges 100%.
Chapter 4 — Formal Verification: Machine Proof of All Inputs via SMT
Differential testing is sampling. We model integers as two's-complement = SMT bit-vector theory with strict formality, and have Z3 prove that all inputs of the transpiler output are equal to an independent mathematical specification (UNSAT = no counterexample = proof).
| Target | Specification | Result |
|---|---|---|
| bitCount (32 & 64-bit) | == popcount (SWAR hex-mask-chain population count) | ✅ Proved for all 2³² / all 2⁶⁴ inputs |
| reverseBytes / rotateLeft/Right / signum / lowestOneBit | byte reversal / rotate / sign / i&-i | ✅ Proved for both 32 & 64-bit (12 methods total) |
| Division (b≠0): a/b == bvsdiv, a%b == SRem | Round toward zero / sign is dividend's | ✅ Proved for both int and long |
| Div-mod invariant a==(a/b)*b+(a%b) | (division × multiplication non-linear) | ⏱ Timeout (undecided = requires bit-blast tuning; no counterexample) |
Tally: 20 formally proven cases / 0 counterexamples / 2 timeouts. Zero counterexamples = no input violates bit-exactness. The sole undecided is the non-linear div-mod invariant only (value and sign proved correct, correctness guaranteed).
Two-tier guarantee
Primitives are proved via SMT on all inputs; composition, loops, and arrays are verified via ~60,000 differential tests. We substantially eliminate the weakness that "it is not formal proof." This is a different order of magnitude from LLM transpilation tools ("semantically nearly equivalent").
Chapter 5 — Hidden Traps in Java Integers: Bit-Exact Reproduction in Rust
Java and Rust have different integer semantics. Naively mapping + to + silently breaks (Rust's + panics on overflow; if constant, compilation rejects). SlimeJava mechanically generates the right column, reproducing Java behavior to 1 bit exactly.
| Java syntax | Java semantics | Generated bit-exact Rust |
|---|---|---|
| a + b / a * b | Two's-complement wrap | a.wrapping_add(b) etc. |
| a / b / a % b | MIN/−1=MIN, round toward zero, divide-by-zero throws | Plain Result + ? where non-zero provable; Result + ? exceptions otherwise |
| a << b / >> / >>> | Shift amount & 31 (& 63 for long), arithmetic / logical | wrapping_shl/shr, >>> via as uN |
| -a (−MIN) | −MIN = MIN | a.wrapping_neg() |
| int × long | Numeric promotion → long | Each operand promoted to as i64 |
Exceptions are also bit-exact
Java's a/0 throws ArithmeticException: / by zero. SlimeJava does not discard this; it transcribes exception propagation via Rust Result + ?, so both languages output identical byte sequences on exception. Not just the happy path — the entire observable behavior of the program (including exceptions) matches.
Exception-boundary marshaling — 1,053 all match
When the static core (Rust) throws, we reproduce it at the Java boundary with identical exception (type + message):
EXN\t<toString>is output by Rust- Java stub dispatches by class name and re-throws isomorphic instance
toStringmatches exactly
Division-by-zero (ArithmeticException), array-out-of-bounds (Index N out of bounds for length L), negative-size allocation (new int[-n] → NegativeArraySizeException) — verified across 1,053 boundary cases, all match.
Chapter 6 — Automatic Partitioner + Scale Validation
Mixed Java in one command: classify → static core to Rust dispatcher → dynamic to Isolate Java (static calls delegated to Rust via boundary) → Hybrid execution → byte-match original Java + certificate.
$ slimejava-partition HybridDemo2.java
partition: STATIC=[sumw] ISOLATE=[main] REJECT=[]
Original Java : weighted=550 avg=110.0000 label=Q3-report
Hybrid : weighted=550 avg=110.0000 label=Q3-report
Verification : ✅ byte-identical (sha256 b46bd2e5…)Scale validation
Random mixed Java generated in bulk: 330 programs, all byte-identical; 10,800 static-core methods Rust-ified; 2,259 boundary calls verified (zero deviation).
Validated across HashMap, double, TreeMap, sort, String formatting, and cross-dynamic-feature implementations.
Chapter 7 — Performance: Value Is "Lightness, Predictability"
Hot steady-state throughput is a three-way tie. Rust wins on a different axis:
| Axis | JVM | GraalVM-native | Rust (SlimeJava output) |
|---|---|---|---|
| Hot throughput (steady) | Three-way tie — "Rust-ification speeds up" doesn't hold for hot integers | | |
| Startup (short-lived) | 23.4 ms | 1.25 ms | 0.57 ms (~41× vs. JVM) |
| Peak RSS | 41.2 MB | 7.7 MB | 1.9 MB (~22× smaller) |
| Deploy size | 39 MB (minimal JRE) | 8.8 MB | 432 KB (~90× smaller) |
| Tail p99 (GC pressure) | 9.92 ms (jitter 4.6×) | — | 2.29 ms (jitter 1.1×) |
Tail matters
Median is a tie (JVM 2.19 ms / Rust 2.09 ms), but JVM's p99 jumps 4.6× due to GC pauses; Rust has no GC and stays flat (1.1×). For p99/SLA-bounded work (trading, real-time, billing) this is decisive.
→ Value is not "fast" but "light, predictable, bit-exact." Output remains bit-exact under all conditions.
Chapter 8 — Reject Rescue via Seed Injection (Decisionism)
Non-determinism rejects (seed-free Random, wall-clock time) can be determinized by injecting fixed seed / fixed clock, thus promoted to the static core.
Honest crux
This changes behavior (fixed seed ≠ free randomness), so bit-exactness applies only to the "fixed-seed version" = deciding how much determinism to enforce (decisionism, isomorphic to PSDP safety profile). The original free randomness is not preserved.
Proof-of-concept: Inline the LCG of java.util.Random.nextInt(), confirm all seed matches with new Random(seed) → Rust-ify that deterministic sequence with zero byte-diff.
True I/O, true concurrency, native code remain rejected (honestly).
Chapter 9 — Three-Way Collaboration: AI Limits Exposed by Live Runs
Live run report (2026-06-13 → 2026-06-14 → third run)
| Run | Key findings |
|---|---|
| First (2026-06-13) | AI prediction collapse + 6 holes exposed |
| Second (2026-06-14) | Correction of my prior diagnosis (not compound assignment but i++) + 3 fixes |
| Third | Multiple declarations + extended for + LargeScaleMix true Hybrid |
AI itself is a subject of verification
When AI (LLM) produced test code and predictive classification, the live system structurally broke the prediction table. Moreover, AI's own diagnosis ("compound assignments += ^= are the cause") was wrong. The live system revealed the true cause: "++ missing in tokenizer; i++ splits into two + tokens."
This is a living proof of AI meaning-sway vs. bit-exactness.
| Agent | Sway state | Role |
|---|---|---|
| AI | Structurally sways | Propose, supplement |
| Live system / Slot IR | Structurally does not sway | Verify, judge |
| Verification harness | Can sway | Nearly caused false report via Java split(" ") bug |
| Human | Intelligence for structure discovery | Extract invariants, design boundaries, honest disclosure |
→ "AI sways, verification harness sways, only the live system does not sway, humans structure" — the three-way collaboration model. This is the Java-domain instantiation of oblique-reading domain engineering.
Cumulative progress
| Indicator | Before first live run | Current |
|---|---|---|
| Projected | 11 | 18 |
| True end-to-end Hybrid byte-diff | 0 (all vacuous) | 2 (HybridDemo / LargeScaleMix) |
| Holes fixed | — | 5 (++/−−, getenv, vacuous cert, multiple declarations, extended for) |
Chapter 10 — Remaining Holes and Next Actions
Remaining unfixed holes (breaking in integer core)
| Hole | Falling method | Nature |
|---|---|---|
| String literals throw new X("msg") | safeDiv, signDiv, signMod | Tokenizer extension needed |
| byte[] arguments | fnv1a64 | Type system extension needed |
| boolean type/literal | divModConsistent |