fix 2 bugs, Phase 1D split predicate blind to current-decl orelse, Phase 1D split predicate missing next-decl VLA trigger

Author: dawnlarsson

.github/SPEC.md

@@ -680,7 +680,7 @@ GNU statement expressions `({…})` are supported. They get their own scope in t
 
 **Multi-declarator split trigger:** `should_split_multi_decl` forces a statement split at a comma when there are pending `typeof` memsets (`typeof_var_count > 0`) and the next declarator either has an explicit initializer (`has_init`) or is itself a VLA (`is_vla`) — the latter prevents VLA dimension evaluation before a preceding declarator's memset has run (e.g., `int arr[n], matrix[arr[0]][n];` where `arr[0]` must not be evaluated before `memset(&arr, ...)`). Bracket orelse on the next declarator also triggers a split.
 
-**Multi-declarator VM-type split restriction:** When `process_declarators` must split a multi-declarator statement (due to the triggers above), it re-emits the type specifier for the new declaration. If the type specifier contains a variably-modified type — `typeof(expr)` with VLA dimensions (`has_typeof && is_vla`) or `_Atomic(type)` with VLA dimensions (`has_atomic && is_vla`) — the VLA dimension expression would be evaluated a second time at runtime by the backend compiler (ISO C11 §6.7.2.5 — VM type specifiers are evaluated when the declaration is reached). This causes double evaluation of side effects (function calls, `++`, etc.) in the VLA dimension. Prism rejects such splits with a hard error: the user must declare each variable on a separate line. The guard condition is `(type->has_typeof || type->has_atomic) && type->is_vla`. The `_Atomic(...)` VLA detection was added because `parse_type_specifier` now scans `_Atomic(...)` contents for VLA array dimensions (same pattern as the `typeof(...)` scan), including the `)` predecessor for parenthesized pointer types like `_Atomic(int(*)[n])`. This also covers the orelse `stop_comma` continuation paths (const orelse fallback, orelse action). Anonymous struct/union splits are separately rejected because re-emitting the body produces two incompatible anonymous types.
+**Multi-declarator VM-type split restriction:** When `process_declarators` must split a multi-declarator statement (due to the triggers above), it re-emits the type specifier for the new declaration. If the type specifier contains a variably-modified type — `typeof(expr)` with VLA dimensions (`has_typeof && is_vla`) or `_Atomic(type)` with VLA dimensions (`has_atomic && is_vla`) — the VLA dimension expression would be evaluated a second time at runtime by the backend compiler (ISO C11 §6.7.2.5 — VM type specifiers are evaluated when the declaration is reached). This causes double evaluation of side effects (function calls, `++`, etc.) in the VLA dimension. Prism rejects such splits with a hard error: the user must declare each variable on a separate line. The guard condition is `(type->has_typeof || type->has_atomic) && type->is_vla`. The `_Atomic(...)` VLA detection was added because `parse_type_specifier` now scans `_Atomic(...)` contents for VLA array dimensions (same pattern as the `typeof(...)` scan), including the `)` predecessor for parenthesized pointer types like `_Atomic(int(*)[n])`. This also covers the orelse `stop_comma` continuation paths (const orelse fallback, orelse action). Anonymous struct/union splits are separately rejected because re-emitting the body produces two incompatible anonymous types. **Two-Pass Invariant for split detection:** Phase 1D's `p1d_check_multi_decl_constraints` must perfectly simulate Pass 2's split logic. The `split` predicate includes three triggers: (1) `current_decl_has_orelse` — the current declarator's initializer contains an `orelse` keyword, which unconditionally forces a split via `process_init_orelse_hit` in Pass 2; (2) `any_would_memset` — a preceding declarator requires a typeof/VLA memset and the next declarator has an initializer; (3) bracket orelse on the next declarator. Without the first trigger, Phase 1D would approve VM-type and anonymous struct multi-declarators where the current declarator's orelse forces a split invisible to the static analyzer, causing Pass 2 to crash mid-emission (violating the Two-Pass Invariant). The `any_would_memset` arm also checks `nd.is_vla` (next declarator has VLA dimensions), matching Pass 2's `should_split_multi_decl` which splits when `typeof_var_count > 0 && (next_decl.has_init || next_decl.is_vla)` — without the VLA check, a `typeof(int[n]) arr, buf[get_n()]` declaration would bypass Phase 1D and crash in Pass 2.
 
 **Const orelse VM-type restriction:** `handle_const_orelse_fallback` emits the type specifier twice — once for the mutable temporary and once for the final `const` declaration. When the type is variably-modified (`type->is_vla || decl.is_vla`), this forces the C compiler to evaluate VLA size expressions twice at runtime (ISO C11 §6.7.2.5). Prism rejects const-qualified VM-type orelse with a hard error: the user must hoist the value to a non-const variable first. This covers both VLA dimensions in the declarator suffix (e.g. `const int (*p)[get_size()]`) and in the type specifier via typeof (e.g. `const typeof(int[n]) *p`).
 

.github/test.orelse.c

@@ -1400,7 +1400,7 @@ static void test_const_typedef_breaks_orelse_temp(void) {
 }
 
 static void test_anon_struct_orelse_type_corruption(void) {
-	printf("\n--- Anonymous Struct Type Corruption in Multi-Declarator orelse ---\n");
+	printf("\n--- Anonymous Struct Multi-Declarator orelse Rejected ---\n");
 
 	const char *code =
 	    "#include <stdlib.h>\n"
@@ -1420,28 +1420,93 @@ static void test_anon_struct_orelse_type_corruption(void) {
 
 	PrismFeatures features = prism_defaults();
 	PrismResult result = prism_transpile_file(path, features);
-	CHECK_EQ(result.status, PRISM_OK, "anon struct orelse: transpiles OK");
-	CHECK(result.output != NULL, "anon struct orelse: output not NULL");
-
-	// The second declarator must have the full anonymous struct body, not bare 'struct'.
-	// Look for two occurrences of 'struct { int a; }'.
-	const char *first = strstr(result.output, "struct { int a; }");
-	CHECK(first != NULL, "anon struct orelse: first declarator has struct body");
-	if (first) {
-		const char *second = strstr(first + 1, "struct { int a; }");
-		CHECK(second != NULL,
-		      "anon struct orelse: second declarator preserves anonymous struct body");
-	}
-
-	// Must NOT contain bare 'struct *' (the broken output).
-	CHECK(strstr(result.output, "struct *s2") == NULL,
-	      "anon struct orelse: no bare 'struct *s2' (type must be complete)");
+	// Multi-declarator with anonymous struct + orelse forces a split,
+	// producing two incompatible anonymous types in ISO C.
+	// Phase 1D must reject this.
+	CHECK(result.status != PRISM_OK,
+	      "anon struct orelse: must be rejected (split creates incompatible types)");
 
 	prism_free(&result);
 	unlink(path);
 	free(path);
 }
 
+static void test_orelse_multi_decl_split_invariant(void) {
+	printf("\n--- Two-Pass Invariant: orelse-forced split constraints ---\n");
+
+	// VM type: current decl orelse forces split, next decl has VM type
+	{
+		PrismResult r = prism_transpile_source(
+		    "void *get(void);\n"
+		    "void f(int n) {\n"
+		    "    typeof(int[n]) *x = get() orelse 0, *y = 0;\n"
+		    "}\n",
+		    "split_vm.c", prism_defaults());
+		CHECK(r.status != PRISM_OK,
+		      "orelse split invariant: VM type multi-decl rejected in Phase 1D");
+		prism_free(&r);
+	}
+	// Anonymous struct: current decl orelse forces split
+	{
+		PrismResult r = prism_transpile_source(
+		    "int *get(void);\n"
+		    "void f(void) {\n"
+		    "    struct { int a; } *p1 = get() orelse 0, *p2 = 0;\n"
+		    "}\n",
+		    "split_anon.c", prism_defaults());
+		CHECK(r.status != PRISM_OK,
+		      "orelse split invariant: anon struct multi-decl rejected in Phase 1D");
+		prism_free(&r);
+	}
+	// Single declarator with orelse is fine (no split)
+	{
+		PrismResult r = prism_transpile_source(
+		    "int *get(void);\n"
+		    "void f(void) {\n"
+		    "    struct { int a; } *p1 = get() orelse 0;\n"
+		    "}\n",
+		    "split_single.c", prism_defaults());
+		CHECK(r.status == PRISM_OK,
+		      "orelse split invariant: single anon struct orelse is fine");
+		prism_free(&r);
+	}
+	// Tagged struct with orelse multi-decl is fine (split produces compatible types)
+	{
+		PrismResult r = prism_transpile_source(
+		    "int *get(void);\n"
+		    "void f(void) {\n"
+		    "    struct S { int a; } *p1 = get() orelse 0, *p2 = 0;\n"
+		    "}\n",
+		    "split_tagged.c", prism_defaults());
+		CHECK(r.status == PRISM_OK,
+		      "orelse split invariant: tagged struct multi-decl is fine");
+		prism_free(&r);
+	}
+	// VLA next-declarator split: typeof memset pending + next is VLA (no init)
+	{
+		PrismResult r = prism_transpile_source(
+		    "int get_n(void);\n"
+		    "void f(int n) {\n"
+		    "    typeof(int[n]) arr, buf[get_n()];\n"
+		    "}\n",
+		    "split_vla_next.c", prism_defaults());
+		CHECK(r.status != PRISM_OK,
+		      "orelse split invariant: VM type + VLA next decl rejected in Phase 1D");
+		prism_free(&r);
+	}
+	// Non-VLA next-declarator with pending memset but no init: no split needed
+	{
+		PrismResult r = prism_transpile_source(
+		    "void f(int n) {\n"
+		    "    typeof(int[n]) arr, buf[3];\n"
+		    "}\n",
+		    "split_fixed_next.c", prism_defaults());
+		CHECK(r.status == PRISM_OK,
+		      "orelse split invariant: fixed-size next decl is fine (no split)");
+		prism_free(&r);
+	}
+}
+
 static void test_compound_literal_orelse_lifetime(void) {
 	printf("\n--- Compound Literal orelse Destroys Variable Lifetime ---\n");
 
@@ -7432,21 +7497,17 @@ static void test_orelse_ternary_promotion_hijack(void) {
 }
 
 static void test_orelse_sue_attr_body_strip(void) {
+	// Multi-declarator with anonymous struct + orelse forces a split,
+	// producing two incompatible anonymous types. Phase 1D must reject.
 	const char *code =
 	    "struct __attribute__((packed)) { int x; int y; } *get_anon(void);\n"
 	    "void f(void) {\n"
 	    "    struct __attribute__((packed)) { int x; int y; } *a = get_anon() orelse (void*)0, *b = get_anon();\n"
 	    "    (void)a; (void)b;\n"
 	    "}\n";
 	PrismResult r = prism_transpile_source(code, "sue_attr_body.c", prism_defaults());
-	CHECK_EQ(r.status, PRISM_OK, "sue-attr-body: transpiles OK");
-	CHECK(r.output != NULL, "sue-attr-body: output not NULL");
-	if (r.output) {
-		const char *first = strstr(r.output, "{ int x;");
-		CHECK(first != NULL, "sue-attr-body: first decl has struct body");
-		const char *second = first ? strstr(first + 1, "{ int x;") : NULL;
-		CHECK(second != NULL, "sue-attr-body: second decl must also preserve struct body");
-	}
+	CHECK(r.status != PRISM_OK,
+	      "sue-attr-body: anon struct multi-decl orelse must be rejected");
 	prism_free(&r);
 }
 
@@ -7557,6 +7618,7 @@ void run_orelse_tests(void) {
 	test_prism_oe_temp_var_namespace_collision();
 	test_const_typedef_breaks_orelse_temp();
 	test_anon_struct_orelse_type_corruption();
+	test_orelse_multi_decl_split_invariant();
 	test_compound_literal_orelse_lifetime();
 	test_orelse_bare_assign_double_eval();
 	test_orelse_vla_fallback_double_eval();

prism.c

@@ -6329,14 +6329,16 @@ static void p1d_validate_decl_orelse(Token *var_name, Token *type_tok,
 // break with anonymous structs or variably-modified type specifiers.
 static void p1d_check_multi_decl_constraints(Token *t, Token *type_tok,
 					     TypeSpecResult *type,
-					     bool any_would_memset, bool vm_type) {
+					     bool any_would_memset, bool vm_type,
+					     bool current_decl_has_orelse) {
 	// Check if the next declarator would require a split
 	Token *next_t = tok_next(t);
 	bool nr = false;
 	next_t = p1_skip_decl_raw(next_t, &nr);
 	DeclResult nd = parse_declarator(next_t, false);
 	if (!nd.var_name || !nd.end) return;
-	bool split = (any_would_memset && match_ch(nd.end, '=')) ||
+	bool split = (current_decl_has_orelse && FEAT(F_ORELSE)) ||
+	             (any_would_memset && (match_ch(nd.end, '=') || nd.is_vla)) ||
 	             (FEAT(F_ORELSE) && p1d_decl_has_bracket_orelse(next_t, nd.end));
 	if (!split) return;
 
@@ -6610,8 +6612,8 @@ static void p1d_probe_declaration(Token *tok, uint16_t cur_sid, int brace_depth,
 			}
 		}
 
+		bool decl_has_orelse = false;
 		if (has_init) {
-			bool decl_has_orelse = false;
 			Token *first_orelse = NULL;
 			t = p1d_scan_init_orelse(t, &decl_has_orelse, &first_orelse);
 
@@ -6633,7 +6635,7 @@ static void p1d_probe_declaration(Token *tok, uint16_t cur_sid, int brace_depth,
 		// Phase 1D: reject multi-declarator split constraints
 		if (t && match_ch(t, ',') && brace_depth > 0)
 			p1d_check_multi_decl_constraints(t, type_tok, &type,
-				any_would_memset, vm_type);
+				any_would_memset, vm_type, decl_has_orelse);
 
 		if (t && match_ch(t, ',')) { t = tok_next(t); } else break;
 	}