fix(type-checker): restrict if (var x = expr) RHS to presence-producing exprs

congwang-mk · congwang-mk · commit 198fe92d7e5b · 2026-05-06T13:35:27.000-07:00
Reported by @SiyuanSun0736 on PR #19. Signed-off-by: Cong Wang <cwang@multikernel.io>
diff --git a/src/type_checker.ml b/src/type_checker.ml
@@ -2054,12 +2054,37 @@ and type_check_statement ctx stmt =
 
   | IfLet (name, expr, then_stmts, else_opt) ->
       (* `if (var name = expr) { ... }` — bind `name` only inside then-branch.
-         The bound type matches what `var name = expr` would normally produce:
-         the value type for map access (auto-deref via IRMapAccess), and
-         the pointer type for raw pointer expressions. We just type-check the
-         RHS and use its inferred type as the binding type. *)
+         The bound type matches what `var name = expr` would normally
+         produce: the value type for map access (auto-deref via
+         IRMapAccess), and the pointer type for raw pointer expressions.
+         We restrict the RHS to "presence-producing" expressions, since
+         the construct's truthiness is defined as "expr produced a present
+         value" — i.e., a map hit or a non-null pointer. Allowing arbitrary
+         scalar / struct RHS would let the codegen emit `x != NULL`
+         against a non-pointer value (clang -Wpointer-integer-compare,
+         invalid C for struct types) and would let the evaluator's general
+         truthy-falsy rule diverge from the codegen's pointer presence
+         check. The legal shapes are:
+           - `m[k]` where `m` is a known map (auto-deref'd value type at
+             this layer, but underlying-pointer-checked at codegen)
+           - any expression of pointer type. *)
       let typed_expr = type_check_expression ctx expr in
       let bound_type = typed_expr.texpr_type in
+      let is_map_access_rhs = match expr.expr_desc with
+        | ArrayAccess ({ expr_desc = Identifier mn; _ }, _) ->
+            Hashtbl.mem ctx.maps mn
+        | _ -> false
+      in
+      let is_pointer_rhs = match bound_type with
+        | Pointer _ -> true
+        | _ -> false
+      in
+      if not (is_map_access_rhs || is_pointer_rhs) then
+        type_error
+          ("`if (var " ^ name ^ " = expr)` requires expr to be a map access " ^
+           "(`m[k]`) or a pointer-typed expression; got " ^
+           string_of_bpf_type bound_type)
+          stmt.stmt_pos;
       let saved = Hashtbl.find_opt ctx.variables name in
       Hashtbl.replace ctx.variables name bound_type;
       let typed_then = List.map (type_check_statement ctx) then_stmts in
diff --git a/tests/test_iflet.ml b/tests/test_iflet.ml
@@ -273,6 +273,48 @@ var stats : hash<u32, Stats>(1024)
   check bool "field write goes through the underlying lookup pointer" true
     (contains_substr c "->count =")
 
+(** 11a. Reject: int-literal RHS — `if (var x = 5)` is not a presence check.
+        The construct only makes sense when the RHS is a map access (auto-
+        deref'd to a value but underlying-pointer-checked) or a pointer-typed
+        expression. An integer RHS would lower to `__u32 x; if (x != NULL)`,
+        which warns under -Wpointer-integer-compare and is semantically
+        incoherent — also the evaluator's truthiness rules diverge from the
+        codegen's `!= NULL` for non-pointer types. *)
+let test_reject_int_literal_rhs () =
+  let source = {|
+@xdp fn probe(ctx: *xdp_md) -> xdp_action {
+  if (var x = 5) {
+    return XDP_PASS
+  }
+  return XDP_DROP
+}
+|} in
+  try
+    let _ = typecheck source in
+    fail "expected rejection of integer-literal RHS"
+  with
+  | Kernelscript.Type_checker.Type_error _ -> ()
+
+(** 11b. Reject: non-pointer-returning function RHS. *)
+let test_reject_non_pointer_call_rhs () =
+  let source = {|
+@helper fn returns_zero() -> u32 {
+  return 0
+}
+
+@xdp fn probe(ctx: *xdp_md) -> xdp_action {
+  if (var x = returns_zero()) {
+    return XDP_PASS
+  }
+  return XDP_DROP
+}
+|} in
+  try
+    let _ = typecheck source in
+    fail "expected rejection of non-pointer-returning call as RHS"
+  with
+  | Kernelscript.Type_checker.Type_error _ -> ()
+
 (** 11. Codegen (shadowing): an outer binding of the same name as the IfLet
        binding must survive both branches and remain referenceable after the
        if. The branch-local invariant the frontend enforces (binding visible
@@ -325,6 +367,8 @@ let suite = [
   "codegen_scalar_value_binding",     `Quick, test_codegen_scalar_value_binding;
   "codegen_struct_value_binding_shape", `Quick, test_codegen_struct_value_binding_shape;
   "codegen_shadow_outer_binding",     `Quick, test_codegen_shadow_outer_binding;
+  "reject_int_literal_rhs",           `Quick, test_reject_int_literal_rhs;
+  "reject_non_pointer_call_rhs",      `Quick, test_reject_non_pointer_call_rhs;
 ]
 
 let () =
