Fix playground CORS by deploying to gh-pages branch

Problem: GitHub Releases don't serve files with CORS headers, blocking
browser fetch() requests. CORS proxies are unreliable for large files.

Solution: Deploy playground to gh-pages branch with WASM files included.
- Main branch stays clean (no 63MB WASM files)
- Workflow downloads WASM from latest release
- Pushes to separate gh-pages branch (orphan, separate history)
- GitHub Pages serves with proper CORS headers
- Same-origin = no CORS issues

Changes:
- Updated deploy workflow to download WASM and push to gh-pages
- Simplified index.html to use local files (served via Pages)
- Added clangd files to .gitignore
- Added ?prod=1 URL param for local testing

Author: cs01

.github/workflows/deploy-playground.yml

@@ -7,32 +7,71 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-concurrency:
-  group: "pages"
-  cancel-in-progress: false
+  contents: write
 
 jobs:
   deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-      - name: Setup Pages
-        uses: actions/configure-pages@v4
+      - name: Download latest WASM files from release
+        run: |
+          # Get the latest playground release
+          LATEST_RELEASE=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases | \
+            jq -r '[.[] | select(.tag_name | startswith("playground-v"))] | first | .tag_name')
 
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: 'nullsafe-playground'
+          echo "Latest playground release: $LATEST_RELEASE"
+
+          if [ -z "$LATEST_RELEASE" ]; then
+            echo "No playground release found! Please create a release with tag 'playground-vX.X.X'"
+            exit 1
+          fi
+
+          # Download the WASM files into playground directory
+          cd nullsafe-playground
+          curl -L -o clang.wasm "https://github.com/${{ github.repository }}/releases/download/${LATEST_RELEASE}/clang-nullsafe.wasm"
+          curl -L -o clang.js "https://github.com/${{ github.repository }}/releases/download/${LATEST_RELEASE}/clang-nullsafe.js"
+          curl -L -o clangd.wasm "https://github.com/${{ github.repository }}/releases/download/${LATEST_RELEASE}/clangd-nullsafe.wasm"
+          curl -L -o clangd.js "https://github.com/${{ github.repository }}/releases/download/${LATEST_RELEASE}/clangd-nullsafe.js"
+
+          echo "Downloaded files:"
+          ls -lh clang.wasm clang.js clangd.wasm clangd.js
+
+      - name: Deploy to gh-pages
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Check if gh-pages exists
+          if git ls-remote --exit-code --heads origin gh-pages; then
+            echo "gh-pages branch exists, checking out"
+            git fetch origin gh-pages
+            git checkout gh-pages
+          else
+            echo "Creating new orphan gh-pages branch"
+            git checkout --orphan gh-pages
+          fi
+
+          # Clear everything
+          git rm -rf . 2>/dev/null || true
+
+          # Copy playground files
+          git checkout null-safe-c-dev -- nullsafe-playground
+          mv nullsafe-playground/* .
+          rm -rf nullsafe-playground
+
+          # Add all files (including the downloaded WASM)
+          git add -A
+
+          # Commit
+          if git diff --staged --quiet; then
+            echo "No changes to deploy"
+          else
+            git commit -m "Deploy playground from ${{ github.sha }}"
+            git push origin gh-pages
+          fi
 
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4

clang/lib/Sema/SemaExpr.cpp

@@ -14925,12 +14925,9 @@ static QualType CheckIndirectionOperand(Sema &S, Expr *Op, ExprValueKind &VK,
 
     if (auto Nullability = CheckType->getNullability()) {
       if (*Nullability == NullabilityKind::Nullable) {
-        // strict-nullability: Allow nullable dereferences in condition contexts (if/while/for).
-        // The dereference itself performs a null-check, so it's safe.
-        // The narrowing analysis will collect these and narrow the pointer for the body.
-        if (S.InConditionContext == 0) {
-          S.Diag(OpLoc, diag::warn_strict_nullability_dereference) << OpTy;
-        }
+        // strict-nullability: Warn about dereferencing nullable pointers.
+        // Dereferencing does NOT perform a null-check - it will crash if null!
+        S.Diag(OpLoc, diag::warn_strict_nullability_dereference) << OpTy;
       }
     }
   }

clang/test/Sema/strict-nullability.c

@@ -475,24 +475,24 @@ void test_while_and_narrowing(const unsigned char* input_pointer,
     }
 }
 
-// Test: dereference in while condition (condition context)
+// Test: dereference in while condition requires null check first
 void test_while_deref_condition(const char *ptr) {
-    while (*ptr != '\0') {  // OK - dereference allowed in condition
+    while (*ptr != '\0') {  // expected-warning {{dereferencing nullable pointer}}
         ptr++;
     }
 }
 
-// Test: dereference in for condition (condition context)
+// Test: dereference in for condition requires null check first
 void test_for_deref_condition(const char *input) {
     const char *ptr;
-    for (ptr = input; *ptr != '\0'; ptr++) {  // OK - dereference allowed in condition
+    for (ptr = input; *ptr != '\0'; ptr++) {  // expected-warning {{dereferencing nullable pointer}}
         // loop body
     }
 }
 
-// Test: dereference in if condition (condition context)
+// Test: dereference in if condition requires null check first
 void test_if_deref_condition(const char *str) {
-    if (*str == 'a') {  // OK - dereference allowed in condition
+    if (*str == 'a') {  // expected-warning {{dereferencing nullable pointer}}
         // then branch
     }
 }
@@ -501,17 +501,17 @@ void test_if_deref_condition(const char *str) {
 int is_digit_pure(char c) __attribute__((const));
 
 void test_pure_function_preserves_narrowing(const char *zDate) {
-    if (!is_digit_pure(*zDate)) {  // dereference in condition - narrows zDate to non-null
+    if (!is_digit_pure(*zDate)) {  // expected-warning {{dereferencing nullable pointer}}
         return;
     }
-    char val = *zDate - '0';  // Should be OK - zDate still non-null after pure function call
+    char val = *zDate - '0';  // OK after dereference above - if we got here, zDate is non-null
 }
 
 // Test: narrowing invalidated after impure function call
 int is_digit_impure(char c);
 
 void test_impure_function_invalidates_narrowing(const char *zDate) {
-    if (!is_digit_impure(*zDate)) {  // dereference in condition - narrows zDate to non-null
+    if (!is_digit_impure(*zDate)) {  // expected-warning {{dereferencing nullable pointer}}
         return;
     }
     char val = *zDate - '0';  // expected-warning {{dereferencing nullable pointer}}
@@ -521,10 +521,10 @@ void test_impure_function_invalidates_narrowing(const char *zDate) {
 int is_also_pure(char c) __attribute__((pure));
 
 void test_pure_attr_preserves_narrowing(const char *zDate) {
-    if (!is_also_pure(*zDate)) {  // dereference in condition - narrows zDate to non-null
+    if (!is_also_pure(*zDate)) {  // expected-warning {{dereferencing nullable pointer}}
         return;
     }
-    char val = *zDate - '0';  // Should be OK - zDate still non-null after pure function call
+    char val = *zDate - '0';  // OK after dereference above - if we got here, zDate is non-null
 }
 
 // ============================================================================

nullsafe-playground/.gitignore

@@ -1,8 +1,12 @@
 # Generated WASM files (too large to commit, will be built from source or downloaded from releases)
 clang.wasm
 clang.js
+clangd.wasm
+clangd.js
 clang-nullsafe.wasm
 clang-nullsafe.js
+clangd-nullsafe.wasm
+clangd-nullsafe.js
 clang-mainline.wasm
 clang-mainline.js
 

nullsafe-playground/index.html

@@ -573,7 +573,7 @@ <h1>Null-Safe Clang Playground</h1>
             <option value="and-pattern">7. AND Pattern Narrowing</option>
             <option value="else-branch">8. Else Branch Narrowing</option>
             <option value="loop-narrowing">9. Loop Condition Narrowing</option>
-            <option value="dereference-context">10. Dereference in Condition</option>
+            <option value="dereference-context">10. Null Check Before Deref</option>
         </select>
 
         <button id="shareBtn" class="btn btn-secondary">
@@ -677,8 +677,8 @@ <h1>Null-Safe Clang Playground</h1>
 int is_digit(char c) __attribute__((const));
 
 void parse(const char* str) {
-    if (is_digit(*str)) {  // narrows str
-        char val = *str - '0';  // OK - still narrowed
+    if (str && is_digit(*str)) {  // Check first, then call
+        char val = *str - '0';  // OK - narrowed by check
     }
 }`,
 
@@ -769,22 +769,22 @@ <h1>Null-Safe Clang Playground</h1>
     }
 }`,
 
-            'dereference-context': `// Dereference in condition is allowed
+            'dereference-context': `// Must null-check before dereferencing
 void while_str(const char* ptr) {
-    while (*ptr != '\\0') {  // OK - can deref
+    while (ptr && *ptr != '\\0') {  // Check first!
         ptr++;
     }
 }
 
 void if_check(const char* str) {
-    if (*str == 'a') {  // OK - can deref
+    if (str && *str == 'a') {  // Check first!
         // process...
     }
 }
 
 void for_check(const char* input) {
     const char* p;
-    for (p = input; *p; p++) {  // OK - can deref
+    for (p = input; p && *p; p++) {  // Check first!
         // process...
     }
 }`
@@ -1118,13 +1118,22 @@ <h1>Null-Safe Clang Playground</h1>
             try {
                 // Determine script URL
                 const isDev = window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1';
-                scriptUrl = isDev
-                    ? './clang.js'
-                    : 'https://github.com/cs01/llvm-project/releases/latest/download/clang-nullsafe.js';
 
-                const wasmUrl = isDev
-                    ? './clang.wasm'
-                    : 'https://github.com/cs01/llvm-project/releases/latest/download/clang-nullsafe.wasm';
+                // Allow testing production URLs on localhost with ?prod=1
+                const urlParams = new URLSearchParams(window.location.search);
+                const forceProd = urlParams.get('prod') === '1' || urlParams.get('mode') === 'prod';
+
+                if (isDev && !forceProd) {
+                    // Local development - files should be in the same directory
+                    scriptUrl = './clang.js';
+                    var wasmUrl = './clang.wasm';
+                    console.log('🔧 Development mode: Using local files');
+                } else {
+                    // Production - files are served from GitHub Pages (same origin, no CORS issues!)
+                    scriptUrl = './clang.js';
+                    var wasmUrl = './clang.wasm';
+                    console.log('🚀 Production mode: Using files from GitHub Pages');
+                }
 
                 // Pre-load the WASM binary ONCE with progress tracking
                 console.log('Downloading WASM binary...');