Close find_infer_type TK_TYPEALIASREF leak (#5203)

The TK_TYPEALIASREF case in find_infer_type allocates an unfolded tree
via typealias_unfold but never frees it. The original comment said this
was "to avoid a dangling pointer" — the actual reason was that ownership
of the recursive call's return is genuinely ambiguous (it can be unfolded
itself, an interior descendant, or a freshly-built tree from
type_union/type_isect), and the code punted by never freeing.

Dup the recursive result so the returned subtree is independent of the
unfolded tree, then free unfolded. Clear the dup's scope pointer first
because ast_dup copies it from result->parent, which can alias into the
soon-to-be-freed unfolded tree — the same defusing pattern reach.c uses
after deferred_reify.

Add full-program tests for the case (a) and case (c) branches that the
existing chained-tuple-destructure test doesn't reach, and cross-link
that test to this issue.

Closes #5199

Author: SeanTAllen

src/libponyc/expr/operator.c

@@ -99,14 +99,38 @@ static ast_t* find_infer_type(pass_opt_t* opt, ast_t* type, infer_path_t* path)
 
     case TK_TYPEALIASREF:
     {
-      // Don't free: find_infer_type may return a pointer into the unfolded
-      // tree (e.g., the TK_TUPLETYPE node itself or a child of it).
       ast_t* unfolded = typealias_unfold(type);
 
       if(unfolded == NULL)
         return NULL;
 
-      return find_infer_type(opt, unfolded, path);
+      ast_t* result = find_infer_type(opt, unfolded, path);
+
+      if(result == NULL)
+      {
+        ast_free_unattached(unfolded);
+        return NULL;
+      }
+
+      // The recursive call may return: (a) unfolded itself, (b) an
+      // interior descendant of unfolded, or (c) a freshly-built tree from
+      // type_union or type_isect. Dup result so the returned subtree is
+      // independent of unfolded. ast_dup copies the root's scope pointer
+      // from result->parent — which in cases (a) and (b) points inside
+      // the unfolded tree we are about to free — so clear it before the
+      // free. Do not remove the ast_set_scope call: no downstream pass
+      // reads this scope today, but any future code walking ast_parent
+      // or ast_get on the returned type would dereference freed memory.
+      // Free unfolded (collects cases a and b) and, separately, any
+      // fresh tree returned in case (c).
+      ast_t* dup_result = ast_dup(result);
+      ast_set_scope(dup_result, NULL);
+
+      if(result != unfolded)
+        ast_free_unattached(result);
+
+      ast_free_unattached(unfolded);
+      return dup_result;
     }
 
     default:

test/full-program-tests/type-alias-chained-tuple-destructure/main.pony

@@ -20,6 +20,12 @@
 //
 // The pre-fix counterfactual fires first at `operator.c:660`. With the
 // fix, all three sites are exercised end-to-end. See ponylang/ponyc#5195.
+//
+// This test also exercises the fix for ponylang/ponyc#5199 (memory leak
+// in `find_infer_type`'s TK_TYPEALIASREF case): the destructure routes
+// through `infer_local_inner` → `find_infer_type(TK_TYPEALIASREF, path)`
+// and hits case (b), where the recursive call returns an interior
+// descendant of the unfolded tree.
 
 use @pony_exitcode[None](code: I32)
 

test/full-program-tests/type-alias-nominal-infer/expected-exit-code.txt

@@ -0,0 +1 @@
+1

test/full-program-tests/type-alias-nominal-infer/main.pony

@@ -0,0 +1,25 @@
+// Regression test for find_infer_type's TK_TYPEALIASREF case (#5199),
+// case (a): the recursive find_infer_type call returns the unfolded
+// tree itself unchanged.
+//
+// `find_infer_type` in `src/libponyc/expr/operator.c` dispatches on
+// TK_TYPEALIASREF by unfolding the alias and recursing on the result.
+// When the right-hand side of an inferring let binding is an aliased
+// nominal type with no destructuring path, the recursive call hits the
+// default case with `path == NULL` and returns the unfolded pointer
+// unchanged. This exercises the `result == unfolded` branch of the fix
+// (where the inner free is skipped to avoid a double-free) and confirms
+// the dup-and-clear-scope sequence handles the result-equals-unfolded
+// case correctly.
+
+use @pony_exitcode[None](code: I32)
+
+type _Count is U64
+
+actor Main
+  new create(env: Env) =>
+    let x: _Count = U64(42)
+    let y = x
+    if y == 42 then
+      @pony_exitcode(1)
+    end

test/full-program-tests/type-alias-union-infer/expected-exit-code.txt

@@ -0,0 +1 @@
+1

test/full-program-tests/type-alias-union-infer/main.pony

@@ -0,0 +1,28 @@
+// Regression test for find_infer_type's TK_TYPEALIASREF case (#5199),
+// case (c): the recursive find_infer_type call returns a freshly-built
+// tree from `type_union` (or `type_isect`).
+//
+// `find_infer_type` in `src/libponyc/expr/operator.c` dispatches on
+// TK_TYPEALIASREF by unfolding the alias and recursing on the result.
+// When the right-hand side of an inferring let binding is an aliased
+// union type with no destructuring path, the recursive call hits the
+// TK_UNIONTYPE branch which iterates the variants and assembles a new
+// union via `type_union`. The recursive call returns a fresh tree that
+// does not share storage with `unfolded`, so the fix must free both the
+// fresh tree (via the `result != unfolded` inner free) and `unfolded`
+// itself. This exercises the case (c) branch of the fix and confirms
+// the inferred type still supports exhaustive matching against the
+// union variants.
+
+use @pony_exitcode[None](code: I32)
+
+type _Either is (U64 | String)
+
+actor Main
+  new create(env: Env) =>
+    let x: _Either = U64(42)
+    let y = x
+    match y
+    | let n: U64 => if n == 42 then @pony_exitcode(1) end
+    | let _: String => None
+    end