NoQ added inline comments.
================
Comment at: clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp:440
+      State, {std::make_pair(CC->getCXXThisVal(), ArgVal)},
+      C.getLocationContext(), PSK_DirectEscapeOnCall, &Call);
----------------
RedDocMD wrote:
> It seems to me that this pointer escape doesn't work.
> For the following code:
> ```lang=cpp
> void foo() {
>   auto ptr = std::unique_ptr<int>(new int(13));
>   // Leak warning emitted here
> }
> ```
> the exploded graph shows the SVal for `new int(13)` as allocated instead of
> escaped (which eventually triggers the warning).
It shouldn't work in this case. The variable is local. A write to a local variable doesn't constitute an escape because access to a local variable from elsewhere is impossible.

I believe we should explicitly tell `MallocChecker` that memory is released, given that we know that this is exactly what happens. We could do this similarly to how `InnerPointerChecker` tells `MallocChecker` that `std::string::c_str()` is released when the string is destroyed.

Another solution would be to force an escape by calling `escapeValue()` directly. That'll definitely notify all checkers that the raw pointer value should be dropped, but that wouldn't allow us to ultimately find use-after-free of that value.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D105821/new/

https://reviews.llvm.org/D105821

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits