[analyzer][test] Refactor smart pointer leak suppression and combine tests

ivanmurashko · ivanmurashko · commit 96a0370bb808 · 2025-08-09T16:37:27.000+01:00
- Applied requested refactoring in MallocChecker (API cleanup, code reuse, duplication reduction).
- Merged unique_ptr and shared_ptr PR60896 tests into a single file.
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -52,8 +52,6 @@
 #include "clang/AST/DeclTemplate.h"
 #include "clang/AST/Expr.h"
 #include "clang/AST/ExprCXX.h"
-#include "clang/AST/TemplateBase.h"
-#include "clang/AST/Type.h"
 
 #include "clang/AST/ParentMap.h"
 #include "clang/ASTMatchers/ASTMatchFinder.h"
@@ -1113,17 +1111,23 @@ class StopTrackingCallback final : public SymbolVisitor {
 /// The visitor traverses reachable symbols from a given set of memory regions
 /// (typically smart pointer field regions) and marks any allocated symbols as
 /// escaped. Escaped symbols are not reported as leaks by checkDeadSymbols.
-///
-/// Usage:
-///   auto Scan =
-///   State->scanReachableSymbols<EscapeTrackedCallback>(RootRegions);
-///   ProgramStateRef NewState = Scan.getState();
-///   if (NewState != State) C.addTransition(NewState);
 class EscapeTrackedCallback final : public SymbolVisitor {
   ProgramStateRef State;
 
-public:
   explicit EscapeTrackedCallback(ProgramStateRef S) : State(std::move(S)) {}
+
+public:
+  /// Escape tracked regions reachable from the given roots.
+  static ProgramStateRef
+  EscapeTrackedRegionsReachableFrom(ArrayRef<const MemRegion *> Roots,
+                                    ProgramStateRef State) {
+    EscapeTrackedCallback Visitor(State);
+    for (const MemRegion *R : Roots) {
+      State->scanReachableSymbols(loc::MemRegionVal(R), Visitor);
+    }
+    return Visitor.getState();
+  }
+
   ProgramStateRef getState() const { return State; }
 
   bool VisitSymbol(SymbolRef Sym) override {
@@ -3108,18 +3112,11 @@ void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
 }
 
 static QualType canonicalStrip(QualType QT) {
-  return QT.getCanonicalType().getUnqualifiedType();
+  return QT->getCanonicalTypeUnqualified();
 }
 
-static bool isInStdNamespace(const DeclContext *DC) {
-  while (DC) {
-    if (const auto *NS = dyn_cast<NamespaceDecl>(DC))
-      if (NS->isStdNamespace())
-        return true;
-    DC = DC->getParent();
-  }
-  return false;
-}
+// Use isWithinStdNamespace from CheckerHelpers.h instead of custom
+// implementation
 
 // Allowlist of owning smart pointers we want to recognize.
 // Start with unique_ptr and shared_ptr. (intentionally exclude weak_ptr)
@@ -3138,8 +3135,7 @@ static bool isSmartOwningPtrType(QualType QT) {
       return false;
 
     // Check if it's in std namespace
-    const DeclContext *DC = ND->getDeclContext();
-    if (!isInStdNamespace(DC))
+    if (!isWithinStdNamespace(ND))
       return false;
 
     StringRef Name = ND->getName();
@@ -3162,6 +3158,44 @@ static bool isSmartOwningPtrType(QualType QT) {
   return false;
 }
 
+static bool hasSmartPtrField(const CXXRecordDecl *CRD) {
+  return llvm::any_of(CRD->fields(), [](const FieldDecl *FD) {
+    return isSmartOwningPtrType(FD->getType());
+  });
+}
+
+static bool isRvalueByValueRecord(const Expr *AE) {
+  if (AE->isGLValue())
+    return false;
+
+  QualType T = AE->getType();
+  if (!T->isRecordType() || T->isReferenceType())
+    return false;
+
+  // Accept common temp/construct forms but don't overfit.
+  return isa<CXXTemporaryObjectExpr, MaterializeTemporaryExpr, CXXConstructExpr,
+             InitListExpr, ImplicitCastExpr, CXXBindTemporaryExpr>(AE);
+}
+
+static bool isRvalueByValueRecordWithSmartPtr(const Expr *AE) {
+  if (!isRvalueByValueRecord(AE))
+    return false;
+
+  const auto *CRD = AE->getType()->getAsCXXRecordDecl();
+  return CRD && hasSmartPtrField(CRD);
+}
+
+static ProgramStateRef escapeAllAllocatedSymbols(ProgramStateRef State) {
+  RegionStateTy RS = State->get<RegionState>();
+  ProgramStateRef NewState = State;
+  for (auto [Sym, RefSt] : RS) {
+    if (RefSt.isAllocated() || RefSt.isAllocatedOfSizeZero()) {
+      NewState = NewState->set<RegionState>(Sym, RefState::getEscaped(&RefSt));
+    }
+  }
+  return NewState;
+}
+
 static void collectDirectSmartOwningPtrFieldRegions(
     const MemRegion *Base, QualType RecQT, CheckerContext &C,
     SmallVectorImpl<const MemRegion *> &Out) {
@@ -3195,38 +3229,7 @@ void MallocChecker::checkPostCall(const CallEvent &Call,
       continue;
     AE = AE->IgnoreParenImpCasts();
 
-    QualType T = AE->getType();
-
-    // **Relaxation 1**: accept *any rvalue* by-value record (not only strict
-    // PRVALUE).
-    if (AE->isGLValue())
-      continue;
-
-    // By-value record only (no refs).
-    if (!T->isRecordType() || T->isReferenceType())
-      continue;
-
-    // **Relaxation 2**: accept common temp/construct forms but don't overfit.
-    const bool LooksLikeTemp =
-        isa<CXXTemporaryObjectExpr>(AE) || isa<MaterializeTemporaryExpr>(AE) ||
-        isa<CXXConstructExpr>(AE) || isa<InitListExpr>(AE) ||
-        isa<ImplicitCastExpr>(AE) ||   // handle common rvalue materializations
-        isa<CXXBindTemporaryExpr>(AE); // handle CXXBindTemporaryExpr
-    if (!LooksLikeTemp)
-      continue;
-
-    // Require at least one direct smart owning pointer field by type.
-    const auto *CRD = T->getAsCXXRecordDecl();
-    if (!CRD)
-      continue;
-    bool HasSmartPtrField = false;
-    for (const FieldDecl *FD : CRD->fields()) {
-      if (isSmartOwningPtrType(FD->getType())) {
-        HasSmartPtrField = true;
-        break;
-      }
-    }
-    if (!HasSmartPtrField)
+    if (!isRvalueByValueRecordWithSmartPtr(AE))
       continue;
 
     // Find a region for the argument.
@@ -3237,32 +3240,26 @@ void MallocChecker::checkPostCall(const CallEvent &Call,
 
     const MemRegion *Base = RCall ? RCall : RExpr;
     if (!Base) {
-      // Fallback: if we have a by-value record with unique_ptr fields but no
+      // Fallback: if we have a by-value record with smart pointer fields but no
       // region, mark all allocated symbols as escaped
       ProgramStateRef State = C.getState();
-      RegionStateTy RS = State->get<RegionState>();
-      ProgramStateRef NewState = State;
-      for (auto [Sym, RefSt] : RS) {
-        if (RefSt.isAllocated() || RefSt.isAllocatedOfSizeZero()) {
-          NewState =
-              NewState->set<RegionState>(Sym, RefState::getEscaped(&RefSt));
-        }
-      }
+      ProgramStateRef NewState = escapeAllAllocatedSymbols(State);
       if (NewState != State)
         C.addTransition(NewState);
       continue;
     }
 
     // Push direct smart owning pointer field regions only (precise root set).
-    collectDirectSmartOwningPtrFieldRegions(Base, T, C, SmartPtrFieldRoots);
+    collectDirectSmartOwningPtrFieldRegions(Base, AE->getType(), C,
+                                            SmartPtrFieldRoots);
   }
 
   // Escape only from those field roots; do nothing if empty.
   if (!SmartPtrFieldRoots.empty()) {
     ProgramStateRef State = C.getState();
-    auto Scan =
-        State->scanReachableSymbols<EscapeTrackedCallback>(SmartPtrFieldRoots);
-    ProgramStateRef NewState = Scan.getState();
+    ProgramStateRef NewState =
+        EscapeTrackedCallback::EscapeTrackedRegionsReachableFrom(
+            SmartPtrFieldRoots, State);
     if (NewState != State) {
       C.addTransition(NewState);
     } else {
@@ -3276,44 +3273,15 @@ void MallocChecker::checkPostCall(const CallEvent &Call,
           continue;
         AE = AE->IgnoreParenImpCasts();
 
-        if (AE->isGLValue())
-          continue;
-        QualType T = AE->getType();
-        if (!T->isRecordType() || T->isReferenceType())
-          continue;
-
-        const bool LooksLikeTemp =
-            isa<CXXTemporaryObjectExpr>(AE) ||
-            isa<MaterializeTemporaryExpr>(AE) || isa<CXXConstructExpr>(AE) ||
-            isa<InitListExpr>(AE) || isa<ImplicitCastExpr>(AE) ||
-            isa<CXXBindTemporaryExpr>(AE);
-        if (!LooksLikeTemp)
-          continue;
-
-        // Check if this record type has smart pointer fields
-        const auto *CRD = T->getAsCXXRecordDecl();
-        if (CRD) {
-          for (const FieldDecl *FD : CRD->fields()) {
-            if (isSmartOwningPtrType(FD->getType())) {
-              hasByValueRecordWithSmartPtr = true;
-              break;
-            }
-          }
-        }
-        if (hasByValueRecordWithSmartPtr)
+        if (isRvalueByValueRecordWithSmartPtr(AE)) {
+          hasByValueRecordWithSmartPtr = true;
           break;
+        }
       }
 
       if (hasByValueRecordWithSmartPtr) {
         ProgramStateRef State = C.getState();
-        RegionStateTy RS = State->get<RegionState>();
-        ProgramStateRef NewState = State;
-        for (auto [Sym, RefSt] : RS) {
-          if (RefSt.isAllocated() || RefSt.isAllocatedOfSizeZero()) {
-            NewState =
-                NewState->set<RegionState>(Sym, RefState::getEscaped(&RefSt));
-          }
-        }
+        ProgramStateRef NewState = escapeAllAllocatedSymbols(State);
         if (NewState != State)
           C.addTransition(NewState);
       }
@@ -3439,7 +3407,6 @@ void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,
   if (!Sym)
     // If we are returning a field of the allocated struct or an array element,
     // the callee could still free the memory.
-    // TODO: This logic should be a part of generic symbol escape callback.
     if (const MemRegion *MR = RetVal.getAsRegion())
       if (isa<FieldRegion, ElementRegion>(MR))
         if (const SymbolicRegion *BMR =
diff --git a/clang/test/Analysis/NewDeleteLeaks-PR60896-shared.cpp b/clang/test/Analysis/NewDeleteLeaks-PR60896-shared.cpp
diff --git a/clang/test/Analysis/NewDeleteLeaks-PR60896.cpp b/clang/test/Analysis/NewDeleteLeaks-PR60896.cpp
@@ -11,7 +11,7 @@
 //===----------------------------------------------------------------------===//
 namespace unique_ptr_temporary_PR60896 {
 
-// We use a custom implementation of unique_ptr for testing purposes
+// Custom unique_ptr implementation for testing
 template <typename T>
 struct unique_ptr {
   T* ptr;
@@ -42,3 +42,39 @@ void test() {
 }
 
 } // namespace unique_ptr_temporary_PR60896
+
+//===----------------------------------------------------------------------===//
+// Check that we don't report leaks for shared_ptr in temporary objects
+//===----------------------------------------------------------------------===//
+namespace shared_ptr_temporary_PR60896 {
+
+// Custom shared_ptr implementation for testing
+template <typename T>
+struct shared_ptr {
+  T* ptr;
+  shared_ptr(T* p) : ptr(p) {}
+  ~shared_ptr() { delete ptr; }
+  shared_ptr(shared_ptr&& other) : ptr(other.ptr) { other.ptr = nullptr; }
+  T* get() const { return ptr; }
+};
+
+template <typename T, typename... Args>
+shared_ptr<T> make_shared(Args&&... args) {
+  return shared_ptr<T>(new T(args...));
+}
+
+struct Foo { 
+  shared_ptr<int> i;
+};
+
+void add(Foo foo) {
+  // The shared_ptr destructor will be called when foo goes out of scope
+}
+
+void test() {
+  // No warning should be emitted for this - the memory is managed by shared_ptr 
+  // in the temporary Foo object, which will properly clean up the memory
+  add({make_shared<int>(1)});
+}
+
+} // namespace shared_ptr_temporary_PR60896
