False positive in clang-analyzer-cplusplus.NewDeleteLeaks for std::unique_ptr

[ns-osmolsky]

#include <memory>
#include <cstring>
#include <string>

struct Repro {
    std::unique_ptr<int> m_ptr;

    struct Other {
        char url[256];
    };
    char m_buff[1000];

    void CopyIn()
    {
        auto other = (Other *)m_buff;

        std::string local_url = "foo bar";
        strncpy(other->url, local_url.c_str(), sizeof(other->url) - 1);
    }
};

void
bug()
{
    Repro rep;
    rep.m_ptr = std::make_unique<int>();
    rep.CopyIn();
}

clang-tidy reports the following when building against the GCC-15's libstdc++:

repro.cpp:19:5: error: Potential leak of memory pointed to by field '_M_head_impl' [clang-analyzer-cplusplus.NewDeleteLeaks,-warnings-as-errors]
   19 |     }
      |     ^
repro.cpp:26:17: note: Calling 'make_unique<int, >'
   26 |     rep.m_ptr = std::make_unique<int>();
      |                 ^~~~~~~~~~~~~~~~~~~~~~~
/opt/gcc-15/lib/gcc/x86_64-pc-linux-gnu/15.1.1/../../../../include/c++/15.1.1/bits/unique_ptr.h:1085:30: note: Memory is allocated
 1085 |     { return unique_ptr<_Tp>(new _Tp(std::forward<_Args>(__args)...)); }
      |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:26:17: note: Returned allocated memory
   26 |     rep.m_ptr = std::make_unique<int>();
      |                 ^~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:5: note: Calling 'Repro::CopyIn'
   27 |     rep.CopyIn();
      |     ^~~~~~~~~~~~
repro.cpp:19:5: note: Potential leak of memory pointed to by field '_M_head_impl'
   19 |     }
      |     ^

There is clearly no leak here and the warning goes away if the code is tweaked just a little bit... I cannot understand

[ns-osmolsky]

I cannot understand why/how this code gets flagged by the analyzer... especially given that tiny changes such as this eliminate the warning:

    void CopyIn()
    {
        auto other = (Other *)m_buff;
        strncpy(other->url, "foo bar", sizeof(other->url) - 1);
    }

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: Oleg Smolsky (ns-osmolsky)

``` #include <memory> #include <cstring> #include <string>

struct Repro {
std::unique_ptr<int> m_ptr;

struct Other {
    char url[256];
};
char m_buff[1000];

void CopyIn()
{
    auto other = (Other *)m_buff;

    std::string local_url = "foo bar";
    strncpy(other->url, local_url.c_str(), sizeof(other->url) - 1);
}

};

void
bug()
{
Repro rep;
rep.m_ptr = std::make_unique<int>();
rep.CopyIn();
}

`clang-tidy` reports the following when building against the GCC-15's libstdc++:

repro.cpp:19:5: error: Potential leak of memory pointed to by field '_M_head_impl' [clang-analyzer-cplusplus.NewDeleteLeaks,-warnings-as-errors]
19 | }
| ^
repro.cpp:26:17: note: Calling 'make_unique<int, >'
26 | rep.m_ptr = std::make_unique<int>();
| ^~~~~~~~~~~~~~~~~~~~~~~
/opt/gcc-15/lib/gcc/x86_64-pc-linux-gnu/15.1.1/../../../../include/c++/15.1.1/bits/unique_ptr.h:1085:30: note: Memory is allocated
1085 | { return unique_ptr<_Tp>(new _Tp(std::forward<_Args>(__args)...)); }
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:26:17: note: Returned allocated memory
26 | rep.m_ptr = std::make_unique<int>();
| ^~~~~~~~~~~~~~~~~~~~~~~
repro.cpp:27:5: note: Calling 'Repro::CopyIn'
27 | rep.CopyIn();
| ^~~~~~~~~~~~
repro.cpp:19:5: note: Potential leak of memory pointed to by field '_M_head_impl'
19 | }
| ^

There is clearly no leak here and the warning goes away if the code is tweaked just a little bit... I cannot understand 
</details>

[steakhal]

Did you use clang tidy trunk?

[ns-osmolsky]

Did you use clang tidy trunk?

This issue is present in 20.1.3 and 20.1.6. I have not tried Trunk.

[ns-lwu]

Hope I get CE right.
Tried clang trunk and 20.1 both report the same issue
https://godbolt.org/z/MzWMxG6dr

[ns-osmolsky]

The issue is still present in Trunk. Here is a direct repro with the clang-tidy selected as the tool: https://godbolt.org/z/MbM4c1Pdr

[ns-osmolsky]

Here is a slightly reduced repro: eliminated casts and extra types.

#include <memory>
#include <cstring>
#include <string>

struct Repro {
    std::unique_ptr<int> m_ptr;
    char m_buff[1000];

    void CopyIn(const std::string &url)
    {
        strncpy(m_buff, url.c_str(), sizeof(m_buff) - 1);
    }
};

void Bug()
{
    Repro rep;
    rep.m_ptr = std::make_unique<int>();
    rep.CopyIn("foo bar");
}

[steakhal]

Thabk you.
/CC @necto

[necto]

I have stumbled upon a similar false positive raising when I use a custom deleter with std::unique_ptr. It seems to be caused by 9b2ec87
A partial fix b756c82 did not cover the case of a copy-initialized deleter, so the false-positive with a custom deleter remains in Clang-20.

In your case, seems to be somewhat different, though, so I encourage you to try if FP appears before or after 9b2ec87