Thanks, Artem, for the clarification. It is very clear and now I understand the situation. Sorry to bother you again, but now I have yet another question.
I am now trying to make the checker work for pointer escape. Since I track the status of objects using MemRegion, I am using checkRegionChanges. I've observed something weird.
Suppose I have free functions whose definitions are not seen by current TU:
    void f(const S*);
    void g(S*);
1. Suppose I have
    S s;
    f(&s);
Then in checkRegionChanges, s's region will appear in explicit_regions but not regions.
2. Suppose I have
    S s;
    g(&s);
Then in checkRegionChanges, t's region will appear in both explicit_regions and regions.
Based on the above observations, if I want to remove s from GDM in case 2 but not 1, then I need to iterate over all entries in GDM and remove the ones that are sub-regions of any one in `region` variable, not `explicit_regions` variable. However, this doesn't work for the following case
3. If I have struct T { S s; D d; }; and U has some non-const member void D::h(); for the following call:
    T t;
    t.d.h();
Then in checkRegionChanges, t.d is in explicit_regions and t is in regions. So t.s will be removed from GDM if I check 'regions' variable, which is incorrect.
My question is: is case 1 a bug or a feature that s appears in explicit_regions? If it is by design, what is the blessed way to distinguish the above cases? Thanks.
BTW: the code that causes the behavior is
https://clang.llvm.org/doxygen/RegionStore_8cpp_source.html#l01256
    if (const MemRegion *R = V.getAsRegion()) {
      if (TopLevelRegions)
        TopLevelRegions->push_back(R);
      W.AddToWorkList(R);
      continue;
    }
All regions are added to TopLevelRegions, without checking RegionAndSymbolInvalidationTraits::TK_PreserveContents.
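
The three cases above as a stand-alone model, added as an illustration; it is not code from the original message or from Clang. Region is a toy stand-in for MemRegion, the region lists are constructed from the observations reported in the post (case 2 is taken to mean the region of s), and it shows that filtering the tracked set on either list alone gets one case wrong.

```cpp
#include <algorithm>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

// Toy stand-in for clang::ento::MemRegion: a name plus a super-region link.
struct Region {
    std::string name;
    const Region *super;  // nullptr for a top-level variable
    bool isSubRegionOf(const Region *r) const {  // inclusive of the region itself
        for (const Region *c = this; c; c = c->super)
            if (c == r) return true;
        return false;
    }
};
using RegionList = std::vector<const Region *>;

// Filter described in the post: drop every tracked region that is a
// sub-region of any region in `invalidated`.
std::set<const Region *> dropTracked(std::set<const Region *> tracked,
                                     const RegionList &invalidated) {
    for (auto it = tracked.begin(); it != tracked.end();) {
        bool hit = std::any_of(invalidated.begin(), invalidated.end(),
                               [&](const Region *r) { return (*it)->isSubRegionOf(r); });
        it = hit ? tracked.erase(it) : ++it;
    }
    return tracked;
}

// Constructed regions: s, t, t.s and t.d.
static const Region rS{"s", nullptr}, rT{"t", nullptr};
static const Region rTS{"t.s", &rT}, rTD{"t.d", &rT};

// Constructed callback inputs, copied from the observations in the post.
struct Case { RegionList explicitRegions, regions; const Region *tracked; };
static const Case case1{{&rS}, {}, &rS};       // f(&s): wanted result is "kept"
static const Case case2{{&rS}, {&rS}, &rS};    // g(&s): wanted result is "dropped"
static const Case case3{{&rTD}, {&rT}, &rTS};  // t.d.h(): t.s should be "kept"

// True if the tracked region is still tracked after filtering on one list.
bool survives(const Case &c, bool useExplicit) {
    auto left = dropTracked({c.tracked}, useExplicit ? c.explicitRegions : c.regions);
    return left.count(c.tracked) == 1;
}

int main() {
    const Case *cases[] = {&case1, &case2, &case3};
    for (const Case *c : cases)
        std::printf("%-3s by regions: %s, by explicit_regions: %s\n", c->tracked->name.c_str(),
                    survives(*c, false) ? "kept" : "dropped",
                    survives(*c, true) ? "kept" : "dropped");
}
```

Filtering on regions drops t.s in case 3, and filtering on explicit_regions drops s in case 1, which is the mismatch the question is about.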