onnxruntime
dbc55dbb - Prevent double-free in OrtModelEditorApi ownership transfer (#28123)

Commit
16 days ago
Prevent double-free in OrtModelEditorApi ownership transfer (#28123)

### Description

The OrtModelEditorApi C API functions (AddNodeToGraph, AddGraphToModel, SetGraphInputs/SetGraphOutputs) take raw pointers and wrap them in unique_ptr to transfer ownership. Without guards, callers can pass the same pointer twice or call Release after ownership transfer, causing double-free on destruction.

### Changes

- **AddInitializerToGraph**: Copy OrtValue internally instead of taking raw pointer ownership. OrtValue uses shared_ptr for its data, so copying is cheap (refcount increment). The caller retains ownership and is responsible for releasing. This eliminates the double-free class entirely for initializers.
- **AddNodeToGraph**: Add `owned_` flag to ModelEditorNode to reject double-add, add null check.
- **AddGraphToModel**: Reject if model already has a graph, add null check for model. Add `owned_` flag to ModelEditorGraph to reject same graph added to two models.
- **SetGraphInputs/SetGraphOutputs**: Add `owned_` flag to ModelEditorValueInfo to reject already-owned ValueInfos. Detect duplicate pointers in input arrays. Pre-allocate vector capacity before ownership-transfer loop for exception safety.
- **ReleaseNode/ReleaseGraph/ReleaseValueInfo**: Check `owned_` flag before deleting. If already owned by a graph/model, the release is a safe no-op.
- **C++ wrapper**: Remove initializer.release() in AddInitializer to match copy semantics.
- **Regression tests**: Tests covering ownership-transfer guard paths, release-after-ownership, and duplicate detection.

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
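The `owned_` guard pattern the commit message describes, as an added illustration built on simplified hypothetical types (not onnxruntime's own code; the `Status` values and the `RunOwnershipScenario` helper are assumptions for this example). It shows why a second add of the same pointer, or a Release after transfer, would otherwise put one raw pointer under two deleters:

```cpp
// Simplified model of the ownership-transfer guard (hypothetical types,
// not onnxruntime's code). Status codes and names are assumptions here.
#include <memory>
#include <vector>

enum Status { kOk = 0, kInvalidArgument = 1 };

struct ModelEditorNode {
  int op_id = 0;
  bool owned_ = false;  // set once a graph has taken ownership
};

struct ModelEditorGraph {
  std::vector<std::unique_ptr<ModelEditorNode>> nodes;
};

// Transfers ownership of `node` to `graph`. Rejects null pointers and any
// node a graph already owns, so one pointer can never sit in two unique_ptrs.
Status AddNodeToGraph(ModelEditorGraph* graph, ModelEditorNode* node) {
  if (graph == nullptr || node == nullptr) return kInvalidArgument;
  if (node->owned_) return kInvalidArgument;  // double-add => double-free
  // Grow capacity first: if allocation throws, the caller still owns `node`.
  graph->nodes.reserve(graph->nodes.size() + 1);
  graph->nodes.emplace_back(node);
  node->owned_ = true;
  return kOk;
}

// Release after ownership transfer is a safe no-op. Returns true only when
// the node was actually deleted by this call.
bool ReleaseNode(ModelEditorNode* node) {
  if (node == nullptr || node->owned_) return false;
  delete node;
  return true;
}

// Walks both guard paths; true when every check behaves as described above.
bool RunOwnershipScenario() {
  ModelEditorGraph graph;
  auto* node = new ModelEditorNode{42};
  bool ok = AddNodeToGraph(&graph, node) == kOk;
  ok = ok && node->owned_;
  ok = ok && AddNodeToGraph(&graph, node) == kInvalidArgument;  // rejected
  ok = ok && !ReleaseNode(node);                                 // no-op
  ok = ok && graph.nodes.size() == 1;
  auto* orphan = new ModelEditorNode{7};
  ok = ok && ReleaseNode(orphan);  // never transferred, so freed here
  return ok;  // graph's unique_ptr frees `node` exactly once on scope exit
}
```

Without the `owned_` check, the second `emplace_back` would wrap the same pointer a second time and the graph destructor would delete it twice.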