This is an archive of the discontinued LLVM Phabricator instance.

Differential D138777

[clang-tidy] Add check bugprone-multiple-new-in-one-expression.
ClosedPublic

Authored by balazske on Nov 28 2022, 1:05 AM.

Details

Reviewers
njames93
alexfh
aaron.ballman
hokein
gribozavr
whisperity
donat.nagy
carlosgalvezp
PiotrZSL
LegalizeAdulthood
Commits
rG852bf52cc957: [clang-tidy] Add check bugprone-multiple-new-in-one-expression.
rG1aa36da15369: [clang-tidy] Add check bugprone-multiple-new-in-one-expression.

Diff Detail

Event Timeline

balazske created this revision.Nov 28 2022, 1:05 AM
Herald added a reviewer: njames93. · View Herald TranscriptNov 28 2022, 1:05 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: carlosgalvezp, steakhal, martong and 4 others. · View Herald Transcript
balazske requested review of this revision.Nov 28 2022, 1:05 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 28 2022, 1:05 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
balazske added a comment.Nov 28 2022, 1:28 AM

Some of the code is copied from UnhandledExceptionAtNewCheck. Probably these checks can be merged into one NewExceptionHandlingCheck?

balazske added a reviewer: gamesh411.Nov 28 2022, 1:29 AM
Harbormaster completed remote builds in B199693: Diff 478151.Nov 28 2022, 2:01 AM
dkrupp added a comment.Nov 28 2022, 2:56 AM

Thanks for this new check. Could you please link here results of this checker on som relevant open source projects?

Eugene.Zelenko edited reviewers, added: alexfh, aaron.ballman, LegalizeAdulthood, hokein, gribozavr; removed: gamesh411.Nov 28 2022, 7:23 AM
Eugene.Zelenko added a subscriber: Eugene.Zelenko.Nov 28 2022, 7:27 AM
Eugene.Zelenko added inline comments.
clang-tools-extra/clang-tidy/bugprone/MultipleNewInOneExpressionCheck.h
26

I think check is applicable to early versions too.

clang-tools-extra/docs/clang-tidy/checks/bugprone/multiple-new-in-one-expression.rst
10

Please follow 80 characters limit.

balazske added a comment.Nov 28 2022, 7:55 AM

bitcoin, contour, qtbase, xerces was checked but nothing was detected by the check.

njames93 added a comment.Nov 28 2022, 10:37 AM

I'm really not sure this is the right approach to solve the problem. If the concern here is leaking on exceptions, then the goalpost should be flagging all calls to global new and recommend a smart pointer factory instead. I think that check could even be made as a cppcoreguideline check

balazske added a comment.Nov 29 2022, 3:06 AM

CppCoreGuidelines rule r13-perform-at-most-one-explicit-resource-allocation-in-a-single-expression-statement is applicable for this problem. The current check is more restricted. If the check is moved to cppcoreguidelines it should check for any multiple new in a single expression and probably for other "resource allocation" that is not new (if there is such case at all that can not be changed to a safe function call or is not deprecated by other rules). Probably we can have an option to switch the behavior (any 2 new or the current way) and move the check to cppcoreguidelines.

balazske added a reviewer: whisperity.Dec 7 2022, 12:04 AM

This check is not about removing any use of new. It is only about the memory leak problem that is easy to detect and mentioned in the CppCoreGuidelines and CERT MEM52-CPP rules. If it is moved to the cppcoreguidelines module I would add an option that makes the check work like it works in this patch now, if it is turned off the check can find any expression where multiple new occurs (even when || and similar operators are used). My question is would the reviewers accept the check in the current form or should it be moved to cppcoreguidelines?

Herald added a subscriber: rnkovacs. · View Herald TranscriptDec 7 2022, 12:04 AM
gamesh411 added a reviewer: donat.nagy.Jan 19 2023, 12:40 AM
donat.nagy added inline comments.Feb 14 2023, 6:23 AM
clang-tools-extra/clang-tidy/bugprone/MultipleNewInOneExpressionCheck.cpp
45–46

In general, a value can be stored by passing it to a CompoundAssignOperator. This is not relevant in the current application (pointers do not appear on the RHS of compound assignment operators); but perhaps it's worth to mention this in a short comment in case someone wishes to reuse this function in some other checker.

clang-tools-extra/docs/clang-tidy/checks/bugprone/multiple-new-in-one-expression.rst
10–15

I think the handling of the case of the short-circuiting operators is ambiguous in this long paragraph: without the examples it's unclear whether the checker reports e.g. f2(new A) || f1(new B); as an error ("Even if the order is fixed ... It is best to avoid any expression that contains more than one operator `new` call ... " suggests that even these cases are reported). Try to restructure this description, perhaps by splitting it into two paragraphs: (1) quote/state all the relevant rules of C++ evaluation order (2) describe how "bad" ordering of the two allocation causes a memory leak.

balazske updated this revision to Diff 497654.Feb 15 2023, 5:58 AM

make check available in all C++ versions, add compound operator related test and code

Harbormaster completed remote builds in B213882: Diff 497654.Feb 15 2023, 7:01 AM
LegalizeAdulthood resigned from this revision.Mar 29 2023, 8:07 AM
Herald added a subscriber: PiotrZSL. · View Herald TranscriptMar 29 2023, 8:07 AM
balazske updated this revision to Diff 512425.Apr 11 2023, 6:25 AM

Fixed documentation issues.
Check is added to list.rst.

balazske marked 2 inline comments as done.Apr 11 2023, 6:26 AM
Harbormaster completed remote builds in B224761: Diff 512425.Apr 11 2023, 7:04 AM
PiotrZSL added inline comments.Apr 11 2023, 7:04 AM
clang-tools-extra/clang-tidy/bugprone/MultipleNewInOneExpressionCheck.cpp
92

what about: `catch(...)`

103

this doesnt look valid, arg2 isn't known at this point yet, so this could be removed.
and this may not work for case like this:

callSomething({new A,  new B});

Most probably this equalsBoundNode should be on HasNewExpr2 level, to avoid duplicated newExpr, not arguments of call

and image situation like this:

try {
  something(std::shared_ptr<int>(new int), std::shared_ptr<int>(new int));
} catch(const std::bad_alloc&) {}

this in theory could also produce false-positive.

other issue is that first call could be anything, maloc, new, calloc, wzalloc, operator new(), it doesn't need to be just new.
You could try to use some simple way of checking this like, isBeforeInTransationUnit....

And this will also produce false-positive if we use new(std::nothrow) on second.
There are some "utils" to check sequence order, maybe would be good to investigate them.

106

To be honest, I don't see any reason, how this try-catch would change anything, there can be one in parent function, and we going to heave a leak if we have try-catch or not.

126

other issue I see is that same new could be matched multiple times by those Matchers

balazske marked an inline comment as done.Apr 11 2023, 9:07 AM
balazske added inline comments.
clang-tools-extra/clang-tidy/bugprone/MultipleNewInOneExpressionCheck.cpp
92

hasHandlerFor checks for it (and it is used in the test).

103

I am not an expert in how AST matchers work exactly, but this code works with the provided tests and the results look correct. I did not experience that two new in the same argument is matched, this is why the unless(equalsBoundNode(...)) is added. The "arg1" and "arg2" nodes are the direct expressions in the function call, not descendants, and a new in the same argument (any descendant) is not matched twice in this way. Otherwise this would show up in failed tests.

The code something(std::shared_ptr<int>(new int), std::shared_ptr<int>(new int)) should produce warning (it may be possible that result of the first new int is not passed to shared_ptr before the other new int is called that fails, good solution is use of std::make_shared in such case). The test code (void)f(g(new A), new B); is somewhat similar AST, the new A should be found in all cases because hasDescendant is used at HasNewExpr1 and 2.

Probably unless(equalsBoundNode("arg2")) can be removed, it is enough to have one of these checks.

InitListExpr is not handled by the current code, I need to add this case (it has fixed evaluation order).

103

The check only works with memory allocation failures that throw exceptions, but really only with new, this is the most often used. Functions like malloc do not throw exceptions.

106

The problem is that it is difficult to check if the parent function has a try-catch block, and the function can be called in different ways. This can results in false negatives. But without any try-catch block the program may not use exception handling at all (a failed new terminates the program), and it can be false positive to emit any warnings.

126

This may be possible but I think that if the same warning is found multiple times it is shown only once, otherwise every case found by the matchers is a valid warning case even if the same new is involved.

balazske updated this revision to Diff 512808.Apr 12 2023, 6:27 AM

Simplified AST matchers a bit.
Added check for list-initialization syntax at constructor call.
Added some tests.
Updated documentation.

balazske marked 2 inline comments as done.Apr 12 2023, 6:31 AM
balazske added inline comments.
clang-tools-extra/clang-tidy/bugprone/MultipleNewInOneExpressionCheck.cpp
45–46

It is mentioned now in the comment before the function.

Harbormaster completed remote builds in B225053: Diff 512808.Apr 12 2023, 7:20 AM
donat.nagy accepted this revision.Apr 18 2023, 1:12 PM
This revision is now accepted and ready to land.Apr 18 2023, 1:12 PM
Eugene.Zelenko added reviewers: carlosgalvezp, PiotrZSL.Apr 18 2023, 2:27 PM
This revision was landed with ongoing or failed builds.May 2 2023, 2:00 AM
Closed by commit rG1aa36da15369: [clang-tidy] Add check bugprone-multiple-new-in-one-expression. (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske marked an inline comment as done.
balazske added a commit: rG1aa36da15369: [clang-tidy] Add check bugprone-multiple-new-in-one-expression..
balazske added a reverting change: rG7b7a6b641afd: Revert "[clang-tidy] Add check bugprone-multiple-new-in-one-expression.".May 2 2023, 2:24 AM
balazske added a commit: rG852bf52cc957: [clang-tidy] Add check bugprone-multiple-new-in-one-expression..May 2 2023, 3:30 AM

Revision Contents

PathSize
clang-tools-extra/
clang-tidy/
bugprone/
3 lines
1 line
35 lines
162 lines
docs/
6 lines
clang-tidy/
checks/
bugprone/
99 lines
1 line
test/
clang-tidy/
checkers/
bugprone/
197 lines

Diff 518654

clang-tools-extra/clang-tidy/bugprone/BugproneTidyModule.cpp

Show All 30 Lines
#include "IntegerDivisionCheck.h" #include "IntegerDivisionCheck.h"
#include "LambdaFunctionNameCheck.h" #include "LambdaFunctionNameCheck.h"
#include "MacroParenthesesCheck.h" #include "MacroParenthesesCheck.h"
#include "MacroRepeatedSideEffectsCheck.h" #include "MacroRepeatedSideEffectsCheck.h"
#include "MisplacedOperatorInStrlenInAllocCheck.h" #include "MisplacedOperatorInStrlenInAllocCheck.h"
#include "MisplacedPointerArithmeticInAllocCheck.h" #include "MisplacedPointerArithmeticInAllocCheck.h"
#include "MisplacedWideningCastCheck.h" #include "MisplacedWideningCastCheck.h"
#include "MoveForwardingReferenceCheck.h" #include "MoveForwardingReferenceCheck.h"
#include "MultipleNewInOneExpressionCheck.h"
#include "MultipleStatementMacroCheck.h" #include "MultipleStatementMacroCheck.h"
#include "NoEscapeCheck.h" #include "NoEscapeCheck.h"
#include "NonZeroEnumToBoolConversionCheck.h" #include "NonZeroEnumToBoolConversionCheck.h"
#include "NotNullTerminatedResultCheck.h" #include "NotNullTerminatedResultCheck.h"
#include "ParentVirtualCallCheck.h" #include "ParentVirtualCallCheck.h"
#include "PosixReturnCheck.h" #include "PosixReturnCheck.h"
#include "RedundantBranchConditionCheck.h" #include "RedundantBranchConditionCheck.h"
#include "ReservedIdentifierCheck.h" #include "ReservedIdentifierCheck.h"
▲ Show 20 LinesShow All 81 Lines▼ Show 20 Lines void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
CheckFactories.registerCheck<MisplacedOperatorInStrlenInAllocCheck>( CheckFactories.registerCheck<MisplacedOperatorInStrlenInAllocCheck>(
"bugprone-misplaced-operator-in-strlen-in-alloc"); "bugprone-misplaced-operator-in-strlen-in-alloc");
CheckFactories.registerCheck<MisplacedPointerArithmeticInAllocCheck>( CheckFactories.registerCheck<MisplacedPointerArithmeticInAllocCheck>(
"bugprone-misplaced-pointer-arithmetic-in-alloc"); "bugprone-misplaced-pointer-arithmetic-in-alloc");
CheckFactories.registerCheck<MisplacedWideningCastCheck>( CheckFactories.registerCheck<MisplacedWideningCastCheck>(
"bugprone-misplaced-widening-cast"); "bugprone-misplaced-widening-cast");
CheckFactories.registerCheck<MoveForwardingReferenceCheck>( CheckFactories.registerCheck<MoveForwardingReferenceCheck>(
"bugprone-move-forwarding-reference"); "bugprone-move-forwarding-reference");
CheckFactories.registerCheck<MultipleNewInOneExpressionCheck>(
"bugprone-multiple-new-in-one-expression");
CheckFactories.registerCheck<MultipleStatementMacroCheck>( CheckFactories.registerCheck<MultipleStatementMacroCheck>(
"bugprone-multiple-statement-macro"); "bugprone-multiple-statement-macro");
CheckFactories.registerCheck<RedundantBranchConditionCheck>( CheckFactories.registerCheck<RedundantBranchConditionCheck>(
"bugprone-redundant-branch-condition"); "bugprone-redundant-branch-condition");
CheckFactories.registerCheck<cppcoreguidelines::NarrowingConversionsCheck>( CheckFactories.registerCheck<cppcoreguidelines::NarrowingConversionsCheck>(
"bugprone-narrowing-conversions"); "bugprone-narrowing-conversions");
CheckFactories.registerCheck<NoEscapeCheck>("bugprone-no-escape"); CheckFactories.registerCheck<NoEscapeCheck>("bugprone-no-escape");
CheckFactories.registerCheck<NonZeroEnumToBoolConversionCheck>( CheckFactories.registerCheck<NonZeroEnumToBoolConversionCheck>(
▲ Show 20 LinesShow All 85 LinesShow Last 20 Lines

clang-tools-extra/clang-tidy/bugprone/CMakeLists.txt

Show All 25 Linesadd_clang_library(clangTidyBugproneModule
IntegerDivisionCheck.cpp IntegerDivisionCheck.cpp
LambdaFunctionNameCheck.cpp LambdaFunctionNameCheck.cpp
MacroParenthesesCheck.cpp MacroParenthesesCheck.cpp
MacroRepeatedSideEffectsCheck.cpp MacroRepeatedSideEffectsCheck.cpp
MisplacedOperatorInStrlenInAllocCheck.cpp MisplacedOperatorInStrlenInAllocCheck.cpp
MisplacedPointerArithmeticInAllocCheck.cpp MisplacedPointerArithmeticInAllocCheck.cpp
MisplacedWideningCastCheck.cpp MisplacedWideningCastCheck.cpp
MoveForwardingReferenceCheck.cpp MoveForwardingReferenceCheck.cpp
MultipleNewInOneExpressionCheck.cpp
MultipleStatementMacroCheck.cpp MultipleStatementMacroCheck.cpp
NoEscapeCheck.cpp NoEscapeCheck.cpp
NonZeroEnumToBoolConversionCheck.cpp NonZeroEnumToBoolConversionCheck.cpp
NotNullTerminatedResultCheck.cpp NotNullTerminatedResultCheck.cpp
ParentVirtualCallCheck.cpp ParentVirtualCallCheck.cpp
PosixReturnCheck.cpp PosixReturnCheck.cpp
RedundantBranchConditionCheck.cpp RedundantBranchConditionCheck.cpp
ReservedIdentifierCheck.cpp ReservedIdentifierCheck.cpp
▲ Show 20 LinesShow All 56 LinesShow Last 20 Lines

clang-tools-extra/clang-tidy/bugprone/MultipleNewInOneExpressionCheck.h

  • This file was added.
//===--- MultipleNewInOneExpressionCheck.h - clang-tidy----------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_MULTIPLENEWINONEEXPRESSIONCHECK_H
#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_MULTIPLENEWINONEEXPRESSIONCHECK_H
#include "../ClangTidyCheck.h"
namespace clang {
namespace tidy {
namespace bugprone {
/// For the user-facing documentation see:
/// http://clang.llvm.org/extra/clang-tidy/checks/bugprone/multiple-new-in-one-expression.html
class MultipleNewInOneExpressionCheck : public ClangTidyCheck {
public:
MultipleNewInOneExpressionCheck(StringRef Name, ClangTidyContext *Context)
: ClangTidyCheck(Name, Context) {}
bool isLanguageVersionSupported(const LangOptions &LangOpts) const override {
return LangOpts.CPlusPlus;
}
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

I think check is applicable to early versions too.

Eugene.Zelenko: I think check is applicable to early versions too.
void registerMatchers(ast_matchers::MatchFinder *Finder) override;
void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
};
} // namespace bugprone
} // namespace tidy
} // namespace clang
#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_BUGPRONE_MULTIPLENEWINONEEXPRESSIONCHECK_H

clang-tools-extra/clang-tidy/bugprone/MultipleNewInOneExpressionCheck.cpp

  • This file was added.
//===--- MultipleNewInOneExpressionCheck.cpp - clang-tidy------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "MultipleNewInOneExpressionCheck.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Lex/Lexer.h"
using namespace clang::ast_matchers;
using namespace clang;
namespace {
// Determine if the result of an expression is "stored" in some way.
// It is true if the value is stored into a variable or used as initialization
// or passed to a function or constructor.
// For this use case compound assignments are not counted as a "store" (the 'E'
// expression should have pointer type).
bool isExprValueStored(const Expr *E, ASTContext &C) {
E = E->IgnoreParenCasts();
// Get first non-paren, non-cast parent.
ParentMapContext &PMap = C.getParentMapContext();
DynTypedNodeList P = PMap.getParents(*E);
if (P.size() != 1)
return false;
const Expr *ParentE;
while ((ParentE = P[0].get<Expr>()) && ParentE->IgnoreParenCasts() == E) {
P = PMap.getParents(P[0]);
if (P.size() != 1)
return false;
}
if (const auto *ParentVarD = P[0].get<VarDecl>())
return ParentVarD->getInit()->IgnoreParenCasts() == E;
if (!ParentE)
return false;
if (const auto *BinOp = dyn_cast<BinaryOperator>(ParentE))
return BinOp->getOpcode() == BO_Assign &&
BinOp->getRHS()->IgnoreParenCasts() == E;
donat.nagyUnsubmitted
Done
ReplyInline Actions

In general, a value can be stored by passing it to a CompoundAssignOperator. This is not relevant in the current application (pointers do not appear on the RHS of compound assignment operators); but perhaps it's worth to mention this in a short comment in case someone wishes to reuse this function in some other checker.

donat.nagy: In general, a value can be stored by passing it to a CompoundAssignOperator. This is not…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It is mentioned now in the comment before the function.

balazske: It is mentioned now in the comment before the function.
return isa<CallExpr, CXXConstructExpr>(ParentE);
}
} // namespace
namespace clang {
namespace tidy {
namespace bugprone {
AST_MATCHER_P(CXXTryStmt, hasHandlerFor,
ast_matchers::internal::Matcher<QualType>, InnerMatcher) {
for (unsigned NH = Node.getNumHandlers(), I = 0; I < NH; ++I) {
const CXXCatchStmt *CatchS = Node.getHandler(I);
// Check for generic catch handler (match anything).
if (CatchS->getCaughtType().isNull())
return true;
ast_matchers::internal::BoundNodesTreeBuilder Result(*Builder);
if (InnerMatcher.matches(CatchS->getCaughtType(), Finder, &Result)) {
*Builder = std::move(Result);
return true;
}
}
return false;
}
AST_MATCHER(CXXNewExpr, mayThrow) {
FunctionDecl *OperatorNew = Node.getOperatorNew();
if (!OperatorNew)
return false;
return !OperatorNew->getType()->castAs<FunctionProtoType>()->isNothrow();
}
void MultipleNewInOneExpressionCheck::registerMatchers(MatchFinder *Finder) {
auto BadAllocType =
recordType(hasDeclaration(cxxRecordDecl(hasName("::std::bad_alloc"))));
auto ExceptionType =
recordType(hasDeclaration(cxxRecordDecl(hasName("::std::exception"))));
auto BadAllocReferenceType = referenceType(pointee(BadAllocType));
auto ExceptionReferenceType = referenceType(pointee(ExceptionType));
auto CatchBadAllocType =
qualType(hasCanonicalType(anyOf(BadAllocType, BadAllocReferenceType,
ExceptionType, ExceptionReferenceType)));
auto BadAllocCatchingTryBlock = cxxTryStmt(hasHandlerFor(CatchBadAllocType));
PiotrZSLUnsubmitted
Done
ReplyInline Actions

what about: `catch(...)`

PiotrZSL: what about: ```catch(...)```
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

hasHandlerFor checks for it (and it is used in the test).

balazske: `hasHandlerFor` checks for it (and it is used in the test).
auto NewExprMayThrow = cxxNewExpr(mayThrow());
auto HasNewExpr1 = expr(anyOf(NewExprMayThrow.bind("new1"),
hasDescendant(NewExprMayThrow.bind("new1"))));
auto HasNewExpr2 = expr(anyOf(NewExprMayThrow.bind("new2"),
hasDescendant(NewExprMayThrow.bind("new2"))));
Finder->addMatcher(
callExpr(
hasAnyArgument(
expr(HasNewExpr1).bind("arg1")),
hasAnyArgument(
PiotrZSLUnsubmitted
Not Done
ReplyInline Actions

this doesnt look valid, arg2 isn't known at this point yet, so this could be removed.
and this may not work for case like this:

callSomething({new A,  new B});

Most probably this equalsBoundNode should be on HasNewExpr2 level, to avoid duplicated newExpr, not arguments of call

and image situation like this:

try {
  something(std::shared_ptr<int>(new int), std::shared_ptr<int>(new int));
} catch(const std::bad_alloc&) {}

this in theory could also produce false-positive.

other issue is that first call could be anything, maloc, new, calloc, wzalloc, operator new(), it doesn't need to be just new.
You could try to use some simple way of checking this like, isBeforeInTransationUnit....

And this will also produce false-positive if we use new(std::nothrow) on second.
There are some "utils" to check sequence order, maybe would be good to investigate them.

PiotrZSL: this doesnt look valid, arg2 isn't known at this point yet, so this could be removed. and this…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I am not an expert in how AST matchers work exactly, but this code works with the provided tests and the results look correct. I did not experience that two new in the same argument is matched, this is why the unless(equalsBoundNode(...)) is added. The "arg1" and "arg2" nodes are the direct expressions in the function call, not descendants, and a new in the same argument (any descendant) is not matched twice in this way. Otherwise this would show up in failed tests.

The code something(std::shared_ptr<int>(new int), std::shared_ptr<int>(new int)) should produce warning (it may be possible that result of the first new int is not passed to shared_ptr before the other new int is called that fails, good solution is use of std::make_shared in such case). The test code (void)f(g(new A), new B); is somewhat similar AST, the new A should be found in all cases because hasDescendant is used at HasNewExpr1 and 2.

Probably unless(equalsBoundNode("arg2")) can be removed, it is enough to have one of these checks.

InitListExpr is not handled by the current code, I need to add this case (it has fixed evaluation order).

balazske: I am not an expert in how AST matchers work exactly, but this code works with the provided…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The check only works with memory allocation failures that throw exceptions, but really only with new, this is the most often used. Functions like malloc do not throw exceptions.

balazske: The check only works with memory allocation failures that throw exceptions, but really only…
expr(HasNewExpr2, unless(equalsBoundNode("arg1"))).bind("arg2")),
hasAncestor(BadAllocCatchingTryBlock)),
this);
PiotrZSLUnsubmitted
Not Done
ReplyInline Actions

To be honest, I don't see any reason, how this try-catch would change anything, there can be one in parent function, and we going to heave a leak if we have try-catch or not.

PiotrZSL: To be honest, I don't see any reason, how this try-catch would change anything, there can be…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The problem is that it is difficult to check if the parent function has a try-catch block, and the function can be called in different ways. This can results in false negatives. But without any try-catch block the program may not use exception handling at all (a failed new terminates the program), and it can be false positive to emit any warnings.

balazske: The problem is that it is difficult to check if the parent function has a try-catch block, and…
Finder->addMatcher(
cxxConstructExpr(
hasAnyArgument(
expr(HasNewExpr1).bind("arg1")),
hasAnyArgument(
expr(HasNewExpr2, unless(equalsBoundNode("arg1"))).bind("arg2")),
unless(isListInitialization()),
hasAncestor(BadAllocCatchingTryBlock)),
this);
Finder->addMatcher(binaryOperator(hasLHS(HasNewExpr1), hasRHS(HasNewExpr2),
unless(hasAnyOperatorName("&&", "||", ",")),
hasAncestor(BadAllocCatchingTryBlock)),
this);
Finder->addMatcher(
cxxNewExpr(mayThrow(),
hasDescendant(NewExprMayThrow.bind("new2_in_new1")),
hasAncestor(BadAllocCatchingTryBlock))
.bind("new1"),
this);
}
PiotrZSLUnsubmitted
Not Done
ReplyInline Actions

other issue I see is that same new could be matched multiple times by those Matchers

PiotrZSL: other issue I see is that same new could be matched multiple times by those Matchers
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This may be possible but I think that if the same warning is found multiple times it is shown only once, otherwise every case found by the matchers is a valid warning case even if the same new is involved.

balazske: This may be possible but I think that if the same warning is found multiple times it is shown…
void MultipleNewInOneExpressionCheck::check(
const MatchFinder::MatchResult &Result) {
const auto *NewExpr1 = Result.Nodes.getNodeAs<CXXNewExpr>("new1");
const auto *NewExpr2 = Result.Nodes.getNodeAs<CXXNewExpr>("new2");
const auto *NewExpr2InNewExpr1 =
Result.Nodes.getNodeAs<CXXNewExpr>("new2_in_new1");
if (!NewExpr2)
NewExpr2 = NewExpr2InNewExpr1;
assert(NewExpr1 && NewExpr2 && "Bound nodes not found.");
// No warning if both allocations are not stored.
// The value may be intentionally not stored (no deallocations needed or
// self-destructing object).
if (!isExprValueStored(NewExpr1, *Result.Context) &&
!isExprValueStored(NewExpr2, *Result.Context))
return;
// In C++17 sequencing of a 'new' inside constructor arguments of another
// 'new' is fixed. Still a leak can happen if the returned value from the
// first 'new' is not saved (yet) and the second fails.
if (getLangOpts().CPlusPlus17 && NewExpr2InNewExpr1)
diag(NewExpr1->getBeginLoc(),
"memory allocation may leak if an other allocation is sequenced after "
"it and throws an exception")
<< NewExpr1->getSourceRange() << NewExpr2->getSourceRange();
else
diag(NewExpr1->getBeginLoc(),
"memory allocation may leak if an other allocation is sequenced after "
"it and throws an exception; order of these allocations is undefined")
<< NewExpr1->getSourceRange() << NewExpr2->getSourceRange();
}
} // namespace bugprone
} // namespace tidy
} // namespace clang

clang-tools-extra/docs/ReleaseNotes.rst

Show First 20 LinesShow All 100 Lines▼ Show 20 Lines
- Support specifying `Checks` as a YAML list in the `.clang-tidy` configuration - Support specifying `Checks` as a YAML list in the `.clang-tidy` configuration
file. file.
- Fix a potential crash when using the `--dump-config` option. - Fix a potential crash when using the `--dump-config` option.
New checks New checks
^^^^^^^^^^ ^^^^^^^^^^
- New :doc:`bugprone-multiple-new-in-one-expression
<clang-tidy/checks/bugprone/multiple-new-in-one-expression>` check.
Finds multiple ``new`` operator calls in a single expression, where the allocated
memory by the first ``new`` may leak if the second allocation fails and throws exception.
- New :doc:`bugprone-non-zero-enum-to-bool-conversion - New :doc:`bugprone-non-zero-enum-to-bool-conversion
<clang-tidy/checks/bugprone/non-zero-enum-to-bool-conversion>` check. <clang-tidy/checks/bugprone/non-zero-enum-to-bool-conversion>` check.
Detect implicit and explicit casts of ``enum`` type into ``bool`` where ``enum`` type Detect implicit and explicit casts of ``enum`` type into ``bool`` where ``enum`` type
doesn't have a zero-value enumerator. doesn't have a zero-value enumerator.
- New :doc:`bugprone-unsafe-functions - New :doc:`bugprone-unsafe-functions
<clang-tidy/checks/bugprone/unsafe-functions>` check. <clang-tidy/checks/bugprone/unsafe-functions>` check.
▲ Show 20 LinesShow All 274 LinesShow Last 20 Lines

clang-tools-extra/docs/clang-tidy/checks/bugprone/multiple-new-in-one-expression.rst

  • This file was added.
.. title:: clang-tidy - bugprone-multiple-new-in-one-expression
bugprone-multiple-new-in-one-expression
=======================================
Finds multiple ``new`` operator calls in a single expression, where the
allocated memory by the first ``new`` may leak if the second allocation fails
and throws exception.
C++ does often not specify the exact order of evaluation of the operands of an
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Please follow 80 characters limit.

Eugene.Zelenko: Please follow 80 characters limit.
operator or arguments of a function. Therefore if a first allocation succeeds
and a second fails, in an exception handler it is not possible to tell which
allocation has failed and free the memory. Even if the order is fixed the result
of a first ``new`` may be stored in a temporary location that is not reachable
at the time when a second allocation fails. It is best to avoid any expression
donat.nagyUnsubmitted
Done
ReplyInline Actions

I think the handling of the case of the short-circuiting operators is ambiguous in this long paragraph: without the examples it's unclear whether the checker reports e.g. f2(new A) || f1(new B); as an error ("Even if the order is fixed ... It is best to avoid any expression that contains more than one operator `new` call ... " suggests that even these cases are reported). Try to restructure this description, perhaps by splitting it into two paragraphs: (1) quote/state all the relevant rules of C++ evaluation order (2) describe how "bad" ordering of the two allocation causes a memory leak.

donat.nagy: I think the handling of the case of the short-circuiting operators is ambiguous in this long…
that contains more than one ``operator new`` call, if exception handling is
used to check for allocation errors.
Different rules apply for are the short-circuit operators ``||`` and ``&&`` and
the ``,`` operator, where evaluation of one side must be completed before the
other starts. Expressions of a list-initialization (initialization or
construction using ``{`` and ``}`` characters) are evaluated in fixed order.
Similarly, condition of a ``?`` operator is evaluated before the branches are
evaluated.
The check reports warning if two ``new`` calls appear in one expression at
different sides of an operator, or if ``new`` calls appear in different
arguments of a function call (that can be an object construction with ``()``
syntax). These ``new`` calls can be nested at any level.
For any warning to be emitted the ``new`` calls should be in a code block where
exception handling is used with catch for ``std::bad_alloc`` or
``std::exception``. At ``||``, ``&&``, ``,``, ``?`` (condition and one branch)
operators no warning is emitted. No warning is emitted if both of the memory
allocations are not assigned to a variable or not passed directly to a function.
The reason is that in this case the memory may be intentionally not freed or the
allocated objects can be self-destructing objects.
Examples:
.. code-block:: c++
struct A {
int Var;
};
struct B {
B();
B(A *);
int Var;
};
struct C {
int *X1;
int *X2;
};
void f(A *, B *);
int f1(A *);
int f1(B *);
bool f2(A *);
void foo() {
A *PtrA;
B *PtrB;
try {
// Allocation of 'B'/'A' may fail after memory for 'A'/'B' was allocated.
f(new A, new B); // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception; order of these allocations is undefined
// List (aggregate) initialization is used.
C C1{new int, new int}; // no warning
// Allocation of 'B'/'A' may fail after memory for 'A'/'B' was allocated but not yet passed to function 'f1'.
int X = f1(new A) + f1(new B); // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception; order of these allocations is undefined
// Allocation of 'B' may fail after memory for 'A' was allocated.
// From C++17 on memory for 'B' is allocated first but still may leak if allocation of 'A' fails.
PtrB = new B(new A); // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception
// 'new A' and 'new B' may be performed in any order.
// 'new B'/'new A' may fail after memory for 'A'/'B' was allocated but not assigned to 'PtrA'/'PtrB'.
(PtrA = new A)->Var = (PtrB = new B)->Var; // warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception; order of these allocations is undefined
// Evaluation of 'f2(new A)' must be finished before 'f1(new B)' starts.
// If 'new B' fails the allocated memory for 'A' is supposedly handled correctly because function 'f2' could take the ownership.
bool Z = f2(new A) || f1(new B); // no warning
X = (f2(new A) ? f1(new A) : f1(new B)); // no warning
// No warning if the result of both allocations is not passed to a function
// or stored in a variable.
(new A)->Var = (new B)->Var; // no warning
// No warning if at least one non-throwing allocation is used.
f(new(std::nothrow) A, new B); // no warning
} catch(std::bad_alloc) {
}
// No warning if the allocation is outside a try block (or no catch handler exists for std::bad_alloc).
// (The fact if exceptions can escape from 'foo' is not taken into account.)
f(new A, new B); // no warning
}

clang-tools-extra/docs/clang-tidy/checks/list.rst

Show First 20 LinesShow All 96 Lines▼ Show 20 Lines.. csv-table::
`bugprone-integer-division <bugprone/integer-division.html>`_, `bugprone-integer-division <bugprone/integer-division.html>`_,
`bugprone-lambda-function-name <bugprone/lambda-function-name.html>`_, `bugprone-lambda-function-name <bugprone/lambda-function-name.html>`_,
`bugprone-macro-parentheses <bugprone/macro-parentheses.html>`_, "Yes" `bugprone-macro-parentheses <bugprone/macro-parentheses.html>`_, "Yes"
`bugprone-macro-repeated-side-effects <bugprone/macro-repeated-side-effects.html>`_, `bugprone-macro-repeated-side-effects <bugprone/macro-repeated-side-effects.html>`_,
`bugprone-misplaced-operator-in-strlen-in-alloc <bugprone/misplaced-operator-in-strlen-in-alloc.html>`_, "Yes" `bugprone-misplaced-operator-in-strlen-in-alloc <bugprone/misplaced-operator-in-strlen-in-alloc.html>`_, "Yes"
`bugprone-misplaced-pointer-arithmetic-in-alloc <bugprone/misplaced-pointer-arithmetic-in-alloc.html>`_, "Yes" `bugprone-misplaced-pointer-arithmetic-in-alloc <bugprone/misplaced-pointer-arithmetic-in-alloc.html>`_, "Yes"
`bugprone-misplaced-widening-cast <bugprone/misplaced-widening-cast.html>`_, `bugprone-misplaced-widening-cast <bugprone/misplaced-widening-cast.html>`_,
`bugprone-move-forwarding-reference <bugprone/move-forwarding-reference.html>`_, "Yes" `bugprone-move-forwarding-reference <bugprone/move-forwarding-reference.html>`_, "Yes"
`bugprone-multiple-new-in-one-expression <bugprone/multiple-new-in-one-expression.html>`_,
`bugprone-multiple-statement-macro <bugprone/multiple-statement-macro.html>`_, `bugprone-multiple-statement-macro <bugprone/multiple-statement-macro.html>`_,
`bugprone-no-escape <bugprone/no-escape.html>`_, `bugprone-no-escape <bugprone/no-escape.html>`_,
`bugprone-non-zero-enum-to-bool-conversion <bugprone/non-zero-enum-to-bool-conversion.html>`_, `bugprone-non-zero-enum-to-bool-conversion <bugprone/non-zero-enum-to-bool-conversion.html>`_,
`bugprone-not-null-terminated-result <bugprone/not-null-terminated-result.html>`_, "Yes" `bugprone-not-null-terminated-result <bugprone/not-null-terminated-result.html>`_, "Yes"
`bugprone-parent-virtual-call <bugprone/parent-virtual-call.html>`_, "Yes" `bugprone-parent-virtual-call <bugprone/parent-virtual-call.html>`_, "Yes"
`bugprone-posix-return <bugprone/posix-return.html>`_, "Yes" `bugprone-posix-return <bugprone/posix-return.html>`_, "Yes"
`bugprone-redundant-branch-condition <bugprone/redundant-branch-condition.html>`_, "Yes" `bugprone-redundant-branch-condition <bugprone/redundant-branch-condition.html>`_, "Yes"
`bugprone-reserved-identifier <bugprone/reserved-identifier.html>`_, "Yes" `bugprone-reserved-identifier <bugprone/reserved-identifier.html>`_, "Yes"
▲ Show 20 LinesShow All 400 LinesShow Last 20 Lines

clang-tools-extra/test/clang-tidy/checkers/bugprone/multiple-new-in-one-expression.cpp

  • This file was added.
// RUN: %check_clang_tidy -std=c++11 -check-suffixes=ALL,CPP11 %s bugprone-multiple-new-in-one-expression %t
// RUN: %check_clang_tidy -std=c++17 -check-suffixes=ALL,CPP17 %s bugprone-multiple-new-in-one-expression %t
namespace std {
typedef __typeof__(sizeof(0)) size_t;
enum class align_val_t : std::size_t {};
class exception {};
class bad_alloc : public exception {};
struct nothrow_t {};
extern const nothrow_t nothrow;
} // namespace std
void *operator new(std::size_t, const std::nothrow_t &) noexcept;
void *operator new(std::size_t, std::align_val_t, const std::nothrow_t &) noexcept;
void *operator new(std::size_t, void *) noexcept;
void *operator new(std::size_t, char);
struct B;
struct A { int VarI; int *PtrI; B *PtrB; };
struct B { int VarI; };
struct G {
G(A*, B*) {}
int operator+=(A *) { return 3; };
};
struct H {
int *a;
int *b;
};
int f(int);
int f(A*);
int f(A*, B*);
int f(int, B*);
int f(G, G);
int f(B*);
int f(const H &);
void f1(void *, void *);
A *g(A *);
G operator+(const G&, const G&);
void test_function_parameter(A *XA, B *XB) {
(void)f(new A, new B);
try {
(void)f(new A, new B);
}
catch (A) {};
try {
(void)f(new A, new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:13: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception; order of these allocations is undefined [
(void)f(f(new A, new B));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:15: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
int X = f(new A, new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:15: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
X = f(new A, new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:11: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
X = 1 + f(new A, new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:15: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)f(g(new A), new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:15: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)f(1 + f(new A), new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:19: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)f(XA = new A, new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:18: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)f(1 + f(new A), XB = new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:19: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
}
catch (std::exception) {}
}
void test_operator(G *G1) {
(void)(f(new A) + f(new B));
try {
(void)(f(new A) + f(new B));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:14: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)f(f(new A) + f(new B));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:15: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
int X = f(new A) + f(new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:15: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
X = f(new A) + f(new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:11: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
X = 1 + f(new A) + 1 + f(new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:15: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)(f(g(new A)) + f(new B));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:16: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)(f(1 + f(new A)) + f(new B));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:20: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)(f(1 + f(new A)) + f(1 + f(new B)));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:20: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)((new A)->VarI + (new A)->VarI);
(void)(f(new A) + ((*G1) += new A));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:14: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
}
catch (std::bad_alloc) {}
}
void test_construct() {
(void)(G(new A, new B));
try {
(void)(G(new A, new B));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:14: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)(G(new A, nullptr) + G(nullptr, new B));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:14: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
f(G(new A, nullptr), G(new A, nullptr));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:9: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)new G(new A, nullptr);
// CHECK-MESSAGES-CPP11: :[[@LINE-1]]:11: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
// CHECK-MESSAGES-CPP17: :[[@LINE-2]]:11: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception [
(void)new G(nullptr, (new A)->PtrB);
G *Z = new G(new A, nullptr);
// CHECK-MESSAGES-CPP11: :[[@LINE-1]]:12: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
// CHECK-MESSAGES-CPP17: :[[@LINE-2]]:12: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception [
Z = new G(g(new A), nullptr);
// CHECK-MESSAGES-CPP11: :[[@LINE-1]]:9: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
// CHECK-MESSAGES-CPP17: :[[@LINE-2]]:9: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception [
G *Z1, *Z2 = new G(nullptr, (new A)->PtrB), *Z3;
// CHECK-MESSAGES-CPP11: :[[@LINE-1]]:18: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
// CHECK-MESSAGES-CPP17: :[[@LINE-2]]:18: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception [
}
catch (const std::bad_alloc &) {}
}
void test_new_assign() {
A *X, *Y;
(X = new A)->VarI = (Y = new A)->VarI;
try {
(X = new A)->VarI = (Y = new A)->VarI;
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:10: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(new A)->VarI = (Y = new A)->VarI;
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:6: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(X = new A)->VarI = (new A)->VarI;
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:10: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(new A)->VarI = (new A)->VarI;
(new A)->PtrI = new int;
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:6: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(X = new A)->VarI += (new A)->VarI;
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:10: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
}
catch (...) {}
}
void test_operator_fixed_order(unsigned int L) {
(void)(f((f(new A) || f(0)) + f(new B[L])));
try {
(void)(f(new A) || f(new B));
(void)(f(new A) && f(new B));
(void)(f(new A) || f(new B) || f(new A));
(void)(f(new A), f(new B));
int Y = f(0, new B) ? f(new A) : f(new B);
Y = f(new A) ? 1 : f(new B);
Y = f(new A) ? f(new B) : 1;
G g{new A, new B};
H h{new int, new int};
f({new int, new int});
(void)f({new A, new B}, {nullptr, nullptr});
(void)f({new A, new B}, {new A, nullptr});
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:14: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
(void)(f((f(new A) || f(0)) + f(new B[L])));
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:17: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
}
catch (std::bad_alloc) {}
}
void test_cast() {
try {
f1(static_cast<void *>(new A), new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:28: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
}
catch (std::bad_alloc &) {}
}
void test_nothrow(void *P) {
try {
(void)f(new(std::nothrow) A, new B);
(void)f(new A, new(std::nothrow) B);
(void)f(new(static_cast<std::align_val_t>(8), std::nothrow) A, new B);
(void)f(new(P) A, new B);
(void)f(new('a') A, new B);
// CHECK-MESSAGES-ALL: :[[@LINE-1]]:13: warning: memory allocation may leak if an other allocation is sequenced after it and throws an exception;
}
catch (std::exception) {}
}