Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Any noexcept function that terminates by throwing an exception violates ERR55-CPP. Honor exception specifications.

Noncompliant Code Example

In this noncompliant code example, the class destructor does not meet the implicit noexcept guarantee because it may throw an exception even if it was called as the result of an exception being thrown. Consequently, it is declared as noexcept(false) but still can trigger undefined behavior.

Code Block
bgColor#FFcccc
langcpp
#include <stdexcept>
 
class S {
  bool has_error() const;
 
public:
  ~S() noexcept(false) {
    // Normal processing
    if (has_error()) {
      throw std::logic_error("Something bad");
    }
  }
};

Noncompliant Code Example (std::uncaught_exception())

Use of std::uncaught_exception() in the destructor solves the termination problem by avoiding the propagation of the exception if an existing exception is being processed, as demonstrated in this noncompliant code example. However, by circumventing normal destructor processing, this approach may keep the destructor from releasing important resources.

Code Block
bgColor#FFcccc
langcpp
#include <exception>
#include <stdexcept>
 
class S {
  bool has_error() const;
 
public:
  ~S() {
    // Normal processing
    if (has_error() && !std::uncaught_exception()) {
      throw std::logic_error("Something bad");
    }
  }
};

Noncompliant Code Example (function-try-block)

In this noncompliant code example, class SomeClass destructor attempts to handle exceptions thrown from the destructor of the bad_member subobject by absorbing them. However, the C++ Standard, [except.handle], paragraph 15 [ISO/IEC 14882-2014], states in part:

...

Code Block
bgColor#FFcccc
langcpp
#include <stdexcept>
 
class SomeClass {
  class Bad {
    bool has_error() const;
  public:
    ~Bad() noexcept(false) {
      if (has_error()) {
        throw std::logic_error("Something bad");
      }
    }
  };

  Bad bad_member;

public:
  ~SomeClass()
  try {
    // ...
  } catch(...) {
    // Attempt to handle exceptions thrown from Bad destructor.
  }
};

Compliant Code Example (try-block)

A destructor should perform the same way whether or not there is an active exception. Typically, this means that it should invoke only operations that do not throw exceptions. If necessary, a try-block may be used if the destructor must invoke an operation that may throw an exception.

Code Block
bgColor#ccccff
langcpp
struct SomeClass {
  ~SomeClass()
    try { // function-try-block
      try {   // Ordinary try-block
        // Clean up
      } catch(...) {
        // Catch and handle exceptions thrown during cleanup
      }
    } catch(...) {
      // Catch and log exceptions thrown from noncompliant
      // destructors of member objects or base class subobjects

      // NOTE: Returning from a destructor function-try-block
      // causes the caught exception to be implicitly rethrown
    }
};

Noncompliant Code Example

In this noncompliant code example, a global deallocation is declared noexcept(false) and throws an exception if some conditions are not properly met. However, throwing from a deallocation function results in undefined behavior.

Code Block
bgColor#FFcccc
langcpp
#include <stdexcept>
 
bool perform_dealloc(void *);
 
void operator delete(void *ptr) noexcept(false) {
  if (perform_dealloc(ptr)) {
    throw std::logic_error("Something bad");
  }
}

Compliant Solution

The compliant solution does not throw exceptions in the event the deallocation fails but instead fails as gracefully as possible:

Code Block
bgColor#ccccff
langcpp
#include <cstdlib>
#include <stdexcept>
 
bool perform_dealloc(void *);
void log_failure(const char *);
 
void operator delete(void *ptr) noexcept(true) {
  if (perform_dealloc(ptr)) {
    log_failure("Deallocation of pointer failed");
    std::exit(1); // Fail, but still call destructors
  }
}

Risk Assessment

Attempting to throw exceptions from destructors or deallocation functions can result in undefined behavior, leading to resource leaks or denial-of-service attacks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL58-CPP

Low

Likely

Medium

P6

L3

Automated Detection

Tool

Version

Checker

Description

    

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[Henricson 97]Recommendation 12.5, Do not let destructors called during stack unwinding throw exceptions
[ISO/IEC 14882-2014]

Subclause 3.4.7.2, "Deallocation Functions"
Subclause 15.2, "Constructors and Destructors"
Subclause 15.3, "Handling an Exception"
Subclause 15.4, "Exception Specifications"

[Meyers 05]Item 8, "Prevent Exceptions from Leaving Destructors"
[Sutter 00]"Never allow exceptions from escaping destructors or from an overloaded operator delete()" (p. 29)

...