...
Guarantee | Description | Example
---|---|---
Strong | The strong exception safety guarantee is a property of an operation such that, in addition to satisfying the basic exception safety guarantee, if the operation terminates by raising an exception it has no observable effects on program state. (See strong exception safety.) |
Basic | The basic exception safety guarantee is a property of an operation such that, if the operation terminates by raising an exception, it preserves program state invariants and prevents resource leaks. (See basic exception safety.) |
None | Code that provides neither the strong nor the basic exception safety guarantee is not exception safe. |
Code that provides no exception safety guarantee is unsafe and must be considered defective.
Non-Compliant Code Example (No Exception Safety)
The following noncompliant example shows a flawed implementation of the copy assignment operator of a dynamically sizable array class. The implicit invariants of the class are that the `array` member is a valid (possibly null) pointer and that the `nelems` member stores the number of elements in the array pointed to by `array`.
...
Compliant Solution (Strong Exception Safety)
In the compliant solution below, the copy assignment operator provides the Strong Exception Safety guarantee. The function takes care to allocate new storage for the copy before changing the state of the object. Only after the allocation succeeds does the function proceed to change the state of the object. In addition, by copying the array to the newly allocated storage before deallocating the existing array the function avoids the test for self-assignment, thus improving the performance of the code in the common case.
```cpp
#include <cstddef>   // std::size_t
#include <cstring>   // std::memcpy

class IntArray {
  int *array;
  std::size_t nelems;
public:
  // ...
  ~IntArray() { delete[] array; }

  IntArray& operator=(const IntArray &rhs) {
    // Acquire the new storage first: if new[] throws std::bad_alloc,
    // *this has not been modified and the strong guarantee holds.
    int* const tmp = new int[rhs.nelems];
    // Copy rhs.nelems elements, i.e. the size of the source object
    // (using this object's nelems here would read or write out of bounds).
    std::memcpy(tmp, rhs.array, rhs.nelems * sizeof *tmp);
    // Only now change the object's state; none of these operations can throw.
    // Copying before deleting also makes self-assignment safe without a test.
    delete[] array;
    array = tmp;
    nelems = rhs.nelems;
    return *this;
  }
  // ...
};
```
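To make the strong guarantee observable rather than just asserted, the following added example (not part of the CERT rule text) wraps the same allocate-then-commit assignment in a small `IntArray` class and injects an allocation failure through a hypothetical test hook, `g_fail_next_alloc`, which is not a real library facility. After the forced `std::bad_alloc`, the target object must still hold its previous contents and must still be assignable afterwards, which is exactly what "no observable effects on program state" plus intact class invariants means in practice. The class also guards the zero-length case so `std::memcpy` is never handed a null pointer, and exercises self-assignment, which the copy-before-delete ordering handles without an explicit check.

```cpp
#include <cstddef>
#include <cstring>
#include <new>
#include <stdexcept>

// Hypothetical fault-injection hook (constructed for this example): when
// non-zero, the next IntArray assignment throws std::bad_alloc instead of
// allocating, simulating an out-of-memory condition.
static int g_fail_next_alloc = 0;

class IntArray {
  int *array;          // valid (possibly null) pointer; class invariant
  std::size_t nelems;  // number of elements array points to; class invariant
public:
  IntArray() : array(nullptr), nelems(0) {}

  // Construct n elements all equal to fill.
  IntArray(std::size_t n, int fill) : array(n ? new int[n] : nullptr), nelems(n) {
    for (std::size_t i = 0; i < n; ++i) array[i] = fill;
  }

  // Copy construction reuses the assignment logic; members are initialised
  // first so the invariants hold even if assignment throws.
  IntArray(const IntArray &rhs) : array(nullptr), nelems(0) { *this = rhs; }

  ~IntArray() { delete[] array; }

  // Strong exception safety: every operation that can fail happens before
  // any member is modified, so a throw leaves *this untouched.
  IntArray& operator=(const IntArray &rhs) {
    if (g_fail_next_alloc) { g_fail_next_alloc = 0; throw std::bad_alloc(); }
    int *const tmp = rhs.nelems ? new int[rhs.nelems] : nullptr;
    if (rhs.nelems) std::memcpy(tmp, rhs.array, rhs.nelems * sizeof *tmp);
    // Commit phase: cannot throw. Deleting after copying keeps self-assignment safe.
    delete[] array;
    array = tmp;
    nelems = rhs.nelems;
    return *this;
  }

  std::size_t size() const { return nelems; }
  int at(std::size_t i) const {
    if (i >= nelems) throw std::out_of_range("IntArray::at");
    return array[i];
  }
};

// Returns true if an assignment that fails with bad_alloc leaves the target
// exactly as it was and still usable for a later, successful assignment.
bool strong_guarantee_holds() {
  IntArray a(3, 7);
  IntArray b(5, 1);
  g_fail_next_alloc = 1;
  bool threw = false;
  try { a = b; } catch (const std::bad_alloc &) { threw = true; }
  if (!threw) return false;
  if (a.size() != 3) return false;                 // size unchanged
  for (std::size_t i = 0; i < 3; ++i)
    if (a.at(i) != 7) return false;                // contents unchanged
  a = b;                                           // object still consistent
  return a.size() == 5 && a.at(0) == 1 && a.at(4) == 1;
}

// Returns true if self-assignment preserves the contents (no dangling read
// of freed storage), which the copy-before-delete ordering guarantees.
bool self_assignment_ok() {
  IntArray a(4, 9);
  IntArray &alias = a;   // alias avoids a compiler self-assignment warning
  a = alias;
  return a.size() == 4 && a.at(0) == 9 && a.at(3) == 9;
}

// Returns true if assigning from an empty array yields an empty, valid target.
bool empty_source_ok() {
  IntArray a(2, 5);
  IntArray empty;
  a = empty;
  return a.size() == 0;
}
```

The fault-injection hook stands in for a custom allocator or a memory-limited test harness; the property being checked is the same either way: after the exception, every invariant listed in the rule still holds, and nothing was leaked or left dangling.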
Risk Assessment
Code that is not exception safe typically leads to resource leaks, causes the program to be left in an inconsistent or unexpected state, and ultimately results in undefined behavior at some point after the first exception is thrown.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ERR39-CPP | high | likely | high | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description
---|---|---|---
 | | 4075,4076 |
Other Languages
TO DO
Bibliography
[CWE] CWE-390: Detection of Error Condition Without Action
[CWE] CWE-460: Improper Cleanup on Thrown Exception
[CWE] CWE-703: Failure to Handle Exceptional Conditions
[CWE] CWE-754: Improper Check for Unusual or Exceptional Conditions
[CWE] CWE-755: Improper Handling of Exceptional Conditions
[ISO/IEC 14882-2003]
[MISRA 08] Rule 15-3-2, 15-3-4
[Sutter 00] Sutter, Herb. Exceptional C++: 47 Engineering Puzzles, Programming Problems, and Solutions
[Sutter 01] Sutter, Herb. More Exceptional C++: 40 New Engineering Puzzles, Programming Problems, and Solutions
...