Page History

...

Note, any function declared noexcept which terminates by throwing an exception does not conform to ERR37ERR55-CPP. Honor exception specifications.

Noncompliant Code Example

In this noncompliant code example, the class destructor does not meet the implicit noexcept guarantee because it may throw an exception even if it was called as the result of an exception being thrown. Thus, it is declared as noexcept(false), but can still trigger undefined behavior.

#include <stdexcept>
 
class S {
  bool shouldThrow() const;
 
public:
  ~S() noexcept(false) {
    // normal processing
    if (shouldThrow()) {
      throw std::logic_error("Something bad");
    }
  }
};

Noncompliant Code Example (std::uncaught_exception())

Use of std::uncaught_exception() in the destructor solves the termination problem by avoiding the propagation of the exception if an existing exception is being processed, as demonstrated in this noncompliant code example. However, by circumventing normal destructor processing, this approach may keep the destructor from releasing important resources.

#include <exception>
#include <stdexcept>
 
class S {
  bool shouldThrow() const;
 
public:
  ~S() {
    // normal processing
    if (shouldThrow() && !std::uncaught_exception()) {
      throw std::logic_error("Something bad");
    }
  }
};

Noncompliant Code Example (function-try-block)

In this noncompliant code example, class SomeClass destructor attempts to handle exceptions thrown from the destructor of the bad_member subobject, by absorbing them. However, the C++ Standard, [except.handle], paragraph 15 states in part [ISO/IEC 14882-2014]:

...

#include <stdexcept>
 
class SomeClass {
  class Bad {
    bool shouldThrow() const;
  public:
    ~Bad() noexcept(false) {
      if (shouldThrow()) {
        throw std::logic_error("Something bad");
      }
    }
  };

  Bad bad_member;

public:
  ~SomeClass()
  try {
    // ...
  } catch(...) {
    // Attempt to handle exceptions thrown from Bad destructor.
  }
}

Compliant Code Example (try-block)

A destructor should perform the same way whether or not there is an active exception. Typically, this means that it should invoke only operations that do not throw exceptions. If necessary, a try-block may be used if the destructor must invoke an operation that may throw an exception.

struct SomeClass {
  ~SomeClass()
    try { // function-try-block
      try {   // ordinary try-block
        // clean up
      } catch(...) {
        // catch and handle exceptions thrown during cleanup
      }
    } catch(...) {
      // catch and log exceptions thrown from non-compliant
      // destructors of member objects or base class subobjects

      // NOTE: returning from a destructor function-try-block
      // causes the caught exception to be implicitly rethrown
    }
};

Noncompliant Code Example

In this noncompliant code example, a global deallocation is declared noexcept(false) and throws an exception if some conditions are not properly met. However, throwing from a deallocation function results in undefined behavior.

#include <stdexcept>
 
bool performDealloc(void *);
 
void operator delete(void *ptr) noexcept(false) {
  if (performDealloc(ptr)) {
    throw std::logic_error("Something bad");
  }
}

Compliant Solution

The compliant solution does not throw exceptions in the event the deallocation fails, but instead fails as gracefully as possible:

#include <cstdlib>
#include <stdexcept>
 
bool performDealloc(void *);
void logFailure(const char *);
 
void operator delete(void *ptr) noexcept(false) {
  if (performDealloc(ptr)) {
    logFailure("Deallocation of pointer failed");
    std::exit(1); // Fail, but still call destructors
  }
}

Risk Assessment

Attempting to throw exceptions from destructors or deallocation functions can result in undefined behavior, leading to resource leaks or denial-of-service attacks.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...