Under certain circumstances, terminating a function by destructor, operator delete
, or operator delete[]
by throwing an exception will can trigger undefined behavior.
For instance, the C++ Standard, [basic.stc.dynamic.deallocation], paragraph 3 [ISO/IEC 14882-2014], states in part, states the following:
If a deallocation function terminates by throwing an exception, the behavior is undefined.
In these situations, the function should must logically be declared noexcept
because throwing an exception from the function can never have well-defined behavior. The C++ Standard, [except.spec], paragraph 15, states the following:
A deallocation function with no explicit exception-specification is treated as if it were specified with noexcept(true).
As such, deallocation functions (object, array, and placement forms at either global or class scope) must not be declared not terminate by throwing an exception. Do not declare such functions to be noexcept(false)
but may instead . However, it is acceptable to rely on the implicit noexcept(true)
specification or declare noexcept
explicitly .on the function signature.
Object destructors In other circumstances, terminating a function by throwing an exception has a strong potential to trigger undefined behavior. For instance, destructors are likely to be called during stack unwinding as a result of an exception being thrown. If the destructor itself throws an exception, having been called as the result of an exception being thrown, then the function std::terminate()
is called with the default effect of calling std::abort()
[ISO/IEC 14882-2014]. When std::abort()
is called, no further objects are destroyed, resulting in an indeterminate program state and undefined behavior. Do not terminate a destructor by throwing an exception.
The C++ Standard, [class.dtor], paragraph 3, states [ISO/IEC 14882-2014] the following:
A declaration of a destructor that does not have an exception-specification is implicitly considered to have the same exception-specification as an implicit declaration.
An implicit declaration of a destructor is considered to be noexcept(true)
according to [except.spec], paragraph 14. As such, destructors must not be declared noexcept(false)
but may instead rely on the implicit noexcept(true)
or declare noexcept
explicitly.
Note, any function declared noexcept
that Any noexcept
function that terminates by throwing an exception does not conform to violates ERR55-CPP. Honor exception specifications.
Noncompliant Code Example
In this noncompliant code example, the class destructor does not meet the implicit noexcept
guarantee because it may throw an exception even if it was called as the result of an exception being thrown. Consequently, it is declared as noexcept(false)
but still can trigger undefined behavior.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdexcept> class S { bool shouldThrowhas_error() const; public: ~S() noexcept(false) { // Normal processing if (shouldThrowhas_error()) { throw std::logic_error("Something bad"); } } }; |
Noncompliant Code Example (std::uncaught_exception()
)
Use of std::uncaught_exception()
in the destructor solves the termination problem by avoiding the propagation of the exception if an existing exception is being processed, as demonstrated in this noncompliant code example. However, by circumventing normal destructor processing, this approach may keep the destructor from releasing important resources.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <exception> #include <stdexcept> class S { bool shouldThrowhas_error() const; public: ~S() noexcept(false) { // Normal processing if (shouldThrowhas_error() && !std::uncaught_exception()) { throw std::logic_error("Something bad"); } } }; |
Noncompliant Code Example (function-try-block)
In this noncompliant This noncompliant code example, class SomeClass
destructor attempts to handle exceptions thrown from the destructor of the bad_member
subobject by absorbing them. However, the C++ Standard, [except.handle], paragraph 15 [ISO/IEC 14882-2014], states in part:
The currently handled exception is rethrown if control reaches the end of a handler of the function-try-block of a constructor or destructor.
Consequently, the caught exception will inevitably escape from the SomeClass
destructor. Note that exceptions thrown from noncompliant destructors of class member objects or from base classes cannot be handled because they are implicitly rethrown when control reaches the end of the function-try-block handler, which is the only way to catch such exceptionsas well as the following compliant solution, presumes the existence of a Bad
class with a destructor that can throw. Although the class violates this rule, it is presumed that the class cannot be modified to comply with this rule.
Code Block | ||||
---|---|---|---|---|
| ||||
// Assume that this class is provided by a 3rd party and it is not something
// that can be modified by the user.
class Bad {
~Bad() noexcept(false);
};
|
To safely use the Bad
class, the SomeClass
destructor attempts to handle exceptions thrown from the Bad
destructor by absorbing them.
Code Block | ||||
---|---|---|---|---|
| ||||
class SomeClass { #include <stdexcept> class SomeClass { class Bad { bool shouldThrow() const; public: ~Bad() noexcept(false) { if (shouldThrow()) { throw std::logic_error("Something bad"); } } }; Bad bad_member; public: ~SomeClass() try { // ... } catch(...) { // AttemptHandle tothe handle exceptionsexception thrown from the Bad destructor. } } |
...
;
|
However, the C++ Standard, [except.handle], paragraph 15 [ISO/IEC 14882-2014], in part, states the following:
The currently handled exception is rethrown if control reaches the end of a handler of the function-try-block of a constructor or destructor.
Consequently, the caught exception will inevitably escape from the SomeClass
destructor because it is implicitly rethrown when control reaches the end of the function-try-block handler.
Compliant Solution
A destructor should perform the same way whether or not there is an active exception. Typically, this means that it should invoke only operations that do not throw exceptions, or it should handle all exceptions . If necessary, a try-block may be used if the destructor must invoke an operation that may throw and not rethrow them (even implicitly). This compliant solution differs from the previous noncompliant code example by having an explicit return
statement in the SomeClass
destructor. This statement prevents control from reaching the end of the exception handler. Consequently, this handler will catch the exception thrown by Bad::~Bad()
when bad_member
is destroyed. It will also catch any exceptions thrown within the compound statement of the function-try-block, but the SomeClass
destructor will not terminate by throwing an exception.
Code Block | ||||
---|---|---|---|---|
| ||||
structclass SomeClass { Bad bad_member; public: ~SomeClass() try { // function-try-block try { // Ordinary try-block // Clean up } catch(...) { // Catch and handle exceptions thrown during cleanup } } catch(...) { // Catch and log exceptions thrown from noncompliant destructors of // destructors of member objects or base class subobjects. // NOTE: Returning fromFlowing off the end of a destructor function-try-block causes // causes the caught exception to be implicitly rethrown, but an explicit // return statement will prevent that from happening. return; } }; |
Noncompliant Code Example
In this noncompliant code example, a global deallocation is declared noexcept(false)
and throws an exception if some conditions are not properly met. However, throwing from a deallocation function results in undefined behavior.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdexcept> bool performDeallocperform_dealloc(void *); void operator delete(void *ptr) noexcept(false) { if (performDeallocperform_dealloc(ptr)) { throw std::logic_error("Something bad"); } } |
Compliant Solution
The compliant solution does not throw exceptions in the event the deallocation fails but instead fails as gracefully as possible:.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <cstdlib> #include <stdexcept> bool performDeallocperform_dealloc(void *); void logFailurelog_failure(const char *); void operator delete(void *ptr) noexcept(falsetrue) { if (performDeallocperform_dealloc(ptr)) { logFailurelog_failure("Deallocation of pointer failed"); std::exit(1); // Fail, but still call destructors } } |
Risk Assessment
Attempting to throw exceptions from destructors or deallocation functions can result in undefined behavior, leading to resource leaks or denial-of-service attacks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|
DCL57-CPP | Low | Likely | Medium | P6 |
L2 |
Automated Detection
Tool | Version | Checker | Description |
---|
Astrée |
| destructor-without-noexcept delete-without-noexcept | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC++-DCL57 | |||||||
CodeSonar |
| LANG.STRUCT.EXCP.CATCH LANG.STRUCT.EXCP.THROW | Use of catch Use of throw | ||||||
Helix QAC |
| C++2045, C++2047, C++4032, C++4631 | |||||||
Klocwork |
| MISRA.DTOR.THROW | |||||||
LDRA tool suite |
| 453 S | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_CPP-DCL57-a | Never allow an exception to be thrown from a destructor, deallocation, and swap | ||||||
Polyspace Bug Finder |
| CERT C++: DCL57-CPP | Checks for class destructors exiting with an exception (rule partially covered) | ||||||
PVS-Studio |
| V509, V1045 | |||||||
RuleChecker |
| destructor-without-noexcept delete-without-noexcept | Fully checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | ERR55-CPP. Honor exception specifications ERR50-CPP. Do not |
abruptly terminate the program |
MISRA C++:2008 |
Rule 15-5-1 (Required) |
Bibliography
[Henricson 1997] | Recommendation 12.5, Do not let destructors called during stack unwinding throw exceptions |
[ISO/IEC 14882-2014] | Subclause 3.4.7.2, "Deallocation Functions" |
[Meyers |
2005] | Item 8, "Prevent |
Exceptions from |
Leaving Destructors" |
[Sutter |
2000] | "Never allow exceptions from escaping destructors or from an overloaded operator delete() " (p. 29) |
...
...