Lambda expressions may capture objects with automatic storage duration from the set of enclosing scopes (called the reaching scope) for use in the lambda's function body. These captures may be either be explicit, by specifying the object to capture in the lambdas lambda's capture-list, or implicit, by using a capture-default and and referring to the object within the lambda's function body. When capturing an object , explicitly or implicitly, the capture-default indicates that the object is either captured by copy or (using =)
or captured by reference (using &
). When an object is captured by copy, the lambda object will contain an unnamed nonstatic data member that is initialized to the value of the object being captured. This nonstatic data member's lifetime is that of the lambda object's lifetime. However, when an object is captured by reference, the lifetime of the referent is not tied to the lifetime of the lambda object.
Because entities captured are objects with automatic storage duration (or this
), a general guideline is that functions returning a lambda object (including returning via a reference parameter), or storing a lambda object in a member variable or global, should not capture an entity by reference because the lambda object will likely outlive often outlives the captured reference object.
When a lambda object outlives one of its reference-captured objects, execution of the lambda object's function call operator results in undefined behavior once that reference-captured object is accessed. Therefore, a lambda object must not outlive any of its reference-captured objects. This is a specific instance of EXP54-CPP. Do not access an object outside of its lifetime.
...
Code Block | ||||
---|---|---|---|---|
| ||||
auto g() { int i = 12; return [&] { i = 100; return i; }; } void f() { int ij = g()(); } |
Compliant Solution
...
Code Block | ||||
---|---|---|---|---|
| ||||
auto g() { int i = 12; return [=] () mutable { i = 100; return i; }; } void f() { int ij = g()(); } |
Noncompliant Code Example
...
Code Block | ||||
---|---|---|---|---|
| ||||
auto g(int val) { auto outer = [val] { int i = val; auto inner = [&] { i += 30; return i; }; return inner; }; return outer(); } void f() { auto fn = g(12); int ij = fn(); } |
Compliant Solution
In this compliant solution, the inner lambda captures i
by copy instead of by reference:.
Code Block | ||||
---|---|---|---|---|
| ||||
auto g(int val) { auto outer = [val] { int i = val; auto inner = [i] { return i + 30; }; return inner; }; return outer(); } void f() { auto fn = g(12); int ij = fn(); } |
Risk Assessment
Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP61-CPP | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|
Astrée |
| invalid_pointer_dereference | |||||||
Helix QAC |
| DF4706, DF4707, DF4708 | |||||||
Klocwork |
| LOCRET.RET | |||||||
Parasoft C/C++test |
| CERT_CPP-EXP61-a | Never return lambdas that capture local objects by reference | ||||||
Polyspace Bug Finder |
| CERT C++: EXP61-CPP | Checks for situations where object escapes scope through lambda expressions (rule fully covered) | ||||||
PVS-Studio |
| V1047 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
...