...
Based on the preceding effects, the following table distinguishes three kinds of exception safety guarantees from most to least desired.
Guarantee | Description | Example |
|---|---|---|
Strong | The strong exception safety guarantee is a property of an operation such that, in addition to satisfying the basic exception safety guarantee, if the operation terminates by raising an exception, it has no observable effects on program state. | |
Basic | The basic exception safety guarantee is a property of an operation such that, if the operation terminates by raising an exception, it preserves program state invariants and prevents resource leaks. | Basic Exception Safety |
None | Code that provides neither the strong nor basic exception safety guarantee is not exception safe. |
Code that guarantees strong exception safety also guarantees basic exception safety.
...
In this compliant solution, the copy assignment operator provides the strong exception safety guarantee. The function allocates new storage for the copy before changing the state of the object. Only after the allocation succeeds does the function proceed to change the state of the object. In addition, by copying the array to the newly allocated storage before deallocating the existing array, the function avoids the test for self-assignment, which improves the performance of the code in the common case [Sutter 2004].
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <cstring>
class IntArray {
int *array;
std::size_t nElems;
public:
// ...
~IntArray() {
delete[] array;
}
IntArray(const IntArray& that); // nontrivial copy constructor
IntArray& operator=(const IntArray &rhs) {
int *tmp = nullptr;
if (rhs.nElems) {
tmp = new int[rhs.nElems];
std::memcpy(tmp, rhs.array, rhs.nElems * sizeof(*array));
}
delete[] array;
array = tmp;
nElems = rhs.nElems;
return *this;
}
// ...
};
|
...
Code that is not exception safe typically leads to resource leaks, causes the program to be left in an inconsistent or unexpected state, and ultimately results in undefined behavior at some point after the first exception is thrown.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ERR56-CPP | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| ALLOC.LEAK | Leak | ||||||
| Helix QAC |
| C++4075, C++4076 | |||||||
| LDRA tool suite |
| 527 S, 56 D, 71 D | Partially implemented | ||||||
| Parasoft C/C++test |
|
CERT_CPP-ERR56-a | Always catch exceptions Do not leave 'catch' blocks empty | ||||||||
| Polyspace Bug Finder |
| CERT C++: ERR56-CPP | Checks for exceptions violating class invariant (rule fully covered). | ||||||
| PVS-Studio |
| V565, V1023, V5002 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | ERR51-CPP. Handle all exceptions |
| MITRE CWE | CWE-703, Failure to Handle Exceptional Conditions |
Bibliography
| [ISO/IEC 14882-2014] | Clause 15, "Exception Handling" |
| [Stroustrup 2001] |
| [Sutter 2000] |
| [Sutter 2001] |
| [Sutter 2004] | 55. "Prefer the canonical form of assignment." |
...
...