You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Lambda expressions may capture objects with automatic storage duration from the set of enclosing scopes (called the reaching scope) for use in the lambda's function body. These captures may either be explicit, by specifying the object to capture in the lambdas capture-list, or implicit, by using a capture-default and referring to the object within the lambda function body. When capturing an object, explicitly or implicitly, that object is either captured by copy or captured by reference. When an object is captured by copy, the lambda object will contain an unnamed nonstatic data member that is initialized to the value of the object being captured. This nonstatic data member's lifetime is that of the lambda object's lifetime. However, when an object is captured by reference, the lifetime of the referent is not tied to the lifetime of the lambda object.

Because entities captured are objects with automatic storage duration, a general guideline is that functions returning a lambda object, or storing a lambda object in a member variable or global, should not capture an entity by reference because the lambda object will likely outlive the captured reference object.

When a lambda object outlives one of its reference captured objects, execution of the lambda object's function call operator results in undefined behavior once that reference captured object is accessed. Therefore, a lambda object must not outlive any of its reference captured objects. This is a specific instance of EXP54-CPP. Do not access an object outside of its lifetime.

Noncompliant Code Example

In this noncompliant code example, the function g() returns a lambda, which implicitly captures the automatic local variable i by reference. When that lambda is returned from the call, the reference it captured will refer to a variable whose lifetime has ended. As a result, when the lambda is executed in f(), the use of the dangling reference in the lambda results in undefined behavior.

auto g() {
  int i = 12;
  return [&] {
    i = 100;
    return i;
  };
}

void f() {
  int i = g()();
}

Compliant Solution

In this compliant solution, the lambda does not capture i by reference but instead captures it by copy. Consequently, the lambda contains an implicit nonstatic data member whose lifetime is that of the lambda.

auto g() {
  int i = 12;
  return [=] () mutable {
    i = 100;
    return i;
  };
}

void f() {
  int i = g()();
}

Risk Assessment

Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP61-CPP

High

Probable

High

P6

L2

Automated Detection

Tool

Version

Checker

Description

  

 

 

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 14882-2014]Subclause 3.8, "Object Lifetime"
Subclause 5.1.2, "Lambda Expressions" 

 


  

  • No labels