You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Under certain circumstances, terminating a function by throwing an exception will trigger undefined behavior. For instance, the C++ Standard, [basic.stc.dynamic.deallocation], paragraph 3, states in part [ISO/IEC 14882-2014]:

If a deallocation function terminates by throwing an exception, the behavior is undefined.

In these situations, the function should logically be declared noexcept, as throwing an exception from the function can never have well-defined behavior. The C++ Standard, [except.spec], paragraph 15, states [ISO/IEC 14882-2014]:

A deallocation function with no explicit exception-specification is treated as if it were specified with noexcept(true).

As such, deallocation functions (object, array, and placement forms at either global or class scope) must not be declared noexcept(false), but may instead rely on the implicit noexcept(true), or declare noexcept explicitly.

In other circumstances, terminating a function by throwing an exception has a strong potential to trigger undefined behavior. For instance, destructors are likely to be called during stack unwinding, as a result of an exception being thrown. If the destructor itself throws an exception, having been called as the result of an exception being thrown, then the function std::terminate() is called with the default effect of calling std::abort() [ISO/IEC 14882-2014]. When std::abort() is called, no further objects are destroyed, resulting in indeterminate program state and undefined behavior.

The C++ Standard, [class.dtor], paragraph 3, states [ISO/IEC 14882-2014]:

A declaration of a destructor that does not have an exception-specification is implicitly considered to have the same exception-specification as an implicit declaration.

An implicit declaration of a destructor is considered to be noexcept(true) according to [except.spec], paragraph 14. As such, destructors must not be declared noexcept(false), but may instead rely on the implicit noexcept(true), or declare noexcept explicitly.

Note, any function declared noexcept which terminates by throwing an exception does not conform to ERR55-CPP. Honor exception specifications.

Noncompliant Code Example

In this noncompliant code example, the class destructor does not meet the implicit noexcept guarantee because it may throw an exception even if it was called as the result of an exception being thrown. Thus, it is declared as noexcept(false), but can still trigger undefined behavior.

#include <stdexcept>
 
class S {
  bool shouldThrow() const;
 
public:
  ~S() noexcept(false) {
    // normal processing
    if (shouldThrow()) {
      throw std::logic_error("Something bad");
    }
  }
};

Noncompliant Code Example (std::uncaught_exception())

Use of std::uncaught_exception() in the destructor solves the termination problem by avoiding the propagation of the exception if an existing exception is being processed, as demonstrated in this noncompliant code example. However, by circumventing normal destructor processing, this approach may keep the destructor from releasing important resources.

#include <exception>
#include <stdexcept>
 
class S {
  bool shouldThrow() const;
 
public:
  ~S() {
    // normal processing
    if (shouldThrow() && !std::uncaught_exception()) {
      throw std::logic_error("Something bad");
    }
  }
};

Noncompliant Code Example (function-try-block)

In this noncompliant code example, class SomeClass destructor attempts to handle exceptions thrown from the destructor of the bad_member subobject, by absorbing them. However, the C++ Standard, [except.handle], paragraph 15 states in part [ISO/IEC 14882-2014]:

The currently handled exception is rethrown if control reaches the end of a handler of the function-try-block of a constructor or destructor.

Thus, the caught exception will inevitably escape from the SomeClass destructor. Note that exceptions thrown from noncompliant destructors of class member objects, or from base classes, cannot be handled as they are implicitly rethrown when control reaches the end of the function-try-block handler, which is the only way to catch such exceptions.

#include <stdexcept>
 
class SomeClass {
  class Bad {
    bool shouldThrow() const;
  public:
    ~Bad() noexcept(false) {
      if (shouldThrow()) {
        throw std::logic_error("Something bad");
      }
    }
  };

  Bad bad_member;

public:
  ~SomeClass()
  try {
    // ...
  } catch(...) {
    // Attempt to handle exceptions thrown from Bad destructor.
  }
}

Compliant Code Example (try-block)

A destructor should perform the same way whether or not there is an active exception. Typically, this means that it should invoke only operations that do not throw exceptions. If necessary, a try-block may be used if the destructor must invoke an operation that may throw an exception.

struct SomeClass {
  ~SomeClass()
    try { // function-try-block
      try {   // ordinary try-block
        // clean up
      } catch(...) {
        // catch and handle exceptions thrown during cleanup
      }
    } catch(...) {
      // catch and log exceptions thrown from non-compliant
      // destructors of member objects or base class subobjects

      // NOTE: returning from a destructor function-try-block
      // causes the caught exception to be implicitly rethrown
    }
};

Noncompliant Code Example

In this noncompliant code example, a global deallocation is declared noexcept(false) and throws an exception if some conditions are not properly met. However, throwing from a deallocation function results in undefined behavior.

#include <stdexcept>
 
bool performDealloc(void *);
 
void operator delete(void *ptr) noexcept(false) {
  if (performDealloc(ptr)) {
    throw std::logic_error("Something bad");
  }
}

Compliant Solution

The compliant solution does not throw exceptions in the event the deallocation fails, but instead fails as gracefully as possible:

#include <cstdlib>
#include <stdexcept>
 
bool performDealloc(void *);
void logFailure(const char *);
 
void operator delete(void *ptr) noexcept(false) {
  if (performDealloc(ptr)) {
    logFailure("Deallocation of pointer failed");
    std::exit(1); // Fail, but still call destructors
  }
}

Risk Assessment

Attempting to throw exceptions from destructors or deallocation functions can result in undefined behavior, leading to resource leaks or denial-of-service attacks.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL58-CPP

Low

Likely

Medium

P6

L3

Automated Detection

Tool

Version

Checker

Description

    

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

[ISO/IEC 14882-2014]

3.4.7.2, "Deallocation Functions"
15.2, "Constructors and Destructors"
15.3, "Handling an Exception"
15.4, "Exception Specifications"

[Meyers 05]Item 8, "Prevent exceptions from leaving destructors"
[Sutter 00]"Never allow exceptions from escaping destructors or from an overloaded operator delete()"
[Henricson 97]Recommendation 12.5, "Do not let destructors called during stack unwinding throw exceptions"

 


  • No labels