When a thread terminates under normal conditions, thread-specific resources such as the initial stack space and thread-specific
HANDLE objects are released automatically by the system and notifications are sent to other parts of the application, such as
DLL_THREAD_DETACH messages being sent to DLLs. However, if a thread is forcibly terminated by calling
TerminateThread(), the cleanup and notifications do not have the chance to run. MSDN states
TerminateThread is a dangerous function that should only be used in the most extreme cases. You should call TerminateThread only if you know exactly what the target thread is doing, and you control all of the code that the target thread could possibly be running at the time of the termination. For example, TerminateThread can result in the following problems:
- If the target thread owns a critical section, the critical section will not be released.
- If the target thread is allocating memory from the heap, the heap lock will not be released.
- If the target thread is executing certain kernel32 calls when it is terminated, the kernel32 state for the thread's process could be inconsistent.
- If the target thread is manipulating the global state of a shared DLL, the state of the DLL could be destroyed, affecting other users of the DLL.
On some platforms (such as Microsoft Windows XP and Microsoft Windows Server 2003), the thread's initial stack is not freed, causing a resource leak.
Processes behave similar to threads, and so share the same concerns. Do not use the
TerminateProcess() APIs. Instead, you should prefer to exit threads and processes by returning from the entrypoint, by calling
ExitThread(), or by calling
Noncompliant Code Example
In the following example,
TerminateThread() is used to forcibly terminate another thread, which can leak resources and leave the application in an indeterminate state.
The compliant solution avoids calling
TerminateThread() by requesting the thread terminate itself by exiting its entrypoint. It does so in a lock-free, thread-safe manner by using the
InterlockedExchange() Win32 APIs.
Incorrectly using threads that asynchronously cancel may result in silent corruption, resource leaks, and, in the worst case, unpredictable interactions.
Users can add a custom check for all uses of
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
TODO (notably, should be one about using
ExitThread() from C++ code.