The C++ Standard, [expr.delete], paragraph 3 [ISO/IEC 14882-2014], states the following:
In the first alternative (delete object), if the static type of the object to be deleted is different from its dynamic type, the static type shall be a base class of the dynamic type of the object to be deleted and the static type shall have a virtual destructor or the behavior is undefined. In the second alternative (delete array) if the dynamic type of the object to be deleted differs from its static type, the behavior is undefined.
Do not delete an array object through a static pointer type that differs from the dynamic pointer type of the object. Deleting an array through a pointer to the incorrect type results in undefined behavior.
Noncompliant Code Example
In this noncompliant code example, an array of Derived
objects is created and the pointer is stored in a Base *
. Despite Base::~Base
() being declared virtual, it still results in undefined behavior. Further, attempting to perform pointer arithmetic on the static type Base *
violates CTR56-CPP. Do not use pointer arithmetic on polymorphic objects.
struct Base { virtual ~Base() = default; }; struct Derived final : Base {}; void f() { Base *b = new Derived[10]; // ... delete [] b; }
Compliant Solution
In this compliant solution, the static type of b
is Derived *
, which removes the undefined behavior when indexing into the array as well as when deleting the pointer.
struct Base { virtual ~Base() = default; }; struct Derived final : Base {}; void f() { Derived *b = new Derived[10]; // ... delete [] b; }
Risk Assessment
Attempting to destroy an array of polymorphic objects through the incorrect static type is undefined behavior. In practice, potential consequences include abnormal program execution and memory leaks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP51-CPP | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
3.9 | -analyzer-checker=cplusplus | Checked with clang -cc1 or (preferably) scan-build | |
CodeSonar | 8.1p0 | ALLOC.TM | Type Mismatch |
Helix QAC | 2024.4 | C++3166 | |
Klocwork | 2024.4 | CERT.EXPR.DELETE_ARR.BASE_PTR | |
Parasoft C/C++test | 2023.1 | CERT_CPP-EXP51-a | Do not treat arrays polymorphically |
Parasoft Insure++ | Runtime detection | ||
Polyspace Bug Finder | R2024a | CERT C++: EXP51-CPP | Checks for delete operator used to destroy downcast object of different type. |
Related Vulnerabilities
Search for other vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | CTR56-CPP. Do not use pointer arithmetic on polymorphic objects OOP52-CPP. Do not delete a polymorphic object without a virtual destructor |
Bibliography
[ISO/IEC 14882-2014] | Subclause 5.3.5, "Delete" |