Under certain circumstances, terminating a destructor,
operator delete, or
operator delete by throwing an exception can trigger undefined behavior.
For instance, the C++ Standard, [basic.stc.dynamic.deallocation], paragraph 3 [ISO/IEC 14882-2014], in part, states the following:
If a deallocation function terminates by throwing an exception, the behavior is undefined.
In these situations, the function must logically be declared
noexcept because throwing an exception from the function can never have well-defined behavior. The C++ Standard, [except.spec], paragraph 15, states the following:
A deallocation function with no explicit exception-specification is treated as if it were specified with noexcept(true).
As such, deallocation functions (object, array, and placement forms at either global or class scope) must not terminate by throwing an exception. Do not declare such functions to be
noexcept(false). However, it is acceptable to rely on the implicit
noexcept(true) specification or declare
noexcept explicitly on the function signature.
Object destructors are likely to be called during stack unwinding as a result of an exception being thrown. If the destructor itself throws an exception, having been called as the result of an exception being thrown, then the function
std::terminate() is called with the default effect of calling
std::abort() [ISO/IEC 14882-2014]. When
std::abort() is called, no further objects are destroyed, resulting in an indeterminate program state and undefined behavior. Do not terminate a destructor by throwing an exception.
The C++ Standard, [class.dtor], paragraph 3, states [ISO/IEC 14882-2014] the following:
A declaration of a destructor that does not have an exception-specification is implicitly considered to have the same exception-specification as an implicit declaration.
An implicit declaration of a destructor is considered to be
noexcept(true) according to [except.spec], paragraph 14. As such, destructors must not be declared
noexcept(false) but may instead rely on the implicit
noexcept(true) or declare
noexcept function that terminates by throwing an exception violates ERR55-CPP. Honor exception specifications.
Noncompliant Code Example
In this noncompliant code example, the class destructor does not meet the implicit
noexcept guarantee because it may throw an exception even if it was called as the result of an exception being thrown. Consequently, it is declared as
noexcept(false) but still can trigger undefined behavior.
Noncompliant Code Example (
std::uncaught_exception() in the destructor solves the termination problem by avoiding the propagation of the exception if an existing exception is being processed, as demonstrated in this noncompliant code example. However, by circumventing normal destructor processing, this approach may keep the destructor from releasing important resources.
Noncompliant Code Example (function-try-block)
This noncompliant code example, as well as the following compliant solution, presumes the existence of a
Bad class with a destructor that can throw. Although the class violates this rule, it is presumed that the class cannot be modified to comply with this rule.
To safely use the
Bad class, the
SomeClass destructor attempts to handle exceptions thrown from the
Bad destructor by absorbing them.
However, the C++ Standard, [except.handle], paragraph 15 [ISO/IEC 14882-2014], in part, states the following:
The currently handled exception is rethrown if control reaches the end of a handler of the function-try-block of a constructor or destructor.
Consequently, the caught exception will inevitably escape from the
SomeClass destructor because it is implicitly rethrown when control reaches the end of the function-try-block handler.
A destructor should perform the same way whether or not there is an active exception. Typically, this means that it should invoke only operations that do not throw exceptions, or it should handle all exceptions and not rethrow them (even implicitly). This compliant solution differs from the previous noncompliant code example by having an explicit
return statement in the
SomeClass destructor. This statement prevents control from reaching the end of the exception handler. Consequently, this handler will catch the exception thrown by
bad_member is destroyed. It will also catch any exceptions thrown within the compound statement of the function-try-block, but the
SomeClass destructor will not terminate by throwing an exception.
Noncompliant Code Example
In this noncompliant code example, a global deallocation is declared
noexcept(false) and throws an exception if some conditions are not properly met. However, throwing from a deallocation function results in undefined behavior.
The compliant solution does not throw exceptions in the event the deallocation fails but instead fails as gracefully as possible.
Attempting to throw exceptions from destructors or deallocation functions can result in undefined behavior, leading to resource leaks or denial-of-service attacks.
|Axivion Bauhaus Suite|
|LDRA tool suite|
Never allow an exception to be thrown from a destructor, deallocation, and swap
|Polyspace Bug Finder|
|CERT C++: DCL57-CPP||Checks for class destructors exiting with an exception (rule partially covered)|
|SEI CERT C++ Coding Standard||ERR50-CPP. Do not abruptly terminate the program|
|MISRA C++:2008||Rule 15-5-1 (Required)|
|[Henricson 1997]||Recommendation 12.5, Do not let destructors called during stack unwinding throw exceptions|
Subclause 22.214.171.124, "Deallocation Functions"
|[Meyers 2005]||Item 8, "Prevent Exceptions from Leaving Destructors"|
|[Sutter 2000]||"Never allow exceptions from escaping destructors or from an overloaded |