 
                            Proper handling of errors and exceptional situations is essential for the continued correct operation of software (see ERR00-CPP. Adopt and implement a consistent and comprehensive error-handling policy). The preferred mechanism for reporting errors in a C++ program is exceptions (see ERR07-CPP. Use exception handling rather than error codes). A number of core language facilities, including dynamic_cast, operator new(), and typeid, report failures by throwing exceptions. In addition, the C++ standard library makes heavy use of exceptions to report several different kinds of failures. Few C++ programs manage to avoid using some of these facilities. Consequently, the vast majority of C++ programs must be prepared for exceptions to occur and must handle each appropriately (see ERR51-CPP. Handle all exceptions).
Because exceptions introduce code paths into a program that would not exist in their absence, it is important to consider the effects of code taking such paths and to avoid any undesirable effects that might arise otherwise. Some such effects include failure to release an acquired resource, thereby introducing a leak, and failure to reestablish a class invariant after a partial update to an object or even a partial object update while maintaining all invariants. Code that avoids any such undesirable effects is said to be exception safe.
Based on the preceding effects, the following table distinguishes three kinds of exception safety guarantee from most to least desired:
| Guarantee | Description | Example | 
|---|---|---|
| Strong | The strong exception safety guarantee is a property of an operation such that, in addition to satisfying the basic exception safety guarantee, if the operation terminates by raising an exception, it has no observable effects on program state. | |
| Basic | The basic exception safety guarantee is a property of an operation such that, if the operation terminates by raising an exception, it preserves program state invariants and prevents resource leaks. | |
| None | Code that provides neither the strong nor the basic exception safety guarantee is not exception safe. | 
Because all exceptions thrown in an application must be handled, it is critical that thrown exceptions do not leave the program in an indeterminate state where invariants are violated. Whether handling an exception is used to control the termination of the program, or is an attempt to recover from an exceptional situation, a violated invariant leaves the program in a state where graceful continued execution is likely to introduce security vulnerabilities. Thus, code that provides no exception safety guarantee is unsafe and must be considered defective.
Noncompliant Code Example (No Exception Safety)
The following noncompliant code example shows a flawed copy assignment operator. The implicit invariants of the class are that the array member is a valid (possibly null) pointer and that the nelems member stores the number of elements in the array pointed to by array. The function deallocates array and assigns the element counter, nelems, before allocating a new block of memory for the copy. As a result, if the new expression throws an exception, the function will have modified the state of both member variables in a way that violates the implicit invariants of the class. Consequently, such an object is in an indeterminate state and any operation on it, including its destruction, results in undefined behavior.
#include <cstring>
 
class IntArray {
  int *array;
  std::size_t nelems;
public:
  // ...
  ~IntArray() {
    delete[] array;
  }
  IntArray& operator=(const IntArray &rhs) {
    if (this != &rhs) {
      delete[] array;
      array = nullptr;
      nelems = rhs.nelems;
      if (nelems) {
        array = new int[nelems];
        std::memcpy(array, rhs.array, nelems * sizeof(*array));
      }
    }
    return *this;
  }
  // ...
};
Compliant Solution (Strong Exception Safety)
In this compliant solution, the copy assignment operator provides the strong exception safety guarantee. The function allocates new storage for the copy before changing the state of the object. Only after the allocation succeeds does the function proceed to change the state of the object. In addition, by copying the array to the newly allocated storage before deallocating the existing array, the function avoids the test for self-assignment, which improves the performance of the code in the common case.
#include <cstring>
 
class IntArray {
  int *array;
  std::size_t nelems;
public:
  // ...
  ~IntArray() {
    delete[] array;
  }
  IntArray& operator=(const IntArray &rhs) {
    int *tmp = nullptr;
    if (rhs.nelems) {
      tmp = new int[rhs.nelems];
      std::memcpy(tmp, rhs.array, nelems * sizeof(*array));
    }
    delete[] array;
    array = tmp;
    nelems = rhs.nelems;
    return *this;
  }
  // ...
};
Risk Assessment
Code that is not exception safe typically leads to resource leaks, causes the program to be left in an inconsistent or unexpected state, and ultimately results in undefined behavior at some point after the first exception is thrown.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| ERR56-CPP | High | Likely | High | P9 | L2 | 
Automated Detection
| Tool | Version | Checker | Description | 
|---|---|---|---|
| LDRA tool suite | 9.7.1 
 | 527 S, 56 D, 71 D | Partially implemented | 
| Parasoft C/C++test | 2024.2 | BD-RES-LEAKS | |
| 4.4 | 4075, 4076 | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | ERR51-CPP. Handle all exceptions | 
| MITRE CWE | CWE-703, Failure to Handle Exceptional Conditions | 
Bibliography
| [ISO/IEC 14882-2014] | Clause 15, "Exception Handling" | 
| [Stroustrup 01] | |
| [Sutter 00] | |
| [Sutter 01] | 


