Document number: n3205=10-0195
Date: 2010-11-11
David Svoboda
svoboda@cert.org

Delete operators default to noexcept

This proposal parallels the proposal (N3166) to have destructors with no explicit exception specification default to noexcept(true), and the rationale is the same. Delete operators are typically called from destructors, so a delete operator that throws an exception is likely to cause an exception to be thrown from a destructor.

Deallocate and destroy functions on allocators will be affected; this will be addressed in N3157 (More on noexcept for the General Utility Library).

Having deallocation functions default to noexcept improves the overall security of a program. Since deallocation functions are usually called by destructors, they will have the same restrictions as destructors. Document N3166 addresses the security improvements associated with making destructors default to noexcept.

GB 60 and CH 16 have also requested that instances of throw() be replaced with noexcept in the library. This is being proposed by N3148, and includes the global delete operators.

The CERT C++ Secure Coding rule ERR38-CPP forbids deallocation functions from throwing exceptions.

This paper presents proposed wording for this set of changes.

Identified changes

All changes in this paper are against N3126.

Wording

3.7.4 Dynamic storage duration

After p. 2
...
void operator delete(void*) throw() noexcept;
void operator delete[](void*) throw() noexcept;
(In each declaration, throw() is struck and replaced by noexcept.)
This change is also proposed by N3148 and is included here for consistency with that document.

12.5 Free Store

Add the following paragraph to the end:

[ Note: If a deallocation function has no explicit exception-specification, it is treated as if it were specified with noexcept(true) (15.4). —end note ]

15.4 Exception Specifications

Add the following paragraph after paragraph 14:

A deallocation function (3.7.4.2) with no explicit exception-specification is treated as if it were specified with noexcept(true).

References

CERT C++ Secure Coding Standard:
ERR38-CPP. Deallocation functions must not throw exceptions
https://www.securecoding.cert.org/confluence/x/GwBQAg

Becker, Pete, N3126=10-0116: Working Draft, Standard for Programming Language C++, 2010-08-21

Garcia, J. Daniel, N3148=10-0138: throw() becomes noexcept (Version 2), 2010-10-08

Garcia, J. Daniel, N3157: More on noexcept for the General Utility Library (forthcoming)

Svoboda, David, N3166=10-0156: Destructors default to noexcept, 2010-10-15