Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Exception safety
open-in-new
<h2 id="history">History</h2> <p>As <a href="/facts/David_Abrahams_(computer_programmer)/qR3Sp0Bv">David Abrahams</a> writes, "nobody ever spoke of 'error-safety' before C++ had exceptions."<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> The term appeared as the topic of publications in <a href="/facts/ISO/IEC_JTC_1/SC_22/lJPn05nl">JTC1/SC22/WG21</a>, the C++ standard committee, as early as 1994.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> Exception safety for the C++ standard library was first formalized for <a href="/facts/Standard_Template_Library/IxqpRzWU">STLport</a> by Abrahams, establishing the basic safety/strong safety distinction.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> This was extended to the modern basic/strong/nothrow guarantees in a later proposal.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p> <h2 id="background">Background</h2> <p>Exceptions provide a form of non-local control flow, in that an exception may "bubble up" from a called function. This bubbling can cause an exception safety bug by breaking invariants of a mutable data structure, as follows:<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p> <ol><li>A step of an operation on a mutable data structure modifies the data and breaks an invariant.</li> <li>An exception is thrown and control "bubbles up", skipping the rest of the operation's code that would restore the invariant</li> <li>The exception is caught and recovered from, or a finally block is entered</li> <li>The data structure with broken invariant is used by code that assumes the invariant, resulting in a bug</li></ol> <p>Code with a bug such as the above can be said to be "exception unsafe".<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> </p> <h2 id="classification">Classification</h2> <p>The <a href="/facts/C%2B%2B_standard_library/A5vQNSAD">C++ standard library</a> provides several levels of exception safety (in decreasing order of safety):<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> </p> <ol><li>No-throw guarantee, also known as failure transparency: Operations are guaranteed to succeed and satisfy all requirements even in exceptional situations. If an exception occurs, it will be handled internally and not observed by clients.</li> <li>Strong exception safety, also known as commit or rollback semantics: Operations can fail, but failed operations are guaranteed to have no side effects, leaving the original values intact.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a></li> <li>Basic exception safety: Partial execution of failed operations can result in side effects, but all <a href="/facts/Invariant_(computer_science)/9TeNN2ed">invariants</a> are preserved. Any stored data will contain valid values which may differ from the original values. <a href="/facts/Resource_leak/6zxNKPXA">Resource leaks</a> (including <a href="/facts/Memory_leak/JzufAL28">memory leaks</a>) are commonly ruled out by an invariant stating that all resources are accounted for and managed.</li> <li>No exception safety: No guarantees are made.</li></ol> <p>Usually, at least basic exception safety is required to write robust code. Higher levels of safety can sometimes be difficult to achieve, and might incur an overhead due to extra copying. A key mechanism for exception safety is a finally clause, or similar <a href="/facts/Exception_handling_syntax/b4sInxFV">exception handling syntax</a>, which ensure that certain code is <i>always</i> run when a block is exited, including by exceptions. Several languages have constructs that simplify this, notably using the <a href="/facts/Dispose_pattern/DRyCAepx">dispose pattern</a>, named as using, with, or try-with-resources. </p> <h2 id="example">Example</h2> <p>Consider a smart vector type, such as C++'s std::vector or Java's ArrayList. When an item x is added to a vector v, the vector must actually add x to the internal list of objects and update a count field that says how many objects are in v. It may also need to allocate new memory if the existing capacity isn't sufficient. </p><p>Exception safety alternatives: </p> No-throw guarantee Implemented by ensuring that memory allocation never fails, or by defining the insert function's behavior on allocation failure (for example, by having the function return a boolean result indicating whether the insertion took place). Strong exception safety Implemented by doing any necessary allocation first, and then swapping buffers if no errors are encountered (the copy-and-swap idiom). In this case, either the insertion of x into v succeeds, or v remains unchanged despite the allocation failure. Basic exception safety Implemented by ensuring that the count field is guaranteed to reflect the final size of v. For example, if an error is encountered, the insert function might completely deallocate v and reset its count field to zero. On failure, no resources are leaked, but v's old value is not preserved. No exception safety An insertion failure might lead to corrupted content in v, an incorrect value in the count field, or a <a href="/facts/Resource_leak/6zxNKPXA">resource leak</a>. <h2 id="external-links">External links</h2> <ul><li>Herb Sutter: Exceptional C++: 47 Engineering Puzzles, Programming Problems, and Solutions, 2000</li> <li>Jon Kalb: <a href="http://exceptionsafecode.com/">Exception-Safe Coding in C++</a>, with C++Now! 2012 presentations on exception safety.</li> <li>Related discussion on Stackoverflow: <a href="https://stackoverflow.com/questions/1853243/c-do-you-really-write-exception-safe-code">C++: do you (really) write exception safe code</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Crichton, Alex (24 July 2015). "Rust RFC: Stabilize catch_panic". The Rust Programming Language. Retrieved 26 May 2022. Code is exception safe if it works correctly even when the functions it calls into throw exceptions. <a href="https://github.com/rust-lang/rfcs/blob/master/text/1236-stabilize-catch-panic.md#background-what-is-exception-safety" target="_blank">https://github.com/rust-lang/rfcs/blob/master/text/1236-stabilize-catch-panic.md#background-what-is-exception-safety</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Lau, Ron (10 November 2020). "Exception safety in JS world". Medium. <a href="https://medium.com/@ronlauhk01/exception-safety-in-js-world-7f1e980c409b" target="_blank">https://medium.com/@ronlauhk01/exception-safety-in-js-world-7f1e980c409b</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Dave Abrahams (2000). Exception-Safety in Generic Components. Generic Programming. Lecture Notes in Computer Science. Vol. 1766. Springer. pp. 69–79. doi:10.1007/3-540-39953-4_6. ISBN 978-3-540-41090-4. Retrieved 2008-08-29. <a href="978-3-540-41090-4" target="_blank">978-3-540-41090-4</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Colvin, Gregory (1994). "Exception Safe Exceptions" (PDF). C++ Standards Committee Papers. Retrieved 17 December 2021. <a href="http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1994/N0553.pdf" target="_blank">http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1994/N0553.pdf</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Abrahams, David. "STLport: Exception Handling". www.stlport.org. Retrieved 17 December 2021. <a href="http://www.stlport.org/doc/exception_safety.html" target="_blank">http://www.stlport.org/doc/exception_safety.html</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Abrahams, Dave; Colvin, Greg. "Making the C++ Standard Library Exception Safe" (PDF). C++ Standards Committee Papers. Retrieved 17 December 2021. <a href="http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1997/N1086.pdf" target="_blank">http://www.open-std.org/jtc1/sc22/wg21/docs/papers/1997/N1086.pdf</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Crichton, Alex (24 July 2015). "Rust RFC: Stabilize catch_panic". The Rust Programming Language. Retrieved 26 May 2022. <a href="https://github.com/rust-lang/rfcs/blob/master/text/1236-stabilize-catch-panic.md#background-what-is-exception-safety" target="_blank">https://github.com/rust-lang/rfcs/blob/master/text/1236-stabilize-catch-panic.md#background-what-is-exception-safety</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Crichton, Alex (24 July 2015). "Rust RFC: Stabilize catch_panic". The Rust Programming Language. Retrieved 26 May 2022. <a href="https://github.com/rust-lang/rfcs/blob/master/text/1236-stabilize-catch-panic.md#background-what-is-exception-safety" target="_blank">https://github.com/rust-lang/rfcs/blob/master/text/1236-stabilize-catch-panic.md#background-what-is-exception-safety</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Bjarne Stroustrup (1997). Appendix E: Standard-Library Exception Safety in "The C++ Programming Language" (PDF) (3rd ed.). Addison-Wesley. ISBN 0-201-88954-4. <a href="0-201-88954-4" target="_blank">0-201-88954-4</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Austern, Matt (30 May 1997). "Standard Library Exception Policy". C++ Standards Committee Papers. Retrieved 26 May 2022. <a href="https://www.open-std.org/jtc1/sc22/wg21/docs/papers/1997/N1077.asc" target="_blank">https://www.open-std.org/jtc1/sc22/wg21/docs/papers/1997/N1077.asc</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> </ol>