The vulnerability as documented in ISO/IEC TR 24772-1:2019 clause 6.50 exists for C++. In particular the issue of the failing dynamic initialization of namespace-scope objects exists in C++.
When dynamic initialization of a namespace-scope object fails with an exception, the exception cannot be caught and the program is terminated. Function-scope static objects, in contrast, are initialized the first time execution passes through the declaration. Using function-scope static objects in preference to dynamic initialization ensures that there is always an enclosing function that could catch the exception.
exception_prone_type troubling_object;
// An exception from the constructor could cause termination.
// The following function always returns a reference to the same object,
// which is initialized the first time this function is called.
// If initialization fails, it will be retried on the next call.
exception_prone_type& safer_object()
{static exception_prone_type the_safer_object;
return the_safer_object;
}
To avoid the vulnerability or mitigate its ill effects, C++ software developers can:
Expect functions not marked noexcept
to throw exceptions of arbitrary type, excluding all destructors, which are are implicitly noexcept
.
Follow the avoidance mechanisms of clause 6.36.2 for catching and handling exceptions.
Prefer function-scope static objects to namespace-scope objects for objects needing dynamic initialization.