This vulnerability as specified in ISO/IEC 24772-1 clause 6.59 does not apply to C++, as long as the standard library facilities for creating threads are used.
Creating a thread using the std::async function or the std::thread or std::jthread constructors is synchronized with the thread creation site.
Failure to create or start a thread due to lack of system resources causes an exception to be thrown to the creating thread, so the thread object never exists. For the vulnerabilities associated with unhandled exceptions, see clause 6.36 Ignored error status and unhandled exceptions [OYB].
Any exception thrown within a thread’s function needs to be handled by that thread; otherwise, the exception will cause program termination. For handling such termination, see clause 6.62 Concurrency - Premature termination [CGS].
TODO: talk about detach() and forgetting to join.
To avoid the vulnerability or mitigate its ill effects, C++ software developers can:
When using non-standard thread facilities, e.g., by making use of std::thread::native_handle, use the avoidance mechanisms of ISO/IEC 24772-1 clause 6.59.5.
When handling the exception thrown due to failure to create a thread, ensure that other, potentially dependent threads are informed.
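The last point, as an added example that is not part of the original text: a consumer thread waits for a producer whose creation fails, and the creating thread's exception handler informs the consumer so that it does not block forever. The names Spawner, real_spawn, failing_spawn and run_pipeline are hypothetical, and the creation failure is simulated by throwing the std::system_error that the std::thread constructor would throw.

```cpp
#include <condition_variable>
#include <functional>
#include <mutex>
#include <system_error>
#include <thread>
#include <utility>

// Hypothetical stand-in for the std::thread constructor, so failure can be simulated.
using Spawner = std::function<std::thread(std::function<void()>)>;
enum class Outcome { Completed, AbortedCleanly };

std::thread real_spawn(std::function<void()> f) { return std::thread(std::move(f)); }
std::thread failing_spawn(std::function<void()>) {  // simulated resource exhaustion
    throw std::system_error(std::make_error_code(std::errc::resource_unavailable_try_again));
}

Outcome run_pipeline(const Spawner& spawn) {
    std::mutex m;
    std::condition_variable cv;
    bool producer_ready = false;  // set by the producer once it runs
    bool aborted = false;         // set by the creator if the producer never starts
    bool consumer_saw_abort = false;

    // The consumer depends on the producer: it blocks until ready or aborted.
    std::thread consumer([&] {
        std::unique_lock<std::mutex> lk(m);
        cv.wait(lk, [&] { return producer_ready || aborted; });
        consumer_saw_abort = aborted;
    });
    std::thread producer;
    try {
        producer = spawn([&] {
            { std::lock_guard<std::mutex> lk(m); producer_ready = true; }
            cv.notify_all();
        });
    } catch (const std::system_error&) {
        // No producer thread exists. Without this, the consumer would wait forever.
        { std::lock_guard<std::mutex> lk(m); aborted = true; }
        cv.notify_all();
    }
    consumer.join();
    if (producer.joinable()) producer.join();
    return consumer_saw_abort ? Outcome::AbortedCleanly : Outcome::Completed;
}

int main() {
    bool ok = run_pipeline(real_spawn) == Outcome::Completed &&
              run_pipeline(failing_spawn) == Outcome::AbortedCleanly;
    return ok ? 0 : 1;
}
```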