Should classes be resilient to double destroy?

Question

I have a situation in which an allocator for a container concurrently accessed needs to call both placement new and the destructor.

    template< class U > void destroy(U* p){
            p->~U();
    }

as it is I can end up calling the destruction repeatedly. This brought me to think whether something like this should be OK.

   std::vector<int>* p = (std::vector<int>*)malloc(sizeof(std::vector<int>));
   ::new (*p) std::vector<int>(30);
   (*p)[10] = 5;
   p->~std::vector<int>();
   p->~std::vector<int>();
   free(p);

I think this will work as long as the destruction of std::vector sets the data pointer to null or size to zero and when called again there is not a double free.

So, should classes be made such that accidental (or benign) double destruction should be equivalent to a single destruction?

In other words, should destruction be for example an idempotent operation?

(Note for simplicity that the destructor is not virtual in this example)

I find the question is similar to the problem of how to allow a moved class to be destructed later.

---

Some answers put runtime cost to make the case against supporting double destruction. There are costs, but they are similar to the cost of moving objects. In other words, if it is cheap to move, it is cheap to allow double destruction (if DD is not UB in the first place for other reasons, such as the standard).

To be specific:

class dummyvector{
   int* ptr;
   public:
   dummyvector() : ptr(new int[10]){}
   dummyvector(dummyvector const& other) = delete; // for simplicity
   dummyvector(dummyvector&& other) : ptr(other.ptr){
      other.ptr = nullptr; // this makes the moved object unusable (e.g. set) but still destructable 
   }
   dummyvector& operator=(dummyvector const&) = delete; // for simplicity
   void set(int val){for(int i = 0; i != 10; ++i) ptr[i]=val;}
   int sum(){int ret = 0; for(int i = 0; i != 10; ++i) ret += ptr[i]; return ret;}
   ~dummyvector(){
      delete[] ptr;
      ptr = nullptr; // this is the only extra cost for allowing double free (if it was not UB)
      // ^^ this line commented would be fine in general but not for double free (not even in principle)
   }
};

Answer 1

Given that destruction implies the end of the object's lifetime, handling double-destruction is paying a cost (the additional work to leave the memory in a redestructable state) for a benefit no well-formed code should ever encounter.

Saying double-destruction is okay is equivalent to saying use-after-free is fine; sure, an allocator that allows it in specific circumstances might keep buggy code working, but that doesn't mean it's a feature worth preserving in the allocator if it prevents the allocator from working efficiently and correctly in non-pathological cases.

If you're ever in a position where double destruction is a possibility, you're probably in a position where use-after-destruction is possible, and now you've got to make every operation on your class check for and "handle" (whatever that means) the possibility of being called on a destroyed instance. You've compromised normal operations to allow for misuse, and that's a terrible road to start down.

Short version: Don't protect against double-destruction; the moment you're double destroyed, the code in question was entering undefined behavior territory anyway, and it's not your job to handle it. Write code that doesn't do terrible things in the first place.

Answer 2

Well, it's not actually possible to do that. Or at least, not without significant pain.

See, after the destructor of a class has finished executing, all of its subobjects stop existing. So the moment the second call of your destructor tries to access any of its subobjects, you invoke UB.

So if you're going to be double-destruction safe, you would need to store state outside of the class to be able to tell if a particular instance was destroyed. And since you can have any number of instances of a class, the only way to handle this is to have the constructor allocate some memory and register the this pointer with something, which the destructor can check with.

And this has to happen for every instance of every double-destruction safe subobject of that object. That's a huge amount of overhead, all to stop something that shouldn't be happening.

---

And as Raymond Chen pointed out, merely the act of invoking double-destruction on any non-trivially-destructible type is undefined behavior.

[basic.life]/1 tells us that an object with a non-trivial destructor has its lifetime ended when the destructor is called. And [basic.life]/6 tells us:

Before the lifetime of an object has started but after the storage which the object will occupy has been allocated or, after the lifetime of an object has ended and before the storage which the object occupied is reused or released, any pointer that represents the address of the storage location where the object will be or was located may be used but only in limited ways. [...] Indirection through such a pointer is permitted but the resulting lvalue may only be used in limited ways, as described below. The program has undefined behavior if:

...

the pointer is used to access a non-static data member or call a non-static member function of the object, or

A destructor is a "non-static member function of the object". So in fact, it is impossible to make a C++ type double-destruction safe.

Answer 3

No, you should not try to protect against abusing the code. The power of C++ lets abuses like this be possible, but you have to trust (and document) that the intended use is obeyed.

Are we going to go around putting up 12-foot-high fences around all of our bridges to deter and protect jumpers (at high costs), or should we just use the efficient and normal guardrail and trust that everyone will adhere to the intended and reasonable use case?