<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Issue 309: Does sentry catch exceptions?</title>
<meta property="og:title" content="Issue 309: Does sentry catch exceptions?">
<meta property="og:description" content="C++ library issue. Status: NAD">
<meta property="og:url" content="https://cplusplus.github.io/LWG/issue309.html">
<meta property="og:type" content="website">
<meta property="og:image" content="http://cplusplus.github.io/LWG/images/cpp_logo.png">
<meta property="og:image:alt" content="C++ logo">
<style>
  p {text-align:justify}
  li {text-align:justify}
  pre code.backtick::before { content: "`" }
  pre code.backtick::after { content: "`" }
  blockquote.note
  {
    background-color:#E0E0E0;
    padding-left: 15px;
    padding-right: 15px;
    padding-top: 1px;
    padding-bottom: 1px;
  }
  ins {background-color:#A0FFA0}
  del {background-color:#FFA0A0}
  table.issues-index { border: 1px solid; border-collapse: collapse; }
  table.issues-index th { text-align: center; padding: 4px; border: 1px solid; }
  table.issues-index td { padding: 4px; border: 1px solid; }
  table.issues-index td:nth-child(1) { text-align: right; }
  table.issues-index td:nth-child(2) { text-align: left; }
  table.issues-index td:nth-child(3) { text-align: left; }
  table.issues-index td:nth-child(4) { text-align: left; }
  table.issues-index td:nth-child(5) { text-align: center; }
  table.issues-index td:nth-child(6) { text-align: center; }
  table.issues-index td:nth-child(7) { text-align: left; }
  table.issues-index td:nth-child(5) span.no-pr { color: red; }
  @media (prefers-color-scheme: dark) {
     html {
        color: #ddd;
        background-color: black;
     }
     ins {
        background-color: #225522
     }
     del {
        background-color: #662222
     }
     a {
        color: #6af
     }
     a:visited {
        color: #6af
     }
     blockquote.note
     {
        background-color: rgba(255, 255, 255, .10)
     }
  }
</style>
</head>
<body>
<hr>
<p><em>This page is a snapshot from the LWG issues list, see the <a href="lwg-active.html">Library Active Issues List</a> for more information and the meaning of <a href="lwg-active.html#NAD">NAD</a> status.</em></p>
<h3 id="309"><a href="lwg-closed.html#309">309</a>. Does sentry catch exceptions?</h3>
<p><b>Section:</b> 31.7 <a href="https://wg21.link/iostream.format">[iostream.format]</a> <b>Status:</b> <a href="lwg-active.html#NAD">NAD</a>
 <b>Submitter:</b> Martin Sebor <b>Opened:</b> 2001-03-19 <b>Last modified:</b> 2016-01-28</p>
<p><b>Priority: </b>Not Prioritized
</p>
<p><b>View all other</b> <a href="lwg-index.html#iostream.format">issues</a> in [iostream.format].</p>
<p><b>View all issues with</b> <a href="lwg-status.html#NAD">NAD</a> status.</p>
<p><b>Discussion:</b></p>
<p>
The descriptions of the constructors of basic_istream&lt;&gt;::sentry
( [istream::sentry]) and basic_ostream&lt;&gt;::sentry
( [ostream::sentry]) do not explain what the functions do in
case an exception is thrown while they execute. Some current
implementations allow all exceptions to propagate, others catch them
and set ios_base::badbit instead, still others catch some but let
others propagate.
</p>

<p>
The text also mentions that the functions may call setstate(failbit)
(without actually saying on what object, but presumably the stream
argument is meant).  That may have been fine for
basic_istream&lt;&gt;::sentry prior to issue <a href="lwg-defects.html#195" title="Should basic_istream::sentry's constructor ever set eofbit? (Status: TC1)">195</a><sup><a href="https://cplusplus.github.io/LWG/issue195" title="Latest snapshot">(i)</a></sup>, since
the function performs an input operation which may fail. However,
issue <a href="lwg-defects.html#195" title="Should basic_istream::sentry's constructor ever set eofbit? (Status: TC1)">195</a><sup><a href="https://cplusplus.github.io/LWG/issue195" title="Latest snapshot">(i)</a></sup> amends  [istream::sentry], p2 to
clarify that the function should actually call setstate(failbit |
eofbit), so the sentence in p3 is redundant or even somewhat
contradictory.
</p>

<p>
The same sentence that appears in  [ostream::sentry], p3
doesn't seem to be very meaningful for basic_istream&lt;&gt;::sentry
which performs no input. It is actually rather misleading since it
would appear to guide library implementers to calling
setstate(failbit) when os.tie()-&gt;flush(), the only called function,
throws an exception (typically, it's badbit that's set in response to
such an event).
</p>

<p><b>Additional comments from Martin, who isn't comfortable with the
    current proposed resolution</b> (see c++std-lib-11530)</p>

<p>
The istream::sentry ctor says nothing about how the function
deals with exemptions (27.6.1.1.2, p1 says that the class is
responsible for doing "exception safe"(*) prefix and suffix
operations but it doesn't explain what level of exception
safety the class promises to provide). The mockup example
of a "typical implementation of the sentry ctor" given in
27.6.1.1.2, p6, removed in ISO/IEC 14882:2003, doesn't show
exception handling, either. Since the ctor is not classified
as a formatted or unformatted input function, the text in
27.6.1.1, p1 through p4 does not apply. All this would seem
to suggest that the sentry ctor should not catch or in any
way handle exceptions thrown from any functions it may call.
Thus, the typical implementation of an istream extractor may
look something like [1].
</p>

<p>
The problem with [1] is that while it correctly sets ios::badbit
if an exception is thrown from one of the functions called from
the sentry ctor, if the sentry ctor reaches EOF while extracting
whitespace from a stream that has eofbit or failbit set in
exceptions(), it will cause an ios::failure to be thrown, which
will in turn cause the extractor to set ios::badbit.
</p>

<p>
The only straightforward way to prevent this behavior is to
move the definition of the sentry object in the extractor
above the try block (as suggested by the example in 22.2.8,
p9 and also indirectly supported by 27.6.1.3, p1). See [2].
But such an implementation will allow exceptions thrown from
functions called from the ctor to freely propagate to the
caller regardless of the setting of ios::badbit in the stream
object's exceptions().
</p>

<p>
So since neither [1] nor [2] behaves as expected, the only
possible solution is to have the sentry ctor catch exceptions
thrown from called functions, set badbit, and propagate those
exceptions if badbit is also set in exceptions(). (Another
solution exists that deals with both kinds of sentries, but
the code is non-obvious and cumbersome -- see [3].)
</p>

<p>
Please note that, as the issue points out, current libraries
do not behave consistently, suggesting  that implementors are
not quite clear on the exception handling in istream::sentry,
despite the fact that some LWG members might feel otherwise.
(As documented by the parenthetical comment here:
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2003/n1480.html#309)
</p>

<p>
Also please note that those LWG members who in Copenhagen
felt that "a sentry's constructor should not catch exceptions,
because sentries should only be used within (un)formatted input
functions and that exception handling is the responsibility of
those functions, not of the sentries," as noted here
http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2001/n1310.html#309
would in effect be either arguing for the behavior described
in [1] or for extractors implemented along the lines of [3].
</p>

<p>
The original proposed resolution (Revision 25 of the issues
list) clarifies the role of the sentry ctor WRT exception
handling by making it clear that extractors (both library
or user-defined) should be implemented along the lines of
[2] (as opposed to [1]) and that no exception thrown from
the callees should propagate out of either function unless
badbit is also set in exceptions().
</p>


<p>[1] Extractor that catches exceptions thrown from sentry:</p>

<blockquote>
<pre>
struct S { long i; };

istream&amp; operator&gt;&gt; (istream &amp;strm, S &amp;s)
{
    ios::iostate err = ios::goodbit;
    try {
        const istream::sentry guard (strm, false);
        if (guard) {
            use_facet&lt;num_get&lt;char&gt; &gt;(strm.getloc ())
                .get (istreambuf_iterator&lt;char&gt;(strm),
                      istreambuf_iterator&lt;char&gt;(),
                      strm, err, s.i);
        }
    }
    catch (...) {
        bool rethrow;
        try {
            strm.setstate (ios::badbit);
            rethrow = false;
        }
        catch (...) {
            rethrow = true;
        }
        if (rethrow)
            throw;
    }
    if (err)
        strm.setstate (err);
    return strm;
}
</pre>
</blockquote>

<p>[2] Extractor that propagates exceptions thrown from sentry:</p>

<blockquote>
<pre>
istream&amp; operator&gt;&gt; (istream &amp;strm, S &amp;s)
{
    istream::sentry guard (strm, false);
    if (guard) {
        ios::iostate err = ios::goodbit;
        try {
            use_facet&lt;num_get&lt;char&gt; &gt;(strm.getloc ())
                .get (istreambuf_iterator&lt;char&gt;(strm),
                      istreambuf_iterator&lt;char&gt;(),
                      strm, err, s.i);
        }
        catch (...) {
            bool rethrow;
            try {
                strm.setstate (ios::badbit);
                rethrow = false;
            }
            catch (...) {
                rethrow = true;
            }
            if (rethrow)
                throw;
        }
        if (err)
            strm.setstate (err);
    }
    return strm;
}
</pre>
</blockquote>

<p>
[3] Extractor that catches exceptions thrown from sentry
but doesn't set badbit if the exception was thrown as a
result of a call to strm.clear().
</p>

<blockquote>
<pre>
istream&amp; operator&gt;&gt; (istream &amp;strm, S &amp;s)
{
    const ios::iostate state = strm.rdstate ();
    const ios::iostate except = strm.exceptions ();
    ios::iostate err = std::ios::goodbit;
    bool thrown = true;
    try {
        const istream::sentry guard (strm, false);
        thrown = false;
        if (guard) {
            use_facet&lt;num_get&lt;char&gt; &gt;(strm.getloc ())
                .get (istreambuf_iterator&lt;char&gt;(strm),
                      istreambuf_iterator&lt;char&gt;(),
                      strm, err, s.i);
        }
    }
    catch (...) {
        if (thrown &amp;&amp; state &amp; except)
            throw;
        try {
            strm.setstate (ios::badbit);
            thrown = false;
        }
        catch (...) {
            thrown = true;
        }
        if (thrown)
            throw;
    }
    if (err)
        strm.setstate (err);

    return strm;
}
</pre>
</blockquote>

<p>
[Pre-Berlin] Reopened at the request of Paolo Carlini and Steve Clamage.
</p>

<p>
[Pre-Portland] A relevant newsgroup post:
</p>

<p>
The current proposed resolution of issue #309 is
unacceptable.   I write commerical software and coding around this
makes my code ugly, non-intuitive, and requires comments referring
people to this very issue.   Following is the full explanation of my
experience.
</p>
<p>
In the course of writing software for commercial use, I constructed
std::ifstream's based on user-supplied pathnames on typical POSIX
systems.
</p>
<p>
It was expected that some files that opened successfully might not read
successfully -- such as a pathname which actually refered to a
directory.   Intuitively, I expected the streambuffer underflow() code
to throw an exception in this situation, and recent implementations of
libstdc++'s basic_filebuf do just that (as well as many of my own
custom streambufs).
</p>
<p>
I also intuitively expected that the istream code would convert these
exceptions to the "badbit' set on the stream object, because I had not
requested exceptions.    I refer to 27.6.1.1. P4.
</p>
<p>
However, this was not the case on at least two implementations -- if
the first thing I did with an istream was call operator>>( T&amp; ) for T
among the basic arithmetic types and std::string.   Looking further I
found that the sentry's constructor was invoking the exception when it
pre-scanned for whitespace, and the extractor function (operator>>())
was not catching exceptions in this situation.
</p>
<p>
So, I was in a situation where setting 'noskipws' would change the
istream's behavior even though no characters (whitespace or not) could
ever be successfully read.
</p>
<p>
Also, calling .peek() on the istream before calling the extractor()
changed the behavior (.peek() had the effect of setting the badbit
ahead of time).
</p>
<p>
I found this all to be so inconsistent and inconvenient for me and my
code design, that I filed a bugzilla entry for libstdc++.   I was then
told that the bug cannot be fixed until issue #309 is resolved by the
committee.
</p>

<p><i>[
2009-07 Frankfurt
]</i></p>


<blockquote>
<p>
Moved to NAD.
</p>
<p>
See the rationale in the issue. Paolo, who requested that the issue be
reopened, agreed with the rationale.
</p>
</blockquote>



<p id="res-309"><b>Proposed resolution:</b></p>


<p><b>Rationale:</b></p>
<p>The LWG agrees there is minor variation between implementations,
  but believes that it doesn't matter. This is a rarely used corner
  case. There is no evidence that this has any commercial importance
  or that it causes actual portability problems for customers trying
  to write code that runs on multiple implementations.</p>





</body>
</html>
