CodeQL documentation

Throwing pointers

ID: cpp/throwing-pointer
Kind: problem
Security severity: 
Severity: warning
Precision: high
Tags:
   - efficiency
   - correctness
   - exceptions
Query suites:
   - cpp-security-and-quality.qls


As C++ is not a garbage-collected language, exceptions should not be dynamically allocated. Dynamically allocating an exception puts an onus on every catch site to ensure that the memory is freed.

As a special case, it is permissible to throw anything derived from Microsoft MFC’s CException class as a pointer. This is for historical reasons; modern code and modern frameworks should not throw pointer values.


The new keyword immediately following the throw keyword should be removed. Any catch sites that previously caught the pointer should be changed to catch by reference or const reference.


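#include <stdexcept>

void bad() {
  // Throws a pointer: every catch site must remember to delete it.
  throw new std::runtime_error("This is how not to throw an exception");
}

void good() {
  // Throws by value: catch by (const) reference, nothing to free.
  throw std::runtime_error("This is how to throw an exception");
}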
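
The catch-site consequences described above, as an added example that is not part of the CodeQL documentation: a thrown pointer stays allocated unless the handler deletes it, is not matched by a by-reference handler, and a by-value throw leaves nothing to free. TrackedError and all function names are hypothetical, introduced only to make the allocation count observable.

```cpp
#include <stdexcept>

// Hypothetical exception type that counts live instances so a leak is visible.
struct TrackedError : std::runtime_error {
  static int live;
  explicit TrackedError(const char* msg) : std::runtime_error(msg) { ++live; }
  TrackedError(const TrackedError& other) : std::runtime_error(other) { ++live; }
  ~TrackedError() override { --live; }
};
int TrackedError::live = 0;

void throw_pointer() { throw new TrackedError("heap-allocated"); }
void throw_value() { throw TrackedError("thrown by value"); }

// Catch site that handles the pointer but never deletes it.
int live_after_forgetful_pointer_catch() {
  std::exception* stray = nullptr;
  try { throw_pointer(); }
  catch (std::exception* e) { stray = e; }  // stands in for a handler with no delete
  int live = TrackedError::live;            // object is still allocated here
  delete stray;                             // cleanup for this demo only
  return live;
}

// A by-reference handler does not match a thrown pointer.
bool reference_handler_catches_pointer() {
  try { throw_pointer(); }
  catch (const std::exception&) { return true; }
  catch (std::exception* e) { delete e; }
  return false;
}

// Thrown by value, caught by const reference: the runtime destroys the
// exception object when the handler exits, so nothing is left to free.
int live_after_value_catch() {
  try { throw_value(); }
  catch (const std::exception& e) { (void)e.what(); }
  return TrackedError::live;
}
```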

