This document states general rules for cleanup.
The general rules for cleanup during the lifetime of an object are:
between the moment the object is allocated, and the moment that a pointer to that object is stored in a structure which would be accessible if a leave occurred, the object must be pushed to the clean-up stack if a leave could possibly occur
when a pointer to the object has been stored in an object which would be accessible if a leave occurred, then the object should be popped from the cleanup stack before a leave could possibly occur: normally, the object is popped first, and then the pointer is stored
an object is accessible
if a leave occurs, if either it is pushed to the cleanup stack, or there is
a reference to it from another object which would be accessible if a leave
occurred, or there is a reference to it from a stack frame which would not
be affected when a leave occurs (because of an appropriately-placed TRAP),
or there is a reference to it from a global variable
it should never be possible to clean up an object more than once, if a leave occurred
In practice, this means that an object must be referred to either by a
cleanup stack frame, or by a reference from another object. More rarely, the
object may be referred to by a stack frame which cannot be unwound during
the lifetime of that object, because of an appropriate TRAP.
More rarely still, the object may be referred to by a global variable.