SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Nontrivial C++ programs are generally divided into multiple translation units that are later linked together to form an executable. To support such a model, C++ restricts named object definitions to ensure that linking will behave deterministically by requiring a single definition for an object across all translation units. This model is called the one-definition rule (ODR), which is defined by the C++ Standard, [basic.def.odr], in paragraph 4 [ISO/IEC 14882-2014]:

Every program shall contain exactly one definition of every non-inline function or variable that is odr-used in that program; no diagnostic required. The definition can appear explicitly in the program, it can be found in the standard or a user-defined library, or (when appropriate) it is implicitly-defined. An inline function shall be defined in every translation unit in which it is odr-used.

The most common approach to multitranslation unit compilation involves declarations residing in a header file that is subsequently made available to a source file via #include. These declarations are often also definitions, such as class and function template definitions. This approach is allowed by an exception defined in paragraph 6, which, in part, states the following:

There can be more than one definition of a class type, enumeration type, inline function with external linkage, class template, non-static function template, static data member of a class template, member function of a class template, or template specialization for which some template parameters are not specified in a program provided that each definition appears in a different translation unit, and provided the definitions satisfy the following requirements. Given such an entity named D defined in more than one translation unit....

If the definitions of D satisfy all these requirements, then the program shall behave as if there were a single definition of D. If the definitions of D do not satisfy these requirements, then the behavior is undefined.

The requirements specified by paragraph 6 essentially state that that two definitions must be identical (not simply equivalent). Consequently, a definition introduced in two separate translation units by an #include directive generally will not violate the ODR because the definitions are identical in both translation units.

However, it is possible to violate the ODR of a definition introduced via #include using block language linkage specifications, vendor-specific language extensions, and so on. A more likely scenario for ODR violations is that accidental definitions of differing objects will exist in different translation units.

Do not violate the one-definition rule; violations result in undefined behavior.

Noncompliant Code Example

In this noncompliant code example, two different translation units define a class of the same name with differing definitions. Although the two definitions are functionally equivalent (they both define a class named S with a single, public, nonstatic data member int a), they are not defined using the same sequence of tokens. This code example violates the ODR and results in undefined behavior.

// a.cpp
struct S {
  int a;
};
 
// b.cpp
class S {
public:
  int a;
};

Compliant Solution

The correct mitigation depends on programmer intent. If the programmer intends for the same class definition to be visible in both translation units because of common usage, the solution is to use a header file to introduce the object into both translation units, as shown in this compliant solution.

// S.h
struct S {
  int a;
};
 
// a.cpp
#include "S.h"
 
// b.cpp
#include "S.h"

Compliant Solution

If the ODR violation was a result of accidental name collision, the best mitigation solution is to ensure that both class definitions are unique, as in this compliant solution.

// a.cpp
namespace {
struct S {
  int a;
};
}
 
// b.cpp
namespace {
class S {
public:
  int a;
};
}

Alternatively, the classes could be given distinct names in each translation unit to avoid violating the ODR.

Noncompliant Code Example (Microsoft Visual Studio)

In this noncompliant code example, a class definition is introduced into two translation units using #include. However, one of the translation units uses an implementation-defined #pragma that is supported by Microsoft Visual Studio to specify structure field alignment requirements. Consequently, the two class definitions may have differing layouts in each translation unit, which is a violation of the ODR.

// s.h
struct S {
  char c;
  int a;
};
 
void init_s(S &s);
 
// s.cpp
#include "s.h"
 
void init_s(S &s); {
  s.c = 'a';
  s.a = 12;
}
 
// a.cpp
#pragma pack(push, 1)
#include "s.h"
#pragma pack(pop)
 
void f() {
  S s;
  init_s(s);
}

Implementation Details

It is possible for the preceding noncompliant code example to result in a.cpp allocating space for an object with a different size than expected by init_s() in s.cpp. When translating s.cpp, the layout of the structure may include padding bytes between the c and a data members. When translating a.cpp, the layout of the structure may remove those padding bytes as a result of the #pragma pack directive, so the object passed to init_s() may be smaller than expected. Consequently, when init_s() initializes the data members of s, it may result in a buffer overrun.

For more information on the behavior of #pragma pack, see the vendor documentation for your implementation, such as Microsoft Visual Studio or GCC.

Compliant Solution

In this compliant solution, the implementation-defined structure member-alignment directive is removed, ensuring that all definitions of S comply with the ODR.

// s.h
struct S {
  char c;
  int a;
};
 
void init_s(S &s);
 
// s.cpp
#include "s.h"
 
void init_s(S &s); {
  s.c = 'a';
  s.a = 12;
}
 
// a.cpp
#include "s.h"
 
void f() {
  S s;
  init_s(s);
}

Noncompliant Code Example

In this noncompliant code example, the constant object n has internal linkage but is odr-used within f(), which has external linkage. Because f() is declared as an inline function, the definition of f() must be identical in all translation units. However, each translation unit has a unique instance of n, resulting in a violation of the ODR.

const int n = 42;
 
int g(const int &lhs, const int &rhs);
 
inline int f(int k) {
  return g(k, n);
}

Compliant Solution

A compliant solution must change one of three factors: (1) it must not odr-use n within f(), (2) it must declare n such that it has external linkage, or (3) it must not use an inline definition of f().

If circumstances allow modification of the signature of g() to accept parameters by value instead of by reference, then n will not be odr-used within f() because n would then qualify as a constant expression. This solution is compliant but it is not ideal. It may not be possible (or desirable) to modify the signature of g(), such as if g() represented std::max() from <algorithm>. Also, because of the differing linkage used by n and f(), accidental violations of the ODR are still likely if the definition of f() is modified to odr-use n.

const int n = 42;
 
int g(int lhs, int rhs);
 
inline int f(int k) {
  return g(k, n);
}

Compliant Solution

In this compliant solution, the constant object n is replaced with an enumerator of the same name. Named enumerations defined at namespace scope have the same linkage as the namespace they are contained in. The global namespace has external linkage, so the definition of the named enumeration and its contained enumerators also have external linkage. Although less aesthetically pleasing, this compliant solution does not suffer from the same maintenance burdens of the previous code because n and f() have the same linkage.

enum Constants {
  N = 42
};

int g(const int &lhs, const int &rhs);
 
inline int f(int k) {
  return g(k, N);
}

Risk Assessment

Violating the ODR causes undefined behavior, which can result in exploits as well as denial-of-service attacks. As shown in "Support for Whole-Program Analysis and the Verification of the One-Definition Rule in C++" [Quinlan 06], failing to enforce the ODR enables a virtual function pointer attack known as the VPTR exploit. In this exploit, an object's virtual function table is corrupted so that calling a virtual function on the object results in malicious code being executed. See the paper by Quinlan and colleagues for more details. However, note that to introduce the malicious class, the attacker must have access to the system building the code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL60-CPP

High

Unlikely

High

P3

L3

Automated Detection

Tool

Version

Checker

Description

Astrée

22.10

type-compatibility
definition-duplicate
undefined-extern
undefined-extern-pure-virtual
external-file-spreading
type-file-spreading
Partially checked
Axivion Bauhaus Suite

7.2.0

CertC++-DCL60
CodeSonar
8.1p0

LANG.STRUCT.DEF.FDH
LANG.STRUCT.DEF.ODH

Function defined in header file
Object defined in header file
Helix QAC

2024.1

C++1067, C++1509, C++1510


LDRA tool suite
9.7.1

 

286 S, 287 S

Fully implemented

Parasoft C/C++test

2023.1

CERT_CPP-DCL60-a

A class, union or enum name (including qualification, if any) shall be a unique identifier

Polyspace Bug Finder

R2023b

CERT C++: DCL60-CPPChecks for inline constraints not respected (rule partially covered)
RuleChecker
22.10
type-compatibility
definition-duplicate
undefined-extern
undefined-extern-pure-virtual
external-file-spreading
type-file-spreading
Partially checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

[ISO/IEC 14882-2014]

Subclause 3.2, "One Definition Rule"

[Quinlan 2006]


7 Comments

  1. Yishai Sered

    I do not understand the point of this rule. In the absence of tool chains that enforce this behavior, and given that an attacker would be writing malicious code to exploit the weakness, what is the point of a rule? Attackers do not obey rules.

     

    1. Aaron Ballman

      The advice from the rule is sound in that violations of the ODR result in undefined behavior, and once you have undefined behavior in your program, you have a potential security risk. It's no different than other UB-related rules in that regard.

      However, the exploits discussed are not particularly compelling (at least, to me) because they rely on the attacker to recompile the source code to implement the attack. If the attacker has that level of access to the code, there's nothing to be done regardless – and it still requires someone else to execute that code. That's probably why the "Likelihood" category is rated "Unlikely."

  2. William Ruppel

    Suggest that the compliant example for MSVC be changed to preserve the semantics of the non-compliant version. In particular, the struct S is no longer packed in the compliant example.

    But, what if we need the struct to be packed? We shouldn't imply that removing the pragams is the way to make the code compliant.

    Instead, we should simply move the pragmas into the header file.

    Thanks.

    1. Aaron Ballman

      That is a reasonable suggestion, though it would make the compliant solution nonportable (which we generally try to avoid when possible). I would hesitate to add another CS, or to replace the existing one with a nonportable one. I think that another way to solve this would be to put some extra text after the CS that says, "Alternatively, if the structure fields are required to be in packed alignment, the implementation-defined #pragma pack directive could be placed around the declaration of S within the header file." That should already be reasonably obvious to the reader already, but calling it out explicitly would not be amiss.

      Given that we're in the process of copyediting the standard for publication and I don't think this is a correctness issue, I am going to hold off on making this modification right now.

  3. Jenna Jungsun Goh

    Most compilers, including g++, check for multiple definitions during the linking phase. Do we need to check this rule during the general program development phase, even though the compiler and linker already check for multiple definitions? Static analysis tools that work at the compilation level often generate too many false positives with this rule.

    1. David Svoboda

      Our rules, including this one, indicate problems in C++ source code that are not required to be detected by compilers. If your compiler detects violations of this rule, that should make your job easier.  If your compiler detects *all* violations of the rule, then you might be able to ignore the output of static analysis tools...that is up to you and your organization.

      We make no recommendations regarding the use of particular compilers or static analysis tools....our rules are strictly based on the ISO C standard, and the behavior of the most common compilers available today.

      1. Jenna Jungsun Goh

        In a large project composed of lots of modules, independent modules can use multiple definitions, which does not violate the one-definition rule(ODR). However, static analysis tools which work at the compilation level cannot determine whether the modules are independent of each other and report significant false positives by reporting issues for all multiple definitions even if the modules are independent of each other. Based on your opinion, I fully understand that this may vary depending on the development environment. I just want to share the current status of this rule in actual development environment.