...
Do not violate the one-definition rule; violations result in undefined behavior.
Noncompliant Code Example
In this noncompliant code example, two different translation units define a class of the same name with differing definitions. Although the two definitions are functionally equivalent (they both define a class named S
with a single, public, nonstatic data member int a
), they are not defined using the same sequence of tokens. This code example violates the ODR and results in undefined behavior.
Code Block | ||||
---|---|---|---|---|
| ||||
// a.cpp struct S { int a; }; // b.cpp class S { public: int a; }; |
Compliant Solution
The compliant solution depends on programmer intent. If the programmer intends for the same class definition to be visible in both translation units because of common usage, the solution is to use a header file to introduce the object into both translation units, as shown in this compliant solution:
...
Alternatively, the classes could be given distinct names in each translation unit to avoid violating the ODR.
Noncompliant Code Example
In this noncompliant code example, a class definition is introduced into two translation units using #include
. However, one of the translation units uses a common, implementation-defined #pragma
to specify structure field alignment requirements. Consequently, the two class definitions may have differing layouts in each translation unit, which is a violation of the ODR.
Code Block | ||||
---|---|---|---|---|
| ||||
// s.h struct S { char c; int a; }; void init_s(S &s); // s.cpp #include "s.h" void init_s(S &s); { s.c = 'a'; s.a = 12; } // a.cpp #pragma pack(push, 1) #include "s.h" #pragma pack(pop) void f() { S s; init_s(s); } |
Implementation Details
It is possible for the preceding noncompliant code example to result in a.cpp
allocating space for an object with a different size than expected by init_s()
in s.cpp
. When translating s.cpp
, the layout of the structure may include padding bytes between the c
and a
data members. When translating a.cpp
, the layout of the structure may remove those padding bytes as a result of the #pragma pack
directive, and so the object passed to init_s()
may be smaller than expected. Consequently, when init_s()
initializes the data members of s
, it may result in a buffer overrun.
For more information on the behavior of #pragma pack
, see the vendor documentation for your implementation, such as Microsoft Visual Studio or GCC.
Compliant Solution
In this compliant solution, the implementation-defined structure member alignment directive is removed, ensuring that all definitions of S
comply with the ODR:
...
Page properties | ||
---|---|---|
| ||
I am uncertain whether it would be interesting or not, but another NCCE/CS pair that is specific to Microsoft Visual Studio would be the generic text mappings use by a lot of Win32 APIs (and Windows code in general). The IDE gives you a flag that you can toggle that specifies whether
I hesitate to add this as an NCCE/CS pair because it's so implementation-specific and I think the point is already made with other examples in this rule. However, this is one of those scenarios that can bite Win32 programmers if they're not observant, and the flag is relatively hidden. |
Noncompliant Code Example
In this noncompliant code example, the constant object n
has internal linkage but is odr-used within f()
, which has external linkage. Because f()
is declared as an inline function, the definition of f()
must be identical in all translation units. However, each translation unit has a unique instance of n
, resulting in a violation of the ODR.
Code Block | ||||
---|---|---|---|---|
| ||||
const int n = 42; int g(const int &lhs, const int &rhs); inline int f(int k) { return g(k, n); } |
Compliant Solution
A compliant solution must change one of three factors: it must not odr-use n
within f()
, it must declare n
such that it has external linkage, or it must not use an inline definition of f()
.
...
Code Block | ||||
---|---|---|---|---|
| ||||
enum Constants { n = 42 }; int g(const int &lhs, const int &rhs); inline int f(int k) { return g(k, n); } |
Risk Assessment
Violating the ODR causes undefined behavior, which can result in exploits as well as denial-of-service attacks. As shown in "Support for Whole-Program Analysis and the Verification of the One-Definition Rule in C++" [Quinlan 06], failing to enforce the ODR enables a virtual function pointer attack known as the VPTR exploit. In this exploit, an object's virtual function table is corrupted so that calling a virtual function on the object results in malicious code being executed. See the paper by Quinlan and colleagues for more details. However, note that to introduce the malicious class, the attacker must have access to the system building the code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC52-CPP | High | Unlikely | High | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
PRQA QA-C++ |
| 1067 1509 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
[ISO/IEC 14882-2014] | Subclause 3.2, "One Definition Rule" |
[Quinlan 06] |
...