...
| Page properties | ||
|---|---|---|
| ||
This rule could be argued to be more of a style recommendation than a rule. However, this is prevalent advice given by many sources, such as Google's coding style guidelines (http://google-styleguide.googlecode.com/svn/trunk/cppguide.html#Namespaces), and the behavior is subtle-but-surprising enough that it will trip up programmers. The most common rationale behind why unnamed namespaces are bad in a header file has to do with ODR violations, but from what I can research, the unnamed namespace in a header isn't to blame for those violations per-se, it's misunderstanding what an unnamed namespace does in conjunction with some other language feature, like inline functions. I am writing this to be a rule, but we'll see what kind of push-back happens in practice as to whether it remains a rule, or gets demoted to a strong recommendation. |
Noncompliant Code Example
In this noncompliant code example, the variable v is defined in an unnamed namespace within a header file and is accessed from two separate translation units. Each translation unit prints the current value of v and then assigns a new value into it. However, because v is defined within an unnamed namespace, each translation unit operates on its own instance of v, resulting in unexpected output.
...
| Code Block |
|---|
f(): 0 g(): 0 f(): 42 g(): 100 |
Compliant Solution
In this compliant solution, v is defined in only one translation unit but is externally visible to all translation units, resulting in the expected behavior:
...
| Code Block |
|---|
f(): 0 g(): 42 f(): 100 g(): 42 |
Noncompliant Code Example
In this noncompliant code example, the variable v is defined in an unnamed namespace within a header file, and an inline function, get_v(), is defined, which accesses that variable. ODR-using the inline function from multiple translation units (as shown in the implementation of f() and g()) violates the one-definition rule because the definition of get_v() is not identical in all translation units due to referencing a unique v in each translation unit.
...
See DCL60-CPP. Obey the One-Definition Rule for more information on violations of the one-definition rule.
Compliant Solution
In this compliant solution, v is defined in only one translation unit but is externally visible to all translation units and can be accessed from the inline get_v() function:
| Code Block | ||||
|---|---|---|---|---|
| ||||
// a.h
#ifndef A_HEADER_FILE
#define A_HEADER_FILE
extern int v;
inline int get_v() {
return v;
}
#endif // A_HEADER_FILE
// a.cpp
#include "a.h"
// Externally used by get_v();
int v;
void f() {
int i = get_v();
// ...
}
// b.cpp
#include "a.h"
void g() {
int i = get_v();
// ...
} |
Noncompliant Code Example
In this noncompliant code example, the function f() is defined within a header file. However, including the header file in multiple translation units causes a violation of the one-definition rule that usually results in an error diagnostic generated at link time due to multiple definitions of a function with the same name.
| Code Block | ||||
|---|---|---|---|---|
| ||||
// a.h
#ifndef A_HEADER_FILE
#define A_HEADER_FILE
void f() { /* ... */ }
#endif // A_HEADER_FILE
// a.cpp
#include "a.h"
// ...
// b.cpp
#include "a.h"
// ... |
Noncompliant Code Example
This noncompliant code example attempts to resolve the link-time errors by defining f() within an unnamed namespace. However, it produces multiple, unique definitions of f() in the resulting executable. If a.h is included from many translation units, it can lead to increased link times, a larger executable file, and reduced performance.
| Code Block | ||||
|---|---|---|---|---|
| ||||
// a.h
#ifndef A_HEADER_FILE
#define A_HEADER_FILE
namespace {
void f() { /* ... */ }
}
#endif // A_HEADER_FILE
// a.cpp
#include "a.h"
// ...
// b.cpp
#include "a.h"
// ... |
Compliant Solution
In this compliant solution, f() is not defined with an unnamed namespace and is instead defined as an inline function. Inline functions are required to be defined identically in all translation units in which they are used, which allows an implementation to generate only a single instance of the function at runtime in the event the body of the function does not get generated for each call site.
...
| Page properties | ||
|---|---|---|
| ||
I suspect that we may want an exception for allowing unnamed namespaces in header files under certain circumstances. For instance, it may be permissible for constant values in unnamed namespaces (but then again, those could still result in ODR violations). I know that some implementations of |
Risk Assessment
Defining an unnamed namespace within a header file can cause data integrity violations and performance problems but is unlikely to go unnoticed with sufficient testing. One-definition rule violations result in undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL58DCL59-CPP | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Clang |
| cert-dcl59-cpp | Checked by clang-tidy | ||||||
| LDRA tool suite |
| 286 S, 512 S | Fully implemented | ||||||
| Parasoft C/C++test | 9.5 | CODSTA-74 | |||||||
| SonarQube C/C++ Plugin |
| UnnamedNamespaceInHeader |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [ISO/IEC 14882-2014] | Subclause 3.2, "One Definition Rule" |
...