Page History

Namespaces introduce new declarative regions for declarations, reducing the likelihood of conflicting identifiers with other declarative regions. One feature of namespaces is that they can be further extended, even within separate translation units. For instance, the following declarations are well-formed.

namespace MyNamespace {
int length;
}
 
namespace MyNamespace {
int width;
}
 
void f() {
  MyNamespace::length = MyNamespace::width = 12;
}

The standard library introduces the namespace std for standards-provided declarations such as std::string, std::vector, and std::for_each. However, it is undefined behavior to introduce new declarations in namespace std except under special circumstances. The C++ Standard, [namespace.std], paragraphs 1 and 2 [ISO/IEC 14882-2014], states the following:

¹ The behavior of a C++ program is undefined if it adds

C++ places all standard definitions inside the std namespace. Furthermore, C++ 2003, Section 17.4.3.1 "Reserved names", says:

It is undefined for a C++ program to add declarations or definitions to namespace std or namespaces  or to a namespace within namespace std unless  unless otherwise specified. A program may add a template specializations for specialization for any standard library template to namespace std. Such a specialization (complete or partial) of a standard library template results in undefined behavior unless the declaration  only if the declaration depends on a user-defined type and the specialization meets the standard library requirements for the original template and is not explicitly prohibited.

² The behavior of a C++ program is undefined if it declares

— an explicit specialization of any member function of a standard library class template, or
— an explicit specialization of any member function template of a standard library class or class template, or
— an explicit or partial specialization of any member class template of a standard library class or class template.

In addition to restricting extensions to the the namespace std, the C++ Standard, [namespace.posix], paragraph 1, further states the following:

The behavior of a C++ program is undefined if it adds declarations or definitions to namespace posix or to a namespace within namespace posix unless otherwise specified. The namespace posix is reserved for use by ISO/IEC 9945 and other POSIX standards.

Do not add declarations or definitions to the standard namespaces std or posix, or to a namespace contained therein, except for a template specialization that depends on a user-defined type

...

that meets the standard library requirements for the original template.

The Library Working Group, responsible for the wording of the Standard Library section of the C++ Standard, has an unresolved issue on the definition of user-defined type. Although the Library Working Group has no official stance on the definition [INCITS 2014], we define it to be any class, struct, union, or enum that is not defined within namespace std or a namespace contained within namespace std. Effectively, it is a user-provided type instead of a standard library–provided type.

Noncompliant Code Example

In this noncompliant code example, the declaration of x is added to the namespace std, resulting in undefined behavior.

namespace std {
int x;
}

Compliant Solution

This compliant solution assumes the intention of the programmer was to place the declaration of x into a namespace to prevent collisions with other global identifiers. Instead of placing the declaration into the namespace std, the declaration is placed into a namespace without a reserved name.

namespace nonstd {
int x;
}

Noncompliant Code Example

In this noncompliant code is noncompliant because it alters the standard namespaceexample, a template specialization of std::plus is added to the namespace std in an attempt to allow std::plus to concatenate a std::string and MyString object. However, because the template specialization is of a standard library–provided type (std::string), this code results in undefined behavior.

#include <functional>
#include <iostream>
#include <string>

class MyString {
  std::string data;
  
public:
  MyString(const std::string &data) : data(data) {}
  
  const std::string &get_data() const { return data; }
};

namespace std {
template <>
struct plus<string> : binary_function<string, MyString, string> {
  string operator()(const string &lhs, const MyString &rhs) const {
    return lhs + rhs.get_data();
  }
};
}

void f() {
  std::string s1("My String");
  MyString s2(" + Your String");
  std::plus<std::string> p;
  
  std::cout << p(s1, s2) << std::endl;
}

Compliant Solution

The interface for std::plus requires that both arguments to the function call operator and the return type are of the same type. Because the attempted specialization in the noncompliant code example results in undefined behavior, this compliant solution defines a new std::binary_function derivative that can add a std::string to a MyString object without requiring modification of the namespace std.

#include <functional>
#include <iostream>
#include <string>

class MyString {
  std::string data;
  
public:
  MyString(const std::string &data) : data(data) {}
  
  const std::string &get_data() const { return data; }
};

struct my_plus : std::binary_function<std::string, MyString, std::string> {
  std::string operator()(const std::string &lhs, const  int x;
};

Compliant Solution

MyString &rhs) const {
    return lhs + rhs.get_data();
  }
};

void f() {
  std::string s1("My String");
  MyString s2(" + Your String");
  my_plus p;
  
  std::cout << p(s1, s2) << std::endl;
}

Compliant Solution

In this compliant solution, a specialization of std::plus is added to the std namespace, but the specialization depends on a user-defined type and meets the Standard Template Library requirements for the original template, so it complies with this rule. However, because MyString can be constructed from std::string, this compliant solution involves invoking a converting constructor whereas the previous compliant solution does not.

#include <functional>
#include <iostream>
#include <string>
 
class MyString {
  std::string data;
   
public:
  MyString(const std::string &data) : data(data) {}
   
  const std::string &get_data() const { return data; }
};
 
namespace nonstd std {
template <>
struct plus<MyString> {
  MyString operator()(const MyString &lhs, const MyString &rhs) const {
   int x;
};
 return lhs.get_data() + rhs.get_data();
  }
};
}
 
void f() {
  std::string s1("My String");
  MyString s2(" + Your String");
  std::plus<MyString> p;
   
  std::cout << p(s1, s2).get_data() << std::endl;
}

Risk Assessment

Altering the standard namespace can cause undefined behavior in the C++ standard library.

Automated Detection

Related Vulnerabilities

Search for other vulnerabilities resulting  resulting from the violation of this rule on the the CERT website.

Related Guidelines

Bibliography

...

[INCITS 2014]	Issue 2139, "What Is a User-Defined Type?"
[ISO/IEC 14882-2014]	Subclause 17.6.4.2.1, "Namespace std" Subclause 17.6.4.2.2, "Namespace posix"

...

Image Added Image Added Image Added 10646-2003|AA. Bibliography#ISO/IEC 10646-2003]\]MSC33-CPP. Obey the One Definition Rule      49. Miscellaneous (MSC)      MSC35-CPP. Do not use goto statement to take control inside the try and catch blocks