DRAFT C++ Dynamic Library Support

ISO/IEC JTC1 SC22 WG21 N2425 = 07-0295 - 2007-10-21

Lawrence Crowl, crowl@google.com, Lawrence@Crowl.org

This paper is a revision of N2407 = 07-0267 - 2007-09-10.

NOTE: The committee has decided to defer work on dynamic libraries until after the C++0x standard. This paper represents a snapshot of that work, and hence is generally incomplete.

• Introduction
  • Features
  • Terminology
• Practice
  • Isolation
  • Resolution
• Proposal
  • Late Binding
  • Isolation
  • Resolution
    • Single Definition
    • Multiple Definitions
  • Conditional Loading
  • Removal
• Changes
  • 1.4 Implementation compliance [intro.compliance]
  • 1.9(new) The C++ program model [intro.program]
  • Chapter 2 Lexical conventions [lex]
  • 3.2 One definition rule [basic.def.odr]
  • 3.5 Program and linkage [basic.link]
  • Chapter 7 Declarations [dcl.dcl]
  • Chapter 10 Derived classes [class.derived]

Introduction

The construction and use of dynamic libraries has become a significant requirement on modern software development. Unfortunately, their interaction with C++ varies between implementations and is often underspecified on any given implementation.

The problem with dynamic libraries in C++ is that the benefits they provide introduce another layer of visibility. This additional layer of visibility is intended to provide for additional isolation, but is in direct contradiction to the one-definition rule.

See the following papers for more complete discussion of the issues. The latter paper has an extensive set of references.

• Matt Austern, N1400 Toward standardization of dynamic libraries
• Pete Becker, N1418 Dynamic Libraries in C++, Notes from the Technical Session in Santa Cruz, Oct. 21, 2002
• Benjamin Kosnik, N1976 Dynamic Shared Objects: Survey and Issues

In practice, programmers are able to work around the contradition and produce reliable programs. Changing the standard to recognize and guide existing practice will markedly improve program construction. Unfortunately, a coherent change to the standard may well require changes to some of the C++ ABIs, and hence should be done as part of the standard rather than as a Technical Report.

Features

The primary feature of dynamic libraries is the means to defer the binding of a library interface to an implementation of that interface until program execution. This defered binding provides a number of benefits to a program.

• The program may bind to an implementation of a library tuned to a particular hardware platform. For example, a numeric library vendor may provide different implementations of a library tuned to specific cache sizes.
• The program may be updated in parts. Newer versions of components may be distributed independently of each other. This independent update may be both within a vendor's components and between components of different vendors. For example, a database vendor may update its query interpreter library independently of the application using the interpreter and independently of the C run-time library used by the interpreter.
• The program may gain functionality after distribution by binding to libraries with functionality not originally anticipated. The libraries are often called "plug-in" libraries. One example is the a PDF display plug-in for a web browser.

The second feature of dynamic libraries is isolation. Isolation means that accidents of implementation are not exposed to the users of the library. That is, the set of bindable symbols provided by the library is exactly the set of symbols in its interface; none of the implementation-specific symbols are bindable.

The third feature of dynamic libraries is resolution. Resolution means that the system can resolve multiple definitions of a symbol. There are two general strategies for resolution, dependence and interposition. More colloquially, these are "the Windows way" and "the Unix way", respectively.

The fourth feature of dynamic libraries is conditional loading. Conditional loading means that the name of a dynamic library can be computed at run-time and then brought into the program. This feature is also known as "plug-in".

The fifth feature of dynamic libraries is removal. Removal means that a dynamic library can be taken out of the program. This process is also known as "closing" a dynamic library.

Terminology

We adopt the terminology of Matt Austern, N1400 Toward standardization of dynamic libraries:

load unit

A set of translation units linked together by a static linker.

executable

A load unit containing a definition for main. It is the load unit that the user runs.

dynamic library

A load unit that is not an executable.

program

The executable together with all dynamic libraries loaded at any one time during execution.

dependences

The load units available to the static linker to satisfy symbols undefined by load unit being linked.

In addition, we introduce additional terminology that is necessary to clarify the constraints of dynamic libraries.

linker symbol

A named function, type, or variable with external linkage. (Typedefs are not symbols.)

linker visibility

The visibility of a linker symbol is whether or not it is isolated.

exclusive definition

An object definition that may appear in only one translation unit. Regular functions have these definitions. Regular initialized variables have these definitions.

replicable definition

An object definition that may appear in multiple translation units, provided the definitions are the same. Inline functions and template functions have these definitions. Uninitialized variables sometimes have these definitions, which are also known as tentative definitions. Class definitions also have these definitions.

Practice

This section describes some existing practice. It is not a complete description; Benjamin Kosnik, N1976 Dynamic Shared Objects: Survey and Issues provides more details.

Isolation

There are several approaches to the syntax for specifying or retracting isolation for a symbol.

Microsoft

Symbols are isolated by default. The declaration specifier __declspec(dllexport) specifies that a symbol definition is not isolated. The declaration specifier __declspec(dllimport) specifies that a symbol declaration is satisfied by an non-isolated symbol.

GNU on Unix

Symbols are not isolated by default. A declaration attribute specifies that a symbol is isolated, e.g. __attribute__((visibility("hidden"))).

Sun

Default symbol isolation is defined by a command-line option, with the default of the option being that symbols are not isolated by default. For a given symbol, the visibility is specified with a storage class, e.g. __global or __hidden.

Pete Becker, N1428 /N1496 Draft Proposal for Dynamic Libraries in C++

The syntax is only notional, not a formal proposal. Symbols are isolated by default. For a given symbol, the visibility is specified with a storage class, e.g. shared.

Lawrence Crowl, N2117 Minimal Dynamic Library Support

The syntax is hinted as a storage class.

In addition to specifying (non-)isolation for a single symbol, it is convenient to have a syntax for specifying (non-)isolation for a region of code, particularly in header files. There are fewer examples of such syntax.

GNU on Unix

A pragma can push and pop default visibility.
#pragma GCC visibility push(hidden)
#pragma GCC visibility pop
A visibility attribute may be applied to a block extern declaration.
extern "C++" __attribute__((visibility("hidden"))) { .... }

Pete Becker, N1428 /N1496 Draft Proposal for Dynamic Libraries in C++

The syntax is only notional, but the shared storage class can be placed before a brace-enclosed region, much like extern "C".

Resolution

There are two primary approaches to resolution of multiple symbol definitions.

Windows

A reference is bound to the definition of a symbol in a statically dependent library. Thus a library may have not have a function replaced by the application. A consequence is that a library may not offer replaceable functions without substantial work. This work is necessary to meet the application-replaceable semantics of the global allocation operators.

Unix

The first definition of a symbol in the ordered list of load units is chosen for all references. That is, the first definition interposes on other definitions. A consequence is that a library may have any function replaced by the application.

As always, there are complications. Modern Unix systems provide for "protected" resolution, in which a reference to a protected symbol defined within the same load unit will bind to that definition irrespective of any prior definitions in the ordered list of load units.

Furthermore, some Unix systems, e.g. Sun and GNU/Linux, provide the ability to resolve a symbol to a dependent library in preference to normal interposition resolution.

Proposal

We propose C++ dynamic library support that exploits existing operating system facilities for dynamic libraries. Furthermore, we structure that support so that complexity rises with benefits. The Committee can choose the features that it needs. Finally, we specifically avoid trying to solve the whole problem, concentrating instead on those portions of the problem that affect large amounts of code. If an aspect of the program generally only affects a few lines of code, we leave it to programmers to write platform-specific code.

Late Binding

The first feature of dynamic library support is late binding. Late binding is entirely consistent with the current standard, and no change is necessary for this feature.

Isolation

The second feature of dynamic library support is isolation. To enable isolation, the standard must recognize the load unit as an intermediate layer of visibility between a translation unit and the program.

Once load units are present, the standard must provide a mechanism that specifies whether a symbol is isolated to a load unit or visible to all load units.

The primary mechanism for isolation is and should remain namespaces. Namespaces provide the best foundation for preventing symbol clashes. However, namespaces are insufficient for three reasons. First, they are transparent to functions with C linkage. Second, they are not sufficient to enable alternate implementations. Third, they are not robust to an adversarial use of implementation details. As a consequence, an additional mechanism is necessary.

Given a mechanism for isolation, the standard must admit multiple definitions for the same symbol, provided that those definitions are isolated from each other.

For the isolation syntax, we propose to avoid introducing a new keyword and extend the public, protected, and private labels to linker visibility for namespace-scoped symbols. Symbols with public or protected labels are not isolated. (The distinction between public and protected appears later.) Symbols with a private label are isolated to a load unit and are distinct from symbols declared in another load unit. Specifically, functions and variables have distict addresses while types have distinct typeids.

For class definitions, any meta-data must be isolated as well. Achieving distinct typeids for isolated types is most likely to require an implementation to change the ABI of the language.

The member function and static member variable symbols associated with a class have the linker visibility of their containing class. That is, within class definitions, the labels have their existing access-specifier meaning. Furthermore, class member definitions outside of a class definition ignore the prevailing linker visibility, and instead use the linker visibility of the class definition.

A label within a declarative region extends to the next label or to the end of the region, whichever comes first. Any label in effect immediately before a declarative region will be in effect immediately after that region. There are two applicable kinds of declarative regions, namespace and language linkage. Programmers can limit the scope of such labels at global scope, or within a namespace region, by enclosing them in language linkage (extern "C++" { }) regions. For example:

extern "C++" {
private:
    int my_helper( int a ) { return a+1; }
public:
    int give_me_more( int a ) { return my_helper( a+1 ); }
}

To assist in migration of existing code, the linker visibility in effect at the beginning of a translation unit is implementation-defined. Within headers, programmers should place all labels within a declarative region so as to preserve the implementation default.

We considered using the proposed annotation facility, Jens Maurer, Michael Wong, N2379 Towards support for attributes in C++, but decided against using it because the isolation specification does not meet the "ignorable" criteria for attributes. That is, removing the isolation indication would produce ill-formed programs.

Resolution

The third feature of dynamic library support is resolution of symbol references to multiple definitions. This topic is somewhat complicated, and we approach it via relaxing restrictions.

Single Definition

The simplest proposal is the most restrictive; define multiple definitions of non-isolated symbols as an error.

Because existing dynamic linker technology has only one category of definition, any replicable definition appears as though there were multiple exclusive definitions. Therefore, the simplest standard would simply prohibit non-isolated replicable definitions. A consequence is that the standard library would need careful thought as to which parts were applicable to a shared dynamic library and which parts were applicable to a replicated static library.

A more usable standard would support non-isolated replicable definitions provided that the definitions are identical. Doing so is not conceptially difficult; the primary problem is choosing a unique address or typeid. The dynamic linker can simply choose one of the definition artifacts. The existing Unix interposition resolution approach meets these semantics exactly. The existing Windows dependence resolution approach poses a problem, normally yielding different addresses within different load units. Potential solutions to this require each library obtain addresses from a shared table or to simply live with different addresses for what are conceptually the same function. Programmers rarely rely on inline functions having identical addresses; more problematic is identical typeids for exception handling.

Multiple Definitions

When multiple definitions are available for exclusive definitions, the implementation must resolve references to definitions. Unfortunately, neither the Unix approach nor the Windows approach appears to fully solve the problem. The Unix interposition approach leaves programs vunerable to inconsistent definitions when functions are both inlined and interposed. The Windows dependence approach prevents the interposition needed for the global allocation operators and other similar behavior. To resolve this issue, we propose to "do both".

Syntactically, we refine the label syntax introduced above for isolation. Semantically, we leave much implementation-defined because detailed specification of compile and link commands is beyond the scope of the standard.

• A symbol declared with the label public has interposition semantics. All references to a public symbol will resolve to a single definition within the program. The selection of definition is otherwise implementation-defined.
• A symbol declared with the label protected has dependence semantics. A load unit's reference to a protected symbol will resolve to a definition either in the current load unit or, failing that, in one of its dependences. The selection of definition is otherwise implementation-defined.

For example, and by way of illustration, the standard library would have the following declarations.

namespace std {
    typedef void (*new_handler)();
protected:
    new_handler set_new_handler( new_handler ) throw();
}
extern "C++" {
public:
    void * operator new( std::size_t ) throw( std::bad_alloc );
}

The primary problem with different replicable definitions is that current linker technology is unable to determine that two definitions are replicants of each other. Furthermore, replicants are often involved in inlining, and a non-inline call with different semantics from an inline expansion is bound to cause inconsistency and potentially failure. Therefore, we propose to prohibit public replicable definitions.

Furthermore, because replicable definitions are "baked in" to the object code, we propose to require that any use of a protected extern replicable definition have "the same" definition in all dependent libraries.

Conditional Loading

The fourth feature of dynamic library support is conditional loading. In terms of isolation and resolution, conditional loading introduces no new issues. The two new issues are initialization and destruction order for static-duration variables and finding a root symbol for the library.

We believe that the order of initialization and destruction as defined in Lawrence Crowl, N2382 Dynamic Initialization and Destruction with Concurrency provides for sufficiently late execution of initializers to admit conditional loading.

Finding the root symbol on a library generally involves converting a string containing some form of the symbol name into an address. As this code has low static frequency, we choose to not standardize it. Programmers will need to specialize their code for each supported platform.

Removal

The fifth feature of dynamic library support is library removal. This feature is also known as closing a dynamic library. The implications on order of destruction of static-duration and thread-duration variables could be severe. So, rather than try to define a precise meaning, we intend to provide advice to programmers on how to avoid the problems. In particular,

• Programmers shall terminate all threads that reference a thread-duration variable defined within a load unit before removing that load unit from the program. In practice, this means that a library intended to be conditionally loadable should only use thread-duration variables in threads that it creates and then terminates before removal.
• Programmers shall ensure that no static-duration variable is referenced from outside the removable load unit. In practice, this means that all variables in removable libraries have private visibility and that the library does not pass their addresses outside of the library.

As code to remove a dynamic library also has low static frequency, so we chose to not standardize it. Programmers will need to specialize their code for each supported platform.

Changes

The base document for these changes is Pete Becker, N2369 Working Draft, Standard for Programming Language C++.

The extent of those changes depends on which features the committee chooses to support. The paper covers core language changes only, leaving standard library changes to a separate paper.

1.4 Implementation compliance [intro.compliance]

Edit paragraph 6 as follows:

The templates, classes, functions, and objects in the library have external linkage (3.5). The implementation provides definitions for standard library entities, as necessary, while combining translation units to form a complete C++ program (2.1) (1.9).

1.9(new) The C++ program model [intro.program]

Add a new section between "1.8 The C++ object model [intro.object]" and the existing "1.9 Program execution [intro.execution]" with the following paragraphs.

The text of the program is kept in units called source files in this International Standard. A source file together with all the headers (17.4.1.2) and source files included (16.2) via the preprocessing directive #include, less any source lines skipped by any of the conditional inclusion (16.1) preprocessing directives, is called a translation unit.

A load unit is a set of translation units. A load unit may be either an executable, which contains a definition for main, or a dynamic library, which does not contain a definition for main. [ Note: The separate translation units of a load unit communicate (3.5) by (for example) calls to functions whose identifiers have external linkage, manipulation of objects whose identifiers have external linkage, or manipulation of data files. Translation units can be separately translated and then later linked to produce an load unit (3.5). A load unit is typically bound at program development time. — end note ]

A program is a set of load units. Each program may consist of one executable and zero or more dynamic libraries. [ Note: The separate load units of a program communicate (3.5) by (for example) calls to functions whose identifiers have external linkage and are not isolated, manipulation of objects whose identifiers have external linkage and are not isolated, or manipulation of data files. Load units can be separately statically linked, and then later dynamically linked together in an executing program (3.5). That is, programs may not be bound until execution. — end note ]

Chapter 2 Lexical conventions [lex]

Delete paragraph 1:

The text of the program is kept in units called source files in this International Standard. A source file together with all the headers (17.4.1.2) and source files included (16.2) via the preprocessing directive #include, less any source lines skipped by any of the conditional inclusion (16.1) preprocessing directives, is called a translation unit. [ Note: a C++ program need not all be translated at the same time. — end note ]

Delete paragraph 2:

[ Note: previously translated translation units and instantiation units can be preserved individually or in libraries. The separate translation units of a program communicate (3.5) by (for example) calls to functions whose identifiers have external linkage, manipulation of objects whose identifiers have external linkage, or manipulation of data files. Translation units can be separately translated and then later linked to produce an executable program (3.5). — end note ]

Insert a new paragraph 1:

[ Note: this clause presents the lexical interpretation of C++ source files. It describes the phases of translation, the character sets, and the resulting tokens. — end note ]

3.2 One definition rule [basic.def.odr]

Edit paragraph 3:

Every program load unit shall contain exactly one definition of every isolated non-inline function or isolated object that is used in that program load unit; no diagnostic required. The definition can appear explicitly in the program, it can be found in the standard or a user-defined dynamic library, or (when appropriate) it is implicitly defined (see 12.1, 12.4 and 12.8). An inline function shall be defined in every translation unit in which it is used.

Split and edit paragraph 5 as follows:

There can be more than one A definition of a class type (clause 9), enumeration type (7.2), inline function with external linkage (7.1.2), class template (clause 14), non-static function template (14.5.6), static data member of a class template (14.5.1.3), member function of a class template (14.5.1.1), or template specialization for which some template parameters are not specified (14.7, 14.5.5) is a replicable definition. Other functions and objects have exclusive definitions.

There may be more than one replicable definition for an entity in a program load unit provided that each definition appears in a different translation unit, and provided the definitions satisfy the following requirements. Given such an entity named D defined in more than one translation unit, then

• each definition of D shall consist of the same sequence of tokens; and
• in each definition of D, corresponding names, looked up according to 3.4, shall refer to an entity defined within the definition of D, or shall refer to the same entity, after overload resolution (13.3) and after matching of partial template specialization (14.8.3), except that a name can refer to a const object with internal or no linkage if the object has the same literal type in all definitions of D, and the object is initialized with a constant expression (5.19), and the value (but not the address) of the object is used, and the object has the same value in all definitions of D; and
• in each definition of D, the overloaded operators referred to, the implicit calls to conversion functions, constructors, operator new functions and operator delete functions, shall refer to the same function, or to a function defined within the definition of D; and
• in each definition of D, a default argument used by an (implicit or explicit) function call is treated as if its token sequence were present in the definition of D; that is, the default argument is subject to the three requirements described above (and, if the default argument has sub-expressions with default arguments, this requirement applies recursively).25)
• if D is a class with an implicitly-declared constructor (12.1), it is as if the constructor was implicitly defined in every translation unit where it is used, and the implicit definition in every translation unit shall call the same constructor for a base class or a class member of D. [ Example:

  
  // translation unit 1:
  struct X {
  X(int);
  X(int, int);
  };
  X::X(int = 0) { }
  class D: public X { };
  D d2; // X(int) called by D()
  
  // translation unit 2:
  struct X {
  X(int);
  X(int, int);
  };
  X::X(int = 0, int = 0) { }
  class D: public X { }; // X(int, int) called by D();
  // D()'s implicit definition
  // violates the ODR
  

  — end example ] If D is a template, and is defined in more than one translation unit, then the last four requirements from the list above shall apply to names from the template's enclosing scope used in the template definition (14.6.3), and also to dependent names at the point of instantiation (14.6.2). If the definitions of D satisfy all these requirements, then the program shall behave as if there were a single definition of D. If the definitions of D do not satisfy these requirements, then the behavior is undefined.

3.5 Program and linkage [basic.link]

Edit paragraph 1:

A program consists of one or more load units; a load unit consists of one or more translation units (clause 2) (1.9) linked together. A translation unit consists of a sequence of declarations.

translation-unit:

declaration-seq_opt

declaration-seq:

declaration declaration-seq_opt

visibility-specifier : declaration-seq_opt

visibility-specifier:

ppp-label

Add a new paragraph.

A name with external linkage can be

private

that is, its name can be used only by definitions within the load unit in which the name declared;

protected

that is, its name can be used by definitions within load units that depend on the load unit with the name's definition; and

public

that is, its name can be used anywhere without access restriction.

Add a new paragraph:

Declarations can be labeled by an visibility-specifier:

visibity-specifier : declaration-seq_opt

An visibility-specifier specifies the linker visibility for declarations following it until the end of the scope region namespace-body or until another visibility-specifier is encountered.

Any number of access specifiers is allowed and no particular order is required.

When a name is redeclared, the linkage visiblity remains that of its its initial declaration.

Chapter 7 Declarations [dcl.dcl]

Edit paragraph 1:

Declarations specify how names are to be interpreted. Declarations have the form

declaration-seq:

declaration

declaration-seq declaration

declaration:

block-declaration

function-definition

template-declaration

explicit-instantiation

explicit-specialization

linkage-specification

namespace-definition

block-declaration:

simple-declaration

asm-definition

namespace-alias-definition

using-declaration

using-directive

static_assert-declaration

alias-declaration

alias-declaration:

using identifier = type-id

simple-declaration:

decl-specifier-seq_opt init-declarator-list_opt ;

static_assert-declaration:

static_assert ( constant-expression , string-literal ) ;

[ Note: asm-definitions are described in 7.4, and linkage-specifications are described in 7.5. Function-definitions are described in 8.4 and template-declarations are described in clause 14. Namespace-definitions are described in 7.3.1, using-declarations are described in 7.3.3 and using-directives are described in 7.3.4. — end note ] The simple-declaration

decl-specifier-seq_opt init-declarator-list_opt ;

is divided into two parts: decl-specifiers, the components of a decl-specifier-seq, are described in 7.1 and declarators, the components of an init-declarator-list, are described in clause 8.

Chapter 10 Derived classes [class.derived]

Within paragraph 1, edit the grammar as follows:

access-specifier:

ppp-label

ppp-label:

private

protected

public