== 接口 ==
Classes that satisfy certain conditions are allowed, but not required, to end with an Interface suffix.
*只含有public纯虚("= 0")方法和静态方法(析构函数看下面)。
接口类不能被直接实例化,因为它声明了纯虚方法。为了确保这个接口的所有实现都正确地销毁了,这个接口也必须声明虚析构函数(作为第一条规则的例外,析构不能是纯虚的)。细节参见Stroustrup的《The C++ Programming Language》第三版,第12.4节。
== 操作符重载 ==
*有些操作符也能接受指针,更容易引入bug。Foo + 4做的是一件事情,而&Foo + 4则会做完全不同的事情。编译器不会报告其中任何一种情况,使得debug更困难。
总的来说,不要重载操作符。特别是赋值操作符(operator=)很危险,应该避免定义。如果需要的话,可以定义类似Equals()和 CopyFrom()的函数。同样,无论如何应该避免定义危险的一元操作符&,如果这个类有任何会被前置声明的可能性的话。
但是,在非常罕见的情况下,你需要重载操作符来与模板和“标准”C++类交互(比如用operator<<(ostream&, T const &)来记录日志)。如果条件完全满足的话也是可以接受的,但你应该试图尽量避免这些。特别是,不要仅仅为了让你的类可以在STL容器中用作key就重载operator==或operator<;取而代之的是,你在声明容器的时候应该建立相等和比较的仿函数类型。
== 访问控制 ==
== 声明顺序 ==
= 写短函数 =
= 其他C++特性 =
== 引用参数 ==
在C里,如果一个参数需要修改变量,参数就必须是指针,也就是,int foo(int* pval)。在C++里,函数也可以定义成引用参数:int foo(int& val)。
把参数定义成引用可以避免丑陋的代码,比如++ (*pval)。对于一些类似拷贝构造函数来说是必须的。需要注意的是,不像指针,NULL不被认为是个可能的值。
void Foo(string const & in, string* out);
但是,有些情况下用T const *比用T const &作为输入参数更好。比如:你要传进NULL。函数往输入中存入指针或引用。记住大部分时候输入参数应该指定为T const &。用T const *会告诉读者这个输入由于某些原因需要特别对待。所以如果你选了T const *而不是T const &,就需要一个合理的理由;否则会让读者感到混乱,他们会试图寻找一个不存在的解释。
const variables, data members, methods and arguments add a level of compile-time type checking; it is better to detect errors as soon as possible. Therefore we strongly recommend that you use const whenever it makes sense to do so:
*If a function does not modify an argument passed by reference or by pointer, that argument should be const.
*Declare methods to be const whenever possible. Accessors should almost always be const. Other methods should be const if they do not modify any data members, do not call any non-const methods, and do not return a non-const pointer or non-const reference to a data member.
*Consider making data members const whenever they do not need to be modified after construction.
Make data members private, and provide access to them through accessor functions as needed. Typically a variable would be called foo_ and the accessor function foo(). You may also want a mutator function set_foo(). Exception: static const data members (typically called Foo) need not be private.
However, do not go crazy with const. Something like const int * const * const x; is likely overkill, even if it accurately describes how const x is. Focus on what's really useful to know: in this case, const int** x is probably sufficient.
The definitions of accessors are usually inlined in the header file.
The mutable keyword is allowed but is unsafe when used with threads, so thread safety should be carefully considered first.
'''Where to put the const'''
Prefer int const * foo to const int* foo. It keeps the rule that const always follows the object it's describing.
Use the specified order of declarations within a class: public: before private:, methods before data members (variables), etc.
== Integer Types ==
Your class definition should start with its public: section, followed by its protected: section and then its private: section. If any of these sections are empty, omit them.
Of the built-in C++ integer types, the only one used is int. If a program needs a variable of a different size, use a precise-width integer type from <boost/stdint.hpp>, such as int16_t.
Within each section, the declarations generally should be in the following order:
C++ does not specify the sizes of its integer types. Typically people assume that short is 16 bits, int is 32 bits, long is 32 bits and long long is 64 bits.
*Typedefs and Enums
*Constants (static const data members)
Uniformity of declaration.
*Methods, including static methods
*Data Members (except static const data members)
Friend declarations should always be in the private section, and the copy constructor and assignment operator for disallow copying should be at the end of the private: section. It should be the last thing in the class. See [[#Copy Constructors|Copy Constructors]].
The sizes of integral types in C++ can vary based on compiler and architecture.
Method definitions in the corresponding .cpp file should be the same as the declaration order, as much as possible.
<boost/stdint.hpp> defines types like int16_t, uint32_t, int64_t, etc. You should always use those in preference to short, unsigned long long and the like, when you need a guarantee on the size of an integer. Of the C integer types, only int should be used. When appropriate, you are welcome to use standard types like size_t and ptrdiff_t.
Do not put large method definitions inline in the class definition. Usually, only trivial or performance-critical, and very short, methods may be defined inline. See C++ style guide#Inline Functions|Inline Functions]] for more details.
We use int very often, for integers we know are not going to be too big, e.g., loop counters. Use plain old int for such things. You should assume that an int is at least 32 bits, but don't assume that it has more than 32 bits. If you need a 64-bit integer type, use int64_t or uint64_t.
= 写短函数 =
For integers we know can be "big", use int64_t.
= 其他C++特性 =
You should not use the unsigned integer types such as uint32_t, unless the quantity you are representing is really a bit pattern rather than a number, or unless you need defined twos-complement overflow. In particular, do not use unsigned types to say a number will never be negative. Instead, use assertions for this.
'''On Unsigned Integers'''
Some people, including some textbook authors, recommend using unsigned types to represent numbers that are never negative. This is intended as a form of self-documentation. However, in C, the advantages of such documentation are outweighed by the real bugs it can introduce. Consider:
for (unsigned int i = foo.Length() - 1; i >= 0; -- i)
This code will never terminate! Sometimes gcc will notice this bug and warn you, but often it will not. Equally bad bugs can occur when comparing signed and unsigned variables. Basically, C's type-promotion scheme causes unsigned types to behave differently than one might expect.
So, document that a variable is non-negative using assertions. Don't use an unsigned type.
== 64-bit Portability ==
Code should be 64-bit and 32-bit friendly. Bear in mind problems of printing, comparisons, and structure alignment.
*printf() specifiers for some types are not cleanly portable between 32-bit and 64-bit systems. C99 defines some portable format specifiers. Unfortunately, MSVC 7.1 does not understand some of these specifiers and the standard is missing a few, so we have to define our own ugly versions in some cases (in the style of the standard include file inttypes.h):
// printf macros for size_t, in the style of inttypes.h
#ifdef _LP64
#define __PRIS_PREFIX "z"
#define __PRIS_PREFIX
// Use these macros after a % in a printf format string
// to get correct 32/64 bit behavior, like this:
// size_t size = records.size();
// printf("%"PRIuS"\n", size);
#define PRIdS __PRIS_PREFIX "d"
#define PRIxS __PRIS_PREFIX "x"
#define PRIuS __PRIS_PREFIX "u"
#define PRIoS __PRIS_PREFIX "o"
{| border="1" cellspacing="0" cellpadding="5" align="center"
!DO NOT use
!DO use
|void * (or any pointer)
|%qd, %lld
|%qu, %llu, %llx
|%"PRIu64", %"PRIx64"
|%"PRIuS", %"PRIxS"
|C99 specifies %zu
|C99 specifies %zd
Note that the PRI* macros expand to independent strings which are concatenated by the compiler. Hence if you are using a non-constant format string, you need to insert the value of the macro into the format, rather than the name. It is still possible, as usual, to include length specifiers, etc., after the % when using the PRI* macros. So, e.g. printf("x = %30"PRIuS"\n", x) would expand on 32-bit Linux to printf("x = %30" "u" "\n", x), which the compiler will treat as printf("x = %30u\n", x).
*Remember that sizeof(void*) != sizeof(int). Use intptr_t if you want a pointer-sized integer.
*You may need to be careful with structure alignments, particularly for structures being stored on disk. Any class/structure with a int64_t/uint64_t member will by default end up being 8-byte aligned on a 64-bit system. If you have such structures being shared on disk between 32-bit and 64-bit code, you will need to ensure that they are packed the same on both architectures. Most compilers offer a way to alter structure alignment. For both MSVC and gcc, you can use #pragma pack().
*Use the LL or ULL suffixes as needed to create 64-bit constants. For example:
int64_t my_value = 0x123456789LL;
uint64_t my_mask = 3ULL << 48;
If you really need different code on 32-bit and 64-bit systems, use #ifdef _LP64 to choose between the code variants. (But please avoid this if possible, and keep any such changes localized.)
== Preprocessor Macros ==
Be very cautious with macros. Prefer inline functions, enums, and const variables to macros.
Macros mean that the code you see is not the same as the code the compiler sees. This can introduce unexpected behavior, especially since macros have global scope.
Luckily, macros are not nearly as necessary in C++ as they are in C. Instead of using a macro to inline performance-critical code, use an inline function. Instead of using a macro to store a constant, use a const variable. Instead of using a macro to "abbreviate" a long variable name, use a reference. Instead of using a macro to conditionally compile code ... well, don't do that at all (except, of course, for the #define guards to prevent double inclusion of header files). It makes testing much more difficult.
Macros can do things these other techniques cannot, and you do see them in the codebase, especially in the lower-level libraries. And some of their special features (like stringifying, concatenation, and so forth) are not available through the language proper. But before using a macro, consider carefully whether there's a non-macro way to achieve the same result.
The following usage pattern will avoid many problems with macros; if you use macros, follow it whenever possible:
*Don't define macros in a .h file.
*#define macros right before you use them, and #undef them right after.
*Do not just #undef an existing macro before replacing it with your own; instead, pick a name that's likely to be unique.
*Try not to use macros that expand to unbalanced C++ constructs, or at least document that behavior well.
*Prefer not using ## to generate function/class/variable names.
== 0 and NULL ==
Use 0 for integers, 0.0 for reals, NULL for pointers, and '\0' for chars.
Use 0 for integers and 0.0 for reals. This is not controversial.
For pointers (address values), there is a choice between 0 and NULL. Bjarne Stroustrup prefers an unadorned 0. We prefer NULL because it looks like a pointer. In fact, some C++ compilers, such as gcc 4.1.0, provide special definitions of NULL which enable them to give useful warnings, particularly in situations where sizeof(NULL) is not equal to sizeof(0).
Use '\0' for chars. This is the correct type and also makes code more readable.
== sizeof ==
Use sizeof(varname) instead of sizeof(type) whenever possible.
Use sizeof(varname) because it will update appropriately if the type of the variable changes. sizeof(type) may make sense in some cases, but should generally be avoided because it can fall out of sync if the variable's type changes.
// Good
Struct data;
memset(&data, 0, sizeof(data));
// Bad
memset(&data, 0, sizeof(Struct));
== C++11 ==
Any libraries and language extensions from C++11 (formerly known as C++0x) must be inside #ifdef KLAYGE_CXX11_SUPPORT/#endif.
C++11 is the latest ISO C++ standard. It contains significant changes both to the language and libraries.
C++11 has become the official standard, and eventually will be supported by most C++ compilers. It standardizes some common C++ extensions that we use already, allows shorthands for some operations, and has some performance and safety improvements.
The C++11 standard is substantially more complex than its predecessor (1,300 pages versus 800 pages), and is unfamilar to many developers. The long-term effects of some features on code readability and maintenance are unknown. We cannot predict when its various features will be implemented uniformly by tools that may be of interest (gcc, icc, clang, Eclipse, etc.).
As with Boost, some C++11 extensions encourage coding practices that hamper readability - for example by removing checked redundancy (such as type names) that may be helpful to readers, or by encouraging template metaprogramming. Other extensions duplicate functionality available through existing mechanisms, which may lead to confusion and conversion costs.
Any C++11 libraries and language features must be separated by #ifdef KLAYGE_CXX11_SUPPORT/#endif. And implement a C++98 version for compatibility. Avoid writing code that is incompatible with C++11 (even though it works in C++03).
所有的头文件都应该同时有“#define防护”和“#pragma once”,以防止多次包含,并能加速编译。符号名的格式是_<FILE>_HPP。比如,文件foo.hpp应该有这样的防护:

#ifndef _FOO_HPP
#define _FOO_HPP

#pragma once


#endif		// _FOO_HPP




通过使用前置声明,你可以显著地减少在你的头文件中需要包含的其他头文件数量。比如,如果你的头文件使用了File类,但不需要访问到File类的定义,你的头文件只需要前置声明一个class File,而不用#include "base/file.hpp"。在KlayGE中,所有的类和结构都在"KlayGE/PreDeclare.hpp"中进行了前置声明。你可以在你的.hpp开头#include它。


  • 可以把数据成员的类型定义成Foo*或Foo&。
  • 在函数的声明(但不是定义)中,可以使用Foo类型的参数和/或返回类型。(例外之一是,如果一个参数Foo或Foo const &有非显式的、单参数构造函数,你就需要完整的定义才能支持自动类型转换。)
  • 可以声明Foo类型的静态数据成员。这是因为静态数据成员是在类定义之外进行定义的。
























#include <KlayGE/foo.hpp>


  1. KlayGE/KlayGE.hpp
  2. dir2/foo2.hpp (推荐的位置——细节参见下面)。
  3. C系统文件。
  4. C++系统文件
  5. 其他库的.hpp文件。
  6. 你项目的.hpp文件。




#include <KlayGE/KlayGE.hpp>

#include <KlayGE/foo.hpp>

#include <vector>

#include <boost/shared_ptr.hpp>

#include <KlayGE/Math.hpp>
#include <KlayGE/ResLoader.hpp>















  • 在.cpp文件中使用匿名命名空间是允许的,甚至鼓励的,可以避免运行期名字冲突:
	// 在.cpp文件里

	// 命名空间里的内容需要缩进
	};       // 常用的常量

	bool AtEof()
		return EOF == pos_;
	}  // 使用命名空间里的EOF


  • 不要在.hpp文件中使用匿名命名空间



  • 命名空间可以围绕整个源文件,在include、定义/声明、以及来自其他命名空间的类的前置声明之后:
// 在.hpp文件中
namespace mynamespace
	// 所有的声明都在命名空间的范围内
	// 注意缩进
	class MyClass
		void Foo();

// 在.cpp文件中
namespace mynamespace
	// 在命名空间范围内的函数定义
	void MyClass::Foo()


#include "a.hpp"

#define someflag "dummy flag"

class C;	// 在全局命名空间中类C的前置声明
namespace a
	class A;	// a::A的前置声明

namespace b
	...code for b...
  • 不要在std命名空间内声明任何东西,即使是标准库类的前置声明。在std命名空间中声明一个东西会导致未定义的行为,也就是,不可移植。要声明标准库中的东西,就包含适当的头文件。
  • 不能使用using指示符从一个命名空间中开放出所有的名字。


// 禁止 -- 污染了命名空间。
using namespace foo;
  • 可以在.cpp文件的任何地方使用using声明,在.hpp文件的函数、方法和类中使用using声明。


// 可以在.cpp文件中
// 在.hpp中的话,就必须在函数、方法或类中
using ::foo::bar;
  • 可以在.cpp文件的任何地方使用命名空间别名,在围绕整个.hpp文件的名字空间内的任何地方、以及函数和方法内使用命名空间别名。
// 在.cpp文件中把常用的名字缩短
namespace fbz = ::foo::bar::baz;

// 在.hpp文件中把常用的名字缩短
namespace librarian
	// 下面的别名可以用于任何包含着个头文件的地方
	// (在librarian命名空间中):
	// 别名应该在项目内保持一致
	namespace pd_s = ::pipeline_diagnostics::sidetable;

	inline void my_inline_function()
		// 命名空间别名在函数(或方法)内
		namespace fbz = ::foo::bar::baz;






class Foo
	// Bar是一个成员类,内嵌在Foo中
	class Bar





















int i;
i = f();	// 错误 -- 初始化和声明分开了


int j = g();	// 正确 -- 声明就初始化

注意,MSVC和gcc正确地实现了for (int i = 0; i < 10; ++ i)(i的生命期只在for循环的范围内),所以你在同范围的其他循环仍可以重用i。在if和while语句内,声明范围也是这样的规则,比如:

while (const char* p = strchr(str, '/'))
	str = p + 1;


// 低效的实现:
for (int i = 0; i < 1000000; ++ i)
	Foo f;  // 构造和析构各会调用1000000次


Foo f;  // 构造和析构只调用一次
for (int i = 0; i < 1000000; ++ i)



含有静态存储周期的对象,包括全局变量、静态变量、静态类成员变量、以及函数静态变量,必须是纯数据的类型(POD): int、char、floats、指针、或POD的数组或结构体。



结果我们只允许静态变量包含POD数据。这个规则完全禁止了vector(使用C数组来代替),或字符串(使用char const []来代替)。











  • 让构造函数发出错误信号很不容易,没法使用异常。
  • 如果失败了,就意味着你有了个初始化失败的对象,也就是处于一个不确定的状态。
  • 如果调用了虚函数,那么将不会调用到子类实现。即使你的类现在还没有子类,一旦以后做了修改,仍将会默默地引入一些问题,造成很多混乱。
  • 如果有人建立了这个类型的一个全局变量(这是违反规则的),构造函数的代码会在main()之前就被调用,可能会破坏构造函数代码中的一些隐含假设。


















通常,如果一个构造函数只有一个参数,它可能用作转换。比如,如果你定义了Foo::Foo(string name),然后把字符串传给一个希望得到Foo的函数,那么字符串会通过那个构造函数转换成Foo,然后把Foo传给那个函数。这看起来很方便,但同时也成为麻烦之源,你不希望出现的新对象被构造和转换。把构造函数定义成explicit就能阻止它以转换的形式被隐式调用。






我们要求所有单参数构造函数都定义成explicit。在类定义里,总是把explicit放在单参数构造函数的前面:explicit Foo(string name);













如果你的类不需要拷贝构造函数和赋值操作符,你必须显式禁止它们。方法是,在类的private:里加一个拷贝构造函数和赋值操作符的空声明,但不要提供任何相应的定义(所以试图使用它们一定会导致链接错误)。比如,在class Foo:

class Foo
	Foo(int f0, int f1);

	Foo(Foo const &);
	void operator=(Foo const &);



































  • 只含有public纯虚("= 0")方法和静态方法(析构函数看下面)。
  • 不能有非静态数据成员。
  • 不需要定义任何构造函数。如果提供了构造函数,它不能有参数而且必须是protected。
  • 如果是个子类,它只能从符合这些条件而且有Interface后缀的类继承而来。

接口类不能被直接实例化,因为它声明了纯虚方法。为了确保这个接口的所有实现都正确地销毁了,这个接口也必须声明虚析构函数(作为第一条规则的例外,析构不能是纯虚的)。细节参见Stroustrup的《The C++ Programming Language》第三版,第12.4节。















  • 它会愚弄你的直觉,让你以为昂贵的操作是廉价的内建操作。
  • 重载操作符让调用的位置更加难以寻找。搜索Equals()比搜索==的相关调用容易得多。
  • 有些操作符也能接受指针,更容易引入bug。Foo + 4做的是一件事情,而&Foo + 4则会做完全不同的事情。编译器不会报告其中任何一种情况,使得debug更困难。
  • 重载也会有意外的副作用。例如,如果一个类重载了一元操作符&,它就不能安全地进行前置声明。


总的来说,不要重载操作符。特别是赋值操作符(operator=)很危险,应该避免定义。如果需要的话,可以定义类似Equals()和 CopyFrom()的函数。同样,无论如何应该避免定义危险的一元操作符&,如果这个类有任何会被前置声明的可能性的话。

但是,在非常罕见的情况下,你需要重载操作符来与模板和“标准”C++类交互(比如用operator<<(ostream&, T const &)来记录日志)。如果条件完全满足的话也是可以接受的,但你应该试图尽量避免这些。特别是,不要仅仅为了让你的类可以在STL容器中用作key就重载operator==或operator<;取而代之的是,你在声明容器的时候应该建立相等和比较的仿函数类型。











  • Typedef和枚举
  • 常量(静态常量数据成员)
  • 构造函数
  • 析构函数
  • 函数,包括静态函数
  • 数据成员(除了静态常量数据成员)












定义: 在C里,如果一个参数需要修改变量,参数就必须是指针,也就是,int foo(int* pval)。在C++里,函数也可以定义成引用参数:int foo(int& val)。

优点: 把参数定义成引用可以避免丑陋的代码,比如++ (*pval)。对于一些类似拷贝构造函数来说是必须的。需要注意的是,不像指针,NULL不被认为是个可能的值。

缺点: 引用可能容易混淆,因为他们有值的语法,但是指针的语义。

决定: 函数参数里列出的所有引用都必须是const:

void Foo(string const & in, string* out);


但是,有些情况下用T const *比用T const &作为输入参数更好。比如:你要传进NULL。函数往输入中存入指针或引用。记住大部分时候输入参数应该指定为T const &。用T const *会告诉读者这个输入由于某些原因需要特别对待。所以如果你选了T const *而不是T const &,就需要一个合理的理由;否则会让读者感到混乱,他们会试图寻找一个不存在的解释。

Function Overloading

Use overloaded functions (including constructors) only if a reader looking at a call site can get a good idea of what is happening without having to first figure out exactly which overload is being called.

Definition: You may write a function that takes a const string& and overload it with another that takes char const *.

class MyClass
	void Analyze(string const & text);
	void Analyze(char const * text, size_t textlen);

Pros: Overloading can make code more intuitive by allowing an identically-named function to take different arguments. It may be necessary for templatized code, and it can be convenient for Visitors.

Cons: If a function is overloaded by the argument types alone, a reader may have to understand C++'s complex matching rules in order to tell what's going on. Also many people are confused by the semantics of inheritance if a derived class overrides only some of the variants of a function.

Decision: If you want to overload a function, consider qualifying the name with some information about the arguments, e.g., AppendString(), AppendInt() rather than just Append().

Default Arguments

We do not allow default function parameters, except in a few uncommon situations explained below.

Pros: Often you have a function that uses lots of default values, but occasionally you want to override the defaults. Default parameters allow an easy way to do this without having to define many functions for the rare exceptions.

Cons: People often figure out how to use an API by looking at existing code that uses it. Default parameters are more difficult to maintain because copy-and-paste from previous code may not reveal all the parameters. Copy-and-pasting of code segments can cause major problems when the default arguments are not appropriate for the new code.

Decision: Except as described below, we require all arguments to be explicitly specified, to force programmers to consider the API and the values they are passing for each argument rather than silently accepting defaults they may not be aware of.

One specific exception is when default arguments are used to simulate variable-length argument lists.

// Support up to 4 params by using a default empty AlphaNum.
string StrCat(AlphaNum const & a,
	AlphaNum const & b = EmptyAlphaNum,
	AlphaNum const &c = EmptyAlphaNum,
	AlphaNum const &d = EmptyAlphaNum);

Variable-Length Arrays and alloca()

We do not allow variable-length arrays or alloca().

Pros: Variable-length arrays have natural-looking syntax. Both variable-length arrays and alloca() are very efficient.

Cons: Variable-length arrays and alloca are not part of Standard C++. More importantly, they allocate a data-dependent amount of stack space that can trigger difficult-to-find memory overwriting bugs: "It ran fine on my machine, but dies mysteriously in production".

Decision: Use a safe allocator instead, such as scoped_ptr/scoped_array.


We allow use of friend classes and functions, within reason.

Friends should usually be defined in the same file so that the reader does not have to look in another file to find uses of the private members of a class. A common use of friend is to have a FooBuilder class be a friend of Foo so that it can construct the inner state of Foo correctly, without exposing this state to the world. In some cases it may be useful to make a unittest class a friend of the class it tests.

Friends extend, but do not break, the encapsulation boundary of a class. In some cases this is better than making a member public when you want to give only one other class access to it. However, most classes should interact with other classes solely through their public members.


We use C++ exceptions judiciously.


  • Exceptions allow higher levels of an application to decide how to handle "can't happen" failures in deeply nested functions, without the obscuring and error-prone bookkeeping of error codes.
  • Exceptions are used by most other modern languages. Using them in C++ would make it more consistent with Python, Java, and the C++ that others are familiar with.
  • Some third-party C++ libraries use exceptions, and turning them off internally makes it harder to integrate with those libraries.
  • Exceptions are the only way for a constructor to fail. We can simulate this with a factory function or an Init() method, but these require heap allocation or a new "invalid" state, respectively.
  • Exceptions are really handy in testing frameworks.


  • When you add a throw statement to an existing function, you must examine all of its transitive callers. Either they must make at least the basic exception safety guarantee, or they must never catch the exception and be happy with the program terminating as a result. For instance, if f() calls g() calls h(), and h throws an exception that f catches, g has to be careful or it may not clean up properly.
  • More generally, exceptions make the control flow of programs difficult to evaluate by looking at code: functions may return in places you don't expect. This causes maintainability and debugging difficulties. You can minimize this cost via some rules on how and where exceptions can be used, but at the cost of more that a developer needs to know and understand.
  • Exception safety requires both RAII and different coding practices. Lots of supporting machinery is needed to make writing correct exception-safe code easy. Further, to avoid requiring readers to understand the entire call graph, exception-safe code must isolate logic that writes to persistent state into a "commit" phase. This will have both benefits and costs (perhaps where you're forced to obfuscate code to isolate the commit). Allowing exceptions would force us to always pay those costs even when they're not worth it.
  • Turning on exceptions adds data to each binary produced, increasing compile time (probably slightly) and possibly increasing address space pressure.
  • The availability of exceptions may encourage developers to throw them when they are not appropriate or recover from them when it's not safe to do so. For example, invalid user input should not cause exceptions to be thrown. We would need to make the style guide even longer to document these restrictions!

Decision: Use exception to throw error, not passing a parameter or calling a function.

Run-Time Type Information (RTTI)

We do use Run Time Type Information (RTTI) carefully.

Definition: RTTI allows a programmer to query the C++ class of an object at run time.

Pros: It is useful in some unittests. For example, it is useful in tests of factory classes where the test has to verify that a newly created object has the expected dynamic type.

In rare circumstances, it is useful even outside of tests.

Cons: A query of type during run-time typically means a design problem. If you need to know the type of an object at runtime, that is often an indication that you should reconsider the design of your class.

Decision: Use RTTI carefully. If you find yourself in need of writing code that behaves differently based on the class of an object, consider one of the alternatives to querying the type.

Virtual methods are the preferred way of executing different code paths depending on a specific subclass type. This puts the work within the object itself.

If the work belongs outside the object and instead in some processing code, consider a double-dispatch solution, such as the Visitor design pattern. This allows a facility outside the object itself to determine the type of class using the built-in type system.

If you think you truly cannot use those ideas, you may use RTTI. But think twice about it. :-) Then think twice again. Do not hand-implement an RTTI-like workaround. The arguments against RTTI apply just as much to workarounds like class hierarchies with type tags.


Use C++ casts like static_cast<>(). Do not use other cast formats like int y = (int)x; or int y = int(x);.

Definition: C++ introduced a different cast system from C that distinguishes the types of cast operations.

Pros: The problem with C casts is the ambiguity of the operation; sometimes you are doing a conversion (e.g., (int)3.5) and sometimes you are doing a cast (e.g., (int)"hello"); C++ casts avoid this. Additionally C++ casts are more visible when searching for them.

Cons: The syntax is nasty.

Decision: Do not use C-style casts. Instead, use these C++-style casts.

Use static_cast as the equivalent of a C-style cast that does value conversion, or when you need to explicitly up-cast a pointer from a class to its superclass. Use const_cast to remove the const qualifier (see const). Use reinterpret_cast to do unsafe conversions of pointer types to and from integer and other pointer types. Use this only if you know what you are doing and you understand the aliasing issues. Use dynamic_cast carefully. If you need to know type information at runtime in this way outside of a unittest, you probably have a design flaw.

Preincrement and Predecrement

Use prefix form (++ i) of the increment and decrement operators with iterators and other template objects.

Definition: When a variable is incremented (++ i or i ++) or decremented (-- i or i --) and the value of the expression is not used, one must decide whether to preincrement (decrement) or postincrement (decrement).

Pros: When the return value is ignored, the "pre" form (++i) is never less efficient than the "post" form (i++), and is often more efficient. This is because post-increment (or decrement) requires a copy of i to be made, which is the value of the expression. If i is an iterator or other non-scalar type, copying i could be expensive. Since the two types of increment behave the same when the value is ignored, why not just always pre-increment?

Cons: The tradition developed, in C, of using post-increment when the expression value is not used, especially in for loops. Some find post-increment easier to read, since the "subject" (i) precedes the "verb" (++), just like in English.

Decision: For simple scalar (non-object) values there is no reason to prefer one form and we allow either. For iterators and other template types, use pre-increment.

Use of const

We strongly recommend that you use const whenever it makes sense to do so.

Definition: Declared variables and parameters can be preceded by the keyword const to indicate the variables are not changed (e.g., const int foo). Class functions can have the const qualifier to indicate the function does not change the state of the class member variables (e.g., class Foo { int Bar(char c) const; };).

Pros: Easier for people to understand how variables are being used. Allows the compiler to do better type checking, and, conceivably, generate better code. Helps people convince themselves of program correctness because they know the functions they call are limited in how they can modify your variables. Helps people know what functions are safe to use without locks in multi-threaded programs.

Cons: const is viral: if you pass a const variable to a function, that function must have const in its prototype (or the variable will need a const_cast). This can be a particular problem when calling library functions.

Decision: const variables, data members, methods and arguments add a level of compile-time type checking; it is better to detect errors as soon as possible. Therefore we strongly recommend that you use const whenever it makes sense to do so:

  • If a function does not modify an argument passed by reference or by pointer, that argument should be const.
  • Declare methods to be const whenever possible. Accessors should almost always be const. Other methods should be const if they do not modify any data members, do not call any non-const methods, and do not return a non-const pointer or non-const reference to a data member.
  • Consider making data members const whenever they do not need to be modified after construction.

However, do not go crazy with const. Something like const int * const * const x; is likely overkill, even if it accurately describes how const x is. Focus on what's really useful to know: in this case, const int** x is probably sufficient.

The mutable keyword is allowed but is unsafe when used with threads, so thread safety should be carefully considered first.

Where to put the const

Prefer int const * foo to const int* foo. It keeps the rule that const always follows the object it's describing.

Integer Types

Of the built-in C++ integer types, the only one used is int. If a program needs a variable of a different size, use a precise-width integer type from <boost/stdint.hpp>, such as int16_t.

Definition: C++ does not specify the sizes of its integer types. Typically people assume that short is 16 bits, int is 32 bits, long is 32 bits and long long is 64 bits.

Pros: Uniformity of declaration.

Cons: The sizes of integral types in C++ can vary based on compiler and architecture.

Decision: <boost/stdint.hpp> defines types like int16_t, uint32_t, int64_t, etc. You should always use those in preference to short, unsigned long long and the like, when you need a guarantee on the size of an integer. Of the C integer types, only int should be used. When appropriate, you are welcome to use standard types like size_t and ptrdiff_t.

We use int very often, for integers we know are not going to be too big, e.g., loop counters. Use plain old int for such things. You should assume that an int is at least 32 bits, but don't assume that it has more than 32 bits. If you need a 64-bit integer type, use int64_t or uint64_t.

For integers we know can be "big", use int64_t.

You should not use the unsigned integer types such as uint32_t, unless the quantity you are representing is really a bit pattern rather than a number, or unless you need defined twos-complement overflow. In particular, do not use unsigned types to say a number will never be negative. Instead, use assertions for this.

On Unsigned Integers

Some people, including some textbook authors, recommend using unsigned types to represent numbers that are never negative. This is intended as a form of self-documentation. However, in C, the advantages of such documentation are outweighed by the real bugs it can introduce. Consider:

for (unsigned int i = foo.Length() - 1; i >= 0; -- i)

This code will never terminate! Sometimes gcc will notice this bug and warn you, but often it will not. Equally bad bugs can occur when comparing signed and unsigned variables. Basically, C's type-promotion scheme causes unsigned types to behave differently than one might expect.

So, document that a variable is non-negative using assertions. Don't use an unsigned type.

64-bit Portability

Code should be 64-bit and 32-bit friendly. Bear in mind problems of printing, comparisons, and structure alignment.

  • printf() specifiers for some types are not cleanly portable between 32-bit and 64-bit systems. C99 defines some portable format specifiers. Unfortunately, MSVC 7.1 does not understand some of these specifiers and the standard is missing a few, so we have to define our own ugly versions in some cases (in the style of the standard include file inttypes.h):
// printf macros for size_t, in the style of inttypes.h
#ifdef _LP64
#define __PRIS_PREFIX "z"
#define __PRIS_PREFIX

// Use these macros after a % in a printf format string
// to get correct 32/64 bit behavior, like this:
// size_t size = records.size();
// printf("%"PRIuS"\n", size);

#define PRIdS __PRIS_PREFIX "d"
#define PRIxS __PRIS_PREFIX "x"
#define PRIuS __PRIS_PREFIX "u"
#define PRIoS __PRIS_PREFIX "o"
Type DO NOT use DO use Notes
void * (or any pointer) %lx %p
int64_t %qd, %lld %"PRId64"
uint64_t %qu, %llu, %llx %"PRIu64", %"PRIx64"
size_t %u %"PRIuS", %"PRIxS" C99 specifies %zu
ptrdiff_t %d %"PRIdS" C99 specifies %zd

Note that the PRI* macros expand to independent strings which are concatenated by the compiler. Hence if you are using a non-constant format string, you need to insert the value of the macro into the format, rather than the name. It is still possible, as usual, to include length specifiers, etc., after the % when using the PRI* macros. So, e.g. printf("x = %30"PRIuS"\n", x) would expand on 32-bit Linux to printf("x = %30" "u" "\n", x), which the compiler will treat as printf("x = %30u\n", x).

  • Remember that sizeof(void*) != sizeof(int). Use intptr_t if you want a pointer-sized integer.
  • You may need to be careful with structure alignments, particularly for structures being stored on disk. Any class/structure with a int64_t/uint64_t member will by default end up being 8-byte aligned on a 64-bit system. If you have such structures being shared on disk between 32-bit and 64-bit code, you will need to ensure that they are packed the same on both architectures. Most compilers offer a way to alter structure alignment. For both MSVC and gcc, you can use #pragma pack().
  • Use the LL or ULL suffixes as needed to create 64-bit constants. For example:
int64_t my_value = 0x123456789LL;
uint64_t my_mask = 3ULL << 48;

If you really need different code on 32-bit and 64-bit systems, use #ifdef _LP64 to choose between the code variants. (But please avoid this if possible, and keep any such changes localized.)

Preprocessor Macros

Be very cautious with macros. Prefer inline functions, enums, and const variables to macros.

Macros mean that the code you see is not the same as the code the compiler sees. This can introduce unexpected behavior, especially since macros have global scope.

Luckily, macros are not nearly as necessary in C++ as they are in C. Instead of using a macro to inline performance-critical code, use an inline function. Instead of using a macro to store a constant, use a const variable. Instead of using a macro to "abbreviate" a long variable name, use a reference. Instead of using a macro to conditionally compile code ... well, don't do that at all (except, of course, for the #define guards to prevent double inclusion of header files). It makes testing much more difficult.

Macros can do things these other techniques cannot, and you do see them in the codebase, especially in the lower-level libraries. And some of their special features (like stringifying, concatenation, and so forth) are not available through the language proper. But before using a macro, consider carefully whether there's a non-macro way to achieve the same result.

The following usage pattern will avoid many problems with macros; if you use macros, follow it whenever possible:

  • Don't define macros in a .h file.
    1. define macros right before you use them, and #undef them right after.
  • Do not just #undef an existing macro before replacing it with your own; instead, pick a name that's likely to be unique.
  • Try not to use macros that expand to unbalanced C++ constructs, or at least document that behavior well.
  • Prefer not using ## to generate function/class/variable names.

0 and NULL

Use 0 for integers, 0.0 for reals, NULL for pointers, and '\0' for chars.

Use 0 for integers and 0.0 for reals. This is not controversial.

For pointers (address values), there is a choice between 0 and NULL. Bjarne Stroustrup prefers an unadorned 0. We prefer NULL because it looks like a pointer. In fact, some C++ compilers, such as gcc 4.1.0, provide special definitions of NULL which enable them to give useful warnings, particularly in situations where sizeof(NULL) is not equal to sizeof(0).

Use '\0' for chars. This is the correct type and also makes code more readable.


Use sizeof(varname) instead of sizeof(type) whenever possible.

Use sizeof(varname) because it will update appropriately if the type of the variable changes. sizeof(type) may make sense in some cases, but should generally be avoided because it can fall out of sync if the variable's type changes.


// Good
Struct data;
memset(&data, 0, sizeof(data));


// Bad
memset(&data, 0, sizeof(Struct));


Any libraries and language extensions from C++11 (formerly known as C++0x) must be inside #ifdef KLAYGE_CXX11_SUPPORT/#endif.

Definition: C++11 is the latest ISO C++ standard. It contains significant changes both to the language and libraries.

Pros: C++11 has become the official standard, and eventually will be supported by most C++ compilers. It standardizes some common C++ extensions that we use already, allows shorthands for some operations, and has some performance and safety improvements.

Cons: The C++11 standard is substantially more complex than its predecessor (1,300 pages versus 800 pages), and is unfamilar to many developers. The long-term effects of some features on code readability and maintenance are unknown. We cannot predict when its various features will be implemented uniformly by tools that may be of interest (gcc, icc, clang, Eclipse, etc.).

As with Boost, some C++11 extensions encourage coding practices that hamper readability - for example by removing checked redundancy (such as type names) that may be helpful to readers, or by encouraging template metaprogramming. Other extensions duplicate functionality available through existing mechanisms, which may lead to confusion and conversion costs.

Decision: Any C++11 libraries and language features must be separated by #ifdef KLAYGE_CXX11_SUPPORT/#endif. And implement a C++98 version for compatibility. Avoid writing code that is incompatible with C++11 (even though it works in C++03).




