SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 24

changes.mady.by.user Martin Sebor

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

An object deriving from a base class typically contains additional member variables that extend the base class. When by-value assigning or copying an object of the derived type to an object of the base type, those additional member variables are not copied because the base class contains insufficient space in which to store them. This action is commonly called slicing the object because the additional members are "sliced off" the resulting object.

Do not initialize an object of base class type with an object of derived class type, except through references, pointers, or pointer-like abstractions (such as std::unique_ptr, or std::shared_ptr).

Noncompliant Code Example

In this noncompliant code example, an object of the derived Manager type is passed by value to a function accepting a base Employee type. Consequently, the Manager objects are sliced, resulting in information loss and unexpected behavior when the print() function is called

Copying a polymorphic object by value can easily result in the object being sliced. That is, only part of the information associated with the object is copied, and the remaining information is lost.

Non-Compliant Code Example

This code example is non-compliant because of the unintended data loss.

Code Block
bgColor#FFCCCC
langcpp
#include <iostream>
#include <string>

class Employee {
public:
  Employee(std::string theName) : name(theName) {};
  string getName() const {return name;}
protected:
  virtual void print(std::ostream &os) const {
    coutos << "Employee: " << getNameget_name() << std::endl;      
  }
private  
public:
  Employee(const std::string &name) : name;
};

class Manager : public Employee {
public:
  Manager(string theName, Employee theEmployee) :name(name) {}
  const std::string &get_name() const { return name; }
  friend std::ostream &operator<<(std::ostream &os, const Employee &e) {
    Employeee.print(theName), assistant(theEmployee) {};
  Employee getAssistant() const {return assistant;}
  virtualos);
    return os;
  }
};
 
class Manager : public Employee {
  Employee assistant;
  
protected:
  void print(std::ostream &os) const override {
    coutos << "Manager: " << getNameget_name() << std::endl;
    coutos << "Assistant: " << assistant.getNamestd::endl << "\t" << get_assistant() << std::endl;      
  }
private  
public:
  Manager(const std::string &name, const Employee &assistant) : Employee(name), assistant(assistant) {}
  const Employee &get_assistant() const { return assistant; }
};

void f(Employee e) {
  std::cout << e;    
}

int main () {
  Employee coder("Joe Smith");
  Employee typist("Bill Jones");
  Manager designer("Jane Doe", typist);
  
  f(coder);
 = designer;  // slices Jane Doe!f(typist);
  coder.printf(designer);
}

In this code, class Manager is derived from class Employee and adds additional information, namely the data member assistant. In main, the object designer of class Manager, which contains an assistant data member typist, is copied by value to the object coder of class Employee. This results in the designer object being sliced, and only the Employee information is copied. Hence, the print() statement results in the When f() is called with the designer argument, the formal parameter in f() is sliced and information is lost. When the object e is printed, Employee::print() is called instead of Manager::print(), resulting in the following output:

Code Block

Employee: Jane Doe

...

Doe

...

Compliant Solution (Pointers)
Assuming exactly Using the same class structure as above, if pointers to the objects are used so that objects are copied by reference, then slicing does not occurdefinitions as the noncompliant code example, this compliant solution modifies the definition of f() to require raw pointers to the object, removing the slicing problem.
 Code Block
bgColor#ccccff
langcpp

int main (// Remainder of code unchanged...
 
void f(const Employee *e) {
  if (e) {
  Employee *coder = new Employee   std::cout << *e;
  }
}

int main() {
  Employee coder("Joe Smith");
  Employee *typist = new Employee("Bill Jones");
  Manager *designer = new Manager("Jane Doe", *typist);
  
  f(&coder);
 = designerf(&typist);
  coder->printf(&designer);
}

Now, the object designer is not sliced, and the output is:
This compliant solution also complies with EXP34-C. Do not dereference null pointers in the implementation of f(). With this definition, the program correctly outputs the following.
 Code Block
Employee: Joe Smith
Employee: Bill Jones

 Code Block

Manager: Jane Doe
Assistant: 
	Employee: Bill Jones

Compliant Solution (
...
References)
...
An improved compliant solution, which does not require guarding against null pointers within f(), uses references instead of pointers.
 Code Block
bgColor#ccccff
langcpp
// ... Remainder of code unchanged ...
 
void f(const Employee &e) {
  std::cout << e;
}

int main() {
  Employee coder("Joe Smith");
  Employee typist("Bill Jones");
  Manager designer("Jane Doe", typist);
  
  f(coder);
  f(typist);
  f(designer);
}
Compliant Solution (Noncopyable)
Both previous compliant solutions depend on consumers of the Employee and Manager types to be declared in a compliant manner with the expected usage of the class hierarchy. This compliant solution ensures that consumers are unable to accidentally slice objects by removing the ability to copy-initialize an object that derives from Noncopyable. If copy-initialization is attempted, as in the original definition of f(), the program is ill-formed and a diagnostic will be emitted. However, such a solution also restricts the Manager object from attempting to copy-initialize its Employee object, which subtly changes the semantics of the class hierarchy.
 Page properties
hiddentrue
I'm not entirely happy with this CS because it now has the chance to use a dangling reference to an Employee object within Manager. The original NCCE, and the previous two CSes both have a potential slicing issue with the Manager constructor as well, and that goes unaddressed. However, a case could be made that the slicing there is intentional if the author of the code does not wish to allow managers to manage other managers for some reason. It's a bit contrived, but the situation does arise in real world code where slicing is desirable, but those situations never involve virtual functions on the base class as they do here.
All told, I think the examples need a bit more love.
 Code Block
bgColor#ccccff
langcpp

int main () {
  auto_ptr<Employee> coder( new Employee("Joe Smith") );
  auto_ptr<Employee> typist( new Employee("Bill Jones") );
  auto_ptr<Manager> designer( new Manager("Jane Doe", *typist) );

  coder = designer; // Smith deleted, Doe xferred
  coder->print();
  // everyone deleted
}

Compliant Solution (References)
Alternatively, references may be used to refer to the various derived employee objects.
 Code Block
bgColor#ccccff

int main #include <iostream>
#include <string>

class Noncopyable {
  Noncopyable(const Noncopyable &) = delete;
  void operator=(const Noncopyable &) = delete;
  
protected:
  Noncopyable() = default;
};

class Employee : Noncopyable {
  // Remainder of the definition is unchanged.
  std::string name;
  
protected:
  virtual void print(std::ostream &os) const {
    os << "Employee: " << get_name() << std::endl;      
  }
  
public:
  Employee(const std::string &name) : name(name) {}
  const std::string &get_name() const { return name; }
  friend std::ostream &operator<<(std::ostream &os, const Employee &e) {
    e.print(os);
    return os;
  }
};
 
class Manager : public Employee {
  const Employee &assistant; // Note: The definition of Employee has been modified.

  // Remainder of the definition is unchanged.
protected:
  void print(std::ostream &os) const override {
    os << "Manager: " << get_name() << std::endl;
    os << "Assistant: " << std::endl << "\t" << get_assistant() << std::endl;      
  }
  
public:
  Manager(const std::string &name, const Employee &assistant) : Employee(name), assistant(assistant) {}
  const Employee &get_assistant() const { return assistant; }
};
 
// If f() were declared as accepting an Employee, the program would be
// ill-formed because Employee cannot be copy-initialized.
void f(const Employee &e) {
  std::cout << e;
}

int main() {
  Employee coder("Joe Smith");
  Employee typist("Bill Jones");
  Manager designer("Jane Doe", typist);

  Employee
 &toPrint = designer;  // Jane remains entire
  toPrint.print( f(coder);
  f(typist);
  f(designer);
}

Compliant Solution (Abstract Base Class)
Noncompliant Code Example
This noncompliant code example uses the same class definitions of Employee and Manager as in the previous noncompliant code example and attempts to store Employee objects in a std::vector. However, because std::vector requires a homogeneous list of elements, slicing occursThe most effective way to avoid slicing of objects is to ensure, whenever possible, that polymorphic base classes are abstract.
 Code Block
bgColor#ccccff

class Employee {
public:
  Employee(string theName) : name(theName) {};
  virtual ~Employee();
  string getName() const {return name;}
  virtual void print() const = 0;
private:
  string name;
};

...
#FFCCCC
langcpp
#include <iostream>
#include <string>
#include <vector>
 
void f(const std::vector<Employee> &v) {
  for (const auto &e : v) {
    std::cout << e;
  }
}

int main() {
  Employee typist("Joe Smith");
  std::vector<Employee> v{typist, Employee("Bill Jones"), Manager("Jane Doe", typist)};
  f(v);
}
Compliant Solution
This compliant solution uses a vector of std::unique_ptr objects, which eliminates the slicing problem.
 Code Block
bgColor#ccccff
langcpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

void f(const std::vector<std::unique_ptr<Employee>> &v) {
  for (const auto &e : v) {
    std::cout << *e;
  }
}

int main() {
  std::vector<std::unique_ptr<Employee>> v;
  
  v.emplace_back(new Employee("Joe Smith"));
  v.emplace_back(new Employee("Bill Jones"));
  v.emplace_back(new Manager("Jane Doe", *v.front()));
  
  f(v);
}
Risk Assessment
Slicing results in information being lostloss, which could lead to a program not working properly and hence to a abnormal program execution or denial-of-service  attackattacks.
Rule
Severity
Likelihood
Remediation Cost
Priority
Level
 OBJ33-CPP 
 1 (low) 
 2 (probable) 
 1 (high) 
 P2 
 L3 
References
 Wiki Markup
\[[Dewhurst 02|AA. References#Dewhurst 02]\] Gotcha #38, "Slicing"
\[[ISO/IEC 14882-2003|AA. References#ISO/IEC 14882-2003]\] Section 9, "Classes"
\[[Sutter 00|AA. References#Sutter 00]\] GotW #22: "Object Lifetimes - Part I"
OOP51-CPP
Low
Probable
Medium
 P4 
 L3 
Automated Detection
Tool
Version
Checker
Description
CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
LANG.CAST.OBJSLICE
Object Slicing
Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C++3072
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_CPP-OOP51-a
Avoid slicing function arguments / return value
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C++: OOP51-CPPChecks for object slicing (rule partially covered)
PVS-Studio
 Include Page
PVS-Studio_V
PVS-Studio_V
V1054
Related Vulnerabilities
Search for other vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard
ERR61-CPP. Catch exceptions by lvalue reference
CTR56-CPP. Do not use pointer arithmetic on polymorphic objects 
SEI CERT C Coding Standard 
EXP34-C. Do not dereference null pointers
Bibliography
[Dewhurst 2002]Gotcha #38, "Slicing"
[ISO/IEC 14882-2014]Subclause 12.8, "Copying and Moving Class Objects"
[Sutter 2000]Item 40, "Object Lifetimes—Part I"

...
 Image Added   Image Added   Image Added OBJ30-CPP. A class should not invoke its own virtual functions in its constructors or destructors      13. Object Oriented Programming (OOP)      OBJ34-CPP. Ensure the proper destructor is called for polymorphic objects