You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 42 Next »

Virtual functions allow for static dispatch of member function calls at runtime based on the dynamic type of the object the member function is being called on. This supports object-oriented programming practices commonly associated with object inheritance and function overriding. When calling a member function, if it is nonvirtual, or if a class member access expression is used to denote the call, that function is called. Otherwise, a virtual function call is made to the final overrider in the dynamic type of the object expression.

However, during the construction and destruction of an object, the rules for virtual method dispatch on that object are restricted. The C++ Standard, [class.cdtor], paragraph 4 [ISO/IEC 14882-2014], states:

Member functions, including virtual functions, can be called during construction or destruction. When a virtual function is called directly or indirectly from a constructor or from a destructor, including during the construction or destruction of the class’s non-static data members, and the object to which the call applies is the object (call it x) under construction or destruction, the function called is the final overrider in the constructor’s or destructor’s class and not one overriding it in a more-derived class. If the virtual function call uses an explicit class member access and the object expression refers to the complete object of x or one of that object’s base class subobjects but not x or one of its base class subobjects, the behavior is undefined.

Do not directly or indirectly invoke a virtual function from a constructor or destructor that attempts to call into the object under construction or destruction. Because the order of construction starts with base classes and moves to more-derived classes, attempting to call a derived class function from a base class under construction is dangerous. That is why calling a virtual function from a constructor does not result in a call to a function in a more-derived class – the derived class has not had the opportunity to initialize its resources. Similarly, an object is destroyed in reverse order from construction, and so attempting to call a function in a more-derived class from a destructor may access resources that have already been released.

Noncompliant Code Example

In this noncompliant code example, the base class attempts to seize and release an object's resources through calls to virtual functions from the constructor and destructor. However, it does not result in calling D::seize() or D::release().

struct B {
  B() { seize(); }
  virtual ~B() { release(); }
 
protected:
  virtual void seize();
  virtual void release();
};

struct D : B {
  virtual ~D() = default;
 
protected:
  void seize() override {
    B::seize();
    // get derived resources...
  }
 
  void release() override {
    // release derived resources...
    B::release();
  }
};

The result of running this code is that no derived class resources will be seized or released during the initialization and destruction of object of type D. At the time of the call to seize() from B::B(), the D constructor has not been entered, and the behavior of the under-construction object will be to invoke B::seize rather than D::seize. A similar situation occurs for the call to release in the base class destructor. If the functions seize and release were declared to be pure virtual functions, the result would be undefined behavior.

Compliant Solution

In this compliant solution, the constructors and destructors call a nonvirtual, private member function (suffixed with mine) instead of calling a virtual function. The end result is that each class is responsible for seizing and releasing its own resources.

class B {
  void seize_mine();
  void release_mine();
  
public:
  B() { seize_mine(); }
  virtual ~B() { release_mine(); }

protected:
  virtual void seize() { seize_mine(); }
  virtual void release() { release_mine(); }
};

class D : public B {
  void seize_mine();
  void release_mine();
  
public:
  D() { seize_mine(); }
  virtual ~D() { release_mine(); }

protected:
  void seize() override {
    B::seize();
    seize_mine();
  }
  
  void release() override {
    release_mine();
    B::release();
  }
};

Exceptions

OOP50-CPP-EX1: Since valid uses cases exist that involve calling (non-pure) virtual functions from the constructor of a class, it is permissible to call the virtual function with an explicitly qualified id. This signifies to code maintainers that the expected behavior is for the class under construction or destruction to be the final overrider for the function call.

class A {
  A() {
    // f();   // WRONG!
    A::f();   // okay
  }
  virtual void f();
};

OOP50-CPP-EX2: It is permissible to call a virtual function that has the final virt-specifier from a constructor or destructor, as in this example:

class A {
  A();
  virtual void f();
};
 
class B : public A {
  B() : A() {
    f();  // Okay
  }
  void f() override final;
};

Similarly, it is permissible to call a virtual function from a constructor or destructor of a class that has the final class-virt-specifier, as in this example:

class A {
  A();
  virtual void f();
};
 
class B final : public A {
  B() : A() {
    f();  // Okay
  }
  void f() override;
};

In either case, f() must be the final overrider, guaranteeing consistent behavior of the function being called.

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

OOP50-CPP

Low

Unlikely

Medium

P2

L3

Automated Detection

Tool

Version

Checker

Description

 PRQA QA-C++

 4.4

4260,4261,4273,4274,

4275,4276,4277,4278,

4279,4280,4281,4282

 

Related Vulnerabilities

Search for other vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

 

 

Bibliography

[ISO/IEC 14882-2014]

5.5, "Pointer-to-Member Operators"

[Dewhurst 03]Gotcha 75: Calling Virtual Functions in Constructors and Destructors
[Sutter 04]Item 49: Avoid calling virtual functions in constructors and destructors
[Lockheed Martin 05]AV Rule 71.1 A class'€™s virtual functions shall not be invoked from its destructor or any of its constructors.

 

  • No labels