 
                            Copy operations (copy constructors and copy assignment operators) are expected to copy the salient properties of a source object into the destination object, with the resulting object being a "copy" of the original. What is considered to be a salient property of the type is type-dependent, but for types that expose comparison or equality operators, includes any properties used for those comparison operations. This expectation leads to assumptions in code that a copy operation results in a destination object with a value representation that is equivalent to the source object value representation. Violation of this basic assumption can lead to unexpected behavior, and do not meet the requirements for CopyConstructible or CopyAssignable constraints used with the STL [ISO/IEC 14882-2014].
When implementing a copy operator, do not mutate any externally observable members of the source object operand or globally accessible information. Externally observable members include, but are not limited to, members that participate in comparison or equality operations and members whose values are exposed via public APIs.
For example, in C++03, std::auto_ptr had the following copy operation signatures (note: std::auto_ptr was deprecated in C++11) [ISO/IEC 14882-2003]:
| Copy constructor | auto_ptr(auto_ptr &A); | 
| Copy assignment | auto_ptr& operator=(auto_ptr &A); | 
Both copy construction and copy assignment would mutate the source argument, A, by effectively calling this->reset(A.release()). However, this invalidated assumptions made by standard library algorithms such as std::sort(), which may need to make a copy of an object for later comparisons [Hinnant 05]. Consider an implementation of std::sort() that implements the quick sort algorithm:
// ... value_type pivot_element = *mid_point; // ...
At this point, the sorting algorithm assumes that pivot_element and *mid_point have equivalent value representations and will compare equal. However, for std::auto_ptr, this is not the case because *mid_point has been mutated, and results unexpected behavior.
Generally, a copy operation that mutates the source operand is a safe operation to perform only when the source operand is at the end of its lifetime, because the value representation of the source operand is not important. Such a situation is a good candidate for a move operation instead of a copy operation.
Noncompliant Code Example
In this noncompliant code example, the copy operations for A mutate the source operand by resetting its member variable M to 0. When std::fill() is called, the first element copied will have the original value of Obj.M, 12, at which point Obj.M is set to 0. The subsequent nine copies will all retain the value 0.
#include <algorithm>
#include <vector>
class A {
  mutable int M;
  
public:
  A() : M(0) {}
  explicit A(int I) : M(I) {}
  
  A(const A &Other) : M(Other.M) {
    Other.M = 0;
  }
  
  A& operator=(const A &Other) {
    if (&Other != this) {
      M = Other.M;
      Other.M = 0;
    }
    return *this;
  }
  
  int Get_M() const { return M; }
};
void f() {
  std::vector<A> V{10};
  A Obj(12);
  std::fill(V.begin(), V.end(), Obj);
}
Compliant Solution
In this compliant solution, the copy operations for A no longer mutate the source operand, ensuring that vector contains equivalent copies of Obj. Instead, A has been given move operations that perform the mutation when it is safe to do so.
#include <algorithm>
#include <vector>
class A {
  int M;
  
public:
  A() : M(0) {}
  explicit A(int I) : M(I) {}
  
  A(const A &Other) : M(Other.M) {}
  A(A &&Other) : M(Other.M) { Other.M = 0; }
  
  A& operator=(const A &Other) {
    if (&Other != this) {
      M = Other.M;
    }
    return *this;
  }
 
  A& operator=(A &&Other) {
    M = Other.M;
    Other.M = 0;
    return *this;
  }
  
  int Get_M() const { return M; }
};
void f() {
  std::vector<A> V{10};
  A Obj(12);
  std::fill(V.begin(), V.end(), Obj);
}
Risk Assessment
Copy operations that mutate the source operand or global state can lead to unexpected program behavior. In the case of using such a type in a Standard Template Library container or algorithm, this can also lead to undefined behavior.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| OOP58-CPP | Low | Likely | Low | P9 | L2 | 
Automated Detection
| Tool | Version | Checker | Description | 
|---|---|---|---|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [ISO/IEC 14882-2014] | Subclause 12.8, "Copying and Moving Class Objects" Table 21, "CopyConstructible Requirements" Table 23, "CopyAssignable Requirements" | 
| [ISO/IEC 14882-2003] | |
| [Hinnant 05] | "Rvalue Reference Recommendations for Chapter 20" | 


