Virtual Functions, vtable
And Other Monsters
C++ inheritance, virtual functions, and virtual tables are sometimes sees as obscure beasts, something most people will not mess with.
Casting an object to another one or calling a virtual function are probably two of the most common operations you can think of in C++, so it is a shame that such simple operations are not fully understood by everyone.
I have been programming in C
for many years, and one of the benefits of C
is that there is no real magic: when you define a structure, you can see the layout in memory, you can feel the pointers being padded, and every other operations, such as casting a pointer to another one (something you should only do with great care, by the way) are just re-interpreting memory addresses from one type to another one or shifting addresses a bit. No magic. No surprises. Accessing the second member of a pointer array ? This is just basic pointer arithmetic (indirect move with shifting and index, something that even the venerable 68000
processor had if my memory is correct)
Some people go straight in C++
(or even in Java
) when they start learning programming - which is in my point of view a bad thing - and tend to lose their focus on what’s really happening behind the curtains (ie. inside the memory)
But things are generally much simpler that you thought.
Back To Basis
Let’s first have a look at a very simple object. A C++ one:
class A {
private:
int id;
public:
A(): id(42) {
printf("yay, my address is %p, and my id is %d!\n", this, this->id);
}
};
This class contains only a constructor, and has one member (an integer). These two things are not of the same nature: variable members and functions are of different kind (yes, this is a really smart and insightful remark, I know).
To make things clearer, we can view this class as a C-structure, and its functions as global functions taking a (hidden) “this” member as first argument (the pointer to the structure itself). The instance members can be accessed implicitly, without the this->
pointer indirection, by the way: C++ will add the missing bits.
The code above can be rewritten in pure C as follows:
// this is the actual "class A" instance data layout!
struct A {
int id;
};
// this is the class A equivalent constructor (a global function)
void A_A(struct A* this) {
this->id = 42;
printf("yay, my address is %p, and my id is %d!\n", this, this->id);
}
… and, rather that just declaring:
A a;
… you’ll need to call the constructor manually:
struct A a;
A_A(&a); // call constructor manually!
Here it is! C++ in plain C! Of course a C++ compiler will hide everything behind the curtains when using regular classes, but the actual compiled code will be more or less the same.
If you add more members and/or more methods in this class, the principle is the same: extend the structure layout, and/or add more global functions that take an hidden this first argument.
Quizz: what is the size of a class A
object instance ? The answer is pretty simple: the class only contains one member (id
), which is an integer (32-bit here) ; the sizeof(A)
is therefore 4 (bytes). No magic.
Quizz: what will be the size of a class A
object instance if a regular member function is added ? The answer is pretty simple, too: its size won’t change, as it still contains only one member - only an additional global function will be added in the code.
What About Inheritance ? This Seems a Bit More Complicated!
No, no, not at all.
Let’s take a simple (yet representative) example: our previous A class, another B class with a single “age” member, and at last a final class C with a member “mode”, but inheriting from A and B.
class A {
public:
int id;
A(): id(42) {
printf("A: yay, my address is %p, my size is %zu, and my id is %d!\n",
this, sizeof(*this), this->id);
}
};
class B {
public:
int age;
B(): age(7) {
printf("B: yay, my address is %p, my size is %zu, and my age is %d!\n",
this, sizeof(*this), this->age);
}
};
class C: public A, public B {
public:
int mode;
C(): mode(-1) {
printf("C: yay, my address is %p, my size is %zu, my id, age and mode are %d, %d, %d!\n",
this, sizeof(*this), this->id, this->age, this->mode);
}
};
Instantiating an object from C (C c;
) will print something like:
A: yay, my address is 0x73620f9f5c20, my size is 4, and my id is 42!
B: yay, my address is 0x73620f9f5c24, my size is 4, and my age is 7!
C: yay, my address is 0x73620f9f5c20, my size is 12, my id, age and mode are 42, 7, -1!
The class C
constructor called first the upper inherited classes constructors (class A
constructor and class B
constructor), and therefore prints their information first. Here again, C++
hides everything behind curtains: the calls to base classes constructors are generated automatically, before your actual class C
constructor code.
You can note that the address seen by the constructors of A and C are identical, but not the one seen by B. How can it be ?
Let’s rewrite everything in plain C:
struct A {
int id;
};
// class A constructor
void A_A(struct A* this) {
this->id = 42;
printf("A: yay, my address is %p, my size is %zu, and my id is %d!\n",
this, sizeof(*this), this->id);
}
struct B {
int age;
};
// class B constructor
void B_B(struct B *this) {
this->age = 7;
printf("B: yay, my address is %p, my size is %zu, and my age is %d!\n",
this, sizeof(*this), this->age);
}
struct C {
struct A a;
struct B b;
int mode;
};
void C_C(struct C *this) {
// manually call base classes constructors first
A_A(&this->a);
B_B(&this->b);
// then, user code
this->mode = -1;
printf("C: yay, my address is %p, my size is %zu, my id, age and mode are %d, %d, %d!\n",
this, sizeof(*this), this->a.id, this->b.age, this->mode);
}
The struct C
layout is pretty straightforward: the first element is the struct A
members - the reason why constructors from class A and class C did see the same address, the second member is the member(s) of class B, and finally comes the member(s) of C.
In both C++ and C variants,
- the size of C is 12 bytes (the three integers)
- the location of A within C is at the beginning (the first four bytes)
- the location of B within C is after the area dedicated to A (the next four bytes)
- the location of members specific to C then follows
Casting will provide the same behavior, by the way:
static_cast<A*>(&c))
==&(&c)->a
== 0x73620f9f5c20static_cast<B*>(&c))
==&(&c)->b
== 0x73620f9f5c24static_cast<C*>(&c))
==&c
== 0x73620f9f5c20
Okay, But Virtual Functions ? Can You Do That In Plain C ?
Well, let’s consider a simple example: simply add a virtual function print
to our previous sample, aiming to print the object class name and parameters. The idea is that even if we cast
the high-level class C
instance into A*
or B*
, we’ll see the same behavior.
class A {
public:
int id;
A(): id(42) {
printf("A: yay, my address is %p, my size is %zu, and my id is %d!\n",
this, sizeof(*this), this->id);
}
virtual void print() {
printf("I am A(%d)\n", id);
}
};
class B {
public:
int age;
B(): age(7) {
printf("B: yay, my address is %p, my size is %zu, and my age is %d!\n",
this, sizeof(*this), this->age);
}
virtual void print() {
printf("I am B(%d)\n", age);
}
};
class C: public A, public B {
public:
int mode;
C(): mode(-1) {
printf("C: yay, my address is %p, my size is %zu, my id, age and mode are %d, %d, %d!\n",
this, sizeof(*this), this->id, this->age, this->mode);
}
virtual void print() {
printf("I am C(%d, %d, %d)\n", id, age, mode);
}
};
If we create an instance of C
called c
(C c;
), the following calls will produce exactly the same output:
- c.print();
- static_cast<A*>(&c)->print();
- static_cast<B*>(&c)->print();
- static_cast<C*>(&c)->print();
Where is the magic ? Let’s first have a look at the output, when creating this object:
A: yay, my address is 0x726fa25b7c00, my size is 16, and my id is 42!
B: yay, my address is 0x726fa25b7c10, my size is 16, and my age is 7!
C: yay, my address is 0x726fa25b7c00, my size is 32, my id, age and mode are 42, 7, -1!
We can see that A
and B
are not anymore 4 bytes, but 16. And C is 32 bytes! Somehow, the C++
compiler did add some bytes in our objects without telling us!
Let’s have a look at each object instance actual contents within each classes, by dumping data as pointers in constructors, to figure ou what has been added inside our beloved structures classes:
// simple dump function
static void print_object(const char *name, void *this_, size_t size) {
void **ugly = reinterpret_cast<void**>(this_);
size_t i;
printf("created %s at address %p of size %zu\n", name, this_, size);
for(i = 0 ; i < size / sizeof(void*) ; i++) {
printf(" pointer[%zu] == %p\n", i, ugly[i]);
}
}
And using print_object(__FUNCTION__, this, sizeof(*this));
inside each constructor.
Remember that the constructors are called as follows when creating an instance of C:
- base class A constructor is called magically (
this
points to the beginning of the allocated C structure) - base class B constructor is called magically (
this
starts at 16 bytes from the beginning of the allocated C structure) - top level C constructor user code is executed (
this
points to the beginning of the allocated C structure)
Here’s the result:
created A at address 0x7082f962ccb0 of size 16
pointer[0] == 0x400f20
pointer[1] == 0x2a
created B at address 0x7082f962ccc0 of size 16
pointer[0] == 0x400f00
pointer[1] == 0x7
created C at address 0x7082f962ccb0 of size 32
pointer[0] == 0x400ed0
pointer[1] == 0x2a
pointer[2] == 0x400ee8
pointer[3] == 0xffffffff00000007
We can see that:
- A contains an unknown additional pointer (
0x400f20
), and the id variable (0x2a
==42
) padded to 8 bytes - B contains another unknown additional pointer (
0x400f00
), and the age variable (7
) padded to 8 bytes - C embeds A and B, and the mode variable (-1): these are seen as
0x2a
, and0xffffffff00000007
(00000007
for the age variable, andffffffff
for the mode variable:-1
is0xffffffff
in two complement’s world) - and the two additional pointers
So it seems that the structure size change reason is that an hidden pointer member (8 bytes in the 64-bit world) has been added to the class instance - and the compiler probably padded the structure to 16 bytes, because you want to have 8-byte alignment when dealing with arrays: if you have an array of two objects, the second object hidden pointer has to be padded to 8 bytes, enforcing the structure to be a multiple of 8 bytes. The 4 bytes used for padding are unused, but useful to maintain the alignment.
Hey, wait! The two pointers are different, when printed inside the C constructor! Yes, good catch: the additional A pointer which was 0x400f20
inside the class A
constructor has been changed into 0x400ed0
inside the class C
constructor, and the additional B pointer which was 0x400f00
inside the class B
constructor has been changed into 0x400ee8
inside the class C
constructor.
Oh, and a last note: C is only 32 bytes.
- there is no additional hidden pointer for C!
- the compiler apparently used the padding area of
class B
for themode
variable (smart, isn’t it ?)
Okay, so two magical pointers have been added because we defined a virtual function. What does it mean ?
Let’s go back to basic: how would you implement this class hierarchy in pure C ?
Here’s what you may do:
struct A {
int id;
};
// class A constructor
void A_A(struct A *this) {
this->id = 42;
print_object(__FUNCTION__, this, sizeof(*this));
}
void A_print(struct A *this) {
printf("I am A(%d)\n", this->id);
}
struct B {
int age;
};
// class B constructor
void B_B(struct B *this) {
this->age = 7;
print_object(__FUNCTION__, this, sizeof(*this));
}
void B_print(struct B *this) {
printf("I am B(%d)\n", this->age);
}
struct C {
struct A a;
struct B b;
int mode;
};
void C_C(struct C *this) {
// manually call base classes constructors first
A_A(&this->a);
B_B(&this->b);
// then, user code
this->mode = -1;
print_object(__FUNCTION__, this, sizeof(*this));
}
void C_print(struct C *this) {
printf("I am C(%d, %d, %d)\n", this->a.id, this->b.age, this->mode);
}
Okay, looks more or less what we had previously. But what about the virtual function ? We have to be sure that we call the right function, even if we only have a A* or a B* pointer (and we don’t know that this is actually a C object class behind).
A solution can be to add a function pointer for every virtual function in each classes, and initialize inside the constructor!
Something like this:
struct A {
void (*print)(struct A *this);
int id;
};
// class A constructor
void A_A(struct A *this) {
this->print = A_print;
this->id = 42;
print_object(__FUNCTION__, this, sizeof(*this));
}
struct B {
void (*print)(struct B *this);
int age;
};
// class B constructor
void B_B(struct B *this) {
this->print = B_print;
this->age = 7;
print_object(__FUNCTION__, this, sizeof(*this));
}
void B_print(struct B *this) {
printf("I am B(%d)\n", this->age);
}
struct C {
struct A a;
struct B b;
void (*print)(struct C *this);
int mode;
};
void C_C(struct C *this) {
// manually call base classes constructors first
A_A(&this->a);
B_B(&this->b);
// then, user code
this->print = C_print;
this->a.print = C_print; // we patch our own A->print function !!
this->b.print = C_print; // and we need to do it for B->print too!!
this->mode = -1;
print_object(__FUNCTION__, this, sizeof(*this));
}
void C_print(struct C *this) {
printf("I am C(%d, %d, %d)\n", this->a.id, this->b.age, this->mode);
}
What did we do here ?
- A and B constructors initialize their versions of
print
- C constructor initialize its own version of
print
after A and B constructors, and overrides the one inside A and B
Neat, isn’t it ?
Now, whatever pointer you have, these three lines will produce identical behavior:
- a->print(a);
- b->print(b);
- c->print(c);
Hey, by the way, we do not need an additional pointer for C, because we already have the correct version in two locations: a.print
and b.print
. Let’s remove this useless pointer in C (and the useless initialization), and use:
- a->print(a);
- b->print(b);
- c->a.print(c);
There is a little problem, however, when using a C instance cast in A* or B*. When you call a->print(a)
, the a
pointer is of type A*. And therefore the assignment this->a.print = C_print
will produce a warning. Similarly, when you call b->print(b), the this
pointer will have a type of B*, and not only it is of the wrong type, but it has a different address, as c->b is located sixteen bytes after the beginning of C.
We need specialized versions with correct casts!
- casting from A* to C* is straightforward: we know that the address is the same, and the type can be safely cast
- casting from B* to C* requires to adjust the address to find the beginning of C, and a cast (B is in the middle of C, remember)
Here we go:
void C_print(struct C *this) {
printf("I am C(%d, %d, %d)\n", this->a.id, this->b.age, this->mode);
}
void CA_print(struct A *this) {
C_print((struct C*) this);
}
void CB_print(struct B *this) {
// we know that this points after the struct A layout
// so let's fix the pointer by ourselves!
size_t offset = (size_t) &((struct C*) NULL)->b;
C_print((struct C*) ( ( (char*) this ) - offset ) );
}
void C_C(struct C *this) {
// manually call base classes constructors first
A_A(&this->a);
B_B(&this->b);
// then, override functions
this->a.print = CA_print; // we patch our own function !!
this->b.print = CB_print; // and we need to do it for B too!!
// this->print = C_print; // useless
// then, user code
this->mode = -1;
print_object(__FUNCTION__, this, sizeof(*this));
}
With these adjustments, things are smooth:
c.a.print(&c.a)
==> I am C(42, 7, -1)c.b.print(&c.b)
==> I am C(42, 7, -1)c.print(&c)
==> I am C(42, 7, -1)
Perfect, isn’t it ?
Not yet: what if we add more virtual functions in our structures ? This will increase the object size, and require more pointer initialization in constructors! What a waste of space and time: we are assigning the same pointers each time. Could we prepare the set of pointers for each classes in a static, global structure, and just initialize a pointer to these static data inside the constructors ? Neat, isn’t it ?
Here’s the modified version - let’s call the global structure tables containing specialized function pointers vtbl
, as in virtual table, because this is actually what they are: table for virtual functions!
// type for global virtual function table structure A
// this structure enumerates all virtual functions of A
struct A;
struct table_A {
void (*print)(struct A *this);
};
struct A {
const struct table_A *vtbl;
int id;
};
void A_print(struct A *this) {
printf("I am A(%d)\n", this->id);
}
// the global, static table data for A
// this structure enumerates all virtual functions of B
static const struct table_A table_A_for_A = { A_print };
void A_A(struct A *this) {
this->vtbl = &table_A_for_A;
this->id = 42;
print_object(__FUNCTION__, this, sizeof(*this));
}
// type for global virtual function table structure B
struct B;
struct table_B {
void (*print)(struct B *this);
};
struct B {
const struct table_B *vtbl;
int age;
};
void B_print(struct B *this) {
printf("I am B(%d)\n", this->age);
}
// the global, static table data for B
static const struct table_B table_B_for_B = { B_print };
void B_B(struct B *this) {
this->vtbl = &table_B_for_B;
this->age = 7;
print_object(__FUNCTION__, this, sizeof(*this));
}
struct C {
struct A a;
struct B b;
int mode;
};
void C_print(struct C *this) {
printf("I am C(%d, %d, %d)\n", this->a.id, this->b.age, this->mode);
}
void CA_print(struct A *this) {
C_print((struct C*) this);
}
void CB_print(struct B *this) {
// we know that this points after the struct A layout
// so let's fix the pointer by ourselves!
size_t offset = (size_t) &((struct C*) NULL)->b;
C_print((struct C*) ( ( (char*) this ) - offset ) );
}
// the global, static tables data for A and B structures, for C
static const struct table_A table_A_for_C = { CA_print };
static const struct table_B table_B_for_C = { CB_print };
void C_C(struct C *this) {
// manually call base classes constructors first
A_A(&this->a);
B_B(&this->b);
// Override virtual function pointers that have just been initialized by
// A and B constructors with our own version. This allows to override all
// possible virtual functions in base classes!
this->a.vtbl = &table_A_for_C;
this->b.vtbl = &table_B_for_C;
this->mode = -1;
print_object(__FUNCTION__, this, sizeof(*this));
}
Neat, isn’t it ?
Well, I’m telling you a secret: this is more or less what the C++ compiler does (yes, behind the curtains) when implementing virtual functions. The virtual function tables are called virtual tables, and are static structures inside the compiled code. And inside each corresponding class constructor, additional code is inserted just between base class initialization calls, and user code, to set all virtual table pointers corresponding to the class type.
Some additional remarks on this design:
-
if you call a virtual function inside a base class constructor, you will not call the top-level function version, because the virtual table pointer has not yet been initialized (it will be initialized after the end of the base class constructor)
-
you need one static structure containing all necessary stuff for a given class
-
you can put additional information on these virtual table structures, which can be useful!
- the class name
- type information functions (what is this object’s real class ?), for example by implementing a hidden
getClassType()
virtual function - dynamic cast support
… and this is exactly what most compiler do, actually: Runtime Type Information data is generally included as soon as a virtual table needs to be created for a given class (ie. you can use dynamic_cast<>())
Now you know what’s going on when you define a virtual function: rather than calling the function directly, an indirection through a virtual table is done.
This has some drawbacks:
-
a little function call impact on performances, because you need to read the actual function pointer in a static table
-
a potentially huge impact on performances because you can not inline anymore function calls
A Deeper Look
Let’s dig a little bit more, using GCC version of the virtual tables.
If you run your program under GDB and examine an instance of class C
, you’ll see:
(gdb) p c
$1 = {<A> = {_vptr.A = 0x400e70 <vtable for C+16>, id = 42}, <B> = {_vptr.B = 0x400e88 <vtable for C+40>, age = 7}, mode = -1}
Note the _vptr.A = 0x400e70
and _vptr.B = 0x400e88
: these are the virtual tables.
What is behind these pointers ? Recent GCC releases allows you to dig a bit into an object’s virtual table:
(gdb) info vtbl c
vtable for 'C' @ 0x400e70 (subobject @ 0x775bfbf98600):
[0]: 0x400b00 <C::print()>
vtable for 'B' @ 0x400e88 (subobject @ 0x775bfbf98610):
[0]: 0x400b34 <non-virtual thunk to C::print()>
Otherwise, you can easily guess that each vtables starts with the same kind of function array we created for our C version:
(gdb) p ((void**)0x400e70)[0]
$5 = (void *) 0x400b00 <C::print()>
(gdb) p ((void**)0x400e88)[0]
$9 = (void *) 0x400b34 <non-virtual thunk to C::print()>
Easter Egg
Now you understand a bit more the concept or vtable, let’s see a dirty-but-fun hack (valid for GCC, possibly for Visual C++ too): how to override a specific object’s virtual function table, and rewire virtual functions at runtime
// Our patched version of C::printf (or A::printf)
static void our_function(C *thiz) {
printf("I am now a new C(%d, %d, %d)!\n", thiz->id, thiz->age, thiz->mode);
}
// Our patched version of B::printf
static void our_function_from_B(B *thiz) {
// This is the same boring arithmetic than before, except that
// we use a fake C instance located at a random (but non-NULL) address
// to compute the offset. Note that the actual instance address will
// never be dereferenced, so do not fear illegal accesses!.
C *dummy = reinterpret_cast<C*>(0x42);
B *dummy_B = static_cast<B*>(dummy);
char *dummy_ptr = reinterpret_cast<char*>(dummy);
char *dummy_B_ptr = reinterpret_cast<char*>(dummy_B);
size_t offset = dummy_B_ptr - dummy_ptr;
char *ptr = reinterpret_cast<char*>(thiz);
C *thiz_C = reinterpret_cast<C*>(ptr - offset);
our_function(thiz_C);
}
int main(int argc, char **argv) {
// create an instance of C
C c;
// Hack the c instance and override its print() function!
void *our_vtbl[1] = { reinterpret_cast<void*>(our_function) };
void *our_vtbl2[1] = { reinterpret_cast<void*>(our_function_from_B) };
// patch for A* and C*
*reinterpret_cast<void**>(static_cast<A*>(&c)) = our_vtbl;
// patch for B*
*reinterpret_cast<void**>(static_cast<B*>(&c)) = our_vtbl2;
// get the pointers (note: GCC will optimize direct calls to c.printf)
A *pa = &c;
B *pb = &c;
C *pc = &c;
// and call printf() ... what will be printed ?
pa->print();
pb->print();
pc->print();
return 0;
}
And yes, your object was hacked:
I am now a new C(42, 7, -1)!
I am now a new C(42, 7, -1)!
I am now a new C(42, 7, -1)!
Neat, isn’t it ? (yes, yes, not really portable though)
References
-
You may have a look at the Itanium C++ ABI, Virtual Table Layout description (GCC is using the Itanium ABI for vtables, or at least something very close)
-
For Windows coders, the Reversing Microsoft Visual C++ Part II page will be a goldmine, too
TL;DR: remember that C++ used to be enhanced C a long time ago, and most basic features can be easily implemented and understood through plain C code!