Unexpected virtual function dispatch when using base class reference instead of pointer

Question

Let say I have a simple class hierarchy as follows with a common api:

#include <memory>

class Base {
    public:
        void api() {
            foo();
        }

    protected:
        virtual void foo() {
            std::cout << "Base" << std::endl;

        }
    };

    class FirstLevel : public Base {
    protected:
        virtual void foo() {
            std::cout << "FirstLevel" << std::endl;
        }
    };

when I use the base class pointer I get the correct dispatch as follow:

std::shared_ptr<Base> b = std::make_shared<Base>();
std::shared_ptr<Base> fl = std::make_shared<FirstLevel>();

b->api();
fl->api();

Which correctly prints :

Base
FirstLevel

However when I use the base class reference the behavior is unexpected:

Base &b_ref = *std::make_shared<Base>();
Base &fl_ref = *std::make_shared<FirstLevel>();

b_ref.api();
fl_ref.api();

which prints:

FirstLevel
FirstLevel

Why is the dispatch different when using references as opposed to pointers?

Answer 1

You have undefined behaviour, because the references are dangling at the point you use them to call api(). The objects managed by the shared pointers cease to exist after the lines used to initialize b_ref and fl_ref.

You can fix it by having references to objects that are still alive:

auto b = std::make_shared<Base>();
auto fl = std::make_shared<FirstLevel>();

Base &b_ref = *b;
Base &fl_ref = *fl;

Answer 2

The return value of std::make_shared in the last example is not bound to an rvalue (std::shared_ptr<...>&&) or const-qualified lvalue reference (const std::shared_ptr<...>&), its lifetime is hence not extended. Instead, the return value of std::shared_ptr::operator* of a temporary instance is bound to the left hand side of the expression (b_ref, l_ref), which results in undefined behavior.

If you want to access the virtual api() method through non-const lvalue references to Base and FirstLevel, you can fix this by

auto b = std::make_shared<Base>();
Base& b_ref = *b;

b_ref.api();

and similar for FirstLevel. Don't use b_ref after b goes out of scope, though. You can achieve lifetime extension by

auto&& b = std::make_shared<Base>();
Base& b_ref = *b;

b_ref.api();

though this is almost identical to the above.

Answer 3

Making a smart pointer (or any owing object) a temporary is bad design.

That design issue causes bad lifetime management, specifically the destruction of an object which is still used. That causes undefined behavior; undefined behavior by definition isn't defined or even bounded by the standard (it can be bounded by other principles, tools, devices).

We can still try to understand how code with UB is translated in practice in many cases. The specific behavior you observe:

which prints:

FirstLevel
FirstLevel

is certainly caused by interpreting the memory left by the destroyed object as if it was live object; because that memory was not reused at that time (due to chance, and any change to the program or the implementation may break that property), you see an object in the state it had during destruction.

In the destructor, the calls of virtual functions of the object being destructed always resolve to the overrider of the function in the class of the destructor: inside Base::~Base, the call to foo() resolves to Base::foo(); a compiler that uses vptrs and vtables (in practice, all compilers) makes sure the virtual calls are resolved that way by resetting the vptr to the vtable for Base at the beginning of the execution of the base class destructor.

So what you see is the vptr still pointing to the base class vtable.

Of course, a debugging implementation has the right to set the vptr to some other value at the end of the destructor of a base class to make sure that trying to call virtual functions on destroyed object fails in a clear and unambiguous way.