CertC++-OOP58

Copy operations must not mutate the source object

Required inputs: IR

Copy operations (copy constructors and copy assignment operators) are expected to copy the salient properties of a source object into the destination object, with the resulting object being a "copy" of the original. What is considered to be a salient property of the type is type-dependent, but for types that expose comparison or equality operators, includes any properties used for those comparison operations. This expectation leads to assumptions in code that a copy operation results in a destination object with a value representation that is equivalent to the source object value representation. Violation of this basic assumption can lead to unexpected behavior.

Ideally, the copy operator should have an idiomatic signature. For copy constructors, that is  T(const T&); and for copy assignment operators, that is  T& operator=(const T&);. Copy constructors and copy assignment operators that do not use an idiomatic signature do not meet the requirements of the  CopyConstructible or  CopyAssignable concept, respectively. This precludes the type from being used with common standard library functionality [ ISO/IEC 14882-2014].

When implementing a copy operator, do not mutate any externally observable members of the source object operand or globally accessible information. Externally observable members include, but are not limited to, members that participate in comparison or equality operations, members whose values are exposed via public APIs, and global variables.

Before C++11, a copy operation that mutated the source operand was the only way to provide move-like semantics. However, the language did not provide a way to enforce that this operation only occurred when the source operand was at the end of its lifetime, which led to fragile APIs like  std::auto_ptr. In C++11 and later, such a situation is a good candidate for a move operation instead of a copy operation.

auto_ptr

For example, in C++03,  std::auto_ptr had the following copy operation signatures [ ISO/IEC 14882-2003]:

Copy constructor auto_ptr(auto_ptr &A);
Copy assignment auto_ptr& operator=(auto_ptr &A);

Both copy construction and copy assignment would mutate the source argument,  A, by effectively calling  this->reset(A.release()). However, this invalidated assumptions made by standard library algorithms such as  std::sort(), which may need to make a copy of an object for later comparisons [ Hinnant 05]. Consider the following implementation of  std::sort() that implements the quick sort algorithm. 

// ...
value_type pivot_element = *mid_point;
// ...

At this point, the sorting algorithm assumes that  pivot_element and  *mid_point have equivalent value representations and will compare equal. However, for  std::auto_ptr, this is not the case because *mid_point has been mutated and results in unexpected behavior.

In C++11, the  std::unique_ptr smart pointer class was introduced as a replacement for std::auto_ptr to better specify the ownership semantics of pointer objects. Rather than mutate the source argument in a copy operation,  std::unique_ptr explicitly deletes the copy constructor and copy assignment operator, and instead uses a move constructor and move assignment operator. Subsequently,  std::auto_ptr was deprecated in C++11.

Noncompliant Code Example

In this noncompliant code example, the copy operations for  A mutate the source operand by resetting its member variable  m to  0. When  std::fill() is called, the first element copied will have the original value of  obj.m12, at which point  obj.m is set to  0. The subsequent nine copies will all retain the value  0. 

#include <algorithm>
#include <vector>

class A {
  mutable int m;

public:
  A() : m(0) {}
  explicit A(int m) : m(m) {}

  A(const A &other) : m(other.m) {
    other.m = 0;
  }

  A& operator=(const A &other) {
    if (&other != this) {
      m = other.m;
      other.m = 0;
    }
    return *this;
  }
  
  int get_m() const { return m; }
};

void f() {
  std::vector<A> v{10};
  A obj(12);
  std::fill(v.begin(), v.end(), obj);
}
Compliant Solution

In this compliant solution, the copy operations for  A no longer mutate the source operand, ensuring that the vector contains equivalent copies of  obj. Instead,  A has been given move operations that perform the mutation when it is safe to do so. 

#include <algorithm>
#include <vector>

class A {
  int m;

public:
  A() : m(0) {}
  explicit A(int m) : m(m) {}

  A(const A &other) : m(other.m) {}
  A(A &&other) : m(other.m) { other.m = 0; }

  A& operator=(const A &other) {
    if (&other != this) {
      m = other.m;
    }
    return *this;
  }
 
  A& operator=(A &&other) {
    m = other.m;
    other.m = 0;
    return *this;
  }

  int get_m() const { return m; }
};

void f() {
  std::vector<A> v{10};
  A obj(12);
  std::fill(v.begin(), v.end(), obj);
}
Exceptions

OOP58-CPP-EX0: Reference counting, and implementations such as std::shared_ptr<> constitute an exception to this rule. Any copy or assignment operation of a reference-counted object requires the reference count to be incremented. The semantics of reference counting are well-understood, and it can be argued that the reference count is not a salient part of the shared_pointer object.

Risk Assessment

Copy operations that mutate the source operand or global state can lead to unexpected program behavior. Using such a type in a Standard Template Library container or algorithm can also lead to undefined behavior.

Rule Severity Likelihood Remediation Cost Priority Level
OOP58-CPP Low Likely Low P9 L2
Related Guidelines
SEI CERT C++ Coding Standard OOP54-CPP. Gracefully handle self-copy assignment
Bibliography
[ ISO/IEC 14882-2014] Subclause 12.8, "Copying and Moving Class Objects"
Table 21, "CopyConstructible Requirements"
Table 23, "CopyAssignable Requirements" 
[ ISO/IEC 14882-2003]
[ Hinnant 2005] "Rvalue Reference Recommendations for Chapter 20"
Excerpt from SEI CERT C++ Coding Standard [https://cmu-sei.github.io/secure-coding-standards/sei-cert-cpp-coding-standard/rules/object-oriented-programming-oop/oop58-cpp], Copyright (C) 1995-2026 Carnegie Mellon University. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key

Text

Severity

Disabled

copy_constructor_modifies_source

Copy constructor modifies source object.

None

False

copy_operator_modifies_source

Copy operator modifies source object.

None

False

Options

skip_functions

skip_functions : set[bauhaus.analysis.config.QualifiedName] = {'std::make_shared', 'std::make_unique'}

Set of functions for which modifications are allowed.
 

skip_types

skip_types

Type: set[bauhaus.analysis.config.QualifiedName]

Default: {'std::atomic', 'std::auto_ptr', 'std::basic_string', 'std::shared_ptr', 'std::unique_ptr', 'std::weak_ptr'}

Set of types for which modifications are allowed.