CS.CTOR.VIRTUAL

Constructor calls a virtual method defined in its class

Vulnerability and risk

When a virtual method is called, the actual type that executes the method is not selected until run time. When a constructor calls a virtual method, it is possible that the constructor for the instance that invokes the method has not yet executed.

External guidance

CWE-398: Indicator of Poor Code Quality

Example 1

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
  namespace NameSpace {
      class BadlyConstructedType {
          public BadlyConstructedType() {
              DoBusiness();         // defect - call to a virtual method
          }
          public virtual void DoBusiness() {
              // doing business...
          }
      }
 
     public class DerivedType : BadlyConstructedType {
         public DerivedType () {}
         public override void DoBusiness() {
             // this method is may be called when the corresponding object is not constructed...
         }
     }
 }