CS.CTOR.VIRTUAL

Constructor calls a virtual method defined in its class

Vulnerability and risk

When a virtual method is called, the actual type that executes the method is not selected until run time. When a constructor calls a virtual method, it is possible that the constructor for the instance that invokes the method has not yet executed.

Example 1

1  namespace NameSpace {
2      class BadlyConstructedType {
3          public BadlyConstructedType() {
4              DoBusiness();         // defect - call to a virtual method
5          }
6          public virtual void DoBusiness() {
7              // doing business...
8          }
9      }
10 
11     public class DerivedType : BadlyConstructedType {
12         public DerivedType () {}
13         public override void DoBusiness() {
14             // this method is may be called when the corresponding object is not constructed...
15         }
16     }
17 }