I stumbled across this question, which had an answer that used an odd construct:

typedef std::queue<int> Q;
typedef Q::container_type C;

C & get (Q &q)
    struct hack : private Q {
        static C & get (Q &q) {
            return q.*&hack::c;
    return hack::get(q);

I generally follow that q has access to its own c member that is being referenced by the get function. But, I am at a loss to clearly explain it. What is happening exactly with the .*&, and why is it allowed?

  • 1
  • 1
  • 69,070
  • 8
  • 110
  • 193

2 Answers2

typedef std::queue<int> Q;

Q is a queue adapted container.

typedef Q::container_type C;

C is the underlying container of the Q -- which is a deque<int>.

C & get (Q &q) {

get takes a queue and returns a deque. In fact it returns the deque that the queue wraps: by conventional means, this is not possible.

  struct hack : private Q {

hack is a type local to the function. It inherits from Q and has only one static member function. From its name, you may suspect it is a hack. You are right.

No hack is ever instantiated.

    static C & get (Q &q) {

hack::get has the same signature as get itself. In fact we delegate all of the work of get to this method.

      return q.*&hack::c;

this line needs to be broken down. I will do it in more lines:

      using mem_ptr_t = C Q::*; // aka typedef C Q::*mem_ptr_t;
      mem_ptr_t c_mem_ptr = &hack::c;
      C& ret = q.*c_mem_ptr;
      return ret;

The first line defines the type of a member pointer to a field of type C within a Q. Both the C++11 and C++03 ways of naming this type are ugly.

The second line gets a member pointer to the field c in Q. It does this through the hole in the type system of C++. &hack::c is logically of type C hack::* -- a pointer to a member of type C within a class of type hack. In fact, that is why we can access it in a static member of hack. But the c in question is actually in Q, so the actual type of the expression in C++ is C Q::*: a pointer to a member variable of Q.

You cannot directly get this member pointer within hack -- &Q::c is illegal, but &hack::c is not.

You can think of member pointers as 'typed offsets' into another type: &hack::c is the "offset" of c within Q together with knowing it is of type C. Now this isn't really true -- it is some opaque value that tells the compiler how to get c from Q -- but it helps to think about it that way (and it may be implemented that way in simple cases).

We then use this member pointer together with a Q& to get the c out of the Q. Getting a member pointer is constrained by protected: using it is not! The way we do it is with operator .*, which is the member dereference operator, which you can pass either member function pointers or members on the right, and class instances on the left.

instance .* member_ptr is an expression that finds the member "pointed to" by member_ptr within the instance. In the original code, everything was done on one line:

instance .* &class_name::member_name

so it looked like there was an operator .*&.


and then we close up the static method and hack class, and:

  return hack::get(q);

call it. This technique gives access to protected state: without it, protected members can only be accessed in child classes of the same instance. Using this, we can access protected members of any instance, without violating any bit of the standard.

Yakk - Adam Nevraumont
  • 262,606
  • 27
  • 330
  • 524
  • 2
    I notice you never gave the type of `c_mem_ptr`, although that's key to the entire trick (and a violation of type theory -- it ought to be `C& hack::*`) – Ben Voigt Mar 27 '15 at 01:08
  • 2
    @BenVoigt: Holly cow, that was a subtle comment. Thanks for that insight. I missed this from the referenced answer: *The key point is that the type of a member pointer is bound to the class that actually contains said member - not to the class that you specified when taking the address.* – jxh Mar 27 '15 at 01:20
  • @BenVoigt: No, it's C Q::*. – Jamboree Mar 27 '15 at 01:29
  • @Jamboree: That is Ben's point. That is what it is, but not what it ought to be. – jxh Mar 27 '15 at 01:30
  • @BenVoigt ok, I highlighted the hole in the type system, and included explicit types, and removed `auto`. Such a horrible way to name a type. – Yakk - Adam Nevraumont Mar 27 '15 at 01:37
  • 1
    @jxh On top of that, I added a paragraph or two extra about `.*&`. I like the line-by-line surrounds, as the entire bit of code is more than a bit obtuse, and understanding the context is important. I could have instead created a simpler example I suppose. – Yakk - Adam Nevraumont Mar 27 '15 at 01:38

It's a hack, as the nomenclature indicates.

.* takes an object on the left side, and a member pointer on the right side, and resolves the pointed-to member of the given object. & is, of course, the referencing operator; &Class::Member returns a member pointer, which cannot by itself be dereferenced but which can be used with the .* and ->* operators (the latter being the wackiest of all C++ operators). So obj .* &Class::Member has exactly the same effect as obj.Member.

The reason this more complicated version is being used comes down to a loophole in protection semantics; basically, it allows access to protected members of a base class object, even if the object is not of the same type as the class doing this dirty hack.

Personally, I think the trick is too clever by half. I'd ordinarily* write such code as:

struct hack : private Q {
    static C & get (Q &q) {
        return static_cast<hack &>(q).c;

Which is technically slightly less safe, but doesn't obscure what's going on.

.* Well, ordinarily I'd avoid writing such a thing at all. But I literally did this earlier today, so I can't really throw stones.

  • 40,271
  • 12
  • 71
  • 104
  • 7
    I wouldn't call UB "slightly less safe". – T.C. Mar 26 '15 at 22:40
  • @T.C. I would, since no compilers actually do something unexpected in that case. The only thing to worry about is future-proofing, though it's difficult to see how any compiler would ever behave differently. – Sneftel Mar 26 '15 at 22:42
  • Your 'less safe' version relies on parent classes being stored as prefixes, and/or the child adding no elements before it. This is only guaranteed for standard layout types: your `hack` may or may not be standard layout. Once a type is not standard layout, the compiler is free to (say) reposition elements based on profile guidance, insert profiling data that differs in size at the front of hack and Q that differs in size, add canary data to detect UB, or a whole myriad of other stuff your code would break on. – Yakk - Adam Nevraumont Mar 26 '15 at 23:07
  • Heck: it could prove no well defined path to access the field exists, and eliminate it. – Yakk - Adam Nevraumont Mar 26 '15 at 23:07
  • @Yakk Could, yes, but doesn't. As I said, despite what compilers *could* do, none of them *do it*. – Sneftel Mar 26 '15 at 23:13
  • Pasting in your code does not compile for me with the code in my example. – jxh Mar 26 '15 at 23:34
  • Your approach doesn't compile on gcc or clang. – Barry Jul 02 '15 at 19:15
  • @Barry was a stray `const`. – Sneftel Jul 03 '15 at 10:22