However, if you debug the code in VC++, you can see the 'a.__vfptr' in the variable watch windows. Interesting ha?

Okay, now we'd like to see how we can access the virtual table even if the compiler doesn't want us to. Let's have class X with a virtual function fn() which simply prints a member variable and we want to access the virtual table of class X to call the function fn() using it. The following code does that.

  1 #include<iostream>
  2
  3 usingnamespacestd;
  4
  5 //a simple class
  6 classX
  7 {
  8 public:
  9  //fn is a simple virtual function
 10  virtualvoidfn()
 11  {
 12   cout<<"n = "<<n<<endl;
 13  }
 14
 15  //a member variable
 16  intn;
 17 };
 18
 19 intmain()
 20 {
 21  //create an object (obj) of class X
 22  X*obj=newX();
 23  obj->n=10;
 24
 25  //get the virtual table pointer of object obj
 26  int*vptr=*(int**)obj;
 27
 28  // we shall call the function fn, but first the following assembly code
 29  //  is required to make obj as 'this' pointer as we shall call
 30  //  function fn() directly from the virtual table
 31  __asm
 32  {
 33   movecx,obj
 34  }
 35
 36  //function fn is the first entry of the virtual table, so it's vptr[0]
 37  ((void(*)())vptr[0])();
 38
 39  //the above is the same as the following
 40  //obj->fn();
 41
 42  return0;
 43 }
 44 

Please note, this code is compiler dependent and may only work on VC++ compilers and it'll work correctly when you'll run it in 'Release' mode. Here goes some explanation of the code.

In line 26, we have:

 26  int*vptr=*(int**)obj;

The virtual table pointer __vfptr is available in the first 4 bytes of the object. In this line, we get the value of the pointer __vfptr or the address of the virtual table as an integer pointer (say as a pointer to an integer array).

The first entry of the virtual table is the function pointer of the virtual function 'fn'. We can access the first entry using vptr[0] (as this is just an array). So, in line 37, we just call the function using the function pointer. But wait, you might be asking why the following assembly line is there before that function call.

 33   movecx,obj

If you take another look into the implementation of function fn(), you can see that it prints out the member variable 'n', which is only avaliable to object 'obj'. Inside the function fn(), 'obj' needs to be set as 'this' pointer, to give the function fn() access to all it's members.

When we call the function fn() in this way: obj->fn(), the compiler does the job for us and sets 'obj' as 'this' before calling the function. But in line 37, we couldn't specify anything to the function fn() saying it is called for the object 'obj', so the function won't find out where to get the value of 'n' from. This is why we expicitly need to set the 'obj' as 'this' before we call the function fn() in line 37. We did that in line 33, in the assembly code. This line is again VC++ specific. In VC++, 'this' pointer is set in the register 'ECX'. Some other compiler may handle that differently.

If we had more virtual function, we could have access them using next indexes of vptr: vptr[1], vptr[2], etc.

We have learned some interesting facts about the virtual functions and the virtual table. We may not have any use of this kind of code where we need to directly access the virtual table in our general applications but this helps when you want to know more about C++ internals.

Enjoy!

July 12, 2008:
We assumed here that the vptr is placed in the beginning of the class object. here's a note on that:

Traditionally, the vptr has been placed after all the explicitly declared members of the class. More recently, it has been placed at the beginning of the class object. The C++ Standard allows the compiler the freedom to insert these internally generated members anywhere, even between those explicitly declared by the programmer.