fix: detect virtual inheritance in add_base to prevent pointer offset crash (#6017)

Virtual inheritance places the base subobject at a dynamic offset, but load_impl Case 2a uses reinterpret_cast which assumes a fixed offset. This caused segfaults when dispatching inherited methods through virtual bases (e.g. SftVirtDerived2::name()). Add an is_static_downcastable SFINAE trait that detects whether static_cast<Derived*>(Base*) is valid. When it is not (virtual inheritance), set multiple_inheritance = true in add_base to force the implicit_casts path, which correctly adjusts pointers at runtime. Remove the workaround .def("name", &SftVirtDerived2::name) from test_smart_ptr.cpp that was papering over the issue. Made-with: Cursor
2026-05-14 02:03:34 +00:00 · 2026-03-30 10:49:27 +07:00
parent 524d72b36d
commit 83f71d8b82
3 changed files with 18 additions and 4 deletions
--- a/include/pybind11/detail/common.h
+++ b/include/pybind11/detail/common.h
@@ -1039,6 +1039,17 @@ struct is_instantiation<Class, Class<Us...>> : std::true_type {};
 template <typename T>
 using is_shared_ptr = is_instantiation<std::shared_ptr, T>;

+/// Detects whether static_cast<Derived*>(Base*) is valid, i.e. the inheritance is non-virtual.
+/// Used to detect virtual bases: if this is false, pointer adjustments require the implicit_casts
+/// chain rather than reinterpret_cast.
+template <typename Base, typename Derived, typename = void>
+struct is_static_downcastable : std::false_type {};
+template <typename Base, typename Derived>
+struct is_static_downcastable<Base,
+                              Derived,
+                              void_t<decltype(static_cast<Derived *>(std::declval<Base *>()))>>
+    : std::true_type {};
+
 /// Check if T looks like an input iterator
 template <typename T, typename = void>
 struct is_input_iterator : std::false_type {};
--- a/include/pybind11/pybind11.h
+++ b/include/pybind11/pybind11.h
@@ -2416,6 +2416,13 @@ public:
        rec.add_base(typeid(Base), [](void *src) -> void * {
            return static_cast<Base *>(reinterpret_cast<type *>(src));
        });
+        // Virtual inheritance means the base subobject is at a dynamic offset,
+        // so the reinterpret_cast shortcut in load_impl Case 2a is invalid.
+        // Force the MI path (implicit_casts) for correct pointer adjustment.
+        // Detection: static_cast<Derived*>(Base*) is ill-formed for virtual bases.
+        if PYBIND11_MAYBE_CONSTEXPR (!detail::is_static_downcastable<Base, type>::value) {
+            rec.multiple_inheritance = true;
+        }
    }

    template <typename Base, detail::enable_if_t<!is_base<Base>::value, int> = 0>
--- a/tests/test_smart_ptr.cpp
+++ b/tests/test_smart_ptr.cpp
@@ -553,10 +553,6 @@ TEST_SUBMODULE(smart_ptr, m) {
    py::class_<SftVirtDerived2, SftVirtDerived, std::shared_ptr<SftVirtDerived2>>(
        m, "SftVirtDerived2")
        .def(py::init<>(&SftVirtDerived2::create))
-        // TODO: Remove this once inherited methods work through virtual bases.
-        //       Without it, d2.name() segfaults because pybind11 uses an incorrect
-        //       pointer offset when dispatching through the virtual inheritance chain.
-        .def("name", &SftVirtDerived2::name)
        .def("call_name", &SftVirtDerived2::call_name, py::arg("d2"));

    // test_move_only_holder