Contracts programming for C++20

Contracts programming for C++20

Current proposal status

J. Daniel Garcia

ARCOS Group
University Carlos III of Madrid
Spain

February 27, 2018

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 1/55

Contracts programming for C++20

Warning

c This work is under Attribution-NonCommercial-

NoDerivatives 4.0 International (CC BY-NC-ND 4.0)
license.
You are free to Share — copy and redistribute the ma-
terial in any medium or format.
b You must give appropriate credit, provide a link to the
license, and indicate if changes were made. You may
do so in any reasonable manner, but not in any way that
suggests the licensor endorses you or your use.
e You may not use the material for commercial purposes.
d If you remix, transform, or build upon the material, you
may not distribute the modified material.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 2/55

Contracts programming for C++20

Who am I?

A C++ programmer.
Started writing C++ code in 1989.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 3/55

Contracts programming for C++20

Who am I?

A C++ programmer.
Started writing C++ code in 1989.

A university professor in Computer Architecture.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 3/55

Contracts programming for C++20

Who am I?

A C++ programmer.
Started writing C++ code in 1989.

A university professor in Computer Architecture.

A ISO C++ language standards committee member.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 3/55

Contracts programming for C++20

Who am I?

A C++ programmer.
Started writing C++ code in 1989.

A university professor in Computer Architecture.

A ISO C++ language standards committee member.

My goal: Improve applications programming.

Performance → faster applications.
Energy efficiency → better performance per Watt.
Maintainability → easier to modify.
Reliability → safer components.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 3/55

Contracts programming for C++20

ARCOS@uc3m
UC3M: A young international research oriented university.
ARCOS: An applied research group.
Lines: High Performance Computing, Big data,
Cyberphysical systems, Programming Models for
Applications Improvement.
Improving applications:
REPARA: Reengineering and Enabling Performance and
poweR of Applications. FP7-ICT (2013–2016).
RePhrase: REfactoring Parallel Heterogeneous Resource
Aware Applications. H2020-ICT (2015–2018).
ASPIDE: exAScale ProgrammIng models for extreme Data
procEssing. H2020-FET-HPC (2018–2020).
Standardization:
ISO/IEC JTC/SC22/WG21. ISO C++ Committee.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 4/55
Contracts programming for C++20
A brief history of contracts

1 A brief history of contracts

2 Introduction

3 Contracts in C++

4 Contract checking

5 Contracts on interfaces

6 Summary

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 5/55

Contracts programming for C++20
A brief history of contracts

Why are we here?

Because we are concerned about writing correct software.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 6/55

Contracts programming for C++20
A brief history of contracts

Why are we here?

Because we are concerned about writing correct software.

Isn’t a library solution enough?

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 6/55

Contracts programming for C++20
A brief history of contracts

Why are we here?

Because we are concerned about writing correct software.

Isn’t a library solution enough?

We already tried that!
Compilers and static analyzers do not understand that
approach.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 6/55

Contracts programming for C++20
A brief history of contracts

Why are we here?

Because we are concerned about writing correct software.

Isn’t a library solution enough?

We already tried that!
Compilers and static analyzers do not understand that
approach.

What did others do?

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 6/55

Contracts programming for C++20
A brief history of contracts

Why are we here?

Because we are concerned about writing correct software.

Isn’t a library solution enough?

We already tried that!
Compilers and static analyzers do not understand that
approach.

What did others do?

Several language solutions out there (D, Ada, C#).

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 6/55

Contracts programming for C++20
A brief history of contracts

Contracts in C++

First proposal for contracts programming in 2005.

N1613: Proposal to add Design by Contract to C++.
Throsten Ottosen.
Died during the C++0x process.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 7/55

Contracts programming for C++20
A brief history of contracts

Contracts in C++

First proposal for contracts programming in 2005.

N1613: Proposal to add Design by Contract to C++.
Throsten Ottosen.
Died during the C++0x process.

Next attempt in 2013.

N3604: Centralized Defensive-Programming Support for
Narrow Contracts. John Lakos, Alexei Zakharov.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 7/55

Contracts programming for C++20
A brief history of contracts

Current contracts effort

2014:Multiple proposals on contracts programming.

Discussions in the standards committee.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 8/55

Contracts programming for C++20
A brief history of contracts

Current contracts effort

2014:Multiple proposals on contracts programming.

Discussions in the standards committee.

2016: Joint proposal trying to consider trade-offs.

Gabriel Dos Reis, J. Daniel Garcia, John Lakos, Alisdair

Meredith, Nathan Myers, Bjarne Stroustrup.

Targeting C++20.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 8/55

Contracts programming for C++20
Introduction

1 A brief history of contracts

2 Introduction

3 Contracts in C++

4 Contract checking

5 Contracts on interfaces

6 Summary

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 9/55

Contracts programming for C++20
Introduction

Correctness and Robustness

In the design of a library there is a tension between two

related properties: robustness and correctness.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 10/55

Contracts programming for C++20
Introduction

Correctness and Robustness

In the design of a library there is a tension between two

related properties: robustness and correctness.

Correctness → Degree to which a software component

matches its specification.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 10/55

Contracts programming for C++20
Introduction

Correctness and Robustness

In the design of a library there is a tension between two

related properties: robustness and correctness.

Correctness → Degree to which a software component

matches its specification.
Robustness → Ability of a software component to react
appropriately to abnormal conditions.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 10/55

Contracts programming for C++20
Introduction

Correctness and Robustness

In the design of a library there is a tension between two

related properties: robustness and correctness.

Correctness → Degree to which a software component

matches its specification.
Robustness → Ability of a software component to react
appropriately to abnormal conditions.

Today many libraries use a single feature for managing

both properties: exception handling.
We need to revisit this approach!

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 10/55

Contracts programming for C++20
Introduction

Exceptions in use

When a failure happens, we use exceptions as an error

reporting mechanism.
Notify that an error has occurred and needs to be handled.
We decouple error identification from error handling.
Example: Throwing bad_alloc.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 11/55

Contracts programming for C++20
Introduction

Exceptions in use

When a failure happens, we use exceptions as an error

reporting mechanism.
Notify that an error has occurred and needs to be handled.
We decouple error identification from error handling.
Example: Throwing bad_alloc.
When library detects an assumption was not met, it needs
a mechanism to react.
Assumption not met ⇒ contract violation.
What do we do on contract violations?
Ignore reality → Do not call me!
Document.
Throw exceptions.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 11/55

Contracts programming for C++20
Introduction

Exceptions in use

When a failure happens, we use exceptions as an error

reporting mechanism.
Notify that an error has occurred and needs to be handled.
We decouple error identification from error handling.
Example: Throwing bad_alloc.
When library detects an assumption was not met, it needs
a mechanism to react.
Assumption not met ⇒ contract violation.
What do we do on contract violations?
Ignore reality → Do not call me!
Document.
Throw exceptions.
Robustness and correctness are orthogonal properties
and should be managed independently.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 11/55
Contracts programming for C++20
Introduction

Robustness in the C++ standard library

Robustness: Identification and handling of abnormal

situations.
Those situations occur in completely correct programs.
Example: Failure to allocate memory.
Is end of file a robustness issue?

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 12/55

Contracts programming for C++20
Introduction

Robustness in the C++ standard library

Robustness: Identification and handling of abnormal

situations.
Those situations occur in completely correct programs.
Example: Failure to allocate memory.
Is end of file a robustness issue?

The C++ standard library identifies those cases by

specifying
i the condition firing the situation.
ii the exception that will be thrown to notify.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 12/55

Contracts programming for C++20
Introduction

Robustness in the C++ standard library

Robustness: Identification and handling of abnormal

situations.
Those situations occur in completely correct programs.
Example: Failure to allocate memory.
Is end of file a robustness issue?

The C++ standard library identifies those cases by

specifying
i the condition firing the situation.
ii the exception that will be thrown to notify.

T * allocator<T>::allocate(std::size_t n);
Throws: bad_alloc if storage cannot be obtained.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 12/55

Contracts programming for C++20
Introduction

Correctness and contracts

Correctness → Finding programming errors.

Yes! Sometimes we write incorrect software.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 13/55

Contracts programming for C++20
Introduction

Correctness and contracts

Correctness → Finding programming errors.

Yes! Sometimes we write incorrect software.
Who’s guilty?
A contract violation happens because:
A caller does not fulfil the expectations before calling a
function.
A callee does not fulfill what should be ensured after its
own execution.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 13/55

Contracts programming for C++20
Introduction

Correctness and contracts

Correctness → Finding programming errors.

Yes! Sometimes we write incorrect software.
Who’s guilty?
A contract violation happens because:
A caller does not fulfil the expectations before calling a
function.
A callee does not fulfill what should be ensured after its
own execution.
A key difference:
A program failure is usually due to external conditions and
cannot be avoided.
A contract violation should never happen in a correct
program.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 13/55
Contracts programming for C++20
Introduction

Correctness in the C++ standard library

From the standard:

Violation of the preconditions specified in a function’s Requires:
paragraph results in undefined behavior unless the functions
Throws: paragraph specifies throwing an exception when the
precondition is violated.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 14/55

Contracts programming for C++20
Introduction

Correctness in the C++ standard library

From the standard:

Violation of the preconditions specified in a function’s Requires:
paragraph results in undefined behavior unless the functions
Throws: paragraph specifies throwing an exception when the
precondition is violated.

In practice, there are two approaches in the standard

library:
Do nothing → Undefined behaviour.
Notify → Throw an exception.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 14/55

Contracts programming for C++20
Contracts in C++

1 A brief history of contracts

2 Introduction

3 Contracts in C++

4 Contract checking

5 Contracts on interfaces

6 Summary

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 15/55

Contracts programming for C++20
Contracts in C++

What is a contract?

A contract is the set of preconditions, postconditions

and assertions associated to a function.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 16/55

Contracts programming for C++20
Contracts in C++

What is a contract?

A contract is the set of preconditions, postconditions

and assertions associated to a function.

Precondition: What are the expectations of the function?

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 16/55

Contracts programming for C++20
Contracts in C++

What is a contract?

A contract is the set of preconditions, postconditions

and assertions associated to a function.

Precondition: What are the expectations of the function?

Postconditions: What must the function ensure upon

termination?

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 16/55

Contracts programming for C++20
Contracts in C++

What is a contract?

A contract is the set of preconditions, postconditions

and assertions associated to a function.

Precondition: What are the expectations of the function?

Postconditions: What must the function ensure upon

termination?

Assertions: What predicates must be satisfied in specific

locations of a function body?

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 16/55

Contracts programming for C++20
Contracts in C++

Expectations

Precondition
A predicate that should hold upon entry into a function.
It expresses a function’s expectation on its arguments
and/or the state of objects that may be used by the function.
Expressed by attribute expects.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 17/55

Contracts programming for C++20
Contracts in C++

Expectations

Precondition
A predicate that should hold upon entry into a function.
It expresses a function’s expectation on its arguments
and/or the state of objects that may be used by the function.
Expressed by attribute expects.
double sqrt(double x) [[expects: x>0]];

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 17/55

Contracts programming for C++20
Contracts in C++

Expectations

Precondition
A predicate that should hold upon entry into a function.
It expresses a function’s expectation on its arguments
and/or the state of objects that may be used by the function.
Expressed by attribute expects.
double sqrt(double x) [[expects: x>0]];

class queue {
// ...
void push(const T & x) [[expects: ! full () ]];
// ...
};

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 17/55

Contracts programming for C++20
Contracts in C++

Expectations

Precondition
A predicate that should hold upon entry into a function.
It expresses a function’s expectation on its arguments
and/or the state of objects that may be used by the function.
Expressed by attribute expects.
double sqrt(double x) [[expects: x>0]];

class queue {
// ...
void push(const T & x) [[expects: ! full () ]];
// ...
};

Preconditions use a modified attribute syntax.

The expectation is part of the function declaration.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 17/55
Contracts programming for C++20
Contracts in C++

Assurances

Postcondition
A predicate that should hold upon exit from a function.
It expresses the conditions that a function should ensure for
the return value and/or the state of objects that may be
used by the function.
Postconditions are expressed by ensures attributes.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 18/55

Contracts programming for C++20
Contracts in C++

Assurances

Postcondition
A predicate that should hold upon exit from a function.
It expresses the conditions that a function should ensure for
the return value and/or the state of objects that may be
used by the function.
Postconditions are expressed by ensures attributes.

double sqrt(double x)
[[ expects: x>=0]]
[[ ensures result: result >=0]];

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 18/55

Contracts programming for C++20
Contracts in C++

Assurances

Postcondition
A predicate that should hold upon exit from a function.
It expresses the conditions that a function should ensure for
the return value and/or the state of objects that may be
used by the function.
Postconditions are expressed by ensures attributes.

double sqrt(double x)
[[ expects: x>=0]]
[[ ensures result: result >=0]];

Postconditions may introduce a name for the result of the

function.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 18/55

Contracts programming for C++20
Contracts in C++

Assertions

Assertions
A predicate that should hold at its point in a function body.
It expresses the conditions that must be satisfied, on
objects that are accessible at its point in a body.
Assertions are expressed by assert attributes.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 19/55

Contracts programming for C++20
Contracts in C++

Assertions

Assertions
A predicate that should hold at its point in a function body.
It expresses the conditions that must be satisfied, on
objects that are accessible at its point in a body.
Assertions are expressed by assert attributes.
double add_distances(const std::vector<double> & v)
[[ expects r: r>=0.0]]
{
double r = 0.0;
for (auto x : v) {
[[ assert: x >= 0.0]];
r += x;
}
return r ;
}
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 19/55
Contracts programming for C++20
Contracts in C++

Effect of contracts

A contract has no observable effect on a correct program

(except performance).
The only semantic effect of a contract happens if it is
violated.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 20/55

Contracts programming for C++20
Contracts in C++

Effect of contracts

A contract has no observable effect on a correct program

(except performance).
The only semantic effect of a contract happens if it is
violated.

Why do we use attributes syntax?

Contract may be checked or not.
Attributes are not part of function type.
However, contracts are not an optional feature.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 20/55

Contracts programming for C++20
Contracts in C++

Effect of contracts

A contract has no observable effect on a correct program

(except performance).
The only semantic effect of a contract happens if it is
violated.

Why do we use attributes syntax?

Contract may be checked or not.
Attributes are not part of function type.
However, contracts are not an optional feature.

Contracts checking and corresponding effects depend on

build system settings.
Default: Contract violation ⇒ Program termination.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 20/55

Contracts programming for C++20
Contracts in C++

Repeating a contract

Any redeclaration of a function has either the same

contract or completely omits the contract.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 21/55

Contracts programming for C++20
Contracts in C++

Repeating a contract

Any redeclaration of a function has either the same

contract or completely omits the contract.
int f ( int x)
[[ expects: x>0]]
[[ ensures r: r >0]];

int f ( int x) ; // OK. No contract.

int f ( int x)
[[ expects: x>=0]]; // Error missing ensures and different expects

int f ( int x)
[[ expects: x>0]]
[[ ensures r: r >0]]; // OK. Same contract.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 21/55
Contracts programming for C++20
Contracts in C++

Repeating a contract

But argument names may differ.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 22/55

Contracts programming for C++20
Contracts in C++

Repeating a contract

But argument names may differ.

int f ( int x)
[[ expects: x>0]]
[[ ensures r: r >0]];

int f ( int y)
[[ expects: y>0]]
[[ ensures z: z >0]];

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 22/55

Contracts programming for C++20
Contract checking

1 A brief history of contracts

2 Introduction

3 Contracts in C++

4 Contract checking

5 Contracts on interfaces

6 Summary

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 23/55

Contracts programming for C++20
Contract checking

Assertion level

Every contract expression has an associated assertion

level.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 24/55

Contracts programming for C++20
Contract checking

Assertion level

Every contract expression has an associated assertion

level.
Contract levels: always, default, audit, axiom.
Checks will be effectively performed depending on build
mode.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 24/55

Contracts programming for C++20
Contract checking

Assertion level

Every contract expression has an associated assertion

level.
Contract levels: always, default, audit, axiom.
Checks will be effectively performed depending on build
mode.

Default level can be omitted.

void f (element & x) [[ expects: x.valid () ]];
void g(element & x) [[ expects default: x.valid () ]];

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 24/55

Contracts programming for C++20
Contract checking

Assertion level

Every contract expression has an associated assertion

level.
Contract levels: always, default, audit, axiom.
Checks will be effectively performed depending on build
mode.

Default level can be omitted.

void f (element & x) [[ expects: x.valid () ]];
void g(element & x) [[ expects default: x.valid () ]];

Cost of default checking is expected to be small compared

to function execution.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 24/55

Contracts programming for C++20
Contract checking

Audit checks

An audit assertion level is expected to be used in cases

where the cost of a run-time check is assumed to be large
compared to function execution.
Or at least significant.

template <typename It, typename T>

bool binary_search(It first , It last , const T & x)
[[ expects audit: is_sorted( first , last ) ]];

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 25/55

Contracts programming for C++20
Contract checking

Axiom checks

An axiom assertion level is expected to be used in cases

where the run-time check will never be performed.
Still they need to be valid C++.
They are formal comments for humans and/or static
analyzers.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 26/55

Contracts programming for C++20
Contract checking

Axiom checks

An axiom assertion level is expected to be used in cases

where the run-time check will never be performed.
Still they need to be valid C++.
They are formal comments for humans and/or static
analyzers.

template <typename InputIterator>

InputIterator my_algorithm(InputIterator first , InputIterator last )
[[ expects axiom: first != last && reachable(first , last ) ]];

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 26/55

Contracts programming for C++20
Contract checking

Axiom checks

An axiom assertion level is expected to be used in cases

where the run-time check will never be performed.
Still they need to be valid C++.
They are formal comments for humans and/or static
analyzers.

template <typename InputIterator>

InputIterator my_algorithm(InputIterator first , InputIterator last )
[[ expects axiom: first != last && reachable(first , last ) ]];

Axioms are not evaluated.

They may contain calls to declared but undefined functions.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 26/55

Contracts programming for C++20
Contract checking

Always checks

An always assertion level is expected to be used in cases

where the run-time check is so critical that it should never
be switched off.
It should be used only exceptionally.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 27/55

Contracts programming for C++20
Contract checking

Build levels

Every translation is performed in a build level:

off: No run-time checking is performed.
default: Checks with default levels are checked.
audit: Checks with default and audit levels are checked.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 28/55

Contracts programming for C++20
Contract checking

Build levels

Every translation is performed in a build level:

off: No run-time checking is performed.
default: Checks with default levels are checked.
audit: Checks with default and audit levels are checked.

How do you select the build level:

No way of selecting in source code.
An option from your compiler.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 28/55

Contracts programming for C++20
Contract checking

Contract checking

If a function has multiple preconditions or postconditions

that would be checked, their evaluation will be performed
in the order they appear

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 29/55

Contracts programming for C++20
Contract checking

Contract checking

If a function has multiple preconditions or postconditions

that would be checked, their evaluation will be performed
in the order they appear

void f ( int ∗ p)
[[ expects: p!=nullptr]]
[[ expects: ∗p == 0]] // Only checked when p!=nullptr
{
∗p = 1;
}

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 29/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.
A contract violation handler is the function to be called
when a contract is broken.
Function with specific signature.
void (const std:: contract_violation &);

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.
A contract violation handler is the function to be called
when a contract is broken.
Function with specific signature.
void (const std:: contract_violation &);

If you do not supply a handler, the default is std::abort().

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.
A contract violation handler is the function to be called
when a contract is broken.
Function with specific signature.
void (const std:: contract_violation &);

If you do not supply a handler, the default is std::abort().

If you want to supply a handler:

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.
A contract violation handler is the function to be called
when a contract is broken.
Function with specific signature.
void (const std:: contract_violation &);

If you do not supply a handler, the default is std::abort().

If you want to supply a handler:
No way of setting through source code.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.
A contract violation handler is the function to be called
when a contract is broken.
Function with specific signature.
void (const std:: contract_violation &);

If you do not supply a handler, the default is std::abort().

If you want to supply a handler:
No way of setting through source code.
No way of asking which is current handler.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.
A contract violation handler is the function to be called
when a contract is broken.
Function with specific signature.
void (const std:: contract_violation &);

If you do not supply a handler, the default is std::abort().

If you want to supply a handler:
No way of setting through source code.
No way of asking which is current handler.
An option in your compiler to supply it.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55

Contracts programming for C++20
Contract checking

Contract violation handlers

A translation unit has an associated contract violation

handler.
A contract violation handler is the function to be called
when a contract is broken.
Function with specific signature.
void (const std:: contract_violation &);

If you do not supply a handler, the default is std::abort().

If you want to supply a handler:
No way of setting through source code.
No way of asking which is current handler.
An option in your compiler to supply it.
Security sensitive systems may prevent arbitrary
handlers.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 30/55
Contracts programming for C++20
Contract checking

Information for the handler

Function with specific signature.

void (const std:: contract_violation &);

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 31/55

Contracts programming for C++20
Contract checking

Information for the handler

Function with specific signature.

void (const std:: contract_violation &);

Minimum information inf contract_violation:

class contract_violation {
public:
int line_number() const noexcept;
string_view file_name() const noexcept;
string_view function_name() const noexcept;
string_view comment() const noexcept;
};

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 31/55

Contracts programming for C++20
Contract checking

Information for the handler

Function with specific signature.

void (const std:: contract_violation &);

Minimum information inf contract_violation:

class contract_violation {
public:
int line_number() const noexcept;
string_view file_name() const noexcept;
string_view function_name() const noexcept;
string_view comment() const noexcept;
};

Might get simplified by

std::experimental::source_location.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 31/55
Contracts programming for C++20
Contract checking

What happens after the violation handler?

Two basic options:

Program finishes execution.
Program resumes execution.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 32/55

Contracts programming for C++20
Contract checking

What happens after the violation handler?

Two basic options:

Program finishes execution.
Program resumes execution.

An option in your compiler to select continuation mode:

off: Do not resume execution.
Default option.
on: Resume execution.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 32/55

Contracts programming for C++20
Contract checking

What happens after the violation handler?

Two basic options:

Program finishes execution.
Program resumes execution.

An option in your compiler to select continuation mode:

off: Do not resume execution.
Default option.
on: Resume execution.

But remember:

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 32/55

Contracts programming for C++20
Contract checking

What happens after the violation handler?

Two basic options:

Program finishes execution.
Program resumes execution.

An option in your compiler to select continuation mode:

off: Do not resume execution.
Default option.
on: Resume execution.

But remember:
No way of setting through source code.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 32/55

Contracts programming for C++20
Contract checking

What happens after the violation handler?

Two basic options:

Program finishes execution.
Program resumes execution.

An option in your compiler to select continuation mode:

off: Do not resume execution.
Default option.
on: Resume execution.

But remember:
No way of setting through source code.
No way of asking which is current mode.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 32/55

Contracts programming for C++20
Contract checking

Why do we want to continue?

Gradual introduction of contracts.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 33/55

Contracts programming for C++20
Contract checking

Why do we want to continue?

Gradual introduction of contracts.

Testing the contracts themselves.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 33/55

Contracts programming for C++20
Contract checking

Why do we want to continue?

Gradual introduction of contracts.

Testing the contracts themselves.

Plugin management.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 33/55

Contracts programming for C++20
Contract checking

Continuation mode and optimizations

Assertion information may be used by optimizers.

[[ assert: ptr !=nullptr ]];

// ...
if ( ptr !=nullptr) { // Can be optimized out
do_stuff () ;
}

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 34/55

Contracts programming for C++20
Contract checking

Continuation mode and optimizations

Assertion information may be used by optimizers.

[[ assert: ptr !=nullptr ]];

// ...
if ( ptr !=nullptr) { // Can be optimized out
do_stuff () ;
}

If continuation mode is off, then if is never reached.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 34/55

Contracts programming for C++20
Contract checking

Continuation mode and optimizations

Assertion information may be used by optimizers.

[[ assert: ptr !=nullptr ]];

// ...
if ( ptr !=nullptr) { // Can be optimized out
do_stuff () ;
}

If continuation mode is off, then if is never reached.

If continuation mode is on, then if would be reached.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 34/55

Contracts programming for C++20
Contract checking

Continuation mode and optimizations

Assertion information may be used by optimizers.

[[ assert: ptr !=nullptr ]];

// ...
if ( ptr !=nullptr) { // Can be optimized out
do_stuff () ;
}

If continuation mode is off, then if is never reached.

If continuation mode is on, then if would be reached.
But the if might get optimized out!

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 34/55

Contracts programming for C++20
Contract checking

Continuation mode and optimizations

Assertion information may be used by optimizers.

[[ assert: ptr !=nullptr ]];

// ...
if ( ptr !=nullptr) { // Can be optimized out
do_stuff () ;
}

If continuation mode is off, then if is never reached.

If continuation mode is on, then if would be reached.
But the if might get optimized out!
Continuation after violation is technically undefined
behavior.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 34/55

Contracts programming for C++20
Contract checking

Contracts and noexcept

What happens to noexcept function if its contract is

broken?
With continuation mode set to off program finishes.
With continuation mode set to on program resumes.
But, what if the handler throws an exception’
Program invokes terminate() as-if an exception was thrown
inside functions.

void f ( int x) [[ expects: x > 0]];

void g() {
f(−1); // Invokes terminate if handler throws
}

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 35/55

Contracts programming for C++20
Contracts on interfaces

1 A brief history of contracts

2 Introduction

3 Contracts in C++

4 Contract checking

5 Contracts on interfaces

6 Summary

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 36/55

Contracts programming for C++20
Contracts on interfaces

Repeating a contract

Any redeclaration of a function has either the same

contract or completely omits the contract.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 37/55

Contracts programming for C++20
Contracts on interfaces

Repeating a contract

Any redeclaration of a function has either the same

contract or completely omits the contract.
int f ( int x)
[[ expects: x>0]]
[[ ensures r: r >0]];

int f ( int x) ; // OK. No contract.

int f ( int x)
[[ expects: x>=0]]; // Error missing ensures and different expects

int f ( int x)
[[ expects: x>0]]
[[ ensures r: r >0]]; // OK. Same contract.
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 37/55
Contracts programming for C++20
Contracts on interfaces

Preconditions on functions

The expression of a precondition from a function may use:

The function’s arguments.
Any non-local object.

constexpr int max = 100;

std :: string name{"Daniel"};

bool f( int x, std :: string s)

[[ expects: x>0]] // OK. x is an argument.
[[ expects: x<max]] // OK max is non−local
[[ expects: s.length() >0]] // OK. s is an argument
[[ expects: s!=name]]; // OK. name is non−local

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 38/55

Contracts programming for C++20
Contracts on interfaces

Preconditions on constexpr functions

The expression of a precondition from a constexpr

function may use:
The function’s arguments.
Any non-local object that is constexpr.
but it cannot access non-local objects that are not
constexpr.

constexpr int max = 100;

std :: string name{"Daniel"};

constexpr bool f(int x, std :: string s)

[[ expects: x>0]] // OK. x is an argument.
[[ expects: x<max]] // OK max is constexpr
[[ expects: s.length() >0]] // OK. s is an argument
[[ expects: s!=name]]; // Error name is a non−local variable

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 39/55

Contracts programming for C++20
Contracts on interfaces

Modifications in contracts

A program with a contract expression that performs an

observable modification of an object is ill-formed.
Your compiler might give a diagnostic.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 40/55

Contracts programming for C++20
Contracts on interfaces

Modifications in contracts

A program with a contract expression that performs an

observable modification of an object is ill-formed.
Your compiler might give a diagnostic.

int f ( int x)
[[ expects: x++ > 0]] // Error
[[ ensures r: r == ++x]]; // Error

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 40/55

Contracts programming for C++20
Contracts on interfaces

Modified arguments and postconditions

If a postcondition uses an argument and the function body

modifies that value, the program is ill-formed.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 41/55

Contracts programming for C++20
Contracts on interfaces

Modified arguments and postconditions

If a postcondition uses an argument and the function body

modifies that value, the program is ill-formed.
int f ( int x)
[[ ensures r: r==x]
{
return ++x; // Error x used in postcondition
}

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 41/55

Contracts programming for C++20
Contracts on interfaces

Modified arguments and postconditions

If a postcondition uses an argument and the function body

modifies that value, the program is ill-formed.
int f ( int x)
[[ ensures r: r==x]
{
return ++x; // Error x used in postcondition
}

Workaround:
int f ( int x) {
int oldx = x;
auto r = ++x;
[[ assert: r==oldx ]];
}
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 41/55
Contracts programming for C++20
Contracts on interfaces

But you con modify pointer contents

A pointer value is different from the pointed value.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 42/55

Contracts programming for C++20
Contracts on interfaces

But you con modify pointer contents

A pointer value is different from the pointed value.

void f ( int ∗ ptr )

[[ ensures: ptr!=nullptr ]]
{
∗ptr = 42
}

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 42/55

Contracts programming for C++20
Contracts on interfaces

Contracts in templated function

The expression of a contract from a function template or a

member function of a class template may use the template
arguments.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 43/55

Contracts programming for C++20
Contracts on interfaces

Contracts in templated function

The expression of a contract from a function template or a

member function of a class template may use the template
arguments.

template <typename T, int size>

class table {
public:
// ...
T & operator[](int i )
[[ expects: 0<=i && i<size]];
};

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 43/55

Contracts programming for C++20
Contracts on interfaces

Contracts and visibility

The contract from a public function shall not use members

from protected or private interfaces.
The contract from a protected function shall not use
members from private interface.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 44/55

Contracts programming for C++20
Contracts on interfaces

Contracts and visibility

The contract from a public function shall not use members

from protected or private interfaces.
The contract from a protected function shall not use
members from private interface.
template <typename T>
class table {
public:
// ...
T & operator[](int i )
[[ expects: 0<=i && i<size_]]; // Error . size_ is private

private:
// ...
int size_;
};
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 44/55
Contracts programming for C++20
Contracts on interfaces

Contracts and function pointers

A function pointer shall not include a contract.

A call through a function pointer to functions with a contract
shall perform contract assertions checking once.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 45/55

Contracts programming for C++20
Contracts on interfaces

Contracts and function pointers

A function pointer shall not include a contract.

A call through a function pointer to functions with a contract
shall perform contract assertions checking once.

using fpt = int (∗) ( int x)

[[ expects: x>=0]]
[[ ensures r: r >0]]; // Error .

int g(int x) [[ expects: x>=0]] [[ ensures r: r>0]]

{
return x+1;
}

int (∗pf) ( int ) = g; // OK

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 45/55

Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
But the contract may be omitted in the overridden function.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 46/55

Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
But the contract may be omitted in the overridden function.
struct B {
public:
virtual void f ( int x) [[ expects: x>0]];
// ...
};

struct D : public B {
public:
virtual void f ( int x) override; // OK. expects: x>0
// ...
};
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 46/55
Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
Or it may be repeated.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 47/55

Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
Or it may be repeated.
struct B {
public:
virtual void f ( int x) [[ expects: x>0]];
// ...
};

struct D : public B {
public:
virtual void f ( int x) override [[expects: x>0]]; // OK
// ...
};
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 47/55
Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
But the contract cannot be changed.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 48/55

Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
But the contract cannot be changed.
struct B {
public:
virtual void f ( int x) [[ expects: x>0]];
// ...
};

struct D : public B {
public:
virtual void f ( int x) override [[expects: x!=0]]; // Error
// ...
};
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 48/55
Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
And it cannot be added.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 49/55

Contracts programming for C++20
Contracts on interfaces

Contracts and inheritance

An overriding function shall have exactly the same

contract that was declared for that function in the base
class.
And it cannot be added.
struct B {
public:
virtual void f ( int x) ;
// ...
};

struct D : public B {
public:
virtual void f ( int x) override [[expects: x>0]]; // Error .
// ...
};
cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 49/55
Contracts programming for C++20
Contracts on interfaces

Precondition weakening

Precondition weakening is not supported.

But can be simulated.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 50/55

Contracts programming for C++20
Contracts on interfaces

Precondition weakening

Precondition weakening is not supported.

But can be simulated.

class A { class B : public A {

pubic: pubic:
// ... // ...
virtual void f ( int x) virtual void f ( int x) override
[[ expects: x>0]] [[ expects: x>0]]
{ {
[[ assert: x<max]]; // ...
// .. }
} };
};

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 50/55

Contracts programming for C++20
Contracts on interfaces

Postcondition strengthening

Postcondition strengthening is not supported.

but can be simulated.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 51/55

Contracts programming for C++20
Contracts on interfaces

Postcondition strengthening

Postcondition strengthening is not supported.

but can be simulated.

class A { class B : public A {

pubic: pubic:
// ... // ...
virtual int g() virtual int g() override
[[ ensures r: r>=0]] [[ ensures r: r>=0]]
{ {
// .. // ...
} [[ assert: result <max]];
}; return result ;
}
};

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 51/55

Contracts programming for C++20
Summary

1 A brief history of contracts

2 Introduction

3 Contracts in C++

4 Contract checking

5 Contracts on interfaces

6 Summary

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 52/55

Contracts programming for C++20
Summary

Summary

Robustness and correctness are orthogonal properties.

Use exceptions for robustness.
Use contracts for correctness.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 53/55

Contracts programming for C++20
Summary

Summary

Robustness and correctness are orthogonal properties.

Use exceptions for robustness.
Use contracts for correctness.

Preconditions and postconditions are part of the

function’s interface.
Assertions are part of funciont implementation.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 53/55

Contracts programming for C++20
Summary

Summary

Robustness and correctness are orthogonal properties.

Use exceptions for robustness.
Use contracts for correctness.

Preconditions and postconditions are part of the

function’s interface.
Assertions are part of funciont implementation.

The assertion level specifies under which build levels the

checking should happen.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 53/55

Contracts programming for C++20
Summary

Summary

Robustness and correctness are orthogonal properties.

Use exceptions for robustness.
Use contracts for correctness.

Preconditions and postconditions are part of the

function’s interface.
Assertions are part of funciont implementation.

The assertion level specifies under which build levels the

checking should happen.
Start today expressing your contracts using the GSL
support library.
https://github.com/Microsoft/GSL.

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 53/55

Contracts programming for C++20
Summary

Work in progress implementation

Prototype with initial implementation:

Supports expects, ensures, assert.
Does not support: templates/ensures, static member
functions, contructors, destructors . . .
Aborts on contract violation.

Maintainer: Javier LOPEZ-GOMEZ.

https://github.com/arcosuc3m/clang-contracts

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 54/55

Contracts programming for C++20
Summary

Contracts programming for C++20

Current proposal status

J. Daniel Garcia

ARCOS Group
University Carlos III of Madrid
Spain

February 27, 2018

cb e d – J. Daniel Garcia – ARCOS@UC3M ([email protected]) – Twitter: @jdgarciauc3m 55/55