Björn Fahller - Contracts

Programming with Contracts in C++20
Björn Fahller
Programming with Contracts in C++20 – C++onSea 2019 © Björn Fahller @bjorn_fahller 1/171
What is a contract?
contract
noun con·tract | \ˈkän-ˌtrakt \
Definition of contract
(Entry 1 of 3)
1:
a: binding agreement between two or more persons or parties - especially : one legally enforceable
// If he breaks the contract, he'll be sued.
b: a business arrangement for the supply of goods or services at a fixed price

// make parts on contract
c: the act of marriage or an agreement to marry
2: a document describing the terms of a contract

// Have you signed the contract yet?
3: the final bid to win a specified number of tricks in bridge
4: an order or arrangement for a hired assassin to kill someone

// His enemies put out a contract on him.
https:////w.merriam-webster.com/dictionary/contract
What is a contract?
contract In SW design:
A formalized agreement, regarding
program correctness, between a
(Entry 1 of 3)
user and the implementation of
1: a component.



What is a contract?
contract In SW design:
A formalized agreement, regarding
program correctness, between a
(Entry 1 of 3)
user and the implementation of
1: a component.



Contracts
●
Object-oriented Software
Construction
– Bertrand Meyer - 1988
– ISBN 978-0136290490
Contracts
●
Preconditions
●
Postconditions
●
Class invariants
Ringbuffer example
ringbuffer <int,12> b;
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
b.push_back(11);
b.push_back(13);
b.push_back(15);
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
b.push_back(11);
b.push_back(13);
b.push_back(15);
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
ringbuffer <int,12> b; 1
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
b.push_back(11);
b.push_back(13);
b.push_back(15);
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
2
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
b.push_back(11);
b.push_back(13);
b.push_back(15);
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
2
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
2
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
2
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
2
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
8
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
2
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
8
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
8
b.push_back(21);
b.push_back(23);
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
8
b.push_back(21);
b.push_back(23); 11
b.push_back(24);
Ringbuffer example
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
8
b.push_back(21);
b.push_back(23); 11
b.push_back(24); 13
Ringbuffer example
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
8
b.push_back(21);
b.push_back(23); 11
b.push_back(24); 15
13
Ringbuffer example
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
21
8
b.push_back(21);
b.push_back(23); 11
b.push_back(24); 15
13
Ringbuffer example
b.push_back(1);
b.push_back(2);
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
23
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
21
8
b.push_back(21);
b.push_back(23); 11
b.push_back(24); 15
13
Ringbuffer example
b.push_back(1);
b.push_back(2);
24
b.push_back(5);
b.pop_front(); // 1
b.push_back(8);
b.pop_front(); // 2
23
5
b.push_back(11);
b.push_back(13);
b.push_back(15);
21
8
b.push_back(21);
b.push_back(23); 11
b.push_back(24); 15
13
Ringbuffer example
template <typename T, int N>
class ringbuffer {
public:
ringbuffer();
int size() const;
void push_back(T);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
ringbuffer(); Precondition:
int size() const;
void push_back(T);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
the caller must fulfill
void push_back(T);
for the program to
be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const; A precondition may
refer to parameter values
or the objects state, An obligation that
or both the caller must fulfill
void push_back(T);
for the program to
be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
void push_back(T);
for the program to
be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
It almost never makes
sense to have a the caller must fulfill
void push_back(T); precondition on a for the program to
default constructor! be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
void push_back(T);
for the program to
be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
void push_back(T);
for the program to
Functions that query
be correct.
the state of an object
T pop_front(); rarely has any
preconditions.
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
void push_back(T);
for the program to
be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
Choose between:
int size() const;
Define behaviour when
full, or make not-full An obligation that
a precondition. the caller must fulfill
void push_back(T);
for the program to
be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
void push_back(T);
for the program to
// requires: size() < N be correct.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
void push_back(T);
for the program to
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
Choose between:
int size() const;
Define behaviour when
empty, or make not-empty An obligation that
a precondition. the caller must fulfill
void push_back(T);
for the program to
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
An obligation that
void push_back(T);
for the program to
T pop_front();
// requires: size() > 0
};
Ringbuffer example
class ringbuffer {
public:
ringbuffer(); Postcondition:
int size() const;
void push_back(T);
// requires: size() < N
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
A guarantee from
the implementation
void push_back(T);
regarding the effect
// requires: size() < N of a legal call.
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
A postcondition
int size() const; may refer to return value
or the objects state, or both,
sometimes dependent on A guarantee from
parameter values the implementation
void push_back(T);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
A guarantee from
the implementation
void push_back(T);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
// ensures: size() /= 0
int size() const;
A guarantee from
the implementation
void push_back(T);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
A guarantee from
the implementation
void push_back(T);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
A guarantee from
the implementation
void push_back(T);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
A guarantee from
the implementation
void push_back(T);
// ensures: size() /= old size()+1
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
A guarantee from
the implementation
void push_back(T t);
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
const T& back() const;
A guarantee from
the implementation
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
// requires: size() > 0 A guarantee from
the implementation
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
What/=
// ensures: size() if an
0 exception
int size() const; is thrown?
the implementation
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const; Postconditions handles
return. If an exception is
// requires: size() > 0 thrown, there is no A guarantee from
post condition. the implementation
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
the implementation
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
the implementation
// back() /= t
T pop_front();
// ensures: size() /= old size()-1
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
const T& front() const; the implementation
// back() /= t
T pop_front();
// return /= old front();
};
Ringbuffer example
class ringbuffer {
public:
int size() const;
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
It does not make sense

to//tryensures:
and express the returned
size() /= 0
value
int from theconst;
size() history of pushes
and
const pops
T& as a post
top() condition.
const;
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
ringbuffer(); Class invariant:

int size() const;
// ensures: size() > 0
const T& front() const;
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:

int size() const;
Something that is
// ensures: size() > 0 always* true for a
const T& front() const; valid instance
// requires: size() < N * outside public API
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:

// ensures: size() /= 0 A class invariant
int size() const; always refers to state,
const T& back() const; and must be true even
Something that is
// ensures: size() > 0 when exceptions are always* true for a
const T& front() const; thrown. valid instance
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
// invariant: size() /= 0 /& size() /= N
int size() const;
Something that is
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
// ensures: size() /= What
0 about a
int size() const; moved-from Something that is
const T& back() const; object?
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
ringbuffer(); Contracts and
// ensures: size() /= 0 templates
int size() const;
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public:
ringbuffer(); Contracts and
What about templates
int size() const;
specializations?
// back() /= t
T pop_front();
};
Ringbuffer example
class ringbuffer {
public: Contracts and
ringbuffer(); inheritance:
virtual int size() const = 0;
virtual const T& back() const = 0;
virtual const T& front() const = 0;
virtual void push_back(T t) = 0;
// back() /= t
virtual T pop_front() = 0;
};
Ringbuffer example
class ringbuffer {
virtual int size() const = 0; A subcontractor
// requires: size() > 0 may have more
virtual const T& front() const = 0; relaxed pre-
conditions
// back() /= t
};
Ringbuffer example
class ringbuffer {
virtual int size() const = 0; A subcontractor
// requires: size() > 0 may have more
virtual const T& front() const = 0; relaxed pre-
conditions
// ensures: size() /= old size()+1 and stricter post-
// back() /= t
conditions
};
Why bother?
Why bother?
1)It can make interfaces much clearer
Why bother?
1)It can make interfaces much clearer
2)It can make debugging much easier
Who dunnit?
guilty
client implementation
precondition
violation postcondition
invariant
Who dunnit?
Elementary,
Mr. Watson
guilty
precondition
invariant
Who dunnit?
guilty
precondition
invariant
Who dunnit?
guilty
precondition
invariant
Who dunnit?
guilty
precondition
invariant
Who dunnit?
guilty
precondition
invariant
Who dunnit?
guilty
precondition
invariant
Who dunnit?
guilty
precondition
invariant
Who dunnit?
Or you have
a bad contract!
guilty
precondition
invariant
Contracts in C++20
Contracts in C++20
Contracts in C++20
Description of
contract attribute
declarations and
semantics here
(4 pages)
Contracts in C++20
Description of
contract violation
handlers
Contracts in C++20
Meaning for
virtual functions
(1 paragraph)
Contracts in C++20
Contracts and
templates
(1 non-formative
sentence)
Contract attributes in C++20
9.11.4.1 Syntax [dcl.attr.contract.syn]
1# Contract attributes are used to specify preconditions, postconditions, and assertions for functions.
contract-attribute-specifier:
[ [ expects contract-levelopt : conditional-expression ] ]
[ [ ensures contract-levelopt identifieropt : conditional-expression ] ]
[ [ assert contract-levelopt : conditional-expression ] ]
contract-level:
default
audit
axiom
An ambiguity between a contract-level and an identifier is resolved in favor of contract-level.
http://eel.is/c/+draft/dcl.attr.contract#syn-1
contract-level:
default Pre condition
audit
axiom
contract-level: template <typename T>

default Pre condition void func(std/:unique_ptr<T> p)
audit [[ expects : p /= nullptr ]];
axiom

default Optional level void func(std/:unique_ptr<T> p)
audit [[ expects : p /= nullptr ]];
axiom

default Optional level void func(std/:unique_ptr<T> p)
audit [[ expects axiom : p /= nullptr ]];
axiom
contract-level:
default Post condition
audit
axiom
template <typename T>
contract-level: T prev(T v)
[[ expects : v > 0 ]]
audit
[[ ensures audit r : r + 1 /= v ]];
axiom
Name for
contract-attribute-specifier: return value
[ [ expects contract-levelopt : conditional-expression ] ] to use in
[ [ ensures contract-levelopt identifieropt : conditional-expression ] ] conditional
expression
template <typename T>
contract-level: T prev(T v)
[[ expects : v > 0 ]]
audit
[[ ensures audit r : r + 1 /= v ]];
axiom
contract-level:
default Generic
audit assertion
axiom
contract-level: for (auto p : pointers) {

default Generic [[ assert axiom: p /= nullptr ]];
audit assertion func(p);
axiom }
1# Contract attributes are usedThere are
to specify no
preconditions, postconditions, and assertions for functions.
contract-attribute-specifier: class invariants!

contract-level:
default
audit
axiom
Using C++20 contract attributes for ringbuffer
class ringbuffer {
public:
ringbuffer();
int size() const;
// back() /= t
T pop_front();
};
class ringbuffer {
public:
ringbuffer();
int size() const;
// back() /= t
T pop_front();
};
class ringbuffer {
public:
No support for
// invariant: size() /= 0 /& size() /= N class invariants,
ringbuffer(); so might as well
// ensures: size() /= 0 leave as comment.
int size() const;
// back() /= t
T pop_front();
};
class ringbuffer {
public:
ringbuffer();
int size() const;
// back() /= t
T pop_front();
};
class ringbuffer {
public:
ringbuffer()
[[ ensures: size() /= 0 ]];
int size() const;
// back() /= t
T pop_front();
};
class ringbuffer {
public:
// invariant: size() /= 0 /& size() < = N
ringbuffer()
int size() const;
<source>:6:15: error:
// requires: size() > 0 use of undeclared identifier 'size'
[[ push(T
void ensures:
t); size() /= 0 ]];
// back() /= t
T pop_front();
};
Using C++20 contractContract
attributes for ringbuffer
attributes are
class ringbuffer { declarations that can only
public: refer to identifiers seen
// invariant: size() /= 0 /& size() < =earlier.
N
ringbuffer()
int size() const;
<source>:6:15: error:
// requires: size() > 0 use of undeclared identifier 'size'
[[ push(T
void ensures:
t); size() /= 0 ]];
// back() /= t
T pop_front();
};
Using C++20 contractContract
attributes for ringbuffer
attributes are
class ringbuffer { declarations that can only
public: refer to identifiers seen
// invariant: size() /= 0 /& size() < =earlier.
N
int size() const;
ringbuffer()
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
const T& back() const
[[ expects: size() > 0 ]];
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
const T& front() const
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
// back() /= t
T pop_front();
// return /= old back();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
[[ expects: size() < N ]];
// back() /= t
T pop_front();
// return /= old back();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
// back() /= t
T pop_front();
};
class ringbuffer {
public: There is no way
// invariant: size() /= 0 /& size() /= N to refer to previous state
int size() const;
ringbuffer() so this cannot be
[[ ensures: size() /= 0 ]]; expressed!
void push_back(T t)
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
[[ expects: size() < N ]]
[[ ensures: size() > 0 ]]; // incremented
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
// back() /= t
T pop_front();
};
template <typename T, 6#
int IfN>a function has multiple preconditions, their evaluation (if any) will be
class ringbuffer { performed in the order they appear lexically. If a function has multiple
public: postconditions, their evaluation (if any) will be performed in the order they
// invariant: size()appear
/= 0lexically. [ Example:
/& size() /= N
int size() const;
ringbuffer() void f(int * p)
[[ ensures: size() /= [[expects:
0 ]]; p != nullptr]] // #1
const T& back() const [[ensures: *p == 1]] // #3
[[ expects: size() > 0[[expects:
]]; *p == 0]] // #2
{
[[ expects: size() > 0*p ]];= 1;
void push_back(T t) }
[[ expects: size() <— end
N ]];example ]
// http://eel.is/c/+draft/dcl.attr.contract#cond-6
back() /= t
T pop_front();
};
int IfN>a function has multiple preconditions, their evaluation (if any) will be
class ringbuffer { performed in the order they appear lexically. If a function has multiple
public: postconditions, their evaluation (if any) will be performed in the order they
// invariant: size()appear
/= 0lexically. [ Example:
/& size() /= N
int size() const;
ringbuffer() void f(int * p)
[[ ensures: size() /= [[expects:
0 ]]; p != nullptr]] // #1
const T& back() const [[ensures: *p == 1]] // #3
[[ expects: size() > 0[[expects:
]]; *p == 0]] // #2
{
[[ expects: size() > 0*p ]];= 1;
void push_back(T t) }
[[ expects: size() <— end
N ]];example ]
// http://eel.is/c/+draft/dcl.attr.contract#cond-6
back() /= t
T pop_front();
};
int IfN>a postcondition odr-uses ([basic.def.odr]) a parameter in its predicate
class ringbuffer { and the function body makes direct or indirect modifications of the value of
public: that parameter, the behavior is undefined. [ Example:
// invariant: size()int
/= 0 /& size()
f(int x) /= N
int size() const; [[ensures r: r == x]]
ringbuffer() {
[[ ensures: size() /= return
0 ]]; ++x; // undefined behavior
}
...
void push_back(T t) http://eel.is/c/+draft/dcl.attr.contract#cond-7
// back() /= t
T pop_front();
};
int IfN>a postcondition odr-uses ([basic.def.odr]) a parameter in its predicate
class ringbuffer { and the function body makes direct or indirect modifications of the value of
public: that parameter, the behavior is undefined. [ Example:
// invariant: size()int
/= 0 /& size() /= N
int size() const;
f(int x)
[[ensures r: r == x]]
So the validity
ringbuffer() { of the post condition
[[ ensures: size() /= return
0 ]]; ++x;
}
declaration depends on
// undefined behavior
[[ expects: size() > 0 ]]; how the function is
...
[[ expects: size() > 0 ]]; implemented
void push_back(T t) http://eel.is/c/+draft/dcl.attr.contract#cond-7
// back() /= t
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer() Potentially
const T& back() const dangerous
void push_back(T t)
[[ ensures: size() > 0 ]] // incremented
[[ ensures: back() /= t ]];
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
T pop_front();
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
T pop_front()
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
T pop_front()
};
class ringbuffer {
public:
int size() const;
ringbuffer()
void push_back(T t)
T pop_front()
[[ expects: size() > 0 ]]
[[ ensures: size() < N ]]; // decremented
};
class ringbuffer {
public:
int size() const;
ringbuffer()
[[ ensures: size() /= 0 ]]; Cannot express
[[ expects: size() > 0 ]]; condition with
const T& front() const previous state so
void push_back(T t)
might as well leave
[[ expects: size() < N ]] as comment
T pop_front()
[[ expects: size() > 0 ]]
[[ ensures: size() < N ]]; // decremented
};
Virtual functions and contracts in C++20
If an overriding function specifies contract conditions ([dcl.attr.contract]), it shall

specify the same list of contract conditions as its overridden functions; no
diagnostic is required if corresponding conditions will always evaluate to the
same value. Otherwise, it is considered to have the list of contract conditions
from one of its overridden functions; ...
http://eel.is/c/+draft/class.virtual#19


Function pointers and contracts in C++20
3 #[ Note: A function pointer cannot include contract conditions. [ Example:

typedef int (*fpt)(int) [[ensures r: r /= 0]];
// error: contract condition not on a function declaration
int g(int x) [[expects: x /= 0]] [[ensures r: r > x]]
{
return x+1;
}
int (*pf)(int) = g; // OK
int x = pf(5); // contract conditions of g are checked
— end example ] — end note ]

http://eel.is/c/+draft/dcl.attr.contract#cond-3
3 #[ Note: A function pointer cannot include contract conditions. [ Example:

int g(int x) [[expects: x /= 0]] [[ensures r: r > x]] In other words, it is
{
the responsibility of a function
return x+1;
implementation to enforce its
}
contracts, not the caller.
int (*pf)(int) = g; // OK
— end example ] — end note ]

Let’s explore!
https://github.com/arcosuc3m/clang-contracts
Fork from clang-6
http://fragata.arcos.inf.uc3m.es/#
3 #[ Note: A function
P1320R1 pointer
Allowing cannot
contract include
predicates contractdeclarations
on non-first conditions. [ Example:
Ville Voutilainen
int g(int struct
x) [[expects:
X { x /= 0]] [[ensures r: r > x]]
{
void f();
return x+1;
} };
void X/:f()
int (*pf)(int) = g; [[expects: foo]]
// OK
{
//.
— end example ]
} — end note ]
Policing contracts in C++20
3# A translation may be performed with one of the following build levels: off,
default, or audit. A translation with build level set to off performs no checking
for any contract. A translation with build level set to default performs checking
for default contracts. A translation with build level set to audit performs
checking for default and audit contracts. If no build level is explicitly selected,
the build level is default. The mechanism for selecting the build level is
implementation-defined. The translation of a program consisting of translation
units where the build level is not the same in all translation units is conditionally-
supported. There should be no programmatic way of setting, modifying, or
querying the build level of a translation unit.
http://eel.is/c/+draft/dcl.attr.contract#check-3
P1421r0 Assigning
for any contract. semantics
A translation withtobuild
different
levelContract Checking
set to default Statements
performs checking
for default contracts.
Andrzej Krzemieński
A translation with build level set to audit performs
the buildAllowing
level is different
default.levels
The mechanism for of
for different types selecting
contracts,the
e.g.build level is
audit on
preconditions, and off
implementation-defined. Theon translation
the others. of a program consisting of translation
3# A translation
3.7 may be performed with one of[defns.cond.supp]
the following build levels: off,
default, orconditionally-supported
audit. A translation with build level set to off performs no checking
programA
for any contract. construct that anwith
translation implementation
build levelis set
not required to support
to default performs checking
[ Note: Each implementation documents all conditionally-supported
for defaultconstructs
contracts. A translation with build level set to audit performs
that it does not support. — end note ]
http://eel.is/c/+draft/intro.defs#defns.cond.supp
Let’s explore!
Fork from clang-6
Let’s explore!
Fork from clang-6
-build-level=(off|default|audit)
When contracts are violated in C++20
5# The violation handler of a program is a function of type “noexceptopt function
of (lvalue reference to const std/:contract_violation) returning void”. The
violation handler is invoked when the predicate of a checked contract evaluates
to false (called a contract violation). There should be no programmatic way of
setting or modifying the violation handler. It is implementation-defined how the
violation handler is established for a program and how the
std/:contract_violation argument value is set, except as specified below. If a
precondition is violated, the source location of the violation is implementation-
defined. [ Note: Implementations are encouraged but not required to report the
caller site. — end note ] If a postcondition is violated, the source location of the
violation is the source location of the function definition. If an assertion is
violated, the source location of the violation is the source location of the
statement to which the assertion is applied.
violation handler
16.8.2 isClass
invoked when
contract_ the predicate[support.contract.cviol]
violation of a checked contract evaluates
to false (called a contract
namespace stdviolation).
{ There should be no programmatic way of
setting or modifying the violation handler. It{ is implementation-defined how the
class contract_violation
public:
std/:contract_ uint_least32_t
violation argument line_number()
value is set, const
except noexcept;
as specified below. If a
precondition is string_view file_name()
violated, the source const
location of noexcept;
the violation is implementation-
defined. [ Note:string_view
Implementations function_name() const noexcept;
are encouraged but not required to report the
string_view comment() const noexcept;
string_view assertion_level() const noexcept;
violation is the
}; source location of the function definition. If an assertion is
violated, the
} source location of the violation is the source location of the
http://eel.is/c/+draft/support.contract.cviol
Let’s explore!
Fork from clang-6
Let’s explore!
Fork from clang-6
-contract-violation-handler=function
A translation may be performed with one of the following violation
continuation modes: off or on. A translation with violation continuation
mode set to off terminates execution by invoking the function
std/:terminate ([except.terminate]) after completing the execution of
the violation handler. A translation with a violation continuation mode set
to on continues execution after completing the execution of the violation
handler. If no continuation mode is explicitly selected, the default
continuation mode is off. [ Note: A continuation mode set to on provides
the opportunity to install a logging handler to instrument a pre-existing
code base and fix errors before enforcing checks. — end note ]
[ Example:
std/:terminate
void f(int([except.terminate])
x) [[expects: x >after 0]]; completing the execution of
to on continues
void g()execution
{ after completing the execution of the violation
handler. If no continuation
f(0); // std/: mode is explicitly
terminate() selected,
after theif
handler default
continuation mode is //off.
continuation mode is off;
[ Note: A continuation mode set to on provides
// proceeds
the opportunity to install a loggingafter handler
handler if
to instrument a pre-existing
// continuation mode is on
/* //. //
}
— end example ]
the violation handler.
P1429r0 A translation
- Contracts that work with a violation continuation mode set
handler. IfJoshua
no continuation mode is explicitly selected, the default
Bern, John Lakos
Distinguishing between violations that can be safely continued from,
the opportunity to install
and violations that a
arelogging
fatal. handler to instrument a pre-existing
Björn Fahller
Summary
●
Design by contract is a way to clarify the responsibility between a
function implementation and its callers.
Summary
●
●
Language support is coming in C++20
Summary
●
●
●
But it’s lacking class invariants
Summary
●
●
●
●
and post conditions cannot refer to pre-call state.
Summary
●
●
●
●
●
Interesting gotchas:
●
Modifying parameter values, and template specializations comes to
mind.
Summary
●
●
●
●
●
●
mind.
●
Contracts can be used by static analysis tools and the optimizer.
Summary
●
●
●
●
●
●
mind.
●
●
Configurable levels of contracts, e.g. full in debug builds, only cheap
ones in release.
Summary
●
●
●
But it’s lackingP1426r0 Pull the Plug on Contracts?
class invariants
●
Nathan Meyers.
●
● Argues that values,
Modifying parameter the whole idea
andgot wrong andspecializations
template should comes to
be scrapped and replaced with something else.
mind.
●
●
ones in release.
Summary
●
●
●
●
●
●
mind.
●
●
ones in release.
●
Prefer to express semantics using the type system, if you can.
Summary
●
Design by contract is a wayPlayto clarify
with theit!
responsibility between a
●
●
●
●
Interesting gotchas: Fork from clang-6
●
mind. http://fragata.arcos.inf.uc3m.es/#
●
●
ones in release.
●
Prefer to express semantics using the type system, if you can.
Björn Fahller
bjorn@fahller.se
@bjorn_fahller
@rollbear

Björn Fahller - Contracts

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Björn Fahller - Contracts

Uploaded by

Copyright:

Available Formats

Programming with Contracts in C++20

b: a business arrangement for the supply of goods or services at a fixed price

c: the act of marriage or an agreement to marry

2: a document describing the terms of a contract

3: the final bid to win a specified number of tricks in bridge

4: an order or arrangement for a hired assassin to kill someone

b: a business arrangement for the supply of goods or services at a fixed price

c: the act of marriage or an agreement to marry

2: a document describing the terms of a contract

3: the final bid to win a specified number of tricks in bridge

4: an order or arrangement for a hired assassin to kill someone

b: a business arrangement for the supply of goods or services at a fixed price

c: the act of marriage or an agreement to marry

2: a document describing the terms of a contract

3: the final bid to win a specified number of tricks in bridge

4: an order or arrangement for a hired assassin to kill someone

int size() const;

It does not make sense

ringbuffer(); Class invariant:

ringbuffer(); Class invariant:

ringbuffer(); Class invariant:

1)It can make interfaces much clearer

1)It can make interfaces much clearer

2)It can make debugging much easier

contract-level: template <typename T>

contract-level: template <typename T>

contract-level: template <typename T>

contract-level: for (auto p : pointers) {

contract-attribute-specifier: class invariants!

If an overriding function specifies contract conditions ([dcl.attr.contract]), it shall

If an overriding function specifies contract conditions ([dcl.attr.contract]), it shall

If an overriding function specifies contract conditions ([dcl.attr.contract]), it shall

3 #[ Note: A function pointer cannot include contract conditions. [ Example:

— end example ] — end note ]

3 #[ Note: A function pointer cannot include contract conditions. [ Example:

— end example ] — end note ]

Fork from clang-6

Fork from clang-6

Fork from clang-6

Fork from clang-6

Fork from clang-6

You might also like