My original plan was it to write in this post about the next rules to error handling. But I changed my plan to write about the future: contracts in C++20.
Here are the rules I will skip.
- E.4: Design your error-handling strategy around invariants
- E.5: Let a constructor establish an invariant, and throw if it cannot
- E.6: Use RAII to prevent leaks
- E.7: State your preconditions
Why did I change my plan? I did it for a few reasons.
- The cited rules for error handling in the C++ core guidelines do not have enough meat.
- I wrote about rule E.6 in a post: Garbage Collection – No Thanks. Of course, I don’t want to repeat myself.
- Four of the five rules are about design by contract.
The consequence of these points is quite simple. Contracts seem necessary for error handling; C++20 will presumably have contracts. Therefore, I am writing this post about contracts in C++20.
First of all.
What is a contract?
A contract specifies in a precise and checkable way interfaces for software components. These software components are functions and methods that must fulfill preconditions, postconditions, and invariants. Here are the shortened definitions from the proposals.
- A precondition: a predicate that is supposed to hold upon entry in a function. It is placed outside the function definition.
- A postcondition: a predicate that is supposed to hold upon exit from the function. It is placed outside the function definition.
- An assertion: a predicate that is supposed to hold at its point in the computation. It is placed inside the function definition.
The precondition and the postcondition are in C++20, placed outside the function definition, but the invariant is placed inside the function definition. A predicate is a function that returns a boolean.
The attribute expects is a precondition, the attribute ensures is a postcondition, and the attribute assert is an assertion.
The contracts for the function push are that the queue is incomplete before adding an element that is not empty after adding, and the assertion q.is_ok() holds.
Preconditions and postconditions are part of the function interface. This means they can’t access local members of a function or private or protected members of a class. In contrast, assertions are part of the implementation and can, therefore, access local members of a function of private or protected class members.
m is private and can not be part of a precondition.
By default, a violation of a contract terminates the program. This is not the whole story; let me give you more details.
Here is the full syntax of the contract attributes: [[contract-attribute modifier: conditional-expression ]]
- contract-attribute: expects, ensures, and assert
- modifier: specifies the contract level or the enforcement of the contract; possible values are default, audit, and axiom
- default: the cost of run-time checking should be small; it is the default modifier
- audit: the cost of run-time checking is assumed to be large
- axiom: the predicate is not checked at run-time
- conditional-expression: the predicate of the contract
For the ensures attribute, there is an additional identifier available. [[ensures modifier identifier: conditional-expression ]]
The identifier lets you refer to the return value of the function.
res as the identifier is, in this case, an arbitrary name. As shown in the example, you can use more contracts of the same kind.
Let me dive deeper into the modifiers and the handling of the contract violations.
Handling contract violations
A compilation has three assertion build levels:
- off: no contracts are checked
- default: default contracts are checked; this is the default
- audit: default and audit contracts are checked
If a contract violation occurs – the predicate evaluates to false -, the violation handler is invoked. The violation handler is a function of type noexcept which takes a const std::contract_violation and returns a void. Because the function is noexcept, this means that std::terminate is called in case of a contract violation. A user can set a violation handler.
The class std::contract_violation gives information about the violation of the contract.
- line_number: the line number of the contract violation
- file_name: the filename of the contract violation
- function_name: function name of the contract violation
- comment: the predicate to the contract
- assertion_level: assertion level to the contract
There are a few rules to remember if you declare a contract.
Declaration of contracts
A contract can be placed on the declaration of a function. This includes declarations of virtual functions or function templates.
- The contract declaration of a function must be identical. Any declaration different from the first one can omit the contract.
- A contract can not be modified in an overriding function.
Both contract definitions of class D are erroneous. The contract of the method f differs from the one from B::f. The method D::g adds a contract to B::g.
Impressed? Me too! I still can not imagine how fundamentally contracts will change how we write functions and think about interfaces and exception handling. Maybe Herb Sutter’s thoughts on Sutter’s Mill give you an idea because, for him, “contracts is the most impactful feature of C++20 so far, and arguably the most impactful feature we have added to C++ since C++11.”
With my next post, I will continue with a step back to the present time and write about the rules for exception handling.
Wow! Almost 200 readers participated in the vote for the next pdf bundle. Here are the winners.
- German pdf bundle: Embedded: Performanz zählt
- English pdf bundle: C++ Core Guidelines: Concurrency and Parallelism
- German blog: Welches PDF-Päckchen soll ich zusammenstellen? Mache dein Kreuz!
- English Blog: Which PDF bundle should I provide? Make your choice!
I need at least a week to proofread and prepare the pdf bundles
Thanks a lot to my Patreon Supporters: Matt Braun, Roman Postanciuc, Tobias Zindl, G Prvulovic, Reinhold Dröge, Abernitzke, Frank Grimm, Sakib, Broeserl, António Pina, Sergey Agafyin, Андрей Бурмистров, Jake, GS, Lawton Shoemake, Jozo Leko, John Breland, Venkat Nandam, Jose Francisco, Douglas Tinkham, Kuchlong Kuchlong, Robert Blanch, Truels Wissneth, Kris Kafka, Mario Luoni, Friedrich Huber, lennonli, Pramod Tikare Muralidhara, Peter Ware, Daniel Hufschläger, Alessandro Pezzato, Bob Perry, Satish Vangipuram, Andi Ireland, Richard Ohnemus, Michael Dunsky, Leo Goodstadt, John Wiederhirn, Yacob Cohen-Arazi, Florian Tischler, Robin Furness, Michael Young, Holger Detering, Bernd Mühlhaus, Matthieu Bolt, Stephen Kelley, Kyle Dean, Tusar Palauri, Dmitry Farberov, Juan Dent, George Liao, Daniel Ceperley, Jon T Hess, Stephen Totten, Wolfgang Fütterer, Matthias Grün, Phillip Diekmann, Ben Atakora, Ann Shatoff, Rob North, Bhavith C Achar, and Marco Parri Empoli.
Thanks, in particular, to Jon Hess, Lakshman, Christian Wittenhorst, Sherhy Pyton, Dendi Suhubdy, Sudhakar Belagurusamy, Richard Sargeant, Rusty Fleming, John Nebel, Mipko, Alicja Kaminska, Slavko Radman, and David Poole.
|My special thanks to Embarcadero|
|My special thanks to PVS-Studio|
|My special thanks to Tipi.build|
|My special thanks to Take Up Code|
I’m happy to give online seminars or face-to-face seminars worldwide. Please call me if you have any questions.
- Embedded Programmierung mit modernem C++ 12.12.2023 – 14.12.2023 (Präsenzschulung, Termingarantie)
Standard Seminars (English/German)
Here is a compilation of my standard seminars. These seminars are only meant to give you a first orientation.
- C++ – The Core Language
- C++ – The Standard Library
- C++ – Compact
- C++11 and C++14
- Concurrency with Modern C++
- Design Pattern and Architectural Pattern with C++
- Embedded Programming with Modern C++
- Generic Programming (Templates) with C++
- Clean Code with Modern C++
- Phone: +49 7472 917441
- Mobil:: +49 176 5506 5086
- Mail: schulung@ModernesCpp.de
- German Seminar Page: www.ModernesCpp.de
- Mentoring Page: www.ModernesCpp.org
Modernes C++ Mentoring,