C++ Core Guidelines: A Short Detour to Contracts in C++20


My original plan was it to write in this post about the next rules to error handling. But I changed my plan to write about the future: contracts in C++20.

 Design by contract

By Fabuio - Own work, CC0, Link

Here are the rules I will skip.

Why did I change my plan? I did it for a few reasons.

  • The cited rules for error handling in the C++ core guidelines have not enough meat.
  • I already wrote about the rule E.6 an entire post: Garbage Collection - No Thanks. Of course, I don't want to repeat myself.
  • Four of the five rules are about design by contract.

The consequence of this points is quite simple. Contracts seem to be important for error handling, C++20 will presumably have contracts, therefore, I write in this post about contracts in C++20.

In case you want to have more details to contracts. This post is based on the proposals P0380R1 and P0542R5.

First of all.

What is a contract?

A contract specifies in a precise and checkable way interfaces for software components. This software components are typically functions and methods, that have to fulfil preconditions, postconditions, and invariants. Here are the shortened definitions from the proposals.

  • A precondition: a predicate that is supposed to hold upon entry in a function. It is placed outside the function definition.
  • A postcondition: a predicate that is supposed to hold upon exit from the function. It is placed outside the function definition.
  • An assertion: a predicate that is supposed to hold at its point in the computation. It is placed inside the function definition.

The precondition and the postconditon is in C++20 placed outside the function defintion but the invariant is placed inside the function definition. A predicate is a function which returns a boolean.

Here is a first example:
int push(queue& q, int val) 
  [[ expects: !q.full() ]]
  [[ ensures !q.empty() ]]{
  [[assert: q.is_ok() ]]
... }


The attribute expects is a precondition, the attribute ensures is a postcondition, and the attribute assert is an assertion.

The contracts for the function push are that the queue is not full before adding an element, that is not empty after adding and the assertion q.is_ok() holds.

Preconditions and postconditions are part of the function interface. This means they can't access local members of a function or private or protected members of a class. In contrast, assertions are part of the implementation and can, therefore, access local members of a function of private or protected members of a class.


class X {
    void f(int n)
        [[ expects: n<m ]]  // error; m is private
        [[ assert: n<m ]];  // OK
        // ...
    int m;


m is private and can, therefore, not be part of a precondition.

By default, a violation of a contract terminates the program. This is not the full story, let me give you more details.

More Details

Here is the full syntax of the contract attributes: [[contract-attribute modifier: conditional-expression ]]

  • contract-attribute: expects, ensures, and assert
  • modifier: specifies the contract level or the enforcement of the contract; possible values are default, audit, and axiom
    • default: the cost of run-time checking should be small; it is the default modifier
    • audit: the cost of run-time checking is assumed to be large
    • axiom: the predicate is not checked at run-time
  • conditional-expression: the predicate of the contract

For the ensures attribute, there is an additional identifier available. [[ensures modifier identifier: conditional-expression ]]

The identifier let you refer to the return value of the function.

int mul(int x, int y)
  [[expects: x > 0]]         // implicit default
  [[expects default: y > 0]]
  [[ensures audit res: res > 0]]{
  return x * y;


res as the identifier is, in this case, an arbitrary name. As shown in the example, you can use more contracts of the same kind.

Let me dive deeper into the modifiers and the handling of the contract violations.

Handling contract violations

A compilation has three assertion build levels:

  • off: no contracts are checked
  • default: default contracts are checked; this is the default
  • audit: default and audit contract are checked

If a contract violation occurs - that means the predicate evaluates to false -, the violation handler is invoked. The violation handler is a function of type noexcept which takes a const std::contract_violation and returns a void. Because the function is noexcept, this means that std::terminate is called in case of a violation of the contract. A user can set a violation handler.

The class std::contract_violation gives information about the violation of the contract.

namespace std{ 
  class contract_violation{
    uint_least32_t line_number() const noexcept;
    string_view file_name() const noexcept;
    string_view function_name() const noexcept;
    string_view comment() const noexcept;
    string_view assertion_level() const noexcept;

  • line_number: line number of the contract violation
  • file_name: file name of the contract violation
  • function_name: function name of the contract violation
  • comment: the predicate to the contract
  • assertion_level: assertion level to the contract

 There are a few rules to keep in mind if you declare a contract.

Declaration of contracts

A contract can be placed on the declaration of a function. This includes declarations of virtual functions or function templates.

  • The contracts declaration of a function must be identical. Any declaration different from the first one can omit the contract.
int f(int x) 
  [[expects: x>0]]
  [[ensures r: r>0]];

int f(int x); // OK. No contract.

int f(int x)
  [[expects: x>=0]]; // Error missing ensures and different expects condition


  • A contract can not be modified in an overriding function.


struct B{
  virtual void f(int x)[[expects: x > 0]];
  virtual void g(int x);

struct D: B{
  void f(int x)[[expects: x >= 0]];   // error
  void g(int x)[[expects: x != 0]];   // error

Both contract definitions of class D are erroneous. The contract of the method f differs from the one from B::f. The method D::g adds a contract to B::g.

Closing Thoughts

Impressed? Me too! I still can not imagine how fundamentally contracts will change the way we write functions and think about interfaces and exception handling. Maybe Herb Sutter's thoughts on Sutter's Mill give you an idea because for him "contracts is the most impactful feature of C++20 so far, and arguably the most impactful feature we have added to C++ since C++11."

What's next?

With my next post, I will continue with a step back to the present time and write about the rules to exception handling.

Further Information

 Wow! Almost 200 readers participated in the vote to the next pdf bundle. Here are the winners.

  • German pdf bundle: Embedded: Performanz zählt
  • English pdf bundle: C++ Core Guidelines: Concurrency and Parallelism
Here are the details to the vote:

I need at least a week to proofread and prepare the pdf bundles



Thanks a lot to my Patreon Supporters: Eric Pederson, Paul Baxter,  Meeting C++, Matt Braun, Avi Lachmish, Adrian Muntea, and Roman Postanciuc.



Get your e-book at leanpub:

The C++ Standard Library


Concurrency With Modern C++


Get Both as one Bundle

cover   ConcurrencyCoverFrame   bundle
With C++11, C++14, and C++17 we got a lot of new C++ libraries. In addition, the existing ones are greatly improved. The key idea of my book is to give you the necessary information to the current C++ libraries in about 200 pages.  

C++11 is the first C++ standard that deals with concurrency. The story goes on with C++17 and will continue with C++20.

I'll give you a detailed insight in the current and the upcoming concurrency in C++. This insight includes the theory and a lot of practice with more the 100 source files.


Get my books "The C++ Standard Library" (including C++17) and "Concurrency with Modern C++" in a bundle.

In sum, you get more than 600 pages full of modern C++ and more than 100 source files presenting concurrency in practice.


My Newest E-Books

Course: Modern C++ Concurrency in Practice

Course: C++ Standard Library including C++14 & C++17

Course: Embedded Programming with Modern C++

Course: Generic Programming (Templates)

Course: C++ Fundamentals for Professionals

Subscribe to the newsletter (+ pdf bundle)

Blog archive

Source Code


Today 6969

Yesterday 7978

Week 31534

Month 186129

All 4807023

Currently are 222 guests and no members online

Kubik-Rubik Joomla! Extensions

Latest comments