<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.3.2: http://docutils.sourceforge.net/" />
<title>Proposal to add Contract Programming to C++ (revision 1)</title>
<meta name="author" content="Thorsten Ottosen" />
<meta name="organization" content="Department of Computer Science, Aalborg University, and Dezide Aps" />
<meta name="date" content="10th of September 2004" />
<meta name="copyright" content="Thorsten Ottosen 2004. All rights reserved" />
<style type="text/css"><!--

/*
:Author: David Goodger
:Contact: goodger@users.sourceforge.net
:date: $Date: 2004/01/12 02:49:54 $
:version: $Revision: 1.2 $
:copyright: This stylesheet has been placed in the public domain.

Default cascading style sheet for the HTML output of Docutils.
*/

.first {
  margin-top: 0 }

.last {
  margin-bottom: 0 }

a.toc-backref {
  text-decoration: none ;
  color: black }

dd {
  margin-bottom: 0.5em }

div.abstract {
  margin: 2em 5em }

div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }

div.attention, div.caution, div.danger, div.error, div.hint,
div.important, div.note, div.tip, div.warning, div.admonition {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }

div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }

div.hint p.admonition-title, div.important p.admonition-title,
div.note p.admonition-title, div.tip p.admonition-title,
div.admonition p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }

div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }

div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }

div.figure {
  margin-left: 2em }

div.footer, div.header {
  font-size: smaller }

div.sidebar {
  margin-left: 1em ;
  border: medium outset ;
  padding: 0em 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right ;
  clear: right }

div.sidebar p.rubric {
  font-family: sans-serif ;
  font-size: medium }

div.system-messages {
  margin: 5em }

div.system-messages h1 {
  color: red }

div.system-message {
  border: medium outset ;
  padding: 1em }

div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }

div.topic {
  margin: 2em }

h1.title {
  text-align: center }

h2.subtitle {
  text-align: center }

hr {
  width: 75% }

ol.simple, ul.simple {
  margin-bottom: 1em }

ol.arabic {
  list-style: decimal }

ol.loweralpha {
  list-style: lower-alpha }

ol.upperalpha {
  list-style: upper-alpha }

ol.lowerroman {
  list-style: lower-roman }

ol.upperroman {
  list-style: upper-roman }

p.attribution {
  text-align: right ;
  margin-left: 50% }

p.caption {
  font-style: italic }

p.credits {
  font-style: italic ;
  font-size: smaller }

p.label {
  white-space: nowrap }

p.rubric {
  font-weight: bold ;
  font-size: larger ;
  color: maroon ;
  text-align: center }

p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }

p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }

p.topic-title {
  font-weight: bold }

pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font-family: serif ;
  font-size: 100% }

pre.line-block {
  font-family: serif ;
  font-size: 100% }

pre.literal-block, pre.doctest-block {
  margin-left: 2em ;
  margin-right: 2em ;
  background-color: #eeeeee }

span.classifier {
  font-family: sans-serif ;
  font-style: oblique }

span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }

span.interpreted {
  font-family: sans-serif }

span.option {
  white-space: nowrap }

span.option-argument {
  font-style: italic }

span.pre {
  white-space: pre }

span.problematic {
  color: red }

table {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }

table.citation {
  border-left: solid thin gray ;
  padding-left: 0.5ex }

table.docinfo {
  margin: 2em 4em }

table.footnote {
  border-left: solid thin black ;
  padding-left: 0.5ex }

td, th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }

th.docinfo-name, th.field-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap }

h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
  font-size: 100% }

tt {
  background-color: #eeeeee }

ul.auto-toc {
  list-style-type: none }
  
pre{
  BORDER-RIGHT: gray 1pt solid;
  PADDING-RIGHT: 2pt;
  BORDER-TOP: gray 1pt solid;
  DISPLAY: block;
  PADDING-LEFT: 2pt;
  PADDING-BOTTOM: 2pt;
  BORDER-LEFT: gray 1pt solid;
  MARGIN-RIGHT: 32pt;
  PADDING-TOP: 2pt;
  BORDER-BOTTOM: gray 1pt solid;
  FONT-FAMILY: "Courier New", Courier, mono; 
  background-color: #EEEEEE; 
}


.keyword{color: #0000FF;}
.identifier{}
.comment{font-style: italic; color: #008000;}
.special{color: #800040;}
.preprocessor{color: #3F007F;}
.string{font-style: italic; color: #666666;}
.literal{/*font-style: italic;*/ color: #000000;}

--></style>
</head>
<body>
<h1 class="title">Proposal to add Contract Programming to C++ (revision 1)</h1>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr><th class="docinfo-name">Author:</th>
<td>Thorsten Ottosen</td></tr>
<tr><th class="docinfo-name">Contact:</th>
<td><a class="first last reference" href="mailto:nesotto&#64;cs.auc.dk">nesotto&#64;cs.auc.dk</a></td></tr>
<tr><th class="docinfo-name">Organization:</th>
<td><a class="first reference" href="http://www.cs.auc.dk">Department of Computer Science</a>, Aalborg University, and <a class="last reference" href="http://www.dezide.com">Dezide Aps</a></td></tr>
<tr><th class="docinfo-name">Date:</th>
<td>10th of September 2004</td></tr>
<tr class="field"><th class="docinfo-name">Number:</th><td class="field-body">WG21/N1669 and J16/04-0109. This proposal is a
revision of paper <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a>.</td>
</tr>
<tr class="field"><th class="docinfo-name">Working Group:</th><td class="field-body">Evolution</td>
</tr>
<tr><th class="docinfo-name">Copyright:</th>
<td>Thorsten Ottosen 2004. All rights reserved</td></tr>
</tbody>
</table>
<div class="document" id="proposal-to-add-contract-programming-to-c-revision-1">
<div class="abstract topic">
<p class="topic-title">Abstract</p>
<p>Contract Programming <a class="footnote-reference" href="#id27" id="id1" name="id1"><sup>1</sup></a> is about providing the programmer with stronger tools 
for expressing correctness arguments directly in the source code. 
This proposal describes a small assertion sub-language 
that unifies compile-time and run-time assertions.
The benefits 
are among others a higher degree of self-documenting source code,
better design tools, 
and easier debugging and testing.</p>
</div>
<div class="contents topic" id="table-of-contents">
<p class="topic-title"><a name="table-of-contents">Table of Contents</a></p>
<ul class="auto-toc simple">
<li><a class="reference" href="#motivation" id="id36" name="id36">1   Motivation</a></li>
<li><a class="reference" href="#the-proposal" id="id37" name="id37">2   The proposal</a><ul class="auto-toc">
<li><a class="reference" href="#assertions" id="id38" name="id38">2.1   Assertions</a><ul class="auto-toc">
<li><a class="reference" href="#static-assertions" id="id39" name="id39">2.1.1   Static assertions</a></li>
<li><a class="reference" href="#runtime-assertions" id="id40" name="id40">2.1.2   Runtime assertions</a></li>
</ul>
</li>
<li><a class="reference" href="#function-std-old" id="id41" name="id41">2.2   Function <tt class="literal"><span class="pre">std::old()</span></tt></a></li>
<li><a class="reference" href="#function-pre-and-postconditions" id="id42" name="id42">2.3   Function pre- and postconditions</a><ul class="auto-toc">
<li><a class="reference" href="#virtual-functions" id="id43" name="id43">2.3.1   Virtual functions</a></li>
<li><a class="reference" href="#constructors" id="id44" name="id44">2.3.2   Constructors</a></li>
<li><a class="reference" href="#destructors" id="id45" name="id45">2.3.3   Destructors</a></li>
</ul>
</li>
<li><a class="reference" href="#class-invariants" id="id46" name="id46">2.4   Class invariants</a></li>
<li><a class="reference" href="#loop-invariants" id="id47" name="id47">2.5   Loop invariants</a><ul class="auto-toc">
<li><a class="reference" href="#for-loop" id="id48" name="id48">2.5.1   for-loop</a></li>
<li><a class="reference" href="#while-loop" id="id49" name="id49">2.5.2   while-loop</a></li>
<li><a class="reference" href="#do-while-loop" id="id50" name="id50">2.5.3   do-while-loop</a></li>
</ul>
</li>
<li><a class="reference" href="#namespace-invariants" id="id51" name="id51">2.6   Namespace invariants</a></li>
<li><a class="reference" href="#failure-handler-functions" id="id52" name="id52">2.7   Failure handler functions</a></li>
</ul>
</li>
<li><a class="reference" href="#open-issues" id="id53" name="id53">3   Open issues</a><ul class="auto-toc">
<li><a class="reference" href="#allow-more-statements-in-contracts" id="id54" name="id54">3.1   Allow more statements in contracts</a></li>
<li><a class="reference" href="#allow-mutable-functions-in-contracts" id="id55" name="id55">3.2   Allow mutable functions in contracts</a></li>
<li><a class="reference" href="#how-do-contracts-interact-with-function-try-blocks" id="id56" name="id56">3.3   How do contracts interact with function-try-blocks?</a></li>
<li><a class="reference" href="#should-we-allow-templated-contracts" id="id57" name="id57">3.4   Should we allow templated contracts?</a></li>
<li><a class="reference" href="#are-failure-handler-functions-wrongly-specified" id="id58" name="id58">3.5   Are failure handler functions wrongly specified?</a></li>
<li><a class="reference" href="#do-not-make-invariant-a-keyword" id="id59" name="id59">3.6   Do not make <tt class="literal"><span class="pre">invariant</span></tt> a keyword</a></li>
</ul>
</li>
<li><a class="reference" href="#major-changes-from-n1613" id="id60" name="id60">4   Major changes from n1613</a></li>
<li><a class="reference" href="#list-of-proposals-that-could-be-affected-by-this-proposal" id="id61" name="id61">5   List of proposals that could be affected by this proposal</a></li>
<li><a class="reference" href="#list-of-features-that-would-make-contract-programming-stronger" id="id62" name="id62">6   List of features that would make Contract Programming stronger</a><ul class="auto-toc">
<li><a class="reference" href="#more-compiler-magic" id="id63" name="id63">6.1   More compiler magic</a></li>
<li><a class="reference" href="#changing-exception-specifications" id="id64" name="id64">6.2   Changing exception specifications</a></li>
<li><a class="reference" href="#allow-test-of-any-precondition" id="id65" name="id65">6.3   Allow test of any precondition</a></li>
</ul>
</li>
<li><a class="reference" href="#implementability" id="id66" name="id66">7   Implementability</a></li>
<li><a class="reference" href="#list-of-examples" id="id67" name="id67">8   List of examples</a><ul class="auto-toc">
<li><a class="reference" href="#vector-example-hpp" id="id68" name="id68">8.1   vector_example.hpp</a></li>
<li><a class="reference" href="#factorial-example-hpp" id="id69" name="id69">8.2   factorial_example.hpp</a></li>
<li><a class="reference" href="#restrict-replacement-example-hpp" id="id70" name="id70">8.3   restrict_replacement_example.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp" id="id71" name="id71">8.4   subcontracting_example.hpp</a></li>
<li><a class="reference" href="#pointer-container-replace-example-hpp" id="id72" name="id72">8.5   pointer_container_replace_example.hpp</a></li>
</ul>
</li>
<li><a class="reference" href="#comparison-of-contract-programming-in-d-eiffel-and-c" id="id73" name="id73">9   Comparison of Contract Programming in D, Eiffel and C++</a></li>
<li><a class="reference" href="#acknowledgements" id="id74" name="id74">10   Acknowledgements</a></li>
<li><a class="reference" href="#footnotes" id="id75" name="id75">11   Footnotes</a></li>
</ul>
</div>
<div class="section" id="motivation">
<h1><a class="toc-backref" href="#id36" name="motivation">1   Motivation</a></h1>
<p>Language support for Contract Programming has several benefits:</p>
<ol class="arabic simple">
<li>it can remove the need for separation of documentation and implementation (see <a class="reference" href="#factorial-example-hpp">factorial_example.hpp</a>)</li>
<li>it can make debugging and testing much easier</li>
<li>it can improve communication between designers and programmers in large C++ projects</li>
<li>it can enable the compiler to generate faster code (see <a class="reference" href="#restrict-replacement-example-hpp">restrict_replacement_example.hpp</a>)</li>
<li>it can make inheritance easier to use correctly (see <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a> )</li>
<li>it can ensure that every programmer understands the contract metaphors <a class="footnote-reference" href="#id28" id="id2" name="id2"><sup>2</sup></a></li>
<li>it might make static analysis tools much more powerful</li>
</ol>
<p>Please refer to <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> for an extensive discussion of these benefits.</p>
<p>Already with the current proposal, it is quite remarkable how much
of an interface that can be documented. For a good example, please
see how <tt class="literal"><span class="pre">std::vector</span></tt> is declared in <a class="reference" href="#vector-example-hpp">vector_example.hpp</a>; there is only a small
portion of the specification of <tt class="literal"><span class="pre">std::vector</span></tt> that cannot be described in the 
contracts.</p>
</div>
<div class="section" id="the-proposal">
<h1><a class="toc-backref" href="#id37" name="the-proposal">2   The proposal</a></h1>
<p>The idea is to extend C++</p>
<ul class="simple">
<li>function declarations with <a class="reference" href="#function-pre-and-postconditions">pre- and postconditions</a>,</li>
<li>class declarations with <a class="reference" href="#class-invariants">class invariants</a>,</li>
<li>loops with <a class="reference" href="#loop-invariants">loop invariants</a>,</li>
<li>namespace declarations with <a class="reference" href="#namespace-invariants">namespace invariants</a>.</li>
</ul>
<p>These new <em>contract scopes</em> can contain <a class="reference" href="#assertions">assertions</a> that
may be evaluated either at compiler-time or at
run-time as part of the program to verify their correctness.</p>
<div class="section" id="assertions">
<h2><a class="toc-backref" href="#id38" name="assertions">2.1   Assertions</a></h2>
<p>The basic building blocks of contracts are 
<em>assertions</em>. Assertions come in two categories:</p>
<ul class="simple">
<li><a class="reference" href="#static-assertions">static assertions</a></li>
<li><a class="reference" href="#runtime-assertions">runtime assertions</a></li>
</ul>
<div class="section" id="static-assertions">
<h3><a class="toc-backref" href="#id39" name="static-assertions">2.1.1   Static assertions</a></h3>
<p>There are two flavors of <em>static</em> assertions:</p>
<ol class="arabic">
<li><p class="first"><em>default</em> assertions</p>
<blockquote>
<dl>
<dt>syntax: </dt>
<dd><p class="first last"><tt class="literal"><span class="pre">static</span></tt> <em>constant-expression</em> <tt class="literal"><span class="pre">:</span></tt> <em>string-literal</em> <tt class="literal"><span class="pre">;</span></tt></p>
</dd>
<dt>example: </dt>
<dd><p class="first last"><tt class="literal"><span class="pre">static</span> <span class="pre">is_pod&lt;T&gt;::value</span> <span class="pre">:</span> <span class="pre">&quot;T</span> <span class="pre">must</span> <span class="pre">model</span> <span class="pre">a</span> <span class="pre">POD&quot;;</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>select</em> assertions</p>
<blockquote>
<dl>
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><tt class="literal"><span class="pre">if(</span></tt> <em>constant-expression</em> <tt class="literal"><span class="pre">)</span></tt> <em>static-assertion</em></li>
<li><tt class="literal"><span class="pre">if(</span></tt> <em>constant-expression</em> <tt class="literal"><span class="pre">)</span></tt> <em>static-assertion</em> <tt class="literal"><span class="pre">else</span></tt> <em>static-assertion</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><dl class="first last">
<dt><tt class="literal"><span class="pre">if(</span> <span class="pre">is_pod&lt;T&gt;::value</span> <span class="pre">)</span></tt></dt>
<dd><p class="first last"><tt class="literal"><span class="pre">static</span> <span class="pre">sizeof(</span> <span class="pre">T</span> <span class="pre">)</span> <span class="pre">&lt;=</span> <span class="pre">sizeof(</span> <span class="pre">long</span> <span class="pre">)</span> <span class="pre">:</span> <span class="pre">&quot;Only</span> <span class="pre">PODs</span> <span class="pre">smaller</span> <span class="pre">than</span> <span class="pre">long</span> <span class="pre">supported&quot;;</span></tt></p>
</dd>
</dl>
</dd>
</dl>
</blockquote>
</li>
</ol>
<p>The static assertions are exactly like the ones described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1617.html">n1617</a>. The 
main difference is that we</p>
<ol class="arabic simple">
<li>reuse the keyword <tt class="literal"><span class="pre">static</span></tt> instead of adding a new one,</li>
<li>confine the scope of the static assertion to contract scope, and</li>
<li>allow compile-time select statements to avoid duplication of conditions.</li>
</ol>
</div>
<div class="section" id="runtime-assertions">
<h3><a class="toc-backref" href="#id40" name="runtime-assertions">2.1.2   Runtime assertions</a></h3>
<p>There are three flavors of <em>runtime</em> assertions:</p>
<ol class="arabic">
<li><p class="first"><em>default</em> assertions</p>
<blockquote>
<dl>
<dt>syntax:</dt>
<dd><p class="first last"><em>boolean-expression</em> <tt class="literal"><span class="pre">;</span></tt></p>
</dd>
<dt>example:</dt>
<dd><p class="first last"><tt class="literal"><span class="pre">std::cout.good();</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>compound</em> assertions</p>
<blockquote>
<dl>
<dt>syntax:</dt>
<dd><p class="first last"><em>boolean-expression</em> <tt class="literal"><span class="pre">:</span></tt> <em>expression</em> <tt class="literal"><span class="pre">;</span></tt></p>
</dd>
<dt>example: </dt>
<dd><p class="first last"><tt class="literal"><span class="pre">std::cout.good()</span> <span class="pre">:</span> <span class="pre">terminate();</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>select</em> assertions</p>
<blockquote>
<dl>
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><tt class="literal"><span class="pre">if(</span></tt> <em>condition</em> <tt class="literal"><span class="pre">)</span></tt> <em>runtime-assertion</em></li>
<li><tt class="literal"><span class="pre">if(</span></tt> <em>condition</em> <tt class="literal"><span class="pre">)</span></tt> <em>runtime-assertion</em> <tt class="literal"><span class="pre">else</span></tt> <em>runtime-assertion</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><dl class="first last">
<dt><tt class="literal"><span class="pre">if(</span> <span class="pre">empty()</span> <span class="pre">)</span></tt> </dt>
<dd><p class="first last"><tt class="literal"><span class="pre">result</span> <span class="pre">==</span> <span class="pre">end();</span></tt></p>
</dd>
</dl>
</dd>
</dl>
</blockquote>
</li>
</ol>
<p>We shall call the left hand side of a compound assertion the <em>condition</em>
and the right hand side the <em>action</em>.
The following general points are worth noting:</p>
<ol class="arabic simple">
<li>Default assertions defaults to calling <tt class="literal"><span class="pre">terminate()</span></tt>, but the behavior can be <a class="reference" href="#failure-handler-functions">customized</a>.</li>
</ol>
<ol class="arabic" start="2">
<li><p class="first">The select assertions remove the need for the implication operator that was discussed in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a>.</p>
</li>
<li><p class="first">The syntactic freedom have been kept minimal to ensure a good documentation effect (see also <a class="reference" href="#allow-more-statements-in-contracts">Allow more statements in contracts</a>).</p>
</li>
<li><p class="first"><a class="target" id="every-visible-variable-or-parameter" name="every-visible-variable-or-parameter">Every visible variable or parameter</a> is considered <tt class="literal"><span class="pre">const</span></tt> within the scope of contracts (even <tt class="literal"><span class="pre">mutable</span></tt> variables).</p>
</li>
<li><p class="first"><a class="target" id="every-function-call-within" name="every-function-call-within">Every function call within</a> the assertions must be either</p>
<blockquote>
<ol class="loweralpha simple">
<li>a <tt class="literal"><span class="pre">const</span></tt> member function with no non-<tt class="literal"><span class="pre">const</span></tt> reference or pointer arguments</li>
<li>a free-standing function with no non-<tt class="literal"><span class="pre">const</span></tt> reference or pointer arguments</li>
<li>if the return value is a non-<tt class="literal"><span class="pre">const</span></tt> reference or pointer, it must not be used in any context that would not
allow a <tt class="literal"><span class="pre">const</span></tt> qualified reference or pointer</li>
</ol>
</blockquote>
<p>(see also <a class="reference" href="#allow-mutable-functions-in-contracts">Allow mutable functions in contracts</a>.)</p>
</li>
<li><p class="first">Function calls within assertions do not check assertions; this is to prevent infinite recursion and to provide
reasonable performance (as seen in the <a class="reference" href="#factorial-example-hpp">factorial_example.hpp</a>).</p>
</li>
<li><p class="first">Throwing an exception is sometimes convenient; bounds-checking is a good example (see also how it is done in <a class="reference" href="#vector-example-hpp">vector_example.hpp</a> ).</p>
</li>
<li><p class="first">If the compiler can determine that the condition of an assertion is true, it may choose not to evaluate 
that assertion.</p>
</li>
<li><p class="first">If the compiler can determine that the condition of an assertion is false, it may choose 
to call the <a class="reference" href="#failure-handler-functions">broken contract handler</a> or call the action without evaluating that condition.</p>
</li>
</ol>
<ol class="arabic simple" start="10">
<li>Compound assertions can never be removed by the compiler <em>unless</em> the compiler can prove that the condition
is true <em>or unless</em> the action has no effect <a class="footnote-reference" href="#id29" id="id6" name="id6"><sup>3</sup></a>.</li>
</ol>
<p>The last rule opens up the door for other types of contracts where we can use the comma-operator as seen in the
<a class="reference" href="#pointer-container-replace-example-hpp">pointer_container_replace_example.hpp</a>.</p>
</div>
</div>
<div class="section" id="function-std-old">
<h2><a class="toc-backref" href="#id41" name="function-std-old">2.2   Function <tt class="literal"><span class="pre">std::old()</span></tt></a></h2>
<p>It is very useful to be able to take a copy of a variable to compare
it with other values later. In particular, this is true in <a class="reference" href="#function-pre-and-postconditions">function postconditions</a>
and in <a class="reference" href="#loop-invariants">loop invariants</a>. These two contract scopes are also the only scopes
where <tt class="literal"><span class="pre">std::old()</span></tt> is allowed to appear.</p>
<p>The function can be said to have the following pseudo-declaration:</p>
<pre class="literal-block">
namespace std
{
    template&lt; class T &gt;
    const T&amp; old( const T&amp; r )
        precondition 
        {
            static is_copy_constructible&lt;T&gt;::value : &quot;old() requires the type to be Copy Constructible&quot;;
        }
}
</pre>
<p>The function must return a reference to a temporary variable. Assume <tt class="literal"><span class="pre">i</span></tt> is a visible <tt class="literal"><span class="pre">int</span></tt>, then the compiler translates</p>
<pre class="literal-block">
{
    std::old( i ) == 42;
}
</pre>
<p>into</p>
<pre class="literal-block">
{
    const int __old_i( i );
    __old_i == 42;
}
</pre>
<p>A set of rules govern how <tt class="literal"><span class="pre">std::old()</span></tt> behaves within a certain contract:</p>
<ol class="arabic">
<li><p class="first">if it is applied to the same expression <em>n</em> times, that expression is only evaluated once and there only exists one
copy of the expression,</p>
</li>
<li><p class="first">the copy of its argument is taken</p>
<blockquote>
<ol class="loweralpha simple">
<li><em>after</em> the precondition is evaluated if <tt class="literal"><span class="pre">std::old()</span></tt> appears in <a class="reference" href="#function-pre-and-postconditions">function postconditions</a>,</li>
<li><em>before</em> each loop iteration if <tt class="literal"><span class="pre">std::old()</span></tt> appears in <a class="reference" href="#loop-invariants">loop invariants</a>.</li>
</ol>
</blockquote>
</li>
</ol>
<p>The precondition should be evaluated first to allow it to report its errors first.
Notice that we can only apply <tt class="literal"><span class="pre">std::old()</span></tt> to objects of a type that defines a copy-constructor 
taking a <tt class="literal"><span class="pre">const</span></tt> reference (ie., <tt class="literal"><span class="pre">std::auto_ptr</span></tt> cannot be used).</p>
</div>
<div class="section" id="function-pre-and-postconditions">
<h2><a class="toc-backref" href="#id42" name="function-pre-and-postconditions">2.3   Function pre- and postconditions</a></h2>
<p>The function declaration and definition
are changed into:</p>
<blockquote>
<blockquote>
<ol class="arabic simple">
<li><em>function-declaration1</em> : <em>function-head</em></li>
<li><em>function-declaration2</em> : <em>function-head</em> <em>function-contract</em></li>
<li><em>function-definition1</em> : <em>function-declaration1</em> <tt class="literal"><span class="pre">{</span></tt> <em>function-body</em> <tt class="literal"><span class="pre">}</span></tt></li>
<li><em>function-definition2</em> : <em>function-declaration2</em> <tt class="literal"><span class="pre">do</span> <span class="pre">{</span></tt> <em>function-body</em> <tt class="literal"><span class="pre">}</span></tt></li>
<li><em>function-contract</em> : <em>precondition-contract</em><sub>opt</sub> <em>postcondition-contract</em><sub>opt</sub></li>
<li><em>precondition-contract</em> : <tt class="literal"><span class="pre">precondition</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="literal"><span class="pre">}</span></tt></li>
<li><em>postcondition-contract</em> : <tt class="literal"><span class="pre">postcondition</span></tt> <em>return-value-declaration</em><sub>opt</sub> <tt class="literal"><span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="literal"><span class="pre">}</span></tt></li>
<li><em>return-value-declaration</em>: <tt class="literal"><span class="pre">(</span></tt> <em>identifier</em> <tt class="literal"><span class="pre">)</span></tt></li>
</ol>
</blockquote>
<p>example:</p>
<pre class="literal-block">
double sqrt( double r )
    precondition
    {
        r &gt; 0.;
    }
    postcondition( result )
    {
        equal_within_precision( result * result, r );
    }
</pre>
</blockquote>
<p>In the <em>return-value-declaration</em> we declare a local variable that acts as a <tt class="literal"><span class="pre">const</span></tt> reference to the computed 
return value. It follows that a <em>return-value-declaration</em> is illegal if the return type is <tt class="literal"><span class="pre">void</span></tt>.</p>
<p>The following general rules apply:</p>
<ol class="arabic">
<li><p class="first">If a function has both a declaration and a definition, the contracts must appear on the declaration.</p>
</li>
<li><p class="first"><a class="target" id="the-execution-of-a-function" name="the-execution-of-a-function">The execution of a function</a> is now</p>
<blockquote>
<ol class="loweralpha simple">
<li>evaluate the precondition assertion by assertion in order starting from the top,</li>
<li>evaluate <a class="reference" href="#function-std-old">std::old()</a> occurrences in the postcondition,</li>
<li>evaluate the function body,</li>
<li>evaluate the postcondition assertion by assertion in order starting from the top.</li>
</ol>
</blockquote>
</li>
</ol>
<ol class="arabic" start="3">
<li><p class="first">The execution of a member function is now as in 2, but</p>
<blockquote>
<ol class="loweralpha">
<li><p class="first"><tt class="literal"><span class="pre">2.a</span></tt> is <em>preceded</em> by a call to the <a class="reference" href="#class-invariants">class invariant</a>,</p>
</li>
<li><p class="first"><tt class="literal"><span class="pre">2.d</span></tt> is <em>preceded</em> by a call to the class invariant,</p>
<blockquote>
<ul class="simple">
<li>rationale: the contracts might call public functions in the class which require the invariant to be established.</li>
</ul>
</blockquote>
</li>
</ol>
</blockquote>
</li>
</ol>
<blockquote>
(See also <a class="reference" href="#if-the-body-of-a-public-function">when the class invariant is disabled</a>.)</blockquote>
<div class="section" id="virtual-functions">
<h3><a class="toc-backref" href="#id43" name="virtual-functions">2.3.1   Virtual functions</a></h3>
<p>If the function <tt class="literal"><span class="pre">F</span></tt> is virtual, we must require that</p>
<ol class="arabic simple">
<li>only the first declaration/definition of <tt class="literal"><span class="pre">F</span></tt> can have a precondition,</li>
<li>if subsequent declarations/definitions of <tt class="literal"><span class="pre">F</span></tt> in derived classes provide
a precondition anyway, it results in a compile time error.</li>
</ol>
<p>Section <tt class="literal"><span class="pre">3.5</span></tt> of <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> explains how little redefinition of preconditions is used. Even though
subcontracting is theoretically sound, it ends up being useless in practice since
the user cannot take advantage of the weaker precondition by performing a downcast <a class="footnote-reference" href="#id30" id="id12" name="id12"><sup>4</sup></a>.
Also, the derived class can provide a separate function with a weaker precondition or the
precondition can be specified via a virtual function.</p>
<p>Postconditions can be made stronger in a derived class as seen in the <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a>.
We can summarize the remaining rules for virtual functions as</p>
<ol class="arabic simple" start="3">
<li>pure virtual functions can have contracts</li>
<li>postconditions from a function in a base class and the overridden version in a derived class
are <em>AND</em>ed together</li>
</ol>
<p>The last rule ensures that the function in the derived class has a stronger postcondition <em>by design</em>.
A programmer can via a downcast obtain the stronger guarantee, but the runtime check must still
follow rule 4 above.</p>
</div>
<div class="section" id="constructors">
<h3><a class="toc-backref" href="#id44" name="constructors">2.3.2   Constructors</a></h3>
<p>Constructors behaves much like member functions. This means that a constructor</p>
<ol class="arabic simple">
<li>can have a precondition and a postcondition,</li>
<li>disables the <a class="reference" href="#class-invariants">class invariant</a> when calling public functions</li>
<li>calls the class invariant <em>before</em> the postcondition</li>
</ol>
<p>The differences are that a constructor:</p>
<ol class="arabic simple" start="4">
<li>does not evaluate the class invariant before the precondition,</li>
<li>has special rules for evaluating invariants of base-classes (see <a class="reference" href="#class-invariants">class invariants</a>).</li>
</ol>
</div>
<div class="section" id="destructors">
<h3><a class="toc-backref" href="#id45" name="destructors">2.3.3   Destructors</a></h3>
<p>Destructors cannot have preconditions and postconditions. The class invariant, however, is executed <em>before</em> the destructor body.
Notice that the <a class="reference" href="#it-is-always-called">rules</a> for evaluating the class invariant ensures that exceptions thrown during evaluation of the class invariant
cannot escape.</p>
</div>
</div>
<div class="section" id="class-invariants">
<h2><a class="toc-backref" href="#id46" name="class-invariants">2.4   Class invariants</a></h2>
<p>Within class scope it is possible to define a class invariant:</p>
<blockquote>
<dl>
<dt>syntax:        </dt>
<dd><tt class="literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="literal"><span class="pre">}</span></tt></dd>
<dt>example: </dt>
<dd>see <a class="reference" href="#vector-example-hpp">vector_example.hpp</a></dd>
</dl>
</blockquote>
<p>The class invariant has the following properties:</p>
<ol class="arabic">
<li><p class="first">It must appear in the declaration of a class.</p>
</li>
<li><p class="first">It is inherited in the sense that the invariant of a derived class <em>implicitly</em> will have the super-class invariant
<em>AND</em>ed to it (see also item 6-7).</p>
<blockquote>
<p>example:</p>
<pre class="literal-block">
struct base { invariant { ... } };
struct derived : base
{
    invariant
    {
        base::invariant(); // implicitly generated
        ...
    }
};
</pre>
<p>(Remark: the above is pseudo-code and is <em>not</em> affected by the disabling of assertions within assertions.)</p>
</blockquote>
</li>
<li><p class="first">It can always be called from within or outside the class as if it was a member function with the declaration <tt class="literal"><span class="pre">void</span> <span class="pre">invariant()</span> <span class="pre">const;</span></tt>.</p>
</li>
<li><p class="first">It is called <em>implicitly</em> from public</p>
<blockquote>
<ol class="loweralpha simple">
<li><a class="reference" href="#the-execution-of-a-function">pre- and postconditions</a>,</li>
</ol>
<ol class="loweralpha simple" start="2">
<li><a class="reference" href="#constructors">constructors</a>,</li>
</ol>
<ol class="loweralpha simple" start="3">
<li><a class="reference" href="#destructors">destructors</a>,</li>
</ol>
<ol class="loweralpha simple" start="4">
<li>member functions that exit abnormally via an exception <a class="footnote-reference" href="#id31" id="id18" name="id18"><sup>5</sup></a></li>
</ol>
</blockquote>
</li>
<li><p class="first"><a class="target" id="it-is-always-called" name="it-is-always-called">It is always called</a> as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    class_invariant();
}
catch( ... )
{
    std::class_invariant_broken();
}
</pre>
</li>
</ol>
<blockquote>
<ul class="simple">
<li>rationale: this ensures that exceptions thrown in the invariant cannot escape from functions 
and in particular not from the destructor. <a class="footnote-reference" href="#id32" id="id19" name="id19"><sup>6</sup></a></li>
</ul>
</blockquote>
<ol class="arabic" start="6">
<li><p class="first">For its execution <em>during</em> construction <a class="footnote-reference" href="#id33" id="id20" name="id20"><sup>7</sup></a> holds that:</p>
<blockquote>
<ol class="loweralpha">
<li><p class="first">each assertion is executed in order starting from the top <em>excluding</em> any part inherited,</p>
<blockquote>
<ul class="simple">
<li>rationale: if we do not exclude inherited parts, those parts would be evaluated multiple times.</li>
</ul>
</blockquote>
</li>
</ol>
</blockquote>
</li>
<li><p class="first">For its execution <em>after</em> construction holds that:</p>
<blockquote>
<ol class="loweralpha simple">
<li>each assertion is executed in order starting from the top <em>including</em> any part inherited,</li>
<li>if the class has any sub-classes, then the inherited portion is executed first,</li>
<li>if the class has several sub-classes the order of the classes in the base-clause is followed.</li>
</ol>
</blockquote>
</li>
<li><p class="first"><a class="target" id="if-the-body-of-a-public-function" name="if-the-body-of-a-public-function">If the body of a public function</a> <tt class="literal"><span class="pre">F1</span></tt> calls another public member function <tt class="literal"><span class="pre">F2</span></tt> <em>of the same instance</em>, the invariant is <em>not</em> called implicitly during that call. <a class="footnote-reference" href="#id34" id="id21" name="id21"><sup>8</sup></a></p>
</li>
</ol>
<p>Section <tt class="literal"><span class="pre">7.4</span></tt> of <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> discusses the last issue in more detail. In general it seems reasonable 
to enforce invariants across class boundaries, but to allow a class some more latitude internally.</p>
</div>
<div class="section" id="loop-invariants">
<h2><a class="toc-backref" href="#id47" name="loop-invariants">2.5   Loop invariants</a></h2>
<p>This revision introduces loop invariants. Loop invariants make it easier
to verify correct loop behavior. The syntax is</p>
<blockquote>
<em>loop-invariant</em>: <tt class="literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="literal"><span class="pre">}</span></tt></blockquote>
<p>An example can be found in <a class="reference" href="#factorial-example-hpp">factorial_example.hpp</a>. The special function <a class="reference" href="#function-std-old">std::old()</a> has a particular meaning inside a loop invariant.
Assume <tt class="literal"><span class="pre">i</span></tt> is a visible <tt class="literal"><span class="pre">int</span></tt>; then when the compiler sees</p>
<pre class="literal-block">
invariant
{
    std::old( i ) == i + 2;
}
</pre>
<p>it is translated into something like</p>
<pre class="literal-block">
invariant
{
    const int __old_i = i; // this executes before each loop iteration
    __old_i == i + 2;      // this executes after each loop iteration
}
</pre>
<p>To summarize the rules, we have</p>
<ol class="arabic">
<li><p class="first"><tt class="literal"><span class="pre">std::old()</span></tt> takes its copy <em>before</em> each loop iteration,</p>
</li>
<li><p class="first">the assertions are evaluated <em>after</em> each loop iteration in order starting from the top,</p>
</li>
<li><p class="first">the entire loop-invariant is evaluated as if it was surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    loop_invariant();
}
catch( ... ) 
{
    std::loop_invariant_broken();
}
</pre>
</li>
<li><p class="first">variables that have a greater scope than the loop are visible in the loop-invariant and <tt class="literal"><span class="pre">std::old()</span></tt>
can be applied to them,</p>
</li>
<li><p class="first">loop-variables declared in the loop-body are visible in the loop-invariant as well and <tt class="literal"><span class="pre">std::old()</span></tt>
can be applied to them. <a class="footnote-reference" href="#id35" id="id23" name="id23"><sup>9</sup></a></p>
</li>
</ol>
<p>Notice that <tt class="literal"><span class="pre">std::old()</span></tt> is used to specify <em>variant</em> behavior within the loop invariant---something
that usually requires another keyword.</p>
<div class="section" id="for-loop">
<h3><a class="toc-backref" href="#id48" name="for-loop">2.5.1   for-loop</a></h3>
<blockquote>
<p>syntax:</p>
<blockquote>
<tt class="literal"><span class="pre">for</span> <span class="pre">(</span></tt> <em>for-init-statement</em> <tt class="literal"><span class="pre">;</span></tt> <em>condition</em><sub>opt</sub> <tt class="literal"><span class="pre">;</span></tt> <em>expression</em><sub>opt</sub> <tt class="literal"><span class="pre">)</span></tt> <em>statement</em> <em>loop-invariant</em><sub>opt</sub></blockquote>
<p>example:</p>
<pre class="literal-block">
for( int i = 0; i != 10; ++i )
{
    std::cout &lt;&lt; i;
}
invariant
{
   i &gt;= 1 &amp;&amp; i &lt;= 10;
   i == std::old( i ) + 1; 
}
</pre>
</blockquote>
</div>
<div class="section" id="while-loop">
<h3><a class="toc-backref" href="#id49" name="while-loop">2.5.2   while-loop</a></h3>
<blockquote>
<p>syntax:</p>
<blockquote>
<tt class="literal"><span class="pre">while</span> <span class="pre">(</span></tt> <em>condition</em> <tt class="literal"><span class="pre">)</span></tt> <em>statement</em> <em>loop-invariant</em><sub>opt</sub></blockquote>
<p>example:</p>
<pre class="literal-block">
int i = 0;
while( i != 10 )
{
    std::cout &lt;&lt; i;
    ++i;
}
invariant 
{
    i &gt;= 1 &amp;&amp; i &lt;= 10;
    i == std::old( i ) + 1;
}
</pre>
</blockquote>
</div>
<div class="section" id="do-while-loop">
<h3><a class="toc-backref" href="#id50" name="do-while-loop">2.5.3   do-while-loop</a></h3>
<blockquote>
<p>syntax:</p>
<blockquote>
<tt class="literal"><span class="pre">do</span></tt> <em>statement</em> <em>loop-invariant</em><sub>opt</sub> <tt class="literal"><span class="pre">while</span> <span class="pre">(</span></tt> expression <tt class="literal"><span class="pre">)</span> <span class="pre">;</span></tt></blockquote>
<p>example:</p>
<pre class="literal-block">
int i = 0;
do
{
    std::cout &lt;&lt; i;
    ++i;
}
invariant
{
    i &gt;= 1 &amp;&amp; i &lt;= 10;
    i == std::old( i ) + 1;
}
while( i != 10 );
</pre>
</blockquote>
</div>
</div>
<div class="section" id="namespace-invariants">
<h2><a class="toc-backref" href="#id51" name="namespace-invariants">2.6   Namespace invariants</a></h2>
<p>To better support global state or namespace state this revision introduces namespace invariants:</p>
<blockquote>
<dl>
<dt>syntax:</dt>
<dd><em>namespace-invariant</em>: <tt class="literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="literal"><span class="pre">}</span></tt></dd>
</dl>
<p>example:</p>
<pre class="literal-block">
namespace foo
{
    int     buffer_size;
    int*    buffer;

    invariant
    {
        static  sizeof( int ) &gt;= 4 : &quot;int must be 32 bit&quot;; 
        buffer_size &gt; 0;
        buffer     != 0;
    }
}
</pre>
</blockquote>
<p>The properties of namespace invariants are:</p>
<ol class="arabic">
<li><p class="first">they can appear multiple times in the same namespace across multiple translation units,</p>
</li>
<li><p class="first">for each translation unit, the present invariants are executed once 
after the static initialization phase, that is, conceptually as the 
last part of the static initialization phase,</p>
</li>
<li><p class="first">they are always called as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    namespace_invariant();
}
catch( ... )
{
    std::namespace_invariant_broken();
}
</pre>
</li>
<li><p class="first">the order of evaluation of the invariants is unspecified,</p>
</li>
<li><p class="first">the order of evaluation of the assertions in an invariant is from top to bottom,</p>
</li>
<li><p class="first">for any namespace <tt class="literal"><span class="pre">N</span></tt>, <tt class="literal"><span class="pre">N::invariant()</span></tt> executes all invariants from namespace <tt class="literal"><span class="pre">N</span></tt>.</p>
</li>
</ol>
</div>
<div class="section" id="failure-handler-functions">
<h2><a class="toc-backref" href="#id52" name="failure-handler-functions">2.7   Failure handler functions</a></h2>
<p>The default behavior for all default assertions is to call <tt class="literal"><span class="pre">terminate()</span></tt> via a call
to their respective handler. As seen below, we have a handler for each type of contract.
If the default behavior
is undesirable, the standard library provides the following handlers:</p>
<pre class="literal-block">
namespace std
{        
    void precondition_broken();
    void postcondition_broken();
    void class_invariant_broken();
    void loop_invariant_broken();
    void namespace_invariant_broken();
    
    typedef void (*broken_contract_handler)();
    
    broken_contract_handler  set_precondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_postcondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_class_invariant_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_loop_invariant_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_namespace_invariant_broken_handler( broken_contract_handler r ) throw();
}
</pre>
<p>This should provide plenty of room for customization. The precondition for all the <tt class="literal"><span class="pre">set_XX_handler</span></tt>
functions should be <tt class="literal"><span class="pre">r</span> <span class="pre">!=</span> <span class="pre">0</span></tt>.</p>
</div>
</div>
<div class="section" id="open-issues">
<h1><a class="toc-backref" href="#id53" name="open-issues">3   Open issues</a></h1>
<ul class="simple">
<li><a class="reference" href="#allow-more-statements-in-contracts">Allow more statements in contracts</a></li>
<li><a class="reference" href="#allow-mutable-functions-in-contracts">Allow mutable functions in contracts</a></li>
<li><a class="reference" href="#how-do-contracts-interact-with-function-try-blocks">How do contracts interact with function-try-blocks?</a></li>
<li><a class="reference" href="#should-we-allow-templated-contracts">Should we allow templated contracts?</a></li>
<li><a class="reference" href="#are-failure-handler-functions-wrongly-specified">Are failure handler functions wrongly specified?</a></li>
<li><a class="reference" href="#do-not-make-invariant-a-keyword">Do not make invariant a keyword</a></li>
</ul>
<!-- - `Should std::old() be allowed in more contexts?`_ -->
<div class="section" id="allow-more-statements-in-contracts">
<h2><a class="toc-backref" href="#id54" name="allow-more-statements-in-contracts">3.1   Allow more statements in contracts</a></h2>
<p>The only control structure that this proposal allows inside contracts is 
an <tt class="literal"><span class="pre">if</span></tt>-statement. The questions are then</p>
<ol class="arabic">
<li><p class="first">why not allow all forms of control structures?</p>
<blockquote>
<p>example:</p>
<pre class="literal-block">
{
    for( size_type i = 0; i != size(); ++i )
        *this[i] == T();
} 
</pre>
</blockquote>
</li>
<li><p class="first">why not just treat a contract block as any normal C++ block?</p>
</li>
</ol>
<p>For the first question we can observe that</p>
<p><strong>pros:</strong></p>
<blockquote>
<ol class="arabic simple">
<li>one can avoid calling a function that embeds the control structure</li>
</ol>
</blockquote>
<p><strong>cons:</strong></p>
<blockquote>
<ol class="arabic simple">
<li>more complex specification</li>
<li>a reduced documentation effect since the abstraction level is lowered</li>
</ol>
</blockquote>
<p>If we make a contract block a normal C++ block, we make problem 2 above worse. 
In addition we must ask</p>
<p><strong>cons:</strong></p>
<blockquote>
<ol class="arabic simple" start="3">
<li>how should the compiler know what constitutes a run-time assertion?</li>
<li>how should the compiler know what constitutes a static assertion?</li>
</ol>
</blockquote>
<p>The obvious answer to the last question is to add a new special keyword as 
proposed in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1617.html">n1617</a>.</p>
</div>
<div class="section" id="allow-mutable-functions-in-contracts">
<h2><a class="toc-backref" href="#id55" name="allow-mutable-functions-in-contracts">3.2   Allow mutable functions in contracts</a></h2>
<p>The current proposal prohibits side-effects <a class="reference" href="#every-visible-variable-or-parameter">as much as possible</a>. Otherwise 
we could end up with different run-time behavior depending on whether or not an assertion
is executed. Because C++ knows about constness, C++ really shines in this regard compared
to other languages.</p>
<p>So the question is</p>
<ul class="simple">
<li>should we allow mutable functions in contracts?</li>
</ul>
<p>If we were to provide a little more latitude, there could be
at least two different ways to reuse <tt class="literal"><span class="pre">mutable</span></tt>:</p>
<blockquote>
<ol class="arabic">
<li><p class="first">make the whole block mutable:</p>
<pre class="literal-block">
void X::foo( int i )
precondition mutable
{
    ...
}
</pre>
</li>
<li><p class="first">make individual assertions mutable:</p>
<pre class="literal-block">
void X::foo( int i )
precondition
{
    mutable foo( i );
}
</pre>
</li>
</ol>
</blockquote>
<!-- Should we allow/use ``else`` instead of a colon to separate condition from action
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The question is simply if compound assertions

    *boolean-expression* ``:`` *expression* ``;`` 
    
should be written as

    *boolean-expression* ``else`` *expression* ``;`` 

instead? -->
</div>
<div class="section" id="how-do-contracts-interact-with-function-try-blocks">
<h2><a class="toc-backref" href="#id56" name="how-do-contracts-interact-with-function-try-blocks">3.3   How do contracts interact with function-try-blocks?</a></h2>
<p>There seems to be at least two solutions:</p>
<ol class="arabic">
<li><p class="first">Forbid function-try-blocks and contracts on the same function.</p>
</li>
<li><p class="first">Allow it as in this example:</p>
<pre class="literal-block">
void foo( int i )
    precondition
    {
        i &gt; 0;
    }
    try
    {
        // ...
    }
    catch( ... )
    {
    }
</pre>
</li>
</ol>
<p>In case of 2, then the question would be</p>
<ul class="simple">
<li>should the try-block catch exceptions from the pre- and postcondition?</li>
</ul>
</div>
<div class="section" id="should-we-allow-templated-contracts">
<h2><a class="toc-backref" href="#id57" name="should-we-allow-templated-contracts">3.4   Should we allow templated contracts?</a></h2>
<p>Pavel Vozenilek asks why contracts cannot be 
templated. Examples could be</p>
<pre class="literal-block">
template&lt; class T &gt;
class Foo
{
    invariant&lt;T*&gt; // partial specialization of invariant
    {
       // ...
    }
    
    invariant // default invariant here
    {
       // ...
    }
};    
    
template&lt; class T &gt;
void foo( T r )
    precondition&lt;double&gt;
    { /* only allow full specialization for functions */ }
    precondition
    { /* default */ }
</pre>
</div>
<div class="section" id="are-failure-handler-functions-wrongly-specified">
<h2><a class="toc-backref" href="#id58" name="are-failure-handler-functions-wrongly-specified">3.5   Are failure handler functions wrongly specified?</a></h2>
<p>Currently a <a class="reference" href="#failure-handler-functions">failure handler function</a> does not
allow one to</p>
<ol class="arabic simple">
<li>see the context of the broken assertion, or</li>
<li>use other functions than free-standing functions.</li>
</ol>
<p>It might be desirable to change the functions to</p>
<pre class="literal-block">
namespace std
{
    class assertion_context
    {
        contract_context( const char* where, const char* assertion ) throw();
        ~contract_context() throw();
        const char* context() const throw();
    };

    void precondition_broken( const assertion_context&amp; cc );
    // ... etc
}
</pre>
<p>or even</p>
<pre class="literal-block">
namespace std
{
    extern std::function&lt; void ( const assertion_context&amp; ) &gt; precondition_broken;
    // ... etc
}
</pre>
<p>This would hopefully ensure good error-messages.</p>
<!-- Question for verification people:
+++++++++++++++++++++++++++++++++
    
The specification of object state when an assertion is raised, either via an exceptional postcondition or an
exception predicate, is very desirable if programs are to be formally verified.

The Java Modeling Language fulfills this key point admirably, while Eiffel fails in this regard. -->
<!--  Should ``std::old()`` be allowed in more contexts?
++++++++++++++++++++++++++++++++++++++++++++++++++

It might possible to relax the rules about `where`__ ``std::old()`` can appear. 

__ `Function std::old()`_ -->
</div>
<div class="section" id="do-not-make-invariant-a-keyword">
<h2><a class="toc-backref" href="#id59" name="do-not-make-invariant-a-keyword">3.6   Do not make <tt class="literal"><span class="pre">invariant</span></tt> a keyword</a></h2>
<p>It could be considered that any static function</p>
<pre class="literal-block">
void invariant();
</pre>
<p>and any member function</p>
<pre class="literal-block">
void X::invariant() const;
</pre>
<p>automatically defines a namespace invariant and a class invariant,
respectively. This would have the following consequences:</p>
<p><strong>pros</strong>:</p>
<blockquote>
<ol class="arabic simple">
<li>it saves a keyword,</li>
</ol>
</blockquote>
<p><strong>cons</strong>:</p>
<blockquote>
<ol class="arabic simple">
<li>it could change the behavior of those programs that already defines
an invariant,</li>
<li>it would make the syntax and semantics of invariant contracts
different from pre- and postcondition contracts.</li>
</ol>
</blockquote>
<p>It might also be worth considering a <tt class="literal"><span class="pre">--no_invariant_keyword</span></tt> compiler
option for backward compatibility instead.</p>
</div>
</div>
<div class="section" id="major-changes-from-n1613">
<h1><a class="toc-backref" href="#id60" name="major-changes-from-n1613">4   Major changes from <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a></a></h1>
<ol class="arabic">
<li><p class="first">added <a class="reference" href="#loop-invariants">loop invariants</a></p>
</li>
<li><p class="first">added <a class="reference" href="#namespace-invariants">namespace invariants</a></p>
</li>
<li><p class="first">added <a class="reference" href="#static-assertions">static assertions</a></p>
</li>
<li><p class="first">changed use of keywords:</p>
<blockquote>
<table border class="table">
<colgroup>
<col width="40%" />
<col width="60%" />
</colgroup>
<tbody valign="top">
<tr><td><p class="first last"><strong>before</strong></p>
</td>
<td><p class="first last"><strong>now</strong></p>
</td>
</tr>
<tr><td><p class="first last"><tt class="literal"><span class="pre">in</span></tt></p>
</td>
<td><p class="first last"><tt class="literal"><span class="pre">precondition</span></tt></p>
</td>
</tr>
<tr><td><p class="first last"><tt class="literal"><span class="pre">out</span></tt></p>
</td>
<td><p class="first last"><tt class="literal"><span class="pre">postcondition</span></tt></p>
</td>
</tr>
<tr><td><p class="first last"><tt class="literal"><span class="pre">return</span></tt></p>
</td>
<td><p class="first last">a local variable</p>
</td>
</tr>
<tr><td><p class="first last"><tt class="literal"><span class="pre">implies</span></tt></p>
</td>
<td><p class="first last"><tt class="literal"><span class="pre">if</span></tt></p>
</td>
</tr>
<tr><td><p class="first last"><tt class="literal"><span class="pre">in</span></tt></p>
</td>
<td><p class="first last"><tt class="literal"><span class="pre">std::old()</span></tt></p>
</td>
</tr>
</tbody>
</table>
</blockquote>
</li>
<li><p class="first">simplified <a class="reference" href="#virtual-functions">subcontracting</a>: now preconditions cannot be weakened</p>
</li>
</ol>
</div>
<div class="section" id="list-of-proposals-that-could-be-affected-by-this-proposal">
<h1><a class="toc-backref" href="#id61" name="list-of-proposals-that-could-be-affected-by-this-proposal">5   List of proposals that could be affected by this proposal</a></h1>
<ol class="arabic simple">
<li>static assertions as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1617.html">n1617</a></li>
<li>concepts as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1510.pdf">n1510</a>, <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1522.pdf">n1522</a> and <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1536.pdf">n1536</a></li>
<li>any proposal that seeks to enhance meta-programming capabilities</li>
</ol>
</div>
<div class="section" id="list-of-features-that-would-make-contract-programming-stronger">
<h1><a class="toc-backref" href="#id62" name="list-of-features-that-would-make-contract-programming-stronger">6   List of features that would make Contract Programming stronger</a></h1>
<p>This section describes some crazy ideas that might serve as
a basis for further discussion.</p>
<ul class="simple">
<li><a class="reference" href="#more-compiler-magic">More compiler magic</a></li>
<li><a class="reference" href="#changing-exception-specifications">Changing exception specifications</a></li>
<li><a class="reference" href="#allow-test-of-any-precondition">Allow test of any precondition</a></li>
</ul>
<div class="section" id="more-compiler-magic">
<h2><a class="toc-backref" href="#id63" name="more-compiler-magic">6.1   More compiler magic</a></h2>
<p>For the purpose of static analysis either by the compiler or
a special tool, it might be convenient to be able to indicate
certain functions were invalid for a period of time.</p>
<p>For example, calling <tt class="literal"><span class="pre">operator*()</span></tt>
on an iterator could be invalid, yet we cannot explain that to the
compiler.</p>
<p>Imagine a magic function <tt class="literal"><span class="pre">std::invalid_operation()</span></tt>:</p>
<pre class="literal-block">
iterator end()
    postcondition( result )
    {
        //
        // expression style
        //
        std::invalid_operation( *result, ++result, result++ );
        
        //
        // function style
        //
        std::invalid_operation( operator*(), operator++(), operator+() );
    }
</pre>
<p>These operations would then be invalid until a new member function
was called that did not have the same invalid operation. For example</p>
<pre class="literal-block">
iterator i = container.end();
--i;                  // now the operations becomes valid
*i         = a_value; // ok
++i;                  // ok 
</pre>
<p>A compiler could choose to either</p>
<ol class="arabic simple">
<li>treat the function as documentation only by doing a syntax check, or</li>
<li>see if it can deduce a compile-time error too.</li>
</ol>
</div>
<div class="section" id="changing-exception-specifications">
<h2><a class="toc-backref" href="#id64" name="changing-exception-specifications">6.2   Changing exception specifications</a></h2>
<p>C++'s exception specifications 
are not used very much in practice. This is unfortunate since
documenting what exceptions (if any) a function throws is important.</p>
<p>In other words, the exception specification seems to be an important
part of a functions <em>contract</em>. This proposal already checks the
basic guarantee of exception-safety (by checking invariants),
and we can already check the strong guarantee in a post-condition:</p>
<pre class="literal-block">
postcondition
{
   *this == std::old( *this );
}
</pre>
<p>But there seem two other important cases as well:</p>
<ol class="arabic simple">
<li>the nothrow exception-safety guarantee</li>
<li>a guarantee somewhere between the basic and the strong exception-safety guarantee in case an exception is thrown</li>
</ol>
<p>So what if we changed the rules for</p>
<pre class="literal-block">
iterator begin() throw();
</pre>
<p>to mean</p>
<ol class="loweralpha simple">
<li>this function <em>promises</em> not to throw exceptions and the compiler can assume that when optimizing</li>
<li>if it does, the behavior is undefined</li>
</ol>
<p>? If that were the case, <tt class="literal"><span class="pre">throw()</span></tt> would be used much more.</p>
<p>The second situation is when a function exits via an exception, but we still want to guarantee more than
the basic guarantee. Imagine that we could do something like this:</p>
<pre class="literal-block">
postcondition
{
    if( throws( std::exception ) )
    {
       std::old( foo ) == foo; // this variable has not changed
       std::old( bar ) != bar; // but this one has
    }
}
</pre>
<p>This might provide a way to make stronger assertions in the presence of exceptions.</p>
</div>
<div class="section" id="allow-test-of-any-precondition">
<h2><a class="toc-backref" href="#id65" name="allow-test-of-any-precondition">6.3   Allow test of any precondition</a></h2>
<p>Alf Steinbach suggests that preconditions
should be checkable without calling the function:</p>
<pre class="literal-block">
void foo( ... ) 
    precondition { ... }

// ... 
      
if( foo.precondition( ... ) ) 
   foo( ... )
else
   report_error();   
</pre>
</div>
</div>
<div class="section" id="implementability">
<h1><a class="toc-backref" href="#id66" name="implementability">7   Implementability</a></h1>
<p>Walter Bright has extensive experience from implementing Contract Programming in the 
C++ and D compilers from <a class="reference" href="http://www.digitalmars.com">Digital Mars</a>. He asserts that it will take about
one man month to implement this proposal.</p>
</div>
<div class="section" id="list-of-examples">
<h1><a class="toc-backref" href="#id67" name="list-of-examples">8   List of examples</a></h1>
<ul class="simple">
<li><a class="reference" href="#vector-example-hpp">vector_example.hpp</a></li>
<li><a class="reference" href="#factorial-example-hpp">factorial_example.hpp</a></li>
<li><a class="reference" href="#restrict-replacement-example-hpp">restrict_replacement_example.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a></li>
<li><a class="reference" href="#pointer-container-replace-example-hpp">pointer_container_replace_example.hpp</a></li>
</ul>
<div class="section" id="vector-example-hpp">
<h2><a class="toc-backref" href="#id68" name="vector-example-hpp">8.1   vector_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>///////////////////////////////////////
// Tools
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* for simplicity, let us assume T's can be compared */</span> <span class=special>}</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Size</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>Size</span> <span class=identifier>size</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* internal tagging mechnism so even input iterators can be passed */</span> <span class=special>}</span>

<span class=comment>///////////////////////////////////////
// New vector interface
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Alloc</span> <span class=special>=</span> <span class=identifier>allocator</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;</span> <span class=special>&gt;</span>
<span class=keyword>class</span> <span class=identifier>vector</span> 
<span class=special>{</span>
    <span class=keyword>invariant</span>
    <span class=special>{</span>
        <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span> <span class=special>==</span> <span class=identifier>empty</span><span class=special>();</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>rbegin</span><span class=special>(),</span> <span class=identifier>rend</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span>
        <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span>
        
        <span class=keyword>static</span> <span class=identifier>is_assignable</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span>         <span class=special>:</span> <span class=string>&quot;value_type must be Assignable&quot;</span> <span class=special>;</span>
        <span class=keyword>static</span> <span class=identifier>is_copy_constructible</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;value_type must be CopyConstructible&quot;</span> <span class=special>;</span>
    <span class=special>}</span>
    
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>typedef</span> <span class=identifier>Alloc</span>                             <span class=identifier>allocator_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>pointer</span>           <span class=identifier>pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_pointer</span>     <span class=identifier>const_pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>reference</span>         <span class=identifier>reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_reference</span>   <span class=identifier>const_reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>value_type</span>        <span class=identifier>value_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>const_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>size_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>difference_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>iterator</span><span class=special>&gt;</span>        <span class=identifier>reverse_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>const_iterator</span><span class=special>&gt;</span>  <span class=identifier>const_reverse_iterator</span><span class=special>;</span>

             <span class=identifier>vector</span><span class=special>()</span>                  
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span> 
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}:</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span> <span class=special>}</span>
    
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>=</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>reserve</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>throw</span> <span class=identifier>length_error</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>count</span><span class=special>;</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>begin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_iterator</span> <span class=identifier>begin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>iterator</span> <span class=identifier>end</span><span class=special>();</span>
             <span class=identifier>const_iterator</span> <span class=identifier>end</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rend</span><span class=special>();</span>
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rend</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 1: with an if</span>
                 <span class=special>{</span> 
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>)</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>()),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span><span class=special>,</span> <span class=identifier>T</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 2: with ternary operator</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>?</span> 
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>()),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span>
                 <span class=special>}</span>
         
             <span class=identifier>size_type</span> <span class=identifier>size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>max_size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=keyword>bool</span> <span class=identifier>empty</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>==</span> <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>Alloc</span> <span class=identifier>get_allocator</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>);</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>throw</span> <span class=identifier>out_of_range</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>throw</span> <span class=identifier>out_of_range</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>

             <span class=identifier>const_reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>front</span><span class=special>();</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>front</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>back</span><span class=special>()</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>back</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>push_back</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>back</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span> 
                                 <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span> 
                                 <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>capacity</span><span class=special>());</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>pop_back</span><span class=special>()</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span>
                     <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> 
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                     <span class=special>*</span><span class=keyword>result</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span>  <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>capacity</span><span class=special>());</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>capacity</span><span class=special>())</span> <span class=special>)</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>capacity</span><span class=special>());</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>capacity</span><span class=special>())</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)),</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>))</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span>
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> 
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>capacity</span><span class=special>());</span>
        
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>capacity</span><span class=special>())</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)),</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>))</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> 
                     <span class=identifier>where</span> <span class=special>!=</span> <span class=identifier>end</span><span class=special>();</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>iterator</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span><span class=identifier>size</span><span class=special>())</span> <span class=special>-</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [first,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>clear</span><span class=special>();</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>swap</span><span class=special>(</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span> 
                     <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span> <span class=special>*</span><span class=keyword>this</span> <span class=special>)</span> <span class=special>==</span> <span class=identifier>right</span><span class=special>;</span>
                     <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span> <span class=identifier>right</span> <span class=special>)</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span>
                 <span class=special>}</span>
             
<span class=special>};</span> <span class=comment>// class 'vector'</span>
</pre>


</body>
</html>



</div>
<div class="section" id="factorial-example-hpp">
<h2><a class="toc-backref" href="#id69" name="factorial-example-hpp">8.2   factorial_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>//
// This example shows how Contract Programming removes duplicate
// knowledge because it can turn comments into code.
//
// It also shows a very interesting way of checking that 
// the function's postcondition holds: the implementation
// uses iteration, but the postcondition uses recursion
// to verify the return value.
//
// remark: there is no deep/infinite recursion because
//         contracts are not checked while evaluating
//         a contract. 
//

///////////////////////////////////////////////////////////
// Ordinary form of documentation
///////////////////////////////////////////////////////////

//! Factorial algorithm
/*!

   \pre 'n &gt;= 0'
   \post returns '1' if 'n == 0'
         returns 'factorial(n-1)*n' otherwise
*/</span>
          
<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>inline</span> <span class=identifier>T</span> <span class=identifier>factorial</span><span class=special>(</span> <span class=identifier>T</span> <span class=identifier>n</span> <span class=special>)</span>
<span class=special>{</span>
    <span class=identifier>BOOST_ASSERT</span><span class=special>(</span> <span class=identifier>n</span> <span class=special>&gt;=</span> <span class=number>0</span> <span class=special>);</span>

    <span class=keyword>if</span><span class=special>(</span> <span class=identifier>n</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span>
        <span class=keyword>return</span> <span class=number>1</span><span class=special>;</span>
    
    <span class=identifier>T</span> <span class=keyword>result</span>     <span class=special>=</span> <span class=identifier>n</span><span class=special>;</span>
    <span class=identifier>T</span> <span class=identifier>old_result</span> <span class=special>=</span> <span class=keyword>result</span><span class=special>;</span>
    <span class=keyword>for</span><span class=special>(</span> <span class=special>--</span><span class=identifier>n</span><span class=special>;</span> <span class=identifier>n</span> <span class=special>!=</span> <span class=number>0</span><span class=special>;</span> <span class=special>--</span><span class=identifier>n</span> <span class=special>)</span>
    <span class=special>{</span>
        <span class=keyword>result</span> <span class=special>*=</span> <span class=identifier>n</span><span class=special>;</span>
        <span class=identifier>BOOST_ASSERT</span><span class=special>(</span> <span class=identifier>n</span> <span class=special>&gt;</span> <span class=number>0</span> <span class=special>);</span>
        <span class=identifier>BOOST_ASSERT</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>&gt;</span> <span class=identifier>old_result</span> <span class=special>&amp;&amp;</span> <span class=string>&quot;integer has wrapped around&quot;</span> <span class=special>);</span>
        <span class=identifier>old_result</span> <span class=special>=</span> <span class=keyword>result</span><span class=special>;</span>
    <span class=special>}</span>
    
    <span class=keyword>return</span> <span class=keyword>result</span><span class=special>;</span>
<span class=special>}</span>

<span class=comment>///////////////////////////////////////////////////////////
// Contract Programming-style documentation
///////////////////////////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>inline</span> <span class=identifier>T</span> <span class=identifier>factorial</span><span class=special>(</span> <span class=identifier>T</span> <span class=identifier>n</span> <span class=special>)</span>
<span class=keyword>precondition</span> 
<span class=special>{</span>
    <span class=identifier>n</span> <span class=special>&gt;=</span> <span class=number>0</span><span class=special>;</span> 
<span class=special>}</span>
<span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span>
<span class=special>{</span>
    <span class=keyword>if</span><span class=special>(</span> <span class=identifier>n</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span>
        <span class=keyword>result</span> <span class=special>==</span> <span class=number>1</span><span class=special>;</span>
    <span class=keyword>else</span>
        <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>n</span> <span class=special>*</span> <span class=identifier>factorial</span><span class=special>(</span><span class=identifier>n</span><span class=special>-</span><span class=number>1</span><span class=special>);</span>
<span class=special>}</span>
<span class=keyword>do</span>
<span class=special>{</span>
    <span class=keyword>if</span><span class=special>(</span> <span class=identifier>n</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span>
        <span class=keyword>return</span> <span class=number>1</span><span class=special>;</span>
    
    <span class=identifier>T</span> <span class=keyword>result</span> <span class=special>=</span> <span class=identifier>n</span><span class=special>;</span>
    <span class=keyword>for</span><span class=special>(</span> <span class=special>--</span><span class=identifier>n</span><span class=special>;</span> <span class=identifier>n</span> <span class=special>!=</span> <span class=number>0</span><span class=special>;</span> <span class=special>--</span><span class=identifier>n</span> <span class=special>)</span>
        <span class=keyword>result</span> <span class=special>*=</span> <span class=identifier>n</span><span class=special>;</span>
    <span class=keyword>invariant</span>
    <span class=special>{</span>
        <span class=identifier>n</span> <span class=special>&gt;=</span> <span class=number>0</span><span class=special>;</span>
        <span class=keyword>result</span> <span class=special>&gt;</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>old</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>&amp;&amp;</span> <span class=string>&quot;integer has wrapped around&quot;</span><span class=special>;</span> 
    <span class=special>}</span>
    
    <span class=keyword>return</span> <span class=keyword>result</span><span class=special>;</span>
<span class=special>}</span>
</pre>


</body>
</html>



</div>
<div class="section" id="restrict-replacement-example-hpp">
<h2><a class="toc-backref" href="#id70" name="restrict-replacement-example-hpp">8.3   restrict_replacement_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>//
// This example shows how Contract Programming can
// provide all the functionality of the 'restrict'
// keyword. Moreover, it will work for iterators that
// are not just pointers.
//
// Caveat: The iterators of eg. std::deque are random-access, but will
//         still work erroneously with this example.
//</span>

<span class=keyword>namespace</span> <span class=identifier>std</span>
<span class=special>{</span>
    <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>RandomAccessIterator</span> 
    <span class=keyword>bool</span> <span class=identifier>arrays_dont_overlap</span><span class=special>(</span> <span class=identifier>RandomAccessIterator</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>RandomAccessIterator</span> <span class=identifier>last</span><span class=special>,</span>
                              <span class=identifier>RandomAccessIterator</span> <span class=identifier>first2</span><span class=special>,</span> <span class=identifier>RandomAccessIterator</span> <span class=identifier>last2</span> <span class=special>)</span>
    <span class=special>{</span>
        <span class=keyword>return</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>less</span><span class=special>&lt;</span> <span class=keyword>typename</span> <span class=identifier>iterator_value</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>type</span><span class=special>*</span> <span class=special>&gt;(</span> <span class=special>&amp;*</span><span class=identifier>prior</span><span class=special>(</span><span class=identifier>last</span><span class=special>),</span> <span class=special>&amp;*</span><span class=identifier>first2</span> <span class=special>)</span> <span class=special>||</span>
               <span class=identifier>std</span><span class=special>::</span><span class=identifier>less</span><span class=special>&lt;</span> <span class=keyword>typename</span> <span class=identifier>iterator_value</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>type</span><span class=special>*</span> <span class=special>&gt;(</span> <span class=special>&amp;*</span><span class=identifier>prior</span><span class=special>(</span><span class=identifier>last2</span><span class=special>),</span> <span class=special>&amp;*</span><span class=identifier>first</span> <span class=special>);</span>
    <span class=special>}</span>
    
    
    
    <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>RandomAccessIterator</span> <span class=special>&gt;</span>
    <span class=keyword>void</span> <span class=identifier>fast_copy</span><span class=special>(</span> <span class=identifier>RandomAccessIterator</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>RandomAccessIterator</span> <span class=identifier>last</span><span class=special>,</span>
                    <span class=identifier>RandomAccessIterator</span> <span class=keyword>out</span> <span class=special>)</span>
    <span class=keyword>precondition</span>
    <span class=special>{</span>
        <span class=keyword>static</span> <span class=identifier>is_pod</span><span class=special>&lt;</span> <span class=keyword>typename</span> <span class=identifier>iterator_value</span><span class=special>&lt;</span><span class=identifier>RandomAccessIterator</span><span class=special>&gt;::</span><span class=identifier>type</span> <span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Only PODs can be copied&quot;</span><span class=special>;</span>
        <span class=keyword>static</span> <span class=identifier>is_random_access_iterator</span><span class=special>&lt;</span><span class=identifier>RandomAccessIterator</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;The iterator must model a Random Access Iterator&quot;</span><span class=special>;</span>
        <span class=identifier>arrays_dont_overlap</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>out</span><span class=special>,</span> <span class=keyword>out</span> <span class=special>+</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span><span class=identifier>first</span><span class=special>,</span><span class=identifier>last</span><span class=special>)</span> <span class=special>);</span>  
    <span class=special>}</span>
    <span class=keyword>do</span>
    <span class=special>{</span>
        <span class=identifier>memcpy</span><span class=special>(</span> <span class=special>&amp;*</span><span class=keyword>out</span><span class=special>,</span> <span class=special>&amp;*</span><span class=identifier>first</span><span class=special>,</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span><span class=identifier>first</span><span class=special>,</span><span class=identifier>last</span><span class=special>)</span> <span class=special>);</span>
    <span class=special>}</span>
<span class=special>}</span>
</pre>


</body>
</html>



</div>
<div class="section" id="subcontracting-example-hpp">
<h2><a class="toc-backref" href="#id71" name="subcontracting-example-hpp">8.4   subcontracting_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>//
// This example shows how Contract Programming 
// allows one to keep the virtual function public 
// and still enforce the contract of the function
//</span>

<span class=keyword>class</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>virtual</span> <span class=special>~</span><span class=identifier>shape</span><span class=special>()</span> <span class=special>{}</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span> <span class=special>=</span> <span class=number>0</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>&gt;</span> <span class=number>0</span><span class=special>;</span>
        <span class=special>}</span>
<span class=special>};</span>

<span class=keyword>class</span> <span class=identifier>circle</span> <span class=special>:</span> <span class=keyword>public</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>int</span> <span class=identifier>radius</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span>
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>pi</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>()</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>();</span>
        <span class=special>}</span>
<span class=special>};</span>
</pre>


</body>
</html>



</div>
<div class="section" id="pointer-container-replace-example-hpp">
<h2><a class="toc-backref" href="#id72" name="pointer-container-replace-example-hpp">8.5   pointer_container_replace_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>//
// This example shows how we can perform
// a clean-up action as a side-effect in a precondition.
//
// Side-effects are normally banned from contracts, but in this
// we do it to obhold exception-safety requirements.
//</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>class</span> <span class=identifier>ptr_vector</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=comment>// ...</span>
      
    <span class=keyword>void</span> <span class=identifier>replace</span><span class=special>(</span> <span class=identifier>T</span><span class=special>*</span> <span class=identifier>p</span><span class=special>,</span> <span class=identifier>size_type</span> <span class=identifier>where</span> <span class=special>)</span>
        <span class=keyword>precondition</span>
        <span class=special>{</span>
            <span class=identifier>p</span> <span class=special>!=</span> <span class=number>0</span>          <span class=special>:</span> <span class=keyword>throw</span> <span class=identifier>bad_ptr</span><span class=special>();</span>
            <span class=identifier>where</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>:</span> <span class=keyword>delete</span> <span class=identifier>p</span><span class=special>,</span> <span class=keyword>throw</span> <span class=identifier>bad_index</span><span class=special>();</span>
        <span class=special>}</span>
<span class=special>};</span>
</pre>


</body>
</html>



</div>
</div>
<div class="section" id="comparison-of-contract-programming-in-d-eiffel-and-c">
<h1><a class="toc-backref" href="#id73" name="comparison-of-contract-programming-in-d-eiffel-and-c">9   Comparison of Contract Programming in D, Eiffel and C++</a></h1>
<p>The table below contains a comparison of how Contract
Programming is implemented in D, Eiffel and C++.</p>
<table border class="table">
<colgroup>
<col width="25%" />
<col width="21%" />
<col width="20%" />
<col width="34%" />
</colgroup>
<tbody valign="top">
<tr><td><strong>Feature</strong></td>
<td><strong>ISE Eiffel 5.4</strong></td>
<td><strong>D</strong></td>
<td><strong>C++ Proposal</strong></td>
</tr>
<tr><td><em>keywords</em></td>
<td><tt class="literal"><span class="pre">require</span></tt>, <tt class="literal"><span class="pre">ensure</span></tt>,
<tt class="literal"><span class="pre">do</span></tt>, <tt class="literal"><span class="pre">require</span> <span class="pre">else</span></tt>,
<tt class="literal"><span class="pre">ensure</span> <span class="pre">then</span></tt>, <tt class="literal"><span class="pre">invariant</span></tt>,
<tt class="literal"><span class="pre">old</span></tt>, <tt class="literal"><span class="pre">result</span></tt>,
<tt class="literal"><span class="pre">variant</span></tt></td>
<td><tt class="literal"><span class="pre">in</span></tt>, <tt class="literal"><span class="pre">out</span></tt>, <tt class="literal"><span class="pre">body</span></tt>,
<tt class="literal"><span class="pre">invariant</span></tt>, <tt class="literal"><span class="pre">assert</span></tt>,
<tt class="literal"><span class="pre">static</span></tt></td>
<td><tt class="literal"><span class="pre">precondition</span></tt>,
<tt class="literal"><span class="pre">postcondition</span></tt>, <tt class="literal"><span class="pre">do</span></tt>,
<tt class="literal"><span class="pre">invariant</span></tt>, <tt class="literal"><span class="pre">static</span></tt></td>
</tr>
<tr><td><em>on failure</em></td>
<td>throws exception</td>
<td>throws exception</td>
<td>defaults to <tt class="literal"><span class="pre">terminate()</span></tt>,
defaults can be customized,
might throw</td>
</tr>
<tr><td><em>expression copying in postconditions</em></td>
<td>yes, <tt class="literal"><span class="pre">old</span></tt> keyword</td>
<td>no</td>
<td>yes, <tt class="literal"><span class="pre">std::old()</span></tt>
function</td>
</tr>
<tr><td><em>subcontracting</em></td>
<td>yes</td>
<td>yes</td>
<td>yes, but only considers
postconditions</td>
</tr>
<tr><td><em>contracts on abstract functions</em></td>
<td>yes</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>arbitrary code contracts</em></td>
<td>yes</td>
<td>yes</td>
<td>no, must be const correct</td>
</tr>
<tr><td><em>function code ordering</em></td>
<td>pre -&gt; body -&gt; post</td>
<td>pre -&gt; post -&gt; body</td>
<td>pre -&gt; post -&gt; body</td>
</tr>
<tr><td><em>compile-time assertions</em></td>
<td>no</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr><td><em>loop invariants</em></td>
<td>yes</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>loop variants</em></td>
<td>yes</td>
<td>no</td>
<td>yes, <tt class="literal"><span class="pre">std::old()</span></tt> inside
loop invariants</td>
</tr>
<tr><td><em>const-correct</em></td>
<td>no</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>invariant calls</em></td>
<td><ul class="first last simple">
<li>end of &quot;constructor&quot;</li>
<li>around public functions</li>
</ul>
</td>
<td><ul class="first last simple">
<li>end of constructor</li>
<li>around public functions</li>
<li>start of destructor</li>
</ul>
</td>
<td><ul class="first last simple">
<li>as in D</li>
<li>when a function exits due to an exception</li>
</ul>
</td>
</tr>
<tr><td><em>disabling of checks during assertions</em></td>
<td>yes</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>when public func. call public func.</em></td>
<td>disable all checks</td>
<td>disable nothing</td>
<td>disable invariant</td>
</tr>
<tr><td><em>removable from object code</em></td>
<td>yes</td>
<td>yes</td>
<td>only default assertions</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="acknowledgements">
<h1><a class="toc-backref" href="#id74" name="acknowledgements">10   Acknowledgements</a></h1>
<p>Special thanks goes to</p>
<ul class="simple">
<li>Reece Dunn</li>
<li>Douglas Gregor</li>
<li>Alf Steinbach</li>
<li>Matthew Wilson</li>
<li>Berend de Boer</li>
<li>Darren Cook</li>
<li>Pavel Vozenilek</li>
<li>Scott Meyers</li>
<li>Attila Fehér</li>
<li>Walter Bright</li>
<li>Per Madsen</li>
<li>Kevlin Henney</li>
<li>Sergey Vlasov</li>
<li>Bob Bell</li>
<li>John Nagle</li>
</ul>
<!-- ############################################### -->
<!-- ################## Links ###################### -->
<!-- ############################################### -->
</div>
<div class="section" id="footnotes">
<h1><a class="toc-backref" href="#id75" name="footnotes">11   Footnotes</a></h1>
<!-- ############################################### -->
<!-- ################## Footnotes ################## -->
<!-- ############################################### -->
<table class="footnote" frame="void" id="id27" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id1" name="id27">[1]</a></td><td>The original term &quot;Design by Contract&quot; is abandoned 
for good since it appears to have been trademarked in 2003. The term &quot;Contract Programming&quot;
was suggested by Walter Bright.</td></tr>
</tbody>
</table>
<table class="footnote" frame="void" id="id28" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id2" name="id28">[2]</a></td><td><p>Even experienced programmers can choke on the word &quot;invariant&quot; and what it
means for a class to have one. There are a few simple rules we want  
all programmers to learn:</p>
<ol class="arabic simple">
<li>that classes can have invariants and that subclasses have stronger or equally strong invariants,</li>
<li>that functions have pre- and postconditions: the implementer has as his obligation to fulfill the 
postcondition assuming the precondition holds; the user has as his obligation to fulfill the precondition
and receives the benefits of the postcondition in return,</li>
<li>that public functions cannot break the class invariant.</li>
</ol>
</td></tr>
</tbody>
</table>
<!-- Specifying invariants also leads to simpler designs. -->
<table class="footnote" frame="void" id="id29" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id6" name="id29">[3]</a></td><td><p>This latitude allows programmers to turn off and on compound assertions using appropriate macros and can be helpful
if the more levels of assertions are wanted. For example, an assertion like</p>
<pre class="literal-block">
is_foo() : (void)0;
</pre>
<p>can be discarded.</p>
</td></tr>
</tbody>
</table>
<table class="footnote" frame="void" id="id30" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id12" name="id30">[4]</a></td><td><p>Assume we want to take advantage of a weaker precondition. Normally that precondition is weaker <em>by design</em>,
that is, the two preconditions are <em>OR</em>ed no matter
what they contain. Even <em>if</em> we perform a downcast, the runtime system must call first the 
original contract (which will then fail). Then the control is handled to the derived precondition
which can then fail or not. This seems extremely messy and might require <tt class="literal"><span class="pre">try-catch</span></tt> block around the 
first precondition.</p>
<p>The alternative is to only check the derived precondition if we have performed a downcast. The consequence
is that we might have a precondition that is in fact <em>stronger</em> than the original! In general it is probably
also impossible to verify that a contract is weaker given that it can contain arbitrary expressions.
This approach does not seem very attractive either.</p>
<p>If we also take into consideration that good examples with weakened preconditions are extremely rare,
it is be better to abandon the idea all together.</p>
<p>Thanks goes to Scott Meyers and Attila Fehér for their input on this issue.</p>
</td></tr>
</tbody>
</table>
<table class="footnote" frame="void" id="id31" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id18" name="id31">[5]</a></td><td>To ensure that the function gives the basic guarantee of exception-safety.</td></tr>
</tbody>
</table>
<table class="footnote" frame="void" id="id32" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id19" name="id32">[6]</a></td><td>One can imagine an approach where exceptions could escape from an invariant by not checking
invariants when functions exit via an exception. The benefits of such an approach are not
obvious and it will complicate flow analysis unnecessarily.</td></tr>
</tbody>
</table>
<table class="footnote" frame="void" id="id33" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id20" name="id33">[7]</a></td><td>During construction means until the post-condition of the constructor has ended.</td></tr>
</tbody>
</table>
<table class="footnote" frame="void" id="id34" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id21" name="id34">[8]</a></td><td>An implementation would not be required to detect when control leaves a class in general
but merely to disable invariants until the function returns. This means that if <tt class="literal"><span class="pre">A::foo()</span></tt>
calls <tt class="literal"><span class="pre">B::foo()</span></tt> which calls <tt class="literal"><span class="pre">A::bar()</span></tt>, then the invariant of <tt class="literal"><span class="pre">A</span></tt> will not be checked on entry
to or exit of <tt class="literal"><span class="pre">A::bar()</span></tt>. However, <tt class="literal"><span class="pre">B::foo()</span></tt> may choose to check the invariant of <tt class="literal"><span class="pre">A</span></tt> manually.</td></tr>
</tbody>
</table>
<table class="footnote" frame="void" id="id35" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id23" name="id35">[9]</a></td><td>This is contrary to the loop condition which cannot see these variables.</td></tr>
</tbody>
</table>
</div>
</div>
</body>
</html>
