<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.3.7: http://docutils.sourceforge.net/" />
<title>Proposal to add Contract Programming to C++ (revision 2)</title>
<meta name="author" content="David Abrahams, Lawrence Crowl, Thorsten Ottosen, James Widman" />
<meta name="date" content="2005-03-04" />
<style type="text/css">

/*
:Author: David Goodger
:Contact: goodger@users.sourceforge.net
:date: $Date: 2004/01/12 02:49:54 $
:version: $Revision: 1.2 $
:copyright: This stylesheet has been placed in the public domain.

Default cascading style sheet for the HTML output of Docutils.
*/

.first {
  margin-top: 0 }

.last {
  margin-bottom: 0 }

a.toc-backref {
  text-decoration: none ;
  color: black }

dd {
  margin-bottom: 0.5em }

div.abstract {
  margin: 2em 5em }

div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }

div.attention, div.caution, div.danger, div.error, div.hint,
div.important, div.note, div.tip, div.warning, div.admonition {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }

div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }

div.hint p.admonition-title, div.important p.admonition-title,
div.note p.admonition-title, div.tip p.admonition-title,
div.admonition p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }

div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }

div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }

div.figure {
  margin-left: 2em }

div.footer, div.header {
  font-size: smaller }

div.sidebar {
  margin-left: 1em ;
  border: medium outset ;
  padding: 0em 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right ;
  clear: right }

div.sidebar p.rubric {
  font-family: sans-serif ;
  font-size: medium }

div.system-messages {
  margin: 5em }

div.system-messages h1 {
  color: red }

div.system-message {
  border: medium outset ;
  padding: 1em }

div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }

div.topic {
  margin: 2em }

h1.title {
  text-align: center }

h2.subtitle {
  text-align: center }

hr {
  width: 75% }

ol.simple, ul.simple {
  margin-bottom: 1em }

ol.arabic {
  list-style: decimal }

ol.loweralpha {
  list-style: lower-alpha }

ol.upperalpha {
  list-style: upper-alpha }

ol.lowerroman {
  list-style: lower-roman }

ol.upperroman {
  list-style: upper-roman }

p.attribution {
  text-align: right ;
  margin-left: 50% }

p.caption {
  font-style: italic }

p.credits {
  font-style: italic ;
  font-size: smaller }

p.label {
  white-space: nowrap }

p.rubric {
  font-weight: bold ;
  font-size: larger ;
  color: maroon ;
  text-align: center }

p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }

p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }

p.topic-title {
  font-weight: bold }

pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font-family: serif ;
  font-size: 100% }

pre.line-block {
  font-family: serif ;
  font-size: 100% }

pre.literal-block, pre.doctest-block {
  margin-left: 2em ;
  margin-right: 2em ;
  background-color: #eeeeee }

span.classifier {
  font-family: sans-serif ;
  font-style: oblique }

span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }

span.interpreted {
  font-family: sans-serif }

span.option {
  white-space: nowrap }

span.option-argument {
  font-style: italic }

span.pre {
  white-space: pre }

span.problematic {
  color: red }

table {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }

table.citation {
  border-left: solid thin gray ;
  padding-left: 0.5ex }

table.docinfo {
  margin: 2em 4em }

table.footnote {
  border-left: solid thin black ;
  padding-left: 0.5ex }

td, th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }

th.docinfo-name, th.field-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap }

h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
  font-size: 100% }

tt {
  background-color: #eeeeee }

ul.auto-toc {
  list-style-type: none }
  
pre{
  BORDER-RIGHT: gray 1pt solid;
  PADDING-RIGHT: 2pt;
  BORDER-TOP: gray 1pt solid;
  DISPLAY: block;
  PADDING-LEFT: 2pt;
  PADDING-BOTTOM: 2pt;
  BORDER-LEFT: gray 1pt solid;
  MARGIN-RIGHT: 32pt;
  PADDING-TOP: 2pt;
  BORDER-BOTTOM: gray 1pt solid;
  FONT-FAMILY: "Courier New", Courier, mono; 
  background-color: #EEEEEE; 
}


.keyword{color: #0000FF;}
.identifier{}
.comment{font-style: italic; color: #008000;}
.special{color: #800040;}
.preprocessor{color: #3F007F;}
.string{font-style: italic; color: #666666;}
.literal{/*font-style: italic;*/ color: #000000;}

</style>
</head>
<body>
<div class="document" id="proposal-to-add-contract-programming-to-c-revision-2">
<h1 class="title">Proposal to add Contract Programming to C++ (revision 2)</h1>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr><th class="docinfo-name">Author:</th>
<td>David Abrahams, Lawrence Crowl, Thorsten Ottosen, James Widman</td></tr>
<tr><th class="docinfo-name">Contact:</th>
<td><a class="first reference" href="mailto:dave&#64;boost-consulting.com">dave&#64;boost-consulting.com</a>, <a class="reference" href="mailto:lawrence.crowl&#64;sun.com">lawrence.crowl&#64;sun.com</a>, <a class="reference" href="mailto:nesotto&#64;cs.aau.dk">nesotto&#64;cs.aau.dk</a>, <a class="last reference" href="mailto:widman&#64;gimpel.com">widman&#64;gimpel.com</a></td></tr>
<tr class="field"><th class="docinfo-name">organizations:</th><td class="field-body">Boost-Consulting, Sun Microsystems, Dezide Aps, Gimpel Software</td>
</tr>
<tr><th class="docinfo-name">Date:</th>
<td>2005-03-04</td></tr>
<tr class="field"><th class="docinfo-name">Number:</th><td class="field-body">WG21/N1773 and J16/05-0033. This proposal is a
revision of paper <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1669.html">n1669</a>.</td>
</tr>
<tr class="field"><th class="docinfo-name">Working Group:</th><td class="field-body">Evolution</td>
</tr>
</tbody>
</table>
<div class="abstract topic">
<p class="topic-title first">Abstract</p>
<p>Contract Programming is about providing the programmer with stronger tools 
for expressing correctness arguments directly in the source code. Moreover, the
contracts enable new and powerful optimization opportunities. 
This proposal describes a small assertion sub-language 
that unifies compile-time and run-time assertions.
The benefits 
are among others a higher degree of self-documenting source code,
better design tools, 
and easier debugging and testing.</p>
</div>
<div class="contents topic" id="table-of-contents">
<p class="topic-title first"><a name="table-of-contents">Table of Contents</a></p>
<ul class="auto-toc simple">
<li><a class="reference" href="#motivation" id="id34" name="id34">1&nbsp;&nbsp;&nbsp;Motivation</a></li>
<li><a class="reference" href="#the-proposal" id="id35" name="id35">2&nbsp;&nbsp;&nbsp;The proposal</a><ul class="auto-toc">
<li><a class="reference" href="#assertions" id="id36" name="id36">2.1&nbsp;&nbsp;&nbsp;Assertions</a><ul class="auto-toc">
<li><a class="reference" href="#static-assertions" id="id37" name="id37">2.1.1&nbsp;&nbsp;&nbsp;Static assertions</a></li>
<li><a class="reference" href="#runtime-assertions" id="id38" name="id38">2.1.2&nbsp;&nbsp;&nbsp;Runtime assertions</a></li>
</ul>
</li>
<li><a class="reference" href="#keyword-old" id="id39" name="id39">2.2&nbsp;&nbsp;&nbsp;Keyword <tt class="docutils literal"><span class="pre">__old</span></tt></a></li>
<li><a class="reference" href="#function-pre-and-postconditions" id="id40" name="id40">2.3&nbsp;&nbsp;&nbsp;Function pre- and postconditions</a><ul class="auto-toc">
<li><a class="reference" href="#virtual-functions" id="id41" name="id41">2.3.1&nbsp;&nbsp;&nbsp;Virtual functions</a></li>
<li><a class="reference" href="#constructors" id="id42" name="id42">2.3.2&nbsp;&nbsp;&nbsp;Constructors</a></li>
<li><a class="reference" href="#function-pointers" id="id43" name="id43">2.3.3&nbsp;&nbsp;&nbsp;Function pointers</a></li>
</ul>
</li>
<li><a class="reference" href="#class-invariants" id="id44" name="id44">2.4&nbsp;&nbsp;&nbsp;Class invariants</a></li>
<li><a class="reference" href="#namespace-invariants" id="id45" name="id45">2.5&nbsp;&nbsp;&nbsp;Namespace invariants</a></li>
<li><a class="reference" href="#failure-handler-functions" id="id46" name="id46">2.6&nbsp;&nbsp;&nbsp;Failure handler functions</a></li>
</ul>
</li>
<li><a class="reference" href="#open-issues" id="id47" name="id47">3&nbsp;&nbsp;&nbsp;Open issues</a><ul class="auto-toc">
<li><a class="reference" href="#how-do-contracts-interact-with-function-try-blocks" id="id48" name="id48">3.1&nbsp;&nbsp;&nbsp;How do contracts interact with function-try-blocks?</a></li>
<li><a class="reference" href="#are-failure-handler-functions-wrongly-specified" id="id49" name="id49">3.2&nbsp;&nbsp;&nbsp;Are failure handler functions wrongly specified?</a></li>
<li><a class="reference" href="#changes-to-the-standard-library" id="id50" name="id50">3.3&nbsp;&nbsp;&nbsp;Changes to the standard library</a></li>
</ul>
</li>
<li><a class="reference" href="#major-changes-from-n1669" id="id51" name="id51">4&nbsp;&nbsp;&nbsp;Major changes from n1669</a></li>
<li><a class="reference" href="#list-of-proposals-that-could-affect-or-be-affected-by-this-proposal" id="id52" name="id52">5&nbsp;&nbsp;&nbsp;List of proposals that could affect or be affected by this proposal</a></li>
<li><a class="reference" href="#implementability" id="id53" name="id53">6&nbsp;&nbsp;&nbsp;Implementability</a></li>
<li><a class="reference" href="#list-of-examples" id="id54" name="id54">7&nbsp;&nbsp;&nbsp;List of examples</a><ul class="auto-toc">
<li><a class="reference" href="#vector-example-hpp" id="id55" name="id55">7.1&nbsp;&nbsp;&nbsp;vector_example.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp" id="id56" name="id56">7.2&nbsp;&nbsp;&nbsp;subcontracting_example.hpp</a></li>
</ul>
</li>
<li><a class="reference" href="#comparison-of-contract-programming-in-d-eiffel-and-c" id="id57" name="id57">8&nbsp;&nbsp;&nbsp;Comparison of Contract Programming in D, Eiffel and C++</a></li>
<li><a class="reference" href="#acknowledgements" id="id58" name="id58">9&nbsp;&nbsp;&nbsp;Acknowledgements</a></li>
<li><a class="reference" href="#footnotes" id="id59" name="id59">10&nbsp;&nbsp;&nbsp;Footnotes</a></li>
</ul>
</div>
<div class="section" id="motivation">
<h1><a class="toc-backref" href="#id34" name="motivation">1&nbsp;&nbsp;&nbsp;Motivation</a></h1>
<p>Language support for Contract Programming has several benefits:</p>
<ol class="arabic simple">
<li>It can remove the need for separation of documentation and implementation <a class="footnote-reference" href="#id21" id="id1" name="id1">[0]</a>.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>It can enable the compiler to generate faster code <a class="footnote-reference" href="#id22" id="id2" name="id2">[1]</a>.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>It can make debugging and testing much easier <a class="footnote-reference" href="#id23" id="id3" name="id3">[2]</a>.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="4">
<li>It can improve communication between designers and programmers in large C++ projects <a class="footnote-reference" href="#id24" id="id4" name="id4">[3]</a>.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="5">
<li>It can make inheritance easier to use correctly (see <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a> ).</li>
</ol>
<!--  -->
<ol class="arabic simple" start="6">
<li>It can ensure that every programmer understands the contract metaphors <a class="footnote-reference" href="#id25" id="id5" name="id5">[4]</a> .</li>
</ol>
<!--  -->
<ol class="arabic simple" start="7">
<li>It might make static analysis tools much more powerful <a class="footnote-reference" href="#id26" id="id6" name="id6">[5]</a>.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="8">
<li>It will benefit C++'s image as a secure language <a class="footnote-reference" href="#id27" id="id7" name="id7">[6]</a>.</li>
</ol>
<p>Please refer to <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> for an extensive discussion of these benefits.</p>
<p>Already with the current proposal, it is quite remarkable how much
of an interface that can be documented. For a good example, please
see how <tt class="docutils literal"><span class="pre">std::vector</span></tt> is declared in <a class="reference" href="#vector-example-hpp">vector_example.hpp</a>; there is only a small
portion of the specification of <tt class="docutils literal"><span class="pre">std::vector</span></tt> that cannot be described in the 
contracts.</p>
</div>
<div class="section" id="the-proposal">
<h1><a class="toc-backref" href="#id35" name="the-proposal">2&nbsp;&nbsp;&nbsp;The proposal</a></h1>
<p>The idea is to extend C++</p>
<ul class="simple">
<li>function declarations with <a class="reference" href="#functionx">pre- and postconditions</a>,</li>
</ul>
<!--  -->
<ul class="simple">
<li>class declarations with <a class="reference" href="#class-invariants">class invariants</a>,</li>
</ul>
<!--  -->
<ul class="simple">
<li>namespace declarations with <a class="reference" href="#namespace-invariants">namespace invariants</a>.</li>
</ul>
<p>These new <em>contract scopes</em> can contain <a class="reference" href="#assertions">assertions</a> that
may be evaluated either at compiler-time or at
run-time as part of the program to verify their correctness.</p>
<div class="section" id="assertions">
<h2><a class="toc-backref" href="#id36" name="assertions">2.1&nbsp;&nbsp;&nbsp;Assertions</a></h2>
<p>The basic building blocks of contracts are 
<em>assertions</em>. Assertions come in two categories:</p>
<ul class="simple">
<li><a class="reference" href="#static-assertions">static assertions</a></li>
</ul>
<!--  -->
<ul class="simple">
<li><a class="reference" href="#runtime-assertions">runtime assertions</a></li>
</ul>
<div class="section" id="static-assertions">
<h3><a class="toc-backref" href="#id37" name="static-assertions">2.1.1&nbsp;&nbsp;&nbsp;Static assertions</a></h3>
<p>There are two flavors of <em>static</em> assertions:</p>
<ol class="arabic">
<li><p class="first"><em>default</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax: </dt>
<dd><p class="first last"><em>static-assertion</em>: <tt class="docutils literal"><span class="pre">static</span></tt> <em>constant-expression</em> <tt class="docutils literal"><span class="pre">:</span></tt> <em>string-literal</em> <tt class="docutils literal"><span class="pre">;</span></tt></p>
</dd>
<dt>example: </dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">static</span> <span class="pre">is_pod&lt;T&gt;::value</span> <span class="pre">:</span> <span class="pre">&quot;T</span> <span class="pre">must</span> <span class="pre">model</span> <span class="pre">a</span> <span class="pre">POD&quot;;</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>select</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>static-assertion-sequence</em>: <em>static-assertion</em></li>
<li><em>static-assertion-sequence</em>: <em>static-assertion</em> <em>static-assertion-sequence</em></li>
<li><em>static-body</em>: <em>static-assertion</em></li>
<li><em>static-body</em>: <tt class="docutils literal"><span class="pre">{</span></tt> <em>static-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>static-if-assertion</em> : <tt class="docutils literal"><span class="pre">if(</span></tt> <em>constant-expression</em> <tt class="docutils literal"><span class="pre">)</span></tt> <em>static-body</em> <em>static-else-assertion</em> <sub>opt</sub></li>
<li><em>static-else-assertion</em> : <tt class="docutils literal"><span class="pre">else</span></tt> <em>static-body</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><dl class="first last docutils">
<dt><tt class="docutils literal"><span class="pre">if(</span> <span class="pre">is_pod&lt;T&gt;::value</span> <span class="pre">)</span></tt></dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">static</span> <span class="pre">sizeof(</span> <span class="pre">T</span> <span class="pre">)</span> <span class="pre">&lt;=</span> <span class="pre">sizeof(</span> <span class="pre">long</span> <span class="pre">)</span> <span class="pre">:</span> <span class="pre">&quot;Only</span> <span class="pre">PODs</span> <span class="pre">smaller</span> <span class="pre">than</span> <span class="pre">long</span> <span class="pre">supported&quot;;</span></tt></p>
</dd>
</dl>
</dd>
</dl>
</blockquote>
</li>
</ol>
<p>The static assertions are exactly like the ones described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1617.html">n1617</a>. The 
main difference is that we</p>
<ol class="arabic simple">
<li>reuse the keyword <tt class="docutils literal"><span class="pre">static</span></tt> instead of adding a new one,</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>confine the scope of the static assertion to contract scope, and</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>allow compile-time select statements to avoid duplication of conditions.</li>
</ol>
</div>
<div class="section" id="runtime-assertions">
<h3><a class="toc-backref" href="#id38" name="runtime-assertions">2.1.2&nbsp;&nbsp;&nbsp;Runtime assertions</a></h3>
<p>There are two flavors of <em>runtime</em> assertions:</p>
<ol class="arabic">
<li><p class="first"><em>default</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><p class="first last"><em>runtime-assertion</em> : <em>boolean-expression</em> <tt class="docutils literal"><span class="pre">;</span></tt></p>
</dd>
<dt>example:</dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">std::cout.good();</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>select</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>runtime-assertion-sequence</em> : <em>runtime-assertion</em></li>
<li><em>runtime-assertion-sequence</em> : <em>runtime-assertion</em> <em>runtime-assertion-sequence</em></li>
<li><em>runtime-body</em> : <em>runtime-assertion</em></li>
<li><em>runtime-body</em> : <tt class="docutils literal"><span class="pre">{</span></tt> <em>runtime-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>runtime-if-assertion</em> : <tt class="docutils literal"><span class="pre">if(</span></tt> <em>condition</em> <tt class="docutils literal"><span class="pre">)</span></tt> <em>runtime-body</em> <em>runtime-else-assertion</em> <sub>opt</sub></li>
<li><em>runtime-else-assertion</em> : <tt class="docutils literal"><span class="pre">else</span></tt> <em>runtime-body</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><dl class="first last docutils">
<dt><tt class="docutils literal"><span class="pre">if(</span> <span class="pre">empty()</span> <span class="pre">)</span></tt> </dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">result</span> <span class="pre">==</span> <span class="pre">end();</span></tt></p>
</dd>
</dl>
</dd>
</dl>
</blockquote>
</li>
</ol>
<p>The following general points are worth noting:</p>
<ol class="arabic">
<li><p class="first">Default assertions defaults to calling <tt class="docutils literal"><span class="pre">terminate()</span></tt>, but the behavior can be <a class="reference" href="#failure-handler-functions">customized</a>.</p>
<blockquote>
</blockquote>
</li>
<li><p class="first">The select assertions remove the need for the implication operator that was discussed in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a>.</p>
</li>
<li><p class="first">The syntactic freedom have been kept minimal to ensure a good documentation effect.</p>
</li>
<li><p class="first">Wrt. constness, then contract scope behaves as if it was a const member function <a class="footnote-reference" href="#id28" id="id10" name="id10">[7]</a>.</p>
</li>
<li><p class="first">If the compiler can determine that an assertion is true, it may choose not to evaluate 
that assertion.</p>
</li>
<li><p class="first">If the compiler can determine that an assertion is false, it may choose 
to call the <a class="reference" href="#failure-handler-functions">broken contract handler</a> without evaluating that condition.</p>
</li>
</ol>
<p>It is possible to mix static and runtime assertions. In that case we talk about
assertion sequences:</p>
<blockquote>
<ol class="arabic simple">
<li><em>assertion-sequence</em> : <em>static-assertion-sequence</em></li>
<li><em>assertion-sequence</em> : <em>runtime-assertion-sequence</em></li>
<li><em>assertion-sequence</em> : <em>assertion-sequence</em> <em>assertion-sequence</em> <sub>opt</sub></li>
</ol>
</blockquote>
</div>
</div>
<div class="section" id="keyword-old">
<h2><a class="toc-backref" href="#id39" name="keyword-old">2.2&nbsp;&nbsp;&nbsp;Keyword <tt class="docutils literal"><span class="pre">__old</span></tt></a></h2>
<p>It is very useful to be able to take a copy of a variable to compare
it with other values later. In particular, this is true in <a class="reference" href="#function">function postconditions</a>.</p>
<p>Assume <tt class="docutils literal"><span class="pre">i</span></tt> is a visible <tt class="docutils literal"><span class="pre">int</span></tt>, then the compiler translates</p>
<pre class="literal-block">
{
    __old i == 42;
}
</pre>
<p>into</p>
<pre class="literal-block">
{
    const int __old_i( i );
    __old_i == 42;
}
</pre>
<p>A set of rules govern how <tt class="docutils literal"><span class="pre">__old</span></tt> behaves within a certain contract:</p>
<ol class="arabic simple">
<li>If it is applied to the same expression <em>n</em> times, that expression need only be
evaluated once and only one copy need to be stored.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>The copy of its argument is taken <em>after</em> the precondition is evaluated.</li>
</ol>
<p>The precondition should be evaluated first to allow it to report its errors first.
Notice that we can only apply <tt class="docutils literal"><span class="pre">__old</span></tt> to objects of a type that defines a copy-constructor 
taking a <tt class="docutils literal"><span class="pre">const</span></tt> reference (ie., <tt class="docutils literal"><span class="pre">std::auto_ptr</span></tt> cannot be used).</p>
<a class="target" id="function" name="function"></a><a class="target" id="functionx" name="functionx"></a></div>
<div class="section" id="function-pre-and-postconditions">
<h2><a class="toc-backref" href="#id40" name="function-pre-and-postconditions">2.3&nbsp;&nbsp;&nbsp;Function pre- and postconditions</a></h2>
<p>The function declaration and definition
are changed into:</p>
<blockquote>
<blockquote>
<ol class="arabic simple">
<li><em>precontracted-function</em> : <em>function-head</em></li>
<li><em>precontracted-function</em> : <em>function-head</em> <em>precondition-contract</em></li>
<li><em>postcontracted-function</em> : <em>precontracted-function</em></li>
<li><em>postcontracted-function</em> : <em>precontracted-function</em> <em>postcondition-contract</em></li>
<li><em>function-declaration</em> : <em>postcontracted-function</em> <tt class="docutils literal"><span class="pre">;</span></tt></li>
<li><em>function-definition</em> : <em>postcontracted-function</em> <tt class="docutils literal"><span class="pre">{</span></tt> <em>function-body</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>precondition-contract</em> : <tt class="docutils literal"><span class="pre">precondition</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>postcondition-contract</em> : <tt class="docutils literal"><span class="pre">postcondition</span></tt> <em>return-value-declaration</em><sub>opt</sub> <tt class="docutils literal"><span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>return-value-declaration</em>: <tt class="docutils literal"><span class="pre">(</span></tt> <em>identifier</em> <tt class="docutils literal"><span class="pre">)</span></tt></li>
</ol>
</blockquote>
<p>example:</p>
<pre class="literal-block">
double sqrt( double r )
    precondition
    {
        r &gt; 0.;
    }
    postcondition( result )
    {
        equal_within_precision( result * result, r );
    }
</pre>
</blockquote>
<p>In the <em>return-value-declaration</em> we declare a local variable that acts as a <tt class="docutils literal"><span class="pre">const</span></tt> reference to the computed 
return value. It follows that a <em>return-value-declaration</em> is illegal if the return type is <tt class="docutils literal"><span class="pre">void</span></tt>.</p>
<p>The following general rules apply:</p>
<ol class="arabic">
<li><p class="first">If a function has both a declaration and a definition, the contracts must appear on the declaration.</p>
</li>
<li><p class="first"><a class="target" id="the-execution-of-a-function" name="the-execution-of-a-function">The execution of a function</a> is now</p>
<blockquote>
<ol class="loweralpha simple">
<li>evaluate the precondition assertion by assertion in order starting from the top,</li>
<li>evaluate <tt class="docutils literal"><span class="pre">__old</span></tt> occurrences in the postcondition,</li>
<li>evaluate the function body,</li>
<li>evaluate the postcondition assertion by assertion in order starting from the top.</li>
</ol>
</blockquote>
</li>
<li><p class="first">The execution of a member function is now as in 2, but</p>
<blockquote>
<ol class="loweralpha">
<li><p class="first"><tt class="docutils literal"><span class="pre">2.a</span></tt> is <em>preceded</em> by a call to the <a class="reference" href="#class-invariants">class invariant</a>,</p>
</li>
<li><p class="first"><tt class="docutils literal"><span class="pre">2.d</span></tt> is <em>preceded</em> by a call to the class invariant,</p>
<blockquote>
<ul class="simple">
<li>rationale: the contracts might call public functions in the class which require the invariant to be established.</li>
</ul>
</blockquote>
</li>
</ol>
</blockquote>
</li>
</ol>
<div class="section" id="virtual-functions">
<h3><a class="toc-backref" href="#id41" name="virtual-functions">2.3.1&nbsp;&nbsp;&nbsp;Virtual functions</a></h3>
<p>If the function <tt class="docutils literal"><span class="pre">F</span></tt> is virtual, we must require that</p>
<ol class="arabic simple">
<li>only the first declaration/definition of <tt class="docutils literal"><span class="pre">F</span></tt> can have a precondition.</li>
</ol>
<p>Section <tt class="docutils literal"><span class="pre">3.5</span></tt> of <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> explains how little redefinition of preconditions is used. Even though
subcontracting is theoretically sound, it ends up being fairly useless in practice <a class="footnote-reference" href="#id29" id="id14" name="id14">[8]</a>.</p>
<p>Postconditions can be made stronger in a derived class as seen in the <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a>.
We can summarize the remaining rules for virtual functions as</p>
<ol class="arabic simple" start="2">
<li>pure virtual functions can have contracts,</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>postconditions from a function in a base class and the overridden version in a derived class
are <em>AND</em>ed together <a class="footnote-reference" href="#id30" id="id15" name="id15">[9]</a>.</li>
</ol>
<p>The last rule ensures that the function in the derived class has a stronger postcondition <em>by design</em>.
A programmer can via a downcast obtain the stronger guarantee, but the runtime check must still
follow rule 3 above.</p>
</div>
<div class="section" id="constructors">
<h3><a class="toc-backref" href="#id42" name="constructors">2.3.2&nbsp;&nbsp;&nbsp;Constructors</a></h3>
<p>Constructors behaves much like member functions. This means that a constructor</p>
<ol class="arabic simple">
<li>can have a precondition and a postcondition,</li>
</ol>
</div>
<div class="section" id="function-pointers">
<h3><a class="toc-backref" href="#id43" name="function-pointers">2.3.3&nbsp;&nbsp;&nbsp;Function pointers</a></h3>
<p>If the address of a function is taken, it holds that</p>
<ol class="arabic simple">
<li>the precondition is evaluated before the function body when the function is called 
through the function pointer.</li>
</ol>
<p>Remark: A compiler might be able to determine that the precondition is satisfied, in that case
the compiler may generate a call directly to the function body 
(thus sharing implementation with the function pointer call).</p>
</div>
</div>
<div class="section" id="class-invariants">
<h2><a class="toc-backref" href="#id44" name="class-invariants">2.4&nbsp;&nbsp;&nbsp;Class invariants</a></h2>
<p>Within class scope it is possible to define a class invariant:</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>static-class-invariant</em> : <tt class="docutils literal"><span class="pre">static</span> <span class="pre">invariant</span> <span class="pre">{</span></tt> <em>static-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>runtime-class-invariant</em> : <tt class="docutils literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>runtime-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
</ol>
</dd>
<dt>example: </dt>
<dd>see <a class="reference" href="#vector-example-hpp">vector_example.hpp</a></dd>
</dl>
</blockquote>
<p>The class invariant has the following properties:</p>
<ol class="arabic">
<li><p class="first">It must appear in the declaration of a class.</p>
</li>
<li><p class="first">It is inherited in the sense that the invariant of a derived class <em>implicitly</em> will have the base-class invariant(s)
<em>AND</em>ed to it (see also item 6-7).</p>
<blockquote>
<p>example:</p>
<pre class="literal-block">
struct base { invariant { ... } };
struct derived : base
{
    invariant
    {
        base::invariant(); // implicitly generated
        ...
    }
};
</pre>
<p>(Remark: the above is pseudo-code.)</p>
</blockquote>
</li>
<li><p class="first">It can always be called from within or outside the class as if it was a member function with the declaration <tt class="docutils literal"><span class="pre">void</span> <span class="pre">invariant()</span> <span class="pre">const;</span></tt>.</p>
</li>
<li><p class="first">It is called <em>implicitly</em> from public</p>
<blockquote>
<ol class="loweralpha simple">
<li>member functions' <a class="reference" href="#function">pre- and postconditions</a>,</li>
</ol>
<ol class="loweralpha" start="2">
<li><p class="first">constructors,</p>
<blockquote>
<ul class="simple">
<li>call the class invariant <em>before</em> the postcondition,</li>
</ul>
</blockquote>
</li>
<li><p class="first">destructors,</p>
<blockquote>
<ul class="simple">
<li>call the class invariant <em>before</em> the destructor body.</li>
</ul>
</blockquote>
</li>
<li><p class="first">member functions that exit abnormally via an exception <a class="footnote-reference" href="#id31" id="id17" name="id17">[10]</a></p>
</li>
</ol>
</blockquote>
</li>
<li><p class="first"><a class="target" id="it-is-always-called" name="it-is-always-called">It is always called</a> as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    class_invariant();
}
catch( ... )
{
    std::class_invariant_broken();
}
</pre>
</li>
</ol>
<blockquote>
<ul class="simple">
<li>rationale: this ensures that exceptions thrown in the invariant cannot escape from functions 
and in particular not from the destructor. <a class="footnote-reference" href="#id32" id="id18" name="id18">[11]</a></li>
</ul>
</blockquote>
<ol class="arabic" start="6">
<li><p class="first">For its execution <em>during</em> construction <a class="footnote-reference" href="#id33" id="id19" name="id19">[12]</a> holds that:</p>
<blockquote>
<ol class="loweralpha">
<li><p class="first">each assertion is executed in order starting from the top <em>excluding</em> any part inherited,</p>
<blockquote>
<ul class="simple">
<li>rationale: if we do not exclude inherited parts, those parts would be evaluated multiple times.</li>
</ul>
</blockquote>
</li>
</ol>
</blockquote>
</li>
<li><p class="first">For its execution <em>after</em> construction holds that:</p>
<blockquote>
<ol class="loweralpha simple">
<li>each assertion is executed in order starting from the top <em>including</em> any part inherited,</li>
<li>if the class has any sub-classes, then the inherited portion is executed first,</li>
<li>if the class has several sub-classes the order of the classes in the base-clause is followed.</li>
</ol>
</blockquote>
</li>
</ol>
</div>
<div class="section" id="namespace-invariants">
<h2><a class="toc-backref" href="#id45" name="namespace-invariants">2.5&nbsp;&nbsp;&nbsp;Namespace invariants</a></h2>
<p>To better support global state or namespace state we introduces namespace invariants:</p>
<blockquote>
<dl class="docutils">
<dt>syntax:    </dt>
<dd><ol class="first last arabic simple">
<li><em>static-namespace-invariant</em>: <tt class="docutils literal"><span class="pre">static</span> <span class="pre">invariant</span> <span class="pre">{</span></tt> <em>static-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>runtime-namespace-invariant</em>: <tt class="docutils literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>runtime-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
</ol>
</dd>
</dl>
<p>example:</p>
<pre class="literal-block">
namespace foo
{
    int     buffer_size;
    int*    buffer;

    invariant
    {
        buffer_size &gt; 0;
        buffer     != 0;
    }

    static invariant
    {
        static sizeof( int ) &gt;= 4 : &quot;int must be 32 bit&quot;; 
    }
}
</pre>
</blockquote>
<p>The properties of namespace invariants are:</p>
<ol class="arabic">
<li><p class="first">they can appear multiple times in the same namespace across multiple translation units,</p>
</li>
<li><p class="first">for each translation unit, the present invariants are executed once 
after the static initialization phase, that is, conceptually as the 
last part of the static initialization phase,</p>
</li>
<li><p class="first">they are always called as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    namespace_invariant();
}
catch( ... )
{
    std::namespace_invariant_broken();
}
</pre>
</li>
<li><p class="first">the order of evaluation of the invariants is unspecified,</p>
</li>
<li><p class="first">the order of evaluation of the assertions in an invariant is from top to bottom,</p>
</li>
<li><p class="first">for any namespace <tt class="docutils literal"><span class="pre">N</span></tt>, <tt class="docutils literal"><span class="pre">N::invariant()</span></tt> executes all invariants from namespace <tt class="docutils literal"><span class="pre">N</span></tt>.</p>
</li>
</ol>
</div>
<div class="section" id="failure-handler-functions">
<h2><a class="toc-backref" href="#id46" name="failure-handler-functions">2.6&nbsp;&nbsp;&nbsp;Failure handler functions</a></h2>
<p>The default behavior for all default assertions is to call <tt class="docutils literal"><span class="pre">terminate()</span></tt> via a call
to their respective handler. As seen below, we have a handler for each type of contract.
If the default behavior
is undesirable, the standard library provides the following handlers:</p>
<pre class="literal-block">
namespace std
{        
    void precondition_broken();
    void postcondition_broken();
    void class_invariant_broken();
    void namespace_invariant_broken();
    
    typedef void (*broken_contract_handler)();
    
    broken_contract_handler  set_precondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_postcondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_class_invariant_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_namespace_invariant_broken_handler( broken_contract_handler r ) throw();
}
</pre>
<p>This should provide plenty of room for customization. The precondition for all the <tt class="docutils literal"><span class="pre">set_XX_handler</span></tt>
functions should be <tt class="docutils literal"><span class="pre">r</span> <span class="pre">!=</span> <span class="pre">0</span></tt>.</p>
</div>
</div>
<div class="section" id="open-issues">
<h1><a class="toc-backref" href="#id47" name="open-issues">3&nbsp;&nbsp;&nbsp;Open issues</a></h1>
<ul class="simple">
<li><a class="reference" href="#how-do-contracts-interact-with-function-try-blocks">How do contracts interact with function-try-blocks?</a></li>
<li><a class="reference" href="#are-failure-handler-functions-wrongly-specified">Are failure handler functions wrongly specified?</a></li>
<li><a class="reference" href="#changes-to-the-standard-library">Changes to the standard library</a></li>
</ul>
<div class="section" id="how-do-contracts-interact-with-function-try-blocks">
<h2><a class="toc-backref" href="#id48" name="how-do-contracts-interact-with-function-try-blocks">3.1&nbsp;&nbsp;&nbsp;How do contracts interact with function-try-blocks?</a></h2>
<p>There seems to be at least two solutions:</p>
<ol class="arabic">
<li><p class="first">Forbid function-try-blocks and contracts on the same function.</p>
</li>
<li><p class="first">Allow it as in this example:</p>
<pre class="literal-block">
void foo( int i )
    precondition
    {
        i &gt; 0;
    }
    try
    {
        // ...
    }
    catch( ... )
    {
    }
</pre>
</li>
</ol>
<p>In case of 2, then the question would be</p>
<ul class="simple">
<li>should the try-block catch exceptions from the pre- and postcondition?</li>
</ul>
</div>
<div class="section" id="are-failure-handler-functions-wrongly-specified">
<h2><a class="toc-backref" href="#id49" name="are-failure-handler-functions-wrongly-specified">3.2&nbsp;&nbsp;&nbsp;Are failure handler functions wrongly specified?</a></h2>
<p>Currently a <a class="reference" href="#failure-handler-functions">failure handler function</a> does not
allow one to</p>
<ol class="arabic simple">
<li>see the context of the broken assertion, or</li>
<li>use other functions than free-standing functions.</li>
</ol>
<p>It might be desirable to change the functions to</p>
<pre class="literal-block">
namespace std
{
    class assertion_context
    {
        contract_context( const char* where, const char* assertion ) throw();
        ~contract_context() throw();
        const char* context() const throw();
    };

    void precondition_broken( const assertion_context&amp; cc );
    // ... etc
}
</pre>
<p>or even</p>
<pre class="literal-block">
namespace std
{
    extern std::function&lt; void ( const assertion_context&amp; ) &gt; precondition_broken;
    // ... etc
}
</pre>
<p>This would hopefully ensure good error-messages.</p>
</div>
<div class="section" id="changes-to-the-standard-library">
<h2><a class="toc-backref" href="#id50" name="changes-to-the-standard-library">3.3&nbsp;&nbsp;&nbsp;Changes to the standard library</a></h2>
<p>We suggest that no required changes should be made to
the standard library. An implementation is free to
implement all standard guarantees in terms of contract
code, but not required to.</p>
<p>Another possibility is to require certain contracts 
(in particular preconditions) to
be used in the standard library. This might be a way 
for the committee to guarantee a safer version of the 
standard library to novices.</p>
</div>
</div>
<div class="section" id="major-changes-from-n1669">
<h1><a class="toc-backref" href="#id51" name="major-changes-from-n1669">4&nbsp;&nbsp;&nbsp;Major changes from <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1669.html">n1669</a></a></h1>
<ol class="arabic">
<li><p class="first">removed loop invariants</p>
</li>
<li><p class="first">reformulated the syntax of <a class="reference" href="#static-assertions">static assertions</a></p>
</li>
<li><p class="first">reformulated the syntax of <a class="reference" href="#runtime-assertions">runtime assertions</a></p>
</li>
<li><p class="first">removed rules demanding assertions to be disabled within assertions</p>
</li>
<li><p class="first">removed rules demanding invariants to be disabled within public functions</p>
</li>
<li><p class="first">changed use of keyword:</p>
<blockquote>
<table border="1" class="docutils">
<colgroup>
<col width="44%" />
<col width="56%" />
</colgroup>
<tbody valign="top">
<tr><td><p class="first last"><strong>before</strong></p>
</td>
<td><p class="first last"><strong>now</strong></p>
</td>
</tr>
<tr><td><p class="first last"><tt class="docutils literal"><span class="pre">std::old()</span></tt></p>
</td>
<td><p class="first last"><tt class="docutils literal"><span class="pre">__old</span></tt></p>
</td>
</tr>
</tbody>
</table>
</blockquote>
</li>
</ol>
</div>
<div class="section" id="list-of-proposals-that-could-affect-or-be-affected-by-this-proposal">
<h1><a class="toc-backref" href="#id52" name="list-of-proposals-that-could-affect-or-be-affected-by-this-proposal">5&nbsp;&nbsp;&nbsp;List of proposals that could affect or be affected by this proposal</a></h1>
<ol class="arabic simple">
<li>static assertions as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1617.html">n1617</a></li>
<li>concepts as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1510.pdf">n1510</a>, <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1522.pdf">n1522</a>, <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1536.pdf">n1536</a> and <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1758.pdf">n1758</a></li>
<li>any proposal that seeks to enhance meta-programming capabilities</li>
<li><tt class="docutils literal"><span class="pre">reading()</span></tt> specifications as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1664.pdf">n1664</a></li>
</ol>
</div>
<div class="section" id="implementability">
<h1><a class="toc-backref" href="#id53" name="implementability">6&nbsp;&nbsp;&nbsp;Implementability</a></h1>
<p>We expect that it will take about 3 man months to implement the proposal without
dedicating any time to optimizations.</p>
</div>
<div class="section" id="list-of-examples">
<h1><a class="toc-backref" href="#id54" name="list-of-examples">7&nbsp;&nbsp;&nbsp;List of examples</a></h1>
<ul class="simple">
<li><a class="reference" href="#vector-example-hpp">vector_example.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a></li>
</ul>
<div class="section" id="vector-example-hpp">
<h2><a class="toc-backref" href="#id55" name="vector-example-hpp">7.1&nbsp;&nbsp;&nbsp;vector_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>///////////////////////////////////////
// Tools
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* for simplicity, let us assume T's can be compared */</span> <span class=special>}</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Size</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>Size</span> <span class=identifier>size</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* internal tagging mechnism so even input iterators can be passed */</span> <span class=special>}</span>

<span class=comment>///////////////////////////////////////
// New vector interface
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Alloc</span> <span class=special>=</span> <span class=identifier>allocator</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;</span> <span class=special>&gt;</span>
<span class=keyword>class</span> <span class=identifier>vector</span> 
<span class=special>{</span>
    <span class=keyword>static</span> <span class=keyword>invariant</span>
    <span class=special>{</span>
        <span class=keyword>static</span> <span class=identifier>is_assignable</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span>         <span class=special>:</span> <span class=string>&quot;value_type must be Assignable&quot;</span> <span class=special>;</span>
        <span class=keyword>static</span> <span class=identifier>is_copy_constructible</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;value_type must be CopyConstructible&quot;</span> <span class=special>;</span>
    <span class=special>}</span>
    
    <span class=keyword>invariant</span>
    <span class=special>{</span>
        <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span> <span class=special>==</span> <span class=identifier>empty</span><span class=special>();</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>rbegin</span><span class=special>(),</span> <span class=identifier>rend</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span>
        <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span>
    <span class=special>}</span>
    
    
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>typedef</span> <span class=identifier>Alloc</span>                             <span class=identifier>allocator_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>pointer</span>           <span class=identifier>pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_pointer</span>     <span class=identifier>const_pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>reference</span>         <span class=identifier>reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_reference</span>   <span class=identifier>const_reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>value_type</span>        <span class=identifier>value_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>const_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>size_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>difference_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>iterator</span><span class=special>&gt;</span>        <span class=identifier>reverse_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>const_iterator</span><span class=special>&gt;</span>  <span class=identifier>const_reverse_iterator</span><span class=special>;</span>

             <span class=identifier>vector</span><span class=special>()</span>                  
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span> 
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}:</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span> <span class=special>}</span>
    
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>reserve</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>count</span><span class=special>;</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>begin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_iterator</span> <span class=identifier>begin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>iterator</span> <span class=identifier>end</span><span class=special>();</span>
             <span class=identifier>const_iterator</span> <span class=identifier>end</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rend</span><span class=special>();</span>
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rend</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 1: with an if</span>
                 <span class=special>{</span> 
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>)</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span><span class=special>,</span> <span class=identifier>T</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 2: with ternary operator</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>__oldsize</span><span class=special>())</span> <span class=special>?</span> 
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span>
                 <span class=special>}</span>
         
             <span class=identifier>size_type</span> <span class=identifier>size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>max_size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=keyword>bool</span> <span class=identifier>empty</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>==</span> <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>Alloc</span> <span class=identifier>get_allocator</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>);</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>

             <span class=identifier>const_reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>front</span><span class=special>();</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>front</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>back</span><span class=special>()</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>back</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>push_back</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>back</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span> 
                                 <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span> 
                                 <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>__old</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>pop_back</span><span class=special>()</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span>
                     <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> 
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                     <span class=special>*</span><span class=keyword>result</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span>  <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>__old</span> <span class=identifier>capacity</span><span class=special>();</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;</span> <span class=identifier>__old</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>__old</span> <span class=identifier>capacity</span><span class=special>();</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>__old</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>__old</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=keyword>static</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span>
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> 
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>__old</span> <span class=identifier>capacity</span><span class=special>();</span>
        
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>__old</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>__old</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> 
                     <span class=identifier>where</span> <span class=special>!=</span> <span class=identifier>end</span><span class=special>();</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>iterator</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>__old</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [first,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>clear</span><span class=special>();</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>swap</span><span class=special>(</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span> 
                     <span class=identifier>__old</span> <span class=special>*</span><span class=keyword>this</span> <span class=special>==</span> <span class=identifier>right</span><span class=special>;</span>
                     <span class=identifier>__old</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span>
                 <span class=special>}</span>
             
<span class=special>};</span> <span class=comment>// class 'vector'</span>
</pre>


</body>
</html>



</div>
<div class="section" id="subcontracting-example-hpp">
<h2><a class="toc-backref" href="#id56" name="subcontracting-example-hpp">7.2&nbsp;&nbsp;&nbsp;subcontracting_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>//
// This example shows how Contract Programming 
// allows one to keep the virtual function public 
// and still enforce the contract of the function
//</span>

<span class=keyword>class</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>virtual</span> <span class=special>~</span><span class=identifier>shape</span><span class=special>()</span> <span class=special>{}</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span> <span class=special>=</span> <span class=number>0</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>&gt;</span> <span class=number>0</span><span class=special>;</span>
        <span class=special>}</span>
<span class=special>};</span>

<span class=keyword>class</span> <span class=identifier>circle</span> <span class=special>:</span> <span class=keyword>public</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>int</span> <span class=identifier>radius</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span>
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>pi</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>()</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>();</span>
        <span class=special>}</span>
<span class=special>};</span>
</pre>


</body>
</html>



</div>
</div>
<div class="section" id="comparison-of-contract-programming-in-d-eiffel-and-c">
<h1><a class="toc-backref" href="#id57" name="comparison-of-contract-programming-in-d-eiffel-and-c">8&nbsp;&nbsp;&nbsp;Comparison of Contract Programming in D, Eiffel and C++</a></h1>
<p>The table below contains a comparison of how Contract
Programming is implemented in D, Eiffel and C++.</p>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="21%" />
<col width="20%" />
<col width="34%" />
</colgroup>
<tbody valign="top">
<tr><td><strong>Feature</strong></td>
<td><strong>ISE Eiffel 5.4</strong></td>
<td><strong>D</strong></td>
<td><strong>C++ Proposal</strong></td>
</tr>
<tr><td><em>keywords</em></td>
<td><tt class="docutils literal"><span class="pre">require</span></tt>, <tt class="docutils literal"><span class="pre">ensure</span></tt>,
<tt class="docutils literal"><span class="pre">do</span></tt>, <tt class="docutils literal"><span class="pre">require</span> <span class="pre">else</span></tt>,
<tt class="docutils literal"><span class="pre">ensure</span> <span class="pre">then</span></tt>, <tt class="docutils literal"><span class="pre">invariant</span></tt>,
<tt class="docutils literal"><span class="pre">old</span></tt>, <tt class="docutils literal"><span class="pre">result</span></tt>,
<tt class="docutils literal"><span class="pre">variant</span></tt></td>
<td><tt class="docutils literal"><span class="pre">in</span></tt>, <tt class="docutils literal"><span class="pre">out</span></tt>, <tt class="docutils literal"><span class="pre">body</span></tt>,
<tt class="docutils literal"><span class="pre">invariant</span></tt>, <tt class="docutils literal"><span class="pre">assert</span></tt>,
<tt class="docutils literal"><span class="pre">static</span></tt></td>
<td><tt class="docutils literal"><span class="pre">precondition</span></tt>,
<tt class="docutils literal"><span class="pre">postcondition</span></tt>,
<tt class="docutils literal"><span class="pre">invariant</span></tt>, <tt class="docutils literal"><span class="pre">static</span></tt></td>
</tr>
<tr><td><em>on failure</em></td>
<td>throws exception</td>
<td>throws exception</td>
<td>defaults to <tt class="docutils literal"><span class="pre">terminate()</span></tt>,
defaults can be customized,
might throw</td>
</tr>
<tr><td><em>expression copying in postconditions</em></td>
<td>yes, <tt class="docutils literal"><span class="pre">old</span></tt> keyword</td>
<td>no</td>
<td>yes, <tt class="docutils literal"><span class="pre">__old</span></tt> keyword</td>
</tr>
<tr><td><em>subcontracting</em></td>
<td>yes</td>
<td>yes</td>
<td>yes, but only considers
postconditions</td>
</tr>
<tr><td><em>contracts on abstract functions</em></td>
<td>yes</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>arbitrary code contracts</em></td>
<td>yes</td>
<td>yes</td>
<td>no, must be const correct</td>
</tr>
<tr><td><em>function code ordering</em></td>
<td>pre -&gt; body -&gt; post</td>
<td>pre -&gt; post -&gt; body</td>
<td>pre -&gt; post -&gt; body</td>
</tr>
<tr><td><em>compile-time assertions</em></td>
<td>no</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr><td><em>loop invariants</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>loop variants</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>const-correct</em></td>
<td>no</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>invariant calls</em></td>
<td><ul class="first last simple">
<li>end of &quot;constructor&quot;</li>
<li>around public functions</li>
</ul>
</td>
<td><ul class="first last simple">
<li>end of constructor</li>
<li>around public functions</li>
<li>start of destructor</li>
</ul>
</td>
<td><ul class="first last simple">
<li>as in D</li>
<li>when a function exits due to an exception</li>
</ul>
</td>
</tr>
<tr><td><em>disabling of checks during assertions</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>when public func. call public func.</em></td>
<td>disable all checks</td>
<td>disable nothing</td>
<td>disable nothing</td>
</tr>
<tr><td><em>removable from object code</em></td>
<td>yes</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="acknowledgements">
<h1><a class="toc-backref" href="#id58" name="acknowledgements">9&nbsp;&nbsp;&nbsp;Acknowledgements</a></h1>
<p>The following people has been provided feedback and comments throughout the proposals
history: Reece Dunn, Douglas Gregor, Alf Steinbach, Matthew Wilson, 
Berend de Boer, Darren Cook, Pavel Vozenilek, Scott Meyers, Attila Fehér, Walter Bright,
Per Madsen, Kevlin Henney, Sergey Vlasov, Bob Bell, John Nagle, Daveed Vandevoorde,
Jaakko Jarvi, Christopher Diggins, John Torjo, Robert Kawulak, Dave Harris, Michael Wong, 
Thomas Witt and Tim Rowe.</p>
<!-- ############################################### -->
<!-- ################## Links ###################### -->
<!-- ############################################### -->
</div>
<div class="section" id="footnotes">
<h1><a class="toc-backref" href="#id59" name="footnotes">10&nbsp;&nbsp;&nbsp;Footnotes</a></h1>
<!-- ############################################### -->
<!-- ################## Footnotes ################## -->
<!-- ############################################### -->
<table class="docutils footnote" frame="void" id="id21" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id1" name="id21">[0]</a></td><td>Today, a lot of redundancy is involved in maintaining documentation
and implementation separately. With this proposal a large amount
of comments can be made into code ensuring the documentation
stays updated and ensuring zero redundancy.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id22" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id2" name="id22">[1]</a></td><td>For example, if the compiler can determine that a precondition is satisfied,
it can call a function where the precondition is not checked. Also, the 
compiler can always assume contracts to be true; hence the compiler can take
advantage of the precondition in the function body.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id23" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id3" name="id23">[2]</a></td><td>Testing consists mainly of verifying that the functions' contracts
are actually fulfilled. With language support for Contract Programming,
the contracts are made explicit and hence it becomes easier to see what
to test. Furthermore, when testability is hard, the contracts
themselves provide an effective runtime test.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id24" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id4" name="id24">[3]</a></td><td>Errors often happen when people have to communicate. With language
support for Contract Programming there is less need for an informal
specification language and hence less room for errors. For example,
it should no longer be necessary to translate manually the 
specifications from the &quot;designer language&quot; to the &quot;programmer language&quot;.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id25" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id5" name="id25">[4]</a></td><td><p class="first">Even experienced programmers can choke on the word &quot;invariant&quot; and what it
means for a class to have one. There are a few simple rules we want  
all programmers to learn:</p>
<ol class="last arabic simple">
<li>that classes can have invariants and that subclasses have stronger or equally strong invariants,</li>
<li>that functions have pre- and postconditions: the implementer has as his obligation to fulfill the 
postcondition assuming the precondition holds; the user has as his obligation to fulfill the precondition
and receives the benefits of the postcondition in return,</li>
<li>that public functions cannot break the class invariant.</li>
</ol>
</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id26" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id6" name="id26">[5]</a></td><td>Static analysis tools (the compiler's optimizer included) might
be able to start their analysis at a higher level than usual. 
For example, instead of an analysis of the ins and outs of <tt class="docutils literal"><span class="pre">std::vector&lt;T&gt;</span></tt>,
then the tool might start its analysis with the definition of the
invariant of <tt class="docutils literal"><span class="pre">std::vector&lt;T&gt;</span></tt>.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id27" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id7" name="id27">[6]</a></td><td>Security has been and is a big problem with C (and to a much lesser extend C++)
library functions. This insecurity is
tightly coupled to the fact that function preconditions
are violated and/or that function postconditions are misunderstood.
By making the contract aspects of programming more explicit,
we can improve the situation.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id28" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id10" name="id28">[7]</a></td><td>A good compiler will emit warnings whenever a mutation is detected within a contract. This is 
a major advantage compared to the ad hoc solutions programmers use today; there is no special
scope and hence no way the compiler can emit those warnings.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id29" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id14" name="id29">[8]</a></td><td>A weaker precondition can be taken advantage of if we know the particular type
of the object. If weaker preconditions should be allowed, then there exists two
alternatives: to allow reuse of an existing contract or to require a complete
redefinition. The former favours expressiveness, the latter favours
overview.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id30" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id15" name="id30">[9]</a></td><td>In some cases the compiler will be able to determine overlapping expression and hence
optimize some assertions away.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id31" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id17" name="id31">[10]</a></td><td>To ensure that the function gives the basic guarantee of exception-safety.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id32" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id18" name="id32">[11]</a></td><td>One can imagine an approach where exceptions could escape from an invariant by not checking
invariants when functions exit via an exception. The benefits of such an approach are not
obvious and it will complicate flow analysis unnecessarily.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id33" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id19" name="id33">[12]</a></td><td>During construction means until the post-condition of the constructor has ended.</td></tr>
</tbody>
</table>
</div>
</div>
</body>
</html>
