<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.3.9: http://docutils.sourceforge.net/" />
<title>Proposal to add Contract Programming to C++ (revision 3)</title>
<meta name="author" content="Lawrence Crowl and Thorsten Ottosen" />
<meta name="organization" content="Sun Microsystems and Dezide Aps" />
<meta name="date" content="2005-08-24" />
<style type="text/css">

/*
:Author: David Goodger
:Contact: goodger@users.sourceforge.net
:date: $Date: 2004/01/12 02:49:54 $
:version: $Revision: 1.2 $
:copyright: This stylesheet has been placed in the public domain.

Default cascading style sheet for the HTML output of Docutils.
*/

.first {
  margin-top: 0 }

.last {
  margin-bottom: 0 }

a.toc-backref {
  text-decoration: none ;
  color: black }

dd {
  margin-bottom: 0.5em }

div.abstract {
  margin: 2em 5em }

div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }

div.attention, div.caution, div.danger, div.error, div.hint,
div.important, div.note, div.tip, div.warning, div.admonition {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }

div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }

div.hint p.admonition-title, div.important p.admonition-title,
div.note p.admonition-title, div.tip p.admonition-title,
div.admonition p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }

div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }

div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }

div.figure {
  margin-left: 2em }

div.footer, div.header {
  font-size: smaller }

div.sidebar {
  margin-left: 1em ;
  border: medium outset ;
  padding: 0em 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right ;
  clear: right }

div.sidebar p.rubric {
  font-family: sans-serif ;
  font-size: medium }

div.system-messages {
  margin: 5em }

div.system-messages h1 {
  color: red }

div.system-message {
  border: medium outset ;
  padding: 1em }

div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }

div.topic {
  margin: 2em }

h1.title {
  text-align: center }

h2.subtitle {
  text-align: center }

hr {
  width: 75% }

ol.simple, ul.simple {
  margin-bottom: 1em }

ol.arabic {
  list-style: decimal }

ol.loweralpha {
  list-style: lower-alpha }

ol.upperalpha {
  list-style: upper-alpha }

ol.lowerroman {
  list-style: lower-roman }

ol.upperroman {
  list-style: upper-roman }

p.attribution {
  text-align: right ;
  margin-left: 50% }

p.caption {
  font-style: italic }

p.credits {
  font-style: italic ;
  font-size: smaller }

p.label {
  white-space: nowrap }

p.rubric {
  font-weight: bold ;
  font-size: larger ;
  color: maroon ;
  text-align: center }

p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }

p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }

p.topic-title {
  font-weight: bold }

pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font-family: serif ;
  font-size: 100% }

pre.line-block {
  font-family: serif ;
  font-size: 100% }

pre.literal-block, pre.doctest-block {
  margin-left: 2em ;
  margin-right: 2em ;
  background-color: #eeeeee }

span.classifier {
  font-family: sans-serif ;
  font-style: oblique }

span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }

span.interpreted {
  font-family: sans-serif }

span.option {
  white-space: nowrap }

span.option-argument {
  font-style: italic }

span.pre {
  white-space: pre }

span.problematic {
  color: red }

table {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }

table.citation {
  border-left: solid thin gray ;
  padding-left: 0.5ex }

table.docinfo {
  margin: 2em 4em }

table.footnote {
  border-left: solid thin black ;
  padding-left: 0.5ex }

td, th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }

th.docinfo-name, th.field-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap }

h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
  font-size: 100% }

tt {
  background-color: #eeeeee }

ul.auto-toc {
  list-style-type: none }
  
pre{
  BORDER-RIGHT: gray 1pt solid;
  PADDING-RIGHT: 2pt;
  BORDER-TOP: gray 1pt solid;
  DISPLAY: block;
  PADDING-LEFT: 2pt;
  PADDING-BOTTOM: 2pt;
  BORDER-LEFT: gray 1pt solid;
  MARGIN-RIGHT: 32pt;
  PADDING-TOP: 2pt;
  BORDER-BOTTOM: gray 1pt solid;
  FONT-FAMILY: "Courier New", Courier, mono; 
  background-color: #EEEEEE; 
}


.keyword{color: #0000FF;}
.identifier{}
.comment{font-style: italic; color: #008000;}
.special{color: #800040;}
.preprocessor{color: #3F007F;}
.string{font-style: italic; color: #666666;}
.literal{/*font-style: italic;*/ color: #000000;}

</style>
</head>
<body>
<div class="document" id="proposal-to-add-contract-programming-to-c-revision-3">
<h1 class="title">Proposal to add Contract Programming to C++ (revision 3)</h1>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr><th class="docinfo-name">Author:</th>
<td>Lawrence Crowl and Thorsten Ottosen</td></tr>
<tr><th class="docinfo-name">Contact:</th>
<td><a class="first reference" href="mailto:lawrence.crowl&#64;sun.com">lawrence.crowl&#64;sun.com</a> and <a class="last reference" href="mailto:nesotto&#64;cs.aau.dk">nesotto&#64;cs.aau.dk</a></td></tr>
<tr><th class="docinfo-name">Organization:</th>
<td>Sun Microsystems and Dezide Aps</td></tr>
<tr><th class="docinfo-name">Date:</th>
<td>2005-08-24</td></tr>
<tr class="field"><th class="docinfo-name">Number:</th><td class="field-body">WG21/N1866 and J16/05-0126. This proposal is a
revision of paper <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1773.html">n1773</a>.</td>
</tr>
<tr class="field"><th class="docinfo-name">Working Group:</th><td class="field-body">Evolution</td>
</tr>
</tbody>
</table>
<div class="abstract topic">
<p class="topic-title first">Abstract</p>
<p>Contract Programming is about providing the programmer with stronger tools 
for expressing correctness arguments directly in the source code. Moreover, the
contracts enable new and powerful optimization opportunities. 
This proposal describes a small assertion sub-language 
that unifies compile-time and run-time assertions.
The benefits 
are among others a higher degree of self-documenting source code,
better design tools, 
and easier debugging and testing.</p>
</div>
<div class="contents topic" id="table-of-contents">
<p class="topic-title first"><a name="table-of-contents">Table of Contents</a></p>
<ul class="auto-toc simple">
<li><a class="reference" href="#motivation" id="id23" name="id23">1&nbsp;&nbsp;&nbsp;Motivation</a></li>
<li><a class="reference" href="#the-proposal" id="id24" name="id24">2&nbsp;&nbsp;&nbsp;The proposal</a><ul class="auto-toc">
<li><a class="reference" href="#assertions" id="id25" name="id25">2.1&nbsp;&nbsp;&nbsp;Assertions</a><ul class="auto-toc">
<li><a class="reference" href="#static-assertions" id="id26" name="id26">2.1.1&nbsp;&nbsp;&nbsp;Static assertions</a></li>
<li><a class="reference" href="#runtime-assertions" id="id27" name="id27">2.1.2&nbsp;&nbsp;&nbsp;Runtime assertions</a></li>
</ul>
</li>
<li><a class="reference" href="#function-pre-and-postconditions" id="id28" name="id28">2.2&nbsp;&nbsp;&nbsp;Function pre- and postconditions</a><ul class="auto-toc">
<li><a class="reference" href="#virtual-functions" id="id29" name="id29">2.2.1&nbsp;&nbsp;&nbsp;Virtual functions</a></li>
<li><a class="reference" href="#constructors" id="id30" name="id30">2.2.2&nbsp;&nbsp;&nbsp;Constructors</a></li>
<li><a class="reference" href="#function-pointers" id="id31" name="id31">2.2.3&nbsp;&nbsp;&nbsp;Function pointers</a></li>
</ul>
</li>
<li><a class="reference" href="#keyword-oldof" id="id32" name="id32">2.3&nbsp;&nbsp;&nbsp;Keyword <tt class="docutils literal"><span class="pre">oldof</span></tt></a></li>
<li><a class="reference" href="#class-invariants" id="id33" name="id33">2.4&nbsp;&nbsp;&nbsp;Class invariants</a></li>
<li><a class="reference" href="#namespace-invariants" id="id34" name="id34">2.5&nbsp;&nbsp;&nbsp;Namespace invariants</a></li>
<li><a class="reference" href="#failure-handler-functions" id="id35" name="id35">2.6&nbsp;&nbsp;&nbsp;Failure handler functions</a></li>
<li><a class="reference" href="#changes-to-the-standard-library" id="id36" name="id36">2.7&nbsp;&nbsp;&nbsp;Changes to the standard library</a></li>
</ul>
</li>
<li><a class="reference" href="#contracts-for-performance" id="id37" name="id37">3&nbsp;&nbsp;&nbsp;Contracts for performance</a><ul class="auto-toc">
<li><a class="reference" href="#assert-is-evaluated-within-the-library" id="id38" name="id38">3.1&nbsp;&nbsp;&nbsp;<tt class="docutils literal"><span class="pre">assert()</span></tt> is evaluated within the library</a></li>
<li><a class="reference" href="#assert-fails-to-distinguish-between-checking-arguments-and-validating-computations" id="id39" name="id39">3.2&nbsp;&nbsp;&nbsp;<tt class="docutils literal"><span class="pre">assert()</span></tt> fails to distinguish between checking arguments and validating computations</a></li>
<li><a class="reference" href="#assert-is-indistinguishable-from-regular-code" id="id40" name="id40">3.3&nbsp;&nbsp;&nbsp;<tt class="docutils literal"><span class="pre">assert()</span></tt> is indistinguishable from regular code</a></li>
</ul>
</li>
<li><a class="reference" href="#implementation-model-for-contracts" id="id41" name="id41">4&nbsp;&nbsp;&nbsp;Implementation model for contracts</a></li>
<li><a class="reference" href="#open-issues" id="id42" name="id42">5&nbsp;&nbsp;&nbsp;Open issues</a><ul class="auto-toc">
<li><a class="reference" href="#are-failure-handler-functions-wrongly-specified" id="id43" name="id43">5.1&nbsp;&nbsp;&nbsp;Are failure handler functions wrongly specified?</a></li>
</ul>
</li>
<li><a class="reference" href="#major-changes-from-n1773" id="id44" name="id44">6&nbsp;&nbsp;&nbsp;Major changes from n1773</a></li>
<li><a class="reference" href="#list-of-proposals-that-could-be-affected-by-this-proposal" id="id45" name="id45">7&nbsp;&nbsp;&nbsp;List of proposals that could be affected by this proposal</a></li>
<li><a class="reference" href="#implementability" id="id46" name="id46">8&nbsp;&nbsp;&nbsp;Implementability</a></li>
<li><a class="reference" href="#alternative-syntax" id="id47" name="id47">9&nbsp;&nbsp;&nbsp;Alternative syntax</a></li>
<li><a class="reference" href="#list-of-examples" id="id48" name="id48">10&nbsp;&nbsp;&nbsp;List of examples</a><ul class="auto-toc">
<li><a class="reference" href="#vector-example-hpp" id="id49" name="id49">10.1&nbsp;&nbsp;&nbsp;vector_example.hpp</a></li>
<li><a class="reference" href="#vector-example-alternative-syntax-hpp" id="id50" name="id50">10.2&nbsp;&nbsp;&nbsp;vector_example_alternative_syntax.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp" id="id51" name="id51">10.3&nbsp;&nbsp;&nbsp;subcontracting_example.hpp</a></li>
</ul>
</li>
<li><a class="reference" href="#comparison-of-contract-programming-in-d-eiffel-and-c" id="id52" name="id52">11&nbsp;&nbsp;&nbsp;Comparison of Contract Programming in D, Eiffel and C++</a></li>
<li><a class="reference" href="#acknowledgements" id="id53" name="id53">12&nbsp;&nbsp;&nbsp;Acknowledgements</a></li>
<li><a class="reference" href="#footnotes" id="id54" name="id54">13&nbsp;&nbsp;&nbsp;Footnotes</a></li>
</ul>
</div>
<div class="section" id="motivation">
<h1><a class="toc-backref" href="#id23" name="motivation">1&nbsp;&nbsp;&nbsp;Motivation</a></h1>
<p>Language support for Contract Programming has several benefits:</p>
<ol class="arabic simple">
<li>It can remove the need for separation of documentation and implementation.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>It can enable the compiler to generate faster code <a class="footnote-reference" href="#id15" id="id1" name="id1">[0]</a>
(see also <a class="reference" href="#contracts-for-performance">Contracts for performance</a>).</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>It can make debugging and testing much easier.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="4">
<li>It can improve communication between designers and programmers in large C++ projects.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="5">
<li>It can make inheritance easier to use correctly (see <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a> ).</li>
</ol>
<!--  -->
<ol class="arabic simple" start="6">
<li>It can ensure that every programmer understands the contract metaphors <a class="footnote-reference" href="#id16" id="id2" name="id2">[1]</a> .</li>
</ol>
<!--  -->
<ol class="arabic simple" start="7">
<li>It can enable more powerful static analysis tools.</li>
</ol>
<p>Please refer to <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1800.pdf">n1800</a> and <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> for an extensive discussion of these benefits.</p>
<p>Already with the current proposal, it is quite remarkable how much
of an interface that can be documented. For a good example, please
see how <tt class="docutils literal"><span class="pre">std::vector</span></tt> is declared in <a class="reference" href="#vector-example-hpp">vector_example.hpp</a>; there is only a small
portion of the specification of <tt class="docutils literal"><span class="pre">std::vector</span></tt> that cannot be described in the 
contracts.</p>
</div>
<div class="section" id="the-proposal">
<h1><a class="toc-backref" href="#id24" name="the-proposal">2&nbsp;&nbsp;&nbsp;The proposal</a></h1>
<p>The idea is to extend C++</p>
<ul class="simple">
<li>function declarations with <a class="reference" href="#functionx">pre- and postconditions</a>,</li>
</ul>
<!--  -->
<ul class="simple">
<li>class declarations with <a class="reference" href="#class-invariants">class invariants</a>,</li>
</ul>
<!--  -->
<ul class="simple">
<li>namespace declarations and function scope with <a class="reference" href="#namespace-invariants">namespace invariants</a>.</li>
</ul>
<p>These new <em>contract scopes</em> can contain <a class="reference" href="#assertions">assertions</a> that
may be evaluated either at compiler-time or at
run-time as part of the program to verify their correctness.</p>
<div class="section" id="assertions">
<h2><a class="toc-backref" href="#id25" name="assertions">2.1&nbsp;&nbsp;&nbsp;Assertions</a></h2>
<p>The basic building blocks of contracts are 
<em>assertions</em>. Assertions come in two categories:</p>
<ul class="simple">
<li><a class="reference" href="#static-assertions">static assertions</a></li>
</ul>
<!--  -->
<ul class="simple">
<li><a class="reference" href="#runtime-assertions">runtime assertions</a></li>
</ul>
<div class="section" id="static-assertions">
<h3><a class="toc-backref" href="#id26" name="static-assertions">2.1.1&nbsp;&nbsp;&nbsp;Static assertions</a></h3>
<p>There are two flavors of <em>static</em> assertions:</p>
<ol class="arabic">
<li><p class="first"><em>default</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax: </dt>
<dd><ol class="first last arabic simple">
<li><em>static-assertion</em>:  <em>constant-expression</em> <tt class="docutils literal"><span class="pre">:</span></tt> <em>string-literal</em> <tt class="docutils literal"><span class="pre">;</span></tt></li>
</ol>
</dd>
<dt>example: </dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">is_pod&lt;T&gt;::value</span> <span class="pre">:</span> <span class="pre">&quot;T</span> <span class="pre">must</span> <span class="pre">model</span> <span class="pre">a</span> <span class="pre">POD&quot;;</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>select</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>static-assertion-sequence</em>:</li>
<li><em>static-assertion-sequence</em>: <em>static-assertion-sequence</em> <em>static-assertion</em></li>
<li><em>static-body</em>: <em>static-assertion</em></li>
<li><em>static-body</em>: <tt class="docutils literal"><span class="pre">{</span></tt> <em>static-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>static-if-assertion</em> : <tt class="docutils literal"><span class="pre">if(</span></tt> <em>constant-expression</em> <tt class="docutils literal"><span class="pre">)</span></tt> <em>static-body</em> <em>static-else-assertion</em> <sub>opt</sub></li>
<li><em>static-else-assertion</em> : <tt class="docutils literal"><span class="pre">else</span></tt> <em>static-body</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><dl class="first last docutils">
<dt><tt class="docutils literal"><span class="pre">if(</span> <span class="pre">is_pod&lt;T&gt;::value</span> <span class="pre">)</span></tt></dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">sizeof(</span> <span class="pre">T</span> <span class="pre">)</span> <span class="pre">&lt;=</span> <span class="pre">sizeof(</span> <span class="pre">long</span> <span class="pre">)</span> <span class="pre">:</span> <span class="pre">&quot;Only</span> <span class="pre">PODs</span> <span class="pre">smaller</span> <span class="pre">than</span> <span class="pre">long</span> <span class="pre">supported&quot;;</span></tt></p>
</dd>
</dl>
</dd>
</dl>
</blockquote>
</li>
</ol>
<p>The <em>contant-expression</em> is implicitly converted to <tt class="docutils literal"><span class="pre">bool</span></tt>.</p>
<p>The static assertions are exactly like the ones described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1617.html">n1617</a>. The 
main difference is that we</p>
<!-- 1. reuse the keyword ``static`` instead of adding a new one,  -->
<!--  -->
<ol class="arabic simple">
<li>confine the scope of the static assertion to contract scope, and</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>allow compile-time select statements to avoid duplication of conditions.</li>
</ol>
</div>
<div class="section" id="runtime-assertions">
<h3><a class="toc-backref" href="#id27" name="runtime-assertions">2.1.2&nbsp;&nbsp;&nbsp;Runtime assertions</a></h3>
<p>There are two flavors of <em>runtime</em> assertions:</p>
<ol class="arabic">
<li><p class="first"><em>default</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>runtime-assertion</em> : <em>boolean-expression</em> <em>importance-ordering</em> <sub>opt</sub> <tt class="docutils literal"><span class="pre">;</span></tt></li>
<li><em>importance-ordering</em> : <tt class="docutils literal"><span class="pre">:</span></tt> <em>integer-constant</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">std::cout.good();</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>select</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>runtime-assertion-sequence</em> :</li>
<li><em>runtime-assertion-sequence</em> : <em>runtime-assertion-sequence</em> <em>runtime-assertion</em></li>
<li><em>runtime-body</em> : <em>runtime-assertion</em></li>
<li><em>runtime-body</em> : <tt class="docutils literal"><span class="pre">{</span></tt> <em>runtime-assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>runtime-if-assertion</em> : <tt class="docutils literal"><span class="pre">if(</span></tt> <em>condition</em> <tt class="docutils literal"><span class="pre">)</span></tt> <em>runtime-body</em> <em>runtime-else-assertion</em> <sub>opt</sub></li>
<li><em>runtime-else-assertion</em> : <tt class="docutils literal"><span class="pre">else</span></tt> <em>runtime-body</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><dl class="first last docutils">
<dt><tt class="docutils literal"><span class="pre">if(</span> <span class="pre">empty()</span> <span class="pre">)</span></tt> </dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">result</span> <span class="pre">==</span> <span class="pre">end();</span></tt></p>
</dd>
</dl>
</dd>
</dl>
</blockquote>
</li>
</ol>
<p>The following general points are worth noting:</p>
<ol class="arabic">
<li><p class="first">Default assertions defaults to calling <tt class="docutils literal"><span class="pre">terminate()</span></tt>, but the behavior can be <a class="reference" href="#failure-handler-functions">customized</a>.</p>
<blockquote>
</blockquote>
</li>
<li><p class="first">The select assertions remove the need for the implication operator that was discussed in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a>.</p>
</li>
<li><p class="first">The syntactic freedom has been kept minimal to ensure a good documentation effect.</p>
</li>
<li><p class="first">All visible functions and variables can be used within contract scope.</p>
</li>
<li><p class="first">Member reference within constract scope is subject to the same constraints as member reference within <tt class="docutils literal"><span class="pre">const</span></tt> member functions.</p>
</li>
</ol>
<!-- Wrt. constness, then contract scope behaves as if it was a const member function [2]_. -->
<ol class="arabic simple" start="6">
<li>If the compiler can determine that the condition of an assertion is true, it may choose not to evaluate 
that assertion.</li>
</ol>
<!-- James have alternative wording  -->
<!--  -->
<ol class="arabic simple" start="7">
<li>If the compiler can determine that the condition of an assertion is false, it may choose 
to call the <a class="reference" href="#failure-handler-functions">broken contract handler</a> or call the action without evaluating that condition.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="8">
<li>Importance ordering allows users to specify multiple levels of assertions.
The higher an integer, the more crucial it is to keep an assertion in the
object code.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="9">
<li>The default importance ordering is <tt class="docutils literal"><span class="pre">0</span></tt> and is in effect
when no integer is specified.</li>
</ol>
<p>It is possible to mix static and runtime assertions. In that case talk about
assertion sequences:</p>
<blockquote>
<ol class="arabic simple">
<li><em>assertion-sequence</em> :</li>
<li><em>assertion-sequence</em> : <em>assertion-sequence</em> <em>static-assertion-sequence</em></li>
<li><em>assertion-sequence</em> : <em>assertion-sequence</em> <em>runtime-assertion-sequence</em></li>
</ol>
</blockquote>
</div>
</div>
<span id="functionx"></span><span id="function"></span><div class="section" id="function-pre-and-postconditions">
<h2><a class="toc-backref" href="#id28" name="function-pre-and-postconditions">2.2&nbsp;&nbsp;&nbsp;Function pre- and postconditions</a></h2>
<p>The function declaration and definition
are changed into:</p>
<blockquote>
<blockquote>
<ol class="arabic simple">
<li><em>precontracted-function</em> : <em>function-head</em></li>
<li><em>precontracted-function</em> : <em>function-head</em> <em>precondition-contract</em></li>
<li><em>postcontracted-function</em> : <em>precontracted-function</em></li>
<li><em>postcontracted-function</em> : <em>precontracted-function</em> <em>postcondition-contract</em></li>
<li><em>function-declaration</em> : <em>postcontracted-function</em> <tt class="docutils literal"><span class="pre">;</span></tt></li>
<li><em>function-definition</em> : <em>postcontracted-function</em> <tt class="docutils literal"><span class="pre">{</span></tt> <em>function-body</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>precondition-contract</em> : <tt class="docutils literal"><span class="pre">precondition</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>postcondition-contract</em> : <tt class="docutils literal"><span class="pre">postcondition</span></tt> <em>return-value-declaration</em><sub>opt</sub> <tt class="docutils literal"><span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>return-value-declaration</em>: <tt class="docutils literal"><span class="pre">(</span></tt> <em>identifier</em> <tt class="docutils literal"><span class="pre">)</span></tt></li>
</ol>
</blockquote>
<p>example:</p>
<pre class="literal-block">
double sqrt( double r )
    precondition
    {
        r &gt; 0.;
    }
    postcondition( result )
    {
        equal_within_precision( result * result, r );
    }
</pre>
</blockquote>
<p>In the <em>return-value-declaration</em> we declare a local variable that acts as a <tt class="docutils literal"><span class="pre">const</span></tt> reference to the computed 
return value. It follows that a <em>return-value-declaration</em> is illegal if the return type is <tt class="docutils literal"><span class="pre">void</span></tt>.</p>
<p>The following general rules apply:</p>
<ol class="arabic">
<li><p class="first">If a function has both a declaration and a definition, the contracts must appear on the declaration.</p>
</li>
<li><p class="first"><span class="target" id="the-execution-of-a-function">The execution of a function</span> is now</p>
<blockquote>
<ol class="loweralpha simple">
<li>evaluate the precondition assertion by assertion in order starting from the top,</li>
<li>evaluate <tt class="docutils literal"><span class="pre">oldof</span></tt> occurrences in the postcondition,</li>
<li>evaluate the function body,</li>
<li>evaluate the postcondition assertion by assertion in order starting from the top.</li>
</ol>
</blockquote>
</li>
<li><p class="first">The execution of a member function is now as in 2, but</p>
<blockquote>
<ol class="loweralpha">
<li><p class="first"><tt class="docutils literal"><span class="pre">2.a</span></tt> is <em>preceded</em> by a call to the <a class="reference" href="#class-invariants">class invariant</a>,</p>
</li>
<li><p class="first"><tt class="docutils literal"><span class="pre">2.d</span></tt> is <em>preceded</em> by a call to the class invariant,</p>
<blockquote>
<ul class="simple">
<li>rationale: the contracts might call public functions in the class which require the invariant to be established.</li>
</ul>
</blockquote>
</li>
</ol>
</blockquote>
</li>
<li><p class="first">Function-try-blocks can appear together with pre- and postconditions on function
definitions.</p>
</li>
<li><p class="first">Pre- and postconditions are evaluated outside any function-try-block.</p>
</li>
</ol>
<ol class="arabic simple" start="6">
<li>During execution of the postcondition other contracts (recursively encountered) are <em>not</em> evaluated.</li>
</ol>
<div class="section" id="virtual-functions">
<h3><a class="toc-backref" href="#id29" name="virtual-functions">2.2.1&nbsp;&nbsp;&nbsp;Virtual functions</a></h3>
<p>If the function <tt class="docutils literal"><span class="pre">F</span></tt> is virtual, we require that</p>
<ol class="arabic simple">
<li>only the first declaration/definition of <tt class="docutils literal"><span class="pre">F</span></tt> can have a precondition.</li>
</ol>
<p>Section <tt class="docutils literal"><span class="pre">3.5</span></tt> of <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> explains how little redefinition of preconditions is used. Even though
subcontracting is theoretically sound, it ends up being fairly useless in practice <a class="footnote-reference" href="#id18" id="id7" name="id7">[3]</a>.</p>
<p>Postconditions can be made stronger in a derived class as seen in the <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a>.
We can summarize the remaining rules for virtual functions as</p>
<ol class="arabic simple" start="2">
<li>pure virtual functions can have contracts,</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>postconditions from a function in a base class and the overridden version in a derived class
are <em>AND</em>ed together <a class="footnote-reference" href="#id19" id="id8" name="id8">[4]</a>.</li>
</ol>
<p>The last rule ensures that the function in the derived class has a stronger postcondition <em>by design</em>.
A programmer can via a downcast obtain the stronger guarantee, but the runtime check must still
follow rule 3 above.</p>
<p>In connection with multiple inheritance we require special rules.
if <tt class="docutils literal"><span class="pre">F</span></tt> overrides more than one virtual function due to multiple inheritance,
it holds that</p>
<ol class="arabic simple" start="4">
<li>the precondition on <tt class="docutils literal"><span class="pre">F</span></tt> is an <em>OR</em>ing of the preconditions of all the
functions <tt class="docutils literal"><span class="pre">F</span></tt> override,</li>
</ol>
<!--  -->
<ol class="arabic simple" start="5">
<li>the postcondition on <tt class="docutils literal"><span class="pre">F</span></tt> is an <em>AND</em>ing of (1) the postconditions of all the
functions <tt class="docutils literal"><span class="pre">F</span></tt> override and (2) <tt class="docutils literal"><span class="pre">F</span></tt>'s own postcondition.</li>
</ol>
</div>
<div class="section" id="constructors">
<h3><a class="toc-backref" href="#id30" name="constructors">2.2.2&nbsp;&nbsp;&nbsp;Constructors</a></h3>
<p>Constructors behave much like member functions. This means that a constructor
can have a precondition and a postcondition.</p>
</div>
<div class="section" id="function-pointers">
<h3><a class="toc-backref" href="#id31" name="function-pointers">2.2.3&nbsp;&nbsp;&nbsp;Function pointers</a></h3>
<p>If the address of a function is taken, it holds that</p>
<ol class="arabic simple">
<li>the precondition is evaluated before the function body when the function is called 
through the function pointer.</li>
</ol>
<p>Remark: A compiler might be able to determine that the precondition is satisfied, in that case
the compiler may generate a call directly to the function body 
(thus sharing implementation with the function pointer call).</p>
</div>
</div>
<div class="section" id="keyword-oldof">
<h2><a class="toc-backref" href="#id32" name="keyword-oldof">2.3&nbsp;&nbsp;&nbsp;Keyword <tt class="docutils literal docutils literal"><span class="pre">oldof</span></tt></a></h2>
<p>It is very useful to be able to take a copy of a variable to compare
it with other values later. In particular, this is true in <a class="reference" href="#function">function postconditions</a>.</p>
<p>Assume <tt class="docutils literal"><span class="pre">i</span></tt> is a visible <tt class="docutils literal"><span class="pre">int</span></tt>, then the compiler translates</p>
<pre class="literal-block">
{
    oldof i == 42;
}
</pre>
<p>into</p>
<pre class="literal-block">
{
    const int __old_i( i );
    __old_i == 42;
}
</pre>
<p>A set of rules govern how <tt class="docutils literal"><span class="pre">oldof</span></tt> behaves within a certain contract:</p>
<ol class="arabic simple">
<li>If it is applied to the same expression <em>n</em> times, that expression need only be
evaluated once and only one copy need to be stored.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>The copy of its argument is taken <em>after</em> the precondition is evaluated.</li>
</ol>
<p>The precondition should be evaluated first to allow it to report its errors first.
Notice that we can only apply <tt class="docutils literal"><span class="pre">oldof</span></tt> to objects of a type that defines a copy-constructor 
taking a <tt class="docutils literal"><span class="pre">const</span></tt> reference (ie., <tt class="docutils literal"><span class="pre">std::auto_ptr</span></tt> cannot be used).</p>
</div>
<div class="section" id="class-invariants">
<h2><a class="toc-backref" href="#id33" name="class-invariants">2.4&nbsp;&nbsp;&nbsp;Class invariants</a></h2>
<p>Within class scope it is possible to define a class invariant:</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>class-invariant</em> : <tt class="docutils literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
</ol>
</dd>
<dt>example: </dt>
<dd>see <a class="reference" href="#vector-example-hpp">vector_example.hpp</a></dd>
</dl>
</blockquote>
<p>The class invariant has the following properties:</p>
<ol class="arabic">
<li><p class="first">It must appear in the declaration of a class.</p>
</li>
<li><p class="first">It is inherited in the sense that the invariant of a derived class <em>implicitly</em> will have the base-class invariant(s)
<em>AND</em>ed to it (see also item 6-7).</p>
<blockquote>
<p>example:</p>
<pre class="literal-block">
struct base { invariant { ... } };
struct derived : base
{
    invariant
    {
        base::invariant(); // implicitly generated
        ...
    }
};
</pre>
<p>(Remark: the above is pseudo-code and is <em>not</em> affected by the disabling of assertions within assertions.)</p>
</blockquote>
</li>
<li><p class="first">It can always be called from within or outside the class as if it was a member function with the declaration <tt class="docutils literal"><span class="pre">void</span> <span class="pre">invariant()</span> <span class="pre">const;</span></tt>.</p>
</li>
<li><p class="first">It is called <em>implicitly</em> from public</p>
<blockquote>
<ol class="loweralpha simple">
<li><a class="reference" href="#function">pre- and postconditions</a>,</li>
</ol>
<ol class="loweralpha" start="2">
<li><p class="first">constructors,</p>
<blockquote>
<ul class="simple">
<li>call the class invariant <em>before</em> the postcondition,</li>
</ul>
</blockquote>
</li>
<li><p class="first">destructors,</p>
<blockquote>
<ul class="simple">
<li>call the class invariant <em>before</em> the destructor body.</li>
</ul>
</blockquote>
</li>
<li><p class="first">member functions that exit abnormally via an exception <a class="footnote-reference" href="#id20" id="id11" name="id11">[5]</a></p>
</li>
</ol>
</blockquote>
</li>
<li><p class="first"><span class="target" id="it-is-always-called">It is always called</span> as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    class_invariant();
}
catch( ... )
{
    std::class_invariant_broken();
}
</pre>
</li>
</ol>
<blockquote>
<ul class="simple">
<li>rationale: this ensures that exceptions thrown in the invariant cannot escape from functions 
and in particular not from the destructor. <a class="footnote-reference" href="#id21" id="id12" name="id12">[6]</a></li>
</ul>
</blockquote>
<ol class="arabic" start="6">
<li><p class="first">For its execution <em>during</em> construction <a class="footnote-reference" href="#id22" id="id13" name="id13">[7]</a> holds that:</p>
<blockquote>
<ol class="loweralpha">
<li><p class="first">each assertion is executed in order starting from the top <em>excluding</em> any part inherited,</p>
<blockquote>
<ul class="simple">
<li>rationale: if we do not exclude inherited parts, those parts would be evaluated multiple times.</li>
</ul>
</blockquote>
</li>
</ol>
</blockquote>
</li>
<li><p class="first">For its execution <em>after</em> construction holds that:</p>
<blockquote>
<ol class="loweralpha simple">
<li>each assertion is executed in order starting from the top <em>including</em> any part inherited,</li>
<li>if the class has any sub-classes, then the inherited portion is executed first,</li>
<li>if the class has several sub-classes the order of the classes in the base-clause is followed.</li>
</ol>
</blockquote>
</li>
</ol>
</div>
<div class="section" id="namespace-invariants">
<h2><a class="toc-backref" href="#id34" name="namespace-invariants">2.5&nbsp;&nbsp;&nbsp;Namespace invariants</a></h2>
<p>To better support assertions at namespace scope or
function-scope we use namespace invariants:</p>
<blockquote>
<dl class="docutils">
<dt>syntax:    </dt>
<dd><ol class="first last arabic simple">
<li><em>namespace-invariant</em>: <tt class="docutils literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
</ol>
</dd>
</dl>
<p>example:</p>
<pre class="literal-block">
namespace foo
{
    int     buffer_size;
    int*    buffer;

    invariant
    {
        buffer_size &gt; 0;
        buffer     != 0;
        sizeof( int ) &gt;= 4 : &quot;int must be 32 bit&quot;; 
    }
    
    void foo()
    {
        int i = 0;
        for(;;)
        {
            invariant { i &lt; 10; }
            ...
        }
    }
}
</pre>
</blockquote>
<p>The namespace invariants use the same syntax as the class invariant, 
but appears in different scopes and is called in different ways.</p>
<p>The properties of namespace invariants are:</p>
<ol class="arabic">
<li><p class="first">they can appear multiple times in the same namespace across multiple translation units,</p>
</li>
<li><p class="first">for each translation unit, the present invariants are executed once 
after the static initialization phase, that is, conceptually as the 
last part of the static initialization phase,</p>
</li>
<li><p class="first">they are always called as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    namespace_invariant(); // pseudo code
}
catch( ... )
{
    std::namespace_invariant_broken();
}
</pre>
</li>
<li><p class="first">the order of evaluation of the invariants is unspecified,</p>
</li>
<li><p class="first">the order of evaluation of the assertions in an invariant is from top to bottom,</p>
</li>
<li><p class="first">for any namespace <tt class="docutils literal"><span class="pre">N</span></tt>, <tt class="docutils literal"><span class="pre">N::invariant()</span></tt> executes all invariants from namespace <tt class="docutils literal"><span class="pre">N</span></tt>.</p>
</li>
</ol>
</div>
<div class="section" id="failure-handler-functions">
<h2><a class="toc-backref" href="#id35" name="failure-handler-functions">2.6&nbsp;&nbsp;&nbsp;Failure handler functions</a></h2>
<p>The default behavior for all default assertions is to call <tt class="docutils literal"><span class="pre">terminate()</span></tt> via a call
to their respective handler. As seen below, we have a handler for each type of contract.
If the default behavior
is undesirable, the standard library provides the following handlers:</p>
<pre class="literal-block">
namespace std
{        
    void precondition_broken();
    void postcondition_broken();
    void class_invariant_broken();
    void namespace_invariant_broken();
    
    typedef void (*broken_contract_handler)();
    
    broken_contract_handler  set_precondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_postcondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_class_invariant_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_namespace_invariant_broken_handler( broken_contract_handler r ) throw();
}
</pre>
<p>This should provide plenty of room for customization. The precondition for all the <tt class="docutils literal"><span class="pre">set_XX_handler</span></tt>
functions should be <tt class="docutils literal"><span class="pre">r</span> <span class="pre">!=</span> <span class="pre">0</span></tt>.</p>
</div>
<div class="section" id="changes-to-the-standard-library">
<h2><a class="toc-backref" href="#id36" name="changes-to-the-standard-library">2.7&nbsp;&nbsp;&nbsp;Changes to the standard library</a></h2>
<p>We suggest that no required changes should be made to
the standard library. An implementation is free to
implement all standard guarantees in terms of contract
code, but not required to.</p>
<!-- ======================================
IDEA PROPOSAL VERSUS STANDARDS CHANGES
======================================

This proposal presents ideas and syntax.  It is not itself a proposal
for changes in the text of the standard.  It is not yet time for text
changes.  The distinction enables us to mention the following two
subjects. -->
</div>
</div>
<div class="section" id="contracts-for-performance">
<h1><a class="toc-backref" href="#id37" name="contracts-for-performance">3&nbsp;&nbsp;&nbsp;Contracts for performance</a></h1>
<p>This section discusses how contracts can help the compiler
to generate faster code.</p>
<p>A limited form of contract programming is the use of the <tt class="docutils literal"><span class="pre">assert()</span></tt>
macro.  Its use is standard practice in many software
projects.  Unfortunately, it suffers from several problems.  We
will evaluate these problems by distinguishing between a
library and its client.</p>
<div class="section" id="assert-is-evaluated-within-the-library">
<h2><a class="toc-backref" href="#id38" name="assert-is-evaluated-within-the-library">3.1&nbsp;&nbsp;&nbsp;<tt class="docutils literal docutils literal"><span class="pre">assert()</span></tt> is evaluated within the library</a></h2>
<p>As a consequence, the enabling or disabling of
assertion checking is a compile-time decision of the
library.  The result is generally either</p>
<ol class="arabic simple">
<li>no checking, in which case errors are lost, or</li>
<li>checking, in which case performance is lost.</li>
</ol>
<p>In contrast, preconditions may be evaluated in the
client.  The client decides on the acceptable tradeoff
between performance and checking.</p>
</div>
<div class="section" id="assert-fails-to-distinguish-between-checking-arguments-and-validating-computations">
<h2><a class="toc-backref" href="#id39" name="assert-fails-to-distinguish-between-checking-arguments-and-validating-computations">3.2&nbsp;&nbsp;&nbsp;<tt class="docutils literal docutils literal"><span class="pre">assert()</span></tt> fails to distinguish between checking arguments and validating computations</a></h2>
<p>In well-tested production code, validating computation
is rarely needed, because the function has proven
itself.  On the other hand, checking arguments has
continuing need because of the evolution of callers.
With only a single form, programmers that turn off
validating computation for performance, will also turn
off checking arguments.</p>
<p>In contrast, the proposed syntactic distinction between
preconditions, postconditions and invariants preserves the very
real need to enable them separately.</p>
</div>
<div class="section" id="assert-is-indistinguishable-from-regular-code">
<h2><a class="toc-backref" href="#id40" name="assert-is-indistinguishable-from-regular-code">3.3&nbsp;&nbsp;&nbsp;<tt class="docutils literal docutils literal"><span class="pre">assert()</span></tt> is indistinguishable from regular code</a></h2>
<p>As a consequence it is very difficult for a compiler to
make use of the contents of an <tt class="docutils literal"><span class="pre">assert()</span></tt> macro.</p>
<p>In contrast, preconditions, postconditions and invariants are very
visible to the compiler.  The compiler can use preconditions
and postconditions as a constraint on the value-space of
the code, which in turn enables optimization.</p>
<p>Explicit preconditions and postconditions enable optimization
in two ways.</p>
<ol class="arabic">
<li><p class="first">The compiler can eliminate conditions known statically.</p>
<blockquote>
<p>For example, given</p>
<pre class="literal-block">
char *foo()
postcondition( result ) { result != 0; };

void bar( char *arg )
precondition { arg != 0; }
...
bar( foo() )
</pre>
<p>the compiler can propagate the postcondition of <tt class="docutils literal"><span class="pre">foo()</span></tt>
to the precondition of <tt class="docutils literal"><span class="pre">bar()</span></tt> and entirely eliminate
the precondition checking in <tt class="docutils literal"><span class="pre">bar()</span></tt>.</p>
</blockquote>
</li>
<li><p class="first">The compiler can use conditions to guide code generation.</p>
<blockquote>
<p>For example, given</p>
<pre class="literal-block">
double sum( int count, double array[] )
precondition { count % 4 == 0; }
{
    double accum = 0.0;
    for ( int i = 0; i &lt; count; i++ )
            accum += array[i];
    return accum;
}
</pre>
<p>the compiler can unroll the loop four times, and avoid
generating the stuttering at the start of the loop.</p>
<p>Furthermore, given the same code but with a precondition of
<tt class="docutils literal"><span class="pre">count</span> <span class="pre">&gt;</span> <span class="pre">1000</span></tt>, the compiler could chose to implement the
loop in parallel.  Likewise, with <tt class="docutils literal"><span class="pre">count&lt;</span> <span class="pre">100</span></tt>, the
compiler may forgo any checking for the possibility of
parallelism.</p>
</blockquote>
</li>
</ol>
<!-- ``assert()`` does not allow the compiler to warn about side-effects
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
</div>
</div>
<div class="section" id="implementation-model-for-contracts">
<h1><a class="toc-backref" href="#id41" name="implementation-model-for-contracts">4&nbsp;&nbsp;&nbsp;Implementation model for contracts</a></h1>
<p>This section discusses the feasibility of
implementation.  We provide an
implementation model that is reasonable and consistent with the
above proposal.</p>
<p>Consider the function</p>
<pre class="literal-block">
int factorial( int n )
precondition 
{
    0 &lt;= n &amp;&amp; n &lt;= 12;
}
postcondition( result ) 
{
    result &gt;= 1;
}
{
    if ( n &lt; 2 )
        return 1;
    else
        return n * factorial( n - 1 );
}
</pre>
<p>When all conditions are enabled, the compiler generates three
functions:</p>
<ol class="arabic">
<li><p class="first">The <em>core function</em> without any condition checking.</p>
<blockquote>
<p>Call this function when compiler switches disable all
condition evaluation.</p>
</blockquote>
</li>
<li><p class="first">A <em>postcondition evaluator</em>, which calls core function and then
executes the postcondition.</p>
<blockquote>
<p>Call this function from normal code when the caller
evaluates the preconditions.</p>
</blockquote>
</li>
<li><p class="first">A <em>precondition evaluator</em>, which executes the precondition
and then calls the postcondition evaluator.</p>
<blockquote>
<p>Call this function when the caller does not or cannot
evaluate the preconditions. (Remark: the precondition evaluator
would for example be used when
a function is called via a function-pointer.)</p>
</blockquote>
</li>
</ol>
<p>When postconditions are disabled, a library-build-time
decision, the first two functions above are identical, and may
be implemented as a single function with two labels.</p>
<p>When preconditions are disabled, a client-build-time decision,
the client simply calls the second function.</p>
<p>The evaluation of class invariants is dependent on the
evaluation of the preconditions and postconditions that call
them.  As an additional performance option, compilers can turn
of invariant evaluation while still enabling other conditions.</p>
<p>Furthermore, a compiler might choose to provide a switch for
generating a single call to the invariant in the constructor.</p>
</div>
<div class="section" id="open-issues">
<h1><a class="toc-backref" href="#id42" name="open-issues">5&nbsp;&nbsp;&nbsp;Open issues</a></h1>
<ul class="simple">
<li><a class="reference" href="#are-failure-handler-functions-wrongly-specified">Are failure handler functions wrongly specified?</a></li>
</ul>
<div class="section" id="are-failure-handler-functions-wrongly-specified">
<h2><a class="toc-backref" href="#id43" name="are-failure-handler-functions-wrongly-specified">5.1&nbsp;&nbsp;&nbsp;Are failure handler functions wrongly specified?</a></h2>
<p>Currently a <a class="reference" href="#failure-handler-functions">failure handler function</a> does not
allow one to</p>
<ol class="arabic simple">
<li>see the context of the broken assertion, or</li>
<li>use other functions than free-standing functions.</li>
</ol>
<p>It might be desirable to change the functions to</p>
<pre class="literal-block">
namespace std
{
    class assertion_context
    {
        contract_context( const char* where, const char* assertion ) throw();
        ~contract_context() throw();
        const char* context() const throw();
    };

    void precondition_broken( const assertion_context&amp; cc );
    // ... etc
}
</pre>
<p>or even</p>
<pre class="literal-block">
namespace std
{
    extern std::function&lt; void ( const assertion_context&amp; ) &gt; precondition_broken;
    // ... etc
}
</pre>
<p>This would hopefully ensure good error-messages.</p>
</div>
</div>
<div class="section" id="major-changes-from-n1773">
<h1><a name="major-changes-from-n1773">6&nbsp;&nbsp;&nbsp;Major changes from <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1773.html">n1773</a></a></h1>
<ol class="arabic">
<li><p class="first">reformulated the syntax of <a class="reference" href="#static-assertions">static assertions</a> 
(no use of <tt class="docutils literal"><span class="pre">static</span></tt> keyword).</p>
</li>
<li><p class="first">reformulated the syntax of <a class="reference" href="#runtime-assertions">runtime assertions</a>
(we now allow importance ordering).</p>
</li>
<li><p class="first">the invariant mechanisms have been
merged (hence now much simpler).</p>
</li>
<li><p class="first">changed use of keyword:</p>
<blockquote>
<table border="1" class="docutils">
<colgroup>
<col width="44%" />
<col width="56%" />
</colgroup>
<tbody valign="top">
<tr><td><p class="first last"><strong>before</strong></p>
</td>
<td><p class="first last"><strong>now</strong></p>
</td>
</tr>
<tr><td><p class="first last"><tt class="docutils literal"><span class="pre">__old</span></tt></p>
</td>
<td><p class="first last"><tt class="docutils literal"><span class="pre">oldof</span></tt></p>
</td>
</tr>
</tbody>
</table>
</blockquote>
</li>
</ol>
</div>
<div class="section" id="list-of-proposals-that-could-be-affected-by-this-proposal">
<h1><a class="toc-backref" href="#id45" name="list-of-proposals-that-could-be-affected-by-this-proposal">7&nbsp;&nbsp;&nbsp;List of proposals that could be affected by this proposal</a></h1>
<ol class="arabic simple">
<li>static assertions as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1617.html">n1617</a></li>
<li>concepts as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1510.pdf">n1510</a>, <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1522.pdf">n1522</a>, <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1536.pdf">n1536</a> and <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1758.pdf">n1758</a></li>
<li>any proposal that seeks to enhance meta-programming capabilities</li>
</ol>
</div>
<div class="section" id="implementability">
<h1><a class="toc-backref" href="#id46" name="implementability">8&nbsp;&nbsp;&nbsp;Implementability</a></h1>
<p>We expect that it will take about 3 man months to implement the proposal without
dedicating any time to optimizations.</p>
</div>
<div class="section" id="alternative-syntax">
<h1><a class="toc-backref" href="#id47" name="alternative-syntax">9&nbsp;&nbsp;&nbsp;Alternative syntax</a></h1>
<p>In Lillehammer it was suggested to
use normal C++ syntax for separation
of assertions. In particular it was suggested
to write an assertion-sequence as</p>
<pre class="literal-block">
{
    foo() &amp;&amp;
    bar() &amp;&amp;
    true;
}
</pre>
<p>instead of</p>
<pre class="literal-block">
{
    foo();
    bar();
    true;
} 
</pre>
<p>A full example have been made with the proposed
syntax (see <a class="reference" href="#vector-example-alternative-syntax-hpp">vector_example_alternative_syntax.hpp</a>).</p>
<p>It is quite obvious that this syntax has the following
drawbacks:</p>
<ol class="arabic simple">
<li>it becomes harder for debuggers to break on
individual assertions, because the whole assertion-sequence
is a single statement</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>the ternary operator is harder to read than if-statements</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>the combination of <tt class="docutils literal"><span class="pre">assertion</span> <span class="pre">:</span> <span class="pre">&quot;string&quot;</span></tt> and
<tt class="docutils literal"><span class="pre">assertion</span> <span class="pre">:</span> <span class="pre">2</span></tt> do not look good.</li>
</ol>
</div>
<div class="section" id="list-of-examples">
<h1><a class="toc-backref" href="#id48" name="list-of-examples">10&nbsp;&nbsp;&nbsp;List of examples</a></h1>
<ul class="simple">
<li><a class="reference" href="#vector-example-hpp">vector_example.hpp</a></li>
<li><a class="reference" href="#vector-example-alternative-syntax-hpp">vector_example_alternative_syntax.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a></li>
</ul>
<div class="section" id="vector-example-hpp">
<h2><a class="toc-backref" href="#id49" name="vector-example-hpp">10.1&nbsp;&nbsp;&nbsp;vector_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>
<pre>

<span class=comment>///////////////////////////////////////
// Tools
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* for simplicity, let us assume T's can be compared */</span> <span class=special>}</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Size</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>Size</span> <span class=identifier>size</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* internal tagging mechnism so even input iterators can be passed */</span> <span class=special>}</span>

<span class=comment>///////////////////////////////////////
// New vector interface
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Alloc</span> <span class=special>=</span> <span class=identifier>allocator</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;</span> <span class=special>&gt;</span>
<span class=keyword>class</span> <span class=identifier>vector</span> 
<span class=special>{</span>
    <span class=keyword>invariant</span>
    <span class=special>{</span>
	<span class=identifier>is_assignable</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span>         <span class=special>:</span> <span class=string>&quot;value_type must be Assignable&quot;</span> <span class=special>;</span>
	<span class=identifier>is_copy_constructible</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;value_type must be CopyConstructible&quot;</span> <span class=special>;</span>

        <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span> <span class=special>==</span> <span class=identifier>empty</span><span class=special>();</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>rbegin</span><span class=special>(),</span> <span class=identifier>rend</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span>
        <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span>
    <span class=special>}</span>
    
    
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>typedef</span> <span class=identifier>Alloc</span>                             <span class=identifier>allocator_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>pointer</span>           <span class=identifier>pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_pointer</span>     <span class=identifier>const_pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>reference</span>         <span class=identifier>reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_reference</span>   <span class=identifier>const_reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>value_type</span>        <span class=identifier>value_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>const_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>size_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>difference_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>iterator</span><span class=special>&gt;</span>        <span class=identifier>reverse_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>const_iterator</span><span class=special>&gt;</span>  <span class=identifier>const_reverse_iterator</span><span class=special>;</span>

             <span class=identifier>vector</span><span class=special>()</span>                  
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span> 
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}:</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span> <span class=special>}</span>
    
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>reserve</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>count</span><span class=special>;</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>begin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_iterator</span> <span class=identifier>begin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>iterator</span> <span class=identifier>end</span><span class=special>();</span>
             <span class=identifier>const_iterator</span> <span class=identifier>end</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rend</span><span class=special>();</span>
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rend</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 1: with an if</span>
                 <span class=special>{</span> 
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>)</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span><span class=special>,</span> <span class=identifier>T</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 2: with ternary operator</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>())</span> <span class=special>?</span> 
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span>
                 <span class=special>}</span>
         
             <span class=identifier>size_type</span> <span class=identifier>size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>max_size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=keyword>bool</span> <span class=identifier>empty</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>==</span> <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>Alloc</span> <span class=identifier>get_allocator</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>);</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>

             <span class=identifier>const_reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>front</span><span class=special>();</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>front</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>back</span><span class=special>()</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>back</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>push_back</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>back</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span> 
                                 <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span> 
                                 <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>pop_back</span><span class=special>()</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span>
                     <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> 
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                     <span class=special>*</span><span class=keyword>result</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span>  <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span>
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> 
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span>
        
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> 
                     <span class=identifier>where</span> <span class=special>!=</span> <span class=identifier>end</span><span class=special>();</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>iterator</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [first,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>clear</span><span class=special>();</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>swap</span><span class=special>(</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span> 
                     <span class=identifier>oldof</span> <span class=special>*</span><span class=keyword>this</span> <span class=special>==</span> <span class=identifier>right</span><span class=special>;</span>
                     <span class=identifier>oldof</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span>
                 <span class=special>}</span>
             
<span class=special>};</span> <span class=comment>// class 'vector'</span>

</pre>
</body>
</html>
</div>
<div class="section" id="vector-example-alternative-syntax-hpp">
<h2><a class="toc-backref" href="#id50" name="vector-example-alternative-syntax-hpp">10.2&nbsp;&nbsp;&nbsp;vector_example_alternative_syntax.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>
<pre>
<span class=comment>///////////////////////////////////////
// Tools
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* for simplicity, let us assume T's can be compared */</span> <span class=special>}</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Size</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>Size</span> <span class=identifier>size</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* internal tagging mechnism so even input iterators can be passed */</span> <span class=special>}</span>

<span class=comment>///////////////////////////////////////
// New vector interface
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Alloc</span> <span class=special>=</span> <span class=identifier>allocator</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;</span> <span class=special>&gt;</span>
<span class=keyword>class</span> <span class=identifier>vector</span> 
<span class=special>{</span>
    <span class=keyword>invariant</span>
    <span class=special>{</span>
	<span class=identifier>is_assignable</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span>         <span class=special>:</span> <span class=string>&quot;value_type must be Assignable&quot;</span> <span class=special>&amp;&amp;</span>
	<span class=identifier>is_copy_constructible</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;value_type must be CopyConstructible&quot;</span> <span class=special>&amp;&amp;</span>
        <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span> <span class=special>==</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>&amp;&amp;</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>)</span> <span class=special>&amp;&amp;</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>rbegin</span><span class=special>(),</span> <span class=identifier>rend</span><span class=special>()</span> <span class=special>)</span> <span class=special>&amp;&amp;</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&amp;&amp;</span>
        <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span>
    <span class=special>}</span>
    
    
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>typedef</span> <span class=identifier>Alloc</span>                             <span class=identifier>allocator_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>pointer</span>           <span class=identifier>pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_pointer</span>     <span class=identifier>const_pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>reference</span>         <span class=identifier>reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_reference</span>   <span class=identifier>const_reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>value_type</span>        <span class=identifier>value_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>const_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>size_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>difference_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>iterator</span><span class=special>&gt;</span>        <span class=identifier>reverse_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>const_iterator</span><span class=special>&gt;</span>  <span class=identifier>const_reverse_iterator</span><span class=special>;</span>

             <span class=identifier>vector</span><span class=special>()</span>                  
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span> 
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>&amp;&amp;</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span> <span class=special>&amp;&amp;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span> <span class=special>&amp;&amp;</span>
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span> <span class=special>==</span> <span class=identifier>count</span> <span class=special>&amp;&amp;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>&amp;&amp;</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span> <span class=special>}</span>
    
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span><span class=special>;</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>)</span> <span class=special>&amp;&amp;</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>reserve</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>count</span><span class=special>;</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>begin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>?</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=identifier>const_iterator</span> <span class=identifier>begin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>?</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=identifier>iterator</span> <span class=identifier>end</span><span class=special>();</span>
             <span class=identifier>const_iterator</span> <span class=identifier>end</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>?</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>?</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rend</span><span class=special>();</span>
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rend</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 1: with an if</span>
                 <span class=special>{</span> 
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span> <span class=special>&amp;&amp;</span>
                     <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>?</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>)</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span><span class=special>,</span> <span class=identifier>T</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 2: with ternary operator</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span> <span class=special>&amp;&amp;</span> 
                     <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>())</span> <span class=special>?</span> 
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span>
                 <span class=special>}</span>
         
             <span class=identifier>size_type</span> <span class=identifier>size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>max_size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=keyword>bool</span> <span class=identifier>empty</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>==</span> <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>Alloc</span> <span class=identifier>get_allocator</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>);</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>

             <span class=identifier>const_reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>front</span><span class=special>();</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>front</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>back</span><span class=special>()</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>back</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>push_back</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>back</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>val</span> <span class=special>&amp;&amp;</span> 
                                 <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span> <span class=special>&amp;&amp;</span> 
                                 <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>pop_back</span><span class=special>()</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span>
                     <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span> <span class=special>&amp;&amp;</span> 
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                     <span class=special>*</span><span class=keyword>result</span> <span class=special>==</span> <span class=identifier>val</span> <span class=special>&amp;&amp;</span>
                     <span class=identifier>size</span><span class=special>()</span>  <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span> <span class=special>&amp;&amp;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&amp;&amp;</span>
                     
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>?</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span> <span class=special>:</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&amp;&amp;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&amp;&amp;</span>
                     
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>?</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>&amp;&amp;</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span> <span class=special>:</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=identifier>is_input_iterator</span><span class=special>&lt;</span><span class=identifier>InIt</span><span class=special>&gt;::</span><span class=identifier>value</span> <span class=special>:</span> <span class=string>&quot;Iterator argument must model an InputIterator&quot;</span> <span class=special>&amp;&amp;</span>
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span> <span class=special>&amp;&amp;</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> 
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&amp;&amp;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&amp;&amp;</span>
        
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>?</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>&amp;&amp;</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>:</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>&amp;&amp;</span> 
                     <span class=identifier>where</span> <span class=special>!=</span> <span class=identifier>end</span><span class=special>();</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span> <span class=special>&amp;&amp;</span>
						   
                      <span class=identifier>empty</span><span class=special>()</span> <span class=special>?</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>:</span> <span class=keyword>true</span> <span class=special>&amp;&amp;</span>
						  
                      <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>iterator</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>)</span> <span class=special>&amp;&amp;</span> 
                      <span class=identifier>empty</span><span class=special>()</span> <span class=special>?</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>&amp;&amp;</span>
                      <span class=string>&quot;All iterators in the range [first,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>clear</span><span class=special>();</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>swap</span><span class=special>(</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span> 
                     <span class=identifier>oldof</span> <span class=special>*</span><span class=keyword>this</span> <span class=special>==</span> <span class=identifier>right</span> <span class=special>&amp;&amp;</span>
                     <span class=identifier>oldof</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span>
                 <span class=special>}</span>
             
<span class=special>};</span> <span class=comment>// class 'vector'</span>

</pre>
</body>
</html>
</div>
<div class="section" id="subcontracting-example-hpp">
<h2><a class="toc-backref" href="#id51" name="subcontracting-example-hpp">10.3&nbsp;&nbsp;&nbsp;subcontracting_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>//
// This example shows how Contract Programming 
// allows one to keep the virtual function public 
// and still enforce the contract of the function
//</span>

<span class=keyword>class</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>virtual</span> <span class=special>~</span><span class=identifier>shape</span><span class=special>()</span> <span class=special>{}</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span> <span class=special>=</span> <span class=number>0</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>&gt;</span> <span class=number>0</span><span class=special>;</span>
        <span class=special>}</span>
<span class=special>};</span>

<span class=keyword>class</span> <span class=identifier>circle</span> <span class=special>:</span> <span class=keyword>public</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>int</span> <span class=identifier>radius</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span>
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>pi</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>()</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>();</span>
        <span class=special>}</span>
<span class=special>};</span>
</pre>


</body>
</html>



</div>
</div>
<div class="section" id="comparison-of-contract-programming-in-d-eiffel-and-c">
<h1><a class="toc-backref" href="#id52" name="comparison-of-contract-programming-in-d-eiffel-and-c">11&nbsp;&nbsp;&nbsp;Comparison of Contract Programming in D, Eiffel and C++</a></h1>
<p>The table below contains a comparison of how Contract
Programming is implemented in D, Eiffel and C++.</p>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="21%" />
<col width="20%" />
<col width="34%" />
</colgroup>
<tbody valign="top">
<tr><td><strong>Feature</strong></td>
<td><strong>ISE Eiffel 5.4</strong></td>
<td><strong>D</strong></td>
<td><strong>C++ Proposal</strong></td>
</tr>
<tr><td><em>keywords</em></td>
<td><tt class="docutils literal"><span class="pre">require</span></tt>, <tt class="docutils literal"><span class="pre">ensure</span></tt>,
<tt class="docutils literal"><span class="pre">do</span></tt>, <tt class="docutils literal"><span class="pre">require</span> <span class="pre">else</span></tt>,
<tt class="docutils literal"><span class="pre">ensure</span> <span class="pre">then</span></tt>, <tt class="docutils literal"><span class="pre">invariant</span></tt>,
<tt class="docutils literal"><span class="pre">old</span></tt>, <tt class="docutils literal"><span class="pre">result</span></tt>,
<tt class="docutils literal"><span class="pre">variant</span></tt></td>
<td><tt class="docutils literal"><span class="pre">in</span></tt>, <tt class="docutils literal"><span class="pre">out</span></tt>, <tt class="docutils literal"><span class="pre">body</span></tt>,
<tt class="docutils literal"><span class="pre">invariant</span></tt>, <tt class="docutils literal"><span class="pre">assert</span></tt>,
<tt class="docutils literal"><span class="pre">static</span></tt></td>
<td><tt class="docutils literal"><span class="pre">precondition</span></tt>,
<tt class="docutils literal"><span class="pre">postcondition</span></tt>,
<tt class="docutils literal"><span class="pre">invariant</span></tt>, <tt class="docutils literal"><span class="pre">static</span></tt></td>
</tr>
<tr><td><em>on failure</em></td>
<td>throws exception</td>
<td>throws exception</td>
<td>defaults to <tt class="docutils literal"><span class="pre">terminate()</span></tt>,
defaults can be customized,
might throw</td>
</tr>
<tr><td><em>expression copying in postconditions</em></td>
<td>yes, <tt class="docutils literal"><span class="pre">old</span></tt> keyword</td>
<td>no</td>
<td>yes, <tt class="docutils literal"><span class="pre">oldof</span></tt> keyword</td>
</tr>
<tr><td><em>subcontracting</em></td>
<td>yes</td>
<td>yes</td>
<td>yes, but only considers
postconditions</td>
</tr>
<tr><td><em>contracts on abstract functions</em></td>
<td>yes</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>arbitrary code contracts</em></td>
<td>yes</td>
<td>yes</td>
<td>no, must be const correct</td>
</tr>
<tr><td><em>function code ordering</em></td>
<td>pre -&gt; body -&gt; post</td>
<td>pre -&gt; post -&gt; body</td>
<td>pre -&gt; post -&gt; body</td>
</tr>
<tr><td><em>compile-time assertions</em></td>
<td>no</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr><td><em>loop invariants</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>loop variants</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>const-correct</em></td>
<td>no</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>invariant calls</em></td>
<td><ul class="first last simple">
<li>end of &quot;constructor&quot;</li>
<li>around public functions</li>
</ul>
</td>
<td><ul class="first last simple">
<li>end of constructor</li>
<li>around public functions</li>
<li>start of destructor</li>
</ul>
</td>
<td><ul class="first last simple">
<li>as in D</li>
<li>when a function exits due to an exception</li>
</ul>
</td>
</tr>
<tr><td><em>disabling of checks during assertions</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>when public func. call public func.</em></td>
<td>disable all checks</td>
<td>disable nothing</td>
<td>disable nothing</td>
</tr>
<tr><td><em>removable from object code</em></td>
<td>yes</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
</div>
<div class="section" id="acknowledgements">
<h1><a class="toc-backref" href="#id53" name="acknowledgements">12&nbsp;&nbsp;&nbsp;Acknowledgements</a></h1>
<p>The following people has been provided feedback and comments throughout the proposals
history: Reece Dunn, Douglas Gregor, Alf Steinbach, Matthew Wilson, 
Berend de Boer, Darren Cook, Pavel Vozenilek, Scott Meyers, Attila Fehér, Walter Bright,
Per Madsen, Kevlin Henney, Sergey Vlasov, Bob Bell, John Nagle, Daveed Vandevoorde,
Jaakko Jarvi, Christopher Diggins, John Torjo, Robert Kawulak, Dave Harris, Michael Wong, 
Thomas Witt, Tim Rowe.</p>
<p>Special thanks goes to David Abrahams and James Widman.</p>
<!-- ############################################### -->
<!-- ################## Links ###################### -->
<!-- ############################################### -->
</div>
<div class="section" id="footnotes">
<h1><a class="toc-backref" href="#id54" name="footnotes">13&nbsp;&nbsp;&nbsp;Footnotes</a></h1>
<!-- ############################################### -->
<!-- ################## Footnotes ################## -->
<!-- ############################################### -->
<table class="docutils footnote" frame="void" id="id15" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id1" name="id15">[0]</a></td><td>For example, if the compiler can determine that a precondition is satisfied,
it can call a function where the precondition is not checked. Also, the 
compiler can always assume contracts to be true; hence the compiler can take
advantage of the precondition in the function body.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id16" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id2" name="id16">[1]</a></td><td><p class="first">Even experienced programmers can choke on the word &quot;invariant&quot; and what it
means for a class to have one. There are a few simple rules we want  
all programmers to learn:</p>
<ol class="last arabic simple">
<li>that classes can have invariants and that subclasses have stronger or equally strong invariants,</li>
<li>that functions have pre- and postconditions: the implementer has as his obligation to fulfill the 
postcondition assuming the precondition holds; the user has as his obligation to fulfill the precondition
and receives the benefits of the postcondition in return,</li>
<li>that public functions cannot break the class invariant.</li>
</ol>
</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id17" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a name="id17">[2]</a></td><td>A good compiler will emit warnings whenever a mutation is detected within a contract. This is 
a major advantage compared to the ad hoc solutions programmers use today; there is no special
scope and hence no way the compiler can emit those warnings.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id18" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id7" name="id18">[3]</a></td><td>A weaker precondition can be taken advantage of if we know the particular type
of the object. If weaker preconditions should be allowed, then there exists two
alternatives: to allow reuse of an existing contract or to require a complete
redefinition. The former favours expressiveness, the latter favours
overview.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id19" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id8" name="id19">[4]</a></td><td>In some cases the compiler will be able to determine overlapping expression and hence
optimize some assertions away.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id20" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id11" name="id20">[5]</a></td><td>To ensure that the function gives the basic guarantee of exception-safety.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id21" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id12" name="id21">[6]</a></td><td>One can imagine an approach where exceptions could escape from an invariant by not checking
invariants when functions exit via an exception. The benefits of such an approach are not
obvious and it will complicate flow analysis unnecessarily.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id22" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id13" name="id22">[7]</a></td><td>During construction means until the post-condition of the constructor has ended.</td></tr>
</tbody>
</table>
</div>
</div>
</body>
</html>
