<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.3.10: http://docutils.sourceforge.net/" />
<title>Proposal to add Contract Programming to C++ (revision 4)</title>
<meta name="author" content="Lawrence Crowl and Thorsten Ottosen" />
<meta name="organization" content="Sun Microsystems and Dezide Aps" />
<meta name="date" content="2006-02-25" />
<style type="text/css">

/*
:Author: David Goodger
:Contact: goodger@users.sourceforge.net
:date: $Date: 2004/01/12 02:49:54 $
:version: $Revision: 1.2 $
:copyright: This stylesheet has been placed in the public domain.

Default cascading style sheet for the HTML output of Docutils.
*/

.first {
  margin-top: 0 }

.last {
  margin-bottom: 0 }

a.toc-backref {
  text-decoration: none ;
  color: black }

dd {
  margin-bottom: 0.5em }

div.abstract {
  margin: 2em 5em }

div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }

div.attention, div.caution, div.danger, div.error, div.hint,
div.important, div.note, div.tip, div.warning, div.admonition {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }

div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }

div.hint p.admonition-title, div.important p.admonition-title,
div.note p.admonition-title, div.tip p.admonition-title,
div.admonition p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }

div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }

div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }

div.figure {
  margin-left: 2em }

div.footer, div.header {
  font-size: smaller }

div.sidebar {
  margin-left: 1em ;
  border: medium outset ;
  padding: 0em 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right ;
  clear: right }

div.sidebar p.rubric {
  font-family: sans-serif ;
  font-size: medium }

div.system-messages {
  margin: 5em }

div.system-messages h1 {
  color: red }

div.system-message {
  border: medium outset ;
  padding: 1em }

div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }

div.topic {
  margin: 2em }

h1.title {
  text-align: center }

h2.subtitle {
  text-align: center }

hr {
  width: 75% }

ol.simple, ul.simple {
  margin-bottom: 1em }

ol.arabic {
  list-style: decimal }

ol.loweralpha {
  list-style: lower-alpha }

ol.upperalpha {
  list-style: upper-alpha }

ol.lowerroman {
  list-style: lower-roman }

ol.upperroman {
  list-style: upper-roman }

p.attribution {
  text-align: right ;
  margin-left: 50% }

p.caption {
  font-style: italic }

p.credits {
  font-style: italic ;
  font-size: smaller }

p.label {
  white-space: nowrap }

p.rubric {
  font-weight: bold ;
  font-size: larger ;
  color: maroon ;
  text-align: center }

p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }

p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }

p.topic-title {
  font-weight: bold }

pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font-family: serif ;
  font-size: 100% }

pre.line-block {
  font-family: serif ;
  font-size: 100% }

pre.literal-block, pre.doctest-block {
  margin-left: 2em ;
  margin-right: 2em ;
  background-color: #eeeeee }

span.classifier {
  font-family: sans-serif ;
  font-style: oblique }

span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }

span.interpreted {
  font-family: sans-serif }

span.option {
  white-space: nowrap }

span.option-argument {
  font-style: italic }

span.pre {
  white-space: pre }

span.problematic {
  color: red }

table {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }

table.citation {
  border-left: solid thin gray ;
  padding-left: 0.5ex }

table.docinfo {
  margin: 2em 4em }

table.footnote {
  border-left: solid thin black ;
  padding-left: 0.5ex }

td, th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }

th.docinfo-name, th.field-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap }

h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
  font-size: 100% }

tt {
  background-color: #eeeeee }

ul.auto-toc {
  list-style-type: none }
  
pre{
  BORDER-RIGHT: gray 1pt solid;
  PADDING-RIGHT: 2pt;
  BORDER-TOP: gray 1pt solid;
  DISPLAY: block;
  PADDING-LEFT: 2pt;
  PADDING-BOTTOM: 2pt;
  BORDER-LEFT: gray 1pt solid;
  MARGIN-RIGHT: 32pt;
  PADDING-TOP: 2pt;
  BORDER-BOTTOM: gray 1pt solid;
  FONT-FAMILY: "Courier New", Courier, mono; 
  background-color: #EEEEEE; 
}


.keyword{color: #0000FF;}
.identifier{}
.comment{font-style: italic; color: #008000;}
.special{color: #800040;}
.preprocessor{color: #3F007F;}
.string{font-style: italic; color: #666666;}
.literal{/*font-style: italic;*/ color: #000000;}


</style>
</head>
<body>
<div class="document" id="proposal-to-add-contract-programming-to-c-revision-4">
<h1 class="title">Proposal to add Contract Programming to C++ (revision 4)</h1>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr><th class="docinfo-name">Author:</th>
<td>Lawrence Crowl and Thorsten Ottosen</td></tr>
<tr><th class="docinfo-name">Contact:</th>
<td><a class="first reference" href="mailto:lawrence.crowl&#64;sun.com">lawrence.crowl&#64;sun.com</a> and <a class="last reference" href="mailto:tottosen&#64;dezide.com">tottosen&#64;dezide.com</a></td></tr>
<tr><th class="docinfo-name">Organization:</th>
<td>Sun Microsystems and Dezide Aps</td></tr>
<tr><th class="docinfo-name">Date:</th>
<td>2006-02-25</td></tr>
<tr class="field"><th class="docinfo-name">Number:</th><td class="field-body">WG21/N1962 and J16/06-0032. This proposal is a
revision of paper <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1866.html">n1866</a>.</td>
</tr>
<tr class="field"><th class="docinfo-name">Working Group:</th><td class="field-body">Evolution</td>
</tr>
</tbody>
</table>
<div class="abstract topic">
<p class="topic-title first">Abstract</p>
<p>Contract Programming is about providing the programmer with stronger tools 
for expressing correctness arguments directly in the source code. Moreover, the
contracts enable new and powerful optimization opportunities. 
The benefits 
are among others a higher degree of self-documenting source code,
better design tools, 
and easier debugging and testing. 
The proposal consists of largely orthogonal mechanisms which
may be pursued in isolation.</p>
</div>
<div class="contents topic">
<p class="topic-title first"><a id="table-of-contents" name="table-of-contents">Table of Contents</a></p>
<ul class="auto-toc simple">
<li><a class="reference" href="#motivation" id="id47" name="id47">1&nbsp;&nbsp;&nbsp;Motivation</a></li>
<li><a class="reference" href="#major-changes-from-n1866" id="id48" name="id48">2&nbsp;&nbsp;&nbsp;Major changes from n1866</a></li>
<li><a class="reference" href="#alternative-ways-to-realize-this-proposals" id="id49" name="id49">3&nbsp;&nbsp;&nbsp;Alternative ways to realize this proposals</a></li>
<li><a class="reference" href="#the-proposal" id="id50" name="id50">4&nbsp;&nbsp;&nbsp;The proposal</a><ul class="auto-toc">
<li><a class="reference" href="#assertions" id="id51" name="id51">4.1&nbsp;&nbsp;&nbsp;Assertions</a><ul class="auto-toc">
<li><a class="reference" href="#runtime-assertions" id="id52" name="id52">4.1.1&nbsp;&nbsp;&nbsp;Runtime assertions</a></li>
</ul>
</li>
<li><a class="reference" href="#function-pre-and-postconditions" id="id53" name="id53">4.2&nbsp;&nbsp;&nbsp;Function pre- and postconditions</a><ul class="auto-toc">
<li><a class="reference" href="#virtual-functions" id="id54" name="id54">4.2.1&nbsp;&nbsp;&nbsp;Virtual functions</a></li>
<li><a class="reference" href="#constructors" id="id55" name="id55">4.2.2&nbsp;&nbsp;&nbsp;Constructors</a></li>
<li><a class="reference" href="#function-pointers" id="id56" name="id56">4.2.3&nbsp;&nbsp;&nbsp;Function pointers</a></li>
</ul>
</li>
<li><a class="reference" href="#keyword-oldof" id="id57" name="id57">4.3&nbsp;&nbsp;&nbsp;Keyword <tt class="docutils literal"><span class="pre">oldof</span></tt></a></li>
<li><a class="reference" href="#class-invariants" id="id58" name="id58">4.4&nbsp;&nbsp;&nbsp;Class invariants</a></li>
<li><a class="reference" href="#block-invariants" id="id59" name="id59">4.5&nbsp;&nbsp;&nbsp;block invariants</a></li>
<li><a class="reference" href="#failure-handler-functions" id="id60" name="id60">4.6&nbsp;&nbsp;&nbsp;Failure handler functions</a></li>
<li><a class="reference" href="#changes-to-the-standard-library" id="id61" name="id61">4.7&nbsp;&nbsp;&nbsp;Changes to the standard library</a></li>
</ul>
</li>
<li><a class="reference" href="#contracts-for-performance" id="id62" name="id62">5&nbsp;&nbsp;&nbsp;Contracts for performance</a><ul class="auto-toc">
<li><a class="reference" href="#assert-is-evaluated-within-the-library" id="id63" name="id63">5.1&nbsp;&nbsp;&nbsp;<tt class="docutils literal"><span class="pre">assert()</span></tt> is evaluated within the library</a></li>
<li><a class="reference" href="#assert-fails-to-distinguish-between-checking-arguments-and-validating-computations" id="id64" name="id64">5.2&nbsp;&nbsp;&nbsp;<tt class="docutils literal"><span class="pre">assert()</span></tt> fails to distinguish between checking arguments and validating computations</a></li>
<li><a class="reference" href="#assert-is-indistinguishable-from-regular-code" id="id65" name="id65">5.3&nbsp;&nbsp;&nbsp;<tt class="docutils literal"><span class="pre">assert()</span></tt> is indistinguishable from regular code</a></li>
</ul>
</li>
<li><a class="reference" href="#implementation-model-for-contracts" id="id66" name="id66">6&nbsp;&nbsp;&nbsp;Implementation model for contracts</a></li>
<li><a class="reference" href="#list-of-proposals-that-could-be-affected-by-this-proposal" id="id67" name="id67">7&nbsp;&nbsp;&nbsp;List of proposals that could be affected by this proposal</a></li>
<li><a class="reference" href="#implementability" id="id68" name="id68">8&nbsp;&nbsp;&nbsp;Implementability</a></li>
<li><a class="reference" href="#alternative-syntax" id="id69" name="id69">9&nbsp;&nbsp;&nbsp;Alternative syntax</a></li>
<li><a class="reference" href="#list-of-examples" id="id70" name="id70">10&nbsp;&nbsp;&nbsp;List of examples</a><ul class="auto-toc">
<li><a class="reference" href="#vector-example-hpp" id="id71" name="id71">10.1&nbsp;&nbsp;&nbsp;vector_example.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp" id="id72" name="id72">10.2&nbsp;&nbsp;&nbsp;subcontracting_example.hpp</a></li>
<li><a class="reference" href="#recursion-example" id="id73" name="id73">10.3&nbsp;&nbsp;&nbsp;recursion example</a></li>
</ul>
</li>
<li><a class="reference" href="#comparison-of-contract-programming-in-d-eiffel-and-c" id="id74" name="id74">11&nbsp;&nbsp;&nbsp;Comparison of Contract Programming in D, Eiffel and C++</a></li>
<li><a class="reference" href="#list-of-contract-programming-resources" id="id75" name="id75">12&nbsp;&nbsp;&nbsp;List of Contract Programming resources</a></li>
<li><a class="reference" href="#acknowledgements" id="id76" name="id76">13&nbsp;&nbsp;&nbsp;Acknowledgements</a></li>
<li><a class="reference" href="#footnotes" id="id77" name="id77">14&nbsp;&nbsp;&nbsp;Footnotes</a></li>
</ul>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id47" id="motivation" name="motivation">1&nbsp;&nbsp;&nbsp;Motivation</a></h1>
<blockquote>
<div class="line-block">
<div class="line">Fact 31: Error removal is the most time-consuming phase of the</div>
<div class="line">[software] life cycle.</div>
<div class="line"><br /></div>
<div class="line">Fact 36: Programmer-created built-in debug code, preferably optionally</div>
<div class="line">included in the object code based on compiler parameters,</div>
<div class="line">is an important supplement to testing tools.</div>
<div class="line"><br /></div>
<div class="line"><em>Excerpted from Robert L. Glass' fascinating book &quot;Facts and Fallacies of Software Engineering&quot;</em>.</div>
</div>
</blockquote>
<p>Language support for Contract Programming in C++ has several benefits:</p>
<ol class="arabic simple">
<li>It can minimize the need for separation of documentation and implementation.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>It can enable the compiler to generate faster code <a class="footnote-reference" href="#id35" id="id1" name="id1">[0]</a>
(see also <a class="reference" href="#contracts-for-performance">Contracts for performance</a>).</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>It can make debugging and testing much easier.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="4">
<li>It can improve communication between designers and programmers in large C++ projects.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="5">
<li>It can make inheritance easier to use correctly (see <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a> and <a class="footnote-reference" href="#id43" id="id2" name="id2">[8]</a>).</li>
</ol>
<!--  -->
<ol class="arabic simple" start="6">
<li>It can ensure that every programmer understands the contract metaphors <a class="footnote-reference" href="#id36" id="id3" name="id3">[1]</a> .</li>
</ol>
<!--  -->
<ol class="arabic simple" start="7">
<li>It can enable more powerful static analysis tools.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="8">
<li>It can make assertions easier to use and more expressive by avoiding infinite recursion
when checking postconditions and class invariants (see <a class="reference" href="#recursion-example">recursion example</a>).</li>
</ol>
<p>Please refer to <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1800.pdf">n1800</a> and <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> for an extensive discussion of these benefits.</p>
<p>Already with the current proposal, it is quite remarkable how much
of an interface that can be documented. For a good example, please
see how <tt class="docutils literal"><span class="pre">std::vector</span></tt> is declared in <a class="reference" href="#vector-example-hpp">vector_example.hpp</a>; there is only a small
portion of the specification of <tt class="docutils literal"><span class="pre">std::vector</span></tt> that cannot be described in the 
contracts.</p>
<p>We remind the reader that the proposal consists of
largely orthogonal mechanisms which may be pursued in isolation. 
See <a class="reference" href="#alternative-ways-to-realize-this-proposals">Alternative ways to realize this proposals</a> for a
discussion.</p>
<p>Work on Contract Programming exists in many other
languages and the most important may be found <a class="reference" href="#list-of-contract-programming-resources">below</a>.</p>
</div>
<div class="section">
<h1><a id="major-changes-from-n1866" name="major-changes-from-n1866">2&nbsp;&nbsp;&nbsp;Major changes from <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1866.html">n1866</a></a></h1>
<ol class="arabic simple">
<li>Removed support for alternative static assertions.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>Removed support for namespace invariants.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>Removed the notion of &quot;importance ordering&quot; <a class="footnote-reference" href="#id45" id="id5" name="id5">[10]</a>.</li>
</ol>
<!--  -->
</div>
<div class="section">
<h1><a class="toc-backref" href="#id49" id="alternative-ways-to-realize-this-proposals" name="alternative-ways-to-realize-this-proposals">3&nbsp;&nbsp;&nbsp;Alternative ways to realize this proposals</a></h1>
<p>This proposal should be viewed a collection of different
proposals each building on the basic notion of assertions
and adding more and more features.</p>
<p>This lead us to the following possible proposals:</p>
<ol class="arabic simple">
<li><a class="reference" href="#functionx">preconditions</a></li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>preconditions + <a class="reference" href="#functionx">postconditions</a></li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>preconditions + postconditions + <a class="reference" href="#keywordoldof">oldof</a></li>
</ol>
<!--  -->
<ol class="arabic simple" start="4">
<li><a class="reference" href="#class-invariants">class invariants</a></li>
</ol>
<!--  -->
<ol class="arabic simple" start="5">
<li>class invariants + <a class="reference" href="#block-invariants">block invariants</a></li>
</ol>
<!--  -->
<ol class="arabic simple" start="5">
<li>any one of 1,2,3 combined with 4 or 5</li>
</ol>
<p>Of course, it wouldn't make much sense to pursue only 
postconditions but not preconditions; clearly preconditions
are more essential than any of the other mechanisms.</p>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id50" id="the-proposal" name="the-proposal">4&nbsp;&nbsp;&nbsp;The proposal</a></h1>
<p>The idea is to extend C++</p>
<ul class="simple">
<li>function declarations with <a class="reference" href="#functionx">pre- and postconditions</a>,</li>
</ul>
<!--  -->
<ul class="simple">
<li>class declarations with <a class="reference" href="#class-invariants">class invariants</a>,</li>
</ul>
<!--  -->
<ul class="simple">
<li>block scope with <a class="reference" href="#block-invariants">block invariants</a>.</li>
</ul>
<!-- - namespace declarations and block scope with `namespace invariants`_. -->
<p>These new <em>contract scopes</em> can contain <a class="reference" href="#assertions">assertions</a> that
may be evaluated either at compile-time or at
run-time as part of the program to verify their correctness.</p>
<div class="section">
<h2><a class="toc-backref" href="#id51" id="assertions" name="assertions">4.1&nbsp;&nbsp;&nbsp;Assertions</a></h2>
<p>The basic building blocks of contracts are 
<em>assertions</em>.</p>
<div class="section">
<h3><a class="toc-backref" href="#id52" id="runtime-assertions" name="runtime-assertions">4.1.1&nbsp;&nbsp;&nbsp;Runtime assertions</a></h3>
<p>There are two flavors of assertions:</p>
<ol class="arabic">
<li><p class="first"><em>default</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>assertion</em> : <em>boolean-expression</em> <tt class="docutils literal"><span class="pre">;</span></tt></li>
</ol>
</dd>
<dt>example:</dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">std::cout.good();</span></tt></p>
</dd>
</dl>
</blockquote>
</li>
<li><p class="first"><em>select</em> assertions</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>assertion-sequence</em> : <em>assertion</em></li>
<li><em>assertion-sequence</em> : <em>assertion-sequence</em> <em>assertion</em></li>
<li><em>assertion-body</em> : <em>assertion</em></li>
<li><em>assertion-body</em> : <tt class="docutils literal"><span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>if-assertion</em> : <tt class="docutils literal"><span class="pre">if(</span></tt> <em>condition</em> <tt class="docutils literal"><span class="pre">)</span></tt> <em>assertion-body</em> <em>else-assertion</em> <sub>opt</sub></li>
<li><em>else-assertion</em> : <tt class="docutils literal"><span class="pre">else</span></tt> <em>assertion-body</em></li>
</ol>
</dd>
<dt>example:</dt>
<dd><dl class="first last docutils">
<dt><tt class="docutils literal"><span class="pre">if(</span> <span class="pre">empty()</span> <span class="pre">)</span></tt> </dt>
<dd><p class="first last"><tt class="docutils literal"><span class="pre">result</span> <span class="pre">==</span> <span class="pre">end();</span></tt></p>
</dd>
</dl>
</dd>
</dl>
</blockquote>
</li>
</ol>
<p>The following general points are worth noting:</p>
<ol class="arabic">
<li><p class="first">Default assertions defaults to calling <tt class="docutils literal"><span class="pre">terminate()</span></tt>, but the behavior can be <a class="reference" href="#failure-handler-functions">customized</a>.</p>
<blockquote>
</blockquote>
</li>
<li><p class="first">The select assertions remove the need for the implication operator that was discussed in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a>.</p>
</li>
<li><p class="first">The syntactic freedom has been kept minimal to ensure a good documentation effect.</p>
</li>
<li><p class="first">All visible functions and variables can be used within contract scope.</p>
</li>
<li><p class="first">Member reference within contract scope is subject to the same constraints as member reference within <tt class="docutils literal"><span class="pre">const</span></tt> member functions.</p>
</li>
</ol>
<!-- Wrt. constness, then contract scope behaves as if it was a const member function [2]_. -->
<ol class="arabic simple" start="6">
<li>If the compiler can determine that the condition of an assertion is true, it may choose not to evaluate 
that assertion.</li>
</ol>
<!-- James have alternative wording  -->
<!--  -->
<ol class="arabic simple" start="7">
<li>If the compiler can determine that the condition of an assertion is false, it may choose 
to call the <a class="reference" href="#failure-handler-functions">broken contract handler</a> or call the action without evaluating that condition.</li>
</ol>
</div>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id53" id="function-pre-and-postconditions" name="function-pre-and-postconditions"><span id="functionx"></span><span id="function"></span>4.2&nbsp;&nbsp;&nbsp;Function pre- and postconditions</a></h2>
<p>The function declaration and definition
are changed into:</p>
<blockquote>
<blockquote>
<ol class="arabic simple">
<li><em>precontracted-function</em> : <em>function-head</em></li>
<li><em>precontracted-function</em> : <em>function-head</em> <em>precondition-contract</em></li>
<li><em>postcontracted-function</em> : <em>precontracted-function</em></li>
<li><em>postcontracted-function</em> : <em>precontracted-function</em> <em>postcondition-contract</em></li>
<li><em>function-declaration</em> : <em>postcontracted-function</em> <tt class="docutils literal"><span class="pre">;</span></tt></li>
<li><em>function-definition</em> : <em>postcontracted-function</em> <tt class="docutils literal"><span class="pre">{</span></tt> <em>function-body</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>precondition-contract</em> : <tt class="docutils literal"><span class="pre">precondition</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>postcondition-contract</em> : <tt class="docutils literal"><span class="pre">postcondition</span></tt> <em>return-value-declaration</em><sub>opt</sub> <tt class="docutils literal"><span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
<li><em>return-value-declaration</em>: <tt class="docutils literal"><span class="pre">(</span></tt> <em>identifier</em> <tt class="docutils literal"><span class="pre">)</span></tt></li>
</ol>
</blockquote>
<p>example:</p>
<pre class="literal-block">
double sqrt( double r )
    precondition
    {
        r &gt; 0.;
    }
    postcondition( result )
    {
        equal_within_precision( result * result, r );
    }
</pre>
</blockquote>
<p>In the <em>return-value-declaration</em> we declare a local variable that acts as a <tt class="docutils literal"><span class="pre">const</span></tt> reference to the computed 
return value. It follows that a <em>return-value-declaration</em> is illegal if the return type is <tt class="docutils literal"><span class="pre">void</span></tt>.</p>
<p>The following general rules apply:</p>
<ol class="arabic">
<li><p class="first">If a function has both a declaration and a definition, the contracts must appear on the declaration.</p>
</li>
<li><p class="first"><span class="target" id="the-execution-of-a-function">The execution of a function</span> is now</p>
<blockquote>
<ol class="loweralpha simple">
<li>evaluate the precondition assertion by assertion in order starting from the top,</li>
</ol>
<!--  -->
<ol class="loweralpha simple" start="2">
<li>evaluate <tt class="docutils literal"><span class="pre">oldof</span></tt> occurrences in the postcondition,</li>
</ol>
<!--  -->
<ol class="loweralpha simple" start="3">
<li>evaluate the function body,</li>
</ol>
<!--  -->
<ol class="loweralpha simple" start="4">
<li>evaluate the postcondition assertion by assertion in order starting from the top <a class="footnote-reference" href="#id46" id="id12" name="id12">[11]</a>.</li>
</ol>
</blockquote>
</li>
<li><p class="first">The execution of a member function is now as in 2, but</p>
<blockquote>
<ol class="loweralpha simple">
<li><tt class="docutils literal"><span class="pre">2.a</span></tt> is <em>followed</em> by a call to the class invariant <a class="footnote-reference" href="#id44" id="id13" name="id13">[9]</a></li>
</ol>
<!--  -->
<ol class="loweralpha simple" start="2">
<li><tt class="docutils literal"><span class="pre">2.d</span></tt> is <em>preceded</em> by a call to the class invariant,</li>
</ol>
</blockquote>
</li>
<li><p class="first">Function-try-blocks can appear together with pre- and postconditions on function
definitions.</p>
</li>
<li><p class="first">Pre- and postconditions are evaluated outside any function-try-block.</p>
</li>
<li><p class="first">During execution of the postcondition other contracts (recursively encountered) are <em>not</em> evaluated.</p>
</li>
</ol>
<div class="section">
<h3><a class="toc-backref" href="#id54" id="virtual-functions" name="virtual-functions">4.2.1&nbsp;&nbsp;&nbsp;Virtual functions</a></h3>
<p>If the function <tt class="docutils literal"><span class="pre">F</span></tt> is virtual, we require that</p>
<ol class="arabic simple">
<li>only the base virtual function of <tt class="docutils literal"><span class="pre">F</span></tt> can have a precondition.</li>
</ol>
<p>Section <tt class="docutils literal"><span class="pre">3.5</span></tt> of <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> explains how little redefinition of preconditions is used. Even though
subcontracting is theoretically sound, it ends up being fairly useless in practice <a class="footnote-reference" href="#id38" id="id14" name="id14">[3]</a>.</p>
<p>Postconditions can be made stronger in a derived class as seen in the <a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a>.
We can summarize the remaining rules for virtual functions as</p>
<ol class="arabic simple" start="2">
<li>pure virtual functions can have contracts,</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>postconditions from a function in a base class and the overridden version in a derived class
are <em>AND</em>ed together <a class="footnote-reference" href="#id39" id="id15" name="id15">[4]</a>.</li>
</ol>
<p>The last rule ensures that the function in the derived class has a stronger postcondition <em>by design</em>.
A programmer can via a downcast obtain the stronger guarantee, but the runtime check must still
follow rule 3 above.</p>
<p>In connection with multiple inheritance we require special rules.
if <tt class="docutils literal"><span class="pre">F</span></tt> overrides more than one virtual function due to multiple inheritance,
it holds that</p>
<ol class="arabic simple" start="4">
<li>the precondition on <tt class="docutils literal"><span class="pre">F</span></tt> is an <em>OR</em>ing of the preconditions of all the
functions <tt class="docutils literal"><span class="pre">F</span></tt> override,</li>
</ol>
<!--  -->
<ol class="arabic simple" start="5">
<li>the postcondition on <tt class="docutils literal"><span class="pre">F</span></tt> is an <em>AND</em>ing of (1) the postconditions of all the
functions <tt class="docutils literal"><span class="pre">F</span></tt> override and (2) <tt class="docutils literal"><span class="pre">F</span></tt>'s own postcondition.</li>
</ol>
</div>
<div class="section">
<h3><a class="toc-backref" href="#id55" id="constructors" name="constructors">4.2.2&nbsp;&nbsp;&nbsp;Constructors</a></h3>
<p>Constructors behave much like member functions. This means that a constructor
can have a precondition and a postcondition. The precondition may not
reference member variables.</p>
</div>
<div class="section">
<h3><a class="toc-backref" href="#id56" id="function-pointers" name="function-pointers">4.2.3&nbsp;&nbsp;&nbsp;Function pointers</a></h3>
<p>If the address of a function is taken, it holds that</p>
<ol class="arabic simple">
<li>the precondition is evaluated before the function body when the function is called 
through the function pointer.</li>
</ol>
<p>Remark: A compiler might be able to determine that the precondition is satisfied, in that case
the compiler may generate a call directly to the function body 
(thus sharing implementation with the function pointer call).</p>
</div>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id57" id="keyword-oldof" name="keyword-oldof"><span id="keywordoldof"></span>4.3&nbsp;&nbsp;&nbsp;Keyword <tt class="docutils literal docutils literal"><span class="pre">oldof</span></tt></a></h2>
<p>It is very useful to be able to take a copy of a variable to compare
it with other values later. In particular, this is true in <a class="reference" href="#function">function postconditions</a>.</p>
<p>Assume <tt class="docutils literal"><span class="pre">i</span></tt> is a visible <tt class="docutils literal"><span class="pre">int</span></tt>, then the compiler translates</p>
<pre class="literal-block">
{
    oldof i == 42;
}
</pre>
<p>into</p>
<pre class="literal-block">
{
    const int __old_i( i );
    __old_i == 42;
}
</pre>
<p>A set of rules govern how <tt class="docutils literal"><span class="pre">oldof</span></tt> behaves within a certain contract:</p>
<ol class="arabic simple">
<li>If it is applied to the same expression <em>n</em> times, that expression need only be
evaluated once and only one copy need to be stored.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>The copy of its argument is taken <em>after</em> the precondition is evaluated and <em>before</em>
the function body is evaluated.</li>
</ol>
<p>The precondition should be evaluated first to allow it to report its errors first.
Notice that we can only apply <tt class="docutils literal"><span class="pre">oldof</span></tt> to objects of a type that defines a copy-constructor 
taking a <tt class="docutils literal"><span class="pre">const</span></tt> reference (ie., <tt class="docutils literal"><span class="pre">std::auto_ptr</span></tt> cannot be used).</p>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id58" id="class-invariants" name="class-invariants">4.4&nbsp;&nbsp;&nbsp;Class invariants</a></h2>
<p>Within class scope it is possible to define a class invariant:</p>
<blockquote>
<dl class="docutils">
<dt>syntax:</dt>
<dd><ol class="first last arabic simple">
<li><em>class-invariant</em> : <tt class="docutils literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
</ol>
</dd>
<dt>example: </dt>
<dd>see <a class="reference" href="#vector-example-hpp">vector_example.hpp</a></dd>
</dl>
</blockquote>
<p>The class invariant has the following properties:</p>
<ol class="arabic">
<li><p class="first">It must appear in the declaration of a class.</p>
</li>
<li><p class="first">It is inherited in the sense that the invariant of a derived class <em>implicitly</em> will have the base-class invariant(s)
<em>AND</em>ed to it (see also item 6-7).</p>
<blockquote>
<p>example:</p>
<pre class="literal-block">
struct base { invariant { ... } };
struct derived : base
{
    invariant
    {
        base::invariant(); // implicitly generated
        ...
    }
};
</pre>
<p>(Remark: the above is pseudo-code and is <em>not</em> affected by the disabling of assertions within assertions.)</p>
</blockquote>
</li>
<li><p class="first">It is called <em>implicitly</em> from public</p>
<blockquote>
<ol class="loweralpha simple">
<li><a class="reference" href="#function">pre- and postconditions</a>,</li>
</ol>
<ol class="loweralpha" start="2">
<li><p class="first">constructors,</p>
<blockquote>
<ul class="simple">
<li>call the class invariant <em>before</em> the postcondition,</li>
</ul>
</blockquote>
</li>
<li><p class="first">destructors,</p>
<blockquote>
<ul class="simple">
<li>call the class invariant <em>before</em> the destructor body.</li>
</ul>
</blockquote>
</li>
<li><p class="first">member functions that exit abnormally via an exception <a class="footnote-reference" href="#id40" id="id18" name="id18">[5]</a></p>
</li>
</ol>
</blockquote>
</li>
<li><p class="first"><span class="target" id="it-is-always-called">It is always called</span> as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    class_invariant();
}
catch( ... )
{
    std::class_invariant_broken();
}
</pre>
</li>
</ol>
<blockquote>
<ul class="simple">
<li>rationale: this ensures that exceptions thrown in the invariant cannot escape from functions 
and in particular not from the destructor. <a class="footnote-reference" href="#id41" id="id19" name="id19">[6]</a></li>
</ul>
</blockquote>
<ol class="arabic" start="5">
<li><p class="first">For its execution <em>during</em> construction <a class="footnote-reference" href="#id42" id="id20" name="id20">[7]</a> holds that:</p>
<blockquote>
<ol class="loweralpha">
<li><p class="first">each assertion is executed in order starting from the top <em>excluding</em> any part inherited,</p>
<blockquote>
<ul class="simple">
<li>rationale: if we do not exclude inherited parts, those parts would be evaluated multiple times.</li>
</ul>
</blockquote>
</li>
</ol>
</blockquote>
</li>
<li><p class="first">For its execution <em>after</em> construction holds that:</p>
<blockquote>
<ol class="loweralpha simple">
<li>each assertion is executed in order starting from the top <em>including</em> any part inherited,</li>
<li>if the class has any sub-classes, then the inherited portion is executed first,</li>
<li>if the class has several sub-classes the order of the classes in the base-clause is followed.</li>
</ol>
</blockquote>
</li>
<li><p class="first">During execution of the invariant other contracts (recursively encountered) are <em>not</em> evaluated.</p>
</li>
</ol>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id59" id="block-invariants" name="block-invariants">4.5&nbsp;&nbsp;&nbsp;block invariants</a></h2>
<p>To better support assertions at block scope we use block invariants:</p>
<blockquote>
<dl class="docutils">
<dt>syntax:    </dt>
<dd><ol class="first last arabic simple">
<li><em>block-invariant</em>: <tt class="docutils literal"><span class="pre">invariant</span> <span class="pre">{</span></tt> <em>assertion-sequence</em> <tt class="docutils literal"><span class="pre">}</span></tt></li>
</ol>
</dd>
</dl>
<p>example:</p>
<pre class="literal-block">
void foo()
{
    int i = 0;
    for(;;)
    {
        invariant { i &lt; 10; }
        ...
    }
}
</pre>
</blockquote>
<p>The block invariants use the same syntax as the class invariant.
The properties of block invariants are:</p>
<ol class="arabic">
<li><p class="first">they can appear multiple times in the same scope,</p>
</li>
<li><p class="first">they are always called as if surrounded by a try-catch block:</p>
<pre class="literal-block">
try
{
    block_invariant(); // pseudo code
}
catch( ... )
{
    std::block_invariant_broken();
}
</pre>
</li>
<li><p class="first">the order of evaluation of the assertions in an invariant is from top to bottom,</p>
</li>
</ol>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id60" id="failure-handler-functions" name="failure-handler-functions">4.6&nbsp;&nbsp;&nbsp;Failure handler functions</a></h2>
<p>The default behavior for all default assertions is to call <tt class="docutils literal"><span class="pre">terminate()</span></tt> via a call
to their respective handler. As seen below, we have a handler for each type of contract.
If the default behavior
is undesirable, the standard library provides the following handlers:</p>
<pre class="literal-block">
namespace std
{        
    void precondition_broken();
    void postcondition_broken();
    void class_invariant_broken();
    void block_invariant_broken();
    
    typedef void (*broken_contract_handler)();
    
    broken_contract_handler  set_precondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_postcondition_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_class_invariant_broken_handler( broken_contract_handler r ) throw();
    broken_contract_handler  set_block_invariant_handler( broken_contract_handler r ) throw();
}
</pre>
<p>This should provide plenty of room for customization. The precondition for all the <tt class="docutils literal"><span class="pre">set_XX_handler</span></tt>
functions should be <tt class="docutils literal"><span class="pre">r</span> <span class="pre">!=</span> <span class="pre">0</span></tt>.</p>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id61" id="changes-to-the-standard-library" name="changes-to-the-standard-library">4.7&nbsp;&nbsp;&nbsp;Changes to the standard library</a></h2>
<p>We suggest that no required changes should be made to
the standard library. An implementation is free to
implement all standard guarantees in terms of contract
code, but not required to.</p>
<!-- ======================================
IDEA PROPOSAL VERSUS STANDARDS CHANGES
======================================

This proposal presents ideas and syntax.  It is not itself a proposal
for changes in the text of the standard.  It is not yet time for text
changes.  The distinction enables us to mention the following two
subjects. -->
</div>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id62" id="contracts-for-performance" name="contracts-for-performance">5&nbsp;&nbsp;&nbsp;Contracts for performance</a></h1>
<p>This section discusses how contracts can help the compiler
to generate faster code.</p>
<p>A limited form of contract programming is the use of the <tt class="docutils literal"><span class="pre">assert()</span></tt>
macro.  Its use is standard practice in many software
projects.  Unfortunately, it suffers from several problems.  We
will evaluate these problems by distinguishing between a
library and its client.</p>
<div class="section">
<h2><a class="toc-backref" href="#id63" id="assert-is-evaluated-within-the-library" name="assert-is-evaluated-within-the-library">5.1&nbsp;&nbsp;&nbsp;<tt class="docutils literal docutils literal"><span class="pre">assert()</span></tt> is evaluated within the library</a></h2>
<p>As a consequence, the enabling or disabling of
assertion checking is a compile-time decision of the
library.  The result is generally either</p>
<ol class="arabic simple">
<li>no checking, in which case errors are lost, or</li>
<li>checking, in which case performance is lost.</li>
</ol>
<p>In contrast, preconditions may be evaluated in the
client.  The client decides on the acceptable tradeoff
between performance and checking.</p>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id64" id="assert-fails-to-distinguish-between-checking-arguments-and-validating-computations" name="assert-fails-to-distinguish-between-checking-arguments-and-validating-computations">5.2&nbsp;&nbsp;&nbsp;<tt class="docutils literal docutils literal"><span class="pre">assert()</span></tt> fails to distinguish between checking arguments and validating computations</a></h2>
<p>In well-tested production code, validating computation
is rarely needed, because the function has proven
itself.  On the other hand, checking arguments has
continuing need because of the evolution of callers.
With only a single form, programmers that turn off
validating computation for performance, will also turn
off checking arguments.</p>
<p>In contrast, the proposed syntactic distinction between
preconditions, postconditions and invariants preserves the very
real need to enable them separately.</p>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id65" id="assert-is-indistinguishable-from-regular-code" name="assert-is-indistinguishable-from-regular-code">5.3&nbsp;&nbsp;&nbsp;<tt class="docutils literal docutils literal"><span class="pre">assert()</span></tt> is indistinguishable from regular code</a></h2>
<p>As a consequence it is very difficult for a compiler to
make use of the contents of an <tt class="docutils literal"><span class="pre">assert()</span></tt> macro.</p>
<p>In contrast, preconditions, postconditions and invariants are very
visible to the compiler.  The compiler can use preconditions
and postconditions as a constraint on the value-space of
the code, which in turn enables optimization.</p>
<p>Explicit preconditions and postconditions enable optimization
in two ways.</p>
<ol class="arabic">
<li><p class="first">The compiler can eliminate conditions known statically.</p>
<blockquote>
<p>For example, given</p>
<pre class="literal-block">
char *foo()
postcondition( result ) { result != 0; };

void bar( char *arg )
precondition { arg != 0; }
...
bar( foo() )
</pre>
<p>the compiler can propagate the postcondition of <tt class="docutils literal"><span class="pre">foo()</span></tt>
to the precondition of <tt class="docutils literal"><span class="pre">bar()</span></tt> and entirely eliminate
the precondition checking in <tt class="docutils literal"><span class="pre">bar()</span></tt>.</p>
</blockquote>
</li>
<li><p class="first">The compiler can use conditions to guide code generation.</p>
<blockquote>
<p>For example, given</p>
<pre class="literal-block">
double sum( int count, double array[] )
precondition { count % 4 == 0; }
{
    double accum = 0.0;
    for ( int i = 0; i &lt; count; i++ )
            accum += array[i];
    return accum;
}
</pre>
<p>the compiler can unroll the loop four times, and avoid
generating the stuttering at the start of the loop.</p>
<p>Furthermore, given the same code but with a precondition of
<tt class="docutils literal"><span class="pre">count</span> <span class="pre">&gt;</span> <span class="pre">1000</span></tt>, the compiler could chose to implement the
loop in parallel.  Likewise, with <tt class="docutils literal"><span class="pre">count&lt;</span> <span class="pre">100</span></tt>, the
compiler may forgo any checking for the possibility of
parallelism.</p>
</blockquote>
</li>
</ol>
<!-- ``assert()`` does not allow the compiler to warn about side-effects
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -->
</div>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id66" id="implementation-model-for-contracts" name="implementation-model-for-contracts">6&nbsp;&nbsp;&nbsp;Implementation model for contracts</a></h1>
<p>This section discusses the feasibility of
implementation.  We provide an
implementation model that is reasonable and consistent with the
above proposal.</p>
<p>Consider the function</p>
<pre class="literal-block">
int factorial( int n )
precondition 
{
    0 &lt;= n &amp;&amp; n &lt;= 12;
}
postcondition( result ) 
{
    result &gt;= 1;
}
{
    if ( n &lt; 2 )
        return 1;
    else
        return n * factorial( n - 1 );
}
</pre>
<p>When all conditions are enabled, the compiler generates three
functions:</p>
<ol class="arabic">
<li><p class="first">The <em>core function</em> without any surrounding condition checking.</p>
<blockquote>
<p>Call this function when compiler switches disable all
condition evaluation.</p>
</blockquote>
</li>
<li><p class="first">A <em>postcondition evaluator</em>, which</p>
<blockquote>
<ol class="loweralpha simple">
<li>saves <tt class="docutils literal"><span class="pre">oldof</span></tt> values</li>
</ol>
<!--  -->
<ol class="loweralpha simple" start="2">
<li>evaluates class invariant</li>
</ol>
<!--  -->
<ol class="loweralpha simple" start="3">
<li>calls core function</li>
</ol>
<!--  -->
<ol class="loweralpha simple" start="4">
<li>evaluates class invariant</li>
</ol>
<!--  -->
<ol class="loweralpha" start="5">
<li><p class="first">evaluates the postcondition.</p>
<blockquote>
<p>Call this function from normal code when the caller
evaluates the preconditions.</p>
</blockquote>
</li>
</ol>
</blockquote>
</li>
<li><p class="first">A <em>precondition evaluator</em>, which executes the precondition
and then calls the postcondition evaluator.</p>
<blockquote>
<p>Call this function when the caller does not or cannot
evaluate the preconditions. (Remark: the precondition evaluator
would for example be used when
a function is called via a function-pointer.)</p>
</blockquote>
</li>
</ol>
<p>When postconditions and invariants are disabled, probably a library-build-time
decision, the first two functions above are identical, and may
be implemented as a single function with two labels.</p>
<p>When preconditions are disabled, a client-build-time decision,
the client simply calls the second function.</p>
<p>As an additional performance option, compilers can turn
of invariant evaluation while still enabling other conditions.
Furthermore, a compiler might choose to provide a switch for
generating a single call to the invariant in the constructor.</p>
<!-- Inside postconditions, pre- and postconditions are disabled. This is 
for example implemented by dispatching directly to the core function. -->
</div>
<div class="section">
<h1><a class="toc-backref" href="#id67" id="list-of-proposals-that-could-be-affected-by-this-proposal" name="list-of-proposals-that-could-be-affected-by-this-proposal">7&nbsp;&nbsp;&nbsp;List of proposals that could be affected by this proposal</a></h1>
<ol class="arabic simple">
<li>Concepts as described in <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1510.pdf">n1510</a>, <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1522.pdf">n1522</a>, <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2003/n1536.pdf">n1536</a> and <a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1758.pdf">n1758</a>.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>Any proposal that seeks to enhance meta-programming capabilities.</li>
</ol>
<!--  -->
<ol class="arabic simple" start="3">
<li>Proposals that seek to add special pragma-like attributes to 
block of code <a class="footnote-reference" href="#id45" id="id21" name="id21">[10]</a>.</li>
</ol>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id68" id="implementability" name="implementability">8&nbsp;&nbsp;&nbsp;Implementability</a></h1>
<p>We expect that it will take about 3 man months to implement the proposal without
dedicating any time to optimizations.</p>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id69" id="alternative-syntax" name="alternative-syntax">9&nbsp;&nbsp;&nbsp;Alternative syntax</a></h1>
<p>In Lillehammer it was suggested to
use normal C++ syntax for separation
of assertions. In particular it was suggested
to write an assertion-sequence as</p>
<pre class="literal-block">
{
    foo() &amp;&amp;
    bar() &amp;&amp;
    true;
}
</pre>
<p>instead of</p>
<pre class="literal-block">
{
    foo();
    bar();
    true;
} 
</pre>
<!-- A full example have been made with the proposed
syntax (see vector_example_alternative_syntax.hpp_). -->
<p>It is quite obvious that this syntax has the following
drawbacks:</p>
<ol class="arabic simple">
<li>it becomes harder for debuggers to break on
individual assertions, because the whole assertion-sequence
is a single statement</li>
</ol>
<!--  -->
<ol class="arabic simple" start="2">
<li>the ternary operator is much harder to read than if-statements</li>
</ol>
<!--  -->
</div>
<div class="section">
<h1><a class="toc-backref" href="#id70" id="list-of-examples" name="list-of-examples">10&nbsp;&nbsp;&nbsp;List of examples</a></h1>
<ul class="simple">
<li><a class="reference" href="#vector-example-hpp">vector_example.hpp</a></li>
<li><a class="reference" href="#subcontracting-example-hpp">subcontracting_example.hpp</a></li>
<li><a class="reference" href="#recursion-example">recursion example</a></li>
</ul>
<div class="section">
<h2><a class="toc-backref" href="#id71" id="vector-example-hpp" name="vector-example-hpp">10.1&nbsp;&nbsp;&nbsp;vector_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>
<pre>

<span class=comment>///////////////////////////////////////
// Tools
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>T</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* for simplicity, let us assume T's can be compared */</span> <span class=special>}</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>Iter</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Size</span> <span class=special>&gt;</span>
<span class=keyword>bool</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>Iter</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>Iter</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>Size</span> <span class=identifier>size</span> <span class=special>)</span>
<span class=special>{</span> <span class=comment>/* internal tagging mechnism so even input iterators can be passed */</span> <span class=special>}</span>

<span class=comment>///////////////////////////////////////
// New vector interface
///////////////////////////////////////</span>

<span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>T</span><span class=special>,</span> <span class=keyword>class</span> <span class=identifier>Alloc</span> <span class=special>=</span> <span class=identifier>allocator</span><span class=special>&lt;</span><span class=identifier>T</span><span class=special>&gt;</span> <span class=special>&gt;</span>
<span class=keyword>class</span> <span class=identifier>vector</span> 
<span class=special>{</span>
    <span class=keyword>invariant</span>
    <span class=special>{</span>
        <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>)</span> <span class=special>==</span> <span class=identifier>empty</span><span class=special>();</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>rbegin</span><span class=special>(),</span> <span class=identifier>rend</span><span class=special>()</span> <span class=special>);</span>
        <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span>
        <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span>
    <span class=special>}</span>
    
    
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>typedef</span> <span class=identifier>Alloc</span>                             <span class=identifier>allocator_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>pointer</span>           <span class=identifier>pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_pointer</span>     <span class=identifier>const_pointer</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>reference</span>         <span class=identifier>reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>const_reference</span>   <span class=identifier>const_reference</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=keyword>typename</span> <span class=identifier>Alloc</span><span class=special>::</span><span class=identifier>value_type</span>        <span class=identifier>value_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>const_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>size_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=special>...</span>                               <span class=identifier>difference_type</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>iterator</span><span class=special>&gt;</span>        <span class=identifier>reverse_iterator</span><span class=special>;</span>
    <span class=keyword>typedef</span> <span class=identifier>reverse_iterator</span><span class=special>&lt;</span><span class=identifier>const_iterator</span><span class=special>&gt;</span>  <span class=identifier>const_reverse_iterator</span><span class=special>;</span>

             <span class=identifier>vector</span><span class=special>()</span>                  
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span> 
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>
                 
    <span class=keyword>explicit</span> <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span> <span class=special>==</span> <span class=identifier>count</span><span class=special>;</span> 
                                 <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}:</span>
             
             <span class=identifier>vector</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span> <span class=special>}</span>
    
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span> 
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=identifier>vector</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>Alloc</span><span class=special>&amp;</span> <span class=identifier>al</span> <span class=special>);</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> 
                                 <span class=identifier>al</span> <span class=special>==</span> <span class=identifier>get_allocator</span><span class=special>();</span> <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>reserve</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span> <span class=special>)</span> 
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>count</span><span class=special>;</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>begin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_iterator</span> <span class=identifier>begin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>iterator</span> <span class=identifier>end</span><span class=special>();</span>
             <span class=identifier>const_iterator</span> <span class=identifier>end</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rbegin</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span> <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>rend</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>reverse_iterator</span> <span class=identifier>rend</span><span class=special>();</span>
             <span class=identifier>const_reverse_iterator</span> <span class=identifier>rend</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 1: with an if</span>
                 <span class=special>{</span> 
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>)</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>T</span><span class=special>()</span> <span class=special>);</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>resize</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>newsize</span><span class=special>,</span> <span class=identifier>T</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> <span class=comment>// version 2: with ternary operator</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>newsize</span><span class=special>;</span> 
                     <span class=identifier>newsize</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>())</span> <span class=special>?</span> 
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>)</span> <span class=special>:</span> <span class=keyword>true</span><span class=special>;</span>
                 <span class=special>}</span>
         
             <span class=identifier>size_type</span> <span class=identifier>size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&lt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>size_type</span> <span class=identifier>max_size</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>&gt;=</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=keyword>bool</span> <span class=identifier>empty</span><span class=special>()</span> <span class=keyword>const</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> <span class=special>{</span> <span class=keyword>result</span> <span class=special>==</span> <span class=special>(</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=number>0</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=identifier>Alloc</span> <span class=identifier>get_allocator</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
             
             <span class=identifier>reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>);</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>at</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=identifier>reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>

             <span class=identifier>const_reference</span> <span class=keyword>operator</span><span class=special>[](</span> <span class=identifier>size_type</span> <span class=identifier>off</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=identifier>off</span> <span class=special>&lt;</span> <span class=identifier>size</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>front</span><span class=special>();</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>front</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
    
             <span class=identifier>reference</span> <span class=identifier>back</span><span class=special>()</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
             
             <span class=identifier>const_reference</span> <span class=identifier>back</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
                 <span class=keyword>precondition</span> <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>push_back</span><span class=special>(</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>back</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span> 
                                 <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span> 
                                 <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>pop_back</span><span class=special>()</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> <span class=special>}</span>
             
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span> <span class=special>{</span><span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span><span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>equal_distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span><span class=special>,</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>);</span> <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>assign</span><span class=special>(</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>begin</span><span class=special>(),</span> <span class=identifier>end</span><span class=special>(),</span> <span class=identifier>val</span> <span class=special>);</span> <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&lt;</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                     <span class=special>*</span><span class=keyword>result</span> <span class=special>==</span> <span class=identifier>val</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span>  <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=number>1</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
             
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>size_type</span> <span class=identifier>count</span><span class=special>,</span> <span class=keyword>const</span> <span class=identifier>T</span><span class=special>&amp;</span> <span class=identifier>val</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span>
                     
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=keyword>template</span><span class=special>&lt;</span> <span class=keyword>class</span> <span class=identifier>InIt</span> <span class=special>&gt;</span>
             <span class=keyword>void</span> <span class=identifier>insert</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>InIt</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=string>&quot;The range [first,last) is not a sub-range of [begin(),end())&quot;</span><span class=special>;</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span> <span class=special>&lt;=</span> <span class=identifier>max_size</span><span class=special>();</span> 
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span>
                 <span class=special>{</span>
                     <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>;</span>
                     <span class=identifier>capacity</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>();</span>
        
                     <span class=keyword>if</span><span class=special>(</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>capacity</span><span class=special>()</span> <span class=special>)</span>
                     <span class=special>{</span>
                         <span class=identifier>all_equals</span><span class=special>(</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>),</span> <span class=identifier>oldof</span> <span class=identifier>prior</span><span class=special>(</span><span class=identifier>where</span><span class=special>)</span> <span class=special>+</span> <span class=identifier>count</span><span class=special>,</span> <span class=identifier>val</span> <span class=special>);</span>
                         <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                     <span class=special>}</span>
                     <span class=keyword>else</span>
                         <span class=string>&quot;All iterators have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>where</span> <span class=special>);</span>
                 <span class=keyword>precondition</span>  
                 <span class=special>{</span> 
                     <span class=keyword>not</span> <span class=identifier>empty</span><span class=special>();</span> 
                     <span class=identifier>where</span> <span class=special>!=</span> <span class=identifier>end</span><span class=special>();</span>
                 <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=number>1</span><span class=special>;</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [where,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>
                 
             <span class=identifier>iterator</span> <span class=identifier>erase</span><span class=special>(</span> <span class=identifier>iterator</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>iterator</span> <span class=identifier>last</span> <span class=special>)</span>
                 <span class=keyword>precondition</span>  <span class=special>{</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>&gt;=</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> <span class=special>}</span>
                 <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
                 <span class=special>{</span>
                      <span class=identifier>size</span><span class=special>()</span> <span class=special>==</span> <span class=identifier>oldof</span> <span class=identifier>size</span><span class=special>()</span> <span class=special>-</span> <span class=identifier>std</span><span class=special>::</span><span class=identifier>distance</span><span class=special>(</span> <span class=identifier>first</span><span class=special>,</span> <span class=identifier>last</span> <span class=special>);</span> 
                      <span class=keyword>if</span><span class=special>(</span> <span class=identifier>empty</span><span class=special>()</span> <span class=special>)</span>
                          <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>end</span><span class=special>();</span>
                      <span class=string>&quot;All iterators in the range [first,end()) have been invalidated&quot;</span><span class=special>;</span>
                 <span class=special>}</span>

             <span class=keyword>void</span> <span class=identifier>clear</span><span class=special>();</span>
                 <span class=keyword>postcondition</span> <span class=special>{</span> <span class=identifier>empty</span><span class=special>();</span> <span class=special>}</span>
                 
             <span class=keyword>void</span> <span class=identifier>swap</span><span class=special>(</span> <span class=identifier>vector</span><span class=special>&amp;</span> <span class=identifier>right</span> <span class=special>)</span>
                 <span class=keyword>postcondition</span> 
                 <span class=special>{</span> 
                     <span class=identifier>oldof</span> <span class=special>*</span><span class=keyword>this</span> <span class=special>==</span> <span class=identifier>right</span><span class=special>;</span>
                     <span class=identifier>oldof</span> <span class=identifier>right</span> <span class=special>==</span> <span class=special>*</span><span class=keyword>this</span><span class=special>;</span>
                 <span class=special>}</span>
             
<span class=special>};</span> <span class=comment>// class 'vector'</span>

</pre>
</body>
</html>
</div>
<div class="section">
<h2><a class="toc-backref" href="#id72" id="subcontracting-example-hpp" name="subcontracting-example-hpp">10.2&nbsp;&nbsp;&nbsp;subcontracting_example.hpp</a></h2>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title> </title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body>

<pre>
<span class=comment>//
// This example shows how Contract Programming 
// allows one to keep the virtual function public 
// and still enforce the contract of the function
//</span>

<span class=keyword>class</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>virtual</span> <span class=special>~</span><span class=identifier>shape</span><span class=special>()</span> <span class=special>{}</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span> <span class=special>=</span> <span class=number>0</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span> 
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>&gt;</span> <span class=number>0</span><span class=special>;</span>
        <span class=special>}</span>
<span class=special>};</span>

<span class=keyword>class</span> <span class=identifier>circle</span> <span class=special>:</span> <span class=keyword>public</span> <span class=identifier>shape</span>
<span class=special>{</span>
<span class=keyword>public</span><span class=special>:</span>
    <span class=keyword>int</span> <span class=identifier>radius</span><span class=special>()</span> <span class=keyword>const</span><span class=special>;</span>
    
    <span class=keyword>virtual</span> <span class=keyword>int</span> <span class=identifier>compute_area</span><span class=special>()</span> <span class=keyword>const</span>
        <span class=keyword>postcondition</span><span class=special>(</span> <span class=keyword>result</span> <span class=special>)</span>
        <span class=special>{</span>
            <span class=keyword>result</span> <span class=special>==</span> <span class=identifier>pi</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>()</span> <span class=special>*</span> <span class=identifier>radius</span><span class=special>();</span>
        <span class=special>}</span>
<span class=special>};</span>
</pre>


</body>
</html>



</div>
<div class="section">
<h2><a class="toc-backref" href="#id73" id="recursion-example" name="recursion-example">10.3&nbsp;&nbsp;&nbsp;recursion example</a></h2>
<p>Consider the relationship between these two comparison operators:</p>
<pre class="literal-block">
bool operator==( T l, T r )
    postcondition( result )
    {
        result == !( l != r );
    }
        
bool operator!=( T l, T r )
    postcondition( result )
    {
        result == !( l == r );
    }
</pre>
<p>There is no easy way we can express that using an <tt class="docutils literal"><span class="pre">assert()</span></tt>
in the body of the functions.</p>
</div>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id74" id="comparison-of-contract-programming-in-d-eiffel-and-c" name="comparison-of-contract-programming-in-d-eiffel-and-c">11&nbsp;&nbsp;&nbsp;Comparison of Contract Programming in D, Eiffel and C++</a></h1>
<p>The table below contains a comparison of how Contract
Programming is implemented in D, Eiffel and C++.</p>
<table border="1" class="docutils">
<colgroup>
<col width="25%" />
<col width="21%" />
<col width="20%" />
<col width="34%" />
</colgroup>
<tbody valign="top">
<tr><td><strong>Feature</strong></td>
<td><strong>ISE Eiffel 5.4</strong></td>
<td><strong>D</strong></td>
<td><strong>C++ Proposal</strong></td>
</tr>
<tr><td><em>keywords</em></td>
<td><tt class="docutils literal"><span class="pre">require</span></tt>, <tt class="docutils literal"><span class="pre">ensure</span></tt>,
<tt class="docutils literal"><span class="pre">do</span></tt>, <tt class="docutils literal"><span class="pre">require</span> <span class="pre">else</span></tt>,
<tt class="docutils literal"><span class="pre">ensure</span> <span class="pre">then</span></tt>, <tt class="docutils literal"><span class="pre">invariant</span></tt>,
<tt class="docutils literal"><span class="pre">old</span></tt>, <tt class="docutils literal"><span class="pre">result</span></tt>,
<tt class="docutils literal"><span class="pre">variant</span></tt></td>
<td><tt class="docutils literal"><span class="pre">in</span></tt>, <tt class="docutils literal"><span class="pre">out</span></tt>, <tt class="docutils literal"><span class="pre">body</span></tt>,
<tt class="docutils literal"><span class="pre">invariant</span></tt>, <tt class="docutils literal"><span class="pre">assert</span></tt>,
<tt class="docutils literal"><span class="pre">static</span></tt></td>
<td><tt class="docutils literal"><span class="pre">precondition</span></tt>,
<tt class="docutils literal"><span class="pre">postcondition</span></tt>,
<tt class="docutils literal"><span class="pre">invariant</span></tt>, <tt class="docutils literal"><span class="pre">oldof</span></tt></td>
</tr>
<tr><td><em>on failure</em></td>
<td>throws exception</td>
<td>throws exception</td>
<td>defaults to <tt class="docutils literal"><span class="pre">terminate()</span></tt>,
defaults can be customized,
might throw</td>
</tr>
<tr><td><em>expression copying in postconditions</em></td>
<td>yes, <tt class="docutils literal"><span class="pre">old</span></tt> keyword</td>
<td>no</td>
<td>yes, <tt class="docutils literal"><span class="pre">oldof</span></tt> keyword</td>
</tr>
<tr><td><em>subcontracting</em></td>
<td>yes</td>
<td>yes</td>
<td>yes, but only considers
postconditions</td>
</tr>
<tr><td><em>contracts on abstract functions</em></td>
<td>yes</td>
<td>no (planned)</td>
<td>yes</td>
</tr>
<tr><td><em>arbitrary code contracts</em></td>
<td>yes</td>
<td>yes</td>
<td>no, must be const correct</td>
</tr>
<tr><td><em>function code ordering</em></td>
<td>pre -&gt; body -&gt; post</td>
<td>pre -&gt; post -&gt; body</td>
<td>pre -&gt; post -&gt; body</td>
</tr>
<tr><td><em>compile-time assertions</em></td>
<td>no</td>
<td>yes</td>
<td>no</td>
</tr>
<tr><td><em>loop invariants</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>loop variants</em></td>
<td>yes</td>
<td>no</td>
<td>no</td>
</tr>
<tr><td><em>const-correct</em></td>
<td>no</td>
<td>no</td>
<td>yes</td>
</tr>
<tr><td><em>invariant calls</em></td>
<td><ul class="first last simple">
<li>end of &quot;constructor&quot;</li>
<li>around public functions</li>
</ul>
</td>
<td><ul class="first last simple">
<li>end of constructor</li>
<li>around public functions</li>
<li>start of destructor</li>
</ul>
</td>
<td><ul class="first last simple">
<li>as in D</li>
<li>when a function exits due to an exception</li>
</ul>
</td>
</tr>
<tr><td><em>disabling of checks during assertions</em></td>
<td>yes</td>
<td>no</td>
<td>yes, but not in preconditions</td>
</tr>
<tr><td><em>when public func. call public func.</em></td>
<td>disable all checks</td>
<td>disable nothing</td>
<td>disable nothing</td>
</tr>
<tr><td><em>removable from object code</em></td>
<td>yes</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id75" id="list-of-contract-programming-resources" name="list-of-contract-programming-resources">12&nbsp;&nbsp;&nbsp;List of Contract Programming resources</a></h1>
<p>This section provides links to a few of the many resources
on Contract Programming.</p>
<p>Earlier proposals:</p>
<ul class="simple">
<li><a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1866.html">n1866</a> (revision 3)</li>
</ul>
<!--  -->
<ul class="simple">
<li><a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1800.pdf">n1800</a> (motivation slides)</li>
</ul>
<ul class="simple">
<li><a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2005/n1773.html">n1773</a> (revision 2)</li>
</ul>
<!--  -->
<ul class="simple">
<li><a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1669.html">n1669</a> (revision 1)</li>
</ul>
<!--  -->
<ul class="simple">
<li><a class="reference" href="http://www.open-std.org/JTC1/SC22/WG21/docs/papers/2004/n1613.pdf">n1613</a> (initial paper)</li>
</ul>
<p>C++ Contract Programming:</p>
<ul class="simple">
<li><a class="reference" href="http://www.digitalmars.com/ctg/contract.html">Contracts in the Digital Mars C++ compiler</a></li>
</ul>
<ul class="simple">
<li>Beman Dave's <a class="reference" href="http://www.esva.net/~beman/early_program_error_detection.html">Early Program Error Detection</a></li>
</ul>
<ul class="simple">
<li>Matthew Wilson's <a class="reference" href="http://www.artima.com/cppsource/deepspace.html">Contract Programming 101</a></li>
</ul>
<ul class="simple">
<li>The <a class="reference" href="http://www.aechmea.de/html/german/home_00_index_e.htm">C^2 Contract Programming add-on for C++</a></li>
</ul>
<p>Contract Programming in other languages:</p>
<ul class="simple">
<li><a class="reference" href="http://www.digitalmars.com/d/dbc.html">Contracts in D</a></li>
</ul>
<ul class="simple">
<li><a class="reference" href="http://research.microsoft.com/specsharp/">The Spec# programming system</a> (C# extension)</li>
</ul>
<ul class="simple">
<li>Parasoft's <a class="reference" href="http://www.parasoft.com/jsp/products/home.jsp?product=Jcontract&amp;itemId=30">Jcontract</a> (Java preprocessor)</li>
</ul>
<ul class="simple">
<li>RemObject's <a class="reference" href="http://www.chromesville.com/page.asp?id={DFA00D71-D5A4-40A3-9FD0-251899EB30D8}">Contracts in Chrome</a> (Object pascal for .NET)</li>
</ul>
<ul class="simple">
<li>SparkAda's <a class="reference" href="http://www.praxis-his.com/sparkada/language.asp">Proof Contexts</a></li>
</ul>
</div>
<div class="section">
<h1><a class="toc-backref" href="#id76" id="acknowledgements" name="acknowledgements">13&nbsp;&nbsp;&nbsp;Acknowledgements</a></h1>
<p>The following people has been provided feedback and comments throughout the proposals
history: Reece Dunn, Douglas Gregor, Alf Steinbach, Matthew Wilson, 
Berend de Boer, Darren Cook, Pavel Vozenilek, Scott Meyers, Attila Fehér, Walter Bright,
Per Madsen, Kevlin Henney, Sergey Vlasov, Bob Bell, John Nagle, Daveed Vandevoorde,
Jaakko Jarvi, Christopher Diggins, John Torjo, Robert Kawulak, Dave Harris, Michael Wong, 
Thomas Witt, Tim Rowe, Scott Meyers and Andrei Alexandrescu.</p>
<p>Special thanks goes to David Abrahams and James Widman.</p>
<!-- ############################################### -->
<!-- ################## Links ###################### -->
<!-- ############################################### -->
</div>
<div class="section">
<h1><a class="toc-backref" href="#id77" id="footnotes" name="footnotes">14&nbsp;&nbsp;&nbsp;Footnotes</a></h1>
<!-- ############################################### -->
<!-- ################## Footnotes ################## -->
<!-- ############################################### -->
<table class="docutils footnote" frame="void" id="id35" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id1" name="id35">[0]</a></td><td>For example, if the compiler can determine that a precondition is satisfied,
it can call a function where the precondition is not checked. Also, the 
compiler can always assume contracts to be true; hence the compiler can take
advantage of the precondition in the function body.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id36" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id3" name="id36">[1]</a></td><td><p class="first">Even experienced programmers can choke on the word &quot;invariant&quot; and what it
means for a class to have one. There are a few simple rules we want  
all programmers to learn:</p>
<ol class="last arabic simple">
<li>that classes can have invariants and that subclasses have stronger or equally strong invariants,</li>
<li>that functions have pre- and postconditions: the implementer has as his obligation to fulfill the 
postcondition assuming the precondition holds; the user has as his obligation to fulfill the precondition
and receives the benefits of the postcondition in return,</li>
<li>that public functions cannot break the class invariant.</li>
</ol>
</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id37" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a name="id37">[2]</a></td><td>A good compiler will emit warnings whenever a mutation is detected within a contract. This is 
a major advantage compared to the ad hoc solutions programmers use today; there is no special
scope and hence no way the compiler can emit those warnings.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id38" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id14" name="id38">[3]</a></td><td>A weaker precondition can be taken advantage of if we know the particular type
of the object. If weaker preconditions should be allowed, then there exists two
alternatives: to allow reuse of an existing contract or to require a complete
redefinition. The former favours expressiveness, the latter favours
overview.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id39" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id15" name="id39">[4]</a></td><td>In some cases the compiler will be able to determine overlapping expression and hence
optimize some assertions away.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id40" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id18" name="id40">[5]</a></td><td>To ensure that the function gives the basic guarantee of exception-safety.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id41" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id19" name="id41">[6]</a></td><td>One can imagine an approach where exceptions could escape from an invariant by not checking
invariants when functions exit via an exception. The benefits of such an approach are not
obvious and it will complicate flow analysis unnecessarily.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id42" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id20" name="id42">[7]</a></td><td>During construction means until the post-condition of the constructor has ended.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id43" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id2" name="id43">[8]</a></td><td><p class="first">An unfortunate problem is in OO-programming is
that a newly added virtual function in a base class <tt class="docutils literal"><span class="pre">B</span></tt> may suddenly be overridden by an
otherwise non-virtual member function in the derived class <tt class="docutils literal"><span class="pre">D</span></tt>. With a contract-enabled compiler we 
can avoid some of these problems:</p>
<ul class="last simple">
<li>If the virtual function <tt class="docutils literal"><span class="pre">B::foo(...)</span></tt> specifies a precondition, it is illegal for
<tt class="docutils literal"><span class="pre">D::foo(...)</span></tt> to also specify one. In this case we get a compile error.</li>
<li>If the virtual function <tt class="docutils literal"><span class="pre">B::foo(...)</span></tt> specifies pre- and/or postconditions and
<tt class="docutils literal"><span class="pre">D::foo(...)</span></tt> does  not have any contracts, the code compiles. However, if 
<tt class="docutils literal"><span class="pre">D::foo(...)</span></tt> is unsuited for overriding <tt class="docutils literal"><span class="pre">B::foo(...)</span></tt> with, we will quickly
get a runtime error when either the pre- or postconditions fails.</li>
<li>If <tt class="docutils literal"><span class="pre">B::foo(...)</span></tt> does not enforce any contract, we do not get any help.</li>
</ul>
</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id44" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id13" name="id44">[9]</a></td><td>Strictly speaking the invariant needs to hold <em>before</em> the precondition is executed
because the contracts might call public functions of the class which require the invariant to be established.
Currently we do not expect that to be a practical problem though, and the current specification
is easier to implement.</td></tr>
</tbody>
</table>
<!-- However, after an object has been constructed, we know that the invariant holds and so the
check is completely redundant. An implementation might insert the
check anyway merely as an additional debugging help.  -->
<table class="docutils footnote" frame="void" id="id45" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a name="id45">[10]</a></td><td><em>(<a class="fn-backref" href="#id5">1</a>, <a class="fn-backref" href="#id21">2</a>)</em> In many contexts it is useful to inform the compiler of certain properties. This is true for
efficient garbage collection as well as Contract Programming. The same mechanism may be reused
to tag a piece of code with some property; in this case we would like to tag individual
assertions.</td></tr>
</tbody>
</table>
<table class="docutils footnote" frame="void" id="id46" rules="none">
<colgroup><col class="label" /><col /></colgroup>
<tbody valign="top">
<tr><td class="label"><a class="fn-backref" href="#id12" name="id46">[11]</a></td><td>Note that if an exception is thrown in the function body, the postcondition is not
evaluated.</td></tr>
</tbody>
</table>
</div>
</div>
</body>
</html>
