tmp/tmp3ge6c03t/{from.md → to.md}
RENAMED
|
@@ -0,0 +1,221 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
### Evaluation <a id="basic.contract.eval">[[basic.contract.eval]]</a>
|
| 2 |
+
|
| 3 |
+
An evaluation of a contract assertion uses one of the following four
|
| 4 |
+
*evaluation semantics*: *ignore*, *observe*, *enforce*, or
|
| 5 |
+
*quick-enforce*. Observe, enforce, and quick-enforce are *checking
|
| 6 |
+
semantics*; enforce and quick-enforce are *terminating semantics*.
|
| 7 |
+
|
| 8 |
+
It is *implementation-defined* which evaluation semantic is used for any
|
| 9 |
+
given evaluation of a contract assertion.
|
| 10 |
+
|
| 11 |
+
[*Note 1*: The range and flexibility of available choices of evaluation
|
| 12 |
+
semantics depends on the implementation and need not allow all four
|
| 13 |
+
evaluation semantics as possibilities. The evaluation semantics can
|
| 14 |
+
differ for different evaluations of the same contract assertion,
|
| 15 |
+
including evaluations during constant evaluation. — *end note*]
|
| 16 |
+
|
| 17 |
+
*Recommended practice:* An implementation should provide the option to
|
| 18 |
+
translate a program such that all evaluations of contract assertions use
|
| 19 |
+
the ignore semantic as well as the option to translate a program such
|
| 20 |
+
that all evaluations of contract assertions use the enforce semantic. By
|
| 21 |
+
default, evaluations of contract assertions should use the enforce
|
| 22 |
+
semantic.
|
| 23 |
+
|
| 24 |
+
The evaluation of a contract assertion using the ignore semantic has no
|
| 25 |
+
effect.
|
| 26 |
+
|
| 27 |
+
[*Note 2*: The predicate is potentially evaluated [[basic.def.odr]],
|
| 28 |
+
but not evaluated. — *end note*]
|
| 29 |
+
|
| 30 |
+
The evaluation A of a contract assertion using a checking semantic
|
| 31 |
+
determines the value of the predicate. It is unspecified whether the
|
| 32 |
+
predicate is evaluated. Let B be the value that would result from
|
| 33 |
+
evaluating the predicate.
|
| 34 |
+
|
| 35 |
+
[*Note 3*:
|
| 36 |
+
|
| 37 |
+
To determine whether a predicate would evaluate to `true` or `false`, an
|
| 38 |
+
alternative evaluation that produces the same value as the predicate but
|
| 39 |
+
has no side effects can occur.
|
| 40 |
+
|
| 41 |
+
[*Example 1*:
|
| 42 |
+
|
| 43 |
+
``` cpp
|
| 44 |
+
struct S {
|
| 45 |
+
mutable int g = 5;
|
| 46 |
+
} s;
|
| 47 |
+
void f()
|
| 48 |
+
pre(( s.g++, false )); // #1
|
| 49 |
+
void g()
|
| 50 |
+
{
|
| 51 |
+
f(); // Increment of s.g might not occur, even if #1 uses a checking semantic.
|
| 52 |
+
}
|
| 53 |
+
```
|
| 54 |
+
|
| 55 |
+
— *end example*]
|
| 56 |
+
|
| 57 |
+
— *end note*]
|
| 58 |
+
|
| 59 |
+
There is an observable checkpoint [[intro.abstract]] C that happens
|
| 60 |
+
before A such that any other operation O that happens before A also
|
| 61 |
+
happens before C.
|
| 62 |
+
|
| 63 |
+
A *contract violation* occurs when
|
| 64 |
+
|
| 65 |
+
- B is `false`,
|
| 66 |
+
- the evaluation of the predicate exits via an exception, or
|
| 67 |
+
- the evaluation of the predicate is performed in a context that is
|
| 68 |
+
manifestly constant-evaluated [[expr.const]] and the predicate is not
|
| 69 |
+
a core constant expression.
|
| 70 |
+
|
| 71 |
+
[*Note 4*: If B is `true`, no contract violation occurs and control
|
| 72 |
+
flow continues normally after the point of evaluation of the contract
|
| 73 |
+
assertion. The evaluation of the predicate can fail to produce a value
|
| 74 |
+
without causing a contract violation, for example, by calling `longjmp`
|
| 75 |
+
[[csetjmp.syn]] or terminating the program. — *end note*]
|
| 76 |
+
|
| 77 |
+
If a contract violation occurs in a context that is manifestly
|
| 78 |
+
constant-evaluated [[expr.const]], and the evaluation semantic is a
|
| 79 |
+
terminating semantic, the program is ill-formed.
|
| 80 |
+
|
| 81 |
+
[*Note 5*: A diagnostic is produced if the evaluation semantic is
|
| 82 |
+
observe [[intro.compliance]]. — *end note*]
|
| 83 |
+
|
| 84 |
+
[*Note 6*:
|
| 85 |
+
|
| 86 |
+
Different evaluation semantics chosen for the same contract assertion in
|
| 87 |
+
different translation units can result in violations of the
|
| 88 |
+
one-definition rule [[basic.def.odr]] when a contract assertion has side
|
| 89 |
+
effects that alter the value produced by a constant expression.
|
| 90 |
+
|
| 91 |
+
[*Example 2*:
|
| 92 |
+
|
| 93 |
+
``` cpp
|
| 94 |
+
constexpr int f(int i)
|
| 95 |
+
{
|
| 96 |
+
contract_assert((++const_cast<int&>(i), true));
|
| 97 |
+
return i;
|
| 98 |
+
}
|
| 99 |
+
inline void g()
|
| 100 |
+
{
|
| 101 |
+
int a[f(1)]; // size dependent on the evaluation semantic of contract_assert above
|
| 102 |
+
}
|
| 103 |
+
```
|
| 104 |
+
|
| 105 |
+
— *end example*]
|
| 106 |
+
|
| 107 |
+
— *end note*]
|
| 108 |
+
|
| 109 |
+
When the program is *contract-terminated*, it is
|
| 110 |
+
*implementation-defined* (depending on context) whether
|
| 111 |
+
|
| 112 |
+
- `std::terminate` is called,
|
| 113 |
+
- `std::abort` is called, or
|
| 114 |
+
- execution is terminated. \[*Note 7*: No further execution steps occur
|
| 115 |
+
[[intro.progress]]. — *end note*]
|
| 116 |
+
|
| 117 |
+
[*Note 8*: Performing the actions of `std::terminate` or `std::abort`
|
| 118 |
+
without actually making a library call is a conforming implementation of
|
| 119 |
+
contract-termination [[intro.abstract]]. — *end note*]
|
| 120 |
+
|
| 121 |
+
If a contract violation occurs in a context that is not manifestly
|
| 122 |
+
constant-evaluated and the evaluation semantic is quick-enforce, the
|
| 123 |
+
program is contract-terminated.
|
| 124 |
+
|
| 125 |
+
If a contract violation occurs in a context that is not manifestly
|
| 126 |
+
constant-evaluated and the evaluation semantic is enforce or observe,
|
| 127 |
+
the contract-violation handler [[basic.contract.handler]] is invoked
|
| 128 |
+
with an lvalue referring to an object `v` of type
|
| 129 |
+
`const std::contracts::contract_violation`
|
| 130 |
+
[[support.contract.violation]] containing information about the contract
|
| 131 |
+
violation. Storage for `v` is allocated in an unspecified manner except
|
| 132 |
+
as noted in [[basic.stc.dynamic.allocation]]. The lifetime of `v`
|
| 133 |
+
persists for the duration of the invocation of the contract-violation
|
| 134 |
+
handler.
|
| 135 |
+
|
| 136 |
+
If the contract violation occurred because the evaluation of the
|
| 137 |
+
predicate exited via an exception, the contract-violation handler is
|
| 138 |
+
invoked from within an active implicit handler for that exception
|
| 139 |
+
[[except.handle]]. If the contract-violation handler returns normally
|
| 140 |
+
and the evaluation semantic is observe, that implicit handler is no
|
| 141 |
+
longer considered active.
|
| 142 |
+
|
| 143 |
+
[*Note 9*: The exception can be inspected or rethrown within the
|
| 144 |
+
contract-violation handler. — *end note*]
|
| 145 |
+
|
| 146 |
+
If the contract-violation handler returns normally and the evaluation
|
| 147 |
+
semantic is enforce, the program is contract-terminated; if violation
|
| 148 |
+
occurred as the result of an uncaught exception from the evaluation of
|
| 149 |
+
the predicate, the implicit handler remains active when contract
|
| 150 |
+
termination occurs.
|
| 151 |
+
|
| 152 |
+
[*Note 10*: If the contract-violation handler returns normally and the
|
| 153 |
+
evaluation semantic is observe, control flow continues normally after
|
| 154 |
+
the point of evaluation of the contract assertion. — *end note*]
|
| 155 |
+
|
| 156 |
+
There is an observable checkpoint [[intro.abstract]] C that happens
|
| 157 |
+
after the contract-violation handler returns normally such that any
|
| 158 |
+
other operation O that happens after the contract-violation handler
|
| 159 |
+
returns also happens after C.
|
| 160 |
+
|
| 161 |
+
[*Note 11*: The terminating semantics terminate the program if
|
| 162 |
+
execution would otherwise continue normally past a contract violation:
|
| 163 |
+
the enforce semantic provides the opportunity to log information about
|
| 164 |
+
the contract violation before terminating the program or to throw an
|
| 165 |
+
exception to avoid termination, and the quick-enforce semantic is
|
| 166 |
+
intended to terminate the program as soon as possible as well as to
|
| 167 |
+
minimize the impact of contract checks on the generated code size.
|
| 168 |
+
Conversely, the observe semantic provides the opportunity to log
|
| 169 |
+
information about the contract violation without having to terminate the
|
| 170 |
+
program. — *end note*]
|
| 171 |
+
|
| 172 |
+
If a contract-violation handler invoked from the evaluation of a
|
| 173 |
+
function contract assertion [[dcl.contract.func]] exits via an
|
| 174 |
+
exception, the behavior is as if the function body exits via that same
|
| 175 |
+
exception.
|
| 176 |
+
|
| 177 |
+
[*Note 12*: A *function-try-block* [[except.pre]] is the function body
|
| 178 |
+
when present and thus does not have an opportunity to catch the
|
| 179 |
+
exception. If the function has a non-throwing exception specification,
|
| 180 |
+
the function `std::terminate` is invoked
|
| 181 |
+
[[except.terminate]]. — *end note*]
|
| 182 |
+
|
| 183 |
+
[*Note 13*: If a contract-violation handler invoked from an
|
| 184 |
+
*assertion-statement* [[stmt.contract.assert]] exits via an exception,
|
| 185 |
+
the search for a handler continues from the execution of that
|
| 186 |
+
statement. — *end note*]
|
| 187 |
+
|
| 188 |
+
To *evaluate in sequence* a list R of contract assertions:
|
| 189 |
+
|
| 190 |
+
- Construct a list of contract assertions S such that
|
| 191 |
+
- all elements of R are in S,
|
| 192 |
+
- each element of R may be repeated an *implementation-defined* number
|
| 193 |
+
of times within S, and
|
| 194 |
+
- if a contract assertion A precedes another contract assertion B in
|
| 195 |
+
R, then the first occurrence of A precedes the first occurrence of B
|
| 196 |
+
in S.
|
| 197 |
+
- Evaluate each element of S such that, if a contract assertion A
|
| 198 |
+
precedes a contract assertion B in S, then the evaluation of A is
|
| 199 |
+
sequenced before the evaluation of B.
|
| 200 |
+
|
| 201 |
+
[*Example 3*:
|
| 202 |
+
|
| 203 |
+
``` cpp
|
| 204 |
+
void f(int i)
|
| 205 |
+
{
|
| 206 |
+
contract_assert(i > 0); // #1
|
| 207 |
+
contract_assert(i < 10); // #2
|
| 208 |
+
// valid sequence of evaluations: #1 #2
|
| 209 |
+
// valid sequence of evaluations: #1 #1 #2 #2
|
| 210 |
+
// valid sequence of evaluations: #1 #2 #1 #2
|
| 211 |
+
// valid sequence of evaluations: #1 #2 #2 #1
|
| 212 |
+
// invalid sequence of evaluations: #2 #1
|
| 213 |
+
}
|
| 214 |
+
```
|
| 215 |
+
|
| 216 |
+
— *end example*]
|
| 217 |
+
|
| 218 |
+
*Recommended practice:* An implementation should provide an option to
|
| 219 |
+
perform a specified number of repeated evaluations for contract
|
| 220 |
+
assertions. By default, no repeated evaluations should be performed.
|
| 221 |
+
|