C++ Logo

sg15

Advanced search

Contracts and tooling

From: Tom Honermann <tom_at_[hidden]>
Date: Thu, 9 Nov 2023 14:58:52 -0500
Cross-posting to SG15 and SG21.

My goal with this email is to encourage collaboration between SG21
(Contracts) and SG15 (Tooling) on the contracts MVP well in advance of
the design being presented and potentially approved by EWG.

SG23 (Safety and Security) discussed P2947 (Contracts must avoid
disclosing sensitive information) <https://wg21.link/p2947> yesterday
and agreed that SG15 (Tooling) should address these concerns.

Some regular attendees of SG15 have expressed concerns that a contracts
design (the MVP) might be accepted for C++26 without adequate tooling
consideration thereby potentially leading to a situation like we have
now with modules where we have a language feature with significant
adoption challenges. I share some of these concerns.

The following are concerns that I have in mind that are relevant to
tooling and that I believe will benefit from SG15 involvement.

 1. Use of contracts in production environments:
     1. Such use will be constrained, independently of the costs of the
        contract checks themselves, if enablement imposes considerable
        overhead.
     2. Such use will be constrained if enablement requires rebuilding
        code for different build modes (ignore, observe, enforce) or for
        different enablement labels (default, audit).
     3. Such use will be constrained for applications that have
        dependencies on packages provided by package managers. Package
        managers are unlikely to provide separate contract-disabled and
        contract-enabled builds, nor are system package managers likely
        to provide multiple builds (they don't provide separate
        assert-disabled and assert-enabled builds today for example).
        Use in production will require means to provide packages that,
        at run-time, can have any of the contract semantics (ignore,
        observe, enforce) enabled at load-time. This capability would
        require very low overhead means to enable such selection at
        load-time. Existing linker technologies like the GNU ifunc
        extension to ELF
        <https://jasoncc.github.io/gnu_gcc_glibc/gnu-ifunc.html> might
        pave the way to low overhead solutions.
 2. Discoverability of contract check labels/levels, particularly in
    situations where contract checks can be dynamically enabled.
 3. Protection of sensitive information per P2947 <https://wg21.link/p2947>.

Please reply with any additional concerns. I believe papers, probably
targeting SG15 and the ecosystem IS, will eventually be desired.

Tom.

Received on 2023-11-09 19:58:56