Date: Sun, 5 Oct 2025 12:00:48 -0700
I'm always disappointed with phrasing like "is not safe" or "not viable in
the real world", because invariably the speakers do not show a working
definition of "safe" and lack experience in safety critical software --
this puts the burden of education on one side, which ends up in volumes of
pages that are simply never read.
They most certainly haven't read P3297 C++26 Needs Contract Checking
<https://wg21.link/p3297> -- which was approved by SG23 in St Louis --
nor P3578
What is "Safety"? <https://isocpp.org/files/papers/P3578R1.pdf> which
actually defines the "safety" with precision and clarity. We have been
talking about this since P1517 Contract Requirements for Iterative
High-Assurance Systems <http://wg21.link/p1517>.
P2900 is "Safe", according to P3578 -- which itself follows decades of
industry practice -- and is the reason you arrive at WG21 meetings alive.
P2900 is "viable", because the industry has been using macro-based checks
in our software since before most of us were programmers. To say the
contrary is simply not sustainable.
If you want to have different checks on different "components", then this
is a matter of library design -- something we've been doing for decades:
compile the TUs you want with semantic X into a static library, and
semantic Y into another static library, and then link the two together.
Software design -- done.
P2900 is the result of one of the most rigorous design processes I've ever
witnessed at WG21, and P2900 is intended to be a minimum viable product
that adheres to a collection of use cases laid out in P1995 Contract Use
<http://wg21.link/p1995> cases from 2020. It has been derided as both not
minimal enough, and overly complicated -- yet no one bothers to do a
counter analysis to come to different conclusions. There are reams of pages
in the papers that lead to P2900, but the pagers in the papers running
counter are scant, hand-wavy, and abuse decades of industry standard jargon.
P2900 is safe, and is viable -- and no one has yet presented a serious
argument to the contrary.
Cheers,
On Thu, Oct 2, 2025 at 1:31 PM Andrzej Krzemienski via SG15 <
sg15_at_[hidden]> wrote:
>
>
> pon., 29 wrz 2025 o 22:14 John Spicer via SG21 <sg21_at_[hidden]>
> napisał(a):
>
>> I think that compile-time and link-time selection of semantics is a
>> desirable feature.
>>
>> But that misses the essential point of p3835r0 that the semantics need to
>> apply to software “components” and not to translation units or to the
>> entire program.
>>
>> If you consider the example in the paper I referenced, it is essential
>> that the check in l1.cpp fail.
>>
>> There could be some other contract check in c1.cpp that is expected to be
>> ignored.
>>
>> The key issue is not, IMO, how you control a “checking mode” that applies
>> to a TU or the program, the issue is how you apply various “checking modes”
>> to different components (e.g., libraries).
>>
>> There are a number of possible solutions to this problem, each of which
>> have their own tradeoffs.
>>
>> But the first step is the recognition that this is a problem that needs
>> to be solved in order for contracts to be viable in the real world.
>>
>
> I would like to understand this expectation a bit more. Rather than
> talking about the details I would focus on the motivation.
>
> The scenario that I am familiar with is that when a program P uses a
> library L, it is likely that P will use L incorrectly, and additional
> measures need to be taken to test if P is using L correctly. This would
> mean that in the P2900 world we would want to runtime check the assertions
> *at the library boundary* but not necessarily *inside* the library. IOW, If
> I were the author of P, I would trust library L that it was
> thoroughly tested, and would not want to assertion-test its implementation.
> But I would like to test if I am *using* the library correctly. So I would
> like to enable every precondition in L's interface and some contract_asset
> statements close to library entry points that also function as
> preconditions. But only those. If libstdc++'s STL implementation offers
> control macros to enable STL-specific assertions, those assertions
> practically check if the user is using the STL correctly: not if STL has
> been correctly implemented.
>
> But P3835 seems to be expressing a different need. So my question to the
> authors of P3835 is: is your motivating use case testing the library
> *usage* or really testing one library's implementation in a different way
> than another library's implementation? If it is the latter, that would be
> strange: you would have to mistrust the library L enough to want to keep
> checking its implementation, but at the same time trust it enough that the
> author put the right assertions in the right places with sufficient density.
>
> Regards,
> &rzej;
>
>
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
>
the real world", because invariably the speakers do not show a working
definition of "safe" and lack experience in safety critical software --
this puts the burden of education on one side, which ends up in volumes of
pages that are simply never read.
They most certainly haven't read P3297 C++26 Needs Contract Checking
<https://wg21.link/p3297> -- which was approved by SG23 in St Louis --
nor P3578
What is "Safety"? <https://isocpp.org/files/papers/P3578R1.pdf> which
actually defines the "safety" with precision and clarity. We have been
talking about this since P1517 Contract Requirements for Iterative
High-Assurance Systems <http://wg21.link/p1517>.
P2900 is "Safe", according to P3578 -- which itself follows decades of
industry practice -- and is the reason you arrive at WG21 meetings alive.
P2900 is "viable", because the industry has been using macro-based checks
in our software since before most of us were programmers. To say the
contrary is simply not sustainable.
If you want to have different checks on different "components", then this
is a matter of library design -- something we've been doing for decades:
compile the TUs you want with semantic X into a static library, and
semantic Y into another static library, and then link the two together.
Software design -- done.
P2900 is the result of one of the most rigorous design processes I've ever
witnessed at WG21, and P2900 is intended to be a minimum viable product
that adheres to a collection of use cases laid out in P1995 Contract Use
<http://wg21.link/p1995> cases from 2020. It has been derided as both not
minimal enough, and overly complicated -- yet no one bothers to do a
counter analysis to come to different conclusions. There are reams of pages
in the papers that lead to P2900, but the pagers in the papers running
counter are scant, hand-wavy, and abuse decades of industry standard jargon.
P2900 is safe, and is viable -- and no one has yet presented a serious
argument to the contrary.
Cheers,
On Thu, Oct 2, 2025 at 1:31 PM Andrzej Krzemienski via SG15 <
sg15_at_[hidden]> wrote:
>
>
> pon., 29 wrz 2025 o 22:14 John Spicer via SG21 <sg21_at_[hidden]>
> napisał(a):
>
>> I think that compile-time and link-time selection of semantics is a
>> desirable feature.
>>
>> But that misses the essential point of p3835r0 that the semantics need to
>> apply to software “components” and not to translation units or to the
>> entire program.
>>
>> If you consider the example in the paper I referenced, it is essential
>> that the check in l1.cpp fail.
>>
>> There could be some other contract check in c1.cpp that is expected to be
>> ignored.
>>
>> The key issue is not, IMO, how you control a “checking mode” that applies
>> to a TU or the program, the issue is how you apply various “checking modes”
>> to different components (e.g., libraries).
>>
>> There are a number of possible solutions to this problem, each of which
>> have their own tradeoffs.
>>
>> But the first step is the recognition that this is a problem that needs
>> to be solved in order for contracts to be viable in the real world.
>>
>
> I would like to understand this expectation a bit more. Rather than
> talking about the details I would focus on the motivation.
>
> The scenario that I am familiar with is that when a program P uses a
> library L, it is likely that P will use L incorrectly, and additional
> measures need to be taken to test if P is using L correctly. This would
> mean that in the P2900 world we would want to runtime check the assertions
> *at the library boundary* but not necessarily *inside* the library. IOW, If
> I were the author of P, I would trust library L that it was
> thoroughly tested, and would not want to assertion-test its implementation.
> But I would like to test if I am *using* the library correctly. So I would
> like to enable every precondition in L's interface and some contract_asset
> statements close to library entry points that also function as
> preconditions. But only those. If libstdc++'s STL implementation offers
> control macros to enable STL-specific assertions, those assertions
> practically check if the user is using the STL correctly: not if STL has
> been correctly implemented.
>
> But P3835 seems to be expressing a different need. So my question to the
> authors of P3835 is: is your motivating use case testing the library
> *usage* or really testing one library's implementation in a different way
> than another library's implementation? If it is the latter, that would be
> strange: you would have to mistrust the library L enough to want to keep
> checking its implementation, but at the same time trust it enough that the
> author put the right assertions in the right places with sufficient density.
>
> Regards,
> &rzej;
>
>
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
>
Received on 2025-10-05 19:01:07