Date: Fri, 17 Oct 2025 10:22:27 +0200
A short question:
is it true that it is not specified how often and in which order
contracts (pre post conditions) are evaluated,
and if it is, I wonder what is means for 'as close as possible'
Thanks for the help!
/Harald
On 2025-10-14 23:40, Louis Dionne via SG15 wrote:
>
>
> On Tue, Oct 14, 2025 at 4:35 PM Gabriel Dos Reis via SG21
> <sg21_at_[hidden]> wrote:
>
> The point is that hardened standard library implementations are
> being delivered right now, today, for supported language versions,
> without being phrased in term of P2900, by GCC, Clang, MSVC, etc.
>
> Any rephrasing in terms of P2900 should bring tangible benefits
> over what is available today. I see none.
>
>
> I don't think that is accurate. Libc++'s implementation of hardening
> is basically as close as possible to Contracts without actually using
> the language feature. We provide `enforce`, `quick_enforce`, `observe`
> and `ignore`, which can be selected using macros. We allow users to
> customize the handlers for `enforce` and `observe` in a way similar to
> what Contracts proposes. All of these decisions basically came from
> deployment experience and user feedback / feature requests (in
> particular observe, which we didn't have originally). IMO, that
> demonstrates a tangible benefit of wording hardening on top of
> Contracts, backed by libc++'s experience. Folks are free not to
> believe it, but it is historically and factually accurate that libc++
> ended up where it is due to user demand and real world constraints.
> It's also the case that this has been deployed at a large scale and
> documented.
>
> By the way, I'm not disputing that other standard libraries also
> provide useful hardening-like modes that are not built on top of
> Contracts. But that doesn't make what I said above untrue.
>
> Louis
>
>
> -- Gaby
>
>
>
> ------------------------------------------------------------------------
> *From:* Ryan McDougall <mcdougall.ryan_at_[hidden]>
> *Sent:* Tuesday, October 14, 2025 4:27:27 PM
> *To:* sg21_at_[hidden] <sg21_at_[hidden]>
> *Cc:* sg15_at_[hidden] <sg15_at_[hidden]>; Gabriel Dos
> Reis <gdr_at_[hidden]>; Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different
> contract checking for different libraries
> C++ is not in a vacuum -- people are building vehicles and robots
> now and making language choices. C++ will never ever beat Rust on
> Language Safety, but it has a lane for Functional Safety.
>
> If there was reason to believe there were insurmountable problems
> I'd be sympathetic, but all arguments have been of one of two
> forms: "P2900 is too minimal" or "P2900 is not minimal enough".
> EWG and Plenary have decided it's about as right as one can get in
> the committee model. There is no "here" here.
>
> On Tue, Oct 14, 2025 at 1:17 PM Gabriel Dos Reis via SG21
> <sg21_at_[hidden]> wrote:
>
> [Tom]
>
> * They are, or will be, once either of P3290 (Integrating
> Existing Assertions With Contracts)
> <https://wg21.link/p3290> or P3400 (Specifying Contract
> Assertion Properties with Labels)
> <https://wg21.link/p3400> is adopted.
>
> If that conjecture is true, then I would recommend to wait for
> those papers to be implemented, with deployment experience and
> adopted before phrasing the hardened standard library in terms
> of contracts.
>
> -- Gaby
>
> *From:*SG15 <sg15-bounces_at_[hidden]> *On Behalf Of *Tom
> Honermann via SG15
> *Sent:* Tuesday, October 14, 2025 4:00 PM
> *To:* sg21_at_[hidden]; Ville Voutilainen via SG15
> <sg15_at_[hidden]>
> *Cc:* Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different
> contract checking for different libraries
>
> On 10/14/25 3:21 PM, Ran Regev via SG21 wrote:
>
> On Tue, Oct 14, 2025, 21:47 Ville Voutilainen via SG15
> <sg15_at_[hidden]> wrote:
>
> On Tue, 14 Oct 2025 at 21:42, Ryan McDougall
> <mcdougall.ryan_at_[hidden]> wrote:
> >
> > And there are existing deployments where it's not
> desired and not a requirement...
>
> That doesn't mean that hardening should be possible to
> be turned off
> by a contract evaluation semantic choice
>
> One of the fundamental aspects of p2900 is that the person
> who write the contract is not the one who selects the
> semantics for the application.
>
> Is this aspect of contracts aligned with hardened
> libraries needs? The discussion seems to reveal that not.
> And therefore the draft paper mentioned earlier seems to
> be correct - contracts are not good fit for standard
> library hardening.
>
> They are, or will be, once either of P3290 (Integrating
> Existing Assertions With Contracts)
> <https://wg21.link/p3290> or P3400 (Specifying Contract
> Assertion Properties with Labels) <https://wg21.link/p3400> is
> adopted.
>
> Tom.
>
> applying to other code. Or more in the opposite direction,
> it doesn't
> mean that the choice of a contract evaluation semantic
> for other code should turn the hardening off.
>
>
> > The original sin is thinking that any one engineer knows
> all domains and anything that doesn't fit their
> preconceptions is universally wrong.
>
> Funny, you seem to be the only person in this discussion
> stating that
> something is universally wrong, or otherwise I have
> misunderstood
> what you think "patently false" means.
>
> >P2900 has been in development for a long time, and is
> useful and needed. The idea it's "unsafe" shows a lack of
> understanding of what that word means.
>
> Oh sure, it's a likely story that the critics of P2900 simply
> misunderstand something. In fact, a story so unlikely that
> it's safe
> to say it's patently false.
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
>
>
>
> _______________________________________________
>
> SG21 mailing list
>
> SG21_at_[hidden]
>
> Subscription:https://lists.isocpp.org/mailman/listinfo.cgi/sg21
>
> Link to this post:http://lists.isocpp.org/sg21/2025/10/11273.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11281.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11285.php
>
>
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
is it true that it is not specified how often and in which order
contracts (pre post conditions) are evaluated,
and if it is, I wonder what is means for 'as close as possible'
Thanks for the help!
/Harald
On 2025-10-14 23:40, Louis Dionne via SG15 wrote:
>
>
> On Tue, Oct 14, 2025 at 4:35 PM Gabriel Dos Reis via SG21
> <sg21_at_[hidden]> wrote:
>
> The point is that hardened standard library implementations are
> being delivered right now, today, for supported language versions,
> without being phrased in term of P2900, by GCC, Clang, MSVC, etc.
>
> Any rephrasing in terms of P2900 should bring tangible benefits
> over what is available today. I see none.
>
>
> I don't think that is accurate. Libc++'s implementation of hardening
> is basically as close as possible to Contracts without actually using
> the language feature. We provide `enforce`, `quick_enforce`, `observe`
> and `ignore`, which can be selected using macros. We allow users to
> customize the handlers for `enforce` and `observe` in a way similar to
> what Contracts proposes. All of these decisions basically came from
> deployment experience and user feedback / feature requests (in
> particular observe, which we didn't have originally). IMO, that
> demonstrates a tangible benefit of wording hardening on top of
> Contracts, backed by libc++'s experience. Folks are free not to
> believe it, but it is historically and factually accurate that libc++
> ended up where it is due to user demand and real world constraints.
> It's also the case that this has been deployed at a large scale and
> documented.
>
> By the way, I'm not disputing that other standard libraries also
> provide useful hardening-like modes that are not built on top of
> Contracts. But that doesn't make what I said above untrue.
>
> Louis
>
>
> -- Gaby
>
>
>
> ------------------------------------------------------------------------
> *From:* Ryan McDougall <mcdougall.ryan_at_[hidden]>
> *Sent:* Tuesday, October 14, 2025 4:27:27 PM
> *To:* sg21_at_[hidden] <sg21_at_[hidden]>
> *Cc:* sg15_at_[hidden] <sg15_at_[hidden]>; Gabriel Dos
> Reis <gdr_at_[hidden]>; Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg21] [isocpp-sg15] P3835 -- Different
> contract checking for different libraries
> C++ is not in a vacuum -- people are building vehicles and robots
> now and making language choices. C++ will never ever beat Rust on
> Language Safety, but it has a lane for Functional Safety.
>
> If there was reason to believe there were insurmountable problems
> I'd be sympathetic, but all arguments have been of one of two
> forms: "P2900 is too minimal" or "P2900 is not minimal enough".
> EWG and Plenary have decided it's about as right as one can get in
> the committee model. There is no "here" here.
>
> On Tue, Oct 14, 2025 at 1:17 PM Gabriel Dos Reis via SG21
> <sg21_at_[hidden]> wrote:
>
> [Tom]
>
> * They are, or will be, once either of P3290 (Integrating
> Existing Assertions With Contracts)
> <https://wg21.link/p3290> or P3400 (Specifying Contract
> Assertion Properties with Labels)
> <https://wg21.link/p3400> is adopted.
>
> If that conjecture is true, then I would recommend to wait for
> those papers to be implemented, with deployment experience and
> adopted before phrasing the hardened standard library in terms
> of contracts.
>
> -- Gaby
>
> *From:*SG15 <sg15-bounces_at_[hidden]> *On Behalf Of *Tom
> Honermann via SG15
> *Sent:* Tuesday, October 14, 2025 4:00 PM
> *To:* sg21_at_[hidden]; Ville Voutilainen via SG15
> <sg15_at_[hidden]>
> *Cc:* Tom Honermann <tom_at_[hidden]>
> *Subject:* Re: [isocpp-sg15] [isocpp-sg21] P3835 -- Different
> contract checking for different libraries
>
> On 10/14/25 3:21 PM, Ran Regev via SG21 wrote:
>
> On Tue, Oct 14, 2025, 21:47 Ville Voutilainen via SG15
> <sg15_at_[hidden]> wrote:
>
> On Tue, 14 Oct 2025 at 21:42, Ryan McDougall
> <mcdougall.ryan_at_[hidden]> wrote:
> >
> > And there are existing deployments where it's not
> desired and not a requirement...
>
> That doesn't mean that hardening should be possible to
> be turned off
> by a contract evaluation semantic choice
>
> One of the fundamental aspects of p2900 is that the person
> who write the contract is not the one who selects the
> semantics for the application.
>
> Is this aspect of contracts aligned with hardened
> libraries needs? The discussion seems to reveal that not.
> And therefore the draft paper mentioned earlier seems to
> be correct - contracts are not good fit for standard
> library hardening.
>
> They are, or will be, once either of P3290 (Integrating
> Existing Assertions With Contracts)
> <https://wg21.link/p3290> or P3400 (Specifying Contract
> Assertion Properties with Labels) <https://wg21.link/p3400> is
> adopted.
>
> Tom.
>
> applying to other code. Or more in the opposite direction,
> it doesn't
> mean that the choice of a contract evaluation semantic
> for other code should turn the hardening off.
>
>
> > The original sin is thinking that any one engineer knows
> all domains and anything that doesn't fit their
> preconceptions is universally wrong.
>
> Funny, you seem to be the only person in this discussion
> stating that
> something is universally wrong, or otherwise I have
> misunderstood
> what you think "patently false" means.
>
> >P2900 has been in development for a long time, and is
> useful and needed. The idea it's "unsafe" shows a lack of
> understanding of what that word means.
>
> Oh sure, it's a likely story that the critics of P2900 simply
> misunderstand something. In fact, a story so unlikely that
> it's safe
> to say it's patently false.
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
>
>
>
> _______________________________________________
>
> SG21 mailing list
>
> SG21_at_[hidden]
>
> Subscription:https://lists.isocpp.org/mailman/listinfo.cgi/sg21
>
> Link to this post:http://lists.isocpp.org/sg21/2025/10/11273.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11281.php
>
> _______________________________________________
> SG21 mailing list
> SG21_at_[hidden]
> Subscription: https://lists.isocpp.org/mailman/listinfo.cgi/sg21
> Link to this post: http://lists.isocpp.org/sg21/2025/10/11285.php
>
>
> _______________________________________________
> SG15 mailing list
> SG15_at_[hidden]
> https://lists.isocpp.org/mailman/listinfo.cgi/sg15
Received on 2025-10-17 08:22:36