I'm always disappointed with phrasing like "is not safe" or "not viable in the real world", because invariably the speakers do not show a working definition of "safe" and lack experience in safety critical software -- this puts the burden of education on one side, which ends up in volumes of pages that are simply never read.

They most certainly haven't read P3297 C++26 Needs Contract Checking -- which was approved by SG23 in St Louis -- nor P3578 What is "Safety"? which actually defines the "safety" with precision and clarity. We have been talking about this since P1517 Contract Requirements for Iterative High-Assurance Systems.

P2900 is "Safe", according to P3578 -- which itself follows decades of industry practice -- and is the reason you arrive at WG21 meetings alive. P2900 is "viable", because the industry has been using macro-based checks in our software since before most of us were programmers. To say the contrary is simply not sustainable.

If you want to have different checks on different "components", then this is a matter of library design -- something we've been doing for decades: compile the TUs you want with semantic X into a static library, and semantic Y into another static library, and then link the two together. Software design -- done.

P2900 is the result of one of the most rigorous design processes I've ever witnessed at WG21, and P2900 is intended to be a minimum viable product that adheres to a collection of use cases laid out in P1995 Contract Use cases from 2020. It has been derided as both not minimal enough, and overly complicated -- yet no one bothers to do a counter analysis to come to different conclusions. There are reams of pages in the papers that lead to P2900, but the pagers in the papers running counter are scant, hand-wavy, and abuse decades of industry standard jargon.

P2900 is safe, and is viable -- and no one has yet presented a serious argument to the contrary.

Cheers, 

On Thu, Oct 2, 2025 at 1:31 PM Andrzej Krzemienski via SG15 <sg15@lists.isocpp.org> wrote:


pon., 29 wrz 2025 o 22:14 John Spicer via SG21 <sg21@lists.isocpp.org> napisał(a):
I think that compile-time and link-time selection of semantics is a desirable feature.

But that misses the essential point of p3835r0 that the semantics need to apply to software “components” and not to translation units or to the entire program.

If you consider the example in the paper I referenced, it is essential that the check in l1.cpp fail.

There could be some other contract check in c1.cpp that is expected to be ignored.

The key issue is not, IMO, how you control a “checking mode” that applies to a TU or the program, the issue is how you apply various “checking modes” to different components (e.g., libraries).

There are a number of possible solutions to this problem, each of which have their own tradeoffs.

But the first step is the recognition that this is a problem that needs to be solved in order for contracts to be viable in the real world.

I would like to understand this expectation a bit more. Rather than talking about the details I would focus on the motivation. 

The scenario that I am familiar with is that when a program P uses a library L, it is likely that P will use L incorrectly, and additional measures need to be taken to test if P is using L correctly. This would mean that in the P2900 world we would want to runtime check the assertions *at the library boundary* but not necessarily *inside* the library. IOW, If I were the author of P, I would trust library L that it was thoroughly tested, and would not want to assertion-test its implementation. But I would like to test if I am *using* the library correctly. So I would like to enable every precondition in L's interface and some contract_asset statements close to library entry points that also function as preconditions. But only those. If libstdc++'s STL implementation offers control macros to enable STL-specific assertions, those assertions practically check if the user is using the STL correctly: not if STL has been correctly implemented.

But P3835 seems to be expressing a different need. So my question to the authors of P3835 is: is your motivating use case testing the library *usage* or really testing one library's implementation in a different way than another library's implementation? If it is the latter, that would be strange: you would have to mistrust the library L enough to want to keep checking its implementation, but at the same time trust it enough that the author put the right assertions in the right places with sufficient density.

Regards,
&rzej;


_______________________________________________
SG15 mailing list
SG15@lists.isocpp.org
https://lists.isocpp.org/mailman/listinfo.cgi/sg15