This special Guru of the Week series focuses on contracts. We covered some basics of preconditions in GotW #100. This time, let’s see how we can use preconditions in some practical examples…
1. Consider these functions, expanded from an article by Andrzej Krzemieński: [1] … How many ways could a caller of each function get the arguments wrong, but that would silently compile without error? Name as many different ways as you can.
There are several ways to break this down. I’ll use three major categories of possible mistakes, the first two of which overlap:
- wrong order: passing an argument in the wrong position
- wrong value: passing an argument with a valid but wrong value (e.g., index out of range)
- invalid value: passing an argument that is already invalid (e.g., an invalid iterator)
Let’s see how these play out with our three examples, starting with (a).
(a) is_in_values (int val, int min, int max)
// Example 1: Adapted from [1]
auto is_in_values (int val, int min, int max)
-> bool; // true iff val is in the values [min, max]
Oh my, three identically typed integer parameters… what could be confusing about that?!
Wrong order (5 ways): First, there are five ways to pass these in the wrong order, because there are 3! = 6 permutations, all of which compile but only the first of which is correct:
is_in_values( v, lo, hi ); // correct
is_in_values( v, hi, lo ); // all these are wrong, but compile :(
is_in_values( lo, v, hi );
is_in_values( lo, hi, v );
is_in_values( hi, v, lo );
is_in_values( hi, lo, v );
Some of these argument orders may seem strange, but some are orders other libraries’ similar APIs might use which makes confusion easier, we all make mistakes… and the type system isn’t helping us at all.
Wrong value (1 way): Second, there is an implicit precondition that min <= max, so passing arguments where min > max would be wrong, but would silently compile. Some of these are exercised by the “wrong order” permutations above, but even call sites that remember the right argument order can make mistakes about the actual values.
Invalid value (0 ways): Finally, all possible values of an int are valid — some may be suspiciously big or small, but int doesn’t have the concept of “not a number” (NaN) as we have with floats, or the concept of “invalidated” like we have with iterators.
(b) is_in_container (int val, int idx_min, int idx_max)
It sure doesn’t help that the next function has the identical signature as is_in_values, but with very different meaning:
auto is_in_container (int val, int idx_min, int idx_max)
-> bool; // true iff container[i]==val for some i in [idx_min, idx_max]
Wrong order (5 ways): As in (a), we again have five ways to pass these in the wrong order, all of which compile but only the first is correct:
is_in_container( v, lo, hi ); // correct
is_in_container( v, hi, lo ); // all these are wrong, but compile :(
is_in_container( lo, v, hi );
is_in_container( lo, hi, v );
is_in_container( hi, v, lo );
is_in_container( hi, lo, v );
Wrong value (3 ways): Again as in (a), we have the implicit precondition that idx_min <= idx_max, so passing idx_min > idx_max would be wrong, but would silently compile. But this time there are two additional ways to go wrong, because idx_min and idx_max must both be valid subscripts into container, so if either is outside the range [0, container.size()) it is a valid integer but an out of bounds value for this use.
Invalid value (0 ways): Again as in (a), all possible values of an int are valid — though some may be wrong values if they’re out of bounds as we noted above, they’re still valid integers.
(c) is_in_range (T val, Iter first, Iter last)
template <typename T, typename Iter>
auto is_in_range (T val, Iter first, Iter last)
-> bool; // true iff *i==val for some i in [first,last)
Wrong order (1 way): This time there’s only one way to pass the parameters in the wrong order (ignoring pathological cases where the same argument might convert both T and Iter):
is_in_container( v, istart, iend ); // correct
is_in_container( v, iend, istart ); // wrong, but compiles :(
Wrong value (2 ways): We could pass a first and last that are not a valid range in two ways:
- they point into the same container, but
first doesn’t precede last - they point into different containers
Invalid value (2 ways): And finally, either of first or last could actually be an invalidated iterator (e.g., dangling). For example, the container they point into may be destroyed so that both are invalid; or one of the two iterators might have been calculated before a more recent operation like vector::push_back that could have invalidated it.
But if the sight of these function signatures has had you pulling your hair and shouting “use the type system, Luke!” at your screen, you’re not alone… now let’s make things better.
2. Show how can you improve the function declarations in Question 1 by …
(a) just grouping parameters, using a struct with public variables
Interestingly, we actually get a lot of benefit simply by grouping ‘parameters that go together,’ using an creating an aggregate or “grouping” helper struct.[3] For example:
// Example 2(a)(i): Improving Example 1 with aggregate types
struct min_max { int min, max; };
auto is_in_values (int val, min_max minmax) -> bool;
auto is_in_container (int val, min_max rng) -> bool;
template <typename Iter> struct two_iters { Iter first, last; };
template <typename T, typename Iter>
auto is_in_range (T val, two_iters<Iter> rng) -> bool;
Or even just venerable anonymous std::pair is better than no grouping:
// Example 2(a)(ii): Improving Example 1 with aggregate types
auto is_in_values (int val, std::pair<int,int> minmax) -> bool;
auto is_in_container (int val, std::pair<int,int> rng) -> bool;
template <typename T, typename Iter>
auto is_in_range (T val, std::pair<Iter,Iter> rng) -> bool;
With either of the above, there’s only one way for callers to get the argument order wrong. And it requires only two extra characters at call sites, because we can use { } to group the arguments without creating actual named objects of the helper struct:
is_in_values( v, {lo, hi} ); // correct
is_in_values( v, {hi, lo} ); // wrong, but compiles
is_in_container( v, {lo, hi} ); // correct
is_in_container( v, {hi, lo} ); // wrong, but compiles
is_in_range( v, {i1, i2} ); // correct
is_in_range( v, {i2, i1} ); // wrong, but compiles
So just grouping parameters using a struct eliminates some errors. But really using the type system is even better…
(b) just using an encapsulated class, using a class with private variables (an abstraction with its own invariant)
Clearly all three functions are crying out for a “range”-like abstraction for its pair of parameters, in the first two cases a range of values and in the third a range of iterators. How do we know? Because:
Here’s one way we can apply class types we can find in the standard library or Boost today:
// Example 2(b): Improving Example 1 with encapsulated class types
auto is_in_values (int val, boost::integer_range<int> rng) -> bool;
auto is_in_container (int val, boost::integer_range<int> rng) -> bool;
template <typename T, std::ranges::input_range Range>
auto is_in_range (T val, Range&& rng) -> bool;
This gives us all the mistake-reduction goodness we got in (a), plus more.
First, as in (a), absent pathological conversions, it’s very difficult to get arguments in the wrong order simply because of being forced to group the parameters:
auto minmax = boost::irange(10, 100);
is_in_values( 42, minmax );
auto minmax2 = boost::irange(0, ssize(myvec)-1);
is_in_container( 42, minmax2 );
auto myvec = std::vector<int>();
is_in_range( 42, myvec );
But, unlike our helper structs in (a), we now get additional safety because the types can express constructor preconditions that move some of those mistakes (such as (hi,lo) misordering) to constructors of class abstractions that can then preserve them as invariants [4] – so the mistake can still be made but in fewer places, to where we construct or modify the abstracted object (e.g., range), rather than every time we use un-abstracted separately values (e.g., a couple of iterator objects we have lying around and whose relationship we have to maintain by hand over time). This is why we sometimes say “types are predicates,” because a type encapsulates a predicate, namely its invariant.
GUIDELINE: When multiple functions state the same precondition, it’s a telltale sign there’s a missing class that should turn it into an invariant. A repeated precondition is nearly always a “naked invariant” that should be encapsulated up inside a type. This is more obvious when the precondition involves multiple parameters (or ordinary variables for that matter); a poster child is the STL’s pervasive use of iterator pairs, which have long been crying out to be encapsulated using a range abstraction, and fortunately we now have that in C++20. Consider using a class instead.
GUIDELINE: Remember that a key reason why encapsulated classes are powerful is that they wrap up preconditions and turn them into invariants. Hiding data members is good dependency management because it limits the code that can depend on the details of the data and is responsible for maintaining the correct relationship among the data members.
(c) just using post-C++20 contract preconditions (not yet valid C++, but something like the syntax in [2])
Preconditions test values, so they can let us eliminate the “wrong values” kinds of mistakes. Consider this code:
// Example 2(c): Improving Example 1 with boolean preconditions
auto is_in_values (int val, int min, int max)
-> bool // true iff val is in the values [min, max]
[[pre (min <= max)]]
;
auto is_in_container (int val, int idx_min, int idx_max)
-> bool // true iff container[i]==val for i in [idx_min, idx_max]
[[pre (0 <= idx_min
&& idx_min <= idx_max
&& idx_max < container.size())]] // see note [5]
;
template <typename T, typename Iter>
auto is_in_range (T val, Iter first, Iter last)
-> bool // true iff *i==val for some i in [first,last)
[[pre (/*... is_reachable? is_not_dangling? hmm ...*/)]]
;
For the first two functions, we can write clear preconditions that can check the “wrong value” bugs.
In these particular examples, the best place to write the preconditions is right on the constructors of the class types we saw in (b), and if we write them there then we don’t have to repeat them as explicit contracts on every function.
But is (b) always better than (c), in other examples? This brings us to our last question, which is all about “can” versus “should”…
3. Consider these three examples, where each shows expressing a boolean condition either as a function precondition or as an encapsulated invariant inside a new type… In each of these cases, which way is better? Explain your answer.
In Question 2, writing a type was often the best choice, but it isn’t always.
The benefits to writing a type include:
- Encapsulation. We limit the code that is responsible for maintaining the boolean condition.
- Language support. We get the help of the type system to statically enforce requirements.
But there are costs and limitations too:
- What’s the abstraction? There may not be a suitable one. We can’t write a good type unless we can discover a useful abstraction that the type’s interface should support. A good type represents a useful reusable domain abstraction that programmers can understand and that makes their code clearer by elevating the vocabulary of the code. There won’t always be a practical and reusable abstraction; when there isn’t, we won’t be able to write a useful and reusable type. — Even when there is, we have to design that all ahead of time, which requires a lot more advance knowledge and engineering than just writing ad-hoc boolean conditions on individual functions.
- What’s the cost? It may not be feasible to maintain the invariant. We have to do any extra work it takes to maintain the invariant, and it has to be practical to do. When it isn’t, we can’t maintain the invariant without help from outside code, and so we won’t be able to really encapsulate it properly.
- Does it make sense as an independent abstraction? Will the user be carrying around objects of this type, or are we just jamming a precondition common to a few functions (or only one) into a type and calling it useful? Occam’s Razor: Don’t multiply entities beyond necessity.
- What’s the type the caller is using? This is where a real usable abstraction shines, because many callers will be using it independently of calling our function. But if the caller isn’t using this type, then there typically has to be an implicit or explicit conversion (because inheritance from all argument types our callers might already have usually isn’t an option), and that conversion would need to be usable and sufficiently cheap.
GUIDELINE: Remember that types and contracts are “better together.” Use both. They are complementary, neither is a substitute for the other. All we are trying to accomplish with contracts is to augment the language’s static type checking with runtime checking where that is more appropriate because we can’t design a practical abstraction. And this is why we want contracts on functions (preconditions, postconditions) even though we already have types, and why we also want contracts on types (invariants).
Let’s consider the three examples.
(a) A vector that is sorted
template <typename T>
void f( vector<T> const& v ) [[pre( is_sorted(v) )]] ;
template <typename T>
void f( sorted<vector<T>> const& v );
If this looks familiar, it’s because is_sorted is one of the classic examples we saw in GotW #98 of conditions that are often impractical to check and enforce as an assertion, in this case a precondition.
Can we do better by making it a type, perhaps a sorted wrapper around a container like vector that maintains the guarantee that it’s always sorted? Well, we have to answer some questions about a sorted<T>:
- What’s the abstraction it provides? It can’t easily fulfill the requirements of a sequence container like
vector itself; for example, push_back doesn’t make much sense because letting the caller insert an arbitrary value at a specific location would easily cause the container to be unsorted. Instead, it would naturally want a more general insert function instead, and the interface would be more like set. This part could be workable. - What’s the cost? This where it starts to breaks down: Keeping a
vector sorted all the time means that every insertion would cost O(N) work all the time. Which leads into… - Does it make sense as an independent abstraction? … that it’s very common for code to maintain an “almost-sorted”
vector, such as by inserting new elements at the end which is fast (and, hmm, affects our abstraction design, because then it would make sense to have push_back after all, wouldn’t it? hmm) but leaves a suffix of unsorted elements in the container, and then periodically sorting the whole container so that the sorting cost is amortized. But an almost-sorted vector isn’t good enough, and so doesn’t fit the bill. We don’t have empirical evidence of such types in general use. - What’s the type the caller is using? And now we’re busted all the way, because we want this interface to be usable by anyone who has a
vector<T>, which would require a conversion to sorted<vector<T>>. If we do a deep copy, that’s prohibitively expensive. Even if the conversion is lightweight by avoiding a deep copy, such as by just wrapping an existing vector object, it wouldn’t be very useful unless it did O(N) work every time unconditionally to verify the invariant. And even then the abstraction design is affected and compromised: If the user can still see and modify the original vector, then that’s still part of the accessible interface to the data, so the user can make the container be not fully sorted and we’re unable to really encapsulate and maintain our intended invariant.
So is_sorted is much better as a function precondition.
// (b) A vector that is not empty
template <typename T>
void f( vector<T> const& v ) [[pre( !v.empty() )]] ;
template <typename T>
void f( not_empty<vector<T>> const& v );
This one is more feasible as a type, but still not ideal:
- What’s the abstraction it provides? It’s a
vector, and we can make the interface identical to vector with just extra preconditions on pop and erase functions to not remove the last element in the container. - What’s the cost? Emptiness is cheap enough to check and maintain.
- Does it make sense as an independent abstraction? This is where it starts to get questionable… the answer is at best “maybe.” It’s not clear to me than a “nonempty
vector” is a generally useful abstraction. - What’s the type the caller is using? This is where I think we break down again. Again, we want this interface to be usable by anyone who has a
vector<T>, and that means a conversion to not_empty<vector<T>>. If we do a deep copy, that’s prohibitively expensive. This time if we just wrap an existing vector object to avoid the deep copy, the check is cheap. But then we still have the problem that the abstraction design is affected and compromised so that it can’t maintain its invariant, because if the user can still see and modify the original vector, they can remove the last element on us.
So not_empty seems better as a function precondition.
(c) A pointer that is not null
void f( int* p ) [[pre( p != nullptr )]] ;
void f( not_null<int*> p );
This time we can do better:
- What’s the abstraction it provides? This one’s easy to state: It’s a not-null pointer. That’s a far simpler interface than a container, because we just need
operator* and operator->, construction, destruction, and copying. Even so it’s not totally without subtlety, because not_null should not have move operations that modify the source object. This means that a not_null<unique_ptr<T>> is legal but there’s not much you can do with it besides dereference it and destroy it: It can’t be copyable because unique_ptr isn’t copyable, and it must not be movable because moving a unique_ptr leaves the source null. - What’s the cost? Nullness is cheap enough to check and maintain.
- Does it make sense as an independent abstraction? Definitely. A “non-null pointer” has been widely rediscovered and reinvented as a generally useful abstraction.
- What’s the type the caller is using? A
not_null<int*> is a useful object in its own right in the calling code, independently of calling this particular function. And if our function is invoked by someone who has only an ordinary int*, doing a full copy of the pointer is cheap, and applying the nullness check as a precondition on that converting constructor is exactly equivalent to writing the precondition by hand, but is automated.
So not_null seems better as a type, primarily because it is independently useful. This is why it has been reinvented a number of times, including as gsl::not_null. [6]
GUIDELINE: Wherever practical, design interfaces so that incorrect call sites are illegal (won’t compile, using the type system) or loud (won’t pass unit tests, using preconditions). This is a key part of achieving the goal to “make interfaces easy to use correctly, and hard to use incorrectly.” Preconditions directly help with that by letting us catch entire groups of errors at test time, and are a complement to the type system which makes incorrect uses “not fit” through the compiler and also carries extra preconditions around for us in the form of invariants.
GUIDELINE: Remember that the type system is a hammer, and not every precondition is a nail. The type system is a powerful tool, but not every precondition is naturally (part of) an invariant of a useful type that provides a good reusable abstraction that’s generally useful independently of this function.
Notes
[1] A. Krzemieński. “Contracts, preconditions and invariants” (Andrzej’s C++ blog, December 2020).
[2] G. Dos Reis, J. D. Garcia, J. Lakos, A. Meredith, N. Myers, and B. Stroustrup. “P0542: Support for contract based programming in C++” (WG21 paper, June 2018). Subsequent EWG discussion favored changing “expects” to “pre” and “ensures” to “post,” and to keep it as legal compilable (if unenforced) C++20 for this article I also modified the syntax from : to ( ), and to name the return value _return_ for postconditions. That’s not a statement of preference, it’s just so the examples can compile today to make them easier to check.
[3] For 2(a) and 2(b), on platform ABIs that do not pass small structs/classes in registers, turning individual parameters into a struct/class could cause them to be passed in stack memory instead of in registers.
[4] Upcoming GotWs will cover invariants and violation handling.
[5] If C++ gets chained comparisons as proposed in P0515 and P0893 we could write this much more clearly, and with fewer opportunities for mistakes, as:
[[pre( 0 <= idx_min <= idx_max < container.size() )]]
[6] B. Stroustrup and H. Sutter (eds.) “I.12 Declare a pointer that must not be null as not_null” (C++ Core Guidelines.) If the not_null<T> type we are using is implicitly convertible from T, which is the intent of I.12 to provide a drop-in replacement for pointer parameters, then the usability is the same as with the precondition. Otherwise, the caller has to provide a not_null argument at the call site, either by doing an explicit conversion or by just using a not_null local variable in their own body.
Acknowledgments
Thank you to the following for their feedback on this material: Joshua Berne, Gabriel Dos Reis, J. Daniel Garcia, Gábor Horváth, Andrzej Krzemieński, Bjarne Stroustrup, Andrew Sutton, Ville Voutilainen
Sutter’s Mill 