Title
The standard encourages redundant and confusing preconditions
Status
nad editorial
Section
[res.on.required]
Submitter
David Abrahams

Created on 2005-10-25 00:00:00, last changed 171 months ago

Messages

Date: 2010-10-21.18:28:33

[ Alan provided the survey N2121. ]

Date: 2010-10-21.18:28:33

[ Berlin: The LWG requests a detailed survey of part 2 of the proposed resolution. ]

Date: 2010-10-21.18:28:33

Proposed resolution:

1. Change 17.4.3.8/1 to read:

Violation of the preconditions specified in a function's Required behavior: paragraph results in undefined behavior unless the function's Throws: paragraph specifies throwing an exception when the precondition is violated.

2. Go through and remove redundant Requires: clauses. Specifics to be provided by Dave A.

Date: 2010-10-21.18:28:33

[ Bellevue: NAD Editorial, this group likes N2121, Pete agrees, accepting it is Pete's business. General agreement that precondition violations are synonymous with UB. ]

Date: 2010-10-21.18:28:33

[ Batavia: Alan and Pete to work. ]

Date: 2005-10-25.00:00:00

17.4.3.8/1 says:

Violation of the preconditions specified in a function's Required behavior: paragraph results in undefined behavior unless the function's Throws: paragraph specifies throwing an exception when the precondition is violated.

This implies that a precondition violation can lead to defined behavior. That conflicts with the only reasonable definition of precondition: that a violation leads to undefined behavior. Any other definition muddies the waters when it comes to analyzing program correctness, because precondition violations may be routinely done in correct code (e.g. you can use std::vector::at with the full expectation that you'll get an exception when your index is out of range, catch the exception, and continue). Not only is it a bad example to set, but it encourages needless complication and redundancy in the standard. For example:

  21 Strings library 
  21.3.3 basic_string capacity

  void resize(size_type n, charT c);

  5 Requires: n <= max_size()
  6 Throws: length_error if n > max_size().
  7 Effects: Alters the length of the string designated by *this as follows:

The Requires clause is entirely redundant and can be dropped. We could make that simplifying change (and many others like it) even without changing 17.4.3.8/1; the wording there just seems to encourage the redundant and error-prone Requires: clause.
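The distinction the issue draws, a specified exception versus an unrecoverable precondition violation, can be observed directly. The following program is an added illustration, not part of the issue or the standard text: it uses std::vector::at and basic_string::resize exactly as specified (checked access throws std::out_of_range, an oversize resize throws std::length_error), and keeps operator[] behind an explicit bounds check because a violated precondition has no defined behaviour to catch. The helper names are the example's own.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Checked access: std::vector::at has no Requires: clause for the index. An
// out-of-range index is specified to throw std::out_of_range, so a caller may
// rely on the exception, handle it, and continue. This is defined behaviour.
int checked_lookup(const std::vector<int>& v, std::size_t i, int fallback) {
    try {
        return v.at(i);
    } catch (const std::out_of_range&) {
        return fallback;
    }
}

// Contrast: operator[] carries the precondition i < size(). Violating it is
// undefined behaviour, which no catch block can observe, so the only safe
// pattern is to establish the precondition before the call.
int unchecked_lookup(const std::vector<int>& v, std::size_t i, int fallback) {
    if (i < v.size()) {
        return v[i];
    }
    return fallback;   // never reach operator[] outside its precondition
}

// basic_string::resize(n, c): the Throws: paragraph alone fully specifies what
// happens for n > max_size(). Returns true when the specified length_error is
// observed, demonstrating that the Requires: clause adds nothing.
bool resize_past_max_throws_length_error() {
    std::string s;
    // npos is the largest size_type value and therefore exceeds max_size().
    const std::string::size_type n = std::string::npos;
    try {
        s.resize(n, 'x');
    } catch (const std::length_error&) {
        return true;
    } catch (...) {
        return false;  // some other exception: not the specified behaviour
    }
    return false;      // no exception at all: not the specified behaviour
}

int main() {
    const std::vector<int> v{10, 20, 30};
    std::cout << "at(1)        -> " << checked_lookup(v, 1, -1) << '\n';
    std::cout << "at(7)        -> " << checked_lookup(v, 7, -1) << " (caught out_of_range)\n";
    std::cout << "[7] guarded  -> " << unchecked_lookup(v, 7, -1) << '\n';
    std::cout << "resize(npos) -> "
              << (resize_past_max_throws_length_error() ? "length_error" : "unexpected") << '\n';
    return 0;
}
```

The point for reviewers of library wording, and for anyone auditing code that relies on it, is that only the first and third cases are contracts a program can depend on; the operator[] path is a precondition, and the program is correct only if the check precedes the call.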

History
Date                 User   Action  Args
2010-10-21 18:28:33  admin  set     messages: + msg2962
2010-10-21 18:28:33  admin  set     messages: + msg2961
2010-10-21 18:28:33  admin  set     messages: + msg2960
2010-10-21 18:28:33  admin  set     messages: + msg2959
2010-10-21 18:28:33  admin  set     messages: + msg2958
2005-10-25 00:00:00  admin  create