Home Explore Help
Register Sign In
devn00b
/
EQ2EMu
9
3
Fork 0
Files Issues 59 Pull Requests 0 Wiki
Tree: ff02b05cfd
Branches Tags
EQ2EMu
/
EQ2
/
source
/
depends
/
boost_1_72_0
/
libs
/
outcome
/
doc
/
html
/
motivation
/
narrow_contract.html

narrow_contract.html 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 
  1. <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    2. 

  2. <html><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    3. 

  3. <title>Narrow contracts - Boost.Outcome documentation</title>
    4. 

  4. <link rel="stylesheet" href="../css/boost.css" type="text/css">
    5. 

  5. <meta name="generator" content="Hugo 0.52 with Boostdoc theme">
    6. 

  6. <meta name="viewport" content="width=device-width,initial-scale=1.0"/>
    7. 

  7. 

  8. <link rel="icon" href="../images/favicon.ico" type="image/ico"/>
    9. 

  9. <body><div class="spirit-nav">
    10. 

  10. <a accesskey="p" href="../motivation/plug_error_code2.html"><img src="../images/prev.png" alt="Prev"></a>
    11. 

  11.     <a accesskey="u" href="../motivation.html"><img src="../images/up.png" alt="Up"></a>
    12. 

  12.     <a accesskey="h" href="../index.html"><img src="../images/home.png" alt="Home"></a><a accesskey="n" href="../tutorial.html"><img src="../images/next.png" alt="Next"></a></div><div id="content">
    13. 

  13.   <div class="titlepage"><div><div><h1 style="clear: both">Narrow contracts</h1></div></div></div>
    14. 

  14.   <p>A program&rsquo;s thread of execution can enter a &ldquo;disappointing&rdquo; state for two reasons:</p>
    15. 

  15. 

  16. <ul>
    17. 

  17. <li>due to disappointing situation in the environment (operating system, external input),
    18. 

  18. or</li>
    19. 

  19. <li>due to a bug in the program.</li>
    20. 

  20. </ul>
    21. 

  21. 

  22. <p>The key to handling these disappointments correctly is to identify to which
    23. 

  23. category they belong, and use the tools adequate for a given category. In this
    24. 

  24. tutorial when we say &ldquo;error&rdquo; or &ldquo;failure&rdquo; we only refer to the first category.
    25. 

  25. A bug is not an error.</p>
    26. 

  26. 

  27. <p>A bug is when a program is something else than what it is supposed to be. The
    28. 

  28. correct action in that case is to change the program so that it is exactly what
    29. 

  29. it is supposed to be. Unfortunately, sometimes the symptoms of a bug are only
    30. 

  30. detected when the system is running and at this point no code changes are possible.</p>
    31. 

  31. 

  32. <p>In contrast, a failure is when a correct function in a correct program reflects
    33. 

  33. some disappointing behavior in the environment. The correct action in that case
    34. 

  34. is for the program to take a control path different than usual, which will likely
    35. 

  35. cancel some operations and will likely result in different communication with the
    36. 

  36. outside world.</p>
    37. 

  37. 

  38. <p>Symptoms of bugs can sometimes be detected during compilation or static program
    39. 

  39. analysis or at run-time when observing certain values of objects that are declared
    40. 

  40. never to be valid at certain points. One classical example is passing a null pointer
    41. 

  41. to functions that expect a pointer to a valid object:</p>
    42. 

  42. <div class="highlight"><pre class="chroma"><code class="language-c++" data-lang="c++"><span class="kt">int</span> <span class="nf">f</span><span class="p">(</span><span class="kt">int</span> <span class="o">*</span> <span class="n">pi</span><span class="p">)</span> <span class="c1">// expects: pi != nullptr
    43. 

  43. </span><span class="c1"></span><span class="p">{</span>
    44. 

  44.   <span class="k">return</span> <span class="o">*</span><span class="n">pi</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
    45. 

  45. <span class="p">}</span>
    46. 

  46. </code></pre></div>
    47. 

  47. <p>Passing a null pointer where it is not expected is so common a bug that tools
    48. 

  48. are very good at finding them. For instance, static analyzers will usually detect
    49. 

  49. it without even executing your code. Similarly, tools like undefined behavior
    50. 

  50. sanitizers will compile a code as the one above so that a safety check is performed
    51. 

  51. to check if the pointer is null, and an error message will be logged and program
    52. 

  52. optionally terminated.</p>
    53. 

  53. 

  54. <p>More, compilers can perform optimizations based on undefined behavior caused by
    55. 

  55. dereferencing a null pointer. In the following code:</p>
    56. 

  56. <div class="highlight"><pre class="chroma"><code class="language-c++" data-lang="c++"><span class="n">pair</span><span class="o">&lt;</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="o">&gt;</span> <span class="n">g</span><span class="p">(</span><span class="kt">int</span> <span class="o">*</span> <span class="n">pi</span><span class="p">)</span> <span class="c1">// expects: pi != nullptr
    57. 

  57. </span><span class="c1"></span><span class="p">{</span>
    58. 

  58.   <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="o">*</span><span class="n">pi</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
    59. 

  59.   <span class="kt">int</span> <span class="n">j</span> <span class="o">=</span> <span class="p">(</span><span class="n">pi</span> <span class="o">==</span> <span class="k">nullptr</span><span class="p">)</span> <span class="o">?</span> <span class="mi">1</span> <span class="o">:</span> <span class="mi">0</span><span class="p">;</span>
    60. 

  60.   <span class="k">return</span> <span class="p">{</span><span class="n">i</span><span class="p">,</span> <span class="n">j</span><span class="p">};</span>
    61. 

  61. <span class="p">}</span>
    62. 

  62. </code></pre></div>
    63. 

  63. <p>The compiler can see that if <code>pi</code> is null, the program would have undefined
    64. 

  64. behavior. Since undefined behavior is required by the C++ standard to never
    65. 

  65. be the programmer&rsquo;s intention, the compiler
    66. 

  66. assumes that apparently this function is never called with <code>pi == nullptr</code>. If so,
    67. 

  67. <code>j</code> is always <code>0</code> and the code can be transformed to a faster one:</p>
    68. 

  68. <div class="highlight"><pre class="chroma"><code class="language-c++" data-lang="c++"><span class="n">pair</span><span class="o">&lt;</span><span class="kt">int</span><span class="p">,</span> <span class="kt">int</span><span class="o">&gt;</span> <span class="n">g</span><span class="p">(</span><span class="kt">int</span> <span class="o">*</span> <span class="n">pi</span><span class="p">)</span> <span class="c1">// expects: pi != nullptr
    69. 

  69. </span><span class="c1"></span><span class="p">{</span>
    70. 

  70.   <span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="o">*</span><span class="n">pi</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
    71. 

  71.   <span class="kt">int</span> <span class="n">j</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
    72. 

  72.   <span class="k">return</span> <span class="p">{</span><span class="n">i</span><span class="p">,</span> <span class="n">j</span><span class="p">};</span>
    73. 

  73. <span class="p">}</span>
    74. 

  74. </code></pre></div>
    75. 

  75. <p>Functions like the one above that declare that certain values of input parameters
    76. 

  76. must not be passed to them are said to have a <em>narrow contract</em>.</p>
    77. 

  77. 

  78. <p>Compilers give you non-standard tools to tell them about narrow contracts, so
    79. 

  79. that they can detect it and make use of it the same way as they are detecting
    80. 

  80. invalid null pointers. For instance, if a function in your library takes an <code>int</code>
    81. 

  81. and declares that the value of this <code>int</code> must never be negative. You can use
    82. 

  82. <code>__builtin_trap()</code> available in GCC and clang:</p>
    83. 

  83. <div class="highlight"><pre class="chroma"><code class="language-c++" data-lang="c++"><span class="kt">void</span> <span class="nf">h</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span><span class="p">)</span> <span class="c1">// expects: i &gt;= 0
    84. 

  84. </span><span class="c1"></span><span class="p">{</span>
    85. 

  85.   <span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="n">__builtin_trap</span><span class="p">();</span>
    86. 

  86. 

  87.   <span class="c1">// normal program logic follows ...
    88. 

  88. </span><span class="c1"></span><span class="p">}</span>
    89. 

  89. </code></pre></div>
    90. 

  90. <p>This instruction when hit, causes the program to exit abnormally, which means:</p>
    91. 

  91. 

  92. <ul>
    93. 

  93. <li>a debugger can be launched,</li>
    94. 

  94. <li>static analyzer can warn you if it can detect a program flow that reaches this
    95. 

  95. point,</li>
    96. 

  96. <li>UB-sanitizer can log error message when it hits it.</li>
    97. 

  97. </ul>
    98. 

  98. 

  99. <p>Another tool you could use is <code>__builtin_unreachable()</code>, also available in GCC
    100. 

  100. and clang:</p>
    101. 

  101. <div class="highlight"><pre class="chroma"><code class="language-c++" data-lang="c++"><span class="kt">void</span> <span class="nf">h</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span><span class="p">)</span> <span class="c1">// expects: i &gt;= 0
    102. 

  102. </span><span class="c1"></span><span class="p">{</span>
    103. 

  103.   <span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="n">__builtin_unreachable</span><span class="p">();</span>
    104. 

  104. 

  105.   <span class="c1">// normal program logic follows ...
    106. 

  106. </span><span class="c1"></span><span class="p">}</span>
    107. 

  107. </code></pre></div>
    108. 

  108. <p>This gives a hint to the tools: the programmer guarantees that the program flow
    109. 

  109. will never reach to the point of executing it. In other words, it is undefined
    110. 

  110. behavior if control reaches this point. Compiler and other tools can take this
    111. 

  111. for granted. This way they can deduce that expression <code>i &lt; 0</code> will never be true,
    112. 

  112. and they can further use this assumption to issue warnings or to optimize the code.
    113. 

  113. UB-sanitizers can use it to inject a log message and terminate if this point is
    114. 

  114. nonetheless reached.</p>
    115. 

  115. 

  116. <p>Allowing for some input values to be invalid works similarly to cyclic redundancy
    117. 

  117. checks. It allows for the possibility to observe the symptoms of the bugs (not
    118. 

  118. the bugs themselves), and if the symptom is revealed the hunt for the bug can start.
    119. 

  119. This is not only tools that can now easily detect symptoms of bugs, but also
    120. 

  120. humans during the code review. A reviewer can now say, &ldquo;hey, function <code>h()</code> is
    121. 

  121. expecting a non-negative value, but this <code>i</code> is actually <code>-1</code>; maybe you wanted
    122. 

  122. to pass <code>j</code> instead?&ldquo;.</p>
    123. 

  123. 

  124. 

  125.         </div><p><small>Last revised: April 26, 2019 at 17:43:41 &#43;0200</small></p>
    126. 

  126. <hr>
    127. 

  127. <div class="spirit-nav">
    128. 

  128. <a accesskey="p" href="../motivation/plug_error_code2.html"><img src="../images/prev.png" alt="Prev"></a>
    129. 

  129.     <a accesskey="u" href="../motivation.html"><img src="../images/up.png" alt="Up"></a>
    130. 

  130.     <a accesskey="h" href="../index.html"><img src="../images/home.png" alt="Home"></a><a accesskey="n" href="../tutorial.html"><img src="../images/next.png" alt="Next"></a></div></body>
    131. 

  131. </html>
    132.