P3471R4 Standard library hardening

Author: Eisenwave

source/containers.tex

@@ -1861,6 +1861,10 @@
 \result
 \tcode{reference; const_reference} for constant \tcode{a}.
 
+\pnum
+\hardexpects
+\tcode{a.empty()} is \tcode{false}.
+
 \pnum
 \returns
 \tcode{*a.begin()}
@@ -1886,6 +1890,10 @@
 \result
 \tcode{reference; const_reference} for constant \tcode{a}.
 
+\pnum
+\hardexpects
+\tcode{a.empty()} is \tcode{false}.
+
 \pnum
 \effects
 Equivalent to:
@@ -2150,7 +2158,7 @@
 \keyword{void}
 
 \pnum
-\expects
+\hardexpects
 \tcode{a.empty()} is \tcode{false}.
 
 \pnum
@@ -2175,7 +2183,7 @@
 \keyword{void}
 
 \pnum
-\expects
+\hardexpects
 \tcode{a.empty()} is \tcode{false}.
 
 \pnum
@@ -2201,6 +2209,10 @@
 \result
 \tcode{reference; const_reference} for constant \tcode{a}.
 
+\pnum
+\hardexpects
+\tcode{n < a.size()} is \tcode{true}.
+
 \pnum
 \effects
 Equivalent to: \tcode{return *(a.begin() + n);}
@@ -19191,11 +19203,13 @@
 \begin{itemize}
 \item \range{first}{first + count} is a valid range.
 \item \tcode{It} models \libconcept{contiguous_iterator}.
-\item
-If \tcode{extent} is not equal to \tcode{dynamic_extent},
-then \tcode{count} is equal to \tcode{extent}.
 \end{itemize}
 
+\pnum
+\hardexpects
+If \tcode{extent} is not equal to \tcode{dynamic_extent},
+then \tcode{count == extent} is \tcode{true}.
+
 \pnum
 \effects
 Initializes \exposid{data_} with \tcode{to_address(first)} and
@@ -19231,14 +19245,16 @@
 \pnum
 \expects
 \begin{itemize}
-\item
-If \tcode{extent} is not equal to \tcode{dynamic_extent},
-then \tcode{last - first} is equal to \tcode{extent}.
 \item \range{first}{last} is a valid range.
 \item \tcode{It} models \libconcept{contiguous_iterator}.
 \item \tcode{End} models \tcode{\libconcept{sized_sentinel_for}<It>}.
 \end{itemize}
 
+\pnum
+\hardexpects
+If \tcode{extent} is not equal to \tcode{dynamic_extent},
+then \tcode{(last - first) == extent} is \tcode{true}.
+
 \pnum
 \effects
 Initializes \exposid{data_} with \tcode{to_address(first)} and
@@ -19309,14 +19325,17 @@
 \pnum
 \expects
 \begin{itemize}
-\item If \tcode{extent} is not equal to \tcode{dynamic_extent},
-then \tcode{ranges::size(r)} is equal to \tcode{extent}.
 \item \tcode{R} models \tcode{ranges::\libconcept{contiguous_range}} and
 \tcode{ranges::\libconcept{sized_range}}.
 \item If \tcode{is_const_v<element_type>} is \tcode{false},
 \tcode{R} models \tcode{ranges::\libconcept{borrowed_range}}.
 \end{itemize}
 
+\pnum
+\hardexpects
+If \tcode{extent} is not equal to \tcode{dynamic_extent},
+then \tcode{ranges::size(r) == extent} is \tcode{true}.
+
 \pnum
 \effects
 Initializes \exposid{data_} with \tcode{ranges::data(r)} and
@@ -19338,9 +19357,9 @@
 \tcode{is_const_v<element_type>} is \tcode{true}.
 
 \pnum
-\expects
-If \tcode{extent} is not equal to \tcode{dynamic_extent}, then
-\tcode{il.size()} is equal to \tcode{extent}.
+\hardexpects
+If \tcode{extent} is not equal to \tcode{dynamic_extent},
+then \tcode{il.size() == extent} is \tcode{true}.
 
 \pnum
 \effects
@@ -19378,9 +19397,9 @@
 \end{itemize}
 
 \pnum
-\expects
+\hardexpects
 If \tcode{extent} is not equal to \tcode{dynamic_extent},
-then \tcode{s.size()} is equal to \tcode{extent}.
+then \tcode{s.size() == extent} is \tcode{true}.
 
 \pnum
 \effects
@@ -19450,7 +19469,7 @@
 \tcode{Count <= Extent} is \tcode{true}.
 
 \pnum
-\expects
+\hardexpects
 \tcode{Count <= size()} is \tcode{true}.
 
 \pnum
@@ -19470,7 +19489,7 @@
 \tcode{Count <= Extent} is \tcode{true}.
 
 \pnum
-\expects
+\hardexpects
 \tcode{Count <= size()} is \tcode{true}.
 
 \pnum
@@ -19494,7 +19513,7 @@
 is \tcode{true}.
 
 \pnum
-\expects
+\hardexpects
 \begin{codeblock}
 Offset <= size() && (Count == dynamic_extent || Count <= size() - Offset)
 \end{codeblock}
@@ -19525,7 +19544,7 @@
 
 \begin{itemdescr}
 \pnum
-\expects
+\hardexpects
 \tcode{count <= size()} is \tcode{true}.
 
 \pnum
@@ -19540,7 +19559,7 @@
 
 \begin{itemdescr}
 \pnum
-\expects
+\hardexpects
 \tcode{count <= size()} is \tcode{true}.
 
 \pnum
@@ -19556,7 +19575,7 @@
 
 \begin{itemdescr}
 \pnum
-\expects
+\hardexpects
 \begin{codeblock}
 offset <= size() && (count == dynamic_extent || count <= size() - offset)
 \end{codeblock}
@@ -19614,7 +19633,7 @@
 
 \begin{itemdescr}
 \pnum
-\expects
+\hardexpects
 \tcode{idx < size()} is \tcode{true}.
 
 \pnum
@@ -19648,7 +19667,7 @@
 
 \begin{itemdescr}
 \pnum
-\expects
+\hardexpects
 \tcode{empty()} is \tcode{false}.
 
 \pnum
@@ -19667,7 +19686,7 @@
 
 \begin{itemdescr}
 \pnum
-\expects
+\hardexpects
 \tcode{empty()} is \tcode{false}.
 
 \pnum
@@ -23834,17 +23853,16 @@
 
 \pnum
 \expects
-\begin{itemize}
-\item
-For each rank index \tcode{r} of \tcode{extents_type},
-\tcode{static_extent(r) == dynamic_extent || static_extent(r) == other.extent(r)}
-is \tcode{true}.
-\item
 $[0, \tcode{\exposid{map_}.required_span_size()})$ is
 an accessible range of \exposid{ptr_} and \exposid{acc_}
 for values of \exposid{ptr_}, \exposid{map_}, and \exposid{acc_}
 after the invocation of this constructor.
-\end{itemize}
+
+\pnum
+\hardexpects
+For each rank index \tcode{r} of \tcode{extents_type},
+\tcode{static_extent(r) == dynamic_extent || static_extent(r) == other.extent(r)}
+is \tcode{true}.
 
 \pnum
 \effects
@@ -23890,7 +23908,7 @@
 Let \tcode{I} be \tcode{extents_type::\exposid{index-cast}(std::move(indices))}.
 
 \pnum
-\expects
+\hardexpects
 \tcode{I} is a multidimensional index in \tcode{extents()}.
 \begin{note}
 This implies that

source/intro.tex

@@ -833,7 +833,8 @@
 \indextext{conformance requirements!library|)}
 
 \pnum
-Two kinds of implementations are defined: a \defnadj{hosted}{implementation} and a
+An implementation is either a
+\defnadj{hosted}{implementation} or a
 \defnadj{freestanding}{implementation}.
 A freestanding
 implementation is one in which execution may take place without the benefit of
@@ -845,6 +846,15 @@
 described in \ref{lex} through \ref{\lastcorechapter} and
 the subset of the library facilities described in \ref{compliance}.
 
+\pnum
+It is
+\impldef{whether the implementation is a hardened implementation}
+whether the implementation is a
+\defnadj{hardened}{implementation}.
+If it is a hardened implementation,
+violating a hardened precondition
+results in a contract violation\iref{structure.specifications}.
+
 \pnum
 An implementation is encouraged to document its limitations in
 the size or complexity of the programs it can successfully process,

source/lib-intro.tex

@@ -370,15 +370,33 @@
 
 \item
 \expects
-the conditions
-that the function assumes to hold whenever it is called;
+conditions that the function assumes to hold whenever it is called;
 violation of any preconditions results in undefined behavior.
 \begin{example}
 An implementation can express some such conditions
 via the use of a contract assertion,
 such as a precondition assertion\iref{dcl.contract.func}.
 \end{example}
 
+\item
+\hardexpects
+conditions that the function assumes to hold whenever it is called.
+\begin{itemize}
+\item
+When invoking the function in a hardened implementation,
+prior to any other observable side effects of the function,
+one or more contract assertions
+whose predicates are as described in the hardened precondition
+are evaluated with a checking semantic\iref{basic.contract.eval}.
+If any of these assertions is evaluated with a non-terminating semantic
+and the contract-violation handler returns,
+the program has undefined behavior.
+\item
+When invoking the function in a non-hardened implementation,
+if any hardened precondition is violated,
+the program has undefined behavior.
+\end{itemize}
+
 \item
 \effects
 the actions performed by the function.
@@ -434,9 +452,18 @@
 If \tcode{F}'s semantics specifies any \Fundescx{Constraints} or \Fundescx{Mandates} elements,
 then those requirements are logically imposed prior to the \term{equivalent-to} semantics.
 Next, the semantics of the code sequence are determined by the
-\Fundescx{Constraints}, \Fundescx{Mandates}, \Fundescx{Preconditions}, \Fundescx{Effects},
-\Fundescx{Synchronization}, \Fundescx{Postconditions}, \Fundescx{Returns}, \Fundescx{Throws},
-\Fundescx{Complexity}, \Fundescx{Remarks}, and \Fundescx{Error conditions}
+\Fundescx{Constraints},
+\Fundescx{Mandates},
+\Fundescx{Preconditions},
+\Fundescx{Hardened preconditions},
+\Fundescx{Effects},
+\Fundescx{Synchronization},
+\Fundescx{Postconditions},
+\Fundescx{Returns},
+\Fundescx{Throws},
+\Fundescx{Complexity},
+\Fundescx{Remarks}, and
+\Fundescx{Error conditions}
 specified for the function invocations contained in the code sequence.
 The value returned from \tcode{F} is specified by \tcode{F}'s \Fundescx{Returns} element,
 or if \tcode{F} has no \Fundescx{Returns} element,

source/macros.tex

@@ -366,6 +366,7 @@
 \newcommand{\constraints}{\Fundesc{Constraints}}
 \newcommand{\mandates}{\Fundesc{Mandates}}
 \newcommand{\expects}{\Fundesc{Preconditions}}
+\newcommand{\hardexpects}{\Fundesc{Hardened preconditions}}
 \newcommand{\effects}{\Fundesc{Effects}}
 \newcommand{\ensures}{\Fundesc{Postconditions}}
 \newcommand{\returns}{\Fundesc{Returns}}

source/numerics.tex

@@ -7581,7 +7581,7 @@
 
 \begin{itemdescr}
 \pnum
-\expects
+\hardexpects
 \tcode{n < size()} is \tcode{true}.
 
 \pnum