In [1]:
#include "../common.hpp"

<h1>Table of Contents<span class="tocSkip"></span></h1>
<div class="toc" style="margin-top: 1em;"><ul class="toc-item"><li><span><a href="#Contracts" data-toc-modified-id="Contracts-1"><span class="toc-item-num">1&nbsp;&nbsp;</span>Contracts</a></span><ul class="toc-item"><li><span><a href="#History" data-toc-modified-id="History-1.1"><span class="toc-item-num">1.1&nbsp;&nbsp;</span>History</a></span></li><li><span><a href="#Preconditions" data-toc-modified-id="Preconditions-1.2"><span class="toc-item-num">1.2&nbsp;&nbsp;</span>Preconditions</a></span><ul class="toc-item"><li><span><a href="#operator[]()-and-at()" data-toc-modified-id="operator[]()-and-at()-1.2.1"><span class="toc-item-num">1.2.1&nbsp;&nbsp;</span><code>operator[]()</code> and <code>at()</code></a></span></li><li><span><a href="#Basic-Interface-Preconditions" data-toc-modified-id="Basic-Interface-Preconditions-1.2.2"><span class="toc-item-num">1.2.2&nbsp;&nbsp;</span>Basic Interface Preconditions</a></span></li></ul></li><li><span><a href="#Postconditions" data-toc-modified-id="Postconditions-1.3"><span class="toc-item-num">1.3&nbsp;&nbsp;</span>Postconditions</a></span><ul class="toc-item"><li><span><a href="#Basic-Interface-Postconditions" data-toc-modified-id="Basic-Interface-Postconditions-1.3.1"><span class="toc-item-num">1.3.1&nbsp;&nbsp;</span>Basic Interface Postconditions</a></span><ul class="toc-item"><li><span><a href="#Lifetime-of-reference-results" data-toc-modified-id="Lifetime-of-reference-results-1.3.1.1"><span class="toc-item-num">1.3.1.1&nbsp;&nbsp;</span>Lifetime of reference results</a></span></li><li><span><a href="#Exception-Guarantees" data-toc-modified-id="Exception-Guarantees-1.3.1.2"><span class="toc-item-num">1.3.1.2&nbsp;&nbsp;</span>Exception Guarantees</a></span></li></ul></li></ul></li><li><span><a href="#Invariants" data-toc-modified-id="Invariants-1.4"><span class="toc-item-num">1.4&nbsp;&nbsp;</span>Invariants</a></span></li></ul></li></ul></div>

# Contracts
## History

- _Design by contract_ comes from Bertrand Meyer's work on the Eiffel programming language
- Described in his book [Object-Oriented Software Construction](https://en.wikipedia.org/wiki/Object-Oriented_Software_Construction)
- The work builds on _Hoare logic_ and Dijkstra's _predicate transformer semantics_.
- Hoare logic is also known as _Floyd-Hoare logic_, Floyd being Robert Floyd who was Jim King's advisor

- A contract describes:
    - Operation pre- and postconditions
    - Class invariants
        - Class invariants are postconditions common to all operations on a class
        
- A contract is a _Hoare triple_
    - Expectation (precondition)
    - Guarantee (postcondition)
    - Maintains (invariants)

## Preconditions
- The preconditions of a function are what the function expects
    - Violation of a precondition is undefined behavior
    - A precondition can not be tested
    - _Some_ preconditions may be _asserted_ by the function
- It is not practical to assert all preconditions
    - Examples of preconditions which are impractical to test
        - A pair of pointers specify a valid range
        - A comparison function defines a strict-weak-ordering
### `operator[]()` and `at()`
- `vector::operator[]()` has _strong_ preconditions
    - If the index is out of range, behavior is undefined
    - You cannot test behavior for an out-of-range index
- `vector::at()` has _weaker_ preconditions
    - If the index is out of range it will throw `std::out_of_range`
    

In [None]:
template <typename T>
void test_indexing(T& x) {
    x.at
    
    const T& cx = x;
}

In [5]:
{
    vector<int> x{0, 1, 2};
    REQUIRE_THROWS_AS(x.at(2), std::out_of_range);
}

FAILED: REQUIRE_THROWS_AS(x.at(2))


### Basic Interface Preconditions
## Postconditions
### Basic Interface Postconditions
#### Lifetime of reference results
- A member function returning a reference to a _part_ of the object is valid until:
    - a mutable (non-const) member function call
    - or, the end of the objects lifetime
#### Exception Guarantees
## Invariants