Noexcept: Enabling Testing of Contract Checks
Noexcept? Enabling Testing of Contract Checks Pablo Halpern and Timur Doumler This work by Pablo Halpern & Timur Doumler is licensed under a Creative Commons Attribution 4.0 International License contracts require good enforcement. • Contract checks help catch bugs early in the process. • Observation: Good enforcement requires good oversight. • Contract checks should themselves be tested. 4-Oct-23 Pablo slower • Only works on some specific platforms TakeawaysAgenda 2 – Let's Go Deeper • Contract checks and testing in depth • noexcept in depth • Best practices • A proposed noexcept alternative without
0 points | 90 pages | 1.38 MB | 5 months ago

Code Analysis++
intended Documented ReviewsReliability Efficiency Security Maintainability SizeHigh quality software is cheaper to produce! –Developer FrustrationFrustration Points Major % Managing libraries NULL pointers, part 1: https://lwn.net/Articles/342330/Why code analysis – ● Improve software quality ● Lower developer frustration ● Avoid UBLanguageLanguage helps! – ● Lifetime safety: http://wg21 version Set of checks is defined by compiler vendor Custom checks are possible Standard to everyone Depends on the toolToolingWhat do you use for guideline enforcement or other code quality/analysis? –Code
0 points | 61 pages | 2.70 MB | 5 months ago

2020: The Year of Sanitizers?
looking to improve their code, whether to modernize it or to find hidden bugs with its built-in checks. Static analysis is great, but you also get tons of false positives. Now that you’re hooked Core Guidelines Checker docs.microsoft.com/en-us/cpp/code-quality/quick-start-code-analysis-for-c-cpp docs.microsoft.com/en-us/cpp/code-quality/code-analysis-for-cpp-corecheck devblogs.microsoft.com/ Victor Ciura | @ciura_victor - 2020: The Year of Sanitizers? docs.microsoft.com/en-us/cpp/code-quality/code-analysis-for-cpp-corecheck ...17 2020 Victor Ciura | @ciura_victor - 2020: The Year of
0 points | 135 pages | 27.77 MB | 5 months ago

Delivering safe C++
everywhere at run time” is not an acceptable answer • Hygiene rules + Static analysis + Run-time checks Stroustrup - C++ safety -CppCon - October 2023 36 Not discussed in this talkUninitialized variables p) { if (p) *p = 7; } // OK • void f2(not_nullp) { *p = 7; } // OK (not_null constructor checks) • void f3(span s) { s[2] = 2; } // OK (for checked span) • Except in the implementation of • Serious design constraint • There are billions of lines of C++ • Much critical • Much high quality • Gradual adoption is essential • Partial adoption is essential (“safety critical code only”) •
0 points | 74 pages | 2.72 MB | 5 months ago

Building Safe and Reliable Surgical Robotics with C++
Non-linear/indirect interactions between components or systems ❖ Demand for complex systems outpaces quality standards ❖ Perhaps less restrictive than automotive and avionic Think Safety Is Good Enough, 0.0 Enable run-time checks for stack-based buffer overflows. Can impact performance. -fno-delete-null-pointer-checks GCC 3.0.0, Clang 7.0.0 Force retention of null pointer checks -fno-strict-overflow Enable implicit conversion warnings -fstack-clash-protection GCC 8.0.0, Clang 11.0.0 Enable run-time checks for variable-size stack allocation validityCompiler Hardening 32 Prioritize Memory and type safety
0 points | 71 pages | 4.02 MB | 5 months ago

Peering Forward: C++'s Next Decade
) Key static safety rules Profiles: most known, “shift-left” to compile time Add dynamic safety checks as needed (e.g., bounds, null) Ty In Li Bo24 performance & control by default, safety always generation more safety profiles checks guarantees less undefined behavior37 more compile-time programming consteval reflection generation more safety profiles checks guarantees less undefined may not contain data members" ); } // etc. for other kinds of interface constraint checks } return ret; }50 interface An abstract class having only pure virtual functions polymorphic_base
0 points | 84 pages | 6.21 MB | 5 months ago

C++20 STL Features: 1 Year of Development on GitHub
can't modify elements • const spancan't be reassigned, can modify elements • MSVC's std::span checks debug; gsl::span always 22Contiguous Range Constructor • GH-142, GH-500, GH-587 implemented by preserving ABI • Every PR is extensively reviewed by 2 maintainers • Keeps code at production quality: always ready to ship • Helps the team understand the code and related features 32Code Review Philosophy an incredible amount of time • Our parallelize tool runs it quickly, only on C++ files • Failed checks display the edits that clang-format wants • Building all architectures is very fast • Testing x86/x64
0 points | 45 pages | 989.72 KB | 5 months ago

C++20 STL Features: 1 Year of Development on GitHub
can't modify elements • const spancan't be reassigned, can modify elements • MSVC's std::span checks debug; gsl::span always23 Contiguous Range Constructor • GH-142, GH-500, GH-587 implemented by preserving ABI • Every PR is extensively reviewed by 2 maintainers • Keeps code at production quality: always ready to ship • Helps the team understand the code and related features33 Code Review Philosophy an incredible amount of time • Our parallelize tool runs it quickly, only on C++ files • Failed checks display the edits that clang-format wants • Building all architectures is very fast • Testing x86/x64
0 points | 45 pages | 702.09 KB | 5 months ago

Quantifying Accidental Complexity: An empirical look at teaching and using C++
9/21/2020 1 Herb Sutter 4 We’re “paying taxes” all the time Productivity Correctness and quality Tooling Teaching, learning, hiring, training 2 4Quantifying Accidental Complexity: An empirical & Alexandrescu: C++ Coding Standards (in progress) PVS-Studio CERT: CERT standard checks Clang: clang-tidy checks Lockheed-Martin & Stroustrup: Joint Strike Fighter Air Vehicle coding std. for C++
0 points | 36 pages | 2.68 MB | 5 months ago

Conan 1.9 Documentation
called conan-center which is moderated, and packages are reviewed before being accepted to ensure quality. 1.3 Binary management One of the most powerful features of Conan is that it can manage pre-compiled command conan install . --settings os="Linux" --settings compiler="gcc", performs these steps: • Checks if the package recipe (for Poco/1.9.0@pocoproject/stable package) exists in the local cache. If we will be approved. Keep in mind that it is your responsibility to maintain acceptable standards of quality for all packages you submit for inclusion in conan-center. • If you are packaging a third-party
0 points | 470 pages | 3.05 MB | 1 year ago