9 Declarations [dcl.dcl]

9.11 Attributes [dcl.attr]

9.11.4 Contract attributes [dcl.attr.contract]

9.11.4.3 Checking contracts [dcl.attr.contract.check]

If the contract-level of a contract-attribute-specifier is absent, it is assumed to be default.
[Note
:
A default contract-level is expected to be used for those contracts where the cost of run-time checking is assumed to be small (or at least not expensive) compared to the cost of executing the function.
An audit contract-level is expected to be used for those contracts where the cost of run-time checking is assumed to be large (or at least significant) compared to the cost of executing the function.
An axiom contract-level is expected to be used for those contracts that are formal comments and are not evaluated at run-time.
end note
]
[Note
:
Multiple contract conditions may be applied to a function type with the same or different contract-levels.
[Example
:
int z;

bool is_prime(int k);

void f(int x)
  [[expects: x > 0]]
  [[expects audit: is_prime(x)]]
  [[ensures: z > 10]]
{
  /* ... */
}
end example
]
end note
]
A translation may be performed with one of the following build levels: off, default, or audit.
A translation with build level set to off performs no checking for any contract.
A translation with build level set to default performs checking for default contracts.
A translation with build level set to audit performs checking for default and audit contracts.
If no build level is explicitly selected, the build level is default.
The mechanism for selecting the build level is implementation-defined.
The translation of a program consisting of translation units where the build level is not the same in all translation units is conditionally-supported.
There should be no programmatic way of setting, modifying, or querying the build level of a translation unit.
During constant expression evaluation, only predicates of checked contracts are evaluated.
In other contexts, it is unspecified whether the predicate for a contract that is not checked under the current build level is evaluated; if the predicate of such a contract would evaluate to false, the behavior is undefined.
The violation handler of a program is a function of type “noexcept function of (lvalue reference to const std::contract_­violation) returning void”, and is specified in an implementation-defined manner.
The violation handler is invoked when the predicate of a checked contract evaluates to false (called a contract violation).
There should be no programmatic way of setting or modifying the violation handler.
It is implementation-defined how the violation handler is established for a program and how the std​::​contract_­violation argument value is set, except as specified below.
If a precondition is violated, the source location of the violation is implementation-defined.
[Note
:
Implementations are encouraged but not required to report the caller site.
end note
]
If a postcondition is violated, the source location of the violation is the source location of the function definition.
If an assertion is violated, the source location of the violation is the source location of the statement to which the assertion is applied.
If a violation handler exits by throwing an exception and a contract is violated on a call to a function with a non-throwing exception specification, then the behavior is as if the exception escaped the function body.
[Note
:
The function std​::​terminate is invoked.
end note
]
[Example
:
void f(int x) noexcept [[expects: x > 0]];

void g() {
  f(0);                                         // std​::​terminate() if violation handler throws
  /* ... */
}
end example
]
A translation may be performed with one of the following violation continuation modes: off or on.
A translation with violation continuation mode set to off terminates execution by invoking the function std::terminate ([except.terminate]) after completing the execution of the violation handler.
A translation with a violation continuation mode set to on continues execution after completing the execution of the violation handler.
If no continuation mode is explicitly selected, the default continuation mode is off.
[Note
:
A continuation mode set to on provides the opportunity to install a logging handler to instrument a pre-existing code base and fix errors before enforcing checks.
end note
]
[Example
:
void f(int x) [[expects: x > 0]];

void g() {
  f(0);         // std​::​terminate() after handler if continuation mode is off;
                // proceeds after handler if continuation mode is on
  /* ... */
}
end example
]