Add contracts docs for order-of-evaluation and contract predicates

BOOTSTRAP NOTE FOR CONTRIBUTORS: After taking this commit, just remember to build cppfront from the Cpp1 sources first as usual (see https://hsutter.github.io/cppfront/#how-do-i-get-and-build-cppfront ). Then you'll be able to compile the updated reflect.h2 in this commit just fine.

Renamed the provided contract groups to lowercase descriptive names; e.g., Type -> type_safety
Closes #1018

Renamed .has_handler to .is_active, which makes more sense for contract groups that don't have replaceable handlers

Reordered violation test to check predicates first, before grp.is_active

Author: hsutter

docs/cpp2/contracts.md

@@ -15,13 +15,23 @@ Notes:
 
 - Optionally, `condition` may be followed by `, "message"`, a message to include if a violation occurs. For example, `pre(condition, "message")`.
 
-- Optionally, a `<Group>` can be written inside `<` `>` angle brackets immediately before the `(`, to designate that this test is part of the [contract group](#contract-groups) named `Group`. If a violation occurs, `Group.report_violation()` will be called. For example, `pre<Group>(condition)`.
+- Optionally, a `<group, pred1, pred2>` can be written inside `<` `>` angle brackets immediately before the `(`, to designate that this test is part of the [contract group](#groups) named `group` and (also optionally) [contract predicates](#predicates) `pred1` and `pred2. If a violation occurs, `Group.report_violation()` will be called. For example, `pre<group>(condition)`.
+
+The order of evaluation is:
+
+- First, predicates are evaluated in order. If any predicte evaluates to `#!cpp false`, stop.
+
+- Next, `group.is_active()` is evaluated. If that evaluates to `#!cpp false`, stop.
+
+- Next, `condition` is evaluated. If that evaluates to `#!cpp true`, stop.
+
+- Finally, if all the predicates were true and the group is active and the condition was false, `group.report_violation()` is called.
 
 For example:
 
 ``` cpp title="Precondition and postcondition examples" hl_lines="2 3"
 insert_at: (container, where: int, val: int)
-    pre<Bounds>( 0 <= where <= vec.ssize(), "position (where)$ is outside 'val'" )
+    pre<bounds>( 0 <= where <= vec.ssize(), "position (where)$ is outside 'val'" )
     post       ( container.ssize() == container.ssize()$ + 1 )
 = {
     _ = container.insert( container.begin()+where, val );
@@ -37,27 +47,31 @@ In this example:
 - The postcondition is part of the `Default` safety contract group.  If the check fails, then `#!cpp cpp2::Default.report_violation()` is called.
 
 
-## <a id="contract-groups"></a> Contract groups
+## <a id="groups"></a> Contract groups
+
+Contract groups are useful to enable or disable or [set custom handlers](#violation-handlers) independently for different groups of contracts. A contract group `grp` is just the name of an object that can be called with:
 
-Contract groups are useful to enable or disable or [set custom handlers](#violation-handlers) independently for different groups of contracts. A contract group `G` is just the name of an object that can be called with `G.report_violation()` and `G.report_violation(message)`, where `message` is a `* const char` C-style text string.
+- `grp.report_violation()` and `grp.report_violation(message)`, where `message` is a `* const char` C-style text string
+
+- `grp.is_active()`, which returns `#!cpp true` if and only if the group is enabled
 
 You can create new contract groups just by creating new objects that have a `.report_violation` function. The object's name is the contract group's name. The object can be at any scope: local, global, or heap.
 
 For example, here are some ways to use contract groups, for convenience using [`cpp2::contract_group`](#violation_handlers) which is a convenient group type:
 
 ``` cpp title="Using contract groups" hl_lines="1 4 6 10-12"
-GroupA: cpp2::contract_group = ();          // a global group
+group_a: cpp2::contract_group = ();          // a global group
 
 func: () = {
-    GroupB: cpp2::contract_group = ();      // a local group
+    group_b: cpp2::contract_group = ();      // a local group
 
-    GroupC := new<cpp2::contract_group>();  // a dynamically allocated group
+    group_c := new<cpp2::contract_group>();  // a dynamically allocated group
 
     // ...
 
-    assert<GroupA >( some    && condition );
-    assert<GroupB >( another && condition );
-    assert<GroupC*>( another && condition );
+    assert<group_a >( some    && condition );
+    assert<group_g >( another || condition );
+    assert<group_c*>( another && condition );
 }
 ```
 
@@ -81,6 +95,36 @@ function_declaration: @copyable type =
 ```
 
 
+## <a id="predicates"></a> Contract predicates
+
+Contract predicates are useful to conditionally check specific contracts as a static or dynamic property. Importantly, if any predicate is `#!cpp false`, the check's conditional expression will not be evaluated.
+
+For example:
+
+``` cpp title="Using contract predicates" hl_lines="1 3 4 7"
+is_checked_build: bool == SEE_BUILD_FLAG;   // a static (compile-time) predicate
+
+checking_enabled: bool =  /*...*/ ;         // a dynamic (run-time) predicate,
+                                            // could change as the program runs
+
+func: () = {
+    assert<audit, is_checked_build, checking_enabled>( condition );
+}
+```
+
+In this example, the order of evaluation is:
+
+- `is_checked_build` is evaluated. Since it is a compile-time value, the evaluation can happen at compile time. If it evaluates to `#!cpp false`, then stop; the entire contract could be optimized away by the compiler.
+
+- Otherwise, next `checking_enabled` is evaluated at run time. If it evaluates to `#!cpp false`, then stop.
+
+- Otherwise, next `audit.is_active()` is evaluated. If it evaluates to `#!cpp false`, then stop.
+
+- Otherwise, next `condition` is evaluated. If it evaluates to `#!cpp true`, then stop.
+
+- Otherwise, `audit.report_violation()` is called.
+
+
 ## <a id="violation-handlers"></a> `cpp2::contract_group`, and customizable violation handling
 
 The contract group object could also provide additional functionality. For example, Cpp2 comes with the `cpp2::contract_group` type which allows installing a customizable handler for each object. Each object can only have one handler at a time, but the handler can change during the course of the program. `contract_group` supports:
@@ -89,34 +133,35 @@ The contract group object could also provide additional functionality. For examp
 
 - `.get_handler()` returns the current handler function pointer, or null if none is installed.
 
-- `.has_handler()` returns whether there is a current handler installed.
+- `.is_active()` returns whether there is a current handler installed.
 
 - `.enforce(condition, message)` evaluates `condition`, and if it is `false` then calls `.report_violation(message)`.
 
 Cpp2 comes with five predefined `contract group` global objects in namespace `cpp2`:
 
-- `Default`, which is used as the default contract group for contracts that don't specify a group.
+- `default`, which is used as the default contract group for contracts that don't specify a group.
 
-- `Type` for type safety checks.
+- `type_safety` for type safety checks.
 
-- `Bounds` for bounds safety checks.
+- `bounds_safety` for bounds safety checks.
 
-- `Null` for null safety checks.
+- `null_safety` for null safety checks.
 
-- `Testing` for general test checks.
+- `testing` for general test checks.
 
 For these groups, the default handler is `cpp2::report_and_terminate`, which prints information about the violation to `std::cerr` and then calls `std::terminate()`. But you can customize it to do anything you want, including to integrate with any third-party or in-house error reporting system your project is already using. For example:
 
-``` cpp title="Example of customized contract violation handler" hl_lines="2 8-9"
+``` cpp title="Example of customized contract violation handler" hl_lines="2 8-9 17"
 main: () -> int = {
-    cpp2::Default.set_handler(call_my_framework&);
-    assert<Default>(false, "this is a test, this is only a test");
+    cpp2::default.set_handler(call_my_framework&);
+    assert<default>(false, "this is a test, this is only a test");
     std::cout << "done\n";
 }
 
 call_my_framework: (msg: * const char) = {
     //  You can do anything you like here, including arbitrary work
-    //  and integration with your current error reporting libraries
+    //  and integration with your current error reporting libraries,
+    //  log-and-continue, throw an exception, whatever is wanted...
     std::cout
         << "sending error to my framework... ["
         << msg << "]\n";

include/cpp2util.h

@@ -409,8 +409,7 @@ class contract_group {
 
     constexpr contract_group  (handler h = {}) : reporter{h} { }
     constexpr auto set_handler(handler h = {}) { reporter = h; }
-    constexpr auto get_handler() const -> handler { return reporter; }
-    constexpr auto has_handler() const -> bool    { return reporter != handler{}; }
+    constexpr auto is_active  () const -> bool    { return reporter != handler{}; }
 
     constexpr auto enforce(bool b, CPP2_MESSAGE_PARAM msg = "" CPP2_SOURCE_LOCATION_PARAM_WITH_DEFAULT)
                                           -> void { if (!b) report_violation(msg CPP2_SOURCE_LOCATION_ARG); }
@@ -435,27 +434,27 @@ class contract_group {
     std::terminate();
 }
 
-auto inline Default = contract_group(
+auto inline cpp2_default = contract_group(
     [](CPP2_MESSAGE_PARAM msg CPP2_SOURCE_LOCATION_PARAM)noexcept {
         report_and_terminate("Contract",      msg CPP2_SOURCE_LOCATION_ARG);
     }
 );
-auto inline Bounds  = contract_group(
+auto inline bounds_safety = contract_group(
     [](CPP2_MESSAGE_PARAM msg CPP2_SOURCE_LOCATION_PARAM)noexcept {
         report_and_terminate("Bounds safety", msg CPP2_SOURCE_LOCATION_ARG);
     }
 );
-auto inline Null    = contract_group(
+auto inline null_safety = contract_group(
     [](CPP2_MESSAGE_PARAM msg CPP2_SOURCE_LOCATION_PARAM)noexcept {
         report_and_terminate("Null safety",   msg CPP2_SOURCE_LOCATION_ARG);
     }
 );
-auto inline Type    = contract_group(
+auto inline type_safety = contract_group(
     [](CPP2_MESSAGE_PARAM msg CPP2_SOURCE_LOCATION_PARAM)noexcept {
         report_and_terminate("Type safety",   msg CPP2_SOURCE_LOCATION_ARG);
     }
 );
-auto inline Testing = contract_group(
+auto inline testing = contract_group(
     [](CPP2_MESSAGE_PARAM msg CPP2_SOURCE_LOCATION_PARAM)noexcept {
         report_and_terminate("Testing",       msg CPP2_SOURCE_LOCATION_ARG);
     }
@@ -496,28 +495,28 @@ auto assert_not_null(auto&& arg CPP2_SOURCE_LOCATION_PARAM_WITH_DEFAULT) -> decl
     //        STL iterator has the default-constructed value. So use it only for raw *...
     if constexpr (std::is_pointer_v<CPP2_TYPEOF(arg)>) {
         if (arg == CPP2_TYPEOF(arg){}) {
-            Null.report_violation("dynamic null dereference attempt detected" CPP2_SOURCE_LOCATION_ARG);
+            null_safety.report_violation("dynamic null dereference attempt detected" CPP2_SOURCE_LOCATION_ARG);
         };
     }
     else if constexpr (UniquePtr<CPP2_TYPEOF(arg)>) {
         if (!arg) {
-            Null.report_violation("std::unique_ptr is empty" CPP2_SOURCE_LOCATION_ARG);
+            null_safety.report_violation("std::unique_ptr is empty" CPP2_SOURCE_LOCATION_ARG);
         }
     }
     else if constexpr (SharedPtr<CPP2_TYPEOF(arg)>) {
         if (!arg) {
-            Null.report_violation("std::shared_ptr is empty" CPP2_SOURCE_LOCATION_ARG);
+            null_safety.report_violation("std::shared_ptr is empty" CPP2_SOURCE_LOCATION_ARG);
         }
     }
     else if constexpr (Optional<CPP2_TYPEOF(arg)>) {
         if (!arg.has_value()) {
-            Null.report_violation("std::optional does not contain a value" CPP2_SOURCE_LOCATION_ARG);
+            null_safety.report_violation("std::optional does not contain a value" CPP2_SOURCE_LOCATION_ARG);
         }
     }
 #ifdef __cpp_lib_expected
     else if constexpr (Expected<CPP2_TYPEOF(arg)>) {
         if (!arg.has_value()) {
-            Null.report_violation("std::expected has an unexpected value" CPP2_SOURCE_LOCATION_ARG);
+            null_safety.report_violation("std::expected has an unexpected value" CPP2_SOURCE_LOCATION_ARG);
         }
     }
 #endif
@@ -543,7 +542,7 @@ auto assert_not_null(auto&& arg CPP2_SOURCE_LOCATION_PARAM_WITH_DEFAULT) -> decl
         msg += "but container is empty"; \
     } \
     if (!(0 <= arg && arg < max())) { \
-        Bounds.report_violation(msg.c_str()  CPP2_SOURCE_LOCATION_ARG); \
+        bounds_safety.report_violation(msg.c_str()  CPP2_SOURCE_LOCATION_ARG); \
     } \
     return CPP2_FORWARD(x) [ arg ]; \
 }
@@ -591,7 +590,7 @@ auto assert_in_bounds(auto&& x, auto&& arg CPP2_SOURCE_LOCATION_PARAM_WITH_DEFAU
     if (msg) {
         err += " and the message \"" + msg + "\"";
     }
-    Type.report_violation( err );
+    type_safety.report_violation( err );
     std::terminate();
 #else
     throw CPP2_FORWARD(x);
@@ -609,7 +608,7 @@ inline auto Uncaught_exceptions() -> int {
 template<typename T>
 auto Dynamic_cast( [[maybe_unused]] auto&& x ) -> decltype(auto) {
 #ifdef CPP2_NO_RTTI
-    Type.report_violation( "'as' dynamic casting is disabled with -fno-rtti" );
+    type_safety.report_violation( "'as' dynamic casting is disabled with -fno-rtti" );
     return nullptr;
 #else
     return dynamic_cast<T>(CPP2_FORWARD(x));
@@ -619,15 +618,15 @@ auto Dynamic_cast( [[maybe_unused]] auto&& x ) -> decltype(auto) {
 template<typename T>
 auto Typeid() -> decltype(auto) {
 #ifdef CPP2_NO_RTTI
-    Type.report_violation( "'any' dynamic casting is disabled with -fno-rtti" );
+    type_safety.report_violation( "'any' dynamic casting is disabled with -fno-rtti" );
 #else
     return typeid(T);
 #endif
 }
 
 auto Typeid( [[maybe_unused]] auto&& x ) -> decltype(auto) {
 #ifdef CPP2_NO_RTTI
-    Type.report_violation( "'typeid' is disabled with -fno-rtti" );
+    type_safety.report_violation( "'typeid' is disabled with -fno-rtti" );
 #else
     return typeid(CPP2_FORWARD(x));
 #endif
@@ -743,9 +742,9 @@ class deferred_init {
 public:
     deferred_init() noexcept       { }
    ~deferred_init() noexcept       { destroy(); }
-    auto value()    noexcept -> T& { Default.enforce(init);  return t(); }
+    auto value()    noexcept -> T& { cpp2_default.enforce(init);  return t(); }
 
-    auto construct(auto&& ...args) -> void { Default.enforce(!init);  new (&data) T{CPP2_FORWARD(args)...};  init = true; }
+    auto construct(auto&& ...args) -> void { cpp2_default.enforce(!init);  new (&data) T{CPP2_FORWARD(args)...};  init = true; }
 };
 
 
@@ -765,9 +764,9 @@ class out {
     bool called_construct_ = false;
 
 public:
-    out(T*                 t_) noexcept :  t{ t_}, has_t{true}       { Default.enforce( t); }
-    out(deferred_init<T>* dt_) noexcept : dt{dt_}, has_t{false}      { Default.enforce(dt); }
-    out(out<T>*           ot_) noexcept : ot{ot_}, has_t{ot_->has_t} { Default.enforce(ot);
+    out(T*                 t_) noexcept :  t{ t_}, has_t{true}       { cpp2_default.enforce( t); }
+    out(deferred_init<T>* dt_) noexcept : dt{dt_}, has_t{false}      { cpp2_default.enforce(dt); }
+    out(out<T>*           ot_) noexcept : ot{ot_}, has_t{ot_->has_t} { cpp2_default.enforce(ot);
         if (has_t) {  t = ot->t;  }
         else       { dt = ot->dt; }
     }
@@ -781,7 +780,7 @@ class out {
     //  then leave it in the same state on exit (strong guarantee)
     ~out() {
         if (called_construct() && uncaught_count != Uncaught_exceptions()) {
-            Default.enforce(!has_t);
+            cpp2_default.enforce(!has_t);
             dt->destroy();
             called_construct() = false;
         }
@@ -790,21 +789,21 @@ class out {
     auto construct(auto&& ...args) -> void {
         if (has_t || called_construct()) {
             if constexpr (requires { *t = T(CPP2_FORWARD(args)...); }) {
-                Default.enforce( t );
+                cpp2_default.enforce( t );
                 *t = T(CPP2_FORWARD(args)...);
             }
             else {
-                Default.report_violation("attempted to copy assign, but copy assignment is not available");
+                cpp2_default.report_violation("attempted to copy assign, but copy assignment is not available");
             }
         }
         else {
-            Default.enforce( dt );
+            cpp2_default.enforce( dt );
             if (dt->init) {
                 if constexpr (requires { *t = T(CPP2_FORWARD(args)...); }) {
                     dt->value() = T(CPP2_FORWARD(args)...);
                 }
                 else {
-                    Default.report_violation("attempted to copy assign, but copy assignment is not available");
+                    cpp2_default.report_violation("attempted to copy assign, but copy assignment is not available");
                 }
             }
             else {
@@ -816,11 +815,11 @@ class out {
 
     auto value() noexcept -> T& {
         if (has_t) {
-            Default.enforce( t );
+            cpp2_default.enforce( t );
             return *t;
         }
         else {
-            Default.enforce( dt );
+            cpp2_default.enforce( dt );
             return dt->value();
         }
     }
@@ -1251,7 +1250,7 @@ auto as(X const& x CPP2_SOURCE_LOCATION_PARAM_WITH_DEFAULT) -> decltype(auto) {
     }
     //  Signed/unsigned conversions to a not-smaller type are handled as a precondition,
     //  and trying to cast from a value that is in the half of the value space that isn't
-    //  representable in the target type C is flagged as a Type safety contract violation
+    //  representable in the target type C is flagged as a type_safety contract violation
     else if constexpr (
         std::is_integral_v<C> &&
         std::is_integral_v<CPP2_TYPEOF(x)> &&
@@ -1260,7 +1259,7 @@ auto as(X const& x CPP2_SOURCE_LOCATION_PARAM_WITH_DEFAULT) -> decltype(auto) {
     )
     {
         const C c = static_cast<C>(x);
-        Type.enforce(   // precondition check: must be round-trippable => not lossy
+        type_safety.enforce(   // precondition check: must be round-trippable => not lossy
             static_cast<CPP2_TYPEOF(x)>(c) == x && (c < C{}) == (x < CPP2_TYPEOF(x){}),
             "dynamic lossy narrowing conversion attempt detected" CPP2_SOURCE_LOCATION_ARG
         );

regression-tests/mixed-bounds-safety-with-assert-2.cpp2

@@ -9,8 +9,8 @@ main: () -> int = {
 
 add_42_to_subrange: (inout rng:_, start:int, end:int)
 = {
-    assert<Bounds>( 0 <= start );
-    assert<Bounds>( end <= rng.ssize() );
+    assert<bounds_safety>( 0 <= start );
+    assert<bounds_safety>( end <= rng.ssize() );
 
     count := 0;
     for  rng

regression-tests/mixed-bounds-safety-with-assert.cpp2

@@ -7,8 +7,8 @@ main: () -> int = {
 }
 
 print_subrange: (rng:_, start:int, end:int) = {
-    assert<Bounds>( 0 <= start );
-    assert<Bounds>( end <= rng.ssize() );
+    assert<bounds_safety>( 0 <= start );
+    assert<bounds_safety>( end <= rng.ssize() );
 
     count := 0;
     for  rng

regression-tests/mixed-lifetime-safety-and-null-contracts.cpp2

@@ -4,7 +4,7 @@
 #include <string>
 
 main: () -> int = {
-    cpp2::Null.set_handler(call_my_framework&);
+    cpp2::null_safety.set_handler(call_my_framework&);
     try_pointer_stuff();
     std::cout << "done\n";
 }