1 ////////////////////////////////////////////////////////////////////////////////
4 // Copyright (c) 2008 Rich Sposato
5 // The copyright on this file is protected under the terms of the MIT license.
7 // Permission to use, copy, modify, distribute and sell this software for any
8 // purpose is hereby granted without fee, provided that the above copyright
9 // notice appear in all copies and that both that copyright notice and this
10 // permission notice appear in supporting documentation.
12 // The author makes no representations about the suitability of this software
13 // for any purpose. It is provided "as is" without express or implied warranty.
15 ////////////////////////////////////////////////////////////////////////////////
19 /// @file Checker.h This file provides Loki's Checker facility.
22 // ----------------------------------------------------------------------------
24 #ifndef LOKI_CHECKER_H_INCLUDED
25 #define LOKI_CHECKER_H_INCLUDED
27 #include <exception> // needed for calls to uncaught_exception.
34 /** @par ContractChecker and StaticChecker Overview
35 The ContractChecker and StaticChecker classes have two purposes:
36 - provide a mechanism by which programmers can determine which functions
37 violate class/data invariants,
38 - and determine which exception safety a function provides.
40 @par Class & Data Invariants
41 The ContractChecker and StaticChecker define invariants as "expressions that
42 are true for particular data". They uses a function which returns true if all
43 data are valid, and returns false if any datum is invalid. This is called the
44 validator function, and the host class or function provides a pointer to it.
45 The validator could also assert for any invariant which fails rather than
46 return false. If the validator is a static member function, you can use it
47 with checkers in any function, but especially standalone functions and class
48 static functions. If the validator is a non-static member function, you can
49 use it only within non-static member functions.
51 @par Exception Safety Levels
52 Years ago, David Abrahams formalized a framework for assessing the exception
53 safety level a function provides. His framework describes three levels of
54 guarantees. Any function which does not provide any of these levels is
55 considered unsafe. ContractChecker and StaticChecker determine a function's
56 safety level through the use of policy classes. Checker's policy classes can
57 show if a function provides any of these three guarantees. Since there is no
58 universal way to detect leaks, this facility provides no mechanism for finding
59 leaks, but users may create their own validators which do. StaticChecker's
60 policy classes only provide direct checking for the no-throw and invariant
61 guarantees. With some finesse, a programmer can write a validator for
62 StaticChecker that checks for the Strong guarantee.
64 - No-throw guarantee: A function will not throw any exceptions.
65 - Strong guarantee: A function will not change data if an exception occurs.
66 (Which I call the no-change guarantee.)
67 - Basic guarantee: A function will not leak resources and data will remain
68 in a valid state if an exception occurs. (Which I call either the no-leak
69 or no-break guarantee depending on context.)
72 // ----------------------------------------------------------------------------
74 /** @class CheckForNoThrow
76 @par Exception Safety Level:
77 This exception-checking policy class for ContractChecker asserts if an
78 exception exists. Host classes can use this to show that a member function
79 provides the no-throw exception safety guarantees.
81 @par Requirements For Host Class:
82 This policy imposes no requirements on a host class.
84 template < class Host >
89 inline explicit CheckForNoThrow( const Host * ) {}
91 inline bool Check( const Host * ) const
93 const bool okay = ( !::std::uncaught_exception() );
99 // ----------------------------------------------------------------------------
101 /** @class CheckForNoChange
103 @par Exception Safety Level:
104 This exception-checking policy class for ContractChecker asserts only if a
105 copy of the host differs from the host object when an exception occurs. Host
106 classes can use this policy to show which member functions provide the strong
110 This policy requires hosts to provide both the copy-constructor and the
111 equality operator, and is intended for classes with value semantics.
115 template < class Host >
116 class CheckForNoChange
120 inline explicit CheckForNoChange( const Host *host ) :
121 m_compare( *host ) {}
123 inline bool Check( const Host *host ) const
125 const bool okay = ( !::std::uncaught_exception() )
126 || ( m_compare == *host );
135 // ----------------------------------------------------------------------------
137 /** @class CheckForNoChangeOrThrow
139 @par Exception Safety Level:
140 This exception-checking policy class for ContractChecker asserts either if a
141 copy of the host differs from the original host object, or if an exception
142 occurs. Host classes can use this policy to show which member functions provide
143 the no-throw exception guarantee, and would never change data anyway.
145 @par Requirements For Host Class:
146 This policy requires hosts to provide both the copy-constructor and the
147 equality operator, and is intended for classes with value semantics.
150 template < class Host >
151 class CheckForNoChangeOrThrow
155 inline explicit CheckForNoChangeOrThrow( const Host *host ) :
156 m_compare( *host ) {}
158 inline bool Check( const Host *host ) const
160 bool okay = ( !::std::uncaught_exception() );
162 okay = ( m_compare == *host );
171 // ----------------------------------------------------------------------------
173 /** @class CheckForEquality
175 @par Exception Safety Level:
176 This exception-checking policy class for ContractChecker asserts if a copy of the host differs from the host object regardless of whether an exception occurs.
177 Host classes can use this policy to show which member functions never change
178 data members, and thereby provide the strong exception safety level by default.
180 @par Requirements For Host Class:
181 This policy requires hosts to provide both the copy-constructor and the
182 equality operator, and is intended for classes with value semantics.
185 template < class Host >
186 class CheckForEquality
190 inline explicit CheckForEquality( const Host *host ) :
191 m_compare( *host ) {}
193 inline bool Check( const Host *host ) const
195 const bool okay = ( m_compare == *host );
204 // ----------------------------------------------------------------------------
206 /** @class CheckForNothing
208 @par Exception Safety Level:
209 This exception-checking policy class for ContractChecker does nothing when
210 called. Host classes can use this to show which member functions provide
211 neither the strong nor no-throw exception guarantees. The best guarantee such
212 functions can provide is that nothing gets leaked.
214 @par Requirements For Host Class:
215 This policy imposes no requirements on a host class.
218 template < class Host >
219 class CheckForNothing
222 inline explicit CheckForNothing( const Host * ) {}
223 inline bool Check( const Host * ) const
229 // ----------------------------------------------------------------------------
231 /** @class ContractChecker
232 This class determines if a function violated any class invariant, but it also
233 determines if a function fulfills its contract with client code. In the
234 "Design by Contract" paradigm, each function has certain pre-conditions and
235 post-conditions which may differ from the class invariants. This asserts if a
236 check for an invariant fails as well as if any pre- or post-condition fails.
237 It also demonstrate which exception safety level a function provides.
240 -# Implement a function that checks each class invariant. The function must
241 have the signature similar to the Validator type. Something like:
242 "bool Host::IsValid( void ) const;"
243 - The function should return true if everything is okay, but false if
245 - Or it could assert if anything is wrong.
246 - Ideally, it should be private.
247 -# Implement similar functions to check for pre-conditions and post-conditions.
248 Functions which verify pre-conditions and post-conditions do not need to
249 check all class invariants, just conditions specific to certain public
250 functions in the host class.
251 -# Declare some typedef's inside the class declaration like these. Make one
252 typedef for each exception policy you use. I typedef'ed the CheckForNothing
253 policy as CheckInvariants because even if a function can't provide either the
254 no-throw nor the no-change policies, it should still make sure the object
255 remains in a valid state.
256 - typedef ::Loki::ContractChecker< Host, ::Loki::CheckForNoThrow > CheckForNoThrow;
257 - typedef ::Loki::ContractChecker< Host, ::Loki::CheckForNoChange > CheckForNoChange;
258 - typedef ::Loki::ContractChecker< Host, ::Loki::CheckForEquality > CheckForEquality;
259 - typedef ::Loki::ContractChecker< Host, ::Loki::CheckForNothing > CheckInvariants;
260 -# Construct a checker near the top of each member function - except in the
261 validator member function. Pass the this pointer and the address of your
262 validator function into the checker's constructor. You may also pass in pointers
263 to function which check pre- and post-conditions.
264 - If the function never throws, then use the CheckForNoThrow policy.
265 - If the function never changes any data members, then use CheckForEquality
267 - If the function's normal execution flow changes data, but must make sure
268 data remains unchanged when any exceptions occur, then use the
269 CheckForNoChange policy.
270 - Otherwise use the CheckInvariants policy.
271 -# Recompile a debug version of your program, run the program and all the unit
272 tests, and look for which assertions failed.
278 template < class > class ExceptionPolicy
280 class ContractChecker : public ExceptionPolicy< Host >
282 /// Shorthand for the ExceptionPolicy class.
283 typedef ExceptionPolicy< Host > Ep;
287 /// Signature for the validation function.
288 typedef bool ( Host:: * Validator )( void ) const;
290 /** The constructor makes sure the host is valid at the time the checker
291 was created, thus insuring the host object was not corrupt from the start.
292 @par host Pointer to host object.
293 @par validator Pointer to function that checks class invariants.
294 @par pre Optional pointer to function that checks pre-conditions.
295 @par post Optional pointer to function that checks post-conditions.
297 inline ContractChecker( const Host *host, Validator validator,
298 Validator pre = 0, Validator post = 0 ) :
301 m_validator( validator ),
307 assert( ( m_host->*( m_pre ) )() );
310 /** The destructor checks if any Host invariants failed, and then calls the
311 ExceptionPolicy's Check function to determine what to do in case of an
314 inline ~ContractChecker( void )
318 assert( ( m_host->*( m_post ) )() );
319 assert( Ep::Check( m_host ) );
322 /** This first checks the invariants for ContractChecker, and then calls the
323 validator function for the host to make sure no class invariants were
324 broken by the host within the Host's member function body. The host
325 member function can call Check directly to verify the object remains valid
326 at any time. This does not care if the pre- and post-condition validator
327 pointers are null since a host class may pass in NULL pointers for either
328 to indicate the pre-conditions or post-conditions are the same as the
329 overall class invariants.
331 inline bool Check( void ) const
334 assert( 0 != m_host );
335 assert( 0 != m_validator );
336 // Now that this confirms the pointers to the host and validation
337 // functions are not null, go ahead and validate the host object.
338 const bool okay = ( m_host->*( m_validator ) )();
345 /// Default constructor is not implemented.
346 ContractChecker( void );
347 /// Copy constructor is not implemented.
348 ContractChecker( const ContractChecker & );
349 /// Copy-assignment operator is not implemented.
350 ContractChecker &operator = ( const ContractChecker & );
352 /// Pointer to the host object.
355 /// Pointer to member function that checks Host object's invariants.
356 Validator m_validator;
358 /// Pointer to member function that checks Host object's pre-conditions.
361 /// Pointer to member function that checks Host object's post-conditions.
366 // ----------------------------------------------------------------------------
368 /** @class CheckStaticForNoThrow
370 @par Exception Safety Level:
371 This exception-checking policy class for StaticChecker asserts if an exception
372 exists. Functions can use this to show they provide the no-throw exception
375 class CheckStaticForNoThrow
378 inline bool Check( void )
380 const bool okay = !::std::uncaught_exception();
386 // ----------------------------------------------------------------------------
388 /** @class CheckStaticForNothing
390 @par Exception Safety Level:
391 This exception-checking policy class for StaticChecker does nothing when called.
392 Functions can use this to show they might provide the weak exception guarantee.
393 The best guarantee such functions can provide is that nothing gets leaked.
395 class CheckStaticForNothing
398 inline bool Check( void )
404 // ----------------------------------------------------------------------------
406 /** @class StaticChecker
407 This class checks if a function provides the no-throw exception safety level
408 and if the function violated any invariants. Invariants for stand-alone and
409 static functions act as pre-conditions and post-conditions.
412 -# Implement a function that checks the invariants associated with a function,
413 or with the static data for a class. The function must
414 have the signature similar to the Validator type. Something like:
415 "static bool Host::StaticIsValid( void );" or "bool IsOkay( void );"
416 - The function should return true if everything is okay, but false if
418 - Or it could assert if anything is wrong.
419 -# If the checker is for static functions within a class, declare typedef's
420 inside the class declaration like these. Make one typedef for each policy
421 you use. I typedef'ed the CheckForNothing policy as CheckInvariants because
422 even if a function can't provide the no-throw guarantee, it should still
423 make sure that static data remains in a valid state.
424 - typedef ::Loki::StaticChecker< ::Loki::CheckForNoThrow > CheckStaticForNoThrow;
425 - typedef ::Loki::StaticChecker< ::Loki::CheckForNothing > CheckStaticInvariants;
426 -# Construct a checker near the top of each member function - except in the
427 validator member function. Pass the address of your validator function into
428 the checker's constructor.
429 - If the function never throws, then use the CheckForNoThrow policy.
430 - Otherwise use the CheckInvariants policy.
431 -# Recompile a debug version of your program, run it, and see if an assertion
437 class ExceptionPolicy
439 class StaticChecker : public ExceptionPolicy
441 /// Shorthand for the ExceptionPolicy class.
442 typedef ExceptionPolicy Ep;
446 /// Signature for the validation function.
447 typedef bool ( * Validator )( void );
449 /** The constructor makes sure the host is valid at the time the checker
450 was created, thus insuring the host object was not corrupt from the start.
451 @par validator Pointer to function that checks class invariants.
452 @par pre Optional pointer to function that checks pre-conditions.
453 @par post Optional pointer to function that checks post-conditions.
455 inline explicit StaticChecker( Validator validator,
456 Validator pre = 0, Validator post = 0 ) :
458 m_validator( validator ),
467 /** The destructor checks if any Host invariants failed, and then calls the
468 ExceptionPolicy's Check function to determine what to do in case of an
471 inline ~StaticChecker( void )
476 assert( Ep::Check() );
479 /** This first checks its own invariants, and then calls the validator
480 function to make sure no invariants were broken by the function which
481 created this checker. That function can call Check directly to verify the
482 data remains valid at any time. This does not care if the pre- and post-
483 condition validator pointers are null since a host class may pass in NULL
484 pointers for either to indicate the pre-conditions or post-conditions are
485 the same as the overall class invariants.
487 inline bool Check( void ) const
490 assert( 0 != m_validator );
491 // Now that this confirms the pointers to the host and validation
492 // functions are not null, go ahead and validate the host object.
493 const bool okay = m_validator();
500 /// Default constructor is not implemented.
501 StaticChecker( void );
502 /// Copy constructor is not implemented.
503 StaticChecker( const StaticChecker & );
504 /// Copy-assignment operator is not implemented.
505 StaticChecker &operator = ( const StaticChecker & );
507 /// Pointer to member function that checks Host object's invariants.
508 Validator m_validator;
510 /// Pointer to member function that checks Host object's pre-conditions.
513 /// Pointer to member function that checks Host object's post-conditions.
518 // ----------------------------------------------------------------------------
520 }; // end namespace Loki