[kris-jusiak]

With C++20 almost anything can be used in constexpr context (vector, unique_ptr, virtual, function, etc.) and as long as it's in the scope it can be tested at compile time which guarantees memory safatey, no UB, etc. Additionally, since constexpr can be executed at run-time and code has been tested at compile-time already therefore 'static_assert' is (almost) all you need - https://godbolt.org/z/P4cqboGx6.

[AshamedCaptain]

I really don't think it works that way. You can for sure write code that will leak and otherwise be UB but run compile-time just fine.

[dgellow]

https://en.cppreference.com/w/cpp/language/constant_expressi...

Point 8:

> A core constant expression is any expression whose evaluation would not evaluate any one of the following:

> 8. an expression whose evaluation leads to any form of core language undefined behavior (including signed integer overflow, division by zero, pointer arithmetic outside array bounds, etc).

[AshamedCaptain]

This does not really "guarantee" anything. You can still have as much UB (incl leaks) as you want, as long as they are not evaluated at compile-time. i.e. it's at best equivalent to running valgrind.

[dgellow]

What would be examples of runtime UBs that wouldn’t be reported when used within a constexpr?

[simiones]

The point is that the code is only checked for UB with the arguments it is given at compile time. There is no guarantee that it can't invoke UB with other arguments it might receive at runtime.

For example, here is a modification of the original program that does invoke UB, but compiles just fine:

https://godbolt.org/z/MaqhcEYqn

[dgellow]

Oh yes, I see your point. Thanks for clarifying

[tlb]

Indeed, it fails if you invoke UB. For example, an int overflow in a constexpr causes a compile error:

  <source>:5:17: error: static assertion expression is not an integral constant expression
    static_assert(1024*1024*1024*3 != 0, "UB");

https://godbolt.org/z/Wc591En7E

[simiones]

That only works if you know the values at compile-time though:

  constexpr int foo(int x) {
    return 1024*1024*1024*x;
  }
  
  int main()
  {
    int y;
    std::cin >> y;
    static_assert(foo(1));  //all good
    foo(y);                 //oops, UB if user enters 7
  }

https://godbolt.org/z/K8h4Kj99s

Edit: small correction so that the numbers are big enough to cause problems...

[mort96]

Yeah, the tests will only fail if the tests trigger UB. It's like all testing, it only detects issues if you trigger the issues in the tests. Using static_assert as your test system obviously doesn't obviate the need for writing good tests.

[tsimionescu]

Many people in this thread think that if a constexpr function can be called at compile time successfully, it will also be guaranteed not to have UB at runtime, in general.

I was pointing out that this is only true for the cases you actually test, not the general case.

Even then, it's not fully true, as a function may have different behavior at runtime as opposed to compile time (e.g. because of multi-threading), and so it may display UB even when called with the same arguments that didn't display UB at compile-time.

Overall, this static_assert trick is just a nice way to make sure your tests don't accidentally pass while still invoking UB, to protect from false negatives.

[mgaunard]

Try forcing the call to happen at compile-time.

constexpr requires that the function be callable at compile-time, not that it is so.

[tsimionescu]

You can't call an expression whose value is IO-dependent in a compile-time context, obviously.

The tweet seems to imply that if you can call your functions at compile time, they will not present UB at runtime either. I am trying to point out that that is not the case at all.

[layer8]

I hope there’s also some text in the standard prohibiting implementations from allowing any other expressions as a constant expression (which they otherwise could as a language extension), and thus requires compilation failure for such expressions?

[kps]

Pragmatically, you can't stop extensions; if the fine print for `--std=cool++23` says that this mode is not actually C++23-compliant, nearly nobody will ever notice or care. Pragmatically, if a popular compiler makes `--std=cool++23` the default, and requires `--std=C++23 --iso-eic-jtc1-sc22-wg21 --pompous` to get standard-conforming behaviour, nearly nobody will do that; instead they will complain that other compilers lack the extensions.

[layer8]

Extensions can be standard-compliant, in the sense that they don’t violate any prescription by the standard, and thus a program cannot assume their absence. My question was whether the standard actually takes care to render the acceptance of constexprs-with-UB non-standard-compliant. That is, in addition to “must accept X”, does it also say “must only accept X”?

[kris-jusiak]

constexpr has to checked for leaks and UB so as long as there is coverage at compile-time (static_assert + constexpr) I would assume there shouldn't be neither leaks nor UB. But the context is limitted where that can be applied and actually compiles. For example, there is no way to do it with global variables but with limited scope that's possible.

[the_mitsuhiko]

I _think_ you cannot conclude from a constexpr not having UB at compile time that it won’t have UB at runtime.

[kris-jusiak]

I guess so, can't think of an example now but I'm pretty sure there are subtle corner cases (as always) and it depends on the testing, coverage and potential limitations of checking things at compile-time, though, IMHO, the technique is promissing and can help with a lot of use cases but defo not everything.

[layer8]

(nevermind)

[jcelerier]

Successful compilation of UB is explicitly disallowed by the standard in a constexpr context

[jvanderbot]

I think it's worth pointing out that your statement is true by definition, perhaps not true by implementation in these cases. It's not like UB produces _random_ behavior, it's just not specified what compilers _should_ do in those cases.

Of course, cannot be relied upon.

[DannyBee]

The standard explicitly disallows compiling of UB for constexpr.

Otherwise, what you write is provably correct - UB is not statically decidable in all cases (and depending on the type of UB, not even in a lot of cases).

[ithkuil]

Doesn't it depend on the actual values?

If your compile time evaluations don't trigger signed integer overflow (or any other UB) does it follow that at runtime you couldn't pass a parameter that would trigger signed overflow?

I mean it's still useful because at least you know your test code is not artificially passing because of some UB makes it look like passing

[tialaramex]

> it's still useful because at least you know your test code is not artificially passing because of some UB makes it look like passing

Right, that's the extent of what this does. When I saw it on r/cpp I thought OK, somebody realised now they can make their C++ tests work as a reasonable person would expect, or perhaps realised that without this C++ tests are almost worthless because they can invoke Undefined Behaviour silently.

But increasingly I suspect the OP mistook this for a breakthrough in correctness which it isn't, otherwise why post it to HN?

On the other hand, the prohibition on UB for constexpr doesn't reach up to where IFNDR lives, so I'd guess most non-trivial C++ software is technically nonsense with no defined meaning as a result of IFNDR regardless of how many or few unit tests were written or whether they use constexpr to prohibit Undefined Behaviour. A cheerful thought.

[Ill-Formed, No Diagnostic Required: A recurring statement in the C++ ISO document which basically says if you did this then too bad, that's not a well-formed C++ program, however your compiler may not notice that this isn't a C++ program, so, your program might compile, and even execute, but what if anything happens when you run it isn't specified in this ISO standard, good luck.]

[DannyBee]

No, it doesn't depend on the values. Yes, it does follow. The compiler is not allowed to compile constexpr code that could produce UB at runtime. period. :)

That is, conditional constepxr code that depends on values and could produce UB is not valid constexpr code, and a compiler is not supposed to compile it.

This is very explicit in the standard.

Think of it as a statically decidable set of code.

Now, it wouldn't shock me if compilers don't achieve this right now, but the standard is clear that constexpr code may not contain operations that could produce undefined behavior at runtime.

[jenadine]

Unless you used std::is_constant_evaluated() and the code running at runtime was not the one tested at compile time

[AshamedCaptain]

At the very minimum, you can simply do is_constant_evaluated to change behavior depending on runtime vs compile-time...

[soulbadguy]

>constexpr has to checked for leaks and UB so as long as there is coverage at compile-time

Source ?I am not sure constexpr give any garanty regarding UB and/or leaks

[3836293648]

Constexpr at compile times gives that guarantee, not constexpr in general. Hence static assert to force comptime evaluation

[soulbadguy]

> Constexpr at compile times gives that guarantee

Can you point to a source for that ? I am not trying to be pendantic, but genuilly curious

[mikepurvis]

From an overall performance point of view, I wonder how the timing works out for the compiler to run your unit tests like this vs to produce and invoke a binary.

I bet it's mostly a wash, and the ergonomics of conventional gtest macros look way better to my eye.

[ynik]

The idea to let the compiler run the tests only works if you constexpr everything, which means putting all code in headers. This effectively means giving up on separate compilation. Worse, if you use some mixture (most code in headers but you still have >1 compilation unit), your compile times completely explode as essentially all code is compiled repeatedly for each unit.

[cozzyd]

There are other ways to do this. I made a proof of concept of using linker sections to allow you to sprinkle tests within the implementation inline once... https://github.com/cozzyd/examc (this is obviously not production-ready, just serves as a proof of concept).

Basically the idea is that the test code gets written to a different linker section that your test runner can iterate through, when tests are enabled. This is easy on gcc because it generates automatic constants for the beginning and end of different linker sections. There may be away to do this with clang as well, but I never use clang.

[gpderetta]

Pragmatically you can write your code in such a way that you can get immediate feedback in your IDE as you write the code if a static assert fails as you are implementing your function.

You could of course set up your runtime tests in a similar way, having the ide run them back to back as you are writing code, but it is more complicated, especially if the code is in an intermediate state that it is not fully compilable.

So in the end it is not a huge breakthrough, but having compile time tests is still quite a nice feature.

[kris-jusiak]

Hmm, there are obvisouly trade offs (it depends on the compiler how many tests, how are they written, etc.) but for apples to apples comparision the gtest binary would have to be either compiled with sanitizers (that would be probably slower to compile than static_assert tests without sanitizers) or run with valgrind or similar (execution would be much slower, static_asserts tets don't have to be executed, compiles=green).

[zerr]

Depends on how you define a class. E.g. you are not using std::list in your example.

[saagarjha]

Have zero cost abstractions gone too far?