[cloud-oak]

My understanding of this was that the UB starts only after the value is passed/returned. So if foo() has a contract to only return positive integers, the code within foo can check and ensure this, but if the calling code does it, the compiler might optimize it away.

[gku]

Unspecified behavior != UB https://en.wikipedia.org/wiki/Unspecified_behavior

[cwillu]

Assuming that is correct, it's still exactly the same footgun. Checks like that are introduced to guard against bugs: you are strictly safer to not declare such a constraint.