[Development] Disavowing the Lakos Rule for Q_ASSERT

Marc Mutz marc.mutz at qt.io
Tue Sep 3 17:34:20 CEST 2024


On 31.08.24 20:01, Ville Voutilainen wrote:
> On Fri, 30 Aug 2024 at 19:21, Thiago Macieira <thiago.macieira at intel.com> wrote:
>> For the non-simple cases, we may need two macros, one that expands to:
>>
>>    noexcept(noexcept(std::string_view{"", 1}))
>>
>> and the other that expands to the pre() specifier.
> 
> Right. Maybe
> 
> void f(int x) Q_NARROW_CONTRACT_NOEXCEPT Q_PRE(x >= 0) ;
> 
> and then, if contracts are enabled, that noexcept expands to nothing,
> and if contracts are disabled,
> the pre expands to nothing and that noexcept expands to a noexcept.

I'm really doubting the wisdom of adding another dimension of build to 
Qt. We already have release/debug, and Q_NARROW_CONTRACT_NOEXCEPT would 
mean an orthogonal build mode. So on Windows we'd need four builds per 
compiler. Assuming, as I do, that that feature will be in high demand by 
users once available. Nothing we haven't done before (Qt 3 had 
debug/release × multi/single-threaded), but just like Qt 4 ditched the 
non-MT build mode, I expect we'd be ditching the 
non-contracts-checking-supporting (noexcept enabled) build mode ere 
long, because it turns out to be too much of burden to carry around with 
(presumably) too little a benefit.

As is well-known, not all users of Qt build Qt from scratch. Think Linux 
distributions. The Lakos Rule ensures that a single build can be used 
for both checked and unchecked contract mode, with the control lying in 
the hands of the owner of main(), where we seem to agree it belongs.


I also question the notion of "we don't do exceptions in Qt" popping up 
between the lines in this thread. We _do_ support them in QtCore and 
QtTest, and it's Core you're proposing to plaster with noexcept. 
Exception-unsafe code is also prone to Static Analyzer complaints, and, 
once again, legislators are working on forcing software companies to do 
more for security, not less (and one of the ways TQtC has decided to 
take this is to listen to SA tools more (Axivion, but Qt is also covered 
by Clang-SA and Coverity)). I believe one goal of contracts is to make 
C++ an (optionally) checked language.

We need _more_ exception (= resource) safety and not less. Exception 
safety doesn't mean QT_TRY and QT_CATCH, but, in 95% of cases, RAII, and 
RAII helps also against laissez-faire coding practices (see 
https://codereview.qt-project.org/c/qt/qtbase/+/551854 for a recent 
example) that have nothing to do with exceptions. Build-conditional 
noexcept and ignoring exception safety is heading into the opposite 
direction of where I, at least, see that Qt needs to go. Besides, libc++ 
recently ditched their build-conditional noexcept approach, AFAIK. We 
needn't make mistakes others have already done for us.
	
Thanks,
Marc

-- 
Marc Mutz <marc.mutz at qt.io> (he/his)
Principal Software Engineer

The Qt Company
Erich-Thilo-Str. 10 12489
Berlin, Germany
www.qt.io

Geschäftsführer: Mika Pälsi, Juha Varelius, Jouni Lintunen
Sitz der Gesellschaft: Berlin,
Registergericht: Amtsgericht Charlottenburg,
HRB 144331 B



More information about the Development mailing list