r/wg21
P4020R0 - Concerns about contract assertions WG21
Posted by u/contracts_concern_watcher · 12 hr. ago

Document: P4020R0
Author: Andrzej Krzemieński
Date: 2026-02-23
Audience: EWG

Contracts (P2900R14) were voted into the C++26 CD. This paper raises concerns about the design. Krzemieński - who has been deeply involved in the contracts design for years - questions whether implementation experience with GCC and Clang library rewrites is sufficient, and identifies concerns specific to contract assertions including questions about how many vulnerabilities will actually be prevented. Discussed at EWG Croydon where contracts were confirmed to remain in the CD.

▲ 287 points (76% upvoted) · 42 comments
u/paper_trail_2019 1 point 12 hr. ago pinned comment

Reminder: be civil. Contract assertions are staying in C++26. The paper raises design concerns, not a removal request. Rule 2.

u/contracts_removed_in_20 198 points 11 hr. ago 🏆

Contracts were in C++20. Then they were removed. Now they're in C++26. Now there's a paper raising concerns. I feel like I'm watching a TV show that keeps bringing characters back from the dead. At some point you just accept they're immortal and move on.

u/p2900_veteran 84 points 10 hr. ago

The C++20 contracts were a completely different design. P2900 started from scratch with SG21. Five years of work, fourteen revisions, plenary approval. Comparing them to the C++20 version is like comparing C++11 concepts to C++20 concepts - same name, different feature.

u/implementation_experience_skeptic 142 points 11 hr. ago

The implementation experience concern is the strongest part of the paper. Experiments with GCC and Clang rewrites of libraries are useful but they're experiments, not production deployments. The C++20 contracts had "implementation experience" too - and then the design fell apart when real use cases hit it. Krzemieński is asking whether we've learned from that.

u/sg21_participant 67 points 10 hr. ago

SG21 spent five years on this. There are experimental implementations in GCC and Clang. Bloomberg has been testing contract annotations in their codebase. The Contracts Study Group processed hundreds of papers and design alternatives. At some point "more implementation experience" becomes "never ship."

u/implementation_experience_skeptic 38 points 9 hr. ago

Nobody's saying never ship. The paper is saying "here are specific concerns that should be addressed before the CD becomes the IS." That's what the CD ballot period is for - identifying and resolving concerns. This paper is doing exactly what the process asks for.

u/vulnerability_prevention_question 108 points 10 hr. ago

The paper asks how many vulnerabilities contract assertions will actually prevent. This is the right question. Contracts are being positioned partly as a safety feature. If the safety story is "contracts catch bugs at development time through assertions," that's useful but it's not what the government safety mandates are asking for. Profiles address the static analysis side. Contracts address the runtime assertion side. They're complementary but different.

u/krzemienski_track_record 87 points 11 hr. ago

Andrzej Krzemieński is a co-author of P2900 itself. When one of the design's own architects raises concerns, it's worth reading carefully. This isn't an outsider lobbing criticisms - it's an insider saying "I helped build this and here's what still worries me."

u/croydon_resolved 72 points 9 hr. ago

EWG at Croydon confirmed contracts stay in the CD. The concerns were heard, discussed, and the room decided the design is sound enough to proceed. This paper is part of the historical record now - a concern paper that was considered and addressed through the process.

u/process_cynic_2023 34 points 8 hr. ago

"Considered and addressed" is doing some work. "Considered and voted to proceed" might be more accurate. Not all concerns get addressed - some get outvoted.

u/contracts_are_fine_actually 58 points 10 hr. ago

I've been using contract-like assertions (GSL_EXPECTS, custom macros) for a decade. Even without standardization, the pattern catches bugs. Standardized contracts with compiler support and optimization hints will be strictly better than what I have now. Ship it, iterate, improve.

u/c20_contracts_flashback 44 points 8 hr. ago

The ghost of C++20 contracts haunts every contracts discussion. "We shipped it and then removed it" is the cautionary tale. But P2900 explicitly learned from that failure - no continuation semantics, no interaction with exception handling, simpler mental model. The design is different even if the trauma is the same.

u/p4005_p4009_related 31 points 9 hr. ago

This paper joins P4005R0 (guaranteed-enforced contracts) and P4009R0 (solving all contracts concerns) in the "contracts feedback" cluster. Three papers raising concerns from different angles. The committee heard them all at Croydon and contracts stayed. At least the process is thorough.

u/just_want_preconditions 24 points 7 hr. ago

I just want to write pre(ptr != nullptr) in function declarations and have the compiler check it. Is that too much to ask? We've been asking since 2015.

u/76_percent_upvoted 18 points 6 hr. ago

76% upvoted. The most controversial thread this month. r/wg21's contracts opinions are as split as the committee's.

u/great_another_10_years 12 points 5 hr. ago

This is why we can't have nice things. We finally get contracts after a decade of trying and immediately start publishing papers about why they might not be good enough.

u/committee_gonna_committee 6 points 3 hr. ago

Contracts: the feature that proves C++ will spend more time debating whether to ship something than it takes to actually use it.