896:. Assertions document logically impossible situations and discover programming errors: if the impossible occurs, then something fundamental is clearly wrong with the program. This is distinct from error handling: most error conditions are possible, although some may be extremely unlikely to occur in practice. Using assertions as a general-purpose error handling mechanism is unwise: assertions do not allow for recovery from errors; an assertion failure will normally halt the program's execution abruptly; and assertions are often disabled in production code. Assertions also do not display a user-friendly error message.
635:, the programmer will typically run the program with assertions enabled. When an assertion failure occurs, the programmer is immediately notified of the problem. Many assertion implementations will also halt the program's execution: this is useful, since if the program continued to run after an assertion violation occurred, it might corrupt its state and make the cause of the problem more difficult to locate. Using the information provided by the assertion failure (such as the location of the failure and perhaps a
1141:, in which they included assertions: "It may be true, that whenever C actually reaches a certain point in the flow diagram, one or more bound variables will necessarily possess certain specified values, or possess certain properties, or satisfy certain properties with each other. Furthermore, we may, at such a point, indicate the validity of these limitations. For this reason we will denote each area in which the validity of such limitations is being asserted, by a special box, which we call an assertion box."
659:, assertions are typically turned off, to avoid any overhead or side effects they may have. In some cases assertions are completely absent from deployed code, such as in C/C++ assertions via macros. In other cases, such as Java, assertions are present in the deployed code, and can be turned on in the field for debugging.
835:
Most languages allow assertions to be enabled or disabled globally, and sometimes independently. Assertions are often enabled during development and disabled during final testing and on release to the customer. Not checking assertions avoids the cost of evaluating the assertions while (assuming the
333:
or sometimes statically. If an assertion evaluates to false at runtime, an assertion failure results, which typically causes execution to abort. This draws attention to the location at which the logical inconsistency is detected and can be preferable to the behaviour that would otherwise result.
984:
was dereferenced, and possibly longer, depending on the specific hardware being used. So long as assertions are not disabled, an immediate exit is assured. But if a graceful failure is desired, the program has to handle the failure. For example, a server may have multiple clients, or may hold
988:
Another error is to rely on side effects of expressions used as arguments of an assertion. One should always keep in mind that assertions might not be executed at all, since their sole purpose is to verify that a condition which should always be true does in fact hold true. Consequently, if the
531:
A major advantage of this technique is that when an error does occur it is detected immediately and directly, rather than later through often obscure effects. Since an assertion failure usually reports the code location, one can often pin-point the error without further debugging.
1148:. In a talk "Checking a Large Routine" at Cambridge, June 24, 1949 Turing suggested: "How can one check a large routine in the sense of making sure that it's right? In order that the man who checks may not have too difficult a task, the programmer should make a number of definite
80:
For the latter, some programs check assertions by actually evaluating the predicate as they run. Then, if it is not in fact true – an assertion failure – the program considers itself to be broken and typically deliberately
840:) still producing the same result under normal conditions. Under abnormal conditions, disabling assertion checking can mean that a program that would have aborted will continue to run. This is sometimes preferable.
615:
The danger of assertions is that they may cause side effects either by changing memory data or by changing thread timing. Assertions should be implemented carefully so they cause no side effects on program code.
408:
An assertion may be used to verify that an assumption made by the programmer during the implementation of the program remains valid when the program is executed. For example, consider the following
400:
is that the program can check the assertions every time it runs; if the assertion no longer holds, an error can be reported. This prevents the code from getting out of sync with the assertions.
802:
part evaluates to false then the above code will not compile because arrays may not have a negative length. If in fact the compiler allows a negative length then the initialization byte (the
985:
resources that will not be released cleanly, or it may have uncommitted changes to write to a datastore. In such cases it is better to fail a single transaction than to abort abruptly.
73:
of a program) connected to a point in the program, that always should evaluate to true at that point in code execution. Assertions can help a programmer read the code, help a
555:. Any case which the programmer does not handle intentionally will raise an error and the program will abort rather than silently continuing in an erroneous state. In
734:
would be a valid expression in that context. This construct does not work at file scope (i.e. not inside a function), and so it must be wrapped inside a function.
520:), and in Java, if its first operand is negative, the result can also be negative (unlike the modulo used in mathematics). Here, the programmer has assumed that
182:
in his 1969 article. That notation cannot be used in existing mainstream programming languages. However, programmers can include unchecked assertions using the
884:
Programmers can build checks into their code that are always active by bypassing or manipulating the language's normal assertion-checking mechanisms.
980:
will succeed. If an out of memory error occurs the program will immediately abort. Without the assertion, the program would continue running until
873:
assertions. Absent the option, assertions are bypassed, but they always remain in the code unless optimised away by a JIT compiler at run-time or
396:
This approach is also useful in languages that do not explicitly support it: the advantage of using assertion statements rather than assertions in
389:
integrates such assertions into the language and automatically extracts them to document the class. This forms an important part of the method of
167:—an assertion placed at the beginning of a section of code—determines the set of states under which the programmer expects the code to execute. A
1330:
817:
preprocessor define that facilitates the construction of unique names, by returning monotonically increasing numbers for each compilation unit.
806:
part) should cause even such over-lenient compilers to complain. The boolean expression must be a compile-time constant value, for example
1410:
662:
Assertions may also be used to promise the compiler that a given edge condition is not actually reachable, thereby permitting certain
535:
Assertions are also sometimes placed at points the execution is not supposed to reach. For example, assertions could be placed at the
330:
35:
31:
524:
is non-negative, so that the remainder of a division with 2 will always be 0 or 1. The assertion makes this assumption explicit: if
866:
interpreter with "-O" (for "optimize") as an argument will cause the Python code generator to not emit any bytecode for asserts.
1415:
837:
397:
369:
Assertions can function as a form of documentation: they can describe the state the code expects to find before it runs (its
183:
54:
1236:
1161:
863:
386:
346:
1191:
378:
681:, but can also be used in low-level languages like C by introducing illegal code if (and only if) the assertion fails.
848:
571:
552:
501:
409:
354:
1347:
1298:
1313:
1219:
1114:
and/or difficult to track down. Programmers sometimes use a similar VERIFY(X) define to alleviate this problem.
989:
program is considered to be error-free and released, assertions may be disabled and will no longer be evaluated.
666:
that would not otherwise be possible. In this case, disabling the assertions could actually reduce performance.
163:
Programmers can use assertions to help specify programs and to reason about program correctness. For example, a
844:
820:
678:
579:
556:
544:
382:
350:
1232:
1405:
620:
326:
58:
1376:
by C.A.R. Hoare in: IEEE Annals of the
History of Computing, Volume: 25, Issue: 2 (2003), Page(s): 14 - 25
1186:
1090:
parameter is passed to the compiler, as when the program is considered to be error-free and released, the
663:
656:
647:), the programmer can usually fix the problem. Thus assertions provide a very powerful tool in debugging.
70:
46:
976:
if memory is not allocated. This is possible: the operating system does not guarantee that every call to
574:, assertions have been a part of the language since version 1.4. Assertion failures result in raising an
1152:
which can be checked individually, and from which the correctness of the whole program easily follows".
874:
578:
when the program is run with the appropriate flags, without which the assert statements are ignored. In
1372:
1327:
1181:
722:
part evaluates to false then the above code will not compile because the compiler will not allow two
42:
233:
66:
1368:
by Lori A. Clarke, David S. Rosenblum in: ACM SIGSOFT Software
Engineering Notes 31(3):25-37, 2006
726:
with the same constant. The boolean expression must be a compile-time constant value, for example
27:
In computer programming, statement that a predicate is always true at that point in code execution
1420:
1171:
1166:
1103:
893:
813:
Both of these methods require a method of constructing unique names. Modern compilers support a
390:
361:. In both cases, they can be checked for validity at runtime but can usually also be suppressed.
86:
632:
82:
596:
as a macro that signals an error in the case of failure, usually terminating the program. In
30:
This article is about the computer programming concept. For assertions in the context of the
1130:
1126:
723:
516:
230:
The braces included in the comment help distinguish this use of a comment from other uses.
1334:
1350:, 1949; quoted in C. A. R. Hoare, "The Emperor's Old Clothes", 1980 Turing Award lecture.
693:. In earlier C versions, a static assertion can be implemented, for example, like this:
337:
The use of assertions helps the programmer design, develop, and reason about a program.
1210:
358:
179:
17:
171:—placed at the end—describes the expected state at the end of execution. For example:
1399:
374:
168:
1107:
970:
856:
370:
164:
1176:
1145:
1134:
1110:
error much further down the line in program execution, causing bugs that may be
636:
62:
1365:
A historical perspective on runtime assertion checking in software development
1249:
1380:
1364:
1274:
1144:
The assertional method for proving correctness of programs was advocated by
1138:
1111:
640:
510:
373:), and the state the code expects to result in when it is finished running (
1262:
1214:
674:
Assertions that are checked at compile time are called static assertions.
899:
Consider the following example of using an assertion to handle an error:
644:
584:
74:
1388:
1328:"Planning and Coding of problems for an Electronic Computing Instrument"
869:
Java requires an option to be passed to the run-time engine in order to
686:
1117:
Modern compilers may issue a warning when encountering the above code.
349:, assertions form part of the design process; other languages, such as
1263:
GNU, "GCC 4.3 Release Series — Changes, New
Features, and Fixes"
965:
729:
178:
The example above uses the notation for including assertions used by
105:, and they are indeed true at the indicated points during execution:
852:
597:
548:
187:
1054:// use ptr: ptr isn't initialised when compiling with -NDEBUG!
325:
Several modern programming languages include checked assertions –
237:
236:
may provide assertion features as well. For example, in C using
1062:
This might look like a smart way to assign the return value of
682:
1082:
is a side effect of evaluating the expression that forms the
877:
via the programmer manually placing each assertion behind an
855:, can completely remove assertions at compile time using the
639:, or even the full program state if the environment supports
1314:"Warning Options (Using the GNU Compiler Collection (GCC))"
1012:// but is not executed at all when compiling with -NDEBUG!
677:
Static assertions are particularly useful in compile time
528:
does return a negative value, the program may have a bug.
737:
Another popular way of implementing assertions in C is:
77:
compile it, or help the program detect its own defects.
1137:, they described algorithms using an early version of
36:
Security
Assertion Markup Language § Assertions
698:#define SASSERT(pred) switch(0){case 0:case pred:;}
1384:by Poul-Henning Kamp in: ACM Queue 10(5), May 2012
1102:uninitialised. This could potentially result in a
1009:// Statement below fails if malloc() returns NULL,
992:Consider another version of the previous example:
619:Assertion constructs in a language allow for easy
623:(TDD) without the use of a third-party library.
559:such an assertion is added automatically when a
186:of their programming language. For example, in
823:provides static assertions through the use of
810:would be a valid expression in that context.
8:
97:The following code contains two assertions,
1215:An axiomatic basis for computer programming
689:support static assertions directly through
582:, they are added on by the standard header
1337:. Part II, Volume I, 1 April 1947, p. 12.
357:, use them only to check assumptions at
1203:
627:Assertions during the development cycle
892:Assertions are distinct from routine
7:
651:Assertions in production environment
963:Here, the programmer is aware that
1381:My Compiler Does Not Understand Me
1373:Assertions: a personal perspective
643:or if the program is running in a
32:Security Assertion Markup Language
25:
1237:Enabling and Disabling Assertions
471:// total is odd and non-negative
404:Assertions for run-time checking
365:Assertions in design by contract
543:statement in languages such as
85:or throws an assertion failure
888:Comparison with error handling
655:When a program is deployed to
45:, specifically when using the
1:
1162:Assertion definition language
1250:Compile Time Assertions in C
1192:Invariant (computer science)
563:statement doesn't contain a
1326:Goldstine and von Neumann.
1281:. The D Language Foundation
1233:Programming With Assertions
1078:call and the assignment to
1437:
843:Some languages, including
34:(SAML) open standard, see
29:
1411:Logic in computer science
1220:Communications of the ACM
1094:statement is removed, so
862:Similarly, launching the
377:); they can also specify
173:x > 0 { x++ } x > 1
65:, usually expressed as a
1348:Checking a Large Routine
1133:on their design for the
1098:isn't called, rendering
994:
901:
875:excluded at compile time
739:
695:
679:template metaprogramming
414:
242:
192:
107:
836:assertions are free of
621:test-driven development
59:Boolean-valued function
18:Assertion (programming)
1416:Conditional constructs
1299:Official Python Docs,
1187:Java Modeling Language
47:imperative programming
1074:in one step, but the
345:In languages such as
1279:D Language Reference
1182:Static code analysis
1086:condition. When the
831:Disabling assertions
608:headers provide the
329:that are checked at
43:computer programming
1275:"Static Assertions"
1125:In 1947 reports by
1070:and check if it is
800:(BOOLEAN CONDITION)
720:(BOOLEAN CONDITION)
67:logical proposition
1333:2018-11-12 at the
1172:Exception handling
1167:Design by contract
1104:segmentation fault
808:(sizeof(int) == 4)
526:countNumberOfUsers
426:countNumberOfUsers
391:design by contract
240:with C99 support:
1389:Use of Assertions
670:Static assertions
633:development cycle
16:(Redirected from
1428:
1351:
1344:
1338:
1324:
1318:
1317:
1310:
1304:
1301:assert statement
1296:
1290:
1289:
1287:
1286:
1271:
1265:
1260:
1254:
1245:
1239:
1230:
1224:
1208:
1101:
1097:
1093:
1089:
1085:
1081:
1077:
1073:
1069:
1065:
1058:
1055:
1052:
1049:
1046:
1043:
1040:
1037:
1034:
1031:
1028:
1025:
1022:
1019:
1016:
1013:
1010:
1007:
1004:
1001:
998:
983:
979:
973:
968:
959:
956:
953:
950:
947:
944:
941:
938:
935:
932:
929:
926:
923:
920:
917:
914:
911:
908:
905:
880:
826:
816:
809:
805:
801:
794:
791:
788:
785:
782:
779:
776:
773:
770:
767:
764:
761:
758:
755:
752:
751:static_assertion
749:
746:
743:
733:
721:
714:
711:
708:
705:
702:
699:
692:
611:
607:
603:
595:
587:
577:
566:
562:
542:
538:
527:
523:
507:
496:
493:
490:
487:
484:
481:
478:
475:
472:
469:
466:
463:
460:
459:// total is even
457:
454:
451:
448:
445:
442:
439:
436:
433:
430:
427:
424:
421:
418:
321:
318:
315:
312:
309:
306:
303:
300:
297:
294:
291:
288:
285:
282:
279:
276:
273:
270:
267:
264:
261:
258:
255:
252:
249:
248:<assert.h>
246:
226:
223:
220:
217:
214:
211:
208:
205:
202:
199:
196:
174:
159:
156:
153:
150:
147:
144:
141:
138:
135:
132:
129:
126:
123:
120:
117:
114:
111:
104:
100:
21:
1436:
1435:
1431:
1430:
1429:
1427:
1426:
1425:
1396:
1395:
1360:
1355:
1354:
1345:
1341:
1335:Wayback Machine
1325:
1321:
1312:
1311:
1307:
1297:
1293:
1284:
1282:
1273:
1272:
1268:
1261:
1257:
1246:
1242:
1231:
1227:
1209:
1205:
1200:
1158:
1123:
1099:
1095:
1091:
1087:
1083:
1079:
1075:
1071:
1067:
1063:
1060:
1059:
1056:
1053:
1050:
1047:
1044:
1041:
1038:
1035:
1032:
1029:
1026:
1023:
1020:
1017:
1014:
1011:
1008:
1005:
1002:
999:
996:
981:
977:
971:
964:
961:
960:
957:
954:
951:
948:
945:
942:
939:
936:
933:
930:
927:
924:
921:
918:
915:
912:
909:
906:
903:
890:
878:
833:
824:
814:
807:
803:
799:
796:
795:
792:
789:
786:
783:
780:
777:
774:
771:
768:
765:
762:
759:
756:
753:
750:
747:
744:
741:
727:
719:
716:
715:
712:
709:
706:
703:
700:
697:
690:
672:
653:
629:
609:
605:
601:
589:
583:
575:
564:
560:
540:
536:
525:
521:
505:
498:
497:
494:
491:
488:
485:
482:
479:
476:
473:
470:
467:
464:
461:
458:
455:
452:
449:
446:
443:
440:
437:
434:
431:
428:
425:
422:
419:
416:
406:
367:
343:
323:
322:
319:
316:
313:
310:
307:
304:
301:
298:
295:
292:
289:
286:
283:
280:
277:
274:
271:
268:
265:
262:
259:
256:
253:
250:
247:
244:
228:
227:
224:
221:
218:
215:
212:
209:
206:
203:
200:
197:
194:
184:comment feature
172:
161:
160:
157:
154:
151:
148:
145:
142:
139:
136:
133:
130:
127:
124:
121:
118:
115:
112:
109:
102:
98:
95:
39:
28:
23:
22:
15:
12:
11:
5:
1434:
1432:
1424:
1423:
1418:
1413:
1408:
1406:Formal methods
1398:
1397:
1394:
1393:
1392:by John Regehr
1385:
1377:
1369:
1359:
1358:External links
1356:
1353:
1352:
1339:
1319:
1305:
1291:
1266:
1255:
1240:
1225:
1211:C. A. R. Hoare
1202:
1201:
1199:
1196:
1195:
1194:
1189:
1184:
1179:
1174:
1169:
1164:
1157:
1154:
1122:
1119:
995:
969:will return a
902:
894:error-handling
889:
886:
832:
829:
740:
696:
671:
668:
652:
649:
628:
625:
576:AssertionError
539:clause of the
415:
405:
402:
375:postconditions
366:
363:
342:
339:
243:
193:
180:C. A. R. Hoare
108:
94:
91:
26:
24:
14:
13:
10:
9:
6:
4:
3:
2:
1433:
1422:
1419:
1417:
1414:
1412:
1409:
1407:
1404:
1403:
1401:
1391:
1390:
1386:
1383:
1382:
1378:
1375:
1374:
1370:
1367:
1366:
1362:
1361:
1357:
1349:
1346:Alan Turing.
1343:
1340:
1336:
1332:
1329:
1323:
1320:
1315:
1309:
1306:
1303:
1302:
1295:
1292:
1280:
1276:
1270:
1267:
1264:
1259:
1256:
1252:
1251:
1244:
1241:
1238:
1234:
1229:
1226:
1222:
1221:
1216:
1212:
1207:
1204:
1197:
1193:
1190:
1188:
1185:
1183:
1180:
1178:
1175:
1173:
1170:
1168:
1165:
1163:
1160:
1159:
1155:
1153:
1151:
1147:
1142:
1140:
1136:
1132:
1128:
1120:
1118:
1115:
1113:
1109:
1105:
993:
990:
986:
975:
967:
900:
897:
895:
887:
885:
882:
876:
872:
867:
865:
860:
858:
854:
850:
846:
841:
839:
830:
828:
825:static assert
822:
818:
811:
738:
735:
731:
725:
694:
691:static_assert
688:
684:
680:
675:
669:
667:
665:
664:optimizations
660:
658:
650:
648:
646:
642:
638:
634:
626:
624:
622:
617:
613:
599:
593:
586:
581:
573:
568:
558:
554:
550:
546:
533:
529:
519:
518:
513:
512:
503:
413:
411:
403:
401:
399:
394:
392:
388:
384:
380:
376:
372:
371:preconditions
364:
362:
360:
356:
352:
348:
340:
338:
335:
332:
328:
241:
239:
235:
231:
225:// {x > 1}
191:
189:
185:
181:
176:
170:
169:postcondition
166:
106:
92:
90:
88:
84:
78:
76:
72:
68:
64:
60:
56:
52:
49:paradigm, an
48:
44:
37:
33:
19:
1387:
1379:
1371:
1363:
1342:
1322:
1308:
1300:
1294:
1283:. Retrieved
1278:
1269:
1258:
1248:
1247:Jon Jagger,
1243:
1228:
1218:
1206:
1149:
1143:
1124:
1116:
1108:null pointer
1061:
991:
987:
962:
898:
891:
883:
870:
868:
861:
857:preprocessor
842:
838:side effects
834:
819:
812:
797:
736:
717:
676:
673:
661:
654:
630:
618:
614:
591:
569:
534:
530:
515:
509:
499:
407:
395:
368:
344:
336:
324:
232:
229:
177:
165:precondition
162:
96:
79:
50:
40:
1177:Hoare logic
1146:Alan Turing
1139:flow charts
1135:IAS machine
1127:von Neumann
1106:or similar
815:__COUNTER__
790:'!'
724:case labels
637:stack trace
631:During the
63:state space
1400:Categories
1285:2022-03-16
1198:References
1150:assertions
955:// use ptr
879:if (false)
657:production
641:core dumps
514:operator (
379:invariants
327:statements
69:using the
1421:Debugging
1131:Goldstine
763:CONDITION
732:(int)==4)
710:CONDITION
592:assertion
588:defining
511:remainder
234:Libraries
87:exception
71:variables
61:over the
55:predicate
51:assertion
1331:Archived
1156:See also
1112:sporadic
1096:malloc()
1092:assert()
881:clause.
645:debugger
602:assert.h
590:assert (
585:assert.h
567:clause.
398:comments
245:#include
103:x > 1
99:x > 0
75:compiler
1253:, 1999.
1223:, 1969.
1121:History
974:pointer
798:If the
760:BOOLEAN
718:If the
707:BOOLEAN
701:SASSERT
612:macro.
606:cassert
600:, both
565:default
537:default
508:is the
359:runtime
331:runtime
93:Details
83:crashes
1088:NDEBUG
1084:assert
1076:malloc
1064:malloc
1033:sizeof
1027:malloc
1015:assert
978:malloc
966:malloc
943:assert
922:sizeof
916:malloc
871:enable
864:Python
742:static
730:sizeof
610:assert
561:switch
551:, and
541:switch
517:modulo
474:assert
412:code:
387:Eiffel
347:Eiffel
302:assert
146:assert
122:assert
748:const
687:C++11
522:total
477:total
438:total
420:total
383:class
381:of a
341:Usage
238:glibc
53:is a
1129:and
1072:NULL
972:NULL
851:and
849:YASS
745:char
685:and
604:and
572:Java
553:Java
502:Java
465:else
410:Java
355:Java
353:and
311:>
260:void
152:>
128:>
101:and
1100:ptr
1080:ptr
1068:ptr
1066:to
1057:...
1051:));
1039:int
1021:ptr
1003:ptr
997:int
982:ptr
958:...
949:ptr
928:int
910:ptr
904:int
859:.
853:C++
804:'!'
683:C11
598:C++
570:In
549:C++
500:In
429:();
417:int
269:int
251:int
188:C++
57:(a
41:In
1402::
1277:.
1235:,
1217:,
1213:,
1048:10
952:);
940:);
937:10
847:,
827:.
793:};
778:-1
713:);
594:)
547:,
504:,
486:==
447:==
432:if
393:.
385:.
317:);
190::
175:.
140:++
89:.
1316:.
1288:.
1045:*
1042:)
1036:(
1030:(
1024:=
1018:(
1006:;
1000:*
946:(
934:*
931:)
925:(
919:(
913:=
907:*
845:C
821:D
787:{
784:=
781:]
775::
772:1
769:?
766:)
757:(
754:[
728:(
704:(
580:C
557:D
545:C
506:%
495:}
492:;
489:1
483:2
480:%
468:{
462:}
456:{
453:)
450:0
444:2
441:%
435:(
423:=
351:C
320:}
314:1
308:x
305:(
299:;
296:1
293:+
290:x
287:=
284:x
281:;
278:5
275:=
272:x
266:{
263:)
257:(
254:f
222:;
219:1
216:+
213:x
210:=
207:x
204:;
201:5
198:=
195:x
158:;
155:1
149:x
143:;
137:x
134:;
131:0
125:x
119:;
116:1
113:=
110:x
38:.
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.