C++ Tips
TotW #1:
string_viewTotW #3: String Concatenation and
operator+vs.StrCat()TotW #3: String Concatenation and operator+ vs. StrCat()
TotW #5: Disappearing Act
TotW #5: Disappearing Act
Performance TotW #7: Optimizing for application productivity
Performance TotW #9: Optimizations past their prime
TotW #10: Splitting Strings, not Hairs
TotW #11: Return Policy
TotW #18: String Formatting with Substitute
Performance TotW #21: Improving the efficiency of your regular expressions
TotW #24: Copies, Abbrv.
TotW #36: New Join API
Performance TotW #39: Beware microbenchmarks bearing gifts
TotW #42: Prefer Factory Functions to Initializer Methods
TotW #45: Avoid Flags, Especially in Library Code
TotW #49: Argument-Dependent Lookup
Performance TotW #52: Configuration knobs considered harmful
Performance TotW #53: Precise C++ benchmark measurements with Hardware Performance Counters
TotW #55: Name Counting and unique_ptr
TotW #59: Joining Tuples
Performance TotW #60: In-process profiling: lessons learned
TotW #61: Default Member Initializers
Performance TotW #64: More Moore with better API design
TotW #64: Raw String Literals
TotW #65: Putting Things in their Place
Performance TotW #70: Defining and measuring optimization success
Performance TotW #74: Avoid sweeping street lights under rugs
TotW #74: Delegating and Inheriting Constructors
Performance TotW #75: How to microbenchmark
TotW #76: Use
absl::StatusTotW #77: Temporaries, Moves, and Copies
TotW #86: Enumerating with Class
TotW #88: Initialization: =, (), and {}
TotW #90: Retired Flags
TotW #93: using absl::Span
TotW #94: Callsite Readability and bool Parameters
TotW #99: Nonmember Interface Etiquette
TotW #101: Return Values, References, and Lifetimes
TotW #103: Flags Are Globals
TotW #107: Reference Lifetime Extension
TotW #108: Avoid
std::bindTotW #109: Meaningful `const` in Function Declarations
TotW #112: emplace vs. push_back
TotW #116: Keeping References on Arguments
TotW #117: Copy Elision and Pass-by-value
TotW #119: Using-declarations and namespace aliases
TotW #120: Return Values are Untouchable
TotW #122: Test Fixtures, Clarity, and Dataflow
TotW #123:
absl::optionalandstd::unique_ptrTotW #124:
absl::StrFormat()TotW #126: `make_unique` is the new `new`
TotW #130: Namespace Naming
TotW #131: Special Member Functions and `= default`
TotW #134:
make_uniqueandprivateConstructors.TotW #135: Test the Contract, not the Implementation
TotW #136: Unordered Containers
TotW #140: Constants: Safe Idioms
TotW #141: Beware Implicit Conversions to
boolTotW #142: Multi-parameter Constructors and
explicitTotW #143: C++11 Deleted Functions (
= delete)TotW #144: Heterogeneous Lookup in Associative Containers
TotW #146: Default vs Value Initialization
TotW #147: Use Exhaustive
switchStatements ResponsiblyTotW #148: Overload Sets
TotW #149: Object Lifetimes vs.
= deleteTotW #152:
AbslHashValueand YouTotW #153: Don't Use using-directives
TotW #158: Abseil Associative containers and
contains()TotW #161: Good Locals and Bad Locals
TotW #163: Passing
std::optionalparametersTotW #165:
ifandswitchstatements with initializersTotW #166: When a Copy is not a Copy
TotW #168:
inlineVariablesTotW #171: Avoid Sentinel Values
TotW #172: Designated Initializers
TotW #173: Wrapping Arguments in Option Structs
TotW #175: Changes to Literal Constants in C++14 and C++17.
TotW #176: Prefer Return Values to Output Parameters
TotW #177: Assignability vs. Data Member Types
TotW #180: Avoiding Dangling References
TotW #181: Accessing the value of a StatusOr<T>
TotW #182: Initialize Your Ints!
TotW #186: Prefer to Put Functions in the Unnamed Namespace
TotW #187:
std::unique_ptrMust Be MovedTotW #188: Be Careful With Smart-Pointer Function Parameters
TotW #198: Tag Types
TotW #215: Stringifying Custom Types with
AbslStringify()TotW #218: Designing Extension Points With FTADLE
TotW #224: Avoid
vector.at()TotW #227: Be Careful with Empty Containers and Unsigned Arithmetic
TotW #229: Ranked Overloads for Template Metaprogramming
Tip of the Week #147: Use Exhaustive switch Statements Responsibly
Originally posted as TotW #147 on April 25, 2018
By Jim Newsome
Updated 2020-04-06
Quicklink: abseil.io/tips/147
Introduction
Using the -Werror compiler flag, a switch statement over a value of an
enum type without a default label will fail to compile if any enumerator of
the enum doesn’t have a corresponding case. This is sometimes called an
exhaustive or defaultless switch statement.
An exhaustive switch statement is an excellent construct for ensuring at
compile time that every enumerator of a given enum is explicitly handled.
However, we must ensure that we handle the fall-through case when the variable
(legally!) has a non-enumerator value, and one of:
- The owner of the
enumguarantees no new enumerators will be added, - The owner of the
enumis willing and able to fix our code when new enumerators are added (e.g. theenumdefinition is part of the same project), - The owner of the
enumwill not be blocked by breaking our build (e.g. their code is in a separate source control repository), and we’re willing to be forced to update ourswitchstatements when updating to the latest version of theenum-owner’s code.
An Initial Attempt
Suppose we are writing a function that maps each enumerator of an enum to a
std::string. We decide to use an exhaustive switch statement to ensure we
didn’t forget to handle any of the enumerators:
std::string AnEnumToString(AnEnum an_enum) {
switch (an_enum) {
case AnEnum::kFoo:
return "kFoo";
case AnEnum::kBar:
return "kBar";
case AnEnum::kBaz:
return "kBaz";
}
}
Assuming that AnEnum indeed has only those three enumerators, this code will
compile, and will seem to have the desired effect. However, there are two
important issues that must be accounted for.
Enums with Non-Enumerator Values
In C++, enums are permitted to have values other than the explicit enumerators.
All enums can legally take on at least all of the values representable by an
integral type with just enough bits to represent every enumerator, and enums
with a fixed underlying type (e.g. those declared with enum class) can take on
any value representable by that type. This is sometimes intentionally leveraged
to use an enum as a bitfield or to represent enumerators that
didn’t exist when we compiled our code (as in
proto 3).
So what happens in our code if an_enum isn’t one of the handled enumerator
types?
In general when a switch statement doesn’t have a case matching the switch
condition and doesn’t have a default case, execution falls through past the
whole switch statement. This can lead to surprising behavior; in our example
it leads to undefined behavior. After execution falls through the switch
statement, it reaches the end of the function without returning a value, which
is undefined behavior for a function with a non-void return type.
We can address this issue by explicitly handling the case where execution falls
through the switch statement. This ensures we always get defined and
predictable behavior at run time, while continuing to benefit from the
compile-time check that all enumerators are explicitly handled.
In our example, we’ll log a warning and return a sentinel value. Another reasonable alternative, especially if we’re convinced that the function (currently) can’t receive a non-enumerator value, would be to immediately crash with a debuggable error message and stack trace.
std::string AnEnumToString(AnEnum an_enum) {
switch (an_enum) {
case AnEnum::kFoo:
return "kFoo";
case AnEnum::kBar:
return "kBar";
case AnEnum::kBaz:
return "kBaz";
}
LOG(ERROR) << "Unexpected value for AnEnum: " << static_cast<int>(an_enum);
return kUnknownAnEnumString;
}
We’ve now ensured that something reasonable happens for any possible value of
an_enum, but there’s still potentially a problem.
What Happens When a New Enumerator Is Added?
Suppose someone later wants to add a new enumerator to AnEnum. Doing so causes
AnEnumToString to no longer compile. Whether that’s a bug or a feature depends
on who owns AnEnum and what guarantees they provide.
If AnEnum is part of the same project as AnEnumToString, then the engineer
adding a new enumerator is likely to be blocked from submitting their change
before fixing AnEnumToString due to compilation errors. They are also
reasonably likely to be willing and able to do so. In this case our use of an
exhaustive switch statement is a win: it successfully ensured that the
switch statement is updated appropriately, and everyone is happy.
Similarly, if AnEnum is part of a different project in a different
repository, then the breakage won’t surface until the engineers on our project
try to update to a newer version of that code. If we expect that those engineers
will be willing and able to fix the switch statement, then all is well.
However, if AnEnum is owned by a different project in the same repository
the situation is a bit more precarious. A change to AnEnum might cause our
code to break at head, and the engineer making the change might not be willing
or able to fix it for us. Indeed, if there were many similar exhaustive switch
statements over AnEnum, it’d be extremely challenging for them to fix all such
usages.
For these reasons, it’s best to use exhaustive switch statements only on
enum types that either we own, or whose owner has explicitly guaranteed that
no new enumerators will be added.
In our example, let’s suppose that AnEnum is owned by a different project, but
the documentation promises that no new enumerators will be added. Let’s add a
comment so that future readers understand our reasoning.
std::string AnEnumToString(AnEnum an_enum) {
switch (an_enum) {
case AnEnum::kFoo:
return "kFoo";
case AnEnum::kBar:
return "kBar";
case AnEnum::kBaz:
return "kBaz";
// No default. The API of AnEnum guarantees no new enumerators will be
// added.
}
LOG(ERROR) << "Unexpected value for AnEnum: " << static_cast<int>(an_enum);
return kUnknownAnEnumString;
}
Conclusions
Exhaustive switch statements can be an excellent tool for ensuring that all
enumerators are explicitly handled, provided that we:
- Explicitly handle the case where the
enumhas a non-enumerator value, falling through the entireswitchstatement. In particular if the enclosing function has a return value, we must ensure that the function still either returns a value or crashes in a well-defined and debuggable way. - Ensure that one of:
- The owner of the
enumtype either guarantees no new enumerators will be added, - The owner of the
enumis willing and able to fix our code when new enumerators are added, - If our code uses exhaustive switch statements and is broken due to an
enumerator being added, the owner of the
enumis not blocked by this breakage.
- The owner of the
When making an enum type available to other projects, we should either:
- Explicitly guarantee that no new enumerators will be added, so that users
can take advantage of exhaustive
switchstatements. - Explicitly reserve the right to add new enumerators without notice, to
discourage consumers from writing exhaustive
switchstatements. One idiomatic way of doing so is to add a sentinel enumerator clearly not meant to be used in API consumers’ exhaustive switch statements; e.g.kNotForUseWithExhaustiveSwitchStatements.
FAQ
-
Why does the compiler allow omitting a
returnstatement after an exhaustiveswitch?Omitting a final return can be safe if additional steps are taken to ensure that the
enumvariable can only be one of its enumerators. It’s often better in such cases to still defensively add a finalreturn. -
The enum I’m switching on already has exhaustive switch statements all over the place. Since the owners are already effectively prevented from adding new enumerators, won’t adding my own exhaustive switch statement be harmless?
It’s usually better to get an explicit policy from the owner before further increasing their maintenance burden.
-
What about protobuf enums?
For authoritative guidance, see the protobuf documentation.
Exhaustive
switchstatements on proto3enumtypes are not recommended. The parser doesn’t guarantee thatenumfields will have enumerator values. Additionally, it’s not possible to write an exhaustiveswitchstatement over proto3enumtypes without referencing special sentinel enumerators that should be considered internal implementation details of the protobuf tools.Exhaustive
switchstatements on proto2enumtypes that you own (or whose owners guarantee will never be moved to proto3 and will never have new enumerators added) are safe and recommended by the protobuf team. The protobuf parser guarantees thatenumfields will be assigned a compile-time enumerator, though care should still be taken if theenumvalue isn’t guaranteed to have come from the parser (e.g. if it’s part of aprotoobject received as a function parameter). -
What about scoped enumerations (
enum class)?Everything in this tip applies to all enumeration types in C++ at time of writing (i.e. through at least C++20).
References
