AI Contract Programming

CONTRACT BASED PROGRAMMING
Alexander Karapetian
Fraser Waters
Amélie Windel
Theorem Proving
- Natural Deduction systems
  - Pandora – Functionally sound & complete
  - Limited – Relies on user's introduction/elimination rules
Mathematical Theorem Proving
- Automated deduction
  - E
    - Equational Calculus
    - Proof by refutation
  - Otter
    - First Order Logic
    - Dev. halted in 2004
Program Analysis
- Contracts in programs
  - Pre conditions
    - Must be satisfied before the code is entered; meeting them is the caller's obligation
    - Assumed by the program to be satisfied
    - Result is undefined if not satisfied
  - Post conditions
    - Describe the state of the output after execution
    - Assumed by callers to be satisfied
  - Invariants
Code Checking Code
- Programs proving correctness of code
  - Vampire theorem prover
  - Equinox first order theorem prover
  - Microsoft Research contract code
Microsoft Research – Spec#
- Contract code – .NET 4.0
  using System.Diagnostics.Contracts;
  Contract.Requires()  // Precondition
  Contract.Ensures()   // Postcondition
  Contract.Invariant() // Object invariant
  Contract.Assume()    // Condition the checker takes as true without verifying it
Code Contracts
- Available in the BCL of .NET Framework 4.0
  - VB, C#, F#
- Static analysis engine: cccheck
  - Infers loop invariants
  - Infers method contracts
- Runtime checking binary rewriter: ccrewrite
  - Rewrites methods to perform runtime checking
- Contract documentation generator: ccdoc
  - Generates XML documentation (the .NET standard)
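Added example, not code from the slides: a small bounded buffer that uses all four contract kinds from the slide above (Requires, Ensures, an object invariant via ContractInvariantMethod, and OldValue/Result inside postconditions), so that an out-of-bounds write becomes a contract violation the checker and rewriter catch. It assumes .NET Framework 4.0 with the Code Contracts tools (cccheck / ccrewrite) installed; the class and member names are my own.

```csharp
// Added example (not from the slides). Assumes .NET Framework 4.0 with the
// Code Contracts tools (cccheck / ccrewrite) installed.
using System;
using System.Diagnostics.Contracts;

public sealed class BoundedBuffer
{
    private readonly byte[] _store;
    private int _count;
    public BoundedBuffer(int capacity)
    {
        Contract.Requires(capacity > 0);                        // precondition
        Contract.Ensures(Capacity == capacity && Count == 0);   // postcondition
        _store = new byte[capacity];
    }

    [Pure] public int Capacity { get { return _store.Length; } }
    [Pure] public int Count { get { return _count; } }

    // Object invariant: ccrewrite checks it after every public method and
    // constructor; cccheck tries to prove it statically.
    [ContractInvariantMethod]
    private void ObjectInvariant()
    {
        Contract.Invariant(_store != null);
        Contract.Invariant(_count >= 0 && _count <= _store.Length);
    }

    // The out-of-bounds write is ruled out by a precondition the caller must
    // meet, so cccheck flags every call site that cannot prove it.
    public void Append(byte[] data)
    {
        Contract.Requires(data != null);
        Contract.Requires(Count + data.Length <= Capacity);
        Contract.Ensures(Count == Contract.OldValue(Count) + data.Length);
        Array.Copy(data, 0, _store, _count, data.Length);
        _count += data.Length;
    }

    public byte[] Snapshot()
    {
        Contract.Ensures(Contract.Result<byte[]>() != null);
        Contract.Ensures(Contract.Result<byte[]>().Length == Count);
        var copy = new byte[_count];
        Array.Copy(_store, copy, _count);
        return copy;
    }
}
```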
Code Examples
- Simple division method
public static int Divide(int dividend, int divisor)
{
    return dividend / divisor;
}
- Call with divisor argument 0
static void Main(string[] args)
{
    Divide(5, 0);
}
- DivideByZeroException thrown
Contract Code Enforcement
- Pre-conditioning
Pre-conditioning
- Using Contract.Requires()
public static int Divide(int dividend, int divisor)
{
    Contract.Requires(divisor != 0);
    return dividend / divisor;
}
- Static checker: condition breach at the call site / possible overflow (int.MinValue / -1 does not fit in an int)
Pre-conditioning
- Possible overflow remedied
  - Change from divisor != 0 to divisor > 0, which also excludes the divisor -1 behind the overflow warning
public static int Divide(int dividend, int divisor)
{
    Contract.Requires(divisor > 0);
    return dividend / divisor;
}
Contract Code Enforcement
- Pre-conditioning
- Post-conditioning
Post-conditioning
- Add new method GetNumber()
- Call Divide with the method's result
  - Divisor source unknown to the checker
- Static checker warning: precondition unproven
public static int GetNumber(int i)
{
    return i * 2;
}
static void Main(string[] args)
{
    Divide(5, GetNumber(0));
}
Post-conditioning
- Provide Contract.Ensures() code
  - Postcondition of returning int > 0
public static int GetNumber(int i)
{
    Contract.Ensures(Contract.Result<int>() > 0);
    return i * 2;
}
- Static checker warning upon compilation – postcondition unproven
Contract Code Enforcement
- Pre-conditioning
- Post-conditioning
- Static checking
Static Checking
- Remedy warning from static checker
  - Add precondition of i > 0
public static int GetNumber(int i)
{
    Contract.Requires(i > 0);
    Contract.Ensures(Contract.Result<int>() > 0);
    return i * 2;
}
- Checker verifies that i > 0 implies 2i > 0
- GetNumber() is now also contracted
Contract Code Enforcement
- Pre-conditioning
- Post-conditioning
- Static checking
- Runtime checking
Runtime Checking
- Run preconditioned Divide() with 0 divisor
public static int Divide(int dividend, int divisor)
{
    Contract.Requires(divisor != 0);
    return dividend / divisor;
}
- Static checker warning shown
- Runtime exception thrown if executed
Runtime Checking
- In Release builds
  - Only Requires<E>() is checked
  - Prevents slowdown from lots of verification
  - Example would throw DivideByZeroException
- In Debug builds
  - Assert() and Assume() are also checked
  - Break into debugger
- Can be rewritten with ccrewrite
  - Varying levels of checking:
    - Full
    - Pre & Post only
    - Pre only
    - ReleaseRequires
    - None
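Added example, not code from the slides: the Divide() method written with the generic Requires<E>() form that the slide says survives a Release build, and a caller that uses Contract.Assume() for a value the static checker cannot see. It assumes ccrewrite is run on the assembly at the ReleaseRequires level or higher; SafeMath, DivisorFromConfig and Run are my own names.

```csharp
// Added example (not from the slides). Assumes ccrewrite runs on the assembly
// at the ReleaseRequires level or above.
using System;
using System.Diagnostics.Contracts;

public static class SafeMath
{
    public static int Divide(int dividend, int divisor)
    {
        // Plain Requires() is compiled away unless CONTRACTS_FULL is defined, so
        // on its own it gives no protection in a Release build. The generic form
        // stays in and ccrewrite turns a failure into the named exception.
        Contract.Requires<ArgumentOutOfRangeException>(divisor > 0, "divisor");
        return dividend / divisor;
    }

    // Hypothetical stand-in for a value coming from code without contracts.
    public static int DivisorFromConfig() { return 4; }

    public static int Run()
    {
        int d = DivisorFromConfig();
        // Assume() lets cccheck discharge Divide's precondition, but it is trust,
        // not proof: it is only checked in Debug builds, so an untrue assumption
        // silently reopens the divide-by-zero path in Release. Validate the value
        // in code where it crosses a trust boundary instead of assuming it.
        Contract.Assume(d > 0);
        int ok = Divide(12, d);   // 3

        try
        {
            Divide(12, 0);        // rewritten contract throws before the division
        }
        catch (ArgumentOutOfRangeException)
        {
            return ok;
        }
        return -1;                // reached only if contracts were not enforced
    }
}
```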
Contract Code Enforcement
- Pre-conditioning
- Post-conditioning
- Static checking
- Runtime checking
- The Future
The Future
- When will I see Contracts in widespread use?
  - Languages implement native support
  - Contract code libraries/extensions popularise
  - Microsoft releases .NET Framework 4.0
    - Tools in early stages
    - Static checker under development for stronger type support
    - Cleared for Release Candidate status – Feb 2010
    - Visual Studio 2010 RC out
Questions?
Alexander Karapetian
Fraser Waters
Amélie Windel