Toward enforceable contracts for 'NET - PowerPoint PPT Presentation

1 / 24

About This Presentation

Title:

Toward enforceable contracts for 'NET

Description:

.NET primer for Java programmers. Type-safe programming language. Managed code. Java ... Building and maintaining large systems that are correct. Approach ... – PowerPoint PPT presentation

Number of Views:47

Avg rating:3.0/5.0

Slides: 25

Provided by: Rustan5

Category:

more less

Transcript and Presenter's Notes

Title: Toward enforceable contracts for 'NET

1
Towardenforceable contractsfor .NET
K. Rustan M. LeinoMicrosoft Research, Redmond,
WA, USAwithMike Barnett, Robert DeLine,Manuel
Fahndrich, and Wolfram Schulte

CASSIS 2004Marseille, France12 March 2004
2
.NET primer for Java programmers
Type-safe programming language
Java Virtual Machine (JVM)
Common Language Runtime (CLR)
Managed code
bytecode
Java
obj.myMethod()
Common Intermediate Language (CIL) also known
asMicrosoft Intermediate Language (MSIL)
CVisual BasicManaged CSpec
obj.MyMethod()
3
Software engineering problem

Building and maintaining large systems that are
correct

4
Approach

Specifications record design decisions
bridge intent and code
Tools amplify human effort
manage details
find inconsistencies
ensure quality

5
Design decisions examples and trends

procedural abstraction
int x
assert(x lt a.Length)
finite-state protocols
SpecStrings
Pre- and postconditions, and object invariants

Acquire()
Release()
Acquire()
Release()
int strlen(pre notnull char str)
Contracts
void Copy(int a, int start, int
count) requires startcount lt a.Length
6
Contracts today
StringBuilder.Append Method (Char, Int32,
Int32) Appends the string representation of a
specified subarray of Unicode characters to the
end of this instance. public StringBuilder
Append(char value, int startIndex, int
charCount) Parameters value A character
array. startIndex The starting position in
value. charCount The number of characters
append. Return Value A reference to this
instance after the append operation has
occurred. Exceptions
7
Spec contracts

Precondition
Callers are expected to establish precondition
before invoking method
Implementations can assume precondition holds
on entry

public StringBuilder Append( char value,
int startIndex, int charCount) requires
value ! null (charCount 0 startIndex
0) requires 0 lt charCount 0 lt
startIndex requires startIndex charCount
lt value.Length ensures result this

Postcondition
Implementations are expected to establish
postcondition on exit
Callers can assume postcondition upon return
from method invocation

8
Spec and Boogie
Compile-time error messages
Run-time exceptions
Boogie
Spec compiler
Code contracts in Spec
9
Boogie demo
10
Spec is C extended with

Non-null types
Preconditions
Postconditions
Object invariants
Checked exceptions
...

11
Spec Non-null types

T xThe value of x is null ora reference to an
object whose type is a subtype of T.
T! yThe value of y isa reference to an object
whose type is a subtype of T,not null.

12
Non-null instance fields

class C B T! x public C(T!
y) base() this.x y public
overrides int M() return x.f

Is this code type safe?
No! The base constructor can invoke the virtual
method M and C.M would then find x to be null.
13
Non-null instance fields

class C B T! x public C(T!
y) x(y), base() public overrides int
M() return x.f

Need to allow x to beassigned before
baseconstructor is called.
14
Spec Parameter validation
public virtual StringBuilder Append(char
value, int
startIndex,
int charCount) Parameters startIndex The
starting position in value. Exceptions

requires 0 lt startIndex otherwise
ArgumentException
requires 0 lt startIndex
15
Parameter-validation exceptions

requires 0 lt startIndex
requires 0 lt startIndex otherwise
ArgumentException
requires 0 lt startIndex otherwise new
ArgumentException(startIndex,
Resource.Load(Resource. Description_StringBu
ilder_Append_arg_startIndex))

precondition caller obligation
orpostcondition implementation promise ?
Complications for no good reason.E.g. name no
good without stack trace name superfluous
given stack trace

precondition caller obligation

16
Spec Taming exceptions

Introduce checked exceptions
An exception is checked if it implements
interface ICheckedException

Exception

Throwable

Java
Spec

ICheckedException

RuntimeException

CheckedException

Error
Checked exceptions Unchecked exceptions
17
Spec Taming exceptions

Introduce checked exceptions
An exception is checked if it implements
interface ICheckedException
Methods must declare which checked exceptions
they may throw

int MyMethod() throws MyException
int MyMethod() throws MyException ensures
stateClosed
18
Spec Taming exceptions

Introduce checked exceptions
An exception is checked if it implements
interface ICheckedException
Methods must declare which checked exceptions
they may throw
Soundness of throw statement

Exception x new MyCheckedException() throw x
If static type of x is not an ICheckedException,
then check !( x is ICheckedException ) at run
time.
19
Spec Object invariants

class C int x, y invariant x lt y

Object invariant always holds, except possibly
when the object is exposed
Joint work also with Peter Müller (ETH Zurich)
and David Naumann (Stevens Institute of
Technology)
20
Spec Object invariants

class C int x, y invariant x lt y
public void M(T! o) expose (this)
this.x this.y o.P() this.y

The object invariant may be temporarily violated
here
The object invariant is checked to hold here
Joint work also with Peter Müller (ETH Zurich)
and David Naumann (Stevens Institute of
Technology)
21
Spec Object invariants

class C int x, y invariant x lt y
public void M(T! o) expose (this)
this.x this.y o.P() this.y

The exposed/unexposed state of the object is
recorded, so as to detect possible bad re-entrancy
Joint work also with Peter Müller (ETH Zurich)
and David Naumann (Stevens Institute of
Technology)
22
Boogie Under the hood
MSIL
Boogie
translator
Inferenceengine
BoogiePL
weakest-preconditiongenerator
verification condition
Theoremprover
Warnings
23
Inference