contract based programming - doc.ic.ac.ukak6309/topics/docs/pbl-ai topics...

Posted on 15-Aug-2019


CONTRACT BASED PROGRAMMING

Alexander Karapetian

Fraser Waters

Amélie Windel

Theorem Proving

Natural Deduction systems

Pandora – Functionally sound & complete

Limited – Relies on user’s introduction/elimination rules

Mathematical Theorem Proving

Automated deduction

E

Equational Calculus

Proof by refutation

Otter

First Order Logic

Dev. halted in 2004

Program Analysis

Contracts in programs

Pre conditions

Must be satisfied by the caller before the method is entered

Assumed by the method body to be satisfied, so it is not re-checked inside

Behaviour is undefined if the caller violates them

Post conditions

Describe state of output after execution

Assumed by callers (and by the methods built on top of them) to hold on return

Invariants

Conditions on an object's state that must hold whenever the object is observable from outside, i.e. at the end of every constructor and public method
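The three contract kinds listed above, shown together on one class. This is an added example, not code from the slides: BoundedCounter is hypothetical, and it assumes .NET Framework 4 with the Code Contracts tools installed and runtime checking enabled through the binary rewriter (ccrewrite), since without the rewriter Requires/Ensures/Invariant are not enforced.

```csharp
using System;
using System.Diagnostics.Contracts;

// Hypothetical class (not from the slides) exercising all three contract kinds.
// Assumes .NET Framework 4 with the Code Contracts tools and runtime checking
// enabled via ccrewrite; without the rewriter these calls are not enforced.
public sealed class BoundedCounter
{
    private readonly int _max;
    private int _value;

    public BoundedCounter(int max)
    {
        // Precondition: the caller must supply a positive bound.
        Contract.Requires(max > 0);
        _max = max;
        _value = 0;
    }

    // Invariant: checked at the end of the constructor and of every public method.
    [ContractInvariantMethod]
    private void ObjectInvariant()
    {
        Contract.Invariant(_value >= 0);
        Contract.Invariant(_value <= _max);
    }

    public int Max { get { return _max; } }

    public int Value
    {
        get
        {
            // Postcondition on the getter: callers may rely on a non-negative result.
            Contract.Ensures(Contract.Result<int>() >= 0);
            return _value;
        }
    }

    public void Increment()
    {
        // Precondition written in terms of public members so callers can check it.
        Contract.Requires(Value < Max);
        // Postcondition relating the new state to the state on entry.
        Contract.Ensures(Value == Contract.OldValue(Value) + 1);
        _value++;
    }

    public void Reset()
    {
        Contract.Ensures(Value == 0);
        _value = 0;
    }
}

public static class Program
{
    public static void Main()
    {
        var counter = new BoundedCounter(2);
        counter.Increment();
        counter.Increment();
        Console.WriteLine(counter.Value);
        // counter.Increment(); would violate Value < Max: the static checker flags the
        // call, and with runtime checking on the contract fails before _value changes.
        counter.Reset();
        Console.WriteLine(counter.Value);
    }
}
```

Preconditions must only mention members at least as visible as the method they guard (here the public Value and Max), because the caller is the one expected to satisfy them; the invariant, which is the class's own business, may refer to the private fields directly.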

Code Checking Code

Programs proving correctness of code

Vampire theorem prover

Equinox first order theorem prover

Microsoft Research contract code enforcer


Microsoft Research – Spec#

Contract code – Visual Studio 2008/2010 RC

using System.Diagnostics.Contracts;

Contract.Requires() // Pre condition

Contract.Ensures() // Post condition

Contract.Invariant()

Contract.Assume() // Truth assumed for condition

Tautology deletion

Reduction to Truth

Code Contracts

Available in all .NET 4.0 languages

VB, C#, F#

Static analysis engine

Infers loop invariants

Infers method contracts

Code Examples

Simple division method

Call with divisor argument 0

DivideByZeroException thrown at runtime; nothing in the method's signature tells the caller that 0 is not a valid divisor

public static int Divide(int dividend, int divisor)
{
    return dividend / divisor;
}

static void Main(string[] args)
{
    Divide(5, 0);
}

Contract Code Enforcement

Pre-conditioning

Pre-conditioning

Using Contract.Requires()

Static checker: condition breach at the Divide(5, 0) call site

Static checker: possible overflow in the division itself (int.MinValue / -1 is the one int division whose result does not fit in an int, and divisor != 0 does not exclude -1)

public static int Divide(int dividend, int divisor)
{
    Contract.Requires(divisor != 0);
    return dividend / divisor;
}

Pre-conditioning

Possible overflow remedied

Change from divisor != 0 to divisor > 0: a positive divisor excludes both 0 and -1, so int.MinValue / -1 can no longer occur

public static int Divide(int dividend, int divisor)
{
    Contract.Requires(divisor > 0);
    return dividend / divisor;
}
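The precondition styles Code Contracts accepts for the Divide example, as an added example that is not part of the slides. It assumes .NET Framework 4 with the Code Contracts tools; Divide and DivideChecked need the binary rewriter for their checks to run, while DivideLegacy is enforced by plain C# on every build. SafeDivision and the method names other than Divide are hypothetical.

```csharp
using System;
using System.Diagnostics.Contracts;

// Added example, not from the slides. Assumes .NET Framework 4 with the Code
// Contracts tools; Divide and DivideChecked need the binary rewriter for the
// checks to run, DivideLegacy is enforced by plain C# on every build.
public static class SafeDivision
{
    // The slides' fix: a positive divisor rules out 0 and also -1, so the single
    // overflowing int division int.MinValue / -1 can no longer occur.
    public static int Divide(int dividend, int divisor)
    {
        Contract.Requires(divisor > 0);
        return dividend / divisor;
    }

    // Narrower precondition that still admits negative divisors: exclude exactly the
    // two unsafe inputs. Requires<TException> documents the exception a caller gets
    // instead of a generic contract failure.
    public static int DivideChecked(int dividend, int divisor)
    {
        Contract.Requires<DivideByZeroException>(divisor != 0);
        Contract.Requires<OverflowException>(!(dividend == int.MinValue && divisor == -1));
        return dividend / divisor;
    }

    // Legacy if-then-throw form: always enforced, no rewriter needed.
    // Contract.EndContractBlock() marks the guards as preconditions so the static
    // checker reasons about them like Contract.Requires().
    public static int DivideLegacy(int dividend, int divisor)
    {
        if (divisor == 0)
            throw new ArgumentOutOfRangeException("divisor", "divisor must be non-zero");
        if (dividend == int.MinValue && divisor == -1)
            throw new OverflowException("int.MinValue / -1 does not fit in an int");
        Contract.EndContractBlock();
        return dividend / divisor;
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(SafeDivision.DivideLegacy(7, -2));
        // Variables rather than literals: the compiler rejects the constant
        // expression int.MinValue / -1 as an overflow, whereas the unguarded
        // division of these runtime values throws an overflow exception.
        int dividend = int.MinValue, divisor = -1;
        try
        {
            Console.WriteLine(SafeDivision.DivideLegacy(dividend, divisor));
        }
        catch (OverflowException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The legacy form is the one to reach for when a method takes untrusted input and the release build disables runtime contract checking: the guards stay in the compiled code regardless of the contracts configuration, and the static checker still gets the same preconditions to work with.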

Contract Code Enforcement

Pre-conditioning

Post-conditioning

Post-conditioning

Add new method GetNumber()

Call Divide with GetNumber()'s result as the divisor

Divisor source unknown: GetNumber() carries no contract, so nothing tells the checker that its result satisfies Divide()'s precondition

Static checker warning: precondition unproven (and in fact GetNumber(0) returns 0, so the call would fail at runtime as well)

public static int GetNumber(int i)
{
    return i * 2;
}

static void Main(string[] args)
{
    Divide(5, GetNumber(0));
}

Post-conditioning

Provide Contract.Ensures() code

Postcondition: the returned int is > 0

Static checker warning upon compilation: postcondition unproven, because i * 2 is not positive for every int i (i = 0 yields 0 and negative i yields a negative result)

public static int GetNumber(int i)
{
    Contract.Ensures(Contract.Result<int>() > 0);
    return i * 2;
}

Contract Code Enforcement

Pre-conditioning

Post-conditioning

Static checking

Static Checking

Remedy warning from static checker

Add precondition of i > 0

Checker verifies that i > 0 implies 2i > 0

GetNumber() is now also contracted; note that the call Divide(5, GetNumber(0)) from the previous slides now violates GetNumber()'s own precondition, since its argument is the constant 0, and the checker reports that call instead

Caveat: i > 0 implies 2i > 0 only while i * 2 does not overflow; in C#'s default unchecked arithmetic GetNumber(int.MaxValue) returns -2, so a precondition such as i > 0 && i <= int.MaxValue / 2 is what actually guarantees the postcondition

public static int GetNumber(int i)
{
    Contract.Requires(i > 0);
    Contract.Ensures(Contract.Result<int>() > 0);
    return i * 2;
}
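The two ways to clear a "precondition unproven" warning when the divisor really does come from outside the checker's view, as an added example that is not part of the slides. It uses Contract.Assume(), which the Spec# slide lists but the deck never exercises. Assumes .NET Framework 4 with the Code Contracts static checker and runtime checking enabled via the rewriter; Arithmetic, Callers and their methods are hypothetical, and the string "7" stands in for a command-line or config value.

```csharp
using System;
using System.Diagnostics.Contracts;

// Added example, not from the slides. Hypothetical methods; assumes the .NET
// Framework 4 Code Contracts tools with the static checker and runtime checking
// enabled via the binary rewriter.
public static class Arithmetic
{
    public static int Divide(int dividend, int divisor)
    {
        Contract.Requires(divisor > 0);
        return dividend / divisor;
    }
}

public static class Callers
{
    // The divisor comes from outside the program (a constructed string standing in
    // for a command-line or config value), so no callee contract can establish it.
    // An explicit guard both validates the input and gives the checker the fact
    // divisor > 0 it needs to discharge Divide's precondition.
    public static int DivideFromInput(string text)
    {
        int divisor;
        if (!int.TryParse(text, out divisor))
            throw new FormatException("divisor is not an integer: " + text);
        if (divisor <= 0)
            throw new ArgumentOutOfRangeException("text", "divisor must be positive");
        return Arithmetic.Divide(100, divisor);
    }

    // Contract.Assume(): the static checker takes the condition on trust (it is still
    // evaluated at runtime while checking is enabled). Appropriate only for facts the
    // checker cannot see, such as an invariant maintained by code in another assembly
    // without contracts; never a substitute for validating untrusted input, because a
    // wrong Assume silences the static warning and, once runtime checking is disabled,
    // nothing checks it at all.
    public static int DivideTrusted(int[] positiveDivisors, int index)
    {
        Contract.Requires(positiveDivisors != null);
        Contract.Requires(index >= 0 && index < positiveDivisors.Length);
        int divisor = positiveDivisors[index];
        Contract.Assume(divisor > 0);   // external invariant: array holds positive values only
        return Arithmetic.Divide(100, divisor);
    }

    public static void Main()
    {
        Console.WriteLine(DivideFromInput("7"));                  // constructed sample input
        Console.WriteLine(DivideTrusted(new[] { 3, 5, 20 }, 2));  // constructed sample input
        try
        {
            DivideFromInput("0");
        }
        catch (ArgumentOutOfRangeException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

Prefer the guard over the Assume whenever the code can actually test the condition: the guard is a check, the Assume is a claim.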

Contract Code Enforcement

Pre-conditioning

Post-conditioning

Static checking

Runtime checking

Runtime Checking

Run preconditioned Divide() with 0 divisor

Static checker warning shown at the call site

Runtime exception thrown if executed: with runtime contract checking enabled, the Contract.Requires() check fails on entry and the division never runs

public static int Divide(int dividend, int divisor)
{
    Contract.Requires(divisor != 0);
    return dividend / divisor;
}

Runtime Checking

Runtime contract checking can be disabled per build configuration

Prevents slowdown due to verification

With checking disabled the example falls through to the division and throws DivideByZeroException instead, so code whose release build turns checks off must not rely on contracts as its only input validation
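How a runtime contract failure surfaces, and how to route it somewhere useful, as an added example that is not part of the slides. It assumes .NET Framework 4 with the Code Contracts rewriter and runtime checking enabled (the deck's setup); the Contract.ContractFailed event and its SetHandled()/SetUnwind() methods are part of System.Diagnostics.Contracts, while RuntimeContractDemo is hypothetical.

```csharp
using System;
using System.Diagnostics.Contracts;

// Added example, not from the slides. Assumes .NET Framework 4 with the Code
// Contracts rewriter and runtime checking enabled; with checking disabled the
// Requires call is compiled away and Divide(5, 0) throws DivideByZeroException.
public static class RuntimeContractDemo
{
    public static int Divide(int dividend, int divisor)
    {
        Contract.Requires(divisor != 0);
        return dividend / divisor;
    }

    public static void Main()
    {
        // Route contract failures to a handler instead of the default behaviour
        // (a failed contract is treated as an assertion failure and the process
        // is terminated). The handler sees which contract failed and why.
        Contract.ContractFailed += (sender, e) =>
        {
            Console.Error.WriteLine("contract {0} failed: {1}", e.FailureKind, e.Condition);
            e.SetHandled();   // suppress the default failure handling
            e.SetUnwind();    // ...and still throw, so the caller cannot continue
        };

        try
        {
            Divide(5, 0);
        }
        catch (Exception ex)
        {
            // Runtime checking on: a contract exception, the division never ran.
            // Runtime checking off: DivideByZeroException from the division itself.
            Console.WriteLine(ex.GetType().Name);
        }
    }
}
```

Calling SetHandled() without SetUnwind() lets execution continue into the body whose precondition just failed, which defeats the point of the check; pair them, or leave the event alone and let the default handling stop the process.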

Contract Code Enforcement

Pre-conditioning

Post-conditioning

Static checking

Runtime checking

The Future

When will I see Contracts in widespread use?

Languages implement native support

Contract code libraries/extensions popularise

Microsoft releases .NET Framework 4.0

Tools in early stages

Static checker under development for stronger type support

Cleared for Release Candidate status – Feb 2010

Visual Studio 2010 RC – Quarter 1 – 2010


Questions?

Alexander Karapetian

ak6309@doc.ic.ac.uk

Fraser Waters

fjw08@doc.ic.ac.uk

Amélie Windel

amelie.windel09@ic.ac.uk
