contract based programming - doc.ic.ac.ukak6309/topics/docs/pbl-ai topics...
CONTRACT BASED PROGRAMMING
Alexander Karapetian, Fraser Waters, Amélie Windel
Theorem Proving
Natural Deduction systems
Pandora – Functionally sound & complete
Limited – Relies on user’s introduction/elimination rules
Mathematical Theorem Proving
Automated deduction
E
Equational Calculus
Proof by refutation
Otter
First Order Logic
Dev. halted in 2004
Program Analysis
Contracts in programs
Pre conditions
Must be satisfied prior to program load
Assumed by the program to be satisfied
Nondeterministic result if not satisfied
Post conditions
Describe state of output after execution
Assumed by calling methods to be satisfied
Invariants
Code Checking Code
Programs proving correctness of code
Vampire theorem prover
Equinox first order theorem prover
Microsoft Research contract code enforcer
Microsoft Research – Spec#
Contract code – Visual Studio 2008/2010 RC
using System.Diagnostics.Contracts;
Contract.Requires() // Pre condition
Contract.Ensures() // Post condition
Contract.Invariant() // Object invariant
Contract.Assume() // Truth assumed for condition
Tautology deletion
Reduction to Truth
Code Contracts
Available in all .NET 4.0 languages
VB, C#, F#
Static analysis engine
Infers loop invariants
Infers method contracts
Code Examples
Simple division method
Call with divisor argument 0
DivideByZero exception thrown
public static int Divide(int dividend, int divisor)
{
return dividend / divisor;
}
static void Main(string[] args)
{
Divide(5, 0);
}
Contract Code Enforcement
Pre-conditioning
Pre-conditioning
Using Contract.Requires()
Static checker: condition breach/possible overflow
public static int Divide(int dividend, int divisor)
{
Contract.Requires(divisor != 0);
return dividend / divisor;
}
Pre-conditioning
Possible overflow remedied
Change from divisor != 0 to divisor > 0
public static int Divide(int dividend, int divisor)
{
Contract.Requires(divisor > 0);
return dividend / divisor;
}
Contract Code Enforcement
Pre-conditioning
Post-conditioning
Post-conditioning
Add new method GetNumber()
Call Divide with method
Divisor source unknown
Static checker warning: precondition unproven
public static int GetNumber(int i)
{
return i * 2;
}
static void Main(string[] args)
{
Divide(5, GetNumber(0));
}
Post-conditioning
Provide Contract.Ensures() code
Postcondition of returning int > 0
Static checker warning upon compilation – postcondition unproven
public static int GetNumber(int i)
{
Contract.Ensures(Contract.Result<int>() > 0);
return i * 2;
}
Contract Code Enforcement
Pre-conditioning
Post-conditioning
Static checking
Static Checking
Remedy warning from static checker
Add precondition of i > 0
Checker verifies that i > 0 implies 2i > 0
GetNumber() is now also contracted
public static int GetNumber(int i)
{
Contract.Requires(i > 0);
Contract.Ensures(Contract.Result<int>() > 0);
return i * 2;
}
Contract Code Enforcement
Pre-conditioning
Post-conditioning
Static checking
Runtime checking
Runtime Checking
Run preconditioned Divide() with 0 divisor
Static checker warning shown
Runtime exception thrown if executed
public static int Divide(int dividend, int divisor)
{
Contract.Requires(divisor != 0);
return dividend / divisor;
}
Runtime Checking
Runtime contract checking can be disabled
Prevents slowdown due to verification
Example would throw DivideByZero exception
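A complete program, added here and not taken from the deck, that pulls the four enforcement steps together: the deck's Divide()/GetNumber() pair with their preconditions and postconditions, an object invariant (the Counter class is my addition, as is the ContractFailed handler that reports a violation before unwinding).

```csharp
using System;
using System.Diagnostics.Contracts;

// Hypothetical class added for illustration: an invariant keeps _value non-negative
// and is checked on exit from every public method.
public sealed class Counter
{
    private int _value;

    [ContractInvariantMethod]
    private void ObjectInvariant()
    {
        Contract.Invariant(_value >= 0);
    }

    public int Value { get { return _value; } }

    public void Add(int amount)
    {
        Contract.Requires(amount > 0);                                 // precondition
        Contract.Ensures(Value == Contract.OldValue(Value) + amount);  // postcondition
        _value += amount;
    }
}

public static class Program
{
    public static int Divide(int dividend, int divisor)
    {
        Contract.Requires(divisor > 0);   // rules out divide-by-zero and the MinValue / -1 overflow
        return dividend / divisor;
    }

    public static int GetNumber(int i)
    {
        Contract.Requires(i > 0);
        Contract.Ensures(Contract.Result<int>() > 0);   // checker proves i > 0 implies 2i > 0
        return i * 2;
    }

    public static void Main()
    {
        // Log the failed contract, then unwind so callers never run on a broken state.
        Contract.ContractFailed += (sender, e) =>
        {
            Console.WriteLine("{0} violated: {1}", e.FailureKind, e.Condition);
            e.SetHandled();
            e.SetUnwind();
        };

        Console.WriteLine(Divide(10, GetNumber(1)));   // 10 / 2 = 5, all contracts satisfied

        try { Divide(5, 0); }                          // precondition breach at runtime
        catch (Exception ex) { Console.WriteLine(ex.GetType().Name); }
    }
}
```

The contract calls are conditional on the CONTRACTS_FULL symbol, so this only enforces at runtime when the Code Contracts rewriter is enabled for the build; without it Divide(5, 0) falls through to a plain DivideByZeroException, as the slide above notes.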
Contract Code Enforcement
Pre-conditioning
Post-conditioning
Static checking
Runtime checking
The Future
When will I see Contracts in widespread use?
Languages implement native support
Contract code libraries/extensions popularise
Microsoft releases .NET Framework 4.0
Tools in early stages
Static checker under development for stronger type support
Cleared for Release Candidate status – Feb 2010
Visual Studio 2010 RC – Quarter 1 – 2010
References
Screenshots/Code: internally generated
Questions?
Alexander Karapetian
Fraser Waters
Amélie Windel