Code Contracts
Dmytro Mindra, R&D Tech Lead, Lohika Labs
Fifth meeting of the Microsoft .Net User Group Odessa, 2011
© Drake Emko & Jen Brodzik, 2001
Design by Contract
Bertrand Meyer, author of Design by Contract (DbC)
Published 11 books, including "Object-Oriented Software Construction" (first edition 1988, second edition 1997)
Terms
Client: must pay the fee (obligation) and is entitled to get the product (benefit).
Supplier: must provide a certain product (obligation) and is entitled to expect that the client has paid its fee (benefit).
Contract: both parties must satisfy certain obligations, such as laws and regulations, that apply to all contracts.
Contract
A contract is a precise and verifiable interface specification for a software component, which extends the ordinary definition of an abstract data type with preconditions, postconditions and invariants. [8]
Contract
Preconditions [9]: in computer programming, a precondition is a condition or predicate that must always be true just prior to the execution of some section of code, or before an operation in a formal specification.
Postconditions [10]: a postcondition is a condition or predicate that must always be true just after the execution of some section of code, or after an operation in a formal specification.
Invariants [11]: in computer science, a predicate is called an invariant of a sequence of operations provided that, if the predicate is true before starting the sequence, it is true at the end of the sequence.
Contract verification
Precondition fails: error in the client (caller) code.
Postcondition or invariant fails: error in the supplier (callee) code.
Other approaches
IF-THEN-THROW:
    if (condition1) throw new Exception1();
    if (condition2) throw new Exception2();
Debug.Assert
Drawbacks:
  no inheritance (the checks are not inherited by overriding methods or interface implementations);
  inconvenient postconditions (every return path has to repeat the check).
Converting legacy contracts
Converting if-throw: keep the existing checks and mark where they end with Contract.EndContractBlock(), so the tools treat them as preconditions.
    void MyMethod(Foo foo)
    {
        if (foo == null) throw new ArgumentNullException(...);
        Contract.EndContractBlock();
        ... normal method code ...
    }
Spec#
    class Example {
        int x;
        void Inc(int y)
            ensures old(x) < x;
        {
            x += y;
        }
    }
Note: as written, the postcondition only holds when y > 0; a verifier would need a precondition on y to prove it.
New generation
Spec#: source code rewrite; C# only (a superset of C# 2.0).
Code Contracts: IL rewrite; works with any .NET language, from VB to C#; faster.
Code ContractsHow to start using Code Contracts ?
Visual Studio 2010
Declarative contracts are included in .NET 4.0 (System.Diagnostics.Contracts).
Tools are needed to:
  generate runtime checking from the contracts (ccrewrite);
  do a static check that verifies contracts at compile time (cccheck);
  add contracts to the XML documentation files (ccdoc).
LOCATION: [Program Files]\Microsoft\Contracts\Bin\
System.Diagnostics.Contracts
Contract
Attributes: ContractClassAttribute, ContractClassForAttribute, ContractInvariantMethodAttribute, ContractPublicPropertyNameAttribute, ContractReferenceAssemblyAttribute, ContractRuntimeIgnoredAttribute, ContractVerificationAttribute, PureAttribute (purity is not enforced by the analysis tools)
ContractFailedEventArgs
ContractFailureKind (enum)
Contract methods
Preconditions: Requires
Postconditions: Ensures
Invariants: Invariant
See also: EnsuresOnThrow<TException>, Requires<TException>
Preconditions in action
Before (if-throw):
    public class Customer
    {
        private int _ID;
        public int ID
        {
            get { return _ID; }
            set
            {
                if (value <= 0) throw new ArgumentException();
                _ID = value;
            }
        }
    }
After (Code Contracts):
    public class Customer
    {
        private int _ID;
        public int ID
        {
            get { return _ID; }
            set
            {
                Contract.Requires(value > 0);
                _ID = value;
            }
        }
    }
Note: Contract.Requires is conditional on the CONTRACTS_FULL symbol, which the Code Contracts project settings define when runtime checking is enabled. Without the rewriter the call is compiled out and the setter silently accepts any value, unlike the if-throw version.
Demo: Basic + IL Spy
Processing collections
Integer range (fromInclusive, toExclusive, predicate):
    ForAll(Int32, Int32, Predicate<Int32>)
    Exists(Int32, Int32, Predicate<Int32>)
Collection:
    ForAll<T>(IEnumerable<T>, Predicate<T>)
    Exists<T>(IEnumerable<T>, Predicate<T>)
Demo: Collections
Result processing
OldValue<T>: the value of an expression at method entry, usable in Ensures.
Result<T>: the method's return value, usable in Ensures.
ValueAtReturn<T>: the value of an out parameter at return, usable in Ensures.
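The following is an added example, not code from the slides, that puts the collection quantifiers and the result helpers together on one class: a ForAll precondition over both an integer range and a collection, an invariant over a collection, and postconditions written with OldValue, Result and ValueAtReturn. The Ledger class and its methods are invented for illustration; it assumes a project with runtime contract checking enabled (ccrewrite), since otherwise the Contract.* calls are compiled out.

```csharp
// Added example (not from the original slides). Assumes ccrewrite with
// runtime checking enabled; the Ledger type is made up for illustration.
using System;
using System.Collections.Generic;
using System.Diagnostics.Contracts;
using System.Linq;

public class Ledger
{
    private readonly List<decimal> _entries = new List<decimal>();

    // Object invariant: the ledger never holds a negative entry.
    // Checked after every public method and constructor when runtime checking is on.
    [ContractInvariantMethod]
    private void ObjectInvariant()
    {
        Contract.Invariant(Contract.ForAll(_entries, e => e >= 0));
    }

    public int Count
    {
        get
        {
            Contract.Ensures(Contract.Result<int>() >= 0);
            return _entries.Count;
        }
    }

    // Preconditions over an integer range: every amount in the batch must be
    // non-negative, and the batch must not be empty.
    public void AddAll(IList<decimal> amounts)
    {
        Contract.Requires(amounts != null);
        Contract.Requires(amounts.Count > 0);
        Contract.Requires(Contract.ForAll(0, amounts.Count, i => amounts[i] >= 0));
        // Postcondition relating the state at return to the state at entry.
        Contract.Ensures(Count == Contract.OldValue(Count) + amounts.Count);

        _entries.AddRange(amounts);
    }

    // Postcondition on an out parameter via ValueAtReturn, combined with Result.
    public bool TryGetTotal(out decimal total)
    {
        Contract.Ensures(Contract.ValueAtReturn(out total) >= 0);
        Contract.Ensures(!Contract.Result<bool>() || Contract.ValueAtReturn(out total) > 0);

        total = _entries.Sum();
        return total > 0;
    }

    public static void Main()
    {
        var ledger = new Ledger();
        ledger.AddAll(new[] { 10m, 20m, 30m });

        decimal total;
        bool ok = ledger.TryGetTotal(out total);
        Console.WriteLine("{0} {1}", ok, total); // True 60

        try
        {
            // Violates the ForAll precondition: the caller, not Ledger, is at fault.
            ledger.AddAll(new[] { 5m, -1m });
        }
        catch (Exception ex)
        {
            // The exception type the rewriter injects is not public, so it is
            // caught as Exception here (default failure behaviour, assert-on-failure off).
            Console.WriteLine("Contract failure: " + ex.Message);
        }
    }
}
```

Note that the second AddAll call is rejected before any entry is added, so the invariant never sees the negative value; if the precondition were dropped, the invariant check at method exit would fail instead, and that failure would be reported as the supplier's error rather than the client's.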
Demo: Results
Other
Assert: checks for a condition.
Assume: instructs code analysis tools to assume that the specified condition is true, even if it cannot be statically proven to always be true. Only for static checks; at runtime it is treated like Assert. [3]
EndContractBlock: for legacy contracts.
Assert & Assume
    public void Invoke()
    {
        int x = CalculateSomeValues();
        // Tell the checker to verify whether x > 0.
        // (The checker might be unable to do it.)
        Contract.Assert(x > 0);
        // Rest of the code
    }

    public void Invoke()
    {
        int x = CalculateSomeValues();
        // Explicitly tell the checker that x > 0.
        Contract.Assume(x > 0);
        // Rest of the code
    }
Inheritance
Two rules [7]:
1. When you override a method (or implement an interface method) you inherit its contracts.
2. You can't add extra preconditions to inherited ones, but you can make invariants and postconditions stronger.
Why: if the base method required x > 10 and an override added a requirement of x > 100, callers written against the base contract would break, e.g. x = 20 fulfills the first requirement but violates the second.
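An added example, not from the slides, of rule 1 applied to an interface: the contracts live in an abstract contract class bound to the interface with ContractClass/ContractClassFor, and every implementation inherits them without repeating them. IAccount, AccountContracts and CheckingAccount are invented for illustration; runtime checking via ccrewrite is assumed.

```csharp
// Added example (not from the original slides). IAccount, AccountContracts
// and CheckingAccount are hypothetical; assumes ccrewrite runtime checking.
using System;
using System.Diagnostics.Contracts;

[ContractClass(typeof(AccountContracts))]
public interface IAccount
{
    decimal Balance { get; }
    void Withdraw(decimal amount);
}

// Holds the contracts for IAccount. Bodies contain only contracts; non-void
// members return default(T) so the class compiles.
[ContractClassFor(typeof(IAccount))]
internal abstract class AccountContracts : IAccount
{
    public decimal Balance
    {
        get
        {
            Contract.Ensures(Contract.Result<decimal>() >= 0);
            return default(decimal);
        }
    }

    public void Withdraw(decimal amount)
    {
        // Inherited by every IAccount implementation (rule 1).
        Contract.Requires(amount > 0);
        Contract.Requires(amount <= Balance);
        Contract.Ensures(Balance == Contract.OldValue(Balance) - amount);
    }
}

public class CheckingAccount : IAccount
{
    private decimal _balance;

    public CheckingAccount(decimal opening)
    {
        // Constructors do not override anything, so this precondition is allowed.
        Contract.Requires(opening >= 0);
        _balance = opening;
    }

    public decimal Balance { get { return _balance; } }

    public void Withdraw(decimal amount)
    {
        // No Contract.Requires here: adding one (e.g. amount >= 10) would
        // strengthen the inherited precondition, which the tools reject (rule 2).
        // Strengthening the postcondition is allowed.
        Contract.Ensures(Balance >= 0);
        _balance -= amount;
    }
}

public static class Program
{
    public static void Main()
    {
        IAccount account = new CheckingAccount(100m);
        account.Withdraw(40m);
        Console.WriteLine(account.Balance); // 60

        try
        {
            // Violates amount <= Balance, a precondition CheckingAccount never
            // wrote itself but inherited from the interface contract.
            account.Withdraw(500m);
        }
        catch (Exception ex)
        {
            Console.WriteLine("Contract failure: " + ex.Message);
        }
    }
}
```

The practical consequence for a code reviewer: the authorization-style check (amount <= Balance) is stated once, on the interface, and cannot be forgotten or weakened by a new implementation, which is exactly the guarantee an if-throw in each class cannot give.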
Demo: Inheritance & Pitfalls
ContractFailed handling
    Contract.ContractFailed += ContractContractFailed;

    static void ContractContractFailed(object sender, ContractFailedEventArgs e)
    {
        e.SetHandled(); // exception handled: execution continues past the failed check
        Console.WriteLine(e.Message);
    }
Caveat: once SetHandled() is called no exception is thrown, and the method keeps running with a violated contract. Log from the handler, but only mark the failure as handled if that is really what you want.
Demo: ContractFailed handling
Custom contracts & custom rewriter methods
    public static class RuntimeFailureMethods
    {
        public static void Requires(bool cond, string userMsg, string condText) { }
        public static void Ensures(bool cond, string userMsg, string condText) { }
        …
    }
See user manual section 7.7 (page 34) [12].
Code snippets
cr   Contract.Requires(...);
ce   Contract.Ensures(...);
ci   Contract.Invariant(...);
More in user manual section 6.3 (page 26) [12].
Why not validate everything?Performance!
Summary and prospects
Code Contracts are evolving.
The BCL is driven by Code Contracts.
Static checking.
Code Contracts may lead to better design.
Auto-generated documentation.
Another tool in your toolbelt.
Pex
Path-based program exploration
Pex Demo
Additional reading
References
[1] Bill Venners, Design by Contract: A Conversation with Bertrand Meyer, Part II. http://www.artima.com/intv/contracts.html
[2] Defensive programming. http://en.wikipedia.org/wiki/Defensive_programming
[3] Dino Esposito, Code Contracts Preview: Preconditions. http://dotnetslackers.com/articles/net/Code-Contracts-Preview-Preconditions.aspx
[4] Dino Esposito, Code Contracts Preview: PostConditions. http://dotnetslackers.com/articles/net/Code-Contracts-Preview-PostConditions.aspx
[5] Dino Esposito, Code Contracts Preview: Invariants. http://dotnetslackers.com/articles/net/Code-Contracts-Preview-Invariants.aspx
[6] Dino Esposito, Code Contracts Preview: Assert & Assume. http://dotnetslackers.com/articles/net/Code-Contracts-Preview-Assert-Assume.aspx
[7] Jon Skeet, Code Contracts in C#. http://www.infoq.com/articles/code-contracts-csharp
[8] Design by Contract, Wikipedia. http://en.wikipedia.org/wiki/Design_by_contract
[9] Precondition, Wikipedia. http://en.wikipedia.org/wiki/Precondition
[10] Postcondition, Wikipedia. http://en.wikipedia.org/wiki/Postcondition
[11] Invariant, Wikipedia. http://en.wikipedia.org/wiki/Invariant_(computer_science)
[12] Code Contracts User Manual. http://research.microsoft.com/en-us/projects/contracts/userdoc.pdf
[13] Code contracts and inheritance. http://stefanoricciardi.com/2009/07/17/code-contracts-and-inheritance/
[14] Assertions in Managed Code. http://msdn.microsoft.com/en-us/library/ttcc4x86.aspx
C# 4.0 in a Nutshell, page 508
Object-Oriented Software Construction, Bertrand Meyer, 1988 / 1997
Questions ?
Thank YOU !
