Outdated egg!
This is an egg for CHICKEN 4, the unsupported old release. You're almost certainly looking for the CHICKEN 5 version of this egg, if it exists.
If it does not exist, there may be equivalent functionality provided by another egg; have a look at the egg index. Otherwise, please consider porting this egg to the current version of CHICKEN.
TOC »
Design by contract for procedures
This is my third attempt to implement Bertrand Meyer's Design by contract in Chicken. The other two, contracts and dbc are now considered obsolete.
We enhance arguments and return values of lambda-expressions by pre- and postconditions respectively, thus marking a clear distinction between the duties of suppliers and clients. If the arguments of a procedure call pass the preconditions and a post-exception is raised, then the supplier is to blame. On the other hand, if a pre-exception is raised when a procedure-call is issued, then the client has violenced its duties and the supplier is not even forced to do anything at all. In other words, the supplier can safely assume a procedure is called with correct arguments, he or she need not and should not check them again.
Off course, pre- and postconditions must be stored in the procedure itself and a representation of them must be exportable, so that both parties of the contract know their duties.
Here is the syntax of xdefine, a macro to implement queries, i.e. routines without state changes. Two of the four versions are shown below, the first with exported documentation and fixed argument list, the second without documentation and variable argument list. Note that the documentations, post and pre, are placed next to their corresponding checks.
(xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... ) xpr ....) (xdefine ((r r? ...) .. name (a a? ...) ... as as? ...) xpr ....)
Here name is the name of the procedure, post and pre the documentation of post- and preconditions, r ... are return values with corresponding postconditions r? ..., a ... are argument variables with preconditions a? ... , as is the variable collecting rest arguments with preconditions as? ... for each such argument and xpr starts the body.
For state-changing routines, so called commands, mostly defined on top of a let, xlambda must be used. The syntax for a fixed resp. variable argument list is
(xlambda ((r r? ...) .. <- (a a? ...) ...) xpr ....) (xlambda ((r r? ...) .. <- (a a? ...) ... as as? ...) xpr ....)
where <- separates the return values from the arguments. The other symbols have the same meaning as in xdefine above.
xlambda expressions return three values, the procedure itself, contract checked or not, depending on the value of the contract-check-level parameter, the precondition- and the postcondition-documentation in this order.
In previous versions of the library, instead of <-, you had to supply the number of return values, either explicitly or implicitly, meaning one. This is still working but deprecated and will propably be removed in future versions.
Note, that even state changing routines must return values, at best the values of state variables after and before a state change has taken place. This makes postcondition checks and command chaining easy.
Documentation
simple-contracts
- simple-contracts sym ..procedure
documentation procedure. Shows the exported symbols and the syntax of such an exported symbol, respectively.
contract-check-level
- contract-check-level n ..parameter
no contract checks if n is -1 only precondition checks if n is 0, the default pre- and postcondition checks if n is +1
xdefine
- (xdefine ((r r? ...) .. name (a a? ...) ... ) xpr ....)syntax
- (xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... ) xpr ....)syntax
- (xdefine ((r r? ...) .. name (a a? ...) ... as as? ...) xpr ....)syntax
- (xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... as as? ...) xpr ....)syntax
Contract guarded version of define for procedures, where name is the name of the procedure, post and pre document post- and preconditions r ... are return values with corresponding postconditions r? ... a ... are arguments with preconditions a? ... as is a variable collecting rest-parameters with preconditions as? for each such argument, and xpr starts the body..
xlambda
- (xlambda ((r r? ...) .. <- (a a? ...) ...) xpr ....)syntax
- (xlambda ((r r? ...) .. <- (a a? ...) ... as as? ...) xpr ....)syntax
where <- separates the results r with postconditions r? ... from the arguments a with preconditions a? ... a rest-parameter as with preconditions as? for each such argument and the body xpr .....
Each xlambda call returns three values, the procedure proper, contract-checked or not, depending on the value of contract-check-level, and documentation of pre- and postconditions in this order.
Deprecated versions of xlambda exist as well. Here k is the number of returned values, if provided, one otherwise.
- (xlambda k ((r r? ...) ... (a a? ...) ... ) xpr ....)syntax
- (xlambda k ((r r? ...) ... (a a? ...) ... as as? ...) xpr ....)syntax
- (xlambda ((r r? ...) (a a? ...) ... ) xpr ....)syntax
- (xlambda ((r r? ...) (a a? ...) ... as as? ...) xpr ....)syntax
procedures with state change should return the values of state variables after and before the state change.
%%
- %% procprocedure
multi argument version of flip, which can be used in pipe
pipe
- (pipe combination ...)syntax
sequencing curried combinations from left to right
Requirements
simple-exceptions 0.5
Usage
(use simple-contracts)
Examples
(use simple-contracts simple-exceptions) ((%% list)) ; -> '() ((%% list) 1) ; -> '(1) ((%% list) 1 2) ; -> '(2 1) ((%% list) 1 2 3 4) ; -> '(2 3 4 1) ((%% map) '(0 1 2) add1) ; -> '(1 2 3) ((pipe) 5) ; -> 5 ((pipe (+ 1)) 5) ; -> 6 ((pipe (- 10) (positive?)) 5) ; -> #f ((pipe (- 10) (negative?)) 5) ; -> #t ((pipe ((%% list) 1 2 3 4)) 10) ; -> '(1 2 3 4 10) ((pipe (list 1 2 3 4)) 10) ; -> '(10 1 2 3 4)) ((pipe ((%% map) add1)) '(0 1 2)) ; -> '(1 2 3)) ((pipe (list 1 2 3)) 0) ; - > '(0 1 2 3)) ((pipe ((%% list) 1 2 3)) 0) ; - > '(1 2 3 0)) (define-values (counter! counter) (let ((state 0)) (values (xlambda ((new (pipe (= (add1 old)))) ;integer? (pipe (= (add1 old)))) ;integer? (lambda (x) (= x (add1 old)))) (old integer?) <-) ; no arguments (let ((old state)) (set! state (add1 state)) (values state old))) (xlambda ((result (pipe (= state))) <-) ; no arguments state)))) (counter) ; -> 0 (counter!) (counter) ; -> 1 (counter!) (counter) ; -> 2 (define-values (push pop top) (let ((stk '())) (let ( (push (xlambda ((new list? (pipe (equal? (cons arg old)))) (old list?) <- (arg)) (let ((old stk)) (set! stk (cons arg stk)) (values stk old)))) (pop (xlambda ((new list? (pipe (equal? (cdr old)))) (old list?) <-) (let ((old (<< stk 'pop (pipe (null?) (not))))) (set! stk (cdr stk)) (values stk old)))) (top (xlambda ((result) <-) (car (<< stk 'top (pipe (null?) (not)))))) ) (values push pop top) ))) ;(top) ; precondition violated ;(pop) ; precondition violated (push 0) (push 1) (top) ; -> 1 (call-with-values (lambda () (push 2)) list) ; -> '((2 1 0) (1 0)) (top) ; -> 2 (call-with-values (lambda () (pop)) list) ; -> '((1 0) (2 1 0)) (define-values (add add-pre add-post) (xlambda ((result integer? odd? (pipe (= (apply + x y ys)))) <- (x integer? odd?) (y integer? even?) ys integer? even?) (apply + x y ys))) (add 1 2 4 6) ; -> 13 (condition-case (add 1 2 3) ((exn arguments) #f)) ; -> #f add-pre ; -> '((x (conjoin integer? odd?)) (y (conjoin integer? even?)) ys (conjoin integer? even?)) add-post ; -> '(result (conjoin integer? odd? (pipe (= (apply + x y ys))))) (define wrong-add (xlambda ((result integer? even?) <- (x integer? odd?) xs integer? even?) (apply + x xs))) (condition-case (wrong-add 1 2 4) ((exn results) #f)) ; -> #f (define-values (divide divide-pre divide-post) (xlambda ((q integer?) (r (pipe (+ (* n q)) (= m))) <- (m integer? (pipe (>= 0))) (n integer? positive?)) (let loop ((q 0) (r m)) (if (< r n) (values q r) (loop (+ q 1) (- r n)))))) (call-with-values (lambda () (divide 385 25)) list) ;-> '(15 10) divide-pre ; -> '((m (conjoin integer? (pipe (>= 0)))) (n (conjoin integer? positive?))) divide-post ; -> '((q integer?) (r (pipe (+ (* n q)) (= m)))) (xdefine ((result integer?) #(sum-post sum sum-pre) (a integer?) as integer?) (apply + a as)) (sum 1 2 3) ; -> 6 (condition-case (sum 1 2 #f) ((exn arguments) #f)) ; -> #f (xdefine ((result list?) wrong-sum (a integer?) as integer?) (apply + a as)) (condition-case (wrong-sum 1 2 3) ((exn results) #f)) ; -> #f
Last update
Sep 22, 2017
Author
License
Copyright (c) 2011-2017, Juergen Lorenz All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the author nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Version History
- 1.4
- syntax changes for xlambda and xdefine
- 1.3.1
- dependency on simple-exceptions updated
- 1.3
- error-messages improved
- 1.2
- <<, >>, pre- and post-exception outsourced to simple-exceptions
- 1.1
- number of return values in xlambda is only needed if not 1
- 1.0
- initial import