chickadee » simple-contracts

Design by contract for procedures

This is my third attempt to implement Bertrand Meyer's Design by contract in Chicken. The other two, contracts and dbc are now considered obsolete.

We enhance arguments and return values of lambda-expressions by pre- and postconditions respectively, thus marking a clear distinction between the duties of suppliers and clients. If the arguments of a procedure call pass the preconditions and a result-exception is raised, then the supplier is to blame. On the other hand, if a argument-exception is raised when a procedure-call is issued, then the client has violenced its duties and the supplier is not even forced to do anything at all. In other words, the supplier can safely assume a procedure is called with correct arguments, he or she need not and should not check tehem again.

Off course, pre- and postconditions must be stored in the procedure itself and a representation of them must be exportable, so that both parties of the contract know their duties.

Here is the syntax of xdefine, a macro to implement queries, i.e. routines without state changes. Two of the four versions are shown below, the first with exported documentation and fixed argument list, the second without documentation and variable argument list. Note that the documentations, post and pre, are placed next to their corresponding checks.

(xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... ) xpr ....)
(xdefine ((r r? ...) .. name (a a? ...) ... as as? ...) xpr ....)

Here name is the name of the procedure, post and pre the documentation of post- and preconditions, r ... are return values with corresponding postconditions r? ..., a ... are argument variables with preconditions a? ... , as is the variable collecting rest arguments with preconditions as? ... for each such argument and xpr starts the body.

For state-changing routines, so called commands, mostly defined on top of a let, xlambda must be used. The syntax for a fixed resp. variable argument list is

(xlambda ((r r? ...) .. <- (a a? ...) ...) xpr ....)
(xlambda ((r r? ...) .. <- (a a? ...) ... as as? ...) xpr ....)

where <- separates the return values from the arguments. The other symbols have the same meaning as in xdefine above.

xlambda expressions return three values, the procedure itself, contract checked or not, depending on the value of the contract-check-level parameter, the precondition- and the postcondition-documentation in this order.

In previous versions of the library, instead of <-, you had to supply the number of return values, either explicitly or implicitly, meaning one. This is still working but deprecated and will propably be removed in future versions.

Note, that even state changing routines must return values, at best the values of state variables after and before a state change has taken place. This makes postcondition checks and command chaining easy.

Documentation

simple-contracts

simple-contracts sym ..procedure

documentation procedure. Shows the exported symbols and the syntax of such an exported symbol, respectively.

contract-check-level

contract-check-level n ..parameter

no contract checks if n is -1 only precondition checks if n is 0, the default pre- and postcondition checks if n is +1

xdefine

(xdefine ((r r? ...) .. name (a a? ...) ... ) xpr ....)syntax
(xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... ) xpr ....)syntax
(xdefine ((r r? ...) .. name (a a? ...) ... as as? ...) xpr ....)syntax
(xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... as as? ...) xpr ....)syntax

Contract guarded version of define for procedures, where name is the name of the procedure, post and pre document post- and preconditions r ... are return values with corresponding postconditions r? ... a ... are arguments with preconditions a? ... as is a variable collecting rest-parameters with preconditions as? for each such argument, and xpr starts the body..

xlambda

(xlambda ((r r? ...) .. <- (a a? ...) ...) xpr ....)syntax
(xlambda ((r r? ...) .. <- (a a? ...) ... as as? ...) xpr ....)syntax

where <- separates the results r with postconditions r? ... from the arguments a with preconditions a? ... a rest-parameter as with preconditions as? for each such argument and the body xpr .....

Each xlambda call returns three values, the procedure proper, contract-checked or not, depending on the value of contract-check-level, and documentation of pre- and postconditions in this order.

Deprecated versions of xlambda exist as well. Here k is the number of returned values, if provided, one otherwise.

(xlambda k ((r r? ...) ... (a a? ...) ... ) xpr ....)syntax
(xlambda k ((r r? ...) ... (a a? ...) ... as as? ...) xpr ....)syntax
(xlambda ((r r? ...) (a a? ...) ... ) xpr ....)syntax
(xlambda ((r r? ...) (a a? ...) ... as as? ...) xpr ....)syntax

procedures with state change should return the values of state variables after and before the state change.

Requirements

checks

Examples

(import simple-contracts checks)

(define-values (counter! counter)
  (let ((state 0))
    (values
      (xlambda ((new (cut = <> (add1 old)))
                ;integer? (lambda (x) (= x (add1 old))))
                (old integer?)
                <-)
        (let ((old state))
          (set! state (add1 state))
          (values state old)))
      (xlambda ((result (cut = <> state))
                <-)
        state))))

(counter) ; -> 0
(counter!)
(counter)  ; -> 1
(counter!)
(counter)  ; -> 2

(define-values (push pop top)
  (let ((stk '()))
    (let (
          (push
            (xlambda ((new list? (cut equal? <> (cons arg old))) 
                      (old list?)
                      <-
                      (arg))
              (let ((old stk))
                (set! stk (cons arg stk))
                (values stk old))))
          (pop
            (xlambda ((new list? (cut equal? <> (cdr old)))
                      (old list?)
                      <-)
              (let ((old (<<< 'pop stk (o not null?))))
                (set! stk (cdr stk))
                (values stk old))))
          (top
            (xlambda ((result) <-)
              (car (<<< 'top stk (o not null?)))))
          )
      (values push pop top)
      )))

;(top) ; precondition violated
;(pop) ; precondition violated
(push 0)
(push 1)
(top) ; -> 1
(call-with-values (lambda () (push 2)) list) ; -> '((2 1 0) (1 0))
(top) ; -> 2
(call-with-values (lambda () (pop)) list) ; -> '((1 0) (2 1 0))

(define-values (add add-pre add-post)
  (xlambda ((result integer? odd? (cut = <> (apply + x y ys)))
            <-
            (x integer? odd?) (y integer? even?) ys integer? even?)
    (apply + x y ys)))

(define-values (divide divide-pre divide-post)
  (xlambda ((q integer?)
            (r (lambda (x) (= (+ x (* n q)) m)))
            <-
            (m integer? (cut >= <> 0))
            (n integer? positive?))
    (let loop ((q 0) (r m))
      (if (< r n)
        (values q r)
        (loop (+ q 1) (- r n))))))

(xdefine ((result integer?)
          #(sum-post sum sum-pre)
          (a integer?) as integer?)
  (apply + a as))

Last update

Mar 27, 2019

Author

Juergen Lorenz

Repository

This egg is hosted on the CHICKEN Subversion repository:

https://anonymous@code.call-cc.org/svn/chicken-eggs/release/5/simple-contracts

If you want to check out the source code repository of this egg and you are not familiar with Subversion, see this page.

License

Copyright (c) 2011-2019, Juergen Lorenz
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
Neither the name of the author nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission. 
  
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Version History

1.0
port from chicken-4

Contents »