Expert to Expert: Contract Oriented Programming and Spec#

Posted By: Charles | May 27th @ 11:27 AM

The Spec# programming system is a new attempt at a more cost effective way to develop and maintain high-quality software.  Spec# is pronounced "Spec sharp" and can be written (and searched for) as the "specsharp" or "Spec# programming system".  The Spec# system consists of:


The Spec# programming language.  Spec# is an extension of the object-oriented language C#.  It extends the type system to include non-null types and checked exceptions.  It provides method contracts in the form of pre- and postconditions as well as object invariants.

The Spec# compiler.  Integrated into the Microsoft Visual Studio development environment for the .NET platform, the compiler statically enforces non-null types, emits run-time checks for method contracts and invariants, and records the contracts as metadata for consumption by downstream tools.

The Spec# static program verifier.  This component (codenamed Boogie) generates logical verification conditions from a Spec# program.  Internally, it uses an automatic theorem prover that analyzes the verification conditions to prove the correctness of the program or find errors in it.

A unique feature of the Spec# programming system is its guarantee of maintaining invariants in object-oriented programs in the presence of callbacks, threads, and inter-object relationships.

The Spec# programming system is being developed as a research project at Microsoft Research in Redmond, primarily by the Programming Languages and Methods group.

Here, Expert to Expert guest expert and programming language guru Erik Meijer chats with MSR researchers and spec# designers Wolfram Schulte,  Rustan Leino and Peter Mueller. We dig into the details of Spec# and contract oriented programming in general. Plenty of code on the screen and lots of deep conversation. Just how we like it for Going Deep and Expert to Expert.

Enjoy!

LOW RES FILE

MP4

ZUNE
Tags: , , , , ,
Rating:
0
0
Views (25,203)
|
Comments (30)
|
|
#May 27th @ 1:09 PM
littleguru
littleguru
AWESOME! Thanks for this video, Charles. I love it already before having watched it *downloading*
#May 27th @ 2:23 PM
Cyonix
Cyonix
very cool, thanks for the video
#May 27th @ 3:04 PM
stevo_
stevo_
That was great, one of the most interesting videos for me in awhile..

I'd love to start working on this, I have some questions, is this based on C# 3.0? or is this an invariation of C# 2.0?

Its fascinating to think that maybe .NET, or I guess maybe even a predecessor to .NET could actually bake this sort of advanced contract into its native language..

Other than that, I'm really interested in seeing how far this can go to being an "alternative" to C# in some scenarios, or perhaps how languages like C# and VB can start to introduce these as core specifications..
#May 27th @ 3:15 PM
Charles
Charles
Glad you're liking this one. I know I really enjoyed the conversation (and learned a lot). It's too early to tell what will become of this type of functionality and how it will map to our general purpose programming languages like C# and VB.NET...

Keep in mind that Spec# is a research implementation and not intended for product-quality uses. The concept of Contract Orientation is alive and well today in langauges like Eiffel (though the implementation is different than Spec#'s...).


Stay tuned...
C
#May 27th @ 3:30 PM
adamjcooper
adamjcooper
This really is exciting stuff (in fact, I created a Channel9 user account just to respond to this video). Charles, I realize this isn't production-ready, but I can't tell you how much I'd like to start using this in my own work now.

I had the same question as stevo_ - What version of C# is this based on? Perhaps someone on the Spec# team can enlighten us on which, if any, newer features of C# are not currently supported in Spec#.

After the steady stream of language and CLR enhancements we've enjoyed--nullable types, generics, and all of the great new enhancements that have come with the dawn of LINQ--this seems like a natural next step. I'm very hopeful Microsoft will bake Design by Contract support into a future version of the CLR.

Here's my vote to see this make it's way into C# 4 and .NET 4.
#May 28th @ 2:08 AM
littleguru
littleguru
Wow this was a load of cool features and questions!

This video made wonder the following: are there tools around that do the stuff that the team does with their checker already on current C# code; or MSIL code? Anybody having come across a tool similar to their checker?
#May 28th @ 5:17 AM
adamjcooper
adamjcooper
Hi littleguru,

There are two Design by Contact frameworks I know of that you can use today in C#. They both enforce checks at runtime, but take very different approaches and will appeal to very different audiences.

Kevin McFarlane has created an easy-to-use API that always enforces checks at runtime via calls to a Check object, such as:

Check.Require(0 < x < 5);

Check.Ensure(result < 3);

Check.Invariant(B.a > 0 and B.b > 0);


Philip Laureano offers a more complicated Design by Contract library as part of a larger library called LinFu. He uses a language-neutral, attributes-based approach for declaring contract checks. The advantage--or disadvantage, depending on your point of view--to Philip's approach is that the library is completely ignorant of the contract checks you assign, which means that when you call your library as normal, none of the checks will be made. In order for the checks to actually be enforced, you must use LinFu to create proxy versions of your classes with all the checks injected into the proxies. I get the impression this DbC approach is best used in conjunction with some sort of Dependency Injection framework, either LinFu's own or something like Spring.NET or Castle Windsor.

If you want a simple and lightweight API that bakes checks into your library so that they are always performed regardless of the caller, Kevin's API is probably your best bet. If you require your checks to be completely separate from your library to the point that they are optional, and if you're already working on an enterprise project using Dependency Injection, take a look at LinFu.DesignByContract2.

Hope that helps,
Adam.
#May 28th @ 5:21 AM
umer_a
umer_a

Intersting Stuff. The media length looked too much but it was a short discussion at the end with many things left unaddressed.

Handling Overloaded Function

For overloaded function(s), there must be a single case specification, or each function must be addressed seperately.

Moreover, Unlike Java, C# allows funtion overloading based upon return types, which When called in code, tend to confuse reader/compiler.


For example,to multiply 2 integers, a class can include following overloaded functions:

..
int mult(int, int);  // call if result is less than max (int), return int
long mult(int, int);  // call if  max (int) <=result<=max (long), return long
float mult(int, int);  // call if  max (long) <=result<=max (float), return float
double mult(int, int);  // call if  max (long) <=result<=max (double), return double
...


Compiler Intelligence conflicting software design principles

This is a Programmer responsibility and Compiler responsibility case, that is, what a programmer need to specify and what a compiler must assume.

This C/C++ code is self explanatory without any documentation/comments

...
unsigned x=[some expresion];
..
if (x) 
...
...


The C/C++ compilers are intelligent enough to assume that condition will execute if x is a positive integer, and Java/ C# compilers require an explicit condition for that adding burden to programmer.


A fun case

As discussedm, Spec is applied on C code to catch/handle every possible case. Learning the languaage, this is the first piece of code developers eneter:

#include <stdio.h>

int main()
{
 printf("xyz"); //xyz can be any string
 return 0;
}


Going deep in the language, at a stage programmer discover that printf() in fact returns a value, which is usually a positive integer but in the most rare case, it can be negative indicating an exception. Applying spec on rare cases like this, perhaps once in a lifetime sort of case...