Spec# Writing and checking contracts in a .NET language K. Rustan M. Leino Microsoft Research, Redmond, WA, USA with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte ¨ .NET Technologies 2004 Plzeň, Czech Republic 1 June 2004

Interoperable pronunciation x := E current a == b x = E ; this “equals” “gets”, “receives” “self” ;

Software engineering problem Building and maintaining large systems that are correct

Approach Specifications record design decisions bridge intent and code Tools amplify human effort manage details find inconsistencies ensure quality

Design decisions – examples and trends int x; assert(x < a.Length); finite-state protocols SpecStrings Pre- and postconditions, and object invariants Acquire() Release() Acquire() Release() int strlen(pre notnull char * str);   Contracts void Copy(int[] a, int start, int count) requires start+count <= a.Length;  

Contracts today StringBuilder.Append Method (Char[], Int32, Int32) Appends the string representation of a specified subarray of Unicode characters to the end of this instance. public StringBuilder Append(char[] value, int startIndex, int charCount); Parameters value A character array. startIndex The starting position in value. charCount The number of characters append. Return Value A reference to this instance after the append operation has occurred. Exceptions Exception Type Condition ArgumentNullException value is a null reference, and startIndex and charCount are not zero. ArgumentOutOfRangeException charCount is less than zero. -or- startIndex is less than zero. startIndex + charCount is less than the length of value.

Spec# contracts Precondition Callers are expected to establish precondition before invoking method Implementations can assume precondition holds on entry public StringBuilder Append( char[] value, int startIndex, int charCount); requires value != null || (charCount == 0 && startIndex == 0); requires 0 <= charCount && 0 <= startIndex; requires startIndex + charCount <= value.Length; ensures result == this; Postcondition Implementations are expected to establish postcondition on exit Callers can assume postcondition upon return from method invocation

Spec# programming system Run-time exceptions Compile-time error messages Spec# compiler Boogie Code + contracts in Spec#

Boogie demo

Spec# is C# extended with: Non-null types Preconditions Postconditions Object invariants Checked exceptions ...

Spec#: Non-null types T x; The value of x is null or a reference to an object whose type is a subtype of T. T! y; The value of y is a reference to an object whose type is a subtype of T, not null.

Non-null instance fields class C : B { T! x; public C(T! y) : base() { this.x = y; } public overrides int M() { return x.f; } Is this code type safe? No! The base constructor can invoke the virtual method M and C.M would then find x to be null.

Non-null instance fields class C : B { T! x; public C(T! y) : x = y, base() { } public overrides int M() { return x.f; } Need to allow x to be assigned before base constructor is called.

Spec#: Parameter validation public virtual StringBuilder Append(char[] value, int startIndex, int charCount) Parameters … startIndex The starting position in value. Exceptions ; requires 0 <= startIndex otherwise ArgumentException; requires 0 <= startIndex; Exception Type Condition ArgumentException startIndex is less than zero. -or- …

Simplifying today's code public virtual int BinarySearch(int index, int count, object val, IComparer comparer) { if (index < 0 || count < 0) { throw new ArgumentOutOfRangeException( (index < 0 ? ”index” : ”count”), Environment.GetResourceString( ”ArgumentOutOfRange_NeedNonNegNum”)); } ... } requires 0 <= index && 0 <= count otherwise ArgumentOutOfRangeException; new old But what about these parameters? supported but discouraged

Uses of exceptions What do exceptions signal? Domain failures Range failures Admissible failures Detected program errors What to do with exceptions? caller handles never handled or caught by backstop (ArgumentException, …) (EndOfFileException, …) (IndexOutOfBoundsException, …, OutOfMemoryException, …) checked exceptions unchecked exceptions

Spec#: Taming exceptions Introduce checked exceptions An exception is checked if it implements interface ICheckedException Throwable Exception Java Spec# ICheckedException RuntimeException CheckedException Error Checked exceptions Unchecked exceptions

Spec#: Taming exceptions Methods must declare which checked exceptions they may throw Soundness of throw statement int MyMethod() throws MyException ensures state==Closed; int MyMethod() throws MyException; Exception x = new MyCheckedException(); throw x; If static type of x is not an ICheckedException, then check: !( x is ICheckedException ) at run time.

Spec#: Object invariants class C { int x, y; invariant x < y; Object invariant always holds, except possibly when the object is exposed Joint work also with Peter Müller (ETH Zurich) and David Naumann (Stevens Institute of Technology)

Spec#: Object invariants class C { int x, y; invariant x < y; public void M(T! o) { … expose (this) { this.x = this.y; o.P(); this.y++; } … } The object invariant may be temporarily violated here The object invariant is checked to hold here Joint work also with Peter Müller (ETH Zurich) and David Naumann (Stevens Institute of Technology)

Spec#: Object invariants class C { int x, y; invariant x < y; public void M(T! o) { … expose (this) { this.x = this.y; o.P(); this.y++; } … } The exposed/unexposed state of the object is recorded, so as to detect possible bad re-entrancy Joint work also with Peter Müller (ETH Zurich) and David Naumann (Stevens Institute of Technology)

Third-party tools, and debug vs. retail builds All Spec# contracts can have custom attributes int BinarySearch(int[]! a, int lo, int hi) requires 0 <= lo && lo <= hi && hi <= a.Length; [MyToolIgnore] [Conditional(“DEBUG”)] requires IsSorted(a); { ... }

Compilation Spec#: void M(int x, out int y) requires 0 <= x; ensures 0 <= y; { ... } Contracts are compiled into metadata and specially tagged code “MSIL”: [Contract(“requires 0 <= x; ensures 0 <= y;”)] void M(int x, out int y) { if (!(0 <= x)) { throw new RequiresException(); } ... if (!(0 <= y)) { throw new EnsuresException(); } }

weakest-precondition generator Boogie: Under the hood MSIL Boogie translator inference engine BoogiePL weakest-precondition generator verification condition theorem prover error messages

Summary Evolution Spec# adds contracts to C# Compiler inserts dynamic checks to enforce contracts Boogie enforces contracts statically Evolution C# managed code  Spec# non-null types, parameter validation  Boogie verification

new! http://research.microsoft.com/~leino