1. Design by contract for procedures
    1. Documentation
      1. simple-contracts
      2. contract-check-level
      3. xdefine
      4. xlambda
      5. %%
      6. pipe
    2. Requirements
    3. Usage
    4. Examples
  2. Last update
  3. Author
  4. License
  5. Version History

Design by contract for procedures

This is my third attempt to implement Bertrand Meyer's Design by contract in Chicken. The other two, contracts and dbc are now considered obsolete.

We enhance arguments and return values of lambda-expressions by pre- and postconditions respectively, thus marking a clear distinction between the duties of suppliers and clients. If the arguments of a procedure call pass the preconditions and a post-exception is raised, then the supplier is to blame. On the other hand, if a pre-exception is raised when a procedure-call is issued, then the client has violenced its duties and the supplier is not even forced to do anything at all. In other words, the supplier can safely assume a procedure is called with correct arguments, he or she need not and should not check tehem again.

Off course, pre- and postconditions must be stored in the procedure itself and a representation of them must be exportable, so that both parties of the contract know their duties.

Here is the syntax of xdefine, a macro to implement queries, i.e. routines without state changes. Two of the four versions are shown below, the first with exported documentation and fixed argument list, the second without documentation and variable argument list. Note that the documentations, post and pre, are placed next to their corresponding checks.

(xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... ) xpr ....)
(xdefine ((r r? ...) .. name (a a? ...) ... as as? ...) xpr ....)

Here name is the name of the procedure, post and pre the documentation of post- and preconditions, r ... are return values with corresponding postconditions r? ..., a ... are argument variables with preconditions a? ... , as is the variable collecting rest arguments with preconditions as? ... for each such argument and xpr starts the body.

For state-changing routines, so called commands, mostly defined on top of a let, xlambda must be used. The syntax for a fixed resp. variable argument list is

(xlambda ((r r? ...) .. <- (a a? ...) ...) xpr ....)
(xlambda ((r r? ...) .. <- (a a? ...) ... as as? ...) xpr ....)

where <- separates the return values from the arguments. The other symbols have the same meaning as in xdefine above.

xlambda expressions return three values, the procedure itself, contract checked or not, depending on the value of the contract-check-level parameter, the precondition- and the postcondition-documentation in this order.

In previous versions of the library, instead of <-, you had to supply the number of return values, either explicitly or implicitly, meaning one. This is still working but deprecated and will propably be removed in future versions.

Note, that even state changing routines must return values, at best the values of state variables after and before a state change has taken place. This makes postcondition checks and command chaining easy.

Documentation

simple-contracts

[procedure] (simple-contracts sym ..)

documentation procedure. Shows the exported symbols and the syntax of such an exported symbol, respectively.

contract-check-level

[parameter] (contract-check-level n ..)

no contract checks if n is -1 only precondition checks if n is 0, the default pre- and postcondition checks if n is +1

xdefine

[syntax] (xdefine ((r r? ...) .. name (a a? ...) ... ) xpr ....)
[syntax] (xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... ) xpr ....)
[syntax] (xdefine ((r r? ...) .. name (a a? ...) ... as as? ...) xpr ....)
[syntax] (xdefine ((r r? ...) .. #(post name pre) (a a? ...) ... as as? ...) xpr ....)

Contract guarded version of define for procedures, where name is the name of the procedure, post and pre document post- and preconditions r ... are return values with corresponding postconditions r? ... a ... are arguments with preconditions a? ... as is a variable collecting rest-parameters with preconditions as? for each such argument, and xpr starts the body..

xlambda

[syntax] (xlambda ((r r? ...) .. <- (a a? ...) ...) xpr ....)
[syntax] (xlambda ((r r? ...) .. <- (a a? ...) ... as as? ...) xpr ....)

where <- separates the results r with postconditions r? ... from the arguments a with preconditions a? ... a rest-parameter as with preconditions as? for each such argument and the body xpr .....

Each xlambda call returns three values, the procedure proper, contract-checked or not, depending on the value of contract-check-level, and documentation of pre- and postconditions in this order.

Deprecated versions of xlambda exist as well. Here k is the number of returned values, if provided, one otherwise.

[syntax] (xlambda k ((r r? ...) ... (a a? ...) ... ) xpr ....)
[syntax] (xlambda k ((r r? ...) ... (a a? ...) ... as as? ...) xpr ....)
[syntax] (xlambda ((r r? ...) (a a? ...) ... ) xpr ....)
[syntax] (xlambda ((r r? ...) (a a? ...) ... as as? ...) xpr ....)

procedures with state change should return the values of state variables after and before the state change.

%%

[procedure] (%% proc)

multi argument version of flip, which can be used in pipe

pipe

[syntax] (pipe combination ...)

sequencing curried combinations from left to right

Requirements

simple-exceptions 0.5

Usage

(use simple-contracts)

Examples


(use simple-contracts simple-exceptions)

((%% list)) ; -> '()
((%% list) 1) ; -> '(1)
((%% list) 1 2) ; -> '(2 1)
((%% list) 1 2 3 4) ; -> '(2 3 4 1)
((%% map) '(0 1 2) add1) ; -> '(1 2 3)

((pipe) 5) ; -> 5
((pipe (+ 1)) 5) ; -> 6
((pipe (- 10) (positive?)) 5) ; -> #f
((pipe (- 10) (negative?)) 5) ; -> #t
((pipe ((%% list) 1 2 3 4)) 10) ; -> '(1 2 3 4 10)
((pipe (list 1 2 3 4)) 10) ; -> '(10 1 2 3 4))
((pipe ((%% map) add1)) '(0 1 2)) ; -> '(1 2 3))
((pipe (list 1 2 3)) 0) ; - > '(0 1 2 3)) 
((pipe ((%% list) 1 2 3)) 0) ; - > '(1 2 3 0)) 

(define-values (counter! counter)
  (let ((state 0))
    (values
      (xlambda ((new (pipe (= (add1 old))))
                     ;integer? (pipe (= (add1 old))))
                     ;integer? (lambda (x) (= x (add1 old))))
                (old integer?)
                <-) ; no arguments
        (let ((old state))
          (set! state (add1 state))
          (values state old)))
      (xlambda ((result (pipe (= state)))
                <-) ; no arguments
        state))))
(counter) ; -> 0
(counter!)
(counter)  ; -> 1
(counter!)
(counter)  ; -> 2

(define-values (push pop top)
  (let ((stk '()))
    (let (
      (push
        (xlambda ((new list? (pipe (equal? (cons arg old))))
                  (old list?)
                  <-
                  (arg))
          (let ((old stk))
            (set! stk (cons arg stk))
            (values stk old))))
      (pop
        (xlambda ((new list? (pipe (equal? (cdr old))))
                  (old list?)
                  <-)
          (let ((old (<< stk 'pop (pipe (null?) (not)))))
            (set! stk (cdr stk))
            (values stk old))))
      (top
        (xlambda ((result) <-)
          (car (<< stk 'top (pipe (null?) (not))))))
      )
      (values push pop top)
      )))
;(top) ; precondition violated
;(pop) ; precondition violated
(push 0)
(push 1)
(top) ; -> 1
(call-with-values (lambda () (push 2)) list) ; -> '((2 1 0) (1 0))
(top) ; -> 2
(call-with-values (lambda () (pop)) list) ; -> '((1 0) (2 1 0))

(define-values (add add-pre add-post)
  (xlambda ((result integer? odd? (pipe (= (apply + x y ys))))
            <-
            (x integer? odd?) (y integer? even?) ys integer? even?)
    (apply + x y ys)))
(add 1 2 4 6) ; -> 13
(condition-case (add 1 2 3) ((exn arguments) #f)) ; -> #f
add-pre ; -> '((x (conjoin integer? odd?))
               (y (conjoin integer? even?))
               ys (conjoin integer?  even?))
add-post
 ; -> '(result (conjoin integer? odd? (pipe (= (apply + x y ys)))))

(define wrong-add
  (xlambda ((result integer? even?)
            <-
            (x integer? odd?) xs integer?  even?)
    (apply + x xs)))
(condition-case (wrong-add 1 2 4) ((exn results) #f)) ; -> #f

(define-values (divide divide-pre divide-post)
  (xlambda ((q integer?)
            (r (pipe (+ (* n q))
                     (= m)))
            <-
            (m integer? (pipe (>= 0)))
            (n integer? positive?))
    (let loop ((q 0) (r m))
      (if (< r n)
        (values q r)
        (loop (+ q 1) (- r n))))))
  (call-with-values
    (lambda () (divide 385 25))
    list) ;-> '(15 10)
divide-pre ; -> '((m (conjoin integer? (pipe (>= 0))))
                  (n (conjoin integer? positive?)))
divide-post ; -> '((q integer?)
                   (r (pipe (+ (* n q)) (= m))))
  

(xdefine ((result integer?) #(sum-post sum sum-pre) (a integer?) as integer?)
  (apply + a as))
(sum 1 2 3) ; -> 6
(condition-case (sum 1 2 #f) ((exn arguments) #f)) ; -> #f

(xdefine ((result list?) wrong-sum (a integer?) as integer?)
  (apply + a as))
(condition-case (wrong-sum 1 2 3) ((exn results) #f)) ; -> #f

Last update

Sep 22, 2017

Author

Juergen Lorenz

License

Copyright (c) 2011-2017, Juergen Lorenz
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
Neither the name of the author nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission. 
  
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Version History

1.4
syntax changes for xlambda and xdefine
1.3.1
dependency on simple-exceptions updated
1.3
error-messages improved
1.2
<<, >>, pre- and post-exception outsourced to simple-exceptions
1.1
number of return values in xlambda is only needed if not 1
1.0
initial import