Design by Contract != Runtime Assertion

Jonathan M Davis jmdavisProg at gmx.com
Sun Nov 21 23:15:02 PST 2010


On Sunday 21 November 2010 22:46:38 %u wrote:
> Hello!
> 
> I just became an incredibly big fan of D; it has everything I've wanted,
> except one thing:
> It is said that D supports Design by Contract (DbC) programming, when in
> fact what it has is runtime assertions. There is, however, a big
> difference. DbC necessarily means that a compiler would have a theorem
> prover and would need to prove at /Compile/-time whether or not an
> expression can be satisfied (similar to what is done in the Spec# language
> by Microsoft Research), because the name is /Design/ by contract. It is
> not the same as assertions, which occur at run time.
> I was wondering if actual design-by-contract programming (rather than mere
> assertions) will be available in D at a later time?
> 
> Thank you!

As I recall, all design by contract says is that a function has a contract 
saying that if you give it input which follows a certain set of guidelines, it 
will give you output which follows a certain set of guidelines. It says nothing 
about enforcement or proving that a function actually follows the contract. If 
you violate the contract by giving it bad data, then it's implementation-defined 
as to what happens. And obviously, if the function doesn't follow the contract, 
then it's implementation-defined as to what happens.

What D does is give you a means of making sure that a function is following the 
contract that you intended for it. pre-conditions verify that it's given 
arguments which follow the contract, post-conditions verify that the function's 
output follows the contract, and invariants help guarantee that the state of an 
object is within _its_ contract. All of it is a way to verify that the contracts 
are kept.

All DbC says is that the contracts exist. How you guarantee that they're 
followed is another matter entirely. And having pre-conditions and post-
conditions verified programmatically at runtime is a classic way to do that.

Actually doing proofs of any sort - programmatically or otherwise - can be very 
difficult, and there's no way that that sort of thing is going to make it into the 
language. It's totally unnecessary, it would be an absolute nightmare to 
implement, and now you have another source of potential error: your proof. By 
verify that the contract is followed at runtime, D has implemented the _least_ 
error-prone solution to guaranteeing that function contracts are adhered to.

- Jonathan m Davis


More information about the Digitalmars-d mailing list