ExContracts
This is an Elixir library that adds support for design by contract. See DbC for introductory description.
Theory
At the heart of Design by Contract is the idea that we choose to engage in economic activity because of mutual benefits that we derive when interacting with each other. Relevant to this notion is the relationship between a client and a supplier. We can view each Elixir module or function as either supplying a service or being a client of a module or function that supplies a service. A contract defines obligations and establishing benefits when interactions between modules and functions take place. This is similar, in many ways, to a business contract. As an example, a contract for a cellular service can be established between you and a cellular provider. Under this contract, terms clearly define obligations and benefits of each party. A cellular provider gets a benefit of your money but must provide you with a cellular service. On the other hand, you get a benefit of a service but must provide money in exchange. A contract clearly spells out benefits and obligations. To put it in another way, a pre-condition, a condition that must be true, or is required to be true before you can obtain a service, is the promise of money that you must pay for the service. The post-condition, the benefit that you get, or a condition that needs to be ensured by the supplier, is the service that you obtain when you make a phone call.
Design by contract benefits not just an object oriented language but also a functional one
including Elixir. After all, some functions are partial and we need to know what is expected from
us before calling them. More formally, we need to know what is a pre-condition that we need to
satisfy before making a call. With the help of this library, one can clearly define such an
requirement using ExContract.requires/1
macro. When we see that ExContract.requires/1
condition
failed, a bug can quickly be identified as being in the calling code. In summary, a function can
only be called if pre-condition is satisfied; all bets are off if this is not the case.
Pre-condition i.e. ExContract.requires/1
macro provides a benefit to the person implementing a
function. It makes the code simpler to implement as some possibilities are eliminated by ExContract.requires/1
. The implementation must only concern itself with the possibilities that are
still open as defined by pre-condition.
After calling an Elixir function, we need to know what is guaranteed by a function we just called.
This defines a benefit to the calling code. More formally we want to know what is guaranteed or
ensured by a function we just called. In this library, ExContract.ensures/1
macro expresses the
benefit we obtain from calling a function. If for some reason, there is a failure of the
ExContract.ensures/1
macro, we know the implementation of the function is incorrect as the code
does not live to its expectation. When this is the case, we can focus our effort on fixing the
function that promised but did not deliver.
ExContract.check/1
macro allows us to clearly define assumptions about our code that we believe to
be true at certain point of function execution. Were such assumption turn out to be incorrect, as
manifested by failure of ExContract.check/1
macro, we should go back and correct the code that was
written claiming these assumptions were true.
ExContract.fail/1
macro is useful when it is our understanding that certain portion of code
should never be executed or reached. If this proves not to be the case, we should re-examine the
code and make necessary corrections.
To summarize, contracts allow us to fail fast as recommended by Elixir and Erlang experts. We can clearly express what is required before calling a function and what benefit we obtain. Finally, failures of different types of contracts clearly give indication of which part of the code has bugs. This makes the exercise of correcting them simpler. Testing, including, property based testing and design by contract are trying to address our inability to implement formal proof for code correctness. Pre-conditions and post-conditions are useful even in functions with no side effects, as they limit input domains and output ranges making code easier to develop and reason about.
Accomplished Design Goals
- Allow for multiple requires and ensures clauses.
- Allow optional message parameters to be specified for ensures, requires, and check conditions.
- For a failed contract, print the code representation of the condition that failed.
- Do not modify AST (Abstract Syntax Tree) when no contract is specified or when certain contract
type is not present. For example, result variable is not created when there is no post-condition
ExContract.requires/1
. - Allow contract
ExContract.requires/1
andExContract.ensures/1
for private functions as there is no reason to limit contracts to only public ones. - Handle function definitions that contain implicit
try
block that is followed byrescue
,after
, orcatch
. Example:
requires x < y, "Called with x=#{inspect x} and y=#{inspect y}"
requires x > 5
@spec test_requires(x :: integer, y :: integer) :: integer | no_return
def test_requires(x, y) do
x * y
after
IO.puts("Cleanup")
end
Future Improvements
- Report individual values of the expression that led to failure just like in
ExUnit
.
Usage
The package is available in Hex and can be added as dependency into mix.exs file:
def deps do
[
{:ex_contract, "~> 0.1.1"}
]
end
Run mix deps.get followed by deps.compile. Every module where contracts are to be specified needs to
have use
statement:
defmodule SomeModule do
use ExContract
...
end
Pre-conditions: requires
Multiple requires contract clauses with optional message parameter can be defined. The first parameter specifies a condition that we expect to be true upon call to a function.
Example:
requires x < y, "called with x=#{inspect x} and y=#{inspect y}"
requires x > 5
@spec test_requires(x :: integer, y :: integer) :: integer | no_return
def test_requires(x, y) do
x * y
end
When condition provided to ExContract.requires/1
macro turns out to be false, the macro raises
ExContract.RequiresException
. The exception contains code representation of the condition that
failed followed by generic message related to type of contract that failed. The message embeds the
second parameter if such was specified in macro call.
Example of ExContract.requires/1
macro failure:
(ExContract.RequiresException) Pre-condition [x < y] violated. Invalid implementation of caller to function [test_requires/2] called with x=6 and y=5
(ex_contract) lib/ex_contract/assert.ex:16: ExContract.Assert.requires/4
(ex_contract) test/lib/ex_contract_test.ex:30: ExContractTest.test_requires/2
Post-conditions: ensures
The library allows to define multiple ensures conditions that can have optional message parameters.
A return value of a function can be checked via a pre-defined result
variable that is available in
the ensures condition. The first parameter specifies a condition that we expect to be true when
function exits.
Example:
ensures result == x * y
@spec test_ensures(x :: integer, y :: integer) :: integer | no_return
def test_ensures(x, y) do
x * y
end
When condition provided to ExContract.ensures/1
macro turns out to be false, the macro raises
ExContract.EnsuresException
. The exception contains code representation of the condition that
failed followed by generic message related to type of contract that failed. The message embeds the
second parameter if such was specified in macro call.
Example of ExContract.ensures/1
macro failure:
(ExContract.EnsuresException) Post-condition [result == x * y] violated. Invalid implementation of function [test_ensures/2]
(ex_contract) lib/ex_contract/assert.ex:22: ExContract.Assert.ensures/4
(ex_contract) test/lib/ex_contract_test.ex:129: ExContractTest.test_ensures/2
Check-condition: check
This macro can appear multiple times inside of function body. First parameter to ExContract.check/1
macro specifies a condition that we expect to be true at certain point of function execution.
Example:
@spec test_check(x :: integer) :: integer | no_return
def test_check(x) do
r = x * x
check r > x or r == 1
r
end
When condition provided to ExContract.check/1
macro turns out to be false, the macro raises
ExContract.CheckException
. The exception contains code representation of the condition that failed
followed by generic message related to type of contract that failed. The message embeds the second
parameter if such was specified in macro call.
Fail-condition: fail
ExContract.fail/1
macro can appear multiple times inside of function body. It raises
ExContract.FailException
when path of the code that we did not expect to execute is taken. The
only parameter to the macro is a message that should describe a reason for a failure.
Example:
@spec test_fail(x :: integer) :: integer | no_return
def test_fail(x) do
fail "This callback should never have been executed"
end
Installation
Package is available in Hex and can be installed
by adding ex_contract
to your list of dependencies in mix.exs
:
def deps do
[
{:ex_contract, "~> 0.1.1"}
]
end
Documentation generated with ExDoc and published on HexDocs. Docs can be found at https://hexdocs.pm/ex_contract.
Credits
AST generation based on idea in Elixir Contracts