Correctness conditions (2) for calling an agent
Following on from http://www.eiffelroom.com/blog/colin_adams/correctness_conditions_for_calling_an_agent, I have thought about the following scheme (it would require ECMA to be amended to require a tag on assertions, but this should be done anyway. Also, the tag would have to be unique with all the preconditions for a given feature - likewise for postconditions.):
class ROUTINE
feature -- Access
preconditions: !ARRAY [STRING]
-- All precondition tags for `Current'
ensure
no_void_results: not Result.has (Void)
no_empty_strings: Result.for_all (agent {STRING}.is_empty)
postconditions: !ARRAY [STRING]
-- All postcondition tags for `Current'
ensure
no_void_results: not Result.has (Void)
no_empty_strings: Result.for_all (agent {STRING}.is_empty)
has_precondition (a_tag: !STRING): BOOLEAN
-- Does `Current' have a precondition labeled `a_tag'?
has_postcondition (a_tag: !STRING): BOOLEAN
-- Does `Current' have a postcondition labeled `a_tag'?
precondition_holds (a_tag: !STRING; a_args: like operands): BOOLEAN
-- Does precondition `a_tag' evaluate to `True'?
require
has_precondition_a_tag: has_precondition (a_tag)
valid_arguments_for_current: valid_operands (a_args)
postcondition_holds (a_tag: !STRING; a_args: like operands): BOOLEAN
-- Does postcondition `a_tag' evaluate to `True'?
require
has_postcondition_a_tag: has_postcondition (a_tag)
valid_arguments_for_current: valid_operands (a_args)
preconditions_hold (a_args: like operands): BOOLEAN
-- Do all preconditions hold?
require
valid_arguments_for_current: valid_operands (a_args)
do
Result := preconditions.for_all (agent precondition_holds (?, a_args))
end
postconditions_hold (a_args: like operands): BOOLEAN
-- Do all postconditions hold?
require
valid_arguments_for_current: valid_operands (a_args)
do
Result := postconditions.for_all (agent postcondition_holds (?, a_args))
end
feature -- Basic operations
call (a_args: like operands)
-- Call `Current' passing `a_args' as actual arguments.
require
valid_operands: valid_operands (args)
preconditions_hold: preconditions_hold (a_args)
ensure
postconditions_hold: postconditions_hold (a_args)
feature -- Access
preconditions: !ARRAY [STRING]
-- All precondition tags for `Current'
ensure
no_void_results: not Result.has (Void)
no_empty_strings: Result.for_all (agent {STRING}.is_empty)
postconditions: !ARRAY [STRING]
-- All postcondition tags for `Current'
ensure
no_void_results: not Result.has (Void)
no_empty_strings: Result.for_all (agent {STRING}.is_empty)
has_precondition (a_tag: !STRING): BOOLEAN
-- Does `Current' have a precondition labeled `a_tag'?
has_postcondition (a_tag: !STRING): BOOLEAN
-- Does `Current' have a postcondition labeled `a_tag'?
precondition_holds (a_tag: !STRING; a_args: like operands): BOOLEAN
-- Does precondition `a_tag' evaluate to `True'?
require
has_precondition_a_tag: has_precondition (a_tag)
valid_arguments_for_current: valid_operands (a_args)
postcondition_holds (a_tag: !STRING; a_args: like operands): BOOLEAN
-- Does postcondition `a_tag' evaluate to `True'?
require
has_postcondition_a_tag: has_postcondition (a_tag)
valid_arguments_for_current: valid_operands (a_args)
preconditions_hold (a_args: like operands): BOOLEAN
-- Do all preconditions hold?
require
valid_arguments_for_current: valid_operands (a_args)
do
Result := preconditions.for_all (agent precondition_holds (?, a_args))
end
postconditions_hold (a_args: like operands): BOOLEAN
-- Do all postconditions hold?
require
valid_arguments_for_current: valid_operands (a_args)
do
Result := postconditions.for_all (agent postcondition_holds (?, a_args))
end
feature -- Basic operations
call (a_args: like operands)
-- Call `Current' passing `a_args' as actual arguments.
require
valid_operands: valid_operands (args)
preconditions_hold: preconditions_hold (a_args)
ensure
postconditions_hold: postconditions_hold (a_args)
This has the (unwanted, by me) additional effect that it is now safe to use inline agents in preconditions, as the client can test if the precondition for routine y holds by calling:
-- first build TUPLE l_args from l_arg1 and l_arg2 then:
if (agent y).preconditions_hold (l_args) then
y (l_arg1, l_arg2)
if (agent y).preconditions_hold (l_args) then
y (l_arg1, l_arg2)
Inline agents are still horrible for stylistic reasons, but my proposal for a replacement will wait for a later message.
Nothing new that the ECMA committee didn't know
When you wrote:
I guess you meant:
Note that it would have been less confusing to write:
! ;-)
Also, if routines `precondition' and `postcondition' (currently specified in ISE's ROUTINE class) were implemented, your proposal is not very different from the currently intended (but not explicitly specified, because not implemented) behavior:
-- Call `Current' passing `a_args' as actual arguments.
require
valid_operands: valid_operands (args)
preconditions_hold: precondition (a_args)
ensure
postconditions_hold: postcondition (a_args)
I think that the problem we are facing is not really how to specify things correctly (using tags or not), but rather how to implement it. I'm sure that if ISE knew how to implement their `precondition' and `postcondition' routines in ROUTINE then `call' would be properly specified with these contracts. For example even today you can write:
y (l_arg1, l_arg2)
but because `precondition' is not implemented and always returns True, this is useless.
Tags
Thanks for the correction, and the April Fool's joke.
But I think that with my tags proposal, implementation should be fairly straight-forward, I would have thought (this was the point of the posting). (It also has the advantage that in most cases you will be able to write lighter-weight code, by just testing a particular precondition, when you know most hold from the context). Colin Adams
Avoiding re-inventing the wheel
How is one supposed to know what the ECMA committee have and have-not considered? This is one of the chief points from my article Learning from the W3C process. Colin Adams
Closed standard design process
I'll let Manu (the ECMA Eiffel committe convener) answer this question about the way ECMA works. I for one would prefer a more open process, and feel lucky to be part of this committee.
ECMA process
Anyone can join the process as long as you are part of either a company/institution that is an ECMA member. The minutes and various proposals are currently only accessible by the ECMA members. As far as I know, the committee is free to decide whatever it wants regarding the publication of the various documents used (minutes, drafts, ...).
Maybe I am missing
Maybe I am missing something, but I still don't see how `postcondition_holds' can be implemented without calling the actual implementation? Or should the postcondition just be evaluated on the current state + arguments? If so, how can a `postcondition_holds' ever ealuate to True for a postcondition like `count = old count + 1'?
Calling the implementation
By "calling the implementation", do you mean the implementation of the body or of the postcondition code?
I don't see where the difficulty lies. It works in workbench mode.
Colin Adams
Transmitting old values
As usual, I answered too quickly, before thinking.
I now see that preservation of old values across the call might be tricky (or not possible, for an implementation in Eiffel code). Colin Adams
I think its not only about
I think its not only about the preservation. If you ask a routine whether a postcondition is satisfied, wich prestate and which poststate are you referring to? What is the meaning of `r.preconditions_hold ([1,2,3])'? Does it ask whether some past execution satisfied the postcondition, the last one, or maybe a hypthesized one?
I am not completely clear on it either, but at the moment the only thing that makes sense to me is to ask either:
1) Given this set of arguments, this prestate and this poststate, does the postcondition hold?
2) For the last execution of this agent, did the postcondition hold?
I think 1) is very tricky to implement. (What is a prestate and what is a poststate?) 2) is easier to implement, in fact it can be as simple as a variable. But in the end I am not sure about its usefulness, after all if the last execution failed I would have noticed because an exception was thrown. Btw, for 2) you don't need arguments either.
Andreas
removing dynamic postconditions mitigates the problem but...
You can escape old and state issues by not having postconditions in the ROUTINE interface. There's no use case I can think of for checking postcondition explicitly at runtime (a failed postcondition can only be a bug), while there's a use case for checking some preconditions as part of establishing the client fulfills its side of the contract and takes remedial action otherwise.
Although even there is does get a bit fuzzy in that the only preconditions a client should be entitled to check is the preconditions which are part of the _static_ agent interface, for instance let's say we have a classic Eiffel pattern:
feature
is_visible: BOOLEAN is
-- Is drawable target ready to receive instructions?
deferred
end
draw (a_shape: SHAPE) is
-- Draw a shape on some target.
require
a_shape_not_void: a_shape /= Void
visible: is_visible
deferred
end
end
which you would use as such:
...
if drawable.is_visible then
drawable.draw (a_tower)
end
In agentified Eiffel the same pattern becomes:
...
-- (1) generic preconditions checking
if drawable.preconditions_holds ([a_tower]) then
drawable.call ([a_tower])
end
-- or (2) tagged preconditions checking
if drawable.precondition_holds ("is_visible", [a_tower]) then
drawable.call ([a_tower])
end
(2) suffers a variant of the same problem, in that while semantically equivalent to the classic Eiffel pattern, it has also leaked compiler stuff into runtime, with some drawbacks for example the tag is a string, so there will be no compilation time error if is_visible is renamed etc, or if there's a typo in the first place, and the compiler cannot, or painfully, dead code away the 'debug' contracts that are always true in a correct program (and that damage extend to all routines with the same signature that are agent targets, and their descendants!). Also code analysis or automated verification becomes a harder problem.
Agent Contracts
I agree that exposing and then explicitly checking pre/postconditions is not desirable, at least not as a general solution to agent contracts. Here are some thoughts on a possible form of a solution.
We have code that wants to call a feature that is bound at runtime. We may statically specify the type of feature (query or function) and the number, order, and type of open arguments that this feature must have.
However, we cannot statically guarantee to the client that binds a feature and gives it to our code anything more about those arguments. Neither can we describe what we expect from the feature.
So, we can currently write that we want the following entity:
But, perhaps we want to write something more like
(using 'agent_interface' as a keyword) for a feature `prototype' defined as:
-- Defines the contract of an agent
require
precondition_1: ...
agent_interface
ensure
precondition_2: ...
end
The assignment
would require the feature `implementation' to effect `prototype' as if `prototype' were a feature inherited as deferred. That is, `implementation' would have to
Additionally, I think there are some more details such as feature calls with `Current' as the target probably cannot or should not be allowed in the assertions of the interface.
An example following the previously provided DRAWABLE/SHAPE example:
draw_shape(drawable: DRAWABLE; a_shape: SHAPE)
-- Draw a shape on the given target.
require
a_shape_not_void: a_shape /= Void
visible: drawable.is_visible
deferred
end
usage:
drawable: DRAWABLE
a_tower: SHAPE
...
to_do := agent {DRAWABLE}.draw
to_do.call([drawable, a_tower])
EDIT: corrected example usage
Exposing pre/postconditions of agent
I disagree with the point that opposes exposing the preconditions and postconditions of agents. It seems to me like the only way to get complete specifications of higher order routines (somewhat related to higher order functions). In simpler terms, the postcondition function of agents may be used in postconditions of routines that receive agents as parameters (directly or indirectly) to describe the work in terms of the given agent.
If I bring the problem in a functional context, we can see what could be desirable for Eiffel. I'll use a lisp-like syntax and presume a design by contract macro set to make my example. Let specify the map function (for non-lispers: this function applies a given function to every elements of a list and returns a list containing the results).
(def-dbc-function (map f list) (require (not (null? f))) (deferred) (ensure (implies (not (null? list)) (equal? result (cons (f (car list)) (map f (cdr list))))) (implies (null? list) (null? result))))We can see a parallel with iterators in Eiffel. The main problem is that we cannot specify a procedure like do_all as we did map since it applies a procedure object and we do not know what we may call the frame of the operation. I think that's why no easy definition comes up for the postcondition feature of routines.
The only alternative is to write the loop as the implementation and the specification and then freeze the implementation. This is not quite convenient because there may be reasons to redefine it.
Simon