Design by contract

Last updated February 28, 2024

Design by contract (DbC), also known as contract programming, programming by contract and design-by-contract programming, is an approach for designing software.

It prescribes that software designers should define formal, precise and verifiable interface specifications for software components, which extend the ordinary definition of abstract data types with preconditions, postconditions and invariants. These specifications are referred to as "contracts", in accordance with a conceptual metaphor with the conditions and obligations of business contracts.

The DbC approach assumes all client components that invoke an operation on a server component will meet the preconditions specified as required for that operation.

Where this assumption is considered too risky (as in multi-channel or distributed computing), the inverse approach is taken, meaning that the server component tests that all relevant preconditions hold true (before, or while, processing the client component's request) and replies with a suitable error message if not.

History

The term was coined by Bertrand Meyer in connection with his design of the Eiffel programming language and first described in various articles starting in 1986^[1]^[2]^[3] and the two successive editions (1988, 1997) of his book Object-Oriented Software Construction . Eiffel Software applied for trademark registration for Design by Contract in December 2003, and it was granted in December 2004.^[4]^[5] The current owner of this trademark is Eiffel Software.^[6]^[7]

Design by contract has its roots in work on formal verification, formal specification and Hoare logic. The original contributions include:

A clear metaphor to guide the design process
The application to inheritance, in particular a formalism for redefinition and dynamic binding
The application to exception handling
The connection with automatic software documentation

Description

The central idea of DbC is a metaphor on how elements of a software system collaborate with each other on the basis of mutual obligations and benefits. The metaphor comes from business life, where a "client" and a "supplier" agree on a "contract" that defines, for example, that:

The supplier must provide a certain product (obligation) and is entitled to expect that the client has paid its fee (benefit).
The client must pay the fee (obligation) and is entitled to get the product (benefit).
Both parties must satisfy certain obligations, such as laws and regulations, applying to all contracts.

Similarly, if the method of a class in object-oriented programming provides a certain functionality, it may:

Expect a certain condition to be guaranteed on entry by any client module that calls it: the method's precondition—an obligation for the client, and a benefit for the supplier (the method itself), as it frees it from having to handle cases outside of the precondition.
Guarantee a certain property on exit: the method's postcondition—an obligation for the supplier, and obviously a benefit (the main benefit of calling the method) for the client.
Maintain a certain property, assumed on entry and guaranteed on exit: the class invariant.

The contract is semantically equivalent to a Hoare triple which formalises the obligations. This can be summarised by the "three questions" that the designer must repeatedly answer in the contract:

What does the contract expect?
What does the contract guarantee?
What does the contract maintain?

Many programming languages have facilities to make assertions like these. However, DbC considers these contracts to be so crucial to software correctness that they should be part of the design process. In effect, DbC advocates writing the assertions first.^{[ citation needed ]} Contracts can be written by code comments, enforced by a test suite, or both, even if there is no special language support for contracts.

The notion of a contract extends down to the method/procedure level; the contract for each method will normally contain the following pieces of information:^{[ citation needed ]}

Acceptable and unacceptable input values or types, and their meanings
Return values or types, and their meanings
Error and exception condition values or types that can occur, and their meanings
Side effects
Preconditions
Postconditions
Invariants
(more rarely) Performance guarantees, e.g. for time or space used

Subclasses in an inheritance hierarchy are allowed to weaken preconditions (but not strengthen them) and strengthen postconditions and invariants (but not weaken them). These rules approximate behavioural subtyping.

All class relationships are between client classes and supplier classes. A client class is obliged to make calls to supplier features where the resulting state of the supplier is not violated by the client call. Subsequently, the supplier is obliged to provide a return state and data that does not violate the state requirements of the client.

For instance, a supplier data buffer may require that data is present in the buffer when a delete feature is called. Subsequently, the supplier guarantees to the client that when a delete feature finishes its work, the data item will, indeed, be deleted from the buffer. Other design contracts are concepts of class invariant. The class invariant guarantees (for the local class) that the state of the class will be maintained within specified tolerances at the end of each feature execution.

When using contracts, a supplier should not try to verify that the contract conditions are satisfied—a practice known as offensive programming—the general idea being that code should "fail hard", with contract verification being the safety net.

DbC's "fail hard" property simplifies the debugging of contract behavior, as the intended behaviour of each method is clearly specified.

This approach differs substantially from that of defensive programming, where the supplier is responsible for figuring out what to do when a precondition is broken. More often than not, the supplier throws an exception to inform the client that the precondition has been broken, and in both cases—DbC and defensive programming alike—the client must figure out how to respond to that. In such cases, DbC makes the supplier's job easier.

Design by contract also defines criteria for correctness for a software module:

If the class invariant AND precondition are true before a supplier is called by a client, then the invariant AND the postcondition will be true after the service has been completed.
When making calls to a supplier, a software module should not violate the supplier's preconditions.

Design by contract can also facilitate code reuse, since the contract for each piece of code is fully documented. The contracts for a module can be regarded as a form of software documentation for the behavior of that module.

Performance implications

Contract conditions should never be violated during execution of a bug-free program. Contracts are therefore typically only checked in debug mode during software development. Later at release, the contract checks are disabled to maximize performance.

In many programming languages, contracts are implemented with assert. Asserts are by default compiled away in release mode in C/C++, and similarly deactivated in C#^[8] and Java.

Launching the Python interpreter with "-O" (for "optimize") as an argument will likewise cause the Python code generator to not emit any bytecode for asserts.^[9]

This effectively eliminates the run-time costs of asserts in production code—irrespective of the number and computational expense of asserts used in development—as no such instructions will be included in production by the compiler.

Relationship to software testing

Design by contract does not replace regular testing strategies, such as unit testing, integration testing and system testing. Rather, it complements external testing with internal self-tests that can be activated both for isolated tests and in production code during a test-phase.

The advantage of internal self-tests is that they can detect errors before they manifest themselves as invalid results observed by the client. This leads to earlier and more specific error detection.

The use of assertions can be considered to be a form of test oracle, a way of testing the design by contract implementation.

Language support

Languages with native support

Languages that implement most DbC features natively include:

Ada 2012
Ciao
Clojure
Cobra
D ^[10]
Dafny
Eiffel
Fortress
Kotlin
Mercury
Oxygene (formerly Chrome and Delphi Prism^[11])
Racket (including higher order contracts, and emphasizing that contract violations must blame the guilty party and must do so with an accurate explanation^[12])
Sather
Scala ^[13]^[14]
SPARK (via static analysis of Ada programs)
Vala
VDM

Additionally, the standard method combination in the Common Lisp Object System has the method qualifiers :before, :after and :around that allow writing contracts as auxiliary methods, among other uses.

Languages with third-party support

Various libraries, preprocessors and other tools have been developed for existing programming languages without native design by contract support:

Ada, via GNAT pragmas for preconditions and postconditions.
C
- DBC for C preprocessor
- GNU Nana
- eCv formal verification tools
C++:
- Boost.Contract
- eCv++ formal verification tools
- Digital Mars C++ compiler via CTESK extension of C
- Loki Library provides a mechanism named ContractChecker that verifies a class follows design by contract.
- DBC C++ Design by contract for C++
C# (and other .NET languages), via Code Contracts^[15] (a Microsoft Research project integrated into the .NET Framework 4.0)
Groovy via GContracts
Go via dbc or gocontracts
Java:
- Active:
  - OVal with AspectJ
  - Contracts for Java (Cofoja)
  - Java Modeling Language (JML)
  - Bean Validation (only pre- and postconditions)^[16]
  - valid4j
  - SafeR (with safe references)
- Inactive/unknown:
  - Jtest (active but DbC seems not to be supported anymore)^[17]
  - iContract2/JContracts
  - Contract4J
  - jContractor
  - C4J
  - Google CodePro Analytix
  - SpringContracts for the Spring Framework
  - Jass Archived 2003-04-03 at the Wayback Machine
  - Modern Jass (successor is Cofoja)^[18]^[19]
  - JavaDbC using AspectJ
  - JavaTESK using extension of Java
  - chex4j using javassist
  - highly customizable java-on-contracts
JavaScript, via decorator-contracts, AspectJS (specifically, AJS_Validator), Cerny.js, ecmaDebug, jsContract, dbc-code-contracts or jscategory.
Common Lisp, via the macro facility or the CLOS metaobject protocol.
Nemerle, via macros.
Nim, via macros.
Perl, via the CPAN modules Class::Contract (by Damian Conway) or Carp::Datum (by Raphael Manfredi).
PHP, via PhpDeal, Praspel or Stuart Herbert's ContractLib.
Python, using packages like deal, icontract, PyContracts, dpcontracts, or zope.interface. A permanent change to Python to support design by contracts was proposed in PEP-316 in 2003, but is deferred.
Ruby, via Brian McCallister's DesignByContract, Ruby DBC ruby-contract or contracts.ruby.
Rust via the contracts crate.
Swift via the cocoapod by Jim Boyd.
Tcl, via the XOTcl object-oriented extension.

Notes

↑ Meyer, Bertrand: Design by Contract, Technical Report TR-EI-12/CO, Interactive Software Engineering Inc., 1986
↑ Meyer, Bertrand: Design by Contract, in Advances in Object-Oriented Software Engineering, eds. D. Mandrioli and B. Meyer, Prentice Hall, 1991, pp. 1–50
↑ Meyer, Bertrand: "Applying "Design by Contract"", in Computer (IEEE), 25, 10, October 1992, pp. 40–51.
↑ "United States Patent and Trademark Office registration for "DESIGN BY CONTRACT"". Archived from the original on 2016-12-21. Retrieved 2009-06-22.^{[ dead link ]}
↑ "United States Patent and Trademark Office registration for the graphic design with words "Design by Contract"". Archived from the original on 2016-12-21. Retrieved 2009-06-22.^{[ dead link ]}
↑ "Trademark Status & Document Retrieval - 78342277". USPTO Trademark Application and Registration Retrieval.
↑ "Trademark Status & Document Retrieval - 78342308". USPTO Trademark Application and Registration Retrieval.
↑ "Assertions in Managed Code". Microsoft Developer Network. Archived from the original on Aug 22, 2018.
↑ Official Python Docs, assert statement
↑ Bright, Walter (2014-11-01). "D Programming Language, Contract Programming". Digital Mars. Retrieved 2014-11-10.
↑ Hodges, Nick. "Write Cleaner, Higher Quality Code with Class Contracts in Delphi Prism". Embarcadero Technologies. Archived from the original on 26 April 2021. Retrieved 20 January 2016.
↑ Findler, Felleisen Contracts for Higher-Order Functions
↑ "Scala Standard Library Docs - Assertions". EPFL. Retrieved 2019-05-24.
↑ Strong typing as another "contract enforcing" in Scala, see discussion at scala-lang.org/.
↑ "Code Contracts". Microsoft Developer Network. Archived from the original on Nov 15, 2018.
↑ "Bean Validation specification". beanvalidation.org.
↑ "Software Testing Help from the Experts | Parasoft Resources" (PDF). Archived (PDF) from the original on 2022-10-09.
↑ "Archived copy" (PDF). Archived from the original (PDF) on 2016-03-28. Retrieved 2016-03-25.{{cite web}}: CS1 maint: archived copy as title (link) p. 2
↑ "No chance of releasing under Apache/Eclipse/MIT/BSD license? · Issue #5 · nhatminhle/cofoja". GitHub.

Bibliography

Mitchell, Richard, and McKim, Jim: Design by Contract: by example, Addison-Wesley, 2002
A wikibook describing DBC closely to the original model.
McNeile, Ashley: A framework for the semantics of behavioral contracts. Proceedings of the Second International Workshop on Behaviour Modelling: Foundation and Applications (BM-FA '10). ACM, New York, NY, USA, 2010. This paper discusses generalized notions of Contract and Substitutability.

External links

The Power of Design by Contract(TM) A top-level description of DbC, with links to additional resources.
Building bug-free O-O software: An introduction to Design by Contract(TM) Older material on DbC.
Benefits and drawbacks; implementation in RPS-Obix
Using Code Contracts for Safer Code

Related Research Articles

In object-oriented programming, a class is an extensible program-code-template for creating objects, providing initial values for state and implementations of behavior.

Eiffel is an object-oriented programming language designed by Bertrand Meyer and Eiffel Software. Meyer conceived the language in 1985 with the goal of increasing the reliability of commercial software development; the first version becoming available in 1986. In 2005, Eiffel became an ISO-standardized language.

Python is a high-level, general-purpose programming language. Its design philosophy emphasizes code readability with the use of significant indentation.

In computer programming, a precondition is a condition or predicate that must always be true just prior to the execution of some section of code or before an operation in a formal specification.

In computer programming, a postcondition is a condition or predicate that must always be true just after the execution of some section of code or after an operation in a formal specification. Postconditions are sometimes tested using assertions within the code itself. Often, postconditions are simply included in the documentation of the affected section of code.

The Vienna Development Method (VDM) is one of the longest-established formal methods for the development of computer-based systems. Originating in work done at the IBM Laboratory Vienna in the 1970s, it has grown to include a group of techniques and tools based on a formal specification language—the VDM Specification Language (VDM-SL). It has an extended form, VDM++, which supports the modeling of object-oriented and concurrent systems. Support for VDM includes commercial and academic tools for analyzing models, including support for testing and proving properties of models and generating program code from validated VDM models. There is a history of industrial usage of VDM and its tools and a growing body of research in the formalism has led to notable contributions to the engineering of critical systems, compilers, concurrent systems and in logic for computer science.

In software systems, encapsulation refers to the bundling of data with the mechanisms or methods that operate on the data. It may also refer to the limiting of direct access to some of that data, such as an object's components. Essentially, encapsulation prevents external code from being concerned with the internal workings of an object.

In computer programming, unit testing is a software testing method by which individual units of source code—sets of one or more computer program modules together with associated control data, usage procedures, and operating procedures—are tested to determine whether they are fit for use. It is a standard step in development and implementation approaches such as Agile.

In computer programming, specifically when using the imperative programming paradigm, an assertion is a predicate connected to a point in the program, that always should evaluate to true at that point in code execution. Assertions can help a programmer read the code, help a compiler compile it, or help the program detect its own defects.

In the context of hardware and software systems, formal verification is the act of proving or disproving the correctness of a system with respect to a certain formal specification or property, using formal methods of mathematics. Formal verification is a key incentive for formal specification of systems, and is at the core of formal methods. It represents an important dimension of analysis and verification in electronic design automation and is one approach to software verification. The use of formal verification enables the highest Evaluation Assurance Level (EAL7) in the framework of common criteria for computer security certification.

In computer science, a loop invariant is a property of a program loop that is true before each iteration. It is a logical assertion, sometimes checked with a code assertion. Knowing its invariant(s) is essential in understanding the effect of a loop.

In computer programming, specifically object-oriented programming, a class invariant is an invariant used for constraining objects of a class. Methods of the class should preserve the invariant. The class invariant constrains the state stored in the object.

Modular programming is a software design technique that emphasizes separating the functionality of a program into independent, interchangeable modules, such that each contains everything necessary to execute only one aspect of the desired functionality.

In concurrent programming, a monitor is a synchronization construct that prevents threads from concurrently accessing a shared object's state and allows them to wait for the state to change. They provide a mechanism for threads to temporarily give up exclusive access in order to wait for some condition to be met, before regaining exclusive access and resuming their task. A monitor consists of a mutex (lock) and at least one condition variable. A condition variable is explicitly 'signalled' when the object's state is modified, temporarily passing the mutex to another thread 'waiting' on the conditional variable.

The Java Modeling Language (JML) is a specification language for Java programs, using Hoare style pre- and postconditions and invariants, that follows the design by contract paradigm. Specifications are written as Java annotation comments to the source files, which hence can be compiled with any Java compiler.

EiffelStudio is a development environment for the Eiffel programming language developed and distributed by Eiffel Software.

The ANSI/ISO C Specification Language (ACSL) is a specification language for C programs, using Hoare style pre- and postconditions and invariants, that follows the design by contract paradigm. Specifications are written as C annotation comments to the C program, which hence can be compiled with any C compiler.

<span class="mw-page-title-main">Object-oriented programming</span> Programming paradigm based on the concept of objects

Object-oriented programming (OOP) is a programming paradigm based on the concept of objects, which can contain data and code: data in the form of fields, and code in the form of procedures. In OOP, computer programs are designed by making them out of objects that interact with one another.

Whiley is an experimental programming language that combines features from the functional and imperative paradigms, and supports formal specification through function preconditions, postconditions and loop invariants. The language uses flow-sensitive typing also known as "flow typing."

Dafny is an imperative and functional compiled language that compiles to other programming languages, such as C#, Java, JavaScript, Go and Python. It supports formal specification through preconditions, postconditions, loop invariants, loop variants, termination specifications and read/write framing specifications. The language combines ideas from the functional and imperative paradigms; it includes support for object-oriented programming. Features include generic classes, dynamic allocation, inductive datatypes and a variation of separation logic known as implicit dynamic frames for reasoning about side effects. Dafny was created by Rustan Leino at Microsoft Research after his previous work on developing ESC/Modula-3, ESC/Java, and Spec#.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Meyer, Bertrand: Design by Contract, Technical Report TR-EI-12/CO, Interactive Software Engineering Inc., 1986

[2] Meyer, Bertrand: Design by Contract, in Advances in Object-Oriented Software Engineering, eds. D. Mandrioli and B. Meyer, Prentice Hall, 1991, pp. 1–50

[3] Meyer, Bertrand: "Applying "Design by Contract"", in Computer (IEEE), 25, 10, October 1992, pp. 40–51.

[DbC_tm_words-4] "United States Patent and Trademark Office registration for "DESIGN BY CONTRACT"". Archived from the original on 2016-12-21. Retrieved 2009-06-22.^{[ dead link ]}

[DbC_tm_design-5] "United States Patent and Trademark Office registration for the graphic design with words "Design by Contract"". Archived from the original on 2016-12-21. Retrieved 2009-06-22.^{[ dead link ]}

[DbC_tm_words2-6] "Trademark Status & Document Retrieval - 78342277". USPTO Trademark Application and Registration Retrieval.

[DbC_tm_design2-7] "Trademark Status & Document Retrieval - 78342308". USPTO Trademark Application and Registration Retrieval.

[8] "Assertions in Managed Code". Microsoft Developer Network. Archived from the original on Aug 22, 2018.

[9] Official Python Docs, assert statement

[d-contract-programming-10] Bright, Walter (2014-11-01). "D Programming Language, Contract Programming". Digital Mars. Retrieved 2014-11-10.

[11] Hodges, Nick. "Write Cleaner, Higher Quality Code with Class Contracts in Delphi Prism". Embarcadero Technologies. Archived from the original on 26 April 2021. Retrieved 20 January 2016.

[12] Findler, Felleisen Contracts for Higher-Order Functions

[scala-assertions-dbc-13] "Scala Standard Library Docs - Assertions". EPFL. Retrieved 2019-05-24.

[14] Strong typing as another "contract enforcing" in Scala, see discussion at scala-lang.org/.

[15] "Code Contracts". Microsoft Developer Network. Archived from the original on Nov 15, 2018.

[16] "Bean Validation specification". beanvalidation.org.

[17] "Software Testing Help from the Experts | Parasoft Resources" (PDF). Archived (PDF) from the original on 2022-10-09.

[18] "Archived copy" (PDF). Archived from the original (PDF) on 2016-03-28. Retrieved 2016-03-25.{{cite web}}: CS1 maint: archived copy as title (link) p. 2

[19] "No chance of releasing under Apache/Eclipse/MIT/BSD license? · Issue #5 · nhatminhle/cofoja". GitHub.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]