encouraging effective contract specifications
play

Encouraging Effective Contract Specifications Todd Schiller , Kellen - PowerPoint PPT Presentation

Apr 26, 2023 •227 likes •647 views

Contract.Requires (amount > 0.0); Contract.Ensures (Balance == Contract.OldValue (Balance) + amount); Contract.Invariant (Balance > 0.0); Encouraging Effective Contract Specifications Todd Schiller , Kellen Donohue, Forrest Coward, Michael

  1. Contract.Requires (amount > 0.0); Contract.Ensures (Balance == Contract.OldValue (Balance) + amount); Contract.Invariant (Balance > 0.0); Encouraging Effective Contract Specifications Todd Schiller , Kellen Donohue, Forrest Coward, Michael Ernst University of Washington

  2. Microsoft Code Contracts public class BankAccount { Precondition public void Deposit(decimal amount){ Contract.Requires (amount > 0.0); Contract.Ensures (Balance == Contract.OldValue (Balance) + amount); . . . Postcondition } • C# Syntax and Typing . . . • Run-time Checking } • Static Checking 2

  3. What contracts do developers write? What contracts could developers write? How do developers react when they are shown the difference? How can we use this information to make developers more effective? 3

  4. Developers use contracts ineffectively • Most contracts check for Introduce tooling to reduce missing values, e.g. != null annotation burden • Miss aspects of program Make suggestions key part behavior of tool ecosystem • Don’t (effectively) use Curate best practices. powerful features, e.g., It’s OK to be normative object invariants 4

  5. Goal: Move Developers Toward Using Contracts as Specifications Contracts as Contracts as Functional Assertions Specifications • Assumption Violations • What program should do • Object Invariants • Contracts on Interfaces 5

  6. Effective Contracts Have Many Benefits Design • Design by Contract [Meyer86] Development Maintenance • Static Checking • Refactoring [Fahndrich10] • Documentation • Refactoring [Cousot12] Testing Debugging • Test Generation • Runtime Checking [Barnett09] • Fault Localization • Runtime Checking 6

  7. Talk Outline 1. The contracts that developers write 2. The contracts that developers could write 3. How developers react when shown the difference 7

  8. Most Contracts Just Check for Missing Values Written Contracts • Subjects: The 90 C# projects with Code Contracts on Ohloh • Missing-Value: Null, Empty String, Empty Collection Missing-Value Checks 8

  9. Many Postconditions are Trivially Redundant with the Code Written Postconditions • 25% of contracts are postconditions • 15% of postconditions specify: – The value a method returns – The value a property is Missing-Value Checks set to Redundant with Code 9

  10. Smart Defaults Reduce Annotation Burden Nullness: Checker Framework [Papi08] for Java assumes parameters and return values are non-null Tool Annotations per 1K LOC Checker Framework w/ Defaults 1-2 annos. Defaults cut # of annotations Code Contracts 2-5 annos. needed in half Awkward to override restrictions using Contracts: x != null || x == null 10

  11. Microsoft Code Contracts public class BankAccount { public void Deposit(decimal amount){ Contract.Requires (amount > 0.0); Contract.Ensures (Balance == Contract.OldValue (Balance) + amount); . . . } • C# Syntax and Typing • Run-time Checking . . . • Static Checking } 11

  12. Why Don’t Developers Use Functional Specifications? They are Expensive • Verbose , especially involving return / pre-state expressions – Contract.Result <IEnumerable<TEdge>>() • High runtime cost – Contract.ForAll (collection, elt => elt > 0) • No static checking – dictionary[key] < array.Length 12

  13. Talk Outline 1. The contracts that developers write 2. The contracts that developers could write 3. How developers react when shown the difference 13

  14. Inferring Contracts From Runtime Traces with Daikon + Celeriac [Ernst99] Introduced in our paper Celeriac Run Daikon .NET Binary Instrumented Value Binary Contracts Trace Celeriac: code.google.com/p/daikon-dot-net-front-end 14

  15. There’s a Gap Between Written Contracts and Program Behavior Inferred Contracts Written Contracts Good candidates for smart defaults Functional Specifications 15

  16. Developer-Written Contracts Miss Aspects of Program Behavior Object State: • this.IsUsable == (this.Reader.GetRefCount != 0) Relations: • this.programElement.ColumnNumber >= 0 State update: • this.Reader.GetRefCount() >= Contract.OldValue( this.Reader.GetRefCount() ) 16

  17. Talk Outline 1. The contracts that developers write 2. The contracts that developers could write 3. How developers react when shown the difference 17

  18. Case Study Research Question How do developers decide which contracts to add if contracts can be added with a single click? 18

  19. Case Study Methodology Subjects: two developers and their projects • Sando Code Search: document indexer component • Mishra RSS Reader: model component Existing Contracts: • 28 contracts across 482 methods • All but 3 were checks for missing values Task : Developer used interface to insert inferred contracts 19

  20. 20

  21. Case Study Research Question How do developers decide which contracts to add if contracts can be added with a single click? 21

  22. Differing Viewpoints to Inserting Contracts • Sando: in favor of automatically inserting all contracts above some confidence threshold • Mishra Reader: chose not to insert many valid contracts – Avoiding code bloat – Fear of runtime overhead – Belief that contracts should only be written at module boundaries (public methods) 22

  23. Suggestions are Beneficial (Up to a Point) • Tool suggested types of contracts developers would not have thought of – e.g.: Contract.ForAll(collection, elt => elt > 0) • Not a perfect substitute for training – Sando developer, unaware of object invariant and interface contracts, overlooked tool’s suggestions 23

  24. Training Affects How Contracts Are Used Contracts as Contracts as Functional Assertions Specifications Opportunities to train developers via the tooling itself • Identifying features that developer is under- utilizing • Can supplement sound static-checker inference with more expressive inference 24

  25. UI Grouping Schemes to Encourage Functional Specifications ① ( this.PropertyX > 3) implies (this.FieldX != null) By antecedent / kind By variable By kind By antecedent / var Always: FieldX: Nullness: Always: Nullness: PropertyX: ① ① this.PropertyX > 3: this.PropertyX > 3: Nullness: PropertyX: Comparison: FieldX: ① ① Comparison: Led developers to Grouping by condition discover kinds of did not help the contracts they had not developers reason considered before about implications 25

  26. Related Work • Contracts in the Wild: – Chalin06: Eiffel programs have a lower proportion of non-null checks, higher proportion of postconditions – Estler14: Eiffel, JML, and C# contracts are stable over time; preconditions are larger than postconditions • Human Factors: – Polikarpova09: Daikon finds contracts that developers missed – Johnson13: false positives and inadequate presentation prevent uptake of static analysis tools 26

  27. Conclusion: Both Tooling and Training are Required for Usability • Most check missing values, Introduce tooling to reduce e.g. != null annotation burden • Miss aspects of program Make suggestions key part behavior of tool ecosystem • Don’t (effectively) use Curate best practices. It’s powerful features, e.g., OK to be normative object invariants Tools and Data: http://bit.ly/code-contracts 27

  28. 28

  29. Lifecycle Not Ideal in Practice Annotations are too heavy especially the Result/Old syntax is horrid. The visual studio editor extension is buggy […] Seeing contracts easily from the call site would be a huge factor in convincing less enthusiastic developers about the benefits. [The static checker is] too slow, complicated and not expressive enough. Increased build time is a big problem! I am not yet totally convinced that [Code Contracts] are ready for prime-time 29

  30. Subject Projects Other Quality Subject Program Domain Code Contract Use Tools Used Labs Framework API exploration Static checking StyleCop (11K SLOC) framework Mishra Reader RSS reader Debugging concurrent code Jetbrains R# (19K SLOC) Sando Code search Early runtime error detection (24K SLOC) Quick Graph Algorithms and Pex / Testing Pex (32K SLOC) data structures 30

  31. Contract Inserter Interface Four possible actions: – Add as contract – Add as documentation – Mark as false – Ignore as implementation detail 31

  32. Null-checks Can be Expressive public ComplicatedType Foo(. . .){ Contract.Ensures(Contract.Result< ComplicatedType >() != null ); . . . } Types + Contracts Guarantee: • Methods Signatures + Method Contracts • Object Invariants 32

  33. Tool Information Celeriac: Contract Inference via Runtime Tracing https://code.google.com/p/daikon-dot-net-front-end Contract Inserter: Visual Studio Add-in https://bitbucket.org/fmc3/scout 33

  34. Type-State Example: Degenerate Behavior Encoding public class Subscription{ public SubscriptionsList SubscriptionsList { get; private set; } public void AddItem(Item item) { Contract.Requires (SubscriptionsList != null, "Call Initialize first"); . . . All contracts use != null } [InvariantMethod] public void ObjectInvariant(){ . . . Can’t write an invariant } } 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SET50 Index Futures Contract Specifications www.tfex.co.th at 21 Mar 13 1 Single Stock

SET50 Index Futures Contract Specifications www.tfex.co.th at 21 Mar 13 1 Single Stock

SET50 Index Futures Contract Specifications www.tfex.co.th at 21 Mar 13 1 Single Stock Futures Contract Specifications www.tfex.co.th at 21 Mar 13 2 TFEXs SET 50 Index Futures SET 50 index spot = 880.7 www.tfex.co.th at 13 Jan

221 views • 6 slides
Ambiguities: Latent and Patent Hal Moeller, Contract Administrator UMDNJ TPAC May 18,

Ambiguities: Latent and Patent Hal Moeller, Contract Administrator UMDNJ TPAC May 18,

Ambiguities: Latent and Patent Hal Moeller, Contract Administrator UMDNJ TPAC May 18, 2011 Ambiguities Discrepancies in specifications Omissions Significant conflicts within the specifications Ambiguities = Unexpected

150 views • 12 slides
PRESENTATION GET THE MONEY!!!! BUILDING UNDER CONTRACT Requirements to be provided to NAB:

PRESENTATION GET THE MONEY!!!! BUILDING UNDER CONTRACT Requirements to be provided to NAB:

NAB BUIL ILDERS PRESENTATION GET THE MONEY!!!! BUILDING UNDER CONTRACT Requirements to be provided to NAB: Signed and dated fixed builder contract Plans and specifications ie Council approved plan and building permits Copy

430 views • 41 slides
Encouraging savings, rewarding effort Saver Plus: Encouraging Savings and increasing financial

Encouraging savings, rewarding effort Saver Plus: Encouraging Savings and increasing financial

Encouraging savings, rewarding effort Saver Plus: Encouraging Savings and increasing financial capabilities among low-income families Roslyn Russell, Sandra Mihajilo, Aruna Nair and Robert Brooks This presentation.. Provides an overview

555 views • 33 slides
{ Social Web by Adriano &amp; Brbara Summary Encouraging newbies: Encouraging newbies: 1.

{ Social Web by Adriano &amp; Brbara Summary Encouraging newbies: Encouraging newbies: 1.

Encouraging Newbies Without newbies, online communities cant survive! { Social Web by Adriano &amp; Brbara Summary Encouraging newbies: Encouraging newbies: 1. 2. Adrianos point of view Brbaras point of view Introduction A

451 views • 31 slides
1.14 Implementing Effective Contract Negotiation and Relationship Management Strategies 101 May

1.14 Implementing Effective Contract Negotiation and Relationship Management Strategies 101 May

1.14 Implementing Effective Contract Negotiation and Relationship Management Strategies 101 May 2020 Mary Schwartz, Abt Associates Fran Ledger, HUD SNAPS Office 1 Webinar Instructions Webinar will last about 60 minutes Participants in

474 views • 26 slides
BE at UP BACKGROUND Complement business with effective solutions through innovative contract

BE at UP BACKGROUND Complement business with effective solutions through innovative contract

Unit for Intelligent Digital Forensics BE at UP BACKGROUND Complement business with effective solutions through innovative contract research October 2011 &amp; consulting Introducing the Unit The Unit is housed in the EBIT Faculty under

195 views • 6 slides
Keeyask Engineering Review Jan 30 2017 Project Design Review Contract Cost Review

Keeyask Engineering Review Jan 30 2017 Project Design Review Contract Cost Review

Keeyask Engineering Review Jan 30 2017 Project Design Review Contract Cost Review Specifications &amp; Drawings Extra Work Order Review Unit Price Review Quantity Estimates Contract Payment Overview KCB Review Scope Project Costs

560 views • 36 slides
Working with Contractors: Habitat-Oriented RFPs and Specifications Objectives Revisit key

Working with Contractors: Habitat-Oriented RFPs and Specifications Objectives Revisit key

Working with Contractors: Habitat-Oriented RFPs and Specifications Objectives Revisit key take-aways from panel discussion that will help us find ways to incentivize habitat creation, enhancement, and management through contract mechanisms

549 views • 9 slides
Encouraging Contribu.on Social Web, 2010 Jakob Rogstadius

Encouraging Contribu.on Social Web, 2010 Jakob Rogstadius

Encouraging Contribu.on Social Web, 2010 Jakob Rogstadius Encouraging contribu.on Goal of lecture: Give examples of ways to make people do things

152 views • 11 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
Up-Down Wheelchair 2.009 Silver A Design Specifications Requirements Attributes Specifications

Up-Down Wheelchair 2.009 Silver A Design Specifications Requirements Attributes Specifications

Up-Down Wheelchair 2.009 Silver A Design Specifications Requirements Attributes Specifications Reach Lift System Seat height 9-33 Wheel brakes, Handles 100kg Sliding bearings without tipping Safety and stability Weight Hydraulic jack 1500N

298 views • 13 slides
Statussen in snapshot voor premiejaar 2019 Used contract: Not used Used Request

Statussen in snapshot voor premiejaar 2019 Used contract: Not used Used Request

INFOSS Statussen snapshot (UC15) Leen Van Looveren 05/05/2020 1 Definities herhaling (UC02) Used contract: contract on which the NIHDI premium will be transferred if nothing would change before the payment day Valid contract: a contract

377 views • 16 slides
Contract Termination / Renewal Decisions Life of a contract Contract life Contract Execution

Contract Termination / Renewal Decisions Life of a contract Contract life Contract Execution

Contract Termination / Renewal Decisions Life of a contract Contract life Contract Execution period Reporting Time Implementation closure activities period Warranty Contract period Signature (supply) or defect liability period

289 views • 12 slides
Mem checking axiomatic SAT specifications of memory models Emina Torlak Mandana Vaziri

Mem checking axiomatic SAT specifications of memory models Emina Torlak Mandana Vaziri

Mem checking axiomatic SAT specifications of memory models Emina Torlak Mandana Vaziri Julian Dolby MIT SAT/SMT Summer School June 16, 2011 Introduction x = 0, y = 0, y = 0 memory model contract between programmer r1 = x r2

1.27k views • 103 slides
Your Contract in Litigation You Negotiated and Executed a Contract and Now that Contract is in

Your Contract in Litigation You Negotiated and Executed a Contract and Now that Contract is in

From Boardroom to Courtroom: Your Contract in Litigation You Negotiated and Executed a Contract and Now that Contract is in Litigation, What Does that Mean for Your Company? Michelle D. Gambino | Greenberg Traurig, LLP | GambinoM@gtlaw.com

445 views • 25 slides
Privacy-preserving and Authenticated Data Cleaning on Outsourced Databases Thesis Defense

Privacy-preserving and Authenticated Data Cleaning on Outsourced Databases Thesis Defense

Privacy-preserving and Authenticated Data Cleaning on Outsourced Databases Thesis Defense Boxiang Dong THESIS COMMITTEE: Advisor: Prof. Wendy Hui Wang Prof. Yingying Chen Prof. David Naumann Prof. Antonio Nicolosi Department of Computer

1.11k views • 61 slides
University of Some enumeration formulas : lay |YsYdYIYhY Thm I Hurwitz , . , ( 23 )

University of Some enumeration formulas : lay |YsYdYIYhY Thm I Hurwitz , . , ( 23 )

Applications of geometric techniques Coxeter combinator Catalan in ics . Theo Douvropoulos Thesis Defense Minnesota University of Some enumeration formulas : lay |YsYdYIYhY Thm I Hurwitz , . , ( 23 ) ( l 3) ( 123J = - #

420 views • 24 slides
AGENDA ITEM #6: HRTPO PROJECT PRIORITIZATION: RECOMMENDED ENHANCEMENTS The HRTPO Project

AGENDA ITEM #6: HRTPO PROJECT PRIORITIZATION: RECOMMENDED ENHANCEMENTS The HRTPO Project

AGENDA ITEM #6: HRTPO PROJECT PRIORITIZATION: RECOMMENDED ENHANCEMENTS The HRTPO Project Prioritization Tool was developed to assist regional decision-makers in prioritizing transportation projects based off technical merits and regional

255 views • 21 slides
Fundamentals of vortex dynamics Andrew David Gilbert, Mathematics Department, University of Exeter,

Fundamentals of vortex dynamics Andrew David Gilbert, Mathematics Department, University of Exeter,

Fundamentals of vortex dynamics Andrew David Gilbert, Mathematics Department, University of Exeter, UK Leverhulme Trust Research Fellowship - 2019 Motivation: vortices and more vortices wing-tip vortices (NASA) draining Lake Texoma, USA

962 views • 39 slides
Neural Architectures for NLP Jindich Helcl, Jindich Libovick February 26, 2020 NPFL116

Neural Architectures for NLP Jindich Helcl, Jindich Libovick February 26, 2020 NPFL116

Neural Architectures for NLP Jindich Helcl, Jindich Libovick February 26, 2020 NPFL116 Compendium of Neural Machine Translation Charles University Faculty of Mathematics and Physics Institute of Formal and Applied Linguistics unless

769 views • 59 slides
Sequence-to-Sequence Learning using Recurrent Neural Networks Jindich Helcl, Jindich

Sequence-to-Sequence Learning using Recurrent Neural Networks Jindich Helcl, Jindich

Sequence-to-Sequence Learning using Recurrent Neural Networks Jindich Helcl, Jindich Libovick March 4, 2020 NPFL116 Compendium of Neural Machine Translation Charles University Faculty of Mathematics and Physics Institute of Formal and

1.29k views • 79 slides
Improving the Airflow User Experience Speakers Ry Walker Viraj Parekh Maxime Beauchemin

Improving the Airflow User Experience Speakers Ry Walker Viraj Parekh Maxime Beauchemin

Improving the Airflow User Experience Speakers Ry Walker Viraj Parekh Maxime Beauchemin Founder/CTO at Astronomer Head of Field Engineering Founder/CEO of Preset, Creator of at Astronomer Apache Airflow and Apache Superset @rywalker

987 views • 55 slides
SCALING INSTAGRAM INFRA Lisa Guo March 7th, 2017 lguo@instagram.com INSTAGRAM HISTORY 2010

SCALING INSTAGRAM INFRA Lisa Guo March 7th, 2017 lguo@instagram.com INSTAGRAM HISTORY 2010

SCALING INSTAGRAM INFRA Lisa Guo March 7th, 2017 lguo@instagram.com INSTAGRAM HISTORY 2010 2014/1 2012/4/9 2017 joined Facebook 600M users/month INSTAGRAM EVERYDAY 400 Million Users 4+ Billion likes 100 Million photo/video uploads

1.05k views • 87 slides

More recommend