Lecture 1: Contracts Flashcards
(28 cards)
What are the four types of contracts?
precondition, postcondition, loop invariant, assertions
What are the objectives of this lesson? (3 main)
develop contracts to help you prove the safety and validity of your code; develop informal termination arguments for loops and recursion; specification vs implementation
What is the command to run the c0 interpreter with contracts?
coin -d filename.c0
When is the best place to tabulate values while tracing code? What is iteration 0?
right before the exit condition is tested; when we enter the loop for the first time
How do we prove the loop invariant?
By assuming that it holds before the loop is run, and showing that it holds after the loop is run
How do we prove the loop invariant? (two parts)
First, demonstrate that the invariant holds initially; second, assume that the invariant holds just before the exit condition is checked. We have to show it is true again when we reach the exit condition after one iteration of the loop
How do we show that a loop terminates?
define some quantity that always gets strictly smaller during any arbitrary iteration of the loop, and can never become negative (or go below a certain value)
What do we need when something isn’t defined for a certain range of inputs? (ex. x^(a negative irrational number)) How do you write the necessary contract?
a precondition; to require that the exponent cannot be negative: //@requires y>=0;
What is the syntax for preconditions? Where are they written? When are they checked?
//@requires; written right below the function name, above the body of the function; checked before the function body runs (NOT in sequence like an ordinary statement)
What are the two parts/sides of a function contract?
The precondition that “requires” a certain type of input; the promise of a postcondition
How do you construct a post-condition if the language doesn’t have a built-in function?
Make a “lemma” function of the simplest form, even if it is not computationally efficient. In the main function, promise that the post-condition will equal the result of this “lemma function”
What is the syntax for a postcondition?
//@ensures e; where e is a boolean expression
Where is the postcondition written relative to the function?
The postcondition comes under the function name, under the precondition (of the form //@requires) and right before the body of the function
What special variable can be used in the postcondition only that is the value returned by the function?
\result
What does the -d in compiling or calling the interpreter stand for?
dynamic checking
Where does the error “cannot assign to variable ‘x’ used in @ensures annotation” come from?
We are changing the value of x in the body while the postcondition depends on the initial value of x remaining unchanged; this would violate the principle that we only need to look at the contract to decide whether or not to call the function, because reassigning x changes the meaning of the postcondition
Do all contracts need to be boolean statements?
yes
When is @requires checked?
A precondition, checked just before the function body executes
When is @ensures checked?
A postcondition, checked just after function body has been executed; can use \result to refer to the value returned by the function to impose a condition on it
When is @loop_invariant checked?
checked every time just before the loop exit condition (or the loop guard) is checked
When is @assert checked?
acts like a statement, checked every time it is encountered
For what two purposes are contracts important?
Testing and reasoning
How do contracts help with testing?
they represent a generic test of a function; contracts talk about expected values of arbitrary arguments. Drawback is that they are only useful if we have good test cases, because contracts not executed with values that cause them to fail cannot cause execution to abort
How do @requires contracts help with reasoning?
At the call sites, we have to prove that the precondition is satisfied for the given arguments, then assume it for reasoning in the body of the function