eiffelroom - Ecma - Comments

Exposing pre/postconditions of agent

maverick — Thu, 02 Aug 2007 10:59:44 -0700

I disagree with the point that opposes exposing the preconditions and postconditions of agents. It seems to me like the only way to get complete specifications of higher order routines (somewhat related to higher order functions). In simpler terms, the postcondition function of agents may be used in postconditions of routines that receive agents as parameters (directly or indirectly) to describe the work in terms of the given agent.

If I bring the problem in a functional context, we can see what could be desirable for Eiffel. I'll use a lisp-like syntax and presume a design by contract macro set to make my example. Let specify the map function (for non-lispers: this function applies a given function to every elements of a list and returns a list containing the results).

(def-dbc-function (map f list)
  (require
    (not (null? f)))
  (deferred)
  (ensure
    (implies (not (null? list)) 
              (equal? result 
                      (cons (f (car list))
                            (map f (cdr list)))))
    (implies (null? list)
              (null? result))))

We can see a parallel with iterators in Eiffel. The main problem is that we cannot specify a procedure like do_all as we did map since it applies a procedure object and we do not know what we may call the frame of the operation. I think that's why no easy definition comes up for the postcondition feature of routines.

The only alternative is to write the loop as the implementation and the specification and then freeze the implementation. This is not quite convenient because there may be reasons to redefine it.

Simon

Agent Contracts

harrah — Thu, 12 Apr 2007 05:52:43 -0700

I agree that exposing and then explicitly checking pre/postconditions is not desirable, at least not as a general solution to agent contracts. Here are some thoughts on a possible form of a solution.

We have code that wants to call a feature that is bound at runtime. We may statically specify the type of feature (query or function) and the number, order, and type of open arguments that this feature must have.

However, we cannot statically guarantee to the client that binds a feature and gives it to our code anything more about those arguments. Neither can we describe what we expect from the feature.

So, we can currently write that we want the following entity:

to_call: PROCEDURE[TARGET_TYPE, TUPLE[argument_1: TYPE_1; ...]]

But, perhaps we want to write something more like

to_call: agent_interface prototype

(using 'agent_interface' as a keyword) for a feature `prototype' defined as:

prototype(argument_1: TYPE_1; ...)

         -- Defines the contract of an agent

      require

         precondition_1: ...

      agent_interface

      ensure

         precondition_2: ...

      end

The assignment

to_call := agent implementation

would require the feature `implementation' to effect `prototype' as if `prototype' were a feature inherited as deferred. That is, `implementation' would have to

Be a procedure with arguments that conform to the arguments of `prototype' (as is currently required)
Use assertion extensions (that is, 'require else' and 'ensure then')
Have a combined precondition and combined postcondition (like a redeclaration of a feature)

Additionally, I think there are some more details such as feature calls with `Current' as the target probably cannot or should not be allowed in the assertions of the interface.

An example following the previously provided DRAWABLE/SHAPE example:

to_do: agent_interface draw_shape

draw_shape(drawable: DRAWABLE; a_shape: SHAPE)

         -- Draw a shape on the given target.

      require

         a_shape_not_void: a_shape /= Void

         visible: drawable.is_visible

      deferred

      end

usage:

   drawable: DRAWABLE

   a_tower: SHAPE

   ...

   to_do := agent {DRAWABLE}.draw

   to_do.call([drawable, a_tower])

EDIT: corrected example usage

removing dynamic postconditions mitigates the problem but...

nenieorg — Wed, 11 Apr 2007 04:23:32 -0700

You can escape old and state issues by not having postconditions in the ROUTINE interface. There's no use case I can think of for checking postcondition explicitly at runtime (a failed postcondition can only be a bug), while there's a use case for checking some preconditions as part of establishing the client fulfills its side of the contract and takes remedial action otherwise.

Although even there is does get a bit fuzzy in that the only preconditions a client should be entitled to check is the preconditions which are part of the _static_ agent interface, for instance let's say we have a classic Eiffel pattern:

deferred class DRAWABLE

feature

    is_visible: BOOLEAN is

           -- Is drawable target ready to receive instructions?

        deferred

        end

    draw (a_shape: SHAPE) is

           -- Draw a shape on some target.

        require

           a_shape_not_void: a_shape /= Void

           visible: is_visible

        deferred

        end

end

which you would use as such:

drawable: DRAWABLE

...

  if drawable.is_visible then

     drawable.draw (a_tower)

  end

In agentified Eiffel the same pattern becomes:

drawable: ROUTINE [ANY, TUPLE [SHAPE]]

...

    -- (1) generic preconditions checking

   if drawable.preconditions_holds ([a_tower]) then

      drawable.call ([a_tower])

   end

    -- or (2) tagged preconditions checking

   if drawable.precondition_holds ("is_visible", [a_tower]) then

      drawable.call ([a_tower])

   end

Both patterns suffer from problems. (1) is checking too much, leaking debug code into non-debug execution flow. This illustrate the major drawback of exposing preconditions, it leaks the internal programming language plumbing inside the program. I think it has been a great strength of Eiffel to have fairly limited reflection facilities, so that you don't have "bits of compilers" leaking into programs, both conceptually and as part of the runtime footprint. This stuff is moving in the wrong direction.

(2) suffers a variant of the same problem, in that while semantically equivalent to the classic Eiffel pattern, it has also leaked compiler stuff into runtime, with some drawbacks for example the tag is a string, so there will be no compilation time error if is_visible is renamed etc, or if there's a typo in the first place, and the compiler cannot, or painfully, dead code away the 'debug' contracts that are always true in a correct program (and that damage extend to all routines with the same signature that are agent targets, and their descendants!). Also code analysis or automated verification becomes a harder problem.

I think its not only about

aleitner — Mon, 02 Apr 2007 06:13:46 -0700

I think its not only about the preservation. If you ask a routine whether a postcondition is satisfied, wich prestate and which poststate are you referring to? What is the meaning of `r.preconditions_hold ([1,2,3])'? Does it ask whether some past execution satisfied the postcondition, the last one, or maybe a hypthesized one?

I am not completely clear on it either, but at the moment the only thing that makes sense to me is to ask either:

1) Given this set of arguments, this prestate and this poststate, does the postcondition hold?

2) For the last execution of this agent, did the postcondition hold?

I think 1) is very tricky to implement. (What is a prestate and what is a poststate?) 2) is easier to implement, in fact it can be as simple as a variable. But in the end I am not sure about its usefulness, after all if the last execution failed I would have noticed because an exception was thrown. Btw, for 2) you don't need arguments either.

Andreas

Transmitting old values

colin-adams — Mon, 02 Apr 2007 02:16:51 -0700

As usual, I answered too quickly, before thinking.

I now see that preservation of old values across the call might be tricky (or not possible, for an implementation in Eiffel code). Colin Adams

Calling the implementation

colin-adams — Mon, 02 Apr 2007 02:02:26 -0700

By "calling the implementation", do you mean the implementation of the body or of the postcondition code?

I don't see where the difficulty lies. It works in workbench mode.

Colin Adams

Maybe I am missing

aleitner — Mon, 02 Apr 2007 01:32:17 -0700

Maybe I am missing something, but I still don't see how `postcondition_holds' can be implemented without calling the actual implementation? Or should the postcondition just be evaluated on the current state + arguments? If so, how can a `postcondition_holds' ever ealuate to True for a postcondition like `count = old count + 1'?

ECMA process

manus_eiffel — Sun, 01 Apr 2007 10:36:16 -0700

Anyone can join the process as long as you are part of either a company/institution that is an ECMA member. The minutes and various proposals are currently only accessible by the ECMA members. As far as I know, the committee is free to decide whatever it wants regarding the publication of the various documents used (minutes, drafts, ...).

Relevance

colin-adams — Sun, 01 Apr 2007 10:29:33 -0700

The main benefit for homogeneous clusters is simpler heuristics - there is no possibility of confusing Latin-1 with UTF-8.

If you can't eliminate the possibility of one or another, I know of know way to disambiguate them, in general.

Of course, there are lots of cases where it is easier to see which of the two is meant. But in other cases, not.

So, starting from the case where the file is pure ASCII. Did the author intend it to be treated as Latin-1 or UTF-8?

In this case, it doesn't matter (the only possibility is the type of manifest string constants, but these are defined to be of type STRING).

But all we have to do is to mutate one character in a string literal, and immediately (if we choose the mutation carefully), the case becomes undecidable.

Colin Adams

Closed standard design process

ericb — Sun, 01 Apr 2007 02:42:42 -0700

I'll let Manu (the ECMA Eiffel committe convener) answer this question about the way ECMA works. I for one would prefer a more open process, and feel lucky to be part of this committee.

Avoiding re-inventing the wheel

colin-adams — Sun, 01 Apr 2007 00:16:58 -0700

How is one supposed to know what the ECMA committee have and have-not considered? This is one of the chief points from my article Learning from the W3C process. Colin Adams

Nothing new that the ECMA committee didn't know

ericb — Sat, 31 Mar 2007 23:58:30 -0700

When you wrote:

no_empty_strings: Result.for_all (agent {STRING}.is_empty)

I guess you meant:

no_empty_strings: not Result.there_exists (agent {STRING}.is_empty)

Note that it would have been less confusing to write:

no_empty_strings: Result.for_all (agent (s: STRING): BOOLEAN do Result := not s.is_empty end)

! ;-)

Also, if routines `precondition' and `postcondition' (currently specified in ISE's ROUTINE class) were implemented, your proposal is not very different from the currently intended (but not explicitly specified, because not implemented) behavior:

call (a_args: like operands)

         -- Call `Current' passing `a_args' as actual arguments.

      require

         valid_operands: valid_operands (args)

         preconditions_hold: precondition (a_args)

      ensure

         postconditions_hold: postcondition (a_args)

I think that the problem we are facing is not really how to specify things correctly (using tags or not), but rather how to implement it. I'm sure that if ISE knew how to implement their `precondition' and `postcondition' routines in ROUTINE then `call' would be properly specified with these contracts. For example even today you can write:

if (agent y).precondition (l_args) then

         y (l_arg1, l_arg2)

but because `precondition' is not implemented and always returns True, this is useless.

Is this relevant?

manus_eiffel — Fri, 30 Mar 2007 10:12:00 -0700

The source code will be using plain text file (i.e. sequence of character codes that are between 0 and 255), UTF-8 or any other Unicode encoding. Once you have the encoding then the semantics is properly defined.

Of course if one library author is using Unicode characters beyond 255, the user of that library will be forced to use a Unicode encoding for his source code, but is this relevant to the project specification? I don't think so.

Heuristics

colin-adams — Fri, 30 Mar 2007 10:07:50 -0700

See also Heuristics for detecting class text encoding. Colin Adams