top | item 42133698

(no title)

I did my dissertation work on software contracts. They are generally useless: programmers won't write them, or will write them incorrectly. Moreover, the runtime enforcement dominates all but the most-expensive functions, and contracts become an antipattern for helper functions due to their enforcement cost.

Without intense compiler support and contract erasure such as David Van Horne's work, this is a dead idea that needs to stay that way.

discuss

tomasGiden|1 year ago

I worked in the telecom business 15 years ago on 4G (LTE) and there it was considered a big savior compared to how it was done before.

Basically before they had a lot of error handling code and it was a significant part of the code base (don’t remember but let’s say 50%) and this error handling code had the worst quality because it is very hard to inject faults everywhere. So basically the error handling code had a lot of bugs in it which made the system fail to recover properly.

But DbC was a godsend in the way that now you didn’t try to handle errors inside the program any longer. Now the only thing that mattered was that a service should be able to handle clients and other services failing. And failure in a few well defined interfaces is much easier to handle. So the quality became much better.

What about the crashes then? Well, by actually crashing and getting really good failure point detection it was much easier to find bugs and remove them. So the failures grew less and less. Also, at that time I believe there were 70 ms between voice packages so as long as the service could recover within that timeframe, no cell phone users would suffer.

Plus of course much less error prone error handling code to write.

And as someone else said, DbC should never be turned of in production. Of course, in embedded systems, speed is not so important as long as it is fast enough to not miss any deadlines. And you need to code it so it doesn’t miss deadlines during integration and verification with DbC so there is no reason to turn them off in production.

rramadass|1 year ago

Nice.

Bertrand Meyer in his usual painstakingly detailed manner explains how to integrate DbC with Exception/Error handling in his paper Applying Design by Contract linked to here - https://news.ycombinator.com/item?id=42133876

dataflow|1 year ago

It sounds like you're specifically talking about runtime-enforced contracts rather than ones that the compiler uses to prove compliance? Your first sentence makes it sound like you think all contracts are useless, but your last sentence makes it seem like you think they're useful if they're compile time.

johnisgood|1 year ago

Which they are (compile time) with Ada / SPARK, without any runtime costs.

pjmlp|1 year ago

Yet companies like Eiffel Software, and Ada vendors with Ada/SPARK, are still in business with people paying for using their tools, in a day and age where many devs refuse to pay for their tooling.

SvenL|1 year ago

Would be interesting if they pay because they want those tools or if they pay because they fear rewriting some old tools using those languages.

rramadass|1 year ago

Interesting. I am a fan of DbC (following Meyer's Applying "Design by Contract" - pdf at https://se.inf.ethz.ch/~meyer/publications/computer/contract...) though due to runtime costs (as you point out) i limit it to pre-conditions only everywhere (almost all "policy" part of the code and less on the "mechanism" side) and tighter pre/post-conditions on module boundaries only.

> programmers won't write them, or will write them incorrectly.

I think this is a matter of education and discipline and not an argument for not using DbC.

If it is okay with you could you share your dissertation and maybe highlight the key points which led you to your conclusion of "They are generally useless"? I think it would be useful to know.

mempko|1 year ago

I use them for all my code. They are far from useless. You never want to turn them off in production either since that's a source of important information. You are right programmers don't write them, but that says nothing about contracts and a lot about how programmers are trained.

int_19h|1 year ago

I find it a very dubious assertion particularly with respect to performance. Well-written idiomatic code in most languages should validate inputs anyway; it's just done in an ad-hoc way - stuff like ArgumentException in .NET or ValueError etc in Python, for example. Contracts are just a way to formalize it, not only for the benefit of static analyzers, but also for better integration with existing tooling (generated docs etc).

And no, you don't have to write a code contract for every single function. Code contracts are most useful in the same exact place you'd do other kinds of contracts, like say documenting the public API of a library. From there it's diminishing gains to extend them deeper into the implementation, but in any case, one can always find a balance between performance and enforced contract checks. Not all code needs to be blazing fast, and erring on the side of correctness is preferable.

fermigier|1 year ago

A reference for your dissertation?

The usefulness (or lack thereof) of contracts was famously discussed in 1997 in this paper: https://www.irisa.fr/pampa/EPEE/Ariane5.html (with additional comments here: https://www.irisa.fr/pampa/EPEE/Ariane5-comments.html ).

I have tried several times (a couple of decades ago) to introduce DBC in Python, using one of the many available libraries (for an overview: see https://lab.abilian.com/Tech/Python/DbC%20in%20Python/ ) but, like you, wasn't convinced.

I believe your argument on the performance penalty is right, and as a corollary, this implies that contracts are mostly useful if associated with a formal proof system. Contracts in production are probably a bad idea, in most cases.

pschanely|1 year ago

> I believe your argument on the performance penalty is right, and as a corollary, this implies that contracts are mostly useful if associated with a formal proof system. Contracts in production are probably a bad idea, in most cases.

Agree! There is a sliding scale between testing contracts and proving them too. My labor of love for the past several years has been a tool for checking Python contracts using an SMT solver (using symbolic inputs over concrete paths): https://github.com/pschanely/CrossHair

That said, these days I think property-based testing gets you the ~same benefits as contracts, and is easier for most people to apply.

mempko|1 year ago

Wow, people miss the point of contracts. You never want to turn them off in production, because that's where all the weird shit happens that you never thought of. Contracts catch bugs in those times. Maybe people find them useless precisely because they turn them off.

mgaunard|1 year ago

Contracts are widely used in the form of asserts throughout many codebases and are generally seen as improving code quality and enabling more efficient designs.

Even something like accessing an element in an array is subject to the contract that the index is less than the size.

quotemstr|1 year ago

SAL is wildly successful in the Windows world and is basically a contract language embedded in C macros.

zerr|1 year ago

Is anyone using Eiffel language in the real world? The community seems so tiny, barely existing.

rramadass|1 year ago

That doesn't matter when it comes to concepts/ideas which are useful overall. In this context DbC is a general idea/technique (derived from the Floyd/Hoare/Dijkstra school of "Program Correctness") useful for "large scale" Software Engineering.

pjmlp|1 year ago

Definitly, otherwise Eiffel Software would have closed shop by now.