Code Contracts - Make Coding Assumptions Explicit and Tool Discoverable in .NET

Contracts

Code Contracts provide a language-agnostic way to express coding assumptions in .NET programs. The contracts take the form of pre-conditions, post-conditions, and object invariants. Contracts act as checked documentation of your external and internal APIs. The contracts are used to improve testing via runtime checking, enable static contract verification, and documentation generation.

We were at PDC 2008: http://sessions.microsoftpdc.com/

If you missed us, you still get to watch the talk.

Code Contracts bring the advantages of design-by-contract programming to all .NET programming languages. Programming with contracts means writing pre-conditions, post-conditions, and object invariants in your code. The benefits of writing contracts are:

Improved testability

each contract acts as an oracle, giving a test run a pass/fail indication.
automatic testing tools, such as Pex, can take advantage of contracts to generate more meaningful unit tests by filtering out meaningless test arguments that don't satisfy the pre-conditions.

Static verification We have prototyped numerous static verification tools over the past years. Our current tool takes advantage of contracts to reduce false positives and produce more meaningful errors.

API documentation Our API documentation often lacks useful information. The same contracts used for runtime testing and static verification can also be used to generate better API documentation, such as which parameters need to be non-null, etc.

Our solution consists of using a set of static library methods for writing pre-conditions, post-conditions, and object invariants as well as two tools:

ccrewrite, for generating runtime checking from the contracts
cccheck, a static checker that verifies contracts at compile-time.

The plan is to add further tools for

Automatic API documentation generation
Intellisense integration

The use of a library has the advantage that all .NET languages can immediately take advantage of contracts. There is no need to write a special parser or compiler. Furthermore, the respective language compilers naturally check the contracts for well-formedness (type checking and name resolution) and produce a compiled form of the contracts as MSIL. Authoring contracts in Visual Studio allows programmers to take advantage of the standard intellisense provided by the language services. Previous approaches based on .NET attributes fall far short as they neither provide an expressive enough medium, nor can they take advantage of compile-time checks.

Contracts are expressed using static method calls at method entries. Tools take care to interpret these declarative contracts in the right places. These methods are found in the System.Diagnostics.Contracts namespace.

• Contract.Requires takes a boolean condition and expresses a pre-condition of the method. A pre-condition must be true on entry to the method. It is the caller's responsibility to make sure the pre-condition is met.

• Contract.Ensures takes a boolean condition and expresses a post-condition of the method. A post-condition must be true at all normal exit points of the method. It is the implementation's responsibility that the post-condition is met.

At the moment, the release works only for VS2008 with an academic license. It is available here. After installing, there is link to documentation under All Programs -> Microsoft Code Contracts to get you started. We are working on a version that will also work with VS2005. That should be ready soon, so please check back.

Currently we have only a mailing address codconfb _at_ microsoft _dot_ com that you can send mail to. Unfortunately it is a one-way only list. We are working on setting up a web forum so that everyone can see the discussions. Stay tuned for that!