Differences

This shows you the differences between two versions of the page.

--- rfc:dbc2 [2015/02/10 06:52] – yohgaki
+++ rfc:dbc2 [2015/02/14 23:14] – fixed typo during review marcio
@@ Line 2: / Line 2: @@
   * Version: 0.1
   * Date: 2015-02-10
-  * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>
+  * Author: Yasuo Ohgaki <yohgaki@ohgaki.net>, Dmitry Stogov <dmitry@zend.com>, Joe Watkins <pthreads@pthreads.org>
   * Status: Draft
   * First Published at: http://wiki.php.net/rfc/dbc2
-===== Important Note====
+===== Important Note =====
-This RFC is a part of "Native DbC support" RFC.
+This RFC is an alternative approach to "Native DbC support" RFC.
 http://wiki.php.net/rfc/dbc
-There are many way to achieve DbC. This RFC proposes DbC as function/method definition.
+Contracts can be defined without modification to the language, however, the D documentation calls the resulting implementation "clumsy and inconsistent".
-===== Introduction =====
+Other advantages of a native implementation, also taken from the D manual:
-Design by Contract (DbC) or Contract Programming is powerful program design concept based on **Contracts** that
+  * a consistent look and feel for the contracts
+  * tool support
+  * compiler optimizations
+  * easier management and enforcement of contracts
+  * handling of contract inheritance
-  - Define **precondition** contract for methods/functions. i.e. Define Parameter value specifications/conditions.
+All of the above applies to PHP.
-  - Define **postcondition** contract for methods/functions. i.e. Define Return value specifications/conditions.
-  - Define **invariant** contract for methods/functions. i.e. Define class state must be true always.
-These contracts are evaluated development time only. Therefore, there is **no performance penalty** with DbC.
+===== Introduction =====
-  * http://dlang.org/contracts.html
+The D manual contains the following succinct definition of contracts:
-  * http://en.wikipedia.org/wiki/Design_by_contract
-====DbC Changes the Way Program is Designed/Developed/Tested====
+> The idea of a contract is simple - it's just an expression that must evaluate to true. If it does not, the contract is broken, and by definition, the program has a bug in it. Contracts form part of the specification for a program, moving it from the documentation to the code itself. And as every programmer knows, documentation tends to be incomplete, out of date, wrong, or non-existent. Moving the contracts into the code makes them verifiable against the program.
-==CalleR and CalleE responsibility and validation:==
+This should be easily comprehensible, it further validates the argument that the best implementation is a native one, so that the programmer really can "move the specification from the documentation to the code".
-  * With modularized design without DbC, the more code is consolidated, the better code is. \\ Therefore, parameter validity is checked deep into the code. Parameter validity check is __calleE__ responsibility.
-  * With DbC, parameter checks are done as **precondition**. Passing valid parameter to a function is __calleR__ responsibility.
-==Exit value validation:==
+===== Proposal =====
-  * Without native DbC, return value validity cannot be checked without scattered assert() for every place function is used. \\ i.e. Programmers has to write "$ret = func(); assert($ret > 0);" everywhere func() is used or code must have assert() for each func().
-  * With native DbC, return value validity is checked as **postcondition**. It does not require scattered assert().
-==Class state validation:==
+Support for the following contracts will be introduced:
-  * With native DbC, **invariant** condition may be defined. **Invariant** allows programmers consolidate class state which must be TRUE for always. \\ e.g. $account_balance >= 0
-**precondition** check can be done with assert(), but other feature requires native DbC.
+  * precondition       "require"( **precondition-expression** [,'Error msg'])
+  * postcondition      "return"( **return_value**, **postcondition-expression** [,'Error msg'])
+  * invariant          "require"( **invariant-expression** [,'Error msg'])
-DbC reverses the responsibility caller and callee, ensures parameters, return value and class state validity without performance penalty. This helps PHP to achieve more efficient development by contract errors, faster execution for production.
+===== Pre and Post Condition =====
-DbC encourages users to control inputs/output/class state precisely. This helps application development. Languages designed lately have native DbC support. e.g. D language. Almost all languages have some kind of DbC supports today.
+These contracts should be defined after the function declaration, but before the function body.
-====Readability of Code / Testing Code====
+Multiple precondition and postcondition contracts may be used. The expressions are just a regular PHP expressions. They are evaluated in the function scope, and can access arguments and other scope variables, and return value (via a reserved name). Pre and post-conditions can't be defined for abstract methods and methods defined in interfaces.
-Since contracts are written in function/method definition, it's much easier to find function/method spec compared to conditions written in UnitTests. It also enables contract check for running applications operated by humans.
+<code>
+function add(int $a, int $b) : int
+	require($a > 0)
+	require($b > 0)
+	return($ret, $ret > 0, "something wrong")
+{
+	return $a + $b;
+}
+</code>
-DbC is __NOT__ a complement of UnitTest, but it provide additional way of testing programs. Programs should be tested by UnitTest with and without DbC. With this procedure, UnitTest condition coverage is improved and/or simplified.
+this code is going to be evaluated as
+<code>
+function add(int $a, int $b) : int
+{
+	assert($a > 0);
+	assert($b > 0);
+	$ret = $a + $b;
+	assert($ret > 0, "something wrong");
+	return $ret;
+}
+</code>
-====General Concern of Design by Contract====
+===== Invariant =====
-Some may concern that lack of checks under production environment. However, all inputs to programs should validate input parameter validity right after input parameters are passed to program.
+Invariant contracts are declared using **require** inside class body. Multiple invariant contracts may be used. They may access object or static properties through **$this** and **self**. Invariant contracts may be used for classes, abstract classes and traits, but not for interfaces.
-This is basic principle of secure programs. Users should not DbC everywhere. User should have proper defense in depth as security measure. Security standard like "ISO 27000" or security guideline like "[[http://cwe.mitre.org/top25/#Mitigations|SANS TOP 25 Monster Mitigations]]" suggests to have proper output controls, as well as input controls. This applies with or without DbC. **DbC encourages proper input/output controls compare to program design without DbC.**
+<code>
+class Accumulator {
+	private $sum = 0;
+	function add(int $a)
+		require($a > 0)
+	{
+		$this->sum += $a;
+	}
+	require($this->sum > 0, "overflow detected");
+}
+</code>
-===== Proposal =====
+this code is going to be evaluated as
-Introduce native contracts "require"( **precondition** ), "return"( **postcondition** ) definition to function/method and special "<nowiki>__invaliant()</nowiki>" method to class.
+<code>
+class Accumulator {
+	private $sum = 0;
+	function add(int $a)
+	{
+		assert($a > 0);
+		assert($this->sum > 0, "overflow detected");
+		$this->sum += $a;
+		assert($this->sum > 0, "overflow detected");
+	}
+}
+</code>
-While new usage of require, return may seem strange at first, users can use familiar PHP syntax for DbC definitions.
+**Invariant contracts are not evaluated when object properties are changed from outside the class scope.**
-  * require(assert-expr [,'Error msg']); Precondition in function/method and invariant in class
+====Contracts Inheritance Rules====
-  * return(assert-expr [,'Error msg']); Postcondition in function/method. "$>" is used as return value.
-**require**, **return** behave just like assert().
+Contracts are constant, this has the following implications:
+  * a derived class must satisfy invariant contracts of it's parent
+  * a derived class overriding a method must satisfy the pre and post condition contracts of it's prototype.
-====Example====
+Thus, given the following code:
-<code php>
-class Product {
-  protected $inventory;
-  require($this->$inventory >= 0); // Invariant - Should be always TRUE
-  // User is supposed to check inventory first
+<code>
-  function haveEnoughInventory($quantity)
+class Child {
-    require($quantity > 0)  // Precondition
+    require ($this->age < 18);
-  {
-    return (bool) ($this->inventory - $quantity) >= 0;
+    public function someMethod($input)
-  }
+        require(somethingAbout($input)) {
+        /* ... */
+    }
-  // Sell inventory
+    /* ... */
-  function sell($quantity)
-    require($quantity > 0) // Precondition
-    return($> >= 0) // Postcondition. $> is return value
-  {
-    return $this>inventory - $quantity;
-  }
 }
-</code>
+class Monster extends Child {
+    require ($this->odour == OBNOXIOUS);
-====Longer Class Definition Example - need better one====
+    public function someMethod($input)
-<code php>
+        require(somethingElseAbout($input)) {
-class MySession2 extends SessionHandler {
+        /* ... */
-    public $path;
-    require(is_string($this->path)) && !empty($this->path));
-    public function open($path, $name)
-        require(strlen($path) > 3 && strlen($name) > 3);
-        return(is_bool($>));
-    {
-        if (!$path) {
-            $path = sys_get_temp_dir();
-        }
-        $this->path = $path . '/u_sess_' . $name;
-        return true;
     }
-    public function close()
+    /* ... */
-        return(is_bool($>))
-    {
-        return true;
-    }
-    public function read($id)
-        return(is_string($>) && strlen($id) > 10)
-    {
-        return @file_get_contents($this->path . $id);
-    }
-    public function write($id, $data)
-        require(strlen($id) > 10 && strlen($data) > 10)
-        return(is_bool($>));
-    {
-        return file_put_contents($this->path . $id, $data);
-    }
-    public function destroy($id)
-        require(strlen($id) > 10)
-        return(is_bool($>))
-    {
-        @unlink($this->path . $id);
-    }
-    public function gc($maxlifetime)
-        require($maxfiletime > 60)
-        return($> > -1) // GC supposed to return number of deleted records. Code is wrong
-    {
-        foreach (glob($this->path . '*') as $filename) {
-            if (filemtime($filename) + $maxlifetime < time()) {
-                @unlink($filename);
-            }
-        }
-        return true;
-    }
 }
 </code>
+//Monster// must not break **any** contract in //Child//.
 ====Execution Control====
-Introduce "dbc" INI switch, Off by default. No additional CLI option for DbC.
+A new "dbc" INI switch is going to be introduced. It may get the following values:
-A method/function is executed as follows
+  * dbc=on        - generate code for contracts and check them at run-time. Program, at any time, may change this settion to dbc=off through ini_set().
+  * dbc=off       - generate code for contracts but don't check them at run-time. Program, at any time, may change this settion to dbc=on through ini_set().
+  * dbc=zero_cost - don't generate code for contracts. This may be set only in php.ini and can't be changed through ini_set().
-===Basic Execution===
+  The default value is "off".
-require() - executed before function body
+===Contracts Execution Order===
-return() - executed upon return
-invariant - executed after require() and before return(). There are few exceptions explained later.
-==Development mode: dbc=On ==
+If "dbc" is set to "on", the order of contracts validation is the following:
-  - require() conditions
+  - all require() contracts (precondition) defined for this function (and prototype where applicable)
-  - class invariant
+  - all require() contracts (invariant) for this class and parents
-  - method()
+  - method body
-  - class invariant
+  - all require() contracts (invariant) for this class and parents
-  - return() conditions
+  - all return() contracts (postcondition) defined for this function (and prototype where applicable)
-==Production mode: dbc=Off ==
-  - method()
-==Execution details when DbC is enabled==
 **Invariant and Special Methods**
-  * __constructs()/__wakeup()/__set_state() will NOT execute invariant on entry.
+  * <nowiki>__constructs()/__wakeup()/__set_state()</nowiki> will NOT execute invariant before method body.
-  * __destruct()/__sleep() will NOT execute invariant on exit
+  * <nowiki>__destruct()/__sleep()</nowiki> will NOT execute invariant after method body.
-**Class Inheritance**
-  * When parent class methods are called, DbC conditions are executed
-  * Special methods execution exception is the same
-**Abstract Class**
-  * The same as usual class.
-**Trait**
-  * The same as usual class.
-**Interface**
-  * Cannot define DbC contracts.
+**Static Call**
+  * Only pre and post conditions are executed.
 ===== Backward Incompatible Changes =====
@@ Line 221: / Line 186: @@
 ==== To Opcache ====
+Opcache will have to be extended to support contracts and store them in shared memory.
-Dmitry, could you write impact when discussion is finished?
 ==== New Constants ====
@@ Line 229: / Line 192: @@
 ==== php.ini Defaults ====
 dbc=Off for all (INI_ALL)
@@ Line 237: / Line 199: @@
 ===== Open Issues =====
+  * Contracts inheritance rules
+  * Consider introduction of **static require()** as class invariant for static methods
   * Need to discuss syntax
   * How to manage votes for 2 RFCs
 ===== Unaffected PHP Functionality =====

Differences

Page Tools