Code Contracts: Why are some invariants not considered outside the class?

Asked 29/7, 2010 at 14:19 Answered 13/8, 2015 at 19:9

c#.net static-analysis code-contracts design-by-contract

Consider this immutable type:

public class Settings
{
    public string Path { get; private set; }

    [ContractInvariantMethod]
    private void ObjectInvariants()
    {
        Contract.Invariant(Path != null);
    }

    public Settings(string path)
    {
        Contract.Requires(path != null);
        Path = path;
    }
}

Two things to notice here:

There is a contract invariant which ensures the Path property can never be null
The constructor checks the path argument value to respect the previous contract invariant

At this point, a Setting instance can never have a null Path property.

Now, look at this type:

public class Program
{
    private readonly string _path;

    [ContractInvariantMethod]
    private void ObjectInvariants()
    {
        Contract.Invariant(_path != null);
    }

    public Program(Settings settings)
    {
        Contract.Requires(settings != null);
        _path = settings.Path;
    } // <------ "CodeContracts: invariant unproven: _path != null"
}

Basically, it has its own contract invariant (on _path field) that can't be satisfied during static checking (cf. comment above). That sounds a bit weird to me, since it's easy to prove it:

settings is immutable
settings.Path can't be null (because Settings has the corresponding contract invariant)
so by assigning settings.Path to _path, _path can't be null

Did I miss something here?

Calvert answered 29/7, 2010 at 14:19 Comment(0)

After checking the code contracts forum, I found this similar question with the following answer from one of the developers:

I think the behavior you are experiencing is caused by some inter-method inference that is going on. The static checker first analyzes the constructors, then the properties and then the methods. When analyzing the constructor of Sample, it does not know that msgContainer.Something != null so it issues the warning. A way to solve it, is either by adding an assumption msgContainer.Something != null in the constuctor, or better to add the postcondition != null to Something.

So in other words, your options are:

Make the Settings.Path property explicit instead of automatic, and specify the invariant on the backing field instead. In order to satisfy your invariant, you will need to add a precondition to the property's set accessor: Contract.Requires(value != null).

You can optionally add a postcondition to the get accessor with Contract.Ensures(Contract.Result<string>() != null), but the static checker will not complain either way.
Add Contract.Assume(settings.Path != null) to the constructor of the Program class.

Unofficial answered 30/7, 2010 at 0:47 Comment(0)

Invariants don't work on private members, you cannot actually have the reason why it is this way, hope this helps.

Delbert answered 13/8, 2015 at 19:9 Comment(1)

Yes, they do. Otherwise invariants would be of very little help. – Carpel 7/1, 2016 at 22:11

Recommended topics

Hot tags