Contract Attributes and Analyzers #296
Labels
🏗 Architectural
Related to architecture of the code
💢 Difficult
This issue is expected to be difficult to resolve
🛠 Enhancement
New feature or request
🛡 Hardening
Hardening up code through defensive programming techniques
Milestone
Microsoft Researches' Code Contracts was a failure for many reasons, and is essentially unused. I definitely agree with this given the way it was designed. Given it's pre-Roslyn history it required custom additions to the build process, as well as special build flags and many other issues. The contract behaviors were not included in documentation, nor anything reflection or code analyzers can access. Microsoft's approach was doomed from the start to fail.
For those who know my history, y'all know my origins as an Ada developer. The Spark extensions to Ada that added design contracts and static analysis of them did not have these issues. In fact, I found the approach worked extremely well.
I believe the kind of first class contract experience that languages like Ada and Eiffel provided could also be provided for .NET with the right approach. Furthermore, I believe attributes and analyzers are the right approach. Importantly, attributes show up to downstream in IntelliSense, and are accessible via reflection. They can also be statically analyzed and not require code weaving like Fody or PostSharp do. For those who do want this behavior, both options could easily provide this behavior. No additional tooling would be required at all.
PureAttribute
needs to be recreated, to avoid the conditional compilation that the legacy contracts approach has. Furthermore,ImpureAttribute
should also be defined. Then, analyzers can treat any unannotated code as just that: unannotated with unknown purity. Because of the collision, I suggest putting these in theSystem.Diagnostics.CodeAnalysis
namespace, as that matches the approach being taken far better. It should then be possible for the analyzers to do flow analysis to validate purity, at least to some level. Modification of globals or parameters would be impure, calling an impure function would be impure, etc. Core functions will have to be analyzed and understood manually.Other attributes can be done similarly, like
PositiveAttribute
for numeric parameters, etc.The text was updated successfully, but these errors were encountered: