Menu
Search

Forums

Forum Index

Thread overview
Asking for code review - contract programming
Jan 07, 2022
chopchop
Jan 11, 2022
Ali Cehreli
Jan 12, 2022
chopchop
Jan 23, 2022
chopchop
Jan 23, 2022
Ali Çehreli
Jan 23, 2022
Vinod K Chandran
Jan 24, 2022
Mark
Jan 24, 2022
max haughton
Dlang contract programming - snake game - conclusion
Feb 13, 2022
chopchop
Jan 23, 2022
forkit
January 07, 2022
Gravatar of chopchopPosted by chopchopReply
chopchop
Gravatar of chopchop


Reply

Hi guys,

I am working on a personal - and FOSS - project, available here:
https://tinyurl.com/kv62kr7t
(Tiny url => becoz of results ranking on search engines)

The goal is too see if D contract programming features can help cover strong design requirements from the aeronautic industry. Those requirements are generated from the industry standard guideline called DO-178c

#step 1
So I found a github project by three Master students dealing with the DO-178, because I actually don't know much about this guideline :)
Their project involved to find an idea, write a design document following the DO guideline, code the idea, and verify through contracts code that the requirements are met.
Their project is using ADA.

#step 2
I wrote the same idea (a snake game) in Dlang, using as much contract techniques as I could think of, as a dlang hobbyist, and using Adam's lib for terminal. Please not that I did NOT test the game on Linux. Windows only. But technically it should work on Linux :)

#step 3
This post! I am actually asking the community for code review, to have a look at the code and:

  • correct any mistake you could find. Propose PR.
  • add contract programming features (in/out/do, invariant, unittest...) where you think it is necessary. Propose PR.

Important note: I discovered there are 2 levels of contract testing.

  1. Checking that the code is sound, like verifying func param, etc
  2. Ensuring that the game will work as a standard snake game! Think win/loose conditions, etc.

I kind of forgot point 2 so far. Feel free to propose PR for anything you think could be relevant to a snake game, on top of the nitpick.

#step 4 (the interesting part!)
I have already translated the document of the students from French to English. This step will involve to compare the requirements they chose in their design with the code coverage of our reviewed code, which has no external guideline.
Note that I did not check those requirements before starting coding my own version of the game. I just followed a rough guideline "let's make a game which works and put some contracts in it."
It will be interesting to see how much code coverage we can reach already.

#step 5
If necessary, fix the missing requirements coverage, and note how easy / hard it is to do so.

#step 6
Write a post-mortem document to be added to the repo.

Voilà! I am from the aero industry, and I think it is kind of awkward to have those jobs offers in ADA, because they become a dead-end for a career.
C/C++ is also used in the industry, but with the same problems which lead to the creation of Dlang, somehow. Buffer overflow on board a plane is not sexy!

I had been wondering for a while if D could be a part of the solution, hence this project. Thanks if you have time to contribute.

January 11, 2022
Gravatar of Ali CehreliPosted by Ali Cehreli
in reply to chopchop		Reply
Ali Cehreli
Gravatar of Ali Cehreli
Posted in reply to chopchop


Reply
On 1/7/22 06:03, chopchop wrote:

> I am actually asking the community for code review

I've just looked at this.

> - correct any mistake you could find

It looks fine to me. There are a few places that made me think:

In general, adding two Coordinates is suspicious to me:

  https://github.com/Fr3nchK1ss/SnakeD/blob/master/source/coordinate.d#L37

However, subtracting two Coordinates makes sense and should return a Distance object.

The following invariant check might be a 'static assert':

  https://github.com/Fr3nchK1ss/SnakeD/blob/master/source/ground.d#L26

(invariant has runtime cost.)

Accounting for the walls with +1, -1, etc. looks scary to me. I wonder whether the playground could be detached from the walls and you could use the familiar 0 indexed access. Perhaps by slicing inside a bigger area or by a special type that hides that logic from us.

A random thought about 'in' and 'out' contract blocks: Instead of adding statements inside these blocks, one can use functions to give a name to the check and also use the new contract syntax:

  https://github.com/Fr3nchK1ss/SnakeD/blob/master/source/snake.d#L78

So, instead of the following:

    in {
        // The snake shall not backtrack on itself
        assert(body[0] + unitMotion[direction] != body[1]);
    }

Something like this:

  bool updateBody(Direction direction)
  in (!doesBackTrack(direction), "Snake backtracks")
  {
    // The body of the function ...
  }

(Note 'do' is not used with the new syntax.)

> Important note: I discovered there are 2 levels of contract testing.
> 1. Checking that the code is sound, like verifying func param, etc

That is also a responsibility of unit testing.

> 2. Ensuring that the game will work as a standard snake game! Think
> win/loose conditions, etc.

That part is definitely outside of unit testing and is handled both by contract programming and by functional testing.

> I am from the aero industry [...] Buffer overflow on board a plane [...]
> I had been wondering for a while if D could be a part of the solution,
> hence this project.

What do you think? Can the industry guidelines be sufficient to make D safe enough? Otherwise, a D program can spend a long time during a GC cycle. (So can other languages where destruction of even a single object can spend a lot of time but nobody pays attention to that.) Also, the program can run out of memory unless run-time dynamic allocation is banned by guidelines.

Ali
January 12, 2022
Gravatar of chopchopPosted by chopchop
in reply to Ali Cehreli		Reply
chopchop
Gravatar of chopchop
Posted in reply to Ali Cehreli


Reply
On Tuesday, 11 January 2022 at 17:40:48 UTC, Ali Cehreli wrote:
> In general, adding two Coordinates is suspicious to me:
You are right, there should be Coordinate and Vector somehow

> Accounting for the walls with +1, -1, etc. looks scary to me. I wonder whether the playground could be detached from the walls and you could use the familiar 0 indexed access. Perhaps by slicing inside a bigger area or by a special type that hides that logic from us.
Yes, that's a bit disturbing at first. I just re-read Ground, in fact there is a lack of consistency in the use of those +1, which is probably confusing. I will work on it.
But I kept the walls as part of the playground, because indeed they are, and the snake can reach "into" the wall. This is of course a GameOver condition, but perfectly legit! I realized with those "+1" that loosing is part of the game :)
I discovered that the real problem is when the snake tries to reach "beyond" the wall, which is then a programming error, and there is a contract on that.

>use the new contract
I did not know about the new syntax! I am definitely going to use it.

> What do you think? Can the industry guidelines be sufficient to make D safe enough? Otherwise, a D program can spend a long time during a GC cycle. (So can other languages where destruction of even a single object can spend a lot of time but nobody pays attention to that.) Also, the program can run out of memory unless run-time dynamic allocation is banned by guidelines.
>
> Ali
I would say, planes don't do sharp turn :) Maybe small UAVs (drones) would be more sensitive to delays. Reliability is more a factor. But how much delay are we talking about? More like 1ms, 10ms, 100ms, 1sec? I mean, if you can give an example of a program and its delay, it's interesting.

Then my project has limited focus, GC is another thing. A lot of components for aero subsystems are in C, and BetterC retains unittesting... and contract if I am not mistaken? Also those subsystems have very precise requirements which can most often translate into static arrays, etc. There would be so much to explore...
January 23, 2022
Gravatar of chopchopPosted by chopchop
in reply to chopchop		Reply
chopchop
Gravatar of chopchop
Posted in reply to chopchop


Reply

Hello

So I modified the code according to Ali's review. For those interested in contracts, it took me a while to find the documentation about the new "expression-based" syntax that Ali is talking about:

https://dlang.org/changelog/2.081.0.html#expression-based_contract_syntax

Also, the game "kind of" work on Linux, you must:

  • download the project file
  • cd to SnakeD/
  • dub run
  • IMMEDIATELY hit the UP arrow key
  • then you can move with the UP DOWN LEFT RIGHT arrow key, but there is a bug which is unfortunately outside the scope of my project. It seems that on Linux the terminal (arsd lib) is only updating when pressing a key. Adam is you read this...
  • You can also go to ground.d and update the values of playgroundWidth/Height to have a bigger playground, as a work-around.

I will let another week pass, if everybody wants to make a review / give some feedback, then I will work on comparing the DO requirements to what I obtained with d contract practices.

Then maybe a few updates to the code

Then conclusion

CHeers

January 23, 2022
Gravatar of Ali ÇehreliPosted by Ali Çehreli
in reply to chopchop		Reply
Ali Çehreli
Gravatar of Ali Çehreli
Posted in reply to chopchop


Reply
On 1/23/22 07:33, chopchop wrote:

> it took me a while to find the documentation about the new
> "expression-based" syntax that Ali is talking about:
>
> https://dlang.org/changelog/2.081.0.html#expression-based_contract_syntax

Yeah, coming late to the party, that syntax gets just a brief mention here:


http://ddili.org/ders/d.en/contracts.html#ix_contracts.expression-based%20contracts

Ali
January 23, 2022
Gravatar of forkitPosted by forkit
in reply to chopchop		Reply
forkit
Gravatar of forkit
Posted in reply to chopchop


Reply
On Friday, 7 January 2022 at 14:03:23 UTC, chopchop wrote:
> Hi guys,
>
> I am working on a personal - and FOSS - project, available here:
> https://tinyurl.com/kv62kr7t
> (Tiny url => becoz of results ranking on search engines)

btw. please.. use full urls.

https://safecomputing.umich.edu/be-aware/phishing-and-suspicious-email/shortened-url-security
January 23, 2022
Gravatar of Vinod K ChandranPosted by Vinod K Chandran
in reply to Ali Çehreli		Reply
Vinod K Chandran
Gravatar of Vinod K Chandran
Posted in reply to Ali Çehreli


Reply

On Sunday, 23 January 2022 at 15:52:49 UTC, Ali Çehreli wrote:

>

On 1/23/22 07:33, chopchop wrote:

There is language called Odin. I just translated the example code of 'out' keyword from your book into Odin. See this--

daysInFebruary :: proc(year : int) -> (result : int) {
	defer assert((result == 28 ) || (result == 29), "Only 28 or 29 is allowed")
	return isLeapYear(year) ? 29 :  28
}

Odin using named return values. Defer keyword ensures the execution will be occur at the end of the function execution.

January 24, 2022
Gravatar of MarkPosted by Mark
in reply to Ali Cehreli		Reply
Mark
Gravatar of Mark
Posted in reply to Ali Cehreli


Reply
On Tuesday, 11 January 2022 at 17:40:48 UTC, Ali Cehreli wrote:
> The following invariant check might be a 'static assert':
>
>   https://github.com/Fr3nchK1ss/SnakeD/blob/master/source/ground.d#L26
>
> (invariant has runtime cost.)
>
> Ali

Does the compiler not rewrite `assert`s into `static assert`s if there is no dependence on runtime values? Maybe this is a worthwhile optimization to implement.
January 24, 2022
Gravatar of max haughtonPosted by max haughton
in reply to Mark		Reply
max haughton
Gravatar of max haughton
Posted in reply to Mark


Reply
On Monday, 24 January 2022 at 12:41:40 UTC, Mark wrote:
> On Tuesday, 11 January 2022 at 17:40:48 UTC, Ali Cehreli wrote:
>> The following invariant check might be a 'static assert':
>>
>>   https://github.com/Fr3nchK1ss/SnakeD/blob/master/source/ground.d#L26
>>
>> (invariant has runtime cost.)
>>
>> Ali
>
> Does the compiler not rewrite `assert`s into `static assert`s if there is no dependence on runtime values? Maybe this is a worthwhile optimization to implement.

https://d.godbolt.org/z/46q6osKjK The assertions must still happen at runtime, however if the compiler can prove (as it does with *any* function) that it cannot be called then it will elide the assert.
February 13, 2022
Gravatar of chopchopPosted by chopchop
in reply to max haughton		Reply
chopchop
Gravatar of chopchop
Posted in reply to max haughton


Reply
Hi guys,

I finished this little project about contract programming. Not much, but interesting to do.

This is a link to the github project (tinyed for google referencing)

https://tinyurl.com/yc8yvj6n

cheers