let mut b = Bar { f1: 0, f2: 10 };
baz(&mut b);
b.f2 = 100;
baz(&mut b);
b.f2 = -5;
// task '<main>' failed at 'invariant entering baz (x.f1 < x.f2)'
// baz(&mut b);}
nrc/ libhoare
Need help with libhoare?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.
About the developer
238 Stars 
17 Forks 
43 Commits 
8 Opened issues 
Description
Design by contract style assertions for Rust
Services available
Contributors list
Readme
LibHoare
Simple Rust support for design by contract-style assertions. Supports * preconditions (
precond), * postconditions (
postcond), * invariants (pre and post) (
invariant).
Each macro takes a predicate given as a string parameter. Each macro is available in a
debug_version which only checks the assertion in debug builds, they should be zero overhead in non-debug builds. You can use
resultinside a postcondition to get the value returned by the function.
Preconditions are checked on entry to a function. Postconditions are checked when leaving the function by any path.
(The library is named for Tony, not Graydon. Or rather it is named for the logic which was named after Tony).
Using libhoare
You can use libhoare with Cargo by adding
[dependencies.hoare] git = "https://github.com/nick29581/libhoare.git"
to your projects Cargo manifest.
Otherwise, download this repo, build it (see build instructions below), make sure the path to the compiled libhoare is on your library path in some way (one way of doing this is to
export LD_LIBRARY_PATH=/path/to/libhoare/objbefore building).
Then (whether or not you used Cargo), in your crate you will need the following boilerplate:
#![feature(plugin, custom_attribute)]#![plugin(hoare)]
Then you can use the macros as shown below.
Examples:
#[precond="x > 0"]
#[postcond="result > 1"]
fn foo(x: int) -> int {
let y = 45 / x;
y + 1
}
struct Bar {
f1: int,
f2: int
}
#[invariant="x.f1 < x.f2"]
fn baz(x: &mut Bar) {
x.f1 += 10;
x.f2 += 10;
}
fn main() {
foo(12);
foo(26);
// task '
' failed at 'precondition of foo (x > 0)'
// foo(-3);
You can use contracts on methods as well as functions, but they are not as well tested.
Contents
All the code for checking conditions is in
libhoare. Currently, there is only a single file,
lib.rs.
The
testdirectory contains unit tests for the library.
The
egdirectory contains a few examples of how to use the library:
- hello.rs is a very simple (hello world!) example of how to use an invariant (useful as a basic test case);
- doc.rs contains the examples above, so we can check they compiler and run;
- lexer.rs is a more realistic example of use - a simple (and certainly not industrial-strength) lexer for a very small language.
Building
To build libhoare from the top level of your checked out repo run
cargo build
(if using cargo) or
$RUSTC ./libhoare/lib.rs
This will create libhoare.rs in the current directory, you might want to specify an output file using
-o.
To build the examples run
eg.shin the top level and to run the tests run
tests.sh. Both of these assume that you have a sibling directory called
objand that you used
$RUSTC ./libhoare/lib.rs -o "../obj/libhoare.so"
to build libhoare. Examples are created in
../obj
TODO
- add tests to RustCI
- tests for debug_ versions of macros - what is the best way to test this?
- better use of macro stuff? (I'm a total beginner at syntax extensions, this all could probably be implemented better).
- better spans.
- better names for scopes ( rather than , etc. These appear in the user-visible error messages, so it would be nice if they could be informative).
Wish list:
- object invariants (I think this would need compiler support, if it is possible
at all. You would add
[#invariant="..."]
to a struct, enum, etc. and the invariant would be checked on entering and leaving every method defined in any impl for the object).