6

I have a collection of child items in my class and I have a public accessor to it. I want to provide a postcondition to ensure that items in the collection are not null (I know, that in tests 2 and 3 caller can change the collection, but for now my goal is just to make sure, that collection returned from the property doesn't contain null items).

I thought using Assume and ForAll would be enough, but that doesn't help

Here is the sample code with 3 classes that I tried. All 3 cases are allmost identical except that first exposes ReadOnlyObservableCollection, 2nd - ObservableCollection, and 3rd - List.

- ReadOnlyObservableCollection

class Test1
{
  public Test1()
  {
    _children = new ObservableCollection<A>();
    _childrenReadOnly = new ReadOnlyObservableCollection<A>(_children);
  }

  protected readonly ObservableCollection<A> _children;
  protected readonly ReadOnlyObservableCollection<A> _childrenReadOnly;

  public ReadOnlyObservableCollection<A> Children
  {
    get
    {
      Contract.Ensures(Contract.ForAll(Contract.Result<ReadOnlyObservableCollection<A>>(), i => i != null));
      Contract.Assume(Contract.ForAll(_childrenReadOnly, i => i != null));
      return _childrenReadOnly; // CodeContracts: ensures unproven: Contract.ForAll(Contract.Result<ReadOnlyObservableCollection<A>>(), i => i != null)
    }
  }

  [ContractInvariantMethod]
  private void ObjectInvariant()
  {
    Contract.Invariant(_children != null);
    Contract.Invariant(_childrenReadOnly != null);
  }
}

- ObservableCollection

class Test2
{
  public Test2()
  {
    _children = new ObservableCollection<A>();
  }

  protected readonly ObservableCollection<A> _children;

  public ObservableCollection<A> Children
  {
    get
    {
      Contract.Ensures(Contract.ForAll(Contract.Result<ObservableCollection<A>>(), i => i != null));
      Contract.Assume(Contract.ForAll(_children, i => i != null));
      return _children; // CodeContracts: ensures unproven: Contract.ForAll(Contract.Result<ObservableCollection<A>>(), i => i != null)
    }
  }

  [ContractInvariantMethod]
  private void ObjectInvariant()
  {
    Contract.Invariant(_children != null);
  }
}

- List

class Test3
{
  protected readonly List<A> _children = new List<A>();

  public List<A> Children
  {
    get
    {
      Contract.Ensures(Contract.ForAll(Contract.Result<List<A>>(), i => i != null));
      Contract.Assume(Contract.ForAll(_children, i => i != null));
      return _children; // No warning here when using List instead of ObservableCollection
    }
  }

  [ContractInvariantMethod]
  private void ObjectInvariant()
  {
    Contract.Invariant(_children != null);
  }
}

Here is the test code that uses this classes:

  Test1 t1 = new Test1();
  foreach (A child in t1.Children)
  {
    child.SomeMethod(); // CodeContracts: Possibly calling a method on a null reference 'child'
  }

  Test2 t2 = new Test2();
  foreach (A child in t2.Children)
  {
    child.SomeMethod(); // CodeContracts: Possibly calling a method on a null reference 'child'
  }

  Test3 t3 = new Test3();
  foreach (A child in t3.Children)
  {
    child.SomeMethod(); // CodeContracts: Possibly calling a method on a null reference 'child'
  }

Can I somehow define a contract, in order not to write Contract.Assume(child != null) every time I use Children property?

Update:

I tried to implement Enumerator that ensures not null condition in Current property getter, as was suggested by phoog. But the warning is still present (surprisingly for me).

public class NotNullEnumerable<T> : IEnumerable<T>
{
    private IEnumerable<T> _enumerable;
    public NotNullEnumerable(IEnumerable<T> enumerable)
    {
        _enumerable = enumerable;
    }

    #region IEnumerable<T> Members
    public IEnumerator<T> GetEnumerator()
    {
        return new NotNullEnumerator<T>(_enumerable.GetEnumerator());
    }
    #endregion

    #region IEnumerable Members
    System.Collections.IEnumerator System.Collections.IEnumerable.GetEnumerator()
    {
        return GetEnumerator();
    }
    #endregion
}

public class NotNullEnumerator<T> : IEnumerator<T>
{
    private readonly IEnumerator<T> _enumerator;
    public NotNullEnumerator(IEnumerator<T> enumerator)
    {
        _enumerator = enumerator;
    }

    #region IEnumerator<T> Members
    public T Current
    {
        get
        {
            Contract.Ensures(Contract.Result<T>() != null);
            return _enumerator.Current;
        }
    }
    #endregion

    #region IDisposable Members
    public void Dispose()
    {
        _enumerator.Dispose();
    }
    #endregion

    #region IEnumerator Members
    object System.Collections.IEnumerator.Current
    {
        get
        {
            Contract.Ensures(Contract.Result<object>() != null);
            return _enumerator.Current;
        }
    }

    public bool MoveNext()
    {
       return _enumerator.MoveNext();
    }

    public void Reset()
    {
        _enumerator.Reset();
    }
    #endregion
}

Usage in code:

        Test1 t1 = new Test1();
        var NonNullTest1 = new NotNullEnumerable<A>(t1.Children);
        foreach (A child in NonNullTest1)
        {
            child.SomeMethod(); // CodeContracts: Possibly calling a method on a null reference 'child'
        }

Any ideas?

nevermind
  • 2,300
  • 1
  • 20
  • 36

3 Answers3

1

I've tried to achieve same approach and most I've come into is:

  1. Declare generic INonNullable<T> interface with only one property ensured to return non-null value, implement it in NonNullable struct.
  2. Declare INonNullEnumerator<T> and INonNullEnumerable<T> interfaces (most probably that was useless), same as IEnumerator and IEnumerable, but INonNullEnumerable has IsEmpty property and GetEnumerator requires it to be false. NonNullEnumerator returns T, not INonNullable<T>.
  3. Declare my custom collection implementing INonNullEnumerable<T> and IList<INonNullable<T>> (for compatibility with common IEnumerable and common sense), based on array of NonNullable. Methods of IList implemented explicitly with INonNullable arguments, but with just same implicit methods accepting T values with contracts.

As a result, this hydra may be passed as a usual IEnumerable argument, returning INonNullable values (which is still reqired by static checker to be checked for nulls, as it is reference type), while T values with non-null guarantee may be used in methods and in foreach statement (because foreach uses implicit GetEnumerator() method, which returns INonNullEnumerator, which ensures to return non-null INonNullable, which is NonNullable struct, and all of this is supported by contracts).

But, honestly, this is a monster. I coded it just to try my best to make contracts guarantee that collection has no nulls. Yet, without complete success: Contract.ForAll(myList, item => item != null) could not be proved just because it's uses IEnumerable, neither foreach nor my INonNullEnumerable.

My bet, this is impossible, at least with current CodeContracts API.

Aberro
  • 620
  • 6
  • 10
  • 4 years passed and still not possible... Btw, I don't use CodeContracts anymore, just because I couldn't make it work the way I wanted. – nevermind Sep 25 '15 at 09:06
  • CodeContracts source code is an open sourced, so I think about trying to add some crutch for non-null collections, but with a big bit of scepticism if it would be too complicated. Do you use some other static checker? The possibility to add my own checks in contracts is bribes me a bit, so if there exists another static checking tool with same functionality and better API, it would be great. – Aberro Sep 25 '15 at 10:09
  • ReSharper has static checker capabilities. You can define contracts on your class be means of attributes: https://www.jetbrains.com/resharper/help/Code_Analysis__Code_Annotations.html . Minor disadvantage is that it uses own syntax, so you can't use any C# expression, like in CodeContracts. But I didn't look deep into it. – nevermind Sep 25 '15 at 16:21
1

I would create my own collection type. For example, you could implement IList<T> and "ensure" that the index getter never returns null, and "require" that Add() and the index setter never receive null as an argument.

EDIT:

To avoid the "possibly calling a method on a null reference" message in the foreach loop, you would probably also have to implement your own enumerator type and "ensure" that its Current property never returns null.

EDIT2:

Since ObservableCollection<> and ReadOnlyObservableCollection<> both decorate an IList<> instance and therefore implement IList<>, I tried the following. Note the inconsistency between the "ensures unproven" and the "assert is false". I got the same messages whether the static type of result was ReadOnlyObservableCollection<C> or IList<C>. I'm using Code Contracts version 1.4.40602.0.

namespace EnumerableContract
{
    public class C
    {
        public int Length { get; private set; }
    }

    public class P
    {
        public IList<C> Children
        {
            get
            {
                Contract.Ensures(Contract.Result<IList<C>>() != null);
                Contract.Ensures(Contract.ForAll(Contract.Result<IList<C>>(), c => c != null));

                var result = new ReadOnlyObservableCollection<C>(new ObservableCollection<C>(new[] { new C() }));

                Contract.Assume(Contract.ForAll(result, c => c != null));

                return result; //CodeContracts: ensures unproven Contract.ForAll(Contract.Result<IList<C>>(), c => c != null)
            }
        }

        public class Program
        {
            public static int Main(string[] args)
            {
                foreach (var item in new P().Children)
                {
                    Contract.Assert(item == null); //CodeContracts: assert is false
                    Console.WriteLine(item.Length);
                }

                return 0;
            }
        }
    }
}

EDIT3:

Found a good summary of the issues at http://social.msdn.microsoft.com/Forums/en-US/codecontracts/thread/af403bbc-ca4e-4546-8b7a-3fb3dba4bb4a/; basically, adding additional conditions to the contract of an implemented interface violates the Liskov substitution principle, because it means that the class with additional restrictions cannot be used in any context that accepts an object implementing that interface.

phoog
  • 42,068
  • 6
  • 79
  • 117
  • Seems, that doesn't work (see update to my answer), although I explicitly ensure that `Current` doesn't return **null** – nevermind Nov 25 '11 at 23:08
  • I too am surprised. I won't have a chance to try it myself before monday, though. I'll have a look at it then. – phoog Nov 27 '11 at 04:18
  • 1
    @nevermind I haven't had a chance to look at it, but I remembered that *you can't add conditions to `Current` because it implements `IEnumerator.Current`.* When I get to it tomorrow, I will try adding an explicit implementation of `IEnumerator.Current`, so the public method is not linked to either interface, and/or removing the interface entirely (since foreach loops depend on duck typing, not on implementing IEnumerable). Either approach should allow the programmer to specify conditions for `Current`. – phoog Nov 27 '11 at 15:21
  • Thank you, didn't know about duck typing. I tried it (just implement `Current`, `MoveNext` and `Reset` without implementing `IEnumerable`), and the warning went away. However it requires changing type of collection everywhere around the project, since now my collection cannot implement standard interfaces. I'll try to find out something tomorrow and post results here. Any suggestions would be helpful too. – nevermind Nov 27 '11 at 23:10
  • @nevermind: I looked at the decompiled code and ObservableCollection and ReadOnlyObservableCollection just don't have any contract code in them at all. So the contract analyzer doesn't have any way of knowing, for example, that the type doesn't swallow all objects into a black hole from which only `null` is returned. See EDIT2 edit for an interesting finding. – phoog Nov 28 '11 at 20:56
  • 1
    @nevermind found a good discussion (see EDIT3) at http://social.msdn.microsoft.com/Forums/en-US/codecontracts/thread/af403bbc-ca4e-4546-8b7a-3fb3dba4bb4a/ – phoog Nov 29 '11 at 18:14
  • Thanks. Of course, restrictions, described in the article make sense, but what I want to do is slightly different thing. I want to return from a function (or getter) a enumerable, and ensure that it (**my** object) does not contain null values. Here http://research.microsoft.com/en-us/projects/contracts/faq.aspx it is said that "Method contracts of overridden methods should have the same precondition as their parent methods, and _postconditions that are at least as strong as the parent method's postconditions_ " . But it seems, there is no easy way to do this thing. – nevermind Nov 29 '11 at 23:12
  • @nevermind yes, you're right. As you discovered, you can do it if you return a List, so it seems there's something missing in the contract of the ObservableCollection and ReadonlyObservableCollection that is present for List. I wouldn't find this surprising, because I've found lots of other cases where `Contract` annotations are missing from framework code. I can't think of a specific example now, since it has been a while, but mostly they are framework methods that never return null, but have no `Ensures` call to express that to the contract analyzer. – phoog Nov 29 '11 at 23:34
0

Update your ObjectInvariantto include checks to ensure that all items in the collections are non-null at the end of each method call.

  [ContractInvariantMethod]
  private void ObjectInvariant()
  {
    Contract.Invariant(_children != null && Contract.ForAll(_children, item => item != null));
    Contract.Invariant(_childrenReadOnly != null && Contract.ForAll(_childrenReadOnly, item => item != null);
  }
Ɖiamond ǤeezeƦ
  • 3,223
  • 3
  • 28
  • 40