Fuzion • Tutorial • Developing with pre- and postconditions

Developing with pre- and postconditions

The pre- and postconditions are a part of a feature's signature, not of its implementation. Ideally, we should start describing every feature's signature, including pre- and postconditions, before we implement it. In the case of the sqrt function above, this should have been

sqrt(a i32) i32
  pre
    a >= 0
  post
    result * result <= a
    (result + 1) > a / (result + 1)
    result >= 0
=>
{
  # NYI -- not yet implemented
}

1
2
3
4
5
6
7
8
9
10
11
12
sqrt(a i32) i32
  pre
    a >= 0
  post
    result * result <= a
    (result + 1) > a / (result + 1)
    result >= 0
=>
{
  # NYI -- not yet implemented
}
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What are effects?

Ideally, the legal inputs and the results and effects of features can be fully described by their signature. In practice, however, a natural language description is also helpful or even required. Also, many conditions would be very expensive to verify. See the following example of a feature that modifies a value in an array:

Note that some of the examples cannot be executed interactively. Please modify the fully wrapped example further below.

modify_array(E type : mutate, arr container.Mutable_Array i32 E, new_value i32, ix i64)
  pre
    ix >= 0
    ix < arr.length
  post
    arr[ix] = new_value
    # NYI: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
is
  arr[ix] := new_value

1
2
3
4
5
6
7
8
9
10
modify_array(E type : mutate, arr container.Mutable_Array i32 E, new_value i32, ix i64)
  pre
    ix >= 0
    ix < arr.length
  post
    arr[ix] = new_value
    # NYI: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
is
  arr[ix] := new_value
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What are effects?

The postcondition in this example is particularly expensive for large arrays. We probably do not want to check it at runtime unless we are debugging this part of the code. So we need some fine grain control over which conditions to check.

One way to use fine grain control is to add a qualifier in front of the condition, e.g., using the debug qualifier:

modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
  pre
    debug: ix >= 0
    debug: ix < arr.length
  post
    debug: arr[ix] = new_value
    # NYI: debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
is
  arr[ix] := new_value

1
2
3
4
5
6
7
8
9
10
modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
  pre
    debug: ix >= 0
    debug: ix < arr.length
  post
    debug: arr[ix] = new_value
    # NYI: debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
is
  arr[ix] := new_value
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What are effects?

This qualifier is defined globally and can be set when compiling a Fuzion application, so we can choose between a debug- and a production version with different levels of runtime checks.

Alternatively, one can use a dedicated debug flag example_debug that could then be enabled or disabled manually to have local debug checks:

example is

  example_debug => true

  modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
    pre
      example_debug: ix >= 0
      example_debug: ix < arr.length
    post
      example_debug: arr[ix] = new_value
      # NYI: example_debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
  is
    arr[ix] := new_value

1
2
3
4
5
6
7
8
9
10
11
12
13
14
example is
  example_debug => true
  modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
    pre
      example_debug: ix >= 0
      example_debug: ix < arr.length
    post
      example_debug: arr[ix] = new_value
      # NYI: example_debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
  is
    arr[ix] := new_value
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What are effects?

Setting it to false will disable these checks:

example is

  example_debug => false

  modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
    pre
      example_debug: ix >= 0
      example_debug: ix < arr.length
    post
      example_debug: arr[ix] = new_value
      # NYI: example_debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
  is
    arr[ix] := new_value

1
2
3
4
5
6
7
8
9
10
11
12
13
14
example is
  example_debug => false
  modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
    pre
      example_debug: ix >= 0
      example_debug: ix < arr.length
    post
      example_debug: arr[ix] = new_value
      # NYI: example_debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
  is
    arr[ix] := new_value
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What are effects?

or setting it the global debug level will use the global default:

example is

  example_debug => debug

  modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
    pre
      example_debug: ix >= 0
      example_debug: ix < arr.length
    post
      example_debug: arr[ix] = new_value
      # NYI: example_debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
  is
    arr[ix] := new_value

1
2
3
4
5
6
7
8
9
10
11
12
13
14
example is
  example_debug => debug
  modify_array(E type : mutate, arr container.Mutable_Array(i32, E), new_value i32, ix i64)
    pre
      example_debug: ix >= 0
      example_debug: ix < arr.length
    post
      example_debug: arr[ix] = new_value
      # NYI: example_debug: arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
  is
    arr[ix] := new_value
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What are effects?

We can also distinguish different debug levels and, e.g., enable preconditions in the first debug level, add cheap postconditions in the second, but disable expensive ones for all levels less than 10:

modify_array(E type : mutate, arr container.Mutable_Array i32 E, new_value i32, ix i64)
  pre
    debug(1): ix >= 0
    debug(1): ix < arr.length
  post
    debug(2): arr[ix] = new_value
    # NYI: debug(10): arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
is
  arr[ix] := new_value

1
2
3
4
5
6
7
8
9
10
modify_array(E type : mutate, arr container.Mutable_Array i32 E, new_value i32, ix i64)
  pre
    debug(1): ix >= 0
    debug(1): ix < arr.length
  post
    debug(2): arr[ix] = new_value
    # NYI: debug(10): arr.indices ∀ x -> x = ix || arr[x] = old (arr.clone)[x]  -- old, arr.clone not supported yet!
is
  arr[ix] := new_value
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What are effects?

last changed: 2025-05-12

next: Predefined Pre- and Postcondition Qualifiers