SEIF Project: ResourceContracts.NET Jonathan Tapicer, Diego Garbervetsky and Martin Rouaux Departamento de Computación, FCEyN, UBA Buenos Aires, Argentina {jtapicer, diegog, mrouaux}@dc.uba.ar March 4, 2011 Abstract We present an extension of the specification language of Code Con- tracts to support resource usage specifications in .NET programs. In particular, we focus on dynamic memory consumption, a resource that can be occupied and released during program execution by a memory manager. We propose a new set of annotations enabling specification of both memory consumption and lifetime properties in a modular fash- ion. To verify the correctness of these annotations we rely on the Code Contracts static verifier and a points-to analysis. In order to overcome some arithmetic limitations of the engine we incorporate a symbolic cal- culator capable of dealing with polynomial consumption. This approach was implemented in a tool which fully integrated with the Visual Studio tool-suite, available as an extension, providing facilities such us autocom- pletion and verification at build time. 1 Problem Statement Design by contract [14] is a programming discipline that prescribes that software designers should define formal, precise and verifiable interface specifications for software components, extending the ordinary definition of abstract data types with preconditions, postconditions and invariants. While there has been some success in the adoption of contracts for enforcing functional requirements and design decisions [13, 15], there have not been many signs of their usage to express non-functional requirements such as performance or resource utilization requirements. Possible causes are the inherent difficulty of writing quantitative requirements, the lack of a convenient language to ex- press them and tool support to verify them. However, in many settings it is crucial to enforce the fulfillment of this kind of requirements. Certifying mem- ory consumption is vital to ensure safety in embedded systems; understanding the number of messages sent through a network is useful to detect performance bottlenecks or reduce communication costs, etc. It is well known that inferring, and even checking, quantitative bounds (e.g., resource usage) is difficult [5]. 1