Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Paul Ammann, 2008 Design by Contract Paul Ammann CS/SWE 332.

Published byAbraham Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "© Paul Ammann, 2008 Design by Contract Paul Ammann CS/SWE 332."— Presentation transcript:

1 © Paul Ammann, 2008 Design by Contract Paul Ammann CS/SWE 332

2 © Paul Ammann, 2008 2 Abstraction by Specification Abstraction Implementation 1 Implementation N …

3 © Paul Ammann, 2008 3 Specifications n Way to Define Abstractions n Formality –As much as is useful –More than just English –Typically less than a language with a formal semantics –We will use industry standard (ie Javadoc) –Not intended to be a programming language!

4 © Paul Ammann, 2008 4 Parts of a Procedural Specification /** * Returns index of element in sorted list * * @param a[] array to search; must be sorted ascending * @param x int to search for in a * @return if x in a, index of x in a else -1 * @throws NullPointerException if a is null */ public static int sortedSearch (int[]a, int x) Header Precondition Postconditions

5 © Paul Ammann, 2008 5 Another Example /** * Searches for index of x in a. * * @param a[] array to be searched * @param x element to search for * @return index of x if x in a * else -1 if x not in a * @throws NullPointerException if a is null public static int search (int[]a, int x) No Precondition! (Precondition equals “true”) Underdetermined – what happens if x is in a more than once?

6 © Paul Ammann, 2008 6 Yet Another Example /** * sorts list into ascending order. * @param list list to sort * @throws NullPointerException if list is null * or list contains null elements * @throws ClassCastException if elements in list are not mutually comparable public static void sort (List list) // E.g. if list = [3,1,6,1] before the call, then // list = [1,1,3,6] after the call Notice implicit treatment of duplicates Alternate notation: // E.g. if list = [3,1,6,1], then list_post = [1,1,3,6]

7 © Paul Ammann, 2008 7 What does a Contract Look Like? n Consider the triple: {P} S {Q} –P is the precondition (Requires clause) –Q is the postcondition (Effects clause) –S is the program text n The Customer (client) is obligated to establish P. n The Implementor (service) may assume P n The Customer is entitled to Q n The Implementor is obligated to provide Q n That’s it!

8 © Paul Ammann, 2008 8 What happens when a Contract Breaks? n If everyone does their job, there is no problem! n If the precondition is not satisfied, the Customer is wrong! (The client has a bug). n If the precondition is satisfied, but the postcondition is not, then the Service is wrong (The server has a bug). n The Client can’t do the Server’s job! n The Server can’t do the Client’s job!

9 © Paul Ammann, 2008 9 n Suppose you are fixing a fault in a program. –What justification is there for a proposed change? n Example Context: code considered correct..... code identifed as wrong vs. proposed correct code..... more code considered correct Application of Contract Model to Debugging {P} {Q}

10 © Paul Ammann, 2008 10 /** * returns number of zeroes in arr. * @param arr[] array to count zeroes in * @throws NullPointerException if arr is null */ public static int numZero (int[] arr) { int count = 0; for (int i=1; i < arr.length; i++) { if (arr[i] == 0) {count++} }return count;} Example {inv: count has # zeros in arr[0..-1]} {inv: count has # zeros in arr[0..i-1]}

11 © Paul Ammann, 2008 11 What does the Client like? n Since preconditions are Client obligations, the Client would prefer not to have any! n From the Client’s perspective, “true” is the best precondition. In general, weaker preconditions are better. n The Client is happy to have any postcondition that is strong enough to meet the Client’s needs.

12 © Paul Ammann, 2008 12 What does the Server like? n Since preconditions are Server benefits, the Server would prefer to have lots of them! n From the Server’s perspective, “false” is the best precondition. In general, stronger preconditions mean an easier job with the implementation. n The Server prefers weak postconditions. Each additional constraint in a postcondition is an additional obligation on the Server.

13 © Paul Ammann, 2008 13 Problems with Eliminating Preconditions n Forcing the Server to handle “weird” cases can lead to inefficient, bulky (read “error prone”) code. n For “local” use, therefore, preconditions can be extremely powerful (and appropriate). n Example: Consider the “partition” method in a quicksort routine. It would be weird to handle the case where the array indices were out of bounds.

14 © Paul Ammann, 2008 14 More Problems with Eliminating Preconditions n What if the Implementer can’t provide a good “default” (ie Defensive Programming)? n Consider this (undocumented!) code: public static double sqrt (double x) { if (x < 0) { handle problem somehow return some value (what?) } else { proceed with normal square root computation return y such that y*y is approximately x }

15 © Paul Ammann, 2008 15 Dissecting the Square Root Example n What could possibly be a correct “default”? –Printing an error message? Not a comforting thought to certain end users (ie pilots). n What could possibly be a reasonable return value? n The Lesson: The Server is not in a position to define behavior. That’s the Client’s job. (through the contract mechanism).

Download ppt "© Paul Ammann, 2008 Design by Contract Paul Ammann CS/SWE 332."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy Eivind J. Nordby.

Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy Eivind J. Nordby.
Problem Solving 5 Using Java API for Searching and Sorting Applications ICS-201 Introduction to Computing II Semester 071.

Problem Solving 5 Using Java API for Searching and Sorting Applications ICS-201 Introduction to Computing II Semester 071.
Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.

Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.
 Both System.out and System.err are streams—a sequence of bytes.  System.out (the standard output stream) displays output  System.err (the standard.

 Both System.out and System.err are streams—a sequence of bytes.  System.out (the standard output stream) displays output  System.err (the standard.
Chapter 1. The Phases of Software Development. Data Structure 2 Chapter outline  Objectives  Use Javadoc to write a method’s complete specification.

Chapter 1. The Phases of Software Development. Data Structure 2 Chapter outline  Objectives  Use Javadoc to write a method’s complete specification.
Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.

Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
On the Relation between Design Contracts and Errors Karlstad University Computer Science On the Relation Between Design Contracts and Errors A Software.

On the Relation between Design Contracts and Errors Karlstad University Computer Science On the Relation Between Design Contracts and Errors A Software.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy (anpassad för PUMA)

Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy (anpassad för PUMA)
Design by Contract David Talby. Software Correctness When is a class correct? – It ’ s a relative concept; what is required? – But it ’ s the correct.

Design by Contract David Talby. Software Correctness When is a class correct? – It ’ s a relative concept; what is required? – But it ’ s the correct.
CSC 395 – Software Engineering Lecture 21: Overview of the Term & What Goes in a Data Dictionary.

CSC 395 – Software Engineering Lecture 21: Overview of the Term & What Goes in a Data Dictionary.
Specifications Liskov Chapter 9 SWE 619 Last Updated Fall 2008.

Specifications Liskov Chapter 9 SWE 619 Last Updated Fall 2008.
Cs205: engineering software university of virginia fall 2006 Semantics and Specifying Procedures David Evans www.cs.virginia.edu/cs205.

Cs205: engineering software university of virginia fall 2006 Semantics and Specifying Procedures David Evans
Computer Science 340 Software Design & Testing Design By Contract.

Computer Science 340 Software Design & Testing Design By Contract.
Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.

Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.
Chapter 3 Introduction to Collections – Stacks Modified

Chapter 3 Introduction to Collections – Stacks Modified
Stacks - 2 Nour El-Kadri ITI 1121. 2 Implementing 2 stacks in one array and we don’t mean two stacks growing in the same direction: but two stacks growing.

Stacks - 2 Nour El-Kadri ITI Implementing 2 stacks in one array and we don’t mean two stacks growing in the same direction: but two stacks growing.
07 Coding Conventions. 2 Demonstrate Developing Local Variables Describe Separating Public and Private Members during Declaration Explore Using System.exit.

07 Coding Conventions. 2 Demonstrate Developing Local Variables Describe Separating Public and Private Members during Declaration Explore Using System.exit.

Similar presentations

Ads by Google