Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cs2220: Engineering Software Class 12: Substitution Principle Fall 2010 University of Virginia David Evans.

Published byCynthia Robbins Modified over 8 years ago

Similar presentations

Presentation on theme: "Cs2220: Engineering Software Class 12: Substitution Principle Fall 2010 University of Virginia David Evans."— Presentation transcript:

1 cs2220: Engineering Software Class 12: Substitution Principle Fall 2010 University of Virginia David Evans

2 static public boolean moreElements(ArrayList a, ArrayList b) // REQUIRES: a and b are not null // MODIFIES: nothing // EFFECTS: Returns true iff a has more elements than b. { return a.size() > b.size(); } Is this correct?

3 static public boolean moreElements(ArrayList a, ArrayList b) // REQUIRES: a and b are not null // MODIFIES: nothing // EFFECTS: Returns true iff a has more elements than b. { return a.size() > b.size(); } public static void main(String[] args) { // TODO Auto-generated method stub ArrayList a; ArrayList b; … a.add("Hello"); b.add("Ciao"); b.add("Goodbye"); System.out.println("More elements: " + moreElements(a, b)); }

4 Dangers of Subtyping public class SillyList extends ArrayList { @Override public int size() // REQUIRES: The alert level has reached DEFCON 5, all the missiles have // been targeted, and the President has issued a verified launch // command. // MODIFIES: Everything // EFFECTS: Launches the missiles. Returns the expected number of // elements in the object after all the computer’s memory has been // destroyed by radiation. { launchMissiles(); return 0; } public static void main(String[] args) { ArrayList a = new SillyList (); ArrayList b = new SillyList (); a.add("Hello"); b.add("Ciao"); b.add("Goodbye"); System.out.println("More elements: " + moreElements(a, b)); }

5 Reasoning about programs that can use unfettered subtyping is hopeless!

6 How can we solve this? static public String pasteTogether(String a, String b) // REQUIRES: a and b are not null // EFFECTS: Returns a String that is a followed by b. { return a.concat(b); } Could pasteTogether launch the missiles? public final class String extends Object implements Serializable, Comparable, CharSequence { … } public final class String extends Object implements Serializable, Comparable, CharSequence { … }

7 Reasoning with Subtyping Easy approach #1: don’t allow subtyping! Make all classes final (like java.lang.String) Easy approach #2: give up on reasoning Reason based on the apparent type specification and don’t make any claims about what happens with subtypes. Hard approach: impose constraints on subtypes to allow reasoning Substitution principle

8 How do we know if saying B is a subtype of A is safe? Substitution Principle: If B is a subtype of A, everywhere the code expects an A, a B can be used instead and the program still satisfies its specification

9 Subtype Condition 1: Signature Rule We can use a subtype method where a supertype methods is expected: – Subtype must implement all of the supertype methods – Argument types must not be more restrictive – Result type must be at least as restrictive – Subtype method must not throw exceptions that are not subtypes of exceptions thrown by supertype

10 Signature Rule class A { public R A m (P A p) ; } class B extends A { public R B m (P B p) ; } R B must be a subtype of R A : R B <= R A P B must be a supertype of P A : P B >= P A covariant for results, contravariant for parameters

11 Subtype Condition 2: Methods Rule Precondition of the subtype method must be weaker than the precondition of the supertype method. m A.pre  m B.pre Postcondition of the subtype method must be stronger than the postcondition of the supertype method. m B.post  m A.post

12 Subtype Condition 3: Properties Subtypes must preserve all properties described in the overview specification of the supertype.

13 Properties Example public class StringSet // Overview: An immutable set of Strings. public class MutStringSet extends StringSet // Overview: A mutable set of Strings. MutStringSet cannot be a subtype of StringSet, since it does not satisfy property that once a StringSet object is created its value never changes. Would it be okay for a subtype of a mutable type to be immutable?

14 Properties Example public class ImmutableStringSet extends MutStringSet // Overview: An immutable set of Strings. public class MutStringSet // Overview: A mutable set of Strings. ImmtableStringSet could be a subtype of MutStringSet according to the properties rule....but would be very difficult to satisfy the methods rule!

15 Substitution Principle Summary Signatures: subtype methods must be type correct in supertype callsites: result is a subtype (covariant), parameters are supertypes (contravariant) Methods: subtype preconditions must be weaker than supertype preconditions (covariant); subtype postconditions must be stronger than supertype postconditions (contravariant) Properties: subtype must preserve all properties specified in supertype overview

16 Substitution Principle Summary Param Types Psub  Psuper Preconditions pre_sub  pre_super Result TypeRsub  Rsuper Postconditions post_sub  post_super Propertiesproperties_sub  properties_super contravariant for inputs covariant for outputs These properties ensure code that is correct using an object of supertype is correct using an object of subtype.

17 Substitution Mystery …(in client code) MysteryType1 mt1; MysteryType2 mt2; MysteryType3 mt3; …(anything could be here) mt1 = mt2.m (mt3); If the Java compiler accepts this code, which of these are guaranteed to be true: a.The apparent type of mt2 is MysteryType2 b.At the last statement, the actual type of mt2 is MysteryType2 c.MysteryType2 has a method named m d.The MysteryType2.m method takes a parameter of type MysteryType3 e.The MysteryType2.m method returns a subtype of MysteryType1 f.After the last statement, the actual type of mt1 is MysteryType1 If the Java compiler accepts this code, which of these are guaranteed to be true: a.The apparent type of mt2 is MysteryType2 b.At the last statement, the actual type of mt2 is MysteryType2 c.MysteryType2 has a method named m d.The MysteryType2.m method takes a parameter of type MysteryType3 e.The MysteryType2.m method returns a subtype of MysteryType1 f.After the last statement, the actual type of mt1 is MysteryType1

Download ppt "Cs2220: Engineering Software Class 12: Substitution Principle Fall 2010 University of Virginia David Evans."

Similar presentations

Cs205: engineering software university of virginia fall 2006 Specifying Procedures David Evans www.cs.virginia.edu/cs205.

Cs205: engineering software university of virginia fall 2006 Specifying Procedures David Evans
Cs2220: Engineering Software Class 10: Generic Datatypes Fall 2010 University of Virginia David Evans.

Cs2220: Engineering Software Class 10: Generic Datatypes Fall 2010 University of Virginia David Evans.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
The Substitution Principle SWE 332 – Fall 2010. 2 Liskov Substitution Principle In any client code, if subtype object is substituted for supertype object,

The Substitution Principle SWE 332 – Fall Liskov Substitution Principle In any client code, if subtype object is substituted for supertype object,
Problem Solving 5 Using Java API for Searching and Sorting Applications ICS-201 Introduction to Computing II Semester 071.

Problem Solving 5 Using Java API for Searching and Sorting Applications ICS-201 Introduction to Computing II Semester 071.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 13: Concurring Concurrently.

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 13: Concurring Concurrently.
David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 6: Reasoning about Data Abstractions.

David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 6: Reasoning about Data Abstractions.
Generic programming in Java

Generic programming in Java
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Concurrent Programming.

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Concurrent Programming.
Utilities (Part 3) Implementing static features 1.

Utilities (Part 3) Implementing static features 1.
5/17/2015 OO Design: Liskov Substitution Principle 1.

5/17/2015 OO Design: Liskov Substitution Principle 1.
Chapter 8 Designing Classes. Assignment Chapter 9 Review Exercises (Written)  R8.1 – 8.3, 8.5 – 8.7, 8. 10, 8.11, 8.13, 8.15, 8.19, 8.20 Due Friday,

Chapter 8 Designing Classes. Assignment Chapter 9 Review Exercises (Written)  R8.1 – 8.3, 8.5 – 8.7, 8. 10, 8.11, 8.13, 8.15, 8.19, 8.20 Due Friday,
CSE341: Programming Languages Lecture 26 Subtyping for OOP Dan Grossman Fall 2011.

CSE341: Programming Languages Lecture 26 Subtyping for OOP Dan Grossman Fall 2011.
Subclasses and Subtypes CMPS 2143. Subclasses and Subtypes A class is a subclass if it has been built using inheritance. ▫ It says nothing about the meaning.

Subclasses and Subtypes CMPS Subclasses and Subtypes A class is a subclass if it has been built using inheritance. ▫ It says nothing about the meaning.
Cs205: engineering software university of virginia fall 2006 Semantics and Specifying Procedures David Evans www.cs.virginia.edu/cs205.

Cs205: engineering software university of virginia fall 2006 Semantics and Specifying Procedures David Evans
Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.

Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.
Cs2220: Engineering Software Class 11: Subtyping and Inheritance Fall 2010 University of Virginia David Evans.

Cs2220: Engineering Software Class 11: Subtyping and Inheritance Fall 2010 University of Virginia David Evans.
1 Abstraction  Identify important aspects and ignore the details  Permeates software development programming languages are abstractions built on hardware.

1 Abstraction  Identify important aspects and ignore the details  Permeates software development programming languages are abstractions built on hardware.
Cs205: engineering software university of virginia fall 2006 Data Abstraction David Evans www.cs.virginia.edu/cs205.

Cs205: engineering software university of virginia fall 2006 Data Abstraction David Evans
Contract based programming Using pre- and post-conditions, and object invariants Contract based programming1.

Contract based programming Using pre- and post-conditions, and object invariants Contract based programming1.

Similar presentations

Ads by Google