Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations.

Published byElias Halter Modified over 10 years ago

Similar presentations

Presentation on theme: "Ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations."— Presentation transcript:

1 ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations

2 ceg860(Prasad)L10DC2 Correctness correctImplementation is correct relative to a specification. { P } S { Q } Precondition binds the client. It is an obligation for the client and a benefit for the supplier. Postcondition binds the supplier (routine). It is an obligation for the supplier and a benefit for the client. Non-Redundancy Principle Non-Redundancy Principle

3 ceg860(Prasad)L10DC3 Spec vs Impl Spec: pre: x=0 /\ y=3 post: x=3 /\ y=0 Implementations x := 3; y := 0 x :=x+y; y:=x*y t=x; x=y; y=t; Spec? pre: true post: x*x = 2 Spec pre: > 0 post: x*x -2 <

4 ceg860(Prasad)L10DC4 Insertion Sort (define (insertion-sort lon) (if (null? lon) () (insert (car lon) (insertion-sort (cdr lon)) ) // car = first/head, cdr = rest/tail (insertion-sort '(2 3 1 4 7 5) ) = (1 2 3 4 5 7)

5 ceg860(Prasad)L10DC5 (define (insert n lon) (cond ((null? lon) (list n)) ((> n (car lon)) (cons (car lon) (insert n (cdr lon)) ) (else (cons n lon)) )) Precondition : lon is ordered. Postcondition : (insert n lon) is ordered.

6 ceg860(Prasad)L10DC6 Assertions In theory, assertions are first-order logic formulae. In a programming language, assertions are computable boolean expressions that can contain program variables, arithmetic/boolean operations, and possibly, user-defined functions.

7 ceg860(Prasad)L10DC7 (contd) In Eiffel, the expression OLD attr in postcondition denotes the value of the attribute attr on routine entry. In general, the preconditions must not use features hidden from the clients. However, the postconditions can use any feature, even though only clauses without hidden features are directly usable by the client.

8 ceg860(Prasad)L10DC8 Algebraic Specification Example

9 ceg860(Prasad)L10DC9 ADT GStack create: -> GStack push: Gstack x G -> GStack pop: Gstack -> GStack top: GStack -> G empty: Gstack -> boolean constructors : create, push observers : top, empty non-constructors :pop

10 ceg860(Prasad)L10DC10 Forall s GStack, x G : pop(push( s, x )) = s top(push( s, x )) = x empty(create()) = true empty(push( s, x )) = false Preconditions: pop( s ) requires s =/= create() top( s ) requires s =/= create()

11 ceg860(Prasad)L10DC11 ADT (Bounded) GStack create: int -> GStack push: Gstack x G -> GStack pop: Gstack -> GStack top: GStack -> G empty: Gstack -> boolean full: Gstack -> boolean constructors : create, push observers : top, empty, full non-constructors :pop

12 ceg860(Prasad)L10DC12 Auxiliary functions: Forall s Gstack Terms : n int, x G : n >0 : count(create( n )) = 0 count(push( s, x )) = 1 + count( s ) capacity(create( n )) = n capacity(push( s, x )) = capacity( s )

13 ceg860(Prasad)L10DC13 Preconditions: Forall s Gstack Terms, n int, x G : n >0 : pop( s ) requires s =/= create( n ) top( s ) requires s =/= create( n ) push( s,x ) requires capacity( s ) >= count( s ) + 1

14 ceg860(Prasad)L10DC14 Forall s GStack, n int, x G : n >0 : pop(push( s, x )) = s top(push( s, x )) = x empty(create( n )) = true empty(push( s, x )) = false full( s ) = (capacity( s ) = count( s ))

15 ceg860(Prasad)L10DC15 Specifying Class

16 ceg860(Prasad)L10DC16 Categories of Operations Creators ( … x … Constructors Queries (… x T x … …) Observers Commands (… x T x … Constructors, Non-constructors

17 ceg860(Prasad)L10DC17 class IntStack { private int capacity ; private int count; public IntStack(int c) {... // require: c >=0 // ensure: capacity = c // ensure: empty() // ensure: count = 0 } public void push(int e) {... // require: not full() // ensure: top() = e // ensure: not empty() // ensure: count = old count + 1 }

18 ceg860(Prasad)L10DC18 public void pop() {... // require: not empty() // ensure: not full() // ensure: count = old count - 1 } public int top() {... // require: not empty() } public boolean empty() {...} public boolean full() {...} // class invariants: // empty() = (count = 0) // full() = (count = capacity) // pop(push(e)) = identity-map }

19 ceg860(Prasad)L10DC19 Class Invariant class invariantA class invariant for C is a set of assertions that every instance of C must satisfy at all stable times. That is, immediately after its creation and before/after a public method call (by a client). The class invariant relates attributes and/or functions. E.g., 0 <= count <= capacity E.g., (count > 0) => (s[count] = top())

20 ceg860(Prasad)L10DC20 Role of Class Invariants in Software Engineering InvariantsInvariants not only apply to the routines actually written in the class, but also to any routines added later. Correctness of a method methCorrectness of a method meth {P and Inv} meth_body {Q and Inv} Role of constructor definitionsRole of constructor definitions If default initialization of the fields violates class invariant, an explicit constructor is needed.

21 ceg860(Prasad)L10DC21 From ADT specs to Pre-Post Conditions function routineA precondition for a specs function reappears as a precondition for the corresponding routine. command queries procedureAxioms involving a command (possibly with queries) reappear as postconditions of the corresponding procedure.

22 ceg860(Prasad)L10DC22 (contd) queries functionsclausesAxioms involving only queries reappear as postconditions of the corresponding functions or as clauses of the class invariant. creator constructor procedureAxioms involving a creator reappear in the postcondition of the corresponding constructor procedure.

23 ceg860(Prasad)L10DC23 Introducing Representation class IntStack { private int[] s ;... public IntStack(int c) {... // ensure: s =/= null }; public void push(int e) {... // ensure: s[count] = e // ensure: for i in [1..count-1] do // s[i] = old s[i] }; public void pop() {... // ensure: for i in [1..count-1] do // s[i] = old s[i] };... } //--FRAME AXIOMS--//

24 ceg860(Prasad)L10DC24 Model-based Spec. and Impl. Implementation/Representation invariant Assertion characterizing the set of concrete objects that are implementations of the abstract objects (cf. class invariant). Abstraction function Maps a concrete object (satisfying representation invariant) to the corresponding abstract object. ontonot one-oneUsually onto but not one-one.

25 ceg860(Prasad)L10DC25 Bugs A run-time assertion violation is a manifestation of a bug in the software. Precondition violation : Bug in the client. Postcondition violation : Bug in the supplier. Error A wrong decision made during software development. Defect The property of a software that may cause the system to depart from its intended behavior. Fault The event of a software departing from its intended behavior.

26 ceg860(Prasad)L10DC26 Failure failsA routine call fails if it terminates its execution in a state that does not satisfy the routines contract. Violates postcondition or class invariant. Calls a routine whose precondition is violated. Causes an abnormal OS signal such as arithmetic overflow, memory exhaustion, etc.

27 ceg860(Prasad)L10DC27 Exception exceptionAn exception is a run-time event that may cause a routine call to fail. Every failure results from an exception, but not every exception results in a failure (if the routine can recover from it).

28 ceg860(Prasad)L10DC28 Disciplined Exception Handling Rescue Clause –Retry Attempt to change the conditions that led to the exception and execute the routine again from the start (possibly, exploring alternatives). –Software fault tolerance. { true } Retry_Body { Inv and Pre } –Failure Clean-up the environment (restore the invariant), terminate the call and report failure to the caller. { true } Rescue_Body { Inv }

29 ceg860(Prasad)L10DC29 Developer Exceptions Exceptions are propagated up the call chain (dynamic). A supplier code can define an exception and raise it, to enable context-sensitive handling of the exception by the various clients. –In Java, an exception is a typed packet of information (object), which is useful in locating and diagnosing faults. Checked exceptions contribute to robustness by forcing the client to process exception explicitly, or propagate it explicitly.

Download ppt "Ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations."

Similar presentations

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.

Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.

Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.
Chair of Software Engineering Software Architecture Prof. Dr. Bertrand Meyer Lecture 6: Exception Handling.

Chair of Software Engineering Software Architecture Prof. Dr. Bertrand Meyer Lecture 6: Exception Handling.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
1 - 7 - Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management.

Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Chair of Software Engineering ATOT - Lecture 25, 30 June 2003 1 Advanced Topics in Object Technology Bertrand Meyer.

Chair of Software Engineering ATOT - Lecture 25, 30 June Advanced Topics in Object Technology Bertrand Meyer.
Design by Contract. Specifications Correctness formula (Hoare triple) {P} A {Q} – A is some operation (for example, a routine body) – P and Q are predicates.

Design by Contract. Specifications Correctness formula (Hoare triple) {P} A {Q} – A is some operation (for example, a routine body) – P and Q are predicates.
Chair of Software Engineering OOSC - Summer Semester 2005 1 Object-Oriented Software Construction Bertrand Meyer Lecture 15: Exception handling.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer Lecture 15: Exception handling.
-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.

-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 6: Object Creation.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 6: Object Creation.
JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.

JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.
Exceptions David Rabinowitz. March 3rd, 2004 Object Oriented Design Course 2 The Role of Exceptions Definition: a method succeeds if it terminates in.

Exceptions David Rabinowitz. March 3rd, 2004 Object Oriented Design Course 2 The Role of Exceptions Definition: a method succeeds if it terminates in.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 6: Object Creation.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 6: Object Creation.

Similar presentations

Ads by Google