Presentation is loading. Please wait.

Presentation is loading. Please wait.

Contract-Based Programming with/without Ada 2012

Published byΛαμία Μεταξάς Modified over 5 years ago

Similar presentations

Presentation on theme: "Contract-Based Programming with/without Ada 2012"— Presentation transcript:

1

2 Contract-Based Programming with/without Ada 2012
Patrick Rogers 9 May 2019

3 Contract-Based Programming
The idea of source code having roles of “client” and “supplier” under a binding “contract” Example: suppliers provide subprograms, clients call them “Contracts” Specifications that govern the interaction of software elements with their clients (Bertrand Meyer) “Binding contracts” require enforcement At run-time via exceptions At compile-time in some cases During static analysis prior to compilation Meyer, A Touch of Class, pg 68 and

4 Terminology Assertion: a boolean expression expected to be True
Said “to hold” when True Precondition: an assertion expected to hold prior to a call to a given subprogram Postcondition: an assertion expected to hold after a given subprogram call returns Invariant: an assertion expected to hold for all objects of a given abstract data type when viewed as a client (i.e., from outside the defining package) Other important forms of contract as well Type predicates, global object access (Ada 202x), etc. RM

5 Contracts In Ada 2012 Pre- and postconditions specify obligations
Type invariants ensure properties of ADT objects over their lifetimes procedure Push (This : in out Stack; Value : Element) with Pre => not Full (This), Post => not Empty (This) and Top_Element (This) = Value; function Top_Element (This : Stack) return Element with Pre => not Empty (This); function Full (This : Stack) return Boolean; Caller’s Arbitrary user-defined Boolean expressions Implementer’s Any object of the type type Airlock is limited private with Type_Invariant => not Both_Hatches_Open (Airlock); Arbitrary user-defined Boolean expression

6 Pre/Postcondition Semantics
If defined, evaluated automatically at run-time Each raises an exception if evaluates to False If defined Pre False Raise Assertion_Error exception Subprogram Call Post False If defined

7 Initial (Incomplete) Pre & Post Example
generic type Element is private; package Bounded_Stacks is type Stack (Capacity : Positive) is private; procedure Push (This : in out Stack; Value : Element) with Pre => not Full (This), Post => not Empty (This) and Top_Element (This) = Value; procedure Pop (This : in out Stack; Value : out Element) with Pre => not Empty (This), Post => not Full (This); function Top_Element (This : Stack) return Element with Pre => not Empty (This); function Empty (This : Stack) return Boolean; function Full (This : Stack) return Boolean; end Bounded_Stacks;

8 Pre & Post Example Body package body Bounded_Stacks is
procedure Reset (This : in out Stack) is begin This.Top := 0; end Reset; procedure Push (This : in out Stack; Item : Element) is This.Top := This.Top + 1; This.Values (This.Top) := Item; end Push; procedure Pop (This : in out Stack; Item : out Element) is Item := This.Values (This.Top); This.Top := This.Top - 1; end Pop; end Bounded_Stacks;

9 Referencing Prior Values In Post
Values as they were just before the call Uses language-defined attribute object'Old Can be applied to most any non-limited object visible procedure Push (This : in out Stack; Item : Element) with Pre => not Full (This), Post => not Empty (This) and Top_Element (This) = Item and Extent (This) = Extent (This'Old) + 1 and Unchanged (This'Old, Within => This); function Extent (This : Stack) return Element_Count; function Unchanged (Invariant_Part, Within : Stack) return Boolean; Value before call Value after call

10 Referencing Function Result In Post
I.e., the value returned by a call to the associated function Via attribute function-name'Result Only for functions, only in postconditions function Empty (This : Stack) return Boolean with Post => Empty'Result = (Extent (This) = 0), Result of call function Total (This : Transactions_List) return Currency with Pre => All_Positive (This), Post => (if Length (This) = 0 then Total'Result = 0.0 else Total'Result >= 0.0);

11 Advantages Over Explicit Checks
Pre/postconditions can be turned off Like language-defined checks Explicit checks cannot be disabled except by changing the source code Conditional compilation via preprocessor (“ifdef”) Conditional compilation via static Boolean constants procedure Push (This : in out Stack; Value : Element) is begin if Debugging then if Full (This) then raise Overflow; end if; end Push; see OOSC pg 343, 345… Debugging : constant Boolean := True;

12 Not Using Ada 2012? Not A Problem!
Use pragma form of Pre, Post, and Type_Invariant GNAT defines the pragmas GNAT back-ports attributes ‘Old and ‘Result You won’t have some of the convenient syntax Quantified Expressions Expression Functions Conditional Expressions Hence you’ll write more function bodies than in Ada 2012 Note the Containers packages came in Ada 2005

13 Pre/Post Example in Ada 95 and 2005
generic type Element is private; The type of values contained by objects of type Stack package Bounded_Stacks_95 is type Stack (Capacity : Physical_Capacity) is private; procedure Push (This : in out Stack; Item : Element); pragma Pre (not Full (This)); pragma Post ( not Empty (This) and Top_Element (This) = Item and Extent (This) = Extent (This'Old) + 1 and Unchanged (This'Old, Within => This)); procedure Pop (This : in out Stack; Item : out Element); pragma Pre (not Empty (This)); pragma Post ( not Full (This) and Item = Top_Element (This'Old) and Extent (This) = Extent (This'Old) - 1 and Unchanged (This, Within => This'Old)); function Top_Element (This : Stack) return Element; function Empty (This : Stack) return Boolean; pragma Post (Empty'Result = (Extent (This) = 0));

14 Type Invariants

15 Type Invariants Represent conditions that must hold over the lifetime of objects Pre/postconditions apply only to subprograms Other operations change state too Assignment Others… Invariants apply across such operations Therefore additional points where checked

16 Part of Abstract Data Type (ADT) Concept
Hence only allowed for private types Bertrand Meyer calls these “Class Invariants” Checked operations are those available to clients Those define the ADT interface The “primitive operations” for a type Internal operations are not checked Part of the implementation Not visible to client code See OOSC pg 363 for discussion of this topic (“Class Invariants”) Invariant for Bank Account ADT Consistent Balance: Total Deposits - Total Withdrawals = Balance

17 Bank Account ADT with Type Invariant
Consistent Balance: Total Deposits - Total Withdrawals = Balance package Bank is type Account is private with Type_Invariant => Consistent_Balance (Account); type Currency is delta 0.01 digits 12; function Consistent_Balance (This : Account) return Boolean; private end Bank; Any object of type Account The lists are used for tracking and reporting. Called automatically for all Account objects

18 Type Invariant Verifications
Automatically inserted by compiler Evaluated as a postcondition of any operation that creates, evaluates or returns a value of the type When objects first created Assignment by clients Type conversions since that creates new instances Not evaluated on internal state changes Internal routine calls Internal assignments Remember these are abstract data types These subprograms include both the primitive ops as well as those that have a mode out param or function result of a composite type containing the type in question, as long as the op is declared in the same scope as the type in question. So a level of indirection is included for these types as well.

19 Example Type Invariant Realization (Spec)
package Bank is type Account is private with Type_Invariant => Consistent_Balance (Account); type Currency is delta 0.01 digits 12; function Consistent_Balance (This : Account) return Boolean; private package Transactions is new Ada.Containers.Doubly_Linked_Lists (Element_Type => Currency); type Account is record Owner : Unbounded_String; Current_Balance : Currency := 0.0; Withdrawals : Transactions.List; -- initially empty Deposits : Transactions.List; -- initially empty end record; function Total (This : Transactions.List) return Currency; end Bank;

20 Example Type Invariant Realization (Body)
package body Bank is function Total (This : Transactions.List) return Currency is Result : Currency := 0.0; begin for Value of This loop Result := Result + Value; end loop; return Result; end Total; function Consistent_Balance (This : Account) return Boolean is (Total (This.Deposits) - Total (This.Withdrawals) = This.Current_Balance); end Bank; No iteration if list is empty

21 Invariants Are Not Foolproof
Access to ADT representation via pointer allows back door manipulation These are private types, so access to internals must be granted by the private type’s code Granting internal representation access for an ADT is a highly questionable design!

22 Type Invariant in Ada 95/2005 package Bank_95 is
type Account is private; pragma Type_Invariant (Account, Consistent_Balance (Account)); function Consistent_Balance (This : Account) return Boolean; type Currency is delta 0.01 digits 12; procedure Deposit (This : in out Account; Amount : Currency); pragma Pre (Open (This) and Amount > 0.0); pragma Post (Balance (This) = Balance (This)'Old + Amount); private … as before, but note Containers packages are as of Ada 2005 end Bank_95;

23 Closing Remarks

24 Contract-Based Programming Benefits
Facilitates building software with reliability built-in Software cannot work well unless “well” is carefully defined Clarifies the design by defining obligations Enhances readability and understandability Specification contains explicitly expressed properties of code Aids in development and debugging Facilitates unit testing Postconditions express the unit tests’ conditions Facilitates tool-based analysis CodePeer can use the pragmas even if your (non-GNAT) compiler ignores them

25 Things Not Shown Class-wide forms
Inherited by derived types Pre_Class Post_Class Type_Invariant_Class Pragma for (static and dynamic) predicates Pragma for Default_Initial_Condition Et cetera See the GNAT Reference Manual for details “Implementation Defined Pragmas” section

26

27 Questions?

Download ppt "Contract-Based Programming with/without Ada 2012"

Similar presentations

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Design by Contract.

Design by Contract.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Programming Languages and Paradigms

Programming Languages and Paradigms
Abstract Data Types Data abstraction, or abstract data types, is a programming methodology where one defines not only the data structure to be used, but.

Abstract Data Types Data abstraction, or abstract data types, is a programming methodology where one defines not only the data structure to be used, but.
Software Engineering and Design Principles Chapter 1.

Software Engineering and Design Principles Chapter 1.
ISBN 0- 321-49362-1 Chapter 11 Abstract Data Types and Encapsulation Concepts.

ISBN Chapter 11 Abstract Data Types and Encapsulation Concepts.
1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.

1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Static and Dynamic Contract Verifiers For Java Hongming Liu.

Static and Dynamic Contract Verifiers For Java Hongming Liu.
Lecture 9 Concepts of Programming Languages

Lecture 9 Concepts of Programming Languages
Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.

Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.
Adding Contracts to Ada Ehud Lamm Adding Design By Contract to Ada.

Adding Contracts to Ada Ehud Lamm Adding Design By Contract to Ada.
Abstract Data Types and Encapsulation Concepts

Abstract Data Types and Encapsulation Concepts
Computer Science 340 Software Design & Testing Design By Contract.

Computer Science 340 Software Design & Testing Design By Contract.
Ranga Rodrigo. Class is central to object oriented programming.

Ranga Rodrigo. Class is central to object oriented programming.
PZ11A Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, 2000 1 PZ11A - Exception handling Programming Language Design.

PZ11A Programming Language design and Implementation -4th Edition Copyright©Prentice Hall, PZ11A - Exception handling Programming Language Design.
MT311 Java Application Development and Programming Languages Li Tak Sing( 李德成 )

MT311 Java Application Development and Programming Languages Li Tak Sing( 李德成 )
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.

© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
329-251 Chapter 25 Formal Methods. 329-252 Formal methods Specify program using math Develop program using math Prove program matches specification using.

Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.

Similar presentations

Ads by Google