Presentation is loading. Please wait.

Presentation is loading. Please wait.

(c) University of Washington13-1 CSC 143 Java Specifications: Programming by Contract Reading: Ch. 5.

Published byDoris Alexander Modified over 8 years ago

Similar presentations

Presentation on theme: "(c) University of Washington13-1 CSC 143 Java Specifications: Programming by Contract Reading: Ch. 5."— Presentation transcript:

1 (c) University of Washington13-1 CSC 143 Java Specifications: Programming by Contract Reading: Ch. 5

2 (c) University of Washington13-2 Interfaces Clients and implementers of an abstraction (e.g. a method or a class) agree on the interface A contract between the two parties Gives rights and responsibilities of each, to their mutual benefit “Interface” has a broad that goes beyond the Java keyword "Interface" in the narrow sense usually refers to the agreed- upon types of arguments and results and the possibly thrown exceptions Compliance enforced by Java's compile-time typechecker But this isn't a complete contract!

3 (c) University of Washington13-3 Specifications A specification is a (more) complete contract, that should include any restrictions on the allowed argument values [A constraint on the client, assumed by the implementer] what the return value must be, in terms of the argument values [A constraint on the implementer, assumed by the client] any changes in state that might happen, and when [A constraint on the implementer, assumed by the client] when any exceptions might be thrown (more on that later) [A constraint on the implementer, assumed by the client] Example: myAccount.deposit(double); //allowed args? state changes? aPerson.getAge( ); //return values? state changes?

4 (c) University of Washington13-4 Types vs Values Note the emphasis on values rather than types “any restrictions on the allowed argument values”… “what the return value must be, in terms of the argument values”… “any changes in state that might happen”… Compilers are good at checking types Compilers are weak at checking values Values are an aspect of the semantics (meaning) of a program.

5 (c) University of Washington13-5 Preconditions and Postconditions Two particularly common types of specifications are preconditions and postconditions Precondition: something that must be true before a method/constructor can be called A constraint on the client (the caller) Assumed true by the method implementation Postcondition: something that is guaranteed to be true after the method/constructor terminates execution A constraint on the implementer Assumed to be true by the client A postcondition is guaranteed only if the preconditions were true when method was called

6 (c) University of Washington13-6 Examples What would be reasonable preconditions for a square root function? a method to add a new item into a set? A method to find the earliest date on a file? What would be reasonable postconditions for a square root function? a method to add a new item into a set? A method to find the earliest date on a file?

7 (c) University of Washington13-7 Invariants An invariant is a condition that must be true at a particular point in a program Preconditions and postconditions are particular kinds of invariants But there are invariants which are neither pre- nor post-conditions There generally are an infinite number of invariants aPerson.getAge( ); "result is >= 0 and <= 150" is an invariant (postcondition) Others include "result is > -1", "result is > -2", "result is > -3", " result is < 200", "result is < 2000", "result is < 20000", etc. etc.

8 (c) University of Washington13-8 Loop Invariants Definition: something that is true on each execution of a loop body for (int index=1900; index <= 1999; index++) { /* point A */ rainfall += rainRecord[index]; /* point B */ } At points A and B, it is true that 0 <= index && index <= 1999. Other loop invariants may be harder to state. “The value of rainfall is equal to the sum of the values rainRecord[0]...rainRecord[index]” This is true at point B but not at point A!

9 (c) University of Washington13-9 Data and Class Invariants Data invariants express a relationship between variables, especially instance variables son.birthyear > mother.birthyear Data invariants often hold true over an extended portion of the program Compare with precondtions, postconditions, loop invariants: only guaranteed to be true at particular points

10 (c) University of Washington13-10 Class Invariants Class invariants express permanent requirements on the values or relationships of instance variables If employee.jobcode “Programmer”, then employee.salary > $50,000 0 <= this.size <= this.capacity The list data is stored in this.elements[0..this.size-1] A class invariant might not hold temporarily... while an object is being constructed while a method is in the middle of updating related variables,...but it must always be true by the time a constructor or method terminates Any class invariant is automatically: A postcondition of every constructor and method of that class A precondition of every method of every method of that class

11 (c) University of Washington13-11 Invariants and Inheritance When methods are overriden pre conditions can be weakened in overriding methods post conditions can be strengthened Class invariants... can be strengthened since only the class itself can ensure they are respected, can even be changed arbitrarily, as long as... inherited methods still have proper preconditions met when they're called and inheriting code only assumes inherited postconditions are true

12 (c) University of Washington13-12 Writing Bug-Free Software Program bugs can often be seen as unforeseen cases of invariants being violated Writing down invariants of all kinds is incredibly useful in design and understanding In principle: If you could write down all invariants, and have them checked as the program runs, practically all bugs would be found In reality: 1.Writing down all invariants is tedious to impossible 2.Languages give little direct support for documenting and checking invariants 3.Test cases may not sufficiently exercise invariant checking

13 (c) University of Washington13-13 Assertions – New Feature of Java 1.4 Long-time feature of C/C++ Idea: at any point in the code where some condition should hold, we can write this type of statement: assert ; If is true, execution continues normally If false, execution stops with an error, or drops into a debugger, … Asserts can be disabled without removing them from the source code Means there is no performance penalty for production code Guideline: use aggressively for consistency checking Powerful development tool; helps code to crash early Use to check all types of invariants, not just preconditions Unfortunately, not all invariants can be expressed by simple Boolean conditions.

14 (c) University of Washington13-14 Suggested Practice Include simple invariants as assert s Serves as documentation and for checking Include all non-trivial invariants as comments in the code (use @param, @return, @throws comments if appropriate) These are essential parts of the design If you don’t write them down, the reader (who may be you) will have to reconstruct them as best he/she can Whenever you update a variable, double-check any invariants that mention it to be sure the invariant still holds May need to update related variables to make this happen May need to add preconditions (e.g. no negative deposits) or explicit checks (e.g. for overdraft) to ensure they hold Helps to write the code for you!

15 (c) University of Washington13-15 Checking Preconditions: Issues Should preconditions be checked? In an ideal world, no: if all clients satisfy their preconditions, no implementations would need to check them In a world where programs have bugs: maybe we should Prefer programs that crash right away when a problem happens (controversial!) Who is responsible for checking? Most logical place is at the beginning of the called method How aggressive should we be about checking? If check all preconditions, can clutter up code Focus on checking preconditions that wouldn't crash already, and that would lead to obscure behavior if they weren't detected

16 (c) University of Washington13-16 Handling Violated Preconditions Goal: to force immediate termination Reason: the contract has been broken Assert the condition (and abort)? Throw a RuntimeException? Since these exceptions shouldn't ever be thrown, and clients shouldn't expect to handle them, they shouldn't be listed in throws clauses Not possible to handle the exception to produce some different output or clean-up operation Write error messages to System.out or System.err? Might help you during debug Of marginal help in a production environment Neither you nor the client may have access to the console window

17 (c) University of Washington13-17 Error Checking and Handling Toolbag Status returns Assert statements Throwing checked exceptions Throwing unchecked exceptions try/catch blocks Messages to console Messages to system log

18 (c) University of Washington13-18 When to do What? Some goals: Correct operation Efficient operation Uninterrupted operation Clarify of programming and design Detection of bugs Removal of bugs These goals are sometimes in conflict! Welcome to the real world...

19 (c) University of Washington13-19 Some advice 1.Draw a box around the code you are responsible for debugging 2.Inside the box, be aggressively aggressive 1.Lavish use of assert 2.Frequent invariant checking, even if redundant 3.Explicit subexpressions, single-assignment variables (helpful when using Debugger) 4.Console messages 3.Outside the box, be conservative 1.Raise exceptions 2.Write to system logs 3.Comments and documentation 4.Fail-safe recovery

Download ppt "(c) University of Washington13-1 CSC 143 Java Specifications: Programming by Contract Reading: Ch. 5."

Similar presentations

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.
Design by Contract.

Design by Contract.
Exceptions CSE301 University of Sunderland Harry Erwin, PhD.

Exceptions CSE301 University of Sunderland Harry Erwin, PhD.
11-Jun-14 The assert statement. 2 About the assert statement The purpose of the assert statement is to give you a way to catch program errors early The.

11-Jun-14 The assert statement. 2 About the assert statement The purpose of the assert statement is to give you a way to catch program errors early The.
An Introduction to Java Programming and Object- Oriented Application Development Chapter 8 Exceptions and Assertions.

An Introduction to Java Programming and Object- Oriented Application Development Chapter 8 Exceptions and Assertions.
 Both System.out and System.err are streams—a sequence of bytes.  System.out (the standard output stream) displays output  System.err (the standard.

 Both System.out and System.err are streams—a sequence of bytes.  System.out (the standard output stream) displays output  System.err (the standard.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Www.ics.mq.edu.au/ppdp ITEC200 Week02 Program Correctness and Efficiency.

ITEC200 Week02 Program Correctness and Efficiency.
Software Engineering and Design Principles Chapter 1.

Software Engineering and Design Principles Chapter 1.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
16-Jun-15 Exceptions. Errors and Exceptions An error is a bug in your program dividing by zero going outside the bounds of an array trying to use a null.

16-Jun-15 Exceptions. Errors and Exceptions An error is a bug in your program dividing by zero going outside the bounds of an array trying to use a null.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Describing Syntax and Semantics

Describing Syntax and Semantics
Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.

Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.
Fall 2007CS 225 Program Correctness and Efficiency Chapter 2.

Fall 2007CS 225 Program Correctness and Efficiency Chapter 2.
Computer Science 340 Software Design & Testing Design By Contract.

Computer Science 340 Software Design & Testing Design By Contract.
Ranga Rodrigo. Class is central to object oriented programming.

Ranga Rodrigo. Class is central to object oriented programming.

Similar presentations

Ads by Google