David Evans CS201j: Engineering Software? University of Virginia Computer Science Lecture 3: Abstraction by Specification.

4 September 2003, CS 201J Fall 2003

Menu
– Validation
– Abstraction by Specification

Testing Recap
Testing can find problems, but can't prove your program works.
– Since exhaustive testing is impossible, select test cases with the maximum probability of finding bugs.
– A successful test case is one that reveals a bug in your program!
If we can't test all possible paths through a program, how can we increase our confidence that it works?

Analysis
Make claims about all possible paths by examining the program code directly, without executing it.
– Use the formal semantics of the programming language to know what things mean.
– Use formal specifications of procedures to know what they do.

Hopelessness of Analysis
It is impossible to correctly determine whether an arbitrary interesting property holds for an arbitrary program.
The Halting Problem: it is impossible to write a program that determines whether an arbitrary program halts.

Compromises
Accept unsoundness and incompleteness.
– False negatives: sometimes an analysis tool reports no warnings for a program even though the program violates a property the tool checks. A tool that can miss real violations is unsound.
– False positives: sometimes an analysis tool reports warnings for a program that is actually okay. A tool that can reject correct programs is incomplete.
Because of the Halting Problem, no tool that checks an interesting property can be both sound and complete on all programs; a practical tool picks which way to err.

Extended Static Checking (ESC/Java)
Analysis tool developed at the DEC/Compaq/HP Research Lab.
It is unsound and incomplete:
– False negatives: just because it finds no warnings doesn't mean your code is correct.
– False positives: sometimes it warns even when your code is correct.
PS2: use it without adding annotations.
Later: use annotations to document program assumptions.

Abstraction by Specification

Managing Complexity
Divide the problem into subproblems that
– can be solved independently
– can be combined to solve the original problem
How do we know they can be solved independently?
How do we know they can be combined to solve the original problem?

Abstraction
[Diagram: implementations I1, I2, I3, I4 and I5 all map to the single abstraction A.]
An abstraction is a many-to-one map.

Using Abstractions
[Diagram: a Client uses the abstraction A, which may be provided by any of the implementations I1 through I5.]
When a client uses an abstraction, it should work as the client expects no matter which implementation is provided.
How should the client know what to expect?

Specification
Tells the client of an abstraction what she can expect it to do.
Tells the implementer of an abstraction what the implementation must do to satisfy the client.
Contract between client and implementer:
– The client will rely only on behavior described by the specification.
– The implementer will provide an implementation that satisfies the specification.

Good Specifications
Clear, precise and unambiguous
– Clients and implementers will agree on what they mean.
Complete
– Describe the behavior of the abstraction in all situations.
Declarative
– Describe what the abstraction should do, not how it should do it.

Formality of Specifications
Informal: written in a natural language (e.g., English)
– People can disagree on what it means.
– There are degrees of informality.
Formal: written in a specification language
– Meaning is defined by the specification language (whose own meaning is defined precisely, but eventually informally).
– May be analyzed by machines.

What do you call people who decide what informal specifications mean?

Example Informal Specification
"Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted."
– 8th Amendment

Correct Implementation?

    public static boolean violatesEighthAmendment (Punishment p) {
        // EFFECTS: Returns true if p violates the 8th
        //          amendment: cruel and unusual
        //          punishments.
        return (p.isCruel () && p.isUnusual ());
    }

Or did they mean p.isCruel () || p.isUnusual ()?

Example (Good?) Informal Specification: Law 11
A player is in an offside position if:
– he is nearer to his opponents' goal line than both the ball and the second last opponent
A player is not in an offside position if:
– he is in his own half of the field of play, or
– he is level with the second last opponent, or
– he is level with the last two opponents
Offence
A player in an offside position is only penalised if, at the moment the ball touches or is played by one of his team, he is, in the opinion of the referee, involved in active play by:
– interfering with play, or
– interfering with an opponent, or
– gaining an advantage by being in that position
No Offence
There is no offside offence if a player receives the ball directly from:
– a goal kick, or
– a throw-in, or
– a corner kick.

Procedural Specifications
A specification for a procedure describes:
– what its inputs are
– what the mapping between inputs and outputs is
– what it can do to the state of the world

Requires and Effects
Header: name of the procedure, types of the parameters and return value
– the Java declaration
Clauses (comments in Java):
– REQUIRES: precondition the client must satisfy before calling
– EFFECTS: postcondition the implementation must satisfy at return

Contract
The client promises to satisfy the precondition in the requires clause.
The implementer promises that if the client satisfies the precondition, the return value and the state when the procedure returns will satisfy the postcondition.

Specification Contract

    f ()
    REQUIRES: precondition
    EFFECTS: postcondition

    precondition { f () ; } postcondition

If the precondition is true, then after we call f () the postcondition is true.

Specification Example

    public String bestStock ()
        // REQUIRES: false
        // EFFECTS: Returns the name of the
        //          best stock to buy on the NASDAQ
        //          tomorrow.

Can we implement a procedure that satisfies this specification?
Yes, any implementation will satisfy this specification! If the precondition in the requires clause is not satisfied, the procedure can do anything and still satisfy its specification.

Specification Example

    public String bestStock ()
        // REQUIRES: true
        // EFFECTS: Returns the name of the
        //          best stock to buy on the NASDAQ
        //          tomorrow.

Can we implement a procedure that satisfies this specification?
No. With REQUIRES: true the implementer owes the correct answer on every call, and no implementation can know tomorrow's best stock.

Requires Clauses
The weaker (easier to satisfy) the requires clause:
– the more useful the procedure is for clients
– the more difficult it is to implement correctly
– the more difficult it is to test (more inputs are legal)
Avoid requires clauses unless there is a good reason to have one.
– The default requires clause is REQUIRES: true
– The client doesn't need to satisfy anything before calling.

Specification Example

    public static int biggest (int [ ] a)
        // REQUIRES: true
        // EFFECTS: Returns the value of the
        //          biggest element of a.

Is this a reasonable specification?
No. What should the client expect to happen if a is empty? The specification says nothing about that case, so it is not complete.

Specification Example

    public static int biggest (int [ ] a)
        // REQUIRES: a has at least one element.
        // EFFECTS: Returns the value of the
        //          biggest element of a.

Is this a good specification?
Maybe, depending on the client. It's risky: if a client ever passes an empty array, the specification permits any behavior at all, and nothing in the procedure is obliged to notice the mistake.

Specification Example

    public static int biggest (int [ ] a)
        // REQUIRES: true
        // EFFECTS: If a has at least one
        //          element, returns the value of the biggest
        //          element of a. Otherwise, returns
        //          Integer.MIN_VALUE (smallest int
        //          value).

Better, but the client now has to deal with a special case. Note also that Integer.MIN_VALUE is itself a legal element value, so the client cannot distinguish an empty array from an array whose biggest element is Integer.MIN_VALUE. Best would probably be to use an exception...
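The three contracts for biggest discussed above, together with the Requires/Effects contract from the earlier slides, side by side as an added example (this is not code from the lecture or the problem sets). It shows what a client actually observes when it violates a REQUIRES clause, why the Integer.MIN_VALUE sentinel is ambiguous, and how the exception version keeps the procedure total. The specification comments use the course's REQUIRES/MODIFIES/EFFECTS style; the //@ requires and //@ ensures lines restate the first contract in the annotation form used by ESC/Java and JML. Class and method names are chosen here for illustration; null arguments are not addressed, just as the slides do not address them.

```java
// Added example, not from the lecture: the three contracts for biggest()
// and what a client sees when it breaks each one.
public class BiggestContracts {

    // Version 1: the precondition is pushed onto the client.
    //@ requires a != null && a.length > 0;
    //@ ensures (\forall int i; 0 <= i && i < a.length; a[i] <= \result);
    // REQUIRES: a has at least one element.
    // MODIFIES: nothing
    // EFFECTS:  Returns the value of the biggest element of a.
    public static int biggestRequires(int[] a) {
        int max = a[0];          // a[0] is legal only because of the REQUIRES clause
        for (int i = 1; i < a.length; i++) {
            if (a[i] > max) max = a[i];
        }
        return max;
    }

    // Version 2: total function with a sentinel value.
    // REQUIRES: true
    // MODIFIES: nothing
    // EFFECTS:  If a has at least one element, returns the value of the biggest
    //           element of a. Otherwise returns Integer.MIN_VALUE.
    public static int biggestSentinel(int[] a) {
        int max = Integer.MIN_VALUE;
        for (int x : a) {
            if (x > max) max = x;
        }
        return max;
    }

    // Version 3: total function that reports the special case as an exception.
    // REQUIRES: true
    // MODIFIES: nothing
    // EFFECTS:  If a has at least one element, returns the value of the biggest
    //           element of a. Otherwise throws IllegalArgumentException.
    public static int biggestOrThrow(int[] a) {
        if (a.length == 0) {
            throw new IllegalArgumentException("biggest: array is empty");
        }
        return biggestRequires(a);   // the check above establishes version 1's precondition
    }

    public static void main(String[] args) {
        int[] nonEmpty = {3, 9, -4};         // constructed sample input
        int[] empty = {};
        int[] onlyMin = {Integer.MIN_VALUE}; // constructed edge case

        System.out.println(biggestRequires(nonEmpty));  // 9: the client honoured the contract

        // The client violates the REQUIRES clause: the spec now allows any behaviour.
        // This implementation happens to throw ArrayIndexOutOfBoundsException;
        // another correct implementation could just as well return garbage.
        try {
            biggestRequires(empty);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("precondition violated, behaviour unspecified: " + e);
        }

        // The sentinel contract is total but conflates two distinct inputs:
        // an empty array and an array containing only Integer.MIN_VALUE.
        System.out.println(biggestSentinel(empty) == biggestSentinel(onlyMin));  // true

        // The exception contract is total and keeps the two cases distinct.
        System.out.println(biggestOrThrow(onlyMin));     // -2147483648
        try {
            biggestOrThrow(empty);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The security-relevant point is the first case: a REQUIRES clause is a trust boundary. When the array comes from outside the program, the "client" who must establish the precondition is whoever supplied the input, and the procedure has agreed in advance to do anything at all if they did not.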

Bad Use of Requires Clause
A bug was discovered in Microsoft Outlook that treats messages starting with "begin " followed by two spaces as empty attachments (and can be exploited by viruses). The suggested workaround:
– Do not start messages with the word "begin" followed by two spaces.
– Use only one space between the word "begin" and the following data.
– Capitalize the word "begin" so that it reads "Begin."
– Use a different word such as "start" or "commence".
This is a requires clause imposed on every sender of e-mail, including hostile ones, which is exactly the kind of client that cannot be trusted to satisfy a precondition.
from

Modifies
How does a client know a is the same after biggest returns?

    public static int biggest (int [ ] a)
        // REQUIRES: true
        // EFFECTS: If a has at least one element,
        //          returns the value of the biggest element of a.
        //          Otherwise, returns Integer.MIN_VALUE
        //          (smallest int value).

Reading the effects clause is enough: if biggest modifies anything, the effects clause should describe it. But that is a lot of work for the reader.

Modifies
Modifies clause: any state not listed in the modifies clause may not be changed by the procedure.

    public static int biggest (int [ ] a)
        // REQUIRES: true
        // MODIFIES: nothing
        // EFFECTS: If a has at least one element,
        //          returns the value of the biggest element of a.
        //          Otherwise, returns Integer.MIN_VALUE
        //          (smallest int value).

Modifies Example

    public static void replaceBiggest (int [ ] a, int [] b)
        // REQUIRES: a and b both have at least one
        //           element
        // MODIFIES: a
        // EFFECTS: Replaces the value of the biggest
        //          element in a with the value of the biggest
        //          element in b.
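An implementation of the replaceBiggest specification above, plus a check of its MODIFIES clause, as an added example (not code from the lecture). The check is the kind a tester writes for a frame condition: snapshot the arguments, call the procedure, and confirm that b is untouched and that a changed in at most one position. The class name, the checker method and the sample arrays are chosen here for illustration.

```java
import java.util.Arrays;

// Added example, not from the lecture: replaceBiggest() with its MODIFIES
// clause, and a checker that confirms the frame condition on one input pair.
public class ModifiesExample {

    // REQUIRES: a and b both have at least one element
    // MODIFIES: a
    // EFFECTS:  Replaces the value of the biggest element in a with the value
    //           of the biggest element in b.
    public static void replaceBiggest(int[] a, int[] b) {
        int idx = 0;                              // index of (a) biggest element of a
        for (int i = 1; i < a.length; i++) {
            if (a[i] > a[idx]) idx = i;
        }
        int bMax = b[0];                          // b[0] is legal by the REQUIRES clause
        for (int x : b) {
            if (x > bMax) bMax = x;
        }
        a[idx] = bMax;                            // the only write; b is never written
    }

    // Checks the frame condition of replaceBiggest on one input pair:
    // b must be untouched, and a may differ from its old value in at most one
    // position (the spec does not say which element is replaced on ties, and the
    // value may be unchanged if both maxima are equal). Returns true if the
    // observed behaviour is consistent with the MODIFIES and EFFECTS clauses.
    public static boolean frameConditionHolds(int[] a, int[] b) {
        int[] aBefore = a.clone();                // snapshots belong to the checker,
        int[] bBefore = b.clone();                // not to the procedure under test
        replaceBiggest(a, b);

        if (!Arrays.equals(b, bBefore)) {
            return false;                         // b is not in the MODIFIES clause
        }
        int changed = 0;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != aBefore[i]) changed++;
        }
        return changed <= 1;
    }

    public static void main(String[] args) {
        int[] a = {1, 7, 3};   // constructed sample input
        int[] b = {2, 5, 4};
        System.out.println(frameConditionHolds(a, b));   // true
        System.out.println(Arrays.toString(a));          // [1, 5, 3]
        System.out.println(Arrays.toString(b));          // [2, 5, 4]
    }
}
```

A MODIFIES clause is what lets a client keep using b (and the rest of a) without re-reading the implementation; the checker above is how to catch an implementation that quietly violates it.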

Defaults
What should it mean when there is no requires clause? REQUIRES: true
What should it mean when there is no modifies clause? MODIFIES: nothing
What should it mean when there is no effects clause? Meaningless. (You lose points for not writing a specification.)

Specifications in CS201J
PS2
– Informal, but precise
– Use Requires/Modifies/Effects clauses
– You need a very good reason to have a precondition stronger than true (especially after we cover exceptions).
PS3 and later
– Informal and some formal
– Formal specifications as ESC/Java annotations
– These don't describe all behavior (so you still need the informal specs).

PS1 Informal Specification
"If a cell is currently dead and has three live neighbors, then it becomes a live cell. If a cell is currently alive and has two or three live cells it remains alive. Otherwise, the cell dies."
Any ambiguities in this?
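One reading of the PS1 rule made precise in code, as an added example (this is not the problem set's own code). The informal specification leaves several things open, and each choice below is an assumption stated in the comments: "neighbors" means the eight surrounding cells and not the cell itself; "live cells" in the second sentence means live neighbors; "three" and "two or three" are exact counts; and cells beyond the edge of the grid count as dead. A different reading (for instance a grid that wraps around) would be a different, equally valid refinement of the English. Class and method names are chosen here for illustration.

```java
// Added example, not from PS1: the informal rule refined into code, with
// every interpretation the English leaves open recorded as an assumption.
public class LifeRule {

    // REQUIRES: true
    // MODIFIES: nothing
    // EFFECTS:  Returns the next state of a cell given its current state and its
    //           number of live neighbors (assumed to mean the eight surrounding
    //           cells, so 0..8). Throws IllegalArgumentException otherwise.
    public static boolean nextState(boolean alive, int liveNeighbors) {
        if (liveNeighbors < 0 || liveNeighbors > 8) {
            throw new IllegalArgumentException("liveNeighbors out of range: " + liveNeighbors);
        }
        if (!alive) {
            return liveNeighbors == 3;                       // birth: exactly three
        }
        return liveNeighbors == 2 || liveNeighbors == 3;    // survival; otherwise the cell dies
    }

    // MODIFIES: nothing
    // EFFECTS:  Returns the number of live cells among the eight neighbors of
    //           (r, c). Assumption: positions off the edge of the grid are dead.
    public static int countLiveNeighbors(boolean[][] grid, int r, int c) {
        int count = 0;
        for (int dr = -1; dr <= 1; dr++) {
            for (int dc = -1; dc <= 1; dc++) {
                if (dr == 0 && dc == 0) continue;            // the cell itself is not a neighbor
                int rr = r + dr, cc = c + dc;
                if (rr >= 0 && rr < grid.length && cc >= 0 && cc < grid[rr].length && grid[rr][cc]) {
                    count++;
                }
            }
        }
        return count;
    }

    // MODIFIES: nothing
    // EFFECTS:  Returns a new grid holding the next generation of grid; all cells
    //           are updated from the same old generation.
    public static boolean[][] step(boolean[][] grid) {
        boolean[][] next = new boolean[grid.length][];
        for (int r = 0; r < grid.length; r++) {
            next[r] = new boolean[grid[r].length];
            for (int c = 0; c < grid[r].length; c++) {
                next[r][c] = nextState(grid[r][c], countLiveNeighbors(grid, r, c));
            }
        }
        return next;
    }

    public static void main(String[] args) {
        // Constructed sample: a vertical blinker, which should become horizontal.
        boolean[][] g = {
            {false, true, false},
            {false, true, false},
            {false, true, false},
        };
        boolean[][] n = step(g);
        for (boolean[] row : n) {
            StringBuilder sb = new StringBuilder();
            for (boolean cell : row) sb.append(cell ? '#' : '.');
            System.out.println(sb);   // prints ... then ### then ...
        }
    }
}
```

Writing the assumptions down in the specification comments is the point: two students who refine the same English differently (say, counting the cell itself, or wrapping at the edges) would both believe they had implemented it, and only a more precise specification can say which of them is right.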

PS1 Comments
Java has a real boolean type: isAlive () means isAlive () == true. Note this is not true in C++!
Read the coding guidelines
– Choose names wisely
– Comment usefully, but not gratuitously
Don't put your SSN on assignments
– You should keep it as secret as possible
– The University shouldn't use it as an identifier
– Ask for a student ID number that is not your SSN

Charge
CS201J Bug Bounty
– If you find a bug in the code we provide, you get 10 bonus points.
– If you find a bug in the Java compiler or API code, you get 50 bonus points.
– If you find a bug in ESC/Java or the ESC/Java specs, you get 5 bonus points.
PS2 due Tuesday
– Much longer than PS1