OOSCCh11r1:DbC RJL 010928 Slide #1 OOSC: Ch11 vs. Predecessors [Meyer:] Equipped with the basic concepts of class, object and genericity, you can by now.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Design by Contract.
Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.
Semantics Static semantics Dynamic semantics attribute grammars
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Design by Contract. Design by contract is the process of developing software based on the notion of contracts between objects, which are expressed as.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management.
Software Engineering and Design Principles Chapter 1.
Design by Contract. Specifications Correctness formula (Hoare triple) {P} A {Q} – A is some operation (for example, a routine body) – P and Q are predicates.
Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer.
Software Testing and Quality Assurance
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.
Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy (anpassad för PUMA)
Chapter 1 Principles of Programming and Software Engineering.
1 Introduction to: Design by Contract Fall 2005 OOPD John Anthony.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
Describing Syntax and Semantics
Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
1 © Wolfgang Pelz Design by Contract Design by Contract™ Based on material drawn from: Bertrand.
Subclasses and Subtypes CMPS Subclasses and Subtypes A class is a subclass if it has been built using inheritance. ▫ It says nothing about the meaning.
Abstract data types What does ‘ abstract ’ mean? From Latin: to ‘ pull out ’— the essentials –To defer or hide the details –Abstraction emphasizes essentials.
Computer Science 340 Software Design & Testing Design By Contract.
Ranga Rodrigo. Class is central to object oriented programming.
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
Chapter 9 Integrity. Copyright © 2004 Pearson Addison-Wesley. All rights reserved.9-2 Topics in this Chapter Predicates and Propositions Internal vs.
Mathematical Modeling and Formal Specification Languages CIS 376 Bruce R. Maxim UM-Dearborn.
Analyzing the Requirements with Formal Specifications Vienna Development Method Specification Language (VDM-SL) Book: Formal Software Development From.
Ranga Rodrigo. The purpose of software engineering is to find ways of building quality software.
Design by Contract in Java Concept and Comparison.
SWE 619 © Paul Ammann Procedural Abstraction and Design by Contract Paul Ammann Information & Software Engineering SWE 619 Software Construction cs.gmu.edu/~pammann/
111 Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract,
Low-Level Detailed Design SAD (Soft Arch Design) Mid-level Detailed Design Low-Level Detailed Design Design Finalization Design Document.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
CS Data Structures I Chapter 2 Principles of Programming & Software Engineering.
Design by Contract Ranga Rodrigo based on Mark Priestley's Lectures.
Chapter 3 Part II Describing Syntax and Semantics.
Semantics In Text: Chapter 3.
COP4020 Programming Languages Introduction to Axiomatic Semantics Prof. Robert van Engelen.
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
1 Devon M. Simmonds, Computer Science Department Design by Contract Devon M. Simmonds Computer Science Department University of North Carolina, Wilmington.
ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.
L13: Design by Contract Definition Reliability Correctness Pre- and post-condition Asserts and Exceptions Weak & Strong Conditions Class invariants Conditions.
SWE 4743 Abstract Data Types Richard Gesick. SWE Abstract Data Types Object-oriented design is based on the theory of abstract data types Domain.
1 Assertions. 2 A boolean expression or predicate that evaluates to true or false in every state In a program they express constraints on the state that.
Defensive Programming CNS 3370 Copyright 2003, Fresh Sources, Inc.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
CSSE501 Object-Oriented Development. Chapter 10: Subclasses and Subtypes  In this chapter we will explore the relationships between the two concepts.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.
Object Design More Design Patterns Object Constraint Language Object Design Specifying Interfaces Review Exam 2 CEN 4010 Class 18 – 11/03.
Design by Contract. The Goal Ensure the correctness of our software (correctness) Recover when it is not correct anyway (robustness) Correctness: Assertions.
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
Chapter 6 CS 3370 – C++ Functions.
Design by Contract Jim Fawcett CSE784 – Software Studio
Design by Contract Jim Fawcett CSE784 – Software Studio
Semantics In Text: Chapter 3.
Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract, Computer,
Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.
Computer Science 340 Software Design & Testing
Contract-Based Programming with/without Ada 2012
Design Contracts and Errors A Software Development Strategy
Presentation transcript:

OOSCCh11r1:DbC RJL Slide #1 OOSC: Ch11 vs. Predecessors [Meyer:] Equipped with the basic concepts of class, object and genericity, you can by now write software modules that implement possibly parameterized types of data structures. Congratulations. This is a significant step in the quest for better software architectures. [But] remember the role played by semantic properties, as expressed by the axioms and preconditions. They are essential to capture the true nature of the type’s instances.

OOSCCh11r1:DbC RJL Slide #2 OOSC Ch. 11 vs. Ch. 12 (a) Chapter 11: Design by Contract views the relationship between a class and its clients as a formal agreement, expressing each party’s rights and obligations. A key problem of software engineering is how to deal with run-time errors — with contract violations. This leads to the subject of exception handling, covered in the next chapter (12). Some important extensions to the basic ideas of Design by Contract will have to wait until the presentation of inheritance, polymorphism and dynamic binding, enabling us to go from contracts to subcontracting.

OOSCCh11r1:DbC RJL Slide #3 OOSC Ch. 11 vs. Ch. 12 (b) The distribution of roles between chapters 11 and 12 roughly reflects the distinction between the two components of reliability: –Correctness was defined as the software’s ability to perform according to its specification, and –Robustness was defined as its ability to react to cases not included in the specification. Assertions (this chapter) generally cover correctness, while exceptions (next chapter) generally cover robustness.

OOSCCh11r1:DbC RJL Slide #4 11.1: Basic Reliability Mechanisms (a) In studying classes, we have — temporarily — lost sight of this semantic aspect of the ADT concept. We will need to bring it back into the method if we want our software to be not just flexible and reusable, but also correct and robust. The effort to limit inter-module communication to the strict minimum resulted in the prohibition of such common reliability risks as global variables, and in the definition of restricted communication mechanisms, the client and inheritance relations.

OOSCCh11r1:DbC RJL Slide #5 11.1: Basic Reliability Mechanisms (b) Understandability : Constant emphasis on making our software elegant and readable. Automatic memory management (specifically, garbage collection) is a crucial reliability- enhancing component of any O-O environment [in Java and Eiffel, not C++]. Static typing: Without statically enforced type rules, we would be at the mercy of run-time typing errors. From these we can now take a closer look at what it will take for a software system to be correct and robust.

OOSCCh11r1:DbC RJL Slide #6 What it means for a software element to be correct: To consider this question meaningful, you need not only the program but also a precise description of what it is supposed to do — a specification. Correctness property: Correctness is a relative notion: Software elements are correct when they are consistent with their specifications. We express such specifications through assertions. Note that OOSC’s assertions are more than C’s “assert(p)” macro call (enabled by #include ): [C’s assert(p) tests whether a certain condition p holds at a point in the software’s execution. If p is true, assert does nothing; if p is false, it calls exit() to halt the program.]

OOSCCh11r1:DbC RJL Slide #7 Correctness formula {P} A {Q}: The meani ng of {P} A {Q}: “Any execution of A, starting in a state where P holds, will terminate in a state where Q holds.” P and Q are properties of the various entities involved. A denotes an operation; P is the pre-condition that A may assume; Q is the post-condition that A must satisfy. Correctness formulae (also called Hoare triples) are a mathematical notation, not a programming construct, that helps to express properties of software elements. Example: {x >= 9} x := x + 5 {x >= 13} (This valid formula is not the strongest possible one. )

OOSCCh11r1:DbC RJL Slide #8 The Danger of Strong Pre-conditions: The strongest possible precondition is: Sinecure 1: {False} A {Q} {P} = {False} can never be satisfied => A has no responsibility whatsoever. Q is a don’t-care post-condition. (Meyer: If you ever see such an ad, don’t bother reading post-condition Q; take the job right away :-) An A which satisfies weaker pre-conditions will handle a wider range of initial conditions (and thus impose fewer constraints on its client).

OOSCCh11r1:DbC RJL Slide #9 The Danger of Weak Post-conditions: The weakest possible post- condition is: Sinecure 2:{P } A {True} Q = True is always satisfied (will never be False). A’s behavior is arbitrary (as long as it terminates). P = ? is a don’t-care pre-condition. (Why does Meyer say that this is only the second- best job in the world?) A nontrivial A must satisfy stronger post- conditions (to specify all the services required by its clients).

OOSCCh11r1:DbC RJL Slide #10 Strong vs. Weak Terminology (1) The relative notion of “stronger” vs. “weaker” formulas is formally defined in terms of logical implication: P1 is said to be stronger than P2, and P2 weaker than P1, iff P1 implies P2 (P2 is true everywhere that P1 is true) and they are not equal (P2 is also true for at least one system ‘state’* where P1 is false). Therefore, we can legitimately speak of True as the U, and False as the U, of all possible assertions, or predicates, about object values. _______ * ‘State’ means the values of all relevant data items and objects.

OOSCCh11r1:DbC RJL Slide #11 Strong vs. Weak Terminology (2) We can regard a proposition P as ‘accepting’ just those states* where it evaluates to true, and rejecting those where it is false. Since every proposition implies True, True (weakly) rejects no state. False implies every proposition, so False (strongly) rejects every state. Therefore we can regard P’s relative strength as a measure of its ‘selectivity’ or discriminating power: –True is totally accepting (weakest of the P’s). –False is totally rejecting (strongest of the P’s). __________________ * ‘State’ means values of all relevant data items and objects.

OOSCCh11r1:DbC RJL Slide #12 Specification as Documentation Once we have defined the correctness of a software element as the consistency of its implementation with its specification, we should include the specification, as well as the implementation, in the software itself. This a novel idea: –we are accustomed to programs as defining the operations that we command our HW/SW machines to execute for us (the how); –It is less common to treat the description of the software’s purposes (the what) as being part of the software itself.

OOSCCh11r1:DbC RJL Slide # : Assertion Style Syntactically, pre- and post-conditions are simply boolean expressions, with a few extensions. (1) The ‘old’’ qualifier introduced later in OSC Ch. 11, is used to deal with temporal order. (2) The semicolon is used to represent conjunctive and: n > 0 ; x /= Void (Eiffel syntax) (n>0) && (x !=Void) (‘C’ syntax) Meyer (Eiffel) also names each clause, for readability and ease of reference. For example: Positive: n > 0 Not_void: x /= Void (The semicolon is optional at the end of a line.)

OOSCCh11r1:DbC RJL Slide # : Stack Example (1) Class methods implement an abstract specification of a useful task. The features of generic class Stack[G] are: –count, empty, full, put, remove, item; The specification of each feature includes –require ; –ensure ; –invariant ; –implementation; –[side effects if pre-conditions not met? - RJL].

OOSCCh11r1:DbC RJL Slide # : Stack Example (2) Class STACK[G] feature -- access / readout count: INTEGER; -- Number of stack elements item: G is -- Top element (parametric type G) require not empty do … end feature-- status report empty: BOOLEAN is--Is stack empty? do … end full: BOOLEAN is-- Is stack full? do … end -- to be continued

OOSCCh11r1:DbC RJL Slide # : Stack Example (3) -- Class STACK[G] declaration (continued) feature -- Element change put(x:G) is-- add x on top require - pre-condition not full do … ensure-- post-condition not empty; item = x; count = old count + 1 end remove is-- Remove top element require not empty do … ensure not full; count = old count - 1 end

OOSCCh11r1:DbC RJL Slide # : Contracts for SW Reliability By associating clauses ‘require ’ and ‘ensure ’ with a routine A, the class tells its clients (in Eiffel): “If you promise to call r with satisfied, then in return, I promise to deliver a final state in which is satisfied.” The supplier of A does not have to check that the pre-conditions are valid (except to debug the clients’ code - RJL).

OOSCCh11r1:DbC RJL Slide #18 Sample Contract for Stack::put() put(x) OBLIGATIONS BENEFITS Client(Satisfy pre-condition:) (From post- condition:) (Caller)Only call put (x) on Get stack updated: a non-full stack. not empty; x on top (item yields x); count increased by 1. Supplier (Satisfy post-condition:) (From precondition:) (Stack::)Update stack represen-Simpler processing, tation to have x on top thanks to the (item yields x); //andassumption that stack count increased by 1; //andis not full. not empty.

OOSCCh11r1:DbC RJL Slide #19 Non-Redundancy Principle “Under no circumstances shall the body of a routine ever test for the routine precondition.” (Exception: debugging - see next slide - RJL.) “To obtain reliable systems we must go from the microscopic view to a macroscopic view encompassing the entire architecture.” “If we take this global view, simplicity becomes a crucial criterion.”

OOSCCh11r1:DbC RJL Slide #20 Redundant Tests for Debugging Meyer’s View: You can insert extra checks, but if you choose to enable them you will rely on the development environment to carry them out for you, and then remove them once the software has been debugged. (RJL: assert’s exit-on-fail becomes more palatable if conditional on #ifndef NDEBUG)…#endif

OOSCCh11r1:DbC RJL Slide #21 Reliability - is about Interactions: “For any system of any significant size, the individual quality of the various elements involved is not enough;” “What will count most is the guarantee that for every interaction between two elements there is an explicit roster of mutual obligations and benefits — the contract.”

OOSCCh11r1:DbC RJL Slide #22 The Process “Identify the consistency conditions that are necessary to the proper functioning of each client-supplier cooperation (each contract); Specify, for each one of these conditions, whose responsibility it is to enforce it: the client’s, or the supplier’s. The answer may vary, and is partly a matter of design style. But once you have made the decision … stick to it:”

OOSCCh11r1:DbC RJL Slide #23 Assertions - Not for User Input A pre-condition will not take care of correcting user input: –You can’t enforce contracts on users Example: A routine read_positive_integer that expects the interactive user to enter a positive number: –It is wishful thinking to include a pre-condition of the form ‘require (input > 0)’. –Include a post-condition instead: insure … //user re-entry until non-zero // implemented as a method call?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.