© Paul Ammann, 2008 Design by Contract Paul Ammann CS/SWE 332.

Slides:

Advertisements

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Advertisements

Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy Eivind J. Nordby.

Problem Solving 5 Using Java API for Searching and Sorting Applications ICS-201 Introduction to Computing II Semester 071.

Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.

 Both System.out and System.err are streams—a sequence of bytes.  System.out (the standard output stream) displays output  System.err (the standard.

Chapter 1. The Phases of Software Development. Data Structure 2 Chapter outline  Objectives  Use Javadoc to write a method’s complete specification.

Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

On the Relation between Design Contracts and Errors Karlstad University Computer Science On the Relation Between Design Contracts and Errors A Software.

Software Testing and Quality Assurance

Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy (anpassad för PUMA)

Design by Contract David Talby. Software Correctness When is a class correct? – It ’ s a relative concept; what is required? – But it ’ s the correct.

CSC 395 – Software Engineering Lecture 21: Overview of the Term & What Goes in a Data Dictionary.

Specifications Liskov Chapter 9 SWE 619 Last Updated Fall 2008.

Cs205: engineering software university of virginia fall 2006 Semantics and Specifying Procedures David Evans

Computer Science 340 Software Design & Testing Design By Contract.

Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.

Chapter 3 Introduction to Collections – Stacks Modified

Stacks - 2 Nour El-Kadri ITI Implementing 2 stacks in one array and we don’t mean two stacks growing in the same direction: but two stacks growing.

07 Coding Conventions. 2 Demonstrate Developing Local Variables Describe Separating Public and Private Members during Declaration Explore Using System.exit.

Data Structures Chapter 1- Introduction Mohamed Mustaq.A.

SWE 619 © Paul Ammann Procedural Abstraction and Design by Contract Paul Ammann Information & Software Engineering SWE 619 Software Construction cs.gmu.edu/~pammann/

Copyright © 2002, Systems and Computer Engineering, Carleton University a-JavaReview.ppt * Object-Oriented Software Development Unit.

111 Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract,

Best Practices. Contents Bad Practices Good Practices.

Software Testing Input Space Partition Testing. 2 Input Space Coverage Four Structures for Modeling Software Graphs Logic Input Space Syntax Use cases.

Today’s Agenda  Reminder: HW #1 Due next class  Quick Review  Input Space Partitioning Software Testing and Maintenance 1.

Data Abstractions EECE 310: Software Engineering.

Type Abstraction SWE Spring October 05Kaushik, Ammann Substitution Principle “In any client code, if supertype object is substituted.

CS-I MidTerm Review Hao Jiang Computer Science Department Boston College.

Computer Science 209 Software Development Handing Errors and Creating Documentation.

ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.

L13: Design by Contract Definition Reliability Correctness Pre- and post-condition Asserts and Exceptions Weak & Strong Conditions Class invariants Conditions.

Programming Techniques Lec03 Procedural Abstraction Software Engineering Fall 2005.

SWE 4743 Abstract Data Types Richard Gesick. SWE Abstract Data Types Object-oriented design is based on the theory of abstract data types Domain.

CSE 143 Lecture 4 More ArrayIntList : Pre/postconditions; exceptions; testing reading: slides created by Marty Stepp and Hélène Martin

Building Java Programs Chapter 15 Lecture 15-2: testing ArrayIntList; pre/post conditions and exceptions reading:

Karlstad University Computer Science Design Contracts and Error Management External and internal errors and their contracts.

Abstraction, Specification and Verification. Comp 302, Spring Abstraction Hiding or overlooking detail that is not relevant for the task at hand.

The Vector Class. Vector Class Write a Vector class. This will be a container class that will hold objects. It should allow the following operations:

Exceptions Lecture 11 COMP 401, Fall /25/2014.

DBC NOTES. Design By Contract l A contract carries mutual obligations and benefits. l The client should only call a routine when the routine’s pre-condition.

Effective Java, Chapter 9: Exceptions Items Last modified Fall 2012 Paul Ammann.

CORRECTNESS ISSUES AND LOOP INVARIANTS Lecture 8 CS2110 – Fall 2014.

Interfaces CMSC 202. Public Interfaces Objects define their interaction with the outside world through the their public interface. A class' public interface.

© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.

Component-Based Software Engineering Components and Interfaces Paul Krause and Sotiris Moschoyiannis.

Modular Decomposition, Abstraction and Specifications

Software Development Handing Errors and Creating Documentation

Specifications Liskov Chapter 9

Faults, Errors, Failures CS 4501 / 6501 Software Testing

Binary Search one reason that we care about sorting is that it is much faster to search a sorted list compared to sorting an unsorted list the classic.

Java Review: Reference Types

Design by Contract Fall 2016 Version.

SWE 332 Last Modified Spring 2010 Paul Ammann

Preconditions, Postconditions & Assertions

CS Week 9 Jim Williams, PhD.

CMSC 202 Lesson 22 Templates I.

Effective Java, 3rd Edition Chapter 10: Exceptions

Algorithm Correctness

Method Verification CS/SWE 332 Paul Ammann.

Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract, Computer,

IMPORTANT NOTE Some parts of these section slides deal with null ints. This was a mistake, as primitives cannot be null. These issues have been corrected.

Object Comparisons and Arrays

Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.

SWE 619 Last modified Fall 2007 Saket Kaushik, Paul Ammann

Effective Java, Chapter 9: Exceptions

Computer Science 340 Software Design & Testing

Software Specifications

Design Contracts and Errors A Software Development Strategy

Presentation transcript:

© Paul Ammann, 2008 Design by Contract Paul Ammann CS/SWE 332

© Paul Ammann, Abstraction by Specification Abstraction Implementation 1 Implementation N …

© Paul Ammann, Specifications n Way to Define Abstractions n Formality –As much as is useful –More than just English –Typically less than a language with a formal semantics –We will use industry standard (ie Javadoc) –Not intended to be a programming language!

© Paul Ammann, Parts of a Procedural Specification /** * Returns index of element in sorted list * a[] array to search; must be sorted ascending x int to search for in a if x in a, index of x in a else -1 NullPointerException if a is null */ public static int sortedSearch (int[]a, int x) Header Precondition Postconditions

© Paul Ammann, Another Example /** * Searches for index of x in a. * a[] array to be searched x element to search for index of x if x in a * else -1 if x not in a NullPointerException if a is null public static int search (int[]a, int x) No Precondition! (Precondition equals “true”) Underdetermined – what happens if x is in a more than once?

© Paul Ammann, Yet Another Example /** * sorts list into ascending order. list list to sort NullPointerException if list is null * or list contains null elements ClassCastException if elements in list are not mutually comparable public static void sort (List list) // E.g. if list = [3,1,6,1] before the call, then // list = [1,1,3,6] after the call Notice implicit treatment of duplicates Alternate notation: // E.g. if list = [3,1,6,1], then list_post = [1,1,3,6]

© Paul Ammann, What does a Contract Look Like? n Consider the triple: {P} S {Q} –P is the precondition (Requires clause) –Q is the postcondition (Effects clause) –S is the program text n The Customer (client) is obligated to establish P. n The Implementor (service) may assume P n The Customer is entitled to Q n The Implementor is obligated to provide Q n That’s it!

© Paul Ammann, What happens when a Contract Breaks? n If everyone does their job, there is no problem! n If the precondition is not satisfied, the Customer is wrong! (The client has a bug). n If the precondition is satisfied, but the postcondition is not, then the Service is wrong (The server has a bug). n The Client can’t do the Server’s job! n The Server can’t do the Client’s job!

© Paul Ammann, n Suppose you are fixing a fault in a program. –What justification is there for a proposed change? n Example Context: code considered correct..... code identifed as wrong vs. proposed correct code..... more code considered correct Application of Contract Model to Debugging {P} {Q}

© Paul Ammann, /** * returns number of zeroes in arr. arr[] array to count zeroes in NullPointerException if arr is null */ public static int numZero (int[] arr) { int count = 0; for (int i=1; i < arr.length; i++) { if (arr[i] == 0) {count++} }return count;} Example {inv: count has # zeros in arr[0..-1]} {inv: count has # zeros in arr[0..i-1]}

© Paul Ammann, What does the Client like? n Since preconditions are Client obligations, the Client would prefer not to have any! n From the Client’s perspective, “true” is the best precondition. In general, weaker preconditions are better. n The Client is happy to have any postcondition that is strong enough to meet the Client’s needs.

© Paul Ammann, What does the Server like? n Since preconditions are Server benefits, the Server would prefer to have lots of them! n From the Server’s perspective, “false” is the best precondition. In general, stronger preconditions mean an easier job with the implementation. n The Server prefers weak postconditions. Each additional constraint in a postcondition is an additional obligation on the Server.

© Paul Ammann, Problems with Eliminating Preconditions n Forcing the Server to handle “weird” cases can lead to inefficient, bulky (read “error prone”) code. n For “local” use, therefore, preconditions can be extremely powerful (and appropriate). n Example: Consider the “partition” method in a quicksort routine. It would be weird to handle the case where the array indices were out of bounds.

© Paul Ammann, More Problems with Eliminating Preconditions n What if the Implementer can’t provide a good “default” (ie Defensive Programming)? n Consider this (undocumented!) code: public static double sqrt (double x) { if (x < 0) { handle problem somehow return some value (what?) } else { proceed with normal square root computation return y such that y*y is approximately x }

© Paul Ammann, Dissecting the Square Root Example n What could possibly be a correct “default”? –Printing an error message? Not a comforting thought to certain end users (ie pilots). n What could possibly be a reasonable return value? n The Lesson: The Server is not in a position to define behavior. That’s the Client’s job. (through the contract mechanism).