Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert.

Published byClaribel O’Brien’ Modified over 8 years ago

Similar presentations

Presentation on theme: "CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert."— Presentation transcript:

1 CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert

2 Where we are Talked about testing, but not what (partially) correct was What does it mean to say a program is “correct”? How do we talk about what a program should “do”? What do we do when it “doesn’t”? 2

3 Specifying code? We made a big assumption, that we know what the code is supposed to do! Often, a complete specification is at least as difficult as writing the code. But: –It’s still worth thinking about –Partial specifications are better than none –Checking specifications (at compile-time and/or run-time) is great for finding bugs early and “assigning blame” 3

4 Full specification Often tractable for very simple stuff: “Given integers x,y>0, return their greatest common divisor.” What about sorting a doubly-linked list? –Precondition: Can input be NULL ? Can any prev and next fields be NULL ? Can the list be circular or not? –Postcondition: Sorted (how to specify?) And there’s often more than “pre” and “post” – time/space overhead, other effects (such as printing), things that may happen in parallel Specs should guide programming and testing! Should be declarative (“what” not “how”) to decouple implementation and use. 4

5 Pre/post conditions and invariants Pre- and post-conditions apply to any statement, not just functions –What is assumed before and guaranteed after Because a loop “calls itself” its body’s post-condition better imply the loop’s precondition –A loop invariant Example: find max (next slide) Meaning of “correct”: a segment of code is correct if, when it begins execution in a state where its precondition is true, it is guaranteed to terminate in a state in which the postcondition is true 5

6 Pre/post conditions and invariants // pre: arr has length len; len >= 1 int max = arr[0]; int i=1; while(i<len) { if(arr[i] > max) max = arr[i]; ++i; } // post: max >= all arr elements loop-invariant: For all j =arr[j]. to show it holds after the loop body, must assume it holds before loop body loop-invariant plus !(i<len) after body, enough to show post 6

7 Partial specifications The difficulty of full specifications need not mean abandoning all hope Useful partial specs: –Can args be NULL ? –Can args alias? –Are pointers to stack data allowed? Dangling pointers? –Are cycles in data structures allowed? –What is the minimum/maximum length of an array? –... Guides callers, callees, and testers 7

8 Beyond testing Specs are useful for more than “things to think about while coding” and testing and comments Sometimes you can check them dynamically, e.g., with assertions (all examples true for C and Java) –Easy: argument not NULL –Harder but doable: list not cyclic –Impossible: Does the caller have other pointers to this object? 8

9 assert in C #include void f(int *x, int*y) { assert(x!=NULL); assert(x!=y);... } assert is a macro; ignore argument if NDEBUG defined at time of #include, else evaluate and if zero (false!) exit program with file/line number in error message Watch Out! Be sure that none of the code in an assert has side effects that alter the program’s behavior. Otherwise you get different results when assertions are enabled vs. when they are not 9

10 assert style Many guidelines are overly simply and say “always” check everything you can., but: –Often not on “private” functions (caller already checked) –Unnecessary if checked statically “Disabled” in released code because: –executing them takes time –failures are not fixable by users anyway –assertions themselves could have bugs/vulnerabilities Others say: –Should leave enabled; corrupting data on real runs is worse than when debugging 10

11 assert vs exceptions; error checking Suppose a condition should be true at a given point in the program, but it’s not. What do we do? Common practice: –If the condition involves preconditions of a public interface (x  0, list not full, p not NULL,…), treat a failure as an error and throw an exception or terminate with an error code Don’t trust client code you don’t control! –If the condition is an internal matter, a failure represents a programming error (bug). Check this with assert 11

12 Static checking A stronger type system or other code-analysis tool might take a program and examine it for various kinds of errors –Plusses: earlier detection (“coverage” without running program), faster code –Minus: Potential “false positives” (spec couldn’t ever actually be violated, but tool can’t prove that) Deep CS theory fact: Every code-analysis tool proving a non-trivial fact has either false positives (unwarranted warning) or false negatives (missed bug) or both Deep real-world fact: That doesn’t make them unuseful 12

Download ppt "CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert."

Similar presentations

Exceptions CSE301 University of Sunderland Harry Erwin, PhD.

Exceptions CSE301 University of Sunderland Harry Erwin, PhD.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
CSE 331 Software Design & Implementation Dan Grossman Winter 2014 Lecture 2 – Reasoning About Code With Logic 1CSE 331 Winter 2014.

CSE 331 Software Design & Implementation Dan Grossman Winter 2014 Lecture 2 – Reasoning About Code With Logic 1CSE 331 Winter 2014.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.

Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.
Computer Science 340 Software Design & Testing Design By Contract.

Computer Science 340 Software Design & Testing Design By Contract.
Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.

Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Debugging and Testing Overview Defensive Programming The goal is to prevent failures Debugging The goal is to find cause of failures and fix it Testing.

1 Debugging and Testing Overview Defensive Programming The goal is to prevent failures Debugging The goal is to find cause of failures and fix it Testing.
SWE 619 © Paul Ammann Procedural Abstraction and Design by Contract Paul Ammann Information & Software Engineering SWE 619 Software Construction cs.gmu.edu/~pammann/

SWE 619 © Paul Ammann Procedural Abstraction and Design by Contract Paul Ammann Information & Software Engineering SWE 619 Software Construction cs.gmu.edu/~pammann/
Low-Level Detailed Design SAD (Soft Arch Design) Mid-level Detailed Design Low-Level Detailed Design Design Finalization Design Document.

Low-Level Detailed Design SAD (Soft Arch Design) Mid-level Detailed Design Low-Level Detailed Design Design Finalization Design Document.
CS 261 – Data Structures Preconditions, Postconditions & Assert.

CS 261 – Data Structures Preconditions, Postconditions & Assert.
Exceptions and assertions CSE 331 University of Washington.

Exceptions and assertions CSE 331 University of Washington.
Cs2220: Engineering Software Class 6: Defensive Programming Fall 2010 University of Virginia David Evans.

Cs2220: Engineering Software Class 6: Defensive Programming Fall 2010 University of Virginia David Evans.
Reasoning about programs March 09 2011 CSE 403, Winter 2011, Brun.

Reasoning about programs March CSE 403, Winter 2011, Brun.
Pre- and postconditions, Using assertions and exceptions 1 Pre- and postconditions Using assertions and exceptions.

Pre- and postconditions, Using assertions and exceptions 1 Pre- and postconditions Using assertions and exceptions.
(c) University of Washington13-1 CSC 143 Java Specifications: Programming by Contract Reading: Ch. 5.

(c) University of Washington13-1 CSC 143 Java Specifications: Programming by Contract Reading: Ch. 5.
ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.

ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.

Similar presentations

Ads by Google