Presentation is loading. Please wait.

Presentation is loading. Please wait.

י"ח/תשרי/תשע"ח Design by Contract David Talby.

Published byFrederick Stewart Modified over 7 years ago

Similar presentations

Presentation on theme: "י"ח/תשרי/תשע"ח Design by Contract David Talby."— Presentation transcript:

1 י"ח/תשרי/תשע"ח Design by Contract David Talby

2 Object Oriented Design Course
י"ח/תשרי/תשע"ח Software Correctness When is a class correct? It’s a relative concept; what is required? But it’s the correct question: the class is the basic independent, reusable unit of software Theory flashback: class = Abstract Data Type Commands (push, pop, empty, full) Axioms (count == 0 iff empty) Preconditions (pop requires not empty) Why isn’t this reflected in programming? Object Oriented Design Course

3 Approaches to Correctness
י"ח/תשרי/תשע"ח Approaches to Correctness Testing Tests only cover specific cases Tests don’t affect extensions (inheritance) If something doesn’t work, where is the problem? It is difficult to (unit-) test individual classes Formal Verification Requires math & logic background Successful in hardware, not in software The assert() macro Introduced to Java only in JDK 1.4 Object Oriented Design Course

4 Object Oriented Design Course
י"ח/תשרי/תשע"ח Design by Contract Created by Bertrand Meyer, in Eiffel Each class defines a contract, by placing assertions inside the code Assertions are just Boolean expressions Eiffel: identified by language keywords iContract: identified by javadoc attributes Assertions have no effect on execution Assertions can be checked or ignored Object Oriented Design Course

5 Object Oriented Design Course
י"ח/תשרי/תשע"ח Methods Each feature is equipped with a precondition and a postcondition double sqrt (double x) require x >= 0 do ensure result * result == x end Object Oriented Design Course

6 Object Oriented Design Course
י"ח/תשרי/תשע"ח Methods II The same in iContract syntax: //** return Square root of x @pre x >= 0 @post return * return == x */ double sqrt (double x) { … } Assertions are just Boolean expressions Except result and old in postconditions Function calls are allowed, but… Don’t modify data: ++i, inc(x), a = b Object Oriented Design Course

7 Object Oriented Design Course
י"ח/תשרי/תשע"ח The Contract Object Oriented Design Course

8 Object Oriented Design Course
י"ח/תשרי/תשע"ח Class Invariants Each class has an explicit invariant class Stack[G] private int count; boolean isEmpty() { … } … other things … invariant isEmpty() == (count == 0) end Object Oriented Design Course

9 Theory: Hoare Clauses Hoare’s Notation for discussing correctness:
י"ח/תשרי/תשע"ח Theory: Hoare Clauses Hoare’s Notation for discussing correctness: { P } code { Q } For example: { x >= 10 } x = x + 2 { x >= 12 } Partial Correctness: If a program starts from a state satisfying P, runs the code and completes, then Q will be true. Full Correctness: If a program start from a state satisfying Q and runs the code, then eventually it will complete with Q being true. Object Oriented Design Course

10 When is a Class Correct? For every constructor:
י"ח/תשרי/תשע"ח When is a Class Correct? For every constructor: { Pre } code { Post /\ Inv } For every public method call: { Pre /\ Inv } code { Post /\ Inv } Origin is Abstract Data Type theory Private methods are not in the contract Undecidable at compile time Object Oriented Design Course

11 Object Oriented Design Course
י"ח/תשרי/תשע"ח Common Mistakes Not an input-checking mechanism Use if to test human or machine output Assertions are always true Not a control structure Assertion monitoring can be turned off They are applicative, not imperative, and must not include any side effects Besides, exceptions are inefficient An assertion violation is always a bug In precondition: client bug In postcondition or invariant: supplier bug Object Oriented Design Course

12 Object Oriented Design Course
י"ח/תשרי/תשע"ח Common Mistakes II Don’t use defensive programming The body of a routine must never check its pre- or post-conditions. This is inefficient, and raises complexity. Don’t hide the contract from clients All the queries in a method’s precondition must be at least as exported as the method Doesn’t have to be so in postconditions Object Oriented Design Course

13 Object Oriented Design Course
י"ח/תשרי/תשע"ח Inheritance and DbC The LSP Principle Functions that use references to base classes must also work with objects of derived classes without knowing it. Or: Derived classes inherit obligations as well How to break it Derived method has a stronger precondition Derived method has a weaker postcondition Derived class does not obey parent’s invariant Object Oriented Design Course

14 Object Oriented Design Course
י"ח/תשרי/תשע"ח Inheritance and DbC II class Parent { void f() { require PPre ensure PPost } invariant PInv class Child extends Parent{ void f() { require CPre ensure CPost } invariant CInv Derivation is only legal if: PPre  CPre CPost  PPost CInv  PInv Object Oriented Design Course

15 Inheritance and DbC III
י"ח/תשרי/תשע"ח Inheritance and DbC III The Eiffel way Child method’s precondition is PPre  CPre Child method’s postcondition is PPost  CPost Child’s invariant is PInv  CInv This is how the runtime monitors assertions Abstract Specifications Interfaces and Abstract methods can define preconditions, postconditions and invariants A very powerful technique for frameworks Object Oriented Design Course

16 Object Oriented Design Course
י"ח/תשרי/תשע"ח Loop Correctness Loops are hard to get right Off-by-one errors Bad handling of borderline cases Failure to terminate There are two kinds of loops Approximation (while and recursion) Traversal (traditional for) Object Oriented Design Course

17 Object Oriented Design Course
י"ח/תשרי/תשע"ח Approximation Loops Prove that progress is made each step State the invariant context of progress Object Oriented Design Course

18 Approximation Loops II
י"ח/תשרי/תשע"ח Approximation Loops II The loop is correct if: Variant is a decreasing positive integer Invariant is true before each iteration int gcd(int a, int b) { int x = a, y = b; while (x != y) variant max(x, y) invariant x > 0 && y > 0 // && gcd(x,y)=gcd(a,b) do if (x > y) x = x – y; else y = y – x; return x; } Object Oriented Design Course

19 Object Oriented Design Course
י"ח/תשרי/תשע"ח Traversal Loops Traverse a known collection or sequence for (int i=0; i < 10; i++) for (iterator<x> i = xlist.iterator(); ...) Invariant: Total number of elements Variant: Number of elements left Estimator: Number of elements left Can be imitated by approximation loops Use for only when variant = estimator Object Oriented Design Course

20 Why use Design by Contract?
י"ח/תשרי/תשע"ח Why use Design by Contract? Speed – find bugs faster Testing – per class, including privates Reliability – runtime monitoring Documentation – part of the interface Reusability – see Ariane 5 crash Improving programming languages Finding more bugs at compile time Intentions are more readable Object Oriented Design Course

21 An Example: Null Pointers
י"ח/תשרי/תשע"ח An Example: Null Pointers The #1 Java runtime error: NullPointerException How do we know that a call’s target is not null? {? x != null} x.use {use postconditions} Out of context: x := new C; x.use; Because we checked: if (x != null) x.use; while (x != null) { x.use; foo(x); } But this is not enough! Object Oriented Design Course

22 The Missing Ingredient
י"ח/תשרי/תשע"ח The Missing Ingredient Sometimes no checks should be done: A method’s caller must ensure x != null x is never null “by nature” We must document it as well We must be able to state that ensuring a property is someone else’s responsibility Object Oriented Design Course

23 Letting the Compiler Check
י"ח/תשרי/תשע"ח Letting the Compiler Check Rule: x.use does not compile if x != null can’t can’t be proved right before it Computation Assertions: x = new C x = y, assuming y != null if (x != null) … while (x != null) ... Object Oriented Design Course

24 Letting the Compiler Check II
י"ח/תשרי/תשע"ח Letting the Compiler Check II ADT Assertions: precondition when feature begins postcondition of called feature the class invariant Incremental, per-feature check Test can be optional per class All compile-time, yet fully flexible Object Oriented Design Course

25 Object Oriented Design Course
י"ח/תשרי/תשע"ח Sample Caught Bugs Infinite recursion: int count() { return 1 + left.count() + right.count(); } Forgotten initialization: Socket s = new BufferedSocket(); s.getBuffer().write(“x”); // s.connect() not yet called Neglecting the empty collection: do tok.getToken().print() while (!tok.done()); Using uncertain results: f = filemgr.find(filename); f.delete(); Object Oriented Design Course

26 Object Oriented Design Course
י"ח/תשרי/תשע"ח The Big Picture Contracts complement what is learnt from code Identifying a simple kind of assertions is enough But syntax is strict: not (x == null) won’t work This works even though: Assertions aren’t trusted to be correct They have no runtime cost, unless requested The same principle is used for language features x.foo(); y.foo(); can run in parallel iff x != y x.foo() can bind statically if x exact_instanceof C Object Oriented Design Course

27 Object Oriented Design Course
י"ח/תשרי/תשע"ח DbC in Real Life: C/C++ In C, the assert macro expands to an if statement and calls abort if it’s false assert(strlen(filename) > 0); Assertion checking can be turned off: #define NDEBUG In C++, redefine Assert to throw instead of terminating the program Every class should have an invariant Never use if() when assert() is required Object Oriented Design Course

28 Object Oriented Design Course
י"ח/תשרי/תשע"ח DbC in Real Life: UML UML supports pre- and post-conditions as part of each method’s properties Invariants are supported at class level Object Constraint Language is used Formal language - not code Readable, compared to its competitors Supports forall and exists conditions Object Oriented Design Course

29 Object Oriented Design Course
י"ח/תשרי/תשע"ח DbC in Real Life: Java Assertions that can be turned on and off are only supported from JDK 1.4 assert interval > 0 && interval <= 1 : interval; The most popular tool is iContract Assertions are Javadoc-style comments Instruments source code, handles inheritance Based on the OCL @invariant forall IEmployee e in getEmployees() | getRooms().contains(e.getOffice()) @post exists IRoom r in getRooms() | r.isAvailable() Object Oriented Design Course

30 Object Oriented Design Course
י"ח/תשרי/תשע"ח Exceptions Definition: a method succeeds if it terminates in a state satisfying its contract. It fails if it does not succeed. Definition: An exception is a runtime event that may cause a routine to fail. Exception cases An assertion violation (pre-, post-, invariant, loop) A hardware or operating system problem Intentional call to throw A failure in a method causes an exception in its caller Object Oriented Design Course

31 Disciplined Exception Handling
י"ח/תשרי/תשע"ח Disciplined Exception Handling Mistake 1: Handler doesn’t restore stable state Mistake 2: Handler silently fails its own contract There are two correct approaches Resumption: Change conditions, and retry method Termination: Clean up and fail (re-throw exception) Correctness of a catch clause Resumption: { True } Catch { Inv  Pre } Termination: { True } Catch { Inv } Object Oriented Design Course

32 Improper Flow of Control
י"ח/תשרי/תשע"ח Improper Flow of Control Mistake 3: Using exceptions for control flow try { value = hashtable.find(key); } catch ( NotFoundException e ) { value = null; } It’s bad design The contract should never include exceptions It’s extremely inefficient Global per-class data is initialized and stored Each try, catch, or exception specification cost time Throwing an exception is orders of magnitude slower than returning from a function call Object Oriented Design Course

33 Object Oriented Design Course
י"ח/תשרי/תשע"ח Goals Exception Neutrality Exceptions raised from inner code (called functions or class T) are propagated well Weak Exception Safety Exceptions (either from class itself or from inner code) do not cause resource leaks Strong Exception Safety If a method terminates due to an exception, the object’s state remains unchanged Object Oriented Design Course

34 Object Oriented Design Course
י"ח/תשרי/תשע"ח Summary Software Correctness & Fault Tolerance Design by Contract When is a class correct? Speed, Testing, Reliability, Documentation, Reusability, Improving Prog. Languages Exceptions What happens when the contract is broken? Neutrality, Weak Safety, Strong Safety Object Oriented Design Course

Download ppt "י"ח/תשרי/תשע"ח Design by Contract David Talby."

Similar presentations

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.

Copyright W. Howden1 Programming by Contract CSE 111 6/4/2014.
Ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations.

Ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations.
Exceptions CSE301 University of Sunderland Harry Erwin, PhD.

Exceptions CSE301 University of Sunderland Harry Erwin, PhD.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Chair of Software Engineering OOSC - Summer Semester 2004 1 Object-Oriented Software Construction Bertrand Meyer.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Exceptions Amit Shabtay. March 3rd, 2004 Object Oriented Design Course 2 Covariance\Contravariance Reminder class Parent { void test (covar : Mammal,

Exceptions Amit Shabtay. March 3rd, 2004 Object Oriented Design Course 2 Covariance\Contravariance Reminder class Parent { void test (covar : Mammal,
-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.

-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.
1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.

1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.
Design by Contract David Talby. Software Correctness When is a class correct? It ’ s a relative concept; what is required? But it ’ s the correct question:

Design by Contract David Talby. Software Correctness When is a class correct? It ’ s a relative concept; what is required? But it ’ s the correct question:
Chair of Software Engineering ATOT - Lecture 12, 12 May 2003 1 Advanced Topics in Object Technology Bertrand Meyer.

Chair of Software Engineering ATOT - Lecture 12, 12 May Advanced Topics in Object Technology Bertrand Meyer.
Static and Dynamic Contract Verifiers For Java Hongming Liu.

Static and Dynamic Contract Verifiers For Java Hongming Liu.
Exceptions David Rabinowitz. March 3rd, 2004 Object Oriented Design Course 2 The Role of Exceptions Definition: a method succeeds if it terminates in.

Exceptions David Rabinowitz. March 3rd, 2004 Object Oriented Design Course 2 The Role of Exceptions Definition: a method succeeds if it terminates in.
Design by Contract David Talby. Software Correctness When is a class correct? – It ’ s a relative concept; what is required? – But it ’ s the correct.

Design by Contract David Talby. Software Correctness When is a class correct? – It ’ s a relative concept; what is required? – But it ’ s the correct.
Describing Syntax and Semantics

Describing Syntax and Semantics
Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.

Eiffel Language and Design by Contract Contract –An agreement between the client and the supplier Characteristics –Expects some benefits and is prepared.
Adding Contracts to Ada Ehud Lamm Adding Design By Contract to Ada.

Adding Contracts to Ada Ehud Lamm Adding Design By Contract to Ada.

Similar presentations

Ads by Google