Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 - 7 - Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management.

Published byHelena Douglas Modified over 9 years ago

Similar presentations

Presentation on theme: "1 - 7 - Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management."— Presentation transcript:

1 1 - 7 - Design by Contract ™

2 2 Design by Contract A discipline of analysis, design, implementation, management

3 3 Applications  Getting the software right  Analysis  Design  Implementation  Debugging  Testing  Management  Maintenance  Documentation

4 4 Background  Origin: work on “axiomatic semantics” (Floyd, Hoare, Dijkstra), early seventies  Some research languages had a built-in assertion mechanism: Euclid, Alphard  Eiffel introduced the connection with object- oriented programming and made contracts a software construction methodology and an integral part of the language  Mechanisms for other languages: Nana macro package for C++, JML for Java, Spec# (and dozens of others)

5 5 The basic idea Every software element is intended to satisfy a certain goal, for the benefit of other software elements (and ultimately of human users) This goal is the element’s contract The contract of any software element should be  Explicit  Part of the software element itself

6 6 Documenting a program Who will do the program documentation (technical writers, developers) ? How to ensure that it doesn’t diverge from the code (the French driver’s license / reverse Dorian Gray syndrome) ? Single product principle The product is the software!

7 7 The contract view of software construction Constructing systems as structured collections of cooperating software elements — suppliers and clients — cooperating on the basis of clear definitions of obligations and benefits These definitions are the contracts

8 8 Properties of contracts A contract:  Binds two parties (or more): supplier, client  Is explicit (written)  Specifies mutual obligations and benefits  Usually maps obligation for one of the parties into benefit for the other, and conversely  Has no hidden clauses: obligations are those specified  Often relies, implicitly or explicitly, on general rules applicable to all contracts: laws, regulations, standard practices

9 9 A human contract Client Supplier (Satisfy precondition:) Bring package before 4 p.m.; pay fee (Satisfy postcondition:) Deliver package by 10 a.m. next day OBLIGATIONS (From postcondition:) Get package delivered by 10 a.m. next day (From precondition:) Not required to do anything if package delivered after 4 p.m., or fee not paid BENEFITS deliver

10 10 Contracts for analysis Client Supplier (Satisfy precondition:) Make sure input valve is open, output valve closed (Satisfy postcondition:) Fill the tank and close both valves OBLIGATIONS (From postcondition:) Get filled-up tank, with both valves closed (From precondition:) Simpler processing thanks to assumption that valves are in the proper initial position BENEFITS fill

11 11 Correctness in software Correctness is a relative notion: consistency of implementation with specification Basic notation: (P, Q : assertions, i.e. properties of the state of the computation. A : instructions) {P } A {Q } “Hoare triple” What this means (total correctness):  Any execution of A started in a state satisfying P will terminate in a state satisfying Q

12 12 Hoare triples: a simple example {n > 5} n := n + 9 {n > 13} Most interesting properties:  Strongest postcondition (from given precondition).  Weakest precondition (from given postcondition). “P is stronger than or equal to Q ” means: P implies Q QUIZ:  What is the strongest possible assertion?  The weakest?

13 13 Specifying a square root routine {x >= 0}... Square root algorithm to compute y... {abs (y ^ 2 – x) <= 2  epsilon  y } -- i.e.: y approximates exact square root of x -- within epsilon

14 14 Software correctness (a quiz) Consider {P } A {Q } Take this as a job ad in the classifieds Should a lazy employment candidate hope for a weak or strong P ? What about Q ? Two “special offers”:  1. {False}A {...}  2. {...}A {True}

15 15 A contract (from EiffelBase) extend (new : G ; key : H) -- Assuming there is no item of key key, -- insert new with key ; set inserted. require key_not_present: not has (key) ensure insertion_done: item (key) = new key_present: has (key) inserted: inserted one_more: count = old count + 1

16 16 The contract Client Supplier PRECONDITION POSTCONDITION OBLIGATIONS POSTCONDITION PRECONDITION BENEFITS Routine

17 17 A class without contracts class ACCOUNT feature -- Access balance : INTEGER -- Balance Minimum_balance: INTEGER = 1000 -- Minimum balance feature {NONE } -- Deposit and withdrawal add (sum : INTEGER) -- Add sum to the balance. do balance := balance + sum end Secret features

18 18 A class without contracts feature -- Deposit and withdrawal operations deposit (sum : INTEGER) -- Deposit sum into the account. do add (sum) end withdraw (sum : INTEGER) -- Withdraw sum from the account. do add (– sum) end may_withdraw (sum : INTEGER): BOOLEAN -- Is it permitted to withdraw sum from the account? do Result := (balance - sum >= Minimum_balance) end end

19 19 Introducing contracts class ACCOUNT create make feature {NONE } -- Initialization make (initial_amount: INTEGER) -- Set up account with initial_amount. require large_enough: initial_amount >= Minimum_balance do balance := initial_amount ensure balance_set: balance = initial_amount end

20 20 Introducing contracts feature -- Access balance: INTEGER -- Balance Minimum_balance : INTEGER = 1000 -- Lowest permitted balance feature {NONE} -- Implementation of deposit and withdrawal add ( sum : INTEGER) -- Add sum to the balance. do balance := balance + sum ensure increased: balance = old balance + sum end

21 21 Introducing contracts feature -- Deposit and withdrawal operations deposit (sum : INTEGER) -- Deposit sum into the account. require not_too_small: sum >= 0 do add (sum) ensure increased: balance = old balance + sum end Precondition Postcondition

22 22 Introducing contracts withdraw (sum : INTEGER) -- Withdraw sum from the account. require not_too_small: sum >= 0 not_too_big: sum <= balance – Minimum_balance do add (–sum) -- i.e. balance := balance – sum ensure decreased: balance = old balance - sum end Value of balance, captured on entry to routine

23 23 The contract Client Supplier (Satisfy precondition:) Make sure sum is neither too small nor too big (Satisfy postcondition:) Update account for withdrawal of sum OBLIGATIONS (From postcondition:) Get account updated with sum withdrawn (From precondition:) Simpler processing: may assume sum is within allowable bounds BENEFITS withdraw

24 24 The imperative and the applicative do balance := balance - sum ensure balance = old balance - sum PRESCRIPTIVEDESCRIPTIVE How? Operational Implementation Command Instruction Imperative What? Denotational Specification Query Expression Applicative

25 25 Introducing contracts may_withdraw (sum : INTEGER ): BOOLEAN -- Is it permitted to withdraw sum from account? do Result := (balance - sum >= Minimum_balance) end invariant not_under_minimum: balance >= Minimum_balance end

26 26 The class invariant Consistency constraint applicable to all instances of a class. Must be satisfied:  After creation  After execution of any feature by any client Qualified calls only: x. f (...)

27 27 The correctness of a class For every creation procedure cp : {Pre cp } do cp {INV and Post cp } For every exported routine r : {INV and Pre r } do r {INV and Post r } x. f (…) x. g (…) x. h (…) create x. make (…) S1 S2 S3 S4

28 28 Uniform Access balance = deposits. total – withdrawals. total (A1) list_of_deposits list_of_withdrawals 2001005001000 800100 (A2) 2003005001000 800100 list_of_deposits list_of_withdrawals balance 1000

29 29 class ACCOUNT create make feature {NONE} – Implementation add (sum : INTEGER) -- Add sum to the balance. do balance := balance + sum ensure balance_increased: balance = old balance + sum end deposits : DEPOSIT_LIST withdrawals : WITHDRAWAL_LIST A slightly more sophisticated version

30 30 feature {NONE } -- Initialization make (initial_amount: INTEGER) -- Set up account with initial_amount. require large_enough: initial_amount >= Minimum_balance do balance := initial_amount create deposits. make create withdrawals. make ensure balance_set: balance = initial_amount end feature -- Access balance: INTEGER -- Balance Minimum_balance: INTEGER = 1000 -- Minimum balance New version

31 31 New version feature -- Deposit and withdrawal operations deposit (sum : INTEGER) -- Deposit sum into the account. require not_too_small: sum >= 0 do add (sum) deposits. extend (create {DEPOSIT }. make (sum)) ensure increased: balance = old balance + sum one_more: deposits. count = old deposits. count + 1 end

32 32 New version withdraw (sum : INTEGER) -- Withdraw sum from the account. require not_too_small: sum >= 0 not_too_big: sum <= balance – Minimum_balance do add (– sum) withdrawals. extend (create {WITHDRAWAL}. make (sum)) ensure decreased: balance = old balance – sum one_more: withdrawals. count = old withdrawals. count + 1 end

33 33 New version may_withdraw (sum : INTEGER): BOOLEAN -- Is it permitted to withdraw sum from account? do Result := (balance - sum >= Minimum_balance) end invariant not_under_minimum: balance >= Minimum_balance consistent: balance = deposits. total – withdrawals. total end

34 34 The correctness of a class For every creation procedure cp : {Pre cp } do cp {INV and Post cp } For every exported routine r : {INV and Pre r } do r {INV and Post r } x. f (…) x. g (…) x. h (…) create x. make (…) S1 S2 S3 S4

35 35 Uniform Access balance = deposits. total – withdrawals. total (A2) 2003005001000 800100 list_of_deposits list_of_withdrawals balance 1000

36 36 feature {NONE } – Initialization make (initial_amount : INTEGER) -- Set up account with initial_amount. require large_enough: initial_amount >= Minimum_balance do create deposits. make create withdrawals. make balance := initial_amount ensure balance_set: balance = initial_amount end Getting it right What’s wrong with this? deposit (initial_amount)

37 37 What are contracts good for? Writing correct software (analysis, design, implementation, maintenance, reengineering) Documentation (the “contract” form of a class) Effective reuse Controlling inheritance Preserving the work of the best developers Quality assurance, testing, debugging (especially in connection with the use of libraries) Exception handling

38 38 A contract violation is not a special case For special cases (e.g. “if the sum is negative, report an error...”) use standard control structures, such as if... then... else... A run-time assertion violation is something else: the manifestation of A DEFECT (“BUG”)

39 39 Contracts and quality assurance Precondition violation: Bug in the client. Postcondition violation: Bug in the supplier. Invariant violation: Bug in the supplier. {P }A{Q }

40 40 Contracts: run-time effect Compilation options (per class, in Eiffel):  No assertion checking  Preconditions only  Preconditions and postconditions  Preconditions, postconditions, class invariants  All assertions

41 41 Contracts for testing and debugging Contracts express implicit assumptions behind code  A bug is a discrepancy between intent and code  Contracts state the intent! In EiffelStudio: select compilation option for run-time contract monitoring at level of:  Class  Cluster  System May disable monitoring when releasing software A revolutionary form of quality assurance

42 42 Contract monitoring A contract violation always signals a bug:  Precondition violation: bug in client  Postcondition violation: bug in routine

Download ppt "1 - 7 - Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Formal techniques for getting software right: some old ideas and some new tools Applied Formal Methods Research Group 2012-11-02 David Lightfoot:

Formal techniques for getting software right: some old ideas and some new tools Applied Formal Methods Research Group David Lightfoot:
Design by Contract.

Design by Contract.
Ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations.

Ceg860(Prasad)L10DC1 Design by Contract Invariants Pre-post conditions : Rights and Obligations Exceptions : Contract Violations.
Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.

Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.
Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.

Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.
Design by Contract. Design by contract is the process of developing software based on the notion of contracts between objects, which are expressed as.

Design by Contract. Design by contract is the process of developing software based on the notion of contracts between objects, which are expressed as.
Building bug-free O-O software: An introduction to Design by Contract Eiffel Software Presented by Bert Bruce.

Building bug-free O-O software: An introduction to Design by Contract Eiffel Software Presented by Bert Bruce.
Chair of Software Engineering Software Architecture Bertrand Meyer, Carlo A. Furia, Martin Nordio ETH Zurich, February-May 2011 Lecture 15: Design by.

Chair of Software Engineering Software Architecture Bertrand Meyer, Carlo A. Furia, Martin Nordio ETH Zurich, February-May 2011 Lecture 15: Design by.
Chair of Software Engineering OOSC - Summer Semester 2004 1 Object-Oriented Software Construction Bertrand Meyer.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
91.3913Feb 2003 R McFadyen1 Contracts (Ch 13) Used to help understand requirements more completely based on assertions; assertions are applicable to any.

Feb 2003 R McFadyen1 Contracts (Ch 13) Used to help understand requirements more completely based on assertions; assertions are applicable to any.
Chair of Software Engineering ATOT - Lecture 10, 5 May 2003 1 Advanced Topics in Object Technology Bertrand Meyer.

Chair of Software Engineering ATOT - Lecture 10, 5 May Advanced Topics in Object Technology Bertrand Meyer.
Design by Contract. Specifications Correctness formula (Hoare triple) {P} A {Q} – A is some operation (for example, a routine body) – P and Q are predicates.

Design by Contract. Specifications Correctness formula (Hoare triple) {P} A {Q} – A is some operation (for example, a routine body) – P and Q are predicates.
-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.

-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.
Chair of Software Engineering OOSC - Summer Semester 2004 1 Object-Oriented Software Construction Bertrand Meyer.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Chair of Software Engineering OOSC - Summer Semester 2005 1 Object-Oriented Software Construction Bertrand Meyer Lecture 11: Design by Contract™

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer Lecture 11: Design by Contract™
Chair of Software Engineering OOSC - Summer Semester 2005 1 Object-Oriented Software Construction Bertrand Meyer Lecture 10: Project Presentation Ilinca.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer Lecture 10: Project Presentation Ilinca.

Similar presentations

Ads by Google