Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Engineering Design by Contract 1 Design by Contract ™

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Engineering Design by Contract 1 Design by Contract ™"— Presentation transcript:

1 Software Engineering Design by Contract 1 Design by Contract ™

2 Software Engineering Design by Contract 2 Every software element is intended to satisfy a certain goal, for the benefit of other software elements (and ultimately of human users). This goal is the element’s contract. The contract of any software element should be  Explicit.  Part of the software element itself.

3 Software Engineering Design by Contract 3 Design by Contract: applications  Built-in correctness  Automatic documentation  Self-debugging, self-testing code  Get inheritance right  Get exceptions right  Give managers better control tools

4 Software Engineering Design by Contract 4 Constructing systems as structured collections of cooperating software elements — suppliers and clients — cooperating on the basis of clear definitions of obligations and benefits These definitions are the contracts Software construction: the underlying view

5 Software Engineering Design by Contract 5 Properties of contracts A contract:  Binds two parties (or more): supplier, client  Is explicit (written)  Specifies mutual obligations and benefits  Usually maps obligation for one of the parties into benefit for the other, and conversely  Has no hidden clauses: obligations are those specified  Often relies, implicitly or explicitly, on general rules applicable to all contracts (laws, regulations, standard practices)

6 Software Engineering Design by Contract 6 A human contract Client Supplier (Satisfy precondition:) Bring package before 4 p.m.; pay fee. (Satisfy postcondition:) Deliver package by 10 a.m. next day. OBLIGATIONS (From postcondition:) Get package delivered by 10 a.m. next day. (From precondition:) Not required to do anything if package delivered after 4 p.m., or fee not paid. BENEFITS deliver

7 Software Engineering Design by Contract 7 EiffelStudio documentation Produced automatically from class text Available in text, HTML, Postscript, RTF, FrameMaker and many other formats Numerous views, textual and graphical

8 Software Engineering Design by Contract 8 Contracts for documentation LINKED_LIST Documentation, generated by EiffelStudio Demo

9 Software Engineering Design by Contract 9 Contract form: Definition Simplified form of class text, retaining interface elements only:  Remove any non-exported (private) feature. For the exported (public) features:  Remove body (do clause).  Keep header comment if present.  Keep contracts: preconditions, postconditions, class invariant.  Remove any contract clause that refers to a secret feature. (What’s the problem?)

10 Software Engineering Design by Contract 10 The different forms of a class Elements from the class only Elements from the class and it’s ancestors Text view: text form All features and contract clauses Only the exported (non secret) elements Contract view: short form Flat view: flat form Interface view: flat short form

11 Software Engineering Design by Contract 11 Export rule for preconditions In some_property must be exported (at least) to A, B and C! No such requirement for postconditions and invariants. feature {A, B, C} r (…) is require some_property

12 Chair of Software Engineering deferred class VAT inherit TANK feature in_valve, out_valve: VALVE fill is -- Fill the vat. require in_valve. open out_valve. closed deferred ensure in_valve. closed out_valve. closed is_full end empty, is_full, is_empty, gauge, maximum,... [Other features]... invariant is_full = (gauge >= 0.97  maximum) and (gauge <= 1.03  maximum) end Contracts for analysis, specification

13 Software Engineering Design by Contract 13 Contracts for testing and debugging  Contracts express implicit assumptions behind code  A bug is a discrepancy between intent and code  Contracts state the intent! In EiffelStudio: select compilation option for run-time contract monitoring at level of:  Class  Cluster  System May disable monitoring when releasing software A revolutionary form of quality assurance

14 Software Engineering Design by Contract 14 Lists in EiffelBase “Iowa" Cursor item index count1 forthback finishstart afterbefore

15 Software Engineering Design by Contract 15 Trying to insert too far right Cursor (Already past last element!) count1 after "Iowa"

16 Software Engineering Design by Contract 16 A command and its contract Precondition Postcondition

17 Software Engineering Design by Contract 17 Moving the cursor forward "Iowa" Cursor index count1 forth afterbefore

18 Software Engineering Design by Contract 18 Two queries, and command “ forth″

19 Software Engineering Design by Contract 19 Where the cursor may go count+1 Valid cursor positions item count1 afterbefore 0

20 Software Engineering Design by Contract 20 From the invariant of class LIST Valid cursor positions

21 Software Engineering Design by Contract 21 Contract monitoring A contract violation always signals a bug:  Precondition violation: bug in client  Postcondition violation: bug in routine

22 Software Engineering Design by Contract 22 Contracts and inheritance Issues: what happens, under inheritance, to  Class invariants?  Routine preconditions and postconditions?

23 Software Engineering Design by Contract 23 Invariants Invariant Inheritance rule:  The invariant of a class automatically includes the invariant clauses from all its parents, “and”-ed. Accumulated result visible in flat and interface forms.

24 Software Engineering Design by Contract 24 Contracts and inheritance r is require  ensure  r is require  ensure  a1: A a1.r (…) … Correct call in C: if a1.  then a1.r (...) -- Here a1.  hold end r ++ CADB Client Inheritance ++ Redefinition

25 Software Engineering Design by Contract 25 Assertion redeclaration rule When redeclaring a routine, we may only:  Keep or weaken the precondition  Keep or strengthen the postcondition

26 Software Engineering Design by Contract 26 A simple language rule does the trick! Redefined version may have nothing (assertions kept by default), or require else new_pre ensure then new_post Resulting assertions are:  original_precondition or new_pre  original_postcondition and new_post Assertion redeclaration rule in Eiffel

27 Software Engineering Design by Contract 27 Contracts as a management tool High-level view of modules for the manager:  Follow what’s going on without reading the code  Enforce strict rules of cooperation between units of the system  Control outsourcing

28 Software Engineering Design by Contract 28 Checking input: filter modules Contracts are not input checking tests...... but they can help weed out undesirable input External objects Input & validation modules Processing modules Preconditions here only No preconditions! Postconditions 

29 Software Engineering Design by Contract 29 Precondition design The client must guarantee the precondition before the call. This does not necessarily mean testing for the precondition. Scheme 1 (testing): if not my_stack.is_full then my_stack.put (some_element) end Scheme 2 (guaranteeing without testing): my_stack.remove... my_stack.put (some_element)

30 Software Engineering Design by Contract 30 Another example sqrt (x, epsilon: REAL): REAL is -- Square root of x, precision epsilon require x >= 0 epsilon >= 0 do... ensure abs (Result ^ 2 – x) <= 2 * epsilon * Result end

31 Software Engineering Design by Contract 31 The contract Client Supplier (Satisfy precondition:) Provide non-negative value and precision that is not too small. (Satisfy postcondition:) Produce square root within requested precision. OBLIGATIONS (From postcondition:) Get square root within requested precision. (From precondition:) Simpler processing thanks to assumptions on value and precision. BENEFITS sqrt

32 Software Engineering Design by Contract 32 Not defensive programming It is not acceptable to have a routine of the form sqrt (x, epsilon: REAL): REAL is -- Square root of x, precision epsilon require x >= 0 epsilon >= 0 do if x < 0 then … Do something about it (?) … else … normal square root computation … end ensure abs (Result ^ 2 – x) <= 2 * epsilon * Result end

33 Software Engineering Design by Contract 33 Not defensive programming For every consistency condition that is required to perform a certain operation:  Assign responsibility for the condition to one of the contract’s two parties (supplier, client).  Stick to this decision: do not duplicate responsibility. Simplifies software and improves global reliability.

34 Software Engineering Design by Contract 34 Interpreters class BYTECODE_PROGRAM feature verified: BOOLEAN trustful_execute (program: BYTECODE) is require ok: verified do... end distrustful_execute (program: BYTECODE) is do verify if verified then trustful_execute (program) end end verify is do... end end

35 Software Engineering Design by Contract 35 How strong should a precondition be? Two opposite styles:  Tolerant: weak preconditions (including the weakest, True: no precondition).  Demanding: strong preconditions, requiring the client to make sure all logically necessary conditions are satisfied before each call. Partly a matter of taste. But: demanding style leads to a better distribution of roles, provided the precondition is:  Justifiable in terms of the specification only.  Documented (through the short form).  Reasonable!

36 Software Engineering Design by Contract 36 A demanding style sqrt (x, epsilon: REAL): REAL is -- Square root of x, precision epsilon -- Same version as before require x >= 0 epsilon >= 0 do... ensure abs (Result ^ 2 – x) <= 2 * epsilon * Result end

37 Software Engineering Design by Contract 37 sqrt (x, epsilon: REAL): REAL is -- Square root of x, precision epsilon require True do if x < 0 then … Do something about it (?) … else … normal square root computation … computed := True end ensure computed implies abs (Result ^ 2 – x) <= 2 * epsilon * Result end A tolerant style NO INPUT TOO BIG OR TOO SMALL!

38 Software Engineering Design by Contract 38 Contrasting styles put (x: G) is -- Push x on top of stack. require not is_full do.... end tolerant_put (x: G) is -- Push x if possible, otherwise set impossible to -- True. do if not is_full then put (x) else impossible := True end end

39 Software Engineering Design by Contract 39 Invariants and business rules Invariants are absolute consistency conditions. They can serve to represent business rules if knowledge is to be built into the software. Form 1 invariant not_under_minimum: balance >= Minimum_balance Form 2 invariant not_under_minimum_if_normal: normal_state implies (balance >= Minimum_balance)

40 Software Engineering Design by Contract 40 Power of the assertion language Assertion language:  Not first-order predicate calculus  But powerful through: Function calls  Even allows to express: Loop properties

41 Software Engineering Design by Contract 41 Loop trouble Loops can be hard to get right:  “Off-by-one”  Infinite loops  Improper handling of borderline cases For example: binary search feature

42 Software Engineering Design by Contract 42 The answer: loop contracts Use of loop variants and invariants. A loop is a way to compute a certain result by successive approximations. (e.g. computing the maximum value of an array of integers)

43 Software Engineering Design by Contract 43 Computing the max of an array highest (sl: LIST [STRING]): STRING is -- Greatest element of sl require sl /= Void not sl. is_empty do from sl.start ; Result := "" until sl.after loop Result := greater (Result, sl.item) sl.forth end

44 Software Engineering Design by Contract 44 Loop as approximation strategy s1s1 s2s2 sisi snsn Result = s 1 Result = Max (s 1, s 2 ) Result = Max (s 1, s 2,..., s i ) Result = Max (s 1, s 2,..., s i,..., s n )

45 Software Engineering Design by Contract 45 The loop invariant from sl.start ; Result := "“ invariant sl.index >= 1 sl.index <= sl.count + 1 -- Result is greatest of elements so far until sl.after loop Result := greater (Result, sl.item) sl.forth end

46 Software Engineering Design by Contract 46 Loop invariant (Do not confuse with class invariant) Property that is:  Satisfied after initialization (from clause)  Preserved by every loop iteration (loop clause) when executed with the exit condition (until clause) not satisfied

47 Software Engineering Design by Contract 47 The loop invariant from sl.start ; Result := "" invariant sl.index >= 1 sl.index <= sl.count + 1 -- Result is greatest of elements so far until sl.after loop Result := greater (Result, sl.item) sl.forth end

48 Software Engineering Design by Contract 48 The loop invariant (better) from sl.start ; Result := "" invariant sl.index >= 1 sl.index <= sl.count + 1 -- If there are any previous elements, Result is the greatest until sl.after loop Result := greater (Result, sl.item) sl.forth end

49 Software Engineering Design by Contract 49 The effect of the loop from sl.start ; Result := "" invariant sl.index >= 1 sl.index <= sl.count + 1 -- Result is greatest of elements so far until sl.after loop Result := greater (Result, sl.item) sl.forth end Invariant satisfied after initialization Invariant satisfied after each iteration Exit condition satisfied at end At end: invariant and exit condition All elements visited (sl.after ) Result is highest of their names

50 Software Engineering Design by Contract 50 Loop semantics rule The effect of a loop is the combination of:  Its invariant  Its exit condition

51 Software Engineering Design by Contract 51 How do we know the loop terminates? from sl.start ; Result := "“ invariant sl.index >= 1 sl.index <= sl.count + 1 -- If there are any previous elements, Result is the greatest until sl.after loop Result := greater (Result, sl.item) sl.forth end

52 Software Engineering Design by Contract 52 Loop variant Integer expression that must:  Be non-negative when after initialization (from)  Decrease (i.e. by at least one), while remaining non- negative, for every iteration of the body (loop) executed with exit condition not satisfied

53 Software Engineering Design by Contract 53 The variant for our loop from sl.start ; Result := "“ variant sl.count − sl.index + 1 invariant sl.index >= 1 sl.index <= sl.count + 1 -- If there are any previous elements, Result is the greatest until sl.after loop Result := greater (Result, sl.item) sl.forth end

54 Software Engineering Design by Contract 54 Another contract construct Check instruction: ensure that a property is True at a certain point of the routine execution. E.g. Tolerant style example: Adding a check clause for readability.

55 Software Engineering Design by Contract 55 Precondition design Scheme 2 (guaranteeing without testing): my_stack.remove check my_stack_not_full: not my_stack.is_full end my_stack.put (some_element)

Download ppt "Software Engineering Design by Contract 1 Design by Contract ™"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Design by Contract.

Design by Contract.
Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.

Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.

© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy Eivind J. Nordby.

Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy Eivind J. Nordby.
Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.

Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Chair of Software Engineering OOSC - Summer Semester 2004 1 Object-Oriented Software Construction Bertrand Meyer.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Exercise Session 6.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Exercise Session 6.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
1 - 7 - Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management.

Design by Contract ™. 2 Design by Contract A discipline of analysis, design, implementation, management.
Chair of Software Engineering ATOT - Lecture 10, 5 May 2003 1 Advanced Topics in Object Technology Bertrand Meyer.

Chair of Software Engineering ATOT - Lecture 10, 5 May Advanced Topics in Object Technology Bertrand Meyer.
Design by Contract. Specifications Correctness formula (Hoare triple) {P} A {Q} – A is some operation (for example, a routine body) – P and Q are predicates.

Design by Contract. Specifications Correctness formula (Hoare triple) {P} A {Q} – A is some operation (for example, a routine body) – P and Q are predicates.
-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.

-5- Exception handling What is an exception? “An abnormal event” Not a very precise definition Informally: something that you don’t want to happen.
Chair of Software Engineering OOSC - Summer Semester 2004 1 Object-Oriented Software Construction Bertrand Meyer.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Chair of Software Engineering OOSC - Summer Semester 2005 1 Object-Oriented Software Construction Bertrand Meyer Lecture 11: Design by Contract™

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer Lecture 11: Design by Contract™
Chair of Software Engineering OOSC - Summer Semester 2005 1 Object-Oriented Software Construction Bertrand Meyer Lecture 10: Project Presentation Ilinca.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer Lecture 10: Project Presentation Ilinca.

Similar presentations

Ads by Google