Presentation is loading. Please wait.

Presentation is loading. Please wait.

PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS 201300071-1B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.

Published byJeffery Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS 201300071-1B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013."— Presentation transcript:

1 PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS 201300071-1B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013

2 Week 1 Values, conditions Classes, objects Week 2 Specifications Testing Week 3 Abstraction, inheritance Week 4 Interfaces, abstract classes Arrays Week 5 Collections Generic structures Week 6 Exceptions Stream I/O GUIs Week 7 Concurrency Networking Week 8 Security Week 9/10 Project Software Systems - Programming 2 OVERVIEW PROGRAMMING LINE

3  Preconditions, postconditions  Class invariants  Programming via contract Nino & Hosch: Chapter 5 Manual: JML appendix Tool support: OpenJML Software Systems - Programming 3 CONTENTS

4 Example: usage of class Counter public class TennisPlayer { Counter fh, bh; public void hitForehand() { fh.next(); } public void hitBackhand() {...} public int totalHits() { return fh.getValue() + bh.getValue(); } Software Systems - Programming 4 This is only correct if the result of getValue() always is positive +getValue() +reset() +next() Counter -value POSTCONDITIONS

5 public class Counter { private int value; public Counter( ) { value = 0; } // always returns a positive value //@ ensures \result >= 0; public int getValue( ) { return value; } // rest of class } Software Systems - Programming 5 POSTCONDITION OF GETVALUE Informal Formal

6  Unambiguous He ate the cookies on the couch Eating(p, cookies) /\ Sitting(p, couch) Or Eating(p, cookies) /\ Sitting(cookies, couch)  Can be checked  Clear connection with program code and variables  Often executable Software Systems - Programming 6 ADVANTAGES OF FORMAL SPECIFICATION

7  Property that always holds when the method terminates  Caller can rely on this Examples  The result of getValue() is always positive: \result >= 0  After a call to next() the result of getValue() is always equal to the result of getValue() before the call plus 1: getValue() == \old(getValue()) + 1 Software Systems - Programming 7 POSTCONDITION DEFINITION

8  Language for writing behaviour specifications of Java programs  Syntax: Java with specification-specific extensions  \result  \old(E)  ==> (implies)  \forall, \exists  Specifications written as special Java comments (start with @)  OpenJML: type checking of specifications  Complete language description: see jmlspecs.org Software Systems - Programming 8 JAVA MODELLING LANGUAGE (JML) Resembles language used in book, but with tool support Conditional expression in Java: ? : ;

9 //@ ensures getValue() == \old(getValue()) + 1; public void next( ) { value = value + 1; } Requires that getValue does not have side effects /*@ pure */ public int getValue() Allows to use getValue() in specification Checks purity separately Software Systems - Programming 9 METHOD CALLS IN SPECIFICATIONS If specifications can have side effects: execution with and without precondition check would have different behaviour

10 Suppose we add a method setValue(int v) to the Counter //@ requires v >= 0; //@ ensures getValue() == v; public void setValue(int v) {...}  This postcondition can only be guaranteed if v is positive (because specification of getValue() ensures this is always positive)  This is specified as a precondition (keyword: requires ) Software Systems - Programming 10 PRECONDITIONS Also okay: /*@ requires v >= 0 */ ensures getValue() == v */ public void setValue(int v) {...}

11 Class Lock public Lock(int code) public boolean isOpen() public void close() public void enterDigits(int digit) Only functions correctly if:  0 <= code and code <= 999  0 <= digit and digit <= 9 The caller has to ensure this The Lock implementation does not have to check this Software Systems - Programming 11 ANOTHER EXAMPLE Preconditions!

12  Condition that should always hold when a method is called  Caller has to ensure this Examples  The value of the code parameter in the Lock constructor should be between 0 en 999 requires 0 <= code && code <= 99;  The reset method can only be called when the counter has reached MAX requires getValue() == Counter.MAX; Software Systems - Programming 12 DEFINITION PRECONDITION

13 Example: Counter public int getValue() public void setValue(int v) public void next() public void previous() Possible preconditions  setValue(int v) : v >= 0  previous() : getValue() > 0 Why?  Pro: Saves a test in the implementation  Contra: forces the caller to do a call Software Systems - Programming 13 PRECONDITIONS SHOULD NOT BE TOO STRONG 

14  Pre- and postconditions are documentation about the behaviour of the class to the outside world  Therefore, they should respect visibility rules of the class  Private fields cannot be used in (public) specifications //@ ensures value == \old(value) + 1; public void next( ) { value = value + 1; } Reason: internal representation might change, but outside behaviour might be unchanged Software Systems - Programming 14 VISIBILITY OF PRE- AND POSTCONDITIONS X

15 Some properties hold for every internal reachable state of an object Example public invariant getValue() >= 0;  Public invariant: uses only publicly visible methods  Private invariant: about internal state, not visible as documentation of the class, but considers implementation private invariant value >= 0; Software Systems - Programming 15 INVARIANTS

16  In general: a property that always holds  In our setting:  A property that holds for all visible reachable states of all class instances  Can refer to internal state of the object (this is the definition of Nino & Hosch)  Can also be public documentation of the behaviour of a class Software Systems - Programming 16 DEFINITION INVARIANT

17 Basic principle  If caller respects preconditions, the method implementation guarantees postconditions  Class invariant helps to show that implementation ensures postconditions Problem  Can client be trusted?  What if client does not respect the postcondition?  Method will not guarantee postconditions  Next methods are called under wrong conditions  Program does not behave properly Software Systems - Programming 17 PROGRAMMING BY CONTRACT

18 Assumption Client will always respect preconditions Consequences No special precautions necessary Justified when client and server are developed together. Software Systems - Programming 18 ANSWER 1: TRUST CLIENT

19 Assumption  Client will not always respect preconditions  When this happens, program should stop, but in controlled manner Consequences  Implementation checks (some) preconditions  assert precondition  stop program when precondition not respected  In particular useful to make sure internal invariants are preserved  Applicable to larger programs Software Systems - Programming 19 ANSWER 2: GENERATE ERROR MESSAGE

20 Assumptions  Client will make mistake (might even be on purpose)  Program should not fail Consequences  Implementation checks all preconditions  Precondition not respected  choose appropriate emergency solution (for example: default values)  Postcondition and invariant always respected  Useful for critical applications Software Systems - Programming 20 ANSWER 3: DEFENSIVE PROGRAMMING

21  Use dedicated tool to insert pre- and postcondition checks during execution  Construct formal proof that  Preconditions hold at every method calls  Postconditions hold at every method exit OpenJML:  RAC – runtime assertion checking  ESC – extended static checking Software Systems - Programming 21 ANSWER 4: CHECK OR VERIFY Out of scope

22  Behaviour of methods formally specified  Precondition: what should hold when method is called  Postcondition: what does implementation guarantee when method finishes  Class invariant: property that holds throughout life of object  Specifications can be checked during execution  Insert checks manually (using asserts)  Use dedicated tool support Software Systems - Programming 22 MAIN POINTS

Download ppt "PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS 201300071-1B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013."

Similar presentations

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 5 Disclaimer. These notes are derived from notes originally.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 5 Disclaimer. These notes are derived from notes originally.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?

Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
C++ Programming: Program Design Including Data Structures, Third Edition Chapter 7: User-Defined Functions II.

C++ Programming: Program Design Including Data Structures, Third Edition Chapter 7: User-Defined Functions II.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Object Oriented Design An object combines data and operations on that data (object is an instance of class) data: class variables operations: methods Three.

Object Oriented Design An object combines data and operations on that data (object is an instance of class) data: class variables operations: methods Three.
1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.

1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
© 2006 Pearson Addison-Wesley. All rights reserved4-1 Chapter 4 Data Abstraction: The Walls.

© 2006 Pearson Addison-Wesley. All rights reserved4-1 Chapter 4 Data Abstraction: The Walls.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 4: The Interface of a Class.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Page 1 Building Reliable Component-based Systems Chapter 6 - Semantic Integrity in Component Based Development Chapter 6 Semantic Integrity in Component.

Page 1 Building Reliable Component-based Systems Chapter 6 - Semantic Integrity in Component Based Development Chapter 6 Semantic Integrity in Component.
Chapter 1 Principles of Programming and Software Engineering.

Chapter 1 Principles of Programming and Software Engineering.
© 2006 Pearson Addison-Wesley. All rights reserved4-1 Chapter 4 Data Abstraction: The Walls.

© 2006 Pearson Addison-Wesley. All rights reserved4-1 Chapter 4 Data Abstraction: The Walls.
Data Abstraction and Object- Oriented Programming CS351 – Programming Paradigms.

Data Abstraction and Object- Oriented Programming CS351 – Programming Paradigms.
Chapter 11: Classes and Data Abstraction

Chapter 11: Classes and Data Abstraction
Describing Syntax and Semantics

Describing Syntax and Semantics

Similar presentations

Ads by Google