Design by Contract - PowerPoint PPT Presentation

About This Presentation
Title:

Design by Contract

Description:

Design by Contract * Institute of Computer Software Nanjing University – PowerPoint PPT presentation

Number of Views:114
Avg rating:3.0/5.0
Slides: 86
Provided by: zf1
Category:

less

Transcript and Presenter's Notes

Title: Design by Contract


1
Design by Contract
  • ?????

2
??
  • ??
  • Eiffel ? DbC ??
  • DbC???
  • ????DbC

3
??
  • Design by Contract (DbC) ?????
  • ????????
  • ?????????????????????
  • Eiffel???????
  • Bertrand MeyerDbC????????????????!
  • James McKim???????,??????

4
??
  • A discipline of analysis, design, implementation,
    management
  • (?????????????,??????,??????,????????????)
  • Viewing the relationship between a class and its
    clients as a formal agreement, expressing each
    partys rights and obligations.
  • (?????????????????????,??????????)

5
??
  • Every software element is intended to satisfy a
    certain goal, for the benefit of other software
    elements (and ultimately of human users).
  • This goal is the elements contract.
  • The contract of any software element should be
  • Explicit.
  • Part of the software element itself.

6
A human contract
OBLIGATIONS(??)
BENEFITS(??/??)
deliver
(Satisfy precondition) Bring package before 4
p.m. pay fee.
(From postcondition) Get package delivered by
10 a.m. next day.
Client
(Satisfy postcondition) Deliver package by 10
a.m. next day.
(From precondition) Not required to do anything
if package delivered after 4 p.m., or fee not
paid.
Supplier

7
A view of software construction
  • Constructing systems as structured collections of
    cooperating software elements suppliers and
    clients cooperating on the basis of clear
    definitions of obligations and benefits.
  • These definitions are the contracts.


8
Properties of contracts
  • A contract
  • Binds two parties (or more) supplier, client.
  • Is explicit (written).
  • Specifies mutual obligations and benefits.
  • Usually maps obligation for one of the parties
    into benefit for the other, and conversely.
  • Has no hidden clauses obligations are those
    specified.
  • Often relies, implicitly or explicitly, on
    general rules applicable to all contracts (laws,
    regulations, standard practices).


9
Contracts for analysis
  • deferred class PLANE inherit
  • AIRCRAFT
  • feature
  • start_take_off is -- Initiate take-off
    procedures.
  • require controls.passed
  • assigned_runway.clear
  • deferred ensure assigned_runway.owner
    Current
  • moving
  • end
  • start_landing, increase_altitude,
    decrease_altitude, moving,
  • altitude, speed, time_since_take_off
  • ... Other features ...
  • invariant
  • (time_since_take_off lt 20) implies (assigned_run
    way.owner Current)
  • moving (speed gt 10)
  • end


10
Contracts for analysis (contd)
  • deferred class VAT inheritTANK
  • featurein_valve, out_valve VALVE
  • fill is -- Fill the vat.
  • require in_valve.open
  • out_valve.closed
  • deferred ensure in_valve.closed
  • out_valve.closed
  • is_full
  • end
  • empty, is_full, is_empty, gauge, maximum, ...
    Other features ...
  • invariant
  • is_full (gauge gt 0.97 maximum)  and  (gauge
    lt 1.03 maximum)
  • end


11
Contracts for analysis (contd)
OBLIGATIONS
BENEFITS
fill
(Satisfy precondition) Make sure input valve is
open, output valve is closed.
(From postcondition) Get filled-up vat, with
both valves closed.
Client
(Satisfy postcondition) Fill the vat and close
both valves.
(From precondition) Simpler processing thanks
to assumption that valves are in the proper
initial position.
Supplier

12
So, is it like assert.h?
  • (Source Reto Kramer)
  • Design by Contract goes further
  • Assert does not provide a contract.
  • Clients cannot see asserts as part of the
    interface.
  • Asserts do not have associated semantic
    specifications.
  • Not explicit whether an assert represents a
    precondition, post-conditions or invariant.
  • Asserts do not support inheritance.
  • Asserts do not yield automatic documentation.


13
Contracts
  • ?????????!
  • Precondition??method,???????????????????
  • Postcondition??method,?????????????????????
  • Invariant?????,????????????????????????

14
Correctness in software
  • Correctness is a relative notion consistency of
    implementation vis-a-vis specification. (This
    assumes there is a specification!)
  • Basic notation (P, Q assertions, i.e.
    properties of the state of the computation. A
    instructions).
  • P A Q
  • Hoare triple
  • What this means (total correctness)
  • Any execution of A started in a state satisfying
    P will terminate in a state satisfying Q.

15
Hoare triples a simple example
  • n gt 5 n n 9 n gt 13
  • Most interesting properties
  • Strongest postcondition (from given
    precondition).
  • Weakest precondition (from given postcondition).
  • P is stronger than or equal to Q means
  • P implies Q
  • QUIZ What is the strongest possible assertion?
    The weakest?

16
Software correctness
We are looking for someone whose work will be to
start from initial situations as characterized by
P, and deliver results as defined by Q
  • Consider
  • P A Q
  • Take this as a job ad in the classifieds.
  • Should a lazy employment candidate hope for a
    weak or strong P? What about Q?
  • Two special offers
  • 1. False A ...
  • 2. ... A True

Strongest precond.
Weakest postcond.
17
??
  • ??
  • Eiffel ? DbC ??
  • DbC???
  • ????DbC

18
Design by Contract The Mechanism
  • Preconditions and Postconditions
  • Class Invariant
  • Run-time effect

19
A contract (from EiffelBase)
  • extend (new G key H)
  • -- Assuming there is no item of key key, --
    insert new with key set inserted.
  • require
  • key_not_present not has (key)
  • ensure
  • insertion_done item (key) new
  • key_present has (key)
  • inserted inserted
  • one_more count old count 1


20
The contract
OBLIGATIONS
BENEFITS
Routine
Client
PRECONDITION
POSTCONDITION
Supplier
POSTCONDITION
PRECONDITION

21
A class without contracts
  • class ACCOUNT feature -- Access
  • balance INTEGER -- Balance
  • Minimum_balance INTEGER is 1000 -- Minimum
    balance
  • feature NONE -- Implementation of deposit and
    withdrawal add (sum INTEGER) is -- Add sum
    to the balance (secret procedure). do balance
    balance sum end


22
Without contracts (contd)
  • feature -- Deposit and withdrawal operations
  • deposit (sum INTEGER) is -- Deposit sum into
    the account. do add (sum) end withdraw
    (sum INTEGER) is -- Withdraw sum from the
    account. do add (sum) end
  • may_withdraw (sum INTEGER) BOOLEAN is -- Is
    it permitted to withdraw sum from the
    account? do Result (balance - sum gt
    Minimum_balance) end
  • end


23
Introducing contracts
  • class ACCOUNT create
  • make
  • feature NONE -- Initialization
  • make (initial_amount INTEGER) is -- Set
    up account with initial_amount.
  • require large_enough initial_amount
    gt Minimum_balance
  • do balance initial_amount
  • ensure balance_set balance
    initial_amount
  • end


24
Introducing contracts (contd)
  • feature -- Access
  • balance INTEGER -- Balance
  • Minimum_balance INTEGER is 1000 -- Minimum
    balance
  • feature NONE -- Implementation of deposit and
    withdrawal add (sum INTEGER) is -- Add sum
    to the balance (secret procedure). do balance
    balance sum
  • ensure
  • increased balance old balance sum
  • end


25
With contracts (contd)
  • feature -- Deposit and withdrawal operations
  • deposit (sum INTEGER) is -- Deposit sum into
    the account.
  • require
  • not_too_small sum gt 0
  • do add (sum) ensure
  • increased balance old balance sum
  • end


26
With contracts (contd)
  • withdraw (sum INTEGER) is -- Withdraw sum
    from the account. require
  • not_too_small sum gt 0
  • not_too_big
  • sum lt balance Minimum_balance
  • do add ( sum)
  • -- i.e. balance balance sum
  • ensure
  • decreased balance old balance - sum
  • end


27
The contract
OBLIGATIONS
BENEFITS
withdraw
(Satisfy precondition) Make sure sum is neither
too small nor too big.
(From postcondition) Get account updated with
sum withdrawn.
Client
(Satisfy postcondition) Update account for
withdrawal of sum.
(From precondition) Simpler processing may
assume sum is within allowable bounds.
Supplier

28
The imperative and the applicative
do balance balance - sum
ensure balance old balance - sum
PRESCRIPTIVE
DESCRIPTIVE
How?
What?
Operational
Denotational
Implementation
Specification
Command
Query
Instruction
Expression
Imperative
Applicative

29
With contracts (end)
  • may_withdraw (sum INTEGER) BOOLEAN is -- Is
    it permitted to withdraw sum from the
  • -- account?
  • do Result (balance - sum gt
    Minimum_balance) end
  • invariant
  • not_under_minimum balance gt Minimum_balance
  • end


30
The class invariant
  • Consistency constraint applicable to all
    instances of a class.
  • Must be satisfied
  • After creation.
  • After execution of any feature by any
    client.(Qualified calls only a.f (...))


31
The correctness of a class
  • For every creation procedure cp precp docp
    postcp and INV
  • For every exported routine r INV and prer
    dor postr and INV
  • The worst possible erroneous run-time situation
  • in object-oriented software development
  • Producing an object that does not satisfy
  • the invariant of its own class.


32
Example
deposits
(A1)
withdrawals
deposits
(A2)
withdrawals
balance
  • balance deposits.total withdrawals.total

33
A more sophisticated version
  • class ACCOUNT create
  • make
  • feature NONE -- Implementation
  • add (sum INTEGER) is -- Add sum to the
    balance (secret procedure). do balance
    balance sum ensure balance_increased
    balance old balance sum
  • end
  • deposits DEPOSIT_LIST
  • withdrawals WITHDRAWAL_LIST

34
New version (contd)
  • feature NONE -- Initialization
  • make (initial_amount INTEGER) is -- Set
    up account with initial_amount. require la
    rge_enough initial_amount gt Minimum_balance do
    balance
    initial_amount create
    deposits.make create withdrawals.make
    ensure balance_set balance
    initial_amount
  • end
  • feature -- Access balance
    INTEGER -- Balance Minimum_balance
    INTEGER is 1000 -- Minimum balance


35
New version (contd)
  • feature -- Deposit and withdrawal operations
  • deposit (sum INTEGER) is -- Deposit sum into
    the account.
  • require
  • not_too_small sum gt 0
  • do add (sum)
  • deposits.extend (create DEPOSIT.make
    (sum)) ensure
  • increased balance old balance sum
  • end


36
New version (contd)
  • withdraw (sum INTEGER) is -- Withdraw sum
    from the account. require
  • not_too_small sum gt 0
  • not_too_big sum lt balance Minimum_balance
  • do add (sum)
  • withdrawals.extend (create
    WITHDRAWAL.make (sum))
  • ensure
  • decreased balance old balance sum
  • one_more withdrawals.count old
    withdrawals.count 1
  • end


37
New version (end)
  • may_withdraw (sum INTEGER) BOOLEAN is -- Is
    it permitted to withdraw sum from the
  • -- account?
  • do Result (balance - sum gt
    Minimum_balance) end
  • invariant
  • not_under_minimum balance gt Minimum_balance
  • consistent balance deposits.total
    withdrawals.total
  • end


38
The correctness of a class
create a.make ()
S1
  • For every creation procedure cp precp docp
    postcp and INV
  • For every exported routine r INV and prer
    dor postr and INV

a.f ()
S2
a.g ()
S3
a.f ()
S4

39
Initial version
  • feature NONE -- Initialization
  • make (initial_amount INTEGER) is -- Set up
    account with initial_amount. require
    large_enough initial_amount gt
    Minimum_balance do
  • balance initial_amount
  • create deposits.make create
    withdrawals.make
  • ensure balance_set balance
    initial_amount
  • end


40
Correct version
40
  • feature NONE -- Initialization
  • make (initial_amount INTEGER) is -- Set up
    account with initial_amount. require large_e
    nough initial_amount gt Minimum_balance do
  • create deposits.make create
    withdrawals.make
  • deposit (initial_amount)
  • ensure balance_set balance
    initial_amount
  • end


41
Contracts run-time effect
41
  • Compilation options (per class, in Eiffel)
  • No assertion checking
  • Preconditions only
  • Preconditions and postconditions
  • Preconditions, postconditions, class invariants
  • All assertions


42
??
  • ??
  • Eiffel ? DbC ??
  • DbC???
  • ????DbC

43
??? Design by Contract
  • ??
  • ???????????????????
  • ??
  • ????????,???????????????
  • ???????????????????
  • ??
  • ?

44
Inheritance and assertions
Correct call if a1.? then a1.r
(...) else ... end
r is
C
A
a1 A
?

ensure
a1.r ()
?
r is
B
?
ensure
?
45
Contract
OBLIGATIONS
BENEFITS
delivery
(Satisfy precondition) ????????5kg???
(From postcondition) 3?????????
Client
(Satisfy postcondition) ?3?????????
(From precondition) ?????5kg???
Supplier
46
Contract
  • class COURIER
  • feature
  • deliver(pPackage, dDestination)
  • require
  • --???????5kg
  • ensure
  • --3????????????
  • end

47
More desirable contract
OBLIGATIONS
BENEFITS
delivery
(Satisfy precondition) ????????8kg???
(From postcondition) 2?????????
Client
(Satisfy postcondition) ?2?????????
(From precondition) ?????8kg???
Supplier
48
More desirable contract
  • class DIFFERENT_COURIER
  • Inherit COURIER
  • redefine deliver
  • feature
  • deliver(pPackage, dDestination)
  • require
  • --???????5kg
  • require else
  • --???????8kg
  • ensure
  • --3?????????
  • ensure then
  • --2?????????
  • end

require --???????8kg
ensure -- 2?????????
49
Assertion redeclaration rule
  • Redefined version may not have require or ensure.
  • May have nothing (assertions kept by default), or
  • require else new_pre
  • ensure then new_post
  • Resulting assertions are
  • original_precondition or new_pre
  • original_postcondition and new_post

50
Invariant accumulation
  • Every class inherits all the invariant clauses of
    its parents.
  • These clauses are conceptually and-ed.

51
???
  • ????require else??????
  • ????ensure then??????
  • ?and?????????????????????,????????

52
??
  • ??
  • Eiffel ? DbC ??
  • DbC???
  • ????DbC
  • ??

53
Design by Contract How to apply
  • ??????????
  • ??Contract violation
  • DbC?Quality Assurance(QA)
  • Precondition Design
  • Not defensive programming
  • Class Invariants and business logic

54
What are contracts good for?
  • Writing correct software (analysis, design,
    implementation, maintenance, reengineering).
  • Documentation (the contract form of a class).
  • Effective reuse.
  • Controlling inheritance.
  • Preserving the work of the best developers.
  • Quality assurance, testing, debugging (especially
    in connection with the use of libraries) .
  • Exception handling .

55
Some benefits technical
  • Development process becomes more focused. Writing
    to spec.
  • Sound basis for writing reusable software.
  • Exception handling guided by precise definition
    of normal and abnormal cases.
  • Interface documentation always up-to-date, can be
    trusted.
  • Documentation generated automatically.
  • Faults occur close to their cause. Found faster
    and more easily.
  • Guide for black-box test case generation.

56
Some benefits managerial
  • Library users can trust documentation.
  • They can benefit from preconditions to validate
    their own software.
  • Test manager can benefit from more accurate
    estimate of test effort.
  • Black-box specification for free.
  • Designers who leave bequeath not only code but
    intent.
  • Common vocabulary between all actors of the
    process developers, managers, potentially
    customers.
  • Component-based development possible on a solid
    basis.

57
A contract violation is not a special case
  • For special cases (e.g. if the sum is negative,
    report an error...)
  • use standard control structures (e.g. if ...
    then ... else...).
  • A run-time assertion violation is something else
    the manifestation of
  • A DEFECT (BUG)

58
Contracts and quality assurance
  • Precondition violation Bug in the client.
  • Postcondition violation Bug in the supplier.
  • Invariant violation Bug in the supplier.
  • P A Q

59
Contracts and bug types
  • Preconditions are particularly useful to find
    bugs in client code

YOUR APPLICATION
your_list.insert (y, a b 1)
COMPONENT LIBRARY
class LIST G

insert (x G i INTEGER) is
require
i gt 0
i lt count 1
60
Contracts and quality assurance
  • Use run-time assertion monitoring for quality
    assurance, testing, debugging.
  • Compilation options (reminder)
  • No assertion checking
  • Preconditions only
  • Preconditions and postconditions
  • Preconditions, postconditions, class invariants
  • All assertions

61
Contracts and quality assurance
  • Contracts enable QA activities to be based on a
    precise description of what they expect.
  • Profoundly transform the activities of testing,
    debugging and maintenance.
  • I believe that the use of Eiffel-like module
    contracts is the most important non-practice in
    software world today. By that I mean there is no
    other candidate practice presently being urged
    upon us that has greater capacity to improve the
    quality of software produced. ... This sort of
    contract mechanism is the sine-qua-non of
    sensible software reuse.
  •                       Tom de Marco, IEEE
    Computer, 1997

62
Contract monitoring
  • Enabled or disabled by compile-time options.
  • Default preconditions only.
  • In development use all assertions whenever
    possible.
  • During operation normally, should disable
    monitoring. But have an assertion-monitoring
    version ready for shipping.
  • Result of an assertion violation exception.
  • Ideally static checking (proofs) rather than
    dynamic monitoring.

63
Contracts and documentation
  • ?????????
  • ??????
  • ??????????????????
  • ??????
  • ????????,?????????????????????
  • ???????
  • ????????????,?????????
  • ??????
  • ??????????????,?????????????????????

64
Contract form Definition
  • Simplified form of class text, retaining
    interface elements only
  • Remove any non-exported (private) feature.
  • For the exported (public) features
  • Remove body (do clause).
  • Keep header comment if present.
  • Keep contracts preconditions, postconditions,
    class invariant.
  • Remove any contract clause that refers to a
    secret feature. (This raises a problem can you
    see it?)

65
Contract form of ACCOUNT class
  • class interface ACCOUNT create
  • make
  • feature
  • balance INTEGER -- Balance
  • Minimum_balance INTEGER is 1000 -- Minimum
    balance
  • deposit (sum INTEGER) -- Deposit sum into
    the account.
  • require
  • not_too_small sum gt 0
  • ensure
  • increased balance old balance sum

66
Contract form of ACCOUNT class (contd)
  • withdraw (sum INTEGER) -- Withdraw sum from
    the account. require
  • not_too_small sum gt 0
  • not_too_big sum lt balance Minimum_balance
  • ensure
  • decreased balance old balance sum
  • one_more withdrawals.count old
    withdrawals.count 1
  • may_withdraw (sum INTEGER) BOOLEAN -- Is
    it permitted to withdraw sum from the
  • -- account?
  • invariant
  • not_under_minimum balance gt Minimum_balance
  • consistent balance deposits.total
    withdrawals.total
  • end

67
Flat, interface
  • Flat form of a class reconstructed class with
    all the features at the same level (immediate and
    inherited). Takes renaming, redefinition etc.
    into account.
  • The flat form is an inheritance-free
    client-equivalent form of the class.
  • Interface form the contract form of the flat
    form. Full interface documentation.

68
Uses of the contract and interface forms
  • Documentation, manuals
  • Design
  • Communication between developers
  • Communication between developers and managers

69
Contracts and reuse
  • ???????????
  • ???????????????????????,??????????
  • ????????
  • ???????????????????????????
  • Reuse without a contract is sheer folly.

70
DbC vs. defensive programming
  • ?????????
  • ????????????
  • ??????????????????????

????????????????????????????,?????????????,??????
????????????????????????,??????????????????,??(?
?????)????????????????????? (Goodliffe, P
???????????)
71
DbC vs. defensive programming
  • ???????????
  • ?????????????????????
  • ????????
  • placeCard(cINTEGER,xINTEGER,yINTEGER) is
  • do
  • if (clt1) or (cgtMAXCARDS) then return
  • end

bulletproofing
not a good style
72
DbC vs defensive programming
  • ?????
  • placeCard(cINTEGER,xINTEGER,yINTEGER) is
  • --??(x,y)????C?
  • do
  • if (clt1) or (cgtMAXCARDS)
  • then
  • raise PRECONDITION_EXCEPTION(
  • Grid placeCard bad card
    number)
  • else
  • end

???????????????????
73
DbC vs. defensive programming
  • DbC
  • placeCard(cINTEGER,xINTEGER,yINTEGER) is
  • require
  • valid_card_number (cgt1) and
    (cltMAXCARDS)
  • do
  • end

????????????????
74
DbC vs. defensive programming
  • ??
  • DbC???????????????,????????????????????
  • ????????????????,?????????????????????????????????
    ???,??????????????

75
How strong should a precondition be?
  • Two opposite styles
  • Tolerant weak preconditions (including the
    weakest, True no precondition).
  • Demanding strong preconditions, requiring the
    client to make sure all logically necessary
    conditions are satisfied before each call.
  • Partly a matter of taste.
  • But demanding style leads to a better
    distribution of roles, provided the precondition
    is
  • Justifiable in terms of the specification only.
  • Documented (through the short form).
  • Reasonable!

76
A demanding style
  • sqrt (x, epsilon REAL) REAL is -- Square root
    of x, precision epsilon -- Same version as
    before
  • require
  • x gt 0 epsilon gt 0
  • do ...ensure
  • abs (Result 2 x) lt 2 epsilon Result
  • end

77
A tolerant style
  • sqrt (x, epsilon REAL) REAL is -- Square root
    of x, precision epsilon require True
    do
  • if x lt 0 then Do something about it
    (?) else normal square root
    computation
  • computed True end
  • ensure computed implies
  • abs (Result 2 x) lt 2 epsilon
    Result
  • end

NO INPUT TOO BIG OR TOO SMALL!
78
Contrasting styles
  • put (x G) is -- Push x on top of
    stack. require not is_full do .... end
  • tolerant_put (x G) is -- Push x if possible,
    otherwise set impossible to
  • -- True. do if not is_full then put
    (x) else impossible True end end

79
Invariants and business rules
  • Invariants are absolute consistency conditions.
  • They can serve to represent business rules if
    knowledge is to be built into the software.
  • Form 1
  • invariant
  • not_under_minimum balance gt Minimum_balance
  • Form 2
  • invariant
  • not_under_minimum_if_normal normal_state
    implies
  • (balance gt Minimum_balance)

80
DbC??????
  • Design by Contract by Example
  • ????(????)???(????)
  • ???????????
  • ???????????????,?????????????
  • ??????????????,??????????
  • ?????????,?????????
  • ???????????????

81
??tips
  • ??????????? (non-void?)
  • ??????????????
  • ????????????,??????????????????????
  • ????????
  • ??????????,????????????????,??????????????????????
    ???

82
??tips
  • ????(frame rule)?(???????)???????
  • ??????,????????????,??????

83
??????????
  • ???????
  • ????
  • ????
  • ??????????
  • ?????????(sequential program)
  • ???????

84
??
  • Design by Contract
  • ??
  • ??????,???????????,???????,???????
  • ??
  • ??

85
??
  • ????Contract??BoundedStack(??Java?Contract4J5)
  • BoundedStack ???????
Write a Comment
User Comments (0)
About PowerShow.com