22c:181 / 55:181 Formal Methods in Software Engineering

Size: px

Start display at page:

Download "22c:181 / 55:181 Formal Methods in Software Engineering"

Peregrine Glenn
6 years ago
Views:

1 22c:181 / 55:181 Formal Methods in Software Engineering Design by Contract Copyright , Matt Dwyer, John Hatcliff, Rod Howell, and Cesare Tinelli. Produced by Cesare Tinelli at the University of Iowa from notes originally developed by Matt Dwyer, John Hatcliff and Rod Howell at Kansas State University. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders. 22c181: Formal Methods in Software Engineering Spring'11 1

2 From Models to Implementations Alloy, Lustre provide a means for designing systems and expressing their properties Early model refinement saves time Ultimately, we want this effort to impact the quality of implementations How can we transition design information to the code? State information (multiplicities, invariants, ) Operations info (pre, post, frame conditions, ) 22c181: Formal Methods in Software Engineering Spring'11 2

3 Design By Contract A method that emphasizes the precise description of interface semantics not just syntax, e.g., signatures but behavior, e.g., effects of a method call Supported by tools that allow semantic properties of the design (the model) to be propagated to the code support various forms of validation of those properties 22c181: Formal Methods in Software Engineering Spring'11 3

4 Basic Idea Software is viewed as a system of communicating components all interaction is governed by contracts contracts are precise specifications of mutual obligation Contracts are bi-directional both parties are obligated by them 22c181: Formal Methods in Software Engineering Spring'11 4

5 Contracts Two parties are involved in a contract The supplier performs a task The client requests that the task be performed Each party has obligations receives some benefits Contracts specify those obligations and benefits 22c181: Formal Methods in Software Engineering Spring'11 5

6 Air Travel Client (Traveler) Obligation check in 30 minutes before boarding <3 small carry-ons pay for ticket Benefit reach destination Supplier (Airline) Obligation Benefit take traveler to destination don t need to wait for late travelers don t need to store arbitrary amounts of luggage money 22c181: Formal Methods in Software Engineering Spring'11 6

7 Contracts Specify what should be done they are implementation independent This same idea can be applied to software using the building blocks we ve learned Pre-conditions Post-conditions Frame-conditions Invariants 22c181: Formal Methods in Software Engineering Spring'11 7

8 Taking a flight (Java syntax) Class Flight { /*@ requires time < this.takeoff 30 && l.number < 3 && p in this.ticketed ensures \result = Destination takeflight(person p, Luggage l) { 22c181: Formal Methods in Software Engineering Spring'11 8

9 Specification or Coding Language Why not both? Refinement methodology rather than develop signatures alone develop contract specification analyze client-supplier consistency fill in implementation details check that code satisfies contract Natural progression from design to code 22c181: Formal Methods in Software Engineering Spring'11 9

10 Java Example Class Mystack { private Object[] elems; private int top, size; public MyStack (int s) { public void push (Object obj) { public Object pop() {... public boolean isempty() {... public boolean isfull() {... 22c181: Formal Methods in Software Engineering Spring'11 10

11 Java Example invariant top >= -1 && top < Class Mystack { private Object[] elems; private int top, size; 22c181: Formal Methods in Software Engineering Spring'11 11

12 Java Example Class Mystack { private Object[] elems; private int top, size; public MyStack (int s) { 22c181: Formal Methods in Software Engineering Spring'11 12

13 Java Example Class Mystack { private Object[] elems; private int top, size; /*@ requires s > 0; ensures size == s && elems!= null && top = public MyStack (int s) { 22c181: Formal Methods in Software Engineering Spring'11 13

14 Java Example Class Mystack { private Object[] elems; private int top, size; public void push (Object obj) { public boolean isfull() {... 22c181: Formal Methods in Software Engineering Spring'11 14

15 Java Example Class Mystack { private Object[] elems; private int top, size; /*@ requires!isfull(); ensures top == \old(top) + 1 && elem[top] == public void push (Object obj) { public boolean isfull() {... 22c181: Formal Methods in Software Engineering Spring'11 15

16 Java Example Class Mystack { private Object[] elems; private int top, size; public Object pop() { public boolean isempty() {... 22c181: Formal Methods in Software Engineering Spring'11 16

17 Java Example Class Mystack { private Object[] elems; private int top, size; /*@ requires!isempty(); ensures top == \old(top) - 1 && \result == public Object pop() { public boolean isempty() {... 22c181: Formal Methods in Software Engineering Spring'11 17

18 Java Example Class Mystack { private Object[] elems; private int top, size; public boolean isempty() {... 22c181: Formal Methods in Software Engineering Spring'11 18

19 Java Example Class Mystack { private Object[] elems; private int top, size; /*@ ensures \result <==> top = public boolean isempty() {... 22c181: Formal Methods in Software Engineering Spring'11 19

20 Java Example Class Mystack { private Object[] elems; private int top, size; public boolean isfull() {... 22c181: Formal Methods in Software Engineering Spring'11 20

21 Java Example Class Mystack { private Object[] elems; private int top, size; /*@ ensures \result <==> top = size public boolean isfull() {... 22c181: Formal Methods in Software Engineering Spring'11 21

22 Java Example 2 import java.util.vector; public interface Company { public Vector getemployees(); public Vector getrooms(); public void hire(employee e); public void move(employee e, Room r); public boolean roomsavailable(); 22c181: Formal Methods in Software Engineering Spring'11 22

23 Java Example 2 import java.util.vector; public interface Company { public Vector getemployees(); public Vector getrooms(); public boolean roomsavailable(); /* Contract for hire(employee e) */ /*@ requires e!= null; requires!getemployees().contains(e); // do not employ twice requires!e.hasoffice(); // does not own an office somewhere else requires roomsavailable(); // there must be an office left ensures getemployees().contains(e); // added to list of employees ensures getrooms().contains(e.getoffice()); // assign one of our offices ensures e.hasoffice(); // office assigned ensures e.getoffice().getowner() == e; // correct office public void hire(employee e); 22c181: Formal Methods in Software Engineering Spring'11 23

24 Source Specifications Pre/post conditions Ideally: superset of (side-effect free) Boolean expressions in the host language What about all of the expressive power we have in, e.g., Alloy? Balance power against checkability Balance abstractness against language mapping No one right choice Different tools take different approaches 22c181: Formal Methods in Software Engineering Spring'11 24

25 Important Issues Contract enforcement code is executed It should be side-effect free If not, then contracts change behavior! Frame conditions Explicitly mention what can change Anything can change Failed contract conditions Most approaches will abort the execution How can we continue? 22c181: Formal Methods in Software Engineering Spring'11 25

26 Contract Inheritance Inheritance in most OO languages Sub-type can be used in place of super-type Sub-type provides at least the capability of supertype Sub-types weaken the pre-condition Require no more than the super-type Implicit disjunction of inherited pre-conditions Sub-types strengthen the post-condition Guarantee at least as much the super-type Implicit conjunction of inherited post-conditions Invariants are treated as post-conditions 22c181: Formal Methods in Software Engineering Spring'11 26

27 Tool Support Jtest (Jcontract) Commercial icontract Free, but with lots of support tools JML major research project several freely available tools 22c181: Formal Methods in Software Engineering Spring'11 27

28 Design by Contract in this Course We will focus on Java and use JML as the specification project ESC/Java 2 as the main checking tool 22c181: Formal Methods in Software Engineering Spring'11 28

Formal Methods in Software Engineering 1

Building Models with OCL Introduction Completing UML Diagrams Modeling Tips and Hints Summary Formal Methods in Software Engineering 1 What Is a Model? Simply put, a model is a high level system description.