A Practical Approach to Programming With Assertions

Size: px

Start display at page:

Download "A Practical Approach to Programming With Assertions"

Amelia Douglas
5 years ago
Views:

1 A Practical Approach to Programming With Assertions Ken Bell Christian-Albrechts Universität Kiel Department of Computer Science and Applied Mathematics Real-Time Systems and Embedded Systems Group July 5, 2005

2 Main Features Syntax Samples Customizing the Behaviour Type A: Function Interface Declarations Type B: Specification of Function Bodies

3 Assertions Outline first mentioned in 1967.

4 Assertions first mentioned in are formal constraints on software system behaviour.

5 Assertions first mentioned in are formal constraints on software system behaviour. specify what a software system is supposed to do rather than how it is to do it.

6 Assertions first mentioned in are formal constraints on software system behaviour. specify what a software system is supposed to do rather than how it is to do it. give an overview of the logical meaning of a function.

7 Availability of Assertions Basic features are available in most common programming languages like C, C++, Java and other

8 Availability of Assertions Basic features are available in most common programming languages like C, C++, Java and other e.g. in C the macro assert

9 Availability of Assertions Basic features are available in most common programming languages like C, C++, Java and other e.g. in C the macro assert #define a s s e r t ( ex ) \ ( ( ex )? 1 : \ ( e p r i n t f ( "Failed assertion " #ex \ " at line %d of \%s". \ n", \ LINE, FILE ), abort (), 0))

10 Usage of Assertions Outline Assertions are a basic concept in Design by Contract by Bertrand Meyer

11 Usage of Assertions Assertions are a basic concept in Design by Contract by Bertrand Meyer Testdriven Development as part of Extreme Programmings

12 Why are assertions used rather seldom?

13 Why are assertions used rather seldom? The tools for programming with assertions don t meet the need of average developers

14 Why are assertions used rather seldom? The tools for programming with assertions don t meet the need of average developers Customizing messages not possible

15 Why are assertions used rather seldom? The tools for programming with assertions don t meet the need of average developers Customizing messages not possible Enabling or disabling checking at runtime not possible

16 Why are assertions used rather seldom? The tools for programming with assertions don t meet the need of average developers Customizing messages not possible Enabling or disabling checking at runtime not possible The training gives no or little attention on assertions. So, developers have no

17 Why are assertions used rather seldom? The tools for programming with assertions don t meet the need of average developers Customizing messages not possible Enabling or disabling checking at runtime not possible The training gives no or little attention on assertions. So, developers have no clue what kinds of assertions are most effective in certain situations

18 Why are assertions used rather seldom? The tools for programming with assertions don t meet the need of average developers Customizing messages not possible Enabling or disabling checking at runtime not possible The training gives no or little attention on assertions. So, developers have no clue what kinds of assertions are most effective in certain situations idea what kind of checks to specify in assertions

19 Outline Main Features Syntax Samples Customizing the Behaviour The Annotation Pre Processor was designed to make assertions a natural and practical aid to software development. The main features of are

20 Outline Main Features Syntax Samples Customizing the Behaviour The Annotation Pre Processor was designed to make assertions a natural and practical aid to software development. The main features of are replacement of the standard preprocessor

21 Outline Main Features Syntax Samples Customizing the Behaviour The Annotation Pre Processor was designed to make assertions a natural and practical aid to software development. The main features of are replacement of the standard preprocessor flexibility in what information the error messages return

22 Outline Main Features Syntax Samples Customizing the Behaviour The Annotation Pre Processor was designed to make assertions a natural and practical aid to software development. The main features of are replacement of the standard preprocessor flexibility in what information the error messages return flexibility in how much checking is done by specifying runlevels

23 Outline Main Features Syntax Samples Customizing the Behaviour The Annotation Pre Processor was designed to make assertions a natural and practical aid to software development. The main features of are replacement of the standard preprocessor flexibility in what information the error messages return flexibility in how much checking is done by specifying runlevels Assertions are syntactically replaced by standard C code.

24 Outline Main Features Syntax Samples Customizing the Behaviour The Annotation Pre Processor was designed to make assertions a natural and practical aid to software development. The main features of are replacement of the standard preprocessor flexibility in what information the error messages return flexibility in how much checking is done by specifying runlevels Assertions are syntactically replaced by standard C code. Quantified expressions are translated into for-loops.

25 Syntax Outline Main Features Syntax Samples Customizing the Behaviour Annotations are written in extended

26 Syntax Outline Main Features Syntax Samples Customizing the Behaviour Annotations are written in extended Constraints are specified using C language.

27 Syntax Outline Main Features Syntax Samples Customizing the Behaviour Annotations are written in extended Constraints are specified using C language. Assertions must not have sideeffects. Usage of ++ and - - is disallowed.

28 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour recognizes the following keywords

29 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour recognizes the following keywords assume - precondition

30 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour recognizes the following keywords assume - precondition promise - postcondition

31 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour recognizes the following keywords assume - precondition promise - postcondition return - constraint on the return value

32 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour recognizes the following keywords assume - precondition promise - postcondition return - constraint on the return value assert - specifies a constraint as an intermediate state of a function body

33 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour The C language is enhanced by

34 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour The C language is enhanced by introducing exestential and universal quantifiers

35 Syntax Cont d Outline Main Features Syntax Samples Customizing the Behaviour The C language is enhanced by introducing exestential and universal quantifiers the operator in.

36 Syntax Example Main Features Syntax Samples Customizing the Behaviour i n t p o s s q u a r e r o o t ( x ) i n t x ; assume x >= 0 ; r e t u r n y where y >= 0 ; r e t u r n y where y y <= x && x < ( y +1) ( y {.... }

37 Syntax Example 2 Main Features Syntax Samples Customizing the Behaviour void swap ( x, y ) i n t x ; i n t y ; assume x && y && x!= y ; promise x == i n y ; promise y == i n x / {... a s s e r t y == i n x /...

38 Customizing s Behaviour Main Features Syntax Samples Customizing the Behaviour Diagnostic information can be customized.

39 Customizing s Behaviour Main Features Syntax Samples Customizing the Behaviour Diagnostic information can be customized. Can give informations unique to the context

40 Customizing s Behaviour Main Features Syntax Samples Customizing the Behaviour Diagnostic information can be customized. Can give informations unique to the context provides the following macros ANNONAME, FILE, ANNOLINE and FUNCTION.

41 Customizing s Behaviour Main Features Syntax Samples Customizing the Behaviour Diagnostic information can be customized. Can give informations unique to the context provides the following macros ANNONAME, FILE, ANNOLINE and FUNCTION. Debug levels can be introduced.

42 Customizing the Violation Message Main Features Syntax Samples Customizing the Behaviour promise x == i n y { p r i n t f ( "%s invalid: file %s, ", ANNONAME, F I L E ) ; p r i n t f ( "line %d, function %s:\n", ANNOLINE, FUNCTION ) ; p r i n t f ( "out *x == %d, out *y == %d\n", x, y ) ; }

43 Helped to Classify Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Rosenblum used on many systems.

44 Helped to Classify Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Rosenblum used on many systems. leads to classification.

45 Type A: Function Interface Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Validate the behaviour of

46 Type A: Function Interface Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Validate the behaviour of arguments,

47 Type A: Function Interface Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Validate the behaviour of arguments, return values and

48 Type A: Function Interface Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Validate the behaviour of arguments, return values and global states.

49 Type A: Function Interface Declarations Type B: Specification of Function Bodies Overview of Specification of Function Interface Types Assertion Code Description I Specification of Function Interfaces I1 Consistency Between Arguments I2 Dependency of Return Value on Arguments I3 Effect on Global State I4 Context in Which Function is Called I5 Frame Specifications I6 Subrange Membership of Data I7 Enumeration Membership of Data I8 Non-Null Pointers Table: Summary of Classification of Assertions (Part 1)

50 Consistency Between Arguments Type A: Function Interface Declarations Type B: Specification of Function Bodies Arguments of each function are often interdependent.

51 Consistency Between Arguments Type A: Function Interface Declarations Type B: Specification of Function Bodies Arguments of each function are often interdependent. Specifying these dependencies is cumbersome if possible at all.

52 Consistency Between Arguments Type A: Function Interface Declarations Type B: Specification of Function Bodies Arguments of each function are often interdependent. Specifying these dependencies is cumbersome if possible at all. Solution: Preconditions.

53 Sample for Interdependent Arguments Type A: Function Interface Declarations Type B: Specification of Function Bodies enum Token Kind { i d e n t i f i e r, number, s t r i n g } ; void s t o r e t o k e n { kind, token } enum Token Kind k i n d ; char token ; /... ( k i n d == i d e n t i f i e r && token [ 0 ] >= a && token [ 0 ] <= z ) ( k i n d == number && token [ 0 ] >= 0 && token [ 0 ] <= 9 ) ( k i n d == s t r i n g && token [ 0 ] == ) ;

54 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies

55 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Dependency of Return Value on Arguments

56 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Dependency of Return Value on Arguments return y where y y <= x && x < (y+1) (y+1);

57 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Dependency of Return Value on Arguments return y where y y <= x && x < (y+1) (y+1); Effect on global state.

58 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Dependency of Return Value on Arguments return y where y y <= x && x < (y+1) (y+1); Effect on global state. Calling Context.

59 Calling Context: Sample Type A: Function Interface Declarations Type B: Specification of Function Bodies void p r i n t w a r n i n g ( code, l i n e, f i l e ) i n t code ; i n t l i n e ; char f i l e ; assume w a r n i n g s o n /

60 Frame Specifications Outline Type A: Function Interface Declarations Type B: Specification of Function Bodies Explicitly state if an argument or global variable is to be left unchanged.

61 Frame Specifications Outline Type A: Function Interface Declarations Type B: Specification of Function Bodies Explicitly state if an argument or global variable is to be left unchanged. void d e l e t e n a m e ( name ) char name ; assume hashget ( symbols, name ) ; promise! hashget ( symbols, name ) ; promise strcmp ( i n name, i n s t r d u p ( name ) ) == 0 /

62 Subrange Membership of Data Type A: Function Interface Declarations Type B: Specification of Function Bodies Overrunning array bounds is very common.

63 Subrange Membership of Data Type A: Function Interface Declarations Type B: Specification of Function Bodies Overrunning array bounds is very common. Use Postconditions to ensure, that e.g. arrays were treated correctly.

64 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Enumeration Membership of Data The weak type system leads to problems with enumeration types.

65 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Enumeration Membership of Data The weak type system leads to problems with enumeration types. E.g. integers and literals as enumerators are interchangeable.

66 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Enumeration Membership of Data The weak type system leads to problems with enumeration types. E.g. integers and literals as enumerators are interchangeable. Use assertions to ensure that the variables of an enumeration type contain valid values of the type.

67 More Classes of Assertions Type A: Function Interface Declarations Type B: Specification of Function Bodies Enumeration Membership of Data The weak type system leads to problems with enumeration types. E.g. integers and literals as enumerators are interchangeable. Use assertions to ensure that the variables of an enumeration type contain valid values of the type. Non-Null Pointers Assertions that state that a pointer is non-null have to be specified before all other assertions that use the same pointer.

68 Type A: Function Interface Declarations Type B: Specification of Function Bodies Overview of Specification of Function Interface Types Assertion Code B B1 B2 B3 B4 Description Specification of Function Bodies Condition of Else Part of If Statement Condition of Default Branch of Switch Statement Consistency Between Related Data Intermediate Snapshot of Computation Table: Summary of Classification of Assertions (Part 2)

69 Type A: Function Interface Declarations Type B: Specification of Function Bodies Condition of the Else Part of Complex If Statements C programs often use extensive control statements

70 Type A: Function Interface Declarations Type B: Specification of Function Bodies Condition of the Else Part of Complex If Statements C programs often use extensive control statements Use assertions to explicitly specify the implicit condition of the final else statement in an if statement.

71 Type A: Function Interface Declarations Type B: Specification of Function Bodies Condition of the Else Part of Complex If Statements C programs often use extensive control statements Use assertions to explicitly specify the implicit condition of the final else statement in an if statement. A default condition is often intended to be stronger than the simple negation of the disjunction of the if conditions.

72 Type A: Function Interface Declarations Type B: Specification of Function Bodies Condition of the Default Case of a Switch Statement If a switch statements contains a default case, explicitly state the condition, otherwise state a condition that always evaluates to false.

73 Type A: Function Interface Declarations Type B: Specification of Function Bodies Condition of the Default Case of a Switch Statement If a switch statements contains a default case, explicitly state the condition, otherwise state a condition that always evaluates to false. switch ( k i n d ) { case i d e n t i f i e r :... case number :... case s t r i n g :... d e f a u l t : a s s e r t 0 / break }

74 More Function Body Constraints Type A: Function Interface Declarations Type B: Specification of Function Bodies Consistency of related data.

75 More Function Body Constraints Type A: Function Interface Declarations Type B: Specification of Function Bodies Consistency of related data. Intermediate snapshot of computation.

76 Productive D. Rosenblum used to develop YEAST - Yet another Event Action Specification - tool.

77 Productive D. Rosenblum used to develop YEAST - Yet another Event Action Specification - tool. YEAST consists of 12k loc.

78 Productive D. Rosenblum used to develop YEAST - Yet another Event Action Specification - tool. YEAST consists of 12k loc. Debug-Executables grew about 3.7% in size but almost no difference in speed.

79 Productive D. Rosenblum used to develop YEAST - Yet another Event Action Specification - tool. YEAST consists of 12k loc. Debug-Executables grew about 3.7% in size but almost no difference in speed. 19 faults were discovered.

80 Outline Usage of can help to discover and remove faults.

81 Usage of can help to discover and remove faults. Generating and implementing assertions is still manual work to do.

82 Usage of can help to discover and remove faults. Generating and implementing assertions is still manual work to do. Besides being a basic concept in test-driven development, lacks the simplicity of modern bug tracer.

83 Usage of can help to discover and remove faults. Generating and implementing assertions is still manual work to do. Besides being a basic concept in test-driven development, lacks the simplicity of modern bug tracer. The usage of does not teach what to specify in assertions.

84 Usage of can help to discover and remove faults. Generating and implementing assertions is still manual work to do. Besides being a basic concept in test-driven development, lacks the simplicity of modern bug tracer. The usage of does not teach what to specify in assertions. The user s knowledge is still needed.

85 References David S. Rosenblum, A Practical Approach to Programming With Assertions. Wikipedia: Assertions schmidt/pdf/c++-assert4.pdf

Self-checking software insert specifications about the intent of a system

Self-checking software insert specifications about the intent of a system Assertions Reading assignment A. J. Offutt, A Practical System for Mutation Testing: Help for the Common Programmer, Proceedings of the 12th International Conference on Testing Computer Software, Washington,