Why Design by Contract! CS 619 Introduction to OO Design and Development. Design by Contract. Fall 2012

Similar documents
CHAPTER 6 Design by Contract. Literature. When Design by Contract? Why Design By Contract?

3. Design by Contract

Assertions, pre/postconditions

a correct statement? You need to know what the statement is supposed to do.

Contracts. Dr. C. Constantinides. June 5, Department of Computer Science and Software Engineering Concordia University Montreal, Canada 1/71

Readability [Skrien 4.0] Programs must be written for people to read, and only incidentally for machines to execute.

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Assertions. Assertions - Example

Index. Index. More information. block statements 66 y 107 Boolean 107 break 55, 68 built-in types 107

Inheritance. Transitivity

Design by Contract in Eiffel

AP COMPUTER SCIENCE JAVA CONCEPTS IV: RESERVED WORDS

Adding Contracts to C#

17. Assertions. Outline. Built-in tests. Built-in tests 3/29/11. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

CSC Advanced Object Oriented Programming, Spring Specification

17. Assertions. Jelle Slowack, Bart Smets, Glenn Van Loon, Tom Verheyen

Prelim 1 SOLUTION. CS 2110, September 29, 2016, 7:30 PM Total Question Name Loop invariants. Recursion OO Short answer

OO Design Principles

JAVA BASICS II. Example: FIFO

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

CS 315 Software Design Homework 3 Preconditions, Postconditions, Invariants Due: Sept. 29, 11:30 PM

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

n Specifying what each method does q Specify it in a comment before method's header n Precondition q Caller obligation n Postcondition

The Contract Pattern. Design by contract

Subclassing for ADTs Implementation

CS 215 Software Design Homework 3 Due: February 28, 11:30 PM

Verifying and Documenting ADTs: Javadoc, Java Assertions and JUnits

Type Hierarchy. Comp-303 : Programming Techniques Lecture 9. Alexandre Denault Computer Science McGill University Winter 2004

Code Reuse: Inheritance

Java Overview An introduction to the Java Programming Language

CSE 331 Software Design & Implementation

CSE 331. Programming by contract: pre/post conditions; Javadoc

Stacks (5.1) Abstract Data Types (ADTs) CSE 2011 Winter 2011

Type Hierarchy. Lecture 6: OOP, autumn 2003

Weiss Chapter 1 terminology (parenthesized numbers are page numbers)

Programming II (CS300)

Object Oriented Programming: In this course we began an introduction to programming from an object-oriented approach.

Object Oriented Program Correctness with OOSimL

Programming II (CS300)

CS246 Software Abstraction and Specification Final Examination

JAVA MOCK TEST JAVA MOCK TEST II

CS 215 Software Design Sample midterm solutions

Designing Robust Classes

UC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara

Review sheet for Final Exam (List of objectives for this course)

22c:181 / 55:181 Formal Methods in Software Engineering

Self-checking software insert specifications about the intent of a system

Testing Object-Oriented Software. 22 November 2017

Implements vs. Extends When Defining a Class

Software Development. Modular Design and Algorithm Analysis

Control flow in Eiffel

Chapter 13 Object Oriented Programming. Copyright 2006 The McGraw-Hill Companies, Inc.

7032 Programmierung 2

Advanced JML Erik Poll Radboud University Nijmegen

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Note that if both p1 and p2 are null, equals returns true.

What can go wrong in a Java program while running?

Inheritance (Part 5) Odds and ends

The Java Modeling Language (Part 2)

Definition of DJ (Diminished Java)

Assoc. Prof. Marenglen Biba. (C) 2010 Pearson Education, Inc. All rights reserved.

Dynamic Analysis Techniques Part 2

Documenting, Using, and Testing Utility Classes

CSE 331 Final Exam 3/16/15 Sample Solution

Top Down Design vs. Modularization

Final Exam. Final Exam Review. Ch 1: Introduction: Object-oriented analysis, design, implementation. Exam Format

Programming with assertions Oracle guidelines

Pages and 68 in [JN] conventions for using exceptions in Java. Chapter 8 in [EJ] guidelines for more effective use of exceptions.

CMP-338 Solutions Midterm Spring Version 1

6.005 Elements of Software Construction Fall 2008

Prelim 1. Solution. CS 2110, 14 March 2017, 7:30 PM Total Question Name Short answer

Outline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring

CMSC131. Inheritance. Object. When we talked about Object, I mentioned that all Java classes are "built" on top of that.

UNIT 3 ARRAYS, RECURSION, AND COMPLEXITY CHAPTER 11 CLASSES CONTINUED

Lecture 36: Cloning. Last time: Today: 1. Object 2. Polymorphism and abstract methods 3. Upcasting / downcasting

Outline. iterator review iterator implementation the Java foreach statement testing

Test-Driven Development (a.k.a. Design to Test) CSE260, Computer Science B: Honors Stony Brook University

Semantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University

Absolute C++ Walter Savitch

M301: Software Systems & their Development. Unit 4: Inheritance, Composition and Polymorphism

Inheritance and object compatibility

Exceptions and Design

Conformance. Object-Oriented Programming Spring 2015

Introduction to Software Testing Chapter 2.4 Graph Coverage for Design Elements Paul Ammann & Jeff Offutt

Inheritance and Substitution (Budd chapter 8, 10)

Outline and Reading. The Stack ADT ( 2.1.1) Applications of Stacks ( 2.1.1) Array-based implementation ( 2.1.1) Growable array-based stack ( 1.

Synchronization SPL/2010 SPL/20 1

Java: advanced object-oriented features

Programming II (CS300)

Object-Oriented Design

With the popularity of the Web and the

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Prelim 1. CS 2110, September 29, 2016, 7:30 PM Total Question Name Loop invariants

Please note that if you write the mid term in pencil, you will not be allowed to submit a remark request.

Introduction to Programming Using Java (98-388)

Highlights of Previous Lecture

Instantiation of Template class

Universe Type System for Eiffel. Annetta Schaad

DOWNLOAD PDF CORE JAVA APTITUDE QUESTIONS AND ANSWERS

CSCD 326 Data Structures I Stacks

Transcription:

Why Design by Contract What s the difference with Testing? CS 619 Introduction to OO Design and Development Design by Contract Fall 2012 Testing tries to diagnose (and cure) defects after the facts. Design by Contract tries to prevent certain types of defects. Design by Contract falls under Implementation/Design Design by Contract is particularly useful in an Object-Oriented context preventing errors in interfaces between classes (e.g. subclass and superclass via subcontracting) preventing errors while reusing classes (e.g. evolving systems, thus incremental and iterative development) Use Design by Contract in combination with Testing What is Design By Contract? View the relationship between two classes as a formal agreement, expressing each party s rights and obligations. ([Meye97a], Introduction to Chapter 11) Design by Contract == Dont accept anybody elses garbage Each party expects benefits (rights) and accepts obligations Usually, one party s benefits are the other party s obligations Contract is declarative: it is described so that both parties can understand what service will be guaranteed without saying how. Example: Airline reservation Obligations Rights Customer (Client Class) - Be at Brussels airport at least 1 hour before scheduled departure time - Bring acceptable baggage - Pay ticket price - Reach Chicago Airline (Supplier Class) - Bring customer to Chicago - No need to carry passenger who is late, - has unacceptable baggage, - or has not paid ticket

Class Invariants Those conditions that must exist for all visible methods of a class Coupled to objects, not methods Adding an invariant is similar to adding the same constraint as a precondition and postcondition for all methods in a class A class invariant characterizes the valid states of instances It must hold: 1. after construction 2. before and after every public method Method Pre- and Post-conditions The pre-condition binds clients: it defines what the data abstraction requires for a call to the operation to be legitimate it may involve initial state and arguments example: stack is not empty The post-condition, in return, binds the provider: it defines the conditions that the data abstraction ensures on return it may only involve the initial and final states, the arguments and the result example: size = old size + 1 Both are coupled to individual methods Redundant Checks Benefits and Obligations Redundant checks: naive way for including contracts in the source code A contract provides benefits and obligations for both clients and providers: Obligations Benefits public char pop () { if (isempty (this)) {... //Error-handling else {... This is redundant code: it is the responsibility of the client to ensure the pre-condition Client Provider Only call pop() on a nonempty stack Decrement the size. Remove the top element. Stack size decreases by 1. Top element is removed. No need to handle case when stack is empty Redundant Checks Considered Harmful Extra complexity Due to extra (possibly duplicated) code... which must be verified as well Performance penalty Redundant checks cost extra execution time Wrong context How severe is the fault? How to rectify the situation? A service provider cannot asses the situation, only the consumer can.

Example: Stack Specification class stack invariant: (isempty (this)) or ( isempty (this)) public char pop () require: isempty (this) ensure: true public void push (char) require: true ensure: ( isempty (this)) and (top (this) = char) <<invariant>> (isempty (this)) or ( isempty (this)) Stack pop (): char push (char) isempty(): boolean top(): char Implementors of stack promise that invariant will be true after all methods return (incl. constructors) Clients of stack promise precondition will be true before calling pop() Implementors of stack promise postcondition will be true after push() returns <<precondition>> ( isempty (this)) <<postcondition>> ( isempty (this)) and (top (this) = char) Programming Language Support Eiffel Eiffel is designed as such... but only used in limited cases C++ assert() in C++ assert.h does not throw an exception It s possible to mimic assertions (incl. compilation option) in C++ + (see Another Mediocre Assertion Mechanism for C++ by Pedro Guerreiro in TOOLS2008) Documentation extraction is more difficult but feasible Java ASSERT is standard since Java 1.4... however limited design by contract only; acknowledge by Java designers + see http://java.sun.com/j2se/1.4/docs/guide/lang/assert.html Documentation extraction using JavaDoc annotations Smalltalk (and other languages) Possible to mimic; compilation option requires language idioms Documentation extraction is possible (style Javadoc) Assertions assertion = any boolean expression we expect to be true at some point. Assertions.. Help in writing correct software formalizing invariants, and pre- and post-conditions Aid in maintenance of documentation specifying contracts IN THE SOURCE CODE tools to extract interfaces and contracts from source code Serve as test coverage criterion Generate test cases that falsify assertions at run-time Should be configured at compile-time to avoid performance penalties with trusted parties What happens if the contract is not satisfied? Assertions in Source Code public char pop() throws AssertionException { my_assert(this.isempty()); return _store[_size--]; my_assert(invariant()); my_assert(true); //empty postcondition private boolean invariant() { return (_size >= 0) && (_size <= _capacity); private void my_assert(boolean assertion) throws AssertionException { if (assertion) { throw new AssertionException ("Assertion failed"); Should be turned on/off via compilation option

Exception Handling public class AssertionException extends Exception { AssertionException() { super(); AssertionException(String s) { super(s); static public boolean testemptystack() { ArrayStack stack = new(); try { // pop() will raise an exception stack.pop(); catch(assertionexception err) { // we should get here return true; ; return false; If an AssertionException is raised within the try block...... we will fall into the catch block Assertions are not... Assertions look strikingly similar yet are different from... Redundant Checks + Assertions become part of a class interface + Compilation option to turn on/off Checking End User Input + Assertions check software-to-software communication, not software-to-human Control Structure + Raising an exception is a control structure mechanism +... violating an assertion is an error - precondition violation responsibility of the client of the class - postcondition violation responsibility of the supplier of the class Only turn off assertions with trusted parties Tests must verify whether exceptions are thrown Assertions in Java Checking pre-conditions assert is a keyword in Java since version 1.4 assert expression; will raise an AssertionError if expression is false. Be sure to enable exceptions in eclipse (And set the vm flag -enableassertions [-ea]) Assert pre-conditions to inform clients when they violate the contract. public Object top() { assert(this.isempty()); // pre-condition return top.item; When should you check pre-conditions to methods? Always check pre-conditions, raising exceptions if they fail.

Checking class invariants Every class has its own invariant: protected boolean invariant() { return (size >= 0) && ( (size == 0 && this.top == null) (size > 0 && this.top = null)); Checking post-conditions Assert post-conditions and invariants to inform yourself when you violate the contract. public void push(object item) { top = new Cell(item, top); size++; assert this.isempty(); // post-condition assert this.top() == item; // post-condition assert invariant(); When should you check post-conditions? Check them whenever the implementation is non-trivial. Preconditions, Postconditions and Class Invariants In Java Doc * @invariant gpa >= 0 class Student { protected _gpa; * GPA always >=0 * @pre gpa >= 0 void setgpa (double gpa){ * GPA always >=0 * @post return >= 0 double getgpa(){ Inheritance Liskov Substitution Principle Wherever an instance of a class is expected, an instance of one of its subclasses can be substituted. Therefore, A subclass may keep or weaken the preconditions of an overridden method A subclass may keep or strengthen the postconditions of an overridden method A subclass may keep or strengthen the invariants of a subclass

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback