Chair of Software Engineering
Software Architecture
Bertrand Meyer, Carlo A. Furia, Martin Nordio
ETH Zurich, February-May 2011
Lecture 15: Design by Contract and exception handling
Topics
Part 1: Key concepts
Part 2: Contracts & documentation
Part 3: Contracts & testing
Part 4: Contracts & analysis, methodological notes
Part 5: Contracts & inheritance
Part 6: Contracts & loops
Part 7: Handling abnormal cases
Part 8: Contracts in various languages
Part 9: New developments
Part 10: Conclusion
- 1 - Key concepts
Design by Contract
A discipline of analysis, design, implementation, management
Applications throughout the software lifecycle:
Getting the software right: analysis, design, implementation
Debugging & testing
Automatic documentation
Getting inheritance right
Getting exception handling right
Maintenance
Management
Background
Work on “axiomatic semantics”: R.W. Floyd (1967), C.A.R. Hoare (1969, 1972), E.W. Dijkstra (1978)
1970’s languages: CLU, Alphard
Eiffel (from 1985): connection with object technology
90s and onward: contract additions to numerous languages: C++, Java, C#, UML
Design by Contract
Every software element is intended to satisfy a certain goal, or contract, for the benefit of other software elements (and ultimately of human users).
The contract of any software element should be:
Explicit
Part of the software element itself
The three questions
What does it expect?    Precondition
What does it promise?   Postcondition
What does it maintain?  Class invariant
Contracting components
Definition of what each element of the functionality:
Expects (precondition)
Promises (postcondition)
Maintains (invariant)
Does not have to be complete (but wait)
What we do with contracts
Write better software:
  Analyze
  Design
  Reuse
  Implement
  Use inheritance properly
  Avoid bugs
Document software automatically
Help project managers do their job
Perform systematic testing
Guide the debugging process
(with run-time monitoring)
With and without contracts
.Net collections library
EiffelBase
(with Karine Arnout, IEEE Computer)
The underlying view
Software construction consists of building systems as structured collections of cooperating software elements — suppliers and clients — cooperating on the basis of clear definitions of obligations and benefits.
These definitions are the contracts.
Correctness in software
Correctness is a relative notion: consistency of implementation vis-à-vis specification.
Basic notation (P, Q: assertions, i.e. properties of the state of the computation; A: instructions):
{P} A {Q}   (“Hoare triple”)
What this means (total correctness): any execution of A started in a state satisfying P will terminate in a state satisfying Q.
Hoare triples: a simple example
{n > 5} n := n + 9 {n > 13}
Most interesting properties:
Strongest postcondition (from given precondition).
Weakest precondition (from given postcondition).
“P is stronger than or equal to Q” means: P implies Q.
QUIZ: What is the strongest possible assertion? The weakest?
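The triple above and the notions of weakest precondition and strongest postcondition, worked out in Python as an added example (not part of the lecture): assertions are predicates on the single variable n, the instruction is an assignment n := e(n), and implication between assertions is decided by exhaustive check over a constructed finite domain.

```python
# Constructed finite state space; large enough for the slide's numbers.
DOMAIN = range(-100, 101)


def implies(P, Q):
    """'P is stronger than or equal to Q' means: P implies Q (every P-state is a Q-state)."""
    return all(Q(n) for n in DOMAIN if P(n))


def compare(P, Q):
    """Relative strength of two assertions; 'stronger' means P implies Q but not conversely."""
    pq, qp = implies(P, Q), implies(Q, P)
    if pq and qp:
        return "equivalent"
    return "stronger" if pq else "weaker" if qp else "incomparable"


def wp_assign(e, Q):
    """Weakest precondition of n := e(n) for postcondition Q: Q must hold of the new value e(n)."""
    return lambda n: Q(e(n))


def sp_assign(P, e):
    """Strongest postcondition of n := e(n) from precondition P: the final n was produced
    by e from some initial state that satisfied P."""
    return lambda n: any(P(n0) and e(n0) == n for n0 in DOMAIN)


def triple_holds(P, e, Q):
    """{P} n := e(n) {Q} is valid (total correctness; an assignment always terminates)
    exactly when P is at least as strong as wp(n := e(n), Q)."""
    return implies(P, wp_assign(e, Q))


# The slide's triple {n > 5} n := n + 9 {n > 13}, spelled out as predicates.
def P(n): return n > 5
def A(n): return n + 9   # the instruction n := n + 9
def Q(n): return n > 13
```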
A contract (from EiffelBase)
extend (new : G; key : H)
    -- Assuming there is no item of key key,
    -- insert new with key; set inserted.
  require
    key_not_present: not has (key)
  ensure
    insertion_done: item (key) = new
    key_present: has (key)
    inserted: inserted
    one_more: count = old count + 1
Software correctness (another quiz)
Consider {P} A {Q}
Take this as a job ad in the classifieds.
Should a lazy employment candidate hope for a weak or strong P? What about Q?
Two “special offers”:
1. {False} A {...}
2. {...} A {True}
Properties of human contracts
A contract:
Binds two parties (or more): supplier, client
Is explicit (written)
Specifies mutual obligations and benefits
Usually maps obligation for one of the parties into benefit for the other, and conversely
Has no hidden clauses: obligations are those specified
Often relies, implicitly or explicitly, on general rules applicable to all contracts: laws, regulations, standard practices
A human contract: deliver
Client
  Obligations (satisfy precondition): Bring package before 4 p.m.; pay fee.
  Benefits (from postcondition): Get package delivered by 10 a.m. next day.
Supplier
  Obligations (satisfy postcondition): Deliver package by 10 a.m. next day.
  Benefits (from precondition): Not required to do anything if package delivered after 4 p.m., or fee not paid.
Contracts for analysis, specification
deferred class VAT inherit
    TANK
  feature
    in_valve, out_valve : VALVE
    fill
        -- Fill the vat.
      require                               -- Precondition
        in_valve.open
        out_valve.closed
      deferred                              -- Specified, but not implemented
      ensure                                -- Postcondition
        in_valve.closed
        out_valve.closed
        is_full
      end
    empty, is_full, is_empty, gauge, maximum, ... [Other features] ...
  invariant                                 -- Class invariant
    is_full = (gauge >= 0.97 * maximum) and (gauge <= 1.03 * maximum)
  end
Contracts for analysis: fill
Client
  Obligations (satisfy precondition): Make sure input valve is open, output valve closed
  Benefits (from postcondition): Get filled-up tank, with both valves closed
Supplier
  Obligations (satisfy postcondition): Fill the tank and close both valves
  Benefits (from precondition): Simpler processing thanks to assumption that valves are in the proper initial position
“So, it’s like assert.h?”
Design by Contract goes further: “Assert” does not provide a contract:
Clients cannot see asserts as part of the interface
Asserts do not have associated semantic specifications
Not explicit whether an assert represents a precondition, postcondition or invariant
Asserts do not support inheritance
Asserts do not yield automatic documentation
Source: Reto Kramer
A class without contracts
class ACCOUNT
  feature -- Access
    balance : INTEGER
        -- Balance
    Minimum_balance: INTEGER = 1000
        -- Lowest permitted balance
  feature {NONE} -- Deposit and withdrawal (secret features)
    add (sum : INTEGER)
        -- Add sum to the balance.
      do
        balance := balance + sum
      end
A class without contracts
  feature -- Deposit and withdrawal operations
    deposit (sum : INTEGER)
        -- Deposit sum into the account.
      do
        add (sum)
      end
    withdraw (sum : INTEGER)
        -- Withdraw sum from the account.
      do
        add (-sum)
      end
    may_withdraw (sum : INTEGER): BOOLEAN
        -- Is it permitted to withdraw sum from the account?
      do
        Result := (balance - sum >= Minimum_balance)   -- Result: value returned by the function
      end
  end
Introducing contracts
class ACCOUNT
  create
    make
  feature {NONE} -- Initialization
    make (initial_amount: INTEGER)
        -- Set up account with initial_amount.
      require
        large_enough: initial_amount >= Minimum_balance
      do
        balance := initial_amount
      ensure
        balance_set: balance = initial_amount
      end
Introducing contracts
  feature -- Access
    balance: INTEGER
        -- Balance
    Minimum_balance : INTEGER = 1000
        -- Lowest permitted balance
  feature {NONE} -- Implementation of deposit and withdrawal
    add (sum : INTEGER)
        -- Add sum to the balance.
      do
        balance := balance + sum
      ensure
        increased: balance = old balance + sum
      end
Introducing contracts
feature -- Deposit and withdrawal operations
    deposit (sum : INTEGER)
        -- Deposit sum into the account.
      require                                  -- Precondition
        not_too_small: sum >= 0
      do
        add (sum)
      ensure                                   -- Postcondition
        increased: balance = old balance + sum
      end
Introducing contracts
    withdraw (sum : INTEGER)
        -- Withdraw sum from the account.
      require                                  -- Precondition
        not_too_small: sum >= 0
        not_too_big: sum <= balance - Minimum_balance
      do
        add (-sum)
        -- i.e. balance := balance - sum
      ensure                                   -- Postcondition
        decreased: balance = old balance - sum   -- old balance: value of balance, captured on entry to the routine
      end
The imperative and the applicative
do                             ensure
  balance := balance - sum       balance = old balance - sum

PRESCRIPTIVE                   DESCRIPTIVE
How?                           What?
Operational                    Denotational
Implementation                 Specification
Command                        Query
Instruction                    Expression
Imperative                     Applicative
The contract: withdraw
Client
  Obligations (satisfy precondition): Make sure sum is neither too small nor too big
  Benefits (from postcondition): Get account updated with sum withdrawn
Supplier
  Obligations (satisfy postcondition): Update account for withdrawal of sum
  Benefits (from precondition): Simpler processing: may assume sum is within allowable bounds
Introducing contracts
    may_withdraw (sum : INTEGER): BOOLEAN
        -- Is it permitted to withdraw sum from account?
      do
        Result := (balance - sum >= Minimum_balance)
      end
  invariant
    not_under_minimum: balance >= Minimum_balance
  end
The class invariant
Consistency constraint applicable to all instances of a class.
Must be satisfied:
After creation
After execution of any feature by any client (qualified calls only: x.f (...))
The correctness of a class
For every creation procedure cp:
  {Pre_cp} do_cp {INV and Post_cp}
For every exported routine r:
  {INV and Pre_r} do_r {INV and Post_r}
Client-side sequence of qualified calls on an object (states S1 to S4 of the diagram):
  create x.make (…)   -- S1
  x.f (…)             -- S2
  x.g (…)             -- S3
  x.h (…)             -- S4
Lists in EiffelBase
[Figure: a list of count items with a cursor at position index; queries item, index, count; commands forth, back, start, finish; cursor positions before and after; sample item "Zurich"]
Moving the cursor forward
[Figure: the same list after the command forth has moved the cursor forward by one position; index, count, before, after; sample item "Zurich"]
Two queries, and command forth
The contract language
Language of boolean expressions (plus old): no predicate calculus (i.e. no quantifiers). Function calls permitted (e.g. in a STACK class):
put (x : G)
    -- Push x on top of stack.
  require
    not is_full
  do
    …
  ensure
    not is_empty
  end
remove
    -- Pop top of stack.
  require
    not is_empty
  do
    …
  ensure
    not is_full
  end
A slightly more sophisticated version
Invariant clause (A2): balance = deposits.total - withdrawals.total
[Figure: the account's deposits list, withdrawals list and balance]
New version
class ACCOUNT
  create
    make
  feature {NONE} -- Implementation
    add (sum : INTEGER)
        -- Add sum to the balance.
      do
        balance := balance + sum
      ensure
        balance_increased: balance = old balance + sum
      end
    deposits : DEPOSIT_LIST
    withdrawals : WITHDRAWAL_LIST
New version
  feature {NONE} -- Initialization
    make (initial_amount: INTEGER)
        -- Set up account with initial_amount.
      require
        large_enough: initial_amount >= Minimum_balance
      do
        balance := initial_amount
        create deposits.make
        create withdrawals.make
      ensure
        balance_set: balance = initial_amount
      end
  feature -- Access
    balance: INTEGER
        -- Balance
    Minimum_balance: INTEGER = 1000
        -- Minimum balance
New version
  feature -- Deposit and withdrawal operations
    deposit (sum : INTEGER)
        -- Deposit sum into the account.
      require
        not_too_small: sum >= 0
      do
        add (sum)
        deposits.extend (create {DEPOSIT}.make (sum))
      ensure
        increased: balance = old balance + sum
        one_more: deposits.count = old deposits.count + 1
      end
New version
    withdraw (sum : INTEGER)
        -- Withdraw sum from the account.
      require
        not_too_small: sum >= 0
        not_too_big: sum <= balance - Minimum_balance
      do
        add (-sum)
        withdrawals.extend (create {WITHDRAWAL}.make (sum))
      ensure
        decreased: balance = old balance - sum
        one_more: withdrawals.count = old withdrawals.count + 1
      end
New version
    may_withdraw (sum : INTEGER): BOOLEAN
        -- Is it permitted to withdraw sum from account?
      do
        Result := (balance - sum >= Minimum_balance)
      end
  invariant
    not_under_minimum: balance >= Minimum_balance
    consistent: balance = deposits.total - withdrawals.total
  end
The new representation
Invariant clause (A2): balance = deposits.total - withdrawals.total
[Figure: the account's deposits list, withdrawals list and balance]
Getting it right
  feature {NONE} -- Initialization
    make (initial_amount : INTEGER)
        -- Set up account with initial_amount.
      require
        large_enough: initial_amount >= Minimum_balance
      do
        create deposits.make
        create withdrawals.make
        balance := initial_amount      -- the slide's proposed alternative: deposit (initial_amount)
      ensure
        balance_set: balance = initial_amount
      end
What’s wrong with this?
Design by contract: some applications
Getting the software right
Getting object-oriented development right: exceptions, inheritance…
Analysis and design
Automatic documentation
Project management
Maintenance
Testing and debugging
- 2 - Contracts & documentation
Contracts for documentation
Contract view of a class: simplified form of class text, retaining interface elements only:
Remove any non-exported (private) feature
For the exported (public) features:
  Remove body (do clause)
  Keep header comment if present
  Keep contracts: preconditions, postconditions, invariant
  Remove any contract clause that refers to a secret feature
(This raises a problem; can you see it?)
Contract view
class interface ACCOUNT
  create
    make
  feature
    balance: INTEGER
        -- Balance
    Minimum_balance : INTEGER = 1000
        -- Minimum balance
    deposit (sum: INTEGER)
        -- Deposit sum into the account.
      require
        not_too_small: sum >= 0
      ensure
        increased: balance = old balance + sum
Contract view (continued)
    withdraw (sum: INTEGER)
        -- Withdraw sum from the account.
      require
        not_too_small: sum >= 0
        not_too_big: sum <= balance - Minimum_balance
      ensure
        decreased: balance = old balance - sum
    may_withdraw (sum: INTEGER): BOOLEAN
        -- Is it permitted to withdraw sum from the account?
  invariant
    not_under_minimum: balance >= Minimum_balance
  end
Documenting a program
Who will do the program documentation (technical writers, developers)?
How to ensure that it doesn’t diverge from the code (the reverse Dorian Gray syndrome)?
The Single Product principle
The product is the software
Export rule for preconditions
In
  feature
    r (…)
      require
        some_property
some_property must be exported!
No such requirement for postconditions and invariants.
Flat, interface
Flat view of a class: reconstructed class with all the features at the same level (immediate and inherited). Takes renaming, redefinition etc. into account.
The flat view is an inheritance-free client-equivalent form of the class.
Interface view : the contract view of the flat view. Full interface documentation.
![Page 60: Chair of Software Engineering Software Architecture Bertrand Meyer, Carlo A. Furia, Martin Nordio ETH Zurich, February-May 2011 Lecture 15: Design by](https://reader037.vdocuments.mx/reader037/viewer/2022103022/56649cab5503460f9496cbb1/html5/thumbnails/60.jpg)
- 3 - Contracts and testing
60
61
Contracts for testing
Contracts provide the right basis:
    A fault is a discrepancy between intent and reality
    Contracts describe intent
A contract violation always signals a fault:
    Precondition: in client
    Postcondition or invariant: in routine (supplier)
In EiffelStudio: select compilation option for contract monitoring at level of class, cluster or system.
62
A contract violation is not a special case
For special cases (e.g. “if the sum is negative, report an error...”) use standard control structures, such as if ... then ... else ...
A run-time assertion violation is something else: the manifestation of A DEFECT (“BUG”)
63
Contracts: run-time effect
Compilation options (per class, in Eiffel):
    No assertion checking
    Preconditions only
    Preconditions and postconditions
    Preconditions, postconditions, class invariants
    All assertions
64
Contracts for testing and debugging
Contracts express implicit assumptions behind code
A bug is a discrepancy between intent and code
Contracts state the intent!
In EiffelStudio: select compilation option for run-time contract monitoring at level of:
    Class
    Cluster
    System
May disable monitoring when releasing software
A revolutionary form of quality assurance
65
Contract monitoring
Enabled or disabled by compile-time options. Default: preconditions only.
In development: use “all assertions” whenever possible.
During operation: normally, should disable monitoring. But have an assertion-monitoring version ready for shipping.
Result of an assertion violation: exception.
Ideally: static checking (proofs) rather than dynamic monitoring.
66
Lists in EiffelBase
[Figure: a list with a cursor; queries item, index and count; cursor commands start, forth, back, finish; cursor states before and after; sample element "Zurich"]
67
Moving the cursor forward
[Figure: the cursor moved one position to the right by forth; index, count, before and after as on the previous slide; sample element "Zurich"]
68
Two queries, and command forth
69
Trying to insert too far right
[Figure: the cursor is already past the last element (after, index = count + 1), so an insertion at this position would be too far right; sample element "Zurich"]
70
Where the cursor may go
Valid cursor positions:
    index = 0: before
    1 <= index <= count: on an element (e.g. "Zurich")
    index = count + 1: after
71
From the invariant of class LIST
Valid cursor positions
72
Contracts and bug types
Preconditions are particularly useful to find bugs in client code:

YOUR APPLICATION:
    your_list.insert (y, a + b + 1)

COMPONENT LIBRARY:
    class LIST [G] feature
        insert (x: G; i: INTEGER)
            require
                i >= 0
                i <= count + 1
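The following Python example is added here and is not part of the lecture. It renders the ideas of the preceding slides (monitoring levels, a violation turning into an exception, blame assignment: precondition to the client, postcondition or invariant to the supplier) on a small cursor list whose `insert` carries a positional precondition like the one on the slide. The class name `CursorList`, its `level` attribute, the 1-based position range accepted by `insert` and the deliberately defective `wipe_out_buggy` are my assumptions.

```python
from functools import wraps

# Monitoring levels, mirroring the compilation options listed on the slides.
NONE, PRECONDITIONS, PRE_AND_POST, ALL = 0, 1, 2, 3


class PreconditionViolation(AssertionError):
    """The client called a routine outside its contract: the bug is in the client."""


class PostconditionViolation(AssertionError):
    """The routine did not deliver what it promised: the bug is in the supplier."""


class InvariantViolation(AssertionError):
    """The routine left the object inconsistent: the bug is in the supplier."""


def contract(require=None, ensure=None):
    """Check `require` before and `ensure` plus the class invariant after a call,
    as far as the object's monitoring level asks for; a violation raises an exception."""
    def decorate(routine):
        @wraps(routine)
        def wrapper(self, *args):
            if self.level >= PRECONDITIONS and require and not require(self, *args):
                raise PreconditionViolation(routine.__name__)
            old = self.snapshot()  # 'old' values for the postcondition
            result = routine(self, *args)
            if self.level >= PRE_AND_POST and ensure and not ensure(self, old, result, *args):
                raise PostconditionViolation(routine.__name__)
            if self.level >= ALL and not self.invariant():
                raise InvariantViolation(routine.__name__)
            return result
        return wrapper
    return decorate


class CursorList:
    """A list with a cursor in the spirit of the LIST sketched on the slides (constructed here)."""

    def __init__(self, level=ALL):
        self.level = level
        self._items = []
        self.index = 0  # cursor position: 0 is 'before', count + 1 is 'after'

    @property
    def count(self):
        return len(self._items)

    def item(self, i):
        return self._items[i - 1]  # positions are 1-based, as in Eiffel

    def snapshot(self):
        return {"count": self.count, "index": self.index}

    def invariant(self):
        return 0 <= self.index <= self.count + 1

    # Assumed precondition: a 1-based position from 1 to count + 1 (count + 1 appends).
    @contract(require=lambda self, x, i: 1 <= i <= self.count + 1,
              ensure=lambda self, old, _r, x, i: self.count == old["count"] + 1 and self.item(i) == x)
    def insert(self, x, i):
        self._items.insert(i - 1, x)

    @contract(require=lambda self: self.index <= self.count,  # not after
              ensure=lambda self, old, _r: self.index == old["index"] + 1)
    def forth(self):
        self.index += 1

    @contract(ensure=lambda self, old, _r: self.count == 0)
    def wipe_out_buggy(self):
        # Constructed supplier defect: the items go but the cursor is not reset,
        # so 0 <= index <= count + 1 can be broken while the postcondition still holds.
        self._items.clear()


def outcome(call):
    """Run a call and report which kind of contract violation it raised, if any."""
    try:
        call()
        return "ok"
    except AssertionError as violation:
        return type(violation).__name__


def demo(level):
    """Exercise a list monitored at `level`; returns what each call reports."""
    your_list = CursorList(level)
    for city in ("Zurich", "Bern"):
        your_list.insert(city, your_list.count + 1)  # legal appends
    a, b = 1, 2
    return {
        # client bug: a + b + 1 = 4, but only positions 1 to 3 are valid
        "insert_too_far_right": outcome(lambda: your_list.insert("Basel", a + b + 1)),
        "forth_twice": outcome(lambda: (your_list.forth(), your_list.forth())),
        # supplier bug: visible only when class invariants are monitored
        "wipe_out_buggy": outcome(your_list.wipe_out_buggy),
    }
```

With monitoring at `ALL`, the client's out-of-range insert is reported as a precondition violation and the supplier's cursor defect as an invariant violation; with `PRE_AND_POST` the invariant is never checked and the defect passes silently; with `NONE` even the out-of-range insert is executed, which is the situation a release build without monitoring would be in.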
73
Next step: automated testing
What can be automated:
    Test suite execution
    Resilience (continue test process after failure)
    Regression testing
    Test case generation
    Test result verification (oracles)
    Test extraction from failures
    Test case minimization
B. Meyer et al., Programs that test themselves, IEEE Computer, Sept. 2009
- 4 - Contracts & analysis, methodological notes
75
76
Precondition design
The client must guarantee the precondition before the call
This does not necessarily mean testing for the precondition
Scheme 1 (testing):
    if not my_stack.is_full then
        my_stack.put (some_element)
    end
Scheme 2 (guaranteeing without testing):
    my_stack.remove
    ...
    my_stack.put (some_element)
77
Another example
sqrt (x, epsilon: REAL): REAL
        -- Square root of x, precision epsilon
    require
        x >= 0
        epsilon > 0
    do
        ...
    ensure
        abs (Result ^ 2 - x) <= 2 * epsilon * Result
    end
78
The contract: sqrt

|          | OBLIGATIONS | BENEFITS |
|----------|-------------|----------|
| Client   | (Satisfy precondition:) Provide non-negative value and precision that is not too small. | (From postcondition:) Get square root within requested precision. |
| Supplier | (Satisfy postcondition:) Produce square root within requested precision. | (From precondition:) Simpler processing thanks to assumptions on value and precision. |
79
Not defensive programming!
It is never acceptable to have a routine of the form

sqrt (x, epsilon: REAL): REAL
        -- Square root of x, precision epsilon
    require
        x >= 0
        epsilon > 0
    do
        if x < 0 then
            … Do something about it (?) …
        else
            … Normal square root computation …
        end
    ensure
        abs (Result ^ 2 - x) <= 2 * epsilon * Result
    end
80
Not defensive programming
For every consistency condition that is required to perform a certain operation:
Assign responsibility for the condition to one of the contract’s two parties (supplier, client).
Stick to this decision: do not duplicate responsibility.
Simplifies software and improves global reliability.
81
Interpreters
class BYTECODE_PROGRAM feature
    verified: BOOLEAN

    trustful_execute (program: BYTECODE)
        require
            ok: verified
        do ... end

    distrustful_execute (program: BYTECODE)
        do
            verify
            if verified then trustful_execute (program) end
        end

    verify do ... end
end
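An added Python example, not the lecture's code, of the BYTECODE_PROGRAM scheme: a constructed five-instruction stack machine whose verifier runs before any execution and whose trustful interpreter refuses unverified programs through its precondition, so that a client that skips `verify` is caught as a contract violation instead of running unchecked code. The instruction set, `MAX_STACK`, and holding the program in the object rather than passing it as an argument are my assumptions.

```python
# Constructed stack-machine instruction set: opcode -> (values popped, values pushed)
OPCODES = {"PUSH": (0, 1), "ADD": (2, 1), "MUL": (2, 1), "DUP": (1, 2), "PRINT": (1, 0)}
MAX_STACK = 8


class PreconditionViolation(AssertionError):
    """Raised when trustful_execute is called on a program that was never verified."""


class BytecodeProgram:
    """Python rendering of the slide's BYTECODE_PROGRAM; the program is held by the object
    rather than passed as an argument (assumption)."""

    def __init__(self, code):
        self.code = code  # e.g. [("PUSH", 2), ("PUSH", 3), ("ADD",), ("PRINT",)]
        self.verified = False

    def verify(self):
        """Static check before any execution: known opcodes only, an operand exactly where
        PUSH needs one, and a stack depth that never underflows or exceeds MAX_STACK."""
        depth = 0
        self.verified = False
        for instruction in self.code:
            opcode = instruction[0]
            expected_length = 2 if opcode == "PUSH" else 1
            if opcode not in OPCODES or len(instruction) != expected_length:
                return
            if opcode == "PUSH" and not isinstance(instruction[1], int):
                return
            pops, pushes = OPCODES[opcode]
            if depth < pops:
                return  # stack underflow
            depth += pushes - pops
            if depth > MAX_STACK:
                return  # stack overflow
        self.verified = True

    def trustful_execute(self):
        """require ok: verified -- the interpreter relies on the verifier's guarantees
        and therefore performs no bounds checks of its own."""
        if not self.verified:
            raise PreconditionViolation("trustful_execute: program not verified")
        stack, output = [], []
        for instruction in self.code:
            opcode = instruction[0]
            if opcode == "PUSH":
                stack.append(instruction[1])
            elif opcode == "ADD":
                right, left = stack.pop(), stack.pop()
                stack.append(left + right)
            elif opcode == "MUL":
                right, left = stack.pop(), stack.pop()
                stack.append(left * right)
            elif opcode == "DUP":
                stack.append(stack[-1])
            elif opcode == "PRINT":
                output.append(stack.pop())
        return output

    def distrustful_execute(self):
        """Verify first; execute only if verification succeeded, otherwise report None."""
        self.verify()
        if self.verified:
            return self.trustful_execute()
        return None


def try_trustful(code):
    """What happens when a client skips verification: the precondition catches it."""
    try:
        return BytecodeProgram(code).trustful_execute()
    except PreconditionViolation:
        return "precondition violated"
```

The point of the split is the one on the slide: `trustful_execute` is the fast path that assumes a verified program, `distrustful_execute` is the entry point for untrusted input, and the precondition makes calling the fast path on unverified input a detectable client bug rather than a silent exposure.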
82
How strong should a precondition be?
Two opposite styles:
    Tolerant: weak preconditions (including the weakest, True: no precondition).
    Demanding: strong preconditions, requiring the client to make sure all logically necessary conditions are satisfied before each call.
Partly a matter of taste.
But: demanding style leads to a better distribution of roles, provided the precondition is:
    Justifiable in terms of the specification only.
    Documented (through the short form).
    Reasonable!
83
The demanding style
sqrt (x, epsilon: REAL): REAL
        -- Square root of x, precision epsilon
    require
        x >= 0
        epsilon > 0
    do
        ...
    ensure
        abs (Result ^ 2 - x) <= 2 * epsilon * Result
    end
84
A tolerant style

sqrt (x, epsilon: REAL): REAL
        -- Square root of x, precision epsilon.
    require
        True
    do
        if x < 0 then
            … Do something about it (?) …
        else
            … Normal square root computation …
            computed := True
        end
    ensure
        computed implies abs (Result ^ 2 - x) <= 2 * epsilon * Result
    end

NO INPUT TOO BIG OR TOO SMALL!
85
Contrasting styles
put (x: G)
        -- Push x on top of stack.
    require
        not is_full
    do
        ....
    end

tolerant_put (x: G)
        -- Push x if possible, otherwise set impossible to True.
    do
        if not is_full then
            put (x)
        else
            impossible := True
        end
    end
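Added example, not from the slides: the demanding and tolerant versions of sqrt in Python, with the postcondition abs(Result^2 - x) <= 2 * epsilon * Result from the slides checked by the supplier, and a client (`hypotenuse`) that guarantees the precondition by construction rather than testing for it (Scheme 2 of the 'Precondition design' slide). The Newton iteration, the helper names and the `(Result, computed)` return of the tolerant version are my choices.

```python
class PreconditionViolation(AssertionError):
    """Client side: the caller did not honour 'require'."""


class PostconditionViolation(AssertionError):
    """Supplier side: the routine did not honour 'ensure'."""


def sqrt_demanding(x, epsilon):
    """Demanding style: require x >= 0 and epsilon > 0,
    ensure abs(Result^2 - x) <= 2 * epsilon * Result.
    The body assumes the precondition and does not re-check it (no defensive programming)."""
    if not (x >= 0 and epsilon > 0):
        raise PreconditionViolation("sqrt: x >= 0 and epsilon > 0 required")
    if x == 0:
        result = 0.0
    else:
        # Newton iteration from above, stopped once the postcondition's bound is met.
        result = max(x, 1.0)
        while abs(result * result - x) > 2 * epsilon * result:
            nxt = 0.5 * (result + x / result)
            if nxt >= result:  # floating point cannot improve further: let 'ensure' judge
                break
            result = nxt
    if not abs(result * result - x) <= 2 * epsilon * result:
        raise PostconditionViolation("sqrt: result not within requested precision")
    return result


def sqrt_tolerant(x, epsilon):
    """Tolerant style (require True): returns (Result, computed); the postcondition becomes
    'computed implies abs(Result^2 - x) <= 2 * epsilon * Result'."""
    if x < 0 or epsilon <= 0:
        return None, False  # "do something about it (?)": here, just report
    return sqrt_demanding(x, epsilon), True


def hypotenuse(a, b, epsilon):
    """Client in the demanding style: it guarantees the precondition by construction
    (a * a + b * b is never negative) instead of testing for it before the call."""
    return sqrt_demanding(a * a + b * b, epsilon)


def within_precision(x, epsilon):
    """True if the demanding version's result satisfies the slide's postcondition."""
    result = sqrt_demanding(x, epsilon)
    return abs(result * result - x) <= 2 * epsilon * result


def client_outcome(call):
    """Report who is to blame when a call fails its contract."""
    try:
        return call()
    except PreconditionViolation:
        return "precondition violated (client bug)"
    except PostconditionViolation:
        return "postcondition violated (supplier failure)"
```

Responsibility is assigned exactly once: the demanding `sqrt_demanding` checks nothing a correct client could have broken, and the tolerant variant absorbs the check into its own body and reports through `computed`; what the slides rule out is the mixture, a routine that requires x >= 0 and then tests for x < 0 anyway.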
- 5 - Contracts and inheritance
86
87
Contracts and inheritance
Issues: what happens, under inheritance, to
Class invariants?
Routine preconditions and postconditions?
88
Invariants
Invariant Inheritance rule: The invariant of a class automatically includes the invariant clauses from all its parents, “and”-ed.
Accumulated result visible in flat and interface forms.
89
Contracts and inheritance
[Figure: A declares r with require and ensure clauses; B inherits from A and redefines r (r ++) with its own require and ensure clauses; C and D are client classes. Legend: Client, Inheritance, ++ Redefinition]

a1: A
a1.r (…)
…

Correct call in C:
if a1. then
    a1.r (...)
    -- Here a1. holds
end
90
Assertion redeclaration rule
When redeclaring a routine, we may only:
Keep or weaken the precondition
Keep or strengthen the postcondition
91
Assertion redeclaration rule
A simple language rule does the trick!
Redefined version may have nothing (assertions kept by default), or
    require else new_pre
    ensure then new_post
Resulting assertions are:
    original_precondition or new_pre
    original_postcondition and new_post
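An added Python rendering (not the lecture's code) of the redeclaration rule: `redeclared` combines a parent routine's contract with `require else` / `ensure then` clauses, giving original_precondition or new_pre and original_postcondition and new_post, and a client written against the parent's contract keeps working on the heir. The account classes, the overdraft limit and the rule-breaking `StrictAccount` that strengthens a precondition are my constructions.

```python
class ContractViolation(AssertionError):
    pass


def contracted(require, ensure):
    """Attach a precondition and postcondition to a routine body and check both on every call."""
    def decorate(body):
        def routine(self, *args):
            if not require(self, *args):
                raise ContractViolation(f"{body.__name__}: precondition violated (client)")
            old = dict(vars(self))  # 'old' state for the postcondition
            result = body(self, *args)
            if not ensure(self, old, result, *args):
                raise ContractViolation(f"{body.__name__}: postcondition violated (supplier)")
            return result
        routine.require, routine.ensure = require, ensure
        return routine
    return decorate


def redeclared(parent, require_else=lambda *_: False, ensure_then=lambda *_: True):
    """The redeclaration rule: 'require else' yields parent_pre OR new_pre (only weakening),
    'ensure then' yields parent_post AND new_post (only strengthening)."""
    return contracted(
        require=lambda self, *a: parent.require(self, *a) or require_else(self, *a),
        ensure=lambda self, old, r, *a: parent.ensure(self, old, r, *a) and ensure_then(self, old, r, *a),
    )


class Account:
    """Parent class A: the ACCOUNT of the earlier slides, reduced to withdraw."""
    MINIMUM_BALANCE = 0

    def __init__(self, balance):
        self.balance = balance

    def may_withdraw(self, total):
        return total > 0 and self.balance - total >= self.MINIMUM_BALANCE

    @contracted(require=lambda self, total: self.may_withdraw(total),
                ensure=lambda self, old, _r, total: self.balance == old["balance"] - total)
    def withdraw(self, total):
        self.balance -= total


class OverdraftAccount(Account):
    """Heir B: a legal redefinition of withdraw."""
    OVERDRAFT_LIMIT = 500

    def __init__(self, balance):
        super().__init__(balance)
        self.last_withdrawal = None

    # require else: also accept withdrawals that stay within the overdraft limit
    # ensure then: additionally record the amount withdrawn
    @redeclared(Account.withdraw,
                require_else=lambda self, total: total > 0 and self.balance - total >= -self.OVERDRAFT_LIMIT,
                ensure_then=lambda self, old, _r, total: self.last_withdrawal == total)
    def withdraw(self, total):
        self.balance -= total
        self.last_withdrawal = total


class StrictAccount(Account):
    """Breaks the rule: a strengthened precondition, so a client that is correct against
    Account's contract fails when the dynamic type happens to be StrictAccount."""

    @contracted(require=lambda self, total: self.may_withdraw(total) and total <= 100,
                ensure=Account.withdraw.ensure)
    def withdraw(self, total):
        self.balance -= total


def outcome(call):
    try:
        call()
        return "ok"
    except ContractViolation as violation:
        return str(violation)


def client_withdraw(account, total):
    """Client written against A's contract only: checks may_withdraw, then calls withdraw."""
    if not account.may_withdraw(total):
        return "refused by client"
    return outcome(lambda: account.withdraw(total))


def demo():
    overdraft = OverdraftAccount(100)
    return {
        "account_150_of_100": outcome(lambda: Account(100).withdraw(150)),
        "overdraft_150_of_100": outcome(lambda: overdraft.withdraw(150)),
        "overdraft_balance_after": overdraft.balance,
        "overdraft_700_of_100": outcome(lambda: OverdraftAccount(100).withdraw(700)),
        "client_on_account": client_withdraw(Account(1000), 200),
        "client_on_strict": client_withdraw(StrictAccount(1000), 200),
    }
```

`redeclared` cannot express a stronger precondition at all, which is the language rule at work; `StrictAccount` sidesteps it by attaching a fresh contract, and the polymorphic client pays for it with a violation it could not have prevented.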
- 6 - Contracts & loops
92
93
Quiz: what does this function compute?
euclid (a, b: INTEGER): INTEGER
        -- Greatest common divisor of a and b
    require
        a > 0 ; b > 0
    local
        m, n: INTEGER
    do
        from
            m := a ; n := b
        invariant
            -- “????????”
        variant
            ????????
        until
            m = n
        loop
            if m > n then
                m := m − n
            else
                n := n − m
            end
        end
        Result := m
    end
95
Quiz: what does this function compute?
euclid (a, b: INTEGER): INTEGER
        -- Greatest common divisor of a and b
    require
        a > 0 ; b > 0
    local
        m, n: INTEGER
    do
        from
            m := a ; n := b
        invariant
            -- gcd (m, n) = gcd (a, b)
        variant
            ????????
        until
            m = n
        loop
            if m > n then
                m := m − n
            else
                n := n − m
            end
        end
        Result := m
    end
96
Loop invariant
True after loop initialization
Preserved by loop body (i.e. if true before, will be true afterwards) when exit condition not true

from
    Init
until
    Exit
loop
    Body
end
98
Loop variant
Integer expression that must:
    Be non-negative after initialization (from)
    Decrease (i.e. by at least one), while remaining non-negative, for every iteration of the body (loop) executed with exit condition not satisfied
99
Quiz: what does this function compute?
euclid (a, b: INTEGER): INTEGER
        -- Greatest common divisor of a and b
    require
        a > 0 ; b > 0
    local
        m, n: INTEGER
    do
        from
            m := a ; n := b
        invariant
            -- gcd (m, n) = gcd (a, b)
        variant
            max (m, n)
        until
            m = n
        loop
            if m > n then
                m := m − n
            else
                n := n − m
            end
        end
        Result := m
    end
100
Invariants: loops as problem-solving strategy
A loop invariant is a property that:
    Is easy to establish initially (even to cover a trivial part of the data)
    Is easy to extend to cover a bigger part
    If covering all data, gives the desired result!
101
Computing the maximum of a list

from
    ???
invariant
    ???
across structure as i loop
    Result := max (Result, i.item)
end
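Added Python example, not part of the slides, serving both the euclid quiz and the maximum-of-a-list quiz: `checked_loop` runs a from/invariant/variant/until/loop and checks the invariant and the variant after initialization and after every iteration, the way run-time monitoring of loop assertions would. The invariant gcd(m, n) = gcd(a, b) and the variant max(m, n) come from the slides; the `from` and `invariant` I supply for the list maximum, the `euclid_buggy` defect and the helper names are my assumptions.

```python
import math


class LoopContractViolation(AssertionError):
    pass


def checked_loop(state, init, invariant, variant, exit_condition, body):
    """Run an Eiffel-style from / invariant / variant / until / loop, checking the
    invariant and the variant after initialization and after every iteration."""
    init(state)

    def check(where):
        if not invariant(state):
            raise LoopContractViolation(f"invariant false {where}")
        value = variant(state)
        if value < 0:
            raise LoopContractViolation(f"variant negative {where}")
        return value

    previous = check("after initialization")
    while not exit_condition(state):
        body(state)
        current = check("after iteration")
        if current >= previous:
            raise LoopContractViolation("variant did not decrease")
        previous = current
    return state


def euclid(a, b):
    """The slide's euclid with its invariant gcd(m, n) = gcd(a, b) and variant max(m, n)."""
    if not (a > 0 and b > 0):
        raise AssertionError("euclid: precondition a > 0 and b > 0 violated")

    def body(s):
        if s["m"] > s["n"]:
            s["m"] -= s["n"]
        else:
            s["n"] -= s["m"]

    state = checked_loop(
        {}, init=lambda s: s.update(m=a, n=b),
        invariant=lambda s: math.gcd(s["m"], s["n"]) == math.gcd(a, b),
        variant=lambda s: max(s["m"], s["n"]),
        exit_condition=lambda s: s["m"] == s["n"],
        body=body)
    return state["m"]


def euclid_buggy(a, b):
    """Constructed defect: the body always subtracts n from m, so the loop would not
    terminate; the variant check reports it on the first bad iteration."""
    return checked_loop(
        {}, init=lambda s: s.update(m=a, n=b),
        invariant=lambda s: math.gcd(s["m"], s["n"]) == math.gcd(a, b),
        variant=lambda s: max(s["m"], s["n"]),
        exit_condition=lambda s: s["m"] == s["n"],
        body=lambda s: s.update(m=s["m"] - s["n"]))["m"]


def list_max(items):
    """The maximum-of-a-list quiz filled in (my assumption for the '???' parts):
    from Result := first item, i := 1; invariant Result = max of the first i items."""
    if not items:
        raise AssertionError("list_max: precondition 'items not empty' violated")
    state = checked_loop(
        {}, init=lambda s: s.update(i=1, result=items[0]),
        invariant=lambda s: s["result"] == max(items[:s["i"]]),
        variant=lambda s: len(items) - s["i"],
        exit_condition=lambda s: s["i"] == len(items),
        body=lambda s: s.update(result=max(s["result"], items[s["i"]]), i=s["i"] + 1))
    return state["result"]


def outcome(call):
    try:
        return call()
    except LoopContractViolation as violation:
        return str(violation)
```

The invariant check uses `math.gcd` as an oracle for what the loop is supposed to preserve; the variant check is what turns a non-terminating defect into an immediate, attributable failure instead of a hang.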
102
Reversing a list
from
    pivot := first_element
    first_element := Void
until pivot = Void loop
    i := first_element
    first_element := pivot
    pivot := pivot.right
    first_element.put_right (i)
end

[Figure: linked list of items 1 2 3 4 5 with references first_element, pivot and i, and the right link of each cell]
107
Why does it work?
from
    pivot := first_element
    first_element := Void
until pivot = Void loop
    i := first_element
    first_element := pivot
    pivot := pivot.right
    first_element.put_right (i)
end

[Figure: linked list of items 1 2 3 4 5 with references first_element, pivot and i, and the right link of each cell]

Invariant: from first_element following right, initial items in inverse order; from pivot, rest of items in original order
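Added Python example, not from the lecture: the reversal loop of the slide with the invariant stated above checked after initialization and after every iteration, and the consequence of dropping `put_right` made visible. `Cell`, `make_list`, `items_from` and the constructed `forget_put_right` defect are mine.

```python
class LoopInvariantViolation(AssertionError):
    pass


class Cell:
    """A linkable cell: item plus a `right` reference, as in the slide's pictures."""

    def __init__(self, item, right=None):
        self.item, self.right = item, right

    def put_right(self, other):
        self.right = other


def make_list(items):
    """Build a singly linked list from a Python sequence; returns its first cell (or None)."""
    first_element = None
    for item in reversed(items):
        first_element = Cell(item, first_element)
    return first_element


def items_from(cell):
    """Items reachable from `cell` by following `right`."""
    result = []
    while cell is not None:
        result.append(cell.item)
        cell = cell.right
    return result


def reverse(first_element, forget_put_right=False):
    """The slide's reversal loop. The invariant from the 'Why does it work?' slide is checked
    after initialization and after every iteration: the cells reachable from first_element
    hold the items processed so far in inverse order, those reachable from pivot the rest in
    original order. `forget_put_right=True` is a constructed defect for demonstration."""
    original = items_from(first_element)

    def check_invariant():
        done = items_from(first_element)
        rest = items_from(pivot)
        if done != original[:len(done)][::-1] or rest != original[len(done):]:
            raise LoopInvariantViolation(f"done={done} rest={rest}")

    # from
    pivot = first_element
    first_element = None
    check_invariant()
    # until pivot = Void loop
    while pivot is not None:
        i = first_element
        first_element = pivot
        pivot = pivot.right
        if not forget_put_right:
            first_element.put_right(i)
        check_invariant()
    return first_element


def reversed_items(items, forget_put_right=False):
    """Reverse a constructed list and report the resulting item order, or the violation."""
    try:
        return items_from(reverse(make_list(items), forget_put_right))
    except LoopInvariantViolation as violation:
        return str(viol<br>ation) if False else str(violation)
```

When the loop exits, `pivot` is `Void`, so the second half of the invariant covers nothing and the first half says that everything reachable from `first_element` is the whole original list in inverse order, which is the postcondition of the reversal.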
- 6 - Handling abnormal cases
108
109
Abnormal case
An “abnormal case” is a case of applying a partial function outside of its domain
5 approaches:
    1. A priori check
    2. A posteriori check
    3. Using agents
    4. Return codes
    5. Exception handling
110
Exception handling
Things do not always happen in the ideal way!
111
Solution 1: Use standard control structures
if not end_of_file then
    read_token
    if token /= “class” then
        message (“File must start with class”)
    else
        read_token
        if not token.is_identifier then
            message (“Invalid class name”)
        else
            if token.name.is_taken then
                message (“Class name in use”)
            else
                …
112
Solution 1: a priori (check before)
if y.property then
    a := f (y)
else
    …
end

f (x: T)
    require
        x.property
    do
        …
    ensure
        Result.other_property
    end
113
Example: linear equation
Purpose: solve A * x = b, given matrix A and vector b (the result x will be a vector)

if A.regular then
    x := A.solution (b)
else
    …
end
115
Solution 2: a posteriori (try and check)
f (x: T)
    require
        x.property
    do
        …
    ensure
        Result.other_property
    end

Solution 1:
if y.property then
    a := f (y)
else
    …
end

Solution 2:
a := try_f (y)
if it_worked then
    … Continue normally …
else
    …
end
116
Linear equation with solution 2
Solution 1:
if A.regular then
    x := A.solution (b)
else
    …
end

Solution 2:
A.invert (b)
if A.is_inverted then
    x := A.solution
    … Continue normally …
else
    …
end
117
Solution 3: using agents
Scheme 1:
action1
if ok1 then
    action2
    if ok2 then
        action3
        -- More processing,
        -- more nesting ...
    end
end

Scheme 2:
controlled_execute ([agent action1, agent action2 (...), agent action3 (...)])
if glitch then
    warning (glitch_message)
end
118
Solution 4: return codes
if (file_open (f)) {
    … Continue with processing
}
else {
    …
}
119
Solution 5: exceptions
In case of an abnormal situation:
    Interrupt execution
    Go up call chain
    If exception handler found, execute it
    Otherwise, program stops abnormally

[Figure: chain of routine calls r0, r1, r2, r3, r4]
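Added Python example, not the lecture's code, comparing the a priori check, the a posteriori check, return codes and exceptions on the linear-equation example of the earlier slides: a constructed 2x2 matrix class `Matrix2` with `regular`, `solution`, `invert` and `is_inverted` after the slides' names; `solution_from_inverse`, `solution_or_raise`, `NotRegular` and the `solve_*` clients are my assumptions.

```python
class PreconditionViolation(AssertionError):
    """Solution 1 relies on the client checking first; violating it is a client bug."""


class NotRegular(Exception):
    """Solution 5: the supplier raises an exception when A is singular."""


class Matrix2:
    """A constructed 2x2 matrix [[a, b], [c, d]] standing in for the slide's A."""

    def __init__(self, a, b, c, d):
        self.a, self.b, self.c, self.d = a, b, c, d
        self.is_inverted = False
        self._inverse = None

    @property
    def regular(self):
        return self.a * self.d - self.b * self.c != 0

    def solution(self, rhs):
        """Solve A * x = rhs. require regular (Solution 1: the client checks beforehand)."""
        if not self.regular:
            raise PreconditionViolation("solution: A must be regular")
        det = self.a * self.d - self.b * self.c
        r1, r2 = rhs
        return ((self.d * r1 - self.b * r2) / det, (self.a * r2 - self.c * r1) / det)

    def invert(self):
        """Solution 2 (a posteriori): try; success is reported through is_inverted."""
        det = self.a * self.d - self.b * self.c
        if det == 0:
            self.is_inverted = False
            return
        self._inverse = Matrix2(self.d / det, -self.b / det, -self.c / det, self.a / det)
        self.is_inverted = True

    def solution_from_inverse(self, rhs):
        """require is_inverted: x = A^-1 * rhs."""
        if not self.is_inverted:
            raise PreconditionViolation("solution_from_inverse: A must have been inverted")
        inv, (r1, r2) = self._inverse, rhs
        return (inv.a * r1 + inv.b * r2, inv.c * r1 + inv.d * r2)

    def solution_or_raise(self, rhs):
        """Solution 5: no precondition; raise for inputs outside the domain."""
        if not self.regular:
            raise NotRegular("A * x = b has no unique solution")
        return self.solution(rhs)


def solve_a_priori(A, b):
    """Solution 1: check the precondition, then call."""
    if A.regular:
        return A.solution(b)
    return "no unique solution"


def solve_a_posteriori(A, b):
    """Solution 2: attempt the operation, then ask whether it worked."""
    A.invert()
    if A.is_inverted:
        return A.solution_from_inverse(b)
    return "no unique solution"


def solve_with_return_code(A, b):
    """Solution 4: (ok, result) pair that the caller must inspect."""
    if not A.regular:
        return False, None
    return True, A.solution(b)


def solve_with_exception(A, b):
    """Solution 5: the exception travels up to this handler if no unique solution exists."""
    try:
        return A.solution_or_raise(b)
    except NotRegular as failure:
        return f"handled: {failure}"
```

Whichever approach is chosen, the partial function `solution` is applied only inside its domain; the approaches differ in who detects the abnormal case (the client before the call, the supplier after an attempt, or the exception mechanism on the way up the call chain) and in how easy it is for a careless caller to ignore the answer, which is the weakness of the return-code form.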
120
What is an exception?
“An abnormal event”
Not a very precise definition
Informally: something that you don’t want to happen…
121
Exception vocabulary
“Raise”, “trigger” or “throw” an exception
“Handle” or “catch” an exception
122
C++/Java exception handling style
try {
    … Normal instructions, during which an exception may occur …
} catch (ET1 e) {
    … Handle exceptions of type ET1, details in e …
} catch (ET2 e) {
    … Handle exceptions of type ET2, details in e …
}
… Possibly more cases …
finally {
    … Processing common to all cases, exception or not …
}
123
Java exceptions
Exceptions are objects, descendants of Throwable:
124
Java: raising an exception
Instruction:
    throw my_exception
The enclosing routine should be of the form
    my_routine (…) throws my_exception {
        …
        if abnormal_condition
            throw my_exception;
    }
125
How to use exceptions?
Two opposite styles:
Exceptions as a control structure: use an exception to handle all cases other than the most favorable ones (e.g. a key not found in a hash table triggers an exception)
Exceptions as a technique of last resort
126
Exception handling
A formal basis: Introduce notion of contract The need for exceptions arises when a contract
is broken by either of its parties (client, supplier)
Two concepts:
Failure: a routine, or other operation, is unable to fulfill its contract.
Exception: an undesirable event occurs during the execution of a routine — as a result of the failure of some operation called by the routine.
127
The original strategy

    r (...)
        require
            ...
        do
            op1
            op2
            ... op i
            ... op n
        ensure
            ...
        end
128
Not going according to plan

    r (...)
        require
            ...
        do
            op1
            op2
            ... op i      -- op i fails, triggering an exception in r
            ... op n
        ensure
            ...
        end

op i fails, triggering an exception in r (r is the recipient of the exception).
129
Causes of exceptions in O-O programming
Three major kinds:
- Operating system signal: arithmetic overflow, no more memory, interrupt ...
- Assertion violation (if contracts are being monitored)
- Void call (x.f with no object attached to x). In Eiffel and Spec# this cause goes away: void safety (non-null types) rules it out statically.
130
Handling exceptions properly
Safe exception handling principle: there are only two acceptable ways for the recipient of an exception to react:
- Concede failure, and trigger an exception in the caller: "Organized Panic"
- Try again, using a different strategy (or repeating the same strategy): "Retrying"
(Rare third case: false alarm)
131
How not to do it
(From an Ada textbook)

    function sqrt (x: REAL) return REAL is
    begin
        if x < 0.0 then
            raise Negative;
        else
            normal_square_root_computation;
        end if;
    exception
        when Negative =>
            put ("Negative argument");
            return;
        when others =>
            null;
    end; -- sqrt

The handler prints a message and returns from a function without a result, so the caller gets neither a value nor a failure; the "when others" branch silences every other exception, including ones the author never anticipated.
132
The call chain
(diagram: r0 calls r1, r1 calls r2, r2 calls r3, r3 calls r4; each arrow is a routine call)
133
Exception mechanism
Two constructs:
- A routine may contain a rescue clause.
- A rescue clause may contain a retry instruction.
A rescue clause that does not execute a retry leads to failure of the routine (this is the organized panic case).
134
Transmitting over an unreliable line (1)

    Max_attempts: INTEGER = 100

    attempt_transmission (message: STRING)
            -- Transmit message in at most
            -- Max_attempts attempts.
        local
            failures: INTEGER
        do
            unsafe_transmit (message)
        rescue
            failures := failures + 1
            if failures < Max_attempts then
                retry
            end
        end
135
Transmitting over an unreliable line (2)

    Max_attempts: INTEGER = 100

    failed: BOOLEAN

    attempt_transmission (message: STRING)
            -- Try to transmit message;
            -- if impossible in at most Max_attempts
            -- attempts, set failed to true.
        local
            failures: INTEGER
        do
            if failures < Max_attempts then
                unsafe_transmit (message)
            else
                failed := True
            end
        rescue
            failures := failures + 1
            retry
        end
136
Another Ada textbook example

    procedure attempt is
    begin
        <<Start>>   -- Start is a label
        loop
            begin
                algorithm_1;
                exit;   -- Alg. 1 success
            exception
                when others =>
                    begin
                        algorithm_2;
                        exit;   -- Alg. 2 success
                    exception
                        when others => goto Start;
                    end;
            end;
        end loop;
    end attempt;

In Eiffel:

    attempt
        local
            even: BOOLEAN
        do
            if even then
                algorithm_2
            else
                algorithm_1
            end
        rescue
            even := not even
            retry
        end
137
Dealing with arithmetic overflow

    quasi_inverse (x: REAL): REAL
            -- 1/x if possible, otherwise 0
        local
            division_tried: BOOLEAN
        do
            if not division_tried then
                Result := 1/x
            end
        rescue
            division_tried := True
            retry
        end
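The retry and organized-panic cases of slides 134 and 135, as an added example in C++ (ours, not the lecture's code) written in the try/catch style of slide 122. TransmitError, FlakyChannel and the Transmit callback are constructed stand-ins for unsafe_transmit and the unreliable line. Two things the Eiffel version leaves implicit are made explicit here: the handler retries only the failure it planned for, so a different exception propagates at once instead of being silenced the way the Ada "when others" of slide 131 silences everything; and the attempt count is bounded, so a line that is permanently dead ends in a reported failure rather than an endless retry loop.

```cpp
// Added example (ours, not the lecture's): slides 134-135 in try/catch style.
// TransmitError, FlakyChannel and the Transmit callback are constructed
// stand-ins for unsafe_transmit and the unreliable line.
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

struct TransmitError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

using Transmit = std::function<void(const std::string&)>;

constexpr int Max_attempts = 100;

// Slide 134: retry the same strategy up to Max_attempts times. If every
// attempt fails, re-throw so the caller sees the failure (organized panic).
// Only TransmitError is retried: any other exception is not the failure
// we planned for and propagates immediately. Returns the attempts used.
int attempt_transmission(const Transmit& unsafe_transmit, const std::string& message) {
    int failures = 0;
    for (;;) {
        try {
            unsafe_transmit(message);
            return failures + 1;
        } catch (const TransmitError&) {
            ++failures;
            if (failures >= Max_attempts) throw;   // concede failure to the caller
            // otherwise: retry
        }
    }
}

// Slide 135: same loop, but exhaustion is reported through the result
// ("failed := True") instead of an exception.
bool attempt_transmission_flag(const Transmit& unsafe_transmit, const std::string& message) {
    for (int failures = 0; failures < Max_attempts; ++failures) {
        try {
            unsafe_transmit(message);
            return true;
        } catch (const TransmitError&) {
            // fall through to the next attempt
        }
    }
    return false;
}

// Constructed unreliable line: the first fail_count sends are dropped.
struct FlakyChannel {
    int fail_count;
    int calls = 0;
    void send(const std::string&) {
        ++calls;
        if (calls <= fail_count) throw TransmitError("line dropped");
    }
};

// Attempts needed on a line that drops the first fail_count sends,
// or -1 when attempt_transmission gave up.
int attempts_needed(int fail_count) {
    FlakyChannel line{fail_count};
    try {
        return attempt_transmission([&](const std::string& m) { line.send(m); }, "hello");
    } catch (const TransmitError&) {
        return -1;
    }
}

bool flag_version_succeeds(int fail_count) {
    FlakyChannel line{fail_count};
    return attempt_transmission_flag([&](const std::string& m) { line.send(m); }, "hello");
}

int main() {
    std::cout << "line drops 3 sends: attempts = " << attempts_needed(3) << '\n';
    std::cout << "line drops 100 sends: gave up = " << (attempts_needed(100) == -1) << '\n';
    return 0;
}
```

A line that drops the first three sends needs four attempts; one that drops a hundred exhausts Max_attempts and the failure reaches the caller as an exception (first version) or as a false result (second version). Either way the caller learns that the contract of attempt_transmission was not fulfilled.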
138
If no exception clause (1)
Absence of a rescue clause is equivalent, in first approximation, to an empty rescue clause:

    f (...)
        do
            ...
        end

is an abbreviation for

    f (...)
        do
            ...
        rescue
            -- Nothing here
        end

(This is a provisional rule; see next.)
139
The correctness of a class
For every creation procedure cp:

    {Pre_cp} do_cp {INV and Post_cp}

For every exported routine r:

    {INV and Pre_r} do_r {INV and Post_r}

(diagram: create x.make (…) leads to state S1; the successive calls x.f (…), x.g (…), x.h (…) lead to states S2, S3, S4; the invariant holds in each of these states)
140
Bank accounts
Invariant (A2):

    balance = deposits.total - withdrawals.total

(diagram: an account object with its deposits list, its withdrawals list and its balance)
141
Exception correctness
For the normal body:

    {INV and Pre_r} do_r {INV and Post_r}

For the exception clause:

    {???} rescue_r {???}
142
Exception correctness
For the normal body:

    {INV and Pre_r} do_r {INV and Post_r}

For the exception clause:

    {True} rescue_r {INV}
143
If no exception clause (2)
Absence of a rescue clause is equivalent to a default rescue clause:

    f (...)
        do
            ...
        end

is an abbreviation for

    f (...)
        do
            ...
        rescue
            default_rescue
        end

The task of default_rescue is to restore the invariant.
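The rule {True} rescue_r {INV} made concrete, as an added C++ example (ours, not the lecture's code) on the bank-account invariant of slide 140. Account and its audit hook are constructed for the example: a withdrawal records the operation, calls an audit step that may fail, and then adjusts the balance. The rescue branch cannot know how far the body got (that is the {True}), so it restores the invariant by undoing the recorded withdrawal and then re-raises. The swallowing variant transposes the Ada handler of slide 131: it returns as if nothing happened and leaves a withdrawal on record that the balance does not reflect, the kind of half-applied state change that audit gaps and double-spend bugs are made of.

```cpp
// Added example (ours, not the lecture's): the bank account of slide 140 with
// the exception-correctness rule of slides 141-143, {True} rescue_r {INV}.
// Account and the audit hook are constructed for this example.
#include <functional>
#include <numeric>
#include <stdexcept>
#include <utility>
#include <vector>

class Account {
public:
    using Audit = std::function<void(long)>;   // external step that may fail

    explicit Account(Audit audit) : audit_(std::move(audit)) {}

    // Class invariant: (A2) balance = deposits.total - withdrawals.total,
    // and the balance never goes negative.
    bool invariant_holds() const {
        long d = std::accumulate(deposits_.begin(), deposits_.end(), 0L);
        long w = std::accumulate(withdrawals_.begin(), withdrawals_.end(), 0L);
        return balance_ == d - w && balance_ >= 0;
    }
    long balance() const { return balance_; }

    void deposit(long amount) {
        if (amount <= 0) throw std::invalid_argument("require: amount > 0");
        deposits_.push_back(amount);
        balance_ += amount;
    }

    // require 0 < amount <= balance
    // ensure  balance = old balance - amount
    // rescue  restore the invariant, then fail (organized panic)
    void withdraw(long amount) {
        if (amount <= 0 || amount > balance_)
            throw std::invalid_argument("require: 0 < amount <= balance");
        withdrawals_.push_back(amount);      // step 1: record the withdrawal
        try {
            audit_(amount);                  // step 2: may fail
            balance_ -= amount;              // step 3: adjust the balance
        } catch (...) {
            // Rescue clause. All we know is that something failed after
            // step 1 ({True}); to make {INV} true again we undo step 1,
            // then let the exception propagate: the routine has failed.
            withdrawals_.pop_back();
            throw;
        }
    }

    // Slide 131 transposed ("how not to do it"): swallow the exception and
    // return as if nothing happened. No rollback, no failure reported.
    void withdraw_swallowing(long amount) {
        withdrawals_.push_back(amount);
        try {
            audit_(amount);
            balance_ -= amount;
        } catch (...) {
            return;   // a withdrawal is on record that the balance does not reflect
        }
    }

private:
    Audit audit_;
    std::vector<long> deposits_;
    std::vector<long> withdrawals_;
    long balance_ = 0;
};

// Constructed failing dependency: the audit log is unavailable.
inline void failing_audit(long) { throw std::runtime_error("audit log unavailable"); }

// Correct rescue: the failure propagates and the invariant survives.
bool rescue_restores_invariant() {
    Account a(failing_audit);
    a.deposit(100);
    bool propagated = false;
    try { a.withdraw(40); } catch (const std::runtime_error&) { propagated = true; }
    return propagated && a.invariant_holds() && a.balance() == 100;
}

// Swallowing handler: no failure reported, invariant broken.
bool swallowing_breaks_invariant() {
    Account a(failing_audit);
    a.deposit(100);
    a.withdraw_swallowing(40);   // returns normally
    return !a.invariant_holds();
}

// A precondition violation is the client's bug: rejected before any change.
bool overdraft_rejected_before_any_change() {
    Account a([](long) {});
    a.deposit(100);
    try { a.withdraw(500); } catch (const std::invalid_argument&) {
        return a.invariant_holds() && a.balance() == 100;
    }
    return false;
}

// Normal path: the postcondition balance = old balance - amount.
long balance_after_normal_withdrawal() {
    Account a([](long) {});
    a.deposit(100);
    a.withdraw(40);
    return a.invariant_holds() ? a.balance() : -1;
}
```

The rescue branch catches everything on purpose: its job is not to understand the failure but to re-establish the invariant before passing the failure on, which is exactly what default_rescue is for when no explicit clause is written.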
144
For finer-grain exception handling
Every exception has a type, a descendant of the library class EXCEPTION.
The query last_exception gives an object representing the last exception that occurred.
Some features of class EXCEPTION:
- name
- is_assertion_violation, etc.
- raise
145
Another challenge today
Exceptions in a concurrent world
(diagram: the call chain r0, r1, r2, r3, r4 of slide 132)
What if the call chain is no longer available?
146
Exception handling: summary and conclusion
- Exceptions as a control structure (internally triggered): benefits are dubious at best
- An exception mechanism is needed for unexpected external events
- Need a precise methodology; must define what is "normal" and "abnormal". Contracts provide that basis.
- Next challenge is concurrency & distribution
- 8 - Design by Contract in various languages
147
148
What we do with contracts
- Write better software: analyze, design, reuse, implement
- Use inheritance properly
- Avoid bugs
- Document software automatically
- Help project managers do their job
- Perform systematic testing (with run-time monitoring)
- Guide the debugging process (with run-time monitoring)
149
Emulating Design by Contract mechanisms
Basic step (programmer discipline):
- Add preconditions and postconditions
- Use a switch to turn monitoring on or off
- Help for analysis, methodology, debugging, but:
  • No documentation help
  • No class invariants
  • No connection with O-O structure
  • No inherited assertions
  • No connection with exception handling
Other techniques:
- Macros (C, C++)
- Language extensions, e.g. preprocessor
150
The macro approach
GNU Nana: improved support for contracts and logging in C and C++.
- Set of C/C++ macros and commands for the gdb debugger. Replaces assert.h.
- Support for quantifiers (Forall, Exists, Exists1) corresponding to iterations on the STL (C++ Standard Template Library).
- Support for time-related contracts ("Function must execute in less than 1000 cycles").
151
GNU Nana example

    void intsqrt(int &r) {                /* r' = floor(sqrt(r)) */
        DS($r = r);                       /* save r away into $r for later use under gdb(1) */
        DS($start = $cycles);             /* real time constraints */
        ...;                              /* code which changes r */
        DI($cycles - $start < 1000);      /* code must take less than 1000 cycles */
        DI(((r * r) <= $r) && ($r < (r + 1) * (r + 1)));   /* use $r in postcondition */
    }

(The D-prefixed forms DS and DI are Nana's debugger-evaluated statements and checks: they run under gdb rather than in the compiled code, which is why $r, $start and $cycles are gdb variables and why they cost nothing when the program is not being debugged.)
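The "basic step" of slide 149 and the intsqrt contract of slide 151, as an added C++ example (ours; not GNU Nana and not the lecture's code): preconditions and postconditions as macros behind a compile-time switch, an explicit old-value capture standing in for Nana's $r, and Forall/Exists-style quantifiers over STL ranges. ContractViolation, REQUIRE, ENSURE, NCONTRACT, forall, exists, intsqrt and dedupe are names chosen here.

```cpp
// Added example (ours, not GNU Nana and not the lecture's code): the "basic
// step" of slide 149 and the intsqrt contract of slide 151 with plain C++
// macros. ContractViolation, REQUIRE, ENSURE, NCONTRACT, forall, exists,
// intsqrt and dedupe are names chosen here.
#include <algorithm>
#include <iterator>
#include <stdexcept>
#include <vector>

struct ContractViolation : std::logic_error {
    using std::logic_error::logic_error;
};

// The switch: build with -DNCONTRACT to turn monitoring off (cf. NDEBUG).
#ifndef NCONTRACT
#define REQUIRE(cond) do { if (!(cond)) throw ContractViolation("precondition failed: " #cond); } while (0)
#define ENSURE(cond)  do { if (!(cond)) throw ContractViolation("postcondition failed: " #cond); } while (0)
#else
#define REQUIRE(cond) ((void)0)
#define ENSURE(cond)  ((void)0)
#endif

// Quantifiers over STL ranges, the role of Nana's Forall/Exists.
template <class Range, class Pred>
bool forall(const Range& r, Pred p) { return std::all_of(std::begin(r), std::end(r), p); }
template <class Range, class Pred>
bool exists(const Range& r, Pred p) { return std::any_of(std::begin(r), std::end(r), p); }

// Slide 151's contract: require n >= 0; ensure r*r <= n < (r+1)*(r+1).
// old_n plays the part of Nana's $r: the input saved for the postcondition.
long intsqrt(long n) {
    REQUIRE(n >= 0);
    const long old_n = n;
    long lo = 0, hi = n;
    while (lo < hi) {                          // binary search for floor(sqrt(n))
        long mid = lo + (hi - lo + 1) / 2;     // mid >= 1, so n / mid is safe
        if (mid <= n / mid) lo = mid;          // mid*mid <= n, tested without overflow
        else hi = mid - 1;
    }
    ENSURE(lo * lo <= old_n && old_n < (lo + 1) * (lo + 1));
    return lo;
}

// A quantified postcondition: the result has no duplicates and keeps
// every element of the input.
std::vector<int> dedupe(const std::vector<int>& in) {
    std::vector<int> out(in);
    std::sort(out.begin(), out.end());
    out.erase(std::unique(out.begin(), out.end()), out.end());
    ENSURE(std::adjacent_find(out.begin(), out.end()) == out.end());
    ENSURE(forall(in, [&](int x) { return exists(out, [&](int y) { return y == x; }); }));
    return out;
}

// With monitoring on, a caller that breaks the precondition is caught at
// the call, close to the cause, instead of producing a wrong result.
bool precondition_violation_detected() {
    try { intsqrt(-1); } catch (const ContractViolation&) { return true; }
    return false;
}
```

Build with -DNCONTRACT and the checks vanish, which is the switch of slide 149; everything the slide lists as missing from this emulation still applies, in particular nothing here is inherited by a subclass and nothing turns the contracts into documentation.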
152
Design by Contract in Java
OAK 0.5 (pre-Java) contained an assertion mechanism, which was removed due to "lack of time".
Several different proposals.
Gosling (May 1999, http://www.javaworld.com/javaworld/javaone99/j1-99-gosling.html): "The number one thing people have been asking for is an assertion mechanism. Of course, that [request] is all over the map: There are people who just want a compile-time switch. There are people who ... want something that's more analyzable. Then there are people who want a full-blown Eiffel kind of thing. We're probably going to start up a study group on the Java platform community process."
153
Java Modeling Language (JML)
- Contract-equipped extension for Java
- Assertions are written inside Java comments (//@ and /*@ ... @*/), so a plain Java compiler ignores them
- Rich tool suite for tests and proofs
154
JML example (1)

    public class BankingExample {
        public static final int MAX_BALANCE = 1000;
        private /*@ spec_public @*/ int balance;
        private /*@ spec_public @*/ boolean isLocked = false;

        //@ public invariant balance >= 0 && balance <= MAX_BALANCE;

        //@ assignable balance;
        //@ ensures balance == 0;
        public BankingExample() { balance = 0; }

        //@ requires 0 < amount && amount + balance < MAX_BALANCE;
        //@ assignable balance;
        //@ ensures balance == \old(balance + amount);
        public void credit(int amount) { balance += amount; }
155
JML example (2)

        //@ requires 0 < amount && amount <= balance;
        //@ assignable balance;
        //@ ensures balance == \old(balance) - amount;
        public void debit(int amount) { balance -= amount; }

        //@ ensures isLocked == true;
        public void lockAccount() { isLocked = true; }

        //@ requires !isLocked;
        //@ ensures \result == balance;
        //@ also
        //@ requires isLocked;
        //@ signals_only BankingException;
        public /*@ pure @*/ int getBalance() throws BankingException {
            if (!isLocked) { return balance; } else { throw new BankingException(); }
        }
    }
156
Object Constraint Language
Contract extension to UML. Includes support for:
- Invariants, preconditions, postconditions
- Guards (not further specified)
- Predefined types and collection types
- Associations
- Collection operations: forAll, exists, iterate
157
OCL example
Postconditions:

    -- the number of elements of collection
    post: result = collection->iterate (elem; acc : Integer = 0 | acc + 1)

    -- the number of occurrences of object in collection
    post: result = collection->iterate (elem; acc : Integer = 0 |
              if elem = object then acc + 1 else acc endif)

    -- result holds exactly the elements that are in both set and set2
    post: T.allInstances->forAll (elem |
              result->includes (elem) = (set->includes (elem) and set2->includes (elem)))
158
Spec#
Contract-equipped version of C# language
Originally developed at Microsoft Research
Includes non-null types
159
Spec# contract example

    static int min (int x, int y)
        requires 0 <= x && 0 <= y;
        ensures x < y ? result == x : result == y;
    {
        int m;
        if (x < y)
            m = x;
        else
            m = y;
        return m;
    }

Source: Rustan Leino
160
The Spec# verifier
(diagram, source: Rustan Leino: Spec# source goes through the Spec# compiler to MSIL ("bytecode"); the static verifier (the Boogie tool) consists of a Translator, an Inference engine and a V.C. generator, which turn the Boogie language program into verification conditions; an SMT solver (Z3) discharges them and reports "correct" or a list of errors)
161
Code contracts
Introduced in 2009 to provide a "language-agnostic way to express coding assumptions in .NET programs" (Microsoft).
Set of static library methods for writing preconditions, postconditions, and "object invariants", with tools:
- ccrewrite: to generate run-time checking
- cccheck: static checker
- ccdoc: for documentation
Applied to a large part of the mscorlib library.
- 9 - New developments
162
163
The next steps
- Pushing some properties to the type system: void safety
- More expressive specifications
- Concurrency
- Proofs
164
Concurrency
SCOOP mechanism: general object-oriented notation for concurrent programs.
Based on a reinterpretation of contracts: preconditions become wait conditions.
165

    put (b: BUFFER [G]; v: G)
            -- Store v into b.
        require
            not b.is_full
        do
            …
        ensure
            not b.is_empty
        end

    my_queue: BUFFER [T]
    …
    if not my_queue.is_full then
        put (my_queue, t)
    end

(diagram: a BUFFER (queue) object with the features put, item and remove)
166
Increasing expressive power
Eiffel Model Library
Components to prove(e.g. EiffelBase)
167
Eiffel Model Library (MML)
- Classes correspond to mathematical concepts: SET [G], FUNCTION [G, H], TOTAL_FUNCTION [G, H], RELATION [G, H], SEQUENCE [G], …
- Completely applicative: no attributes (fields), no implemented routines (all completely deferred)
- Specified with contracts (unproven) reflecting mathematical properties
- Expressed entirely in Eiffel
Bernd Schoeller, Tobias Widmer, Nadia Polikarpova
168
Example MML class

    class SEQUENCE [G] feature

        count: NATURAL
                -- Number of items

        last: G
                -- Last item

        extended (x: G): SEQUENCE [G]
                -- Identical sequence except x added at end.
            ensure
                Result.count = count + 1
                Result.last = x
                Result.sub (1, count) ~ Current

        mirrored: SEQUENCE [G]
                -- Same items in reverse order.
            ensure
                Result.count = count
                …
        …
    end
169
Specifying lists

    class LINKED_LIST [G]
    feature
        …
        remove_front
                -- Remove first item.
            require
                not empty
            do
                first := first.right
            ensure
                count = old count - 1
                first = old item (2)
                model = old model.tail
            end
        …
    end

(diagram: the list cells, linked through their right references, starting from first)
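The model-based postcondition of slide 169, as an added C++ example (ours; not the lecture's code and not EiffelBase2): a singly linked list whose public routines are checked against a model query returning the abstract sequence of items, so that remove_front verifies model = old model.tail and not only count = old count - 1. LinkedList, Cell, model and check are names chosen here; the vector returned by model stands in for an MML SEQUENCE.

```cpp
// Added example (ours, not the lecture's or EiffelBase2's code): slide 169's
// remove_front checked against a model query. LinkedList, Cell, model and
// check are names chosen here.
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>

template <class G>
class LinkedList {
    struct Cell {
        G item{};
        std::unique_ptr<Cell> right;
    };
    std::unique_ptr<Cell> first_;
    std::size_t count_ = 0;

    static void check(bool cond, const char* clause) {
        if (!cond) throw std::logic_error(clause);
    }

public:
    // Model query: the abstract sequence of items, front to back.
    // (Materialised as a vector; MML's SEQUENCE would be the real model.)
    std::vector<G> model() const {
        std::vector<G> m;
        for (const Cell* c = first_.get(); c; c = c->right.get()) m.push_back(c->item);
        return m;
    }
    std::size_t count() const { return count_; }
    bool is_empty() const { return first_ == nullptr; }

    // require: not empty
    const G& first() const {
        check(!is_empty(), "require: not empty");
        return first_->item;
    }

    // ensure: model = <x> + old model
    void put_front(const G& x) {
        std::vector<G> expected = model();     // old model ...
        expected.insert(expected.begin(), x);  // ... with x in front
        auto c = std::make_unique<Cell>();
        c->item = x;
        c->right = std::move(first_);
        first_ = std::move(c);
        ++count_;
        check(count_ == expected.size() && model() == expected, "ensure: model = <x> + old model");
    }

    // require: not empty
    // ensure:  count = old count - 1, first = old item (2), model = old model.tail
    void remove_front() {
        check(!is_empty(), "require: not empty");
        std::vector<G> old_model = model();
        std::size_t old_count = count_;
        first_ = std::move(first_->right);     // "first := first.right"
        --count_;
        std::vector<G> tail(old_model.begin() + 1, old_model.end());
        check(count_ == old_count - 1 && model() == tail, "ensure: model = old model.tail");
    }
};

// Build <1, 2, 3>, remove the front, return the model (expected <2, 3>).
std::vector<int> model_after_remove_front() {
    LinkedList<int> l;
    l.put_front(3);
    l.put_front(2);
    l.put_front(1);
    l.remove_front();
    return l.model();
}

// Calling remove_front on an empty list is a contract violation by the client.
bool remove_front_on_empty_rejected() {
    LinkedList<int> l;
    try { l.remove_front(); } catch (const std::logic_error&) { return true; }
    return false;
}
```

A postcondition on count alone would accept a re-link that drops the wrong cell as long as one cell disappears; the model postcondition pins down exactly which sequence must remain. Evaluating model() is linear in the list length, which is the usual reason such monitoring sits behind a switch.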
170
Principles
Very simple mathematics only: logic, set theory
171
EiffelBase2
In progress: library of fully specified (MML) classes, covering fundamental data structures and algorithms, and designed for verification: tests and proofs
Nadia Polikarpova
172
Verification As a Matter Of Course
(diagram: the EVE environment, combining AutoProof, an interactive prover and a separation-logic prover on the proof side with AutoTest, test case generation, test execution and test results on the testing side, together with alias analysis, invariant inference, AutoFix and an Arbiter, the tools exchanging suggestions)
- 10 - Conclusion
173
174
Design by Contract: technical benefits
More focused process: writing to spec
Sound basis for reuse
Exception handling guided by precise definition of “normal” and “abnormal” cases
Interface documentation automatically generated, up-to-date, can be trusted
Faults occur close to cause, found faster & more easily
Guide for black-box test case generation.
175
Design by Contract: managerial benefits
Library users can trust documentation
They can benefit from preconditions to validate their own software
Test manager can benefit from more accurate estimate of test effort
Black-box specification for free
Designers who leave bequeath not only code but intent
Common vocabulary between all actors of the process: developers, managers, potentially customers
Component-based development possible on a solid basis
176
Tom de Marco (IEEE Computer, Feb 1997)
“I believe that the use of Eiffel-like module contracts is the most important non-practice in software today”