Design by Contract in C The Legal / Software Engineering Approach to Program Design Some material from Horton et al
What is a contract? A contract is a “binding agreement between two parties, the supplier and the client: the client buys the products or services from the supplier.” Contracts specify the obligations and benefits of the two parties.
An example contract Provided that the client appears at the airport 2 hours early, pays the full fare in advance, and brings acceptable luggage, the airline will ensure that the client and their luggage will be taken to West Palm Beach. What are the obligations & benefits to each party?
Contracts in Programming Design by Contract: introduced by Bertrand Meyer in the late 1980s, used first in Eiffel, and built around the concept of assertions. Assertion: a boolean-valued statement that describes the program state at a point in the program’s execution. The code that follows an assertion can be written relying on that assertion.
Assertions in Practice

```c
/* example 1: */
if (i % 2 == 0) {
    /* Assertion: i is even */
    …
} else {
    /* Assertion: i is odd */
    …
}

/* example 2: */
if (head != NULL && head->data > n) {
    /* Assertion: head is a valid linked list and n does not belong
     * at the head of the list */
    …
}
```
Function Contracts Every function provides services, and thus is a supplier. A legal contract describes the services provided by a supplier. A function comment describes the services provided by that function.
The Function Contract If the function precondition holds (evaluates to true) before a function call, then (1) the function will halt without crashing, and (2) after the function is executed the postcondition will hold. If the precondition does not hold, the contract promises nothing: the function may return garbage, loop forever, or crash. Note that this states WHAT is done, not HOW it will be done.
Writing pre & post conditions From now on, you will write your function contracts like this:

```c
/*
 * Function description
 * Requires: … [preconditions]
 * Ensures:  … [postconditions]
 */
```

Postconditions are often described in the function description, rather than as an explicit separate statement.
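An added example (not from the slides) of a contract written in this Requires/Ensures form and then enforced at runtime with assert(): a bounded string copy whose precondition is exactly what stands between it and a buffer overflow. The function names, parameters and buffer sizes are assumptions made for the illustration.

```c
/* Added example, not from the original slides. bounded_copy, was_truncated
 * and stored_length are illustrative names, not a library API. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy at most n - 1 characters of src into dst and NUL-terminate dst.
 * Requires: dst != NULL, src != NULL, n >= 1, dst has room for n bytes,
 *           and src and dst do not overlap.
 * Ensures:  dst is NUL-terminated within its first n bytes and holds the
 *           longest prefix of src that fits; returns strlen(src), so the
 *           caller detects truncation by comparing the result with n - 1.
 */
size_t bounded_copy(char *dst, const char *src, size_t n)
{
    /* Check the preconditions the contract requires. A violated
     * precondition is the caller's bug, so fail loudly here instead of
     * writing past the end of dst. (Overlap and "room for n bytes"
     * cannot be checked from inside the function; they stay in the
     * comment as obligations of the caller.) */
    assert(dst != NULL);
    assert(src != NULL);
    assert(n >= 1);

    size_t len = strlen(src);
    size_t to_copy = len < n - 1 ? len : n - 1;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';

    /* Postcondition: the stored string is terminated inside the buffer. */
    assert(strlen(dst) == to_copy);
    return len;
}

/* Caller side of the contract: pass the true buffer size, then use the
 * return value to learn whether anything was dropped. n is clamped to
 * the local buffer so the call always honours the precondition. */
int was_truncated(const char *src, size_t n)
{
    char buf[8];
    if (n > sizeof buf)
        n = sizeof buf;
    return bounded_copy(buf, src, n) >= n;
}

/* Length actually stored when src is copied into an n-byte buffer,
 * i.e. min(strlen(src), n - 1). Requires: 1 <= n <= 16. */
size_t stored_length(const char *src, size_t n)
{
    char buf[16];
    assert(n >= 1 && n <= sizeof buf);
    bounded_copy(buf, src, n);
    return strlen(buf);
}

int main(void)
{
    printf("stored %zu chars, truncated=%d\n",
           stored_length("hello world", 8), was_truncated("hello world", 8));
    return 0;
}
```

The point of the assert() lines is that a contract violation now fails at the call that broke it, deterministically, instead of corrupting memory and surfacing somewhere else later. Note that assert() is compiled out under NDEBUG, so it documents and tests the contract; it is not an input-validation mechanism for untrusted data.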
Why this legal stuff? Design by Contract means viewing software as a set of contracts. This is helpful! • It helps you write programs and track down bugs. • It helps other programmers use the functions you write. • It helps you maintain your code. • It helps you convince others that your code is correct.
Audiences There are two audiences for your code: • Programmers who use your code – External to the project – Can see only your .h files, need to know only what the functions are for. • Programmers who maintain your code – Internal to the project – See and edit both .h and .c files, need to know why something was done a certain way.
External Comments Think of the C library functions. You access only the .h files (“stdio.h”, “stdlib.h”, etc.). You can’t see the code for the functions, just their headers. Implications: • The .h files can’t mention specifics from the code. • The .h files can’t mention particular algorithms.
Internal Comments Internal comments explain how the code works and why it was designed that way. They explain design decisions, algorithm choices, tricky bits of code, and the purpose of each local variable. Internal comments belong inside function bodies.
Types of Comments • File Comments (external) A brief summary comment at the top of each file should be included to state the purpose of the file, who wrote it, and when.
• Function comments (external) – Function comments specify the function’s contract. They include: • Function summary: a concise and complete summary of the function’s purpose. Must mention every parameter. Must describe the function’s effects. • Precondition: properties that the function depends on. • Important performance facts (if any). – They should describe the function only in terms of its parameters and other functions.
Comments Inside Functions • Algorithm overview – EVERY FUNCTION! • Local variable descriptions, including their relationships • Descriptions of tricky bits of code. Every loop should have a comment saying in general what it does. • Reasons for the choice of algorithm (e.g. performance vs ease of programming)
Function Contract Examples Identify the flaws in the following function comments:

```c
/* Returns the last data value in the list */
int getLast(int_node_t *head);

/* Add an int to the linked list */
int_node_t * insert(int_node_t *head, int n);

/* Use a loop to find the smallest value in the list and return it */
int smallest(int_node_t *head);
```
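As an added worked answer (not from the slides), here are the three functions with contracts rewritten to fix the flaws: getLast and smallest never said the list must be non-empty, insert never said where the value goes or what the returned pointer is, and smallest described HOW (a loop) instead of WHAT. The definition of int_node_t and its field names are assumptions; the choice to insert at the front is likewise an assumption, made explicit in the contract.

```c
/* Added example, not from the original slides. The node layout and the
 * helper with_sample_list are assumptions made for this illustration. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct int_node {
    int data;
    struct int_node *next;
} int_node_t;

/*
 * Returns the data value stored in the last node of the list.
 * Requires: head != NULL (the list is non-empty) and the list is
 *           NULL-terminated (no cycles).
 */
int getLast(int_node_t *head)
{
    assert(head != NULL);              /* precondition: non-empty list */
    while (head->next != NULL)         /* walk to the final node */
        head = head->next;
    return head->data;
}

/*
 * Inserts n at the front of the list.
 * Requires: head is NULL (empty list) or a valid NULL-terminated list.
 * Ensures:  returns the new head, whose data is n and whose next is the
 *           old head; existing nodes are unchanged. Returns NULL if no
 *           memory is available, in which case the list is unchanged.
 */
int_node_t *insert(int_node_t *head, int n)
{
    int_node_t *node = malloc(sizeof *node);
    if (node == NULL)
        return NULL;
    node->data = n;
    node->next = head;
    return node;
}

/*
 * Returns the smallest data value in the list.
 * Requires: head != NULL and the list is NULL-terminated.
 * Performance: one pass, linear in the length of the list.
 */
int smallest(int_node_t *head)
{
    assert(head != NULL);              /* precondition: non-empty list */
    int min = head->data;
    for (int_node_t *p = head->next; p != NULL; p = p->next)
        if (p->data < min)             /* keep the smallest seen so far */
            min = p->data;
    return min;
}

/* Frees every node. Requires: head is NULL or a valid list. */
void free_list(int_node_t *head)
{
    while (head != NULL) {
        int_node_t *next = head->next;
        free(head);
        head = next;
    }
}

/* Builds the constructed list 2 -> 1 -> 3 by front-inserting 3, 1, 2,
 * applies fn to it, frees it, and returns fn's result (-1 if malloc
 * failed, so a run out of memory is distinguishable from a real value). */
int with_sample_list(int (*fn)(int_node_t *))
{
    const int vals[] = {3, 1, 2};
    int_node_t *head = NULL;
    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++) {
        int_node_t *h = insert(head, vals[i]);
        if (h == NULL) {
            free_list(head);
            return -1;
        }
        head = h;
    }
    int result = fn(head);
    free_list(head);
    return result;
}

int main(void)
{
    printf("last=%d smallest=%d\n",
           with_sample_list(getLast), with_sample_list(smallest));
    return 0;
}
```

Each comment now describes the function only in terms of its parameters and return value, which is all a user of the .h file can see; the loop is mentioned only in the internal comments inside the function body.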