Software Engineering I (02161) Design by Contract Assoc. Prof. - PowerPoint PPT Presentation

Software Engineering I (02161) Design by Contract Assoc. Prof. Hubert Baumeister DTU Compute Technical University of Denmark Spring 2020

◮ Contracts and Design by Contract ◮ Implementation of Contracts ◮ Inheritance and Contracts ◮ Defensive Programming

What does this function do? public List<Integer> f(List<Integer> list) { if (list.size() <= 1) return list; int p = list.elementAt(0); List<Integer> l1 = new ArrayList<Integer>(); List<Integer> l2 = new ArrayList<Integer>(); List<Integer> l3 = new ArrayList<Integer>(); g(p,list,l1,l2,l3); List<Integer> r = f(l1); r.addAll(l2); r.addAll(f(l3)); return r; } public void g(int p, List<Integer> list, List<Integer> l1, List<Integer> l2, List<Integer> l3) { for (int i : list) { if (i < p) l1.add(i); if (i == p) l3.add(i); if (i > p) l2.add(i); } }

Please stop the video and try to find the answer Continue with the video to see the solution

What does this function do? public List<Integer> f(List<Integer> list) { if (list.size() <= 1) return list; int p = list.elementAt(0); List<Integer> l1 = new ArrayList<Integer>(); List<Integer> l2 = new ArrayList<Integer>(); List<Integer> l3 = new ArrayList<Integer>(); g(p,list,l1,l2,l3); List<Integer> r = f(l1); r.addAll(l2); r.addAll(f(l3)); return r; } public void g(int p, List<Integer> list, List<Integer> l1, List<Integer> l2, List<Integer> l3) { for (int i : list) { if (i < p) l1.add(i); if (i == p) l3.add(i); if (i > p) l2.add(i); } }

What does this function do? public void testEmpy() { int[] a = {}; List<Integer> r = f(Array.asList(a)); assertTrue(r.isEmpty()); } public void testOneElement() { int[] a = { 3 }; List<Integer> r = f(Array.asList(a)); assertEquals(Array.asList(3),r); } public void testTwoElements() { int[] a = {2, 1}; List<Integer> r = f(Array.asList(a)); assertEquals(Array.asList(1,2),r); } public void testThreeElements() { int[] a = {2, 3, 1}; List<Integer> r = f(Array.asList(a)); assertEquals(Array.asList(1,2,3),r); } ...

What does this function do? List<Integer> f(List<Integer> a) Precondition: a is not null Postcondition: For all objects result and a of type List < Integer > : result == f ( a ) if and only if p1(result) and p2(a,result) where p1(a) if and only if for all 0 ≤ i , j < a . size () : i ≤ j implies a . get ( i ) ≤ a . get ( j ) and p2(a,b) if and only if for all i ∈ Integer : count ( a , i ) = count ( b , i )

What does this method do? Comparision Looking at the implementation ◮ Needs to understand the algorithm → Names help → Use intention revealing names

What does this method do? Comparision Looking at the tests ◮ Focus on what the system is doing not Looking at the how implementation → No knowledge of ◮ Needs to the algorithm is understand the needed algorithm ◮ Uses examples → Names help (test cases) to describe the → Use intention behaviour revealing names → extract common behaviour from examples

What does this method do? Comparision Looking at the tests Looking at its contract ◮ Focus on what the ◮ Focus on what the system is doing not system is doing not Looking at the how how implementation → No knowledge of → No knowledge of ◮ Needs to the algorithm is the algorithm is understand the needed needed algorithm ◮ Uses examples → Describes the → Names help (test cases) to external behaviour describe the in a compact form → Use intention behaviour revealing names ◮ Proof that the → extract common implementation behaviour from satisfies the examples contract

Design by contract ◮ Pre- and post conditions: Tony Hoare 1969 ◮ Semantics of statements/method, like x := 3 + y ◮ { Pre } Statements { Post } : ◮ If Pre is true and Statements are executed, then Post is true. ◮ { y = 4 } x := 3 + y { x = 7 } ◮ { true } x := 3 + y { x = 3 + y }

Design by contract ◮ Pre- and post conditions: Tony Hoare 1969 ◮ Semantics of statements/method, like x := 3 + y ◮ { Pre } Statements { Post } : ◮ If Pre is true and Statements are executed, then Post is true. ◮ { y = 4 } x := 3 + y { x = 7 } ◮ { true } x := 3 + y { x = 3 + y } ◮ Design by contract: Bertrand Meyer 1988 ◮ Pre- and post conditions in the context of object-orientation ◮ Contract between Caller and the Method ◮ Caller ensures precondition ◮ Method ensures postcondition → If the client violates precondition (the contract), then the method does not have to guarantee the postcondition → The method does not have to check the precondition!!

Example Counter Counter {context Counter inv: i >= 0} {context Counter :: dec ( ) i : int pre: i > 0 post: i = i@pre - 1 } inc() : void dec() : void {context Counter :: inc ( ) post: i = i@pre + 1} ◮ Caller of c . dec () has to ensure pre-condition ◮ Ex. c . i == 3 ◮ Caller can assume post-condition ◮ c . dec () → c . i == 2

Example Counter Counter {context Counter inv: i >= 0} {context Counter :: dec ( ) i : int pre: i > 0 post: i = i@pre - 1 } inc() : void dec() : void {context Counter :: inc ( ) post: i = i@pre + 1} ◮ Caller of c . dec () has ◮ Pre-Condition to ensure violated ... pre-condition if (c.i > 0) { ◮ c . i == 0 ◮ Ex. c . i == 3 c.dec(); ◮ Post-condition is not ◮ Caller can assume } guaranteed post-condition ... ◮ c . dec () → undefined ◮ c . dec () → c . i == 2

MinMax Example Code public class MinMax { int min, max; public void minmax(int[] array) { min = max = array[0]; for (int i = 1; i < array.length; i++) { int obs = array[i]; if (obs > max) max = obs; else if (min < obs) min = obs; } } }

Please stop the video and try to find the answer Continue with the video to see the solution

MinMax Example Code public class MinMax { int min, max; public void minmax(int[] array) { min = max = array[0]; for (int i = 1; i < array.length; i++) { int obs = array[i]; if (obs > max) max = obs; else if (min < obs) min = obs; } } } Contract public void minmax(int[] array) { pre: array != null && array.length > 1 post: array.contains(min) && array.contains(max) && forall i in array: min <= i <= max

MinMax Example Code public class MinMax { int min, max; public void minmax(int[] array) { min = max = array[0]; for (int i = 1; i < array.length; i++) { int obs = array[i]; if (obs > max) max = obs; else if (min < obs) min = obs; } } } Contract Client checks pre-condition public void minmax(int[] array) { if (array != null && array.length > 1) { pre: array != null && array.length > 1 MinMax mm = new MinMax().minmax(array) post: array.contains(min) && ... array.contains(max) && } forall i in array: min <= i <= max

LibraryApp Example: Code public void addMedium(Medium medium) { mediumRepository.addMedium(medium); }

LibraryApp Example: Code public void addMedium(Medium medium) { mediumRepository.addMedium(medium); } Contract Checking the pre-condition public void addMedium(Medium medium) { pre: adminLoggedIn; post: mediumRepository.allMedia() == if (libApp.adminLoggedIn()) { mediumRepository@pre libApp.addMedium(medium); .allAllMedia() } .add(medium); }

LibraryApp Example: Code public List<Medium> search(String searchText) { List<Medium> found = new ArrayList<>(); for (Medium m : mediumRepository.getAllMedia) { if (b.match(searchText)) { found.add(m); } } return found; }

LibraryApp Example: Code public List<Medium> search(String searchText) { List<Medium> found = new ArrayList<>(); for (Medium m : mediumRepository.getAllMedia) { if (b.match(searchText)) { found.add(m); } } return found; } Contract public List<Medium> search(String searchText) { post result == { m | m in mediumRepository.getAllMedia() && m.match(searchText) } }

Postcondition Assume that result denotes the result of the function f ( x : double ) : double . 1) post: result 2 = x 2) post: result = x 2 3) post: x 2 = result 4) post: x = result 2 Which of this statements describe a the postcondition of the square function? b the postcondition of the square root function?

Please stop the video and try to find the answer Continue with the video to see the solution

Postcondition Assume that result denotes the result of the function f ( x : double ) : double . 1) post: result 2 = x 2) post: result = x 2 3) post: x 2 = result 4) post: x = result 2 Which of this statements describe a the postcondition of the square function? b the postcondition of the square root function?

Precondition ◮ Given the contract for a method minmax ( int [] array ) in a class which has instance variables min and max of type int: pre: array � = null and array . length > 0 post: array.contains(min) && array.contains(max) && ∀ i ∈ array : min ≤ i ≤ max ◮ Which of the following statements is true: if the client calls minmax such the precondition is not satisfied a) A NullPointerException is thrown b) An IndexOutOfBoundsException is thrown c) Nothing happens d) What happens depends on the implementation of minmax

Please stop the video and try to find the answer Continue with the video to see the solution