Programming pre- and postconditions, invariants and method contracts
201300071-1B Module 2: Software Systems (Software Systems - Programming), 13 November 2013

Overview of the programming line

Contents
  Preconditions, postconditions
  Class invariants
  Programming via contract
  Nino & Hosch: Chapter 5
  Manual: JML appendix
  Tool support: OpenJML
Postconditions

Counter
  - value
  + getValue()
  + reset()
  + next()

Example: usage of class Counter

    public class TennisPlayer {
        Counter fh, bh;
        public void hitForehand() { fh.next(); }
        public void hitBackhand() { ... }
        public int totalHits() { return fh.getValue() + bh.getValue(); }
    }

totalHits() is only correct if getValue() always returns a non-negative value.
Postcondition of getValue: informal and formal

    public class Counter {
        private int value;

        public Counter() { value = 0; }

        // always returns a non-negative value     (informal)
        //@ ensures \result >= 0;                   (formal)
        public int getValue() { return value; }

        // rest of class
    }
Advantages of formal specification

Unambiguous
  "He ate the cookies on the couch" can mean
      Eating(p, cookies) /\ Sitting(p, couch)
  or
      Eating(p, cookies) /\ Sitting(cookies, couch)

Can be checked
  - Clear connection with program code and variables
  - Often executable
Postcondition: definition

A property that always holds when the method terminates. The caller can rely on it.

Examples
  The result of getValue() is always non-negative:
      \result >= 0
  After a call to next(), the result of getValue() equals the result of getValue() before the call plus 1:
      getValue() == \old(getValue()) + 1
Java Modeling Language (JML)

A language for writing behaviour specifications of Java programs.
Syntax: Java expressions with specification-specific extensions
  - \result           the return value of the method
  - \old(E)           the value of E in the pre-state of the call
  - ==>               implication
  - \forall, \exists  quantifiers
Specifications are written as special Java comments that start with @ (//@ ... or /*@ ... @*/), so a plain Java compiler ignores them.
OpenJML: type checking of specifications.
Complete language description: see jmlspecs.org
Resembles the language used in the book, but with tool support.
Conditional expression in Java (also usable in specifications): <Cond> ? <E1> : <E2>
Method calls in specifications

    //@ ensures getValue() == \old(getValue()) + 1;
    public void next() { value = value + 1; }

This requires that getValue() has no side effects. Declaring it pure

    /*@ pure @*/ public int getValue()

allows getValue() to be used in specifications; OpenJML checks purity separately.
If specifications could have side effects, execution with and without the contract checks would behave differently.
Preconditions

Suppose we add a method setValue(int v) to the Counter:

    //@ requires v >= 0;
    //@ ensures getValue() == v;
    public void setValue(int v) { ... }

The postcondition can only be guaranteed if v is non-negative (the specification of getValue() ensures its result is always non-negative). This obligation on the caller is specified as a precondition (keyword: requires).

Also okay, using the block-comment form:

    /*@ requires v >= 0;
      @ ensures getValue() == v;
      @*/
    public void setValue(int v) { ... }
Another example: preconditions

Class Lock
    public Lock(int code)
    public boolean isOpen()
    public void close()
    public void enterDigits(int digit)

Only functions correctly if:
  - 0 <= code and code <= 999
  - 0 <= digit and digit <= 9
The caller has to ensure this; the Lock implementation does not have to check it.
Precondition: definition

A condition that must hold whenever the method is called. The caller has to ensure it.

Examples
  The code parameter of the Lock constructor must be between 0 and 999:
      requires 0 <= code && code <= 999;
  The reset method may only be called when the counter has reached MAX:
      requires getValue() == Counter.MAX;
Preconditions should not be too strong

Example: Counter
    public int getValue()
    public void setValue(int v)
    public void next()
    public void previous()

Possible preconditions
  - setValue(int v): v >= 0
  - previous(): getValue() > 0

Why?
  - Pro: saves a test in the implementation
  - Contra: forces every caller to check the condition (often with an extra call, such as getValue()) before calling the method
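The Counter class from the slides with its whole contract written out in JML, as an added example (this code is not from the slides or from Nino & Hosch). It combines the pure getValue(), the postconditions on next() and setValue(), the preconditions on previous(), setValue() and reset(), and a public invariant. The constant MAX and the reset() precondition follow the slides; the concrete value of MAX, the upper bound in the invariant and the precondition getValue() < MAX on next() are assumptions added so that the counter stays in range.

```java
// Added example (not from the slides): the Counter class with its contract in JML.
// The value of MAX and the upper bounds are assumptions; the method set and the
// reset() precondition are the ones the slides mention.
public class Counter {

    public static final int MAX = 1000;          // assumed value

    private int value;                           // internal representation

    // Public invariant: stated only in terms of the public, pure method.
    //@ public invariant 0 <= getValue() && getValue() <= MAX;

    //@ ensures getValue() == 0;
    public Counter() {
        value = 0;
    }

    // Pure: no side effects, so it may be used inside specifications.
    //@ ensures \result >= 0;
    /*@ pure @*/ public int getValue() {
        return value;
    }

    // Precondition (assumption): the counter has not yet reached MAX.
    //@ requires getValue() < MAX;
    //@ ensures getValue() == \old(getValue()) + 1;
    public void next() {
        value = value + 1;
    }

    // Precondition from the slides: there must be something to count down from.
    //@ requires getValue() > 0;
    //@ ensures getValue() == \old(getValue()) - 1;
    public void previous() {
        value = value - 1;
    }

    // The postcondition can only be met for non-negative v, hence the precondition.
    //@ requires 0 <= v && v <= MAX;
    //@ ensures getValue() == v;
    public void setValue(int v) {
        value = v;
    }

    // May only be called once the counter has reached MAX.
    //@ requires getValue() == MAX;
    //@ ensures getValue() == 0;
    public void reset() {
        value = 0;
    }

    public static void main(String[] args) {
        Counter c = new Counter();
        c.next();
        c.next();
        c.previous();
        System.out.println("after next, next, previous: " + c.getValue());
        c.setValue(MAX);
        c.reset();
        System.out.println("after setValue(MAX), reset: " + c.getValue());
        // c.previous() here would violate the precondition getValue() > 0:
        // that is a caller error, not something the implementation must handle.
    }
}
```

A plain javac ignores the //@ lines; OpenJML type-checks them. Note that every clause is phrased with getValue() rather than the private field value, so the contract survives a change of representation.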
Visibility of pre- and postconditions

Pre- and postconditions are documentation of the behaviour of the class to the outside world. Therefore they must respect the visibility rules of the class: private fields cannot be used in (public) specifications.

X (not allowed):

    //@ ensures value == \old(value) + 1;
    public void next() { value = value + 1; }

Reason: the internal representation may change while the externally visible behaviour stays the same. State the postcondition in terms of the public, pure method getValue() instead.
Invariants

Some properties hold in every reachable state of an object.

Example
    //@ public invariant getValue() >= 0;

Public invariant: uses only publicly visible methods; part of the documentation of the class.
Private invariant: about the internal state; not visible as documentation of the class, but constrains the implementation:
    //@ private invariant value >= 0;
Invariant: definition

In general: a property that always holds.
In our setting:
  - A property that holds in all visible reachable states of all instances of the class
  - It may refer to the internal state of the object (this is the definition of Nino & Hosch)
  - It can also serve as public documentation of the behaviour of a class
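The Lock class from the earlier slide, as an added example (not code from the slides), showing the two preconditions next to private invariants on the internal state and the visibility rule in practice. The slides give only the method signatures and the two range conditions; the behaviour (the lock opens when the three digits entered in sequence equal the code) and the field names code, entered, count and open are assumptions.

```java
// Added example (not from the slides): a Lock with the preconditions from the
// slides and private invariants on its representation. The opening behaviour
// and the field names are assumptions.
public class Lock {

    private final int code;     // the secret code, 0..999
    private int entered;        // digits entered so far, read as a number
    private int count;          // number of digits entered so far, 0..2
    private boolean open;

    // Private invariants: they mention private fields, so they are not public
    // documentation, but they must hold in every visible state of the object.
    //@ private invariant 0 <= code && code <= 999;
    //@ private invariant 0 <= count && count <= 2;
    //@ private invariant 0 <= entered && entered <= 99;

    // The caller guarantees the range; the constructor does not check it.
    //@ requires 0 <= code && code <= 999;
    //@ ensures !isOpen();
    public Lock(int code) {
        this.code = code;
        this.entered = 0;
        this.count = 0;
        this.open = false;
    }

    // Pure, so it may appear in the specifications of the other methods.
    /*@ pure @*/ public boolean isOpen() {
        return open;
    }

    //@ ensures !isOpen();
    public void close() {
        open = false;
        entered = 0;
        count = 0;
    }

    // The caller must pass a single decimal digit. Whether the lock opens
    // depends on count and entered, which are private, so a public
    // postcondition cannot describe it without breaking the visibility rule;
    // the private invariants are what the implementation must preserve.
    //@ requires 0 <= digit && digit <= 9;
    public void enterDigits(int digit) {
        entered = entered * 10 + digit;
        count = count + 1;
        if (count == 3) {               // third digit: compare and start over
            open = (entered == code);
            entered = 0;
            count = 0;
        }
    }

    public static void main(String[] args) {
        Lock lock = new Lock(42);       // code 042
        lock.enterDigits(0);
        lock.enterDigits(4);
        lock.enterDigits(2);
        System.out.println("open after 0,4,2: " + lock.isOpen());
        lock.close();
        lock.enterDigits(1);
        lock.enterDigits(2);
        lock.enterDigits(3);
        System.out.println("open after 1,2,3: " + lock.isOpen());
    }
}
```

The invariant entered <= 99 only holds at the visible states, i.e. between calls: inside enterDigits() the value temporarily reaches three digits before the comparison resets it, which is exactly what the "visible reachable states" part of the definition allows.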
Programming by contract

Basic principle
  - If the caller respects the preconditions, the method implementation guarantees the postconditions
  - The class invariant helps to show that the implementation ensures the postconditions

Problem
  - Can the client be trusted?
  - What if the client does not respect the precondition?
      The method will not guarantee its postcondition
      Subsequent methods are called under wrong conditions
      The program does not behave properly
Answer 1: trust the client

Assumption
  The client will always respect the preconditions.
Consequences
  No special precautions necessary.
  Justified when client and server are developed together, i.e. the caller is trusted code.
Answer 2: generate an error message

Assumption
  - The client will not always respect the preconditions
  - When that happens, the program should stop, but in a controlled manner
Consequences
  - The implementation checks (some) preconditions
  - assert precondition: stop the program when the precondition is not respected
  - In particular useful to make sure internal invariants are preserved
  - Applicable to larger programs
Answer 3: defensive programming

Assumptions
  - The client will make mistakes (possibly even on purpose)
  - The program should not fail
Consequences
  - The implementation checks all preconditions
  - Precondition not respected: choose an appropriate emergency solution (for example: default values)
  - Postconditions and invariants are always respected
  - Useful for critical applications
Answer 4: check or verify

Use a dedicated tool to insert pre- and postcondition checks during execution:
  OpenJML RAC (runtime assertion checking)
Or construct a formal proof that
  - the preconditions hold at every method call
  - the postconditions hold at every method exit
  OpenJML ESC (extended static checking)
Out of scope for this module.
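The same precondition, v >= 0 on setValue(int v), handled in the three ways the answers above distinguish, as an added example (not code from the slides). The class names TrustingCounter, AssertingCounter and DefensiveCounter and the choice of 0 as the default value are assumptions.

```java
// Added example (not from the slides): one precondition, three ways to deal
// with a client that violates it. Class names are assumptions.
public class CounterVariants {

    // Answer 1: trust the client. The contract is documentation only.
    public static class TrustingCounter {
        private int value;
        /*@ pure @*/ public int getValue() { return value; }
        //@ requires v >= 0;
        //@ ensures getValue() == v;
        public void setValue(int v) { value = v; }     // no check at all
    }

    // Answer 2: stop in a controlled manner. A Java assert is only evaluated
    // when the JVM runs with -ea (assertions are off by default); without it
    // this class behaves exactly like TrustingCounter. Asserts therefore
    // document and debug the contract, they do not enforce it in production.
    public static class AssertingCounter {
        private int value;
        /*@ pure @*/ public int getValue() { return value; }
        //@ requires v >= 0;
        //@ ensures getValue() == v;
        public void setValue(int v) {
            assert v >= 0 : "precondition violated: v = " + v;
            value = v;
        }
    }

    // Answer 3: defensive programming. No precondition: the method accepts any
    // argument and keeps the invariant getValue() >= 0 itself, here by
    // substituting a default value (0), as the slides suggest. Rejecting the
    // call with an exception is the other common "emergency solution".
    public static class DefensiveCounter {
        private int value;
        //@ public invariant getValue() >= 0;
        /*@ pure @*/ public int getValue() { return value; }
        //@ ensures v >= 0 ==> getValue() == v;
        //@ ensures v < 0 ==> getValue() == 0;
        public void setValue(int v) {
            value = (v >= 0) ? v : 0;
        }
    }

    public static void main(String[] args) {
        TrustingCounter t = new TrustingCounter();
        t.setValue(-5);                    // silently breaks getValue() >= 0
        System.out.println("trusting: " + t.getValue());

        DefensiveCounter d = new DefensiveCounter();
        d.setValue(-5);                    // falls back to the default value
        System.out.println("defensive: " + d.getValue());

        AssertingCounter a = new AssertingCounter();
        try {
            a.setValue(-5);                // AssertionError only under java -ea
            System.out.println("asserting (assertions disabled): " + a.getValue());
        } catch (AssertionError e) {
            System.out.println("asserting (assertions enabled): " + e.getMessage());
        }
    }
}
```

Run with java -ea CounterVariants and without -ea to see the difference between the second and the first answer. With Answer 4, compiling the file in OpenJML's RAC mode turns the //@ requires and //@ ensures lines themselves into runtime checks, so the hand-written assert becomes redundant. For a method whose argument can come from an untrusted party (user input, the network), only the defensive variant or an explicit validation that rejects bad input actually protects the invariant; preconditions and asserts are agreements with trusted callers, not input validation.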
Main points

Behaviour of methods is formally specified:
  Precondition: what must hold when the method is called
  Postcondition: what the implementation guarantees when the method finishes
  Class invariant: a property that holds throughout the life of an object
Specifications can be checked during execution:
  - insert checks manually (using asserts)
  - use dedicated tool support