1 / 85

Design by Contract

Design by Contract. 契约式设计. 摘要. 引言 Eiffel 的 DbC 机制 DbC 与继承 如何应用 DbC. 引言. Design by Contract (DbC) 契约式设计 方法学层面的思想 以尽可能小的代价开发出可靠性出众的软件系统 Eiffel 语言的直接支持 Bertrand Meyer : DbC 是构建面向对象软件系统方法的核心! James McKim :“只要你会写程序,你就会写契约”. 引言.

trudy
Download Presentation

Design by Contract

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Design by Contract 契约式设计 Institute of Computer Software Nanjing University

  2. 摘要 • 引言 • Eiffel 的 DbC 机制 • DbC与继承 • 如何应用DbC Institute of Computer Software Nanjing University

  3. 引言 • Design by Contract (DbC) 契约式设计 • 方法学层面的思想 • 以尽可能小的代价开发出可靠性出众的软件系统 • Eiffel语言的直接支持 • Bertrand Meyer:DbC是构建面向对象软件系统方法的核心! • James McKim:“只要你会写程序,你就会写契约” Institute of Computer Software Nanjing University

  4. 引言 • A discipline of analysis, design, implementation, management (可以贯穿于软件创建的全过程,从分析到设计,从文档到调试,甚至可以渗透到项目管理中) • Viewing the relationship between a class and its clients as a formal agreement, expressing each party’s rights and obligations. (把类和它的客户程序之间的关系看做正式的协议,描述双方的权利和义务) Institute of Computer Software Nanjing University

  5. 引言 • Every software element is intended to satisfy a certain goal, for the benefit of other software elements (and ultimately of human users). • This goal is the element’s contract. • The contract of any software element should be • Explicit. • Part of the software element itself. Institute of Computer Software Nanjing University

  6. A human contract OBLIGATIONS(义务) BENEFITS(权益/权利) deliver (Satisfy precondition:) Bring package before 4 p.m.; pay fee. (From postcondition:) Get package delivered by 10 a.m. next day. Client (Satisfy postcondition:) Deliver package by 10 a.m. next day. (From precondition:) Not required to do anything if package delivered after 4 p.m., or fee not paid. Supplier Institute of Computer Software Nanjing University

  7. A view of software construction • Constructing systems as structured collections of cooperating software elements — suppliers and clients — cooperating on the basis of clear definitions of obligations and benefits. • These definitions are the contracts. Institute of Computer Software Nanjing University

  8. Properties of contracts • A contract: • Binds two parties (or more): supplier, client. • Is explicit (written). • Specifies mutual obligations and benefits. • Usually maps obligation for one of the parties into benefit for the other, and conversely. • Has no hidden clauses: obligations are those specified. • Often relies, implicitly or explicitly, on general rules applicable to all contracts (laws, regulations, standard practices). Institute of Computer Software Nanjing University

  9. deferred classPLANEinherit AIRCRAFT feature start_take_offis-- Initiate take-off procedures. requirecontrols.passed assigned_runway.clear deferredensureassigned_runway.owner =Current moving end start_landing, increase_altitude, decrease_altitude, moving, altitude, speed, time_since_take_off ... [Other features] ... invariant (time_since_take_off <= 20) implies(assigned_runway.owner = Current) moving = (speed > 10) end Contracts for analysis Precondition -- i.e. specified only. -- not implemented. Postcondition Class invariant Institute of Computer Software Nanjing University

  10. deferred classVATinheritTANK featurein_valve, out_valve: VALVE fillis-- Fill the vat. requirein_valve.open out_valve.closed deferredensurein_valve.closed out_valve.closed is_full end empty, is_full, is_empty, gauge, maximum, ... [Other features] ... invariant is_full = (gauge >= 0.97 * maximum)  and(gauge <= 1.03 * maximum) end Contracts for analysis (cont’d) Precondition -- i.e. specified only. -- not implemented. Postcondition Class invariant Institute of Computer Software Nanjing University

  11. Contracts for analysis (cont’d) OBLIGATIONS BENEFITS fill (Satisfy precondition:) Make sure input valve is open, output valve is closed. (From postcondition:) Get filled-up vat, with both valves closed. Client (Satisfy postcondition:) Fill the vat and close both valves. (From precondition:) Simpler processing thanks to assumption that valves are in the proper initial position. Supplier Institute of Computer Software Nanjing University

  12. So, is it like “assert.h”? (Source: Reto Kramer) • Design by Contract goes further: • “Assert” does not provide a contract. • Clients cannot see asserts as part of the interface. • Asserts do not have associated semantic specifications. • Not explicit whether an assert represents a precondition, post-conditions or invariant. • Asserts do not support inheritance. • Asserts do not yield automatic documentation. Institute of Computer Software Nanjing University

  13. Contracts • 契约就是“规范和检查”! • Precondition:针对method,它规定了在调用该方法之前必须为真的条件 • Postcondition:针对method,它规定了方法顺利执行完毕之后必须为真的条件 • Invariant:针对整个类,它规定了该类任何实例调用任何方法都必须为真的条件 Institute of Computer Software Nanjing University

  14. Correctness in software • Correctness is a relative notion: consistency of implementation vis-a-vis specification. (This assumes there is a specification!) • Basic notation: (P, Q: assertions, i.e. properties of the state of the computation. A: instructions). {P} A {Q} • “Hoare triple” • What this means (total correctness): • Any execution of A started in a state satisfying P will terminate in a state satisfying Q. Institute of Computer Software Nanjing University

  15. Hoare triples: a simple example {n > 5}n := n + 9 {n > 13} • Most interesting properties: • Strongest postcondition (from given precondition). • Weakest precondition (from given postcondition). • “P is stronger than or equal to Q” means: P implies Q • QUIZ: What is the strongest possible assertion? The weakest? Institute of Computer Software Nanjing University

  16. Software correctness “We are looking for someone whose work will be to start from initial situations as characterized by P, and deliver results as defined by Q • Consider {P} A {Q} • Take this as a job ad in the classifieds. • Should a lazy employment candidate hope for a weak or strong P?What about Q? • Two special offers: • 1. {False}A{...} • 2. {...}A{True} Strongest precond. Weakest postcond. Institute of Computer Software Nanjing University

  17. 摘要 • 引言 • Eiffel 的 DbC 机制 • DbC与继承 • 如何应用DbC Institute of Computer Software Nanjing University

  18. Design by Contract: The Mechanism • Preconditions and Postconditions • Class Invariant • Run-time effect Institute of Computer Software Nanjing University

  19. extend (new: G; key: H) -- Assuming there is no item of key key, -- insert new with key; set inserted. require key_not_present: nothas (key) ensure insertion_done: item (key) = new key_present: has (key) inserted: inserted one_more: count = oldcount + 1 A contract (from EiffelBase) Institute of Computer Software Nanjing University

  20. The contract OBLIGATIONS BENEFITS Routine Client PRECONDITION POSTCONDITION Supplier POSTCONDITION PRECONDITION Institute of Computer Software Nanjing University

  21. A class without contracts classACCOUNTfeature-- Access balance: INTEGER-- Balance Minimum_balance: INTEGERis 1000 -- Minimum balance feature {NONE} -- Implementation of deposit and withdrawaladd (sum: INTEGER) is-- Add sum to the balance (secret procedure).dobalance := balance + sumend Institute of Computer Software Nanjing University

  22. feature-- Deposit and withdrawal operations deposit (sum: INTEGER) is-- Deposit sum into the account.doadd (sum)endwithdraw (sum: INTEGER) is-- Withdraw sum from the account.doadd (–sum)end may_withdraw (sum: INTEGER): BOOLEANis-- Is it permitted to withdraw sum from the account?doResult := (balance - sum >= Minimum_balance)end end Without contracts (cont’d) Institute of Computer Software Nanjing University

  23. Introducing contracts classACCOUNTcreate make feature {NONE} -- Initialization make (initial_amount: INTEGER) is-- Set up account with initial_amount. requirelarge_enough: initial_amount >= Minimum_balance dobalance := initial_amount ensurebalance_set: balance = initial_amount end Institute of Computer Software Nanjing University

  24. feature -- Access balance: INTEGER-- Balance Minimum_balance: INTEGERis 1000 -- Minimum balance feature {NONE} -- Implementation of deposit and withdrawaladd (sum: INTEGER) is-- Add sum to the balance (secret procedure).dobalance := balance + sum ensure increased: balance = oldbalance + sum end Introducing contracts (cont’d) Institute of Computer Software Nanjing University

  25. feature-- Deposit and withdrawal operations deposit (sum: INTEGER) is-- Deposit sum into the account. require not_too_small: sum >= 0 doadd (sum)ensure increased: balance = oldbalance + sum end With contracts (cont’d) Institute of Computer Software Nanjing University

  26. With contracts (cont’d) withdraw (sum: INTEGER) is-- Withdraw sum from the account.require not_too_small: sum >= 0 not_too_big: sum <= balance – Minimum_balance doadd (– sum) -- i.e. balance := balance – sum ensure decreased: balance = oldbalance - sum end Institute of Computer Software Nanjing University

  27. The contract OBLIGATIONS BENEFITS withdraw (Satisfy precondition:) Make sure sum is neither too small nor too big. (From postcondition:) Get account updated with sum withdrawn. Client (Satisfy postcondition:) Update account for withdrawal of sum. (From precondition:) Simpler processing: may assume sum is within allowable bounds. Supplier Institute of Computer Software Nanjing University

  28. The imperative and the applicative do balance:=balance - sum ensure balance=oldbalance - sum PRESCRIPTIVE DESCRIPTIVE How? What? Operational Denotational Implementation Specification Command Query Instruction Expression Imperative Applicative Institute of Computer Software Nanjing University

  29. With contracts (end) may_withdraw (sum: INTEGER): BOOLEANis-- Is it permitted to withdraw sum from the -- account? doResult := (balance - sum >= Minimum_balance)end invariant not_under_minimum: balance >= Minimum_balance end Institute of Computer Software Nanjing University

  30. The class invariant • Consistency constraint applicable to all instances of a class. • Must be satisfied: • After creation. • After execution of any feature by any client.(Qualified calls only: a.f (...)) Institute of Computer Software Nanjing University

  31. createa.make (…) S1 a.f (…) S2 a.g (…) S3 a.f (…) S4 The correctness of a class • For every creation procedure cp: {precp} docp {postcp and INV} • For every exported routine r: {INV and prer} dor {postr and INV} • The worst possible erroneous run-time situation in object-oriented software development: • Producing an object that does not satisfy the invariant of its own class. Institute of Computer Software Nanjing University

  32. Example balance = deposits.total–withdrawals.total deposits (A1) withdrawals deposits (A2) withdrawals balance Institute of Computer Software Nanjing University

  33. classACCOUNTcreate make feature {NONE} -- Implementation add (sum: INTEGER) is-- Add sum to the balance (secret procedure).dobalance := balance + sumensure balance_increased: balance = oldbalance + sum end deposits: DEPOSIT_LIST withdrawals: WITHDRAWAL_LIST A more sophisticated version Institute of Computer Software Nanjing University

  34. New version (cont’d) feature {NONE} -- Initialization make (initial_amount: INTEGER) is-- Set up account with initial_amount.requirelarge_enough: initial_amount >= Minimum_balancedobalance := initial_amount createdeposits.makecreatewithdrawals.make ensurebalance_set: balance = initial_amount end feature -- Accessbalance: INTEGER-- Balance Minimum_balance: INTEGERis 1000 -- Minimum balance

  35. New version (cont’d) feature-- Deposit and withdrawal operations deposit (sum: INTEGER) is-- Deposit sum into the account. require not_too_small: sum >= 0 doadd (sum) deposits.extend (create {DEPOSIT}.make (sum))ensure increased: balance = oldbalance + sum end Institute of Computer Software Nanjing University

  36. withdraw (sum: INTEGER) is-- Withdraw sum from the account.require not_too_small: sum >= 0 not_too_big: sum <= balance – Minimum_balance doadd (–sum) withdrawals.extend (create {WITHDRAWAL}.make (sum)) ensure decreased: balance = oldbalance – sum one_more: withdrawals.count = oldwithdrawals.count + 1 end New version (cont’d) Institute of Computer Software Nanjing University

  37. may_withdraw (sum: INTEGER): BOOLEANis-- Is it permitted to withdraw sum from the -- account? doResult := (balance - sum >= Minimum_balance)end invariant not_under_minimum: balance >= Minimum_balance consistent: balance = deposits.total – withdrawals.total end New version (end) Institute of Computer Software Nanjing University

  38. The correctness of a class createa.make (…) S1 • For every creation procedure cp: {precp} docp {postcp and INV} • For every exported routine r: {INV and prer} dor {postr and INV} a.f (…) S2 a.g (…) S3 a.f (…) S4 Institute of Computer Software Nanjing University

  39. feature {NONE} -- Initialization make (initial_amount: INTEGER) is-- Set up account with initial_amount.requirelarge_enough: initial_amount >= Minimum_balancedo balance := initial_amount createdeposits.makecreatewithdrawals.make ensurebalance_set: balance = initial_amount end Initial version Institute of Computer Software Nanjing University

  40. feature {NONE} -- Initialization make (initial_amount: INTEGER) is-- Set up account with initial_amount.requirelarge_enough: initial_amount >= Minimum_balancedo createdeposits.makecreatewithdrawals.make deposit (initial_amount) ensurebalance_set: balance = initial_amount end Correct version 40 Institute of Computer Software Nanjing University

  41. Contracts: run-time effect 41 • Compilation options (per class, in Eiffel): • No assertion checking • Preconditions only • Preconditions and postconditions • Preconditions, postconditions, class invariants • All assertions Institute of Computer Software Nanjing University

  42. 摘要 • 引言 • Eiffel 的 DbC 机制 • DbC与继承 • 如何应用DbC Institute of Computer Software Nanjing University

  43. 继承与 Design by Contract • 问题: • 子类中的断言与父类中的断言是什么关系? • 依据 • 子类乃父类的特化,子类的实例也是父类的合法实例。 • 申明为父类的引用运行时可能指向子类实例 • 因而 • ? Institute of Computer Software Nanjing University

  44. Inheritance and assertions Correct call: ifa1.then a1.r (...) else ... end ris C A a1: A  … ensure a1.r (…)  B ris  ensure  Institute of Computer Software Nanjing University

  45. Contract OBLIGATIONS BENEFITS delivery (Satisfy precondition:) 不得要求投递超过5kg的包裹 (From postcondition:) 3个工作日内包裹到位 Client (Satisfy postcondition:) 在3个工作日内投送到位 (From precondition:) 不受理超过5kg的包裹 Supplier Institute of Computer Software Nanjing University

  46. Contract class COURIER feature deliver(p:Package, d:Destination) require --包裹重量不超过5kg ensure --3个工作日内投送到指定地点 … end Institute of Computer Software Nanjing University

  47. More desirable contract OBLIGATIONS BENEFITS delivery (Satisfy precondition:) 不得要求投递超过8kg的包裹 (From postcondition:) 2个工作日内包裹到位 Client (Satisfy postcondition:) 在2个工作日内投送到位 (From precondition:) 不受理超过8kg的包裹 Supplier Institute of Computer Software Nanjing University

  48. More desirable contract class DIFFERENT_COURIER Inherit COURIER redefine deliver feature deliver(p:Package, d:Destination) require --包裹重量不超过5kg require else --包裹重量不超过8kg ensure --3天内投送到指定地点 ensure then --2天内投送到指定地点 … end require --包裹重量不超过8kg ensure -- 2天内投送到指定地点 Institute of Computer Software Nanjing University

  49. Assertion redeclaration rule • Redefined version may not have require or ensure. • May have nothing (assertions kept by default), or require elsenew_pre ensure thennew_post • Resulting assertions are: • original_preconditionornew_pre • original_postconditionandnew_post Institute of Computer Software Nanjing University

  50. Invariant accumulation • Every class inherits all the invariant clauses of its parents. • These clauses are conceptually “and”-ed. Institute of Computer Software Nanjing University

More Related