
Design by Contract


alfredmoore

Presentation Transcript


  1. Design by Contract

  2. Specifications

  Correctness formula (Hoare triple): {P} A {Q}
  • A is some operation (for example, a routine body)
  • P and Q are predicates (assertions on the program state)
  • P is called the precondition, Q the postcondition
  Meaning of a correctness formula:
  "Any execution of A, starting in a state where P holds, will terminate in a state where Q holds."
  Example: { x >= 9 } x := x + 5 { x >= 13 }
  (From x >= 9 the assignment yields x >= 14, which implies the weaker postcondition x >= 13.)

  3. Eiffel Example

    class STACK[G]
        count: INTEGER
            -- Number of stack elements
        item: G
            -- Top element
        empty: BOOLEAN is
            -- Is stack empty?
            do ... end
        full: BOOLEAN is
            -- Is stack representation full?
            do ... end
        ...

  4. Eiffel Example (2)

    class STACK[G]
        ...
        put (x: G) is
            -- Add x on top
            require
                not_full: not full
            do
                ...
            ensure
                not_empty: not empty
                added_to_top: item = x
                one_more_item: count = old count + 1
            end
        ...

  5. Invariant

  A set of assertions that every instance of the class will satisfy:
  • immediately following creation
  • before and after any "remote" (qualified) call to a routine of the class
  The class invariant is a restriction on the object's "state".
  Correctness formula (revisited): {P and INVARIANT} A {Q and INVARIANT}

    class STACK[G]
        ...
    invariant
        non_negative_count: count >= 0
    end

  6. Loop Assertions

  Loop invariant
  • a list of assertions that must hold before each loop iteration, that is, after the initialization and after every execution of the loop body
  Loop variant
  • designed to protect against infinite computations (it guarantees termination)
  • an integer expression, which is checked before each loop iteration
  • the loop assertion is violated if either of the following is violated:
    • the loop variant must strictly decrease on each loop iteration
    • the loop variant must remain non-negative

  7. Find the smallest element in an array

    from
        i := a.lower
        s := a.item (i)
    invariant
        -- s is the smallest element in the set
        -- {a.item (a.lower), ..., a.item (i)}
    variant
        a.upper - i
    until
        i = a.upper
    loop
        i := i + 1
        s := s.min (a.item (i))
    end
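The loop assertions of slides 6 and 7, checked at run time. This is an added example written for this page in Python, not code from the slides: `checked_loop` enforces the rules the slides state (the invariant holds after initialization and after every execution of the body; the integer variant is never negative and is strictly smaller after every iteration), and `smallest` is the slides' minimum-of-array loop expressed with it. The `step` argument is an assumed knob that turns the body into a buggy one, so the reader can see which assertion catches which bug.

```python
"""Loop invariant and loop variant checked at run time (added example).

checked_loop mirrors an Eiffel from/invariant/variant/until/loop: the invariant
must hold after initialization and after every execution of the body, and the
integer variant must be non-negative and strictly decrease on every iteration.
`step` is an assumed knob for illustration: 1 is the slides' loop, 0 makes the
loop non-terminating, 2 makes the body skip elements.
"""


class LoopAssertionViolation(AssertionError):
    """Raised when the loop invariant or the loop variant fails."""


def checked_loop(state, invariant, variant, until, body):
    """Run the loop over a mutable `state` dict, enforcing invariant and variant."""
    if not invariant(state):
        raise LoopAssertionViolation("invariant does not hold after initialization")
    v = variant(state)
    if v < 0:
        raise LoopAssertionViolation("variant is negative")
    while not until(state):
        body(state)
        if not invariant(state):
            raise LoopAssertionViolation("invariant violated by loop body")
        v_new = variant(state)
        if v_new < 0:
            raise LoopAssertionViolation("variant went negative")
        if v_new >= v:
            raise LoopAssertionViolation("variant did not decrease (possible non-termination)")
        v = v_new
    return state


def smallest(a, step=1):
    """Smallest element of the non-empty list `a`; with step != 1 the body is wrong."""
    lower, upper = 0, len(a) - 1            # a.lower / a.upper of the slides
    state = {"i": lower, "s": a[lower]}     # from i := a.lower; s := a.item (i)

    def body(st):
        st["i"] += step                     # i := i + 1 when step == 1
        st["s"] = min(st["s"], a[st["i"]])  # s := s.min (a.item (i))

    checked_loop(
        state,
        invariant=lambda st: st["s"] == min(a[lower : st["i"] + 1]),  # s is the min of a[lower..i]
        variant=lambda st: upper - st["i"],                             # a.upper - i
        until=lambda st: st["i"] == upper,
        body=body,
    )
    return state["s"]


def smallest_or_violation(a, step=1):
    """Return (value, None) on success or (None, message) when a loop assertion fails."""
    try:
        return smallest(a, step), None
    except LoopAssertionViolation as e:
        return None, str(e)
```

With the constructed input `[5, 3, 4, 1]`, `step=0` is caught by the variant (it no longer decreases, so the loop would never terminate) and `step=2` by the invariant (the body skipped `a.item (1)`, so `s` is no longer the minimum of the prefix); the correct body returns 1.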

  8. Assertion Redeclaration rule

  In the redeclared version of a routine, it is not permitted to use a require or ensure clause. Instead you may:
  • introduce a new condition with require else, for boolean or with the original precondition;
  • introduce a new condition with ensure then, for boolean and with the original postcondition.
  In the absence of such a clause, the original assertions are retained.
  As a consequence a redeclaration can only weaken the precondition (or) and strengthen the postcondition (and), so a client written against the parent's contract is never broken by a descendant.

  9. Example (1)

    class A
        ...
        foo (x: INTEGER) is
            require
                r1
            do ... end
    end;

    class B
    inherit A
        ...
        foo (x: INTEGER) is
            require
                r2
            do ... end
    end;

  The actual requirement is

  10. Example (2)

    class A
        ...
        foo (x: INTEGER) is
            do ... ensure
                e1
            end
    end;

    class B
    inherit A
        ...
        foo (x: INTEGER) is
            do ... ensure
                e2
            end
    end;

  The actual promise is

  11. Invariants Redeclaration rule

  The invariant property of a class is the boolean and of the assertions appearing in its invariant clause and of the invariant properties of its parents, if any.

    class A
        ...
    invariant
        i1
    end;

    class B
    inherit A
        ...
    invariant
        i2
    end;

  The actual invariant is
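The contracts of slides 3 to 5 and the redeclaration rules of slides 8 to 11, as one runnable model. This is an added example written in Python for this page, not code from the slides or from Eiffel: `contract` checks a routine's precondition on entry and its postcondition on exit (with `old` as a snapshot of the object taken before the body ran), `check_invariant` ANDs the invariant clauses of a class and all its parents and is run immediately after creation and before and after every contracted call, and `redeclare` composes an inherited contract with the child's clauses as the slides prescribe (require else is or, ensure then is and). The classes GROWABLE_STACK and BROKEN_STACK, the attribute max_capacity and the messages are assumptions made here for illustration; only STACK and its features come from the slides.

```python
"""Design by Contract checks in Python: an added example, not code from the slides.
It models the slides' STACK[G] (require, ensure with `old`, class invariant checked
after creation and around every contracted call) and applies the assertion
redeclaration rules: redeclared precondition = inherited OR require else,
postcondition = inherited AND ensure then, invariant = own clause AND parents'.
GROWABLE_STACK, BROKEN_STACK and max_capacity are assumed; they are not on the page."""
import copy
import functools


class ContractViolation(AssertionError):
    """Raised when a precondition, postcondition or invariant fails."""


def check_invariant(obj):
    """Invariant of a class = AND of its own clause and those of all parents."""
    for cls in type(obj).__mro__:
        inv = cls.__dict__.get("invariant")
        if inv is not None and not inv(obj):
            raise ContractViolation(f"invariant of {cls.__name__} violated")


def contract(require=None, ensure=None):
    """require(self, *args) -> bool; ensure(self, old, *args) -> bool, with `old`
    a deep copy of self taken before the body ran (Eiffel's `old`)."""
    def deco(body):
        @functools.wraps(body)
        def wrapper(self, *args):
            check_invariant(self)                      # holds on entry to a remote call
            if require is not None and not require(self, *args):
                raise ContractViolation(f"precondition of {body.__name__} violated (caller bug)")
            old = copy.deepcopy(self)
            result = body(self, *args)
            if ensure is not None and not ensure(self, old, *args):
                raise ContractViolation(f"postcondition of {body.__name__} violated (supplier bug)")
            check_invariant(self)                      # and again on exit
            return result
        wrapper.require, wrapper.ensure = require, ensure
        return wrapper
    return deco


def redeclare(parent, require_else=None, ensure_then=None):
    """Redeclaration rule: precondition = inherited OR require_else, postcondition =
    inherited AND ensure_then; a missing clause keeps the inherited assertion."""
    def req(self, *args):
        inherited = parent.require is None or parent.require(self, *args)
        return inherited or (require_else is not None and require_else(self, *args))

    def ens(self, old, *args):
        inherited = parent.ensure is None or parent.ensure(self, old, *args)
        return inherited and (ensure_then is None or ensure_then(self, old, *args))
    return contract(require=req, ensure=ens)


class STACK:
    """Bounded stack with the slides' features: count, item, empty, full, put."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.items = []
        check_invariant(self)                          # must hold immediately after creation
    count = property(lambda self: len(self.items))     # number of stack elements
    item = property(lambda self: self.items[-1])       # top element; only meaningful when not empty
    def empty(self): return self.count == 0
    def full(self): return self.count == self.capacity
    def invariant(self):                               # non_negative_count, plus the capacity bound
        return 0 <= self.count <= self.capacity

    @contract(require=lambda self, x: not self.full(),                        # not_full
              ensure=lambda self, old, x: not self.empty() and self.item == x  # not_empty, added_to_top
                                          and self.count == old.count + 1)     # one_more_item
    def put(self, x):
        self.items.append(x)


class GROWABLE_STACK(STACK):
    """Assumed subclass: a full stack may grow, up to max_capacity."""
    def __init__(self, capacity, max_capacity):
        self.max_capacity = max_capacity
        super().__init__(capacity)
    def invariant(self):                               # ANDed with STACK.invariant by check_invariant
        return self.capacity <= self.max_capacity

    @redeclare(STACK.put,
               require_else=lambda self, x: self.capacity < self.max_capacity,  # weaker: may be full
               ensure_then=lambda self, old, x: self.capacity >= old.capacity)  # stronger: never shrinks
    def put(self, x):
        if self.full():
            self.capacity = min(2 * self.capacity, self.max_capacity)
        STACK.put(self, x)                             # parent body, its own contract still enforced


class BROKEN_STACK(STACK):
    """Assumed buggy supplier: inserts at the bottom, so added_to_top fails."""
    @redeclare(STACK.put)                              # inherits the contract unchanged
    def put(self, x):
        self.items.insert(0, x)


def push_all(stack, values):
    """Push values until a contract fails; return (number pushed, message or None)."""
    pushed = 0
    for v in values:
        try:
            stack.put(v)
        except ContractViolation as e:
            return pushed, str(e)
        pushed += 1
    return pushed, None
```

Pushing `[1, 2, 3, 4, 5]` onto a `GROWABLE_STACK(1, 4)` succeeds four times because the redeclared precondition is `not full or capacity < max_capacity`, and fails on the fifth push as a caller bug; `BROKEN_STACK` passes the precondition but is caught by the inherited `added_to_top` postcondition on the second push, which is the supplier's bug, not the caller's. The distinction matters in practice: a precondition failure means the client passed bad input, a postcondition or invariant failure means the implementation is wrong, and a contract checker tells you which side to blame.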
