DOCSLIB.ORG

Design by Contract Example Contract Issue

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Design by contract What is meant by "design by contract" or CS 619 Introduction to OO Design "programming by contract"? and Development contract: An agreement between classes/objects and their clients about how they will be used. Design by Contract ! used to assure that objects always have valid state ! non-software contracts: bank terms, product warning labels Fall 2013 ! To ensure every object is valid, show that: ! constructors create only valid objects ! all mutators preserve validity of the object ! How to enforce a contract? Example contract issue Design by Contract! " A potential problem situation: queue class with " Proposed by Bertrand Meyer for Eiffel remove or dequeue method " Organize communication between software elements – client may try to remove from an empty queue by organizing mutual obligations and benefits " What are some options for how to handle this? " Use a metaphor of – clients: receive services from suppliers ! declare it as an error (an exception) – suppliers: supply services ! tolerate the error (return null) ! print an error message inside the method Client Supplier ! bad because it should leave this up to the caller Obligation Satisfy supplier Guarantee service ! repair the error in some way (retry, etc.) requirement ! bad because it should leave this up to the caller Benefit Get service Impose requirements The decision we make here becomes part of the contract of the queue class! Example: Design by Contract == Dont accept anybody elses garbage! Client UPS Obligation Provide package of Deliver package to no more than 5kg, recipient in 24 hours each dimension less or less than 2 meters. Pay postage Benefit Get package No need to deal delivered in 24 with deliveries that hours or less are too big, too heavy or unpaid Client Supplier Obligation Precondition Post-condition Benefit Post-condition Precondition Pre-condition Post-conditions " Whose fault is it when a postcondition is not " What happens when a precondition is not met, and what should be done? met? ! postcondition: Something that must be true upon precondition: Something that must be true before object completion of the object's work. promises to do its work. ! Example: At end of sort(int[]), the array is in sorted order. ! Example: A hash map class has a put(key, value) and a get(key) ! Check them with statements at end of methods, if needed. method. ! A postcondition being violated is object's (your) own fault. ! A precondition of the get method is that the key was not modified since the time you put it into the hash map. ! Assert the postcondition, so it crashes if not met. ! If precondition is violated, object may choose any action it likes ! Don't throw an exception -- it's not the client's fault! ! If key was modified, the hash map may state that the key/value is not found, even though it is in the map. ! Document postconditions in Javadoc with tag @post.condition! ! Document preconditions in Javadoc with tag @pre.condition Class invariants Programming Language Support " How is it enforced? " Eiffel : Design as such, but limited usage class invariant: A logical condition that always holds " C++: for any object of a class. – assert() does not throw an exception ! Example: Our account's balance should never be negative. – ! Similar to loop invariants, which are statements that must Documentation extraction difficult be true on every iteration of a loop. " Java ! Can be tested at start or end of every method. – ASSERT is standard since Java 1.4 ! Assert your invariants, so it crashes if they are not met don't throw an exception -- it's not the client's fault! – JavaDoc annotation ! Document class invariants in the Javadoc comment header at the top of the class. (no special javaDoc tag) Programming Language Support Example:Effiel Example: Stack Specification Stack! Eiffel class stack Effiel Example: Map insert()! Implementors of stack promise • Eiffel is designed as such ... but only used in limited cases invariant: (isEmpty (this)) or that invariant will be true after all (! isEmpty (this)) methods return (incl. constructors) C++ • assert()put (inx: C++ELEMENT assert.h; keydoes: STRING not throw) isan exception public char pop () • It’s possible to mimic assertions (incl. compilation option) in C++ Clients of stack promise -- Insert x so that it will be retrievable through key. require: ! isEmpty (this) + (see “Another Mediocre Assertion Mechanism for C++” ensure: true precondition will be true before require calling pop() by Pedro Guerreiro count in TOOLS2008) <= capacity • Documentation extraction not is key.emptymore difficult but feasible public void push (char) do require: true Implementors of stack promise Java ... Some insertion algorithm ... ensure: (! isEmpty (this)) postcondition will be true after • ASSERT is standard ensure since Java 1.4 Design byand (topContract (this) = char)in UML push() returns Design by Contract in UML ... however limited “design has by (x )contract” only; acknowledge by Java designers + see http://java.sun.com/j2se/1.4/docs/guide/lang/assert.html item (key) = x public void top (char) : char Stack • Documentation extraction count using = JavaDocold count annotations + 1 <<precondition>> <<in require:variant>> ... pop Stack(): char Left as an exercise end (! isEmpty (this)) (isEmpt ensure:y (this)) ... or push (char) <<precondition>> public<<inv ariant>>void isEmpty () pop: boolean (): char (! isEmpty (this)) isEmpty(): boolean (! isEmpty (this)) require: ... (isEmpty (this)) or push (char) <<postcondition>> Smalltalk (and other languages) ensure: ... top(): char (! isEmpty (this)) isEmpty(): boolean (! isEmpty (this)) and • Possible to mimic; compilation option requires language idioms <<postcondition>> top(): char (top (this) = char) • Documentation extraction is possible (style Javadoc) 6. Design by Contract (! isEmpty (this)) and 8 (top (this) = char) So what: isn’t this pure documentation? Who will (a) Register these contracts for later reference (the book of laws)? 6. Design by Contract 15 (b) Verify that the parties satisfy their contracts (the police)? SoAnswer what: isn’t this pure documentation? Who will (a) The source code (a)(b) Register The running these contracts system for later reference (the book of laws)? Quiz: What happens when a pre-condition is NOT satisfied ? (b) Verify that the parties satisfy their contracts (the police)? Answer (a) The source code (b) The running system 6. Design by Contract Quiz: What happens when a pre-condition is NOT satisfied ? 9 Assertions Assertions in Source Code • assertion = any boolean expression we expect to be true at some point. 6. Design by Contract 9 public char pop() throws AssertionException { my_assert(!this.isEmpty()); Assertions.. return _store[_size--]; • Help in writing correct software my_assert(invariant()); ➡ formalizing invariants, and pre- and post-conditions my_assert(true); //empty postcondition • Aid in maintenance of documentation } ➡ specifying contracts IN THE SOURCE CODE ➡ tools to extract interfaces and contracts from source code • Serve as test coverage criterion private boolean invariant() { ➡ Generate test cases that falsify assertions at run-time return (_size >= 0) && (_size <= _capacity);} • Should be configured at compile-time ➡ to avoid performance penalties with trusted parties ➡ What happens if the contract is not satisfied? private void my_assert(boolean assertion) throws AssertionException { if (!assertion) { Should be turned on/off via Quiz: What happens when a pre-condition is NOT satisfied ? throw new AssertionException compilation option • = What should an object do if an assertion does not hold? ("Assertion failed");} ➡ Throw an exception. } 6. Design by Contract 11 6. Design by Contract 12 Assertion Violations Assertions in Java The assertions can be monitored dynamically at run-time " Java assert statements to debug the software – assert <condition> ; – A precondition violation would indicate a bug at the – assert <condition> : <message>; caller " will raise an AssertionError if " – A postcondition violation would indicate a bug at the <condition> is false. callee " enabling assertions – when compiling: javac -source 1.5 Our goal is to prevent assertion violations from happening ClassName.java – The pre and postconditions are not supposed to fail if – when running: java -ea ClassName the software is correct ( so they differ from exceptions and exception handling) " In C/C++, assert is a compile-time thing. In Java, can selectively en/disable assertions at runtime. Debug and ship builds Checking Pre-conditions! Most companies have at least two versions of their code: " debug build : has special code only for the developer Assert pre-conditions to inform clients when they – debug print statements or graphical output violate the contract. " – assertions for pre/postconditions, invariants " public Object top() {! " !assert(!this.isEmpty()); !// pre-condition! " ship build : meant to be used by customers " !return top.item;! – Users expect reasonable performance and reliability. }! – The app should not spend a lot of time checking for " pre/post or invariants (in ship build). ! " The same code is used to make debug and ship build. Always check pre-conditions, raising exceptions if they – special flags (e.g. DEBUG_MODE) turn on and off debug code fail.! – in Java, VM can be run with flags to turn on/off debug also Checking Post-conditions! Checking Class Invariants! Assert post-conditions and invariants to inform yourself when you violate the contract." Every class has its own invariant:!
Recommended publications
  • Contracts for System Design

    Contracts for System Design

    Contracts for System Design Albert Benveniste, Benoit Caillaud, Dejan Nickovic, Roberto Passerone, Jean-Baptiste Raclet, Philipp Reinkemeier, Alberto Sangiovanni-Vincentelli, Werner Damm, Thomas Henzinger, Kim Guldstrand Larsen To cite this version: Albert Benveniste, Benoit Caillaud, Dejan Nickovic, Roberto Passerone, Jean-Baptiste Raclet, et al.. Contracts for System Design. [Research Report] RR-8147, INRIA. 2012, pp.65. hal-00757488 HAL Id: hal-00757488 https://hal.inria.fr/hal-00757488 Submitted on 28 Nov 2012 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Contracts for Systems Design Albert Benveniste, Benoît Caillaud, Dejan Nickovic Roberto Passerone, Jean-Baptiste Raclet, Philipp Reinkemeier Alberto Sangiovanni-Vincentelli, Werner Damm Tom Henzinger, Kim Larsen RESEARCH REPORT N° 8147 November 2012 Project-Teams S4 ISSN 0249-6399 ISRN INRIA/RR--8147--FR+ENG Contracts for Systems Design Albert Benveniste∗, Benoît Caillaudy, Dejan Nickovicz Roberto Passeronex, Jean-Baptiste Raclet{, Philipp Reinkemeierk Alberto Sangiovanni-Vincentelli∗∗, Werner Dammyy Tom Henzingerzz, Kim Larsen Project-Teams S4 Research Report n° 8147 — November 2012 — 64 pages This work was funded in part by the European STREP-COMBEST project number 215543, the European projects CESAR of the ARTEMIS Joint Undertaking and the European IP DANSE, the Artist Design Network of Excellence number 214373, the MARCO FCRP TerraSwarm grant, the iCyPhy program sponsored by IBM and United Technology Corporation, the VKR Center of Excellence MT-LAB, and the German Innovation Alliance on Embedded Systems SPES2020.
  • Génération Automatique De Tests Unitaires Avec Praspel, Un Langage De Spécification Pour PHP the Art of Contract-Based Testing in PHP with Praspel

    Génération Automatique De Tests Unitaires Avec Praspel, Un Langage De Spécification Pour PHP the Art of Contract-Based Testing in PHP with Praspel

    CORE Metadata, citation and similar papers at core.ac.uk Provided by HAL - Université de Franche-Comté G´en´erationautomatique de tests unitaires avec Praspel, un langage de sp´ecificationpour PHP Ivan Enderlin To cite this version: Ivan Enderlin. G´en´eration automatique de tests unitaires avec Praspel, un langage de sp´ecificationpour PHP. Informatique et langage [cs.CL]. Universit´ede Franche-Comt´e,2014. Fran¸cais. <NNT : 2014BESA2067>. <tel-01093355v2> HAL Id: tel-01093355 https://hal.inria.fr/tel-01093355v2 Submitted on 19 Oct 2016 HAL is a multi-disciplinary open access L'archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destin´eeau d´ep^otet `ala diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publi´esou non, lished or not. The documents may come from ´emanant des ´etablissements d'enseignement et de teaching and research institutions in France or recherche fran¸caisou ´etrangers,des laboratoires abroad, or from public or private research centers. publics ou priv´es. Thèse de Doctorat école doctorale sciences pour l’ingénieur et microtechniques UNIVERSITÉ DE FRANCHE-COMTÉ No X X X THÈSE présentée par Ivan Enderlin pour obtenir le Grade de Docteur de l’Université de Franche-Comté K 8 k Génération automatique de tests unitaires avec Praspel, un langage de spécification pour PHP The Art of Contract-based Testing in PHP with Praspel Spécialité Informatique Instituts Femto-ST (département DISC) et INRIA (laboratoire LORIA) Soutenue publiquement
  • Assertions, Pre/Post- Conditions and Invariants

    Assertions, Pre/Post- Conditions and Invariants

    9/14/12 Assertions, pre/post- conditions and invariants Section 2.1 in Walls and Mirrors Section 4.5 Rosen Programming as a contract n Specifying what each method does q Specify it in a comment before method's header n Precondition q What is assumed to be true before the method is executed q Caller obligation n Postcondition q Specifies what will happen if the preconditions are met q Method obligation 1 9/14/12 Class Invariants n A class invariant is a condition that all objects of that class must satisfy while it can be observed by clients n What about Points in Cloud? q boundaries? q center? What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } // what could you state here? 2 9/14/12 What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } //n >= limit //more? What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } //n >= limit //n is the smallest power of 2 >= limit 3 9/14/12 assert Using assert: assert n == 1; while (n < limit) { n = 2 * n; } assert n >= limit; When to use Assertions n We can use assertions to guarantee the behavior.
  • Cyber-Physical System Design Contracts

    Cyber-Physical System Design Contracts

    Cyber-Physical System Design Contracts Patricia Derler Edward A. Lee Martin Törngren University of California, University of California, KTH Royal Institute of Berkeley Berkeley Technology [email protected] [email protected] [email protected] Stavros Tripakis University of California, Berkeley [email protected] ABSTRACT tinct disciplines such as control engineering, software engineer- This paper introduces design contracts between control and em- ing, mechanical engineers, network engineering, etc. The com- bedded software engineers for building Cyber-Physical Systems plexity and heterogeneity of all the different design aspects require (CPS). CPS design involves a variety of disciplines mastered by methodologies for bridging the gaps between the disciplines in- teams of engineers with diverse backgrounds. Many system prop- volved. This is known to be challenging since the disciplines have erties influence the design in more than one discipline. The lack of different views, encompassing terminology, theories, techniques clearly defined interfaces between disciplines burdens the interac- and design approaches. tion and collaboration. We show how design contracts can facilitate In this paper, we focus on interactions between control and em- interaction between 2 groups: control and software engineers. A bedded software engineers. A multitude of modeling, analysis and design contract is an agreement on certain properties of the system. synthesis techniques that deal with codesign of control functions Every party specifies requirements and assumptions on the system and embedded software have been developed since the 1970s. We and the environment. This contract is the central point of inter- use the term codesign for approaches that provide an awareness of domain communication and negotiation.
  • Chapter 23 Three Design Principles

    Chapter 23 Three Design Principles

    23 Three Design Principles Chapter 23 ContaxT / Kodax Tri-X Nunnery — Chichen Itza, Mexico Three Design Principles Learning Objectives • List the preferred characteristics of an object-oriented application architecture • State the definition of the Liskov Substitution Principle (LSP) • State the definition of Bertrand Meyer's Design by Contract (DbC) programming • Describe the close relationship between the Liskov Substitution Principle and Design by Contract • State the purpose of class invariants • State the purpose of method preconditions and postconditions • Describe the effects weakening and strengthening preconditions have on subclass behavior • Describe the effects weakening and strengthening postconditions have on subclass behavior • State the purpose and use of the Open-Closed Principle (OCP) • State the purpose and use of the Dependency Inversion Principle (DIP) • State the purpose of Code Contracts and how they are used to enforce preconditions, postconditions, and class invariants C# For Artists © 2015 Rick Miller and Pulp Free Press — All Rights Reserved 757 Introduction Chapter 23: Three Design Principles Introduction Building complex, well-behaved, object-oriented software is a difficult task for several reasons. First, simply programming in C# does not automatically make your application object-oriented. Second, the pro- cess by which you become proficient at object-oriented design and programming is characterized by expe- rience. It takes a lot of time to learn the lessons of bad software architecture design and apply those lessons learned to create good object-oriented architectures. The objective of this chapter is to help you jump-start your object-oriented architectural design efforts. I begin with a discussion of the preferred characteristics of a well-designed object-oriented architecture.
  • Sound Invariant Checking Using Type Modifiers and Object Capabilities

    Sound Invariant Checking Using Type Modifiers and Object Capabilities

    Sound Invariant Checking Using Type Modifiers and Object Capabilities. Isaac Oscar Gariano Victoria University of Wellington [email protected] Marco Servetto Victoria University of Wellington [email protected] Alex Potanin Victoria University of Wellington [email protected] Abstract In this paper we use pre existing language support for type modifiers and object capabilities to enable a system for sound runtime verification of invariants. Our system guarantees that class invariants hold for all objects involved in execution. Invariants are specified simply as methods whose execution is statically guaranteed to be deterministic and not access any externally mutable state. We automatically call such invariant methods only when objects are created or the state they refer to may have been mutated. Our design restricts the range of expressible invariants but improves upon the usability and performance of our system compared to prior work. In addition, we soundly support mutation, dynamic dispatch, exceptions, and non determinism, while requiring only a modest amount of annotation. We present a case study showing that our system requires a lower annotation burden compared to Spec#, and performs orders of magnitude less runtime invariant checks compared to the widely used ‘visible state semantics’ protocols of D, Eiffel. We also formalise our approach and prove that such pre existing type modifier and object capability support is sufficient to ensure its soundness. 2012 ACM Subject Classification Theory of computation → Invariants, Theory of computation → Program verification, Software and its engineering → Object oriented languages Keywords and phrases type modifiers, object capabilities, runtime verification, class invariants Digital Object Identifier 10.4230/LIPIcs.CVIT.2016.23 1 Introduction Object oriented programming languages provide great flexibility through subtyping and arXiv:1902.10231v1 [cs.PL] 26 Feb 2019 dynamic dispatch: they allow code to be adapted and specialised to behave differently in different contexts.
  • Grammar-Based Testing Using Realistic Domains in PHP Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet

    Grammar-Based Testing Using Realistic Domains in PHP Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet

    Grammar-Based Testing using Realistic Domains in PHP Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet To cite this version: Ivan Enderlin, Frédéric Dadeau, Alain Giorgetti, Fabrice Bouquet. Grammar-Based Testing using Realistic Domains in PHP. A-MOST 2012, 8th Workshop on Advances in Model Based Testing, joint to the ICST’12 IEEE Int. Conf. on Software Testing, Verification and Validation, Jan 2012, Canada. pp.509–518. hal-00931662 HAL Id: hal-00931662 https://hal.archives-ouvertes.fr/hal-00931662 Submitted on 16 Jan 2014 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Grammar-Based Testing using Realistic Domains in PHP Ivan Enderlin, Fred´ eric´ Dadeau, Alain Giorgetti and Fabrice Bouquet Institut FEMTO-ST UMR CNRS 6174 - University of Franche-Comte´ - INRIA CASSIS Project 16 route de Gray - 25030 Besanc¸on cedex, France Email: fivan.enderlin,frederic.dadeau,alain.giorgetti,[email protected] Abstract—This paper presents an integration of grammar- Contract-based testing [5] has been introduced in part to based testing in a framework for contract-based testing in PHP. address these limitations. It is based on the notion of Design It relies on the notion of realistic domains, that make it possible by Contract (DbC) [6] introduced by Meyer with Eiffel [7].
  • Design by Contract: the Lessons of Ariane

    Design by Contract: the Lessons of Ariane

    . Editor: Bertrand Meyer, EiffelSoft, 270 Storke Rd., Ste. 7, Goleta, CA 93117; voice (805) 685-6869; [email protected] several hours (at least in earlier versions of Ariane), it was better to let the computa- tion proceed than to stop it and then have Design by to restart it if liftoff was delayed. So the SRI computation continues for 50 seconds after the start of flight mode—well into the flight period. After takeoff, of course, this com- Contract: putation is useless. In the Ariane 5 flight, Object Technology however, it caused an exception, which was not caught and—boom. The exception was due to a floating- point error during a conversion from a 64- The Lessons bit floating-point value, representing the flight’s “horizontal bias,” to a 16-bit signed integer: In other words, the value that was converted was greater than what of Ariane can be represented as a 16-bit signed inte- ger. There was no explicit exception han- dler to catch the exception, so it followed the usual fate of uncaught exceptions and crashed the entire software, hence the onboard computers, hence the mission. This is the kind of trivial error that we Jean-Marc Jézéquel, IRISA/CNRS are all familiar with (raise your hand if you Bertrand Meyer, EiffelSoft have never done anything of this sort), although fortunately the consequences are usually less expensive. How in the world everal contributions to this made up of respected experts from major department have emphasized the European countries, which produced a How in the world could importance of design by contract report in hardly more than a month.
  • Contracts for Concurrency Piotr Nienaltowski, Bertrand Meyer, Jonathan S

    Contracts for Concurrency Piotr Nienaltowski, Bertrand Meyer, Jonathan S

    Contracts for concurrency Piotr Nienaltowski, Bertrand Meyer, Jonathan S. Ostroff To cite this version: Piotr Nienaltowski, Bertrand Meyer, Jonathan S. Ostroff. Contracts for concurrency. Formal Aspects of Computing, Springer Verlag, 2008, 21 (4), pp.305-318. 10.1007/s00165-007-0063-2. hal-00477897 HAL Id: hal-00477897 https://hal.archives-ouvertes.fr/hal-00477897 Submitted on 30 Apr 2010 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. DOI 10.1007/s00165-007-0063-2 BCS © 2007 Formal Aspects Formal Aspects of Computing (2009) 21: 305–318 of Computing Contracts for concurrency Piotr Nienaltowski1, Bertrand Meyer2 and Jonathan S. Ostroff3 1 Praxis High Integrity Systems Limited, 20 Manvers Street, Bath BA1 1PX, UK E-mail: [email protected] 2 ETH Zurich, Zurich, Switzerland 3 York University, Toronto, Canada Abstract. The SCOOP model extends the Eiffel programming language to provide support for concurrent programming. The model is based on the principles of Design by Contract. The semantics of contracts used in the original proposal (SCOOP 97) is not suitable for concurrent programming because it restricts parallelism and complicates reasoning about program correctness. This article outlines a new contract semantics which applies equally well in concurrent and sequential contexts and permits a flexible use of contracts for specifying the mutual rights and obligations of clients and suppliers while preserving the potential for parallelism.
  • The Contract Pattern Permission Granted to Copy for Plop ’97 Conference

    The Contract Pattern Permission Granted to Copy for Plop ’97 Conference

    Copyright 1997, Michel de Champlain The Contract Pattern Permission granted to copy for PLoP ’97 Conference. All other rights reserved. Michel de Champlain Department of Computer Science University of Canterbury, Christchurch, New Zealand [email protected] http://www.cosc.canterbury.ac.nz/~michel 12 August 1997 Abstract This paper describes the Contract pattern, an idiom that lets you apply assertions to guarantee pre-conditions and post-conditions of methods and invariants on the state of objects. This pattern can be used to develop reliable classes by making the Design by Contract methodology—introduced by Meyer in the specific context of the Eiffel language—available in Java and possibly other object-oriented languages. Intent Provide an implementation of the Design by contract methodology [Meyer88] for developing reliable classes and create robust objects in Java. This programming pattern lets you apply assertions to guarantee the pre-conditions and post-conditions of methods and invariants on the state of objects. Also Known As Design by contract Motivation Sometimes it’s necessary to restrict a class interface because you don’t want to provide all the possible input combinations for all collaborators. One way to achieve this goal is to make minimal and consistent methods that impose pre-conditions on input parameters. Moreover, you might want to ensure the class behavior by imposing post-conditions before methods return. You might also need to make sure that the class is always in a stable state. Such an approach can result in reliable classes to create robust objects. Consider for example a bounded counter that has both a lower and upper bound.
  • City Council Agenda Page 1

    City Council Agenda Page 1

    CITY OF SANTA BARBARA CITY COUNCIL Helene Schneider James L. Armstrong Mayor City Administrator Randy Rowse Mayor Pro Tempore Grant House Stephen P. Wiley Ordinance Committee Chair City Attorney Dale Francisco Finance Committee Chair Frank Hotchkiss City Hall Cathy Murillo 735 Anacapa Street Bendy White http://www.SantaBarbaraCA.gov MAY 14, 2013 AGENDA ORDER OF BUSINESS: Regular meetings of the Finance Committee and the Ordinance Committee begin at 12:30 p.m. The regular City Council meeting begins at 2:00 p.m. in the Council Chamber at City Hall. REPORTS: Copies of the reports relating to agenda items are available for review in the City Clerk's Office, at the Central Library, and http://www.SantaBarbaraCA.gov. In accordance with state law requirements, this agenda generally contains only a brief general description of each item of business to be transacted or discussed at the meeting. Should you wish more detailed information regarding any particular agenda item, you are encouraged to obtain a copy of the Council Agenda Report (a "CAR") for that item from either the Clerk's Office, the Reference Desk at the City's Main Library, or online at the City's website (http://www.SantaBarbaraCA.gov). Materials related to an item on this agenda submitted to the City Council after distribution of the agenda packet are available for public inspection in the City Clerk’s Office located at City Hall, 735 Anacapa Street, Santa Barbara, CA 93101, during normal business hours. PUBLIC COMMENT: At the beginning of the 2:00 p.m. session of each regular City Council meeting, and at the beginning of each special City Council meeting, any member of the public may address the City Council concerning any item not on the Council's agenda.
  • Implementing Closures in Dafny Research Project Report

    Implementing Closures in Dafny Research Project Report

    Implementing Closures in Dafny Research Project Report • Author: Alexandru Dima 1 • Total number of pages: 22 • Date: Tuesday 28th September, 2010 • Location: Z¨urich, Switzerland 1E-mail: [email protected] Contents 1 Introduction 1 2 Background 1 2.1 Closures . .1 2.2 Dafny . .2 3 General approach 3 4 Procedural Closures 5 4.1 Procedural Closure Type . .5 4.2 Procedural Closure Specifications . .6 4.3 A basic procedural closure example . .6 4.3.1 Discussion . .6 4.3.2 Boogie output . .8 4.4 A counter factory example . 13 4.5 Delegation example . 17 5 Pure Closures 18 5.1 Pure Closure Type . 18 5.2 A recursive while . 19 6 Conclusions 21 6.1 Limitations . 21 6.2 Possible extensions . 21 6.3 Acknowledgments . 21 2 BACKGROUND 1 Introduction Closures represent a particularly useful language feature. They provide a means to keep the functionality linked together with state, providing a source of ex- pressiveness, conciseness and, when used correctly, give programmers a sense of freedom that few other language features do. Smalltalk's standard control structures, including branches (if/then/else) and loops (while and for) are very good examples of using closures, as closures de- lay evaluation; the state they capture may be used as a private communication channel between multiple closures closed over the same environment; closures may be used for handling User Interface events; the possibilities are endless. Although they have been used for decades, static verification has not yet tack- led the problems which appear when trying to reason modularly about closures.