tags:

views:

80

answers:

2
+2  Q: 

Understanding complex post-conditions in DbC

I have been reading over design-by-contract posts and examples, and there is something that I cannot seem to wrap my head around. In all of the examples I have seen, DbC is used on a trivial class testing its own state in the post-conditions (e.g. lots of Bank Accounts).

It seems to me that most of the time when you call a method of a class, it does much more work delegating method calls to its external dependencies. I understand how to check for this in a Unit-Test with specific scenarios using dependency inversion and mock objects that focus on the external behavior of the method, but how does this work with DbC and post-conditions?

My second question has to deal with understanding complex post-conditions. It seems to me that to write out a post-condition for many functions, that you basically have to re-write the body of the function for your post-condition to know what the new state is going to be. What is the point of that?

I really do like the notion of DbC and I think that it has great promise, particularly if I can figure out how to reproduce some failure state once I find a validated contract. Over the past couple of hours I have been reading some neat stuff wrt. automatic test generation in Eiffel. I am currently trying to improve my processes in C++ development, but I am open to learning something new if I can figure out how to not lose all of the ground I have made in my current projects. Thanks.

+1  A: 

but how does this work with DbC and post-conditions?

Every function is basically one of these:

  • A sequence of statements
  • A conditional statement
  • A loop

The idea is that you should check any postconditions about the results of the function that go beyond the union of the postconditions of all the functions called.

that you basically have to re-write the body of the function for your post-condition to know what the new state is going to be

Think about it the other way round. What made you write the function in the first place? What were you pursuing? Can that be expressed in a postcondition which is more simple than the function body itself? A postcondition will typically use queries (what in C++ are const functions), while the body usually combines commands and queries (methods that modify the object and methods which only get information from it).

In some cases, yes, you will find out that you can really add little value with postconditions. In these cases, writing a bunch of tests will typically be enough.

See also:

Daniel Daranas  2010-01-19 07:59:32
+1  A: 

Delegation at the contract level

most of the time when you call a method of a class, it does much more work delegating method calls to its external dependencies

As for this first question: the implementation of a function/method may call many other function/methods, but if the designer of the code had a clear mind, this does not imply that the specification of the caller is the concatenation of the specifications of the callees. For a method that calls many others, the size of the specification can remain contained if the method accomplishes a precise and well-defined task. Which it should if the whole system was well designed.

You are clearly asking your question from the point of view of run-time assertion checking. In this context, the above would perhaps be expressed as "you don't need to re-check in the post-condition of the caller that all the callees have respected their respective contracts. These checks will already be made on each call. In the post-condition of the caller, only check the functionally visible result of the caller."

Understanding complex post-conditions

You may find this "ACSL by example" document interesting (although probably different from what you're used to). It contains many examples of formal contracts for C functions. The language of the contracts is intended for static verification instead of run-time checking, with all the advantages and the drawbacks that it entails. They are a little more sophisticated than the "Bank Accounts" that you mention — these functions implement real algorithms, although simple ones. The document keeps the contracts short and readable by introducing well-thought-out auxiliary predicates (which would be called queries in Eiffel, as Daniel points out in his answer).

Pascal Cuoq  2010-01-27 15:14:41

related questions

Argument checking or Design-by-Contract in java (GWT). Where to start?
Design by Contract in C for use in Automated Theorem Proving
What are the best practices for Design by Contract programming.
What tooling do you use to do Design by Contract?
Design by Contract library (interface) thoughts?
Can Design-by-Contract be applied to dynamic languages as easily/well as to statically-typed ones?
What is the current best validation framework for asp.net apps?
Business entities / value objects framework with DbC support
Code Contracts, will you use them?
DbC (Design by Contract) and Unit Tests
Whats wrong with non nullable objects?
How can I show that a method will never return null (Design by contract) in C#
Design By Contract vs Test Driven Development ?
What do you think of the Managed Contract Tools library
What is the best way to write a contract for CSS usage in Web Development?
How do you do Design by Contract in Perl?
Is Spec# stable enough to use?
Compile time checking in Design by Contract?
Design By Contract and Test-Driven Development
How much null checking is enough?
'Design By Contract' in C#
Ruby and duck typing: design by contract impossible?
The best way to assert pre-condition and post-condition of arguments and values in .NET?
design by contract tests by assert or by exception?
Does Design By Contract Work For You?