Computer programming Architecture by Arrangement

 21 June 15:18   This page about DbC focuses on Architecture by Arrangement added closely

    than its Architecture by contract. The cause is that

    Eiffels DbC (and that of actual few additional languages) accommodate abutting affiliation of

    complete DbC with all aspects of the corresponding language, and the corresponding languages

    definitions.

    __TOC__

    »Not after my abstruse data types.«

    First, Architecture by Arrangement applies to modules, to the routines in the

    modules, to loops in subroutines, and amid statements. Exceptions

    are involved, too. That is to say, you cannot accept partial

    contracts. Affairs absorb the accomplished bore at every akin of

    refinement.

    If you set up a module(!) contract, the affairs clauses

    apply to an absolute bore throughout its absolute activity time.

    If you use a bore that has a contract, you are obliged

    to obey its arresting rules.

    There are two angle of a module, the audience view, and

    the suppliers view. If you address a subroutine, and the subroutine

    calls additional subroutines independent in some module, then your subroutine

    becomes a applicant of the module. The applicant sees two parts

    of the modules contract:

    # the modules invariants and

    # the preconditions and the postconditions of the modules subroutines.

    The bore itself is advised a supplier from the audience point

    of view, it food subroutines.

    The supplier sees added of the bore and adds some centralized arrangement clauses,

    so to speak. The supplier will accept to provide, that is, write

    # the modules invariants,

    # the preconditions and the postconditions of the modules subroutines,

    # bend invariants and bend variants,

    # analysis instructions

    # constant barring handling

    All of these are assertions, or, in the case of exceptions, constant with assertions.

    Check the attendance of acknowledging accessories per accent here: Architecture by contract.

    The purpose of an affirmation is twofold: First, it states accepted ethics of (computed) variables and their relations. Second, it facilitates testing that the variables do accept the ethics declared and that the relations are absolutely true. Getting allotment of a program, assertions can be acclimated as run-time checks of variables and their relations. But at the aforementioned time, assertions acquiesce acumen about the program afore it is run. You use assertions for assuming that a module, subroutine, loop, etc. is correct.

    Each affirmation is a Boolean expression, and is either True or False.

    Example:

     $s\; =\; 0$ or abroad $g(s)\; =\; 2$

    There are two relations in the archetype involving two variables, some ethics are computed.

    The two adequation tests are either True or False, and are affiliated by or else,

    a Boolean operator.

    Taken to the bore level, assertions can accurate requirements that a applicant haveto satisfy

    when calling the modules subroutine. The requirements are declared as preconditions of

    a subroutine, that is, assertions involving the subroutines academic arguments and possibly additional appearance of the module.

    In return, a subroutines postcondition describes what the subroutine will accept to action as a result.

    Again, the postcondition is bidding using an affirmation involving the subroutines after-effects and

    possibly additional appearance of the module. A archetypal subroutine description, allotment of the modules contract

    might attending like this:

     pop

    

     require

     has_items: not is_empty

     ensure

     one_less: calculation = old calculation - 1

    The subroutine pop takes no argument, and it doesnt acknowledgment anything.

    However, it modifies the module, a stack. Accordingly the pre- and postconditions

    are assertions that accredit to additional appearance of the module, is_empty

    and count. Advantageous names are absorbed to the assertions for reference.

    To complete the contract, addition affirmation is added at the bore level,

    the bore invariant. The relations of the bore invariant acquaint the client

    about the accompaniment of the bore by adage what is affirmed amid anniversary alarm of a subroutine

    of the module. Example:

     invariant

     sensible_count: calculation >= 0

    Contract violations are assertions that appraise to False.

    Typically, if the program does not reside up to its assertions, an barring is raised, because the program is acutely wrong.

    The bearings is then handled using the barring mechanisms of the language, bridled by the rules that Architecture by Arrangement requires.

    Extensive program assay based on assertions can in some cases be performed at abridge time.

    This amounts in a automated affidavit that assertive checks are not necessary.

    The checks can then be bare from the aggregate program. See Atom programming language.

    ----

    :If an affirmation is false, there is a bug in the program!

    ----

    The cause is that the program does not aftermath the after-effects that it haveto produce

    according to the assertions. Actuality is a account of the accessible assertions in Architecture by Contract

    (C agency arresting to audience (outside the module),

    S agency arresting to supplier (inside the module)):

    ; Bore Invariants (C, S): Bore invariants advance what is true afterwards initialisation of the module. They aswell advance the aforementioned truths afore and afterwards any beheading of one of its subprograms.

    ; Preconditions (C, S): A arrangement of a subprogram states what haveto be true afore calling the subprogram. Usually, it expresses relations of (computed) bore variables and subprogram parameters. Alone if the arrangement is true can the subprogram assassinate in adjustment to accomplish its postcondition.

    ; Postconditions (C, S): Postconditions accompaniment what will be true about (computed) variables and relations if the subprogram has accomplished successfully.

    ; (Loop variants) (S): A bend alternative is an announcement (of blazon Natural) whose amount decreases appear aught on anniversary abundance of the loop. About one of the variables of the bend is acclimated to accurate this property. The bend alternative guarantees termination.

    ; Bend invariants (S): A bend invariant expresses a affiliation that is true if the bend is entered, or entered already more. The affiliation will name variables of absorption to the loop.

    ; Checks (S): If a account has executed, it will acceptable accept afflicted the amount of one or added variables by assignment. A analysis expresses the programmers apprehension of the affiliation amid these variables afterwards the assignment.

    Preconditions P and postconditions Q of a subprogram S frame

    the subprogram in the faculty of a Hoare_logic:

    

     S ,

    

    provided the bore invariant is True afore and after

    the call! Apprehension this endure requirement. The bore haveto be in a accepted acceptable state,

    because the preconditions and the postconditions may accredit to the modules state.

    By implication, the aphorism from aloft about false assertions agency that

    assertions are not to be acclimated as replacements for input

    validation. If you deceit assurance your input, use

    means provided by your accent in a conditional, like the

     aspect in Ada.

    For example, calling

    Sqrtx where

    x = 123

    is a bug in using Sqrt, a abuse of the contract.

    The addition has bootless to analysis x afore sending it to

    the algebraic routine.

    Can you canyon all kinds of numbers to Sqrt and just adapt to

    handle the barring aloft if the arrangement of Sqrt

    evaluates to false? In additional words, can you advisedly avoid the

    contract? The acknowledgment is, No, for at atomic two reasons.

    # If a bore has been apparent to be correct, affirmation blockage ability accept been angry off for this module, assured that audience will accomplish their allotment of the contract. A arrangement abuse by the addition could then go disregarded and ability aftermath a awfully erroneous computation.

    # If the alleged subprogram is not Sqrt but controls the acceleration of a train, you deceit just canyon invalid ascribe until it doesnt appear to create the speed-control subprogram abort with an exception. Worse, see 1.

    (This archetype is accustomed in actual basal Ada notation, alive that accent support

    for DbC is appealing good, in accurate in Ada 2005, but limited.

    Imagining require, ensure, and invariant in abode of

    the comments apparent pre, post, and inv

    will cede the afterward afterpiece to the Eiffel original. Use the facilities

    that your accent provides for cogent assertions and exception

    handling.)

    The assertion credibility (`!) beneath are alone a notational device.

    They angle for the accessories accessible with the corresponding languages.

    Their acceptation is alone advisory of the contract.

     Account

    

     Assemblage

    

     is_empty Boolean

    

    

     calculation Natural

    

     top Item

    

    

     pushx Item

    

    

    

    

     pop

    

    

    

    

    

    

     Stack

    Notice that up to this point, there is no executable account in the

    module. Its just a amalgamation blueprint with acknowledged pre- and

    postconditions, and a bore invariant. Yet the modules arrangement is

    complete as far as audience of this bore are concerned.

    The action top states as arrangement that there

    must be an aspect on the stack, contrarily it cannot succeed.

    To accurate this, it refers to addition action of the same

    module, is_empty.

    Note that the bore invariant does acquiesce an abandoned stack.

    The action count has neither arrangement nor postcondition,

    but is mentioned in a bore invariant. This agency that audience can still

    expect that count allotment a amount >= 0

    Now if

    is_empty False

    then by

    count 0,

    count 0

    must be true because

     is_empty

    if and alone if

    count 0.

    ----

    :A software basic is actual in the faculty of these affairs if you assuredly prove it, using the assertions and rules from the accent definition.

    ----

    The centralized appearance of the module, in this case a amalgamation body,

    shows how assertions can be placed in an program.

    It is important to unterstand that assert

    in Ada, crave in Eiffel, etc. are deeply integrated

    with the languages barring administration mechanisms. This is

    unlike what you ability be academic if you understand Cs assert.

    (The accomplishing of the archetype assemblage is infact based on Ada.Containers,

    similar to how Eiffels Assemblage classes are usually implemented. It could aswell be based on

    s

    , or whatever accent you choose.)

     Assertion_PolicyCheck

     ...

     s Vector

     ...

     top Account

    

     advance is_empty assemblage is empty

     sLast_Element

     top

    Think about the furnishings of axis affirmation checking

    on or off. Assertions accurate a contract, they do not

    handle invalid input.

    What if a arrangement is true, but some account from

    the active subprogram raises an exception?

    Chances are that the postcondition can no best be

    established by the subprogram. It will fail. However,

    what about the accompaniment of the module?

    The first acknowledgment to the catechism about the accompaniment of the module

    is accustomed by this rule:

    ----

    :When an barring is accustomed to bear from the subprogram, the bore invariant haveto first be established.

    ----

    The additional acknowledgment can be different, depending on the language.

    The Eiffel way, for reference, is to retry the accepted in case

    of an exception:

    If the barring is handled, and the subprogram should

    retry to fulfil its postcondition, then both its

    precondition, and the bore invariant haveto first be established.

    (Otherwise the arrangement cannot act like invoking the accepted again

    without actionable the contract.)

    Ada, like some additional languages, has nested blocks, so

    exception administration could alpha from a blocks preconditions.

    Hence if you administer to restore the blocks preconditions,

    you can retry the block. A block may be nested central a loop,

    for example. Then your abettor will accept to assign

    values to variables acceptable the all-important preconditions

    of a bend execution.

    TBD

    In brief, the preconditions of overriden methods are or-ed,

    the post-conditions are and-ed.

    For modules congenital about acquired types, it haveto be accessible to

    substitute an item of a acquired blazon for an item of the parent

    type such that a auctioning alarm can still await on the parents

    contract. Likewise, the postconditions of the affection that gets

    actually alleged haveto betoken the postconditions of the parents

    features.

    Given an OO ancestor blazon T, calm with one of its methods,

     T

     foox T n Calculation Natural

    and a blazon acquired from T, alleged D, with the adjustment overridden,

     D T

    

     foox D n Calculation Natural

    imagine a advertence to an OO capricious of some type

    in the T hierarchy. Then

     x T D

     xfoo42

    Who is to blame?

    TBD

    See aswell guards, SCOOP, Ada.

    Gries, David (1981), The Science of Programming. New York

    Findler, Robert Bruce; Latendresse, Mario; Felleisen, Matthias (2001),

    Behavioral Affairs and Behavioral Subtyping.

    http://doi.acm.org/10.1145/503209.503240 or

    http://www.ccs.neu.edu/scheme/pubs/fse01-flf.pdf

    Hoare, C. A. R. (1969), An Absolute Base for Computer Programming. CACM, Vol.12, Amount 10, pp.576--583. http://doi.acm.org/10.1145/357980.358001 , http://doi.acm.org/10.1145/363235.363259

    Liskov, Barbara H.; Wing, Jeannete M., A Behavioral Angle of Subtyping.

    http://doi.acm.org/10.1145/197320.197383 or

    http://www.cs.cmu.edu/afs/cs.cmu.edu/project/venari/papers/subtype-toplas/paper.ps

    Meyer, Bertrand (1997), Item Aggressive software Architecture (OOSC2). New Jersey. Affiliate 11.

    http://www.ecma-international.org/publications/standards/Ecma-367.htm

    Design by contract

    (and, of course, Dijkstra)