Add to collection(s) Add to saved
  1. No category

Java Semantics and Specifying Procedures

advertisement 
cs205: engineering software
university of virginia
Specifying
Procedures
David Evans
www.cs.virginia.edu/cs205
fall 2006
Procedural Specifications
• Specification for a procedure
describes:
– What its inputs are
– What the mapping between inputs and
outputs are
– What it can do the state of the world
cs205: engineering software
2
Requires and Effects
• Header: name of procedure, types of
parameters and return value
– Java declaration
• Clauses (comments in Java)
– REQUIRES - precondition the client
must satisfy before calling
– EFFECTS – postcondition the
implementation satisfy at return
cs205: engineering software
3
Contract
• Client promises to satisfy the
precondition in the requires clause
• Implementer promises if client
satisfies the precondition, the return
value and state when the function
returns will satisfy the postcondition.
cs205: engineering software
4
Specification Contract
f ()
REQUIRES: precondition
EFFECTS: postcondition
precondition
{ f (); }
postcondition
cs205: engineering software
If the precondition is true,
after we call f (),
the postcondition is true.
5
Specification Example
public String bestStock ()
// REQUIRES: false
// EFFECTS: Returns the name of the
//
best stock to buy on the NASDAQ
//
tomorrow.
Can we implement a
procedure that
satisfies this
specification?
cs205: engineering software
Yes, any implementation will satisfy this
specification! If the precondition in the
requires clause is not satisfied, the
procedure can do anything and still
satisfy its specification!
6
Specification Example
public String bestStock ()
// REQUIRES: true
// EFFECTS: Returns the name of the
//
best stock to buy on the NASDAQ
//
tomorrow.
Can we implement a
procedure that satisfies
this specification?
cs205: engineering software
7
Requires Clauses
• The weaker (more easy to make true)
the requires clause:
– The more useful a procedure is for clients
– The more difficult it is to implement
correctly
• Avoid requires clauses unless there is a
good reason to have one
– Default requires clause is: REQUIRES true
– Client doesn’t need to satisfy anything
before calling
cs205: engineering software
8
Specification Example
public static int biggest (int [ ] a)
// REQUIRES: true
// EFFECTS: Returns the value of the
//
biggest element of a.
Is this a reasonable specification?
No, what should client expect to happen if a is empty.
cs205: engineering software
9
Specification Example
public static int biggest (int [ ] a)
// REQUIRES: a has at least one element.
// EFFECTS: Returns the value of the
//
biggest element of a.
Is this a good specification?
Maybe, depends on the client. Its risky…
cs205: engineering software
10
Specification Example
public static int biggest (int [ ] a)
// REQUIRES: true
// EFFECTS: If a has at least one
//
element, returns the value biggest
//
element of a. Otherwise, returns
//
Integer.MIN_VALUE (smallest int
//
value).
Better, but client has to deal with special case now.
Best would probably be to use an exception…
cs205: engineering software
11
Bad Use of Requires Clause
• Bug discovered in Microsoft Outlook
that treats messages that start with
“begin ” as empty attachments (can
be exploited by viruses)
To workaround this problem:
• Do not start messages with the word "begin" followed by two spaces.
• Use only one space between the word "begin" and the following data.
• Capitalize the word "begin" so that it is reads "Begin."
• Use a different word such as "start" or "commence".
from http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q265230&
(this is no longer available, was “revoked” by Microsoft)
cs205: engineering software
12
Modifies
• How does a client know a is the same
after biggest returns?
public static int biggest (int [ ] a)
// REQUIRES: true
// EFFECTS: If a has at least one element,
//
returns the value biggest element of a.
//
Otherwise, returns Integer.MIN_VALUE
//
(smallest int value).
Reading the effects clause is enough – if biggest modifies
anything, it should describe it. But, that’s a lot of work.
cs205: engineering software
13
Modifies
• Modifies clause: any state not listed
in the modifies clause may not be
changed by the procedure.
public static int biggest (int [ ] a)
// REQUIRES: true
// MODIFIES: nothing
// EFFECTS: If a has at least one element,
//
returns the value biggest element of a.
//
Otherwise, returns Integer.MIN_VALUE
//
(smallest int value).
cs205: engineering software
14
Modifies Example
public static int replaceBiggest (int [ ] a, int [] b)
// REQUIRES: a and b both have at least one
// element
// MODIFIES: a
// EFFECTS: Replaces the value of the biggest
//
element in a with the value of the biggest
//
element in b.
cs205: engineering software
15
Defaults
• What should it mean when there is
no requires clause?
REQUIRES: true
• What should it mean when there is
no modifies clause?
MODIFIES: nothing
• What should it mean when there is
no effects clause?
Meaningless.
cs205: engineering software
16
PS1
• Question 2 was very ambiguous:
Modify the program so that instead of
dying instantly, cells go through a dying
state where they are displayed in a
different color for one step before they die.
How should the life rules deal with
dying cells?
cs205: engineering software
17
Dealing with Bad Specs
• When a specification is ambiguous:
– Ask the provider to figure out what it
means
– Or, state very clearly what additional
assumptions you make
• Good (easy to implement) assumption
here: dying cells are not alive (as far as
neighbors are concerned), and don’t
become alive (whatever their neighbor
states are)
cs205: engineering software
18
Avoid Changing Interfaces
boolean isAlive()
// EFFECTS: Returns true if the cell is
alive, false otherwise.
• If we change this, need to examine
all code that uses isAlive
• If we just change its implementation,
don’t need to examine anything else
cs205: engineering software
19
enum (added to Java 1.5)
public enum StateValue {
dead, dying, alive
};
...
public Color getColor()
{
switch (alive) {
case alive: return Color.green;
case dying: return Color.red;
case dead: return Color.white;
}
}
cs205: engineering software
20
PS1 Grading
• Full credit even for inelegant code
• Later assignments: need clear,
elegant, economical code for full
credit
cs205: engineering software
21
PS2
• You will need to write a fair bit of
code yourself
• Challenge is to make your
specification and implementation
cover all possible inputs
• Next class: some hints on PS2
cs205: engineering software
22
Charge
• Specifications in CS205
– Will be informal: written in English
(aided by common mathematical
notations)
– ...but must be precise and clear
– REQUIRES/MODIFIES/EFFECTS style
cs205: engineering software
23
Related documents
Running Untrustworthy Code Project
Running Untrustworthy Code Project
public static void - University of Virginia
public static void - University of Virginia
Adjective Clauses Friday 11-2-12 Objective To
Adjective Clauses Friday 11-2-12 Objective To
Nic Hayward - Spectrum of Opportunity - 3 mins
Nic Hayward - Spectrum of Opportunity - 3 mins
Bjorn Lomborg: Global priorities bigger than climate change
Bjorn Lomborg: Global priorities bigger than climate change
Misplaced Modifiers!
Misplaced Modifiers!
This is “Halstead`s Software Science”
This is “Halstead`s Software Science”
Reasoning about Data Abstractions
Reasoning about Data Abstractions
Download
advertisement