design by contract versus doctest
Colin Blackburn
colin.blackburn at durham.ac.uk
Tue Apr 6 09:51:00 EDT 2004
On Tue, 06 Apr 2004 13:51:29 +0100, Peter Hickman <peter at semantico.com>
wrote:
> Colin Blackburn wrote:
>
>> Only while checking is turned on. It is a design philosophy. You
>> specify the pre and post-conditions before code is even thought of, it
>> is part of the design.
>
> Sure but the checks are still made by the function that is called not by
> the caller of the function. Which was my point and contrary to what aku
> said.
>
> aku wrote:
> > But in "design by contract" this responsibility is squarely
> > on the shoulders of the caller, and is *not* checked in
> > the function.
Aku is correct, no checks are (necessarily) made by the function in
installed code. It is the caller's responsibility to satisfy the
pre-conditions.
>> This says that *if* the pre-conditions are met (by the caller) *then*
>> the post-conditions will be guaranteed to be met (by the called
>> method.)
>
> No this is not entirely true, the require and ensure and both parts of
> the contract. The function will not be called if the require section is
> found to be false (such as count being greater than capacity).
In the installed code the pre-conditions are not necessarily implemented
therefore the function cannot refuse to run since it does not know its
pre-condition at this stage.
> Then after the function is executed (the do portion) then second half of
> the contract is checked, the ensure section. If these conditions fail
> then the contract is broken and the call fail just as if the require had
> failed.
Again, not necessarily in the installed code since the post-conditions are
not known. However, the result will be guaranteed if the preconditions are
met even in the installed code since the code wil have been designed
properly.
> Take this as an example (hacked at the keyboard, probably wont work)
>
> double (x: ELEMENT) is
> require
> x > 0
> do
> x = x * -2
> ensure
> x > 0
> end
>
> If you call it with double(-12) then the require section fails. If you
> call it with double(12) then the require section passes but the do
> section is creating a negative number and so the ensure section fails.
Your post-condition is incorrect. The method must ensure that the result
is double the input parameter if that parameter is greater than zero.
Howver, yes in this case the ensure will barf but this is at the design
stage and is there to ensure you get the method right in the first place.
When you deliver this routine the ensure will not be implement but by then
you will have corrected your typo.
> Getting the require section to pass is no guarantee that the
> post-conditions (ensure section) will be met, the do section is code
> like anything else and may get things wrong.
In correctly developed DbC that is precisely what is guaranteed. The
post-condition is *guaranteed* if the pre-condition is met. It is a design
tool.
Colin
--
More information about the Python-list
mailing list