design by contract versus doctest
Peter Hickman
peter at semantico.com
Tue Apr 6 08:51:29 EDT 2004
Colin Blackburn wrote:
> On Tue, 06 Apr 2004 12:41:45 +0100, Peter Hickman <peter at semantico.com>
> wrote:
>
>> Looking at the Eiffel site the contract is enforced within the called
>> function.
>
> Only while checking is turned on. It is a design philosophy. You
> specify the pre and post-conditions before code is even thought of, it
> is part of the design.
Sure but the checks are still made by the function that is called not by
the caller of the function. Which was my point and contrary to what aku
said.
aku wrote:
> But in "design by contract" this responsibility is squarely
> on the shoulders of the caller, and is *not* checked in
> the function.
>> put (x: ELEMENT; key: STRING) is
>> -- Insert x so that it will be retrievable through key.
>> require
>> count <= capacity
>> not key.empty
>> do
>> ... Some insertion algorithm ...
>> ensure
>> has (x)
>> item (key) = x
>> count = old count + 1
>> end
>
>
> This says that *if* the pre-conditions are met (by the caller) *then*
> the post-conditions will be guaranteed to be met (by the called
> method.)
No this is not entirely true, the require and ensure and both parts of
the contract. The function will not be called if the require section is
found to be false (such as count being greater than capacity). Then
after the function is executed (the do portion) then second half of the
contract is checked, the ensure section. If these conditions fail then
the contract is broken and the call fail just as if the require had failed.
The require is a contract between the caller and the called. The ensure
is, in effect, a contract between the called and itself. You might get
the require section correct, this would mean that valid parameters have
been passed to the called by the caller. But this is no guarantee that
the do section doesnt screw things up.
Which is why we have the ensure section, this checks that the do section
has not done anything stupid.
Take this as an example (hacked at the keyboard, probably wont work)
double (x: ELEMENT) is
require
x > 0
do
x = x * -2
ensure
x > 0
end
If you call it with double(-12) then the require section fails. If you
call it with double(12) then the require section passes but the do
section is creating a negative number and so the ensure section fails.
Getting the require section to pass is no guarantee that the
post-conditions (ensure section) will be met, the do section is code
like anything else and may get things wrong.
More information about the Python-list
mailing list