Talk:Design by contract

From Wikipedia, the free encyclopedia

Ada needs to be added to the list of langs. Im suprised it is not there in a dbc article!

---

The two versions of this article need merging.

---

The executability of contracts is more a feature of "Programming By Contract". DBC is about software design, and so the executability of the contracts is not really relevant, and it's certainly not the primary way in which DBC is novel. Also, the difference between contracts and assertions is not merely a matter of "depth". The big deal with DBC is that the whole design of the system is based on the contracts, whereas C assertions are just sprinkled around in a rather ad-hoc manner and don't necessarily affect the system's design. P3d0

Contents 1 DBC failure causing hard failures. 2 Assertions not strong enough 3 Static Typing 4 References 5 Time/Space Contracts 6 "Fail Hard" 7 "Obliged" versus "obligated" 8 DBC contrasted to defensive programming?

[edit] DBC failure causing hard failures.

Its not a DBC issue that is the concern.

If any program has an error and fails it is a problem.

However, if a program has an error and continues on blindly, that is some circumstances even worse.

The assumption of those anti-dbc is that if our program accepts faults blindly, and carries on, then less harm will happen compared to the program failing. This assumption is false because it implies some analysis of the problem, which clearly hasn't happened because of the exception.

eg. A square root function is called with a negative number. The system fails. The called function cannot determine what to do, since it doesn't know its context. The only way to make a decision as to what to do is more analysis.

If you are careful, you can put in place a top level error handler that does something sensible. This is for DBC or non DBC.

The non DBC solution would be return something, anything, and hope everthing works.

There is a middle ground. If there's some way to tell what objects have probably been corrupted, then that subsystem could be shut down somewhat cleanly, and perhaps even re-initialized. For instance, if you're talking about a database interface, then each transaction could be wrapped with an exception handler that rolls back the transaction, cleans up some data structures, and reports an error in the appropriate manner. The functionality that led to the exception could be disabled until an admin re-enables it. And so on. --P3d0 20:24, Jan 31, 2005 (UTC)

[edit] Assertions not strong enough

Let's stick to the Sqrt(-1) idea. Suppose we have a Math class that has a Sqrt function, defined in pre/post conditions:

pre: x >= 0
post: Sqr(result) == x

This looks like a good contract. Now a smart person inherits the Math class, and derives a ComplexMath class, which can handle complex numbers in addition to real numbers. The Sqrt function would look like:

pre:
post: Sqr(result) == x

So now we have a weaker precondition and a stronger postcondition. Nothing surprising, but suppose we have some code that says:

Math math = new ComplexMath();
i = math.Sqrt(-1);

Now what should this do - should it compile, run, crash or what? Any implementation using assertions would simply call ComplexMath.Sqrt() and return a complex number. But that is not the contract the client intended to use. This code should should not be allowed to pass any Q.A. test, because the programmer expected Math behaviour and not ComplexMath. There's no telling what will happen if the next part of the program gets the complex result.

So because the client uses the Math contract (interface) here by declaring math as Math, the preconditions and postconditions of Math should apply too.

That is a good observation. Clearly, I agree with you. There's an extensive Usenet thread on the topic. (Look especially at article 74 which, I think, sums up the concensus that we all reached in that thread.) (Links removed because they triggered Wikipedia's stupid spam filter; see old version.)

I'm not sure how (or even if) it should be incorporated into the article though. --P3d0 16:46, 2 Sep 2004 (UTC)

[edit] Static Typing

In my book (figure of speech), static typing is a way of enforcing preconditions for a function at compile time, because it enforces the need that (for instance) the parameter x is always an integer. Do other agree with this view?

I agree, for whatever that's worth. That's exactly why covariant parameter redefinition is controversial: it's equivalent to strengthening a precondition. --P3d0 20:16, Jan 31, 2005 (UTC)

Shure it is. And static typing can be used for invariants as well - for example with ranges. So I wonder if languages like with powerfull static typing (i.E. Ada) should be considered DOC as well. -- Krischik 07:02, 1 Feb 2005 (UTC)

[edit] References

I'm interested in this topic but the article seems a bit cursory. Would someone mind putting up a few references to guide my research? - Drewish 21:22, 2005 Feb 6 (UTC)

we can't do anything you can't do as well. Google for "Design by contract" and add pages of interest. But apart from that you are right. --Krischik 06:28, 8 Feb 2005 (UTC)

While I agree with you in principle, I'm certain that there are contributors who could provide the titles of a few of the definitive papers on the topic. Besides it's the wikipedia way, as it says at the bottom of every edit page, "Please cite your sources so others can check your work." Drewish 20:58, 2005 Feb 9 (UTC)

[edit] Time/Space Contracts

Somebody added something here on time/space contracts. If the person who edited that article this way sees this (or someone else who knows), could he/she tell me where information can be found on that? Thanks! Wouter Lievens 15:35, 28 May 2005 (UTC)

[edit] "Fail Hard"

Using the DBC methodology, the program code itself must never try to verify the contract conditions; the whole idea is that code should "fail hard", with the contract verification being the safety net. (This stands in stark contrast to the defensive programming methodology.) DBC's "fail hard" property makes debugging for-contract behavior much easier because the intended behaviour of each routine is clearly specified.

As a DBC newbie, I didn't understand much of this paragraph, and I don't know what "fail hard" means. A couple of minutes Googling didn't turn up anything relevant. Can someone define this term, and clarify this paragraph a bit? Axlrosen 19:15, 6 November 2005 (UTC)

It's not jargon; it mean just what it says: when a program fails, it should "fail hard" rather than trying to continue to run. As the article says, this concept is a bit controvercial. (I for one heartily endorse it during all phases of development except perhaps final deployment.) --P3d0 22:21, 6 November 2005 (UTC)

[edit] "Obliged" versus "obligated"

The words "obliged" and "obligated" have exactly the same meaning, so I'm inclined to agree with User:Rich_Farmbrough and use the simpler of the two. I disagree with User:SimonP's revert, and I'll re-revert unless anyone has an objection. --P3d0 13:46, 14 February 2006 (UTC)

There two words can actually have a different meaning. Consider these sentences:

He was obliged to her because of her actions

He was obligated to her because of her actions

Also obligated is North American English, while obliged is British, so this would fall under our rule of using the spelling of the original author. - SimonP 16:02, 14 February 2006 (UTC)

There is no clear cut distinction. OED agrees that legal requirement is included in "oblige" (as opposed to obligate), in its lengthy articles. More accessibly the American Heritage Dictionary says " To constrain by physical, legal, social, or moral means." Mirrim Webster has "to constrain by physical, moral, or legal force or by the exigencies of circumstance".

Furthermore Websters 1828 made the reverse distinction, saying of "Obligate" "Until recently, the sense of this word has been restricted to positive and personal acts; and when moral duty or law binds a person to do something, the word oblige has been used. But this distinction is not now observed."

Both words have been in use in the UK for some considerable time.

There are of course cicumstances where "obligate" is to be preferred, in direct quotes and in the technical senses of the word from finance and more importantly biology.

Rich Farmbrough. 16:24, 21 February 2006 (UTC)

[edit] DBC contrasted to defensive programming?

The article currently says:

Using the DBC methodology, the program code itself must never try to verify the contract conditions; the whole idea is that code should "fail hard", with the contract verification being the safety net. (This stands in stark contrast to the defensive programming methodology.)

I believe this to be somewhat incorrect - while a "defensive programmer" may attempt to recover from contract (developer) errors, such as incorrect arguments, it needn't to, as far as I understand what defensive programming is about. In the case of DBC, runtime errors (e.g., network failures, hardware failures, privilege violations) still occur, and are part of the contract. Defensive programming still applies in the sense that these well-defined errors should always be handled. -- intgr 17:06, 24 November 2006 (UTC)

In defensive programming, the callee checks for errors. In DbC, the callee is allowed to assume that the caller has made no errors. I'm not sure what this has to do with network failures etc. --P3d0 17:38, 24 November 2006 (UTC)

Runtime errors like network failures, that would be part of the contract, are covered by "defensive programming". This means that the two approaches generally also work together – the client programmer will have to check for runtime errors defined by the contract. -- intgr 17:58, 24 November 2006 (UTC)