Design by Contract Where Agile Meets Formal Methods
Page 1: Design by Contract Where Agile Meets Formal Methods.

Design by Contract

Where Agile Meets Formal Methods

Page 2: Design by Contract Where Agile Meets Formal Methods.

• Motivation

• History

• Concept

• Integrate with Agile

• Example

• Reviews

• Current State

What is Design by Contract?

Page 4: Design by Contract Where Agile Meets Formal Methods.

Motivation

• Improve software quality and reliability

• Second NASA Formal Methods Symposium (April 13 – 15, 2010)
– Verification and Validation of Flight-Critical Systems
– An Overview of Formal Methods at Intel
– Decision Engine for Software Analysis at Microsoft

Page 5: Design by Contract Where Agile Meets Formal Methods.

• What are Formal Methods? “mathematically rigorous techniques and tools for developing specification, design and verification of software and hardware systems”

-- Wikipedia

Motivation

Page 6: Design by Contract Where Agile Meets Formal Methods.

• Agile: Are we building the right product?
– making sure clients get what they want
– won’t waste resources unnecessarily

• Formal: Are we building the product right?
– making sure the code does exactly what is specified
– a separate process determines the right product

Motivation

Page 7: Design by Contract Where Agile Meets Formal Methods.

• Is there a common ground?
– Alloy (MIT)
– Object Constraint Language (IBM)
– Design by Contract (Eiffel)

Motivation

Page 8: Design by Contract Where Agile Meets Formal Methods.

• Why should the Agile community care?
– Tests are often insufficient to safeguard changes
– Documentation is poorly written or outdated
– Collective code ownership is misinterpreted

• Why should the FM community care?
– Overemphasis on full formalization of design
– Few people understand formal notations

Motivation

Page 10: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – History

• Bertrand Meyer developed DbC in 1986

“The quality factors on which we have concentrated — reusability, extendibility, compatibility — must not be attained at the expense of reliability (correctness and robustness).”

-- Bertrand Meyer, Object Oriented Software Construction

• Correctness: assertions

• Robustness: exception handling

Page 12: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Concept

Customer (client)
– Obligations (must ensure precondition): Be at the Pearson airport at least 5 minutes before scheduled departure time. Bring only acceptable baggage. Pay ticket price.
– Benefits (may benefit from postcondition): Reach Chicago.

Airline (supplier)
– Obligations (must ensure postcondition): Bring customer to Chicago.
– Benefits (may assume precondition): No need to carry passenger who is late, has unacceptable baggage, or has not paid ticket price.

Example: a contract between an airline and a customer

Page 13: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Concept

• Precondition:
– an obligation for the client and a benefit for the supplier

• Postcondition:
– a benefit for the client and an obligation for the supplier

Page 14: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Concept

Airline (supplier)
– Before purchase (must ensure invariant): Ensures plane has certain number of free seats
– After purchase (must ensure invariant): Number of free seats decreases appropriately

Example: a contract between an airline and a customer

• Class Invariant:
– global property of the instances of a class, which must be preserved by all routines

Page 15: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Concept

Customer (client)
– Airline (General): Be at the Pearson airport at least 5 minutes before scheduled departure time. Bring only acceptable baggage. Pay ticket price.
– Airline (Business): Be at the Pearson airport at least 30 minutes before scheduled departure time. Bring only acceptable baggage. Pay ticket price.

Airline (supplier)
– Airline (General): Bring customer to Chicago.
– Airline (Business): Bring customer to O’Hare International Airport in Chicago.

Example: a contract between an airline and a customer

Page 16: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Concept

• Subcontract:
– Precondition can be weakened
– Postcondition can be strengthened

Page 17: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Concept

Airline (supplier)
– While loading: Detected a snake in Customer A’s baggage
– Baggage handling: Ask Customer A to leave the plane along with his baggage

Example: a contract between an airline and a customer

• Exception:
– a run-time event that may cause a routine call to fail
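The airline contract from the Concept slides, written out as an added example (not code from the deck): precondition, postcondition, class invariant and subcontract are checked at run time, and a violation names which party broke the contract, which is the point of the obligations/benefits table. The minute thresholds and class names are constructed; the subclass weakens its precondition and strengthens its postcondition as the Subcontract slide prescribes.

```python
# Added example, not from the slides: the deck's airline contract in plain Python.
class ContractViolation(AssertionError):
    """A broken contract; the message names the party that broke it."""

class Flight:
    """Supplier. Class invariant: 0 <= free_seats <= capacity."""
    MIN_MINUTES_EARLY = 30  # the client's obligation (constructed value)
    def __init__(self, capacity):
        self.capacity = capacity
        self.free_seats = capacity
        self._check_invariant()

    def _check_invariant(self):
        if not 0 <= self.free_seats <= self.capacity:
            raise ContractViolation("supplier broke the class invariant")

    def accepts(self, minutes_early, baggage_ok, paid):
        # The precondition, stated once so a client can check it before calling.
        return (minutes_early >= self.MIN_MINUTES_EARLY and baggage_ok
                and paid and self.free_seats > 0)

    def board(self, minutes_early, baggage_ok, paid):
        # Precondition: the client's obligation; the supplier may assume it, so
        # a violation is reported as the client's fault rather than handled.
        if not self.accepts(minutes_early, baggage_ok, paid):
            raise ContractViolation("client broke the precondition")
        seats_before = self.free_seats
        self.free_seats -= 1
        destination = self._fly()
        # Postcondition: the supplier's obligation; the client may rely on it.
        if self.free_seats != seats_before - 1 or "Chicago" not in destination:
            raise ContractViolation("supplier broke the postcondition")
        self._check_invariant()  # every routine must preserve the invariant
        return destination

    def _fly(self):
        return "Chicago"

class PriorityFlight(Flight):
    """Subcontract: precondition weakened (5 minutes early is enough),
    postcondition strengthened (names the airport), so Flight's still holds."""
    MIN_MINUTES_EARLY = 5
    def _fly(self):
        return "O'Hare International Airport, Chicago"

    def board(self, minutes_early, baggage_ok, paid):
        destination = super().board(minutes_early, baggage_ok, paid)
        if "O'Hare" not in destination:  # the stronger postcondition
            raise ContractViolation("supplier broke the subcontract")
        return destination
```

A caller that only knows the Flight contract can still use a PriorityFlight: anything it is allowed to pass is accepted, and anything it is promised is delivered.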

Page 19: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Integrate

"We will derive tremendous benefits from writing the assertions at the same time as we write the software, or indeed before we write the software."

-- Bertrand Meyer, Object Oriented Software Construction

• Unlike TDD, DbC checks all cases

• ESC/Java2 checks spec consistency at runtime

• JMLUnit auto-generates test cases

• JMLDoc embeds JML in JavaDoc

Page 22: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Reviews

“I've tried to use [DbC] in a number of enterprise application settings, and I've found that in many situations it's as hard to write the pre and post conditions as it is to write the solution.”

-- Martin Fowler

“Design by Contract practice lessened the number of person-hours required to perform software testing.”

-- An Experience With Design by Contract

Page 24: Design by Contract Where Agile Meets Formal Methods.

Design by Contract – Current State

• Eiffel – built into the language

• Java – JSR 305 submitted for JML

• Microsoft – Spec# and Boogie

Page 25: Design by Contract Where Agile Meets Formal Methods.

Q & A