Design by Contract - PowerPoint PPT Presentation

Slides: 26
Provided by: Robe6162
Transcript and Presenter's Notes

Title: Design by Contract


1
Design by Contract
  • Where Agile Meets Formal Methods

2
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

3
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

4
Motivation
  • Improve software quality and reliability
  • Second NASA Formal Methods Symposium (April
    13-15, 2010)
  • Verification and Validation of Flight-Critical
    Systems
  • An Overview of Formal Methods at Intel
  • Decision Engine for Software Analysis at
    Microsoft.

5
Motivation
  • What are Formal Methods?
  • mathematically rigorous techniques and tools
    for developing specification, design and
    verification of software and hardware systems
  • -- Wikipedia

6
Motivation
  • Agile: Are we building the right product?
  • making sure clients get what they want
  • won't waste resources unnecessarily
  • Formal: Are we building the product right?
  • making sure code does exactly as specified
  • separate process to determine right product

7
Motivation
  • Is there a common ground?
  • Alloy (MIT)
  • Object Constraint Language (IBM)
  • Design by Contract (Eiffel)

8
Motivation
  • Why should the Agile community care?
  • Tests often insufficient to safeguard changes
  • Documentation is poorly written or outdated
  • Collective code ownership → misinterpretation
  • Why should the FM community care?
  • Overemphasized full formalization of design
  • Few people understand formal notations

9
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

10
Design by Contract History
  • Bertrand Meyer developed DbC in 1986
  • "The quality factors on which we have
    concentrated -- reusability, extendibility,
    compatibility -- must not be attained at the
    expense of reliability (correctness and
    robustness)."
  • -- Bertrand Meyer, Object Oriented Software
    Construction
  • Correctness → Assertions
  • Robustness → Exception Handling

11
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

12
Design by Contract Concept
Example: a contract between an airline and a customer

| | Obligations | Benefits |
|---|---|---|
| Customer (client) | (Must ensure precondition) Be at the Pearson airport at least 5 minutes before scheduled departure time. Bring only acceptable baggage. Pay ticket price. | (May benefit from postcondition) Reach Chicago. |
| Airline (supplier) | (Must ensure postcondition) Bring customer to Chicago. | (May assume precondition) No need to carry passenger who is late, has unacceptable baggage, or has not paid ticket price. |

13
Design by Contract Concept
  • Precondition
  • an obligation for the client and a benefit for
    the supplier
  • Postcondition
  • a benefit for the client and an obligation for
    the supplier

14
Design by Contract Concept
Example: a contract between an airline and a customer

| | Before Purchase | After Purchase |
|---|---|---|
| Airline (supplier) | (Must ensure invariant) Ensures plane has certain number of free seats | (Must ensure invariant) Number of free seats decreases appropriately |

  • Class Invariant
  • global property of the instances of a class,
    which must be preserved by all routines

15
Design by Contract Concept
Example: a contract between an airline and a customer

| | Airline (General) | Airline (Business) |
|---|---|---|
| Customer (client) | Be at the Pearson airport at least 5 minutes before scheduled departure time. Bring only acceptable baggage. Pay ticket price. | Be at the Pearson airport at least 30 minutes before scheduled departure time. Bring only acceptable baggage. Pay ticket price. |
| Airline (supplier) | Bring customer to Chicago. | Bring customer to O'Hare International Airport in Chicago. |

16
Design by Contract Concept
  • Subcontract
  • Precondition can be weakened
  • Postcondition can be strengthened

17
Design by Contract Concept
Example: a contract between an airline and a customer

| | While Loading Baggage | Handling |
|---|---|---|
| Airline (supplier) | Detected a snake in Customer A's baggage | Ask Customer A to leave the plane along with his baggage |

  • Exception
  • a run-time event that may cause a routine call to
    fail
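
The concepts from slides 12 to 17, written as runtime-checked contracts in Python (an added example, not part of the original slides). It shows which party a violation is attributed to, and how a subcontractor combines its contract with the parent's: precondition OR-ed, postcondition AND-ed. All class and function names are assumptions; the 30- and 5-minute limits and the destinations reuse the slides' figures, but which airline plays the subcontractor is assumed here.

```python
class PreconditionViolation(Exception): pass   # client broke its obligation
class PostconditionViolation(Exception): pass  # supplier broke its obligation

def require(cond, what):
    if not cond:
        raise PreconditionViolation(what)

def ensure(cond, what):
    if not cond:
        raise PostconditionViolation(what)

class Airline:
    DESTINATION = "Chicago"  # stand-in for the result of the routine body

    def __init__(self, seats):
        self.capacity, self.free_seats, self.passengers = seats, seats, []
        self._invariant()

    def _invariant(self):  # class invariant: holds after every public routine
        ensure(0 <= self.free_seats == self.capacity - len(self.passengers),
               "seat accounting is consistent")

    def pre_ok(self, minutes_early, paid, baggage_ok):
        return minutes_early >= 30 and paid and baggage_ok

    def post_ok(self, destination):
        return destination.endswith("Chicago")

    def fly(self, name, minutes_early, paid, baggage_ok):
        require(self.free_seats > 0, "a seat is free")
        require(self.pre_ok(minutes_early, paid, baggage_ok), "obligations met")
        old_free = self.free_seats
        self.passengers.append(name)
        self.free_seats -= 1
        destination = self.DESTINATION
        ensure(self.post_ok(destination), "customer reaches Chicago")
        ensure(self.free_seats == old_free - 1, "one seat was consumed")
        self._invariant()
        return destination

class Subcontractor(Airline):
    DESTINATION = "O'Hare International Airport, Chicago"

    def pre_ok(self, minutes_early, paid, baggage_ok):  # weakened: parent OR own
        return (super().pre_ok(minutes_early, paid, baggage_ok)
                or (minutes_early >= 5 and paid and baggage_ok))

    def post_ok(self, destination):  # strengthened: parent AND own
        return super().post_ok(destination) and destination.startswith("O'Hare")
```

A client written against `Airline` keeps working when handed a `Subcontractor`, because everything the parent accepts is still accepted and everything the parent promises is still delivered.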

18
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

19
Design by Contract Integrate
  • "We will derive tremendous benefits from writing
    the assertions at the same time as we write the
    software, or indeed before we write the
    software."
  • -- Bertrand Meyer, Object Oriented Software
    Construction
  • Unlike TDD, DbC checks for all cases
  • ESC/Java2 checks spec consistency at runtime
  • JMLUnit auto-generates test cases
  • JMLDoc embeds JML in JavaDoc

20
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

21
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

22
Design by Contract Reviews
  • "I've tried to use DbC in a number of
    enterprise application settings, and I've found
    that in many situations it's as hard to write the
    pre and post conditions as it is to write the
    solution."
  • -- Martin Fowler
  • "Design by Contract practice lessened the
    number of person-hours required to perform
    software testing."
  • -- An Experience With Design by Contract

23
What is Design by Contract?
  • Motivation
  • History
  • Concept
  • Integrate with Agile
  • Example
  • Reviews
  • Current State

24
Design by Contract Current State
  • Eiffel: built into the language
  • Java: JCR305 submitted for JML
  • Microsoft: Spec# and Boogie

25
  • Q & A