unit 1: preliminaries part 2: design by contract › av › old › teaching › 4892 › notes ›...
TRANSCRIPT
Unit 1: PreliminariesPart 2: Design by Contract
Engineering 4892:Data Structures
Faculty of Engineering & Applied ScienceMemorial University of Newfoundland
April 23, 2010
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 1 / 15
1 Specification
1 Preconditions
1 Postconditions
1 Pre- and postconditions and testing
1 Self-checking code
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 2 / 15
Specification
A specification is a description of how a piece of software should behave
.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class)
. This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Specification
A specification is a description of how a piece of software should behave.It may be provided in two ways:
as internal documentation (i.e. as comments in source code)
externally as a separate document
The style of specification we will use is known as design by contract.
Design by contract provides something like a legal contract between theuser and the implementer of an operation (a regular function or a memberfunction of a class). This contract is expressed in terms of preconditionsand postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 3 / 15
Preconditions
Preconditions describe the conditions under which an operation should andshould not be invoked.
e.g. Life jackets come with weight limitations. Suppose a life jacket islisted as being for a child of 20 to 40 kg.
If you put a child who is 45 kg in this life jacket, it might providesufficient buoyancy but it might not
the precondition is not satisfied
If you put a child of 30 kg, then there is a guarantee that the lifejacket will ”do its job”
the precondition is satisfied
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 4 / 15
Preconditions
Preconditions describe the conditions under which an operation should andshould not be invoked.
e.g. Life jackets come with weight limitations
. Suppose a life jacket islisted as being for a child of 20 to 40 kg.
If you put a child who is 45 kg in this life jacket, it might providesufficient buoyancy but it might not
the precondition is not satisfied
If you put a child of 30 kg, then there is a guarantee that the lifejacket will ”do its job”
the precondition is satisfied
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 4 / 15
Preconditions
Preconditions describe the conditions under which an operation should andshould not be invoked.
e.g. Life jackets come with weight limitations. Suppose a life jacket islisted as being for a child of 20 to 40 kg
.
If you put a child who is 45 kg in this life jacket, it might providesufficient buoyancy but it might not
the precondition is not satisfied
If you put a child of 30 kg, then there is a guarantee that the lifejacket will ”do its job”
the precondition is satisfied
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 4 / 15
Preconditions
Preconditions describe the conditions under which an operation should andshould not be invoked.
e.g. Life jackets come with weight limitations. Suppose a life jacket islisted as being for a child of 20 to 40 kg.
If you put a child who is 45 kg in this life jacket, it might providesufficient buoyancy but it might not
the precondition is not satisfied
If you put a child of 30 kg, then there is a guarantee that the lifejacket will ”do its job”
the precondition is satisfied
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 4 / 15
Preconditions
Preconditions describe the conditions under which an operation should andshould not be invoked.
e.g. Life jackets come with weight limitations. Suppose a life jacket islisted as being for a child of 20 to 40 kg.
If you put a child who is 45 kg in this life jacket, it might providesufficient buoyancy but it might not
the precondition is not satisfied
If you put a child of 30 kg, then there is a guarantee that the lifejacket will ”do its job”
the precondition is satisfied
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 4 / 15
Preconditions
Preconditions describe the conditions under which an operation should andshould not be invoked.
e.g. Life jackets come with weight limitations. Suppose a life jacket islisted as being for a child of 20 to 40 kg.
If you put a child who is 45 kg in this life jacket, it might providesufficient buoyancy but it might not
the precondition is not satisfied
If you put a child of 30 kg, then there is a guarantee that the lifejacket will ”do its job”
the precondition is satisfied
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 4 / 15
Preconditions
Preconditions describe the conditions under which an operation should andshould not be invoked.
e.g. Life jackets come with weight limitations. Suppose a life jacket islisted as being for a child of 20 to 40 kg.
If you put a child who is 45 kg in this life jacket, it might providesufficient buoyancy but it might not
the precondition is not satisfied
If you put a child of 30 kg, then there is a guarantee that the lifejacket will ”do its job”
the precondition is satisfied
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 4 / 15
Suppose that we want to write a function to sort an array of integers:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s .void sort ( int A [ ] , int n ) ;
This means that if the arguments satisfy this condition, the function will”do its job”.
If the argument does not satisfy the precondition the function may or maynot ”do its job”.
The precondition imposes an obligation on the programmer who writes aninvocation of the operation: the invoker
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 5 / 15
Suppose that we want to write a function to sort an array of integers:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s .void sort ( int A [ ] , int n ) ;
This means that if the arguments satisfy this condition, the function will”do its job”.
If the argument does not satisfy the precondition the function may or maynot ”do its job”.
The precondition imposes an obligation on the programmer who writes aninvocation of the operation: the invoker
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 5 / 15
Suppose that we want to write a function to sort an array of integers:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s .void sort ( int A [ ] , int n ) ;
This means that if the arguments satisfy this condition, the function will”do its job”.
If the argument does not satisfy the precondition the function may or maynot ”do its job”.
The precondition imposes an obligation on the programmer who writes aninvocation of the operation: the invoker
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 5 / 15
Suppose that we want to write a function to sort an array of integers:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s .void sort ( int A [ ] , int n ) ;
This means that if the arguments satisfy this condition, the function will”do its job”.
If the argument does not satisfy the precondition the function may or maynot ”do its job”.
The precondition imposes an obligation on the programmer who writes aninvocation of the operation: the invoker
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 5 / 15
Suppose that we want to write a function to sort an array of integers:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s .void sort ( int A [ ] , int n ) ;
This means that if the arguments satisfy this condition, the function will”do its job”.
If the argument does not satisfy the precondition the function may or maynot ”do its job”.
The precondition imposes an obligation on the programmer who writes aninvocation of the operation: the invoker
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 5 / 15
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;
int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;
randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u e
sort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation
. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;
randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);
sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For example, if I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size ) ; // S i z e i s p a s s e d by v a l u esort (A , size ) ;
then I have fulfilled the obligation. If instead I write the following code:
int size = 5 0 ;int ∗A = new int [ size ] ;randomFill (A , size++);sort (A , size ) ;
then I have violated my obligation to the sort function. Therefore, Icannot expect sort to ”do its job”.
For the programmer who is implementing the function (the implementer),the precondition confers a benefit.
If my job is to write the sort function, then I have the benefit of nothaving to worry about mismatches between the actual size of the array,and the value of argument size.
Invoker (caller) Implementer
Precondition: Obligation: To ensure theprecondition is true at thebeginning of the invoca-tion.
Benefit: May assume thatthe precondition is true atthe beginning of the invo-cation.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 7 / 15
For the programmer who is implementing the function (the implementer),the precondition confers a benefit.
If my job is to write the sort function, then I have the benefit of nothaving to worry about mismatches between the actual size of the array,and the value of argument size.
Invoker (caller) Implementer
Precondition: Obligation: To ensure theprecondition is true at thebeginning of the invoca-tion.
Benefit: May assume thatthe precondition is true atthe beginning of the invo-cation.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 7 / 15
For the programmer who is implementing the function (the implementer),the precondition confers a benefit.
If my job is to write the sort function, then I have the benefit of nothaving to worry about mismatches between the actual size of the array,and the value of argument size.
Invoker (caller) Implementer
Precondition: Obligation: To ensure theprecondition is true at thebeginning of the invoca-tion.
Benefit: May assume thatthe precondition is true atthe beginning of the invo-cation.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 7 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order. Actually, this is a bit imprecise. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts
. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order. Actually, this is a bit imprecise. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”
. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order. Actually, this is a bit imprecise. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order. Actually, this is a bit imprecise. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order. Actually, this is a bit imprecise. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order
. Actually, this is a bit imprecise. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order. Actually, this is a bit imprecise
. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
Postconditions
A postcondition describes what it is for a function to ”do its job”.
Postconditions in everyday life: Postconditions are implicit in numerouscontracts. Consider a vending machine: ”If you pay a dollar, a candy bar isdispensed”. The postcondition describes a final state in which a candy barhas been dispensed.
For example:
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n : A [ 0 ] <= A [ 1 ] <= . . . <= A [ n−1]void sort ( int A [ ] , int n ) ;
Here the postcondition says that the array has been sorted intonon-decreasing order. Actually, this is a bit imprecise. We should add thatthe final array is a permutation of the original array (we will make thischange later).
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 8 / 15
The postcondition imposes an obligation on the implementer of thefunction.
If I have the job of implementing the sort function, then I have anobligation to ensure the postcondition will be true when the invocationreturns (provided, of course, the precondition was true at the beginning).
If I call the function, then I get the benefit of being able to assume thepostcondition is true after the function returns.
Invoker (caller) Implementer
Precondition: Obligation: To ensure theprecondition is true at thebeginning of the invoca-tion.
Benefit: May assume thatthe precondition is true atthe beginning of the invo-cation.
Postcondition: Benefit: May assume thepostcondition is true atthe end of the invocation.
Obligation: Must ensurethat the postcondition willbe true at the end of theinvocation.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 9 / 15
The postcondition imposes an obligation on the implementer of thefunction.
If I have the job of implementing the sort function, then I have anobligation to ensure the postcondition will be true when the invocationreturns (provided, of course, the precondition was true at the beginning).
If I call the function, then I get the benefit of being able to assume thepostcondition is true after the function returns.
Invoker (caller) Implementer
Precondition: Obligation: To ensure theprecondition is true at thebeginning of the invoca-tion.
Benefit: May assume thatthe precondition is true atthe beginning of the invo-cation.
Postcondition: Benefit: May assume thepostcondition is true atthe end of the invocation.
Obligation: Must ensurethat the postcondition willbe true at the end of theinvocation.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 9 / 15
The postcondition imposes an obligation on the implementer of thefunction.
If I have the job of implementing the sort function, then I have anobligation to ensure the postcondition will be true when the invocationreturns (provided, of course, the precondition was true at the beginning).
If I call the function, then I get the benefit of being able to assume thepostcondition is true after the function returns.
Invoker (caller) Implementer
Precondition: Obligation: To ensure theprecondition is true at thebeginning of the invoca-tion.
Benefit: May assume thatthe precondition is true atthe beginning of the invo-cation.
Postcondition: Benefit: May assume thepostcondition is true atthe end of the invocation.
Obligation: Must ensurethat the postcondition willbe true at the end of theinvocation.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 9 / 15
The postcondition imposes an obligation on the implementer of thefunction.
If I have the job of implementing the sort function, then I have anobligation to ensure the postcondition will be true when the invocationreturns (provided, of course, the precondition was true at the beginning).
If I call the function, then I get the benefit of being able to assume thepostcondition is true after the function returns.
Invoker (caller) Implementer
Precondition: Obligation: To ensure theprecondition is true at thebeginning of the invoca-tion.
Benefit: May assume thatthe precondition is true atthe beginning of the invo-cation.
Postcondition: Benefit: May assume thepostcondition is true atthe end of the invocation.
Obligation: Must ensurethat the postcondition willbe true at the end of theinvocation.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 9 / 15
In postconditions we sometimes need to refer to the value of a variable attwo times:
The initial value of a variable at the start of the invocation: x
The final value of a variable when the invocation returns: x’
e.g. We could fix up the postcondition given above for sort as follows,
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n :// A ’ [ 0 ] <= A ’ [ 1 ] <= . . . <= A ’ [ n−1]// A ’ i s a p e r m u t a t i o n o f A .void sort ( int A [ ] , int n ) ;
Note that conditions on separate lines are assumed to be AND’edtogether.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 10 / 15
In postconditions we sometimes need to refer to the value of a variable attwo times:
The initial value of a variable at the start of the invocation: x
The final value of a variable when the invocation returns: x’
e.g. We could fix up the postcondition given above for sort as follows,
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n :// A ’ [ 0 ] <= A ’ [ 1 ] <= . . . <= A ’ [ n−1]// A ’ i s a p e r m u t a t i o n o f A .void sort ( int A [ ] , int n ) ;
Note that conditions on separate lines are assumed to be AND’edtogether.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 10 / 15
In postconditions we sometimes need to refer to the value of a variable attwo times:
The initial value of a variable at the start of the invocation: x
The final value of a variable when the invocation returns: x’
e.g. We could fix up the postcondition given above for sort as follows,
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n :// A ’ [ 0 ] <= A ’ [ 1 ] <= . . . <= A ’ [ n−1]// A ’ i s a p e r m u t a t i o n o f A .void sort ( int A [ ] , int n ) ;
Note that conditions on separate lines are assumed to be AND’edtogether.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 10 / 15
In postconditions we sometimes need to refer to the value of a variable attwo times:
The initial value of a variable at the start of the invocation: x
The final value of a variable when the invocation returns: x’
e.g. We could fix up the postcondition given above for sort as follows,
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n :// A ’ [ 0 ] <= A ’ [ 1 ] <= . . . <= A ’ [ n−1]// A ’ i s a p e r m u t a t i o n o f A .void sort ( int A [ ] , int n ) ;
Note that conditions on separate lines are assumed to be AND’edtogether.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 10 / 15
In postconditions we sometimes need to refer to the value of a variable attwo times:
The initial value of a variable at the start of the invocation: x
The final value of a variable when the invocation returns: x’
e.g. We could fix up the postcondition given above for sort as follows,
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n :// A ’ [ 0 ] <= A ’ [ 1 ] <= . . . <= A ’ [ n−1]// A ’ i s a p e r m u t a t i o n o f A .void sort ( int A [ ] , int n ) ;
Note that conditions on separate lines are assumed to be AND’edtogether.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 10 / 15
In postconditions we sometimes need to refer to the value of a variable attwo times:
The initial value of a variable at the start of the invocation: x
The final value of a variable when the invocation returns: x’
e.g. We could fix up the postcondition given above for sort as follows,
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n :// A ’ [ 0 ] <= A ’ [ 1 ] <= . . . <= A ’ [ n−1]// A ’ i s a p e r m u t a t i o n o f A .void sort ( int A [ ] , int n ) ;
Note that conditions on separate lines are assumed to be AND’edtogether.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 10 / 15
In postconditions we sometimes need to refer to the value of a variable attwo times:
The initial value of a variable at the start of the invocation: x
The final value of a variable when the invocation returns: x’
e.g. We could fix up the postcondition given above for sort as follows,
// P r e c o n d i t i o n : A i s an a r r a y o f n i n t e g e r s// P o s t c o n d i t i o n :// A ’ [ 0 ] <= A ’ [ 1 ] <= . . . <= A ’ [ n−1]// A ’ i s a p e r m u t a t i o n o f A .void sort ( int A [ ] , int n ) ;
Note that conditions on separate lines are assumed to be AND’edtogether.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 10 / 15
Another example:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ t ’ ∗ t ’ + b ∗ t ’ + c == 0void solveQuadratic ( int a , int b , int c , int &t ) ;
When returning a value from a function, we refer to the return value asresult in the postcondition:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ r e s u l t ∗ r e s u l t + b ∗ r e s u l t + c == 0int solveQuadratic ( int a , int b , int c ) ;
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 11 / 15
Another example:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ t ’ ∗ t ’ + b ∗ t ’ + c == 0void solveQuadratic ( int a , int b , int c , int &t ) ;
When returning a value from a function, we refer to the return value asresult in the postcondition:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ r e s u l t ∗ r e s u l t + b ∗ r e s u l t + c == 0int solveQuadratic ( int a , int b , int c ) ;
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 11 / 15
Another example:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ t ’ ∗ t ’ + b ∗ t ’ + c == 0void solveQuadratic ( int a , int b , int c , int &t ) ;
When returning a value from a function, we refer to the return value asresult in the postcondition:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ r e s u l t ∗ r e s u l t + b ∗ r e s u l t + c == 0int solveQuadratic ( int a , int b , int c ) ;
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 11 / 15
Another example:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ t ’ ∗ t ’ + b ∗ t ’ + c == 0void solveQuadratic ( int a , int b , int c , int &t ) ;
When returning a value from a function, we refer to the return value asresult in the postcondition:
// P r e c o n d i t i o n : The q u a d r a t i c e q u a t i o n i n x// a ∗ x ∗ x + b ∗ x + c == 0// has a t l e a s t one i n t e g e r s o l u t i o n// P o s t c o n d i t i o n :// a ∗ r e s u l t ∗ r e s u l t + b ∗ r e s u l t + c == 0int solveQuadratic ( int a , int b , int c ) ;
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 11 / 15
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs.
We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0
true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true
true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true
Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yes
x == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0
true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true
true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true
Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yes
x == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2
false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false
false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false
Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yes
x == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0
false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false
true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true
Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yes
x == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0
true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true
false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false
No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Pre- and postconditions and testing
Consider the following decrement function.
// P r e c o n d i t i o n : x >= 0// P o s t c o n d i t i o n : x ’ == max ( 0 , x−1)void decrement ( int &x )
We will test an implementation of the function with a number of testinputs. We can determine whether the implemented function passed alltests by looking at the pre- and post-conditions:
Input Final State Precond. Postcond. Pass
x == 0 x’ == 0 true true Yesx == 1 x’ == 0 true true Yesx == -1 x’ == -2 false false Yesx == -2 x’ == 0 false true Yesx == 2 x’ == 0 true false No!
Self-checking code
The assert statement is used as follows,
assert ( booleanExp ) ;
If booleanExp evaluates to true, then nothing happens.
If booleanExp evaluates to false, then a short message is printed, andthe program stops execution immediately.
We can use the C++ assert macro to check pre- and postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 13 / 15
Self-checking code
The assert statement is used as follows,
assert ( booleanExp ) ;
If booleanExp evaluates to true, then nothing happens.
If booleanExp evaluates to false, then a short message is printed, andthe program stops execution immediately.
We can use the C++ assert macro to check pre- and postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 13 / 15
Self-checking code
The assert statement is used as follows,
assert ( booleanExp ) ;
If booleanExp evaluates to true, then nothing happens.
If booleanExp evaluates to false, then a short message is printed, andthe program stops execution immediately.
We can use the C++ assert macro to check pre- and postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 13 / 15
Self-checking code
The assert statement is used as follows,
assert ( booleanExp ) ;
If booleanExp evaluates to true, then nothing happens.
If booleanExp evaluates to false, then a short message is printed, andthe program stops execution immediately.
We can use the C++ assert macro to check pre- and postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 13 / 15
Self-checking code
The assert statement is used as follows,
assert ( booleanExp ) ;
If booleanExp evaluates to true, then nothing happens.
If booleanExp evaluates to false, then a short message is printed, andthe program stops execution immediately.
We can use the C++ assert macro to check pre- and postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 13 / 15
Self-checking code
The assert statement is used as follows,
assert ( booleanExp ) ;
If booleanExp evaluates to true, then nothing happens.
If booleanExp evaluates to false, then a short message is printed, andthe program stops execution immediately.
We can use the C++ assert macro to check pre- and postconditions.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 13 / 15
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .
if ( x != 0 )x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;
return ;}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
#include <c a s s e r t >
void decrement ( int &x ) {// Check the p r e c o n d i t i o nassert ( x >= 0 ) ;
// Record the i n i t i a l v a l u e o f xconst int x0 = x ;
// THE ACTUAL IMPLEMENTATION . . .if ( x != 0 )
x−−;
// Check the p o s t c o n d i t i o nassert ( x == max (0 , x0−1) ) ;return ;
}
If the first assert trips, this indicates an error in the invocation code.The invoker has not fulfilled their obligation.
If the second assert trips, this indicates an error in theimplementation.
Tips on using assertions
Use an assert statement to check as much of the precondition asreasonable.
The assertion checked should be a boolean expression implied by theprecondition, and it should be the strongest such boolean expression ascan be checked without undue effort.
Use an assert statement to check as much of the postcondition aspossible.
Note: The default action for the assert macro is to stop the executionright away and to print a short error message. If you are producingcommercial software this might not be the best thing to do. For thisreason, some people suggest that one should ”turn off” the assert macrosin released code. C++ even provides a convenient mechanism to causethe compiler to ignore all the assert macros. However there is a significantdanger to having your customers use code that is not exactly the same aswhat you tested.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 15 / 15
Tips on using assertions
Use an assert statement to check as much of the precondition asreasonable.
The assertion checked should be a boolean expression implied by theprecondition, and it should be the strongest such boolean expression ascan be checked without undue effort.
Use an assert statement to check as much of the postcondition aspossible.
Note: The default action for the assert macro is to stop the executionright away and to print a short error message. If you are producingcommercial software this might not be the best thing to do. For thisreason, some people suggest that one should ”turn off” the assert macrosin released code. C++ even provides a convenient mechanism to causethe compiler to ignore all the assert macros. However there is a significantdanger to having your customers use code that is not exactly the same aswhat you tested.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 15 / 15
Tips on using assertions
Use an assert statement to check as much of the precondition asreasonable.
The assertion checked should be a boolean expression implied by theprecondition, and it should be the strongest such boolean expression ascan be checked without undue effort.
Use an assert statement to check as much of the postcondition aspossible.
Note: The default action for the assert macro is to stop the executionright away and to print a short error message. If you are producingcommercial software this might not be the best thing to do. For thisreason, some people suggest that one should ”turn off” the assert macrosin released code. C++ even provides a convenient mechanism to causethe compiler to ignore all the assert macros. However there is a significantdanger to having your customers use code that is not exactly the same aswhat you tested.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 15 / 15
Tips on using assertions
Use an assert statement to check as much of the precondition asreasonable.
The assertion checked should be a boolean expression implied by theprecondition, and it should be the strongest such boolean expression ascan be checked without undue effort.
Use an assert statement to check as much of the postcondition aspossible.
Note: The default action for the assert macro is to stop the executionright away and to print a short error message. If you are producingcommercial software this might not be the best thing to do. For thisreason, some people suggest that one should ”turn off” the assert macrosin released code. C++ even provides a convenient mechanism to causethe compiler to ignore all the assert macros. However there is a significantdanger to having your customers use code that is not exactly the same aswhat you tested.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 15 / 15
Tips on using assertions
Use an assert statement to check as much of the precondition asreasonable.
The assertion checked should be a boolean expression implied by theprecondition, and it should be the strongest such boolean expression ascan be checked without undue effort.
Use an assert statement to check as much of the postcondition aspossible.
Note: The default action for the assert macro is to stop the executionright away and to print a short error message. If you are producingcommercial software this might not be the best thing to do. For thisreason, some people suggest that one should ”turn off” the assert macrosin released code. C++ even provides a convenient mechanism to causethe compiler to ignore all the assert macros. However there is a significantdanger to having your customers use code that is not exactly the same aswhat you tested.
ENGI 4892 (MUN) Unit 1, Part 2 April 23, 2010 15 / 15