Subtype Condition 1 for Engineering Software - Slides | CS 2220, Study notes of Software Engineering

Material Type: Notes; Class: Engineering Software; Subject: Computer Science; University: University of Virginia; Term: Fall 2006;

Typology: Study notes

Pre 2010

Uploaded on 03/09/2009

koofers-user-4m0

cs205: engineering software
University of Virginia, Fall 2006
David Evans
www.cs.virginia.edu/cs205

Substitution Principle



cs205: engineering software 2

How do we know if saying "B is a subtype of A" is safe?

Substitution Principle: If B is a subtype of A, everywhere the code expects an A, a B can be used instead and the program still satisfies its specification.

cs205: engineering software 3

Subtype Condition 1: Signature Rule

We can use a subtype method where a supertype method is expected:

  • Subtype must implement all of the supertype methods
  • Argument types must not be more restrictive
  • Result type must be at least as restrictive
  • Subtype method must not throw exceptions that are not subtypes of exceptions thrown by supertype

cs205: engineering software 4

Signature Rule

    class A {
        public RA m (PA p);
    }

    class B extends A {
        public RB m (PB p);
    }

RB must be a subtype of RA: RB <= RA

PB must be a supertype of PA: PB >= PA

Covariant for results, contravariant for parameters.
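The signature rule above as a check you can run. This is an added example, not code from the cs205 slides; Python stands in for the slide's Java schema. The checker reads the type annotations of each method a subtype overrides and applies the two relations with `issubclass`: the result must be a subtype of the supertype's result (RB <= RA) and each parameter must be a supertype of the supertype's parameter (PB >= PA). PA, PB, RA, RB, A and m follow the slide; `check_signature_rule`, `_both_classes`, `GoodB` and `BadB` are assumptions of this example. Python annotations carry no thrown-exception types, so the exception clause of Condition 1 is not checked here.

```python
"""Signature-rule checker (added example; names other than PA/PB/RA/RB/A/m are assumed)."""
import inspect
from typing import get_type_hints


def _both_classes(x, y) -> bool:
    """Only plain classes can be compared with issubclass (helper assumed here)."""
    return isinstance(x, type) and isinstance(y, type)


def check_signature_rule(sup: type, sub: type) -> list:
    """Return the signature-rule violations of `sub` as a subtype of `sup`.

    For every public method of `sup` that `sub` overrides:
      * the result type must be a subtype of the supertype's (RB <= RA, covariant)
      * each parameter type must be a supertype of the supertype's (PB >= PA, contravariant)
    """
    violations = []
    for name, sup_method in inspect.getmembers(sup, inspect.isfunction):
        if name.startswith("_"):
            continue
        sub_method = getattr(sub, name, None)
        if sub_method is None:
            # Rule: the subtype must implement all of the supertype methods.
            violations.append(f"{sub.__name__} does not implement {name}")
            continue
        if sub_method is sup_method:
            continue  # inherited unchanged: trivially conforms
        sup_hints = get_type_hints(sup_method)
        sub_hints = get_type_hints(sub_method)
        # Result: RB must be a subtype of RA.
        ra, rb = sup_hints.get("return"), sub_hints.get("return")
        if _both_classes(ra, rb) and not issubclass(rb, ra):
            violations.append(
                f"{sub.__name__}.{name}: result {rb.__name__} is not a subtype of {ra.__name__}")
        # Parameters: PB must be a supertype of PA.
        for pname in inspect.signature(sup_method).parameters:
            if pname == "self":
                continue
            pa, pb = sup_hints.get(pname), sub_hints.get(pname)
            if _both_classes(pa, pb) and not issubclass(pa, pb):
                violations.append(
                    f"{sub.__name__}.{name}: parameter {pname}: "
                    f"{pb.__name__} is not a supertype of {pa.__name__}")
    return violations


class PA: ...
class PB(PA): ...   # PB <= PA
class RA: ...
class RB(RA): ...   # RB <= RA


class A:
    def m(self, p: PA) -> RA:
        return RA()


class GoodB(A):
    # Result narrows to RB (covariant), parameter widens to object (contravariant):
    # every callsite written against A.m still type-checks.
    def m(self, p: object) -> RB:
        return RB()


class BadB(A):
    # Parameter narrows to PB and result widens to object: a callsite that
    # passes any PA, or uses the result as an RA, is no longer guaranteed to work.
    def m(self, p: PB) -> object:
        return object()


if __name__ == "__main__":
    print("GoodB:", check_signature_rule(A, GoodB))   # []
    for v in check_signature_rule(A, BadB):
        print("BadB:", v)
```

Run it as a script to see the two violations reported for `BadB` and none for `GoodB`; the same function can be pointed at any pair of annotated classes.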

cs205: engineering software 5

Subtype Condition 2: Methods Rule

  • Precondition of the subtype method must be weaker than the precondition of the supertype method: mA.pre ⇒ mB.pre
  • Postcondition of the subtype method must be stronger than the postcondition of the supertype method: mB.post ⇒ mA.post

cs205: engineering software 6

    public int f (A a, X x) {
        // REQUIRES: a is initialized
        // EFFECTS: returns a.value * x.value
        return a.m (x);
    }

    public class A {
        // An A may be initialized or uninitialized.
        // An initialized A has an associated int value.
        public int m (X x) {
            // REQUIRES: this is initialized
        }
    }

    public class B extends A {
        // A B may be initialized or uninitialized.
        // A B may be awake or asleep.
        // An initialized B has an associated int value.
        public int m (X x) {
            // REQUIRES: this is initialized and awake
        }
    }

Can't make the precondition stronger! The callsite might not satisfy it.
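The A/B example above with its REQUIRES clauses made executable, so the failure at the callsite is visible. This is an added example in Python standing in for the slide's Java pseudocode, not code from the cs205 slides. Class, method and attribute names (A, B, X, f, m, initialized, awake, value) follow the slide; the `require` helper, the `PreconditionViolated` exception, the `substitute` driver and the choice that an uninitialized lenient B evaluates to 0 are assumptions of this example. `StrictB` carries the strengthened precondition (initialized and awake) from the slide; `LenientB` carries the weakened one, REQUIRES: nothing, that the deck also shows.

```python
"""Methods rule at a supertype callsite (added example; helpers are assumed)."""
from typing import Optional


class PreconditionViolated(Exception):
    """Raised when a REQUIRES clause is not met (assumed helper, not on the slide)."""


def require(cond: bool, what: str) -> None:
    """Check a REQUIRES clause explicitly instead of silently computing garbage."""
    if not cond:
        raise PreconditionViolated(what)


class X:
    def __init__(self, value: int) -> None:
        self.value = value


class A:
    # An A may be initialized or uninitialized.
    # An initialized A has an associated int value.
    def __init__(self, value: Optional[int] = None) -> None:
        self.value = value

    @property
    def initialized(self) -> bool:
        return self.value is not None

    def m(self, x: X) -> int:
        # REQUIRES: this is initialized
        # EFFECTS: returns this.value * x.value
        require(self.initialized, "A.m: receiver must be initialized")
        return self.value * x.value


class StrictB(A):
    # A B may be initialized or uninitialized; a B may be awake or asleep.
    # This override STRENGTHENS the precondition: the slide's unsafe case.
    def __init__(self, value: Optional[int] = None, awake: bool = False) -> None:
        super().__init__(value)
        self.awake = awake

    def m(self, x: X) -> int:
        # REQUIRES: this is initialized and awake
        require(self.initialized and self.awake,
                "StrictB.m: receiver must be initialized and awake")
        return self.value * x.value


class LenientB(A):
    # This override WEAKENS the precondition to REQUIRES: nothing. Every state
    # that satisfies A's precondition is still accepted, and whenever A's
    # precondition holds the result is exactly what A.m would return.
    def __init__(self, value: Optional[int] = None, awake: bool = False) -> None:
        super().__init__(value)
        self.awake = awake

    def m(self, x: X) -> int:
        # REQUIRES: nothing
        # EFFECTS: returns this.value * x.value; an uninitialized B counts as 0
        # (how the uninitialized case is handled is an assumption of this example)
        return (self.value if self.initialized else 0) * x.value


def f(a: A, x: X) -> int:
    # REQUIRES: a is initialized
    # EFFECTS: returns a.value * x.value
    # Written against A's contract only: it knows nothing about "awake".
    return a.m(x)


def substitute(a: A) -> str:
    """Run the supertype callsite f on a subtype instance and report the outcome."""
    try:
        return f"ok: {f(a, X(3))}"
    except PreconditionViolated as err:
        return f"violated: {err}"


if __name__ == "__main__":
    print(substitute(A(7)))                     # ok: 21
    print(substitute(StrictB(7, awake=False)))  # precondition violated at f's callsite
    print(substitute(LenientB(7)))              # ok: 21
```

The point of the explicit `require` is that a strengthened precondition fails loudly at the callsite rather than returning a wrong value; without it, `StrictB` would simply compute with an asleep receiver and the specification violation would go unnoticed.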

cs205: engineering software 7

    public int f (A a, X x) {
        // REQUIRES: a is initialized
        // EFFECTS: returns a.value * x.value
        return a.m (x);
    }

    public class A {
        // An A may be initialized or uninitialized.
        // An initialized A has an associated int value.
        public int m (X x) {
            // REQUIRES: this is initialized
        }
    }

    public class B extends A {
        // A B may be initialized or uninitialized.
        // A B may be awake or asleep.
        // An initialized B has an associated int value.
        public int m (X x) {
            // REQUIRES: nothing
        }
    }

Okay, precondition is weaker.

cs205: engineering software 8

Subtype Condition 3: Properties

Subtypes must preserve all properties described in the overview specification of the supertype.

cs205: engineering software 9

Properties Example

    public class StringSet {
        // Overview: An immutable set of Strings.
    }

    public class MutStringSet extends StringSet {
        // Overview: A mutable set of Strings.
    }

MutStringSet cannot be a subtype of StringSet, since it does not satisfy the unchangeable (immutable) property.

cs205: engineering software 10

Properties Example

    public class StringSet extends MutStringSet {
        // Overview: An immutable set of Strings.
    }

    public class MutStringSet {
        // Overview: A mutable set of Strings.
    }

StringSet could be a subtype of MutStringSet according to the properties rule...

...but couldn't satisfy the methods rule.
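The first properties example, with a client that actually depends on the "immutable" property, so the breakage is observable. This is an added example in Python, not code from the cs205 slides. StringSet and MutStringSet follow the slide; the `Registry` client, the `demo` driver, the `contains`/`insert` bodies and the sample strings are assumptions of this example. The client keys a table on the sets it is handed, which is only sound if a set never changes after it is stored; a MutStringSet passed where a StringSet is expected, then mutated through `insert`, silently disappears from the table.

```python
"""Properties rule: a mutable subtype breaks a client that relied on immutability (added example)."""


class StringSet:
    # Overview: An immutable set of Strings.
    def __init__(self, items=()) -> None:
        self._items = frozenset(items)

    def contains(self, s: str) -> bool:
        return s in self._items

    # Immutability is what makes a StringSet safe to hash: clients may use it
    # as a dictionary key or cache results computed from its contents.
    def __hash__(self) -> int:
        return hash(self._items)

    def __eq__(self, other: object) -> bool:
        return isinstance(other, StringSet) and self._items == other._items


class MutStringSet(StringSet):
    # Overview: A mutable set of Strings.
    # Violates the properties rule: StringSet's overview promised immutability.
    def insert(self, s: str) -> None:
        self._items = self._items | {s}


class Registry:
    """Client written against StringSet (assumed for this example, not on the slide).

    It relies on the immutability property by keying a table on the sets it
    is given; the table is only correct if those keys never change.
    """

    def __init__(self) -> None:
        self._labels = {}

    def register(self, key: StringSet, label: str) -> None:
        self._labels[key] = label

    def lookup(self, key: StringSet):
        return self._labels.get(key)


def demo(mutate: bool) -> bool:
    """Register a MutStringSet where a StringSet is expected, optionally mutate it
    through the subtype's extra method, and report whether the client can still
    find the entry it stored."""
    reg = Registry()
    s = MutStringSet(["alice", "bob"])   # constructed sample data
    reg.register(s, "reviewers")
    if mutate:
        s.insert("carol")   # legal for MutStringSet, impossible for a true StringSet
    return reg.lookup(s) is not None


if __name__ == "__main__":
    print("unchanged set found:", demo(False))   # True
    print("mutated set found:", demo(True))      # False: the stored hash no longer matches
```

Nothing raises here, which is what makes property violations dangerous: the supertype's client keeps running and quietly returns the wrong answer. The second example on the slide fails the other way round: with StringSet as the subtype of MutStringSet, an immutable set cannot meet the postcondition of an inherited mutating method.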

cs205: engineering software 11

Substitution Principle Summary

  • Signatures: subtype methods must be type correct in supertype callsites: result is a subtype (covariant), parameters are supertypes (contravariant)
  • Methods: subtype preconditions must be weaker than supertype preconditions (covariant); subtype postconditions must be stronger than supertype postconditions (contravariant)
  • Properties: subtype must preserve all properties specified in supertype overview

cs205: engineering software 12

Substitution Mystery

    … (in client code)
    MysteryType1 mt1;
    MysteryType2 mt2;
    MysteryType3 mt3;
    … (anything could be here)
    mt1 = mt2.m (mt3);

If the Java compiler accepts this code, which of these are guaranteed to be true?

  a. The apparent type of mt2 is MysteryType
  b. At the last statement, the actual type of mt2 is MysteryType
  c. MysteryType2 has a method named m
  d. The MysteryType2.m method takes a parameter of type MysteryType
  e. The MysteryType2.m method returns a subtype of MysteryType
  f. After the last statement, the actual type of mt1 is MysteryType

cs205: engineering software 19

Eiffel Rules

Class hierarchy: Skier has set_roommate (Skier); Boy and Girl are subtypes of Skier.

The types of the parameters in the subtype method may be subtypes of the supertype parameters.

How can Girl override set_roommate?

  • set_roommate (Girl g)
  • set_roommate (Boy b)

Opposite of substitution principle!

cs205: engineering software 20

Substitution Principle / Eiffel

    class A {
        public RA m (PA p);
    }

    class B extends A {
        public RB m (PB a);
    }

    … (in client code)
    MysteryType1 mt1;
    MysteryType2 mt2;
    MysteryType3 mt3;
    …
    mt1 = mt2.m (mt3);

|                | Substitution Principle  | Eiffel                  |
|----------------|-------------------------|-------------------------|
| Parameters     | Psub ≥ Psuper           | Psub ≤ Psuper           |
| Preconditions  | pre_sub ⇒ pre_super     | pre_sub ⇒ pre_super     |
| Result         | Rsub ≤ Rsuper           |                         |
| Postconditions | post_sub ⇒ post_super   |                         |

cs205: engineering software 21

Eiffel and I Can’t Get Up?

    s: skier; g: girl; b: boy;
    s := g;
    s.set_roommate (b);

Class hierarchy: Skier has set_roommate (Skier); Boy and Girl are subtypes of Skier, and Girl overrides it as set_roommate (Girl).

Meyer's paper is all about the contortions Eiffel needs to deal with non-substitutable subtypes.
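The three-line Eiffel fragment above run through to its consequence. This is an added example in Python, not code from the cs205 slides or from Meyer's paper; Python's dynamic dispatch stands in for Eiffel's. Skier, Boy, Girl and set_roommate follow the slide; the `name` and `roommate` attributes, the explicit `isinstance` check inside `Girl.set_roommate` and the `pair_up` client are assumptions of this example. The check is the piece a language with covariant parameters has to add somewhere: the client was written against Skier's contract, which accepts any Skier, so the narrowed parameter can only be enforced when the call actually happens.

```python
"""Covariant parameter override and the call it breaks (added example; helpers assumed)."""


class Skier:
    def __init__(self, name: str) -> None:
        self.name = name
        self.roommate = None

    def set_roommate(self, other: "Skier") -> None:
        # Supertype contract: any Skier is an acceptable roommate.
        self.roommate = other


class Boy(Skier):
    pass


class Girl(Skier):
    def set_roommate(self, other: "Girl") -> None:
        # Eiffel-style covariant parameter: Skier narrowed to Girl.
        # Without this run-time check a Boy would simply be stored, so the
        # override would silently break the contract the client relies on.
        if not isinstance(other, Girl):
            raise TypeError(
                f"Girl.set_roommate expects a Girl, got {type(other).__name__}")
        self.roommate = other


def pair_up(s: Skier, other: Skier) -> str:
    """Client written against Skier: the slide's `s := g; s.set_roommate (b)`.

    Returns a short description of what happened instead of letting the
    TypeError propagate, so the outcome of each pairing can be compared.
    """
    try:
        s.set_roommate(other)
        return f"{s.name} rooms with {s.roommate.name}"
    except TypeError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    s: Skier = Girl("g")          # static type Skier, actual type Girl
    print(pair_up(s, Boy("b")))   # rejected at run time: the client did nothing wrong
    print(pair_up(Boy("b"), Girl("g")))   # b rooms with g
```

Under the substitution principle the override would have to accept at least every Skier, and the `TypeError` path could not exist; the contravariant parameter rule on slide 4 is exactly what rules out this failure statically.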

cs205: engineering software 22

Charge

"Must it be assumed that because we are engineers beauty is not our concern, and that while we make our constructions robust and durable we do not also strive to make them elegant? Is it not true that the genuine conditions of strength always comply with the secret conditions of harmony?"

Gustave Eiffel