






Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The importance of using assertions for ensuring software correctness. It explains how specifications are expressed through assertions, which help determine program correctness, document the program, and provide a basis for testing and debugging. The document also covers the concept of correctness formulas, preconditions, and postconditions, and provides examples using java's assert statement.
Typology: Study notes
1 / 10
This page cannot be seen from the preview
Don't miss anything!







Using assertions for correctness How can we know that software is correct? It is only correct if it does what it is supposed to do. But how do we know what it is supposed to do? We need a specification. Outline for Lecture 19 I. Using assertions for correctness II. Class invariants III, Programming by contract For example, is x = y + 5 a correct statement? You need to know what the statement is supposed to do. If the specification is, “Make sure x and y have different values,” then the statement is But if the specification is, “Make sure that x has a negative value,” then the statement is So, software correctness is a relative notion. Specifications are expressed through assertions. Not only do assertions help us determine whether the program is correct, they also —
In this formula,
// If n is even, the positive n-th root // is returned. // If n is odd, the n-th root will have // the same sign as the value. // If // public double nthRoot(double value, int n) {...} Why is this better? Is it always good to check whether the (original) preconditions are satisfied? It is a very good idea to write our code so that preconditions and postconditions can be checked. This is done with the Java assert statement. The assert statement has the form assert expression 1 ; or assert expression 1 : expression 2 ; The first form simply raises an AssertionError if the assertion is not true. The second form associates the value of expression 2 with the AssertionError if an error is triggered. The value of expression 2 should be something that will be useful in debugging. We could code the postcondition checks at the end of the nthRoot method (assuming it returns result ): assert Math.pow(result, (float) n) = value); if (n % 2 == 0) assert result > 0; else assert result * value > 0; CSC/ECE 517 Lecture Notes ©2007, Edward F. Gehringer 4
Because checking of assertions may be quite expensive, it can be enabled or disabled at run time: To enable assertions at various granularities, use the
Programming by contract By associating pre- and postcondition assertions with a method m , the class tells its clients^1 “If you promise to call m with pre satisfied then I, in return, promise to deliver a final state in which post is satisfied. As in human relationships, any good contract between classes entails obligations as well as benefits for both parties (the “client” and the “supplier”).
It is shocking to some, but is one of the method’s main contributions to software reliability. Recall: If the precondition is not satisfied, the supplier doesn’t have to do anything at all. It can go into an infinite loop, or even crash the system without violating the contract. This implies that when you are writing a routine, it’s not your responsibility to check whether the preconditions are satisfied. For example, if a square-root function has the precondition x >= 0 you don’t need to check whether the argument really is ≥ 0. Actually, it is not only useless, but actually harmful, to test whether the precondition is met. This is Meyer’s non-redundancy principle: Under no circumstances shall the body of a routine ever test for the routine’s precondition. This rule is the reverse of “defensive programming” advocated by many software-engineering textbooks. What is the rationale for this rule? Design by contract invites you—
A good routine author “does not try to outsmart his clients.” If he is not sure what to do in a specific case, he excludes it in the precondition. We do not have time to go through it, but I recommend you look at the case study on overriding the equals method in Java, in Skrien § 4.7. CSC/ECE 517 Lecture Notes ©2007, Edward F. Gehringer 10