design by contract versus doctest

[Peter Hickman]

Aku is correct, no checks are (necessarily) made by the function in
installed code. It is the caller's responsibility to satisfy the
pre-conditions.

True but the caller does not check the pre-conditions, that is done in
the called. The called does not trust the caller to get things right,
hence the contract.

In the installed code the pre-conditions are not necessarily
implemented therefore the function cannot refuse to run since it does
not know its pre-condition at this stage.

I can think of no good reason to turn off checking of the pre and post
conditions unless you can guarantee that the live system will never
encounter a combination of inputs and states that have not already been
tested for. You hardly need DbC for such hubris.

In correctly developed DbC that is precisely what is guaranteed. The
post-condition is *guaranteed* if the pre-condition is met. It is a
design tool.

Not sure I would want to state that, or rely on it. I would only go as
far as saying what I have tested is guaranteed. But then I am paranoid.

 

[Colin Blackburn]

True but the caller does not check the pre-conditions, that is done in
the called. The called does not trust the caller to get things right,
hence the contract.

You have DbC completely wrong. The contract is there to be trusted. As far
as I can tell you are seeing what looks like a parameter check at the
start of a method and assuming that that is a defensive check against the
caller providing incorrect parameters. That is not what the preconditions
are.

The preconditions (and other constraints) were developed early in the
design process. In fact, they guided the design process.

The preconditions are ultimately coded (in Eiffel) but they are not part
of the implementation of the method. They are not there to check for
errors in production code. They are there to specify the contract, to
specify what the caller must provide for the outcome to be guaranteed.

They form part of the documentation whereas the implementation code
(following do in Eiffel) does not. Writers of calling code can examine the
pre and post-condition to know what they must do and what they can expect
if the do things right.

In fact some pre-conditions cannot be expressed computationally, there are
put in as comments, and so cannot be checked by the called method.

It is entirely the responsibility of the caller to check that the
preconditions are satisfied, by providing correct parameters, say. It
might do this explicitely, or implicitely but it is the caller that must
satisfy those conditions. The called routine has no responsibility to
check the preconditions, in fact it has every reason to expect those
preconditions to be satisfied by the caller because that *is* the contract.

Colin
--

 

[aku]

In correctly developed DbC that is precisely what is guaranteed. The
post-condition is *guaranteed* if the pre-condition is met.

Exactly! postcondition is guaranteed if precondition is true.
And in addition to that - and that was part of what I was trying
to say in the original post - in
www.python.org/doc/current/lib/module-doctest.html, the 3 tests after
the line "import math" shouldn't be necessary because they should be
part of the precondition in the doc string if DBC was applied.

 

[aku]

But then this is the python news group so I expect the father of DbC,
Bertrand Meyer, is wrong.

No Smilley

If someone deserves the title "father of DBC" it surely must
be E. W. Dijkstra, the one who teached me in college

 

[aku]

True but the caller does not check the pre-conditions, that is done in
the called. The called does not trust the caller to get things right,
hence the contract.


I can think of no good reason to turn off checking of the pre and post
conditions unless you can guarantee that the live system will never
encounter a combination of inputs and states that have not already been
tested for. You hardly need DbC for such hubris.

Isn't that where doc/unit tests can serve a purpose? In other words:
These tests will test many combinations of states and inputs , so that
in the live system the DBC can be turned off.

Not sure I would want to state that, or rely on it. I would only go as
far as saying what I have tested is guaranteed. But then I am paranoid.

"program testing can best show the presence of errors
but never their absence" -- E. Dijkstra
His formal methods indeed *proved* and *guaranteed* that the
postcondition(s) are met IF the precondition(s) were true.

 

[Peter Hickman]

If someone deserves the title "father of DBC" it surely must
be E. W. Dijkstra, the one who teached me in college

How come? This is obviously some bit of CS history I have missed, do tell.

 

[aku]

How come? This is obviously some bit of CS history I have missed, do tell.

Well, probably anyone back in those who also studied mathematics and
computer science and took classes in mr Dijkstra's "programming 1"
and "programming 2" will remember it. When I read "OO software construction"
from B. Meyer years later - an excellent book btw - I think that, when
I recall correctly, the author himself mention's that DBC is squarely
based on dijkstra's earlier theoretical basis.....
The funny thing is that in those times most students were wondering:
How can this proof-that-a-program-does-what-it's-supposed-to-do thing
ever be practically applied? The real usefullness however only became
clear to me more and more as the years went by.

 

[Peter Hickman]

I recall correctly, the author himself mention's that DBC is squarely
based on dijkstra's earlier theoretical basis.....

Oh god I'm going to have to read it all again!