Why Is "Design by Contract" Not More Popular? 178
Coryoth writes "Design by Contract, writing pre- and post-conditions on functions, seemed like straightforward common sense to me. Such conditions, in the form of executable code, not only provide more exacting API documentation, but also provide a test harness. Having easy to write unit tests, that are automatically integrated into the inheritance hierarchy in OO languages, 'just made sense'. However, despite being available (to varying degrees of completeness) for many languages other than Eiffel, including Java, C++, Perl, Python, Ruby, Ada, and even Haskell and Ocaml, the concept has never gained significant traction, particularly in comparison to unit testing frameworks (which DbC complements nicely), and hype like 'Extreme Programming'. So why did Design by Contract fail to take off?"
Comment removed (Score:5, Insightful)
Re:Management (Score:4, Insightful)
A good architect will help establish clear separation of authority, giving team members more autonomy to go do what they're good at without having other peoples fingers in their pies or needing to leave their area of scope.
There are a lot of people with pieces of paper from a school that are terrible at these things, and they muddle along leaving wreckage behind them. But that doesn't dismiss the value of having someone competent in those roles when you can find them.
Re: (Score:2)
A good business analyst ..., A good architect, There are a lot of people with pieces of paper from a school that are terrible at these things, and they muddle along leaving wreckage behind them. But that doesn't dismiss the value of having someone competent in those roles when you can find them.
So very true, but I (generally) haven't seen it. The problem is that people think that one can 'graduate' with the knowledge they need to produce good results. The last module that I worked specked out by a power-point presentation from the business analyst, and when we insisted on 'use cases' the 'architect' started poorly (from our template), and got worse with every function. Sorry, but it takes real experience and insight to properly design a system, the the best never think that they got it perfect. People have a tendency to confuse bluster and arrogance with ability and experience.
Re:Management (Score:5, Interesting)
They do, yet in my experience, these things are inversely correlated. This applies to all guidance/oversight roles, including business analysts, software architects, consultants, and indeed managers themselves. As I've commented here before, you can always identify a good leader by three characteristics:
The third one is usually the easiest way to identify morons. If you come across a leader in software development who places more value on reports and metrics so they can track things than they do on supporting the developers and test teams working for them, then you know you're dealing with an incompetent.
And yes, that does mean many leaders in software development organisations today are incompetent. That's why the genuinely good people are worth so much.
Re: (Score:2)
Fixed
Ask the people who actually use the stuff next time.
Re: (Score:2)
Re: (Score:2)
The problems is that developers, users and managers all speak somewhat different languages. It's all English but they all see things in a different way and that leads to confusion. In general developers should spend a considerable amount of time with the users in their domain to really understand the needs of those users.
Case in point, I worked for a CAD firm and our developers would be sent to different companies to observe how the engineers use our product. We would invite many of those eng
Contracts (Score:2, Funny)
I don't have relationships with random other programmers (even if they are female and cute).
Re: (Score:2)
Darl McBride, CEO of SCO.
Yes. I made a second, more serious post in this discussion as well. Any time I have a really bad joke, I do that so that the real post doesn't get dragged down by the moderation on the joke post. :P
Re: (Score:2)
Oh, him. Does anyone actually pay attention to him anymore?
Re: (Score:2)
Some folks [groklaw.net] still do... :-)
Who cares? (Score:3, Insightful)
Re: (Score:2, Insightful)
Re:Who cares? (Score:5, Insightful)
Two reasons: first, the more people use it, the wider it will be supported. It's nice to be involved with something on the upswing that more people are interested in than bored with. Second, it's nice to know why something's unpopular. Maybe it's hard to use, but you're a genius and will be able to put it to work. Or, maybe, everyone else realized that it's awful and moved on to something less heinous.
Re: (Score:2)
no bang for your buck (Score:3, Insightful)
Just what niche is design-by-contract supposed to fill? It's heavyweight, costly at runtime, undirected, and likely to catch bugs only after deployment -- too-little-too-late. Maybe it's unpopular because it's a poor tradeoff.
Re:no bang for your buck (Score:4, Insightful)
Assertions, whether invariants, preconditions or postconditions, can be viewed as extensions to the type system [1]. Since they are expressions of a boolean type and don't modify state (at least, no sane ones would mutate state), they're very easily analysed.
Combine that with a runtime like
The niche that DbC is supposed to fill is formalising what is already recognised good practice - stating your assumptions while writing your code. If you have much experience as a programmer, you'll know that it's useful to use assert, ASSERT, or some other feature of your environment at choice places where you make certain assumptions that you think can't be broken. And if you've read The Pragmatic Programmer, you'll know why you'll want to leave those assertions in the final release.
Most popular languages, such as C#, Java, C++ etc., capture very little programmer intent in their type systems. There's a lot more potential there - preconditions and postconditions can e.g. state that a variable will be in a certain range dependent on the values of other variables, and then automatically detect range mismatches with e.g. loop invariants. Basically, assertions are really useful extensions to the type system.
[1] For example, consider that a 'requires x != null' constraint and a notional non-nullable reference type from C# or Java, analogous to 'MyType!' in C-w (C Omega):
http://blogs.msdn.com/cyrusn/archive/2004/06/03/1
Re: (Score:2, Interesting)
I think you are being naive. In the real world they often want as many features as possible with the smallest staff possible. This means that things like formal testing are glossed over. It is an art-form to deliver tons of features on the cheap. Of course, it depends on the nature of the business. If it is the Space Shuttle or medical equipment, then you better spend the extra money or you will get sued up the wazoo. An intr
Re: (Score:2)
Someone once said (can't remember who) that making a program was like piling 100 bricks on top of one another, but using OO pro
Re: (Score:2)
However, you do raise an important point, in that we have different models for data and code, and thus there is an "impedance mismatch" between them. In this sense, combining OOP and relational is diff
Re: (Score:2)
Re: (Score:2)
In the real world they often want as many features as possible with the smallest staff possible.
I think you are being even more naive than the parent commenter. What businesses, including governments, want in the real world, is software that produces the most monetary benefit with the least monetary cost over the life of the system. Sometimes there are certain intermediary goals that effect this, but ultimately what I just said is the goal. If your are a software developer and are not attempting this same thing you are doing your client or employer a disservice at best, and at worst stealing. This
Re: (Score:2)
I think what they usually want is the best return on investment, which isn't necessarily the same as what you wrote there.
In any case, I think your entire post is backwards, though I've heard the same argument many times before. If you want to get lots of features working quickly, the only way to achieve it is to do the development properly. Neglecting QA is a false economy, as is dropping other defensive p
Re: (Score:2)
You write as if they are mutually exclusive. Why?
That makes no sense. The whole point of the interface/implementation separation is that you can change the implementation without changing the interface. If you change the interface, you will necessarily change the implementation at least enough to match.
I'm
Re: (Score:3, Insightful)
Unfortunately, hack-a-day cowboys gained control of both the house, the senate, and the clone army, so hack-a-day coding practices are now the accepted norm, and people look at you funny when you pinch your brow in abject frustration.
The problem with DbC is that the benefits are best understood by an examination of the system as a whole, rather than the culturally ascendant analysis that permits the cable companies and telcos to p
Re:no bang for your buck (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Design by contract seems like a lot of extra work and runtime cost...
DBC in use is actually a lot less work and a lot less runtime cost. DBC, if used properly, produces software that has a much shorter testing and debugging period. Regression testing is much faster as the contract will not have changed on any of the prior built parts. The though that there is a performance reduction effect of DBC, which is what I assume is meant by "runtime cost" is a lack of understanding DBC. There is nothing in DBC that says there needs to be any runtime checking of the contract. In
Re: (Score:2)
Extreme Programming (Score:5, Funny)
Re: (Score:2)
Design by Contract (Score:3, Informative)
Of course, you don't actually need special constructs to check values on input then tossing an exception/returning an error when the data is not in the expected range. In fact, you should go back to remedial programming classes if you're not already doing this.
The last thing you should do is try to figure out what the caller really meant if the value is out of range. Assuming a default works in some cases (which, btw, wouldn't work with Design by Contract as I understand it), but most of the time it's just better to fail and make the programmer fix their mistake.
Sometimes more complexity is worth it (Score:2)
Sure, but so do writing explicit interfaces to modules, writing unit tests, and for that matter, writing comments. It's just a question of whether introducing that complexity at the time you write (and maintain) the code brings compensating benefits down the line.
Only a small proportion of development time is typically spent physically writing code, so these defensive progra
Re: (Score:2)
Re: (Score:2)
It is in fact used for input testing, to make sure that
It needs serious language support (Score:5, Informative)
If you're serious about design by contract, you need to use a language that supports it. Eiffel does, of course, and so does "Spec#", Microsoft's verifiable variant of C#, [microsoft.com] but other than that, "support" is a collection of half-baked add-ons that don't provide any strong assurances.
If you're going to take object invariants seriously, you have to take object invariance seriously. Objects can't be allowed to change other than when control is inside them, and when control is inside the object, no public method of the object can be called. This means you have to be able to catch cases where object A calls object B which then calls a public method of A. The invariant of A isn't established at that point, and so, calls into A are illegal. This strict notion of inside/outside is fundamental to class invariants, but many so-called "design by contract" approaches gloss over it. You need a way to explicitly say "control is now leaving this object temporarily" when calling out of an object, and the object's invariant must be true at that exit.
Threading and locking have to be handled in the language. The language needs to know which locks protect what data, or invariants aren't meaningful.
Then there's the problem of how to express an invariant, entry, or exit condition. Are quantifiers provided, or what? How do you talk about concepts like "forward and back pointers of the tree must be consistent"? There's known formalism for that sort of thing, but it's not something you can express cleanly in, say, C or C++.
Without smarts in the compiler, run time checking tends to be too expensive. The compiler needs to know that member function F can't change member variables X and Y, and therefore, invariants concerning X and Y don't have to be rechecked. Without optimizations like that, you end up rechecking everything on every call to every access function.
I'd like to see more design by contract, and I'd like to see it work well enough that when something breaks, you know which side of the interface to blame. I used to do proof of correctness work, and it's quite possible to do this. But you can't do it in C or C++; the languages are too loose. It's been done well for Modula and Java, and a DEC R&D group had a very nice system going just before Compaq canned DEC's Palo Alto research labs. The rise of C killed off verification work; the decline of C may bring it back.
But what kind of language? (Score:3, Insightful)
I'd agree with much of your post, but I think there's an unwritten assumption about programming style in what you wrote: you seem to be restricting your scope to imperative languages with mutable state (talking about locks and threading, for example).
If you're working in a language that doesn't permit generally mutable state, it's much easier to use concepts of design by contract, essentially because all you have to do is check that when you've finished constructing a new value, it is valid for whatever t
Re: (Score:2)
Re: (Score:3, Informative)
By whom? I'd like to look into it for my Java projects.
DEC R&D made ESC/Java (Extended Static Checking for Java) that used a theorem prover and specification annotations to verify contracts. Development stopped, but it is now open source as ESC/Java2 [secure.ucd.ie] which uses JML [iastate.edu] as annotation markup. I actually listed this as the Java DbC implementation in the article description.
Too many layers (Score:4, Insightful)
Re: (Score:2)
Instead of having the intrinsic type-safety checks and the social trust that the code author has run unit tests if necessary and makes the code do something reasonable, design-by-contract formalizes all this and makes you specify conditions on the code manually.
DbC doesn't force you to do anything. You can say as much, or as little, as you like for contracts (nothing at all if you prefer). The point, however, is to get benefits out of the situation where things can be expressed as a contract. You suggest that writing unit tests to assure code does something reasonable is a good idea, and it is. Writing contracts is no different, and complementary to unit tests if used properly. If your test an be expressed as a constraint then you write it as a method contract or
Re: (Score:2)
I wrote it about 15 seconds before falling sound asleep.
DbC is nothing more than extending strong typing
Precisely. If my function can be written as
uppercase_char[4] foo(int(0...10) x) {...}
I'd use it. If I can define my function as
char[4]:isUpper foo(int x:(lambda (x) (0
then I might consider it. If I have to write my function as
string foo(int x) {
assert(0
then there's no way I'm using it. I already have my language do the strong type checking for me. I'm not going
people do (Score:2, Insightful)
Yes, it is, and that's why everybody does it. It simply isn't called "design by contract" by most people, since it isn't actually design and isn't a contract. You also don't need language support for it. And people generally do this sort of thing in two parts: some conditions are always checked, but most are only checked in test frameworks.
If you can contract it it's coded already (Score:2, Insightful)
I feel that the reason why design by contract (DBC from now on) isn't popular is because the entire point of the paradigm is that it doubles or triples your code length without adding any actual information; first, you tell the computer what should be true so you can do what you're going to do, then you tell it what to do, then you tell it what you should have done. That's a lot of typing just to make sure the computer fucks up in exactly the way you told it to.
Re: (Score:3, Insightful)
Regardless, the theory remains: if you can write pre- and postconditions for a function, you already know what the function is supposed to be doing so you might as well have spent your time writing the function and doing something else.
Do you document your code at all? Do you test your code at all? That's all DbC is doing, it is just doing both at once for any tests that can be written as constraints. And remember DbC is as much about other people knowing what a function does as about you knowing - it provides clear conditions for anyone calling your code as to what they must provide, and what they can expect of any returned results, information that, for any decent DbC system, is automatically included in API documentation. You, the ori
Re: (Score:2)
Personally, I'd rather read
Re: (Score:2)
Of course with a s
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Actually, in your example I'd prefer the following. (Apologies for losing the indentation; how do you get Slashdot not to do that?)
The comments in English add no value at all: they simply repeat, in a more verbose and less precise fashion, what the code already says.
I'm not really sure what you're trying to demonstrate with the assertions
Re: (Score:2)
Apologies for losing the indentation; how do you get Slashdot not to do that?
Plain Old Text with <ecode> does the trick.
It took me awhile to figure this out, as there is no obvious link to help on formatting your posts (eventually found some help [slashdot.org] via Google).
Up until now I've been using HTML Formatted, since Plain Old Text sounded un-web like. <ecode> doesn't work very well with HTML Formatted, because it doesn't preserve the space and you can't add them with . Turns out Plain Old Text is what I wanted all along anyways. Just hit return twice when you want
Re: (Score:2)
Re: (Score:2)
Whether or not the effort of type-safety is worth it largely depends on your application domain. Duck typing may be fine by you, but for embedded code in a mission-critical application static type-checking buys you a lot of peace of mind.
That said, DbC is not the same as type safety. It provides both less (runtime checks only), and more (much more expressive constraints). Of course, some DbC systems do provide static checking of contr
Re: (Score:2)
Heh. Took me a moment to realize that you weren't talking about preprocessor #defines there :-) Why that's relevant will become obvious shortly. Anyway, I'd posit that typing '//', '--', or '%', followed by a comment is about as easy.
As for whether comments are "easier" than contracts, it depends on (as I said before) your application domain, and also what your timescale and environment is like. Example: I recently wrote some code in which I encoded some
I'd like to use DbC, but... (Score:2)
I don't want my software to fail in the field (at my day job, we write stock trading software - reliability is key because lack of availability can quickly become very expensive). If I could define a number of pre- and post-conditions for each function and have the compiler check these for
Re:I'd like to use DbC, but... (Score:5, Informative)
Finally contracts allow automated testing. That's where you automatically generate data to pass to the code and let the contracts act as a test oracle to catch and locate problems. With something like AutoTest for Eiffel the data generation can be purely random (constrained by preconditions of course), or designed to sample the input according to best coverage via genertic algorithms, etc. The result is that you find corner cases that you might not have anticipated with your unit tests - and you would be surprised how often that happens, AutoTest found a number of subtle bugs in Eiffel's base libraries which had been production code for years.
Re: (Score:2)
Re: (Score:2, Insightful)
Us table-heads who like to shift the processing burden to the database instead of application languages would point out that this resembles database constraints and triggers.
DBC requires more formalism in your approach (Score:2)
XP allows you to be more flexible in your approach, and supports the need
to constantly refactor your code.
In my experience, at the start of a complex project, we are never sure of
all the answers. The ability to pull together small pieces, to constantly
refactor as we learn more and to work in a close team outweighs the
big-systems sort of approach where everything is specified to the last
detail before you start.
Tried both, DBC stuck in the th
Re: (Score:2)
Re: (Score:2)
DBC has a greater requirement towards designing everything up front. XP allows you to be more flexible in your approach, and supports the need to constantly refactor your code.
That DbC is up front design is simply not true. You can do "Contract Driven Design" as well as you can do "Test Driven Design" (though of course combining tests and contracts, using each where they make sense - contrct for constraints, tests for explicit input to output mappings - is the best bet). Indeed there are even frameworks like ESpec [yorku.ca] which are specifically designed for doing XP in Eiffel using contracts. Try reading one of the ESpec papers on XP programming with ESpec [yorku.ca]. Think of it this way - DbC is
Already mostly done (Score:4, Informative)
As has been noted, most programmers already do design-by-contract, they just don't call it that. They call it argument checking. The first thing most routines do is validate their arguments, and return an error if any of them are invalid. The last thing done is to check the results and return an error if the results aren't valid. The calling code then checks for error codes or invalid results (eg. a search function returning a null pointer indicating the item wasn't found).
In the real world I often skip this overhead when the conditions are enforced elsewhere. For example, a data structure needed by an internal function may not have to be checked for existence since if it hadn't been created my initialization function would've detected this and signaled an error and the program would've exited. In cases like that, I either omit the check or wrap it in an ifdef so it's only done during development and ignored by the compiler during the release build.
Don't make the mistake of confusing the name of a concept with the concept itself. You'll find quite often that that nifty shiny-new concept someone's presenting as their own has actually been around for 30-40 years and they've just added some chrome, filed off the serial numbers and changed the name to keep you from noticing this.
Re: (Score:2)
As has been noted, most programmers already do design-by-contract, they just don't call it that. They call it argument checking.
The argument against this is that it is confusing implementation and specification. A contract is separate from the code implementing the function, and is automatically included in the API documentation for the function. That makes it easier for other people to use the code (they don't have to have access to the source code, or bother reading through all your code, just to be able to know they are calling your code correctly and what they can expect of the result), and for you to maintain your code. There'
Almost right by so far away (Score:2)
Let me modify that just a little bit: "The first thing most routines should do is validate their arguments."
A large majority of the security and stability problems we see in software occur precisely because (lazy|busy|rushed|incompetent) programmers didn't do this. When you're faced with that problem having the language force you to do the right thing can be helpful.
Also many languages don't have all the right tools to make argument checking easy.
Re: (Score:2)
Re: (Score:2)
Re: Absolutely not "Already mostly done" (Score:2)
Re: (Score:3, Insightful)
Unfortunately Mr. Meyer runs up against the halting problem. If the definition of a function, or the contract, says that a parameter must never be the NULL pointer, there are two choices: the code must check whether that pointer is NULL, or it must be proven that that pointer can never possibly be NULL. The second is, with the current state of the art, impossible no matter what language constructs are around to help. That means the check has to be done, the only question is whether it's done by the caller o
been doing that for years already (Score:5, Insightful)
Or, better yet... (Score:5, Informative)
And assert(condition && "Explanation of why it's bad and what to do to fix it") is even better. Don't make me read your code and figure out why the hell you put some obscure assert(n != 455) in there.
Re: (Score:2)
Or, just use assert (n != UNINITIALISED_DATA) instead of magic numbers, and avoid the obscure idiom. :-)
Re: (Score:2)
assert(condition) is your friend. It's not called a contract, it's not design (but a very good practice!) and it does the job well.
I agree that asserts do the job well. I'm just trying to point out that a good DbC system, such as some of the ones mentioned in the article, provide significant tool support which makes contracts considerably better than asserts. For example, DbC systems will have compilers that understand contracts, and extended syntax designed specifically for expressing constraints such and post conditions. A simple postcondition like x > old(x) is harder to manage with assert statements - you need extra code to sav
Re: (Score:2)
That is the difference.
If you only catch something at runtime with an assert it is already too late.
Among the Haskell programming community there is a tongue-in-cheek saying, "if it compiles it is correct." This happens because the type system is so strong, it is hard to write a program that compiles, but doesn't do what it is designed to do.
Design by contract offers similar benefits to more imperative languages.
Thou
Re: (Score:2)
Doesn't this depend on the language? Languages with lots of meta ability can intercept both ends of the inheritance tree.
But wait... you are the guy who does not need OO, so I guess "inheritance" or abstract data types are not needed either in your world.
You are right about that. Philosophers have shown t
Programmers don't find it easy (Score:2, Informative)
- confusing the signature of the function (in terms of the types of permitted input) with the pre-condition. It may be true for some implementations of pre-conditions that you need to include information of the form "input is a string" but it isn't for the way we do it in the course.
- ignoring input c
DbC and Unit Tests cover similar ground (Score:2, Insightful)
- You can write unit tests in any language, with or without a framework. (I saw a "mini-framework" for C that consisted of three macros and a coding convention.)
- In a test, you can specify assertions before and after each method call. It's a little more tedious to represent classic DbC assertions, but the Abstract Test pattern among others allows you to collect common code.
- You can strip out assertions in production code s
Side Effects (Score:2, Insightful)
Re: (Score:2)
The real reason why it is not more popular (Score:2)
Very simple (Score:3, Insightful)
It's great if you can specify that a piece of code is a 100% correct implementation of a given specification but in real life the requirements are sketchy at best & keep changing during development. So, you are likely to end up with the wrong system if you don't adjust your interpretation of them to reality during development. Besides, pre and post conditions need maintenance too if you are doing maintenance on your code, so effectively they increase the cost of what is the single most expensive development activity already: maintenance.
Besides there are other, much more useful tools for improving code quality: unit testing, integration testing, static code checkers, compile time type checking, inspections & reviews are all part of the toolkit of an experienced software engineer and largely remove the need for more formal approaches. Additionally clustering and redundant setups are a far cheaper way of guaranteeing uptime than proving the system to be correct. Risk management is better than trying to avoid risk at all cost.
And finally, the value of 100% correctness is overrated. Most commercial software functions acceptably despite the approximately 10 bugs per kloc. In theory disaster could strike any second, in practice it is a rare event that it does and the consequences are quite manageable usually. Of course things do go spectacularly wrong sometimes and usually people then find out a lot was wrong with the overall development process aside from not applying design by contract. So even then, the added value of design by contract is very questionable. You can't compensate for general incompetence with a couple of pre and post conditions.
Re: (Score:2)
Design by contract, like most formal method approaches, doesn't scale to interesting levels. If you are working on a 200KLOC project on a tight schedule, the last thing you can afford yourself is increasing time spent per line of code by equipping classes, loops and methods with pre & post conditions.
Well obviously if you're doing it post hoc it is going to be expensive, but that's a silly complaint. You should be developing contracts at the same time as you're developing code. That shouldn't be costing you much extra time because you are supposed to be writing documentation and tests for your code anyway, and contracts are as simple as writing the documentation of a function as constraints in the programming language itself (suitably extended with more expressive syntax for riting constraints) instead
Re: (Score:2)
I don't know what you mean by post hoc writing of contracts. Generally the idea of a contract is that you write the contract first and then the code. Generally the contract writing bit is a
Re: (Score:2)
By a similar argument, we should all give up with unit and integration testing, because the additional effort required to write automated tests for individual modules and then for interactions between t
What didn't take off, now? (Score:2)
If by "take off" you mean "why isn't every programmer doing it," well, for the same reason that every programmer doesn't do
Why not? Because most code is RAD (Score:2)
Don't fool yourselves. Even if the code is supposed to be into production it'll still end up being RAD, no matter what the design gooroos tell you how it should be.
As the famous quote goes: "In every project, it eventually becomes time to shoot the engineers and begin production".
Think I'll make that my sig.
Re: (Score:2)
Most software projects also produce crap at the end. As with much in life, you get what you pay for.
It's Trademarked (Score:2)
So the short answer is, DbC is extremely common, but it can't be called that by anyone but Bertrand Meyer and his licensees.
On the other hand, from my experience writing good unit tests gives you most of the benefits of DbC and a whole bunch of other benefits th
Re: (Score:2)
> but Bertrand Meyer and his licensees.
It can be called that by anyone who is not using it as a label to sell something.
No language supports design by contract (Score:2)
To have DbC you need to use 3rd party tools and ugly hacks. That basically means 2 compile steps, one where the standard compiler compiles your source language, e.g. Java, to byte code, and a second step where the extra tool analyzes the source code, the comments or the annotations and enhances/augments the byte code then.
OTOH, test driven development or Extreme Programming where the focus is on having so many
Boring and costs time, but necessary. (Score:2)
Re: (Score:2)
I was talking about the brunt of the custom developed applications that are really specialized front-ends for databases. Actually, I'm of the opinion that automatic testing of most user interfaces could be done much faster, cheaper and better by
Re: (Score:2)
I also disagree that test are primarily for finding bugs, and that regression tests diminish in usefulness as they are repeated. Tests do find bugs occasionally, which is nice, but mostly what they
Re: (Score:2)
Re: (Score:2)
I'm getting a bit tired of hearing "YOU MUST DO UNIT TESTING OR THE XP CABAL WILL COME AND RAPE YOUR DOG". The Wikipedia article reads like a goddamn advertisement. I'm not against it, I'm just pointing out that there are situations where it's a lot less useful.
Re: (Score:3, Funny)
I especially like contractual gems such as:
char *gets(char *s);
Re: (Score:2)
Well, just because you've got a contract, that doesn't mean it will do anything useful when you enforce it. ;-)
Re: (Score:2, Insightful)
How interesting for you to put these 2 questions together! Didn't your 2nd question just answered your first question (at least in theory)?
Now in practice, we obvious will be start developing before we got a complete set of requirements, which bring us to...
Re: (Score:2)
Secondly, in real systems that much of the code just doesn't lend it self to being described by pre/post conditions.... Subscriptions.get_expired() ... Seems pretty straightforward, get me a collection of expired Subscriptions...What kind of Contract would I use....
pre-conditions: Are there none?
post-conditions: All returned subscriptions are expired.....hmmm seems to be stating the obvious....
It seems simple enough to me. Presuming you don't already have an invariant to cover it you might end up with
But p
Re: (Score:2)
Translating the contract:
The third and fourth are simply a summary of the function's definition. The first lacks sense in a lot of languages because if the current object was null the method call itself would've generated an error. The second is an invalid requirement, the subscription list can very well be empty and the
Re: (Score:2)
Right. And that's a huge source of bugs. Bad assumptions, or assumptions that get violated during some calls are precisely the kind of things that produce produce behavioral errors. What DbC lets you do is state your assumptions, and do so in a format that is automatically checkable (either statically or at runtime). Note that you don't have to write contracts. But if, as you're coding, you realize that you're making a particular assumption about