How do I test code written using Design by contract?
Very interesting question.Design by contract is a way of writing code that allows for runtime verification. Three types of conditions are enforced for each method:Preconditions: what has to be true before executing the methodPostconditions: what has to be true after executing the methodInvariants: what shouldn't change during the method's executionThese three types of verifications define the method and class contract. That is, how a class behaves with its clients (aka callers). Any contract breach results in an exception.Typically, contracts are implemented with asserts and disabled in production. Bertrand Meyer, who introduced the idea, does not agree. Instead, I've read that he said contracts should be enforced in production especially because they allow for runtime validation of the program.And here comes the testing part. Since contracts are another type of verification, should we use unit tests as well? Or are contracts enough?If the contracts are disabled in production, there's no good reason to test them.If however contracts are checked in production, they also need validation. I used to evaluate them through reviews. However, after a discussion with Rebecca Wirfs-Brock, she convinced me that contracts should be unit tested as well. This is simple for preconditions and postconditions, but not easy for invariants.So, to the best of my knowledge: Enable contracts in productionUnit test them to make sure they're correctThe difficulty I've seen is that it's not easy to find a good design by contract library. I haven't much time to investigate thoroughly though, so maybe there are some good ones out there.
Are there any languages similar to Java that compile down to machine code?
All computer languages are translated into machine code either by an interpreter or a compiler, since CPUs only understand machine code or assembly language. The difference between an interpreter and a compiler is that an interpreter compiles machine code in small segments at a time and sends them to the CPU for execution and then moves onto the next segment and so on, whereas a compiler translates the entire source code into machine code (numbers) and then saves it as an .exe file, ready to be sent to the CPU for execution. Thus, interpreted code is much slower than compiled code. Java uses a JVM which interprets Java source code into byte-code, a pseudo machine code, which is then translated to machine code specific for the machine it is on, i.e. Mac/PC.
What if we treated contracts as an iterated stream instead of an immutable invariant?
There is no reason in law why a contract needs to be ‘immutable’ or ‘invariant’ or both. Even if the drafting does not provide for processes to vary the contract, which many contracts do, the parties can themselves usually vary their terms by an amendment or addendum.The law only requires that the agreement can be ‘determined’ with precision. SO if your ‘iterated stream’ can result in a certainty, after ‘iterating’ (calculating) the ‘stream’ (assuming facts, numbers date) this can be done.I’m supplying some ‘content’ to your rather vague terms. ‘iterated stream’ and ‘immutable invariant’ are rather odd concepts with no legal meaning. In fact the last one ‘immutable invariant’ is literally unintelligibly because of the floating double negatives.One of the thinks modern lawyers strive for is ‘plane language.’ So If I’ve misunderstood your questions, the fault is yours.RegardsGavin Weiman
When should a function throw an exception?
This was added to both C++ and Java categories, so I'll answer for C++. There are some situations where exceptions must be thrown and some situations where they may be thrown.A function must throw an exception ifit cannot satisfy its stated postconditionit cannot satisfy the precondition of a function it is about to callit is a public member function and it cannot re-establish the class invariantThose situations include the failure to acquire a resource in a constructor, which is the basis of RAII, the most important feature of C++.Now for more contentious situations, what if a function has a precondition and the caller violated it? There are two camps: those who favor narrow-contract functions and those who favor wide-contract functions.Narrow-contract function (such as vector::operator[]) has undefined behavior if its precondition is violatedWide-contract function (such as vector::at()) throws an exception if its precondition is violatedFinally, there is another situation, commonly encountered in library code: what if the library function calls a user-provided callback or functor, and that terminates by exception? There are different approaches again: throwing the user exception out of the library function untouched, replacing it with a different exception, modifying, or perhaps throw_with_nested, and throwing that, and not throwing anything, but swallowing the user exception and using another mechanism to report the error.
In Java, what are good habits for using asserts?
The idea for assert is Design by Contract in the area of Formal Verification of Programs. This means if a programmer has to implement some specification it is useful to specify, and maybe to check, for preconditions, postconditions and invariants of the algorithm’s state. This is useful in proving that an implementation is mathematically correct. If all the procedures in the program are proven correct then the program is also correct. That’s how Computer Scientists from 1980s were approaching software quality problems.The main technical obstacle is that easy-to-write mathematical condition can be computationally complex, e.g. verifying precondition that input array is sorted in binary search would take O(n) thus making this procedure useless. That’s why “asserts off” mode is important.Realistically not every program has a specification (Agile is a reflection that often people don’t know what exactly they want and keep changing their mind). But if there is, e.g. for some well-known and fixed algorithm, why not add asserts? But put them wise because maybe it’s you who has wrong assumption and users will suffer because of this (lot of C++ programs were full of “this should not happen” fatal errors, usually after checking external data). Don’t mix asserts on business logic (which can change e.g.by future laws) and on specific algorithms.