Fun with Design By Contract (DBC)

Mowing Lawns Example | DBC Concepts | Why DBC Is Used

Examples | Chemical Tank Example

Mowing Lawns Example

Scenario:

You (the supplier), offer to mow lawns for people. You don't want to take on any unrealistic jobs that would be impossible to complete. So you specify criteria (preconditions) to potential customers (the client) about restrictions on the kind of lawns you will mow. If customer's lawn meets the criteria, you will provide a mowed lawn (postcondition).
.

Example Preconditions:

The lawn must be shorter than 6 inches high.

The lawn must be dry.

The lawn must be free of leaves.

The ground must be level.

There must be fewer than 5 dog turds per 1000 square feet.

There must be no unleashed dogs in the vicinity. (Safety concern)

Example Postcondition:

The lawn is mowed to a height specified by the customer

The lawn clippings are disposed of in the green barrel or compost pile.

Example Exceptions

A sudden thunderstorm will cause the lawn to be left partially mowed.

DBC Concepts

DBC is a technique that addresses the design of interfaces between modules in a software system. It aims to reduce defects, improve reliability, and reduce development costs.

The Contract:

Has two participants, the supplier and the client, each who is willing to abide by certain restrictions in order to obtain certain benefits.
("The supplier" is provider of some service and "the client" is the user or consumer of that service. In software systems, the supplier is usually a low-level module and the client is a module which invokes it.)
Defines the rights and responsibilities of both parties.

Is an agreement to repercussions for breaking the contract.

Preconditions: (The client's responsibilities.)

Are how the method specifies its requirements to run correctly.

Must be true for the method to operate correctly.

Relies on the caller to pass valid parameters.

Postconditions: (The supplier's responsibilities.)

Are guaranteed by the supplier if the preconditions are met.

Will conclude the method. (There are no infinite loops.)

Exceptions: ("Outside world" events that would cause the postconditions to not be met.)

Must be explicitly specified.

Are outside of the control of the client and therefore not part of the preconditions.

Failure to meet the contract (by either party) is a defect.

DBC authors write "Lazy" code

Be strict in what you accept. (preconditions)

Promise little in return. (postconditions)

***DO NOT error check internally, but DO error check against the world.***

Diagram of scope of contracts showing events outside system boundary can't be subject to DBC.

Why DBC Is Used

No code for error checking means less bugs.
You are not responsible for any assumptions/errors the caller might make. Your method has strict requirements and promises only what you can give in return.
- If they enter a wrong precondition, you are not responsible for the error.
- If they assume that preconditions are invariants, it is not your problem.
There is less code to write.
DBC is cost-effective because less money goes toward error checking.
There is less overhead due to faster code.
Perhaps most importantly, DBC forces the developer to think in detail about the design specifications for each module. By increasing our understanding of what the module should do, we make it more likely that our design will be correct.

Assertions and Crashing Early

Assertions are an option to check for DBC problems during the testing phase. Their default is to crash the program at the site where the assertion fails. This is a good method to catch a problem and fix it where it originates rather than after it has infected the rest of the program.

In order for DBC to be kept in its purest form, the assertions should be turned off before shipping the product to the customer.

View a sublesson on this toic.

Code Samples

Here are code samples that illustrate why DBC is a better method than exception handling. Two programs were written to read in a string and convert it to upper case. If a string is passed containing numeric digits rather than letters, what will each program print?

Convert to upper case (Non - DBC)

Convert to upper case (DBC)

Why is DBC a better choice?

Compare code samples

The DBC sample is much shorter.

It was faster/easier to code the DBC sample. More time was spent debugging the non-DBC sample.

It takes less time to compile a program without error handling.

It takes less time to execute a program without error handling.

How many times will the error handling be used in comparison to the time and money spent to put it in the code and test it?

Only the client can adequately assess why the error occurred, so the supplier is not the place to handle the error.

There will often be redundant checks in both client and supplier, requiring twice the amount of testing.

Examples

Shoveling Snow

Scenario:

I (the supplier) offer to shovel someone's driveway and sidewalk. I want to be sure the job is manageable and I get paid in cash. Customers want a clean, safe sidewalk to walk on. I specify the criteria (preconditions) necessary for me to shovel snow. Customers who agree to the requirements (preconditions) receive a sidewalk free of snow.

Preconditions:

There must be no more than a foot of snow on the ground.

It must not be snowing at starting time of service.

You must request the service between the hours of 9 am and 4 pm.

You must not have driven more than three times over any of the area you want shoveled.

You must pay in cash.

Postconditions:

The customer's driveway and sidewalk have been cleared of all snow.

Exception:
It starts snowing after service has started, some surfaces will have fresh snow on them.

Car Mechanic

Scenario:
The customer (the client) must agree to the requirements (preconditions) about leaving their car for service. You the mechanic (the supplier) deliver a serviced car in good working order (postcondition).

Example Preconditions:

You must provide the car by 9am

You must leave the keys with the car.

You may not leave any pets or children in the car.

You must be willing to leave the car all day.

Example Postcondition:

The serviced car is available for pickup after 4 pm.

Hair Dryer Example

Scenario:
A student is going on London Study. She chooses to bring her own hair dryer with a plug adapter so it will fit in the different sockets that are used in the U.K..

Question: What will happen if the student plugs in the hair dryer?

It will work correctly.

It will blow up.

It will trip a circuit breaker.

The results are unpredictable.

Answer: 4. According to DBC, we aren't sure what will happen. It might work correctly. It might blow up. It might blow a circuit breaker.

Think about why this is the case and why the hair dryer was designed this way.

US Hair Dryer

Preconditions:

The hair dryer will be plugged into a 110 volt power source.

The two or three thin prongs of the plug fit into the socket (or adapter).

Postconditions:

The hair dryer works correctly.

UK Hair Dryer

Preconditions:

The hair dryer will be plugged into a 220 volt power source.

The three thick prongs fit into the socket (or adapter).

Postconditions:

The hair dryer works correctly.

Chemical Tank - Software Example

A class called ChemicalTank represents a tank full of liquid chemicals. It has five methods: isTankFull, turnOffBottomValve, turnOffTopValve, turnOnBottomValve, turnOnTopValve.

ChemicalTank using DBC show the class designed using DBC principles.

Design By Contract has two alternate approaches: error return and exception handling.
ChemicalTankWithErrorReturn
ChemicalTankWithExceptions

This paper is modified from the original paper by Amy Rideg.