A software specification indicates the task (or some aspect of the task) that is
supposed to be performed when software executes.
Types of Specifications
• Class Diagrams
• Object Diagrams
• Activity Diagrams (control flow diagrams)
(the three diagram types above are incomplete specs)
• Assertions (preconditions, postconditions, invariants)
• Others
The Object of Data Abstraction
and Structure, David D. Riley
© Addison Wesley pub.
An assertion is a statement of fact that is presumed true at one or more specific code locations.
Example
// assert: str is a String and str.length > 2
char firstChar, secondChar, bigChar;
firstChar = str.charAt(0);
secondChar = str.charAt(1);
if (firstChar > secondChar) {
bigChar = firstChar;
} else {
bigChar = secondChar;
}
/* assert:
str.length > 2
and (str.charAt(0) ≥ str.charAt(1)
implies bigChar == str.charAt(0))
and (str.charAt(0) ≤ str.charAt(1)
implies bigChar == str.charAt(1)) */
Assertion Notation
Assertions are based on logic and certain program notations (i.e., variable references
and possibly non-void method calls).
Assertions should NOT contain action verbs: they describe a state, not something to be done.
Logical Operators
not SubAssertion1
The subassertion must be false.
SubAssertion1 and SubAssertion2
Both subassertions must be true.
SubAssertion1 or SubAssertion2
One or both subassertions are true.
SubAssertion1 implies SubAssertion2
When the first subassertion is true,
the second must also be true.
Assertion Notation
Another logical notation, known as quantification, permits expressing assertions
about data structures.
Form (universal quantification)
forAll(type var : boundaryCondition | SubAssertion )
Example
forAll(Integer j : 0≤j≤3 | arr[j] > 0 )
meaning: arr[0] > 0 and arr[1] > 0 and arr[2] > 0 and arr[3] > 0
Form (existential quantification)
exists(type var : boundaryCondition | SubAssertion )
Example
exists(Integer j : 0≤j≤3 | arr[j] == 7 )
meaning: arr[0] ==7 or arr[1] == 7 or arr[2] == 7 or arr[3] == 7
Quantification Examples
Assume two arrays of double: arr1 and arr2
and arr1.length == arr2.length == 5
forAll (Integer r : 0 ≤ r ≤ 3 | arr1[r] < arr1[r+1] )
forAll (w : 0 ≤ w ≤ 4 | arr1[w] == arr2[w] )
exists (k : 0 ≤ k ≤ 4 | arr1[k] == 33 and arr2[k] == 33 )
exists (k : 0 ≤ k ≤ 4 | ( arr1[k] < 0 and forAll (j : k < j ≤ 4 | arr2[k] == arr1[j]) ) )
forAll (j,k : 0 ≤ j,k ≤ 4 and j != k | arr1[j] != arr2[k] )
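The quantified assertions above can be turned into executable checks. The following Java class is an added example, not code from the slides or from Riley's book: forAll and exists are written as loops over an index range (an empty range is vacuously true for forAll and vacuously false for exists), the five assertions above are encoded with those helpers (generalized to arrays of any length), and the sample arrays in main are constructed here. Method names such as strictlyIncreasing, negativeThenRepeated and crossDistinct are this example's own.

```java
import java.util.function.IntPredicate;

/** Quantified assertions as executable checks (added example, not from the slides). */
public class QuantifiedAssertions {

    // forAll(Integer j : lo <= j <= hi | p(j))  ==  p(lo) and p(lo+1) and ... and p(hi)
    static boolean forAll(int lo, int hi, IntPredicate p) {
        for (int j = lo; j <= hi; j++) {
            if (!p.test(j)) return false;      // a single counterexample falsifies the conjunction
        }
        return true;                           // an empty range (lo > hi) is vacuously true
    }

    // exists(Integer j : lo <= j <= hi | p(j))  ==  p(lo) or p(lo+1) or ... or p(hi)
    static boolean exists(int lo, int hi, IntPredicate p) {
        for (int j = lo; j <= hi; j++) {
            if (p.test(j)) return true;        // a single witness satisfies the disjunction
        }
        return false;                          // an empty range is vacuously false
    }

    // forAll (Integer r : 0 <= r <= 3 | arr1[r] < arr1[r+1])   -- generalized to any length
    static boolean strictlyIncreasing(double[] arr1) {
        return forAll(0, arr1.length - 2, r -> arr1[r] < arr1[r + 1]);
    }

    // forAll (w : 0 <= w <= 4 | arr1[w] == arr2[w])
    static boolean elementwiseEqual(double[] arr1, double[] arr2) {
        return arr1.length == arr2.length
            && forAll(0, arr1.length - 1, w -> arr1[w] == arr2[w]);
    }

    // exists (k : 0 <= k <= 4 | arr1[k] == 33 and arr2[k] == 33)
    static boolean both33Somewhere(double[] arr1, double[] arr2) {
        int last = Math.min(arr1.length, arr2.length) - 1;
        return exists(0, last, k -> arr1[k] == 33 && arr2[k] == 33);
    }

    // exists (k : 0 <= k <= 4 | arr1[k] < 0 and forAll (j : k < j <= 4 | arr2[k] == arr1[j]))
    static boolean negativeThenRepeated(double[] arr1, double[] arr2) {
        int last = Math.min(arr1.length, arr2.length) - 1;
        return exists(0, last,
                      k -> arr1[k] < 0 && forAll(k + 1, last, j -> arr2[k] == arr1[j]));
    }

    // forAll (j,k : 0 <= j,k <= 4 and j != k | arr1[j] != arr2[k])  -- two nested forAlls
    static boolean crossDistinct(double[] arr1, double[] arr2) {
        int last = Math.min(arr1.length, arr2.length) - 1;
        return forAll(0, last, j -> forAll(0, last, k -> j == k || arr1[j] != arr2[k]));
    }

    public static void main(String[] args) {
        // Constructed sample data (this example's own), chosen so each assertion has a definite answer.
        double[] arr1 = {-1, 5, 8, 33, 40};
        double[] arr2 = { 2, 6, 9, 33, 41};
        // With java -ea these assert statements are checked; the printed booleans show the same.
        assert strictlyIncreasing(arr1) : "arr1 must be strictly increasing";
        assert !elementwiseEqual(arr1, arr2) : "arrays differ at index 0";
        assert both33Somewhere(arr1, arr2) : "33 appears at index 3 in both";
        System.out.println("strictlyIncreasing(arr1)     = " + strictlyIncreasing(arr1));
        System.out.println("elementwiseEqual(arr1, arr2) = " + elementwiseEqual(arr1, arr2));
        System.out.println("both33Somewhere(arr1, arr2)  = " + both33Somewhere(arr1, arr2));
        System.out.println("negativeThenRepeated         = " + negativeThenRepeated(arr1, arr2));
        System.out.println("crossDistinct(arr1, arr2)    = " + crossDistinct(arr1, arr2));
    }
}
```

Each helper returns a boolean, so the same predicate can serve as an assert, as a precondition check that throws, or as a unit-test oracle. Note that the helpers only use Java's assert keyword in main; assert statements are disabled unless the JVM is started with -ea, which is why a check that guards against untrusted input should throw rather than assert.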
Where to place Assertions?
An assertion can be located anywhere within executable instructions.
However, some locations have been found most effective:
Class Invariant
Method Precondition
Method Postcondition
Loop Invariant
Example (when is each assertion presumed to be true?)
/** class invariant
    distanceInMiles > 0 and timeInSeconds > 0 */
public class LapTime {
    private double distanceInMiles, timeInSeconds;

    /** pre: d > 0 and t > 0
        post: distanceInMiles == d and timeInSeconds == t */
    public LapTime(double d, double t) {
        distanceInMiles = d;
        timeInSeconds = t;
    }

    /** post: distanceInMiles == 60
        and timeInSeconds == 3600 */
    public void setTo60MPH() {
        distanceInMiles = 60;
        timeInSeconds = 3600;
    }

    // more methods on later slides
}
Special Postcondition Notations
Return value (result)
// Within LapTime class
/** post: result == distanceInMiles / (timeInSeconds / 3600) */
public double milesPerHour() {
    double velocity;
    velocity = distanceInMiles / (timeInSeconds / (60*60));   // hours = seconds / 3600
    return velocity;
}
Previous value (@pre)
// Within LapTime class
/** post: distanceInMiles == distanceInMiles@pre * 2 */
public void doubleTheMileage() {
distanceInMiles = distanceInMiles * 2;
}
Method caller guarantees...
precondition & class invariant (at time of method call)
Method is required to ensure...
postcondition & class invariant (at time of method return)
Addendum: A modifies clause can stipulate what alterations are permitted
(i.e., which attributes the method is allowed to change).
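The following Java class is an added example (not from the slides or from Riley's book) that turns the LapTime contracts above into runtime checks and makes the division of obligations concrete: the precondition is the caller's obligation, so the constructor rejects a violation with an IllegalArgumentException rather than trusting a caller that may be reachable from untrusted input; the postcondition and the class invariant are the method's obligation, checked with assert on return; the @pre value is captured in a local before the state changes; and result names the value being returned. The invariantHolds helper, the exception message and the values used in main are this example's own assumptions.

```java
/** LapTime with its contracts checked at runtime (added example, not from the slides). */
public class LapTime {
    private double distanceInMiles, timeInSeconds;

    /** class invariant: distanceInMiles > 0 and timeInSeconds > 0 (helper is this example's own) */
    private boolean invariantHolds() {
        return distanceInMiles > 0 && timeInSeconds > 0;
    }

    /** pre: d > 0 and t > 0
     *  post: distanceInMiles == d and timeInSeconds == t */
    public LapTime(double d, double t) {
        // The precondition is the caller's obligation. A constructor reachable from
        // untrusted input should not rely on it: reject the call instead of building
        // an object that already violates the invariant.
        if (!(d > 0 && t > 0)) {
            throw new IllegalArgumentException("pre violated: d > 0 and t > 0 required");
        }
        distanceInMiles = d;
        timeInSeconds = t;
        // The postcondition and the invariant are this method's obligation on return.
        assert distanceInMiles == d && timeInSeconds == t : "post violated";
        assert invariantHolds() : "class invariant violated";
    }

    /** post: distanceInMiles == 60 and timeInSeconds == 3600 */
    public void setTo60MPH() {
        assert invariantHolds() : "class invariant violated on entry";   // caller's obligation
        distanceInMiles = 60;
        timeInSeconds = 3600;
        assert distanceInMiles == 60 && timeInSeconds == 3600 : "post violated";
        assert invariantHolds() : "class invariant violated on return";
    }

    /** post: result == distanceInMiles / (timeInSeconds / 3600) */
    public double milesPerHour() {
        assert invariantHolds() : "class invariant violated on entry";
        double hours = timeInSeconds / 3600.0;          // 3600 seconds per hour
        double result = distanceInMiles / hours;        // "result" names the returned value
        assert result == distanceInMiles / (timeInSeconds / 3600.0) : "post violated";
        return result;
    }

    /** post: distanceInMiles == distanceInMiles@pre * 2 */
    public void doubleTheMileage() {
        assert invariantHolds() : "class invariant violated on entry";
        double distanceInMilesPre = distanceInMiles;    // snapshot of the @pre value
        distanceInMiles = distanceInMiles * 2;
        assert distanceInMiles == distanceInMilesPre * 2 : "post violated";
        assert invariantHolds() : "class invariant violated on return";
    }

    public static void main(String[] args) {
        LapTime lap = new LapTime(60, 3600);            // constructed sample: 60 miles in one hour
        System.out.println("mph = " + lap.milesPerHour());
        lap.doubleTheMileage();
        System.out.println("mph after doubling = " + lap.milesPerHour());
        try {
            new LapTime(-5, 100);                       // violates the precondition
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with java -ea to have the assert statements evaluated. The asymmetry is deliberate: the precondition guards a trust boundary and is enforced unconditionally, while postcondition and invariant checks document the method's own correctness and may be switched off in production.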
Example: the standard Color class.
java.awt.Color
- int redness
- int blueness
- int greenness
- int opaqueness «alpha»
«constructor»
+ Color(int r, int g, int b)
+ Color(float r, float g, float b, float a)
«query»
+ int getRed()
+ Color darker()
+ Color brighter()
...
What does this class diagram tell you?
What doesn't it tell you?
Using method "contracts" fills in more design details.
java.awt.Color Class Specifications
Invariant (for every Color object, c)
0 ≤ redness ≤ 255 and 0 ≤ greenness ≤ 255
and 0 ≤ blueness ≤ 255 and 0 ≤ opaqueness ≤ 255
Constructor Methods
public Color(int r, int g, int b)
pre: 0 ≤ r ≤ 255 and 0 ≤ g ≤ 255 and 0 ≤ b ≤ 255
(throws IllegalArgumentException if the precondition is violated)
modifies: redness, greenness, blueness, opaqueness
post: redness == r and greenness == g and blueness == b and opaqueness == 255
public Color(float r, float g, float b, float a)
pre: 0.0 ≤ r ≤ 1.0 and 0.0 ≤ g ≤ 1.0 and 0.0 ≤ b ≤ 1.0 and 0.0 ≤ a ≤ 1.0
(throws IllegalArgumentException if the precondition is violated)
modifies: redness, greenness, blueness, opaqueness
post: redness == r*255 and greenness == g*255
and blueness == b*255 and opaqueness == a*255
(each product rounded to the nearest integer, since the attributes are ints)
java.awt.Color Class Specifications
(continued)
Query Methods
public int getRed()
post: result == redness
public Color darker()
post: result.redness == redness * 0.7
and result.greenness == greenness * 0.7
and result.blueness == blueness * 0.7
and result.opaqueness == 255
public Color brighter()
post: (redness / 0.7) > 255 implies result.redness == 255
and (redness / 0.7) ≤ 255 implies result.redness == redness / 0.7
and (greenness / 0.7) > 255 implies result.greenness == 255
and (greenness / 0.7) ≤ 255 implies result.greenness == greenness / 0.7
and (blueness / 0.7) > 255 implies result.blueness == 255
and (blueness / 0.7) ≤ 255 implies result.blueness == blueness / 0.7
and result.opaqueness == 255
...
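A specification written this way can be checked against the real class. The following Java program is an added example (not from the slides or from Riley's book) that tests java.awt.Color against the invariant, the int-constructor precondition and the darker()/brighter() postconditions above. Its assumptions, stated in the code: the real class stores integer channels, so a channel is compared with redness * 0.7 or redness / 0.7 using a tolerance below 1 to allow for truncation; the sample colour is opaque, so the opaqueness == 255 clauses hold regardless of how alpha is treated; and the method names (invariantHolds, rejectsOutOfRange, darkerPostHolds, brighterPostHolds) are this example's own.

```java
import java.awt.Color;

/** Checks the slide's java.awt.Color contracts against the real class (added example). */
public class ColorContractCheck {

    // Invariant: every channel of every Color object lies in 0..255
    static boolean invariantHolds(Color c) {
        return inRange(c.getRed()) && inRange(c.getGreen())
            && inRange(c.getBlue()) && inRange(c.getAlpha());
    }

    static boolean inRange(int v) {
        return 0 <= v && v <= 255;
    }

    // pre of Color(int, int, int): a violation must be rejected with IllegalArgumentException
    static boolean rejectsOutOfRange(int r, int g, int b) {
        try {
            new Color(r, g, b);
            return false;                      // accepted an out-of-range value: spec violated
        } catch (IllegalArgumentException e) {
            return true;                       // rejected as the precondition clause promises
        }
    }

    // post of darker(): each channel == channel * 0.7, alpha == 255
    // Assumption: channels are ints, so allow a difference below 1 for truncation.
    static boolean darkerPostHolds(Color c) {
        Color d = c.darker();
        return near(d.getRed(), c.getRed() * 0.7)
            && near(d.getGreen(), c.getGreen() * 0.7)
            && near(d.getBlue(), c.getBlue() * 0.7)
            && d.getAlpha() == 255;            // holds for the opaque inputs used here
    }

    // post of brighter(): channel / 0.7 when that is <= 255, otherwise clamped to 255
    static boolean brighterPostHolds(Color c) {
        Color b = c.brighter();
        return brighterChannelOk(c.getRed(), b.getRed())
            && brighterChannelOk(c.getGreen(), b.getGreen())
            && brighterChannelOk(c.getBlue(), b.getBlue())
            && b.getAlpha() == 255;
    }

    static boolean brighterChannelOk(int before, int after) {
        double scaled = before / 0.7;
        return scaled > 255 ? after == 255 : near(after, scaled);
    }

    static boolean near(int actual, double expected) {
        return Math.abs(actual - expected) < 1.0;   // tolerance for integer truncation (assumption)
    }

    public static void main(String[] args) {
        Color c = new Color(100, 150, 200);    // constructed opaque sample colour
        System.out.println("invariant holds:          " + invariantHolds(c));
        System.out.println("pre rejects red = 256:    " + rejectsOutOfRange(256, 0, 0));
        System.out.println("pre rejects green = -1:   " + rejectsOutOfRange(0, -1, 0));
        System.out.println("darker() post holds:      " + darkerPostHolds(c));
        System.out.println("brighter() post holds:    " + brighterPostHolds(c));
        System.out.println("invariant after darker(): " + invariantHolds(c.darker()));
    }
}
```

The sample colour is chosen so that brighter() exercises both branches of the postcondition: 200 / 0.7 exceeds 255 and must clamp, while 100 / 0.7 and 150 / 0.7 stay in range. Checking a contract against the library it describes is the quickest way to discover where a written spec and the shipped behaviour disagree.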