<!DOCTYPE html> <html> <head> <meta name="viewport" content="width=device-width, initial-scale=1"> <!-- Latest compiled and minified CSS --> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"> <!-- Optional theme --> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" integrity="sha384-rHyoN1iRsVXV4nD0JutlnGaslCJuC7uwjduW9SVrLvRYooPp2bWYgmgJQIXwl/Sp" crossorigin="anonymous"> <!-- Latest compiled and minified JavaScript --> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> <link rel="stylesheet" href="style.css" /> <title>Specifications</title> </head> <body> <p><a href="index.html">Back to table of contents</a></p> <img src="images/blueprint.jpg" class="img-responsive" /> <small>Credit: public domain</small> <h1>Specifications</h1> <div class="lead">Andrew J. Ko</div> <p>When you make something with code, you're probably used to figuring out a design as you go. You write a function, you choose some arguments, and if you don't like what you see, perhaps you add a new argument to that function and test again. This <a href="https://en.wikipedia.org/wiki/Cowboy_coding" target="_blank">cowboy coding</a> as some people like to call it can be great fun! It allows systems to emerge more organically, as you iteratively see your front-end design emerge, the design of your implementation emerges too, co-evolving with how you're feeling about the final product.</p> <p>As you've probably noticed by now, this type of process doesn't really scale, even when you're working with just a few other people. That argument you added? You just broke a bunch of functions one of your teammates was planning and when she commits her code, now she gets merge conflicts, which cost her an hour to fix because she has to catch up to whatever design change you made. This lack of planning quickly turns into an uncoordinated mess of individual decision making. Suddenly you're spending all of your time cleaning up coordination messes instead of writing code.</p> <p>The techniques we've discussed so far for avoiding this boil down to <em>specifying</em> what code should do, so everyone can write code according to a plan. We've talked about <a href="requirements.html">requirements specifications</a>, which are declarations of what software must do from a users' perspective. We've also talked about <a href="architecture.html">architectural specifications</a>, which are high-level declarations of how code will be organized, encapsulated, and coordinated. At the lowest level are <b>functional specifications</b>, which are declarations about the <em>properties of input and output of functions in a program</em>. <p>In their simplest form, a functional specification can be a just some natural language that says what an individual function is supposed to do:</p> <pre> // Return the smaller of the two numbers, or if they're equal, the second number. function min(a, b) { return a < b ? a : b; } </pre> <p>This comment achieves the core purpose of a specification: to help other developers understand what the requirements and intended behavior of a function are. As long as everyone sticks to this "plan" (everyone calls the function with only numbers and the function always returns the smaller of them), then there shouldn't be any problems.</p> <p>The comment above is okay, but it's not very precise. It says what is returned and what properties it has, but it only implies that numbers are allowed without saying anything about what kind of numbers. Are decimals allowed or just integers? What about not-a-number (the result of dividing 1 by 0). Or infinity?</p> <p>To make these clearer, many languages use <b>static typing</b> to allow developers to specify types explicitly:</p> <pre> // Return the smaller of the two integers, or if they're equal, the second number. function min(int a, int b) { return a < b ? a : b; } </pre> <p>Because an <code>int</code> is well-defined in most languages, the two inputs to the function are well-defined.</p> <p>Of course, if the above was JavaScript code (which doesn't support static typing), JavaScript does nothing to actually verify that the data given to <code>min()</code> are actually integers. It's entirely fine with someone sending a string and an object. This probably won't do what you intended, leading to defects.</p> <p>This brings us to a second purpose of writing functional specifications: to help <em>verify</em> that functions, their input, and their output are correct. Tests of functions and other low-level procedures are called <strong>unit tests</strong>. There are many ways to use specifications to verify correctness. By far, one of the simplest and most widely used kinds of unit tests are <b>assertions</b> (<a href="#clarke">Clarke & Rosenblum 2006</a>). Assertions consist of two things: 1) a check on some property of a function's input or output and 2) some action to notify about violations of these properties. For example, if we wanted to verify that the JavaScript function above had integer values as inputs, we would do this:</p> <pre> // Return the smaller of the two numbers, or if they're equal, the second number. function min(a, b) { if(!Number.isInteger(a)) alert("First input to min() isn't an integer!"); if(!Number.isInteger(b)) alert("Second input to min() isn't an integer!"); return a < b ? a : b; } </pre> <p>These two new lines of code are essentially functional specifications that declare "<em>If either of those inputs is not an integer, the caller of this function is doing something wrong</em>". This is useful to declare, but assertions have a bunch of problems: if your program <em>can</em> send a non-integer value to min, but you never test it in a way that does, you'll never see those alerts. This form of <strong>dynamic verification</strong> is therefore very limited, since it provides weaker guarantees about correctness. That said, a study of the use of assertions in a large database of GitHub projects shows that use of assertions <em>is</em> related to fewer defects (<a hef="#casalnuovo">Casalnuovo et al. 2015</a>) (though note that I said "related": we have no evidence that assertions actually prevent defects. It may be possible that developers who use assertions are just better at avoiding defects.)</p> <p>Assertions are related to the broader category of <strong>error handling</strong> language features. Error handling includes assertions, but also programming language features like exceptions and exception handlers. Error handling is a form of specification in that <em>checking</em> for errors usually entails explicitly specifying the conditions that determine an error. For example, in the code above, the condition <code>Number.isInteger(a)</code> specifies that the parameter <code>a</code> must be an integer. Other exception handling code such as the Java <code>throws</code> statement indicates the cases in which errors can occur and the corresponding <code>catch</code> statement indicates what is to done about errors. It is difficult to implement good exception handling that provides granular, clear ways of recovering from errors (<a href="#chen">Chen et al. 2009</a>). Evidence shows that modern developers are still exceptionally bad at designing for errors; one study found that errors are not designed for, few errors are tested for, and exception handling is often overly general, providing little ability for users to understand errors or for developers to debug them (<a href="#ebert">Ebert et al. 2015</a>). These difficulties appear to be because it is difficult to imagine the vast range of errors that can occur (<a href="#maxion">Maxion & Olszewski 2000</a>).</p> <p>Researchers have invented many forms of specification that require more work and more thought to write, but can be used to make stronger guarantees about correctness (<a href="#woodcock">Woodcock et al. 2009</a>). For example, many languages support the expression of formal <strong>pre-conditions</strong> and <strong>post-conditions</strong> that represent contracts that must be kept for the program to be corect. (<strong>Formal</strong> means mathematical, facilitating mathematical proofs that these conditions are met). Because these contracts are essentially mathematical promises, we can build tools that automatically read a function's code and verify that what it computes exhibits those mathematical properties using automated theorem proving systems. For example, suppose we wrote some formal specifications for our example above to replace our assertions (using a fictional notation for illustration purposes):</p> <pre> // pre-conditions: a in Integers, b in Integers // post-conditions: result <= a and result <= b function min(a, b) { return a < b ? a : b; } </pre> <p>The annotations above require that, no matter what, the inputs have to be integers and the output has to be less than or equal to both values. The automatic theorem prover can then start with the claim that result is always less than or equal to both and begin searching for a counterexample. Can you find a counterexample? Really try. Think about what you're doing while you try: you're probably experimenting with different inputs to identify arguments that violate the contract. That's similar to what automatic theorem provers do, but they use many tricks to explore large possible spaces of inputs all at once, and they do it very quickly.</p> <p>There are definite tradeoffs with writing detailed, formal specifications. The benefits are clear: many companies have written formal functional specifications in order to make <em>completely</em> unambiguous the required behavior of their code, particularly systems that are capable of killing people or losing money, such as flight automation software, banking systems, and even compilers that create executables from code (<a href="#woodcock">Woodcock et al. 2009</a>). In these settings, it's worth the effort of being 100% certain that the program is correct because if it's not, people can die.</p> <p>When the consequences aren't so high, other factors dominate: writing functional specifications is very hard and very time consuming, you need tools to verify the annotations themselves, and you have to maintain annotations. These barriers deter many developers from writing them (<a href="#schiller">Schiller et al. 2014</a>). Some forms of specifications, like the UML diagrams we described when discussing architecture, lack the benefits of formal specifications <em>and</em> require a lot of work to create, leading many practitioners to find them not worth the effort (<a href="#petre">Petre 2013</a>).</p> <p>Specifications can have other benefits. The very act of writing down what you expect a function to do in the form of test cases can slow developers down, causing to reflect more carefully and systematically about exactly what they expect a function to do (<a href="#fucci">Fucci et al. 2016</a>). Perhaps if this is true in general, there's value in simply stepping back before you write a function, mapping out pre-conditions and post-conditions in the form of simple natural language comments, and <em>then</em> writing the function to match your intentions.</p> <center class="lead"><a href="process.html">Next chapter: Process</a></center> <h2>Further reading</h2> <p id="casalnuovo">Casey Casalnuovo, Prem Devanbu, Abilio Oliveira, Vladimir Filkov, and Baishakhi Ray. 2015. <a href="http://dl.acm.org/citation.cfm?id=2818846" target="_blank">Assert use in GitHub projects</a>. In Proceedings of the 37th International Conference on Software Engineering - Volume 1 (ICSE '15), Vol. 1. IEEE Press, Piscataway, NJ, USA, 755-766.</p> <p id="chen">Chen, Chien-Tsun, Yu Chin Cheng, Chin-Yun Hsieh, and I-Lang Wu. "<a href="http://www.sciencedirect.com/science/article/pii/S0164121208001714" target="_blank">Exception handling refactorings: Directed by goals and driven by bug fixing</a>." Journal of Systems and Software 82, no. 2 (2009): 333-345.</p> <p id="clarke">Clarke, L. A., & Rosenblum, D. S. (2006). <a href="http://dl.acm.org/citation.cfm?id=1127900" target="_blank">A historical perspective on runtime assertion checking in software development</a>. ACM SIGSOFT Software Engineering Notes, 31(3), 25-37.</p> <p id="ebert">Ebert, F., Castor, F., and Serebrenik, A. (2015). <a href="http://www.sciencedirect.com/science/article/pii/S0164121215000862" target="_blank">An exploratory study on exception handling bugs in Java programs</a>." Journal of Systems and Software, 106, 82-101.</p> <p id="fucci">Fucci, D., Erdogmus, H., Turhan, B., Oivo, M., & Juristo, N. (2016). <a href="http://ieeexplore.ieee.org/document/7592412/" target="_blank">A Dissection of Test-Driven Development: Does It Really Matter to Test-First or to Test-Last?</a>. IEEE Transactions on Software Engineering.</p> <p id="maxion">Maxion, Roy A., and Robert T. Olszewski. <a href="http://ieeexplore.ieee.org/document/877848/" target="_blank">Eliminating exception handling errors with dependability cases: a comparative, empirical study</a>." IEEE Transactions on Software Engineering 26, no. 9 (2000): 888-906.</p> <p id="schiller">Schiller, T. W., Donohue, K., Coward, F., & Ernst, M. D. (2014, May). <a href="http://dl.acm.org/citation.cfm?id=2568285" target="_blank">Case studies and tools for contract specifications</a>. In Proceedings of the 36th International Conference on Software Engineering (pp. 596-607).</a> <p id="petre">Marian Petre. 2013. <a href="http://dl.acm.org/citation.cfm?id=2486883" target="_blank">UML in practice</a>. In Proceedings of the 2013 International Conference on Software Engineering (ICSE '13). IEEE Press, Piscataway, NJ, USA, 722-731.</p> <p id="woodcock">Jim Woodcock, Peter Gorm Larsen, Juan Bicarregui, and John Fitzgerald. 2009. <a href="http://dx.doi.org/10.1145/1592434.1592436" target="_blank">Formal methods: Practice and experience</a>. ACM Comput. Surv. 41, 4, Article 19 (October 2009), 36 pages.</p> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-10917999-1']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </body> </html>