Laboratory Exercises For Computer Science 153

Program Correctness and Program Design

Goals: This laboratory exercise studies several elements of program correctness and design:

the specification of procedures using pre- and post-conditions,
the automated testing of pre-conditions using the error and warning procedures,
the encapsulation of pre-condition testing with husk-and-kernel programming.
the testing of post-conditions with test runs,

Pre- and Post-Conditions

Several of the Scheme procedures that we have written or studied in preceding labs presuppose that their arguments will meet specific pre-conditions. Pre-Conditions are constraints on the types or values of its arguments. For instance, the longest-on-list procedure from the lab on recursion won't work unless it is given a non-empty list of strings:

> (longest-on-list '(3 6 7))

Error in string-length: 6 is not a string.
Type (debug) to enter the debugger.
> (longest-on-list '())

Error in cdr: () is not a pair.
Type (debug) to enter the debugger.

Similarly, a post-condition specifies what should be true at the end of a procedure. In Scheme, a post-condition typically is a statement of what a procedure should return.

It is good programming style to state the pre- and post-conditions for each procedure as comments. Thus, a careful programmer would start the longest-on-list procedure as follows:


(define longest-on-list
  (lambda (ls)
  ;Pre-conditon:  ls is non-empty list of strings
  ;Post-condition:  procedure returns the string on ls of longest length

State pre-conditions and post-conditions for procedures power, countdown, replicate and square-each-element from the lab on recursion.

Pre- and Post-Conditions as a Contract

One can think of pre- and post-conditions as a type of contract between the developer of a procedure and the user of that procedure.

The user of a procedure is obligated to meet a procedure's pre-conditions when calling the procedure.
Assuming the pre-conditions of a procedure are met, the developer is obligated to perform processing that will produce the specified post-conditions.

As with a contract, pre- and post-conditions also have implications concerning who to blame if something goes wrong.

The developer of a procedure should be able to assume that pre-conditions are met.
If the user of a procedure fails to satisify any pre-conditions, the developer of a procedure has no obligations whatsoever -- the developer is blameless if procedure crashes or returns incorrect results.
If the user meets the pre-conditions, then any errors in processing or in the procedure's result are the sole fault of the developer.

The Error and Warning Procedures

While the user of a procedure has the responsiblity for meeting its pre-conditions, computer scientists continue to debate whether procedures should check that the pre-conditions actually are met. Here, in summary, are the two arguments.

Pre-conditions should always be checked as a safety matter; a procedure should be sufficiently robust that it will detect variances in incoming data and respond in a controlled way.
Since meeting pre-conditions is a user's responsibility, a developer should not add complexity to a procedure by handling unnecessary cases; further, the execution time should not be increased for a responsible user just to check situations that might arise by careless users.

Actual practice tends to acknowledge both perspectives in differing contexts. More checking is done when applications are more critical. As an extreme example, in software to launch a missle or administer drugs to a patient, software may perform extensive tests of correctness before taking an action -- the cost of checking may be much less than the consequences resulting from unmet pre-conditions.

As a less extreme position, it is common to check pre-conditions once -- especially when checking is relatively easy and quick, but not to check repeatedly when the results of a check can be inferred. (More about this shortly.)

The `error` procedure in Chez Scheme

So far, we've been relying on the underlying implementation of Chez Scheme to detect and report such errors. Sometimes this is an adequate way of dealing with them, but in other cases one might prefer to write the procedure in such a way that it checks and enforces its preconditions before performing any operations on its arguments.

In Chez Scheme, this can be done by adding, at the beginning of the body of the procedure, an if-expression that tests the precondition and invokes a procedure named error if the condition is not met:

(define longest-on-list
  (lambda (ls)
  ;Pre-condition:  ls is non-empty list of strings
  ;Post-condition:  returns the string on ls of longest length

    ;; Check pre-conditions
    (if (or (null? ls)
            (not (list-of-strings? ls)))
        (error 'longest-on-list
               "the argument must be a non-empty list of strings"))

    ;; Find the longest string on the list.

    (if (null? (cdr ls))
        (car ls)
        (longer-string (car ls)
                       (longest-on-list (cdr ls))))))

(define list-of-strings?
  (lambda (ls)
  ;Pre-condition:  none
  ;Post-condition:  returns #t if ls is a non-empty list of strings
    (or (null? ls)
        (and (pair? ls)
             (string? (car ls))      
             (list-of-strings? (cdr ls))))))

The list-of-strings? procedure tests whether its argument is a list in which each element is a string. (In English: ls is a list of strings if it is either the empty list or a pair in which the first element is a string and the rest is a list of strings.) The definition of the longest-on-list procedure is the same as the one provided in the lab on recursion, except that the precondition is now being tested: The error procedure is invoked if either the incoming argument is empty or it is something other than a list of strings.

With this version of longest-on-list, the error messages are different:

> (longest-on-list '(3 6 7))

Error in longest-on-list: the argument must be a non-empty list of strings.
Type (debug) to enter the debugger.
> (longest-on-list '())

Error in longest-on-list: the argument must be a non-empty list of strings.
Type (debug) to enter the debugger.

The error is detected and reported before the procedure gets down to the point where it might try to apply string-length to a number or cdr to an empty list.

Add tests of pre-conditions for procedures power and square-each-element from the lab on recursion.

Husk-and-kernel programming

When developing procedures, it is often useful to include pre-condition testing in your procedures, as this can simply the task of identifying what happened when something goes wrong.

However, as noted above, the inclusion of pre-condition testing increases execution time. Of course, a single test may be relatively fast, but repeated testing can slow execution execution considerably. Since time is often a scarce resource, it makes sense to save it by skipping the test when you can prove that the precondition will be met. This often happens when you, as programmer, control the context in which the procedure is called as well as the body of the procedure itself.

For example, in the preceding definition of longest-on-list, although it is useful to test the precondition when the procedure is invoked ``from outside'' by an irresponsible caller, it is a waste of time to repeat the test of the precondition for any of the recursive calls to the procedure. At the point of the recursive call, you already know that ls is a list of strings (because you tested that precondition on the way in) and that its cdr is not empty (because the body of the procedure explicitly tests for that condition and does something other than a recursive call if it is met), so the cdr must also be a non-empty list of strings. So it's unnecessary to confirm this again at the beginning of the recursive call.

One solution to this problem is to replace the definition of longest-on-list with two separate procedures, a ``husk'' and a ``kernel.'' The husk interacts with the outside world, performs the precondition test, and launches the recursion. The kernel is supposed to be invoked only when the precondition can be proven true; its job is to perform the main work of the original procedure, as efficiently as possible:

(define longest-on-list
  (lambda (ls)
  ;Pre-condition:  ls is non-empty list of strings
  ;Post-conditions:  returns error if pre-condition is not met
                     otherwise, returns the string on ls of longest length

    ;; Check pre-conditions
    (if (or (null? ls)
            (not (list-of-strings? ls)))
        (error 'longest-on-list
               "the argument must be a non-empty list of strings"))

    ;; Find the longest string on the list.
    (longest-on-list-kernel ls)))

(define longest-on-list-kernel
  (lambda (ls)
  ;Pre-condition:  ls is non-empty list of strings
  ;Post-conditions:  returns the string on ls of longest length
    (if (null? (cdr ls))
        (car ls)
        (longer-string (car ls)
                       (longest-on-list-kernel (cdr ls))))))

In later labs, we'll see that there are a couple of ways to put the kernel back inside the husk without losing the efficiency gained by dividing the labor in this way.

Write a husk-and-kernel version of the replicate procedure from the lab on recursion.

Chez Scheme provides another procedure that can be used like error and takes the same two arguments: The warning procedure prints out a warning message, but does not interrupt the computation in progress; instead, Chez Scheme rushes on and attempts to complete the job. (Often it eventually encounters an actual error and gives up, but one can call warning regardless of whether or not it presages an error.)

Write a procedure sum-of-list that takes any list of numbers and returns the sum of of the elements of the list. Have the procedure print a warning message if it is given an empty list. (The procedure should return 0 after issuing this warning message.)
Define a predicate author? that takes one argument and determines whether that argument is a list containing exactly three arguments, the first one a string and the second and third ones integers. (The predicate should return #t if all of these conditions are met, #f if any one of them is not satisfied.)

Testing and Debugging

Checking pre-conditions verifies that assumptions for a procedure are met. After writing code, a programmer also should provide evidence that the code is correct. Often, this means that the programmer should think carefully about how code should be tested. (While software-development companies normally have separate testing groups to check that an overall produce meets its specifications, individual programmers are responsible for checking their own code as well.)

In testing, the main goal should be to try to find all possible errors; that is, one should try to find test cases which might break the code. Note this is a different perspective than seeing if one can find many test cases that work correctly: if code works correctly for in one case, then the code may work correctly for many similar cases. Overall, one should identify and test as many types of circumstances as possible.

In identifying test cases, one useful strategy involves listing various circumstances that might occur. Consider, for example, the longest-on-list procedure described above. Since the procedure involves a search through the entire list, testing might include the following:

The longest string is first on a list -- does the procedure check the first item appropriately?
The longest string is last on a list -- is the last item on the list checked appropriately?
The longest string is in the middle of a list -- are intermediate values handled correctly?
The list contains exactly one item -- does processing handle the smallest valid list?

Each of these situations examines a different part of typical processing. More generally, before testing begins, we should identify different types of circumstances that might occur. Once these circumstances are determined, we should construct test data for each situation, so that our testing will cover a full range of possibilities.

In determining possible situations for testing, two approaches are commonly identified:

White-Box Testing: Code is examined to determine each of the possible conditions that may arise, and tests are developed to exercise each part of the code.
Black-Box Testing: The problem is examined to determine the logical cases that might arise. Test cases are developed without reference to details of code.

A list of potential situations together with specific test data that check each of those situations is called a test plan.

Identify tests cases that will cover each of the situations described above for the longest-on-string procedure.

Develop a test plan for the tally-by-parity problem from the lab on recursion.

Debugging in Chez Scheme

While the initial running of a program has been known to produce helpful and correct results, your past programming experience probably suggests that some errors usually arise somewhere in the problem-solving process. Specifications may be incomplete or inaccurate, algorithms may contain flaws, or the coding process may be incorrect. Edsger Dijkstra, a very distinguished computer scientist, has observed¹ that in most disciplines such difficulties are called errors or mistakes, but that in computing this terminology is usually softened, and flaws are called bugs. (It seems that people are often more willing to tolerate errors in computer programs than in other products.)²

Novice programmers sometimes approach the task of finding and correcting an error by trial and error, making successive small changes in the source code (``tweaking'' it), and reloading and re-testing it after each change, without giving much thought to the probable cause of the error or to how making the change will affect its operation. This approach to debugging is ineffective, for two reasons:

Tweaking is time-consuming. Novice programmers tend to have a naive confidence that the next small change in the source code, whatever it is, will fix the problem. This is seldom the case. If you detect an error in a procedure, and the first tweak doesn't fix it, the next twelve tweaks probably won't either -- so don't bother with them. Push yourself away from the keyboard and study the context. Don't make even one more change in the source code until you're ready to test a well-thought-out hypothesis about the cause of the error. (This is also a good time to make a separate copy of the procedure, in XEmacs, so that you can backtrack to the current version if subsequent experimentation requires extensive temporary rewriting.)
Tweaking usually fixes only a specific, local problem. Very often an error is a symptom of a general misunderstanding on the part of the programmer, one that affects the operation of the procedure in cases other than the one being tested. Unless you address this general problem, tweaking a procedure in such a way that it passes the particular test that it formerly failed is likely to make your program worse instead of better.

A much more time-efficient approach to debugging is to examine exactly what code is doing. While a variety of tools can help you analyze code, a primary technique involves carefully tracing through what a procedure is actually doing. While we'll explore several mechanisms to help with this process through the semester, one of the simplest and most effective is the trace-define capability found in Chez Scheme.

Chez Scheme allows you to examine every call and return of a procedure, by replacing define by trace-define at the start of a procedure definition.

Make this replacement for the defintion of longest-on-list in the code above, and then run several test cases. Observe that the Scheme environment displays all parameters sent into every call of the procedure as well as each return value.

Notes

Edsger Dijkstra, ``On the Cruelty of Really Teaching Computer Science,'' Communications of the ACM, Volume 32, Number 12, December 1989, p. 1402.
Paragraph modified from Henry M. Walker, The Limits of Computing, Jones and Bartlett, 1994, p. 6.

This document is available on the World Wide Web as

http://www.math.grin.edu/~walker/courses/153.sp00/lab-correctness.html

created January 13, 1998 by John David Stone and Henry M. Walker
last revised January 9, 2000 by Henry M. Walker