Eiffel
Bertrand Meyer
President, ISE
Santa Barbara (California)
Ph: 805-685-1006, fax 805-685-6869,
Email: Bertrand.Meyer@eiffel.com

The concepts of preconditions and postconditions to form a
contract on a routine go back at least to Dijkstra and Hoare in the late
60's and early 70's. In the late 70's and early 80's there were a couple
of experimental languages Alphard and Euclid that were designed to support
assertions. It's not clear to me how much they succeeded in implementing
these, however.
IMHO, Meyer made two major contributions in this area (along with a host of lesser ones). :
Jim McKim

I am most grateful for and honored by the credit. Let me point out, however, that James McKim's message both omits some important predecessors to Eiffel's Design by Contract principles, and under-represents the theory's own contributions.

On the predecessors, the following should be quoted:
- Besides Dijkstra and Hoare, Bob Floyd's original paper "Assigning meanings to programs" (1967) which was the first to use assertions systematically for program proving. (Hoare also cites an early mention by Turing himself, but this was not fully developed.)
- Besides Alphard and Euclid, the CLU language. (One may also mention Turing, but it is a contemporary rather than a predecessor.)
- The formal languages Z by Abrial (especially the initial version developed in France) and VDM by Jones and Bjorner.
- Work on abstract data types (Liskov and Zilles, Guttag and Horning, as well as my own which, however, was not widely circulated).

On the original aspects, apart from what James McKim mentions, one should note:
- The importance of invariants, although the basic ideas come from Hoare ("Proof of Correctness of Data Representations") and VDM. Although both Alphard and CLU had a notion of invariant, it is less developed than in Eiffel.
- The connection with exception handling. As far as I know Eiffel's exception handling mechanism is original (although influenced by earlier work, especially Randell's and Cristian's); it applies the notion of Design by Contract to the processing of abnormal cases. This is certainly one of the most important aspects of the approach.
- The insistence on executability of assertions. (CLU assertions, for example, are more like comments.) Actually I have the impression that the idea of evaluating assertions would be anathema to Dijkstra. (The precedent here is Algol W, followed by C, but all they support is an assert instruction rather than a full-fledged assertion mechanism.)
- The methodological consequences. Central to the theory of Design by Contract is the idea that to obtain more reliable software you should often have *fewer* checks (thanks to assertions). I have never seen any precursor to that apparently paradoxical idea - the rule that a routine should never test for its precondition; if you know of an earlier publication please tell me. As far as I can tell it is not only original but in fact runs contrary to the accepted ideas in software engineering, as found in many textbooks (e.g. in Liskov's and Guttag's otherwise excellent "Abstraction and Specification..."). In my experience it brings about a major change to software development, as important as the rest of object technology. (I realize that people who haven't yet tried Eiffel don't necessarily believe this, but it's the truth nevertheless.)
- The notion of short form: taking advantage of the presence of contracts to permit self-documenting software. Again this is pretty much against everything I had read in the software engineering literature when Eiffel was designed.
- The close connection with object-oriented structuring (not just the connection with redefinition, i.e. precondition weakening and postcondition strengthening, pointed out by James McKim).
- Invariant accumulation in an inheritance hierarchy.
- Some of the theoretical perspective (in particular the connection between object-oriented principles and the theory of abstract data types - this is mostly in "Object-Oriented Software Construction" second edition).
- The old construct. (Although it has equivalents at least in Alphard and Z, these two languages are not executable. Z is a specification language, and for Alphard, as far as I was able to understand, there never was a released compiler or a fixed specification. Someone may correct me on this last point; my understanding is based on what I heard at the time - late seventies -, and on the Springer-Verlag book "Alphard: Form and Content" edited by Mary Shaw.)
- The close integration of a full-fledged assertion mechanism in a commercial programming language. (The assertion facility of Algol W may be viewed as a precedent but, as noted, is of limited scope. If we remove the qualifier "commercial" this point is, however, less strong than the previous ones, as we can bring up Euclid and Turing.)
Bertrand Meyer - 12 Mar 97
President, ISE Inc., Santa Barbara (California)
805-685-1006, fax 805-685-6869, Bertrand.Meyer@eiffel.com
Web: http://www.eiffel.com/, with instructions for free download
== ISE Eiffel 4: Eiffel straight from those who invented it ==
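
The contract constructs the message above refers to (executable preconditions and postconditions, `old`, class invariants, precondition weakening and postcondition strengthening on redefinition, invariant accumulation), shown in Eiffel as an added example that is not part of the original message or of ISE's code. The classes `ACCOUNT` and `AUDITED_ACCOUNT` and all their features are hypothetical, and each class would normally live in its own file.

```eiffel
class ACCOUNT
create
    make
feature
    balance: INTEGER
            -- Current balance.

    make
            -- Start with an empty account.
        do
            balance := 0
        ensure
            empty: balance = 0
        end

    deposit (sum: INTEGER)
            -- Add `sum' to the balance.
        require
            positive: sum > 0
        do
                -- No "if sum <= 0" test here: the precondition is the
                -- client's obligation, evaluated by the runtime when
                -- assertion monitoring is enabled.
            balance := balance + sum
        ensure
            added: balance = old balance + sum
        end
invariant
    not_overdrawn: balance >= 0
end

class AUDITED_ACCOUNT
inherit
    ACCOUNT
        redefine deposit end
create
    make
feature
    deposit_count: INTEGER
            -- Number of calls to `deposit'.

    deposit (sum: INTEGER)
        require else
            zero_allowed: sum = 0      -- weakened: (sum > 0) or else (sum = 0)
        do
            balance := balance + sum
            deposit_count := deposit_count + 1
        ensure then
            counted: deposit_count = old deposit_count + 1  -- and-ed with `added'
        end
invariant
    count_not_negative: deposit_count >= 0  -- accumulated with `not_overdrawn'
end
```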