Contracting for Reliability

Meyer [Ref] introduced the concept of contracting for software reliability. A class definition represents a statement of what an object of that class can and will do. Clients can expect the behaviour defined by the class specification together with a set of assertions that make the semantics of a module explicit. Assertions usually take the form of preconditions and postconditions that can be checked just before a method of the object is invoked and just after it returns. In a distributed system, these would be checked between receiving a request message and starting execution of the method procedure, and between completion of the procedure and returning a result message. Failure of these assertions leads to exceptions. These can be helpful when constructing transaction systems (see below). As well as pre- and postconditions, an object-oriented system allows the programmer to identify class invariants. For instance, in the class defined in chapter 1 for printer spooling, there is a queue which is a finite ordered set of items to be printed. A class invariant for this might be:


The use of class invariants and pre- and postconditions decreases the number of states/cases to consider in the event of a failure in an object. Pre- and postconditions are also tested at well-known points of synchronization, and we shall see that this aids in isolating faults in the distributed execution (and decreases the time spent uselessly blocked in a distributed environment under error conditions). Of course, many applications (e.g. interactive window systems like X-Windows) map exceptions into total failure. This gives us a strong hint as to the base method for exception handling in a distributed system! We shall see later how careful use of exceptions can help isolate problems in a distributed system. Another important concept in Meyer's approach is that of side effects in functions, and whether they should be allowed. In a distributed system, we have no choice but to allow side effects, in that state must be stored somewhere: it may simply be in the output to some static storage, or in the control of some device (an auto-teller outputting notes).
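The following is an added example, not from the original text or from Meyer's own work: a printer-spooler queue whose methods check preconditions on receipt of a request and postconditions (plus the class invariant) before the result is returned, with a server-side dispatcher that turns a contract failure into an error reply rather than total failure. The capacity bound and the "no duplicate jobs" invariant are assumptions made for the example; the request/reply dictionaries stand in for the messages of a real transport.

```python
from dataclasses import dataclass, field


class ContractViolation(Exception):
    """Raised when a precondition, postcondition or invariant fails."""


@dataclass
class PrintSpooler:
    """Finite ordered queue of print jobs (capacity is a constructed value)."""
    capacity: int = 4
    queue: list = field(default_factory=list)

    def invariant(self) -> bool:
        # Assumed invariant: never longer than capacity, and a job is queued
        # at most once (the queue is a set of items, not a multiset).
        return 0 <= len(self.queue) <= self.capacity and len(set(self.queue)) == len(self.queue)

    def submit(self, job: str) -> int:
        # Precondition: checked between receiving the request and executing it.
        # A failure here means the client sent a request it was not entitled to.
        if not job or len(self.queue) >= self.capacity or job in self.queue:
            raise ContractViolation(f"precondition failed for submit({job!r})")
        before = len(self.queue)
        self.queue.append(job)
        # Postcondition: checked between completion and returning the result.
        # A failure here points at the spooler implementation, not the client.
        if not (len(self.queue) == before + 1 and self.queue[-1] == job and self.invariant()):
            raise ContractViolation("postcondition failed for submit")
        return len(self.queue)

    def next_job(self) -> str:
        if not self.queue:
            raise ContractViolation("precondition failed: next_job on empty queue")
        before = len(self.queue)
        job = self.queue.pop(0)
        if not (len(self.queue) == before - 1 and self.invariant()):
            raise ContractViolation("postcondition failed for next_job")
        return job


def handle_request(spooler: PrintSpooler, request: dict) -> dict:
    """Server-side dispatch: a contract failure becomes an error reply, not a crash."""
    if request.get("method") not in ("submit", "next_job"):
        return {"status": "error", "reason": "unknown method"}
    try:
        result = getattr(spooler, request["method"])(*request.get("args", []))
        return {"status": "ok", "result": result}
    except ContractViolation as exc:
        return {"status": "error", "reason": str(exc)}
```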