The preconditions and the postconditions of the public method form a contract between this method and its client.
1.According to, caller shouldn't verify postcondition and called method shouldn't verify preconditions:
Let us recall the precondition and the postcondition of the square root function sqrt, as shown in Program 49.2. A function that calls sqrt is responsible to pass a non-negative number to the function. If a negative number is passed, the square root function should do nothing at all to deal with it. If, on the other hand, a non-negative number is passed to sqrt, it is the responsibility of sqrt to deliver a result which fulfills the postcondition. Thus, the caller of sqrt should do nothing at all to check or rectify the result.
Blame the caller if a precondition of an operation fails Blame the called operation if the postcondition of an operation fails
But as seen in code included in another article, called method does verify preconditions:
/// <summary>Gets the user for the given ID.</summary>
public User GetUserWithIdOf(int id,
UserRepository userRepository) {
// Pre-conditions
if (userRepository == null)
throw new ArgumentNullException(
"userRepository");
if (id <= 0)
throw new ArgumentOutOfRangeException(
"id must be > 0");
User foundUser = userRepository.GetById(id);
// Post-conditions
if (foundUser == null)
throw new KeyNotFoundException("No user with " +
"an ID of " + id.ToString() +
" could be located.");
return foundUser;
}
a) Since it is a responsibility of a client to fulfill the preconditions of a method, should called method also check whether preconditions are fulfilled?
b) Since it is a responsibility of a called method to deliver result which fulfills the postcondition, should the caller check the postcondition?
2.One of the benefits mentioned in first article is that "Preconditions and postconditions can be used to divide the responsibility between classes in OOP", which I understand as also saying that it isn't the responsibility of called method to verify preconditions and it isn't the responsibility of a caller to verify postcondition.
But doesn't adhering to such philosophy make our code more vulnerable, since it blindly trusts that the other party ( other party being either a caller or a method ) will deliver on its promise?
3.If caller/called method doesn't blindly trust other party , then don't we loose much of the benefits provided by postconditions and preconditions, since now called method must take on the responsibility to also check precondition and caller must take on responsibility to verify the postcondition?
thanks
EDIT
3.
If caller/called method doesn't blindly trust other party , then don't we loose much of the benefits provided by postconditions and preconditions, since now called method must take on the responsibility to also check precondition and caller must take on responsibility to verify the postcondition?
Caller does not need to verify post-conditions because they should be ensured by the called method. Called method does need to verify pre-conditions because there is not other way to enforce the contract.
a) Are you assuming that postcondition should only ever state/guarantee that a return value is of specified type or null
(if return value is nullable)? Besides of what type the return value will be, can't postconditions also state other things ( which can't be verified by type system ), like whether return value is within specified range ( example: can't postcondition also state that return value of type int
will be within the range of 10-20
)? Wouldn't in this case client need to also check for postcondition?
b) Can we say then that first article is wrong with its claims that called method shouldn't check preconditions?
2. EDIT
No, a post condition can be anything, not just a null check. Either way, the client can assume that the post-condition has been verified so that, for example, you don't need to verify the int range if the contract states that it has been ensured.
a) You previously stated that preconditions need to be checked by called method in order to make code less vulnerable, but couldn't we also reason that caller needs to verify a postcondition ( e.g. verify that returned int
value is within range promised by postcondition ) in order to make caller's code less vulnerable?
b) If client can blindly trust claims made by postcondition ( I'd say it is a blind trust when postcondition makes claims like return value is within some range ), why can't called method also trust that caller will fulfill called method's preconditions?
a) Since it is a responsibility of a client to fulfill the preconditions of a method, should called method also check whether preconditions are fulfilled?
Yes, it is the responsibility of the client to ensure preconditions are satisfied, however the called method must verify this, hence the null checks in the example.
b) Since it is a responsibility of a called method to deliver result which fulfills the postcondition, should the caller check the postcondition?
The caller should be able to depend on the contract of the called method. In the example you provided, the method GetUserWithIdOf
ensures the post-condition is met, throwing an exception otherwise. The repository itself doesn't have a post-condition that it will always return a user, as a user may not be found.
2.One of the benefits mentioned in first article is that "Preconditions and postconditions can be used to divide the responsibility between classes in OOP", which I understand as also saying that it isn't the responsibility of called method to verify preconditions and it isn't the responsibility of a caller to verify postcondition.
It is still the responsibility of the called method to verify pre-conditions because they can't usually be verified by the type system. Languages such as Eiffel provide a greater degree of static contract verification, in which case one can utilize the language to enforce pre-conditions. Just like in Java/C# you can enforce that a method parameter is of a given type, Eiffel extends this type of verification to more complex contract declarations.
But doesn't adhering to such philosophy make our code more vulnerable, since it blindly trusts that the other party ( other party being either a caller or a method ) will deliver on its promise?
Yes, which is why pre-conditions must be verified.
3.If caller/called method doesn't blindly trust other party , then don't we loose much of the benefits provided by postconditions and preconditions, since now called method must take on the responsibility to also check precondition and caller must take on responsibility to verify the postcondition?
Caller does not need to verify post-conditions because they should be ensured by the called method. Called method does need to verify pre-conditions because there is not other way to enforce the contract.
UPDATE
a) No, a post condition can be anything, not just a null check. Either way, the client can assume that the post-condition has been verified so that, for example, you don't need to verify the int range if the contract states that it has been ensured.
b) I would say so yes. To quote:
If a negative number is passed, the square root function should do nothing at all to deal with it.
The if suggests that the called method already does some sort of verification. Doing nothing at all is a silent fail, which can be an anti-pattern.
A subsequent quote:
Blame the caller if a precondition of an operation fails Blame the called operation if the postcondition of an operation fails
The only way to blame the caller for a failed pre-condition is to first determine that a pre-condition has failed. Since the called method "owns" this pre-condition, it should be the last stop to flag the failure.
UPDATE 2
a,b) The reason a caller can trust post-conditions is because post-conditions can be ensured by the called method. The called method is what declares and owns the contract. The reason that the called method can't trust caller is because there nobody that guarantees that pre-conditions will be met. The called method doesn't know about all the various callers that it may have, therefore it has to verify on its own.