Sommerville-Software-Engineering-10ed

366 Chapter 12 ■ Safety engineering

    // The insulin dose to be delivered is a function of
    // blood sugar level, the previous dose delivered and
    // the time of delivery of the previous dose
    currentDose = computeInsulin () ;
    // Safety check—adjust currentDose if necessary.
    // if statement 1
    if (previousDose == 0)
    {
        if (currentDose > maxDose/2)
            currentDose = maxDose/2 ;
    }
    else
        if (currentDose > (previousDose * 2) )
            currentDose = previousDose * 2 ;
    // if statement 2
    if ( currentDose < minimumDose )
        currentDose = 0 ;
    else if ( currentDose > maxDose )
        currentDose = maxDose ;
    administerInsulin (currentDose) ;

Figure 12.13 Insulin dose computation with safety checks

the program will not compute an unsafe dose of insulin. You can structure and present the safety arguments graphically as shown in Figure 12.14.

The safety argument shown in Figure 12.14 presents three possible program paths that lead to the call to the administerInsulin method. You have to show that the amount of insulin delivered never exceeds maxDose. All possible program paths to administerInsulin are considered:

1. Neither branch of if-statement 2 is executed. This can only happen if currentDose is within the range minimumDose..maxDose. The postcondition predicate is therefore:

   currentDose >= minimumDose and currentDose <= maxDose

2. The then-branch of if-statement 2 is executed. In this case, the assignment setting currentDose to zero is executed. Therefore, its postcondition predicate is currentDose = 0.

3. The else-if-branch of if-statement 2 is executed. In this case, the assignment setting currentDose to maxDose is executed. Therefore, after this statement has been executed, we know that the postcondition is currentDose = maxDose.

In all three cases, the postcondition predicates contradict the unsafe precondition that currentDose > maxDose. As both cannot be true, we can claim that our initial assumption was incorrect, and so the computation is safe.
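The three-path argument above can also be checked mechanically. The following is an added example (not code from the textbook): a Python version of the Figure 12.13 checks that reports which branch of if-statement 2 ran, the per-path postconditions from the argument, and an exhaustive sweep over constructed inputs confirming that every path leaves the dose at or below maxDose. The constants MIN_DOSE and MAX_DOSE are constructed placeholders for minimumDose and maxDose.

```python
from itertools import product

MIN_DOSE = 1    # constructed placeholder for minimumDose
MAX_DOSE = 10   # constructed placeholder for maxDose


def safety_check(current_dose, previous_dose, minimum_dose=MIN_DOSE, max_dose=MAX_DOSE):
    """Apply the two safety checks of Figure 12.13 to a computed dose.

    Returns (dose, path), where path names the branch of if-statement 2
    that ran: 'none', 'then' (dose zeroed) or 'else-if' (dose capped).
    """
    # if statement 1: limit the increase relative to the previous dose
    if previous_dose == 0:
        if current_dose > max_dose / 2:
            current_dose = max_dose / 2
    else:
        if current_dose > previous_dose * 2:
            current_dose = previous_dose * 2
    # if statement 2: force the dose into the range minimumDose..maxDose
    if current_dose < minimum_dose:
        return 0, "then"
    elif current_dose > max_dose:
        return max_dose, "else-if"
    return current_dose, "none"


def postcondition_holds(dose, path, minimum_dose=MIN_DOSE, max_dose=MAX_DOSE):
    """Per-path postconditions of the safety argument; each contradicts
    the unsafe precondition dose > maxDose."""
    if path == "none":
        return minimum_dose <= dose <= max_dose
    if path == "then":
        return dose == 0
    return dose == max_dose


def check_all_paths(max_computed=40, max_previous=40):
    """Exercise every path over a constructed grid of (computed, previous)
    doses; returns (paths_seen, all_safe)."""
    seen = set()
    all_safe = True
    for computed, previous in product(range(max_computed + 1), range(max_previous + 1)):
        dose, path = safety_check(computed, previous)
        seen.add(path)
        all_safe = all_safe and postcondition_holds(dose, path) and dose <= MAX_DOSE
    return seen, all_safe


if __name__ == "__main__":
    print(check_all_paths())
```

The sweep also shows why if-statement 2 is needed: with a large previousDose, if-statement 1 alone lets a computed dose of 40 through unchanged, and only the else-if branch caps it at maxDose.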

To construct a structured argument that a program does not make an unsafe computation, you first identify all possible paths through the code that could lead to a potentially
