# Week 05 Functions

The discussion of functions in the textbook is pretty thorough but has four significant omissions:

* it fails to emphasize that a function defines a contract between itself and the caller
* it fails to discuss function input validation
* it fails to discuss how to document a function in Python
* it's discussion of unit testing is lacking (at best)

This series of notebooks is intended to address these omissions.

# A function defines a contract between itself and the caller

Consider the following quote taken from [here](https://www.eiffel.org/doc/solutions/Design_by_Contract_and_Assertions):

> When you produce an element of software, how do you know that what you produced is correct?
>
> This is a difficult question for anyone to answer. Informally speaking, correct software is software 
> that does what it is supposed to do. That is what makes answering the question so tricky. Before you 
> can have any idea whether the software is correct, you must be able to express what it is supposed to 
> do ... and that proves to be quite difficult itself.
>
> In conventional software engineering, a document called a software specification is written in order 
> to describe what it is that a piece of software is supposed to do. Writers of software specifications 
> tend to pursue one of two approaches: the informal or the formal.
> 
> Informal specifications attempt to describe software behavior in the natural languages with which humans
> communicate on a daily basis. There are problems with this approach. Natural language is not precise. Informal
> specifications are subject to interpretation and affected by the ambiguities, noise, and contradiction inherent
> in natural language.
>
> In order to avoid these problems, proponents of formal methods of specification turn to the most precise 
> language they know: mathematics. It may be no exaggeration that the study of formal methods has produced more
> PhD's in Computer Science than it has well-specified software systems. Still the idea that the precision of 
> mathematics can be brought to bear on the problem of specifying software is quite appealing. But, problems lurk 
> here as well. Formal specifications are difficult and time-consuming to construct and verify against themselves,
> and most software engineers do not have a working knowledge of the mathematics required to work with formal 
> specifications. 

[Design by contract](https://en.wikipedia.org/wiki/Design_by_contract) is a techinique for designing
software where the software components have precisely defined contracts. A software component contract
is analagous to a business contract where a client and a supplier agree on a contract that defines for example:

* the supplier must supply a product (an obligation of the supplier)
* the supplier is entitled to receive a fee (a benefit to the supplier)
* the client must pay the fee (an obligation of the client)
* the client is entitled to receive the product (a benefit to the client)

Notice that the obligations of one party are often the benefits to the other party. A contract document protects
the client, by specifying what and how much should be done, and it protects the supplier, by stating that the
supplier is not obligated to carry out tasks outside of the specified scope.

A function can be viewed as defining a contract between itself (the supplier) and a caller (the client):

* the function must perform a well-defined computation (the obligations of the function; called the
*postconditions* of the function)
* the function is entitled to assume certain conditions regarding the arguments supplied by the caller
(a benefit to the function; called the *preconditions* of the function)
* the caller must ensure that the arguments supplied to the function are acceptable by the function
(an obligation of the caller; the caller must satisfy the preconditions of the function)
* the caller is entitled to the results of the computation performed by the function (a benefit to the caller;
the caller is entitled to assume that the *postconditions* of the function are satisfied)

***Preconditions***

For functions, a *precondition* is a condition (an expression that evaluates to true or false) that must 
be true when the function is called in order for the function to successfully perform its computation. A
precondition usually involves the parameters of the function. For example, the function call `max(t)`
where `t` refers to a list will return the maximum element of `t`; `max` has the precondition that list
not be empty which can be expressed as:

```python
len(t) > 0
```

For a second example, consider the function `math.factorial(x)` which
computes the factorial of $x$ equal to $x! = x(x-1)(x-2)...(3)(2)(1)$ where $x$ is an
integer value greater than or equal to $0$. The precondition for `math.factorial` can be expressed as:

```python
isinstance(x, numbers.Integral) and x >= 0
```

where `isinstance(x, numbers.Integral)` tests if `x` refers to some kind of integer type.

Note that preconditions can be easy to express in plain language but difficult to express formally.
For example, how would you formally specify the precondition that the elements of a list be unique
(no two elements of the list are equal)?

**Exercise 1** The function `max` has another precondition; can you identify the precondition?

**Exercise 2** Does the function `math.sqrt(x)` have the precondition `x >= 0`? Try testing the function
with negative numeric values to check if your answer is correct.


***Preconditions and exceptions***

The caller of a function is responsible for ensuring that the arguments supplied to the function satisfy 
the preconditions of the function, and the function is entitled to assume that the supplied arguments
satisfy the preconditions of the function. If the function preconditions are satisfied, then the function
is obligated to complete its contract with the caller. If the function preconditions are *not* satisfied, then the
function is *not* obligated to complete its contract with the caller. For example, run the following cell
to see what happens when `max` is called with an empty list:

In [None]:
max([])

Run the following cell to see what happens when `math.factorial` is called with a non-integer value:

In [None]:
import math
math.factorial(1.5)

Run the following cell to see what happens when `math.factorial` is called with a negative integer value:

In [None]:
import math
math.factorial(-1)

The functions in the Python standard libraries typically stop running if they are called with arguments that 
do not satisfy the preconditions of the function. They do so by *raising an exception*.

An exception is an object that represents an error that has occurred when a program is run. You have almost
certainly seen an exception that results from using an invalid index in a list (run the following cell, for example):

In [None]:
t = ['hello']
t[1]   # oops, t does not have 2 elements

Similarly, the `ValueError` exceptions that occur in the previous examples all occur when the programs are run.

When an exception is raised in a Python function, the function immediately stops running and in many cases,
the entire program stops running and an error message is output. This means that exceptions are impossible to
simply ignore. It is possible to recover from a raised exception, but this is beyond the scope of the current
discussion; see [The Python Tutorial](https://docs.python.org/3/tutorial/errors.html) for details on how to handle
raised exceptions.

***Postconditions***

A postcondition is a condition (an expression that evaluates to true or false) that the function is obligated
to ensure is true immediately before the function completes running. A postcondition is a formal statement
of what the function promises to compute assuming that the preconditions of the function are satisfied.

Like preconditions, postconditions are often easier to write in plain language compared to formally specifying
them. For example, the postcondition for `max(t)` where `t` is a list can be stated as: Returns the largest item
in the list `t`. To formally specify the postcondition, we would need to write something like:

* returns the value `val` where
    * `val` is an element of `t`, and
    * for every element `e` in `t`, `val >= e` is `True`
* does not modify `t`

Programmers who work on applications that have safety-critical implications or in projects where software errors
can have severe consequences will go to the effort to formally specify pre and postconditions (and probably
use a language that supports automated testing of pre and postconditions). For our purposes, postconditions 
written in plain language will suffice.

Some additional examples of postconditions include:

* `len(s)`
    * returns the number of items in the sequence or collection `s` without modifying `s`
* `math.ceil(x)`
    * returns the ceiling of `x`, the smallest integer greater than or equal to `x`
* `math.floor(x)`
    * returns the floor of `x`, the largest integer less than or equal to `x`


**Exercise 1** What are the preconditions and postconditions of the textbook function `harmonic` shown in the cell
below. You can find the `harmonic` function near the beginning of Chapter 2.1.

In [None]:
def harmonic(n):
    total = 0.0
    for i in range(1, n + 1):
        total += 1.0 / i
    return total

<div class="alert alert-info">
    Harmonic numbers are defined for natural numbers n >= 1 so the function has the preconditions that n >= 1
    and that n is an integer number.
    The postcondition is that the returned value is approximately equal to the sum 1 + 1/2 + 1/3 + ... + 1/n
    (approximately because the sum cannot be computed exactly using floating-point arithmetic.
</div>

**Exercise 2** What are the preconditions and postconditions of the textbook function `isPrime` shown in the cell 
below. You can find the `isPrime` function in Chapter 2.1 under the section *Multiple return statements*.

In [None]:
def isPrime(n):
    if n < 2: 
        return False
    i = 2
    while i*i <= n:
        if n % i == 0: return False
        i += 1
    return True

print(isPrime(float('inf')))

<div class="alert alert-info">
    Only natural numbers greater than 1 can be prime. The function handles negative values correctly
    without requiring the precondition n > 1. If n is a float value then there are cases where the function
    does not work correctly; therefore, there is a precondition that n be an integer value.
    The postcondition is that the returned value is equal to True if n is prime and the returned
    value is equal to False if n is not prime.
</div>

**Exercise 3** What are the preconditions and postconditions of the textbook function `exchange` shown in the cell 
below. You can find the `exchange` function in Chapter 2.1 under the section *Side effects with arrays*.

In [None]:
def exchange(a, i, j):
   temp = a[i]
   a[i] = a[j]
   a[j] = temp

<div class="alert alert-info">
    The preconditions are that a is a Python sequence, and that i and j are valid indexes for a.
    The postconditions are a little tricky: a[i] is a reference to the object formerly referred to
    by a[j], a[j] is a reference to the object formerly referred to by a[i], and all other elements
    in the sequence are unchanged.
</div>

**Exercise 4** What are the preconditions and postconditions of the textbook function `shuffle` shown in the cell 
below. You can find the `shuffle` function in Chapter 2.1 under the section *Side effects with arrays*.

In [None]:
def shuffle(a):
    n = len(a)
    for i in range(n):
        r = random.randrange(i, n)
        exchange(a, i, r)

<div class="alert alert-info">
    The precondition is that a is a Python sequence. The postcondition is difficult to express formally
    (by stating one or more boolean conditions), but fairly easy to express informally (by describing
    what the function does to a): The elements of a are placed in a random order.<br /><br />
    The shuffling algorithm is an implementation of the Fisher-Yates algorithm which is known
    to produce all permutations of the elements of the list with approximatley equal likelihood.
</div>

**Exercise 5** What are the preconditions and postconditions of the textbook function `randomarray` shown in the
cell below. You can find the `randomarray` function in Chapter 2.1 under the section *Arrays as return values*.

In [None]:
def randomarray(n):
    a = stdarray.create1D(n)
    for i in range(n):
        a[i] = random.random()
    return a

<div class="alert alert-info">
    The precondition is that n is an integer value greater than or equal to 0. The postcondition is difficult
    to state formally, but easy to state informally: Returns a list of length n where the elements are random
    values between 0.0 (inclusive) and 1.0 (exclusive).<br /><br />
    The function actually returns an empty list if n is less than zero, so we can remove the precondition 
    that n must be greater than or equal to 0 as long as we state that the postcondition is that the
    function returns an empty list when n is less than or equal to 0.
</div>