Unit 16: Liskov Substitution Principle
Learning Objectives
Students should
- understand the type of bugs that reckless developers can introduce when using inheritance and polymorphism.
- understand the Liskov Substitution Principle and thus be aware that not all IS-A relationships should be modeled with inheritance.
- know how to explicitly disallow inheritance when writing a class or disallow overriding with the
final
keyword.
The Responsibility When Using Inheritance
As you have seen in Unit 14, polymorphism is a powerful tool that allows a client to change the behavior of existing code written by the implementer, behind the abstraction barrier.
As Ben Parker (aka Uncle Ben) said, "With great power, comes great responsibility." The client must use overriding and inheritance carefully. Since they can affect how existing code behaves, they can easily break existing code and introduce bugs. Since the client may not have access to the existing code behind the abstraction barrier, it is often tricky to trace and debug. Furthermore, the implementer would not appreciate it if their code was working perfectly until one day, someone overriding a method causes their code to fail, even without the implementer changing anything in their code.
Ensuring this responsibility cannot be done by the compiler, unfortunately. It thus becomes a developer's responsibility to ensure that any inheritance with method overriding does not introduce bugs to existing code. This brings us to the Liskov Substitution Principle (LSP), which says:
Liskov Substitution Principle
"Let \(\phi(x)\) be a property provable about objects \(x\) of type \(T\). Then \(\phi(y)\) should be true for objects \(y\) of type \(S\) where \(S <: T\)."
Barbara Liskov
In English,
Is \(S\) is a subclass of \(T\), then an object of type \(T\) can be replaced by that of type \(S\) without changing the desirable property of the program.
or in simpler terms,
A subclass should not break the expectations set by the superclass.
This is consistent with the definition of subtyping, \(S <: T\), but spelled out more formally. We can use many ways to specify the desirable property but the most common is the use of program specification.
Example #1: Module
Specification
We define a class called Module
with a method Module::marksToGrade
. The desirable property of this method is that it takes in a double
as input and returns a character (i.e., of type char
). The character that are returned is one of the following: 'A'
, 'B'
, 'C'
, or 'F'
. How the method Module::marksToGrade
is implemented is irrelevant as long as it returns one of the characters above.
Usage
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Subclass
Consider a subclass of Module
called CSCUModule
. CSCUModule
overrides marksToGrade
method such that it now returns only 'S'
or 'U'
. Does this violates LSP?
Since CSCUModule
is a subclass of Module
, we can pass an instance to displayGrade
:
1 |
|
and suddenly displayGrade
is displaying retake again
even if the student is scoring 100 marks.
The example above shows that we may be violating the LSP unintentionally. The object m
has the following property: m.marksToGrade
always returns something from the set { 'A'
, 'B'
, 'C'
, 'F'
}, that the method displayGrade
depends on explicitly. The subclass CSCUModule
violated that and makes m.marksToGrade
returns 'S'
or 'U'
, sabotaging displayGrade
and causing it to fail.
LSP cannot be enforced by the compiler1. The properties of an object have to be managed and agreed upon among programmers. A common way is to document these properties as part of the code documentation.
LSP Through the Lens of Testing
Another way to develop an intuition of the LSP is through the lens of testing. When we write a method, we may want to introduce test cases to check that our method is working correctly. These test cases are designed based on the specification of our method and not its implementation details2. That is, we test based on the expected inputs and resultant outputs.
Example #2: Restaurant
Specification
We would like to model a restaurant booking system for a restaurant chain. Every restaurant in the chain opens at 12 pm and closes at 10 pm, and has a singular method canMakeReservation
which allows us to check if the restaurant is available for reservations at a certain time
. The requirement given is that, the system must be able to process a reservation during its opening hours. On the other hand, we do not care about the behavior outside of the opening hour.
We may then arrive at the following class:
1 2 3 4 5 6 7 8 9 10 11 |
|
Usage (i.e., Test)
The method canMakeReservation
returns true
when the argument passed in to time
is between 12 pm and 10 pm. Let's think about how we would test this method. Two important edge cases to test is to check if the method returns true for the stated restaurant opening and closing hours.
1 2 3 4 |
|
Note that these are simple jshell
tests, in software engineering modules (e.g., CS2103/T) you will learn better ways to design and formalise these tests.
Subclass #1
Consider a subclass of Restaurant
called LunchRestaurant
with the following implementation:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
LunchRestaurant
does not take reservation during peak hours (i.e., 1200 to 1400). As LunchRestaurant
\(<:\) Restaurant
, we can point our variable r
to a new instance of LunchRestaurant
and run the test cases of the parent class, as can be seen in the code below.
1 2 3 4 |
|
Whilst the second test passes, the first test does not since it falls within the peak lunch hour. Therefore LunchRestaurant
is not substitutable for Restaurant
and the LSP is violated. We have changed the expectation of the method in the child class.
Subclass #2
Let's suppose the restaurant chain starts to roll out online reservation system for a subset of its restaurants. These restaurants can take reservations any time. We create a subclass DigitalReadyRestaurant
, as follows:
1 2 3 4 5 6 7 |
|
Similarly, as DigitalReadyRestaurant
\(<:\) Restaurant
, we can point our variable r
to a new instance of DigitalReadyRestaurant
and run the test cases of the parent class, as can be seen in the code below.
1 2 3 4 |
|
Both test cases pass. In fact, all test cases that pass for Restaurant
would pass for DigitalReadyRestaurant
. Therefore DigitalReadyRestaurant
is substitutable for Restaurant
. Anywhere we can use an object of type Restaurant
, we can use DigitalReadyRestaurant
without breaking any previously written code.
We can now rephrase our LSP in terms of testing. A subclass should not break the expectations set by the superclass. If a class B
is substitutable for a parent class A
then it should be able to pass all test cases of the parent class A
. If it does not, then it is not substitutable and the LSP is violated.
Preventing Inheritance and Method Overriding
Sometimes, it is useful for a developer to explicitly prevent a class to be inherited. Not allowing inheritance would make it much easier to argue for the correctness of programs, something that is important when it comes to writing secure programs. Both the two java classes you have seen, java.lang.Math
and java.lang.String
, cannot be inherited from. In Java, we use the keyword final
when declaring a class to tell Java that we ban this class from being inherited.
1 2 3 |
|
Alternatively, we can allow inheritance but still prevent a specific method from being overridden, by declaring a method as final
. Usually, we do this on methods that are critical for the correctness of the class.
For instance,
1 2 3 4 5 6 |
|
In short, we have learnt that the final
keyword can be used in three places:
- In a class declaration to prevent inheritance.
- In a method declaration to prevent overriding.
- In a field declaration to prevent re-assignment.
Code
1 2 3 |
|
Test
1 2 3 |
|
Error Message
1 2 3 4 |
|
Note
Preventing inheritance also prevents overriding.
Code
1 2 3 4 5 6 |
|
Test
1 2 3 4 5 6 7 |
|
Error Message
1 2 3 4 5 |
|
Code & Test
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
Error Message
1 2 3 4 |
|
Note
The check if an assignment is the first assignment or a re-assignment may produce false positive. In general, if the assignment to the field is done in the constructor, then it is allowed unless the field has already been initialized before (e.g., private final double r = 0.0;
). This is because a constructor can only be called once for each instance.
On the other hand, if we have an assignment to a field not on the constructor like in the mutator, we cannot guarantee such a mutator will only be invoked exactly once. Therefore, there is a possibility that there is a re-assignment. The choice is to either prevent compilation or give a runtime error during the re-assignment. Since compiler is our friend, they want to tell us about the problem early.