Consider the code:

public class Members {
    // Members is a mutable record of organization membership
    // AF: Collect the list as a set
    // rep-inv1: members != null
    // rep-inv2: members != null && no duplicates in members
    // for simplicity, assume null can be a member...

    List<Person> members;   // the representation

    //  Post: this_post is empty
    public Members() { members = new ArrayList<Person>();

    //  Post: person becomes a member
    //        i.e., this_post = this + {person}
    public void join (Person person) { members.add   (person);}

    //  Post: person is no longer a member
    //        i.e., this_post = this - {person}
    public void leave(Person person) { members.remove(person);}

    //  Post: returns whether or not a person is a member
    public boolean isMember(Person person) { return members.contains(person);}

• Does join() maintain rep-inv?
• Does join() satisfy contract?
• Does leave() maintain rep-inv?
• Does leave() satisfy contract?


1. Analyze these 4 questions for rep-inv 1.
   For cases where the rep-invariant is not maintained or the contract is not satisfied, construct a JUnit test that reveals the problem.
   
   
2. Repeat for rep-inv 2.
   
   
3. Recode join() to make the verification go through. Which rep-invariant do you use?
   
   
4. Recode leave() to make the verification go through. Which rep-invariant do you use?
   
   
5. Complete the verification exercise by addressing the constructor and the observer.