Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Blame Assignment for Higher-Order Contracts with Intersection and Union

September 2, 2015, The 20th ACM SIGPLAN International Conference on Functional Programming, ICFP 2015
Vancouver, British Columbia, Canada

Related Books

Free with a 30 day trial from Scribd

See all
  • Login to see the comments

  • Be the first to like this

Blame Assignment for Higher-Order Contracts with Intersection and Union

  1. 1. Blame Assignment for Higher-Order Contracts with Intersection and Union Roman Matthias Keil, Peter Thiemann University of Freiburg, Germany September 2, 2015, The 20th ACM SIGPLAN International Conference on Functional Programming, ICFP 2015 Vancouver, British Columbia, Canada
  2. 2. Higher-Order Contracts Even = flat(λx.x%2 = 0) Odd = flat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) Roman Keil, Peter Thiemann September 2, 2015 2 / 18
  3. 3. Higher-Order Contracts Even = flat(λx.x%2 = 0) Odd = flat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
  4. 4. Higher-Order Contracts Even = flat(λx.x%2 = 0) Odd = flat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
  5. 5. Higher-Order Contracts Even = flat(λx.x%2 = 0) Odd = flat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Assertion (Odd → Odd) Let add2Odd = ((λx.x + 2) @ (Odd → Odd)) Roman Keil, Peter Thiemann September 2, 2015 2 / 18
  6. 6. Higher-Order Contracts Even = flat(λx.x%2 = 0) Odd = flat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Assertion (Odd → Odd) Let add2Odd = ((λx.x + 2) @ (Odd → Odd)) (add2Odd 1) −→∗ 3 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
  7. 7. Higher-Order Contracts Even = flat(λx.x%2 = 0) Odd = flat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Assertion (Odd → Odd) Let add2Odd = ((λx.x + 2) @ (Odd → Odd)) (add2Odd 1) −→∗ 3 (add2Odd 2) −→∗ blame context 2 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
  8. 8. Combination of Contracts Observation λx.x + 2 works for even and odd arguments Roman Keil, Peter Thiemann September 2, 2015 3 / 18
  9. 9. Combination of Contracts Observation λx.x + 2 works for even and odd arguments λx.x + 2 fulfills Odd → Odd and Even → Even Roman Keil, Peter Thiemann September 2, 2015 3 / 18
  10. 10. Combination of Contracts Observation λx.x + 2 works for even and odd arguments λx.x + 2 fulfills Odd → Odd and Even → Even How can we express that with a single contract? Roman Keil, Peter Thiemann September 2, 2015 3 / 18
  11. 11. Combination of Contracts Observation λx.x + 2 works for even and odd arguments λx.x + 2 fulfills Odd → Odd and Even → Even How can we express that with a single contract? Intersection Contract! Roman Keil, Peter Thiemann September 2, 2015 3 / 18
  12. 12. Inspiration Intersection Type V : S ∩ T Models overloading Models multiple inheritances Union Type V : S ∪ T Dual of intersection type Domain of overloaded functions Roman Keil, Peter Thiemann September 2, 2015 4 / 18
  13. 13. This Work Extend higher-order contracts with intersection and union Specification based on the type theoretic construction Assertion (Even → Even) ∩ (Odd → Odd) Let add2 = ((λx.x + 2) @ (Even → Even) ∩ (Odd → Odd)) (add2 2) −→∗ 4 (add2 1) −→∗ 3 No blame because of the intersection contract! Roman Keil, Peter Thiemann September 2, 2015 5 / 18
  14. 14. Flat Contract Even = flat(λx.x%2 = 0) Odd = flat(λx.x%2 = 1) Pos = flat(λx.x 0) Examples Pos ∩ Even Flat Contract flat(λx.P) ∩ flat(λx.Q) ≡ flat(λx.P ∧ Q) Roman Keil, Peter Thiemann September 2, 2015 6 / 18
  15. 15. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) Definition Context gets blamed for C ∩ D iff: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iff: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
  16. 16. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) (add1 3) −→∗ 4 Definition Context gets blamed for C ∩ D iff: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iff: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
  17. 17. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) (add1 3) −→∗ 4 (add1 −1) −→∗ blame context −1 Definition Context gets blamed for C ∩ D iff: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iff: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
  18. 18. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) (add1 3) −→∗ 4 (add1 −1) −→∗ blame context −1 (add1 2) −→∗ blame subject (λx.x + 1) Definition Context gets blamed for C ∩ D iff: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iff: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
  19. 19. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in different sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
  20. 20. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in different sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
  21. 21. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in different sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
  22. 22. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in different sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
  23. 23. Operational Semantics Reduction Relation ς, M −→ ς , N M, N expressions ς list of constraints One constraint for each contract operator →, ∩, ∪ One constraint for each flat contract Blame calculation from a list of constraints Roman Keil, Peter Thiemann September 2, 2015 9 / 18
  24. 24. Flat Contract Evaluation Rule Flat M V −→∗ W ς = (W ) : ς ς, E[V @ flat(M)] −→ ς , E[V ] Roman Keil, Peter Thiemann September 2, 2015 10 / 18
  25. 25. Interpretation Interpretation of a constraint list µ ∈ ( × {subject, context}) → B An interpretation µ is a mapping from blame label to records of elements of B = {t, f}, order t f Ordering reflects gathering of information with each execution step Each blame label is associated with two truth values, .subject and .context Roman Keil, Peter Thiemann September 2, 2015 11 / 18
  26. 26. Flat Contract (cont’d) Evaluation Rule Flat M V −→∗ W ς = (W ) : ς ς, E[V @ flat(M)] −→ ς , E[V ] Constraint Satisfaction C-Flat µ( .subject) W µ( .context) t µ |= W Roman Keil, Peter Thiemann September 2, 2015 12 / 18
  27. 27. Blame Calculation Definition ς is a blame state if there exists a top-level blame label such that µ( .subject) f ∨ µ( .context) f Evaluation stops if a blame state is reached. Roman Keil, Peter Thiemann September 2, 2015 13 / 18
  28. 28. Function Contract Evaluation Rule Function 1, 2 ∈ ς ς = ( 1 → 2) : ς ς, E[(V @ (C →D)) W ] −→ ς , E[(V (W @ 1 C)) @ 2 D] Constraint Satisfaction C-Function µ( .subject) µ( 1.context ∧ ( 1.subject ⇒ 2.subject)) µ( .context) µ( 1.subject ∧ 2.context) µ |= 1 → 2 Roman Keil, Peter Thiemann September 2, 2015 14 / 18
  29. 29. Intersection Contract Evaluation Rule Intersection 1, 2 ∈ ς ς = ( 1 ∩ 2) : ς ς, E[(V @ (Q ∩ R)) W ] −→ ς , E[((V @ 1 Q) @ 2 R) W ] Constraint Satisfaction C-Intersection µ( .subject) µ( 1.subject ∧ 2.subject) µ( .context) µ( 1.context ∨ 2.context) µ |= 1 ∩ 2 Roman Keil, Peter Thiemann September 2, 2015 15 / 18
  30. 30. Union Contract Dual of intersection contract Exchange ∧ and ∨ in the blame calculation Delayed evaluation changes to an immediate evaluation Roman Keil, Peter Thiemann September 2, 2015 16 / 18
  31. 31. In the Paper Technical Results Contract Rewriting Deterministic and nondeterministic specification of contract monitoring Denotational specification of the semantics of contracts Theorems for contract and blame soundness Roman Keil, Peter Thiemann September 2, 2015 17 / 18
  32. 32. Conclusion Intersection and union contracts provide dynamic guarantees equivalent to their type-theoretic counterparts Constraint-based blame calculation enables higher-order contracts with unrestricted intersection and union Formal basis of TreatJS, a language embedded, higher-order contract system implemented for JavaScript Roman Keil, Peter Thiemann September 2, 2015 18 / 18
  33. 33. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) Reduction ς, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  34. 34. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t)(t,t) Reduction −→ ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  35. 35. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) (t,t) (t,t) Reduction −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  36. 36. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t)(f,t) (t,t) (t,t)(t,f) (t,t) Reduction −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  37. 37. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (f,t) (t,t)(t,f) (t,t) (t,t) (t,t) Reduction −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  38. 38. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (f,t) (t,t)(t,f) (t,t) (t,t) (t,t)(t,t) Reduction −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  39. 39. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (f,t) (t,t)(t,f) (t,t) (t,t)(t,t) Reduction −→ · · · , (1 @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  40. 40. Constraint Graph ... ∩ → Even Even → Pos Pos (t,f) (t,t) (t,f) (f,t) (t,t)(t,f) (t,f) (t,t)(t,t) (t,f) Reduction −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 1 / 15
  41. 41. Intersection and Union Types Intersection Type λx.x + 2 : Even → Even λx.x + 2 : Odd → Odd λx.x + 2 : Even → Even ∩ Odd → Odd Union Type λx.x − 2 : Even → Even λx.x − 2 : Even → Even ∪ Pos → Pos Roman Keil, Peter Thiemann September 2, 2015 2 / 15
  42. 42. Flat Contract [Findler,Felleisen’02] Pos = flat(λx.x 0) Even = flat(λx.x%2 = 0) Roman Keil, Peter Thiemann September 2, 2015 3 / 15
  43. 43. Flat Contract [Findler,Felleisen’02] Pos = flat(λx.x 0) Even = flat(λx.x%2 = 0) Assertion 1@Pos −→ 1 0@Pos −→ blame subject 0 Roman Keil, Peter Thiemann September 2, 2015 3 / 15
  44. 44. Flat Contract [Findler,Felleisen’02] Pos = flat(λx.x 0) Even = flat(λx.x%2 = 0) Assertion 1@Pos −→ 1 0@Pos −→ blame subject 0 Definition Subject V gets blamed for Flat Contract flat(M) iff: (M V ) −→∗ false Roman Keil, Peter Thiemann September 2, 2015 3 / 15
  45. 45. Higher-Order Contract [Findler,Felleisen’02] Even → Even Roman Keil, Peter Thiemann September 2, 2015 4 / 15
  46. 46. Higher-Order Contract [Findler,Felleisen’02] Even → Even Assertion ((λx.x + 1)@Even → Even) 1 −→∗ blame context 1 Definition Context gets blamed for C →D iff: Argument x gets blamed for C (as subject) Subject M gets blamed for C →D at V iff: ¬ (Context gets blamed C) ∧ (M V gets blamed D) Roman Keil, Peter Thiemann September 2, 2015 4 / 15
  47. 47. Higher-Order Contract [Findler,Felleisen’02] Even → Even Assertion ((λx.x + 1)@Even → Even) 1 −→∗ blame context 1 ((λx.x + 1)@Even → Even) 2 −→∗ blame subject Definition Context gets blamed for C →D iff: Argument x gets blamed for C (as subject) Subject M gets blamed for C →D at V iff: ¬ (Context gets blamed C) ∧ (M V gets blamed D) Roman Keil, Peter Thiemann September 2, 2015 4 / 15
  48. 48. Flat Contract Examples Odd ∪ Even Roman Keil, Peter Thiemann September 2, 2015 5 / 15
  49. 49. Flat Contract Examples Odd ∪ Even Flat Contract flat(λx.P) ∪ flat(λx.Q) ≡ flat(λx.P ∨ Q) Roman Keil, Peter Thiemann September 2, 2015 5 / 15
  50. 50. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) Definition Context gets blamed for C ∪ D iff: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iff: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
  51. 51. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) (mod3 4) −→∗ 1 Definition Context gets blamed for C ∪ D iff: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iff: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
  52. 52. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) (mod3 4) −→∗ 1 (mod3 1) −→∗ blame context 1 Definition Context gets blamed for C ∪ D iff: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iff: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
  53. 53. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) (mod3 4) −→∗ 1 (mod3 1) −→∗ blame context 1 (mod3 6) −→∗ blame subject (λx.x%3) Definition Context gets blamed for C ∪ D iff: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iff: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
  54. 54. Contract Assertion Evaluation Rule Assert ∈ ς ς = ( ) : ς ς, E[V @ C] −→∗ ς , E[V @ C] Constraint Satisfaction C-Assert µ( .subject) µ( 1.subject) µ( .context) µ( 1.context) µ |= ( 1) Roman Keil, Peter Thiemann September 2, 2015 7 / 15
  55. 55. Constraint List Constraint Satisfaction CS-Empty µ |= · CS-Cons µ |= κ µ |= ς µ |= κ : ς Roman Keil, Peter Thiemann September 2, 2015 8 / 15
  56. 56. Union Contract Evaluation Rule Union 1, 2 ∈ ς ς = ( 1 ∪ 2) : ς ς, E[V @ (C ∪ D)] −→ ς , E[(V @ 1 C) @ 2 D] Constraint Satisfaction C-Union µ( .subject) µ( 1.subject ∨ 2.subject) µ( .context) µ( 1.context ∧ 2.context) µ |= 1 ∪ 2 Roman Keil, Peter Thiemann September 2, 2015 9 / 15
  57. 57. Blame Calculation Definition ς is a blame state if there exists a top-level blame identifier such that µ( .subject) f ∨ µ( .context) f ς, M −→∗ ς , N ς is not a blame state ς, M −→ ς , N ς is blame state for ς, M −→ ς, blame Roman Keil, Peter Thiemann September 2, 2015 10 / 15
  58. 58. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  59. 59. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  60. 60. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  61. 61. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  62. 62. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  63. 63. Example Reduction Reduction −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  64. 64. Example Reduction Reduction −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  65. 65. Example Reduction Reduction −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  66. 66. Example Reduction Reduction −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  67. 67. Example Reduction Reduction −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  68. 68. Example Reduction Reduction −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  69. 69. Example Reduction Reduction −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  70. 70. Example Reduction Reduction −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
  71. 71. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  72. 72. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  73. 73. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  74. 74. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  75. 75. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  76. 76. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,f) (t,t) (f,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  77. 77. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,f) (t,f) (t,t) (f,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  78. 78. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,f) (t,f) (t,t) (t,t) (f,t) (t,t) (t,t) (t,t)(t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  79. 79. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  80. 80. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  81. 81. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  82. 82. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,f) (t,t) (t,f) (t,t) (t,f) (t,f) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
  83. 83. Technical Results Definition (Contract Satisfaction) The semantics of a contract C defines 1 a set C + of closed terms (subjects) that satisfy C 2 a set C − of closed contexts that respect C The definition is mutually inductive on the structure of C. Roman Keil, Peter Thiemann September 2, 2015 13 / 15
  84. 84. Technical Results (cont’d) Theorem (Contract soundness for expressions) For all M, C, . M @ C ∈ C + Theorem (Contract soundness for contexts) For all L, C, . L[ @ C] ∈ C − Roman Keil, Peter Thiemann September 2, 2015 14 / 15
  85. 85. Technical Results (cont’d) Theorem (Subject blame soundness) Suppose that M ∈ C +. If ς, E[M @ C] −→∗ ς , N then ς ( , subject) t. Theorem (Context blame soundness) Suppose that L ∈ C −. If ς, L[M @ C] −→∗ ς , N, then ς ( , context) t. Roman Keil, Peter Thiemann September 2, 2015 15 / 15

×