Successfully reported this slideshow.                                                                                     Upcoming SlideShare
×
• Full Name
Comment goes here.

Are you sure you want to Yes No • Be the first to like this

### Blame Assignment for Higher-Order Contracts with Intersection and Union

1. 1. Blame Assignment for Higher-Order Contracts with Intersection and Union Roman Matthias Keil, Peter Thiemann University of Freiburg, Germany September 2, 2015, The 20th ACM SIGPLAN International Conference on Functional Programming, ICFP 2015 Vancouver, British Columbia, Canada
2. 2. Higher-Order Contracts Even = ﬂat(λx.x%2 = 0) Odd = ﬂat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) Roman Keil, Peter Thiemann September 2, 2015 2 / 18
3. 3. Higher-Order Contracts Even = ﬂat(λx.x%2 = 0) Odd = ﬂat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
4. 4. Higher-Order Contracts Even = ﬂat(λx.x%2 = 0) Odd = ﬂat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
5. 5. Higher-Order Contracts Even = ﬂat(λx.x%2 = 0) Odd = ﬂat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Assertion (Odd → Odd) Let add2Odd = ((λx.x + 2) @ (Odd → Odd)) Roman Keil, Peter Thiemann September 2, 2015 2 / 18
6. 6. Higher-Order Contracts Even = ﬂat(λx.x%2 = 0) Odd = ﬂat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Assertion (Odd → Odd) Let add2Odd = ((λx.x + 2) @ (Odd → Odd)) (add2Odd 1) −→∗ 3 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
7. 7. Higher-Order Contracts Even = ﬂat(λx.x%2 = 0) Odd = ﬂat(λx.x%2 = 1) Assertion (Even → Even) Let add2Even = ((λx.x + 2) @ (Even → Even)) (add2Even 2) −→∗ 4 (add2Even 1) −→∗ blame context 1 Assertion (Odd → Odd) Let add2Odd = ((λx.x + 2) @ (Odd → Odd)) (add2Odd 1) −→∗ 3 (add2Odd 2) −→∗ blame context 2 Roman Keil, Peter Thiemann September 2, 2015 2 / 18
8. 8. Combination of Contracts Observation λx.x + 2 works for even and odd arguments Roman Keil, Peter Thiemann September 2, 2015 3 / 18
9. 9. Combination of Contracts Observation λx.x + 2 works for even and odd arguments λx.x + 2 fulﬁlls Odd → Odd and Even → Even Roman Keil, Peter Thiemann September 2, 2015 3 / 18
10. 10. Combination of Contracts Observation λx.x + 2 works for even and odd arguments λx.x + 2 fulﬁlls Odd → Odd and Even → Even How can we express that with a single contract? Roman Keil, Peter Thiemann September 2, 2015 3 / 18
11. 11. Combination of Contracts Observation λx.x + 2 works for even and odd arguments λx.x + 2 fulﬁlls Odd → Odd and Even → Even How can we express that with a single contract? Intersection Contract! Roman Keil, Peter Thiemann September 2, 2015 3 / 18
12. 12. Inspiration Intersection Type V : S ∩ T Models overloading Models multiple inheritances Union Type V : S ∪ T Dual of intersection type Domain of overloaded functions Roman Keil, Peter Thiemann September 2, 2015 4 / 18
13. 13. This Work Extend higher-order contracts with intersection and union Speciﬁcation based on the type theoretic construction Assertion (Even → Even) ∩ (Odd → Odd) Let add2 = ((λx.x + 2) @ (Even → Even) ∩ (Odd → Odd)) (add2 2) −→∗ 4 (add2 1) −→∗ 3 No blame because of the intersection contract! Roman Keil, Peter Thiemann September 2, 2015 5 / 18
14. 14. Flat Contract Even = ﬂat(λx.x%2 = 0) Odd = ﬂat(λx.x%2 = 1) Pos = ﬂat(λx.x 0) Examples Pos ∩ Even Flat Contract ﬂat(λx.P) ∩ ﬂat(λx.Q) ≡ ﬂat(λx.P ∧ Q) Roman Keil, Peter Thiemann September 2, 2015 6 / 18
15. 15. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) Deﬁnition Context gets blamed for C ∩ D iﬀ: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iﬀ: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
16. 16. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) (add1 3) −→∗ 4 Deﬁnition Context gets blamed for C ∩ D iﬀ: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iﬀ: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
17. 17. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) (add1 3) −→∗ 4 (add1 −1) −→∗ blame context −1 Deﬁnition Context gets blamed for C ∩ D iﬀ: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iﬀ: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
18. 18. Intersection Contract Assertion Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) (add1 3) −→∗ 4 (add1 −1) −→∗ blame context −1 (add1 2) −→∗ blame subject (λx.x + 1) Deﬁnition Context gets blamed for C ∩ D iﬀ: (Context gets blamed for C) ∧ (Context gets blamed for D) Subject M gets blamed for C ∩ D iﬀ: (M gets blamed for C) ∨ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 7 / 18
19. 19. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in diﬀerent sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
20. 20. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in diﬀerent sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
21. 21. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in diﬀerent sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
22. 22. Contract Assertion Example ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 A failing contract must not signal a violation immediately Violation depends on combinations of failures in diﬀerent sub-contracts Contract assertion must connect each contract with the enclosing operations Roman Keil, Peter Thiemann September 2, 2015 8 / 18
23. 23. Operational Semantics Reduction Relation ς, M −→ ς , N M, N expressions ς list of constraints One constraint for each contract operator →, ∩, ∪ One constraint for each ﬂat contract Blame calculation from a list of constraints Roman Keil, Peter Thiemann September 2, 2015 9 / 18
24. 24. Flat Contract Evaluation Rule Flat M V −→∗ W ς = (W ) : ς ς, E[V @ ﬂat(M)] −→ ς , E[V ] Roman Keil, Peter Thiemann September 2, 2015 10 / 18
25. 25. Interpretation Interpretation of a constraint list µ ∈ ( × {subject, context}) → B An interpretation µ is a mapping from blame label to records of elements of B = {t, f}, order t f Ordering reﬂects gathering of information with each execution step Each blame label is associated with two truth values, .subject and .context Roman Keil, Peter Thiemann September 2, 2015 11 / 18
26. 26. Flat Contract (cont’d) Evaluation Rule Flat M V −→∗ W ς = (W ) : ς ς, E[V @ ﬂat(M)] −→ ς , E[V ] Constraint Satisfaction C-Flat µ( .subject) W µ( .context) t µ |= W Roman Keil, Peter Thiemann September 2, 2015 12 / 18
27. 27. Blame Calculation Deﬁnition ς is a blame state if there exists a top-level blame label such that µ( .subject) f ∨ µ( .context) f Evaluation stops if a blame state is reached. Roman Keil, Peter Thiemann September 2, 2015 13 / 18
28. 28. Function Contract Evaluation Rule Function 1, 2 ∈ ς ς = ( 1 → 2) : ς ς, E[(V @ (C →D)) W ] −→ ς , E[(V (W @ 1 C)) @ 2 D] Constraint Satisfaction C-Function µ( .subject) µ( 1.context ∧ ( 1.subject ⇒ 2.subject)) µ( .context) µ( 1.subject ∧ 2.context) µ |= 1 → 2 Roman Keil, Peter Thiemann September 2, 2015 14 / 18
29. 29. Intersection Contract Evaluation Rule Intersection 1, 2 ∈ ς ς = ( 1 ∩ 2) : ς ς, E[(V @ (Q ∩ R)) W ] −→ ς , E[((V @ 1 Q) @ 2 R) W ] Constraint Satisfaction C-Intersection µ( .subject) µ( 1.subject ∧ 2.subject) µ( .context) µ( 1.context ∨ 2.context) µ |= 1 ∩ 2 Roman Keil, Peter Thiemann September 2, 2015 15 / 18
30. 30. Union Contract Dual of intersection contract Exchange ∧ and ∨ in the blame calculation Delayed evaluation changes to an immediate evaluation Roman Keil, Peter Thiemann September 2, 2015 16 / 18
31. 31. In the Paper Technical Results Contract Rewriting Deterministic and nondeterministic speciﬁcation of contract monitoring Denotational speciﬁcation of the semantics of contracts Theorems for contract and blame soundness Roman Keil, Peter Thiemann September 2, 2015 17 / 18
32. 32. Conclusion Intersection and union contracts provide dynamic guarantees equivalent to their type-theoretic counterparts Constraint-based blame calculation enables higher-order contracts with unrestricted intersection and union Formal basis of TreatJS, a language embedded, higher-order contract system implemented for JavaScript Roman Keil, Peter Thiemann September 2, 2015 18 / 18
33. 33. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) Reduction ς, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 Roman Keil, Peter Thiemann September 2, 2015 1 / 15
34. 34. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t)(t,t) Reduction −→ ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 Roman Keil, Peter Thiemann September 2, 2015 1 / 15
35. 35. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) (t,t) (t,t) Reduction −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
36. 36. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t)(f,t) (t,t) (t,t)(t,f) (t,t) Reduction −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
37. 37. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (f,t) (t,t)(t,f) (t,t) (t,t) (t,t) Reduction −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
38. 38. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (f,t) (t,t)(t,f) (t,t) (t,t) (t,t)(t,t) Reduction −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
39. 39. Constraint Graph ... ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (f,t) (t,t)(t,f) (t,t) (t,t)(t,t) Reduction −→ · · · , (1 @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 1 / 15
40. 40. Constraint Graph ... ∩ → Even Even → Pos Pos (t,f) (t,t) (t,f) (f,t) (t,t)(t,f) (t,f) (t,t)(t,t) (t,f) Reduction −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 1 / 15
41. 41. Intersection and Union Types Intersection Type λx.x + 2 : Even → Even λx.x + 2 : Odd → Odd λx.x + 2 : Even → Even ∩ Odd → Odd Union Type λx.x − 2 : Even → Even λx.x − 2 : Even → Even ∪ Pos → Pos Roman Keil, Peter Thiemann September 2, 2015 2 / 15
42. 42. Flat Contract [Findler,Felleisen’02] Pos = ﬂat(λx.x 0) Even = ﬂat(λx.x%2 = 0) Roman Keil, Peter Thiemann September 2, 2015 3 / 15
43. 43. Flat Contract [Findler,Felleisen’02] Pos = ﬂat(λx.x 0) Even = ﬂat(λx.x%2 = 0) Assertion 1@Pos −→ 1 0@Pos −→ blame subject 0 Roman Keil, Peter Thiemann September 2, 2015 3 / 15
44. 44. Flat Contract [Findler,Felleisen’02] Pos = ﬂat(λx.x 0) Even = ﬂat(λx.x%2 = 0) Assertion 1@Pos −→ 1 0@Pos −→ blame subject 0 Deﬁnition Subject V gets blamed for Flat Contract ﬂat(M) iﬀ: (M V ) −→∗ false Roman Keil, Peter Thiemann September 2, 2015 3 / 15
45. 45. Higher-Order Contract [Findler,Felleisen’02] Even → Even Roman Keil, Peter Thiemann September 2, 2015 4 / 15
46. 46. Higher-Order Contract [Findler,Felleisen’02] Even → Even Assertion ((λx.x + 1)@Even → Even) 1 −→∗ blame context 1 Deﬁnition Context gets blamed for C →D iﬀ: Argument x gets blamed for C (as subject) Subject M gets blamed for C →D at V iﬀ: ¬ (Context gets blamed C) ∧ (M V gets blamed D) Roman Keil, Peter Thiemann September 2, 2015 4 / 15
47. 47. Higher-Order Contract [Findler,Felleisen’02] Even → Even Assertion ((λx.x + 1)@Even → Even) 1 −→∗ blame context 1 ((λx.x + 1)@Even → Even) 2 −→∗ blame subject Deﬁnition Context gets blamed for C →D iﬀ: Argument x gets blamed for C (as subject) Subject M gets blamed for C →D at V iﬀ: ¬ (Context gets blamed C) ∧ (M V gets blamed D) Roman Keil, Peter Thiemann September 2, 2015 4 / 15
48. 48. Flat Contract Examples Odd ∪ Even Roman Keil, Peter Thiemann September 2, 2015 5 / 15
49. 49. Flat Contract Examples Odd ∪ Even Flat Contract ﬂat(λx.P) ∪ ﬂat(λx.Q) ≡ ﬂat(λx.P ∨ Q) Roman Keil, Peter Thiemann September 2, 2015 5 / 15
50. 50. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) Deﬁnition Context gets blamed for C ∪ D iﬀ: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iﬀ: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
51. 51. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) (mod3 4) −→∗ 1 Deﬁnition Context gets blamed for C ∪ D iﬀ: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iﬀ: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
52. 52. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) (mod3 4) −→∗ 1 (mod3 1) −→∗ blame context 1 Deﬁnition Context gets blamed for C ∪ D iﬀ: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iﬀ: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
53. 53. Union Contract Assertion Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos)) (mod3 4) −→∗ 1 (mod3 1) −→∗ blame context 1 (mod3 6) −→∗ blame subject (λx.x%3) Deﬁnition Context gets blamed for C ∪ D iﬀ: (Context gets blamed for C) ∨ (Context gets blamed for D) Subject M gets blamed for C ∪ D iﬀ: (M gets blamed for C) ∧ (M gets blamed for D) Roman Keil, Peter Thiemann September 2, 2015 6 / 15
54. 54. Contract Assertion Evaluation Rule Assert ∈ ς ς = ( ) : ς ς, E[V @ C] −→∗ ς , E[V @ C] Constraint Satisfaction C-Assert µ( .subject) µ( 1.subject) µ( .context) µ( 1.context) µ |= ( 1) Roman Keil, Peter Thiemann September 2, 2015 7 / 15
55. 55. Constraint List Constraint Satisfaction CS-Empty µ |= · CS-Cons µ |= κ µ |= ς µ |= κ : ς Roman Keil, Peter Thiemann September 2, 2015 8 / 15
56. 56. Union Contract Evaluation Rule Union 1, 2 ∈ ς ς = ( 1 ∪ 2) : ς ς, E[V @ (C ∪ D)] −→ ς , E[(V @ 1 C) @ 2 D] Constraint Satisfaction C-Union µ( .subject) µ( 1.subject ∨ 2.subject) µ( .context) µ( 1.context ∧ 2.context) µ |= 1 ∪ 2 Roman Keil, Peter Thiemann September 2, 2015 9 / 15
57. 57. Blame Calculation Deﬁnition ς is a blame state if there exists a top-level blame identiﬁer such that µ( .subject) f ∨ µ( .context) f ς, M −→∗ ς , N ς is not a blame state ς, M −→ ς , N ς is blame state for ς, M −→ ς, blame Roman Keil, Peter Thiemann September 2, 2015 10 / 15
58. 58. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 Roman Keil, Peter Thiemann September 2, 2015 11 / 15
59. 59. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 Roman Keil, Peter Thiemann September 2, 2015 11 / 15
60. 60. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 Roman Keil, Peter Thiemann September 2, 2015 11 / 15
61. 61. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
62. 62. Example Reduction Reduction ·, ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0 −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
63. 63. Example Reduction Reduction −→ ( 0) : ·, ((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0 −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
64. 64. Example Reduction Reduction −→ 0 ( 1 ∩ 2) : · · · , (((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0 −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
65. 65. Example Reduction Reduction −→ 2 ( 3 → 4) : · · · , (((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos Roman Keil, Peter Thiemann September 2, 2015 11 / 15
66. 66. Example Reduction Reduction −→ 3 (false) : · · · , (((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
67. 67. Example Reduction Reduction −→ 1 ( 5 → 6) : · · · , (((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
68. 68. Example Reduction Reduction −→ 5 (true) : · · · , (((λx.x + 1) 0) @ 6 Even) @ 4 Pos −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
69. 69. Example Reduction Reduction −→ · · · , (1 @ 6 Even) @ 4 Pos −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
70. 70. Example Reduction Reduction −→ 6 (false) : · · · , blame Roman Keil, Peter Thiemann September 2, 2015 11 / 15
71. 71. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
72. 72. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
73. 73. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
74. 74. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
75. 75. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
76. 76. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,f) (t,t) (f,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
77. 77. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,f) (t,f) (t,t) (f,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
78. 78. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,f) (t,f) (t,t) (t,t) (f,t) (t,t) (t,t) (t,t)(t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 Roman Keil, Peter Thiemann September 2, 2015 12 / 15
79. 79. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
80. 80. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
81. 81. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,t) (t,t) (t,t) (t,t) (t,t) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
82. 82. Constraint Graph ∩ → Even Even → Pos Pos ∩ → Even Even → Pos Pos (t,t) (t,f) (t,t) (t,f) (t,t) (t,f) (t,f) Example ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ Roman Keil, Peter Thiemann September 2, 2015 12 / 15
83. 83. Technical Results Deﬁnition (Contract Satisfaction) The semantics of a contract C deﬁnes 1 a set C + of closed terms (subjects) that satisfy C 2 a set C − of closed contexts that respect C The deﬁnition is mutually inductive on the structure of C. Roman Keil, Peter Thiemann September 2, 2015 13 / 15
84. 84. Technical Results (cont’d) Theorem (Contract soundness for expressions) For all M, C, . M @ C ∈ C + Theorem (Contract soundness for contexts) For all L, C, . L[ @ C] ∈ C − Roman Keil, Peter Thiemann September 2, 2015 14 / 15
85. 85. Technical Results (cont’d) Theorem (Subject blame soundness) Suppose that M ∈ C +. If ς, E[M @ C] −→∗ ς , N then ς ( , subject) t. Theorem (Context blame soundness) Suppose that L ∈ C −. If ς, L[M @ C] −→∗ ς , N, then ς ( , context) t. Roman Keil, Peter Thiemann September 2, 2015 15 / 15