Source: ajacs.inria.fr/files/2015-03-23-thiemann.pdf
Blame Assignment for Higher-Order Contracts
with Intersection and Union
Albert-Ludwigs-Universität Freiburg
Matthias Keil Peter Thiemann
University of Freiburg
23 Mar 2015
Flat Contracts
Examples
Pos = {x | x > 0}
Even = {x | x%2 = 0}
Assertion
M@C : assert contract C to term M
10@Pos −→ 10
10@Even −→ 10
(2 − 4)@Pos contract violation (by subject −2)
(2 + 3)@Even contract violation (by subject 5)
Keil & Thiemann Blame Assignment for Higher-Order Contracts with Intersection and Union23 Mar 2015 2 / 34
Higher-Order Contracts [Findler, Felleisen 2002]
Examples
Pos → Pos     Even → Even     Pos → (Even → Even)
Assertion (first-order function)
Let f = λx. x − 10
(f@(Pos → Pos)) 100 −→ 90
(f@(Pos → Pos)) 10 blame subject f
(f@(Pos → Pos)) 0 blame context □ 0
Higher-Order Contracts II
Assertion
Let add = λx. λy. x + y and C = Pos → (Even → Even)
(add@C) 0 blame context □ 0
((add@C) 1) 1 blame context (□ 1) 1
((add@C) 1) 0 blame subject add
Contracts vs. Types
Contracts ≈ dynamically checked types
flat contracts ≈ subset types
function contracts ≈ function types
Contract work driven by types . . .
pair contracts [Hinze, Löh]
sum contracts
polymorphic contracts [Ahmed, Findler, Guha, Krishnamurthi, Matthews, Wadler]
This Work
What about intersection and union types?
Intersection types
modeling overloading
multiple inheritance
Union types
dual of intersection type
domain of overloaded function
XML typing and dynamic typing
Intersection Types
Intuition of intersection type
If a term has both type S and T, then it also possesses the intersection type S ∩ T.
A context for M : S ∩ T can choose to treat M as S or T.
Introduction and elimination for intersection [Pierce 1991]
Inter-I: $\dfrac{A \vdash V : S \qquad A \vdash V : T}{A \vdash V : S \cap T}$
Sub-Inter-L: $S \cap T <: S$
Sub-Inter-R: $S \cap T <: T$
Intersection for Overloading
An overloaded + operator
+ : Num × Num → Num
+ : Str × Str → Str
hence + : (Num × Num → Num) ∩ (Str × Str → Str)
If we had intersection contracts . . .
Let p = + @ ((Num × Num → Num) ∩ (Str × Str → Str))
p(17, 4) −→ 21
p("foo", "bar") −→ "foobar"
p(17, "bar") blame context □ (17, "bar")
No subject blame because + fulfills the intersection contract
Blaming Intersection
Let C = (Pos → Pos) ∩ (Even → Even)
Let f = λx. if x > 2 then x − 10 else x + 1
(f@C) (−1) blame context
(f@C) 0 blame subject
(f@C) 1 −→ 2
(f@C) 2 blame subject
(f@C) 3 blame subject
(f@C) 4 blame subject
Blaming Rules for Intersection
Subject blame
L[M@(C ∩ D)] blames the subject iff L[M@C] blames the subject or L[M@D] blames the subject.
Inter-I: $\dfrac{A \vdash V : S \qquad A \vdash V : T}{A \vdash V : S \cap T}$
Context blame
F[M@(C ∩ D)] blames the context iff F[M@C] blames the context and F[M@D] blames the context.
F ::= E[□ V] | . . . (an elimination context)
Sub-Inter-L: $S \cap T <: S$
Sub-Inter-R: $S \cap T <: T$
Union Types
Intuition of union type
If a term has type S or T, then it also possesses the union type S ∪ T.
A context for M : S ∪ T must be able to deal with S and T.
Introduction and elimination for union [Pierce 1991]
Union-E: $\dfrac{A \vdash M : S \cup T \qquad A, x : S \vdash N : R \qquad A, x : T \vdash N : R}{A \vdash \mathbf{let}\ x = M\ \mathbf{in}\ N : R}$
Sub-Union-L: $S <: S \cup T$
Sub-Union-R: $T <: S \cup T$
Blaming Rules for Union
Dualize rules for intersection . . .
Subject blame
E[M@(C ∪ D)] blames the subject iff E[M@C] blames the subject and E[M@D] blames the subject. Viz. introduction rule.
Context blame
L[M@(C ∪ D)] blames the context iff L[M@C] blames the context or L[M@D] blames the context. Viz. elimination rules.
Blaming Union
Let C = (Pos → Pos) ∪ (Even → Even)
Let g = λx. x − 4 (fulfills C because it fulfills Even → Even)
⇒ no subject blame arises!
(g@C) 0 blame context
(g@C) 1 blame context
(g@C) (−1) blame context
(g@C) 2 −→ −2 because of Even → Even
But there is a further twist . . .
Blaming Union II
Let C = (Pos → Pos) ∪ (Even → Even)
Let h = λx. if x % 3 = 0 then −x else x + 1
Observation: h does not fulfill C
h is not Even → Even because h(2) = 3
h is not Pos → Pos because h(3) = −3
Blaming
(h@C) 2 −→ 3 because of Pos → Pos
(h@C) 3 blame context: Even violated
(h@C) 0 blame context: Pos violated
(h@C) 6 −→ −6 because of Even → Even
Problem: no single test can detect the violation
⇒ Union must stick to one alternative
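The blaming rules of slides 10 and 12, and the first-order examples of slides 2 to 4, 9, 13 and 14, can be exercised in a small monitor. The block below is an added example written for this transcript, not code from the paper or from the authors' implementation. It records every flat check in a tree of constraint records (one record per contract operator and per function application) and recomputes blame from that tree after each check, so the combination rules are applied exactly as stated: intersection blames the subject if either side does and the context only if both do, union is the dual, and a function contract excuses the subject's result when the context already violated the domain. Because the records of a wrapped function persist across calls, the union example with h reproduces the twist of slide 14: (h@C) 2 and (h@C) 6 each pass on their own, but one wrapper that sees both calls blames h. All names (Flat, Fun, Inter, Union, Node, monitor, outcome, union_across_calls) and the "excuse the range when the domain failed" convention are this example's own assumptions, not the paper's constraint semantics.

```python
# Added example, not the authors' code: a toy monitor that assigns blame for
# flat, function, intersection and union contracts following the blaming rules
# of slides 10 and 12. Records persist across calls of one wrapped function, so
# a union "sticks to one alternative" (slide 14). All names are this example's.
from collections import namedtuple

class Blame(Exception):
    """Message is the blamed party: 'blame subject' or 'blame context'."""

Flat = namedtuple("Flat", "name pred")      # {x | P}
Fun = namedtuple("Fun", "dom rng")          # C → D
Inter = namedtuple("Inter", "left right")   # C ∩ D
Union = namedtuple("Union", "left right")   # C ∪ D

class Node:
    """Constraint record for one contract occurrence (a blame identifier b)."""
    def __init__(self, contract):
        self.contract = contract
        self.flat_ok = True   # Flat: the predicate has not failed
        self.apps = []        # Fun: one (dom, rng) node pair per application
        self.parts = None     # Inter/Union: (left, right) nodes

    def status(self):
        """(subject_ok, context_ok): can each party still be exonerated?"""
        c = self.contract
        if isinstance(c, Flat):
            return self.flat_ok, True
        if isinstance(c, Fun):
            s_ok = c_ok = True
            for dom, rng in self.apps:
                ds, dc = dom.status()
                rs, rc = rng.status()
                # subject: misused a higher-order argument, or returned a bad
                # result for an argument that did satisfy the domain
                s_ok = s_ok and dc and (rs or not ds)
                # context: passed a bad argument, or misused the result
                c_ok = c_ok and ds and rc
            return s_ok, c_ok
        ls, lc = self.parts[0].status()
        rs, rc = self.parts[1].status()
        if isinstance(c, Inter):    # subject iff either side, context iff both
            return ls and rs, lc or rc
        return ls or rs, lc and rc  # Union: the dual

def check(root):
    s_ok, c_ok = root.status()
    if not s_ok:
        raise Blame("blame subject")
    if not c_ok:
        raise Blame("blame context")

def assert_on(value, contract, node, root):
    """M@C: return value wrapped so that every check is recorded in node."""
    c = contract
    if isinstance(c, Flat):
        if not c.pred(value):
            node.flat_ok = False
        check(root)           # blame is recomputed after every flat check
        return value
    if isinstance(c, Fun):
        def wrapped(arg):
            dom, rng = Node(c.dom), Node(c.rng)
            node.apps.append((dom, rng))
            arg = assert_on(arg, c.dom, dom, root)
            return assert_on(value(arg), c.rng, rng, root)
        return wrapped
    node.parts = (Node(c.left), Node(c.right))     # M@(C op D) = (M@C)@D
    value = assert_on(value, c.left, node.parts[0], root)
    return assert_on(value, c.right, node.parts[1], root)

def monitor(value, contract):
    """Top-level assertion value@contract with a fresh constraint record."""
    root = Node(contract)
    return assert_on(value, contract, root, root)

def outcome(thunk):
    """Value of a monitored computation, or the party the monitor blames."""
    try:
        return thunk()
    except Blame as b:
        return str(b)

Pos = Flat("Pos", lambda x: x > 0)
Even = Flat("Even", lambda x: x % 2 == 0)
C_inter = Inter(Fun(Pos, Pos), Fun(Even, Even))   # slide 9
C_union = Union(Fun(Pos, Pos), Fun(Even, Even))   # slides 13 and 14
f = lambda x: x - 10 if x > 2 else x + 1          # slide 9
h = lambda x: -x if x % 3 == 0 else x + 1         # slide 14

def union_across_calls():
    """h@C applied to 2 and then 6 through the same wrapper: each call alone
    passes, but together they rule out both alternatives, so h is blamed."""
    hc = monitor(h, C_union)
    return outcome(lambda: hc(2)), outcome(lambda: hc(6))

if __name__ == "__main__":
    print([outcome(lambda: monitor(f, C_inter)(n)) for n in (-1, 0, 1, 2, 3, 4)])
    print(union_across_calls())
```

Run as a script, the first line printed is the slide-9 table for f@((Pos → Pos) ∩ (Even → Even)) and the second is the pair (3, 'blame subject') for the union example. The monitor only raises once the tree proves a violation, which is what the slides mean by "cannot blame immediately": a failed flat check nested in an intersection or union is recorded, and blame is decided by the combination rule at the root.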
A Denotational Model of Contracts
Denotational Model of Contracts
Intuition
The semantics of a contract C comprises
1. a set of terms $\llbracket C \rrbracket^+$ that fulfill the contract and
2. a set of contexts $\llbracket C \rrbracket^-$ that respect the contract.
Denotational Model
Flat contracts
1. $\llbracket \{x \mid P\} \rrbracket^+ = \{\, M \mid (\lambda x.P)\,M \not\longrightarrow^* \mathit{false} \,\}$
2. $\llbracket \{x \mid P\} \rrbracket^- = \{\, L \mid L \text{ is a context} \,\}$
Example
$\llbracket \mathit{Pos} \rrbracket^+ = \{\, M \mid M > 0 \not\longrightarrow^* \mathit{false} \,\} = \{1, 2, 3, \ldots\} \cup \{\, M \mid M \text{ diverges} \,\} \cup \{\, M \mid (M > 0) \text{ gets stuck} \,\}$
Denotational Model
Function contracts
1. $\llbracket C \to D \rrbracket^+ = \{\, M \mid \forall N \in \llbracket C \rrbracket^+.\ M\,N \in \llbracket D \rrbracket^+ \ \wedge\ \forall N \in \llbracket D \rrbracket^-.\ N[M\,\square] \in \llbracket C \rrbracket^- \,\}$
2. $\llbracket C \to D \rrbracket^- = \ldots$
Standard function interpretation
NEW: M acts on contexts by transforming a context that respects D into a context that respects C
Set of contexts that respect C → D
promise to only pass arguments that fulfill C
promise to put the result in a context respecting D
Defined by coinductive inference rules
Contexts for Function Contracts
Selected rules for $P = \llbracket C \to D \rrbracket^-$
P-Apply: $\dfrac{N \in \llbracket C \rrbracket^+ \qquad E \in \llbracket D \rrbracket^-}{E[\square\,N] \in P}$
P-Reduce: $\dfrac{N \in P \qquad M \longrightarrow N}{M \in P}$
P-Irred: $\dfrac{M \not\longrightarrow \qquad M \notin \{E[(\lambda x.N)\,\square],\ E[\square\,N]\}}{M \in P}$
$M \longrightarrow N$ is context reduction
Contexts for Function Contracts II
Beta redexes involving holes
P-Delete: $\dfrac{x \notin \mathit{free}(M)}{E[(\lambda x.M)\,\square] \in P}$
P-Linear: $\dfrac{M = F[x] \qquad E[F] \in P}{E[(\lambda x.M)\,\square] \in P}$
P-Expand: $\dfrac{\forall F, V.\ \lambda x.M = \lambda x.F[x] \Rightarrow E[F\{x \mapsto V\}] \in P}{E[(\lambda x.M)\,\square] \in P}$
P-Delete and P-Linear are special cases of P-Expand
Semantics of Intersection and Union Contracts
Intersection
1. $\llbracket C \cap D \rrbracket^+ = \llbracket C \rrbracket^+ \cap \llbracket D \rrbracket^+$
2. $\llbracket C \cap D \rrbracket^- = \llbracket C \rrbracket^- \cup \llbracket D \rrbracket^- \cup \ldots$ (defined by closing under P-Expand etc.)
Union
1. $\llbracket C \cup D \rrbracket^+ = \llbracket C \rrbracket^+ \cup \llbracket D \rrbracket^+$
2. $\llbracket C \cup D \rrbracket^- = \llbracket C \rrbracket^- \cap \llbracket D \rrbracket^-$
Cf. blaming rules and typing rules
Provable from Denotational Model
Intersection for flat contracts
{x | P} ∩ {x | Q} = {x | P ∧ Q}
Union for flat contracts
{x | P} ∪ {x | Q} = {x | P ∨ Q}
proof: simple calculation
only subject blame
context blame does not arise
Contract Monitoring
Contract Monitoring
Challenges
Small-step operational semantics
nondeterministic specification
deterministic implementation (with simulation result)
Gathering blame for intersection and union
Gathering blame across different uses of same union
Operational Semantics
Reduction relation
$\varrho, M \mapsto \varsigma, N$
M, N: terms
$\varrho$, $\varsigma$: lists of constraints in order of generation
one constraint for each contract operator →, ∪, ∩
one constraint for each evaluated flat contract
cannot blame immediately: a flat contract may be nested in an intersection or union
instead: blame computed from list of constraints
Evaluation Rules
Flat contracts
I-Flat
ς, E[V @b flat(M)] −→ ς, E[V @b eval(M V)]
I-Unit
ς, E[V @b eval(W)] −→ b ▷ W : ς, E[V]
Constraint Satisfaction
Solution of a constraint set
µ ∈ (⦇b⦈ × {subject, context}) → B
for each blame identifier b
assign subject blame and context blame
drawn from B = {t, f}, ordered by t ⊏ f
Ordering reflects gathering of information with each execution step
False has "more" information because it indicates a failing contract
Constraint Satisfaction II
Flat contracts
CT-Flat
µ(b.subject) ⊒ τ(W)    µ(b.context) ⊒ t
µ ⊨ b ▷ W
Raise blame if b is a blame label from the source program and either µ(b.subject) ⊒ f or µ(b.context) ⊒ f
Evaluation Rules
Function contracts
D-Fun
ι1, ι2 ∉ ς
ς, E[(V @b (C → D)) W] −→ b ▷ (ι1 → ι2) : ς, E[(V (W @ι1 C)) @ι2 D]
Satisfaction for function constraints
CT-Function
µ(b.subject) ⊒ µ(ι1.context ∧ (ι1.subject ⇒ ι2.subject))
µ(b.context) ⊒ µ(ι1.subject ∧ ι2.context)
µ ⊨ b ▷ ι1 → ι2
Evaluation Rules
Intersection contracts
D-Inter
ι1, ι2 ∉ ς
ς, E[(V @b (Q ∩ R)) W] −→ b ▷ (ι1 ∩ ι2) : ς, E[⟨(V @ι1 Q) W ∥ (V @ι2 R) W⟩]
Reduction proceeds independently in pair components
Shares the constraint list
Intersection constraints
CT-Intersection
µ(b.subject) ⊒ µ(ι1.subject ∧ ι2.subject)
µ(b.context) ⊒ µ(ι1.context ∨ ι2.context)
µ ⊨ b ▷ ι1 ∩ ι2
Evaluation Rules
Union contracts
Union
ι1, ι2 ∉ ς
ς, E[V @b K[C ∪ D]] −→ b ▷ (ι1 ∪ ι2) : ς, E[⟨V @ι1 K[C] ∥ V @ι2 K[D]⟩]
All uses of V refer to the same constraint on b
Inconsistent uses of the union are detected
Union constraints
CT-Union
µ(b.subject) ⊒ µ(ι1.subject ∨ ι2.subject)
µ(b.context) ⊒ µ(ι1.context ∧ ι2.context)
µ ⊨ b ▷ ι1 ∪ ι2
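The evaluation rules (I-Flat, I-Unit, D-Fun, D-Inter, Union) and the constraint rules (CT-Flat through CT-Union) from the preceding slides fit together into a small monitor, shown here as an added example. It is not TreatJS or the authors' code: the contract constructors flat, fun, inter and union, the createMonitor and scenario helpers, and the label names are this example's own, and it fixes one deterministic strategy for the nondeterministic pair (it assumes the monitored function is pure and returns the first pair component's result). Every assertion only records a constraint in ς; blame is read off the least solution µ afterwards, with B = {t, f}, t ⊏ f encoded as true ⊏ false.

```javascript
// Added example (not TreatJS or the authors' code): a small deterministic
// contract monitor built from the slides' rules. An assertion M @b C records
// constraints in a list ς instead of blaming immediately; blame is read off
// the least solution µ of ς once the program has run. B = {t, f} with t ⊏ f is
// encoded as booleans: true = t (no violation), false = f (violation).

// Contract constructors (names are this example's own)
const flat = (pred) => ({ kind: 'flat', pred });
const fun = (dom, rng) => ({ kind: 'fun', dom, rng });
const inter = (left, right) => ({ kind: 'inter', left, right });
const union = (left, right) => ({ kind: 'union', left, right });

function createMonitor() {
  const constraints = []; // ς, in order of generation
  let counter = 0;
  const fresh = () => ({ name: `ι${++counter}`, source: false }); // ι ∉ ς

  // M @b C : assert contract C to value M under blame identifier b
  function monitor(value, contract, b) {
    switch (contract.kind) {
      case 'flat':
        // I-Flat, I-Unit: evaluate the predicate and record b ▷ W; no blame
        // yet, since the flat contract may sit inside an intersection or union
        constraints.push({ kind: 'flat', b, w: Boolean(contract.pred(value)) });
        return value;
      case 'fun':
        // D-Fun: fresh ι1, ι2 and a constraint b ▷ (ι1 → ι2) per application
        return (arg) => {
          const i1 = fresh(), i2 = fresh();
          constraints.push({ kind: 'fun', b, i1, i2 });
          return monitor(value(monitor(arg, contract.dom, i1)), contract.rng, i2);
        };
      case 'inter':
        // D-Inter: delayed to application; both pair components run on the
        // same argument and share ς. Assumes a pure function, so the first
        // component's result stands for the pair
        return (arg) => {
          const i1 = fresh(), i2 = fresh();
          constraints.push({ kind: 'inter', b, i1, i2 });
          const result = monitor(value, contract.left, i1)(arg);
          monitor(value, contract.right, i2)(arg);
          return result;
        };
      case 'union': {
        // Union: a single constraint b ▷ (ι1 ∪ ι2); every later use of the
        // value feeds the same ι1 and ι2, so inconsistent uses meet on b
        const i1 = fresh(), i2 = fresh();
        constraints.push({ kind: 'union', b, i1, i2 });
        const left = monitor(value, contract.left, i1);
        const right = monitor(value, contract.right, i2);
        if (typeof value !== 'function') return value;
        return (arg) => { const result = left(arg); right(arg); return result; };
      }
      default:
        throw new Error(`unknown contract kind ${contract.kind}`);
    }
  }

  // µ(b.side) ⊒ rhs for every constraint on b. With t ⊏ f the least solution
  // is the conjunction of all right-hand sides; no constraint means t.
  const mu = (b, side) =>
    constraints.filter((c) => c.b === b).every((c) => rhs(c, side));
  function rhs(c, side) {
    const s = (l) => mu(l, 'subject');
    const k = (l) => mu(l, 'context');
    const subj = side === 'subject';
    switch (c.kind) {
      case 'flat':  return subj ? c.w : true;                              // CT-Flat
      case 'fun':   return subj ? k(c.i1) && (!s(c.i1) || s(c.i2))         // CT-Function
                                : s(c.i1) && k(c.i2);
      case 'inter': return subj ? s(c.i1) && s(c.i2) : k(c.i1) || k(c.i2); // CT-Intersection
      case 'union': return subj ? s(c.i1) || s(c.i2) : k(c.i1) && k(c.i2); // CT-Union
      default:      return true;
    }
  }

  // Blame is raised only for labels from the source program whose value is f
  const blame = (b) => ({ subject: b.source && !mu(b, 'subject'),
                          context: b.source && !mu(b, 'context') });
  return { monitor, blame, constraints };
}

// Run one contracted value through a list of uses and report blame on b
function scenario(contract, value, uses = []) {
  const m = createMonitor();
  const b = { name: 'b', source: true };
  const guarded = m.monitor(value, contract, b);
  for (const arg of uses) guarded(arg);
  return m.blame(b);
}

// Constructed sample contracts, as on the slides
const Pos = flat((x) => x > 0);
const Even = flat((x) => x % 2 === 0);

// Flat and union of flats: only subject blame can arise
scenario(Pos, -2);                                   // subject blame
scenario(union(Pos, Even), -2);                      // no blame: Even holds
// Function contract: a bad argument gives context blame, not subject blame
scenario(fun(Pos, Pos), (x) => x - 5, [-1]);         // context blame
// Intersection: the context may satisfy either domain; union: it must satisfy both
scenario(inter(fun(Pos, Pos), fun(Even, Even)), (x) => x, [3]);  // no blame
scenario(union(fun(Pos, Pos), fun(Even, Even)), (x) => x, [3]);  // context blame
// Inconsistent use of a union across two calls is caught on the source label b
scenario(union(fun(Pos, Pos), fun(Even, Even)),
         (x) => (x === 2 ? -2 : x + 1), [2, 4]);                  // subject blame
```

The last scenario is the union slide's point: each call on its own satisfies one of the two function contracts (the first call behaves like Even → Even, the second like Pos → Pos), but because both applications feed the same ι1 and ι2 under the single constraint on b, the conjunction over all uses leaves neither ι1.subject nor ι2.subject at t, and CT-Union then forces subject blame on b. The solver recurses over the constraints as a tree, which is enough for these examples; the non-monotone ⇒ in CT-Function is why the slides note that solutions do not grow monotonically as constraints are added.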
Results
Contract soundness
1 M @♭ C ∈ ⟦C⟧⁺.
2 L[□ @♭ C] ∈ ⟦C⟧⁻.
Subject blame soundness (abridged)
Suppose that M ∈ ⟦C⟧⁺. If ϱ, E[M @b C] ⟼* ς, N, then ⟦ς⟧(b, subject) ⊑ t.
Context blame soundness (abridged)
Suppose that L ∈ ⟦C⟧⁻. If ϱ, L[M @b C] ⟼* ς, N, then ⟦ς⟧(b, context) ⊑ t.
Further Challenges Addressed
Deal with (A ∪ B) ∩ (C ∪ D)
Solutions don't increase monotonically when new constraints are added
Deterministic semantics and simulation
Implementation
Conclusions
First investigation of intersection and union contracts
Novel semantics of contracts (subject, context)
Implemented in TreatJS, a new contract system for JavaScript, which is available on the web: http://proglang.informatik.uni-freiburg.de/treatjs/