Blame Assignment for Higher-Order Contracts with ...ajacs.inria.fr/files/2015-03-23-Thiemann.pdf · 3/23/2015 · Keil & Thiemann Blame Assignment for Higher-Order Contracts with

Blame Assignment for Higher-Order Contracts

with Intersection and Union

Albert-Ludwigs-Universitat Freiburg

Matthias Keil Peter Thiemann

University of Freiburg

23 Mar 2015

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion

M@C : assert contract C to term M

10@Pos −→ 10

10@Even −→ 10

(2− 4)@Pos contract violation (by subject −2)

(2 + 3)@Even contract violation (by subject 5)

Keil & Thiemann Blame Assignment for Higher-Order Contracts with Intersection and Union23 Mar 2015 2 / 34

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion


10@Pos −→ 10

10@Even −→ 10




Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion


10@Pos −→ 10

10@Even −→ 10




Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion


10@Pos −→ 10

10@Even −→ 10




Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion


10@Pos −→ 10

10@Even −→ 10




Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion


10@Pos −→ 10

10@Even −→ 10




Higher-Order Contracts [Findler, Felleisen 2002]

Examples

Pos→ Pos Even→ Even Pos→ (Even→ Even)

Assertion (first-order function)

Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90

(f @(Pos→ Pos)) 10 blame subject f

(f @(Pos→ Pos)) 0 blame context � 0



Examples



Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90





Examples



Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90





Examples



Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90





Examples



Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90




Higher-Order Contracts II

Assertion

Let add = λx .λy .x + y and C = Pos→ (Even→ Even)

(add@C ) 0 blame context � 0

((add@C ) 1) 1 blame context (� 1) 1

((add@C ) 1) 0 blame subject add



Assertion







Assertion







Assertion






Contracts vs. Types

Contracts ≈ dynamically checked types

flat contracts ≈ subset types

function contracts ≈ function types

Contract work driven by types . . .

pair contracts [Hinze, Loh]

sum contracts

polymorphic contracts [Ahmed, Findler, Guha,Krishnamurthi, Matthews, Wadler]


Contracts vs. Types

Contracts ≈ dynamically checked types

flat contracts ≈ subset types

function contracts ≈ function types

Contract work driven by types . . .

pair contracts [Hinze, Loh]

sum contracts

polymorphic contracts [Ahmed, Findler, Guha,Krishnamurthi, Matthews, Wadler]


This Work

What about intersection and union types?

Intersection types

modeling overloading

multiple inheritance

Union types

dual of intersection type

domain of overloaded function

XML typing and dynamic typing


This Work


Intersection types



Union types





This Work


Intersection types



Union types





This Work


Intersection types



Union types





Intersection Types

Intuition of intersection type

If a term has both type S and T , then it also possesses theintersection type S ∩ T .

A context for M : S ∩ T can choose to treat M as S or T .

Introduction and elimination for intersection [Pierce 1991]

Inter-IA ` V : S A ` V : T

A ` V : S ∩ T

Sub-Inter-L

S ∩ T <: SSub-Inter-R

S ∩ T <: T


Intersection for Overloading

An overloaded + operator

+ : Num × Num→ Num

+ : Str × Str → Str

hence + : (Num × Num→ Num) ∩ (Str × Str → Str)

If we had intersection contracts . . .

Let p = +@(Num × Num→ Num) ∩ (Str × Str → Str)

p(17, 4) −→ 21

p(”foo”, ”bar”) −→ ”foobar”

p(17, ”bar”) blame context � (17, ”bar”)

No subject blame because + fulfills the intersection contract









p(17, 4) −→ 21












p(17, 4) −→ 21












p(17, 4) −→ 21












p(17, 4) −→ 21












p(17, 4) −→ 21





Blaming Intersection

Let C = (Pos→ Pos) ∩ (Even→ Even)Let f = λx .if x > 2 then x − 10 else x + 1

(f @C ) (−1) blame context

(f @C ) 0 blame subject

(f @C ) 1 −→ 2









(f @C ) 1 −→ 2









(f @C ) 1 −→ 2









(f @C ) 1 −→ 2









(f @C ) 1 −→ 2









(f @C ) 1 −→ 2









(f @C ) 1 −→ 2





Blaming Rules for Intersection

Subject blame

L[M@(C ∩ D)] blames the subject iffL[M@C ] blames the subject or L[M@D] blames the subject.


A ` V : S ∩ T

Context blame

F [M@(C ∩ D)] blames the context iffF [M@C ] blames the context and F [M@D] blames the context.

F ::= E [�V ] | . . . an elimination context

Sub-Inter-LS ∩ T <: S

Sub-Inter-RS ∩ T <: T


Blaming Rules for Intersection

Subject blame

L[M@(C ∩ D)] blames the subject iffL[M@C ] blames the subject or L[M@D] blames the subject.


A ` V : S ∩ T

Context blame

F [M@(C ∩ D)] blames the context iffF [M@C ] blames the context and F [M@D] blames the context.

F ::= E [�V ] | . . . an elimination context

Sub-Inter-LS ∩ T <: S

Sub-Inter-RS ∩ T <: T


Union Types

Intuition of union type

If a term has type S or T , then it also possesses the uniontype S ∪ T .

A context for M : S ∪T must be able to deal with S and T .

Introduction and elimination for union [Pierce 1991]

Union-EA ` M : S ∪ T A, x : S ` N : R A, x : T ` N : R

A ` let x = M in N : R

Sub-Union-L

S <: S ∪ TSub-Union-R

T <: S ∪ T


Union Types







Sub-Union-L


T <: S ∪ T


Union Types







Sub-Union-L


T <: S ∪ T


Blaming Rules for Union

Dualize rules for intersection . . .

Subject blame

E [M@(C ∪ D)] blames the subject iffE [M@C ] blames the subject and E [M@D] blames the subject.Viz. introduction rule.

Context blame

L[M@(C ∪ D)] blames the context iffL[M@C ] blames the context or L[M@D] blames the context.Viz. elimination rules.




Subject blame


Context blame





Subject blame


Context blame



Blaming Union

Let C = (Pos→ Pos) ∪ (Even→ Even)Let g = λx .x − 4 (fulfills C because it fulfills Even→ Even)⇒ no subject blame arises!

(g@C ) 0 blame context


(g@C ) (−1) blame context

(g@C ) 2 −→ −2 because of Even→ Even

But there is a further twist . . .


Blaming Union








Blaming Union








Blaming Union








Blaming Union








Blaming Union II

Let C = (Pos→ Pos) ∪ (Even→ Even)Let h = λx .if x%3 = 0 then − x else x + 1

Observation: h does not fulfill C

h is not Even→ Even because h(2) = 3

h is not Pos→ Pos because h(3) = −3

Blaming

(h@C ) 2 −→ 3 because of Pos→ Pos

(h@C ) 3 blame context: Even violated

(h@C ) 0 blame context: Pos violated

(h@C ) 6 −→ −6 because of Even→ Even

Problem: no single test can detect the violation


Blaming Union II





Blaming







Blaming Union II





Blaming







Blaming Union II





Blaming







Blaming Union II





Blaming







Blaming Union II





Blaming







Blaming Union II





Blaming







Blaming Union II





Blaming





⇒ Union must stick to one alternative


A Denotational Model of Contracts


Denotational Model of Contracts

Intuition

The semantics of a contract C comprises

1 a set of terms JCK+ that fulfill the contract and

2 a set of contexts JCK− that respect the contract.


Denotational Model

Flat contracts

1 J{x | P}K+ = {M | (λx .P) M 6−→∗ false}2 J{x | P}K− = {L | L is a context}

Example

JPosK+ = {M | M > 0 6−→∗ false}= {1, 2, 3, . . . } ∪{M | M diverges} ∪{M | (M > 0) gets stuck}


Denotational Model

Flat contracts

1 J{x | P}K+ = {M | (λx .P) M 6−→∗ false}2 J{x | P}K− = {L | L is a context}

Example

JPosK+ = {M | M > 0 6−→∗ false}= {1, 2, 3, . . . } ∪{M | M diverges} ∪{M | (M > 0) gets stuck}


Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .

Standard function interpretation

NEW M acts on contexts by transforming a context thatrespects D into a context that respects C

Set of contexts that respect C→D

promise to only pass argument that fulfill Cpromise to put result in context respecting D

Defined by coinductive inference rules


Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .







Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .







Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .







Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .







Contexts for Function Contracts

Selected rules for P = JC→DK−

P-ApplyN ∈ JCK+ E ∈ JDK−

E [�N] ∈ P

P-ReduceN ∈ P M−→ N

M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P





E [�N] ∈ P


M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P





E [�N] ∈ P


M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P

M−→ N is context reduction





E [�N] ∈ P


M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P


Contexts for Function Contracts II

Beta redexes involving holes

P-Deletex /∈ free(M)

E [(λx .M)�] ∈ P

P-LinearM = F [x ] E [F ] ∈ P

E [(λx .M)�] ∈ P

P-Expand∀F ,V . λx .M = λx .F [x ]⇒ E [F{x 7→ V }] ∈ P

E [(λx .M)�] ∈ P

P-Delete and P-Linear are special cases of P-Expand





E [(λx .M)�] ∈ P


E [(λx .M)�] ∈ P


E [(λx .M)�] ∈ P






E [(λx .M)�] ∈ P


E [(λx .M)�] ∈ P


E [(λx .M)�] ∈ P






E [(λx .M)�] ∈ P


E [(λx .M)�] ∈ P


E [(λx .M)�] ∈ P



Semantics of Intersection and Union Contracts

Intersection

1 JC ∩ DK+ = JCK+ ∩ JDK+

2 JC ∩ DK− = JCK− ∪ JDK− ∪ . . .(defined by closing under P-Expand etc)

Union

1 JC ∪ DK+ = JCK+ ∪ JDK+

2 JC ∪ DK− = JCK− ∩ JDK−

Cf. blaming rules and typing rules



Intersection



Union






Intersection



Union





Provable from Denotational Model

Intersection for flat contracts

{x | P} ∩ {x | Q} = {x | P ∧ Q}

Union for flat contracts

{x | P} ∪ {x | Q} = {x | P ∨ Q}

proof: simple calculation

only subject blame

context blame does not arise


Contract Monitoring


Contract Monitoring

Challenges

Small-step operational semantics

nondeterministic specificationdeterministic implementation (with simulation result)

Gathering blame for intersection and union

Gathering blame across different uses of same union


Operational Semantics

Reduction relation

%,M 7→ ς,N

M,N terms

%, ς lists of constraints in order of generation

one constraint for each contract operator →, ∪, ∩one constraint for each evaluated flat contract

cannot blame immediately: flat contract may be nested inintersection or union

instead: blame computed from list of constraints



Reduction relation

%,M 7→ ς,N

M,N terms







Reduction relation

%,M 7→ ς,N

M,N terms


one constraint for each contract operator →, ∪, ∩

one constraint for each evaluated flat contract





Reduction relation

%,M 7→ ς,N

M,N terms







Reduction relation

%,M 7→ ς,N

M,N terms







Reduction relation

%,M 7→ ς,N

M,N terms






Evaluation Rules

Flat contracts

I-Flat

ς,E [V @b flat(M)] −→ ς,E [V @b eval(M V )]

I-Unit

ς,E [V @b eval(W )] −→ b J (W ) : ς,E [V ]


Evaluation Rules

Flat contracts

I-Flat

ς,E [V @b flat(M)] −→ ς,E [V @b eval(M V )]

I-Unit

ς,E [V @b eval(W )] −→ b J (W ) : ς,E [V ]


Constraint Satisfaction

Solution of a constraint set

µ ∈ (LbM× {subject, context})→ B

for each blame identifier b

assign subject blame and context blame

drawn from B = {t, f}ordered by t @ f

Ordering reflects gathering of information with eachexecution step

False has “more” information because it indicates a failingcontract




















Constraint Satisfaction II

Flat contracts

CT-Flatµ(b.subject) w τ(W ) µ(b.context) w t

µ |= b JW

Raise blame if b is a blame label from the source programand either µ(b.subject) w f or µ(b.context) w f


Constraint Satisfaction II

Flat contracts

CT-Flatµ(b.subject) w τ(W ) µ(b.context) w t

µ |= b JW

Raise blame if b is a blame label from the source programand either µ(b.subject) w f or µ(b.context) w f


Evaluation Rules

Function contracts

D-Funι1, ι2 6∈ ς

ς,E [(V @b (C→D)) W ]−→ b J (ι1→ ι2) : ς,E [(V (W @ι1 C )) @ι2 D]

Satisfaction for function constraints

CT-Functionµ(b.subject) w µ(ι1.context∧(ι1.subject⇒ι2.subject))

µ(b.context) w µ(ι1.subject∧ι2.context)

µ |= b J ι1→ ι2


Evaluation Rules

Function contracts






µ |= b J ι1→ ι2


Evaluation Rules

Function contracts






µ |= b J ι1→ ι2


Evaluation Rules

Intersection contracts

D-Interι1, ι2 6∈ ς

ς,E [(V @b (Q ∩ R)) W ]−→ b J (ι1 ∩ ι2) : ς,E [〈(V @ι1 Q) W 8 (V @ι2 R) W 〉]

Reduction proceeds independently in pair components

Shares the constraint list

Intersection constraints

CT-Intersectionµ(b.subject) w µ(ι1.subject∧ι2.subject)µ(b.context) w µ(ι1.context∨ι2.context)

µ |= b J ι1 ∩ ι2


Evaluation Rules








µ |= b J ι1 ∩ ι2


Evaluation Rules








µ |= b J ι1 ∩ ι2


Evaluation Rules








µ |= b J ι1 ∩ ι2


Evaluation Rules








µ |= b J ι1 ∩ ι2


Evaluation Rules

Union contracts

Unionι1, ι2 6∈ ς

ς,E [V @b (K[C ∪ D])]−→ b J (ι1 ∪ ι2) : ς,E [〈V @ι1 K[C ] 8 V @ι2 K[D]〉]

All uses of V refer to the same constraint on b

Inconsistent uses of the union are detected

Union constraints

CT-Unionµ(b.subject) w µ(ι1.subject∨ι2.subject)µ(b.context) w µ(ι1.context∧ι2.context)

µ |= b J ι1 ∪ ι2


Evaluation Rules

Union contracts





Union constraints


µ |= b J ι1 ∪ ι2


Evaluation Rules

Union contracts





Union constraints


µ |= b J ι1 ∪ ι2


Evaluation Rules

Union contracts





Union constraints


µ |= b J ι1 ∪ ι2


Evaluation Rules

Union contracts





Union constraints


µ |= b J ι1 ∪ ι2


Results

Contract soundness

1 M @[ C ∈ JCK+.

2 L[� @[ C ] ∈ JCK−.

Subject blame soundness (abridged)

Suppose that M ∈ JCK+.If %,E [M @b C ] 7−→∗ ς,N, then JςK(b, subject) v t.

Context blame soundness (abridged)

Suppose that L ∈ JCK−.If %,L[M @b C ] 7−→∗ ς,N, then JςK(b, context) v t.


Results

Contract soundness

1 M @[ C ∈ JCK+.

2 L[� @[ C ] ∈ JCK−.






Results

Contract soundness

1 M @[ C ∈ JCK+.

2 L[� @[ C ] ∈ JCK−.






Further Challenges Addressed

Deal with (A ∪ B) ∩ (C ∪ D)

Solutions don’t increase monotonically when new constraintsare added

Deterministic semantics and simulation

Implementation


Conclusions

First investigation of intersection and union contracts

Novel semantics of contracts (subject, context)

Implemented in TreatJS, a new contract system forJavaScript, which is available on the webhttp://proglang.informatik.uni-freiburg.de/treatjs/


http://proglang.informatik.uni-freiburg.de/treatjs/

Documents

Blame Assignment for Higher-Order Contracts with ...ajacs.inria.fr/files/2015-03-23-Thiemann.pdf · 3/23/2015 · Keil & Thiemann Blame Assignment for Higher-Order Contracts with