Blame Assignment for Higher-Order Contracts with Intersection and Union
Roman Matthias Keil, Peter Thiemann, University of Freiburg, Germany
September 2, 2015, The 20th ACM SIGPLAN International Conference on Functional Programming, ICFP 2015, Vancouver, British Columbia, Canada

Higher-Order Contracts
Even = flat(λx. x%2 = 0)
Odd = flat(λx. x%2 = 1)
Assertion (Even → Even)
Let add2Even = ((λx. x + 2) @ (Even → Even))
(add2Even 2) −→∗ 4 ✓
(add2Even 1) −→∗ ✗ blame context □ 1
Assertion (Odd → Odd)
Let add2Odd = ((λx. x + 2) @ (Odd → Odd))
(add2Odd 1) −→∗ 3 ✓
(add2Odd 2) −→∗ ✗ blame context □ 2
Roman Keil, Peter Thiemann September 2, 2015 2 / 18

Combination of Contracts
Observation
λx. x + 2 works for even and odd arguments
λx. x + 2 fulfills Odd → Odd and Even → Even
How can we express that with a single contract?
Intersection Contract!

Inspiration
Intersection Type
V : S ∩ T
Models overloading
Models multiple inheritance
Union Type
V : S ∪ T
Dual of intersection type
Domain of overloaded functions

This Work
Extend higher-order contracts with intersection and union
Specification based on the type-theoretic construction
Assertion (Even → Even) ∩ (Odd → Odd)
Let add2 = ((λx. x + 2) @ (Even → Even) ∩ (Odd → Odd))
(add2 2) −→∗ 4 ✓
(add2 1) −→∗ 3 ✓
No blame because of the intersection contract!

Flat Contract
Even = flat(λx. x%2 = 0)
Odd = flat(λx. x%2 = 1)
Pos = flat(λx. x > 0)
Examples
Pos ∩ Even
Flat Contract
flat(λx. P) ∩ flat(λx. Q) ≡ flat(λx. P ∧ Q)

Intersection Contract
Assertion
Let add1 = ((λx. x + 1) @ (Even → Even) ∩ (Pos → Pos))
(add1 3) −→∗ 4 ✓
(add1 −1) −→∗ ✗ blame context □ −1
(add1 2) −→∗ ✗ blame subject (λx. x + 1)
Definition
Context gets blamed for C ∩ D iff: (Context gets blamed for C) ∧ (Context gets blamed for D)
Subject M gets blamed for C ∩ D iff: (M gets blamed for C) ∨ (M gets blamed for D)

Contract Assertion
Example
((λx. x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4 ✓
A failing contract must not signal a violation immediately
Violation depends on combinations of failures in different sub-contracts
Contract assertion must connect each contract with the enclosing operations

Operational Semantics
Reduction Relation
ς, M −→ ς′, N
M, N expressions
ς list of constraints
One constraint for each contract operator →, ∩, ∪
One constraint for each flat contract
Blame calculation from a list of constraints

Flat Contract
Evaluation Rule
Flat:
  M V −→∗ W    ς′ = ♭ ▷ W : ς
  ──────────────────────────────
  ς, E[V @♭ flat(M)] −→ ς′, E[V]

Interpretation
Interpretation of a constraint list
µ ∈ (⦇♭⦈ × {subject, context}) → B
An interpretation µ is a mapping from blame label ♭ to records of elements of B = {t, f}, order t ⊏ f
Ordering reflects gathering of information with each execution step
Each blame label ♭ is associated with two truth values, ♭.subject and ♭.context

Flat Contract (cont'd)
Evaluation Rule
Flat:
  M V −→∗ W    ς′ = ♭ ▷ W : ς
  ──────────────────────────────
  ς, E[V @♭ flat(M)] −→ ς′, E[V]
Constraint Satisfaction
C-Flat:
  µ(♭.subject) ⊒ W    µ(♭.context) ⊒ t
  ─────────────────────────────────────
  µ ⊨ ♭ ▷ W

Blame Calculation
Definition
ς is a blame state if there exists a top-level blame label ♭ such that
µ(♭.subject) ⊒ f ∨ µ(♭.context) ⊒ f
Evaluation stops if a blame state is reached.

Function Contract
Evaluation Rule
Function:
  ♭1, ♭2 ∉ ς    ς′ = ♭ ▷ (♭1 → ♭2) : ς
  ─────────────────────────────────────────────────────
  ς, E[(V @♭ (C → D)) W] −→ ς′, E[(V (W @♭1 C)) @♭2 D]
Constraint Satisfaction
C-Function:
  µ(♭.subject) ⊒ µ(♭1.context ∧ (♭1.subject ⇒ ♭2.subject))
  µ(♭.context) ⊒ µ(♭1.subject ∧ ♭2.context)
  ──────────────────────────────────────────────────────────
  µ ⊨ ♭ ▷ ♭1 → ♭2

Intersection Contract
Evaluation Rule
Intersection:
  ♭1, ♭2 ∉ ς    ς′ = ♭ ▷ (♭1 ∩ ♭2) : ς
  ─────────────────────────────────────────────────────
  ς, E[(V @♭ (Q ∩ R)) W] −→ ς′, E[((V @♭1 Q) @♭2 R) W]
Constraint Satisfaction
C-Intersection:
  µ(♭.subject) ⊒ µ(♭1.subject ∧ ♭2.subject)    µ(♭.context) ⊒ µ(♭1.context ∨ ♭2.context)
  ─────────────────────────────────────────────────────────────────────────────────────
  µ ⊨ ♭ ▷ ♭1 ∩ ♭2

Union Contract
Dual of intersection contract
Exchange ∧ and ∨ in the blame calculation
Delayed evaluation changes to an immediate evaluation

In the Paper
Technical Results
Contract Rewriting
Deterministic and nondeterministic specification of contract monitoring
Denotational specification of the semantics of contracts
Theorems for contract and blame soundness

Conclusion
Intersection and union contracts provide dynamic guarantees equivalent to their type-theoretic counterparts
Constraint-based blame calculation enables higher-order contracts with unrestricted intersection and union
Formal basis of TreatJS, a language-embedded, higher-order contract system implemented for JavaScript

Constraint Graph
[Figure: the constraint graph rooted at ♭, with an ∩ node whose children are the function constraints → (Even, Even) and → (Pos, Pos); every node is annotated with its two truth values ♭.subject and ♭.context, which are updated after each reduction step below.]
Reduction
ς, ((λx. x + 1) @♭ ((Even → Even) ∩ (Pos → Pos))) 0
−→ ♭ ▷ (♭1 ∩ ♭2) : ···, (((λx. x + 1) @♭1 (Even → Even)) @♭2 (Pos → Pos)) 0
−→ ♭2 ▷ (♭3 → ♭4) : ···, (((λx. x + 1) @♭1 (Even → Even)) (0 @♭3 Pos)) @♭4 Pos
−→ ♭3 ▷ false : ···, (((λx. x + 1) @♭1 (Even → Even)) 0) @♭4 Pos
−→ ♭1 ▷ (♭5 → ♭6) : ···, (((λx. x + 1) (0 @♭5 Even)) @♭6 Even) @♭4 Pos
−→ ♭5 ▷ true : ···, (((λx. x + 1) 0) @♭6 Even) @♭4 Pos
−→ ···, (1 @♭6 Even) @♭4 Pos
−→ ♭6 ▷ false : ···, blame ♭
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

Intersection and Union Types
Intersection Type
λx. x + 2 : Even → Even
λx. x + 2 : Odd → Odd
λx. x + 2 : Even → Even ∩ Odd → Odd
Union Type
λx. x − 2 : Even → Even
λx. x − 2 : Even → Even ∪ Pos → Pos

Flat Contract [Findler, Felleisen '02]
Pos = flat(λx. x > 0)
Even = flat(λx. x%2 = 0)
Assertion
1 @ Pos −→ 1 ✓
0 @ Pos −→ ✗ blame subject 0
Definition
Subject V gets blamed for Flat Contract flat(M) iff: (M V) −→∗ false

Higher-Order Contract [Findler, Felleisen '02]
Even → Even
Assertion
((λx. x + 1) @ Even → Even) 1 −→∗ ✗ blame context □ 1
((λx. x + 1) @ Even → Even) 2 −→∗ ✗ blame subject
Definition
Context gets blamed for C → D iff: Argument x gets blamed for C (as subject)
Subject M gets blamed for C → D at □ V iff: ¬(Context gets blamed for C) ∧ (M V gets blamed for D)

Flat Contract
Examples
Odd ∪ Even
Flat Contract
flat(λx. P) ∪ flat(λx. Q) ≡ flat(λx. P ∨ Q)

Union Contract
Assertion
Let mod3 = ((λx. x%3) @ (Even → Even) ∪ (Pos → Pos))
(mod3 4) −→∗ 1 ✓
(mod3 1) −→∗ ✗ blame context □ 1
(mod3 6) −→∗ ✗ blame subject (λx. x%3)
Definition
Context gets blamed for C ∪ D iff: (Context gets blamed for C) ∨ (Context gets blamed for D)
Subject M gets blamed for C ∪ D iff: (M gets blamed for C) ∧ (M gets blamed for D)

Contract Assertion
Evaluation Rule
Assert:
  ♭1 ∉ ς    ς′ = ♭ ▷ ♭1 : ς
  ──────────────────────────────
  ς, E[V @♭ C] −→ ς′, E[V @♭1 C]
Constraint Satisfaction
C-Assert:
  µ(♭.subject) ⊒ µ(♭1.subject)    µ(♭.context) ⊒ µ(♭1.context)
  ─────────────────────────────────────────────────────────────
  µ ⊨ ♭ ▷ ♭1

Constraint List
Constraint Satisfaction
CS-Empty:
  ──────
  µ ⊨ ·
CS-Cons:
  µ ⊨ κ    µ ⊨ ς
  ──────────────
  µ ⊨ κ : ς

Union Contract
Evaluation Rule
Union:
  ♭1, ♭2 ∉ ς    ς′ = ♭ ▷ (♭1 ∪ ♭2) : ς
  ───────────────────────────────────────────
  ς, E[V @♭ (C ∪ D)] −→ ς′, E[(V @♭1 C) @♭2 D]
Constraint Satisfaction
C-Union:
  µ(♭.subject) ⊒ µ(♭1.subject ∨ ♭2.subject)    µ(♭.context) ⊒ µ(♭1.context ∧ ♭2.context)
  ─────────────────────────────────────────────────────────────────────────────────────
  µ ⊨ ♭ ▷ ♭1 ∪ ♭2

Blame Calculation
Definition
ς is a blame state if there exists a top-level blame identifier ♭ such that
µ(♭.subject) ⊒ f ∨ µ(♭.context) ⊒ f
  ς, M −→∗ ς′, N    ς is not a blame state
  ──────────────────────────────────────────
  ς, M ⟼ ς′, N

  ς is a blame state for ♭
  ────────────────────────
  ς, M ⟼ ς, blame ♭

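The evaluation rules (Flat, Function, Intersection, Union, Assert) and their constraint-satisfaction rules (C-Flat, C-Function, C-Intersection, C-Union, C-Assert) above, as an added Python illustration that is my own and not the authors' TreatJS code: a monitor records the constraints ♭ ▷ … while wrapped values are used, interprets the constraint list with t = True, f = False and t ⊏ f, and stops with blame once the top-level label is in a blame state. Blame labels are integers, `Monitor`, `wrap`, `unfold` and `run` are names chosen here, and EVEN, ODD and POS are the slides' Even, Odd and Pos.

```python
from collections import namedtuple

# Contract syntax of the slides: flat(λx.P), C → D, C ∩ D and C ∪ D.
Flat = namedtuple("Flat", "pred")
Fun = namedtuple("Fun", "dom cod")
Inter = namedtuple("Inter", "left right")
Union = namedtuple("Union", "left right")

class Blame(Exception):
    """Raised as soon as the constraint list ς is a blame state for the top-level label."""
class Monitor:
    def __init__(self):
        self.constraints = []  # ς: tuples (label, kind, ...), i.e. the constraint graph
        self.counter = 0
    def fresh(self):  # a blame label ♭ that is not yet in ς
        self.counter += 1
        return self.counter

    # Interpretation µ with t = True and f = False. A label without constraints is t
    # (no information yet); several constraints on one label are joined (t ⊏ f, f wins).
    def mu(self, l, role):
        return all(self._sat(c, role) for c in self.constraints if c[0] == l)
    def _sat(self, c, role):
        kind = c[1]
        if kind == "flat":                                       # C-Flat
            return c[2] if role == "subject" else True
        if kind == "assert":                                     # C-Assert
            return self.mu(c[2], role)
        s1, c1 = self.mu(c[2], "subject"), self.mu(c[2], "context")
        s2, c2 = self.mu(c[3], "subject"), self.mu(c[3], "context")
        if kind == "fun":                                        # C-Function
            return (c1 and (not s1 or s2)) if role == "subject" else (s1 and c2)
        if kind == "inter":                                      # C-Intersection
            return (s1 and s2) if role == "subject" else (c1 or c2)
        return (s1 or s2) if role == "subject" else (c1 and c2)  # C-Union
    def check(self, top):  # evaluation stops once the top-level label is in a blame state
        for role in ("subject", "context"):
            if not self.mu(top, role): raise Blame(role)
    def unfold(self, v, contract, l, top, kind):  # V @♭ (C op D) −→ (V @♭1 C) @♭2 D
        l1, l2 = self.fresh(), self.fresh()
        self.constraints.append((l, kind, l1, l2))
        return self.wrap(self.wrap(v, contract.left, l1, top), contract.right, l2, top)
    def wrap(self, v, contract, l, top):
        if isinstance(contract, Flat):                           # rule Flat: test at once
            self.constraints.append((l, "flat", bool(contract.pred(v))))
            self.check(top)
            return v
        # Rule Union unfolds immediately; so does an intersection of flat contracts.
        if isinstance(contract, Union) or (isinstance(contract, Inter) and not callable(v)):
            return self.unfold(v, contract, l, top, type(contract).__name__.lower())
        def wrapped(w):                                          # delayed until application
            if isinstance(contract, Inter):                      # rule Intersection
                return self.unfold(v, contract, l, top, "inter")(w)
            l1, l2 = self.fresh(), self.fresh()                  # rule Function
            self.constraints.append((l, "fun", l1, l2))
            arg = self.wrap(w, contract.dom, l1, top)
            return self.wrap(v(arg), contract.cod, l2, top)
        return wrapped

def run(v, contract, *args):
    """Rule Assert (ς′ = ♭ ▷ ♭1 : ς) on v, apply to args; value or blame verdict."""
    m = Monitor()
    top, l1 = m.fresh(), m.fresh()
    m.constraints.append((top, "assert", l1))
    try:
        r = m.wrap(v, contract, l1, top)
        for a in args:
            r = r(a)
        return r
    except Blame as b:
        return "blame " + b.args[0]

EVEN, ODD, POS = Flat(lambda x: x % 2 == 0), Flat(lambda x: x % 2 == 1), Flat(lambda x: x > 0)
```

`run(lambda x: x + 1, Inter(Fun(EVEN, EVEN), Fun(POS, POS)), 0)` follows the example reduction of the slides step by step and ends in subject blame, while the argument −1 yields context blame and 3 yields 4.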
Example Reduction
Reduction
·, ((λx. x + 1) @♭ ((Even → Even) ∩ (Pos → Pos))) 0
−→ ♭ ▷ ♭0 : ·, ((λx. x + 1) @♭0 ((Even → Even) ∩ (Pos → Pos))) 0
−→ ♭0 ▷ (♭1 ∩ ♭2) : ···, (((λx. x + 1) @♭1 (Even → Even)) @♭2 (Pos → Pos)) 0
−→ ♭2 ▷ (♭3 → ♭4) : ···, (((λx. x + 1) @♭1 (Even → Even)) (0 @♭3 Pos)) @♭4 Pos
−→ ♭3 ▷ false : ···, (((λx. x + 1) @♭1 (Even → Even)) 0) @♭4 Pos
−→ ♭1 ▷ (♭5 → ♭6) : ···, (((λx. x + 1) (0 @♭5 Even)) @♭6 Even) @♭4 Pos
−→ ♭5 ▷ true : ···, (((λx. x + 1) 0) @♭6 Even) @♭4 Pos
−→ ···, (1 @♭6 Even) @♭4 Pos
−→ ♭6 ▷ false : ···, blame ♭

Constraint Graph
[Figure: the constraint graph rooted at ♭ with two ∩ nodes, one per application of the intersection contract, each with the function constraints → (Even, Even) and → (Pos, Pos) as children; the nodes are annotated step by step with their truth values ♭.subject and ♭.context for the two applications below.]
Example
((λx. x + 1) @♭ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2 ✓
((λx. x + 1) @♭ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗ ✗

Technical Results
Definition (Contract Satisfaction)
The semantics of a contract C defines
1. a set ⟦C⟧+ of closed terms (subjects) that satisfy C
2. a set ⟦C⟧− of closed contexts that respect C
The definition is mutually inductive on the structure of C.

Technical Results (cont'd)
Theorem (Contract soundness for expressions)
For all M, C, ♭. M @♭ C ∈ ⟦C⟧+
Theorem (Contract soundness for contexts)
For all L, C, ♭. L[□ @♭ C] ∈ ⟦C⟧−

Technical Results (cont'd)
Theorem (Subject blame soundness)
Suppose that M ∈ ⟦C⟧+. If ς, E[M @♭ C] ⟼∗ ς′, N then ⟦ς′⟧(♭, subject) ⊑ t.
Theorem (Context blame soundness)
Suppose that L ∈ ⟦C⟧−. If ς, L[M @♭ C] ⟼∗ ς′, N, then ⟦ς′⟧(♭, context) ⊑ t.