Stateful manifest contracts

Taro Sekiyama, Atsushi Igarashi
DOI: 10.1145/3009837.3009875 (https://doi.org/10.1145/3009837.3009875)
Published in: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages, 2017-01-01
Citation count: 6

Abstract

This paper studies hybrid contract verification for an imperative higher-order language based on a so-called manifest contract system. In manifest contract systems, contracts are part of static types, and contract verification is hybrid in the sense that some contracts are verified statically, typically by subtyping, while others are verified dynamically by casts. It is, however, not trivial to extend existing manifest contract systems, which have been designed mostly for pure functional languages, to imperative features, mainly because they lack flow-sensitivity, which must be taken into account when verifying imperative programs statically. We develop an imperative higher-order manifest contract system λrefH for flow-sensitive hybrid contract verification. We introduce a computational variant of Nanevski et al.'s Hoare types, which are flow-sensitive types representing pre- and postconditions of impure computation. Our Hoare types are computational in the sense that pre- and postconditions are given by Booleans written in the same language as programs, so that they are dynamically verifiable. λrefH also supports refinement types, as in existing manifest contract systems, to describe flow-insensitive, state-independent contracts of pure computation. While it is desirable that any predicate, possibly a state-manipulating one, can be used in contracts, abuse of stateful operations will break the system. To control stateful operations in contracts, we introduce a region-based effect system, which allows contracts in refinement types and in computational Hoare types to manipulate state as long as they are observationally pure and read-only, respectively. We show that dynamic contract checking in our calculus is consistent with static typing, in the sense that a final result obtained without any dynamic contract violation satisfies the contracts in its static type. In particular, this means that the state after a stateful computation satisfies its postcondition.
As in some prior manifest contract systems, static contract verification in this work is "post facto": we first define our manifest contract system so that all contracts are checked at run time, then formalize conditions under which dynamic checks can be removed safely, and show that programs with and without such removable checks are contextually equivalent. We also apply the idea of post facto verification to region-based local reasoning, inspired by the frame rule of Separation Logic.
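The abstract describes contracts as Booleans written in the program's own language: refinement contracts checked by casts for pure values, and pre-/postconditions over the state for computational Hoare types, with an effect system keeping contract predicates read-only so that a contract cannot itself corrupt the state it is judging. The following Python is an added illustration of that dynamic side, not the paper's λrefH calculus or any artifact of its authors. The names Heap, ReadOnlyHeap, cast, hoare and the bank-account example are assumptions for the demonstration; read-only-ness of contracts is enforced here at run time by handing predicates a copy that refuses writes, whereas the paper enforces it statically with a region-based effect system, and the static removal of checks (post facto verification) is not modeled.

```python
"""Dynamic manifest-contract checking over a mutable heap (added illustration,
not the paper's λrefH calculus; Heap, cast, hoare and the account example are
assumed names for this demo). Contract predicates only see a read-only heap
view, so a contract that writes state is rejected instead of corrupting the run."""
from __future__ import annotations

from collections.abc import Callable
from typing import Any


class ContractViolation(Exception):
    """A contract predicate evaluated to False; the message is the blame label."""


class ContractEffectViolation(Exception):
    """A contract predicate tried to write the heap; contracts must be read-only."""


class Heap:
    """Tiny mutable store: reference names map to values."""

    def __init__(self, cells: dict[str, Any] | None = None) -> None:
        self._cells: dict[str, Any] = dict(cells or {})

    def read(self, ref: str) -> Any:
        return self._cells[ref]

    def write(self, ref: str, value: Any) -> None:
        self._cells[ref] = value

    def view(self) -> ReadOnlyHeap:
        # Copy handed to contracts; later writes to the real heap stay invisible.
        return ReadOnlyHeap(self._cells)


class ReadOnlyHeap(Heap):
    """Heap view for contract predicates: reads allowed, writes raise."""

    def write(self, ref: str, value: Any) -> None:
        raise ContractEffectViolation(f"contract attempted to write {ref!r}")


def cast(value: Any, pred: Callable[[Any], bool], label: str) -> Any:
    """Refinement cast to {x | pred x}: a flow-insensitive, state-free check."""
    if not pred(value):
        raise ContractViolation(label)
    return value


def hoare(pre: Callable[..., bool], post: Callable[..., bool], label: str):
    """Attach the computational Hoare type {pre} comp {post} to a heap function.
    pre(before, *args) and post(before, after, result, *args) get read-only views."""
    def decorate(comp):
        def checked(heap: Heap, *args: Any) -> Any:
            before = heap.view()
            if not pre(before, *args):
                raise ContractViolation(f"{label}: precondition")
            result = comp(heap, *args)
            after = heap.view()
            if not post(before, after, result, *args):
                raise ContractViolation(f"{label}: postcondition")
            return result
        return checked
    return decorate


def nat(n: Any) -> bool:
    """Refinement predicate for {n : int | n >= 0}."""
    return isinstance(n, int) and n >= 0


# Withdrawal contract: positive amount covered by the balance; afterwards the
# balance has dropped by exactly that amount and the result is the new balance.
def withdraw_pre(b: Heap, acct: str, amt: int) -> bool:
    return nat(amt) and amt > 0 and b.read(acct) >= amt


def withdraw_post(b: Heap, a: Heap, r: int, acct: str, amt: int) -> bool:
    return r == a.read(acct) == b.read(acct) - amt


@hoare(withdraw_pre, withdraw_post, "withdraw")
def withdraw(heap: Heap, acct: str, amt: int) -> int:
    heap.write(acct, heap.read(acct) - amt)
    return heap.read(acct)


@hoare(withdraw_pre, withdraw_post, "withdraw_buggy")
def withdraw_buggy(heap: Heap, acct: str, amt: int) -> int:
    heap.write(acct, heap.read(acct) - 2 * amt)  # deliberate bug: debits twice
    return heap.read(acct)


@hoare(lambda b, acct, amt: b.write(acct, 10**9) or True,  # contract abuses state
       lambda b, a, r, acct, amt: True, "rogue")
def rogue(heap: Heap, acct: str, amt: int) -> int:
    return heap.read(acct)


def outcome(fn: Callable[..., Any], *args: Any) -> str:
    """Run a checked function and report its result or which contract fired."""
    try:
        return f"ok:{fn(*args)}"
    except ContractEffectViolation as exc:
        return f"effect:{exc}"
    except ContractViolation as exc:
        return f"violation:{exc}"
```

Running `outcome(withdraw_buggy, heap, "alice", 10)` on a balance of 30 reports a postcondition violation, but the balance is already 10 by then: the dynamic check detects the corrupted state, it does not roll it back. That matches the abstract's guarantee, which is about results obtained without a violation satisfying their static type, not about what a violating run leaves behind. The `rogue` contract shows the other failure mode the abstract warns about: a precondition that writes to the heap is stopped by the read-only view before it can inflate the balance.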