Safe and effective contracts

This dissertation introduces a framework enabling the dynamic verification of expressive specifications. Inspired by formal verification methods, this framework supports assertion, framing, and separation contracts. Assertion contracts specify what code should do, whereas framing contracts specify what code must not do. Separation contracts, inspired by separation logic, combine an explicit assertion contract with an implicit framing contract. In addition to supporting these expressive contracts, this framework also enables assertions to call existing code with side effects while ensuring that successful assertions do not affect the rest of the program. Contracts are guaranteed safe while remaining easy to write. This dissertation introduces a single interface, the delimited checkpoint, that supports all of the contracts listed above. Similar to previous work on equipping a programming language with first class stores, checkpoints represent a state in time. Computations can be run with memory restored to a checkpoint state. Checkpoints augment existing work with a novel family of difference operations that compare two checkpoints, revealing how the intervening computation interacted with memory. Additionally, checkpoints are delimited: they can only be used within a limited scope. This interface suffices to build assertion contracts that support time travel, framing contracts, and separation contracts. Additionally, it supports a novel suppression contract, allowing assertions to safely run existing code by suppressing proscribed effects. A formal operational semantics precisely defines the checkpoint interface, enabling formal reasoning about derived contracts. In particular, the derived contracts provably satisfy key properties. For example, the defining property of separation logic, the frame rule, provably holds for the derived separation contract. Additionally, this dissertation notes the utility of restricting checkpoints to a given (dynamic) scope, giving rise to delimited checkpoints. Contracts do not need the full power of checkpoints, using checkpoints in only a delimited manner. This restriction is useful as it enables delimited checkpoints to reuse the infrastructure needed to support Software Transactional Memory systems. This dissertation presents a prototype implementation of delimited checkpoints based on this observation. Extending the GHC compiler for Haskell, the implementation supports all of the contracts previously discussed.

[1]  Na Xu Static contract checking for Haskell , 2009, POPL '09.

[2]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[3]  Wei-Ngan Chin,et al.  Runtime Checking for Separation Logic , 2008, VMCAI.

[4]  Matthias Felleisen,et al.  The theory and practice of first-class prompts , 1988, POPL '88.

[5]  Philip Wadler,et al.  Blame for all , 2011, POPL '11.

[6]  Bertrand Meyer,et al.  Object-oriented software construction (2nd ed.) , 1997 .

[7]  Peter W. O'Hearn,et al.  BI as an assertion language for mutable data structures , 2001, POPL '01.

[8]  Claude Marché,et al.  The KRAKATOA tool for certificationof JAVA/JAVACARD programs annotated in JML , 2004, J. Log. Algebraic Methods Program..

[9]  David Walker,et al.  Harmless advice , 2006, POPL '06.

[10]  Patrice Chalin,et al.  Early detection of JML specification errors using ESC/Java2 , 2006, SAVCBS '06.

[11]  Matthias Felleisen,et al.  Contracts for first-class modules , 2009, DLS '09.

[12]  Patrice Chalin,et al.  JML Runtime Assertion Checking: Improved Error Reporting and Efficiency Using Strong Validity , 2008, FM.

[13]  Simon Peyton Jones,et al.  Transactional memory with data invariants , 2006 .

[14]  Claude Marché,et al.  Reasoning About Java Programs with Aliasing and Frame Conditions , 2005, TPHOLs.

[15]  J. Gregory Morrisett,et al.  Monadic regions , 2006, J. Funct. Program..

[16]  Mark Plesko,et al.  Optimizing memory transactions , 2006, PLDI '06.

[17]  Peter Müller,et al.  Efficient Runtime Assertion Checking of Assignable Clauses with Datagroups , 2010, FASE.

[18]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, Electron. Notes Theor. Comput. Sci..

[19]  Todd D. Millstein,et al.  Falling Back on Executable Specifications , 2010, ECOOP.

[20]  James R. Larus,et al.  Transactional Memory (Synthesis Lectures on Computer Architecture) , 2007 .

[21]  Manuel Fähndrich,et al.  Embedded contract languages , 2010, SAC '10.

[22]  Matthias Felleisen,et al.  Contracts for first-class classes , 2010, DLS '10.

[23]  Guy L. Steele,et al.  Java(TM) Language Specification, The (3rd Edition) (Java (Addison-Wesley)) , 2005 .

[24]  Rich Hickey,et al.  The Clojure programming language , 2008, DLS '08.

[25]  Chung-chieh Shan,et al.  Lightweight monadic regions , 2008, Haskell '08.

[26]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[27]  Yoonsik Cheon,et al.  A Runtime Assertion Checker for the Java Modeling Language (JML) , 2003, ICSE 2003.

[28]  François Pottier Hiding Local State in Direct Style: A Higher-Order Anti-Frame Rule , 2008, 2008 23rd Annual IEEE Symposium on Logic in Computer Science.

[29]  Amr Sabry,et al.  Delimited dynamic binding , 2006, ICFP '06.

[30]  Piotr Kosiuczenko,et al.  On the Implementation of @pre , 2009, FASE.

[31]  Gregory F. Johnson,et al.  Stores and partial continuations as first-class objects in a language and its environment , 1988, POPL '88.

[32]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[33]  Andrew W. Appel,et al.  A Debugger for Standard ML , 1995, Journal of Functional Programming.

[34]  Matthias Felleisen,et al.  Correct blame for contracts: no more scapegoating , 2011, POPL '11.

[35]  Matthias Felleisen,et al.  Contracts for higher-order functions , 2002, ICFP '02.

[36]  Wen-mei W. Hwu,et al.  Modular interprocedural pointer analysis using access paths: design, implementation, and evaluation , 2000, PLDI '00.

[37]  Matthias Felleisen,et al.  Future contracts , 2009, PPDP '09.

[38]  Cliff B. Jones,et al.  Tentative steps toward a development method for interfering programs , 1983, TOPL.

[39]  Jennifer Widom,et al.  Database Systems: The Complete Book , 2001 .

[40]  Peyton Jones,et al.  Haskell 98 language and libraries : the revised report , 2003 .

[41]  K. Rustan M. Leino,et al.  The Spec# Programming System: Challenges and Directions , 2005, VSTTE.

[42]  Andrew Tolmach,et al.  Debugging standard ML , 1992 .

[43]  Robert E. Tarjan,et al.  Self-adjusting binary search trees , 1985, JACM.

[44]  Bjarne Steensgaard,et al.  Integrating support for undo with exception handling , 2004 .

[45]  Name M. Lastname Automatically Finding Patches Using Genetic Programming , 2013 .

[46]  Martin Rinard,et al.  Automatic detection and repair of errors in data structures , 2003, OOPSLA 2003.

[47]  Gary T. Leavens,et al.  Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2 , 2005, FMCO.

[48]  J. Gregory Morrisett,et al.  Toward a verified relational database management system , 2010, POPL '10.

[49]  David S. Rosenblum,et al.  A historical perspective on runtime assertion checking in software development , 2006, SOEN.

[50]  Eran Yahav,et al.  Asynchronous assertions , 2011, OOPSLA '11.

[51]  Yoonsik Cheon,et al.  A New Eclipse-Based JML Compiler Built Using AST Merging , 2010, 2010 Second World Congress on Software Engineering.

[52]  Adam Chlipala,et al.  Effective interactive proofs for higher-order imperative programs , 2009, ICFP.

[53]  Maurice Herlihy,et al.  Checkpoints and continuations instead of nested transactions , 2008, SPAA '08.

[54]  Cui Ye Improving JML's assignable clause analysis , 2006 .

[55]  Neil Immerman,et al.  What can the GC compute efficiently?: a language for heap assertions at GC time , 2010, SPLASH 2010.

[56]  James Noble,et al.  Simple Ownership Types for Object Containment , 2001, ECOOP.

[57]  J Gregory,et al.  Reening First-class Stores , 1993 .

[58]  Simon L. Peyton Jones,et al.  Composable memory transactions , 2005, CACM.

[59]  Andrew M. Pitts,et al.  A First Order Theory of Names and Binding , 2001 .