Sound and complete models of contracts

Even in statically typed languages it is useful to have certain invariants checked dynamically. Findler and Felleisen gave an algorithm for dynamically checking expressive higher-order types called contracts. They did not, however, give a semantics of contracts. The lack of a semantics makes it impossible to define and prove soundness and completeness of the checking algorithm. (Given a semantics, a sound checker never reports violations that do not exist under that semantics; a complete checker is – in principle – able to find violations when violations exist.) Ideally, a semantics should capture what programmers intuitively feel is the meaning of a contract or otherwise clearly point out where intuition does not match reality. In this paper we give an interpretation of contracts for which we prove the Findler-Felleisen algorithm sound and (under reasonable assumptions) complete. While our semantics mostly matches intuition, it also exposes a problem with predicate contracts where an arguably more intuitive interpretation than ours would render the checking algorithm unsound. In our semantics we have to make use of a notion of safety (which we define in the paper) to avoid unsoundness. We are able to eliminate the “leakage” of safety into the semantics by changing the language, replacing the original version of unrestricted predicate contracts with a restricted form. The corresponding loss in expressive power can be recovered by making safety explicit as a contract. This can be done either in ad-hoc fashion or by including general recursive contracts. The addition of recursive contracts has far-reaching implications, deeply affecting the formulation of our model and requiring different techniques for proving soundness.
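As an added illustration (not code from the paper), a small Findler-Felleisen style checker in Python: a function contract wraps the value and swaps blame for its domain, and a predicate contract whose predicate itself crashes yields no blame label at all, which is the safety point the abstract raises. All names and the sample contracts are assumptions made here.

```python
# Added illustration: higher-order contract checking with blame, plus the
# case of an unsafe predicate. Party labels are constructed for the example.

class ContractViolation(Exception):
    def __init__(self, blame, detail):
        super().__init__(f"{blame}: {detail}")
        self.blame = blame

class UnsafePredicate(Exception):
    """The predicate itself failed; neither party violated the contract."""

def flat(pred, name):
    """Predicate contract: pred(value) must hold, otherwise blame `pos`."""
    def check(value, pos, neg):
        try:
            ok = pred(value)
        except Exception as exc:  # predicate not safe on this value
            raise UnsafePredicate(f"{name} crashed on {value!r}") from exc
        if not ok:
            raise ContractViolation(pos, f"{value!r} is not {name}")
        return value
    return check

def func(dom, rng):
    """Function contract dom -> rng: wrap f and swap blame on the domain."""
    def check(f, pos, neg):
        if not callable(f):
            raise ContractViolation(pos, f"{f!r} is not a function")
        def wrapped(x):
            return rng(f(dom(x, neg, pos)), pos, neg)
        return wrapped
    return check

def blame_of(thunk):
    """Run thunk; return the blamed party, 'unsafe', or None if no violation."""
    try:
        thunk()
    except ContractViolation as v:
        return v.blame
    except UnsafePredicate:
        return "unsafe"
    return None

positive = flat(lambda n: n > 0, "positive")
pos_to_pos = func(positive, positive)
# Constructed: 'server' exports apply_to_one and bad_server to 'client'
# under the contract (positive -> positive) -> positive.
apply_to_one = func(pos_to_pos, positive)(lambda f: f(1), "server", "client")
bad_server = func(pos_to_pos, positive)(lambda f: f(-5), "server", "client")
# Constructed: a predicate that is not safe on 0 (division by zero).
tenth_positive = flat(lambda n: 10 // n > 0, "tenth-positive")
def check_tenth(n):
    return tenth_positive(n, "server", "client")
```

Running `blame_of` over the constructed cases shows the client blamed for supplying a function that returns a non-positive result, the server blamed for calling that function with a bad argument, and no blame at all when the predicate itself crashes.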
