September 2, 2015, The 20th ACM SIGPLAN International Conference on Functional Programming, ICFP 2015 Vancouver, British Columbia, Canada

1. Blame Assignment for Higher-Order Contracts
with Intersection and Union
Roman Matthias Keil, Peter Thiemann
University of Freiburg, Germany
September 2, 2015, The 20th ACM SIGPLAN International Conference on Functional Programming, ICFP 2015
Vancouver, British Columbia, Canada

2. Higher-Order Contracts
Even = flat(λx.x%2 = 0)
Odd = flat(λx.x%2 = 1)
Assertion (Even → Even)
Let add2Even = ((λx.x + 2) @ (Even → Even))
Roman Keil, Peter Thiemann September 2, 2015 2 / 18

3. Higher-Order Contracts
Even = flat(λx.x%2 = 0)
Odd = flat(λx.x%2 = 1)
Assertion (Even → Even)
Let add2Even = ((λx.x + 2) @ (Even → Even))
(add2Even 2) −→∗ 4
Roman Keil, Peter Thiemann September 2, 2015 2 / 18

4. Higher-Order Contracts
Even = flat(λx.x%2 = 0)
Odd = flat(λx.x%2 = 1)
Assertion (Even → Even)
Let add2Even = ((λx.x + 2) @ (Even → Even))
(add2Even 2) −→∗ 4
(add2Even 1) −→∗ blame context 1
Roman Keil, Peter Thiemann September 2, 2015 2 / 18

5. Higher-Order Contracts
Even = flat(λx.x%2 = 0)
Odd = flat(λx.x%2 = 1)
Assertion (Even → Even)
Let add2Even = ((λx.x + 2) @ (Even → Even))
(add2Even 2) −→∗ 4
(add2Even 1) −→∗ blame context 1
Assertion (Odd → Odd)
Let add2Odd = ((λx.x + 2) @ (Odd → Odd))
Roman Keil, Peter Thiemann September 2, 2015 2 / 18

6. Higher-Order Contracts
Even = flat(λx.x%2 = 0)
Odd = flat(λx.x%2 = 1)
Assertion (Even → Even)
Let add2Even = ((λx.x + 2) @ (Even → Even))
(add2Even 2) −→∗ 4
(add2Even 1) −→∗ blame context 1
Assertion (Odd → Odd)
Let add2Odd = ((λx.x + 2) @ (Odd → Odd))
(add2Odd 1) −→∗ 3
Roman Keil, Peter Thiemann September 2, 2015 2 / 18

7. Higher-Order Contracts
Even = flat(λx.x%2 = 0)
Odd = flat(λx.x%2 = 1)
Assertion (Even → Even)
Let add2Even = ((λx.x + 2) @ (Even → Even))
(add2Even 2) −→∗ 4
(add2Even 1) −→∗ blame context 1
Assertion (Odd → Odd)
Let add2Odd = ((λx.x + 2) @ (Odd → Odd))
(add2Odd 1) −→∗ 3
(add2Odd 2) −→∗ blame context 2
Roman Keil, Peter Thiemann September 2, 2015 2 / 18

8. Combination of Contracts
Observation
λx.x + 2 works for even and odd arguments
Roman Keil, Peter Thiemann September 2, 2015 3 / 18

9. Combination of Contracts
Observation
λx.x + 2 works for even and odd arguments
λx.x + 2 fulfills Odd → Odd and Even → Even
Roman Keil, Peter Thiemann September 2, 2015 3 / 18

10. Combination of Contracts
Observation
λx.x + 2 works for even and odd arguments
λx.x + 2 fulfills Odd → Odd and Even → Even
How can we express that with a single contract?
Roman Keil, Peter Thiemann September 2, 2015 3 / 18

11. Combination of Contracts
Observation
λx.x + 2 works for even and odd arguments
λx.x + 2 fulfills Odd → Odd and Even → Even
How can we express that with a single contract?
Intersection Contract!
Roman Keil, Peter Thiemann September 2, 2015 3 / 18

12. Inspiration
Intersection Type
V : S ∩ T
Models overloading
Models multiple inheritances
Union Type
V : S ∪ T
Dual of intersection type
Domain of overloaded functions
Roman Keil, Peter Thiemann September 2, 2015 4 / 18

13. This Work
Extend higher-order contracts with intersection and union
Specification based on the type theoretic construction
Assertion (Even → Even) ∩ (Odd → Odd)
Let add2 = ((λx.x + 2) @ (Even → Even) ∩ (Odd → Odd))
(add2 2) −→∗ 4
(add2 1) −→∗ 3
No blame because of the intersection contract!
Roman Keil, Peter Thiemann September 2, 2015 5 / 18

14. Flat Contract
Even = flat(λx.x%2 = 0)
Odd = flat(λx.x%2 = 1)
Pos = flat(λx.x 0)
Examples
Pos ∩ Even
Flat Contract
flat(λx.P) ∩ flat(λx.Q) ≡ flat(λx.P ∧ Q)
Roman Keil, Peter Thiemann September 2, 2015 6 / 18

15. Intersection Contract
Assertion
Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos))
Definition
Context gets blamed for C ∩ D iff:
(Context gets blamed for C) ∧ (Context gets blamed for D)
Subject M gets blamed for C ∩ D iff:
(M gets blamed for C) ∨ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 7 / 18

16. Intersection Contract
Assertion
Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos))
(add1 3) −→∗ 4
Definition
Context gets blamed for C ∩ D iff:
(Context gets blamed for C) ∧ (Context gets blamed for D)
Subject M gets blamed for C ∩ D iff:
(M gets blamed for C) ∨ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 7 / 18

17. Intersection Contract
Assertion
Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos))
(add1 3) −→∗ 4
(add1 −1) −→∗ blame context −1
Definition
Context gets blamed for C ∩ D iff:
(Context gets blamed for C) ∧ (Context gets blamed for D)
Subject M gets blamed for C ∩ D iff:
(M gets blamed for C) ∨ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 7 / 18

18. Intersection Contract
Assertion
Let add1 = ((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos))
(add1 3) −→∗ 4
(add1 −1) −→∗ blame context −1
(add1 2) −→∗ blame subject (λx.x + 1)
Definition
Context gets blamed for C ∩ D iff:
(Context gets blamed for C) ∧ (Context gets blamed for D)
Subject M gets blamed for C ∩ D iff:
(M gets blamed for C) ∨ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 7 / 18

19. Contract Assertion
Example
((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4
A failing contract must not signal a violation immediately
Violation depends on combinations of failures in different
sub-contracts
Contract assertion must connect each contract with the
enclosing operations
Roman Keil, Peter Thiemann September 2, 2015 8 / 18

20. Contract Assertion
Example
((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4
A failing contract must not signal a violation immediately
Violation depends on combinations of failures in different
sub-contracts
Contract assertion must connect each contract with the
enclosing operations
Roman Keil, Peter Thiemann September 2, 2015 8 / 18

21. Contract Assertion
Example
((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4
A failing contract must not signal a violation immediately
Violation depends on combinations of failures in different
sub-contracts
Contract assertion must connect each contract with the
enclosing operations
Roman Keil, Peter Thiemann September 2, 2015 8 / 18

22. Contract Assertion
Example
((λx.x + 1) @ (Even → Even) ∩ (Pos → Pos)) 3 −→∗ 4
A failing contract must not signal a violation immediately
Violation depends on combinations of failures in different
sub-contracts
Contract assertion must connect each contract with the
enclosing operations
Roman Keil, Peter Thiemann September 2, 2015 8 / 18

23. Operational Semantics
Reduction Relation
ς, M −→ ς , N
M, N expressions
ς list of constraints
One constraint for each contract operator →, ∩, ∪
One constraint for each flat contract
Blame calculation from a list of constraints
Roman Keil, Peter Thiemann September 2, 2015 9 / 18

24. Flat Contract
Evaluation Rule
Flat
M V −→∗
W ς = (W ) : ς
ς, E[V @ flat(M)] −→ ς , E[V ]
Roman Keil, Peter Thiemann September 2, 2015 10 / 18

25. Interpretation
Interpretation of a constraint list
µ ∈ ( × {subject, context}) → B
An interpretation µ is a mapping from blame label to
records of elements of B = {t, f}, order t f
Ordering reflects gathering of information with each
execution step
Each blame label is associated with two truth values,
.subject and .context
Roman Keil, Peter Thiemann September 2, 2015 11 / 18

26. Flat Contract (cont’d)
Evaluation Rule
Flat
M V −→∗
W ς = (W ) : ς
ς, E[V @ flat(M)] −→ ς , E[V ]
Constraint Satisfaction
C-Flat
µ( .subject) W µ( .context) t
µ |= W
Roman Keil, Peter Thiemann September 2, 2015 12 / 18

27. Blame Calculation
Definition
ς is a blame state if there exists a top-level blame label such that
µ( .subject) f ∨ µ( .context) f
Evaluation stops if a blame state is reached.
Roman Keil, Peter Thiemann September 2, 2015 13 / 18

28. Function Contract
Evaluation Rule
Function
1, 2 ∈ ς ς = ( 1 → 2) : ς
ς, E[(V @ (C →D)) W ] −→ ς , E[(V (W @ 1
C)) @ 2
D]
Constraint Satisfaction
C-Function
µ( .subject) µ( 1.context ∧ ( 1.subject ⇒ 2.subject))
µ( .context) µ( 1.subject ∧ 2.context)
µ |= 1 → 2
Roman Keil, Peter Thiemann September 2, 2015 14 / 18

29. Intersection Contract
Evaluation Rule
Intersection
1, 2 ∈ ς ς = ( 1 ∩ 2) : ς
ς, E[(V @ (Q ∩ R)) W ] −→ ς , E[((V @ 1
Q) @ 2
R) W ]
Constraint Satisfaction
C-Intersection
µ( .subject) µ( 1.subject ∧ 2.subject)
µ( .context) µ( 1.context ∨ 2.context)
µ |= 1 ∩ 2
Roman Keil, Peter Thiemann September 2, 2015 15 / 18

30. Union Contract
Dual of intersection contract
Exchange ∧ and ∨ in the blame calculation
Delayed evaluation changes to an immediate evaluation
Roman Keil, Peter Thiemann September 2, 2015 16 / 18

31. In the Paper
Technical Results
Contract Rewriting
Deterministic and nondeterministic specification of contract
monitoring
Denotational specification of the semantics of contracts
Theorems for contract and blame soundness
Roman Keil, Peter Thiemann September 2, 2015 17 / 18

32. Conclusion
Intersection and union contracts provide dynamic guarantees
equivalent to their type-theoretic counterparts
Constraint-based blame calculation enables higher-order
contracts with unrestricted intersection and union
Formal basis of TreatJS, a language embedded, higher-order
contract system implemented for JavaScript
Roman Keil, Peter Thiemann September 2, 2015 18 / 18

33. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,t)
(t,t)
Reduction
ς,
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

34. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(t,t)(t,t)
Reduction
−→ ( 1 ∩ 2) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

35. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(t,t)
(t,t) (t,t)
(t,t)
Reduction
−→ 2 ( 3 → 4) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

36. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(t,t)(f,t)
(t,t) (t,t)(t,f)
(t,t)
Reduction
−→ 3 (false) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

37. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(f,t)
(t,t)(t,f)
(t,t)
(t,t) (t,t)
Reduction
−→ 1 ( 5 → 6) : · · · ,
(((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

38. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(f,t)
(t,t)(t,f)
(t,t)
(t,t) (t,t)(t,t)
Reduction
−→ 5 (true) : · · · ,
(((λx.x + 1) 0) @ 6 Even) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

39. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(f,t)
(t,t)(t,f)
(t,t)
(t,t)(t,t)
Reduction
−→ · · · ,
(1 @ 6 Even) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

40. Constraint Graph
... ∩
→
Even Even
→
Pos Pos
(t,f)
(t,t) (t,f)
(f,t)
(t,t)(t,f)
(t,f)
(t,t)(t,t) (t,f)
Reduction
−→ 6 (false) : · · · ,
blame
Roman Keil, Peter Thiemann September 2, 2015 1 / 15

41. Intersection and Union Types
Intersection Type
λx.x + 2 : Even → Even
λx.x + 2 : Odd → Odd
λx.x + 2 : Even → Even ∩ Odd → Odd
Union Type
λx.x − 2 : Even → Even
λx.x − 2 : Even → Even ∪ Pos → Pos
Roman Keil, Peter Thiemann September 2, 2015 2 / 15

42. Flat Contract [Findler,Felleisen’02]
Pos = flat(λx.x 0)
Even = flat(λx.x%2 = 0)
Roman Keil, Peter Thiemann September 2, 2015 3 / 15

43. Flat Contract [Findler,Felleisen’02]
Pos = flat(λx.x 0)
Even = flat(λx.x%2 = 0)
Assertion
1@Pos −→ 1
0@Pos −→ blame subject 0
Roman Keil, Peter Thiemann September 2, 2015 3 / 15

44. Flat Contract [Findler,Felleisen’02]
Pos = flat(λx.x 0)
Even = flat(λx.x%2 = 0)
Assertion
1@Pos −→ 1
0@Pos −→ blame subject 0
Definition
Subject V gets blamed for Flat Contract flat(M) iff:
(M V ) −→∗ false
Roman Keil, Peter Thiemann September 2, 2015 3 / 15

45. Higher-Order Contract [Findler,Felleisen’02]
Even → Even
Roman Keil, Peter Thiemann September 2, 2015 4 / 15

46. Higher-Order Contract [Findler,Felleisen’02]
Even → Even
Assertion
((λx.x + 1)@Even → Even) 1 −→∗ blame context 1
Definition
Context gets blamed for C →D iff:
Argument x gets blamed for C (as subject)
Subject M gets blamed for C →D at V iff:
¬ (Context gets blamed C) ∧ (M V gets blamed D)
Roman Keil, Peter Thiemann September 2, 2015 4 / 15

47. Higher-Order Contract [Findler,Felleisen’02]
Even → Even
Assertion
((λx.x + 1)@Even → Even) 1 −→∗ blame context 1
((λx.x + 1)@Even → Even) 2 −→∗ blame subject
Definition
Context gets blamed for C →D iff:
Argument x gets blamed for C (as subject)
Subject M gets blamed for C →D at V iff:
¬ (Context gets blamed C) ∧ (M V gets blamed D)
Roman Keil, Peter Thiemann September 2, 2015 4 / 15

48. Flat Contract
Examples
Odd ∪ Even
Roman Keil, Peter Thiemann September 2, 2015 5 / 15

49. Flat Contract
Examples
Odd ∪ Even
Flat Contract
flat(λx.P) ∪ flat(λx.Q) ≡ flat(λx.P ∨ Q)
Roman Keil, Peter Thiemann September 2, 2015 5 / 15

50. Union Contract
Assertion
Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos))
Definition
Context gets blamed for C ∪ D iff:
(Context gets blamed for C) ∨ (Context gets blamed for D)
Subject M gets blamed for C ∪ D iff:
(M gets blamed for C) ∧ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 6 / 15

51. Union Contract
Assertion
Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos))
(mod3 4) −→∗ 1
Definition
Context gets blamed for C ∪ D iff:
(Context gets blamed for C) ∨ (Context gets blamed for D)
Subject M gets blamed for C ∪ D iff:
(M gets blamed for C) ∧ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 6 / 15

52. Union Contract
Assertion
Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos))
(mod3 4) −→∗ 1
(mod3 1) −→∗ blame context 1
Definition
Context gets blamed for C ∪ D iff:
(Context gets blamed for C) ∨ (Context gets blamed for D)
Subject M gets blamed for C ∪ D iff:
(M gets blamed for C) ∧ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 6 / 15

53. Union Contract
Assertion
Let mod3 = ((λx.x%3) @ (Even → Even) ∪ (Pos → Pos))
(mod3 4) −→∗ 1
(mod3 1) −→∗ blame context 1
(mod3 6) −→∗ blame subject (λx.x%3)
Definition
Context gets blamed for C ∪ D iff:
(Context gets blamed for C) ∨ (Context gets blamed for D)
Subject M gets blamed for C ∪ D iff:
(M gets blamed for C) ∧ (M gets blamed for D)
Roman Keil, Peter Thiemann September 2, 2015 6 / 15

54. Contract Assertion
Evaluation Rule
Assert
∈ ς ς = ( ) : ς
ς, E[V @ C] −→∗
ς , E[V @ C]
Constraint Satisfaction
C-Assert
µ( .subject) µ( 1.subject) µ( .context) µ( 1.context)
µ |= ( 1)
Roman Keil, Peter Thiemann September 2, 2015 7 / 15

55. Constraint List
Constraint Satisfaction
CS-Empty
µ |= ·
CS-Cons
µ |= κ µ |= ς
µ |= κ : ς
Roman Keil, Peter Thiemann September 2, 2015 8 / 15

56. Union Contract
Evaluation Rule
Union
1, 2 ∈ ς ς = ( 1 ∪ 2) : ς
ς, E[V @ (C ∪ D)] −→ ς , E[(V @ 1
C) @ 2
D]
Constraint Satisfaction
C-Union
µ( .subject) µ( 1.subject ∨ 2.subject)
µ( .context) µ( 1.context ∧ 2.context)
µ |= 1 ∪ 2
Roman Keil, Peter Thiemann September 2, 2015 9 / 15

57. Blame Calculation
Definition
ς is a blame state if there exists a top-level blame identifier such
that
µ( .subject) f ∨ µ( .context) f
ς, M −→∗
ς , N
ς is not a blame state
ς, M −→ ς , N
ς is blame state for
ς, M −→ ς, blame
Roman Keil, Peter Thiemann September 2, 2015 10 / 15

58. Example Reduction
Reduction
·,
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

59. Example Reduction
Reduction
·,
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0
−→ ( 0) : ·,
((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

60. Example Reduction
Reduction
·,
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0
−→ ( 0) : ·,
((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0
−→ 0 ( 1 ∩ 2) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

61. Example Reduction
Reduction
·,
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0
−→ ( 0) : ·,
((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0
−→ 0 ( 1 ∩ 2) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0
−→ 2 ( 3 → 4) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

62. Example Reduction
Reduction
·,
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 0
−→ ( 0) : ·,
((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0
−→ 0 ( 1 ∩ 2) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0
−→ 2 ( 3 → 4) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos
−→ 3 (false) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

63. Example Reduction
Reduction
−→ ( 0) : ·,
((λx.x + 1) @ 0 ((Even → Even) ∩ (Pos → Pos))) 0
−→ 0 ( 1 ∩ 2) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0
−→ 2 ( 3 → 4) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos
−→ 3 (false) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos
−→ 1 ( 5 → 6) : · · · ,
(((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

64. Example Reduction
Reduction
−→ 0 ( 1 ∩ 2) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) @ 2 (Pos → Pos)) 0
−→ 2 ( 3 → 4) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos
−→ 3 (false) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos
−→ 1 ( 5 → 6) : · · · ,
(((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos
−→ 5 (true) : · · · ,
(((λx.x + 1) 0) @ 6 Even) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

65. Example Reduction
Reduction
−→ 2 ( 3 → 4) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) (0 @ 3 Pos)) @ 4 Pos
−→ 3 (false) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos
−→ 1 ( 5 → 6) : · · · ,
(((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos
−→ 5 (true) : · · · ,
(((λx.x + 1) 0) @ 6 Even) @ 4 Pos
−→ · · · ,
(1 @ 6 Even) @ 4 Pos
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

66. Example Reduction
Reduction
−→ 3 (false) : · · · ,
(((λx.x + 1) @ 1 (Even → Even)) 0) @ 4 Pos
−→ 1 ( 5 → 6) : · · · ,
(((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos
−→ 5 (true) : · · · ,
(((λx.x + 1) 0) @ 6 Even) @ 4 Pos
−→ · · · ,
(1 @ 6 Even) @ 4 Pos
−→ 6 (false) : · · · ,
blame
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

67. Example Reduction
Reduction
−→ 1 ( 5 → 6) : · · · ,
(((λx.x + 1) (0 @ 5 Even)) @ 6 Even) @ 4 Pos
−→ 5 (true) : · · · ,
(((λx.x + 1) 0) @ 6 Even) @ 4 Pos
−→ · · · ,
(1 @ 6 Even) @ 4 Pos
−→ 6 (false) : · · · ,
blame
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

68. Example Reduction
Reduction
−→ 5 (true) : · · · ,
(((λx.x + 1) 0) @ 6 Even) @ 4 Pos
−→ · · · ,
(1 @ 6 Even) @ 4 Pos
−→ 6 (false) : · · · ,
blame
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

69. Example Reduction
Reduction
−→ · · · ,
(1 @ 6 Even) @ 4 Pos
−→ 6 (false) : · · · ,
blame
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

70. Example Reduction
Reduction
−→ 6 (false) : · · · ,
blame
Roman Keil, Peter Thiemann September 2, 2015 11 / 15

71. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

72. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

73. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t)
(t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

74. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t) (t,t)
(t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

75. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

76. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,f) (t,t)
(f,t) (t,t)
(t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

77. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,f) (t,f) (t,t)
(f,t) (t,t)
(t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

78. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,f) (t,f) (t,t) (t,t)
(f,t) (t,t)
(t,t)
(t,t)(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

79. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

80. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t)
(t,t)
(t,t) (t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

81. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t)
(t,t) (t,t)
(t,t) (t,t)
(t,t)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

82. Constraint Graph
∩
→
Even Even
→
Pos Pos
∩
→
Even Even
→
Pos Pos
(t,t) (t,f) (t,t)
(t,f) (t,t)
(t,f)
(t,f)
Example
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 1 −→∗ 2
((λx.x + 1) @ ((Even → Even) ∩ (Pos → Pos))) 2 −→∗
Roman Keil, Peter Thiemann September 2, 2015 12 / 15

83. Technical Results
Definition (Contract Satisfaction)
The semantics of a contract C defines
1 a set C + of closed terms (subjects) that satisfy C
2 a set C − of closed contexts that respect C
The definition is mutually inductive on the structure of C.
Roman Keil, Peter Thiemann September 2, 2015 13 / 15

84. Technical Results (cont’d)
Theorem (Contract soundness for expressions)
For all M, C, . M @ C ∈ C +
Theorem (Contract soundness for contexts)
For all L, C, . L[ @ C] ∈ C −
Roman Keil, Peter Thiemann September 2, 2015 14 / 15

85. Technical Results (cont’d)
Theorem (Subject blame soundness)
Suppose that M ∈ C +.
If ς, E[M @ C] −→∗ ς , N then ς ( , subject) t.
Theorem (Context blame soundness)
Suppose that L ∈ C −.
If ς, L[M @ C] −→∗ ς , N, then ς ( , context) t.
Roman Keil, Peter Thiemann September 2, 2015 15 / 15