Affiliation:
1. IBM Research, Japan
2. Kyoto University, Japan
Abstract
This paper studies hybrid contract verification for an imperative higher-order language based on a so-called manifest contract system. In manifest contract systems, contracts are part of static types and contract verification is hybrid in the sense that some contracts are verified statically, typically by subtyping, while others are verified dynamically by casts. It is, however, not trivial to extend existing manifest contract systems, which have been designed mostly for pure functional languages, to imperative features, mainly because of the lack of flow-sensitivity, which should be taken into account in verifying imperative programs statically.
We develop an imperative higher-order manifest contract system λ^ref_H for flow-sensitive hybrid contract verification. We introduce a computational variant of Nanevski et al.'s Hoare types, which are flow-sensitive types that represent pre- and postconditions of impure computation. Our Hoare types are computational in the sense that pre- and postconditions are given by Booleans in the same language as programs, so that they are dynamically verifiable. λ^ref_H also supports refinement types as in existing manifest contract systems to describe flow-insensitive, state-independent contracts of pure computation. While it is desirable that any (possibly state-manipulating) predicate can be used in contracts, abuse of stateful operations will break the system. To control stateful operations in contracts, we introduce a region-based effect system, which allows contracts in refinement types and computational Hoare types to manipulate states, as long as they are observationally pure and read-only, respectively. We show that dynamic contract checking in our calculus is consistent with static typing in the sense that the final result obtained without dynamic contract violations satisfies the contracts in its static type. In particular, this means that the state after stateful computations satisfies their postconditions.
As in some prior manifest contract systems, static contract verification in this work is "post facto," that is, we first define our manifest contract system so that all contracts are checked at run time, formalize conditions under which dynamic checks can be removed safely, and show that programs with and without such removable checks are contextually equivalent. We also apply the idea of post facto verification to region-based local reasoning, inspired by the frame rule of Separation Logic.
Funder
Japan Society for the Promotion of Science
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Graphics and Computer-Aided Design, Software
Cited by
7 articles.
1. Signature restriction for polymorphic algebraic effects;Journal of Functional Programming;2024
2. Specification-guided component-based synthesis from effectful libraries;Proceedings of the ACM on Programming Languages;2022-10-31
3. Signature restriction for polymorphic algebraic effects;Proceedings of the ACM on Programming Languages;2020-08-02
4. Type-level computations for Ruby libraries;Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation;2019-06-08
5. Manifest Contracts with Intersection Types;Programming Languages and Systems;2019