Blame Assignment for Higher-Order Contracts with ...ajacs.inria.fr/files/2015-03-23-Thiemann.pdf ·...

Blame Assignment for Higher-Order Contracts

with Intersection and Union

Albert-Ludwigs-Universitat Freiburg

Matthias Keil Peter Thiemann

University of Freiburg

23 Mar 2015

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion

M@C : assert contract C to term M

10@Pos −→ 10

10@Even −→ 10

(2− 4)@Pos contract violation (by subject −2)

(2 + 3)@Even contract violation (by subject 5)

Keil & Thiemann Blame Assignment for Higher-Order Contracts with Intersection and Union23 Mar 2015 2 / 34

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion

10@Pos −→ 10

10@Even −→ 10

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion

10@Pos −→ 10

10@Even −→ 10

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion

10@Pos −→ 10

10@Even −→ 10

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion

10@Pos −→ 10

10@Even −→ 10

Flat Contracts

Examples

Pos = {x | x > 0}

Even = {x | x%2 = 0}

Assertion

10@Pos −→ 10

10@Even −→ 10

Higher-Order Contracts [Findler, Felleisen 2002]

Examples

Pos→ Pos Even→ Even Pos→ (Even→ Even)

Assertion (first-order function)

Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90

(f @(Pos→ Pos)) 10 blame subject f

(f @(Pos→ Pos)) 0 blame context � 0

Examples

Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90

Examples

Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90

Examples

Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90

Examples

Let f = λx .x − 10

(f @(Pos→ Pos)) 100 −→ 90

Higher-Order Contracts II

Assertion

Let add = λx .λy .x + y and C = Pos→ (Even→ Even)

(add@C ) 0 blame context � 0

((add@C ) 1) 1 blame context (� 1) 1

((add@C ) 1) 0 blame subject add

Assertion

Contracts vs. Types

Contracts ≈ dynamically checked types

flat contracts ≈ subset types

function contracts ≈ function types

Contract work driven by types . . .

pair contracts [Hinze, Loh]

sum contracts

polymorphic contracts [Ahmed, Findler, Guha,Krishnamurthi, Matthews, Wadler]

Contracts vs. Types

Contracts ≈ dynamically checked types

flat contracts ≈ subset types

function contracts ≈ function types

Contract work driven by types . . .

pair contracts [Hinze, Loh]

sum contracts

polymorphic contracts [Ahmed, Findler, Guha,Krishnamurthi, Matthews, Wadler]

This Work

What about intersection and union types?

Intersection types

modeling overloading

multiple inheritance

Union types

dual of intersection type

domain of overloaded function

XML typing and dynamic typing

This Work

Intersection types

Union types

This Work

Intersection types

Union types

This Work

Intersection types

Union types

Intersection Types

Intuition of intersection type

If a term has both type S and T , then it also possesses theintersection type S ∩ T .

A context for M : S ∩ T can choose to treat M as S or T .

Introduction and elimination for intersection [Pierce 1991]

Inter-IA ` V : S A ` V : T

A ` V : S ∩ T

Sub-Inter-L

S ∩ T <: SSub-Inter-R

S ∩ T <: T

Intersection for Overloading

An overloaded + operator

+ : Num × Num→ Num

+ : Str × Str → Str

hence + : (Num × Num→ Num) ∩ (Str × Str → Str)

If we had intersection contracts . . .

Let p = +@(Num × Num→ Num) ∩ (Str × Str → Str)

p(17, 4) −→ 21

p(”foo”, ”bar”) −→ ”foobar”

p(17, ”bar”) blame context � (17, ”bar”)

No subject blame because + fulfills the intersection contract

p(17, 4) −→ 21

Blaming Intersection

Let C = (Pos→ Pos) ∩ (Even→ Even)Let f = λx .if x > 2 then x − 10 else x + 1

(f @C ) (−1) blame context

(f @C ) 0 blame subject

(f @C ) 1 −→ 2

Blaming Rules for Intersection

Subject blame

L[M@(C ∩ D)] blames the subject iffL[M@C ] blames the subject or L[M@D] blames the subject.

A ` V : S ∩ T

Context blame

F [M@(C ∩ D)] blames the context iffF [M@C ] blames the context and F [M@D] blames the context.

F ::= E [�V ] | . . . an elimination context

Sub-Inter-LS ∩ T <: S

Sub-Inter-RS ∩ T <: T

Blaming Rules for Intersection

Subject blame

L[M@(C ∩ D)] blames the subject iffL[M@C ] blames the subject or L[M@D] blames the subject.

A ` V : S ∩ T

Context blame

F [M@(C ∩ D)] blames the context iffF [M@C ] blames the context and F [M@D] blames the context.

F ::= E [�V ] | . . . an elimination context

Sub-Inter-LS ∩ T <: S

Sub-Inter-RS ∩ T <: T

Union Types

Intuition of union type

If a term has type S or T , then it also possesses the uniontype S ∪ T .

A context for M : S ∪T must be able to deal with S and T .

Introduction and elimination for union [Pierce 1991]

Union-EA ` M : S ∪ T A, x : S ` N : R A, x : T ` N : R

A ` let x = M in N : R

Sub-Union-L

S <: S ∪ TSub-Union-R

T <: S ∪ T

Union Types

Sub-Union-L

T <: S ∪ T

Union Types

Sub-Union-L

T <: S ∪ T

Blaming Rules for Union

Dualize rules for intersection . . .

Subject blame

E [M@(C ∪ D)] blames the subject iffE [M@C ] blames the subject and E [M@D] blames the subject.Viz. introduction rule.

Context blame

L[M@(C ∪ D)] blames the context iffL[M@C ] blames the context or L[M@D] blames the context.Viz. elimination rules.

Subject blame

Context blame

Subject blame

Context blame

Blaming Union

Let C = (Pos→ Pos) ∪ (Even→ Even)Let g = λx .x − 4 (fulfills C because it fulfills Even→ Even)⇒ no subject blame arises!

(g@C ) 0 blame context

(g@C ) (−1) blame context

(g@C ) 2 −→ −2 because of Even→ Even

But there is a further twist . . .

Blaming Union

Blaming Union II

Let C = (Pos→ Pos) ∪ (Even→ Even)Let h = λx .if x%3 = 0 then − x else x + 1

Observation: h does not fulfill C

h is not Even→ Even because h(2) = 3

h is not Pos→ Pos because h(3) = −3

Blaming

(h@C ) 2 −→ 3 because of Pos→ Pos

(h@C ) 3 blame context: Even violated

(h@C ) 0 blame context: Pos violated

(h@C ) 6 −→ −6 because of Even→ Even

Problem: no single test can detect the violation

Blaming Union II

Blaming

Blaming Union II

Blaming

Blaming Union II

Blaming

Blaming Union II

Blaming

Blaming Union II

Blaming

Blaming Union II

Blaming

Blaming Union II

Blaming

⇒ Union must stick to one alternative

A Denotational Model of Contracts

Denotational Model of Contracts

Intuition

The semantics of a contract C comprises

1 a set of terms JCK+ that fulfill the contract and

2 a set of contexts JCK− that respect the contract.

Denotational Model

Flat contracts

1 J{x | P}K+ = {M | (λx .P) M 6−→∗ false}2 J{x | P}K− = {L | L is a context}

Example

JPosK+ = {M | M > 0 6−→∗ false}= {1, 2, 3, . . . } ∪{M | M diverges} ∪{M | (M > 0) gets stuck}

Denotational Model

Flat contracts

1 J{x | P}K+ = {M | (λx .P) M 6−→∗ false}2 J{x | P}K− = {L | L is a context}

Example

JPosK+ = {M | M > 0 6−→∗ false}= {1, 2, 3, . . . } ∪{M | M diverges} ∪{M | (M > 0) gets stuck}

Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .

Standard function interpretation

NEW M acts on contexts by transforming a context thatrespects D into a context that respects C

Set of contexts that respect C→D

promise to only pass argument that fulfill Cpromise to put result in context respecting D

Defined by coinductive inference rules

Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .

Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .

Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .

Denotational Model

Function contracts

1 JC→DK+ = {M | ∀N ∈ JCK+.M N ∈ JDK+

∧ ∀N ∈ JDK−.N [M �] ∈ JCK−}2 JC→DK− = . . .

Contexts for Function Contracts

Selected rules for P = JC→DK−

P-ApplyN ∈ JCK+ E ∈ JDK−

E [�N] ∈ P

P-ReduceN ∈ P M−→ N

M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P

E [�N] ∈ P

M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P

E [�N] ∈ P

M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P

M−→ N is context reduction

E [�N] ∈ P

M ∈ P

P-IrredM 6−→ M /∈ {E [(λx .N)�],E [�N]}

M ∈ P

Contexts for Function Contracts II

Beta redexes involving holes

P-Deletex /∈ free(M)

E [(λx .M)�] ∈ P

P-LinearM = F [x ] E [F ] ∈ P

E [(λx .M)�] ∈ P

P-Expand∀F ,V . λx .M = λx .F [x ]⇒ E [F{x 7→ V }] ∈ P

E [(λx .M)�] ∈ P

P-Delete and P-Linear are special cases of P-Expand

E [(λx .M)�] ∈ P

Semantics of Intersection and Union Contracts

Intersection

1 JC ∩ DK+ = JCK+ ∩ JDK+

2 JC ∩ DK− = JCK− ∪ JDK− ∪ . . .(defined by closing under P-Expand etc)

1 JC ∪ DK+ = JCK+ ∪ JDK+

2 JC ∪ DK− = JCK− ∩ JDK−

Cf. blaming rules and typing rules

Intersection

Provable from Denotational Model

Intersection for flat contracts

{x | P} ∩ {x | Q} = {x | P ∧ Q}

Union for flat contracts

{x | P} ∪ {x | Q} = {x | P ∨ Q}

proof: simple calculation

only subject blame

context blame does not arise

Contract Monitoring

Challenges

Small-step operational semantics

nondeterministic specificationdeterministic implementation (with simulation result)

Gathering blame for intersection and union

Gathering blame across different uses of same union

Operational Semantics

Reduction relation

%,M 7→ ς,N

M,N terms

%, ς lists of constraints in order of generation

one constraint for each contract operator →, ∪, ∩one constraint for each evaluated flat contract

cannot blame immediately: flat contract may be nested inintersection or union

instead: blame computed from list of constraints

Reduction relation

%,M 7→ ς,N

M,N terms

Reduction relation

%,M 7→ ς,N

M,N terms

one constraint for each contract operator →, ∪, ∩

one constraint for each evaluated flat contract

Reduction relation

%,M 7→ ς,N

M,N terms

Reduction relation

%,M 7→ ς,N

M,N terms

Reduction relation

%,M 7→ ς,N

M,N terms

Evaluation Rules

Flat contracts

I-Flat

ς,E [V @b flat(M)] −→ ς,E [V @b eval(M V )]

I-Unit

ς,E [V @b eval(W )] −→ b J (W ) : ς,E [V ]

Evaluation Rules

Flat contracts

I-Flat

ς,E [V @b flat(M)] −→ ς,E [V @b eval(M V )]

I-Unit

ς,E [V @b eval(W )] −→ b J (W ) : ς,E [V ]

Constraint Satisfaction

Solution of a constraint set

µ ∈ (LbM× {subject, context})→ B

for each blame identifier b

assign subject blame and context blame

drawn from B = {t, f}ordered by t @ f

Ordering reflects gathering of information with eachexecution step

False has “more” information because it indicates a failingcontract

Constraint Satisfaction II

Flat contracts

CT-Flatµ(b.subject) w τ(W ) µ(b.context) w t

µ |= b JW

Raise blame if b is a blame label from the source programand either µ(b.subject) w f or µ(b.context) w f

Constraint Satisfaction II

Flat contracts

CT-Flatµ(b.subject) w τ(W ) µ(b.context) w t

µ |= b JW

Raise blame if b is a blame label from the source programand either µ(b.subject) w f or µ(b.context) w f

Evaluation Rules

Function contracts

D-Funι1, ι2 6∈ ς

ς,E [(V @b (C→D)) W ]−→ b J (ι1→ ι2) : ς,E [(V (W @ι1 C )) @ι2 D]

Satisfaction for function constraints

CT-Functionµ(b.subject) w µ(ι1.context∧(ι1.subject⇒ι2.subject))

µ(b.context) w µ(ι1.subject∧ι2.context)

µ |= b J ι1→ ι2

Evaluation Rules

Function contracts

µ |= b J ι1→ ι2

Evaluation Rules

Function contracts

µ |= b J ι1→ ι2

Evaluation Rules

Intersection contracts

D-Interι1, ι2 6∈ ς

ς,E [(V @b (Q ∩ R)) W ]−→ b J (ι1 ∩ ι2) : ς,E [〈(V @ι1 Q) W 8 (V @ι2 R) W 〉]

Reduction proceeds independently in pair components

Shares the constraint list

Intersection constraints

CT-Intersectionµ(b.subject) w µ(ι1.subject∧ι2.subject)µ(b.context) w µ(ι1.context∨ι2.context)

µ |= b J ι1 ∩ ι2

Evaluation Rules

µ |= b J ι1 ∩ ι2

Evaluation Rules

µ |= b J ι1 ∩ ι2

Evaluation Rules

µ |= b J ι1 ∩ ι2

Evaluation Rules

µ |= b J ι1 ∩ ι2

Evaluation Rules

Union contracts

Unionι1, ι2 6∈ ς

ς,E [V @b (K[C ∪ D])]−→ b J (ι1 ∪ ι2) : ς,E [〈V @ι1 K[C ] 8 V @ι2 K[D]〉]

All uses of V refer to the same constraint on b

Inconsistent uses of the union are detected

Union constraints

CT-Unionµ(b.subject) w µ(ι1.subject∨ι2.subject)µ(b.context) w µ(ι1.context∧ι2.context)

µ |= b J ι1 ∪ ι2

Evaluation Rules

Union contracts

Union constraints

µ |= b J ι1 ∪ ι2

Evaluation Rules

Union contracts

Union constraints

µ |= b J ι1 ∪ ι2

Evaluation Rules

Union contracts

Union constraints

µ |= b J ι1 ∪ ι2

Evaluation Rules

Union contracts

Union constraints

µ |= b J ι1 ∪ ι2

Results

Contract soundness

1 M @[ C ∈ JCK+.

2 L[� @[ C ] ∈ JCK−.

Subject blame soundness (abridged)

Suppose that M ∈ JCK+.If %,E [M @b C ] 7−→∗ ς,N, then JςK(b, subject) v t.

Context blame soundness (abridged)

Suppose that L ∈ JCK−.If %,L[M @b C ] 7−→∗ ς,N, then JςK(b, context) v t.

Results

Contract soundness

1 M @[ C ∈ JCK+.

2 L[� @[ C ] ∈ JCK−.

Results

Contract soundness

1 M @[ C ∈ JCK+.

2 L[� @[ C ] ∈ JCK−.

Further Challenges Addressed

Deal with (A ∪ B) ∩ (C ∪ D)

Solutions don’t increase monotonically when new constraintsare added

Deterministic semantics and simulation

Implementation

Conclusions

First investigation of intersection and union contracts

Novel semantics of contracts (subject, context)

Implemented in TreatJS, a new contract system forJavaScript, which is available on the webhttp://proglang.informatik.uni-freiburg.de/treatjs/

Blame Assignment for Higher-Order Contracts with ...ajacs.inria.fr/files/2015-03-23-Thiemann.pdf ·...

Documents

The Law of Contracts - DelmarLearning.com50 CHAPTER 14 How does legal capacity affect the validity of contracts? How are contracts affected by assignment, performance, and discharge?

Monitors and Blame Assignment for Higher-Order Session Types

Assignment of Government Contracts as Collateral

blame mabel

Human-Robot Interaction · 2015. 6. 9. · -Self Blame-Team Blame-User Blame ... Chi-squared χ2(1,N=58)=28.458,p

Blame 360 Feedback Template Test Blame · Competency Summary Test Blame, 7/16/2009 Summary of all competency groups sorted by Rater group. € € Criteria Assigns credit and blame

Monitors and Blame Assignment for Higher-Order …fp/papers/popl16.pdfMonitors and Blame Assignment for Higher-Order Session Types Limin Jia Hannah Gommerstadt Frank Pfenning Carnegie

Shifting the Blame: Federalism, Media, and Public Assignment of

Government Contracts and Procurement - agc.gov.bn Slides/Govt...Government Contracts and Procurement ... Assignment and Sub-contract Compliance with Law Collusion Conflict of Interest

Contracts Lesson Three. Learning Objectives Understand the performance of contracts as related to time limits. Know about assignment of a contract

Subcontracting, Assignment, and Substitution for Legal Contracts …luigi/papers/20_ER.pdf · 2020. 10. 8. · subcontracting, assignment, delegation, and substitution. This paper

Blame game

Blame the pilgrims

Cause vs. Blame

Blame the Gods!

The Blame Game · 2017. 3. 3. · The Blame Game •Introduction •Chapter 1: The Nature of Credit and Blame •Chapter 2: The Nurture of Credit and Blame •Chapter 3: Typecasting

A Baseless Blame - Dedicated to Alahazrat Imam Ahmad Raza ... · PDF fileA Baseless Blame 2 A BASELESS BLAME (A critical View of the Blame on Imam Ahmad Raza Khan ... Allama Iqbal

Blame Cleanse

Correct Blame for Contracts

Blame of Genocide