skip to main content
research-article
Open Access
Artifacts Available
Artifacts Evaluated & Functional

Soft contract verification for higher-order stateful programs

Published:27 December 2017Publication History
Skip Abstract Section

Abstract

Software contracts allow programmers to state rich program properties using the full expressive power of an object language. However, since they are enforced at runtime, monitoring contracts imposes significant overhead and delays error discovery. So contract veri cation aims to guarantee all or most of these properties ahead of time, enabling valuable optimizations and yielding a more general assurance of correctness. Existing methods for static contract verification satisfy the needs of more restricted target languages, but fail to address the challenges unique to those conjoining untyped, dynamic programming, higher-order functions, modularity, and statefulness. Our approach tackles all these features at once, in the context of the full Racket system—a mature environment for stateful, higher-order, multi-paradigm programming with or with- out types. Evaluating our method using a set of both pure and stateful benchmarks, we are able to verify 99.94% of checks statically (all but 28 of 49, 861).

Stateful, higher-order functions pose significant challenges for static contract verification in particular. In the presence of these features, a modular analysis must permit code from the current module to escape permanently to an opaque context (unspecified code from outside the current module) that may be stateful and therefore store a reference to the escaped closure. Also, contracts themselves, being predicates wri en in unrestricted Racket, may exhibit stateful behavior; a sound approach must be robust to contracts which are arbitrarily expressive and interwoven with the code they monitor. In this paper, we present and evaluate our solution based on higher-order symbolic execution, explain the techniques we used to address such thorny issues, formalize a notion of behavioral approximation, and use it to provide a mechanized proof of soundness.

Skip Supplemental Material Section

Supplemental Material

softcontractverification.webm

References

  1. Thomas H. Austin, Tim Disney, and Cormac Flanagan. 2011. Virtual values for language extension. In Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 921–938. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Gogul Balakrishnan and Thomas Reps. 2006. Recency-Abstraction for Heap-Allocated Storage Static Analysis. In International Static Analysis Symposium. Springer, 221–239. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. M. Barnett, M. Fähndrich, K. R. M. Leino, P. Müller, W. Schulte, and H. Venter. 2011. Specification and Verification: The Spec# Experience. Commun. ACM 54, 6 (June 2011), 81–91. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Clark Barrett, ChristopherL Conway, Morgan Deters, Liana Hadarean, Dejan Jovanović, Tim King, Andrew Reynolds, and Cesare Tinelli. 2011. CVC4. In Computer Aided Verification. Springer, 171–177.Google ScholarGoogle Scholar
  5. Lars Birkedal, Bernhard Reus, Jan Schwinghammer, and Hongseok Yang. 2008. A Simple Model of Separation Logic for Higher-Order Store. In Automata, Languages and Programming. Springer, 348–360. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation. USENIX Association, 209–224.Google ScholarGoogle Scholar
  7. Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, and Dawson R. Engler. 2006. EXE: Automatically Generating Inputs of Death. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS). ACM, 322–335. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Ravi Chugh, David Herman, and Ranjit Jhala. 2012a. Dependent Types for JavaScript. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 587–606. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Ravi Chugh, Patrick M. Rondon, and Ranjit Jhala. 2012b. Nested Refinements: A Logic for Duck Typing. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 231–244. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. P. Cousot and R. Cousot. 1976. Static Determination of Dynamic Properties of Programs. In 2nd International Symposium on Programming. 106–130.Google ScholarGoogle Scholar
  11. Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL). ACM, 238–252. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Christos Dimoulas, Robert B. Findler, Cormac Flanagan, and Matthias Felleisen. 2011. Correct Blame for Contracts: No More Scapegoating. In Proceedings of the 38th Annual ACM Symposium on Principles of Programming Languages (POPL). ACM, 215–226. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Tim Disney. 2013. contracts.coffee. (July 2013). http://disnetdev.com/contracts.coffee/Google ScholarGoogle Scholar
  14. Manuel Fähndrich and Francesco Logozzo. 2011. Static contract checking with abstract interpretation. In Proceedings of the 2010 International Conference on Formal Verification of Object-Oriented Software (FoVeOOS). Springer, 10–30. Google ScholarGoogle ScholarCross RefCross Ref
  15. Robert B. Findler and Matthias Felleisen. 2002. Contracts for higher-order functions. In Proceedings of the seventh ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 48–59. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Matthew Flatt and PLT. 2010. Reference: Racket. Technical Report PLT-TR-2010-1. PLT Inc.Google ScholarGoogle Scholar
  17. Tim Freeman and Frank Pfenning. 1991. Refinement Types for ML. In Proceedings of the ACM SIGPLAN 1991 Conference on Programming Language Design and Implementation (PLDI). ACM, 268–277. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Thomas Gilray, Michael D. Adams, and Matthew Might. 2016a. Allocation Characterizes Polyvariance: A Unified Methodology for Polyvariant Control-Flow Analysis. In Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 407–420. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Thomas Gilray, Steven Lyde, Michael D. Adams, Matthew Might, and David Van Horn. 2016b. Pushdown control-flow analysis for free. In Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 691–704. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Michael Greenberg, Benjamin C. Pierce, and Stephanie Weirich. 2010. Contracts made manifest. In Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 353–364. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Jessica Gronski and Cormac Flanagan. 2007. Unifying Hybrid Types and Contracts.. In Trends in Functional Programming. Citeseer, 54–70.Google ScholarGoogle Scholar
  22. Rich Hickey, Michael Fogus, and contributors. 2013. core.contracts. (July 2013). https://github.com/clojure/core.contractsGoogle ScholarGoogle Scholar
  23. James C. King. 1976. Symbolic Execution and Program Testing. Commun. ACM 19, 7 (1976), 385–394. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Kenneth Knowles and Cormac Flanagan. 2010. Hybrid Type Checking. ACM Trans. Program. Lang. Syst. 32, 2 (Feb. 2010), 1–34. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Naoki Kobayashi. 2009a. Model-checking higher-order functions. In Proceedings of the 11th ACM SIGPLAN Conference on Principles and Practice of Declarative Programming (PPDP). ACM, 25–36. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Naoki Kobayashi. 2009b. Types and higher-order recursion schemes for verification of higher-order programs. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 416–428. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Naoki Kobayashi and Atsushi Igarashi. 2013. Model-Checking Higher-Order Programs with Recursive Types. In European Symposium on Programming (ESOP). Springer, 431–450. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Naoki Kobayashi and C. H. Luke Ong. 2009. A Type System Equivalent to the Modal Mu-Calculus Model Checking of Higher-Order Recursion Schemes. In 2009 24th Annual IEEE Symposium on Logic In Computer Science (LICS). IEEE, 179– 188. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Naoki Kobayashi, Ryosuke Sato, and Hiroshi Unno. 2011. Predicate abstraction and CEGAR for higher-order model checking. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 222–233. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Naoki Kobayashi, Naoshi Tabuchi, and Hiroshi Unno. 2010. Higher-order multi-parameter tree transducers and recursion schemes for program verification. In Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 495–508. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. James Laird. 2007. A fully abstract trace semantics for general references. Automata, Languages and Programming (2007), 667–679.Google ScholarGoogle Scholar
  32. R. Majumdar and K. Sen. 2007. Hybrid Concolic Testing. In 29th International Conference on Software Engineering (ICSE). IEEE, 416–426. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Bertrand Meyer. 1991. Eiffel : The Language. Prentice Hall.Google ScholarGoogle Scholar
  34. Matthew Might. 2011. Abstract interpreters for free. In International Symposium on Static Analysis (SAS). Springer, 407–421.Google ScholarGoogle Scholar
  35. Matthew Might and Panagiotis Manolios. 2009. A Posteriori Soundness for Non-deterministic Abstract Interpretations. In Proceedings of the 10th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI). Springer, 260–274.Google ScholarGoogle Scholar
  36. Matthew Might and Olin Shivers. 2006. Environment analysis via ∆CFA. In Conference record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 127–140.Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: an efficient SMT solver. In Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Springer, 337–340. Google ScholarGoogle ScholarCross RefCross Ref
  38. P. Müller and J. N. Ruskiewicz. 2011. Using Debuggers to Understand Failed Verification Attempts. In Formal Methods (FM). Springer, 73–87. Google ScholarGoogle ScholarCross RefCross Ref
  39. Robin P Neatherway, Steven J Ramsay, and Chih-Hao Luke Ong. 2012. A traversal-based algorithm for higher-order model checking. In Proceedings of the 17th Annual International Conference on Functional Programming (ICFP). ACM, 353–364.Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Phúc C. Nguyễn and David Van Horn. 2015. Relatively Complete Counterexamples for Higher-order Programs. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 446–456. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Phúc C. Nguyễ̂n, Sam Tobin-Hochstadt, and David Van Horn. 2014. Soft Contract Verification. In Proceedings of the 19th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 139–152. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Peter O’Hearn, John Reynolds, and Hongseok Yang. 2001. Local reasoning about programs that alter data structures. In Computer science logic (CSL). Springer, 1–19. Google ScholarGoogle ScholarCross RefCross Ref
  43. C. H. Luke Ong. 2006. On Model-Checking Trees Generated by Higher-Order Recursion Schemes. In Proceedings of the 21st Annual IEEE Symposium on Logic in Computer Science (LICS). IEEE, 81–90.Google ScholarGoogle Scholar
  44. C. H. Luke Ong and Steven J. Ramsay. 2011. Verifying Higher-order Functional Programs with Pattern-matching Algebraic Data Types. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 587–598. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. R. Plosch. 1997. Design by contract for Python. In Proceedings of the Joint Asia Pacific Software Engineering Conference and International Computer Science Conference. IEEE, 213–219. Google ScholarGoogle ScholarCross RefCross Ref
  46. John C Reynolds. 2002. Separation logic: A logic for shared mutable data structures. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science (LICS). IEEE, 55–74.Google ScholarGoogle ScholarCross RefCross Ref
  47. Patrick M. Rondon, Ming Kawaguci, and Ranjit Jhala. 2008. Liquid Types. In Proceedings of the 2008 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 159–169. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Taro Sekiyama and Atsushi Igarashi. 2017. Stateful manifest contracts. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). ACM, 530–544. Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. Taro Sekiyama, Yuki Nishida, and Atsushi Igarashi. 2015. Manifest Contracts for Datatypes. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 195–207. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. Koushik Sen. 2007. Concolic testing. In Proceedings of the Twenty-Second IEEE/ACM International Conference on Automated Software Engineering (ASE). ACM, 571–572. Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: a concolic unit testing engine for C. SIGSOFT Softw. Eng. Notes 30, 5 (2005). Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Olin Shivers. 1991. Control-flow analysis of higher-order languages. Ph.D. Dissertation. Carnegie Mellon University.Google ScholarGoogle ScholarDigital LibraryDigital Library
  53. T. Stephen Strickland, Sam Tobin-Hochstadt, Robert B. Findler, and Matthew Flatt. 2012. Chaperones and Impersonators: Run-time Support for Reasonable Interposition. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 943–962. Google ScholarGoogle ScholarDigital LibraryDigital Library
  54. Sam Tobin-Hochstadt and Matthias Felleisen. 2010. Logical Types for Untyped Languages. In Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 117–128. Google ScholarGoogle ScholarDigital LibraryDigital Library
  55. Sam Tobin-Hochstadt and David Van Horn. 2012. Higher-order symbolic execution via contracts. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 537–554. Google ScholarGoogle ScholarDigital LibraryDigital Library
  56. Takeshi Tsukada and Naoki Kobayashi. 2010. Untyped recursion schemes and infinite intersection types. In Proceedings of the 13th International Conference on Foundations of Software Science and Computational Structures (FoSSaCS). Springer, 343–357. Google ScholarGoogle ScholarDigital LibraryDigital Library
  57. David Van Horn and Matthew Might. 2010. Abstracting Abstract Machines. In Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 51–62. Google ScholarGoogle ScholarDigital LibraryDigital Library
  58. Niki Vazou, Patrick M. Rondon, and Ranjit Jhala. 2013. Abstract Refinement Types. In European Symposium on Programming (ESOP). Springer, 209–228. Google ScholarGoogle ScholarDigital LibraryDigital Library
  59. Dimitrios Vytiniotis, Simon Peyton Jones, Koen Claessen, and Dan Rosén. 2013. HALO: Haskell to logic through denotational semantics. In Proceedings of the 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 431–442. Google ScholarGoogle ScholarDigital LibraryDigital Library
  60. Andrew K. Wright and Robert Cartwright. 1997. A practical soft type system for Scheme. ACM Trans. Program. Lang. Syst. 19, 1 (Jan. 1997). Google ScholarGoogle ScholarDigital LibraryDigital Library
  61. Dana N. Xu. 2012. Hybrid contract checking via symbolic simplification. In Proceedings of the ACM SIGPLAN 2012 Workshop on Partial Evaluation and Program Manipulation (PEPM). ACM, 107–116. Google ScholarGoogle ScholarDigital LibraryDigital Library
  62. Dana N. Xu, Simon Peyton Jones, and Simon Claessen. 2009. Static contract checking for Haskell. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 41–52. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Soft contract verification for higher-order stateful programs

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!