Abstract
Software contracts allow programmers to state rich program properties using the full expressive power of an object language. However, since they are enforced at runtime, monitoring contracts imposes significant overhead and delays error discovery. So contract veri cation aims to guarantee all or most of these properties ahead of time, enabling valuable optimizations and yielding a more general assurance of correctness. Existing methods for static contract verification satisfy the needs of more restricted target languages, but fail to address the challenges unique to those conjoining untyped, dynamic programming, higher-order functions, modularity, and statefulness. Our approach tackles all these features at once, in the context of the full Racket system—a mature environment for stateful, higher-order, multi-paradigm programming with or with- out types. Evaluating our method using a set of both pure and stateful benchmarks, we are able to verify 99.94% of checks statically (all but 28 of 49, 861).
Stateful, higher-order functions pose significant challenges for static contract verification in particular. In the presence of these features, a modular analysis must permit code from the current module to escape permanently to an opaque context (unspecified code from outside the current module) that may be stateful and therefore store a reference to the escaped closure. Also, contracts themselves, being predicates wri en in unrestricted Racket, may exhibit stateful behavior; a sound approach must be robust to contracts which are arbitrarily expressive and interwoven with the code they monitor. In this paper, we present and evaluate our solution based on higher-order symbolic execution, explain the techniques we used to address such thorny issues, formalize a notion of behavioral approximation, and use it to provide a mechanized proof of soundness.
Supplemental Material
Available for Download
- Thomas H. Austin, Tim Disney, and Cormac Flanagan. 2011. Virtual values for language extension. In Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 921–938. Google Scholar
Digital Library
- Gogul Balakrishnan and Thomas Reps. 2006. Recency-Abstraction for Heap-Allocated Storage Static Analysis. In International Static Analysis Symposium. Springer, 221–239. Google Scholar
Digital Library
- M. Barnett, M. Fähndrich, K. R. M. Leino, P. Müller, W. Schulte, and H. Venter. 2011. Specification and Verification: The Spec# Experience. Commun. ACM 54, 6 (June 2011), 81–91. Google Scholar
Digital Library
- Clark Barrett, ChristopherL Conway, Morgan Deters, Liana Hadarean, Dejan Jovanović, Tim King, Andrew Reynolds, and Cesare Tinelli. 2011. CVC4. In Computer Aided Verification. Springer, 171–177.Google Scholar
- Lars Birkedal, Bernhard Reus, Jan Schwinghammer, and Hongseok Yang. 2008. A Simple Model of Separation Logic for Higher-Order Store. In Automata, Languages and Programming. Springer, 348–360. Google Scholar
Digital Library
- Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation. USENIX Association, 209–224.Google Scholar
- Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, and Dawson R. Engler. 2006. EXE: Automatically Generating Inputs of Death. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS). ACM, 322–335. Google Scholar
Digital Library
- Ravi Chugh, David Herman, and Ranjit Jhala. 2012a. Dependent Types for JavaScript. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 587–606. Google Scholar
Digital Library
- Ravi Chugh, Patrick M. Rondon, and Ranjit Jhala. 2012b. Nested Refinements: A Logic for Duck Typing. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 231–244. Google Scholar
Digital Library
- P. Cousot and R. Cousot. 1976. Static Determination of Dynamic Properties of Programs. In 2nd International Symposium on Programming. 106–130.Google Scholar
- Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL). ACM, 238–252. Google Scholar
Digital Library
- Christos Dimoulas, Robert B. Findler, Cormac Flanagan, and Matthias Felleisen. 2011. Correct Blame for Contracts: No More Scapegoating. In Proceedings of the 38th Annual ACM Symposium on Principles of Programming Languages (POPL). ACM, 215–226. Google Scholar
Digital Library
- Tim Disney. 2013. contracts.coffee. (July 2013). http://disnetdev.com/contracts.coffee/Google Scholar
- Manuel Fähndrich and Francesco Logozzo. 2011. Static contract checking with abstract interpretation. In Proceedings of the 2010 International Conference on Formal Verification of Object-Oriented Software (FoVeOOS). Springer, 10–30. Google Scholar
Cross Ref
- Robert B. Findler and Matthias Felleisen. 2002. Contracts for higher-order functions. In Proceedings of the seventh ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 48–59. Google Scholar
Digital Library
- Matthew Flatt and PLT. 2010. Reference: Racket. Technical Report PLT-TR-2010-1. PLT Inc.Google Scholar
- Tim Freeman and Frank Pfenning. 1991. Refinement Types for ML. In Proceedings of the ACM SIGPLAN 1991 Conference on Programming Language Design and Implementation (PLDI). ACM, 268–277. Google Scholar
Digital Library
- Thomas Gilray, Michael D. Adams, and Matthew Might. 2016a. Allocation Characterizes Polyvariance: A Unified Methodology for Polyvariant Control-Flow Analysis. In Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 407–420. Google Scholar
Digital Library
- Thomas Gilray, Steven Lyde, Michael D. Adams, Matthew Might, and David Van Horn. 2016b. Pushdown control-flow analysis for free. In Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 691–704. Google Scholar
Digital Library
- Michael Greenberg, Benjamin C. Pierce, and Stephanie Weirich. 2010. Contracts made manifest. In Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 353–364. Google Scholar
Digital Library
- Jessica Gronski and Cormac Flanagan. 2007. Unifying Hybrid Types and Contracts.. In Trends in Functional Programming. Citeseer, 54–70.Google Scholar
- Rich Hickey, Michael Fogus, and contributors. 2013. core.contracts. (July 2013). https://github.com/clojure/core.contractsGoogle Scholar
- James C. King. 1976. Symbolic Execution and Program Testing. Commun. ACM 19, 7 (1976), 385–394. Google Scholar
Digital Library
- Kenneth Knowles and Cormac Flanagan. 2010. Hybrid Type Checking. ACM Trans. Program. Lang. Syst. 32, 2 (Feb. 2010), 1–34. Google Scholar
Digital Library
- Naoki Kobayashi. 2009a. Model-checking higher-order functions. In Proceedings of the 11th ACM SIGPLAN Conference on Principles and Practice of Declarative Programming (PPDP). ACM, 25–36. Google Scholar
Digital Library
- Naoki Kobayashi. 2009b. Types and higher-order recursion schemes for verification of higher-order programs. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 416–428. Google Scholar
Digital Library
- Naoki Kobayashi and Atsushi Igarashi. 2013. Model-Checking Higher-Order Programs with Recursive Types. In European Symposium on Programming (ESOP). Springer, 431–450. Google Scholar
Digital Library
- Naoki Kobayashi and C. H. Luke Ong. 2009. A Type System Equivalent to the Modal Mu-Calculus Model Checking of Higher-Order Recursion Schemes. In 2009 24th Annual IEEE Symposium on Logic In Computer Science (LICS). IEEE, 179– 188. Google Scholar
Digital Library
- Naoki Kobayashi, Ryosuke Sato, and Hiroshi Unno. 2011. Predicate abstraction and CEGAR for higher-order model checking. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 222–233. Google Scholar
Digital Library
- Naoki Kobayashi, Naoshi Tabuchi, and Hiroshi Unno. 2010. Higher-order multi-parameter tree transducers and recursion schemes for program verification. In Proceedings of the 37th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 495–508. Google Scholar
Digital Library
- James Laird. 2007. A fully abstract trace semantics for general references. Automata, Languages and Programming (2007), 667–679.Google Scholar
- R. Majumdar and K. Sen. 2007. Hybrid Concolic Testing. In 29th International Conference on Software Engineering (ICSE). IEEE, 416–426. Google Scholar
Digital Library
- Bertrand Meyer. 1991. Eiffel : The Language. Prentice Hall.Google Scholar
- Matthew Might. 2011. Abstract interpreters for free. In International Symposium on Static Analysis (SAS). Springer, 407–421.Google Scholar
- Matthew Might and Panagiotis Manolios. 2009. A Posteriori Soundness for Non-deterministic Abstract Interpretations. In Proceedings of the 10th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI). Springer, 260–274.Google Scholar
- Matthew Might and Olin Shivers. 2006. Environment analysis via ∆CFA. In Conference record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 127–140.Google Scholar
Digital Library
- Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: an efficient SMT solver. In Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Springer, 337–340. Google Scholar
Cross Ref
- P. Müller and J. N. Ruskiewicz. 2011. Using Debuggers to Understand Failed Verification Attempts. In Formal Methods (FM). Springer, 73–87. Google Scholar
Cross Ref
- Robin P Neatherway, Steven J Ramsay, and Chih-Hao Luke Ong. 2012. A traversal-based algorithm for higher-order model checking. In Proceedings of the 17th Annual International Conference on Functional Programming (ICFP). ACM, 353–364.Google Scholar
Digital Library
- Phúc C. Nguyễn and David Van Horn. 2015. Relatively Complete Counterexamples for Higher-order Programs. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 446–456. Google Scholar
Digital Library
- Phúc C. Nguyễ̂n, Sam Tobin-Hochstadt, and David Van Horn. 2014. Soft Contract Verification. In Proceedings of the 19th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 139–152. Google Scholar
Digital Library
- Peter O’Hearn, John Reynolds, and Hongseok Yang. 2001. Local reasoning about programs that alter data structures. In Computer science logic (CSL). Springer, 1–19. Google Scholar
Cross Ref
- C. H. Luke Ong. 2006. On Model-Checking Trees Generated by Higher-Order Recursion Schemes. In Proceedings of the 21st Annual IEEE Symposium on Logic in Computer Science (LICS). IEEE, 81–90.Google Scholar
- C. H. Luke Ong and Steven J. Ramsay. 2011. Verifying Higher-order Functional Programs with Pattern-matching Algebraic Data Types. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 587–598. Google Scholar
Digital Library
- R. Plosch. 1997. Design by contract for Python. In Proceedings of the Joint Asia Pacific Software Engineering Conference and International Computer Science Conference. IEEE, 213–219. Google Scholar
Cross Ref
- John C Reynolds. 2002. Separation logic: A logic for shared mutable data structures. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science (LICS). IEEE, 55–74.Google Scholar
Cross Ref
- Patrick M. Rondon, Ming Kawaguci, and Ranjit Jhala. 2008. Liquid Types. In Proceedings of the 2008 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI). ACM, 159–169. Google Scholar
Digital Library
- Taro Sekiyama and Atsushi Igarashi. 2017. Stateful manifest contracts. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). ACM, 530–544. Google Scholar
Digital Library
- Taro Sekiyama, Yuki Nishida, and Atsushi Igarashi. 2015. Manifest Contracts for Datatypes. In Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 195–207. Google Scholar
Digital Library
- Koushik Sen. 2007. Concolic testing. In Proceedings of the Twenty-Second IEEE/ACM International Conference on Automated Software Engineering (ASE). ACM, 571–572. Google Scholar
Digital Library
- Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: a concolic unit testing engine for C. SIGSOFT Softw. Eng. Notes 30, 5 (2005). Google Scholar
Digital Library
- Olin Shivers. 1991. Control-flow analysis of higher-order languages. Ph.D. Dissertation. Carnegie Mellon University.Google Scholar
Digital Library
- T. Stephen Strickland, Sam Tobin-Hochstadt, Robert B. Findler, and Matthew Flatt. 2012. Chaperones and Impersonators: Run-time Support for Reasonable Interposition. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 943–962. Google Scholar
Digital Library
- Sam Tobin-Hochstadt and Matthias Felleisen. 2010. Logical Types for Untyped Languages. In Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 117–128. Google Scholar
Digital Library
- Sam Tobin-Hochstadt and David Van Horn. 2012. Higher-order symbolic execution via contracts. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA). ACM, 537–554. Google Scholar
Digital Library
- Takeshi Tsukada and Naoki Kobayashi. 2010. Untyped recursion schemes and infinite intersection types. In Proceedings of the 13th International Conference on Foundations of Software Science and Computational Structures (FoSSaCS). Springer, 343–357. Google Scholar
Digital Library
- David Van Horn and Matthew Might. 2010. Abstracting Abstract Machines. In Proceedings of the 15th ACM SIGPLAN International Conference on Functional Programming (ICFP). ACM, 51–62. Google Scholar
Digital Library
- Niki Vazou, Patrick M. Rondon, and Ranjit Jhala. 2013. Abstract Refinement Types. In European Symposium on Programming (ESOP). Springer, 209–228. Google Scholar
Digital Library
- Dimitrios Vytiniotis, Simon Peyton Jones, Koen Claessen, and Dan Rosén. 2013. HALO: Haskell to logic through denotational semantics. In Proceedings of the 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 431–442. Google Scholar
Digital Library
- Andrew K. Wright and Robert Cartwright. 1997. A practical soft type system for Scheme. ACM Trans. Program. Lang. Syst. 19, 1 (Jan. 1997). Google Scholar
Digital Library
- Dana N. Xu. 2012. Hybrid contract checking via symbolic simplification. In Proceedings of the ACM SIGPLAN 2012 Workshop on Partial Evaluation and Program Manipulation (PEPM). ACM, 107–116. Google Scholar
Digital Library
- Dana N. Xu, Simon Peyton Jones, and Simon Claessen. 2009. Static contract checking for Haskell. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL). ACM, 41–52. Google Scholar
Digital Library
Index Terms
Soft contract verification for higher-order stateful programs
Recommendations
Soft contract verification
ICFP '14Behavioral software contracts are a widely used mechanism for governing the flow of values between components. However, run-time monitoring and enforcement of contracts imposes significant overhead and delays discovery of faulty components to run-time.
...
Soft contract verification
ICFP '14: Proceedings of the 19th ACM SIGPLAN international conference on Functional programmingBehavioral software contracts are a widely used mechanism for governing the flow of values between components. However, run-time monitoring and enforcement of contracts imposes significant overhead and delays discovery of faulty components to run-time.
...
Higher-order symbolic execution via contracts
OOPSLA '12We present a new approach to automated reasoning about higher-order programs by extending symbolic execution to use behavioral contracts as symbolic values, thus enabling symbolic approximation of higher-order behavior.
Our approach is based on the idea ...






Comments