Behavioral software contracts are a widely used mechanism for governing the flow of values between components. However, runtime monitoring and enforcement of contracts imposes significant overhead and delays discovery of faulty components to run-time. To overcome these issues, we present soft contract verification, which aims to statically prove either complete or partial contract correctness of components, written in an untyped, higher-order language with first-class contracts. Our approach uses higher-order symbolic execution, leveraging contracts as a source of symbolic values including unknown behavioral values, and employs an updatable heap of contract invariants to reason about flow-sensitive facts. We prove that the symbolic execution soundly approximates the dynamic semantics and that verified programs cannot be blamed. The approach is able to analyze first-class contracts, recursive data structures, unknown functions, and control-flow-sensitive refinements of values, which are all idiomatic in dynamic languages. It makes effective use of an off-the-shelf solver to decide problems without heavy encodings. The approach is competitive with a wide range of existing tools (including type systems, flow analyzers, and model checkers) on their own benchmarks.

Contracts (Meyer 1991; Findler and Felleisen 2002) have become a prominent mechanism for specifying and enforcing invariants in dynamic languages (Disney 2013; Plosch 1997; Austin et al. 2011; Strickland et al. 2012; Hickey et al. 2013). They offer the expressivity and flexibility of programming in a dynamic language, while still giving strong guarantees about the interaction of components.
However, there are two downsides: (1) contract monitoring is expensive, often prohibitively so, which causes programmers to write more lax specifications, compromising correctness for efficiency; and (2) contract violations are found only at run-time, which delays discovery of faulty components with the usual negative engineering consequences.
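To make the two downsides concrete, the following Racket module (an added illustration written for this page, not code from the paper or its authors, and not using the paper's verifier) places a function behind a behavioral contract and calls it from three clients. With plain Racket every call into `safe-div` pays for the contract check at run time, and a violation is only discovered when the offending input actually arrives. The comments state what a soft contract verifier would have to prove about each client; the function names and the particular contracts are assumptions chosen for the example.

```racket
#lang racket
;; Added illustration (not the paper's code): a contract-guarded function
;; and three clients, annotated with what static verification must show.

;; The contract refines the divisor: it must be a number AND non-zero.
;; `and/c` checks its conjuncts left to right, so `zero?` is never applied
;; to a non-number. Racket wraps `safe-div` and checks this on every call.
(define/contract (safe-div x y)
  (-> number? (and/c number? (not/c zero?)) number?)
  (/ x y))

;; Client 1: flow-sensitive guard. On the path that reaches `safe-div`,
;; `(zero? y)` has evaluated to #f, so the `not/c zero?` conjunct holds on
;; every execution. A verifier that records that refinement for `y` can
;; prove this call is never blamed; a run-time monitor still checks it.
(define (ratio-or-zero x y)
  (if (zero? y)
      0
      (safe-div x y)))

;; Client 2: no guard. With `y` unknown, nothing rules out `y = 0`, so the
;; call cannot be proven safe. At run time this client is blamed only when
;; a zero divisor actually arrives.
(define (ratio x y)
  (safe-div x y))

;; Client 3: a higher-order use. The function argument is known only
;; through its own contract `(-> positive? number?)`, which is exactly the
;; "unknown behavioral value" a symbolic executor must reason about.
(define/contract (apply-to-positive f n)
  (-> (-> positive? number?) positive? number?)
  (f n))

(module+ main
  (displayln (ratio-or-zero 6 3))                        ; 2
  (displayln (ratio-or-zero 6 0))                        ; 0, safe-div never called
  (displayln (apply-to-positive (lambda (n) (* n 2)) 5)) ; 10
  ;; (ratio 6 0) violates the divisor contract; the blame exception is
  ;; raised at run time, at the point of the bad call.
  (with-handlers ([exn:fail:contract:blame?
                   (lambda (e) (displayln "run-time blame: ratio passed a zero divisor"))])
    (ratio 6 0)))
```

Run with `racket file.rkt`. The point of the example is the contrast between clients 1 and 2: both are accepted by the run-time monitor, but only client 1 carries the control-flow fact that makes the call provably safe, and a static verifier that does not track that fact would report a spurious possible violation.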
Static verification for dynamic languages

ICFP '14, September 1-6, 2014, Gothenburg, Sweden. ACM 978-1-4503-2873-9/14/09. http://dx.doi.org/10.1145/2628136.2628156

Static verification of contracts would empower programmers to state stronger properties, get immediate feedback on the correctness of their software, and avoid worries abou...