Reasoning about Polymorphic Manifest Contracts

TL;DR

This paper develops a simplified polymorphic manifest contract calculus, proves its correctness properties, and justifies program transformations that optimize contract checking, advancing the theoretical foundations of hybrid contract verification.

Contribution

It introduces a simpler polymorphic manifest contract calculus and proves key properties like upcast elimination and contextual equivalence, supporting static contract verification techniques.

Findings

Proves upcast elimination holds for the new calculus

Justifies transformations like selfification and static cast decomposition

Defines semityped logical relations for reasoning about ill-typed terms

Abstract

Manifest contract calculi, which integrate cast-based dynamic contract checking and refinement type systems, have been studied as foundations for hybrid contract checking. In this article, we study techniques to reasoning about a polymorphic manifest contract calculus, including a few program transformations related to static contract verification. We first define a polymorphic manifest contract calculus $\mathrm{F}_{H}$, which is much simpler than a previously studied one with delayed substitution, and a logical relation for it and prove that the logical relation is sound with respect to contextual equivalence. Next, we show that the upcast elimination property, which has been studied as correctness of subtyping-based static cast verification, holds for $\mathrm{F}_{H}$. More specifically, we give a subtyping relation (which is not part of the calculus) for $\mathrm{F}_{H}$ types and prove that a term obtained by eliminating upcasts---casts from one type to a supertype of it---is logically related and so contextually equivalent to the original one. We also justify two other program transformations for casts: selfification and static cast decomposition, which help upcast elimination. A challenge is that, due to the subsumption-free approach to manifest contracts, these program transformations do not always preserve well-typedness of terms. To address it, the logical relation and contextual equivalence in this work are defined as semityped relations: only one side of the relations is required to be well typed and the other side may be ill typed.