Behavioral software contracts supplement interface information with logical assertions. A rigorous enforcement of contracts provides useful feedback to developers if it signals contract violations as soon as they occur and if it assigns blame to violators with precise explanations. Correct blame assignment gets programmers started with the debugging process and can significantly decrease the time needed to discover and fix bugs. Sadly the literature on contracts lacks a framework for making statements about the correctness of blame assignment and for validating such statements. This paper fills the gap and uses the framework to demonstrate how one of the proposed semantics for higher-order contracts satisfies this criteria and another semantics occasionally assigns blame to the wrong module. Concretely, the paper applies the framework to the lax enforcement of dependent higher-order contracts and the picky one. A higher-order dependent contract specifies constraints for the domain and range of higher-order functions and also relates arguments and results in auxiliary assertions. The picky semantics ensures that the use of arguments in the auxiliary assertion satisfies the domain contracts and the lax one does not. While the picky semantics discovers more contract violations than the lax one, it occasionally blames the wrong module. Hence the paper also introduces a third semantics, dubbed indy, which fixes the problems of the picky semantics without giving up its advantages.

Previous work on software contracts assumes fixed and statically known boundaries between the parties to a contract. Implementations of contract monitoring systems rely on this assumption to explain the nature of contract violations and to assign blame to violators. In this paper, we explain how to implement arbitrary, nested, and dynamic contract boundaries with two examples. First, we add nestable contract regions to a static, first-order module system. Second, we show that even a dynamic, higher-order, and hierarchical module system can be equipped with software contracts that support precise blame assignment.

Contracts are a popular mechanism for enhancing the interface of components. In the world of first-order functions, programmers embrace contracts because they write them in a familiar language and easily understand them as a pair of a precondition and a post-condition. In a higher-order world, contracts offer the same expressiveness to programmers but their meaning subtly differs from the familiar first-order notion. For instance, it is unclear what the behavior of dependent contracts for higher-order functions or of contracts for mutable data should be. As a consequence, it is difficult to design monitoring systems for such higher-order worlds. In response to this problem, this dissertation investigates complete monitors, a formal framework for deciding if a contract system is correct. The intuition behind the framework is that a correct contract system should: • mediate the exchange of values between contracted components • and blame correctly in case of contract violations.

Over the past two decades, Scheme macros have evolved into a pow-erful API for the compiler front-end. Like Lisp macros, their predecessors, Scheme macros expand source programs into a small core language; unlike Lisp systems, Scheme macro expanders preserve lexical scoping, and advanced Scheme macro systems handle other important properties such as source location. Using such macros, Scheme programmers now routinely develop the ultimate abstraction: embedded domain-specific programming languages. Unfortunately, a typical Scheme programming environment provides little support for macro development. The tools for understanding macro expansion are poor, which makes it difficult for experienced programmers to debug their macros and for novices to study the behavior of macros. At the same time, the language for specifying macros is limited in expressive power, and it fails to validate syntactic correctness of macro uses. This dissertation presents tools for macro development that specifically address these two needs. The first is a stepping debugger specialized to the pragmatics of hygienic macros. The second is a system for writing macros and specifying syntax that automatically validates macro uses and reports syntax errors.

Over the last 15 years, we have experienced a programming language renaissance. Numerous scripting languages have become widely used in industrial and open-source projects. They have supplemented the existing mainstream languages—C++ and Java— and, in contexts such as systems administration and web programming, they have started to play a dominant role. While each scripting language comes with its own philosophy, their designers share an antipathy to types. As a result, these languages come without a static type system. Most script developers initially welcome this freedom, but soon discover that the lack of a type system deprives them of an essential maintenance tool. My keynote explains my team’s approach to equip such languages with a type system. The goal of our work is to empower programmers so that they can gradually enrich scripts with types on a module-by-module basis as they perform maintenance work on the system. Naturally, we wish to ensure type soundness so that the type annotations are meaningful, and we wish to accommodate the programming idioms of the original language in order to keep the overhead of type enrichment low.

This dissertation introduces a framework enabling the dynamic verification of expressive specifications. Inspired by formal verification methods, this framework supports assertion, framing, and separation contracts. Assertion contracts specify what code should do, whereas framing contracts specify what code must not do. Separation contracts, inspired by separation logic, combine an explicit assertion contract with an implicit framing contract. In addition to supporting these expressive contracts, this framework also enables assertions to call existing code with side effects while ensuring that successful assertions do not affect the rest of the program. Contracts are guaranteed safe while remaining easy to write. This dissertation introduces a single interface, the delimited checkpoint, that supports all of the contracts listed above. Similar to previous work on equipping a programming language with first class stores, checkpoints represent a state in time. Computations can be run with memory restored to a checkpoint state. Checkpoints augment existing work with a novel family of difference operations that compare two checkpoints, revealing how the intervening computation interacted with memory. Additionally, checkpoints are delimited:

Contracts allow programmers to specify the expected behavior and use of program components separately from the code of the components themselves. Since Bertrand Meyer introduced contracts to working programmers via the Eiffel programming language, Eiffel-like contract systems have been designed for many other object-oriented languages. Contract systems are not limited to object-oriented programming; Findler and Felleisen showed how to add contracts to languages with higher-order functions and formalized the notions of contract boundaries and blame. Currently, contract systems come with two major omissions: monitoring the invariants of mutable data structures and protecting first-class components, which are used in the construction of large-scale software projects. This dissertation presents the design and implementation of contract systems that cover these language features. These contracts are expressive enough to describe the protection of these values and efficient enough that performance concerns do not preclude their use.