Combining Manifest Contracts with State

Manifest contracts combine the rich specifications and runtime checking of higher-order contracts [11] with a static type discipline. Conventional type systems prevent simple errors, like calling a boolean as a function, but manifest contracts can prevent more complex errors. For example, we could give the sqrt function the very precise type {x:Float | x ≥ 0} → {y:Float | |x − y| < }, where subset types like {x:Float | x ≥ 0} refer to those floating-point numbers x such that x ≥ 0. Extending types with contract-like specifications in code yield powerful reasoning principles [5, 22] and better abstractions [14]. Sound manifest contract systems enjoy an inversion principle, invaluable for reasoning about parameters in function bodies: