Computational contracts

Pre/post contracts for higher-order functions, as proposed by Findler and Felleisen and provided in Racket, allow run-time verification and blame assignment of higher-order functions. However these contracts treat contracted functions as black boxes, allowing verification of only input and output. It turns out that many interesting concerns about the behaviour of a function require going beyond that black-box approach, in order to control the actual computation that follows from a function. Examples are prohibiting or verifying that certain functions are called, checking access permissions, time or memory constraints, interaction protocols, etc. To address this need for grey-box verification, while preserving support for higher-order programming and blame assignment, we introduce the notion of computational contracts. A computational contract is a contract over the execution of a contracted entity. We show various applications of computational contracts, and explain how to assign blame in case of a violation. Computational contracts have been integrated with the existing contract system of Racket. Computational contracts is the first contract model with blame assignment in a higher-order setting that provides a systematic way to perform grey box verification.