6,810 research outputs found

    Design and evaluation of contracts for gradual typing

    Gradual typing aims to improve the correctness of dynamically typed programs by incrementally adding type information. Sound gradual typing performs static type checking and inserts run-time checks when a type cannot be guaranteed statically. This form of gradual typing offers many features, but also requires that the programmer uses a language with a specialised gradual type system. A lightweight form of gradual typing uses contracts to enforce types at run-time, assigning blame when a type assertion fails. Contracts can be implemented as a library, without requiring a specialised gradual type system. Contracts provide a lower barrier of entry into sound gradual typing. This thesis investigates the design and evaluation of contracts for gradual typing, focusing on bridging the gap between JavaScript (dynamic) and TypeScript (static). There are two key outcomes regarding theory and practice. Contracts for higher-order intersection and union types can be designed in a uniform way, using blame to derive the semantics of contracts satisfaction. Contracts and gradual typing can be evaluated using the DefinitelyTyped repository, where JavaScript libraries are annotated with TypeScript definition files. Contract composition is the fundamental method for building complex type assertions. Intersection and union types are well suited for describing patterns common to dynamically typed programs. Our first contribution is to present a calculus of contracts for intersection and union types with blame assignment, giving a uniform treatment to both operators. A correct model of contracts must include a definition of contract satisfaction. Our second contribution is to show that contract satisfaction can be defined using blame: satisfying programs are those that do not elicit blame when monitored. We define a series of properties mandating how contract satisfaction should compose, ensuring that a contract for a type behaves as one would expect for that type. 
Building on our technical developments, our third contribution is a practical evaluation of gradual typing using the DefinitelyTyped repository. We show that contracts can be used to enforce conformance to a definition file, detecting errors in the specification. Our evaluation also reveals that technical concerns associated with implementing contracts using JavaScript proxies are a problem in practice.

    TreatJS: Higher-Order Contracts for JavaScript

    TreatJS is a language embedded, higher-order contract system for JavaScript which enforces contracts by run-time monitoring. Beyond providing the standard abstractions for building higher-order contracts (base, function, and object contracts), TreatJS's novel contributions are its guarantee of non-interfering contract execution, its systematic approach to blame assignment, its support for contracts in the style of union and intersection types, and its notion of a parameterized contract scope, which is the building block for composable run-time generated contracts that generalize dependent function contracts. TreatJS is implemented as a library so that all aspects of a contract can be specified using the full JavaScript language. The library relies on JavaScript proxies to guarantee full interposition for contracts. It further exploits JavaScript's reflective features to run contracts in a sandbox environment, which guarantees that the execution of contract code does not modify the application state. No source code transformation or change in the JavaScript run-time system is required. The impact of contracts on execution speed is evaluated using the Google Octane benchmark.
    Comment: Technical Repor

    Declarative Policies for Capability Control

    In capability-safe languages, components can access a resource only if they possess a capability for that resource. As a result, a programmer can prevent an untrusted component from accessing a sensitive resource by ensuring that the component never acquires the corresponding capability. In order to reason about which components may use a sensitive resource it is necessary to reason about how capabilities propagate through a system. This may be difficult, or, in the case of dynamically composed code, impossible to do before running the system. To counter this situation, we propose extensions to capability-safe languages that restrict the use of capabilities according to declarative policies. We introduce two independently useful semantic security policies to regulate capabilities and describe language-based mechanisms that enforce them. Access control policies restrict which components may use a capability and are enforced using higher-order contracts. Integrity policies restrict which components may influence (directly or indirectly) the use of a capability and are enforced using an information-flow type system. Finally, we describe how programmers can dynamically and soundly combine components that enforce access control or integrity policies with components that enforce different policies or even no policy at all.
    Engineering and Applied Science

    Credit Where It’s Due: The Law and Norms of Attribution

    The reputation we develop by receiving credit for the work we do proves to the world the nature of our human capital. If professional reputation were property, it would be the most valuable property that most people own because much human capital is difficult to measure. Although attribution is ubiquitous and important, it is largely unregulated by law. In the absence of law, economic sectors that value attribution have devised non-property regimes founded on social norms to acknowledge and reward employee effort and to attribute responsibility for the success or failure of products and projects. Extant contract-based and norms-based attribution regimes fail optimally to protect attribution interests. This article proposes a new approach to employment contracts designed to shore up the desirable characteristics of existing norms-based attribution systems while allowing legal intervention in cases of market failure. The right to public attribution would be waivable upon proof of a procedurally fair negotiation. The right to attribution necessary to build human capital, however, would be inalienable. Unlike an intellectual property right, attribution rights would not be enforced by restricting access to the misattributed work itself; the only remedy would be for the lost value of human capital. The variation in attribution norms that currently exists in different workplace cultures can and should be preserved through the proposed contract approach. The proposal strikes an appropriate balance between expansive and narrow legal protections for workplace knowledge and, in that respect, addresses one of the most vexing current debates at the intersection of intellectual property and employment law

    Quantity Versus Quality in the Soviet Market for Weapons

    Military market places display obvious inefficiencies under most arrangements, but the Soviet defense market was unusual for its degree of monopoly, exclusive relationships, and intense scrutiny (in its formative years) by a harsh dictator. This provided the setting for quality versus quantity in the delivery of weapons to the government. The paper discusses the power of the industrial contractor over the defense buyer in terms of a hold-up problem. The typical use that the contractor made of this power was to default on quality. The defense ministry’s counter-action took the form of deploying agents through industry with the authority to verify quality and reject substandard goods. The final compromise restored quality at the expense of quantity. Being illicit, it had to be hidden from the dictator.
    Contracts, Dictatorship, Hold-Up Problem, Soviet Economy

    Quantity Versus Quality in the Soviet Market for Weapons

    Military market places display obvious inefficiencies under most arrangements, but the Soviet defense market was unusual for its degree of monopoly, exclusive relationships, intensely scrutinized (in its formative years) by a harsh dictator. This provided the setting for quality versus quantity in the delivery of weapons to the government. The paper discusses the power of the industrial contractor over the defense buyer in terms of a hold-up problem. The typical use that the contractor made of this power was to default on quality. The defense ministry’s counter-action took the form of deploying agents through industry with the authority to verify quality and reject substandard goods. The final compromise restored quality at the expense of quantity. Being illicit, it had to be hidden from the dictator.
    Contracts; Dictatorship; Hold-Up Problem; Soviet Economy