

# Modal Crash Types for Intermittent Computing<sup>\*</sup>

Farzaneh Derakhshan<sup>(⊠)</sup>, Myra Dotzel, Milijana Surbatovich, and Limin Jia

Carnegie Mellon University, Pittsburgh PA, USA {fderakhs,mdotzel,milijans,liminjia}@andrew.cmu.edu

Abstract. Intermittent computing is gaining traction in application domains such as Energy Harvesting Devices (EHDs) that experience arbitrary power failures during program execution. To make progress, programs require system support to checkpoint state and re-execute after power failure by restoring the last saved state. This re-execution should be *correct*, i.e., simulated by a continuously-powered execution. We study the logical underpinning of intermittent computing and model checkpoint, crash, restore, and re-execution operations as computation on Crash types. We draw inspiration from adjoint logic and define Crash types by introducing two adjoint modality operators to model persistent and transient memory values of partial (re-)executions and the transitions between them caused by checkpoints and restoration. We define a Crash type system for a core calculus. We prove the correctness of intermittent systems by defining a novel logical relation for Crash types.

Keywords: intermittent computing  $\cdot$  modal Crash type  $\cdot$  logical relation

## 1 Introduction

Intermittent computing is gaining importance in application domains that require inaccessible or large-scale device deployments, such as wildlife monitoring [28], tiny satellites [22,29], or smart civil infrastructure [1]. As battery maintenance may be infeasible in these environments, programs can instead run on batteryless Energy Harvesting Devices (EHDs). An EHD can run solely off energy harvested from its environment, at the cost of being powered intermittently. The device harvests energy (e.g., via solar panel) into a re-chargeable buffer. Once the energy buffer is full, the device turns on and begin to compute, consuming the stored energy. When the buffer drains, the device turns off at an arbitrary location until it can recharge and repeat this operational cycle. A power failure erases volatile execution state (e.g., the program counter), while

<sup>&</sup>lt;sup>\*</sup> This work was generously funded in part through National Science Foundation (NSF) Award 2007998, NSF Graduate Research Fellowship Program grants DGE1745016 and DGE2140739, and the CMU CyLab Security & Privacy Institute. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsoring organizations.

T. Wies (Ed.): ESOP 2023, LNCS 13990, pp. 168–196, 2023. https://doi.org/10.1007/978-3-031-30044-8\_7

nonvolatile state persists. For programs to make progress, they require *intermittent system* support to save state at checkpoints and restore the saved state after power failure, potentially causing re-execution from the last checkpoint.

As EHDs aim to enable long-term deployments with little or no maintenance, intermittent systems must execute programs reliably despite frequent power failures and partial executions. Initial systems [35,43,24] relied only on informal notions of correctness that left them susceptible to memory consistency bugs caused by reading the results of partial executions [23] or by allowing sensor reads from past executions to remain in the nonvolatile memory [39]. More recent work [41,40,9,13] provides formal frameworks and correctness criteria for reasoning about intermittent execution. More concretely, all intermittent executions of a program must be simulated by some continuously-powered execution [41]. In other words, intermittent execution should be *idempotent*. Even if the system induces multiple partial executions of a program due to power failure, the program should not generate a different result than it would on a single execution.

The correctness of an intermittent execution relies on checkpointing, restoring, and finalizing state upon reaching the next checkpoint; mistakes in these operations can lead to incorrect, non-idempotent behavior. Few works have tried to understand the fundamental logical underpinning of these operations. This work fills this gap by formalizing checkpointing, crash, restoration, and re-execution as computation on *Crash types*. Crash types capture the core notion of intermittent computing: some values and computations persist across power failures and others do not. For instance, nonvolatile memory state persists across power failure and reboots, while volatile memory does not. Conversely, partially computed results do (or rather *should*) not persist across power failures, while completed/checkpointed computations do. We call the former *unstable* values and computations and the latter *stable* values and computations. Our key insight is that the interactions between these stable and unstable components bear close resemblance to shifts in adjoint logic [8,36]. Computation of a stable value can only rely on locations that store stable values, while computation on unstable values can rely on both stable and unstable values. Moreover, checkpoint and restore operations can turn values of one type to the other. We define terms and their associated types so that each of the key intermittent computing operations must be well-typed under our Crash types.

We define a core calculus for intermittent computing and develop a type system for Crash types by using the two adjoint modality operators. The Crash type of an intermittent computation is:  $C_{unit} = \downarrow(nat \rightsquigarrow \uparrow C_{unit}) \lor \downarrow \uparrow unit$ , which says that the computation will either encounter a power failure (the left disjunct), or succeed in producing a stable value (the right disjunct). In the former case, the computation is suspended until energy arrives, after which it will again act as an intermittent computation. This recursive definition captures the multiple re-executions of a computation under repeated power failures. To prove the correctness of intermittent systems, we define a novel logical relation for Crash types, indexed by the number of power failures, which relates a continuously-

powered execution to an intermittent execution. While intermittent computing motivates our results, the methods we develop are generally applicable to other system failures with the same effect on persistent and transient storage.

This paper makes the following technical contributions:

- The first logical interpretation of key operations of intermittent execution.
- Novel Crash types to specify how stable and unstable portions of the system and computation interact.
- A core calculus for Crash types with progress and preservation.
- A novel logical relation to prove the correctness of intermittent executions.

Detailed proofs and definitions can be found in the extended TR [15].

## 2 Background

We provide background on intermittent computing and detail how checkpoint systems work to store and restore program state to handle power failures.

Intermittent Computing on EHDs. EHDs need intermittent system support to save necessary state before power failure and to restore it after reboot. When and where such checkpoints occur governs the *intermittent execution model* under which software executes. The two prevailing intermittent execution models are just-in-time (JIT) checkpoints [5,4] and atomic execution [23,24,43,37]. Under a JIT model, state is saved immediately prior to power failure so that execution resumes from the same point after reboot. Under an atomic execution model, state is saved at the beginning of an *atomic region*. If power fails before the end of the region, the system will reboot to the beginning of the region, re-executing until the region completes without power failure (akin to software transactions [38]). State-of-the-art intermittent systems use a hybrid "JIT + Atomics" model that defaults to JIT checkpoints except when there is an explicit atomic region [40,25,19]. Our core calculus follows this hybrid model.

To ensure idempotence, an intermittent system must save the value of volatile state and often a portion of the *nonvolatile* state. To illustrate why, consider an execution of the simple program in Fig. 1. The program has four variables stored in nonvolatile memory: x, y, and z of type int and u of type bool. It consists of two code blocks: an atomic region declared with the Ckpt construct (lines 1-7 on the left of Fig. 1) and a regular code block executed in JIT mode (lines 8-14 on the right). A continuous execution of the atomic region with initial state x = 2, y = 0, z = 1, u = ff ends in x = 2, y = 1, z = 1, u = tt. Now, suppose power fails after the execution of Line 2. Once the device recharges, the program restarts from the start of the atomic region. If the system does not restore y's original value, this re-run computes an incorrect result: x = 2, y = 2, z = 1, u = ff. Thus, to ensure idempotent execution, an intermittent system must checkpoint, i.e., save the value of, both volatile and nonvolatile memory. We next explain correct execution of the program in Fig. 1 for atomic and JIT modes.

Atomic Region Execution. As EHDs are highly resource constrained, the system should save state judiciously; checkpointing all of nonvolatile memory is



Fig. 1. An example program with an atomic region and a JIT region



**Fig. 2.** Intermittent execution of an atomic region. We write i for int and b for bool.

expensive and unnecessary. For example, variables in an atomic region that are read-only (i.e., never updated) do not change value and need not be checkpointed. In our example, x and z are read-only, so checkpointing y and u is enough to ensure correct intermittent execution. Many intermittent systems follow this design of checkpointing all variables that are not read-only [37,19,17,26,44,12]. Given such a system, Fig. 2 shows an execution of the atomic region in Fig. 1. For now, ignore the last two columns about typing. To save and restore state, the system follows redo-log semantics. It records updates to checkpointed variables in a special volatile region, not main memory. This region clears if power fails, throwing out partial updates. Upon reaching the next atomic or JIT region, the system commits the updates by copying them back to main memory.

Row (0) shows initial nonvolatile locations, their values, and the mapping between variables and memory locations; locations  $\ell_1, \ell_2, \ell_3$ , and  $\ell_4$  in the nonvolatile memory correspond to variables x, y, z and u, respectively. When starting the atomic region (Row (1)), the system takes a snapshot of  $\ell_2$  and  $\ell_4$  and stores it in the volatile region  $V_1$ . We mark the original nonvolatile locations as checkpointed with the superscript ck. i.e.,  $\ell_2^{ck}$  and  $\ell_4^{ck}$ . Checkpointed locations  $\ell_2^{ck}$  and  $\ell_4^{ck}$  remain untouched for the remainder of the atomic region execution. Every access to variables y and u will instead be associated with their volatile copy  $\ell_2$ and  $\ell_4$ , e.g., the assignment in Line 2 is applied to the volatile logs of Row (2). On power failure, all volatile memory clears (Row (3)), throwing out the log. The system shuts down until more energy is harvested, at which point the system regenerates the volatile copies  $\ell_2$  and  $\ell_4$  (Row (4)) and resumes execution from Line 2. When the execution of the atomic region is complete (Row (5)), the system commits the updated values of the checkpointed locations ( $\ell_2$  and  $\ell_4$ ) from volatile memory to their original nonvolatile locations (Row (6)). During execution, local variables are stored to volatile memory via a let construct, e.g., location  $\ell_5$  for variable w on Line 3, corresponding to a volatile execution stack. On power failure, the device clears all volatile memory, but such stack allocated locations will be recreated upon re-execution.

**JIT Region Execution.** The JIT execution model prevents re-execution, so the intermittent system only saves and restores volatile state at checkpoints. Fig. 3 shows the details of executing the code on the right of Fig. 1 in JIT mode. Row (0) shows the initial nonvolatile locations, their values, and the mapping from variables to locations. The system starts the JIT region by creating an empty context to be populated by volatile locations (Row (1)). The let construct in Line 8 allocates a fresh location  $\ell_5$  in V<sub>2</sub> and updates the mapping to associate variable w to  $\ell_5$ . On a power failure in JIT mode, the system creates a nonvolatile copy of the volatile location  $\ell_5$  just before it loses the location (Row (3)). It marks the nonvolatile copy with the superscript ck. When restoring the program, the system restores these copies to volatile memory and dismisses the nonvolatile backups (Row (4)). The program then continues with the if clause on lines 9-12, finally dropping the volatile location  $\ell_5$ , as it is out of scope (Row (5)).



Fig. 3. Intermittent execution of a JIT region. We write i for int and b for bool.

## 3 Key Ideas of Crash Types

We present the intuition behind the stable and unstable memory types (Sec. 3.1), Crash types which internalize checkpointing, power failure/crash, restoration, reexecution, and finalization of atomic regions (Sec. 3.2), and the independence principle applied to intermittent computing (Sec. 3.3).

#### 3.1 Modal Store Types

An unstable value is an intermediate result of an execution towards a stable value and will be lost upon a power failure. However, if the result of a partial execution is committed to a nonvolatile location, it will persist and is thus stable. To reflect the behavior of a memory location in its type, we introduce two (adjoint) modalities  $\uparrow_u^s$  (read as "up shift from unstable to stable") and  $\downarrow_u^s$  (read as "down shift from stable to unstable"), where  $\uparrow_u^s \tau$  indicates that the location stores a stable value of type  $\tau$  and  $\downarrow_u^s \tau$  indicates that the location stores an intermediate result of an execution toward a value of type  $\tau$ . To fully capture how intermittent execution interacts with a memory location, we also annotate the type of a memory location with an access qualifier, RD or CK, that represents whether the location is read-only or checkpointed by the system, respectively.

In our example in Fig. 2, the read-only variable x is stored in nonvolatile memory, so it has type  $x :\uparrow_u^s \text{int}@RD$ . The checkpointed variable y has type  $y^{c^k} :\uparrow_u^s \text{int}@CK$  in the nonvolatile memory, while y's volatile copy has type  $y :\downarrow_u^s \uparrow_u^s \text{ int}@CK$ . We use the context  $\Omega$  to type nonvolatile memory and the context  $\Sigma$  to type volatile memory, as shown in the third columns of Figs. 2 and 3. We drop the superscript s and subscript u from the modalities for brevity.

#### 3.2 Crash Types

To capture the effects of intermittent execution in the type of expressions and commands, we introduce *Crash types*, as the notion of stable and unstable values is insufficient. One might expect the expression x - y to have the type  $\downarrow\uparrow$ int as it is a (partial) execution towards computing a stable integer value. However, this type does not account for steps due to power failure: the crash itself, waiting for the device to charge, restoration, and re-execution. To reflect these runtime system steps at the type level, we assign the expression a type in the form of a disjunction  $? \lor \downarrow\uparrow$ int, where ? is a type for computations that handle power failures. This type means that the expression either power fails, or completes its execution that evaluates to int. Next, we fill in ? for commands and expressions. ? is a recursive type since it handles re-execution.

**Commands.** The Crash type for commands is:  $C_{unit} = \downarrow (nat \rightsquigarrow \uparrow C_{unit}) \lor \downarrow \uparrow unit$ . The right disjunct states that if no power failure occurs while executing a command, then it computes a stable value of type unit. The left disjunct states that on power failure, the computation continues as a function; after receiving a (logical) energy input from the environment, it becomes a computation that yields a stable value of a command type, i.e.,  $C_{unit}$ . This computation will execute after the restore, which differs for atomic and JIT modes. In an atomic region, the system re-executes the region from the beginning, and in a JIT region, the system continues with the same command that was interrupted by the failure.

**Expressions.** The definition of the Crash type for expressions depends on the execution mode, just as the continuation of the program after a power failure depends on the mode. In an atomic region, the system restores an interrupted run of the expression to the original command enclosed in the region, so the type of an atomic mode expression is  $C_A^{atom} = \downarrow(nat \rightsquigarrow \uparrow C_{unit}) \lor \downarrow \uparrow A$ , where the left disjunct is the same as that of a command. On the other hand, an interrupted run of an expression in JIT mode will be restored to the expression itself. Hence, the type of a JIT mode expression is  $C_A^{jit} = \downarrow(nat \rightsquigarrow \uparrow C_A^{jit}) \lor \downarrow \uparrow A$ , where the left disjunct states that after power failure and reception of the energy input, the computation again yields a stable value of a JIT mode expression type.

#### 3.3 Independence Principle for Typing Intermittent Execution

We design our typing rules to follow the rules for  $\downarrow$  and  $\uparrow$  modalities in adjoint logic. We introduce two judgment categories. The first category  $(J_s)$  is for deriving stable types and corresponds to the judgments of the form  $\Omega \vdash \tau^s$ , meaning that the rules can rely only on stable locations to evaluate computation on a stable type. The second category  $(J_u)$  is for deriving unstable types and corresponds to the judgments of form  $\Omega; \Sigma \vdash \tau^u$ , meaning that the rules can rely on both stable and unstable locations to evaluate computation on an unstable type.

The adjoint modalities allow going back and forth between judgments  $J_s$ and  $J_u$ , mirroring checkpointing and restoration operations. The following four sequent calculus rules in the underlying logic govern this back-and-forth behavior in our system. The rules are derivable from the more general rules in prior work [8,34,36]—in particular, the  $\uparrow L^*$  rule can be derived from a cut rule and  $\downarrow L$ . Typical of sequent calculus style rules, we read them bottom-up and match each execution step of a command with the reading of a corresponding rule. Next, we illustrate this matching using the execution steps in Figs. 2 and 3.

$$\frac{\varOmega;\vdash\tau^{u}}{\varOmega\vdash\uparrow\tau^{u}}\uparrow R \quad \frac{\varOmega,\uparrow A^{u};\varSigma,\downarrow\uparrow A^{u}\vdash\tau^{u}}{\varOmega,\uparrow A^{u};\varSigma\vdash\tau^{u}}\uparrow L^{*} \qquad \frac{\varOmega\vdash\tau^{s}}{\varOmega;\varSigma\vdash\downarrow\tau^{s}}\downarrow R \quad \frac{\varOmega,\uparrow A^{u};\varSigma\vdash\tau^{u}}{\varOmega;\varSigma,\downarrow\uparrow A^{u}\vdash\tau^{u}}\downarrow L$$

Shifts in Atomic Mode (Fig. 2): A combination of  $\uparrow R$  and two  $\uparrow L^*$  rules corresponds to creating a volatile log from the nonvolatile locations when starting the atomic region, i.e., the step from Row (0) to Row (1). The last two columns in Row (0) correspond to the conclusion of a  $\uparrow R$  rule:  $\Omega_0 \vdash \uparrow C_{unit}$ . An application of  $\uparrow R$  from bottom to top drops the  $\uparrow$  modality from the type of the program and opens an empty volatile region, i.e.,  $\Omega_0; \vdash C_{unit}$ . Next, one application of  $\uparrow L^*$ , copies the variable y of type  $\uparrow$  int to the volatile memory with the type  $\downarrow \uparrow$  int. Similarly, the next application of  $\uparrow L^*$  copies the variable u of type  $\uparrow$  bool to the volatile memory with the type  $\downarrow \uparrow$  bool. The same combination corresponds to creating a volatile log from a nonvolatile location when restarting the atomic region, i.e., the step from Row (3) to Row (4), again copying variables y and uto the volatile memory.

The  $\downarrow R$  rule corresponds to a power failure, which erases the volatile memory  $\Sigma$ . From Row (2) to Row (3) in Fig. 2, the system loses the volatile locations of y

and u and closes off the volatile context. Row (2) corresponds to the conclusion of the rule, and Row (3) corresponds to its premise. The type of the command in Row (2) changes from  $C_{unit}$  to  $\downarrow$ (nat  $\rightsquigarrow \uparrow C_{unit}$ ) (by another  $\lor$ -R rule as a crash is detected), and then to the type (nat  $\rightsquigarrow \uparrow C_{unit}$ ) in Row (3).

Finally, a  $\downarrow L$  rule combined with a standard weakening rule and a  $\downarrow R$  rule corresponds to the final commit of the volatile context, i.e., stepping from Row (5) to Row (6), the nonvolatile context drops the locations y and u of types  $\uparrow$ int and  $\uparrow$ bool, respectively, by a weakening rule. These two variables map to the locations with outdated values. Next, the volatile locations of y and u in  $\Sigma'$ , which contain the up-to-date values, commit their values to the nonvolatile context, which contains w of type  $\downarrow \uparrow$ int. The type of the remaining volatile context, which contains w of type  $\downarrow \uparrow$ int. The type of the system detects a successful execution) and from that to type  $\uparrow$ int in Row (6).

Shifts in JIT Mode (Fig. 3): A  $\uparrow R$  rule corresponds to creating an empty volatile context  $\Sigma_1$  when starting the JIT region, i.e., the step from Row (0) to Row (1). A combination of the  $\downarrow L$  rule and  $\downarrow R$  rule corresponds to a power failure, i.e., the stepping from Row (2) to Row (3). A  $\downarrow L$  rule copies the location w of type  $\downarrow \uparrow$  bool from volatile memory  $\Sigma_2$  to nonvolatile memory  $\Omega_c$ . A  $\downarrow R$  rule closes off the (empty) nonvolatile memory. As in atomic mode, a combination of  $\uparrow R$  and  $\uparrow L^*$  rules corresponds to creating a volatile log from a nonvolatile location when restarting the command after the failure, i.e., the step from Row (3) to Row (4). The  $\uparrow R$  rule clears a portion of volatile memory, and the  $\uparrow L^*$ rule copies variable w from nonvolatile memory into volatile memory. We need an extra weakening rule to eliminate the remaining variable w in nonvolatile memory. The dropping of volatile memory at the end of execution (Row (5)) is not a modal step, but rather follows from a standard rule for the let clause.

## 4 A Basic Calculus for Intermittent Execution

We present the syntax, semantics, and the Crash type system for a basic calculus.

#### 4.1 Syntax

The syntactic constructs are summarized in Fig. 4. Expressions include constants, variables, and binary operations while commands include assignments, mutable let bindings, sequencing, and if branching. A program consists of sequenced blocks of commands and atomic regions, denoted  $\mathsf{Ckpt}[\mathsf{alD}, \rho](c)$  with a unique identifier  $\mathsf{alD}$ , read-only variables  $\rho$ , and the enclosed command c.

Nonvolatile memory (NV) and volatile memory (V) map locations  $\ell$  to values. Each location is annotated with its access mode q (RD or CK). The nonvolatile memory location  $\ell_{ck}$  is the checkpointed copy of location  $\ell$  in volatile memory. The context  $\gamma$  maps variable names to memory locations. Access mode qualifiers in V and NV have constrained values (to be discussed in the semantics).

| Command, expression, and memory                                                                          |                          |                                                            |  |
|----------------------------------------------------------------------------------------------------------|--------------------------|------------------------------------------------------------|--|
| $values \ v ::= n \mid tt \mid ff \mid x$                                                                | $access \ qualifier \ q$ | $::= CK \mid RD$                                           |  |
| $exprs e ::= v \mid e \odot e$                                                                           | $var\ loc\ map$ $\gamma$ | $::= \cdot \mid \gamma, x \mapsto \ell$                    |  |
| $cmds \ c ::= skip \mid let x = e in c \mid c; c$                                                        | nonvolatile mem $N$      | $\checkmark ::= \cdot \mid \ell @ q \hookrightarrow v, NV$ |  |
| $ $ if e then c else $c \mid x ::= e$                                                                    |                          | $\ell_{ck} @ CK \hookrightarrow v, NV$                     |  |
| $progs \ p ::= Ckpt[aID, \rho](c); p \mid c; p \mid skip$                                                | volatile mem  V          | $::= \cdot \mid l @ CK \hookrightarrow v, V$               |  |
| Instructions, statements, and configurations.                                                            |                          |                                                            |  |
| commands $c ::= \cdots c;_W c$ crash instry $i ::= \downarrow \varepsilon \# in(b > 0, \uparrow \kappa)$ |                          |                                                            |  |

Fig. 4. Summary of syntax

The runtime instruction  $c_{1;W} c_{2}$  is used for evaluating  $c_{1}$  under the execution context W. To model energy harvesting from the environment, we assume a unique external energy channel,  $\varepsilon$ , from which the system receives energy. Three crash instructions control the system in the event of a power failure. The instruction  $\downarrow \varepsilon \# in(b > 0, \uparrow \kappa)$  models the system that faces a power failure, where  $\kappa$  is the interrupted command or expression, and b > 0 is a guard to ensure that the bound incoming energy variable b is positive. The instruction  $\varepsilon \# in(b > 0, \uparrow \kappa)$  models the system awaiting an energy input to be bound to b. The instruction  $\uparrow \kappa$  models the system ready to restore memory and re-execute.

We write  $K_o$  to denote an *open* system configuration, consisting of the mapping  $\gamma$ , the mode of execution Md (i.e., atomic or JIT), energy available for this execution g, memories, and the statement s to be executed. The energy level (.) models the state right after power failure. We close an open configuration with  $[\chi \triangleright \varepsilon]$ ; we connect it via an external energy channel  $\varepsilon$  to an infinite charging stream  $\Xi$  of natural numbers, which models available energy the configuration harvests from the environment at each power failure point for re-execution.

We call a configuration that cannot take a step a value configuration (value for short). An open configuration of form  $(\cdots \mid g \mid \cdots \mid s)$  is a value, i.e.,  $Val(\cdots \mid g \mid \cdots \mid s)$ , if either s is a constant or skip, it has depleted all energy for this execution (g=0), or s is a crash instruction. The latter two cases are values because they cannot take a step without interacting with the environment or perform operations on the volatile and novolatile memory specific to handling power failures. A closed configuration is a value only if the statement s is skip with some energy left (g > 0). We list all values in the extended TR [15].

## 4.2 **Operational Semantics**

**Top-level Program Execution.** The top-level semantic rules for setting up and finalizing the atomic and JIT execution contexts are shown in Fig. 5. The P-CKPT rule applies if the next code block is an atomic region. The nonvolatile

$$\begin{split} n &> 0 \quad \text{InitWorld}_{d}(\mathsf{NV};\rho;\gamma) = \mathsf{NV}_{0}, V_{0} \\ [\chi \rhd \varepsilon] \otimes \gamma \mid \mathsf{alD}(c_{0}) \mid n \mid \mathsf{NV}_{0} \mid \mathsf{V}_{0} \mid c_{0} \Rightarrow^{*} [\chi' \rhd \varepsilon] \otimes \gamma' \mid \mathsf{alD}(c_{0}) \mid n' \mid \mathsf{NV}' \mid \mathsf{V}' \mid \mathsf{skip} \\ \frac{n' > 0 \quad \mathsf{NV}_{1} = \mathsf{FinWorld}_{d}(\mathsf{NV}';\mathsf{V}')}{[\chi \rhd \varepsilon] \otimes \gamma \mid n \mid \mathsf{NV} \mid \mathsf{Ckpt}[(\mathsf{alD};\rho)](c_{0});p \Rightarrow [\chi' \rhd \varepsilon] \otimes \gamma \mid n' \mid \mathsf{NV}_{1} \mid p} \quad (P\text{-}\mathsf{CKPT}) \\ \frac{n > 0 \quad n' > 0}{[\chi \rhd \varepsilon] \otimes \gamma \mid \mathsf{jit} \mid n \mid \mathsf{NV} \mid \cdot \mid c \Rightarrow^{*} [\chi' \rhd \varepsilon] \otimes \gamma' \mid \mathsf{jit} \mid n' \mid \mathsf{NV}' \mid \mathsf{V}' \mid \mathsf{skip}}{[\chi \rhd \varepsilon] \otimes \gamma \mid n \mid \mathsf{NV} \mid \cdot \mid c \Rightarrow^{*} [\chi' \rhd \varepsilon] \otimes \gamma' \mid \mathsf{jit} \mid n' \mid \mathsf{NV}' \mid \mathsf{V}' \mid \mathsf{skip}} \\ \frac{[\chi \rhd \varepsilon] \otimes \gamma \mid \mathsf{jit} \mid n \mid \mathsf{NV} \mid \cdot \mid c \Rightarrow^{*} [\chi' \rhd \varepsilon] \otimes \gamma' \mid \mathsf{jit} \mid n' \mid \mathsf{NV}' \mid \mathsf{V}' \mid \mathsf{skip}}{[\chi \rhd \varepsilon] \otimes \gamma \mid n \mid \mathsf{NV} \mid c; p \Rightarrow [\chi' \rhd \varepsilon] \otimes \gamma \mid n' \mid \mathsf{NV}' \mid p} \quad (P\text{-}\mathsf{SEQ}) \end{split}$$

Fig. 5. Closed configuration semantics for programs

NV<sub>0</sub> and volatile V<sub>0</sub> locations are initialized based on a given NV, declared readonly variables  $\rho$ , and their mapping  $\gamma$  to locations. The InitWorld<sub>d</sub> function (a) changes the qualifier of locations in NV that are declared as read-only in  $\rho$  from CK to RD, (b) creates V<sub>0</sub> by copying the rest of the locations of NV that still have qualifier CK, and (c) marks the original version of the locations  $\ell$  in NV that still have qualifier CK as checkpointed ( $\ell_{ck}$ ). This part corresponds to the step from Row (0) to Row (1) in Fig. 2. The closed configuration of  $c_0$  is evaluated until completion, using the rules in Fig. 6. This execution may undergo several power failures and corresponds to the steps from Row (1) to Row (5) in Fig. 2. Finally, the FinWorld<sub>d</sub> function closes off atomic regions, finalizing the volatile and nonvolatile locations. FinWorld<sub>d</sub> (a) copies the values of volatile locations in V' that have a checkpointed version into NV', (b) removes CK from the locations in NV', i.e., converts  $\ell_{ck}$  to  $\ell$ , and (c) replaces the RD qualifier of the locations in NV' with CK. This corresponds to the step from Row (5) to Row (6) in Fig. 2.

The P-SEQ rule applies when the next code block is a regular command c. The closed configuration of c with an empty initial set of volatile locations is fully evaluated. This corresponds to the steps from Row (0) to Row (1) and Row (1) to Row (5) in Fig. 3. Then the resulting volatile locations V' scoped in c are dropped, corresponding to the step from Row (5) to Row (6) in Fig. 3.

**Command Execution (Closed Config).** We summarize rules for a closed configuration in the top part of Fig. 6. Rule D-STEP steps the closed command configuration when the corresponding open configuration steps. Next, we explain the trio of power failure, charge, and restore rules. When the energy for this execution is depleted (i.e., g = 0), the D-CRASH rule applies, stepping the system to the crash instruction  $\downarrow \varepsilon \# in(b > 0; \uparrow \kappa)$ . Next, D-S-JIT or D-S-AID rules apply and operate on volatile memory based on the execution mode Md. In JIT mode, D-S-JIT checkpoints and stores all volatile memory in nonvolatile locations. In atomic mode, D-S-AID drops all volatile memory locations. Then, D-CHARGE applies and inputs a natural number n > 0 from the energy channel, replenishing the configuration's energy level for re-execution. Finally, the program is restored via D-RESTORE-JIT and D-RESTORE-AID which copy checkpointed locations into volatile memory. D-RESTORE-JIT drops the checkpointed regions and steps

## Closed Configuration Semantics for Commands and Crash Instructions

$$\frac{\gamma \mid \mathsf{Md} \mid n \mid \mathsf{NV} \mid \mathsf{V} \mid c \to \gamma \mid \mathsf{Md} \mid n' \mid \mathsf{NV}' \mid \mathsf{V}' \mid c'}{[\chi \rhd \varepsilon] \otimes \gamma \mid \mathsf{Md} \mid n \mid \mathsf{NV} \mid \mathsf{V} \mid c \Rightarrow [\chi \rhd \varepsilon] \otimes \gamma \mid \mathsf{Md} \mid n' \mid \mathsf{NV}' \mid \mathsf{V}' \mid c'} \quad \text{(D-STEP)}}$$
$$\frac{}{[\chi \rhd \varepsilon] \otimes \gamma \mid \mathsf{Md} \mid 0 \mid \mathsf{NV} \mid \mathsf{V} \mid c \Rightarrow [\chi \rhd \varepsilon] \otimes \gamma \mid \mathsf{Md} \mid \cdot \mid \mathsf{NV} \mid \mathsf{V} \mid \downarrow \varepsilon \text{ \# in}(b > 0; \uparrow c)} \quad \text{(D-CRASH)}}$$

$$\begin{array}{c} \mathsf{Md} = \mathsf{jit} \\ \hline [\chi \rhd \varepsilon] \otimes \gamma \, |\, \mathsf{Md} \, | \, \cdot \, |\, \mathsf{NV} \, |\, \mathsf{V} \, | \, \downarrow \varepsilon \ \texttt{\#} \ \mathsf{in}(b > 0; \uparrow \kappa) \\ \Rightarrow \ [\chi \rhd \varepsilon] \otimes \gamma \, |\, \mathsf{Md} \, | \, \mathsf{NV}, \mathsf{V}_{\mathsf{ck}} \, | \, \varepsilon \ \texttt{\#} \ \mathsf{in}(b > 0; \uparrow \kappa) \end{array}$$
(D-S-JIT)

$$\begin{array}{ll} \underbrace{\mathsf{Md}=\mathsf{alD}(c_0) & \gamma' \subseteq \gamma \quad range(\gamma') = dom(\mathsf{NV})}_{[\chi \vartriangleright \varepsilon] \otimes \gamma \mid \mathsf{Md} \mid \cdot \mid \mathsf{NV} \mid \mathsf{V} \mid \downarrow \varepsilon \ \texttt{\#} \ \mathsf{in}(b > 0; \uparrow \kappa) \\ \Rightarrow & [\chi \vartriangleright \varepsilon] \otimes \gamma' \mid \mathsf{Md} \mid \cdot \mid \mathsf{NV} \mid \varepsilon \ \texttt{\#} \ \mathsf{in}(b > 0; \uparrow \kappa) \end{array}$$
(D-S-AID)

 $\overline{[n::\chi \rhd \varepsilon] \otimes \gamma \,|\, \mathrm{Md}\,|\,\cdot\,|\, \mathrm{NV}\,|\,\varepsilon} \,\, \mathrm{\#\,in}(b>0;\uparrow\kappa) \Rightarrow [\chi \rhd \varepsilon] \otimes \gamma \,|\, \mathrm{Md}\,|\,n\,|\, \mathrm{NV}\,|\,\uparrow\kappa} \quad (\mathrm{D-charge})$ 

$$\frac{\mathsf{NV} = \mathsf{NV}', \mathsf{NV}_{ck}''}{[\chi \rhd \varepsilon] \otimes \gamma \,|\, \mathsf{jit} \,|\, n \,|\, \mathsf{NV} \,|\, \uparrow \kappa \implies [\chi \rhd \varepsilon] \otimes \gamma \,|\, \mathsf{jit} \,|\, n \,|\, \mathsf{NV}' \,|\, \kappa} \quad (D\text{-RESTORE-JIT})$$
$$\mathsf{NV} = \mathsf{NV}', \mathsf{NV}_{ck}'' \qquad (D\text{-RESTORE-AII})$$

 $\frac{1}{[\chi \rhd \varepsilon] \otimes \gamma | \mathsf{alD}(c_0) | n | \mathsf{NV} | \uparrow \kappa \Rightarrow [\chi \rhd \varepsilon] \otimes \gamma | \mathsf{alD}(c_0) | n | \mathsf{NV} | \mathsf{NV}'' | c_0}$ (D-restore-AID)

Selected expression and command semantics

$$\frac{\gamma = \gamma', [x \mapsto \ell] \quad \mathsf{V} = \ell @q \hookrightarrow v, \mathsf{V}' \quad n = n' + 1}{\gamma \mid \mathsf{Md} \mid n \mid \mathsf{NV} \mid \mathsf{V} \mid x \to \gamma \mid \mathsf{Md} \mid n' \mid \mathsf{NV} \mid \mathsf{V} \mid v} \text{ (D-V-Read)}$$

$$\begin{array}{c|c} Val(\gamma \mid \operatorname{Md} \mid n \mid \operatorname{NV} \mid \operatorname{V} \mid e) \\ \hline \mathsf{V} = \mathsf{V}', \ell@q \hookrightarrow v' \quad q \neq \operatorname{RD} \quad \gamma = \gamma', [x \to \ell] \quad n = n' + 1 \\ \gamma \mid \operatorname{Md} \mid n \mid \operatorname{NV} \mid \mathsf{V} \mid x := e \quad \to \ \gamma \mid \operatorname{Md} \mid n' \mid \operatorname{NV} \mid \mathsf{V}', \ell@q \hookrightarrow e \mid \mathsf{skip} \end{array} (\text{D-Assign-V})$$

Fig. 6. Statement steps

to the interrupted command  $\kappa$ , while D-RESTORE-AID keeps the checkpointed regions and steps to the original command  $c_0$  in the atomic region.

**Command/Expression Execution (Open Config).** The rules for executing commands and expressions in an open configuration are standard. We present a selection of them on the bottom of Fig. 6. Each step decrements the energy level by one. The rules ensure that checkpointed location  $\ell_{ck}$  in NV is not read by the program, as it could store outdated data, and is not written to, as this would tamper with the checkpointed value.

## 4.3 Types, Typing Contexts, and Judgments

This section introduces the typing judgments used in our static typing.

| $(J_u)$                   | $\texttt{Md} \   \ b  \mathcal{R}  0 : \texttt{nat} \   \ \varOmega; \varSigma \vdash c \ :: \texttt{C}_{\texttt{unit}}$                                                                    | c could crash              |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|
| $(J_u)$                   | $	extsf{Md} \mid b: 	extsf{nat} \mid arOmega; arDelta dash 	extsf{skip} ::: \downarrow \uparrow 	extsf{unit}$                                                                               | c will not crash           |
| $(J_s)$                   | $\texttt{Md} ~\mid~ b: \texttt{nat} ~\mid~ \varOmega \vdash skip ~:: \uparrow \texttt{unit}$                                                                                                | after commit               |
| $(J_u)$                   | $\texttt{Md} \ \mid \ b  \mathcal{R}  0 : \texttt{nat} \ \mid \ \varOmega; \varSigma \vdash_{\texttt{RD}} e \ :: \texttt{C}^{\texttt{Md}}_A$                                                | <i>e</i> read, could crash |
| $(J_s)$                   | $\texttt{Md} ~ ~ b: \texttt{nat} ~ ~ \Omega; \varSigma \vdash_{\texttt{RD}} v ~:: \downarrow \uparrow A$                                                                                    | e read no crash            |
| $(J_s)$                   | $\texttt{Md} ~\mid~ b: \texttt{nat} ~\mid~ \varOmega \vdash_{\texttt{RD}} v ~:: \uparrow A$                                                                                                 | e read, commit             |
| $(J_u)$                   | $\texttt{Md} ~\mid~ b: \texttt{nat} ~\mid~ \Omega; \varSigma \vdash_{\texttt{WT}} x ~:: \downarrow \uparrow A$                                                                              | write on $x$ , no crash    |
| $(J_s)$                   | $\texttt{Md} ~ ~ b: \texttt{nat} ~ ~ \varOmega \vdash_{\texttt{WT}} x ~:: \uparrow A$                                                                                                       | write on $x$ , commit      |
| $(J_s)$                   | $\texttt{Md} ~ ~ b: \texttt{nat} ~ ~ \varOmega \vdash p ~:: \uparrow \texttt{C}_{\texttt{unit}}$                                                                                            | before execution           |
| $\overline{(J_u)}$        | $\texttt{Md} \   \ b = 0: \texttt{nat} \   \ \varOmega; \varSigma \vdash \kappa \ :: \texttt{C}_T^{\texttt{Md}}$                                                                            | about to crash             |
| $(J_u) \operatorname{Md}$ | $ \cdot  \ \Omega; \varSigma \vdash {\downarrow} \varepsilon \ \texttt{\# in}(b > 0, \uparrow \kappa) \ :: {\downarrow}(\texttt{nat} \rightsquigarrow \uparrow \texttt{C}_T^{\texttt{Md}})$ | crash state                |
| $(J_s)$                   | $\texttt{Md} \   \cdot   \ \varOmega \vdash \varepsilon \ \texttt{\#in}(b > 0, \uparrow \kappa) \ :: \texttt{nat} \rightsquigarrow \uparrow \texttt{C}_T^{\texttt{Md}}$                     | waiting for energy         |
| $(J_s)$                   | $	extsf{Md} \mid b > 0: 	extsf{nat} \mid arOmega dash 	au : \uparrow 	extsf{C}_T^{	extsf{Md}}$                                                                                              | before re-execution        |

Table 1. Typing judgment summary

**Types and Static Context.** Our types are summarized below. The two modalities stratify types into the varieties stable  $(\tau^s)$  and unstable  $(\tau^u)$ . The base store types **int** and **bool** are considered unstable. A type variable  $v_t$  denotes a type in the set { $C_{unit}, C_A^{atom}, C_A^{jit}$ }, and implements the recursive nature of Crash types. We include the connectives  $\lor$  and  $\rightsquigarrow$  solely for the purpose of defining Crash types; they are not used elsewhere. Defining Crash types using these connectives will allow us to define the logical relation in Sec. 5 based on the intended meaning of its index type. Some well-formed types, e.g., **nat**  $\rightsquigarrow$  **nat**  $\rightsquigarrow$  **↑unit**, are not accepted by our type system introduced in Sec. 4.4. These types have no inhabitants, i.e., no well-typed configuration is of these types.

A nonvolatile store typing context  $\Omega$  assigns stable types to nonvolatile location variables, i.e. all variables in  $\Omega$  have a type of the form  $\uparrow_u^s A$ . A volatile store typing context  $\Sigma$  assigns unstable types to volatile location variables, i.e., variables in  $\Sigma$  are of the type  $\downarrow_u^s \uparrow_u^s A$ .  $x_{ck}$  refers to a location that has been checkpointed. In the atomic mode,  $x_{ck}$  has an active volatile log in  $\Sigma$ .

**Typing Judgments.** Table 1 summarizes all the typing judgments. These judgments are parameterized over the execution mode Md of the expression or command to be typed. The judgment also tracks a variable *b* corresponding to the current energy level of this execution. *b* ranges over natural numbers (nat) and is constrained by a relation  $\mathcal{R} \in \{\geq, >\}$  or is set to 0; where  $b \geq 0$  is unconstrained. The constraint on *b* determines whether or not a command can evaluate a value without power failure. There are three judgments for command typing. The first judgment is used when the command has not yet successfully finished

$$\frac{\mathsf{jit} \mid b \ge 0: \mathtt{nat} \mid \varOmega; \cdot \vdash_{\emptyset} c: \mathtt{C}_{\mathtt{unit}} \quad b: \mathtt{nat} \mid \varOmega \vdash p: \uparrow \mathtt{C}_{\mathtt{unit}}}{b: \mathtt{nat} \mid \varOmega \vdash c; p: \uparrow \mathtt{C}_{\mathtt{unit}}} \text{ (T-P-SEQ)}$$

$$\begin{split} \Omega_0 \mid \Sigma_0 = \mathsf{InitWorld}_t(\Omega; \rho) \\ \mathbf{Sig} &= \{\mathsf{alD}(c_0) \mid b \ge 0 : \mathtt{nat} \mid \Omega_0; \Sigma_0 \vdash c_0 : \mathtt{C_{unit}}\} \\ \frac{\mathsf{alD}(c_0) \mid b \ge 0 : \mathtt{nat} \mid \Omega_0; \ \Sigma_0 \vdash_{\mathtt{Sig}} c_0 : \mathtt{C_{unit}} \quad b : \mathtt{nat} \mid \Omega \vdash p : \uparrow \mathtt{C_{unit}}}{b : \mathtt{nat} \mid \Omega \vdash \mathsf{Ckpt}[\mathsf{alD}, \rho](c_0); p : \uparrow \mathtt{C_{unit}}} \end{split}$$
(T-P-CKPT)

Fig. 7. Program typing

executing; its next step, depending on its constraint  $\mathcal{R}$ , may or may not crash. When the command reaches type  $\downarrow\uparrow$ unit, b no longer needs to be constrained as the execution succeeded without power failure. The second judgment invokes the third judgment to type the configuration after the volatile log is committed: in the typing rule for committing the volatile log, the conclusion is of the form of the second judgment and the premise is of the form of the third. For expression typing, we distinguish expressions on the right of an assignment (being read) from those on the left of an assignment (being written to) via subscripts RD and WT, respectively. The expressions that are being written to are only of the simple form x. As no execution is required to evaluate x, we consider its judgment crash free, so no constraint is required on b. For program typing, we only have one judgment that refers to the type of the program before the execution of its next block starts. The rest of the judgments type states after a crash. The first judgment uses the constraint b = 0, which corresponds to the power failure condition. It invokes the second judgment, which types a state right after crash. The third judgment types the state awaiting energy to continue re-execution, and the final judgment types the state that is ready for restoration and re-execution.

#### 4.4 Typing Rules

**Program Typing.** Fig. 7 shows the typing rules for programs. The P-SEQ rule types program c; p by first typing c under jit mode, requiring  $b \ge 0$ , and then typing the rest of the program. The volatile memory context is empty for now, but will be populated when the let commands allocate new volatile locations.

The P-CKPT rule types the command  $c_0$  enclosed in an atomic region under the mode  $\mathsf{alD}(c_0)$  and then types the rest of the program p. The first premise sets up the initial typing contexts for nonvolatile and volatile memories, as illustrated in Fig. 2. The partial function  $\mathsf{InitWorld}_t$  initializes the volatile memory by creating a log of variables in  $\Omega$  that are not read-only.  $\Omega$  can be uniquely split into  $\Omega^c$  and  $\Omega^r$ , where  $\Omega^r$  is the set of all read-only locations in  $\Omega$ , and  $\Omega^c$ is the set of all locations that are not read-only. This function is defined below:

 $\Omega_0 \mid \Sigma_0 = \mathsf{InitWorld}_t(\Omega; \rho) \text{ iff } \rho \subseteq \mathsf{dom}(\Omega), \ \Omega_0 = \Omega^r, \Omega^c_{\mathsf{ck}} \text{ and } \Sigma_0 = \downarrow \Omega^c$ 

where  $\Omega = \Omega^c, \Omega^r$  and  $\Omega^r = \Omega \upharpoonright \rho$ .

Here  $\Omega^r = \Omega \upharpoonright \rho$  is a subset of  $\Omega$  where locations are declared in  $\rho$  to be read-only, and  $\Omega^c$  are all other locations in  $\Omega$ . The context  $\Omega^c_{ck}$ , is defined as

 $\Omega_{ck}^c = \{x_{ck}: \uparrow A@q \mid x: \uparrow A@q \in \Omega^c\}, \text{ and the context } \downarrow \Omega^c, \text{ is defined as } \downarrow \Omega^c = \{x: \downarrow \uparrow A@q \mid x: \uparrow A@q \in \Omega^c\}.$  If the set of read only variables,  $\rho$ , is not in the domain of  $\Omega$ , then the function  $\mathsf{InitWorld}_t$  is not defined.

In rules P-SEQ and P-CKPT, the command typing judgment in the premise makes use of a signature (subscripts  $\emptyset$  and Sig, respectively) to type check the command relative to the signature. The signature is populated at different stages of type checking the JIT and atomic regions. In an atomic region, rule T-P-CKPT populates the signature at the beginning of the region with the initial judgment which includes the region's original command  $c_0$  and static memory context  $\Omega_0$ ;  $\Sigma_0$ . The region is then typed relative to the signature. In JIT mode, the signature is populated later with the judgment just at the point of the failure (rule T-ENOUGH?). The program remembers that it built a typing derivation for the judgment in the signature such that when it restores from a power failure, it refers to the signature without needing to derive it again. This makes the typing derivations finitary and inductive.

**Command and Expression Typing.** Fig. 8 shows selected typing rules for commands. The T-SKIP rule declares the command skip as the stable type  $\uparrow$ unit. Rule T-V-SUCC applies when the command successfully completes its execution and still has one unit of energy available (b > 0) to conclude the execution. In this case, we close off the energy level variable and continue typing the command against the type  $\downarrow\uparrow$  unit. Rule T-C-SHIFT is invoked by T-V-SUCC and updates the memory typing contexts by removing checkpointed locations in  $\Omega$  as now they are not needed, and making locations in  $\Sigma$  stable as now they are committed. This corresponds to the last step of Fig. 2.

The rules T-LET and T-ASSIGN, are mostly standard except that we consider crashes. For example, in typing the assign command x := e, the first premise of T-ASSIGN considers the type of expression e to be the Crash type  $C_A^{Md}$ , but in the second premise we require the location x to be of type  $\downarrow \uparrow A$ , i.e., the location only considers the type corresponding to the case where execution of ecan be completed successfully. The reason is that the assignment only occurs if the execution of e is successful. The constraint on the energy levels for premises goes back to  $b \geq 0$ , as we use one energy unit to deconstruct these commands.

The rule T-ENOUGH? checks two premises based on the value of  $b \ge 0$ . The third premise, a crash judgment, corresponds to the case where b = 0 (typing rules for crash judgments are given later in this section) and the fourth premise corresponds to the case where b > 0. The condition b > 0 states that there is at least one unit of energy available to decompose one command construct, e.g., via T-LET or T-ASSIGN. This rule populates the signature for JIT commands. The second premise states that the signature remains intact if the mode is atomic, but is populated by Sig' if the mode is JIT. In the JIT mode, after a power failure, the command c is restored to itself, and Sig' remembers that the well-typedness of the command when the energy level is non-negative has been checked already.

Expression typing rules are very similar to those of the commands. Fig. 8 shows a few selected rules. The T-LOC-WRITE and T-LOC-READ rules match

#### Commands

$$\begin{split} \overline{\mathrm{Md} \mid b: \mathrm{nat} \mid \Omega \vdash_{\mathrm{Sig}} \mathrm{skip} : \uparrow \mathrm{unit}}^{\mathrm{(T-SKIP)}} \\ & \frac{\varSigma = \downarrow \varSigma' \quad \Omega = \Omega', \Omega_{\mathrm{ck}}' \quad \mathrm{Md} \mid b: \mathrm{nat} \mid \Omega', \varSigma' \vdash_{\mathrm{Sig}} \mathrm{skip} : \uparrow \mathrm{unit}}{\mathrm{Md} \mid b: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{skip} : \downarrow \uparrow \mathrm{unit}} (\mathrm{T-C-SHIFT}) \\ & \frac{\mathrm{Md} \mid b: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{skip} : \downarrow \uparrow \mathrm{unit}}{\mathrm{Md} \mid b > 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{skip} : \tau \lor \downarrow \uparrow \mathrm{unit}} (\mathrm{T-V-SUCC}) \\ & \frac{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{skip} : \tau \lor \downarrow \uparrow \mathrm{unit}}{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{skip} : \tau \lor \downarrow \uparrow \mathrm{unit}} (\mathrm{T-V-SUCC}) \\ & \frac{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{skip} : \tau \lor \downarrow \uparrow \mathrm{unit}}{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{skip} : \tau \lor \downarrow \uparrow \mathrm{unit}} (\mathrm{T-LET}) \\ & \frac{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{eit} x = e_1 \mathrm{in} \, c: \tau}{\mathrm{Md} \mid b > 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} \mathrm{eit} x = e_1 \mathrm{in} \, c: \tau} (\mathrm{T-LET}) \\ & \frac{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} e: \mathsf{C}_A^{\mathrm{Md}} \; \mathrm{Md} \mid b > 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{WT}} x: \downarrow \uparrow A}{\mathrm{Md} \mid b > 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} x: = e: \mathsf{C}_{\mathrm{unit}}^{\mathrm{Md}} (\mathrm{T-ASSIGN}) \\ & \frac{\mathrm{Sig}' = \{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} x: = e: \mathsf{C}_{\mathrm{unit}}^{\mathrm{Md}} (\mathrm{Sig}' = if \, \mathrm{Md} = \mathrm{jit}, then \, \mathrm{Sig}', else \, \mathrm{Sig} \\ & \frac{\mathrm{Md} \mid b = 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}''} c: \tau \; \; \mathrm{Md} \mid b > 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} c: \tau}{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} c: \tau} (\mathrm{T-NOUGH}?) \\ & \frac{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} c: \tau}{\mathrm{Md} \mid b \ge 0: \mathrm{nat} \mid \Omega; \varSigma \vdash_{\mathrm{Sig}} c: \tau} \end{split}$$

Expressions

$$\frac{\Omega, \Sigma' = x:\uparrow A@q, \Omega'_2 \quad q \neq \mathtt{RD}}{\mathtt{Md} \mid b: \mathtt{nat} \mid \Omega, \Sigma' \vdash_{Wt} x: \uparrow A} \quad (\text{T-Loc-Write})$$

$$\frac{\varOmega = x: \uparrow A @q, \Omega'}{\operatorname{Md} \mid b: \operatorname{nat} \mid \Omega \vdash_{\operatorname{RD}} x: \uparrow A} \xrightarrow{(\operatorname{T-Loc-Read})} \qquad \qquad \frac{\operatorname{Md} \mid b: \operatorname{nat} \mid \Omega \vdash_{\operatorname{RD}} \operatorname{tt} :\uparrow \operatorname{bool}}{\operatorname{Md} \mid b: \operatorname{nat} \mid \Omega \vdash_{\operatorname{RD}} \operatorname{tt} :\uparrow \operatorname{bool}} \xrightarrow{(\operatorname{T-Bool-T})}$$

Fig. 8. Selected command and expression typing

the location variable x with an existing variable inside the context. T-LOC-WRITE performs an extra check to make sure that x is not a read-only variable.

Statement typing Fig. 9 presents the typing rules for crash instructions. The crash is detected by the depleted energy level b = 0 in the T-V-CRASH rule. In the premise, the crash instruction  $\downarrow \varepsilon \# in(b > 0, \uparrow \kappa')$  is typed. In JIT mode, the T-JIT-STOP rule brings a checkpointed version of all the volatile variables in  $\Sigma$  inside  $\Omega$  since they are checkpointed then. In atomic mode, T-AID-STOP rule simply drops the volatile locations in  $\Sigma$ . The T-CHARGE rule inputs a new energy level from the energy channel  $\varepsilon$ , regardless of the mode. The first premise shows that the energy channel is needed to provide a natural number greater than zero. Finally, the T-JIT-RESTORE and T-AID-RESTORE rules prepare and check rebooted system in JIT and atomic modes, respectively. In both modes, volatile memory is restored from the checkpointed locations in  $\Omega$ . In the atomic mode, the checkpointed locations persist in  $\Omega$  as we may need them for the

$$\begin{split} \frac{\operatorname{Md} |\cdot| \ \Omega; \ \Sigma \vdash_{\operatorname{Sig}} \downarrow \varepsilon \ \# \operatorname{in}(b > 0, \uparrow \kappa') : \downarrow(\operatorname{nat} \rightsquigarrow \uparrow \mathsf{C}_{T'}^{\operatorname{Md}})}{\operatorname{Md} | \ b = 0 : \operatorname{nat} | \ \Omega; \ \Sigma \vdash_{\operatorname{Sig}} \kappa' : \downarrow(\operatorname{nat} \rightsquigarrow \uparrow \mathsf{C}_{T'}^{\operatorname{Md}}) \lor \downarrow \uparrow T} (\text{T-V-CRASH}) \\ \\ \frac{\Sigma = \downarrow \uparrow \Sigma' \quad \operatorname{jit} |\cdot| \ \Omega, \uparrow \Sigma'_{ck} \vdash_{\operatorname{Sig}} \varepsilon \ \# \operatorname{in}(b > 0, \uparrow \kappa') : (\operatorname{nat} \rightsquigarrow \uparrow \mathsf{C}_{T}^{s})}{\operatorname{jit} |\cdot| \ \Omega; \ \Sigma \vdash_{\operatorname{Sig}} \downarrow \varepsilon \ \# \operatorname{in}(b > 0, \uparrow \kappa') : \downarrow(\operatorname{nat} \rightsquigarrow \uparrow \mathsf{C}_{T}^{s})} (\text{T-JIT-STOP})} \\ \\ \frac{\operatorname{alD}(c_{0}) |\cdot| \ \Omega; \ \Sigma \vdash_{\operatorname{Sig}} \varepsilon \ \# \operatorname{in}(b > 0, \uparrow \kappa') : (\operatorname{nat} \rightsquigarrow \uparrow \mathsf{C}_{unit}^{s})}{\operatorname{alD}(c_{0}) |\cdot| \ \Omega; \ \Sigma \vdash_{\operatorname{Sig}} \downarrow \varepsilon \ \# \operatorname{in}(b > 0, \uparrow \kappa') : (\operatorname{nat} \rightsquigarrow \uparrow \mathsf{C}_{unit}^{s})} (\text{T-AID-STOP})} \\ \\ \frac{\varepsilon \ \# \operatorname{in}() : \operatorname{nat} > 0 \quad \operatorname{Md} | \ b > 0 : \operatorname{nat} | \ \Omega \vdash_{\operatorname{Sig}} \uparrow \kappa' : \uparrow \mathsf{C}_{T}^{s}}{\operatorname{Md} | \cdot| \ \Omega \vdash_{\operatorname{Sig}} \varepsilon \ \# \operatorname{in}(b > 0, \uparrow \kappa') : (\operatorname{nat} \rightsquigarrow \uparrow \mathsf{C}_{unit}^{s})} (\text{T-CHARGE})} \\ \\ \frac{\Omega = \Omega', \Omega_{ck}'' \quad \operatorname{jit} | \ b \ge 0 : \operatorname{nat} | \ \Omega \vdash_{\operatorname{Sig}} \uparrow \kappa' : \uparrow \mathsf{C}_{T}}{\operatorname{jit} | \ b > 0 : \operatorname{nat} | \ \Omega \vdash_{\operatorname{Sig}} \uparrow \kappa' : \uparrow \mathsf{C}_{T}} (\text{T-JIT-RESTORE})} \\ \\ \frac{\Omega = \Omega', \Omega_{ck}'' \quad \operatorname{alD}(c_{0}) | \ b \ge 0 : \operatorname{nat} | \ \Omega; \downarrow \Omega'' \vdash c_{0} : \operatorname{Cunit} \in \operatorname{Sig}}{\operatorname{alD}(c_{0}) | \ b \ge 0 : \operatorname{nat} | \ \Omega \vdash_{\operatorname{Sig}} \uparrow \kappa' : \uparrow \mathsf{C}_{T}} (\text{T-AID-RESTORE})} \\ \end{array}$$

Fig. 9. Crash, restore, and checkpoint typing

next power failure. Alternatively, in the JIT mode, checkpoints are dropped from  $\Omega$  and execution continues with the expression or command  $\kappa$ , which was running right before the crash. In the atomic mode, execution continues with the original command  $c_0$  enclosed in the atomic region. Instead of retyping the restored judgments, we check if there are already typing derivations by matching them up with the saved judgment in the signature.

## 5 Logical Relation for Intermittent Execution

We establish a logical relation to prove idempotency, which states that every intermittent execution of a program can be simulated by a continuous execution. The logical relation relates an intermittent execution with a continuous one and is indexed by Crash types. A continuous run is one with an infinite energy level,  $\infty$ . Crash types are recursive, yielding possible infinite atomic region re-executions. Thus, we use the maximum number of executions (also power failures) as a step index to stratify our logical relation to ensure its well-foundedness.

The logical relation (defined in Sec. 5.1) relies on PwOff, Restore, and Commit functions, referred to as power failure, restore, and commit policies, respectively. We establish specific policies for atomic and JIT execution modes. We formalize *semantic typing* as every atomic and JIT region of the program being logically-related to themselves. We prove that the semantically well-typed programs are idempotent across power failures in Sec. 5.2. The definitions match the memory operations in the dynamic rules that deal with crash, restore, and re-execution (D-S-AID/ D-S-JIT, D-R-AID/ D-R-JIT, and D-P-CKPT/  $\begin{array}{l} \operatorname{Md} \mid b \geq 0: \operatorname{nat} \mid \varOmega \mid \varSigma \Vdash c_1 \leq c_2: \mathtt{C}_{\operatorname{unit}} \\ \operatorname{iff} \forall n, m \geq 0. \; \forall \gamma, \mathsf{NV}, \mathsf{V.} s.t. \; \mathsf{NV} \mid \mathsf{V} \Vdash \gamma :: \varOmega \mid \varSigma \\ (\gamma \mid \operatorname{Md} \mid n \mid \mathsf{NV} \mid \mathsf{V} \mid c_1, \gamma \mid \operatorname{Md} \mid \infty \mid \mathsf{NV} \mid \mathsf{V} \mid c_2) \in \mathcal{E}[\![\mathtt{C}_{\operatorname{unit}}]\!]^m \end{array}$ 

### Term Relation

$$\begin{split} \mathcal{E}[\![\mathbf{C}_{\text{unit}}]\!]^{m+1} &= \{ (\gamma_1 \mid \mathsf{Md} \mid n_1 \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid c_1, \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid c_2) \, s.t. \\ & \exists.(\gamma_1' \mid \mathsf{Md}' \mid n_1' \mid \mathsf{NV}_1' \mid \mathsf{V}_1' \mid c_1') \, s.t. \\ & \gamma_1 \mid \mathsf{Md} \mid n_1 \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid c_1 \to_{irred}^* \gamma_1' \mid \mathsf{Md}' \mid n_1' \mid \mathsf{NV}_1' \mid \mathsf{V}_1' \mid c_1' \land \\ & \exists.(\gamma_2' \mid \mathsf{Md}' \mid \infty \mid \mathsf{NV}_2' \mid \mathsf{V}_2' \mid c_2') \, s.t. \\ & \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid c_2 \to^* \gamma_2' \mid \mathsf{Md}' \mid \infty \mid \mathsf{NV}_2' \mid \mathsf{V}_2' \mid c_2' \land \\ & (\gamma_1' \mid \mathsf{Md}' \mid n_1' \mid \mathsf{NV}_1' \mid \mathsf{V}_1' \mid c_1', \gamma_2' \mid \mathsf{Md}' \mid \infty \mid \mathsf{NV}_2' \mid \mathsf{V}_2' \mid c_2') \in \mathcal{V}[\![\mathsf{C}_{\text{unit}}]\!]^{m+1} \} \end{split}$$

 $\mathcal{E}\llbracket \mathtt{C}_{\mathtt{unit}} \rrbracket^0 \quad = \{ (\gamma_1 \mid \mathtt{Md} \mid n_1 \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid c_1, \gamma_2 \mid \mathtt{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid c_2 \,) \}$ 

## Value Relation

$$\begin{split} \mathcal{V}[\![\uparrow \text{unit}]\!]^m &= \{(\gamma \mid \mathsf{Md} \mid n_1 \mid \mathsf{NV}_1 \mid \mathsf{skip}, \gamma \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{skip}) \, \mathsf{s.t.} \, \mathsf{NV}_1 = \mathsf{NV}_2\} \\ \mathcal{V}[\![\downarrow\uparrow \text{unit}]\!]^m &= \{(\gamma_1 \mid \mathsf{Md} \mid n_1 \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid \mathsf{skip}, \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{skip}) \, \mathsf{s.t.} \\ \text{Commit}(\gamma_i \mid \mathsf{Md} \mid \mathsf{NV}_i \mid \mathsf{V}_i) = \gamma_1' \mid \mathsf{NV}_i' \land \\ (\gamma_1' \mid \mathsf{Md} \mid n_1 \mid \mathsf{NV}_1' \mid \mathsf{skip}, \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{skip}) \in \mathcal{V}[\![\uparrow \text{unit}]\!]^m \} \\ \mathcal{V}[\![\uparrow \mathsf{C}_{\text{unit}}]\!]^m &= \{(\gamma_1 \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \uparrow \kappa, \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \\ \text{restore}(\gamma_1, \mathsf{Md}, \mathsf{NV}_1, \kappa) = \mathsf{NV}_0 \mid \mathsf{V}_0 \mid \mathsf{c}_0 \land \\ (\gamma_1 \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \circ \kappa, \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \in \mathcal{E}[\![\mathsf{C}_{\text{unit}}]\!]^m \} \\ \mathcal{V}[\![\mathsf{nat} \leadsto \uparrow \mathsf{C}_{\text{unit}}]\!]^m &= \{(\gamma_1 \mid \mathsf{Md} \mid \cdot \mid \mathsf{NV}_1 \mid \varepsilon \, \# \, \mathsf{in}(n > 0, \uparrow \kappa), \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \\ \forall n > 0. \, (\gamma_1 \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid \varepsilon \, \# \, \mathsf{in}(n > 0, \uparrow \kappa), \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \\ \forall n > 0. \, (\gamma_1 \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid \varepsilon \, \# \, \mathsf{in}(n > 0, \uparrow \kappa), \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \\ \mathsf{NV}[\![\mathsf{cunit}]\!]^m &= \{(\gamma_1 \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid \varepsilon \, \# \, \mathsf{in}(n > 0, \uparrow \kappa), \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \\ \forall n > 0. \, (\gamma_1' \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid \varepsilon \, \# \, \mathsf{in}(n > 0, \uparrow \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \\ \mathsf{Cunit}]^m \} \\ \mathcal{V}[\![\mathsf{Cunit}]\!]^{m+1} &= \{(\gamma_1 \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid \mathsf{c}_1, \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \; \mathsf{stiher} \, n_1 = 0 \land (\gamma_1 \mid \mathsf{Md} \mid n \mid \mathsf{NV}_1 \mid \mathsf{V}_1 \mid \mathsf{L}_1 \, \mathsf{c}_1, \gamma_2 \mid \mathsf{Md} \mid \infty \mid \mathsf{NV}_2 \mid \mathsf{V}_2 \mid \mathsf{c}_2) \, \mathsf{s.t.} \\ \mathsf{V}(\mathsf{I} \mathsf{I} \mathsf{I} \mid \mathsf{I} \mid \mathsf{N}_1 \mid \mathsf{N}_1 \mid \mathsf{N}_1 \mid \mathsf{N}_1 \mid \mathsf{I} \mid \mathsf{I} \mid \mathsf{I} \mathsf{I} \mid \mathsf{I} ) \, \mathsf{N}_2 \mid \mathsf{N}_2 \mid \mathsf{I} \mathsf{I} ) \\ \mathsf{N}_1 \mathrel{N}_1 \mathrel{N}_1 \mid \mathsf{N}_1 \mid \mathsf{N}_1 \mid \mathsf{N}_1 \mid \mathsf{N}_1 \mid \mathsf{N}_1 \mid \mathsf{I} ) \; \mathsf{N}_1 \mathrel{N}_1 \mid \mathsf{I} ) \, \mathsf{N}_1 \mathrel{N}_1 \mathrel{N}_1 \mathrel{N}_1 \; \mathsf{I}$$

## Fig. 10. Logical relation

D-P-SEQ) for atomic and JIT regions, We prove that our syntactically well-typed programs are semantically well-typed. We generalize semantic typing rules, allowing custom power failure, restore, and commit policies (Sec. 5.3).

## 5.1 Semantic Typing via a Logical Relation

The logical relation, written  $\operatorname{Md} | b \ge 0$ : nat  $| \Omega | \Sigma \Vdash c_1 \le c_2$ :  $C_{\operatorname{unit}}$ , is defined in Fig. 10 by a lexicographic induction on the index m and the structure of the types. The judgment  $\mathsf{NV} | \mathsf{V} \Vdash \gamma :: \Omega | \Sigma$  in the definition states that  $\gamma$  maps the variables in  $\Sigma$  and  $\Omega$  to locations in  $\mathsf{V}$  and  $\mathsf{NV}$  resp., such that their qualifiers and types match. Similar to prior work [2,16,42], our definition consists of a term relation  $\mathcal{E}[\![\mathsf{C}_{unit}]\!]^m$  and a value relation  $\mathcal{V}[\![\tau]\!]^m$ .

**Term Relation.** A pair of open command configurations of type  $C_{unit}$  are in the term relation of index m if any intermittent execution of the first one after m power failures is indistinguishable from a continuous execution of the second one. In particular, for index m+1, the term relation relates two configurations at type  $C_{unit}$  if the first configuration eventually steps to a value (or "irreducible") configuration, i.e., it either evaluates to skip or its energy level depletes  $(n'_1 = 0)$ , and the second configuration can take zero or more steps such that the pair continue to be in the value relation of  $\mathcal{V}[\![C_{unit}]\!]^{m+1}$ . When the index is m = 0, no execution is observed, so any two configurations are in the term relation. Here, *irred* refers to  $\gamma'_1 | Md' | n'_1 | NV'_1 | V'_1 | c'_1$  being an irreducible configuration, i.e. it cannot take any more steps. Since our semantics for commands is deterministic, for each configuration  $\gamma_1 | Md | n_1 | NV_1 | V_1 | c_1$  there is exactly one such irreducible configuration.

Value Relation. The value relation is defined based on the intended meaning of the type, and relates two value configurations that will have the same effect on the stores. The value relation relates two open command configurations at type  $C_{unit}$  and index m + 1 if either (a) the first configuration has faced a power failure, and the two configurations continue to relate by  $\mathcal{V}[[\downarrow(\mathtt{nat} \rightsquigarrow \uparrow C_{unit})]]^m$ , or (b) the first configuration executed successfully without any power failures, and the two configurations are related by  $\mathcal{V}[[\downarrow\uparrow\mathtt{unit}]]^m$ . This definition matches the disjunctive nature of type  $C_{unit}$ , which is recursively defined in the signature as  $\downarrow(\mathtt{nat} \rightsquigarrow \uparrow C_{unit}) \lor \downarrow\uparrow\mathtt{unit}$ . Since we unfold the recursive definition of  $C_{unit}$ , we decrease the index from m+1 to m to ensure the relation's well-foundedness. Note that the value relation is neither defined nor called for  $C_{unit}$  at index 0.

The value relations in the third, fourth, and fifth rows of Fig. 10 are defined based on the type of the *first configuration*; the second configurations in these relations continue to be of type  $C_{unit}$ . Only in the relations defined in the first and second rows of Fig. 10 do the types of both configurations match the indexed type of the relation. Hence, the value relation has varying arity: in the first and second rows of Fig. 10, the relation is *binary* while in the rest, the relation degenerates to *unary*, with the second configuration as its Kripke world [18].

The value relation at type  $\downarrow$ (nat  $\rightsquigarrow \uparrow C_{unit}$ ) relates two configurations if the first one runs the crash instruction  $\downarrow \varepsilon \# in(n > 0, \uparrow \kappa)$  and a power failure policy creates a checkpoint of volatile locations such that the configurations continue to be in the value relation at type (nat  $\rightsquigarrow \uparrow C_{unit}$ ). The power failure function in an atomic mode is defined to checkpoint none of the volatile locations, i.e.,  $PwOff(\gamma, alD(c_0), NV_1, V_1) = \gamma' \mid \emptyset$ , where  $\gamma'$  is the largest restriction of  $\gamma$  with  $range(\gamma') = dom(NV_1)$ , and defined to checkpoint all volatile locations in JIT mode, i.e.,  $PwOff(\gamma, jit, NV_1, V_1) = \gamma \mid V_1$ .

The value relation at type  $(\texttt{nat} \rightsquigarrow \uparrow C_{\texttt{unit}})$  is defined similarly to a function type in a value relation and requires the configurations to be related at type  $(\uparrow C_{\texttt{unit}})$  for every energy input level *n* provided to the first configuration.

The value relation at type  $\uparrow C_{unit}$  requires the first configuration to run the crash instruction  $\uparrow \kappa$ . The defined restore policy restores the nonvolatile memory  $NV_0$ , volatile memory  $V_0$ , and re-execution command  $c_0$  such that the configurations continue to be related in the term interpretation at type  $C_{unit}$ . In an atomic mode, the restore function is defined as  $restore(\gamma, alD(c), NV_1, \kappa) = NV_1 \mid NV'' \mid c$  where  $NV_1 = NV', NV''_{ck}$ . In the JIT mode, the restore function is defined as  $restore(\gamma, jit(c), NV_1, \kappa) = NV'_1 \mid NV'' \mid c$  where  $NV_1 = NV', NV''_{ck}$ . We write  $NV_1 = NV', NV''_{ck}$  to state that  $NV_1$  can be uniquely partitioned into all locations  $(NV'_{ck})$  that are checkpointed, i.e., of the form  $\ell_{ck}$ , and regular locations (NV') of the form  $\ell$ . NV'' is the non-checkpointed version of  $NV''_{ck}$  which could be retrieved by removing the ck subscript from every location in  $NV''_{ck}$ .

The value relation at type  $\downarrow\uparrow$ unit requires both configurations to run skip, and the defined commit policy creates nonvolatile memories for both runs such that they continue to be related at type  $\uparrow$ unit. In an atomic mode, the commit function is defined to replace the checkpointed locations in the nonvolatile memory with their volatile log, i.e., Commit( $\gamma \mid aID(c_0) \mid NV_1 \mid V_1) = \gamma' \mid NV'_1 \mid V''$ , where  $NV_1 = NV'_1, NV''_{ck}$  and  $V_1 = V'_1, V''$  and dom(V'') = dom(NV''). Moreover,  $\gamma' \subseteq \gamma$ , with  $range(\gamma') = dom(NV_1) \cup dom(V'')$ . In the JIT mode, the commit function simply drops all volatile memory, i.e., Commit( $\gamma \mid jit \mid NV_1 \mid V_1) = \gamma' \mid$  $NV_1, \gamma' \subseteq \gamma$ , with  $range(\gamma') = dom(NV_1)$ .

The value relation at type  $\uparrow$ unit requires the successful executions to store the same values in their memories, i.e.,  $NV_1 = NV_2$ .

**Semantic Typing.** A program is semantically well-typed if every JIT and atomic region of it is self-related under our logical relation.

$$\frac{\mathsf{jit} \mid b \ge 0: \mathtt{nat} \mid \varOmega; \cdot \Vdash c \le c: \mathtt{C}_{\mathtt{unit}} \quad b: \mathtt{nat} \mid \varOmega \Vdash p: \uparrow \mathtt{C}_{\mathtt{unit}}}{b: \mathtt{nat} \mid \varOmega \Vdash c; p: \uparrow \mathtt{C}_{\mathtt{unit}}} (\mathsf{P}\text{-seq-semantic})$$

$$\begin{split} & \Omega_0 \mid \varSigma_0 = \mathsf{InitWorld}_t(\varOmega;\rho) \\ & \frac{\mathsf{alD}(c_0) \mid b \geq 0: \mathtt{nat} \mid \varOmega_0; \varSigma_0 \Vdash c_0 \leq c_0: \mathtt{C}_{\mathtt{unit}} \quad b: \mathtt{nat} \mid \varOmega \Vdash p: \uparrow \mathtt{C}_{\mathtt{unit}} \\ & b: \mathtt{nat} \mid \varOmega \Vdash \mathsf{Ckpt}[\mathsf{alD},\rho](c_0); p: \uparrow \mathtt{C}_{\mathtt{unit}} \end{split} (\text{P-Ckpt-semantic})$$

## 5.2 Semantic Typing for Idempotency

The fundamental theorem of our logical relation states that syntactically welltyped programs are also semantically well-typed by proving that syntactically well-typed JIT and atomic regions are self-related. We state and prove the theorem in Sec. 6 but devote this section to explaining why being self-related implies idempotency. We explain it separately for JIT and atomic blocks.

**Stepping a JIT block.** Consider a program of form  $[\chi_1 \triangleright \varepsilon] \otimes \gamma_1 \mid n \mid \mathsf{NV}_1 \mid c_1; p$  that can take a step to  $[\chi_k \triangleright \varepsilon] \otimes \gamma \mid n'_k \mid \mathsf{NV}'_k \mid p$  via the D-P-SEQ rule. By the D-P-SEQ rule, we know that the command  $c_1$  is successfully executed to completion with possibly *m*-many power failures along the way:  $[\chi_1 \triangleright \varepsilon] \otimes \gamma_1 \mid p \in [\chi_1 \models \xi] \otimes \gamma_1 \mid p \in [\chi_1 \models \xi$ 

jit  $|n| \text{NV}_1 | \cdot |c_1 \Rightarrow^* [\chi_k \rhd \varepsilon] \otimes \gamma'_k | \text{jit} | n'_k | \text{NV}'_k | \text{kip. Our goal is to simulate this execution in a continuous setting. To model a continuous run, we run the configuration with <math>\infty$ , an energy level:  $[\chi \rhd \varepsilon] \otimes \gamma_1 | \text{jit} | \infty | \text{NV}_1 | \cdot | c_1 \Rightarrow^* [\chi \rhd \varepsilon] \otimes \gamma'_j | \text{jit} | \infty | \text{NV}'_j | \text{V}'_j | \text{skip.}$ 

Fig. 11 shows the construction of the simulation. We start with the assumption that the configuration with n energy level is self-related when given energy level  $\infty$  for every index, including m + 1 (point (1) in Fig. 11). We show that if the first configuration takes one or more steps, the second configuration can take zero or more steps so that the intermediate regions continue to relate.

By definition of the term interpretation,  $c_1$  in the first configuration is executed until the first power failure occurs. Moreover, by the relation, we can execute  $c_1$  in the second configuration, too, such that the resulting configurations remain related (point (2) in Fig. 11) by the value interpretation at type  $C_{unit}$ . The first configuration takes a step from point (2) to point (3) using the D-CRASH rule by the computational semantics. By the definition of the logical relation, the two configurations continue to be related by the value interpretation at type  $\downarrow$ (nat  $\rightsquigarrow \uparrow C_{unit}$ ). Then the first configuration takes a step from point (3) to point (4) by the D-S-JIT rule; in this case, we know (by the assumptions of the rule)  $V' = V'_1$  and  $\gamma''_1 = \gamma$ . This matches the definition of the power-off policy for JIT blocks (see Sec. 5.1), and thus the two configurations remain related by the value relation at type nat  $\rightsquigarrow \uparrow C_{unit}$ . Next, the first configuration takes a step to point (5) by inputting a new energy level from the environment  $(n_2)$ . By the definition of the value relations, the two configurations will remain related by the value interpretation at type  $\uparrow C_{unit}$ .

Finally, the configuration steps to point (6) by D-RESTORE-JIT that copies all checkpointed locations inside the volatile memory and continues by running the interrupted command  $\kappa$ , i.e., here  $\mathsf{NV}_0 = \mathsf{NV}'_1$  and  $\mathsf{V}_0 = \mathsf{V}' = \mathsf{V}'_1$  and  $c_0 = \kappa$ . This matches the restore policy defined for JIT regions; thus, the configurations continue to be related by the *term relation* at type  $\mathsf{C}_{unit}$ , similar to what we had earlier at point (1) in Fig. 11, but with fewer power failures remaining.

Now, when the first configuration finally steps to point (8), by the definition of the logical relation, we know that the second configuration steps into skip too. Thus, we can apply the D-Ckpt rule on the second configuration. The volatile memory  $V'_j$  is dropped, and the mapping is reset to  $\gamma$ , i.e., it matches the commit policy defined for JIT blocks. in the logical relation. By Fig. 11-d, we get  $NV'_j = NV'_k$ , which completes deriving our goal.

**Stepping an atomic region.** We can build the desired simulation by taking the same steps described for a JIT region. Similarly, the key point is that the power-off and restore policies exactly match how the rules D-S-AID and D-RESTORE-AID, respectively, handle nonvolatile and volatile memories, and the commit policy corresponds to the FinWorld function in the D-CKPT rule.

We showed that our logical relation ensures idempotency for JIT and atomic regions. In the next section, we show that our logical relation formalizes a semantic typing to ensure idempotency of more general policies.

Fig. 11. Why the logical relation is enough.

## 5.3 More General Policies

We utilize our semantic typing to allow custom policies for power failure, restore, and commit. We extend the grammar of programs as  $p := \cdot | \text{Reg}[alD, \overline{arg}](c); p$ , where  $\overline{arg}$  refers to the arguments that the programmer decides to pass to the region for initialization. To each region, we assign a unique identifier alD that is associated with the three policies and two functions InitGeneral<sub>t</sub> and InitGeneral<sub>d</sub> to initialize the static and dynamic memories, respectively. We add the following semantic typing rule for the general regions:

$$\frac{c_0 \mid \Omega_0 \mid \Sigma_0 = \texttt{InitGeneral}_t(\Omega; \texttt{alD}; c; \overline{org})}{\texttt{alD}(c_0) \mid b \ge 0 : \texttt{nat} \mid \Omega_0; \Sigma_0 \Vdash c_0 \le c_0 : \texttt{C}_{\texttt{unit}} \quad b : \texttt{nat} \mid \Omega \Vdash p : \uparrow \texttt{C}_{\texttt{unit}}}{b : \texttt{nat} \mid \Omega \Vdash \texttt{Reg[alD}, \overline{arg}](c); p : \uparrow \texttt{C}_{\texttt{unit}}}$$
(P-Reg-SEMANTIC)

For a self-related region to be idempotent, its policies Commit, PwOff, and Restore must match the dynamics, so we add dynamic rules for custom regions in Fig. 12. The JIT and atomic region policies and their dynamic rules are instances of these general policies. As an example, the programmer can customize the policies of the first block of Fig. 1 to not checkpoint variable u. The program remains idempotent as the atomic region never reads u before writing to it. This

$$\begin{array}{l} \begin{array}{l} \begin{array}{c} \gamma_{0}\mid\mathsf{NV}_{0}\mid\mathsf{V}_{0}\mid\mathsf{c}_{0}=\mathsf{restore}(\mathsf{NV},\mathsf{V},\kappa,\mathsf{Md},\gamma) \\ \hline [\chi \rhd \varepsilon] \otimes \gamma \mid\mathsf{Md}\mid n\mid\mathsf{NV}\mid\uparrow\kappa \ \Rightarrow \ [\chi \rhd \varepsilon] \otimes \gamma_{0}\mid\mathsf{Md}\mid n\mid\mathsf{NV}_{0}\mid\mathsf{V}_{0}\mid\mathsf{c}_{0} \end{array} (\mathrm{D-R-Reg}) \\ \end{array} \\ \begin{array}{c} n>0 \quad \mathsf{InitGeneral}_{d}(\mathsf{NV};\mathsf{alD};c;\gamma;\overline{arg}) = c_{0},\mathsf{NV}_{0},\mathsf{V}_{0} \\ \hline [\chi \rhd \varepsilon] \otimes \mathsf{alD}(c_{0})\mid n\mid\mathsf{NV}_{0}\mid\mathsf{V}_{0}\mid c_{0} \Rightarrow^{*}\ [\chi' \rhd \varepsilon] \otimes \mathsf{alD}(c_{0})\mid n'\mid\mathsf{NV}'\mid\mathsf{V}'\mid\mathsf{skip} \\ \hline n'>0 \quad \mathsf{NV}_{1} = \mathsf{Commit}(\mathsf{NV}';\mathsf{V}';\mathsf{alD};\overline{arg}) \\ \hline [\chi \rhd \varepsilon] \otimes \gamma\mid n\mid\mathsf{NV}\mid\mathsf{Reg}[(\mathsf{alD};\overline{arg})](c);p \ \Rightarrow \ [\chi' \rhd \varepsilon] \otimes \gamma\mid n'\mid\mathsf{NV}_{1}\mid p \end{array} (\mathsf{D-Reg}) \\ \hline \begin{array}{c} \mathsf{V}' = \mathsf{PwOff}(\mathsf{NV},\mathsf{V},\mathsf{Md},\gamma) \\ \hline [\chi \rhd \varepsilon] \otimes \gamma\mid\mathsf{Md}\mid\cdot\mid\mathsf{NV}\mid\mathsf{V}\mid\mathsf{\downarrow}\varepsilon \ \# \operatorname{in}(b>0;\uparrow\kappa) \Rightarrow \\ [\chi \rhd \varepsilon] \otimes \gamma\mid\mathsf{Md}\mid\cdot\mid\mathsf{NV},\mathsf{V}'\mid\varepsilon \ \# \operatorname{in}(b>0;\uparrow\kappa) \end{array} \end{array} \end{array}$$

Fig. 12. Custom dynamic rules

policy is implemented by real systems [23,24,41]. Our static typing rules can be extended to reason about them as shown in the companion technical report.

## 6 Metatheory

This section establishes the main properties of the system, which are progress and preservation, adequacy, and the most important result: the fundamental theorem where we prove that statically well-typed programs are semantically well-typed. The theorems and their complete proofs are provided in the companion TR [15].

The progress and preservation theorems assume memory locations to be wellformed,  $\vdash_{\gamma}^{Md} NV \mid V : \Omega \mid \Sigma$ , which is defined similarly to the  $NV \mid V \Vdash \gamma : \Omega \mid \Sigma$ used in the logical relation, but imposes extra conditions based on the execution mode Md. It states that  $\gamma$  maps variables in contexts  $\Omega$  and  $\Sigma$  to the nonvolatile and volatile memories, NV and V, respectively, such that their qualifiers and the type of the stored values match. Moreover, it requires specific properties on the contexts depending on Md; in atomic mode, each checkpointed location in NV and  $\Omega$  must have copies in V and  $\Sigma$ . We state the theorems below.

**Theorem 1 (Progress for Commands).** If  $Md \mid b \mathcal{R} m : nat \mid \Omega; \Sigma \vdash_{Sig} c : \tau$ , then  $\forall n : nat$  with  $n\mathcal{R}m$  and  $\forall \gamma, NV, V$  with  $\vdash_{\gamma}^{Md} NV \mid V : \Omega \mid \Sigma$ , either  $\gamma \mid Md \mid$  $n \mid NV \mid V \mid c$  is a value, or for some configuration  $\gamma' \mid Md' \mid n' \mid NV' \mid V' \mid c'$  we have  $\gamma \mid Md \mid n \mid NV \mid V \mid c \rightarrow \gamma' \mid Md' \mid n' \mid NV' \mid V' \mid c'$ . Moreover, if Md is an atomic mode, we have NV' = NV.

**Theorem 2 (Preservation for Commands).** If  $\operatorname{Md} | b \ge 0$ :  $\operatorname{nat} | \Omega; \Sigma \vdash_{\operatorname{Sig}} c : \tau$ , and for some  $\vdash_{\gamma}^{\operatorname{Md}} \operatorname{NV} | \operatorname{V} : \Omega | \Sigma$  and  $n:\operatorname{nat} \ge 0$ , we have  $\gamma | \operatorname{Md} | n | \operatorname{NV} | \operatorname{V} | c \to \gamma' | \operatorname{Md} | n' | \operatorname{NV}' | \operatorname{V}' | c'$ , then for some  $\Sigma_1$ , we have  $\operatorname{Md} | b \ge 0$ :  $\operatorname{nat} | \Omega; \Sigma_1 \vdash_{\operatorname{Sig}} c' : \tau$ , where  $\vdash_{\gamma'}^{\operatorname{Md}} \operatorname{NV}' | \operatorname{V}' : \Omega | \Sigma_1$  and  $n' \ge 0$ .

**Theorem 3 (Fundamental Theorem).** If  $b : nat | \Omega \vdash p : \uparrow C_{unit}$ , then  $b : nat | \Omega \Vdash p : \uparrow C_{unit}$ .



Fig. 13. Proof of the fundamental theorem for P-Ckpt

The proof of Theorem 3 is by induction on the static typing derivation for pand considers the last step in the derivation. Fig. 13 explains the idea of the proof for the case where P-Ckpt is the last step of the derivation. By inversion,  $p = \mathsf{Ckpt}[\mathsf{alD}, \rho](c); p'$ . Also, c is well-typed for static contexts  $\Omega'$  and  $\Sigma$ , where  $\Omega' = \Omega'', \Sigma_{ck}$ . The goal is to establish point (1) in the figure: c is related to itself in the term interpretation for arbitrary  $n, m, \gamma$ , NV and V where NV | V  $\Vdash$  $\gamma::\Omega'', \Sigma_{ck} \mid \Sigma$ . The last condition enforces that the static contexts match the dynamic context. The condition also establishes the more refined well-formedness condition that  $\vdash_{\gamma}^{Md} \mathsf{NV} \mid \mathsf{V} : \Omega \mid \Sigma$  in atomic mode, required by progress and preservation, since it enforces that each checkpointed location in NV and  $\Omega$  have copies in V and  $\Sigma$ . In particular,  $NV = NV', V_{ck}$  and  $range(\gamma) = dom(NV)$ . When m = 0, the proof is trivial. Consider the case where m = k + 1. By the progress and preservation theorems, the first configuration can take multiple steps until it becomes a value  $\gamma_1 \mid \mathsf{alD}(c) \mid n' \mid \mathsf{NV} \mid \mathsf{V}_1 \mid c_1$  that continues to be well-typed. If n' > 0, the second configuration steps similarly to completion and establishes that the two resulting configurations are in the value relation. This case is not shown in the figure. If n' = 0, the second configuration does not step and instead reaches point (2) in Fig. 13. At point (2), the proof must show that the configurations are in the value interpretation at type  $C_{unit}$ .

The dashed line in the figure states that establishing point (2) implies the relation in point (1). The cascade of implications (dashed lines) follows the definition of the value relations at each type. At each step, we invert on the typing rule of the open configuration and show that runtime memories stay well-defined for static contexts. At point (4), we apply the power failure policy for atomic regions, which drops the volatile memory  $V_1$  and creates a mapping using the domain of NV. By the prior conditions established, we know the created mapping is the original mapping  $\gamma$ . At point (6), we apply the restore policy for atomic regions, which creates a new volatile memory based on NV. Again by the

prior conditions established, we know the volatile memory created is the original volatile V. The goal at point (6) is similar to our original goal at point (1), except that the proof uses an inductive argument to relate the two configurations at k.

Finally the Adequacy Theorem states that semantically well-typed programs are idempotent, defined below. The proof is illustrated in Section 5.2.

**Definition 1 (Idempotency).** A triple of a program p, nonvolatile memory NV, and a mapping  $\gamma$  is idempotent, if every intermittent execution of the program can be simulated by a continuous execution of it: for all  $n, n', \chi_1, \chi'_1, \mathsf{NV}', p'$ , if  $[\chi_1 \triangleright \varepsilon] \otimes \gamma \mid n \mid \mathsf{NV} \mid p \Rightarrow [\chi'_1 \triangleright \varepsilon] \otimes \gamma \mid n' \mid \mathsf{NV}' \mid p'$ , then  $[\chi_2 \triangleright \varepsilon] \otimes \gamma \mid \infty \mid$  $\mathsf{NV} \mid p \Rightarrow [\chi_2 \triangleright \varepsilon] \otimes \gamma \mid \infty \mid \mathsf{NV}' \mid p'$ .

**Theorem 4 (Adequacy).** Consider  $b : nat | \Omega || p : C_{unit}$ , a nonvolatile memory NV and a bijective map  $\gamma$  that matches qualifiers and types from variables in  $\Omega$  to locations in NV. The triple of p, NV, and  $\gamma$  is idempotent.

## 7 Discussion & Related Work

Intermittent Computing. Surbatovich et al. [41] provide the first formal framework for reasoning about intermittent execution, give the correctness definition that we use, and identify precise memory invariants needed for an execution to be correct. Our Crash types capture some of these invariants; capturing all requires reasoning about the effects of non-deterministic sensor inputs, which we leave to future work. This work is the first to treat intermittent operations at the type level and explore the logical interpretation of intermittent execution. We speculate that our type-based approach using logical relations will provide a cleaner foundation for reasoning about the correctness of more complex intermittent systems, e.g., concurrent ones. Other works that investigate the formal properties of intermittent computing either reason about the effects of intermittent execution on peripheral interactions [9] or enforce timeliness constraints on sensor readings [40], which are orthogonal to ours.

Adjoint Logic. Benton et al. [7,8] provided the first categorical foundation for using adjoint functors to combine linear and nonlinear logics and showed that a well-behaved calculus requires an independence principle: linear formulae cannot appear in the assumptions of a nonlinear sequent. Follow up works further generalized the system [20,21,36]. There, the relation to Pfenning and Davies's [30] formulation of the lax  $\bigcirc$  modality was noted;  $\bigcirc$  corresponds to UF, where F and U are adjunctions between truth and validity categories. Short of a full curry-howard correspondence for our type system and underlying logic, we designed the rules for  $\uparrow$  and  $\downarrow$  based on the above calculi. Our stable and unstable contexts correspond to the validity and truth contexts respectively. Thus, we speculate that the combination  $\uparrow\downarrow$  in our system corresponds to the lax modality.

Several prior works used type systems with adjoint modalities to model switching between program modes [6,14,34], e.g., switching a processes' mode between shared and unshared [6], or adding multicasting, replicable services, and cancellation modes to a session-typed message passing system [34]. We are

the first to use these modalities to handle unforeseen shut-downs and distinguish between stable and power-failure prone modes.

Logical Relations. Prior work [3,42] uses step indexing to ensure the wellfoundedness of logical relations that handle heaps with cyclic references, dynamic memory allocation, or recursive types. Our Crash types model the infinite computation that an atomic region can experience under a non-deterministic number of power failures and re-executions. This recursion necessitates an-indexed relation that limits the number of execution attempts a program can make.

Jung and Tiuryn introduced a logical relation for lambda definability that allows varying arities [18]. The idea is to increase the arity when passing to later worlds instead of starting with a large arity. Our logical relation can also be viewed as a relation with different arities; the initial type of the relation is binary, while after a crash the type of the value relation only corresponds to the intermittent configuration. During these value steps, the relation is unary, with the continuous configuration acting as a kripke world for the intermittent configuration. After restoration, the relation reverts to binary.

Logical relations have been widely used to prove program equivalence, e.g., [2,3,10,16]. At a high level, idempotency is similar to program equivalence, but it handles re-execution and requires us only to prove simulation from an intermittent to continuous run, not vice-versa.

Algebraic Effect Handlers. Algebraic effect handlers [27,31,32,33] give a unified theory for computational effects, e.g., exceptions and interactive input/output. A handler accesses the continuation to transform the computation. Following effect handler syntax, we write effectful environmental interactions of our system as  $\varepsilon \#in(b > 0, \uparrow \kappa)$ , where b refers to a natural number returned by the environment and  $\uparrow \kappa$  is the continuation. Our restore policy resembles a handler, in that it has access to the continuation, but an atomic region may dismiss the continuation, restarting from a saved command.

**Crash Hoare Logic.** Crash Hoare logic (CHL) [11] ensures the correctness of crash and restore operations in a file system. CHL extends Hoare logic with a crash condition and a recovery procedure. The crash condition states what happens to the state on a crash. The recovery procedure runs after the crash and manipulates the state before resuming. The system checks that if the program crashes, the storage system will recover to a state consistent with the specifications. Unlike us, they do not care about idempotency, requiring manual effort to formalize the crash condition and recovery policy. Our syntactic typing fixes the power failure, restore, and commit policies, and our formal results guarantee that following the policies ensures idempotency, the common correctness condition for intermittent execution. We also allow the programmer to formalize bespoke semantically well-typed policies.

## 8 Conclusion

This work provides the first logical interpretation of intermittent execution. It shows that adjoint logic can be applied to define Crash types, which internalize

the dualities between stable and unstable values, and complete versus partial (re-)executions of intermittent programs. The typing constraints capture invariants of power failure, restoration, and re-execution in intermittent systems. The proofs of progress, preservation, and the fundamental theorem imply the correctness of intermittent systems, i.e. idempotency of execution.

## References

- Adkins, J., Campbell, B., Ghena, B., Jackson, N., Pannuto, P., Dutta, P.: The signpost network: Demo abstract. In: Proceedings of the 14th ACM Conference on Embedded Network Sensor Systems CD-ROM. SenSys '16 (2016). https://doi.org/10.1145/2994551.2996542
- Ahmed, A., Dreyer, D., Rossberg, A.: State-dependent representation independence. In: Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. p. 340–353. POPL '09, Association for Computing Machinery, New York, NY, USA (2009). https://doi.org/10.1145/1480881.1480925
- 3. Ahmed, A.J.: Semantics of types for mutable state. Princeton University (2004)
- Balsamo, D., Weddell, A., Das, A., Arreola, A., Brunelli, D., Al-Hashimi, B., Merrett, G., Benini, L.: Hibernus++: A self-calibrating and adaptive system for transiently-powered embedded devices. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems **PP**(99), 1–1 (2016). https://doi.org/10.1109/TCAD.2016.2547919
- Balsamo, D., Weddell, A.S., Merrett, G.V., Al-Hashimi, B.M., Brunelli, D., Benini, L.: Hibernus: Sustaining computation during intermittent supply for energy-harvesting systems. IEEE Embedded Systems Letters 7(1), 15–18 (2015). https://doi.org/10.1109/LES.2014.2371494
- Balzer, S., Toninho, B., Pfenning, F.: Manifest deadlock-freedom for shared session types. In: Proceedings of the 29th European Symposium on Programming. pp. 611– 639 (2019)
- Benton, N., Wadler, P.: Linear logic, monads and the lambda calculus. In: Proceedings 11th Annual IEEE Symposium on Logic in Computer Science. pp. 420–431. IEEE (1996)
- Benton, P.N.: A mixed linear and non-linear logic: Proofs, terms and models. In: International Workshop on Computer Science Logic. pp. 121–135. Springer (1994)
- Berthou, G., Dagand, P.E., Demange, D., Oudin, R., Risset, T.: Intermittent computing with peripherals, formally verified. In: The 21st ACM SIGPLAN/SIGBED Conference on Languages, Compilers, and Tools for Embedded Systems. pp. 85–96. LCTES '20, Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3372799.3394365
- Birkedal, L., Støvring, K., Thamsborg, J.: Realizability semantics of parametric polymorphism, general references, and recursive types. In: International Conference on Foundations of Software Science and Computational Structures. pp. 456–470. FOSSACS '09, Springer (2009)
- Chen, H., Ziegler, D., Chajed, T., Chlipala, A., Kaashoek, M.F., Zeldovich, N.: Using crash hoare logic for certifying the fscq file system. In: Proceedings of the 25th Symposium on Operating Systems Principles. pp. 18–37. SOSP '15 (2015)

- Colin, A., Lucia, B.: Chain: Tasks and channels for reliable intermittent programs. In: Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications. OOPSLA '16 (2016). https://doi.org/10.1145/2983990.2983995
- Dahiya, M., Bansal, S.: Automatic verification of intermittent systems. In: Dillig, I., Palsberg, J. (eds.) Verification, Model Checking, and Abstract Interpretation. VMCAI '18 (2018)
- Das, A., Balzer, S., Hoffmann, J., Pfenning, F., Santurkar, I.: Resource-aware session types for digital contracts. In: IEEE 34th Computer Security Foundations Symposium. pp. 1–16. CSF '21 (2021)
- Derakhshan, F., Dotzel, M., Surbatovich, M., Jia, L.: Technical report: Modal crash types for intermittent computing. Tech. rep., Carnegie Mellon University (2023). https://doi.org/10.1184/R1/21950804
- Dreyer, D., Neis, G., Birkedal, L.: The impact of higher-order state and control effects on local relational reasoning. Journal of Functional Programming 22(4-5), 477–528 (2012)
- Hester, J., Storer, K., Sorber, J.: Timely execution on intermittently powered batteryless sensors. In: Proceedings of the 15th ACM Conference on Embedded Network Sensor Systems (2017). https://doi.org/10.1145/3131672.3131673
- Jung, A., Tiuryn, J.: A new characterization of lambda definability. In: International Conference on Typed Lambda Calculi and Applications. pp. 245–257. Springer (1993)
- Kortbeek, V., Yildirim, K.S., Bakar, A., Sorber, J., Hester, J., Pawełczak, P.: Time-sensitive intermittent computing meets legacy software. In: Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. pp. 85–99. ASP-LOS '20, Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3373376.3378476
- Licata, D.R., Shulman, M.: Adjoint logic with a 2-category of modes. In: International Symposium on Logical Foundations of Computer Science. pp. 219–235. Springer (2016)
- Licata, D.R., Shulman, M., Riley, M.: A fibrational framework for substructural and modal logics. In: 2nd International Conference on Formal Structures for Computation and Deduction. FSCD '17, Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2017)
- Lucia, B., Denby, B., Manchester, Z., Desai, H., Ruppel, E., Colin, A.: Computational nanosatellite constellations: Opportunities and challenges. GetMobile: Mobile Comp. and Comm. 25(1), 16–23 (Jun 2021). https://doi.org/10.1145/3471440.3471446
- Lucia, B., Ransford, B.: A simpler, safer programming and execution model for intermittent systems. In: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation. PLDI '15 (2015). https://doi.org/10.1145/2737924.2737978
- Maeng, K., Colin, A., Lucia, B.: Alpaca: Intermittent execution without checkpoints. Proc. ACM Program. Lang. 1(OOPSLA), 96:1–96:30 (Oct 2017). https://doi.org/10.1145/3133920
- Maeng, K., Lucia, B.: Supporting peripherals in intermittent systems with just-intime checkpoints. In: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. p. 1101–1116. PLDI '19 (2019). https://doi.org/10.1145/3314221.3314613

- Maeng, K., Lucia, B.: Adaptive low-overhead scheduling for periodic and reactive intermittent execution. In: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation. pp. 1005–1021. PLDI '20, Association for Computing Machinery, New York, NY, USA (2020). https://doi.org/10.1145/3385412.3385998
- 27. Moggi, E.: Computational lambda-calculus and monads. University of Edinburgh, Department of Computer Science, Laboratory for Foundations of Computer Science (1988)
- Nardello, M., Desai, H., Brunelli, D., Lucia, B.: Camaroptera: A batteryless long-range remote visual sensing system. In: Proceedings of the 7th International Workshop on Energy Harvesting & Energy-Neutral Sensing Systems. pp. 8–14. ENSsys'19, ACM, New York, NY, USA (2019). https://doi.org/10.1145/3362053.3363491
- 29. NASA: What is KickSat-2? https://www.nasa.gov/ames/kicksat (2019), visited April 15th, 2022
- Pfenning, F., Davies, R.: A judgmental reconstruction of modal logic. Mathematical structures in computer science 11(4), 511–540 (2001)
- Plotkin, G., Power, J.: Semantics for algebraic operations. Electronic Notes in Theoretical Computer Science 45, 332–345 (2001)
- Plotkin, G., Pretnar, M.: Handlers of algebraic effects. In: Proceedings of the 19th European Symposium on Programming. pp. 80–94. Springer (2009)
- Pretnar, M., Plotkin, G.D.: Handling algebraic effects. Logical methods in computer science 9 (2013)
- Pruiksma, K., Pfenning, F.: A message-passing interpretation of adjoint logic. Journal of Logical and Algebraic Methods in Programming 120, 100637 (2021)
- Ransford, B., Sorber, J., Fu, K.: Mementos: System support for long-running computation on RFID-scale devices. In: Proceedings of the Sixteenth International Conference on Architectural Support for Programming Languages and Operating Systems. ASPLOS XVI (2011). https://doi.org/10.1145/1950365.1950386
- Reed, J.: A judgmental deconstruction of modal logic. Unpublished manuscript, January (2009)
- Ruppel, E., Lucia, B.: Transactional concurrency control for intermittent, energyharvesting computing systems. In: Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation. p. 1085–1100. PLDI '19 (2019). https://doi.org/10.1145/3314221.3314583
- Shavit, N., Touitou, D.: Software transactional memory. In: Proceedings of the fourteenth annual ACM symposium on Principles of distributed computing. pp. 204–213. PODC '95 (1995). https://doi.org/10.1145/224964.224987
- Surbatovich, M., Jia, L., Lucia, B.: I/o dependent idempotence bugs in intermittent systems. Proc. ACM Program. Lang. 3(OOPSLA), 183:1–183:31 (Oct 2019). https://doi.org/10.1145/3360609
- 40. Surbatovich, M., Jia, L., Lucia, B.: Automatically enforcing fresh and consistent inputs in intermittent systems. In: Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation. p. 851–866. PLDI '21, Association for Computing Machinery, New York, NY, USA (2021). https://doi.org/10.1145/3453483.3454081
- Surbatovich, M., Lucia, B., Jia, L.: Towards a formal foundation of intermittent computing. Proc. ACM Program. Lang. 4(OOPSLA) (Nov 2020). https://doi.org/10.1145/3428231
- 42. Thamsborg, J., Birkedal, L.: A kripke logical relation for effect-based program transformations. ACM SIGPLAN Notices **46**(9), 445–456 (2011)

- 43. Van Der Woude, J., Hicks, M.: Intermittent computation without hardware support or programmer intervention. In: Proceedings of OSDI'16: 12th USENIX Symposium on Operating Systems Design and Implementation (2016). https://doi.org/10.5555/3026877.3026880
- 44. Yildirim, K.S., Majid, A.Y., Patoukas, D., Schaper, K., Pawelczak, P., Hester, J.: Ink: Reactive kernel for tiny batteryless sensors. In: Proceedings of the 16th ACM Conference on Embedded Networked Sensor Systems. pp. 41–53. SenSys '18, ACM, New York, NY, USA (2018). https://doi.org/10.1145/3274783.3274837

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

