POPL 2021 – Author Index 
Authors

Aanjaneya, Mridul 
POPL '21: "An Approach to Generate Correctly ..."
An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants
Jay P. Lim, Mridul Aanjaneya, John Gustafson, and Santosh Nagarakatte (Rutgers University, USA; National University of Singapore, Singapore) Given the importance of floating point (FP) performance in numerous domains, several new variants of FP and its alternatives have been proposed (e.g., Bfloat16, TensorFloat32, and posits). These representations do not have correctly rounded math libraries. Further, the use of existing FP libraries for these new representations can produce incorrect results. This paper proposes a novel approach for generating polynomial approximations that can be used to implement correctly rounded math libraries. Existing methods generate polynomials that approximate the real value of an elementary function f(x) and produce wrong results due to approximation errors and rounding errors in the implementation. In contrast, our approach generates polynomials that approximate the correctly rounded value of f(x) (i.e., the value of f(x) rounded to the target representation). It provides more margin to identify efficient polynomials that produce correctly rounded results for all inputs. We frame the problem of generating efficient polynomials that produce correctly rounded results as a linear programming problem. Using our approach, we have developed correctly rounded, yet faster, implementations of elementary functions for multiple target representations. @Article{POPL21p29, author = {Jay P. Lim and Mridul Aanjaneya and John Gustafson and Santosh Nagarakatte}, title = {An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {29}, numpages = {30}, doi = {10.1145/3434310}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
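The key idea above, approximating the correctly rounded value rather than the real value, gives each input a whole rounding interval of acceptable polynomial outputs, and those intervals become the constraints of the linear program. A minimal Python sketch of the interval idea only (all names ours; a 2-decimal-digit fixed-point target stands in for formats like Bfloat16, and a Taylor polynomial stands in for the LP-generated one):

```python
from math import exp

def round_to_target(v, digits=2):
    # Toy target representation: round to 2 decimal digits.
    return round(v, digits)

def rounding_interval(v, digits=2):
    # Every real strictly inside (r - ulp/2, r + ulp/2) rounds to the
    # same target value r; a polynomial only needs to land in here.
    r = round_to_target(v, digits)
    half_ulp = 0.5 * 10 ** (-digits)
    return r - half_ulp, r + half_ulp

def poly_exp(x):
    # Candidate polynomial for exp on a small interval (degree-3 Taylor).
    return 1.0 + x + x * x / 2.0 + x ** 3 / 6.0

# Check that the candidate lands in the rounding interval of exp(x)
# for all sampled inputs, i.e. it produces correctly rounded results.
inputs = [i / 100.0 for i in range(0, 26)]  # [0, 0.25]
ok = all(
    lo < poly_exp(x) < hi
    for x in inputs
    for (lo, hi) in [rounding_interval(exp(x))]
)
```

In the paper, these per-input interval constraints are fed to an LP solver that searches for low-degree polynomial coefficients; here we merely verify one fixed candidate.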

Abdulla, Parosh Aziz 
POPL '21: "Deciding Reachability under ..."
Deciding Reachability under Persistent x86-TSO
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Ahmed Bouajjani, K. Narayan Kumar, and Prakash Saivasan (Uppsala University, Sweden; University of Paris, France; Chennai Mathematical Institute, India; CNRS UMI ReLaX, India; Institute of Mathematical Sciences, India) We address the reachability problem for programs running under the formal model Px86, defined recently by Raad et al. in POPL'20 for the persistent Intel x86 architecture. We prove that this problem is decidable. To achieve that, we provide a new formal model that is equivalent to Px86 and that has the feature of being a well-structured system. Deriving this new model is the result of a deep investigation of the properties of Px86 and the interplay of its components. @Article{POPL21p56, author = {Parosh Aziz Abdulla and Mohamed Faouzi Atig and Ahmed Bouajjani and K. Narayan Kumar and Prakash Saivasan}, title = {Deciding Reachability under Persistent x86-TSO}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {56}, numpages = {32}, doi = {10.1145/3434337}, year = {2021}, } Publisher's Version

Acar, Umut A. 
POPL '21: "Provably SpaceEfficient Parallel ..."
Provably SpaceEfficient Parallel Functional Programming
Jatin Arora, Sam Westrick, and Umut A. Acar (Carnegie Mellon University, USA) Because of its many desirable properties, such as its ability to control effects and thus potentially disastrous race conditions, functional programming offers a viable approach to programming modern multicore computers. Over the past decade several parallel functional languages, typically based on dialects of ML and Haskell, have been developed. These languages, however, have traditionally underperformed procedural languages (such as C and Java). The primary reason for this is their hunger for memory, which only grows with parallelism, causing traditional memory management techniques to buckle under increased demand for memory. Recent work opened a new angle of attack on this problem by identifying a memory property of determinacy-race-free parallel programs, called disentanglement, which limits the knowledge of concurrent computations about each other’s memory allocations. The work has shown some promise in delivering good time scalability. In this paper, we present provably space-efficient automatic memory management techniques for determinacy-race-free functional parallel programs, allowing both pure and imperative programs where memory may be destructively updated. We prove that for a program with sequential live memory of R^{*}, any P-processor garbage-collected parallel run requires at most O(R^{*} · P) memory. We also prove a work bound of O(W + R^{*} · P) for P-processor executions, accounting also for the cost of garbage collection. To achieve these results, we integrate thread scheduling with memory management. The idea is to coordinate memory allocation and garbage collection with thread scheduling decisions so that each processor can allocate memory without synchronization and independently collect a portion of memory by consulting a collection policy, which we formulate. The collection policy is fully distributed and does not require communicating with other processors.
We show that the approach is practical by implementing it as an extension to the MPL compiler for Parallel ML. Our experimental results confirm our theoretical bounds and show that the techniques perform and scale well. @Article{POPL21p18, author = {Jatin Arora and Sam Westrick and Umut A. Acar}, title = {Provably Space-Efficient Parallel Functional Programming}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {18}, numpages = {33}, doi = {10.1145/3434299}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Accattoli, Beniamino 
POPL '21: "The (In)Efficiency of Interaction ..."
The (In)Efficiency of Interaction
Beniamino Accattoli, Ugo Dal Lago, and Gabriele Vanoni (Inria, France; École Polytechnique, France; University of Bologna, Italy) Evaluating higher-order functional programs through abstract machines inspired by the geometry of interaction is known to induce space efficiencies, the price being time performances often poorer than those obtainable with traditional, environment-based, abstract machines. Although families of lambda-terms for which the former is exponentially less efficient than the latter do exist, it is currently unknown how general this phenomenon is, and how far the inefficiencies can go, in the worst case. We answer these questions by formulating four different well-known abstract machines inside a common definitional framework, this way being able to give sharp results about the relative time efficiencies. We also prove that non-idempotent intersection type theories are able to precisely reflect the time performances of the interactive abstract machine, this way showing that its time-inefficiency ultimately descends from the presence of higher-order types. @Article{POPL21p51, author = {Beniamino Accattoli and Ugo Dal Lago and Gabriele Vanoni}, title = {The (In)Efficiency of Interaction}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {51}, numpages = {33}, doi = {10.1145/3434332}, year = {2021}, } Publisher's Version

Aguirre, Alejandro 
POPL '21: "A Preexpectation Calculus ..."
A Preexpectation Calculus for Probabilistic Sensitivity
Alejandro Aguirre, Gilles Barthe, Justin Hsu, Benjamin Lucien Kaminski, Joost-Pieter Katoen, and Christoph Matheja (IMDEA Software Institute, Spain; Universidad Politécnica de Madrid, Spain; MPI-SP, Germany; University of Wisconsin-Madison, USA; University College London, UK; RWTH Aachen University, Germany; ETH Zurich, Switzerland) Sensitivity properties describe how changes to the input of a program affect the output, typically by upper bounding the distance between the outputs of two runs by a monotone function of the distance between the corresponding inputs. When programs are probabilistic, the distance between outputs is a distance between distributions. The Kantorovich lifting provides a general way of defining a distance between distributions by lifting the distance of the underlying sample space; by choosing an appropriate distance on the base space, one can recover other usual probabilistic distances, such as the Total Variation distance. We develop a relational pre-expectation calculus to upper bound the Kantorovich distance between two executions of a probabilistic program. We illustrate our methods by proving algorithmic stability of a machine learning algorithm, convergence of a reinforcement learning algorithm, and fast mixing for card shuffling algorithms. We also consider some extensions: using our calculus to show convergence of Markov chains to the uniform distribution over states and an asynchronous extension to reason about pairs of program executions with different control flow. @Article{POPL21p52, author = {Alejandro Aguirre and Gilles Barthe and Justin Hsu and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {A Pre-expectation Calculus for Probabilistic Sensitivity}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {52}, numpages = {28}, doi = {10.1145/3434333}, year = {2021}, } Publisher's Version
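As background for the Kantorovich lifting the abstract relies on, a small Python sketch (function names ours): with the discrete base metric the lifting collapses to total variation distance, while with base distance |x − y| on integers it reduces to the classic CDF-difference formula for Wasserstein-1.

```python
def tv_distance(p, q):
    # Kantorovich lifting of the discrete metric d(x,y) = [x != y]
    # collapses to total variation: half the L1 distance of the pmfs.
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)

def w1_distance(p, q):
    # Kantorovich (Wasserstein-1) distance for distributions on numbers
    # with base distance |x - y|: integral of |CDF_p - CDF_q|.
    keys = sorted(set(p) | set(q))
    w, cp, cq = 0.0, 0.0, 0.0
    for a, b in zip(keys, keys[1:]):
        cp += p.get(a, 0.0)   # CDFs just after point a
        cq += q.get(a, 0.0)
        w += abs(cp - cq) * (b - a)
    return w

die = {i: 1 / 6 for i in range(1, 7)}      # fair six-sided die
skewed = {1: 0.5, 6: 0.5}                  # only extremes
```

For these two distributions the total variation distance is 2/3 while the Wasserstein-1 distance is 1, illustrating how the choice of base distance changes the lifted distance.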

Ahman, Danel 
POPL '21: "Asynchronous Effects ..."
Asynchronous Effects
Danel Ahman and Matija Pretnar (University of Ljubljana, Slovenia) We explore asynchronous programming with algebraic effects. We complement their conventional synchronous treatment by showing how to naturally also accommodate asynchrony within them, namely, by decoupling the execution of operation calls into signalling that an operation’s implementation needs to be executed, and interrupting a running computation with the operation’s result, to which the computation can react by installing interrupt handlers. We formalise these ideas in a small core calculus, called λ_{æ}. We demonstrate the flexibility of λ_{æ} using examples ranging from a multi-party web application, to preemptive multithreading, to remote function calls, to a parallel variant of runners of algebraic effects. In addition, the paper is accompanied by a formalisation of λ_{æ}’s type safety proofs in Agda, and a prototype implementation of λ_{æ} in OCaml. @Article{POPL21p24, author = {Danel Ahman and Matija Pretnar}, title = {Asynchronous Effects}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {24}, numpages = {28}, doi = {10.1145/3434305}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
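A minimal operational sketch of the signal/interrupt decoupling described above, in Python (the class and method names are hypothetical stand-ins, not λ_{æ} syntax): signalling an operation does not block, and the result arrives later as an interrupt handled by an installed handler.

```python
class Runtime:
    """The environment: runs signalled operations, delivers interrupts."""
    def __init__(self, impls):
        self.impls, self.pending = impls, []

    def step(self, comp):
        # Execute one pending operation and interrupt the computation.
        op, arg = self.pending.pop(0)
        comp.interrupt(op, self.impls[op](arg))

class Computation:
    def __init__(self):
        self.handlers, self.log = {}, []

    def install(self, op, handler):
        # Install an interrupt handler for results of `op`.
        self.handlers[op] = handler

    def signal(self, op, arg, runtime):
        # Fire-and-forget: ask the environment to run `op`, keep computing.
        runtime.pending.append((op, arg))
        self.log.append(f"signalled {op}")

    def interrupt(self, op, result):
        # The environment delivers the result; the handler reacts to it.
        if op in self.handlers:
            self.handlers[op](result)

rt = Runtime({"double": lambda n: 2 * n})
comp = Computation()
comp.install("double", lambda r: comp.log.append(f"got {r}"))
comp.signal("double", 21, rt)
comp.log.append("kept working")  # the computation was never blocked
rt.step(comp)
```

The log records that the computation continued past the operation call and only later reacted to the interrupt carrying the result.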

Almagor, Shaull 
POPL '21: "Deciding ωRegular Properties ..."
Deciding ωRegular Properties on Linear Recurrence Sequences
Shaull Almagor, Toghrul Karimov, Edon Kelmendi, Joël Ouaknine, and James Worrell (Technion, Israel; MPI-SWS, Germany; University of Oxford, UK) We consider the problem of deciding ω-regular properties on infinite traces produced by linear loops. Here we think of a given loop as producing a single infinite trace that encodes information about the signs of program variables at each time step. Formally, our main result is a procedure that inputs a prefix-independent ω-regular property and a sequence of numbers satisfying a linear recurrence, and determines whether the sign description of the sequence (obtained by replacing each positive entry with “+”, each negative entry with “−”, and each zero entry with “0”) satisfies the given property. Our procedure requires that the recurrence be simple, i.e., that the update matrix of the underlying loop be diagonalisable. This assumption is instrumental in proving our key technical lemma: namely that the sign description of a simple linear recurrence sequence is almost periodic in the sense of Muchnik, Sem'enov, and Ushakov. To complement this lemma, we give an example of a linear recurrence sequence whose sign description fails to be almost periodic. Generalising from sign descriptions, we also consider the verification of properties involving semialgebraic predicates on program variables. @Article{POPL21p48, author = {Shaull Almagor and Toghrul Karimov and Edon Kelmendi and Joël Ouaknine and James Worrell}, title = {Deciding ω-Regular Properties on Linear Recurrence Sequences}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {48}, numpages = {24}, doi = {10.1145/3434329}, year = {2021}, } Publisher's Version
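The sign description is easy to compute for a concrete simple linear recurrence. A short Python sketch (our names): the order-2 recurrence s(k+2) = s(k+1) − s(k) has update matrix [[0,1],[−1,1]], which is diagonalisable (distinct complex eigenvalues), and its sign description is periodic with period 6, so every ω-regular property on it is decidable by inspecting one period.

```python
def sign_description(a, b, coeffs, n):
    """First n signs of the LRS s(k+2) = c1*s(k+1) + c0*s(k),
    with s(0) = a, s(1) = b, written as '+', '-', '0'."""
    c0, c1 = coeffs
    s = [a, b]
    while len(s) < n:
        s.append(c1 * s[-1] + c0 * s[-2])
    return ''.join('+' if v > 0 else '-' if v < 0 else '0' for v in s[:n])

# s(k+2) = s(k+1) - s(k): signs repeat with period 6.
desc = sign_description(1, 1, (-1, 1), 12)
```

Here `desc` comes out as two repetitions of the block `++0--0`, so, for instance, the ω-regular property "infinitely many '+' entries" holds.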

Angiuli, Carlo 
POPL '21: "Internalizing Representation ..."
Internalizing Representation Independence with Univalence
Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner (Carnegie Mellon University, USA; Stockholm University, Sweden) In their usual form, representation independence metatheorems provide an external guarantee that two implementations of an abstract interface are interchangeable when they are related by an operation-preserving correspondence. If our programming language is dependently-typed, however, we would like to appeal to such invariance results within the language itself, in order to obtain correctness theorems for complex implementations by transferring them from simpler, related implementations. Recent work in proof assistants has shown that Voevodsky's univalence principle allows transferring theorems between isomorphic types, but many instances of representation independence in programming involve non-isomorphic representations. In this paper, we develop techniques for establishing internal relational representation independence results in dependent type theory, by using higher inductive types to simultaneously quotient two related implementation types by a heterogeneous correspondence between them. The correspondence becomes an isomorphism between the quotiented types, thereby allowing us to obtain an equality of implementations by univalence. We illustrate our techniques by considering applications to matrices, queues, and finite multisets. Our results are all formalized in Cubical Agda, a recent extension of Agda which supports univalence and higher inductive types in a computationally well-behaved way. @Article{POPL21p12, author = {Carlo Angiuli and Evan Cavallo and Anders Mörtberg and Max Zeuner}, title = {Internalizing Representation Independence with Univalence}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {12}, numpages = {30}, doi = {10.1145/3434293}, year = {2021}, } Publisher's Version Artifacts Functional
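The kind of heterogeneous, operation-preserving correspondence the paper quotients by can be illustrated in plain Python with its queue example: a list-based queue and a two-stack queue related by "represents the same abstract sequence". (The real development is internal to Cubical Agda; this sketch, with names of our choosing, only checks the correspondence dynamically.)

```python
class ListQueue:
    def __init__(self): self.xs = []
    def enqueue(self, x): self.xs.append(x)
    def dequeue(self): return self.xs.pop(0)

class TwoStackQueue:
    # Amortised O(1) queue built from two stacks.
    def __init__(self): self.front, self.back = [], []
    def enqueue(self, x): self.back.append(x)
    def dequeue(self):
        if not self.front:
            while self.back:
                self.front.append(self.back.pop())
        return self.front.pop()

def related(q1, q2):
    # The heterogeneous correspondence: both states denote the
    # same abstract sequence of queued elements.
    return q1.xs == list(reversed(q2.front)) + q2.back

q1, q2 = ListQueue(), TwoStackQueue()
for x in [1, 2, 3]:
    q1.enqueue(x); q2.enqueue(x)
same = related(q1, q2) and q1.dequeue() == q2.dequeue() and related(q1, q2)
```

The correspondence is preserved by every operation even though the two representations are not isomorphic as raw data; quotienting by it (via a higher inductive type) is what turns this into an equality of types in the paper.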

Arashloo, Mina Tahmasbi 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus over-approximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed.
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
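The target-interface idea can be caricatured in a few lines of Python (an entirely hypothetical miniature, not Petr4's actual OCaml interface): the interpreter core never mentions a concrete device, and everything a target delegates, such as extern objects, is dispatched through a pluggable target object.

```python
class Target:
    """Hypothetical stand-in for a target interface: everything a
    concrete device delegates (externs, packet I/O) lives here."""
    def run_extern(self, name, args):
        raise NotImplementedError

class CounterTarget(Target):
    # One concrete target providing a single "count" extern.
    def __init__(self): self.count = 0
    def run_extern(self, name, args):
        if name == "count":
            self.count += 1
            return self.count

def interpret(program, target):
    # Toy interpreter parameterized over the target: the core loop is
    # target-agnostic and only calls out through the interface.
    out = []
    for kind, *rest in program:
        if kind == "set":
            out.append(("set", rest[0], rest[1]))
        elif kind == "extern":
            out.append(("extern", target.run_extern(rest[0], rest[1:])))
    return out

trace = interpret([("set", "ttl", 64), ("extern", "count")], CounterTarget())
```

Swapping in a different `Target` subclass changes only the extern behavior, never the interpreter, which mirrors how Petr4 keeps its definitional interpreter independent of any particular device.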

Arora, Jatin 
POPL '21: "Provably SpaceEfficient Parallel ..."
Provably SpaceEfficient Parallel Functional Programming
Jatin Arora, Sam Westrick, and Umut A. Acar (Carnegie Mellon University, USA) Because of its many desirable properties, such as its ability to control effects and thus potentially disastrous race conditions, functional programming offers a viable approach to programming modern multicore computers. Over the past decade several parallel functional languages, typically based on dialects of ML and Haskell, have been developed. These languages, however, have traditionally underperformed procedural languages (such as C and Java). The primary reason for this is their hunger for memory, which only grows with parallelism, causing traditional memory management techniques to buckle under increased demand for memory. Recent work opened a new angle of attack on this problem by identifying a memory property of determinacy-race-free parallel programs, called disentanglement, which limits the knowledge of concurrent computations about each other’s memory allocations. The work has shown some promise in delivering good time scalability. In this paper, we present provably space-efficient automatic memory management techniques for determinacy-race-free functional parallel programs, allowing both pure and imperative programs where memory may be destructively updated. We prove that for a program with sequential live memory of R^{*}, any P-processor garbage-collected parallel run requires at most O(R^{*} · P) memory. We also prove a work bound of O(W + R^{*} · P) for P-processor executions, accounting also for the cost of garbage collection. To achieve these results, we integrate thread scheduling with memory management. The idea is to coordinate memory allocation and garbage collection with thread scheduling decisions so that each processor can allocate memory without synchronization and independently collect a portion of memory by consulting a collection policy, which we formulate. The collection policy is fully distributed and does not require communicating with other processors.
We show that the approach is practical by implementing it as an extension to the MPL compiler for Parallel ML. Our experimental results confirm our theoretical bounds and show that the techniques perform and scale well. @Article{POPL21p18, author = {Jatin Arora and Sam Westrick and Umut A. Acar}, title = {Provably Space-Efficient Parallel Functional Programming}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {18}, numpages = {33}, doi = {10.1145/3434299}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Atig, Mohamed Faouzi 
POPL '21: "Deciding Reachability under ..."
Deciding Reachability under Persistent x86-TSO
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Ahmed Bouajjani, K. Narayan Kumar, and Prakash Saivasan (Uppsala University, Sweden; University of Paris, France; Chennai Mathematical Institute, India; CNRS UMI ReLaX, India; Institute of Mathematical Sciences, India) We address the reachability problem for programs running under the formal model Px86, defined recently by Raad et al. in POPL'20 for the persistent Intel x86 architecture. We prove that this problem is decidable. To achieve that, we provide a new formal model that is equivalent to Px86 and that has the feature of being a well-structured system. Deriving this new model is the result of a deep investigation of the properties of Px86 and the interplay of its components. @Article{POPL21p56, author = {Parosh Aziz Abdulla and Mohamed Faouzi Atig and Ahmed Bouajjani and K. Narayan Kumar and Prakash Saivasan}, title = {Deciding Reachability under Persistent x86-TSO}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {56}, numpages = {32}, doi = {10.1145/3434337}, year = {2021}, } Publisher's Version

Atkinson, Eric 
POPL '21: "Simplifying Dependent Reductions ..."
Simplifying Dependent Reductions in the Polyhedral Model
Cambridge Yang, Eric Atkinson, and Michael Carbin (Massachusetts Institute of Technology, USA) A reduction – an accumulation over a set of values, using an associative and commutative operator – is a common computation in many numerical applications, including scientific computing, machine learning, computer vision, and financial analytics. Contemporary polyhedral-based compilation techniques make it possible to optimize reductions, such as prefix sums, in which each component of the reduction’s output potentially shares computation with another component in the reduction. Therefore, an optimizing compiler can identify the computation shared between multiple components and generate code that computes the shared computation only once. These techniques, however, do not support reductions that – when phrased in the language of the polyhedral model – span multiple dependent statements. In such cases, existing approaches can generate incorrect code that violates the data dependences of the original, unoptimized program. In this work, we identify and formalize the optimization of dependent reductions as an integer bilinear program. We present a heuristic optimization algorithm that uses an affine sequential schedule of the program to determine how to simplify reductions yet still preserve the program’s dependences. We demonstrate that the algorithm provides optimal complexity for a set of benchmark programs from the literature on probabilistic inference algorithms, whose performance critically relies on simplifying these reductions. The complexities for 10 of the 11 programs improve significantly, by factors at least as large as the sizes of the input data, which are in the range of 10^{4} to 10^{6} for typical real application inputs. We also confirm the significance of the improvement by showing speedups in wall-clock time that range from 1.1x to over 10^{6}x.
@Article{POPL21p20, author = {Cambridge Yang and Eric Atkinson and Michael Carbin}, title = {Simplifying Dependent Reductions in the Polyhedral Model}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {20}, numpages = {33}, doi = {10.1145/3434301}, year = {2021}, } Publisher's Version 
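Prefix sums are the canonical instance of the sharing the abstract mentions. A quick Python sketch of an unoptimized reduction versus its simplified form (the paper performs this transformation on polyhedral IR, not Python): each output of the naive version recomputes the whole sum, while the simplified version shares the running total between adjacent outputs.

```python
def prefix_sums_naive(xs):
    # Each output component recomputes its sum: O(n^2) additions.
    return [sum(xs[:i + 1]) for i in range(len(xs))]

def prefix_sums_simplified(xs):
    # Share computation between adjacent components: O(n) additions.
    out, acc = [], 0
    for x in xs:
        acc += x
        out.append(acc)
    return out
```

The dependent-reduction problem the paper solves is exactly that such simplification must not reorder computations in a way that violates dependences between the statements the reduction spans.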

Bahr, Patrick 
POPL '21: "Diamonds Are Not Forever: ..."
Diamonds Are Not Forever: Liveness in Reactive Programming with Guarded Recursion
Patrick Bahr, Christian Uldal Graulund, and Rasmus Ejlers Møgelberg (IT University of Copenhagen, Denmark) When designing languages for functional reactive programming (FRP) the main challenge is to provide the user with a simple, flexible interface for writing programs on a high level of abstraction while ensuring that all programs can be implemented efficiently in a low-level language. To meet this challenge, a new family of modal FRP languages has been proposed, in which variants of Nakano's guarded fixed point operator are used for writing recursive programs guaranteeing properties such as causality and productivity. As an apparent extension to this it has also been suggested to use Linear Temporal Logic (LTL) as a language for reactive programming through the Curry-Howard isomorphism, allowing properties such as termination, liveness and fairness to be encoded in types. However, these two ideas are in conflict with each other, since the fixed point operator introduces non-termination into the inductive types that are supposed to provide termination guarantees. In this paper we show that by regarding the modal time step operator of LTL as a submodality of the one used for guarded recursion (rather than equating them), one can obtain a modal type system capable of expressing liveness properties while retaining the power of the guarded fixed point operator. We introduce the language Lively RaTT, a modal FRP language with a guarded fixed point operator and an `until' type constructor as in LTL, and show how to program with events and fair streams. Using a step-indexed Kripke logical relation we prove operational properties of Lively RaTT including productivity and causality as well as the termination and liveness properties expected of types from LTL. Finally, we prove that the type system of Lively RaTT guarantees the absence of implicit space leaks.
@Article{POPL21p2, author = {Patrick Bahr and Christian Uldal Graulund and Rasmus Ejlers Møgelberg}, title = {Diamonds Are Not Forever: Liveness in Reactive Programming with Guarded Recursion}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {2}, numpages = {28}, doi = {10.1145/3434283}, year = {2021}, } Publisher's Version 

Bañados Schwerter, Felipe 
POPL '21: "Abstracting Gradual Typing ..."
Abstracting Gradual Typing Moving Forward: Precise and SpaceEfficient
Felipe Bañados Schwerter, Alison M. Clark, Khurram A. Jafery, and Ronald Garcia (University of British Columbia, Canada; Amazon, Canada) Abstracting Gradual Typing (AGT) is a systematic approach to designing gradually-typed languages. Languages developed using AGT automatically satisfy the formal semantic criteria for gradual languages identified by Siek et al. Nonetheless, vanilla AGT semantics can still have important shortcomings. First, a gradual language's runtime checks should preserve the space-efficiency guarantees inherent to the underlying static and dynamic languages. To the contrary, the default operational semantics of AGT break proper tail calls. Second, a gradual language's runtime checks should enforce basic modular type-based invariants expected from the static type discipline. To the contrary, the default operational semantics of AGT may fail to enforce some invariants in surprising ways. We demonstrate this in the GTFL_{≲} language of Garcia et al. This paper addresses both problems at once by refining the theory underlying AGT's dynamic checks. Garcia et al. observe that AGT involves two abstractions of static types: one for the static semantics and one for the dynamic semantics. We recast the latter as an abstract interpretation of subtyping itself, while gradual types still abstract static types. Then we show how forward-completeness (Giacobazzi and Quintarelli) is key to supporting both space-efficient execution and reliable runtime type enforcement. @Article{POPL21p61, author = {Felipe Bañados Schwerter and Alison M. Clark and Khurram A. Jafery and Ronald Garcia}, title = {Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {61}, numpages = {28}, doi = {10.1145/3434342}, year = {2021}, } Publisher's Version
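Why naive cast accumulation breaks proper tail calls can be modeled abstractly: each iteration of a tail-recursive loop installs a pending cast, and only composing adjacent casts keeps the pending work bounded. The Python below is a deliberately crude model (casts as source/target pairs, composition as pair-collapsing; real AGT evidence and its composition are computed by abstract interpretation of subtyping, which this sketch does not attempt):

```python
def run_loop(n, space_efficient):
    """Model n tail calls in a gradual language. Without composition the
    stack of pending casts grows with n (no proper tail calls); with
    composition it stays at one pending cast."""
    pending, max_depth = [], 0
    for _ in range(n):
        pending.append(("dyn", "int"))  # cast installed by this call site
        if space_efficient and len(pending) == 2:
            newer = pending.pop()
            older = pending.pop()
            # Collapse <s => t> ; <t' => u> into a single pending cast.
            pending.append((older[0], newer[1]))
        max_depth = max(max_depth, len(pending))
    return max_depth
```

The point of the paper's forward-completeness condition is, roughly, that such composition can be done without losing the precision needed to enforce the type invariants; this sketch only shows the space behavior.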

Banerjee, Anindya 
POPL '21: "On Algebraic Abstractions ..."
On Algebraic Abstractions for Concurrent Separation Logics
František Farka, Aleksandar Nanevski, Anindya Banerjee, Germán Andrés Delbianco, and Ignacio Fábregas (IMDEA Software Institute, Spain; Nomadic Labs, France; Complutense University of Madrid, Spain) Concurrent separation logic is distinguished by transfer of state ownership upon parallel composition and framing. The algebraic structure that underpins ownership transfer is that of partial commutative monoids (PCMs). Extant research considers ownership transfer primarily from the logical perspective, while comparatively less attention is drawn to the algebraic considerations. This paper provides an algebraic formalization of ownership transfer in concurrent separation logic by means of structure-preserving partial functions (i.e., morphisms) between PCMs, and an associated notion of separating relations. Morphisms of structures are a standard concept in algebra and category theory, but have not previously seen widespread use in separation logic. Separating relations are binary relations that generalize disjointness and characterize the inputs on which morphisms preserve structure. The two abstractions facilitate verification by enabling concise ways of writing specs, by providing abstract views of threads' states that are preserved under ownership transfer, and by enabling user-level construction of new PCMs out of existing ones. @Article{POPL21p5, author = {František Farka and Aleksandar Nanevski and Anindya Banerjee and Germán Andrés Delbianco and Ignacio Fábregas}, title = {On Algebraic Abstractions for Concurrent Separation Logics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {5}, numpages = {32}, doi = {10.1145/3434286}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional
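The PCM-morphism and separating-relation vocabulary can be made concrete with the standard heap PCM, sketched in Python (names ours; the paper works with arbitrary PCMs, not just heaps): the join is disjoint union and is partial, disjointness is the separating relation, and heap size is a morphism into the PCM of naturals under addition.

```python
def join_heaps(h1, h2):
    # The PCM of heaps: join is disjoint union, undefined (None)
    # when the domains overlap.
    return None if set(h1) & set(h2) else {**h1, **h2}

def separate(h1, h2):
    # A separating relation: the inputs on which the morphism below
    # preserves structure (here, plain domain disjointness).
    return not (set(h1) & set(h2))

def size(h):
    # A PCM morphism from heaps to (nat, +, 0):
    # size(h1 . h2) = size(h1) + size(h2) whenever h1, h2 are separate.
    return len(h)

h1, h2 = {"x": 1}, {"y": 2}
law_holds = separate(h1, h2) and size(join_heaps(h1, h2)) == size(h1) + size(h2)
```

Ownership transfer moves entries between separate heaps; the morphism law guarantees that the abstract view (here, the size) is insensitive to how ownership is split.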

Barrière, Aurèle 
POPL '21: "Formally Verified Speculation ..."
Formally Verified Speculation and Deoptimization in a JIT Compiler
Aurèle Barrière, Sandrine Blazy, Olivier Flückiger, David Pichardie, and Jan Vitek (University of Rennes, France; Inria, France; CNRS, France; IRISA, France; Northeastern University, USA; Czech Technical University, Czechia) Just-in-time compilers for dynamic languages routinely generate code under assumptions that may be invalidated at run time; this allows for specialization of program code to the common case in order to avoid unnecessary overheads due to uncommon cases. This form of software speculation requires support for deoptimization when some of the assumptions fail to hold. This paper presents a model just-in-time compiler with an intermediate representation that makes explicit the synchronization points used for deoptimization and the assumptions made by the compiler's speculation. We also present several common compiler optimizations that can leverage speculation to generate improved code. The optimizations are proved correct with the help of a proof assistant. While our work stops short of proving native code generation, we demonstrate how one could use the verified optimizations to obtain significant speedups in an end-to-end setting. @Article{POPL21p46, author = {Aurèle Barrière and Sandrine Blazy and Olivier Flückiger and David Pichardie and Jan Vitek}, title = {Formally Verified Speculation and Deoptimization in a JIT Compiler}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {46}, numpages = {26}, doi = {10.1145/3434327}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
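A toy model of speculation with deoptimization (hypothetical names; the paper's IR and proofs concern a verified JIT, not Python): the specialized loop runs under the assumption that every element is an int, and a guard at a synchronization point transfers the live state (loop index, running total) to the baseline version when the assumption fails.

```python
def generic_sum(xs, start=0, total=0):
    # Baseline version; can resume from a deoptimization point.
    for i in range(start, len(xs)):
        total = total + xs[i]
    return total

def speculative_sum(xs):
    """Specialized under the assumption that every element is an int.
    On guard failure, live state is reconstructed in the baseline
    version: deoptimization."""
    total = 0
    for i, x in enumerate(xs):
        if type(x) is not int:                 # guard / synchronization point
            return generic_sum(xs, i, total)   # deoptimize with live state
        total += x                             # specialized fast path
    return total
```

The delicate part that the paper verifies is precisely this state transfer: the deoptimized continuation must observe exactly the state the specialized code had at the synchronization point.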

Barthe, Gilles 
POPL '21: "Deciding Accuracy of Differential ..."
Deciding Accuracy of Differential Privacy Schemes
Gilles Barthe, Rohit Chadha, Paul Krogmeier, A. Prasad Sistla, and Mahesh Viswanathan (MPI-SP, Germany; University of Missouri, USA; University of Illinois at Urbana-Champaign, USA; University of Illinois at Chicago, USA) Differential privacy is a mathematical framework for developing statistical computations with provable guarantees of privacy and accuracy. In contrast to the privacy component of differential privacy, which has a clear mathematical and intuitive meaning, the accuracy component of differential privacy does not have a generally accepted definition; accuracy claims of differential privacy algorithms vary from algorithm to algorithm and are not instantiations of a general definition. We identify program discontinuity as a common theme in existing ad hoc definitions and introduce an alternative notion of accuracy parametrized by a per-input quantity: for an input x, a deterministic computation f, and a distance d, it is the minimal distance d(x,y) over all y such that f(y) ≠ f(x). We show that our notion of accuracy subsumes the definition used in theoretical computer science, and captures known accuracy claims for differential privacy algorithms. In fact, our general notion of accuracy helps us prove better claims in some cases. Next, we study the decidability of accuracy. We first show that accuracy is in general undecidable. Then, we define a nontrivial class of probabilistic computations for which accuracy is decidable (unconditionally, or assuming Schanuel’s conjecture). We implement our decision procedure and experimentally evaluate the effectiveness of our approach for generating proofs or counterexamples of accuracy for common algorithms from the literature. @Article{POPL21p8, author = {Gilles Barthe and Rohit Chadha and Paul Krogmeier and A. Prasad Sistla and Mahesh Viswanathan}, title = {Deciding Accuracy of Differential Privacy Schemes}, journal = {Proc. ACM Program.
Lang.}, volume = {5}, number = {POPL}, articleno = {8}, numpages = {30}, doi = {10.1145/3434289}, year = {2021}, } Publisher's Version Artifacts Functional POPL '21: "A Pre-expectation Calculus ..." A Pre-expectation Calculus for Probabilistic Sensitivity Alejandro Aguirre , Gilles Barthe , Justin Hsu , Benjamin Lucien Kaminski, Joost-Pieter Katoen , and Christoph Matheja (IMDEA Software Institute, Spain; Universidad Politécnica de Madrid, Spain; MPI-SP, Germany; University of Wisconsin-Madison, USA; University College London, UK; RWTH Aachen University, Germany; ETH Zurich, Switzerland) Sensitivity properties describe how changes to the input of a program affect the output, typically by upper bounding the distance between the outputs of two runs by a monotone function of the distance between the corresponding inputs. When programs are probabilistic, the distance between outputs is a distance between distributions. The Kantorovich lifting provides a general way of defining a distance between distributions by lifting the distance of the underlying sample space; by choosing an appropriate distance on the base space, one can recover other usual probabilistic distances, such as the Total Variation distance. We develop a relational pre-expectation calculus to upper bound the Kantorovich distance between two executions of a probabilistic program. We illustrate our methods by proving algorithmic stability of a machine learning algorithm, convergence of a reinforcement learning algorithm, and fast mixing for card shuffling algorithms. We also consider some extensions: using our calculus to show convergence of Markov chains to the uniform distribution over states and an asynchronous extension to reason about pairs of program executions with different control flow.
@Article{POPL21p52, author = {Alejandro Aguirre and Gilles Barthe and Justin Hsu and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {A Pre-expectation Calculus for Probabilistic Sensitivity}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {52}, numpages = {28}, doi = {10.1145/3434333}, year = {2021}, } Publisher's Version 
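The Kantorovich lifting mentioned in the abstract above can be made concrete in a few lines. The sketch below is not from the paper (all names are ours): it checks, on a toy pair of probability mass functions, that lifting the discrete metric d(x,y) = [x ≠ y] recovers the Total Variation distance.

```python
def tv_distance(p, q):
    """Total variation distance: half the L1 distance between two pmfs."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in support)

def kantorovich_discrete(p, q):
    """Kantorovich distance over the discrete metric d(x, y) = [x != y].
    The optimal coupling keeps min(p(x), q(x)) mass on the diagonal
    (cost 0), so the total cost is 1 - sum_x min(p(x), q(x))."""
    support = set(p) | set(q)
    return 1.0 - sum(min(p.get(x, 0.0), q.get(x, 0.0)) for x in support)

p = {"a": 0.5, "b": 0.3, "c": 0.2}
q = {"a": 0.2, "b": 0.3, "d": 0.5}
# The two notions coincide, as the abstract states.
assert abs(tv_distance(p, q) - kantorovich_discrete(p, q)) < 1e-12
```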

Batz, Kevin 
POPL '21: "Relatively Complete Verification ..."
Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning
Kevin Batz , Benjamin Lucien Kaminski , Joost-Pieter Katoen , and Christoph Matheja (RWTH Aachen University, Germany; University College London, UK; ETH Zurich, Switzerland) We study a syntax for specifying quantitative assertions—functions mapping program states to numbers—for probabilistic program verification. We prove that our syntax is expressive in the following sense: Given any probabilistic program C, if a function f is expressible in our syntax, then the function mapping each initial state σ to the expected value of f evaluated in the final states reached after termination of C on σ (also called the weakest preexpectation wp[C](f)) is also expressible in our syntax. As a consequence, we obtain a relatively complete verification system for reasoning about expected values and probabilities in the sense of Cook: given f, g, and C, checking whether g ≼ wp[C](f) reduces to proving a single inequality between two functions given by syntactic expressions in our language. @Article{POPL21p39, author = {Kevin Batz and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {39}, numpages = {30}, doi = {10.1145/3434320}, year = {2021}, } Publisher's Version 
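As a quick illustration of the weakest preexpectation wp[C](f) discussed above, here is a hedged sketch with our own toy semantics (not the paper's syntax): a probabilistic program is modelled as a map from an initial state to a finite distribution over final states, and wp[C](f) maps an initial state to the expected value of f over those final states.

```python
def wp(program, f):
    """wp[C](f): maps an initial state to the expected value of f
    over the distribution of final states of C started in that state."""
    def pre(state):
        return sum(prob * f(final) for prob, final in program(state))
    return pre

# Toy program C: with probability 1/2 increment x, else leave the state unchanged.
def coin_inc(state):
    return [(0.5, {**state, "x": state["x"] + 1}), (0.5, state)]

f = lambda s: s["x"]        # post-expectation: the final value of x
g = wp(coin_inc, f)         # pre-expectation as a function of the initial state
assert g({"x": 3}) == 3.5   # E[x] = 3 + 1/2
```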

Baumann, Pascal 
POPL '21: "Context-Bounded Verification ..."
Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs
Pascal Baumann , Rupak Majumdar , Ramanathan S. Thinniyam , and Georg Zetzsche (MPI-SWS, Germany) We study context-bounded verification of liveness properties of multithreaded, shared-memory programs, where each thread can spawn additional threads. Our main result shows that context-bounded fair termination is decidable for the model; context-bounded means that each spawned thread can be context switched a fixed constant number of times. Our proof is technical, since fair termination requires reasoning about the composition of unboundedly many threads, each with an unboundedly large stack. In fact, techniques for related problems, which depend crucially on replacing the pushdown threads with finite-state threads, are not applicable. Instead, we introduce an extension of vector addition systems with states (VASS), called VASS with balloons (VASSB), as an intermediate model; it is an infinite-state model of independent interest. A VASSB allows tokens that are themselves markings (balloons). We show that context-bounded fair termination reduces to fair termination for VASSB. We show the latter problem is decidable by showing a series of reductions: from fair termination to configuration reachability for VASSB and thence to the reachability problem for VASS. For a lower bound, fair termination is known to be non-elementary already in the special case where threads run to completion (no context switches). We also show that the simpler problem of context-bounded termination is 2EXPSPACE-complete, matching the complexity bound (and indeed the techniques) for safety verification. Additionally, we show that the related problem of fair starvation, which checks if some thread can be starved along a fair run, is also decidable in the context-bounded case. The decidability proof employs an intricate reduction from fair starvation to fair termination. Like fair termination, this problem is also non-elementary. @Article{POPL21p44, author = {Pascal Baumann and Rupak Majumdar and Ramanathan S. 
Thinniyam and Georg Zetzsche}, title = {Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {44}, numpages = {31}, doi = {10.1145/3434325}, year = {2021}, } Publisher's Version 

Bautista, Santiago 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges , Mina Tahmasbi Arashloo, Santiago Bautista , Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson , Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus overapproximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
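The "interpreter parameterized over a target interface" idea can be sketched in miniature. Everything below is hypothetical (the `Target` class, the `count` extern, and `SoftwareSwitch` are ours, not Petr4's API); it only illustrates how target-specific behavior can be confined behind a single interface.

```python
class Target:
    """Target interface: everything the core language delegates (externs)."""
    def extern(self, name, args):
        raise NotImplementedError

class SoftwareSwitch(Target):
    """One hypothetical target: implements a 'count' extern statefully."""
    def extern(self, name, args):
        if name == "count":
            self.hits = getattr(self, "hits", 0) + 1
            return self.hits
        raise KeyError(name)

def interpret(expr, env, target):
    """Tiny definitional interpreter; target-specific behavior is
    reachable only through the Target interface."""
    kind = expr[0]
    if kind == "lit":
        return expr[1]
    if kind == "var":
        return env[expr[1]]
    if kind == "add":
        return interpret(expr[1], env, target) + interpret(expr[2], env, target)
    if kind == "extern":
        args = [interpret(a, env, target) for a in expr[2]]
        return target.extern(expr[1], args)
    raise ValueError(kind)

t = SoftwareSwitch()
# 1 + count() where count() returns 1 on its first call
assert interpret(("add", ("lit", 1), ("extern", "count", [])), {}, t) == 2
```

Swapping in a different `Target` subclass changes the externs' behavior without touching the interpreter, which is the point of the design.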

Bay, Johan 
POPL '21: "Mechanized Logical Relations ..."
Mechanized Logical Relations for Termination-Insensitive Noninterference
Simon Oddershede Gregersen , Johan Bay, Amin Timany , and Lars Birkedal (Aarhus University, Denmark) We present an expressive information-flow control type system with recursive types, existential types, label polymorphism, and impredicative type polymorphism for a higher-order programming language with higher-order state. We give a novel semantic model of this type system and show that well-typed programs satisfy termination-insensitive noninterference. Our semantic approach supports compositional integration of syntactically well-typed and syntactically ill-typed (but semantically sound) components, which we demonstrate through several interesting examples. We define our model using logical relations on top of the Iris program logic framework; to capture termination-insensitivity, we develop a novel language-agnostic theory of Modal Weakest Preconditions. We formalize all of our theory and examples in the Coq proof assistant. @Article{POPL21p10, author = {Simon Oddershede Gregersen and Johan Bay and Amin Timany and Lars Birkedal}, title = {Mechanized Logical Relations for Termination-Insensitive Noninterference}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {10}, numpages = {29}, doi = {10.1145/3434291}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
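Noninterference as described above can be approximated by a black-box test: fix the public input, vary the secret, and require the public output to stay the same. A minimal sketch (a test, not a proof, and not the paper's semantic model):

```python
def check_noninterference(prog, publics, secrets):
    """Empirically test noninterference: for each public input, the
    public output must not vary with the secret input."""
    for pub in publics:
        outs = {prog(pub, sec) for sec in secrets}
        if len(outs) > 1:
            return False  # the secret influenced a public observation
    return True

leaky  = lambda pub, sec: pub + sec % 2   # public output depends on the secret
secure = lambda pub, sec: pub * 2         # secret never reaches the output

assert not check_noninterference(leaky,  [0, 1], [0, 1, 2])
assert check_noninterference(secure, [0, 1], [0, 1, 2])
```

Note the test is termination-insensitive only in the trivial sense that it never runs diverging programs; the paper's semantic model handles divergence properly.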

Benedikt, Michael 
POPL '21: "Generating Collection Transformations ..."
Generating Collection Transformations from Proofs
Michael Benedikt and Pierre Pradic (University of Oxford, UK) Nested relations, built up from atomic types via product and set types, form a rich data model. Over the last decades the nested relational calculus, NRC, has emerged as a standard language for defining transformations on nested collections. NRC is a strongly-typed functional language which allows building up transformations using tupling and projections, a singleton-former, and a map operation that lifts transformations on tuples to transformations on sets. In this work we describe an alternative declarative method of describing transformations in logic. A formula with distinguished inputs and outputs gives an implicit definition if one can prove that for each input there is only one output that satisfies it. Our main result shows that one can synthesize transformations from proofs that a formula provides an implicit definition, where the proof is in an intuitionistic calculus that captures a natural style of reasoning about nested collections. Our polynomial-time synthesis procedure is based on an analog of Craig's interpolation lemma, starting with a provable containment between terms representing nested collections and generating an NRC expression that interpolates between them. We further show that NRC expressions that implement an implicit definition can be found when there is a classical proof of functionality, not just when there is an intuitionistic one. That is, whenever a formula implicitly defines a transformation, there is an NRC expression that implements it. @Article{POPL21p14, author = {Michael Benedikt and Pierre Pradic}, title = {Generating Collection Transformations from Proofs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {14}, numpages = {28}, doi = {10.1145/3434295}, year = {2021}, } Publisher's Version 
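NRC's core combinators (tupling, a singleton-former, and a set-valued map) are easy to mimic with ordinary sets. A rough sketch with our own names, using frozensets so that sets can nest:

```python
# NRC-style combinators over nested collections, modelled with frozensets.
singleton = lambda x: frozenset([x])

def nrc_map(f, s):
    """Lift a set-valued transformation on elements to sets, taking the
    union of the results (NRC's map combined with big union)."""
    return frozenset(y for x in s for y in f(x))

# A nested relation: pairs of a key and an inner set of values.
pairs = frozenset([(1, frozenset([10, 20])), (2, frozenset([30]))])

# Flatten it: collect every inner element tagged with its outer key.
flat = nrc_map(lambda p: nrc_map(lambda v: singleton((p[0], v)), p[1]), pairs)
assert flat == frozenset([(1, 10), (1, 20), (2, 30)])
```

The paper's contribution is synthesizing such expressions from proofs rather than writing them by hand, which this sketch does not attempt.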

Birkedal, Lars 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges , Armaël Guéneau , Thomas Van Strydonck, Amin Timany , Alix Trieu , Sander Huyghebaert , Dominique Devriese , and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional POPL '21: "Distributed Causal Memory: ..." 
Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic Léon Gondelman , Simon Oddershede Gregersen , Abel Nieto , Amin Timany , and Lars Birkedal (Aarhus University, Denmark) We present the first specification and verification of an implementation of a causally-consistent distributed database that supports modular verification of full functional correctness properties of clients and servers. We specify and reason about the causally-consistent distributed database in Aneris, a higher-order distributed separation logic for an ML-like programming language with network primitives for programming distributed systems. We demonstrate that our specifications are useful, by proving the correctness of small, but tricky, synthetic examples involving causal dependency and by verifying a session manager library implemented on top of the distributed database. We use Aneris's facilities for modular specification and verification to obtain a highly modular development, where each component is verified in isolation, relying only on the specifications (not the implementations) of other components. We have used the Coq formalization of the Aneris logic to formalize all the results presented in the paper in the Coq proof assistant. @Article{POPL21p42, author = {Léon Gondelman and Simon Oddershede Gregersen and Abel Nieto and Amin Timany and Lars Birkedal}, title = {Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {42}, numpages = {29}, doi = {10.1145/3434323}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional POPL '21: "Mechanized Logical Relations ..." 
Mechanized Logical Relations for Termination-Insensitive Noninterference Simon Oddershede Gregersen , Johan Bay, Amin Timany , and Lars Birkedal (Aarhus University, Denmark) We present an expressive information-flow control type system with recursive types, existential types, label polymorphism, and impredicative type polymorphism for a higher-order programming language with higher-order state. We give a novel semantic model of this type system and show that well-typed programs satisfy termination-insensitive noninterference. Our semantic approach supports compositional integration of syntactically well-typed and syntactically ill-typed (but semantically sound) components, which we demonstrate through several interesting examples. We define our model using logical relations on top of the Iris program logic framework; to capture termination-insensitivity, we develop a novel language-agnostic theory of Modal Weakest Preconditions. We formalize all of our theory and examples in the Coq proof assistant. @Article{POPL21p10, author = {Simon Oddershede Gregersen and Johan Bay and Amin Timany and Lars Birkedal}, title = {Mechanized Logical Relations for Termination-Insensitive Noninterference}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {10}, numpages = {29}, doi = {10.1145/3434291}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Blazy, Sandrine 
POPL '21: "Formally Verified Speculation ..."
Formally Verified Speculation and Deoptimization in a JIT Compiler
Aurèle Barrière , Sandrine Blazy , Olivier Flückiger , David Pichardie , and Jan Vitek (University of Rennes, France; Inria, France; CNRS, France; IRISA, France; Northeastern University, USA; Czech Technical University, Czechia) Just-in-time compilers for dynamic languages routinely generate code under assumptions that may be invalidated at runtime; this allows for specialization of program code to the common case in order to avoid unnecessary overheads due to uncommon cases. This form of software speculation requires support for deoptimization when some of the assumptions fail to hold. This paper presents a model just-in-time compiler with an intermediate representation that makes explicit the synchronization points used for deoptimization and the assumptions made by the compiler's speculation. We also present several common compiler optimizations that can leverage speculation to generate improved code. The optimizations are proved correct with the help of a proof assistant. While our work stops short of proving native code generation, we demonstrate how one could use the verified optimizations to obtain significant speedups in an end-to-end setting. @Article{POPL21p46, author = {Aurèle Barrière and Sandrine Blazy and Olivier Flückiger and David Pichardie and Jan Vitek}, title = {Formally Verified Speculation and Deoptimization in a JIT Compiler}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {46}, numpages = {26}, doi = {10.1145/3434327}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
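The speculate-then-deoptimize pattern described above can be illustrated with a deliberately tiny sketch (ours, not the paper's model): specialize a function to an assumed argument and guard the fast path, falling back to the generic code when the assumption fails.

```python
def specialize(f, assumed_arg):
    """Speculatively specialize f to a common argument; a guard falls back
    ('deoptimizes') to the generic code when the assumption fails."""
    fast_result = f(assumed_arg)          # computed once, at 'compile time'
    def specialized(x):
        if x == assumed_arg:              # guard: does the assumption hold?
            return fast_result            # fast path
        return f(x)                       # deoptimize: run the generic path
    return specialized

generic = lambda n: sum(range(n))
fast = specialize(generic, 10)
assert fast(10) == generic(10) == 45      # assumption holds, fast path
assert fast(7) == 21                      # guard fails, generic path used
```

A real JIT guards much richer assumptions (types, shapes, loaded classes) and must reconstruct interpreter state at the synchronization point, which the paper's intermediate representation makes explicit.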

Bouajjani, Ahmed 
POPL '21: "Deciding Reachability under ..."
Deciding Reachability under Persistent x86-TSO
Parosh Aziz Abdulla , Mohamed Faouzi Atig , Ahmed Bouajjani , K. Narayan Kumar , and Prakash Saivasan (Uppsala University, Sweden; University of Paris, France; Chennai Mathematical Institute, India; CNRS UMI ReLaX, India; Institute of Mathematical Sciences, India) We address the reachability problem for programs running under the formal model Px86, defined recently by Raad et al. in POPL'20 for the persistent Intel x86 architecture. We prove that this problem is decidable. To achieve that, we provide a new formal model that is equivalent to Px86 and that has the feature of being a well-structured system. Deriving this new model is the result of a deep investigation of the properties of Px86 and the interplay of its components. @Article{POPL21p56, author = {Parosh Aziz Abdulla and Mohamed Faouzi Atig and Ahmed Bouajjani and K. Narayan Kumar and Prakash Saivasan}, title = {Deciding Reachability under Persistent x86-TSO}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {56}, numpages = {32}, doi = {10.1145/3434337}, year = {2021}, } Publisher's Version 
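For readers unfamiliar with x86-TSO (the base of Px86), a minimal store-buffer model conveys the key behavior: a thread's writes sit in a FIFO store buffer and are forwarded to that thread's own reads before they become globally visible. This sketch (ours) models plain TSO only, not the persistency features that Px86 adds.

```python
from collections import deque

class TSOThread:
    """Minimal x86-TSO thread model: writes go into a FIFO store buffer;
    reads consult the newest buffered write before shared memory."""
    def __init__(self, memory):
        self.memory, self.buffer = memory, deque()

    def write(self, addr, val):
        self.buffer.append((addr, val))          # buffered, not yet global

    def read(self, addr):
        for a, v in reversed(self.buffer):       # read-own-write forwarding
            if a == addr:
                return v
        return self.memory.get(addr, 0)

    def flush_one(self):
        a, v = self.buffer.popleft()             # oldest write drains first
        self.memory[a] = v

mem = {}
t = TSOThread(mem)
t.write("x", 1)
assert t.read("x") == 1 and mem.get("x", 0) == 0   # visible locally, not globally
t.flush_one()
assert mem["x"] == 1                               # now globally visible
```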

Carbin, Michael 
POPL '21: "Simplifying Dependent Reductions ..."
Simplifying Dependent Reductions in the Polyhedral Model
Cambridge Yang, Eric Atkinson , and Michael Carbin (Massachusetts Institute of Technology, USA) A reduction – an accumulation over a set of values, using an associative and commutative operator – is a common computation in many numerical computations, including scientific computations, machine learning, computer vision, and financial analytics. Contemporary polyhedral-based compilation techniques make it possible to optimize reductions, such as prefix sums, in which each component of the reduction’s output potentially shares computation with another component in the reduction. Therefore, an optimizing compiler can identify the computation shared between multiple components and generate code that computes the shared computation only once. These techniques, however, do not support reductions that – when phrased in the language of the polyhedral model – span multiple dependent statements. In such cases, existing approaches can generate incorrect code that violates the data dependences of the original, unoptimized program. In this work, we identify and formalize the optimization of dependent reductions as an integer bilinear program. We present a heuristic optimization algorithm that uses an affine sequential schedule of the program to determine how to simplify reductions yet still preserve the program’s dependences. We demonstrate that the algorithm provides optimal complexity for a set of benchmark programs from the literature on probabilistic inference algorithms, whose performance critically relies on simplifying these reductions. The complexities for 10 of the 11 programs improve significantly, by factors at least the sizes of the input data, which are in the range of 10^{4} to 10^{6} for typical real application inputs. We also confirm the significance of the improvement by showing speedups in wall-clock time that range from 1.1x to over 10^{6}x. 
@Article{POPL21p20, author = {Cambridge Yang and Eric Atkinson and Michael Carbin}, title = {Simplifying Dependent Reductions in the Polyhedral Model}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {20}, numpages = {33}, doi = {10.1145/3434301}, year = {2021}, } Publisher's Version POPL '21: "𝜆ₛ: Computable Semantics ..." 𝜆ₛ: Computable Semantics for Differentiable Programming with Higher-Order Functions and Datatypes Benjamin Sherman, Jesse Michel, and Michael Carbin (Massachusetts Institute of Technology, USA) Deep learning is moving towards increasingly sophisticated optimization objectives that employ higher-order functions, such as integration, continuous optimization, and root-finding. Since differentiable programming frameworks such as PyTorch and TensorFlow do not have first-class representations of these functions, developers must reason about the semantics of such objectives and manually translate them to differentiable code. We present a differentiable programming language, λ_{S}, that is the first to deliver a semantics for higher-order functions, higher-order derivatives, and Lipschitz but non-differentiable functions. Together, these features enable λ_{S} to expose differentiable, higher-order functions for integration, optimization, and root-finding as first-class functions with automatically computed derivatives. λ_{S}’s semantics is computable, meaning that values can be computed to arbitrary precision, and we implement λ_{S} as an embedded language in Haskell. We use λ_{S} to construct novel differentiable libraries for representing probability distributions, implicit surfaces, and generalized parametric surfaces – all as instances of higher-order datatypes – and present case studies that rely on computing the derivatives of these higher-order functions and datatypes. 
In addition to modeling existing differentiable algorithms, such as a differentiable ray tracer for implicit surfaces, without requiring any user-level differentiation code, we demonstrate new differentiable algorithms, such as the Hausdorff distance of generalized parametric surfaces. @Article{POPL21p3, author = {Benjamin Sherman and Jesse Michel and Michael Carbin}, title = {𝜆ₛ: Computable Semantics for Differentiable Programming with Higher-Order Functions and Datatypes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {3}, numpages = {31}, doi = {10.1145/3434284}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
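The kind of objective λ_{S} targets, a derivative taken through a higher-order operation such as integration, can be imitated numerically. The sketch below (ours) is only an approximation, using midpoint integration plus finite differences, whereas λ_{S} computes semantically correct derivatives to arbitrary precision.

```python
def integrate(f, a, b, n=10000):
    """Midpoint-rule integration (a stand-in for a first-class
    integration operator)."""
    h = (b - a) / n
    return sum(f(a + (i + 0.5) * h) for i in range(n)) * h

def deriv(g, theta, eps=1e-5):
    """Central finite difference; only an approximation of the
    true derivative."""
    return (g(theta + eps) - g(theta - eps)) / (2 * eps)

# An objective with a higher-order function inside:
# E(theta) = integral_0^1 (theta * x)^2 dx = theta^2 / 3
E = lambda theta: integrate(lambda x: (theta * x) ** 2, 0.0, 1.0)
assert abs(deriv(E, 3.0) - 2.0) < 1e-3    # d/dtheta theta^2/3 at theta=3 is 2
```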

Cauligi, Sunjay 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen , Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala , Dean Tullsen , and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression either as transient, i.e., possibly containing speculative secrets, or as stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
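Blade's transient/stable discipline can be caricatured as a dataflow problem: mark every value reachable from a speculative source as transient, then flag any transient value reaching a cache-visible sink. The sketch below is ours (graph, names, and the naive placement); the actual Blade synthesizes a minimal set of protects via a cut, which this simple fixpoint does not attempt.

```python
def blade_cut(edges, sources, sinks):
    """Toy version of the analysis: compute the set of transient values
    by forward propagation from speculative sources, then report the
    sinks that receive a transient value (candidate protect sites)."""
    transient = set(sources)
    changed = True
    while changed:                        # forward dataflow fixpoint
        changed = False
        for u, v in edges:
            if u in transient and v not in transient:
                transient.add(v)
                changed = True
    return {v for v in sinks if v in transient}

# Hypothetical dataflow graph: a speculative load feeds an array index
# (a cache-visible sink); a public value feeds an unrelated output.
edges = [("load_secret", "mix"), ("mix", "index"), ("pub", "out")]
need_protect = blade_cut(edges, sources={"load_secret"},
                         sinks={"index", "out"})
assert need_protect == {"index"}          # only the transient sink is flagged
```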

Cavallo, Evan 
POPL '21: "Internalizing Representation ..."
Internalizing Representation Independence with Univalence
Carlo Angiuli , Evan Cavallo , Anders Mörtberg , and Max Zeuner (Carnegie Mellon University, USA; Stockholm University, Sweden) In their usual form, representation independence metatheorems provide an external guarantee that two implementations of an abstract interface are interchangeable when they are related by an operation-preserving correspondence. If our programming language is dependently-typed, however, we would like to appeal to such invariance results within the language itself, in order to obtain correctness theorems for complex implementations by transferring them from simpler, related implementations. Recent work in proof assistants has shown that Voevodsky's univalence principle allows transferring theorems between isomorphic types, but many instances of representation independence in programming involve non-isomorphic representations. In this paper, we develop techniques for establishing internal relational representation independence results in dependent type theory, by using higher inductive types to simultaneously quotient two related implementation types by a heterogeneous correspondence between them. The correspondence becomes an isomorphism between the quotiented types, thereby allowing us to obtain an equality of implementations by univalence. We illustrate our techniques by considering applications to matrices, queues, and finite multisets. Our results are all formalized in Cubical Agda, a recent extension of Agda which supports univalence and higher inductive types in a computationally well-behaved way. @Article{POPL21p12, author = {Carlo Angiuli and Evan Cavallo and Anders Mörtberg and Max Zeuner}, title = {Internalizing Representation Independence with Univalence}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {12}, numpages = {30}, doi = {10.1145/3434293}, year = {2021}, } Publisher's Version Artifacts Functional 
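The starting point of the paper, two non-isomorphic implementations related by an operation-preserving correspondence, can be demonstrated externally in any language; what the paper adds is making such reasoning internal via univalence. A hedged external sketch with two queue representations (all code and names are ours):

```python
class ListQueue:
    """Reference representation: a plain list, front at index 0."""
    def __init__(self, xs=()): self.xs = list(xs)
    def enqueue(self, x): return ListQueue(self.xs + [x])
    def dequeue(self): return (self.xs[0], ListQueue(self.xs[1:]))

class BatchedQueue:
    """Okasaki-style representation: a front list plus a reversed back list.
    Not isomorphic to ListQueue: many (front, back) splits denote one queue."""
    def __init__(self, front=(), back=()):
        self.front, self.back = list(front), list(back)
    def enqueue(self, x): return BatchedQueue(self.front, [x] + self.back)
    def dequeue(self):
        f = self.front or list(reversed(self.back))
        b = self.back if self.front else []
        return (f[0], BatchedQueue(f[1:], b))

def related(lq, bq):
    """The heterogeneous correspondence: same abstract contents."""
    return lq.xs == bq.front + list(reversed(bq.back))

lq, bq = ListQueue(), BatchedQueue()
for x in [1, 2, 3]:
    lq, bq = lq.enqueue(x), bq.enqueue(x)
assert related(lq, bq)                    # enqueue preserves the correspondence
v1, lq = lq.dequeue()
v2, bq = bq.dequeue()
assert v1 == v2 == 1 and related(lq, bq)  # dequeue does too
```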

Cecchetti, Ethan 
POPL '21: "Giving Semantics to Program-Counter ..."
Giving Semantics to Program-Counter Labels via Secure Effects
Andrew K. Hirsch and Ethan Cecchetti (MPI-SWS, Germany; Cornell University, USA) Type systems designed for information-flow control commonly use a program-counter label to track the sensitivity of the context and rule out data leakage arising from effectful computation in a sensitive context. Currently, type-system designers reason about this label informally except in security proofs, where they use ad hoc techniques. We develop a framework based on monadic semantics for effects to give semantics to program-counter labels. This framework leads to three results about program-counter labels. First, we develop a new proof technique for noninterference, the core security theorem for information-flow control in effectful languages. Second, we unify notions of security for different types of effects, including state, exceptions, and nontermination. Finally, we formalize the folklore that program-counter labels are a lower bound on effects. We show that, while not universally true, this folklore has a good semantic foundation. @Article{POPL21p35, author = {Andrew K. Hirsch and Ethan Cecchetti}, title = {Giving Semantics to Program-Counter Labels via Secure Effects}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {35}, numpages = {29}, doi = {10.1145/3434316}, year = {2021}, } Publisher's Version Info 
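The folklore formalized in the paper, that the program-counter label lower-bounds the effects a computation may perform, can be stated as a simple check over a trace of labelled effects. This is a toy model of ours, not the paper's monadic semantics:

```python
LEVELS = {"public": 0, "secret": 1}

def check_effects(trace, pc):
    """A program-counter label lower-bounds effects: in a context
    labelled pc, every observable effect must be at level >= pc."""
    return all(LEVELS[lvl] >= LEVELS[pc] for lvl, _ in trace)

# Effects recorded as (label, payload) pairs, e.g. writes or prints.
ok  = [("secret", "write h1"), ("secret", "write h2")]
bad = [("public", "print x")]              # a public effect under a secret pc

assert check_effects(ok, pc="secret")      # all effects at or above pc
assert not check_effects(bad, pc="secret") # would leak that this branch ran
```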

Chadha, Rohit 
POPL '21: "Deciding Accuracy of Differential ..."
Deciding Accuracy of Differential Privacy Schemes
Gilles Barthe , Rohit Chadha, Paul Krogmeier , A. Prasad Sistla, and Mahesh Viswanathan (MPI-SP, Germany; University of Missouri, USA; University of Illinois at Urbana-Champaign, USA; University of Illinois at Chicago, USA) Differential privacy is a mathematical framework for developing statistical computations with provable guarantees of privacy and accuracy. In contrast to the privacy component of differential privacy, which has a clear mathematical and intuitive meaning, the accuracy component of differential privacy does not have a generally accepted definition; accuracy claims of differential privacy algorithms vary from algorithm to algorithm and are not instantiations of a general definition. We identify program discontinuity as a common theme in existing ad hoc definitions and introduce an alternative notion of accuracy parametrized by the distance from an input to the nearest input on which the computation disagrees: for an input x, a deterministic computation f, and a distance d, this is the minimal distance d(x,y) over all y such that f(y) ≠ f(x). We show that our notion of accuracy subsumes the definition used in theoretical computer science, and captures known accuracy claims for differential privacy algorithms. In fact, our general notion of accuracy helps us prove better claims in some cases. Next, we study the decidability of accuracy. We first show that accuracy is in general undecidable. Then, we define a nontrivial class of probabilistic computations for which accuracy is decidable (unconditionally, or assuming Schanuel’s conjecture). We implement our decision procedure and experimentally evaluate the effectiveness of our approach for generating proofs or counterexamples of accuracy for common algorithms from the literature. @Article{POPL21p8, author = {Gilles Barthe and Rohit Chadha and Paul Krogmeier and A. Prasad Sistla and Mahesh Viswanathan}, title = {Deciding Accuracy of Differential Privacy Schemes}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {8}, numpages = {30}, doi = {10.1145/3434289}, year = {2021}, } Publisher's Version Artifacts Functional 
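The minimal-distance quantity underlying this accuracy notion can be illustrated with a small, hypothetical sketch (not the paper's decision procedure): for a threshold function, inputs near the discontinuity are a short distance from a disagreeing input, so noise added for privacy easily flips their output.

```python
# Hypothetical illustration of the accuracy parameter: for a deterministic
# computation f and distance d, the minimal d(x, y) over all y with
# f(y) != f(x) measures how far x is from a point where f's output changes.

def dist_to_disagreement(f, x, candidates, d):
    """Minimal d(x, y) over candidates y with f(y) != f(x); inf if none."""
    vals = [d(x, y) for y in candidates if f(y) != f(x)]
    return min(vals) if vals else float("inf")

# A threshold function is discontinuous at 10: inputs near the threshold
# have a small distance to disagreement, so noise flips them easily.
f = lambda v: "above" if v >= 10 else "below"
d = lambda x, y: abs(x - y)
candidates = range(0, 21)

print(dist_to_disagreement(f, 9, candidates, d))   # 1: y = 10 disagrees
print(dist_to_disagreement(f, 3, candidates, d))   # 7: nearest disagreeing y is 10
```

Inputs with a large distance to disagreement are the ones for which an accuracy claim is easy to meet; a constant function has infinite distance everywhere.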

Chang, Alexander 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus over-approximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Chen, Chao-Hong 
POPL '21: "A Computational Interpretation ..."
A Computational Interpretation of Compact Closed Categories: Reversible Programming with Negative and Fractional Types
Chao-Hong Chen and Amr Sabry (Indiana University, USA) Compact closed categories include objects representing higher-order functions and are well-established as models of linear logic, concurrency, and quantum computing. We show that it is possible to construct such compact closed categories for conventional sum and product types by defining a dual to sum types, a negative type, and a dual to product types, a fractional type. Inspired by the categorical semantics, we define a sound operational semantics for negative and fractional types in which a negative type represents a computational effect that ``reverses execution flow'' and a fractional type represents a computational effect that ``garbage collects'' particular values or throws exceptions. Specifically, we extend a first-order reversible language of type isomorphisms with negative and fractional types, specify an operational semantics for each extension, and prove that each extension forms a compact closed category. We furthermore show that both operational semantics can be merged using the standard combination of backtracking and exceptions, resulting in a smooth interoperability of negative and fractional types. We illustrate the expressiveness of this combination by writing a reversible SAT solver that uses backtracking search along freshly allocated and deallocated locations. The operational semantics, most of its metatheoretic properties, and all examples are formalized in a supplementary Agda package. @Article{POPL21p9, author = {Chao-Hong Chen and Amr Sabry}, title = {A Computational Interpretation of Compact Closed Categories: Reversible Programming with Negative and Fractional Types}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {9}, numpages = {29}, doi = {10.1145/3434290}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Choudhury, Pritam 
POPL '21: "A Graded Dependent Type System ..."
A Graded Dependent Type System with a Usage-Aware Semantics
Pritam Choudhury, Harley Eades III, Richard A. Eisenberg, and Stephanie Weirich (University of Pennsylvania, USA; Augusta University, USA; Tweag I/O, France; Bryn Mawr College, USA) Graded Type Theory provides a mechanism to track and reason about resource usage in type systems. In this paper, we develop GraD, a novel version of such a graded dependent type system that includes functions, tensor products, additive sums, and a unit type. Since standard operational semantics is resource-agnostic, we develop a heap-based operational semantics and prove a soundness theorem that shows correct accounting of resource usage. Several useful properties, including the standard type soundness theorem, non-interference of irrelevant resources in computation, and a single pointer property for linear resources, can be derived from this theorem. We hope that our work will provide a base for integrating linearity, irrelevance, and dependent types in practical programming languages like Haskell. @Article{POPL21p50, author = {Pritam Choudhury and Harley Eades III and Richard A. Eisenberg and Stephanie Weirich}, title = {A Graded Dependent Type System with a Usage-Aware Semantics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {50}, numpages = {32}, doi = {10.1145/3434331}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Clark, Alison M. 
POPL '21: "Abstracting Gradual Typing ..."
Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient
Felipe Bañados Schwerter, Alison M. Clark, Khurram A. Jafery, and Ronald Garcia (University of British Columbia, Canada; Amazon, Canada) Abstracting Gradual Typing (AGT) is a systematic approach to designing gradually-typed languages. Languages developed using AGT automatically satisfy the formal semantic criteria for gradual languages identified by Siek et al. Nonetheless, vanilla AGT semantics can still have important shortcomings. First, a gradual language's runtime checks should preserve the space-efficiency guarantees inherent to the underlying static and dynamic languages. To the contrary, the default operational semantics of AGT break proper tail calls. Second, a gradual language's runtime checks should enforce basic modular type-based invariants expected from the static type discipline. To the contrary, the default operational semantics of AGT may fail to enforce some invariants in surprising ways. We demonstrate this in the GTFL_{≲} language of Garcia et al. This paper addresses both problems at once by refining the theory underlying AGT's dynamic checks. Garcia et al. observe that AGT involves two abstractions of static types: one for the static semantics and one for the dynamic semantics. We recast the latter as an abstract interpretation of subtyping itself, while gradual types still abstract static types. Then we show how forward-completeness (Giacobazzi and Quintarelli) is key to supporting both space-efficient execution and reliable runtime type enforcement. @Article{POPL21p61, author = {Felipe Bañados Schwerter and Alison M. Clark and Khurram A. Jafery and Ronald Garcia}, title = {Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {61}, numpages = {28}, doi = {10.1145/3434342}, year = {2021}, } Publisher's Version 

Cockx, Jesper 
POPL '21: "The Taming of the Rew: A Type ..."
The Taming of the Rew: A Type Theory with Computational Assumptions
Jesper Cockx, Nicolas Tabareau, and Théo Winterhalter (Delft University of Technology, Netherlands; Inria, France; LS2N, France) Dependently typed programming languages and proof assistants such as Agda and Coq rely on computation to automatically simplify expressions during type checking. To overcome the lack of certain programming primitives or logical principles in those systems, it is common to appeal to axioms to postulate their existence. However, one can only postulate the bare existence of an axiom, not its computational behaviour. Instead, users are forced to postulate equality proofs and appeal to them explicitly to simplify expressions, making axioms dramatically more complicated to work with than built-in primitives. On the other hand, the equality reflection rule from extensional type theory solves these problems by collapsing computation and equality, at the cost of having no practical type checking algorithm. This paper introduces Rewriting Type Theory (RTT), a type theory where it is possible to add computational assumptions in the form of rewrite rules. Rewrite rules go beyond the computational capabilities of intensional type theory, but in contrast to extensional type theory, they are applied automatically, so type checking does not require input from the user. To ensure type soundness of RTT—as well as effective type checking—we provide a framework where confluence of user-defined rewrite rules can be checked modularly and automatically, and where adding new rewrite rules is guaranteed to preserve subject reduction. The properties of RTT have been formally verified using the MetaCoq framework and an implementation of rewrite rules is already available in the Agda proof assistant. @Article{POPL21p60, author = {Jesper Cockx and Nicolas Tabareau and Théo Winterhalter}, title = {The Taming of the Rew: A Type Theory with Computational Assumptions}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {60}, numpages = {29}, doi = {10.1145/3434341}, year = {2021}, } Publisher's Version Artifacts Functional 

Courant, Nathanaël 
POPL '21: "Verified Code Generation for ..."
Verified Code Generation for the Polyhedral Model
Nathanaël Courant and Xavier Leroy (Inria, France; Collège de France, France; PSL University, France) The polyhedral model is a high-level intermediate representation for loop nests that elegantly supports a great many loop optimizations. In a compiler, after polyhedral loop optimizations have been performed, it is necessary, yet difficult, to regenerate sequential or parallel loop nests before continuing compilation. This paper reports on the formalization and proof of semantic preservation of such a code generator that produces sequential code from a polyhedral representation. The formalization and proofs are mechanized using the Coq proof assistant. @Article{POPL21p40, author = {Nathanaël Courant and Xavier Leroy}, title = {Verified Code Generation for the Polyhedral Model}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {40}, numpages = {24}, doi = {10.1145/3434321}, year = {2021}, } Publisher's Version 
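The code-generation problem being verified can be sketched in miniature (assumed names, nothing from the actual Coq development): given a polyhedron of iteration points, the generator must emit a loop nest whose bounds scan exactly those points, in lexicographic order.

```python
# Hedged sketch of polyhedral code generation, not Courant & Leroy's
# verified algorithm: regenerate a sequential loop nest from a set of
# iteration points and check it visits exactly that set.

def polyhedron(n):
    # {(i, j) | 0 <= i < n, i <= j < n}: the upper triangle of an n x n grid
    return {(i, j) for i in range(n) for j in range(n) if i <= j}

def generated_loop_nest(n):
    # The loop nest a code generator might emit; the inner lower bound
    # j >= i is derived from the constraint i <= j.
    points = []
    for i in range(0, n):
        for j in range(i, n):
            points.append((i, j))
    return points

pts = generated_loop_nest(4)
assert set(pts) == polyhedron(4)   # same iteration points
assert pts == sorted(pts)          # visited in lexicographic order
```

Semantic preservation here would mean that executing the loop body once per visited point, in this order, matches the semantics of the polyhedral representation.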

Dal Lago, Ugo 
POPL '21: "Intersection Types and (Positive) ..."
Intersection Types and (Positive) Almost-Sure Termination
Ugo Dal Lago, Claudia Faggian, and Simona Ronchi Della Rocca (University of Bologna, Italy; University of Paris, France; IRIF, France; CNRS, France; University of Turin, Italy) Randomized higher-order computation can be seen as being captured by a λ-calculus endowed with a single algebraic operation, namely a construct for binary probabilistic choice. What matters about such computations is the probability of obtaining any given result, rather than the possibility or the necessity of obtaining it, as in (non)deterministic computation. Termination, arguably the simplest kind of reachability problem, can be spelled out in at least two ways, depending on whether it talks about the probability of convergence or about the expected evaluation time, the second one providing a stronger guarantee. In this paper, we show that intersection types are capable of precisely characterizing both notions of termination inside a single system of types: the probability of convergence of any λ-term can be under-approximated by its type, while the underlying derivation’s weight gives a lower bound to the term’s expected number of steps to normal form. Noticeably, both approximations are tight—not only soundness but also completeness holds. The crucial ingredient is non-idempotency, without which it would be impossible to reason about the expected number of reduction steps necessary to completely evaluate any term. Besides, the kind of approximation we obtain is proved to be recursion-theoretically optimal: no recursively enumerable formal system can do better than that. @Article{POPL21p32, author = {Ugo Dal Lago and Claudia Faggian and Simona Ronchi Della Rocca}, title = {Intersection Types and (Positive) Almost-Sure Termination}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {32}, numpages = {32}, doi = {10.1145/3434313}, year = {2021}, } Publisher's Version POPL '21: "The (In)Efficiency of Interaction ..." 
The (In)Efficiency of Interaction Beniamino Accattoli, Ugo Dal Lago, and Gabriele Vanoni (Inria, France; École Polytechnique, France; University of Bologna, Italy) Evaluating higher-order functional programs through abstract machines inspired by the geometry of interaction is known to induce space efficiencies, the price being time performances often poorer than those obtainable with traditional, environment-based abstract machines. Although families of lambda-terms for which the former is exponentially less efficient than the latter do exist, it is currently unknown how general this phenomenon is, and how far the inefficiencies can go, in the worst case. We answer these questions by formulating four different well-known abstract machines inside a common definitional framework, thereby obtaining sharp results about their relative time efficiencies. We also prove that non-idempotent intersection type theories are able to precisely reflect the time performances of the interactive abstract machine, thereby showing that its time-inefficiency ultimately descends from the presence of higher-order types. @Article{POPL21p51, author = {Beniamino Accattoli and Ugo Dal Lago and Gabriele Vanoni}, title = {The (In)Efficiency of Interaction}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {51}, numpages = {33}, doi = {10.1145/3434332}, year = {2021}, } Publisher's Version 

D'Antoni, Loris 
POPL '21: "SemanticsGuided Synthesis ..."
Semantics-Guided Synthesis
Jinwoo Kim, Qinheping Hu, Loris D'Antoni, and Thomas Reps (University of Wisconsin-Madison, USA) This paper develops a new framework for program synthesis, called semantics-guided synthesis (SemGuS), that allows a user to provide both the syntax and the semantics for the constructs in the language. SemGuS accepts a recursively defined big-step semantics, which allows it, for example, to be used to specify and solve synthesis problems over an imperative programming language that may contain loops with unbounded behavior. The customizable nature of SemGuS also allows synthesis problems to be defined over a non-standard semantics, such as an abstract semantics. In addition to the SemGuS framework, we develop an algorithm for solving SemGuS problems that is capable of both synthesizing programs and proving unrealizability, by encoding a SemGuS problem as a proof search over Constrained Horn Clauses: in particular, our approach is the first that we are aware of that can prove unrealizability for synthesis problems that involve imperative programs with unbounded loops, over an infinite syntactic search space. We implemented the technique in a tool called MESSY, and applied it to SyGuS problems (i.e., over expressions), synthesis problems over an imperative programming language, and synthesis problems over regular expressions. @Article{POPL21p30, author = {Jinwoo Kim and Qinheping Hu and Loris D'Antoni and Thomas Reps}, title = {Semantics-Guided Synthesis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {30}, numpages = {32}, doi = {10.1145/3434311}, year = {2021}, } Publisher's Version Artifacts Functional 
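The division of labor in SemGuS, user-supplied syntax plus user-supplied semantics, can be illustrated by a deliberately naive enumerative solver (a hypothetical toy, unrelated to the CHC encoding used by MESSY): the user supplies a grammar and a recursive evaluator, and the solver searches for a term matching input-output examples.

```python
# Toy illustration of the SemGuS setup: the grammar is tiny arithmetic
# (E ::= x | 1 | E + E) and the semantics is a user-written recursive
# evaluator; a real solver would search symbolically, not enumerate.

def semantics(term, x):
    if term == ("x",):
        return x
    if term == ("1",):
        return 1
    _, a, b = term                     # only "+" nodes remain
    return semantics(a, x) + semantics(b, x)

def enumerate_terms(depth):
    if depth == 0:
        return []
    terms = [("x",), ("1",)]
    for a in enumerate_terms(depth - 1):
        for b in enumerate_terms(depth - 1):
            terms.append(("+", a, b))
    return terms

def synthesize(spec_examples, depth=3):
    for t in enumerate_terms(depth):
        if all(semantics(t, x) == y for x, y in spec_examples):
            return t
    return None  # a real SemGuS solver could instead prove unrealizability

print(synthesize([(0, 2), (5, 7)]))   # a term computing x + 2
```

The point of the framework is that `semantics` is an input to the problem, so the same solver can target standard, abstract, or otherwise non-standard meanings of the grammar.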

Delbianco, Germán Andrés 
POPL '21: "On Algebraic Abstractions ..."
On Algebraic Abstractions for Concurrent Separation Logics
František Farka, Aleksandar Nanevski, Anindya Banerjee, Germán Andrés Delbianco, and Ignacio Fábregas (IMDEA Software Institute, Spain; Nomadic Labs, France; Complutense University of Madrid, Spain) Concurrent separation logic is distinguished by transfer of state ownership upon parallel composition and framing. The algebraic structure that underpins ownership transfer is that of partial commutative monoids (PCMs). Extant research considers ownership transfer primarily from the logical perspective, while comparatively less attention is drawn to the algebraic considerations. This paper provides an algebraic formalization of ownership transfer in concurrent separation logic by means of structure-preserving partial functions (i.e., morphisms) between PCMs, and an associated notion of separating relations. Morphisms of structures are a standard concept in algebra and category theory, but have not seen widespread use in separation logic before. Separating relations are binary relations that generalize disjointness and characterize the inputs on which morphisms preserve structure. The two abstractions facilitate verification by enabling concise ways of writing specs, by providing abstract views of threads' states that are preserved under ownership transfer, and by enabling user-level construction of new PCMs out of existing ones. @Article{POPL21p5, author = {František Farka and Aleksandar Nanevski and Anindya Banerjee and Germán Andrés Delbianco and Ignacio Fábregas}, title = {On Algebraic Abstractions for Concurrent Separation Logics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {5}, numpages = {32}, doi = {10.1145/3434286}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
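A PCM and a candidate morphism can be made concrete with a small sketch (a hypothetical Python encoding, not the paper's formalization): heaps form a PCM whose join is defined only on disjoint domains, and projecting a heap onto a region is a structure-preserving partial map.

```python
# Illustrative PCM of heaps: join is partial (undefined on overlapping
# domains), commutative, and has the empty heap as unit.

def join(h1, h2):
    """PCM join: union of two heaps, defined only when domains are disjoint."""
    if h1.keys() & h2.keys():
        return None              # undefined: ownership of a location clashes
    return {**h1, **h2}

def restrict(h, region):
    """A morphism candidate: project a heap onto a region of locations."""
    return {k: v for k, v in h.items() if k in region}

a, b = {1: "x"}, {2: "y"}
ab = join(a, b)
assert ab == {1: "x", 2: "y"}
assert join(a, a) is None        # ownership transfer requires disjointness
# Morphism law on separate arguments:
# restrict(a . b) = restrict(a) . restrict(b)
region = {1}
assert restrict(ab, region) == join(restrict(a, region), restrict(b, region))
```

In the paper's terms, the separating relation characterizes exactly which pairs of heaps the projection treats homomorphically; here, disjointness itself plays that role.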

De Vilhena, Paulo Emílio 
POPL '21: "A Separation Logic for Effect ..."
A Separation Logic for Effect Handlers
Paulo Emílio de Vilhena and François Pottier (Inria, France) User-defined effects and effect handlers are advertised and advocated as a relatively easy-to-understand and modular approach to delimited control. They offer the ability to suspend and resume a computation and allow information to be transmitted both ways between the computation, which requests a certain service, and the handler, which provides this service. Yet, a key question remains, to this day, largely unanswered: how does one modularly specify and verify programs in the presence of both user-defined effect handlers and primitive effects, such as heap-allocated mutable state? We answer this question by presenting a Separation Logic with built-in support for effect handlers, both shallow and deep. The specification of a program fragment includes a protocol that describes the effects that the program may perform as well as the replies that it can expect to receive. The logic allows local reasoning via a frame rule and a bind rule. It is based on Iris and inherits all of its advanced features, including support for higher-order functions, user-defined ghost state, and invariants. We illustrate its power via several case studies, including (1) a generic formulation of control inversion, which turns a producer that ``pushes'' elements towards a consumer into a producer from which one can ``pull'' elements on demand, and (2) a simple system for cooperative concurrency, where several threads execute concurrently, can spawn new threads, and communicate via promises. @Article{POPL21p33, author = {Paulo Emílio de Vilhena and François Pottier}, title = {A Separation Logic for Effect Handlers}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {33}, numpages = {28}, doi = {10.1145/3434314}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
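The effect/reply protocol that such a logic specifies can be mimicked, purely as an analogy, with Python generators: the computation performs an effect by yielding a request, and a deep handler interprets each request and resumes the computation with a reply.

```python
# Minimal analogy for deep effect handling (not the Iris-based logic):
# a computation yields ("get",) and ("put", v) requests, and the handler
# interprets them against a state cell, sending replies back in.

def computation():
    x = yield ("get",)           # perform an effect: ask the handler for state
    yield ("put", x + 1)         # perform an effect: update the state
    return x

def handle(comp, state):
    """A deep handler for get/put effects over a state cell."""
    gen = comp()
    reply = None
    try:
        while True:
            req = gen.send(reply)          # resume with the previous reply
            if req[0] == "get":
                reply = state
            elif req[0] == "put":
                state = req[1]
                reply = None
    except StopIteration as stop:
        return stop.value, state           # computation finished

result, final_state = handle(computation, 41)
assert (result, final_state) == (41, 42)
```

The protocol here ("get" expects the current state in reply, "put" expects no meaningful reply) is exactly the kind of contract the paper's specifications attach to a program fragment.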

Devriese, Dominique 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Sander Huyghebaert, Dominique Devriese, and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities to make a previously proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional POPL '21: "On the Semantic Expressiveness ..." 
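The intended behavior of an uninitialized capability can be modeled with a small, hypothetical sketch (far simpler than CHERI): it grants write authority to a block, but reads only see locations that have been written through it, so the block's stale contents stay hidden without clearing memory first.

```python
# Illustrative model, hypothetical API: a capability that tracks which
# offsets were written through it and refuses reads of anything else.

class UninitCapability:
    def __init__(self, memory, base, size):
        self.mem, self.base, self.size = memory, base, size
        self.initialized = set()     # offsets written through this capability

    def write(self, off, val):
        assert 0 <= off < self.size, "out of bounds"
        self.mem[self.base + off] = val
        self.initialized.add(off)

    def read(self, off):
        assert off in self.initialized, "read of uninitialized memory"
        return self.mem[self.base + off]

mem = ["secret"] * 8                 # stale stack data that must stay hidden
cap = UninitCapability(mem, base=2, size=4)
cap.write(0, 7)
assert cap.read(0) == 7              # reads see only what was written
try:
    cap.read(1)                      # a plain pointer would leak "secret" here
    leaked = True
except AssertionError:
    leaked = False
assert not leaked
```

This is why revocation becomes cheap in the paper's setting: handing out such a capability over reused stack memory is safe without first zeroing the block.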
On the Semantic Expressiveness of Recursive Types Marco Patrignani, Eric Mark Martin, and Dominique Devriese (Stanford University, USA; CISPA, Germany; Vrije Universiteit Brussel, Belgium) Recursive types extend the simply-typed lambda calculus (STLC) with the additional expressive power to enable diverging computation and to encode recursive datatypes (e.g., lists). Two formulations of recursive types exist: isorecursive and equirecursive. The relative advantages of iso- and equi-recursion are well studied when it comes to their impact on type inference. However, the relative semantic expressiveness of the two formulations has so far remained unclear. This paper studies the semantic expressiveness of STLC with isorecursive and equirecursive types, proving that these formulations are equally expressive. In fact, we prove that they are both as expressive as STLC with only term-level recursion. We phrase these equi-expressiveness results in terms of full abstraction of three canonical compilers between these three languages (STLC with isorecursive types, with equirecursive types, and with term-level recursion). Our choice of languages allows us to study expressiveness when interacting over both a simply-typed and a recursively-typed interface. The three proofs all rely on a typed version of a proof technique called approximate back-translation. Together, our results show that there is no difference in semantic expressiveness between STLCs with isorecursive and equirecursive types. In this paper, we focus on a simply-typed setting, but we believe our results scale to more powerful type systems like System F. @Article{POPL21p21, author = {Marco Patrignani and Eric Mark Martin and Dominique Devriese}, title = {On the Semantic Expressiveness of Recursive Types}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {21}, numpages = {29}, doi = {10.1145/3434302}, year = {2021}, } Publisher's Version POPL '21: "Fully Abstract from Static ..." 
Fully Abstract from Static to Gradual Koen Jacobs, Amin Timany, and Dominique Devriese (KU Leuven, Belgium; Aarhus University, Denmark; Vrije Universiteit Brussel, Belgium) What is a good gradual language? Siek et al. have previously proposed the refined criteria, a set of formal ideas that characterize a range of guarantees typically expected from a gradual language. While these go a long way, they are mostly focused on syntactic and type safety properties and fail to characterize how richer semantic properties and reasoning principles that hold in the static language, like non-interference or parametricity for instance, should be upheld in the gradualization. In this paper, we investigate and argue for a new criterion previously hinted at by Devriese et al.: the embedding from the static to the gradual language should be fully abstract. Rather than preserving an arbitrarily chosen interpretation of source language types, this criterion requires that all source language equivalences be preserved. We demonstrate that the criterion weeds out erroneous gradualizations that nevertheless satisfy the refined criteria. At the same time, we demonstrate that the criterion is realistic by reporting on a mechanized proof that the property holds for a standard example: GTLC_{µ}, the natural gradualization of STLC_{µ}, the simply typed lambda calculus with equirecursive types. We argue thus that the criterion is useful for understanding, evaluating, and guiding the design of gradual languages, particularly those which are intended to preserve source language guarantees in a rich way. @Article{POPL21p7, author = {Koen Jacobs and Amin Timany and Dominique Devriese}, title = {Fully Abstract from Static to Gradual}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {7}, numpages = {30}, doi = {10.1145/3434288}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Di Liberti, Ivan 
POPL '21: "Functorial Semantics for Partial ..."
Functorial Semantics for Partial Theories
Ivan Di Liberti, Fosco Loregian, Chad Nester, and Paweł Sobociński (Czech Academy of Sciences, Czechia; Tallinn University of Technology, Estonia) We provide a Lawvere-style definition for partial theories, extending the classical notion of equational theory by allowing partially defined operations. As in the classical case, our definition is syntactic: we use an appropriate class of string diagrams as terms. This allows for equational reasoning about the class of models defined by a partial theory. We demonstrate the expressivity of such equational theories by considering a number of examples, including partial combinatory algebras and cartesian closed categories. Moreover, despite the increase in expressivity of the syntax, we retain a well-behaved notion of semantics: we show that our categories of models are precisely locally finitely presentable categories, and that free models exist. @Article{POPL21p57, author = {Ivan Di Liberti and Fosco Loregian and Chad Nester and Paweł Sobociński}, title = {Functorial Semantics for Partial Theories}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {57}, numpages = {28}, doi = {10.1145/3434338}, year = {2021}, } Publisher's Version 

Dillig, Isil 
POPL '21: "Verifying Correct Usage of ..."
Verifying Correct Usage of Context-Free API Protocols
Kostas Ferles, Jon Stephens, and Isil Dillig (University of Texas at Austin, USA) Several real-world libraries (e.g., reentrant locks, GUI frameworks, serialization libraries) require their clients to use the provided API in a manner that conforms to a context-free specification. Motivated by this observation, this paper describes a new technique for verifying the correct usage of context-free API protocols. The key idea underlying our technique is to over-approximate the program’s feasible API call sequences using a context-free grammar (CFG) and then check language inclusion between this grammar and the specification. However, since this inclusion check may fail due to imprecision in the program’s CFG abstraction, we propose a novel refinement technique to progressively improve the CFG. In particular, our method obtains counterexamples from CFG inclusion queries and uses them to introduce new nonterminals and productions to the grammar while still over-approximating the program’s relevant behavior. We have implemented the proposed algorithm in a tool called CFPChecker and evaluate it on 10 popular Java applications that use at least one API with a context-free specification. Our evaluation shows that CFPChecker is able to verify correct usage of the API in clients that use it correctly and produces counterexamples for those that do not. We also compare our method against three relevant baselines and demonstrate that CFPChecker enables verification of safety properties that are beyond the reach of existing tools. @Article{POPL21p17, author = {Kostas Ferles and Jon Stephens and Isil Dillig}, title = {Verifying Correct Usage of Context-Free API Protocols}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {17}, numpages = {30}, doi = {10.1145/3434298}, year = {2021}, } Publisher's Version 
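For a concrete sense of a context-free API protocol, consider a reentrant lock: its legal traces are exactly the well-nested lock/unlock sequences, a context-free (Dyck-style) language. A single trace can be checked against that specification directly (a hypothetical miniature, not CFPChecker's CFG-inclusion algorithm, which reasons about all traces of a program at once):

```python
# Runtime check of one API trace against the context-free spec of a
# reentrant lock: every unlock must match a prior lock, and every lock
# must be released by the end of the trace.

def conforms(trace):
    """True iff the trace is a well-nested lock/unlock sequence."""
    depth = 0
    for call in trace:
        if call == "lock":
            depth += 1
        elif call == "unlock":
            depth -= 1
            if depth < 0:
                return False     # unlock without a matching lock
    return depth == 0            # no lock left held at exit

assert conforms(["lock", "lock", "unlock", "unlock"])
assert not conforms(["lock", "unlock", "unlock"])
assert not conforms(["lock"])
```

Note the contrast with the paper's static setting: a regular automaton cannot capture this unbounded nesting, which is why the program abstraction there must be a context-free grammar rather than a finite-state protocol.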

Disselkoen, Craig 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen , Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala , Dean Tullsen , and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets or as being stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
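Blade's source-to-sink discipline can be caricatured as a tiny dataflow analysis (an assumed, highly simplified encoding, not the actual Cranelift pass): speculative loads are transient sources, transience propagates along dataflow edges, and any transient value reaching a leaking sink needs a protect.

```python
# Toy rendering of Blade's transient/stable classification: compute which
# sink variables are fed (transitively) by speculative loads and therefore
# require a protect before use.

def needs_protect(defs, sinks):
    """defs maps each var to "load" (speculative source) or a tuple of the
    vars it is computed from; returns the sinks that need a protect."""
    transient = {v for v, srcs in defs.items() if srcs == "load"}
    changed = True
    while changed:               # propagate transience along dataflow edges
        changed = False
        for v, srcs in defs.items():
            if srcs != "load" and v not in transient and set(srcs) & transient:
                transient.add(v)
                changed = True
    # a protect is needed wherever a transient expression reaches a sink
    return sorted(v for v in sinks if v in transient)

defs = {"a": "load", "b": ("a",), "c": ("k",), "k": ()}
print(needs_protect(defs, sinks={"b", "c"}))   # ['b']: only b carries a speculative secret
```

Minimizing the number of protect placements over such a dataflow graph is the cut problem Blade's type system solves; here we merely flag the sinks that any valid placement must guard.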

Doenges, Ryan 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus over-approximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Dreyer, Derek 
POPL '21: "Transfinite Step-Indexing ..."
Transfinite Step-Indexing for Termination
Simon Spies, Neel Krishnaswami, and Derek Dreyer (MPI-SWS, Germany; University of Cambridge, UK) Step-indexed logical relations are an extremely useful technique for building operational-semantics-based models and program logics for realistic, richly-typed programming languages. They have proven to be indispensable for modeling features like higher-order state, which many languages support but which were difficult to accommodate using traditional denotational models. However, the conventional wisdom is that, because they only support reasoning about finite traces of computation, (unary) step-indexed models are only good for proving safety properties like “well-typed programs don’t go wrong”. There has consequently been very little work on using step-indexing to establish liveness properties, in particular termination. In this paper, we show that step-indexing can in fact be used to prove termination of well-typed programs—even in the presence of dynamically-allocated, shared, mutable, higher-order state—so long as one’s type system enforces disciplined use of such state. Specifically, we consider a language with asynchronous channels, inspired by promises in JavaScript, in which higher-order state is used to implement communication, and linearity is used to ensure termination. The key to our approach is to generalize from natural number step-indexing to transfinite step-indexing, which enables us to compute termination bounds for program expressions in a compositional way. Although transfinite step-indexing has been proposed previously, we are the first to apply this technique to reasoning about termination in the presence of higher-order state. @Article{POPL21p13, author = {Simon Spies and Neel Krishnaswami and Derek Dreyer}, title = {Transfinite Step-Indexing for Termination}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {13}, numpages = {29}, doi = {10.1145/3434294}, year = {2021}, } Publisher's Version Info 

Eades III, Harley 
POPL '21: "A Graded Dependent Type System ..."
A Graded Dependent Type System with a Usage-Aware Semantics
Pritam Choudhury, Harley Eades III, Richard A. Eisenberg, and Stephanie Weirich (University of Pennsylvania, USA; Augusta University, USA; Tweag I/O, France; Bryn Mawr College, USA) Graded Type Theory provides a mechanism to track and reason about resource usage in type systems. In this paper, we develop GraD, a novel version of such a graded dependent type system that includes functions, tensor products, additive sums, and a unit type. Since standard operational semantics is resource-agnostic, we develop a heap-based operational semantics and prove a soundness theorem that shows correct accounting of resource usage. Several useful properties, including the standard type soundness theorem, non-interference of irrelevant resources in computation, and the single-pointer property for linear resources, can be derived from this theorem. We hope that our work will provide a base for integrating linearity, irrelevance, and dependent types in practical programming languages like Haskell. @Article{POPL21p50, author = {Pritam Choudhury and Harley Eades III and Richard A. Eisenberg and Stephanie Weirich}, title = {A Graded Dependent Type System with a Usage-Aware Semantics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {50}, numpages = {32}, doi = {10.1145/3434331}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Eisenberg, Richard A. 
POPL '21: "A Graded Dependent Type System ..."
A Graded Dependent Type System with a Usage-Aware Semantics
Pritam Choudhury, Harley Eades III, Richard A. Eisenberg, and Stephanie Weirich (University of Pennsylvania, USA; Augusta University, USA; Tweag I/O, France; Bryn Mawr College, USA) Graded Type Theory provides a mechanism to track and reason about resource usage in type systems. In this paper, we develop GraD, a novel version of such a graded dependent type system that includes functions, tensor products, additive sums, and a unit type. Since standard operational semantics is resource-agnostic, we develop a heap-based operational semantics and prove a soundness theorem that shows correct accounting of resource usage. Several useful properties, including the standard type soundness theorem, non-interference of irrelevant resources in computation, and the single-pointer property for linear resources, can be derived from this theorem. We hope that our work will provide a base for integrating linearity, irrelevance, and dependent types in practical programming languages like Haskell. @Article{POPL21p50, author = {Pritam Choudhury and Harley Eades III and Richard A. Eisenberg and Stephanie Weirich}, title = {A Graded Dependent Type System with a Usage-Aware Semantics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {50}, numpages = {32}, doi = {10.1145/3434331}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Fábregas, Ignacio 
POPL '21: "On Algebraic Abstractions ..."
On Algebraic Abstractions for Concurrent Separation Logics
František Farka, Aleksandar Nanevski, Anindya Banerjee, Germán Andrés Delbianco, and Ignacio Fábregas (IMDEA Software Institute, Spain; Nomadic Labs, France; Complutense University of Madrid, Spain) Concurrent separation logic is distinguished by transfer of state ownership upon parallel composition and framing. The algebraic structure that underpins ownership transfer is that of partial commutative monoids (PCMs). Extant research considers ownership transfer primarily from the logical perspective, while comparatively little attention has been paid to the algebraic considerations. This paper provides an algebraic formalization of ownership transfer in concurrent separation logic by means of structure-preserving partial functions (i.e., morphisms) between PCMs, and an associated notion of separating relations. Morphisms of structures are a standard concept in algebra and category theory, but have not seen widespread use in separation logic before. Separating relations are binary relations that generalize disjointness and characterize the inputs on which morphisms preserve structure. The two abstractions facilitate verification by enabling concise ways of writing specs, by providing abstract views of threads' states that are preserved under ownership transfer, and by enabling user-level construction of new PCMs out of existing ones. @Article{POPL21p5, author = {František Farka and Aleksandar Nanevski and Anindya Banerjee and Germán Andrés Delbianco and Ignacio Fábregas}, title = {On Algebraic Abstractions for Concurrent Separation Logics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {5}, numpages = {32}, doi = {10.1145/3434286}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Faggian, Claudia 
POPL '21: "Intersection Types and (Positive) ..."
Intersection Types and (Positive) Almost-Sure Termination
Ugo Dal Lago, Claudia Faggian, and Simona Ronchi Della Rocca (University of Bologna, Italy; University of Paris, France; IRIF, France; CNRS, France; University of Turin, Italy) Randomized higher-order computation can be seen as being captured by a λ-calculus endowed with a single algebraic operation, namely a construct for binary probabilistic choice. What matters about such computations is the probability of obtaining any given result, rather than the possibility or the necessity of obtaining it, as in (non)deterministic computation. Termination, arguably the simplest kind of reachability problem, can be spelled out in at least two ways, depending on whether it talks about the probability of convergence or about the expected evaluation time, the second one providing a stronger guarantee. In this paper, we show that intersection types are capable of precisely characterizing both notions of termination inside a single system of types: the probability of convergence of any λ-term can be under-approximated by its type, while the underlying derivation’s weight gives a lower bound to the term’s expected number of steps to normal form. Noticeably, both approximations are tight—not only soundness but also completeness holds. The crucial ingredient is non-idempotency, without which it would be impossible to reason about the expected number of reduction steps which are necessary to completely evaluate any term. Besides, the kind of approximation we obtain is proved to be optimal recursion-theoretically: no recursively enumerable formal system can do better than that. @Article{POPL21p32, author = {Ugo Dal Lago and Claudia Faggian and Simona Ronchi Della Rocca}, title = {Intersection Types and (Positive) Almost-Sure Termination}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {32}, numpages = {32}, doi = {10.1145/3434313}, year = {2021}, } Publisher's Version 

Farka, František 
POPL '21: "On Algebraic Abstractions ..."
On Algebraic Abstractions for Concurrent Separation Logics
František Farka, Aleksandar Nanevski, Anindya Banerjee, Germán Andrés Delbianco, and Ignacio Fábregas (IMDEA Software Institute, Spain; Nomadic Labs, France; Complutense University of Madrid, Spain) Concurrent separation logic is distinguished by transfer of state ownership upon parallel composition and framing. The algebraic structure that underpins ownership transfer is that of partial commutative monoids (PCMs). Extant research considers ownership transfer primarily from the logical perspective, while comparatively little attention has been paid to the algebraic considerations. This paper provides an algebraic formalization of ownership transfer in concurrent separation logic by means of structure-preserving partial functions (i.e., morphisms) between PCMs, and an associated notion of separating relations. Morphisms of structures are a standard concept in algebra and category theory, but have not seen widespread use in separation logic before. Separating relations are binary relations that generalize disjointness and characterize the inputs on which morphisms preserve structure. The two abstractions facilitate verification by enabling concise ways of writing specs, by providing abstract views of threads' states that are preserved under ownership transfer, and by enabling user-level construction of new PCMs out of existing ones. @Article{POPL21p5, author = {František Farka and Aleksandar Nanevski and Anindya Banerjee and Germán Andrés Delbianco and Ignacio Fábregas}, title = {On Algebraic Abstractions for Concurrent Separation Logics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {5}, numpages = {32}, doi = {10.1145/3434286}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Feldman, Yotam M. Y. 
POPL '21: "Learning the Boundary of Inductive ..."
Learning the Boundary of Inductive Invariants
Yotam M. Y. Feldman, Mooly Sagiv, Sharon Shoham, and James R. Wilcox (Tel Aviv University, Israel; Certora, USA) We study the complexity of invariant inference and its connections to exact concept learning. We define a condition on invariants and their geometry, called the fence condition, which permits applying theoretical results from exact concept learning to answer open problems in invariant inference theory. The condition requires the invariant's boundary (the states whose Hamming distance from the invariant is one) to be backwards reachable from the bad states in a small number of steps. Using this condition, we obtain the first polynomial complexity result for an interpolation-based invariant inference algorithm, efficiently inferring monotone DNF invariants with access to a SAT solver as an oracle. We further harness Bshouty's seminal result in concept learning to efficiently infer invariants of a larger syntactic class of invariants beyond monotone DNF. Lastly, we consider the robustness of inference under program transformations. We show that some simple transformations preserve the fence condition, and that it is sensitive to more complex transformations. @Article{POPL21p15, author = {Yotam M. Y. Feldman and Mooly Sagiv and Sharon Shoham and James R. Wilcox}, title = {Learning the Boundary of Inductive Invariants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {15}, numpages = {30}, doi = {10.1145/3434296}, year = {2021}, } Publisher's Version 
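To make the boundary notion from the abstract concrete, here is a small illustrative sketch (the bit-vector encoding and function names are ours, not the paper's): over n-bit states, the boundary of an invariant is the set of states outside it that differ from some invariant state in exactly one bit.

```python
# Illustrative sketch (hypothetical encoding): states are n-bit integers,
# an invariant is a set of such states, and the boundary is the set of
# states at Hamming distance exactly one from the invariant.

def boundary(invariant, n):
    out = set()
    for s in invariant:
        for i in range(n):
            t = s ^ (1 << i)          # flip bit i of state s
            if t not in invariant:    # neighbor lies outside the invariant
                out.add(t)
    return out

inv = {0b00, 0b01}                    # a 2-bit invariant: {00, 01}
print(sorted(boundary(inv, 2)))       # [2, 3]
```

The fence condition then asks that every such boundary state be backwards reachable from the bad states within a small number of steps.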

Ferles, Kostas 
POPL '21: "Verifying Correct Usage of ..."
Verifying Correct Usage of Context-Free API Protocols
Kostas Ferles, Jon Stephens, and Isil Dillig (University of Texas at Austin, USA) Several real-world libraries (e.g., reentrant locks, GUI frameworks, serialization libraries) require their clients to use the provided API in a manner that conforms to a context-free specification. Motivated by this observation, this paper describes a new technique for verifying the correct usage of context-free API protocols. The key idea underlying our technique is to over-approximate the program’s feasible API call sequences using a context-free grammar (CFG) and then check language inclusion between this grammar and the specification. However, since this inclusion check may fail due to imprecision in the program’s CFG abstraction, we propose a novel refinement technique to progressively improve the CFG. In particular, our method obtains counterexamples from CFG inclusion queries and uses them to introduce new nonterminals and productions to the grammar while still over-approximating the program’s relevant behavior. We have implemented the proposed algorithm in a tool called CFPChecker and evaluate it on 10 popular Java applications that use at least one API with a context-free specification. Our evaluation shows that CFPChecker is able to verify correct usage of the API in clients that use it correctly and produces counterexamples for those that do not. We also compare our method against three relevant baselines and demonstrate that CFPChecker enables verification of safety properties that are beyond the reach of existing tools. @Article{POPL21p17, author = {Kostas Ferles and Jon Stephens and Isil Dillig}, title = {Verifying Correct Usage of Context-Free API Protocols}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {17}, numpages = {30}, doi = {10.1145/3434298}, year = {2021}, } Publisher's Version 
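A toy sketch of why such protocols are context-free rather than regular (this is only an illustration, not CFPChecker itself): a reentrant lock requires acquire/release calls to nest and balance, which no finite automaton can check for unbounded nesting depth, but which a single counter (a degenerate stack) can.

```python
# Hypothetical sketch: the reentrant-lock protocol is the Dyck-style
# language of balanced acquire/release sequences -- context-free, not
# regular -- so checking a trace needs (at least) a counter.

def conforms(trace):
    """Check a sequence of API calls against the nesting protocol."""
    depth = 0
    for call in trace:
        if call == "acquire":
            depth += 1
        elif call == "release":
            if depth == 0:            # release without a matching acquire
                return False
            depth -= 1
    return depth == 0                 # every acquire must be released

print(conforms(["acquire", "acquire", "release", "release"]))  # True
print(conforms(["release", "acquire"]))                        # False
```

The paper's setting is harder than this check: the call sequences come from an over-approximating CFG abstraction of the program, and inclusion in the specification language must be established for all of them at once.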

Flatt, Oliver 
POPL '21: "egg: Fast and Extensible Equality ..."
egg: Fast and Extensible Equality Saturation
Max Willsey, Chandrakana Nandi, Yisu Remy Wang, Oliver Flatt, Zachary Tatlock, and Pavel Panchekha (University of Washington, USA; University of Utah, USA) An e-graph efficiently represents a congruence relation over many expressions. Although e-graphs were originally developed in the late 1970s for use in automated theorem provers, a more recent technique known as equality saturation repurposes them to implement state-of-the-art, rewrite-driven compiler optimizations and program synthesizers. However, e-graphs remain unspecialized for this newer use case. Equality saturation workloads exhibit distinct characteristics and often require ad hoc e-graph extensions to incorporate transformations beyond purely syntactic rewrites. This work contributes two techniques that make e-graphs fast and extensible, specializing them to equality saturation. A new amortized invariant restoration technique called rebuilding takes advantage of equality saturation's distinct workload, providing asymptotic speedups over current techniques in practice. A general mechanism called e-class analyses integrates domain-specific analyses into the e-graph, reducing the need for ad hoc manipulation. We implemented these techniques in a new open-source library called egg. Our case studies on three previously published applications of equality saturation highlight how egg's performance and flexibility enable state-of-the-art results across diverse domains. @Article{POPL21p23, author = {Max Willsey and Chandrakana Nandi and Yisu Remy Wang and Oliver Flatt and Zachary Tatlock and Pavel Panchekha}, title = {egg: Fast and Extensible Equality Saturation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {23}, numpages = {29}, doi = {10.1145/3434304}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
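To make the rebuilding idea concrete, here is a toy e-graph sketch in Python (illustrative only; egg itself is a Rust library, and all class and method names below are ours). Merges only update a union-find, and a separate rebuild pass restores the congruence invariant afterwards, in the deferred style the abstract describes.

```python
# Toy e-graph: nodes are (op, child_class_ids); a union-find tracks merged
# e-classes, and rebuild() restores congruence after a batch of merges.

class EGraph:
    def __init__(self):
        self.parent = {}       # union-find over e-class ids
        self.hashcons = {}     # canonical node -> e-class id
        self.nodes = []        # every (node, class_id) ever added
        self.next_id = 0

    def find(self, c):
        while self.parent[c] != c:
            self.parent[c] = self.parent[self.parent[c]]  # path compression
            c = self.parent[c]
        return c

    def canon(self, node):
        op, kids = node
        return (op, tuple(self.find(k) for k in kids))

    def add(self, op, kids=()):
        node = self.canon((op, tuple(kids)))
        if node in self.hashcons:
            return self.hashcons[node]
        cid = self.next_id
        self.next_id += 1
        self.parent[cid] = cid
        self.hashcons[node] = cid
        self.nodes.append((node, cid))
        return cid

    def merge(self, a, b):
        a, b = self.find(a), self.find(b)
        if a != b:
            self.parent[b] = a  # congruence repair is deferred to rebuild()

    def rebuild(self):
        # Re-canonicalize every node; congruent nodes now collide in the
        # hashcons, forcing their e-classes to merge, until a fixpoint.
        changed = True
        while changed:
            changed = False
            new_hashcons = {}
            for node, cid in self.nodes:
                n = self.canon(node)
                cid = self.find(cid)
                if n in new_hashcons and new_hashcons[n] != cid:
                    self.merge(new_hashcons[n], cid)
                    changed = True
                else:
                    new_hashcons[n] = cid
            self.hashcons = new_hashcons

# f(a) and f(b) become equal once a = b is asserted and congruence is restored:
eg = EGraph()
a, b = eg.add("a"), eg.add("b")
fa, fb = eg.add("f", [a]), eg.add("f", [b])
eg.merge(a, b)
eg.rebuild()
print(eg.find(fa) == eg.find(fb))  # True
```

Batching the repair is the point: many merges can be applied cheaply before a single rebuild pass, which is what gives egg its amortized speedups on equality-saturation workloads.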

Flückiger, Olivier 
POPL '21: "Formally Verified Speculation ..."
Formally Verified Speculation and Deoptimization in a JIT Compiler
Aurèle Barrière, Sandrine Blazy, Olivier Flückiger, David Pichardie, and Jan Vitek (University of Rennes, France; Inria, France; CNRS, France; IRISA, France; Northeastern University, USA; Czech Technical University, Czechia) Just-in-time compilers for dynamic languages routinely generate code under assumptions that may be invalidated at runtime; this allows program code to be specialized to the common case in order to avoid unnecessary overheads due to uncommon cases. This form of software speculation requires support for deoptimization when some of the assumptions fail to hold. This paper presents a model just-in-time compiler with an intermediate representation that makes explicit the synchronization points used for deoptimization and the assumptions made by the compiler's speculation. We also present several common compiler optimizations that can leverage speculation to generate improved code. The optimizations are proved correct with the help of a proof assistant. While our work stops short of proving native code generation, we demonstrate how one could use the verified optimizations to obtain significant speedups in an end-to-end setting. @Article{POPL21p46, author = {Aurèle Barrière and Sandrine Blazy and Olivier Flückiger and David Pichardie and Jan Vitek}, title = {Formally Verified Speculation and Deoptimization in a JIT Compiler}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {46}, numpages = {26}, doi = {10.1145/3434327}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Foster, Nate 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus over-approximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Gaboardi, Marco 
POPL '21: "A Unifying Type-Theory for ..."
A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis
Vineet Rajani, Marco Gaboardi, Deepak Garg, and Jan Hoffmann (MPI-SP, Germany; Boston University, USA; MPI-SWS, Germany; Carnegie Mellon University, USA) This paper presents λamor, a new type-theoretic framework for amortized cost analysis of higher-order functional programs, and shows that existing type systems for cost analysis can be embedded in it. λamor introduces a new modal type for representing potentials: costs that have been accounted for, but not yet incurred, which are central to amortized analysis. Additionally, λamor relies on standard type-theoretic concepts like affineness, refinement types, and an indexed cost monad. λamor is proved sound using a rather simple logical relation. We embed two existing type systems for cost analysis in λamor, showing that, despite its simplicity, λamor can simulate cost analysis for different evaluation strategies (call-by-name and call-by-value), in different styles (effect-based and coeffect-based), and with or without amortization. One of the embeddings also implies that λamor is relatively complete for all terminating PCF programs. @Article{POPL21p27, author = {Vineet Rajani and Marco Gaboardi and Deepak Garg and Jan Hoffmann}, title = {A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {27}, numpages = {28}, doi = {10.1145/3434308}, year = {2021}, } Publisher's Version 

Garcia, Ronald 
POPL '21: "Abstracting Gradual Typing ..."
Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient
Felipe Bañados Schwerter, Alison M. Clark, Khurram A. Jafery, and Ronald Garcia (University of British Columbia, Canada; Amazon, Canada) Abstracting Gradual Typing (AGT) is a systematic approach to designing gradually-typed languages. Languages developed using AGT automatically satisfy the formal semantic criteria for gradual languages identified by Siek et al. Nonetheless, vanilla AGT semantics can still have important shortcomings. First, a gradual language's runtime checks should preserve the space-efficiency guarantees inherent to the underlying static and dynamic languages. To the contrary, the default operational semantics of AGT break proper tail calls. Second, a gradual language's runtime checks should enforce basic modular type-based invariants expected from the static type discipline. To the contrary, the default operational semantics of AGT may fail to enforce some invariants in surprising ways. We demonstrate this in the GTFL_{≲} language of Garcia et al. This paper addresses both problems at once by refining the theory underlying AGT's dynamic checks. Garcia et al. observe that AGT involves two abstractions of static types: one for the static semantics and one for the dynamic semantics. We recast the latter as an abstract interpretation of subtyping itself, while gradual types still abstract static types. Then we show how forward-completeness (Giacobazzi and Quintarelli) is key to supporting both space-efficient execution and reliable runtime type enforcement. @Article{POPL21p61, author = {Felipe Bañados Schwerter and Alison M. Clark and Khurram A. Jafery and Ronald Garcia}, title = {Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {61}, numpages = {28}, doi = {10.1145/3434342}, year = {2021}, } Publisher's Version 

Garg, Deepak 
POPL '21: "A Unifying Type-Theory for ..."
A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis
Vineet Rajani, Marco Gaboardi, Deepak Garg, and Jan Hoffmann (MPI-SP, Germany; Boston University, USA; MPI-SWS, Germany; Carnegie Mellon University, USA) This paper presents λamor, a new type-theoretic framework for amortized cost analysis of higher-order functional programs, and shows that existing type systems for cost analysis can be embedded in it. λamor introduces a new modal type for representing potentials: costs that have been accounted for, but not yet incurred, which are central to amortized analysis. Additionally, λamor relies on standard type-theoretic concepts like affineness, refinement types, and an indexed cost monad. λamor is proved sound using a rather simple logical relation. We embed two existing type systems for cost analysis in λamor, showing that, despite its simplicity, λamor can simulate cost analysis for different evaluation strategies (call-by-name and call-by-value), in different styles (effect-based and coeffect-based), and with or without amortization. One of the embeddings also implies that λamor is relatively complete for all terminating PCF programs. @Article{POPL21p27, author = {Vineet Rajani and Marco Gaboardi and Deepak Garg and Jan Hoffmann}, title = {A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {27}, numpages = {28}, doi = {10.1145/3434308}, year = {2021}, } Publisher's Version 

Georges, Aïna Linn 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Sander Huyghebaert, Dominique Devriese, and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature, and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities to make a previously-proposed secure calling convention efficient, and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional 

Ghilezan, Silvia 
POPL '21: "Precise Subtyping for Asynchronous ..."
Precise Subtyping for Asynchronous Multiparty Sessions
Silvia Ghilezan, Jovanka Pantović, Ivan Prokić, Alceste Scalas, and Nobuko Yoshida (University of Novi Sad, Serbia; DTU, Denmark; Aston University, UK; Imperial College London, UK) Session subtyping is a cornerstone of refinement of communicating processes: a process implementing a session type (i.e., a communication protocol) T can be safely used whenever a process implementing one of its supertypes T′ is expected, in any context, without introducing deadlocks or other communication errors. As a consequence, whenever T ≤ T′ holds, it is safe to replace an implementation of T′ with an implementation of the subtype T, which may allow for more optimised communication patterns. We present the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., it guarantees safe process replacement, as outlined above) and also complete: any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). Previous work studies precise subtyping for binary sessions (with just two participants), or multiparty sessions (with any number of participants) and synchronous interaction. Here, we cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. In the asynchronous multiparty setting, finding the precise subtyping relation is a highly complex task: this is because, under some conditions, participants can permute the order of their inputs and outputs, by sending some messages earlier or receiving some later, without causing errors; the precise subtyping relation must capture all such valid permutations — and consequently, its formalisation, reasoning and proofs become challenging. 
Our session decomposition technique overcomes this complexity, expressing the subtyping relation as a composition of refinement relations between single input/output trees, and providing a simple reasoning principle for asynchronous message optimisations. @Article{POPL21p16, author = {Silvia Ghilezan and Jovanka Pantović and Ivan Prokić and Alceste Scalas and Nobuko Yoshida}, title = {Precise Subtyping for Asynchronous Multiparty Sessions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {16}, numpages = {28}, doi = {10.1145/3434297}, year = {2021}, } Publisher's Version 
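The input/output permutations described above can be illustrated with a toy simulation (not the paper's formal subtyping relation; participant names and the round-robin scheduler are hypothetical): two participants exchange messages over FIFO queues, and moving an output before an input, as an asynchronous subtype may, delivers the same messages without deadlock.

```python
from collections import deque

to_q, to_p = deque(), deque()  # one FIFO queue per direction

def run(p_steps, q_steps):
    """Round-robin scheduler; a step is ('send', queue, msg) or ('recv', queue).
    Returns the messages in the order they were received."""
    log, procs = [], [list(p_steps), list(q_steps)]
    while any(procs):
        progressed = False
        for proc in procs:
            if not proc:
                continue
            op = proc[0]
            if op[0] == 'send':
                op[1].append(op[2]); proc.pop(0); progressed = True
            elif op[1]:                      # recv blocks on an empty queue
                log.append(op[1].popleft()); proc.pop(0); progressed = True
        if not progressed:
            raise RuntimeError('deadlock')
    return log

# Protocol T': participant p receives x, then sends y.
orig = run([('recv', to_p), ('send', to_q, 'y')],
           [('send', to_p, 'x'), ('recv', to_q)])
# Refinement T: p sends y *before* receiving x, an output anticipated over
# an input -- the kind of permutation asynchronous subtyping allows.
opt = run([('send', to_q, 'y'), ('recv', to_p)],
          [('send', to_p, 'x'), ('recv', to_q)])
assert orig == opt == ['x', 'y']  # same messages delivered, no deadlock
```

The simulation only shows that one particular permutation is harmless; characterising all safe permutations is exactly the hard part the paper's decomposition technique addresses.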

Gleissenthall, Klaus von 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen , Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala , Dean Tullsen , and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient (i.e., possibly containing speculative secrets) or stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program.
Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
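Cutting all source-to-sink dataflow with a minimal number of protect placements can be sketched as a unit-capacity minimum cut (a plausible reading of "minimal number of protects"; Blade's actual synthesis works over its type system, and the def-use graph below is hypothetical):

```python
from collections import defaultdict

def min_cut_edges(edges, sources, sinks):
    """Minimum set of unit-capacity edges separating sources from sinks,
    computed by BFS-based max-flow on a graph with a super-source/super-sink."""
    cap = defaultdict(int)
    adj = defaultdict(set)
    def add(u, v, c=1):
        cap[(u, v)] += c
        adj[u].add(v); adj[v].add(u)
    for u, v in edges:
        add(u, v)
    big = len(edges) + 1  # super edges must never be the bottleneck
    for s in sources:
        add('SRC', s, big)
    for t in sinks:
        add(t, 'SNK', big)

    def bfs_path():
        parent, frontier = {'SRC': None}, ['SRC']
        while frontier:
            nxt = []
            for u in frontier:
                for v in adj[u]:
                    if v not in parent and cap[(u, v)] > 0:
                        parent[v] = u
                        if v == 'SNK':
                            return parent
                        nxt.append(v)
            frontier = nxt
        return None

    while (parent := bfs_path()) is not None:
        v = 'SNK'
        while parent[v] is not None:          # push one unit along the path
            u = parent[v]
            cap[(u, v)] -= 1; cap[(v, u)] += 1
            v = u

    seen, stack = {'SRC'}, ['SRC']            # residual reachability = cut side
    while stack:
        u = stack.pop()
        for v in adj[u]:
            if v not in seen and cap[(u, v)] > 0:
                seen.add(v); stack.append(v)
    return {(u, v) for u, v in edges if u in seen and v not in seen}

# Hypothetical def-use graph: two speculatively-loaded values flow into one
# index expression that reaches a cache-observable memory access (the sink).
flow = [('load_a', 'idx'), ('load_b', 'idx'), ('idx', 'mem_access')]
cut = min_cut_edges(flow, sources={'load_a', 'load_b'}, sinks={'mem_access'})
assert cut == {('idx', 'mem_access')}  # a single protect on 'idx' suffices
```

Here protecting the shared index cuts both leak paths at once, which is why a cut formulation can need fewer protects than fencing every source.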

Gondelman, Léon 
POPL '21: "Distributed Causal Memory: ..."
Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic
Léon Gondelman , Simon Oddershede Gregersen , Abel Nieto , Amin Timany , and Lars Birkedal (Aarhus University, Denmark) We present the first specification and verification of an implementation of a causally-consistent distributed database that supports modular verification of full functional correctness properties of clients and servers. We specify and reason about the causally-consistent distributed database in Aneris, a higher-order distributed separation logic for an ML-like programming language with network primitives for programming distributed systems. We demonstrate that our specifications are useful, by proving the correctness of small, but tricky, synthetic examples involving causal dependency and by verifying a session manager library implemented on top of the distributed database. We use Aneris's facilities for modular specification and verification to obtain a highly modular development, where each component is verified in isolation, relying only on the specifications (not the implementations) of other components. We have used the Coq formalization of the Aneris logic to formalize all the results presented in the paper in the Coq proof assistant. @Article{POPL21p42, author = {Léon Gondelman and Simon Oddershede Gregersen and Abel Nieto and Amin Timany and Lars Birkedal}, title = {Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {42}, numpages = {29}, doi = {10.1145/3434323}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Graulund, Christian Uldal 
POPL '21: "Diamonds Are Not Forever: ..."
Diamonds Are Not Forever: Liveness in Reactive Programming with Guarded Recursion
Patrick Bahr , Christian Uldal Graulund, and Rasmus Ejlers Møgelberg (IT University of Copenhagen, Denmark) When designing languages for functional reactive programming (FRP) the main challenge is to provide the user with a simple, flexible interface for writing programs on a high level of abstraction while ensuring that all programs can be implemented efficiently in a low-level language. To meet this challenge, a new family of modal FRP languages has been proposed, in which variants of Nakano's guarded fixed point operator are used for writing recursive programs guaranteeing properties such as causality and productivity. As an apparent extension to this it has also been suggested to use Linear Temporal Logic (LTL) as a language for reactive programming through the Curry-Howard isomorphism, allowing properties such as termination, liveness and fairness to be encoded in types. However, these two ideas are in conflict with each other, since the fixed point operator introduces nontermination into the inductive types that are supposed to provide termination guarantees. In this paper we show that by regarding the modal time step operator of LTL as a submodality of the one used for guarded recursion (rather than equating them), one can obtain a modal type system capable of expressing liveness properties while retaining the power of the guarded fixed point operator. We introduce the language Lively RaTT, a modal FRP language with a guarded fixed point operator and an `until' type constructor as in LTL, and show how to program with events and fair streams. Using a step-indexed Kripke logical relation we prove operational properties of Lively RaTT including productivity and causality as well as the termination and liveness properties expected of types from LTL. Finally, we prove that the type system of Lively RaTT guarantees the absence of implicit space leaks.
@Article{POPL21p2, author = {Patrick Bahr and Christian Uldal Graulund and Rasmus Ejlers Møgelberg}, title = {Diamonds Are Not Forever: Liveness in Reactive Programming with Guarded Recursion}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {2}, numpages = {28}, doi = {10.1145/3434283}, year = {2021}, } Publisher's Version 

Gregersen, Simon Oddershede 
POPL '21: "Distributed Causal Memory: ..."
Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic
Léon Gondelman , Simon Oddershede Gregersen , Abel Nieto , Amin Timany , and Lars Birkedal (Aarhus University, Denmark) We present the first specification and verification of an implementation of a causally-consistent distributed database that supports modular verification of full functional correctness properties of clients and servers. We specify and reason about the causally-consistent distributed database in Aneris, a higher-order distributed separation logic for an ML-like programming language with network primitives for programming distributed systems. We demonstrate that our specifications are useful, by proving the correctness of small, but tricky, synthetic examples involving causal dependency and by verifying a session manager library implemented on top of the distributed database. We use Aneris's facilities for modular specification and verification to obtain a highly modular development, where each component is verified in isolation, relying only on the specifications (not the implementations) of other components. We have used the Coq formalization of the Aneris logic to formalize all the results presented in the paper in the Coq proof assistant. @Article{POPL21p42, author = {Léon Gondelman and Simon Oddershede Gregersen and Abel Nieto and Amin Timany and Lars Birkedal}, title = {Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {42}, numpages = {29}, doi = {10.1145/3434323}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional POPL '21: "Mechanized Logical Relations ..." 
Mechanized Logical Relations for Termination-Insensitive Noninterference Simon Oddershede Gregersen , Johan Bay, Amin Timany , and Lars Birkedal (Aarhus University, Denmark) We present an expressive information-flow control type system with recursive types, existential types, label polymorphism, and impredicative type polymorphism for a higher-order programming language with higher-order state. We give a novel semantic model of this type system and show that well-typed programs satisfy termination-insensitive noninterference. Our semantic approach supports compositional integration of syntactically well-typed and syntactically ill-typed (but semantically sound) components, which we demonstrate through several interesting examples. We define our model using logical relations on top of the Iris program logic framework; to capture termination-insensitivity, we develop a novel language-agnostic theory of Modal Weakest Preconditions. We formalize all of our theory and examples in the Coq proof assistant. @Article{POPL21p10, author = {Simon Oddershede Gregersen and Johan Bay and Amin Timany and Lars Birkedal}, title = {Mechanized Logical Relations for Termination-Insensitive Noninterference}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {10}, numpages = {29}, doi = {10.1145/3434291}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional

Guéneau, Armaël 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges , Armaël Guéneau , Thomas Van Strydonck, Amin Timany , Alix Trieu , Sander Huyghebaert , Dominique Devriese , and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously-proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional

Gustafson, John 
POPL '21: "An Approach to Generate Correctly ..."
An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants
Jay P. Lim , Mridul Aanjaneya , John Gustafson, and Santosh Nagarakatte (Rutgers University, USA; National University of Singapore, Singapore) Given the importance of floating point (FP) performance in numerous domains, several new variants of FP and its alternatives have been proposed (e.g., Bfloat16, TensorFloat32, and posits). These representations do not have correctly rounded math libraries. Further, the use of existing FP libraries for these new representations can produce incorrect results. This paper proposes a novel approach for generating polynomial approximations that can be used to implement correctly rounded math libraries. Existing methods generate polynomials that approximate the real value of an elementary function 𝑓 (𝑥) and produce wrong results due to approximation errors and rounding errors in the implementation. In contrast, our approach generates polynomials that approximate the correctly rounded value of 𝑓 (𝑥) (i.e., the value of 𝑓 (𝑥) rounded to the target representation). It provides more margin to identify efficient polynomials that produce correctly rounded results for all inputs. We frame the problem of generating efficient polynomials that produce correctly rounded results as a linear programming problem. Using our approach, we have developed correctly rounded, yet faster, implementations of elementary functions for multiple target representations. @Article{POPL21p29, author = {Jay P. Lim and Mridul Aanjaneya and John Gustafson and Santosh Nagarakatte}, title = {An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {29}, numpages = {30}, doi = {10.1145/3434310}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
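The paper's central move, constraining the polynomial to the whole interval of values that round to the correctly rounded result and then solving a linear program, can be sketched on a toy fixed-point representation (the representation, sample points, and the vertex-enumeration LP solver below are illustrative assumptions, not the paper's actual machinery):

```python
import math
from itertools import combinations

# Toy target representation: fixed point with 3 fraction bits (multiples of
# 1/8), round-to-nearest with ties-to-even (Python's built-in round).
def rn(v):
    return round(v * 8) / 8

f = math.exp
xs = [0.0, 0.0625, 0.125, 0.1875, 0.25]

# Constrain P(x) to the whole interval of reals that rounds to rn(f(x)),
# rather than to a narrow band around the real value f(x).  Intervals are
# shrunk slightly so solutions stay strictly inside and dodge half-ulp ties.
EPS = 1e-6
constraints = [(x, rn(f(x)) - 1/16 + EPS, rn(f(x)) + 1/16 - EPS) for x in xs]

# Solve the 2-variable linear program "find (c0, c1) with lo <= c0 + c1*x <= hi
# for every constraint" by enumerating intersections of constraint boundaries.
def feasible(c0, c1):
    return all(lo - 1e-9 <= c0 + c1 * x <= hi + 1e-9 for x, lo, hi in constraints)

boundaries = [(x, b) for x, lo, hi in constraints for b in (lo, hi)]
for (x1, b1), (x2, b2) in combinations(boundaries, 2):
    if x1 == x2:
        continue  # parallel boundaries never intersect
    c1 = (b2 - b1) / (x2 - x1)
    c0 = b1 - c1 * x1
    if feasible(c0, c1):
        break
else:
    raise RuntimeError("no feasible degree-1 polynomial")

# The resulting polynomial produces the correctly rounded result for every input.
assert all(rn(c0 + c1 * x) == rn(f(x)) for x in xs)
```

Note that a degree-1 polynomial here is *not* a close approximation of exp in the usual sense; it only needs to land in each rounding interval, which is precisely the extra margin the abstract describes.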

Gutsfeld, Jens Oliver 
POPL '21: "Automata and Fixpoints for ..."
Automata and Fixpoints for Asynchronous Hyperproperties
Jens Oliver Gutsfeld , Markus Müller-Olm, and Christoph Ohrem (University of Münster, Germany) Hyperproperties have received increasing attention in the last decade due to their importance e.g. for security analyses. Past approaches have focussed on synchronous analyses, i.e. techniques in which different paths are compared lockstepwise. In this paper, we systematically study asynchronous analyses for hyperproperties by introducing both a novel automata model (Alternating Asynchronous Parity Automata) and the temporal fixpoint calculus H_{µ}, the first fixpoint calculus that can systematically express hyperproperties in an asynchronous manner and at the same time subsumes the existing logic HyperLTL. We show that the expressive power of both models coincides over fixed path assignments. The high expressive power of both models is evidenced by the fact that decision problems of interest are highly undecidable, i.e. not even arithmetical. As a remedy, we propose approximative analyses for both models that also induce natural decidable fragments. @Article{POPL21p38, author = {Jens Oliver Gutsfeld and Markus Müller-Olm and Christoph Ohrem}, title = {Automata and Fixpoints for Asynchronous Hyperproperties}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {38}, numpages = {29}, doi = {10.1145/3434319}, year = {2021}, } Publisher's Version

Hack, Sebastian 
POPL '21: "An Abstract Interpretation ..."
An Abstract Interpretation for SPMD Divergence on Reducible Control Flow Graphs
Julian Rosemann, Simon Moll, and Sebastian Hack (Saarland University, Germany) Vectorizing compilers employ divergence analysis to detect at which program point a specific variable is uniform, i.e. has the same value on all SPMD threads that execute this program point. They exploit uniformity to retain branching to counter branch divergence and defer computations to scalar processor units. Divergence is a hyperproperty and is closely related to noninterference and binding time. There exist several divergence, binding time, and noninterference analyses already but they either sacrifice precision or make significant restrictions to the syntactical structure of the program in order to achieve soundness. In this paper, we present the first abstract interpretation for uniformity that is general enough to be applicable to reducible CFGs and, at the same time, more precise than other analyses that achieve at least the same generality. Our analysis comes with a correctness proof that is to a large part mechanized in Coq. Our experimental evaluation shows that the compile time and the precision of our analysis are on par with LLVM's default divergence analysis, which is only sound on more restricted CFGs. At the same time, our analysis is faster and achieves better precision than a state-of-the-art noninterference analysis that is sound and at least as general as our analysis. @Article{POPL21p31, author = {Julian Rosemann and Simon Moll and Sebastian Hack}, title = {An Abstract Interpretation for SPMD Divergence on Reducible Control Flow Graphs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {31}, numpages = {31}, doi = {10.1145/3434312}, year = {2021}, } Publisher's Version Info Artifacts Functional
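A minimal sketch of uniformity propagation on straight-line code, assuming a two-point lattice and a hypothetical statement encoding; the paper's actual contribution, handling divergence induced by reducible control flow, is precisely what this sketch omits:

```python
# Two-point uniformity lattice: True = uniform (same value on every SPMD
# thread), False = possibly divergent.  'tid' is the canonical divergent input.
def analyze(stmts):
    uniform = {'tid': False}
    for dest, args in stmts:
        # A pure expression is uniform iff all of its operands are uniform;
        # unknown names (kernel parameters) are assumed uniform.
        uniform[dest] = all(uniform.get(a, True) for a in args)
    return uniform

env = analyze([
    ('n', ['size']),       # uniform kernel parameter
    ('i', ['tid', 'n']),   # depends on the thread id -> divergent
    ('c', ['n']),          # stays uniform
])
assert env == {'tid': False, 'n': True, 'i': False, 'c': True}
```

With branches, a variable assigned under a divergent condition can become divergent even if its operands are uniform; tracking that soundly and precisely on arbitrary reducible CFGs is the hard part the paper addresses.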

Hicks, Michael 
POPL '21: "A Verified Optimizer for Quantum ..."
A Verified Optimizer for Quantum Circuits
Kesha Hietala , Robert Rand , Shih-Han Hung , Xiaodi Wu , and Michael Hicks (University of Maryland, USA; University of Chicago, USA) We present VOQC, the first fully verified optimizer for quantum circuits, written using the Coq proof assistant. Quantum circuits are expressed as programs in a simple, low-level language called SQIR, a simple quantum intermediate representation, which is deeply embedded in Coq. Optimizations and other transformations are expressed as Coq functions, which are proved correct with respect to a semantics of SQIR programs. SQIR uses a semantics of matrices of complex numbers, which is the standard for quantum computation, but treats matrices symbolically in order to reason about programs that use an arbitrary number of quantum bits. SQIR's careful design and our provided automation make it possible to write and verify a broad range of optimizations in VOQC, including full-circuit transformations from cutting-edge optimizers. @Article{POPL21p37, author = {Kesha Hietala and Robert Rand and Shih-Han Hung and Xiaodi Wu and Michael Hicks}, title = {A Verified Optimizer for Quantum Circuits}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {37}, numpages = {29}, doi = {10.1145/3434318}, year = {2021}, } Publisher's Version Info Artifacts Functional

Hietala, Kesha 
POPL '21: "A Verified Optimizer for Quantum ..."
A Verified Optimizer for Quantum Circuits
Kesha Hietala , Robert Rand , Shih-Han Hung , Xiaodi Wu , and Michael Hicks (University of Maryland, USA; University of Chicago, USA) We present VOQC, the first fully verified optimizer for quantum circuits, written using the Coq proof assistant. Quantum circuits are expressed as programs in a simple, low-level language called SQIR, a simple quantum intermediate representation, which is deeply embedded in Coq. Optimizations and other transformations are expressed as Coq functions, which are proved correct with respect to a semantics of SQIR programs. SQIR uses a semantics of matrices of complex numbers, which is the standard for quantum computation, but treats matrices symbolically in order to reason about programs that use an arbitrary number of quantum bits. SQIR's careful design and our provided automation make it possible to write and verify a broad range of optimizations in VOQC, including full-circuit transformations from cutting-edge optimizers. @Article{POPL21p37, author = {Kesha Hietala and Robert Rand and Shih-Han Hung and Xiaodi Wu and Michael Hicks}, title = {A Verified Optimizer for Quantum Circuits}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {37}, numpages = {29}, doi = {10.1145/3434318}, year = {2021}, } Publisher's Version Info Artifacts Functional

Hirsch, Andrew K. 
POPL '21: "Giving Semantics to Program-Counter ..."
Giving Semantics to Program-Counter Labels via Secure Effects
Andrew K. Hirsch and Ethan Cecchetti (MPI-SWS, Germany; Cornell University, USA) Type systems designed for information-flow control commonly use a program-counter label to track the sensitivity of the context and rule out data leakage arising from effectful computation in a sensitive context. Currently, type-system designers reason about this label informally except in security proofs, where they use ad-hoc techniques. We develop a framework based on monadic semantics for effects to give semantics to program-counter labels. This framework leads to three results about program-counter labels. First, we develop a new proof technique for noninterference, the core security theorem for information-flow control in effectful languages. Second, we unify notions of security for different types of effects, including state, exceptions, and nontermination. Finally, we formalize the folklore that program-counter labels are a lower bound on effects. We show that, while not universally true, this folklore has a good semantic foundation. @Article{POPL21p35, author = {Andrew K. Hirsch and Ethan Cecchetti}, title = {Giving Semantics to Program-Counter Labels via Secure Effects}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {35}, numpages = {29}, doi = {10.1145/3434316}, year = {2021}, } Publisher's Version Info
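The role of the program-counter label can be sketched with a toy two-level checker (a standard textbook-style typing rule, not the paper's monadic semantics; the statement encoding and reference names are hypothetical): a write performed under a secret guard is rejected because the pc label taints the effect.

```python
# Two security levels: 'L' (public) may flow to 'H' (secret).
ORDER = {'L': 0, 'H': 1}
def lub(a, b): return a if ORDER[a] >= ORDER[b] else b
def flows(a, b): return ORDER[a] <= ORDER[b]

def check(stmt, pc='L', env=None):
    """True iff stmt is well-typed under program-counter label pc."""
    env = env if env is not None else {'secret': 'H', 'pub': 'L'}
    if stmt[0] == 'assign':            # ('assign', ref_name, expr_label)
        _, ref, e = stmt
        # The pc label taints every effect performed in this context.
        return flows(lub(e, pc), env[ref])
    if stmt[0] == 'if':                # ('if', guard_label, then_stmt, else_stmt)
        _, g, s1, s2 = stmt
        pc2 = lub(pc, g)               # branching on g raises the pc
        return check(s1, pc2, env) and check(s2, pc2, env)
    raise ValueError('unknown statement')

# Writing to a public reference is fine under a public guard...
ok = check(('if', 'L', ('assign', 'pub', 'L'), ('assign', 'secret', 'L')))
# ...but rejected under a secret guard: which branch ran would leak the guard.
bad = check(('if', 'H', ('assign', 'pub', 'L'), ('assign', 'secret', 'L')))
assert ok and not bad
```

The paper's question is what this pc label *means* semantically; the sketch only shows the informal rule that type-system designers currently apply.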

Hoffmann, Jan 
POPL '21: "Modeling and Analyzing Evaluation ..."
Modeling and Analyzing Evaluation Cost of CUDA Kernels
Stefan K. Muller and Jan Hoffmann (Illinois Institute of Technology, USA; Carnegie Mellon University, USA) General-purpose programming on GPUs (GPGPU) is becoming increasingly in vogue as applications such as machine learning and scientific computing demand high throughput in vector-parallel applications. NVIDIA's CUDA toolkit seeks to make GPGPU programming accessible by allowing programmers to write GPU functions, called kernels, in a small extension of C/C++. However, due to CUDA's complex execution model, the performance characteristics of CUDA kernels are difficult to predict, especially for novice programmers. This paper introduces a novel quantitative program logic for CUDA kernels, which allows programmers to reason about both functional correctness and resource usage of CUDA kernels, paying particular attention to a set of common but CUDA-specific performance bottlenecks. The logic is proved sound with respect to a novel operational cost semantics for CUDA kernels. The semantics, logic and soundness proofs are formalized in Coq. An inference algorithm based on LP solving automatically synthesizes symbolic resource bounds by generating derivations in the logic. This algorithm is the basis of RaCuda, an end-to-end resource-analysis tool for kernels, which has been implemented using an existing resource-analysis tool for imperative programs. An experimental evaluation on a suite of CUDA benchmarks shows that the analysis is effective in aiding the detection of performance bugs in CUDA kernels. @Article{POPL21p25, author = {Stefan K. Muller and Jan Hoffmann}, title = {Modeling and Analyzing Evaluation Cost of CUDA Kernels}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {25}, numpages = {31}, doi = {10.1145/3434306}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional POPL '21: "A Unifying Type-Theory for ..." 
A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis Vineet Rajani , Marco Gaboardi , Deepak Garg , and Jan Hoffmann (MPI-SP, Germany; Boston University, USA; MPI-SWS, Germany; Carnegie Mellon University, USA) This paper presents λamor, a new type-theoretic framework for amortized cost analysis of higher-order functional programs and shows that existing type systems for cost analysis can be embedded in it. λamor introduces a new modal type for representing potentials – costs that have been accounted for, but not yet incurred, which are central to amortized analysis. Additionally, λamor relies on standard type-theoretic concepts like affineness, refinement types and an indexed cost monad. λamor is proved sound using a rather simple logical relation. We embed two existing type systems for cost analysis in λamor showing that, despite its simplicity, λamor can simulate cost analysis for different evaluation strategies (call-by-name and call-by-value), in different styles (effect-based and coeffect-based), and with or without amortization. One of the embeddings also implies that λamor is relatively complete for all terminating PCF programs. @Article{POPL21p27, author = {Vineet Rajani and Marco Gaboardi and Deepak Garg and Jan Hoffmann}, title = {A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {27}, numpages = {28}, doi = {10.1145/3434308}, year = {2021}, } Publisher's Version

Hsu, Justin 
POPL '21: "A Pre-expectation Calculus ..."
A Pre-expectation Calculus for Probabilistic Sensitivity
Alejandro Aguirre , Gilles Barthe , Justin Hsu , Benjamin Lucien Kaminski, Joost-Pieter Katoen , and Christoph Matheja (IMDEA Software Institute, Spain; Universidad Politécnica de Madrid, Spain; MPI-SP, Germany; University of Wisconsin-Madison, USA; University College London, UK; RWTH Aachen University, Germany; ETH Zurich, Switzerland) Sensitivity properties describe how changes to the input of a program affect the output, typically by upper bounding the distance between the outputs of two runs by a monotone function of the distance between the corresponding inputs. When programs are probabilistic, the distance between outputs is a distance between distributions. The Kantorovich lifting provides a general way of defining a distance between distributions by lifting the distance of the underlying sample space; by choosing an appropriate distance on the base space, one can recover other usual probabilistic distances, such as the Total Variation distance. We develop a relational pre-expectation calculus to upper bound the Kantorovich distance between two executions of a probabilistic program. We illustrate our methods by proving algorithmic stability of a machine learning algorithm, convergence of a reinforcement learning algorithm, and fast mixing for card shuffling algorithms. We also consider some extensions: using our calculus to show convergence of Markov chains to the uniform distribution over states and an asynchronous extension to reason about pairs of program executions with different control flow. @Article{POPL21p52, author = {Alejandro Aguirre and Gilles Barthe and Justin Hsu and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {A Pre-expectation Calculus for Probabilistic Sensitivity}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {52}, numpages = {28}, doi = {10.1145/3434333}, year = {2021}, } Publisher's Version
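For reference, the Kantorovich lifting mentioned in the abstract has the following standard form (standard optimal-transport notation, not necessarily the paper's):

```latex
% Kantorovich lifting of a distance d on the underlying sample space to
% distributions, where \Gamma(\mu,\nu) is the set of couplings of \mu and \nu:
\mathcal{K}(d)(\mu,\nu) \;=\; \inf_{\gamma \in \Gamma(\mu,\nu)}
    \mathbb{E}_{(x,y)\sim\gamma}\,[\, d(x,y) \,]
% With the discrete metric d(x,y) = [x \neq y], this recovers the
% Total Variation distance: \mathcal{K}(d)(\mu,\nu) = \mathrm{TV}(\mu,\nu).
```

Choosing d to be a metric on program outputs then makes the lifted distance exactly the quantity the calculus upper bounds between two executions.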

Hu, Qinheping 
POPL '21: "Semantics-Guided Synthesis ..."
Semantics-Guided Synthesis
Jinwoo Kim , Qinheping Hu, Loris D'Antoni , and Thomas Reps (University of Wisconsin-Madison, USA) This paper develops a new framework for program synthesis, called semantics-guided synthesis (SemGuS), that allows a user to provide both the syntax and the semantics for the constructs in the language. SemGuS accepts a recursively defined big-step semantics, which allows it, for example, to be used to specify and solve synthesis problems over an imperative programming language that may contain loops with unbounded behavior. The customizable nature of SemGuS also allows synthesis problems to be defined over a non-standard semantics, such as an abstract semantics. In addition to the SemGuS framework, we develop an algorithm for solving SemGuS problems that is capable of both synthesizing programs and proving unrealizability, by encoding a SemGuS problem as a proof search over Constrained Horn Clauses: in particular, our approach is the first that we are aware of that can prove unrealizability for synthesis problems that involve imperative programs with unbounded loops, over an infinite syntactic search space. We implemented the technique in a tool called MESSY, and applied it to SyGuS problems (i.e., over expressions), synthesis problems over an imperative programming language, and synthesis problems over regular expressions. @Article{POPL21p30, author = {Jinwoo Kim and Qinheping Hu and Loris D'Antoni and Thomas Reps}, title = {Semantics-Guided Synthesis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {30}, numpages = {32}, doi = {10.1145/3434311}, year = {2021}, } Publisher's Version Artifacts Functional

Hung, Shih-Han 
POPL '21: "A Verified Optimizer for Quantum ..."
A Verified Optimizer for Quantum Circuits
Kesha Hietala , Robert Rand , Shih-Han Hung , Xiaodi Wu , and Michael Hicks (University of Maryland, USA; University of Chicago, USA) We present VOQC, the first fully verified optimizer for quantum circuits, written using the Coq proof assistant. Quantum circuits are expressed as programs in a simple, low-level language called SQIR, a simple quantum intermediate representation, which is deeply embedded in Coq. Optimizations and other transformations are expressed as Coq functions, which are proved correct with respect to a semantics of SQIR programs. SQIR uses a semantics of matrices of complex numbers, which is the standard for quantum computation, but treats matrices symbolically in order to reason about programs that use an arbitrary number of quantum bits. SQIR's careful design and our provided automation make it possible to write and verify a broad range of optimizations in VOQC, including full-circuit transformations from cutting-edge optimizers. @Article{POPL21p37, author = {Kesha Hietala and Robert Rand and Shih-Han Hung and Xiaodi Wu and Michael Hicks}, title = {A Verified Optimizer for Quantum Circuits}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {37}, numpages = {29}, doi = {10.1145/3434318}, year = {2021}, } Publisher's Version Info Artifacts Functional

Huyghebaert, Sander 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges , Armaël Guéneau , Thomas Van Strydonck, Amin Timany , Alix Trieu , Sander Huyghebaert , Dominique Devriese , and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously-proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional

Jacobs, Jules 
POPL '21: "Paradoxes of Probabilistic ..."
Paradoxes of Probabilistic Programming: And How to Condition on Events of Measure Zero with Infinitesimal Probabilities
Jules Jacobs (Radboud University Nijmegen, Netherlands; Delft University of Technology, Netherlands) Probabilistic programming languages allow programmers to write down conditional probability distributions that represent statistical and machine learning models as programs that use observe statements. These programs are run by accumulating likelihood at each observe statement, and using the likelihood to steer random choices and weigh results with inference algorithms such as importance sampling or MCMC. We argue that naive likelihood accumulation does not give desirable semantics and leads to paradoxes when an observe statement is used to condition on a measure-zero event, particularly when the observe statement is executed conditionally on random data. We show that the paradoxes disappear if we explicitly model measure-zero events as a limit of positive measure events, and that we can execute this type of probabilistic program by accumulating infinitesimal probabilities rather than probability densities. Our extension improves probabilistic programming languages as an executable notation for probability distributions by making them more well-behaved and more expressive, allowing the programmer to be explicit about which limit is intended when conditioning on an event of measure zero. @Article{POPL21p58, author = {Jules Jacobs}, title = {Paradoxes of Probabilistic Programming: And How to Condition on Events of Measure Zero with Infinitesimal Probabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {58}, numpages = {26}, doi = {10.1145/3434339}, year = {2021}, } Publisher's Version Artifacts Functional
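One instance of the kind of paradox described above can be reproduced numerically (a hedged sketch, not the paper's own example): when a random branch observes a continuous measurement, naive accumulation mixes a density with a probability, so the inferred posterior over the branch changes when the measurement is merely rescaled to different units.

```python
import math

def gaussian_pdf(x, mu, sigma):
    return math.exp(-((x - mu) ** 2) / (2 * sigma ** 2)) / (sigma * math.sqrt(2 * math.pi))

def posterior_heads(scale):
    """Naive likelihood accumulation: a fair coin chooses between observing
    a continuous measurement (weight = a density) and a discrete event
    (weight = a probability); the two kinds of weight are not comparable."""
    w_heads = 0.5 * gaussian_pdf(2.0 * scale, 1.0 * scale, 1.0 * scale)  # density
    w_tails = 0.5 * 0.25                                                 # probability
    return w_heads / (w_heads + w_tails)

print(posterior_heads(1.0))    # model stated in metres
print(posterior_heads(100.0))  # same model in centimetres: a different posterior
```

Rescaling the units shrinks the density by the scale factor while the discrete probability stays put, which is exactly the ill-behavedness that modelling the observation as a limit of positive-measure events avoids.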

Jacobs, Koen 
POPL '21: "Fully Abstract from Static ..."
Fully Abstract from Static to Gradual
Koen Jacobs, Amin Timany, and Dominique Devriese (KU Leuven, Belgium; Aarhus University, Denmark; Vrije Universiteit Brussel, Belgium) What is a good gradual language? Siek et al. have previously proposed the refined criteria, a set of formal ideas that characterize a range of guarantees typically expected from a gradual language. While these go a long way, they are mostly focused on syntactic and type safety properties and fail to characterize how richer semantic properties and reasoning principles that hold in the static language, like noninterference or parametricity for instance, should be upheld in the gradualization. In this paper, we investigate and argue for a new criterion previously hinted at by Devriese et al.: the embedding from the static to the gradual language should be fully abstract. Rather than preserving an arbitrarily chosen interpretation of source language types, this criterion requires that all source language equivalences are preserved. We demonstrate that the criterion weeds out erroneous gradualizations that nevertheless satisfy the refined criteria. At the same time, we demonstrate that the criterion is realistic by reporting on a mechanized proof that the property holds for a standard example: GTLC_{µ}, the natural gradualization of STLC_{µ}, the simply typed lambda calculus with equirecursive types. We argue thus that the criterion is useful for understanding, evaluating, and guiding the design of gradual languages, particularly those which are intended to preserve source language guarantees in a rich way. @Article{POPL21p7, author = {Koen Jacobs and Amin Timany and Dominique Devriese}, title = {Fully Abstract from Static to Gradual}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {7}, numpages = {30}, doi = {10.1145/3434288}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Jafery, Khurram A. 
POPL '21: "Abstracting Gradual Typing ..."
Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient
Felipe Bañados Schwerter, Alison M. Clark, Khurram A. Jafery, and Ronald Garcia (University of British Columbia, Canada; Amazon, Canada) Abstracting Gradual Typing (AGT) is a systematic approach to designing gradually-typed languages. Languages developed using AGT automatically satisfy the formal semantic criteria for gradual languages identified by Siek et al. Nonetheless, vanilla AGT semantics can still have important shortcomings. First, a gradual language's runtime checks should preserve the space-efficiency guarantees inherent to the underlying static and dynamic languages. To the contrary, the default operational semantics of AGT break proper tail calls. Second, a gradual language's runtime checks should enforce basic modular type-based invariants expected from the static type discipline. To the contrary, the default operational semantics of AGT may fail to enforce some invariants in surprising ways. We demonstrate this in the GTFL_{≲} language of Garcia et al. This paper addresses both problems at once by refining the theory underlying AGT's dynamic checks. Garcia et al. observe that AGT involves two abstractions of static types: one for the static semantics and one for the dynamic semantics. We recast the latter as an abstract interpretation of subtyping itself, while gradual types still abstract static types. Then we show how forward-completeness (Giacobazzi and Quintarelli) is key to supporting both space-efficient execution and reliable runtime type enforcement. @Article{POPL21p61, author = {Felipe Bañados Schwerter and Alison M. Clark and Khurram A. Jafery and Ronald Garcia}, title = {Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {61}, numpages = {28}, doi = {10.1145/3434342}, year = {2021}, } Publisher's Version

Jhala, Ranjit 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen, Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala, Dean Tullsen, and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets, or as being stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
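As a rough illustration of the source-to-sink view (this is only a reachability check, not Blade's min-cut synthesis of protect placements; the graph and names are hypothetical), one can ask whether any dataflow path connects a transient source to a cache-visible sink:

```python
from collections import defaultdict, deque

def speculative_leak(edges, sources, sinks):
    """Does any dataflow path lead from a transient source (e.g. a value
    speculatively loaded from memory) to a cache-visible sink (e.g. an
    address used by a later memory access)?  BFS over the def-use graph."""
    graph = defaultdict(list)
    for u, v in edges:
        graph[u].append(v)
    seen, queue = set(sources), deque(sources)
    while queue:
        for v in graph[queue.popleft()]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return bool(seen & set(sinks))

# x = a[i] (transient source); y = x + 1; b[y] (sink):
# leaks unless a protect cuts the path from x to b[y]
print(speculative_leak([("x", "y"), ("y", "b[y]")], {"x"}, {"b[y]"}))  # True
```

Blade's contribution is to place the fewest protects that make this check fail, by solving a min-cut problem on this graph.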

Jones, Eddie 
POPL '21: "Intensional Datatype Refinement: ..."
Intensional Datatype Refinement: With Application to Scalable Verification of Pattern-Match Safety
Eddie Jones and Steven Ramsay (University of Bristol, UK) The pattern-match safety problem is to verify that a given functional program will never crash due to non-exhaustive patterns in its function definitions. We present a refinement type system that can be used to solve this problem. The system extends ML-style type systems with algebraic datatypes by a limited form of structural subtyping and environment-level intersection. We describe a fully automatic, sound and complete type inference procedure for this system which, under reasonable assumptions, is worst-case linear-time in the program size. Compositionality is essential to obtaining this complexity guarantee. A prototype implementation for Haskell is able to analyse a selection of packages from the Hackage database in a few hundred milliseconds. @Article{POPL21p55, author = {Eddie Jones and Steven Ramsay}, title = {Intensional Datatype Refinement: With Application to Scalable Verification of Pattern-Match Safety}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {55}, numpages = {29}, doi = {10.1145/3434336}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
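A minimal, flat-pattern version of the underlying question can be stated in a few lines (an illustrative sketch only; the paper's refinement type system tracks which constructors can actually flow to each match site, compositionally and through nested patterns):

```python
def missing_cases(constructors, handled_patterns):
    """Which constructors of an algebraic datatype does a definition fail
    to cover?  A '_' wildcard pattern covers everything."""
    if "_" in handled_patterns:
        return []
    return sorted(set(constructors) - set(handled_patterns))

# head (Cons x _) = x   -- no equation for Nil: pattern-match unsafe
print(missing_cases({"Nil", "Cons"}, {"Cons"}))       # ['Nil']
print(missing_cases({"Nil", "Cons"}, {"Cons", "_"}))  # []
```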

Kaminski, Benjamin Lucien 
POPL '21: "Relatively Complete Verification ..."
Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning
Kevin Batz, Benjamin Lucien Kaminski, Joost-Pieter Katoen, and Christoph Matheja (RWTH Aachen University, Germany; University College London, UK; ETH Zurich, Switzerland) We study a syntax for specifying quantitative assertions—functions mapping program states to numbers—for probabilistic program verification. We prove that our syntax is expressive in the following sense: Given any probabilistic program C, if a function f is expressible in our syntax, then the function mapping each initial state σ to the expected value of f evaluated in the final states reached after termination of C on σ (also called the weakest preexpectation wp[C](f)) is also expressible in our syntax. As a consequence, we obtain a relatively complete verification system for reasoning about expected values and probabilities in the sense of Cook: Apart from proving a single inequality between two functions given by syntactic expressions in our language, given f, g, and C, we can check whether g ≼ wp[C](f). @Article{POPL21p39, author = {Kevin Batz and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {39}, numpages = {30}, doi = {10.1145/3434320}, year = {2021}, } Publisher's Version
POPL '21: "A Pre-expectation Calculus ..."
A Pre-expectation Calculus for Probabilistic Sensitivity
Alejandro Aguirre, Gilles Barthe, Justin Hsu, Benjamin Lucien Kaminski, Joost-Pieter Katoen, and Christoph Matheja (IMDEA Software Institute, Spain; Universidad Politécnica de Madrid, Spain; MPI-SP, Germany; University of Wisconsin-Madison, USA; University College London, UK; RWTH Aachen University, Germany; ETH Zurich, Switzerland) Sensitivity properties describe how changes to the input of a program affect the output, typically by upper bounding the distance between the outputs of two runs by a monotone function of the distance between the corresponding inputs. When programs are probabilistic, the distance between outputs is a distance between distributions. The Kantorovich lifting provides a general way of defining a distance between distributions by lifting the distance of the underlying sample space; by choosing an appropriate distance on the base space, one can recover other usual probabilistic distances, such as the Total Variation distance. We develop a relational pre-expectation calculus to upper bound the Kantorovich distance between two executions of a probabilistic program. We illustrate our methods by proving algorithmic stability of a machine learning algorithm, convergence of a reinforcement learning algorithm, and fast mixing for card shuffling algorithms. We also consider some extensions: using our calculus to show convergence of Markov chains to the uniform distribution over states and an asynchronous extension to reason about pairs of program executions with different control flow. @Article{POPL21p52, author = {Alejandro Aguirre and Gilles Barthe and Justin Hsu and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {A Pre-expectation Calculus for Probabilistic Sensitivity}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {52}, numpages = {28}, doi = {10.1145/3434333}, year = {2021}, } Publisher's Version
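The weakest preexpectation wp[C](f) at the heart of both entries above can be made concrete on a one-step program (a hedged sketch; `wp_choice` and the example program are illustrative, not taken from either paper): for a single probabilistic choice, wp is simply the probability-weighted average of the post-expectation f over the final states.

```python
from fractions import Fraction

def wp_choice(branches, f, state):
    """Weakest preexpectation of one probabilistic choice: the expected
    value of the post-expectation f over the final states.
    branches: list of (probability, state transformer) pairs."""
    return sum(p * f(t(state)) for p, t in branches)

# C: with probability 1/2 do x := x + 1, else do x := x + 2
C = [(Fraction(1, 2), lambda s: {**s, "x": s["x"] + 1}),
     (Fraction(1, 2), lambda s: {**s, "x": s["x"] + 2})]

f = lambda s: s["x"]              # post-expectation: final value of x
print(wp_choice(C, f, {"x": 0}))  # 3/2
```

Checking an inequality g ≼ wp[C](f) then amounts to comparing g(σ) against this value for every initial state σ, which is what the relatively complete proof system reduces verification to.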

Karimov, Toghrul 
POPL '21: "Deciding ω-Regular Properties ..."
Deciding ω-Regular Properties on Linear Recurrence Sequences
Shaull Almagor, Toghrul Karimov, Edon Kelmendi, Joël Ouaknine, and James Worrell (Technion, Israel; MPI-SWS, Germany; University of Oxford, UK) We consider the problem of deciding ω-regular properties on infinite traces produced by linear loops. Here we think of a given loop as producing a single infinite trace that encodes information about the signs of program variables at each time step. Formally, our main result is a procedure that inputs a prefix-independent ω-regular property and a sequence of numbers satisfying a linear recurrence, and determines whether the sign description of the sequence (obtained by replacing each positive entry with “+”, each negative entry with “−”, and each zero entry with “0”) satisfies the given property. Our procedure requires that the recurrence be simple, i.e., that the update matrix of the underlying loop be diagonalisable. This assumption is instrumental in proving our key technical lemma: namely that the sign description of a simple linear recurrence sequence is almost periodic in the sense of Muchnik, Sem'enov, and Ushakov. To complement this lemma, we give an example of a linear recurrence sequence whose sign description fails to be almost periodic. Generalising from sign descriptions, we also consider the verification of properties involving semi-algebraic predicates on program variables. @Article{POPL21p48, author = {Shaull Almagor and Toghrul Karimov and Edon Kelmendi and Joël Ouaknine and James Worrell}, title = {Deciding ω-Regular Properties on Linear Recurrence Sequences}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {48}, numpages = {24}, doi = {10.1145/3434329}, year = {2021}, } Publisher's Version
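The sign description itself is straightforward to compute for concrete instances. The sketch below (illustrative, using ASCII `+`/`-`/`0` for the symbols) generates it for a simple order-2 recurrence, i.e. one whose update matrix is diagonalisable; this example's sign description happens to be fully periodic.

```python
def sign_description(init, coeffs, n):
    """First n symbols of the sign description of the linear recurrence
    u_k = coeffs[0]*u_{k-1} + ... + coeffs[d-1]*u_{k-d}."""
    u, d = list(init), len(coeffs)
    while len(u) < n:
        u.append(sum(c * x for c, x in zip(coeffs, reversed(u[-d:]))))
    return "".join("+" if x > 0 else "-" if x < 0 else "0" for x in u[:n])

# u_k = u_{k-1} - u_{k-2}: the sequence 1, 1, 0, -1, -1, 0, 1, 1, ...
# (update matrix [[1, -1], [1, 0]] has distinct complex eigenvalues,
# so the recurrence is simple); the sign description has period 6.
print(sign_description([1, 1], [1, -1], 12))  # ++0--0++0--0
```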

Katoen, Joost-Pieter 
POPL '21: "Relatively Complete Verification ..."
Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning
Kevin Batz, Benjamin Lucien Kaminski, Joost-Pieter Katoen, and Christoph Matheja (RWTH Aachen University, Germany; University College London, UK; ETH Zurich, Switzerland) We study a syntax for specifying quantitative assertions—functions mapping program states to numbers—for probabilistic program verification. We prove that our syntax is expressive in the following sense: Given any probabilistic program C, if a function f is expressible in our syntax, then the function mapping each initial state σ to the expected value of f evaluated in the final states reached after termination of C on σ (also called the weakest preexpectation wp[C](f)) is also expressible in our syntax. As a consequence, we obtain a relatively complete verification system for reasoning about expected values and probabilities in the sense of Cook: Apart from proving a single inequality between two functions given by syntactic expressions in our language, given f, g, and C, we can check whether g ≼ wp[C](f). @Article{POPL21p39, author = {Kevin Batz and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {39}, numpages = {30}, doi = {10.1145/3434320}, year = {2021}, } Publisher's Version
POPL '21: "A Pre-expectation Calculus ..."
A Pre-expectation Calculus for Probabilistic Sensitivity
Alejandro Aguirre, Gilles Barthe, Justin Hsu, Benjamin Lucien Kaminski, Joost-Pieter Katoen, and Christoph Matheja (IMDEA Software Institute, Spain; Universidad Politécnica de Madrid, Spain; MPI-SP, Germany; University of Wisconsin-Madison, USA; University College London, UK; RWTH Aachen University, Germany; ETH Zurich, Switzerland) Sensitivity properties describe how changes to the input of a program affect the output, typically by upper bounding the distance between the outputs of two runs by a monotone function of the distance between the corresponding inputs. When programs are probabilistic, the distance between outputs is a distance between distributions. The Kantorovich lifting provides a general way of defining a distance between distributions by lifting the distance of the underlying sample space; by choosing an appropriate distance on the base space, one can recover other usual probabilistic distances, such as the Total Variation distance. We develop a relational pre-expectation calculus to upper bound the Kantorovich distance between two executions of a probabilistic program. We illustrate our methods by proving algorithmic stability of a machine learning algorithm, convergence of a reinforcement learning algorithm, and fast mixing for card shuffling algorithms. We also consider some extensions: using our calculus to show convergence of Markov chains to the uniform distribution over states and an asynchronous extension to reason about pairs of program executions with different control flow. @Article{POPL21p52, author = {Alejandro Aguirre and Gilles Barthe and Justin Hsu and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {A Pre-expectation Calculus for Probabilistic Sensitivity}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {52}, numpages = {28}, doi = {10.1145/3434333}, year = {2021}, } Publisher's Version

Kaysin, Ilya 
POPL '21: "PerSeVerE: Persistency Semantics ..."
PerSeVerE: Persistency Semantics for Verification under Ext4
Michalis Kokologiannakis, Ilya Kaysin, Azalea Raad, and Viktor Vafeiadis (MPI-SWS, Germany; National Research University Higher School of Economics, Russia; JetBrains Research, Russia; Imperial College London, UK) Although ubiquitous, modern filesystems have rather complex behaviours that are hardly understood by programmers and lead to severe software bugs such as data corruption. As a first step to ensure correctness of software performing file I/O, we formalize the semantics of the Linux ext4 filesystem, which we integrate with the weak memory consistency semantics of C/C++. We further develop an effective model checking approach for verifying programs that use the filesystem. In doing so, we discover and report bugs in commonly-used text editors such as vim, emacs, and nano. @Article{POPL21p43, author = {Michalis Kokologiannakis and Ilya Kaysin and Azalea Raad and Viktor Vafeiadis}, title = {PerSeVerE: Persistency Semantics for Verification under Ext4}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {43}, numpages = {29}, doi = {10.1145/3434324}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional
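For context on the kind of application-level save path such editor bugs concern, here is a hedged sketch (not taken from the paper) of the conventional crash-safe file-update sequence on ext4: write a temporary file, fsync it, rename it over the original, then fsync the containing directory. Omitting any of these steps can leave a partial or empty file after a crash.

```python
import os

def atomic_write(path, data):
    """Crash-safe update: after a crash the file holds either the old or
    the new contents, never a partial write."""
    dirpath = os.path.dirname(os.path.abspath(path))
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())  # persist the new contents to stable storage
    os.rename(tmp, path)      # atomically switch names
    dfd = os.open(dirpath, os.O_RDONLY)
    try:
        os.fsync(dfd)         # persist the directory entry itself
    finally:
        os.close(dfd)
```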

Kelmendi, Edon 
POPL '21: "Deciding ω-Regular Properties ..."
Deciding ω-Regular Properties on Linear Recurrence Sequences
Shaull Almagor, Toghrul Karimov, Edon Kelmendi, Joël Ouaknine, and James Worrell (Technion, Israel; MPI-SWS, Germany; University of Oxford, UK) We consider the problem of deciding ω-regular properties on infinite traces produced by linear loops. Here we think of a given loop as producing a single infinite trace that encodes information about the signs of program variables at each time step. Formally, our main result is a procedure that inputs a prefix-independent ω-regular property and a sequence of numbers satisfying a linear recurrence, and determines whether the sign description of the sequence (obtained by replacing each positive entry with “+”, each negative entry with “−”, and each zero entry with “0”) satisfies the given property. Our procedure requires that the recurrence be simple, i.e., that the update matrix of the underlying loop be diagonalisable. This assumption is instrumental in proving our key technical lemma: namely that the sign description of a simple linear recurrence sequence is almost periodic in the sense of Muchnik, Sem'enov, and Ushakov. To complement this lemma, we give an example of a linear recurrence sequence whose sign description fails to be almost periodic. Generalising from sign descriptions, we also consider the verification of properties involving semi-algebraic predicates on program variables. @Article{POPL21p48, author = {Shaull Almagor and Toghrul Karimov and Edon Kelmendi and Joël Ouaknine and James Worrell}, title = {Deciding ω-Regular Properties on Linear Recurrence Sequences}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {48}, numpages = {24}, doi = {10.1145/3434329}, year = {2021}, } Publisher's Version

Khyzha, Artem 
POPL '21: "Taming x86-TSO Persistency ..."
Taming x86-TSO Persistency
Artem Khyzha and Ori Lahav (Tel Aviv University, Israel) We study the formal semantics of non-volatile memory in the x86-TSO architecture. We show that while the explicit persist operations in the recent model of Raad et al. from POPL'20 only enforce order between writes to the non-volatile memory, it is equivalent, in terms of reachable states, to a model whose explicit persist operations mandate that prior writes are actually written to the non-volatile memory. The latter provides a novel model that is much closer to common developers' understanding of persistency semantics. We further introduce a simpler and stronger sequentially consistent persistency model, develop a sound mapping from this model to x86, and establish a data-race-freedom guarantee providing programmers with a safe programming discipline. Our operational models are accompanied with equivalent declarative formulations, which facilitate our formal arguments, and may prove useful for program verification under x86 persistency. @Article{POPL21p47, author = {Artem Khyzha and Ori Lahav}, title = {Taming x86-TSO Persistency}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {47}, numpages = {29}, doi = {10.1145/3434328}, year = {2021}, } Publisher's Version

Kıcı, Rami Gökhan 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen, Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala, Dean Tullsen, and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets, or as being stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Kim, Jinwoo 
POPL '21: "Semantics-Guided Synthesis ..."
Semantics-Guided Synthesis
Jinwoo Kim, Qinheping Hu, Loris D'Antoni, and Thomas Reps (University of Wisconsin-Madison, USA) This paper develops a new framework for program synthesis, called semantics-guided synthesis (SemGuS), that allows a user to provide both the syntax and the semantics for the constructs in the language. SemGuS accepts a recursively defined big-step semantics, which allows it, for example, to be used to specify and solve synthesis problems over an imperative programming language that may contain loops with unbounded behavior. The customizable nature of SemGuS also allows synthesis problems to be defined over a non-standard semantics, such as an abstract semantics. In addition to the SemGuS framework, we develop an algorithm for solving SemGuS problems that is capable of both synthesizing programs and proving unrealizability, by encoding a SemGuS problem as a proof search over Constrained Horn Clauses: in particular, our approach is the first that we are aware of that can prove unrealizability for synthesis problems that involve imperative programs with unbounded loops, over an infinite syntactic search space. We implemented the technique in a tool called MESSY, and applied it to SyGuS problems (i.e., over expressions), synthesis problems over an imperative programming language, and synthesis problems over regular expressions. @Article{POPL21p30, author = {Jinwoo Kim and Qinheping Hu and Loris D'Antoni and Thomas Reps}, title = {Semantics-Guided Synthesis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {30}, numpages = {32}, doi = {10.1145/3434311}, year = {2021}, } Publisher's Version Artifacts Functional

Kokologiannakis, Michalis 
POPL '21: "PerSeVerE: Persistency Semantics ..."
PerSeVerE: Persistency Semantics for Verification under Ext4
Michalis Kokologiannakis, Ilya Kaysin, Azalea Raad, and Viktor Vafeiadis (MPI-SWS, Germany; National Research University Higher School of Economics, Russia; JetBrains Research, Russia; Imperial College London, UK) Although ubiquitous, modern filesystems have rather complex behaviours that are hardly understood by programmers and lead to severe software bugs such as data corruption. As a first step to ensure correctness of software performing file I/O, we formalize the semantics of the Linux ext4 filesystem, which we integrate with the weak memory consistency semantics of C/C++. We further develop an effective model checking approach for verifying programs that use the filesystem. In doing so, we discover and report bugs in commonly-used text editors such as vim, emacs, and nano. @Article{POPL21p43, author = {Michalis Kokologiannakis and Ilya Kaysin and Azalea Raad and Viktor Vafeiadis}, title = {PerSeVerE: Persistency Semantics for Verification under Ext4}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {43}, numpages = {29}, doi = {10.1145/3434324}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional

Krebbers, Robbert 
POPL '21: "Intrinsically Typed Compilation ..."
Intrinsically Typed Compilation with Nameless Labels
Arjen Rouvoet, Robbert Krebbers, and Eelco Visser (Delft University of Technology, Netherlands; Radboud University Nijmegen, Netherlands) To avoid compilation errors it is desirable to verify that a compiler is type correct—i.e., given well-typed source code, it always outputs well-typed target code. This can be done intrinsically by implementing it as a function in a dependently typed programming language, such as Agda. This function manipulates data types of well-typed source and target programs, and is therefore type correct by construction. A key challenge in implementing an intrinsically typed compiler is the representation of labels in bytecode. Because label names are global, bytecode typing appears to be inherently a non-compositional, whole-program property. The individual operations of the compiler do not preserve this property, forcing the programmer to reason about labels and spoiling the compiler definition with proof terms. In this paper, we address this problem using a new nameless and co-contextual representation of typed global label binding, which is compositional. Our key idea is to use linearity to ensure that all labels are defined exactly once. To write concise compilers that manipulate programs in our representation, we develop a linear, dependently typed, shallowly embedded language in Agda, based on separation logic. We show that this language enables the concise specification and implementation of intrinsically typed operations on bytecode, culminating in an intrinsically typed compiler for a language with structured control flow. @Article{POPL21p22, author = {Arjen Rouvoet and Robbert Krebbers and Eelco Visser}, title = {Intrinsically Typed Compilation with Nameless Labels}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {22}, numpages = {28}, doi = {10.1145/3434303}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Krishnaswami, Neel 
POPL '21: "Transfinite Step-Indexing ..."
Transfinite Step-Indexing for Termination
Simon Spies, Neel Krishnaswami, and Derek Dreyer (MPI-SWS, Germany; University of Cambridge, UK) Step-indexed logical relations are an extremely useful technique for building operational-semantics-based models and program logics for realistic, richly-typed programming languages. They have proven to be indispensable for modeling features like higher-order state, which many languages support but which were difficult to accommodate using traditional denotational models. However, the conventional wisdom is that, because they only support reasoning about finite traces of computation, (unary) step-indexed models are only good for proving safety properties like “well-typed programs don’t go wrong”. There has consequently been very little work on using step-indexing to establish liveness properties, in particular termination. In this paper, we show that step-indexing can in fact be used to prove termination of well-typed programs—even in the presence of dynamically-allocated, shared, mutable, higher-order state—so long as one’s type system enforces disciplined use of such state. Specifically, we consider a language with asynchronous channels, inspired by promises in JavaScript, in which higher-order state is used to implement communication, and linearity is used to ensure termination. The key to our approach is to generalize from natural number step-indexing to transfinite step-indexing, which enables us to compute termination bounds for program expressions in a compositional way. Although transfinite step-indexing has been proposed previously, we are the first to apply this technique to reasoning about termination in the presence of higher-order state. @Article{POPL21p13, author = {Simon Spies and Neel Krishnaswami and Derek Dreyer}, title = {Transfinite Step-Indexing for Termination}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {13}, numpages = {29}, doi = {10.1145/3434294}, year = {2021}, } Publisher's Version Info

Krogmeier, Paul 
POPL '21: "Deciding Accuracy of Differential ..."
Deciding Accuracy of Differential Privacy Schemes
Gilles Barthe , Rohit Chadha, Paul Krogmeier , A. Prasad Sistla, and Mahesh Viswanathan (MPI-SP, Germany; University of Missouri, USA; University of Illinois at Urbana-Champaign, USA; University of Illinois at Chicago, USA) Differential privacy is a mathematical framework for developing statistical computations with provable guarantees of privacy and accuracy. In contrast to the privacy component of differential privacy, which has a clear mathematical and intuitive meaning, the accuracy component of differential privacy does not have a generally accepted definition; accuracy claims of differential privacy algorithms vary from algorithm to algorithm and are not instantiations of a general definition. We identify program discontinuity as a common theme in existing ad hoc definitions and introduce an alternative notion of accuracy parametrized by a quantity we define for an input x w.r.t. a deterministic computation f and a distance d: the minimal distance d(x,y) over all y such that f(y) ≠ f(x). We show that our notion of accuracy subsumes the definition used in theoretical computer science, and captures known accuracy claims for differential privacy algorithms. In fact, our general notion of accuracy helps us prove better claims in some cases. Next, we study the decidability of accuracy. We first show that accuracy is in general undecidable. Then, we define a nontrivial class of probabilistic computations for which accuracy is decidable (unconditionally, or assuming Schanuel’s conjecture). We implement our decision procedure and experimentally evaluate the effectiveness of our approach for generating proofs or counterexamples of accuracy for common algorithms from the literature. @Article{POPL21p8, author = {Gilles Barthe and Rohit Chadha and Paul Krogmeier and A. Prasad Sistla and Mahesh Viswanathan}, title = {Deciding Accuracy of Differential Privacy Schemes}, journal = {Proc. ACM Program.
Lang.}, volume = {5}, number = {POPL}, articleno = {8}, numpages = {30}, doi = {10.1145/3434289}, year = {2021}, } Publisher's Version Artifacts Functional 
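The input-distance quantity in the abstract has a direct finite-domain illustration. The sketch below (hypothetical names, not from the paper's artifact) computes, for an input x, the minimal distance d(x,y) over all y in a finite domain with f(y) ≠ f(x), using a toy threshold function as the deterministic computation f.

```python
def distance_to_disagreement(f, x, domain, d):
    """Minimal d(x, y) over all y in `domain` with f(y) != f(x);
    infinite if f is constant on the domain (no disagreeing input)."""
    dists = [d(x, y) for y in domain if f(y) != f(x)]
    return min(dists) if dists else float("inf")

# Toy deterministic computation: a threshold test over a small integer domain.
above5 = lambda v: v >= 5
dist = lambda a, b: abs(a - b)
```

For x = 3 over the domain 0..10, the nearest disagreeing input is y = 5, at distance 2; inputs near such a discontinuity are exactly where accuracy claims become delicate.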

Kumar, K. Narayan 
POPL '21: "Deciding Reachability under ..."
Deciding Reachability under Persistent x86-TSO
Parosh Aziz Abdulla , Mohamed Faouzi Atig , Ahmed Bouajjani , K. Narayan Kumar , and Prakash Saivasan (Uppsala University, Sweden; University of Paris, France; Chennai Mathematical Institute, India; CNRS UMI ReLaX, India; Institute of Mathematical Sciences, India) We address the reachability problem for programs running under the formal model Px86, defined recently by Raad et al. in POPL'20 for the persistent Intel x86 architecture. We prove that this problem is decidable. To achieve that, we provide a new formal model that is equivalent to Px86 and that has the feature of being a well-structured system. Deriving this new model is the result of a deep investigation of the properties of Px86 and the interplay of its components. @Article{POPL21p56, author = {Parosh Aziz Abdulla and Mohamed Faouzi Atig and Ahmed Bouajjani and K. Narayan Kumar and Prakash Saivasan}, title = {Deciding Reachability under Persistent x86-TSO}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {56}, numpages = {32}, doi = {10.1145/3434337}, year = {2021}, } Publisher's Version

Kuperberg, Denis 
POPL '21: "Cyclic Proofs, System T, and ..."
Cyclic Proofs, System T, and the Power of Contraction
Denis Kuperberg , Laureline Pinault, and Damien Pous (University of Lyon, France; CNRS, France; ENS Lyon, France; Claude Bernard University Lyon 1, France; LIP, France) We study a cyclic proof system C over regular expression types, inspired by linear logic and non-wellfounded proof theory. Proofs in C can be seen as strongly typed goto programs. We show that they denote computable total functions and we analyse the relative strength of C and Gödel’s system T. In the general case, we prove that the two systems capture the same functions on natural numbers. In the affine case, i.e., when contraction is removed, we prove that they capture precisely the primitive recursive functions—providing an alternative and more general proof of a result by Dal Lago, about an affine version of system T. Without contraction, we manage to give a direct and uniform encoding of C into T, by analysing cycles and translating them into explicit recursions. Whether such a direct and uniform translation from C to T can be given in the presence of contraction remains open. We obtain the two upper bounds on the expressivity of C using a different technique: we formalise weak normalisation of a small-step reduction semantics in subsystems of second-order arithmetic: ACA_{0} and RCA_{0}. @Article{POPL21p1, author = {Denis Kuperberg and Laureline Pinault and Damien Pous}, title = {Cyclic Proofs, System T, and the Power of Contraction}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {1}, numpages = {28}, doi = {10.1145/3434282}, year = {2021}, } Publisher's Version

Lahav, Ori 
POPL '21: "Verifying Observational Robustness ..."
Verifying Observational Robustness against a C11-Style Memory Model
Roy Margalit and Ori Lahav (Tel Aviv University, Israel) We study the problem of verifying the robustness of concurrent programs against a C11-style memory model that includes relaxed accesses and release/acquire accesses and fences, and show that this verification problem can be reduced to a standard reachability problem under sequential consistency. We further observe that existing robustness notions do not allow the verification of programs that use speculative reads as in the sequence lock mechanism, and introduce a novel "observational robustness" property that fills this gap. In turn, we show how to soundly check for observational robustness. We have implemented our method and applied it to several challenging concurrent algorithms, demonstrating the applicability of our approach. To the best of our knowledge, this is the first method for verifying robustness against a programming language concurrency model that includes relaxed accesses and release/acquire fences. @Article{POPL21p4, author = {Roy Margalit and Ori Lahav}, title = {Verifying Observational Robustness against a C11-Style Memory Model}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {4}, numpages = {33}, doi = {10.1145/3434285}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional POPL '21: "Taming x86-TSO Persistency ..." Taming x86-TSO Persistency Artem Khyzha and Ori Lahav (Tel Aviv University, Israel) We study the formal semantics of non-volatile memory in the x86-TSO architecture. We show that while the explicit persist operations in the recent model of Raad et al. from POPL'20 only enforce order between writes to the non-volatile memory, it is equivalent, in terms of reachable states, to a model whose explicit persist operations mandate that prior writes are actually written to the non-volatile memory. The latter provides a novel model that is much closer to common developers' understanding of persistency semantics.
We further introduce a simpler and stronger sequentially consistent persistency model, develop a sound mapping from this model to x86, and establish a data-race-freedom guarantee providing programmers with a safe programming discipline. Our operational models are accompanied by equivalent declarative formulations, which facilitate our formal arguments, and may prove useful for program verification under x86 persistency. @Article{POPL21p47, author = {Artem Khyzha and Ori Lahav}, title = {Taming x86-TSO Persistency}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {47}, numpages = {29}, doi = {10.1145/3434328}, year = {2021}, } Publisher's Version

Lee, Woosuk 
POPL '21: "Combining the TopDown Propagation ..."
Combining the Top-Down Propagation and Bottom-Up Enumeration for Inductive Program Synthesis
Woosuk Lee (Hanyang University, South Korea) We present an effective method for scalable and general-purpose inductive program synthesis. There have been two main approaches for inductive synthesis: enumerative search, which repeatedly enumerates possible candidate programs, and the top-down propagation (TDP), which recursively decomposes a given large synthesis problem into smaller subproblems. Enumerative search is generally applicable but limited in scalability, and the TDP is efficient but only works for special grammars or applications. In this paper, we synergistically combine the two approaches. We generate small program subexpressions via enumerative search and put them together into the desired program by using the TDP. Enumerative search brings the power of the TDP to arbitrary grammars, and the TDP helps to overcome the limited scalability of enumerative search. We apply our approach to a standard formulation, syntax-guided synthesis (SyGuS), thereby supporting a broad class of inductive synthesis problems. We have implemented our approach in a tool called Duet and evaluate it on SyGuS benchmark problems from various domains. We show that Duet achieves significant performance gains over existing general-purpose as well as domain-specific synthesizers. @Article{POPL21p54, author = {Woosuk Lee}, title = {Combining the Top-Down Propagation and Bottom-Up Enumeration for Inductive Program Synthesis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {54}, numpages = {28}, doi = {10.1145/3434335}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
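The bottom-up enumeration half of the combination can be sketched in a few lines: enumerate expressions of a toy grammar by increasing size, prune candidates that behave identically on the given examples (observational equivalence), and stop when one matches. This is a generic illustration of enumerative search, not Duet's actual algorithm or grammar.

```python
from itertools import product

def bottom_up_synthesize(examples, max_size=7):
    """Enumerate expressions of the toy grammar E ::= x | 1 | (E + E) | (E * E)
    by size, pruning candidates that agree on all examples."""
    inputs = [i for i, _ in examples]
    outputs = [o for _, o in examples]
    by_size = {1: [("x", tuple(inputs)), ("1", tuple(1 for _ in inputs))]}
    seen = {vals for _, vals in by_size[1]}
    for expr, vals in by_size[1]:
        if list(vals) == outputs:
            return expr
    for size in range(2, max_size + 1):
        by_size[size] = []
        for left in range(1, size - 1):
            right = size - 1 - left
            for (le, lv), (re, rv) in product(by_size[left], by_size[right]):
                for op, f in (("+", lambda a, b: a + b), ("*", lambda a, b: a * b)):
                    vals = tuple(f(a, b) for a, b in zip(lv, rv))
                    if vals in seen:
                        continue  # observational-equivalence pruning
                    seen.add(vals)
                    expr = f"({le} {op} {re})"
                    if list(vals) == outputs:
                        return expr
                    by_size[size].append((expr, vals))
    return None
```

The pruning step is what keeps pure enumeration usable at all; the paper's point is that even with such pruning, enumeration alone does not scale, which is where the TDP decomposition comes in.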

Leroy, Xavier 
POPL '21: "Verified Code Generation for ..."
Verified Code Generation for the Polyhedral Model
Nathanaël Courant and Xavier Leroy (Inria, France; Collège de France, France; PSL University, France) The polyhedral model is a high-level intermediate representation for loop nests that elegantly supports a great many loop optimizations. In a compiler, after polyhedral loop optimizations have been performed, it is necessary and difficult to regenerate sequential or parallel loop nests before continuing compilation. This paper reports on the formalization and proof of semantic preservation of such a code generator that produces sequential code from a polyhedral representation. The formalization and proofs are mechanized using the Coq proof assistant. @Article{POPL21p40, author = {Nathanaël Courant and Xavier Leroy}, title = {Verified Code Generation for the Polyhedral Model}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {40}, numpages = {24}, doi = {10.1145/3434321}, year = {2021}, } Publisher's Version

Li, Yuanbo 
POPL '21: "On the Complexity of Bidirected ..."
On the Complexity of Bidirected Interleaved Dyck-Reachability
Yuanbo Li , Qirun Zhang , and Thomas Reps (Georgia Institute of Technology, USA; University of Wisconsin-Madison, USA) Many program analyses need to reason about pairs of matching actions, such as call/return, lock/unlock, or setfield/getfield. The family of Dyck languages {D_{k}}, where D_{k} has k kinds of parenthesis pairs, can be used to model matching actions as balanced parentheses. Consequently, many program-analysis problems can be formulated as Dyck-reachability problems on edge-labeled digraphs. Interleaved Dyck-reachability (InterDyck-reachability), denoted by D_{k} ⊙ D_{k}-reachability, is a natural extension of Dyck-reachability that allows one to formulate program-analysis problems that involve multiple kinds of matching-action pairs. Unfortunately, the general InterDyck-reachability problem is undecidable. In this paper, we study variants of InterDyck-reachability on bidirected graphs, where for each edge ⟨ p, q ⟩ labeled by an open parenthesis ”(_{a}”, there is an edge ⟨ q, p ⟩ labeled by the corresponding close parenthesis ”)_{a}”, and vice versa. Language-reachability on a bidirected graph has proven to be useful both (1) in its own right, as a way to formalize many program-analysis problems, such as pointer analysis, and (2) as a relaxation method that uses a fast algorithm to overapproximate language-reachability on a directed graph. However, unlike its directed counterpart, the complexity of bidirected InterDyck-reachability still remains open. We establish the first decidable variant (i.e., D_{1} ⊙ D_{1}-reachability) of bidirected InterDyck-reachability. In D_{1} ⊙ D_{1}-reachability, each of the two Dyck languages is restricted to have only a single kind of parenthesis pair. In particular, we show that the bidirected D_{1} ⊙ D_{1} problem is in PTIME. We also show that when one extends each Dyck language to involve k different kinds of parentheses (i.e., D_{k} ⊙ D_{k}-reachability with k ≥ 2), the problem is NP-hard (and therefore much harder).
We have implemented the polynomial-time algorithm for bidirected D_{1} ⊙ D_{1}-reachability. Bidirected D_{1} ⊙ D_{1}-reachability provides a new over-approximation method for bidirected D_{k} ⊙ D_{k}-reachability, in the sense that D_{k} ⊙ D_{k}-reachability can first be relaxed to bidirected D_{1} ⊙ D_{1}-reachability, and then the resulting bidirected D_{1} ⊙ D_{1}-reachability problem is solved precisely. We compare this D_{1} ⊙ D_{1}-reachability-based approach against another known overapproximating D_{k} ⊙ D_{k}-reachability algorithm. Surprisingly, we found that the overapproximation approach based on bidirected D_{1} ⊙ D_{1}-reachability computes more precise solutions, even though the D_{1} ⊙ D_{1} formalism is inherently less expressive than the D_{k} ⊙ D_{k} formalism. @Article{POPL21p59, author = {Yuanbo Li and Qirun Zhang and Thomas Reps}, title = {On the Complexity of Bidirected Interleaved Dyck-Reachability}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {59}, numpages = {28}, doi = {10.1145/3434340}, year = {2021}, } Publisher's Version
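As a concrete reminder of the formalism: membership in a Dyck language D_k is just a stack check over k kinds of parentheses, and Dyck-reachability asks whether some path between two nodes spells such a balanced word. The membership check (a small illustration, not the paper's reachability algorithm) looks like:

```python
def in_dyck(word):
    """Check that `word`, a sequence of (kind, is_open) parenthesis symbols,
    is balanced, i.e., belongs to the Dyck language over its kinds."""
    stack = []
    for kind, is_open in word:
        if is_open:
            stack.append(kind)
        elif not stack or stack.pop() != kind:
            return False  # close with no matching open of the same kind
    return not stack      # every open must have been closed
```

For D_1 ⊙ D_1, a path label must be balanced with respect to each of the two bracket alphabets independently; it is this interleaving of two matching disciplines that makes the general problem undecidable.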

Lim, Jay P. 
POPL '21: "An Approach to Generate Correctly ..."
An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants
Jay P. Lim , Mridul Aanjaneya , John Gustafson, and Santosh Nagarakatte (Rutgers University, USA; National University of Singapore, Singapore) Given the importance of floating point (FP) performance in numerous domains, several new variants of FP and its alternatives have been proposed (e.g., Bfloat16, TensorFloat32, and posits). These representations do not have correctly rounded math libraries. Further, the use of existing FP libraries for these new representations can produce incorrect results. This paper proposes a novel approach for generating polynomial approximations that can be used to implement correctly rounded math libraries. Existing methods generate polynomials that approximate the real value of an elementary function 𝑓 (𝑥) and produce wrong results due to approximation errors and rounding errors in the implementation. In contrast, our approach generates polynomials that approximate the correctly rounded value of 𝑓 (𝑥) (i.e., the value of 𝑓 (𝑥) rounded to the target representation). It provides more margin to identify efficient polynomials that produce correctly rounded results for all inputs. We frame the problem of generating efficient polynomials that produce correctly rounded results as a linear programming problem. Using our approach, we have developed correctly rounded, yet faster, implementations of elementary functions for multiple target representations. @Article{POPL21p29, author = {Jay P. Lim and Mridul Aanjaneya and John Gustafson and Santosh Nagarakatte}, title = {An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {29}, numpages = {30}, doi = {10.1145/3434310}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
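The distinction between approximating the real value and approximating the correctly rounded value can be made concrete with a toy rounding helper. The sketch below (an illustration, not the paper's tool) rounds a double to the nearest value with a k-bit significand, a crude stand-in for a small target format such as Bfloat16; a generated polynomial is correct exactly when its double-precision result rounds to the same target value as the rounded mathematical result. Real formats additionally need exponent limits, subnormals, and special values.

```python
import math

def round_to_k_bits(x, k):
    """Round x to the nearest value with a k-bit significand
    (round-to-nearest, ties-to-even via Python's round)."""
    if x == 0.0 or math.isinf(x) or math.isnan(x):
        return x
    m, e = math.frexp(x)                       # x = m * 2**e, 0.5 <= |m| < 1
    return math.ldexp(round(m * (1 << k)), e - k)
```

For example, 1/3 rounded to an 8-bit significand is 171/512: any polynomial whose double output also rounds to 171/512 is "correct" for this input, which is the extra margin the paper's linear-programming formulation exploits.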

Loregian, Fosco 
POPL '21: "Functorial Semantics for Partial ..."
Functorial Semantics for Partial Theories
Ivan Di Liberti, Fosco Loregian, Chad Nester, and Paweł Sobociński (Czech Academy of Sciences, Czechia; Tallinn University of Technology, Estonia) We provide a Lawvere-style definition for partial theories, extending the classical notion of equational theory by allowing partially defined operations. As in the classical case, our definition is syntactic: we use an appropriate class of string diagrams as terms. This allows for equational reasoning about the class of models defined by a partial theory. We demonstrate the expressivity of such equational theories by considering a number of examples, including partial combinatory algebras and cartesian closed categories. Moreover, despite the increase in expressivity of the syntax, we retain a well-behaved notion of semantics: we show that our categories of models are precisely locally finitely presentable categories, and that free models exist. @Article{POPL21p57, author = {Ivan Di Liberti and Fosco Loregian and Chad Nester and Paweł Sobociński}, title = {Functorial Semantics for Partial Theories}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {57}, numpages = {28}, doi = {10.1145/3434338}, year = {2021}, } Publisher's Version

Majumdar, Rupak 
POPL '21: "ContextBounded Verification ..."
Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs
Pascal Baumann , Rupak Majumdar , Ramanathan S. Thinniyam , and Georg Zetzsche (MPI-SWS, Germany) We study context-bounded verification of liveness properties of multithreaded, shared-memory programs, where each thread can spawn additional threads. Our main result shows that context-bounded fair termination is decidable for the model; context-bounded means that each spawned thread can be context switched a fixed constant number of times. Our proof is technical, since fair termination requires reasoning about the composition of unboundedly many threads each with unboundedly large stacks. In fact, techniques for related problems, which depend crucially on replacing the pushdown threads with finite-state threads, are not applicable. Instead, we introduce an extension of vector addition systems with states (VASS), called VASS with balloons (VASSB), as an intermediate model; it is an infinite-state model of independent interest. A VASSB allows tokens that are themselves markings (balloons). We show that context-bounded fair termination reduces to fair termination for VASSB. We show the latter problem is decidable by showing a series of reductions: from fair termination to configuration reachability for VASSB and thence to the reachability problem for VASS. For a lower bound, fair termination is known to be non-elementary already in the special case where threads run to completion (no context switches). We also show that the simpler problem of context-bounded termination is 2EXPSPACE-complete, matching the complexity bound (and indeed the techniques) for safety verification. Additionally, we show the related problem of fair starvation, which checks if some thread can be starved along a fair run, is also decidable in the context-bounded case. The decidability employs an intricate reduction from fair starvation to fair termination. Like fair termination, this problem is also non-elementary. @Article{POPL21p44, author = {Pascal Baumann and Rupak Majumdar and Ramanathan S.
Thinniyam and Georg Zetzsche}, title = {Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {44}, numpages = {31}, doi = {10.1145/3434325}, year = {2021}, } Publisher's Version

Margalit, Roy 
POPL '21: "Verifying Observational Robustness ..."
Verifying Observational Robustness against a C11-Style Memory Model
Roy Margalit and Ori Lahav (Tel Aviv University, Israel) We study the problem of verifying the robustness of concurrent programs against a C11-style memory model that includes relaxed accesses and release/acquire accesses and fences, and show that this verification problem can be reduced to a standard reachability problem under sequential consistency. We further observe that existing robustness notions do not allow the verification of programs that use speculative reads as in the sequence lock mechanism, and introduce a novel "observational robustness" property that fills this gap. In turn, we show how to soundly check for observational robustness. We have implemented our method and applied it to several challenging concurrent algorithms, demonstrating the applicability of our approach. To the best of our knowledge, this is the first method for verifying robustness against a programming language concurrency model that includes relaxed accesses and release/acquire fences. @Article{POPL21p4, author = {Roy Margalit and Ori Lahav}, title = {Verifying Observational Robustness against a C11-Style Memory Model}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {4}, numpages = {33}, doi = {10.1145/3434285}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Martin, Eric Mark 
POPL '21: "On the Semantic Expressiveness ..."
On the Semantic Expressiveness of Recursive Types
Marco Patrignani , Eric Mark Martin, and Dominique Devriese (Stanford University, USA; CISPA, Germany; Vrije Universiteit Brussel, Belgium) Recursive types extend the simply-typed lambda calculus (STLC) with the additional expressive power to enable diverging computation and to encode recursive datatypes (e.g., lists). Two formulations of recursive types exist: iso-recursive and equi-recursive. The relative advantages of iso- and equi-recursion are well studied when it comes to their impact on type inference. However, the relative semantic expressiveness of the two formulations remains unclear so far. This paper studies the semantic expressiveness of STLC with iso- and equi-recursive types, proving that these formulations are equally expressive. In fact, we prove that they are both as expressive as STLC with only term-level recursion. We phrase these equi-expressiveness results in terms of full abstraction of three canonical compilers between these three languages (STLC with iso-recursive types, with equi-recursive types, and with term-level recursion). Our choice of languages allows us to study expressiveness when interacting over both a simply-typed and a recursively-typed interface. The three proofs all rely on a typed version of a proof technique called approximate back-translation. Together, our results show that there is no difference in semantic expressiveness between STLCs with iso- and equi-recursive types. In this paper, we focus on a simply-typed setting but we believe our results scale to more powerful type systems like System F. @Article{POPL21p21, author = {Marco Patrignani and Eric Mark Martin and Dominique Devriese}, title = {On the Semantic Expressiveness of Recursive Types}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {21}, numpages = {29}, doi = {10.1145/3434302}, year = {2021}, } Publisher's Version

Matheja, Christoph 
POPL '21: "Relatively Complete Verification ..."
Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning
Kevin Batz , Benjamin Lucien Kaminski , Joost-Pieter Katoen , and Christoph Matheja (RWTH Aachen University, Germany; University College London, UK; ETH Zurich, Switzerland) We study a syntax for specifying quantitative assertions—functions mapping program states to numbers—for probabilistic program verification. We prove that our syntax is expressive in the following sense: Given any probabilistic program C, if a function f is expressible in our syntax, then the function mapping each initial state σ to the expected value of f evaluated in the final states reached after termination of C on σ (also called the weakest preexpectation wp[C](f)) is also expressible in our syntax. As a consequence, we obtain a relatively complete verification system for reasoning about expected values and probabilities in the sense of Cook: given f, g, and C, checking whether g ≼ wp[C](f) reduces to proving a single inequality between two functions given by syntactic expressions in our language. @Article{POPL21p39, author = {Kevin Batz and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {Relatively Complete Verification of Probabilistic Programs: An Expressive Language for Expectation-Based Reasoning}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {39}, numpages = {30}, doi = {10.1145/3434320}, year = {2021}, } Publisher's Version POPL '21: "A Preexpectation Calculus ..."
A Preexpectation Calculus for Probabilistic Sensitivity Alejandro Aguirre , Gilles Barthe , Justin Hsu , Benjamin Lucien Kaminski, Joost-Pieter Katoen , and Christoph Matheja (IMDEA Software Institute, Spain; Universidad Politécnica de Madrid, Spain; MPI-SP, Germany; University of Wisconsin-Madison, USA; University College London, UK; RWTH Aachen University, Germany; ETH Zurich, Switzerland) Sensitivity properties describe how changes to the input of a program affect the output, typically by upper bounding the distance between the outputs of two runs by a monotone function of the distance between the corresponding inputs. When programs are probabilistic, the distance between outputs is a distance between distributions. The Kantorovich lifting provides a general way of defining a distance between distributions by lifting the distance of the underlying sample space; by choosing an appropriate distance on the base space, one can recover other usual probabilistic distances, such as the Total Variation distance. We develop a relational preexpectation calculus to upper bound the Kantorovich distance between two executions of a probabilistic program. We illustrate our methods by proving algorithmic stability of a machine learning algorithm, convergence of a reinforcement learning algorithm, and fast mixing for card shuffling algorithms. We also consider some extensions: using our calculus to show convergence of Markov chains to the uniform distribution over states and an asynchronous extension to reason about pairs of program executions with different control flow. @Article{POPL21p52, author = {Alejandro Aguirre and Gilles Barthe and Justin Hsu and Benjamin Lucien Kaminski and Joost-Pieter Katoen and Christoph Matheja}, title = {A Preexpectation Calculus for Probabilistic Sensitivity}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {52}, numpages = {28}, doi = {10.1145/3434333}, year = {2021}, } Publisher's Version

Mathiasen, Anders Alnor 
POPL '21: "The FineGrained and Parallel ..."
The Fine-Grained and Parallel Complexity of Andersen’s Pointer Analysis
Anders Alnor Mathiasen and Andreas Pavlogiannis (Aarhus University, Denmark) Pointer analysis is one of the fundamental problems in static program analysis. Given a set of pointers, the task is to produce a useful overapproximation of the memory locations that each pointer may point to at runtime. The most common formulation is Andersen’s Pointer Analysis (APA), defined as an inclusion-based set of m pointer constraints over a set of n pointers. Scalability is extremely important, as points-to information is a prerequisite to many other components in the static-analysis pipeline. Existing algorithms solve APA in O(n^{2}· m) time, while it has been conjectured that the problem has no truly subcubic algorithm, with a proof so far having remained elusive. It is also well-known that APA can be solved in O(n^{2}) time under certain sparsity conditions that hold naturally in some settings. Besides these simple bounds, the complexity of the problem has remained poorly understood. In this work we draw a rich fine-grained and parallel complexity landscape of APA, and present upper and lower bounds. First, we establish an O(n^{3}) upper bound for general APA, improving over O(n^{2}· m) as n=O(m). Second, we show that even on-demand APA (“may a specific pointer a point to a specific location b?”) has an Ω(n^{3}) (combinatorial) lower bound under standard complexity-theoretic hypotheses. This formally establishes the long-conjectured “cubic bottleneck” of APA, and shows that our O(n^{3})-time algorithm is optimal. Third, we show that under mild restrictions, APA is solvable in Õ(n^{ω}) time, where ω<2.373 is the matrix-multiplication exponent. It is believed that ω=2+o(1), in which case this bound becomes quadratic. Fourth, we show that under such restrictions, even the on-demand problem has an Ω(n^{2}) lower bound under standard complexity-theoretic hypotheses, and hence our algorithm is optimal when ω=2+o(1).
Fifth, we study the parallelizability of APA and establish lower and upper bounds: (i) in general, the problem is P-complete and hence unlikely to be parallelizable, whereas (ii) under mild restrictions, the problem is parallelizable. Our theoretical treatment formalizes several insights that can lead to practical improvements in the future. @Article{POPL21p34, author = {Anders Alnor Mathiasen and Andreas Pavlogiannis}, title = {The Fine-Grained and Parallel Complexity of Andersen’s Pointer Analysis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {34}, numpages = {29}, doi = {10.1145/3434315}, year = {2021}, } Publisher's Version
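For reference, the problem whose complexity the paper maps out can be stated as a naive inclusion-constraint fixpoint. The sketch below is the textbook formulation of the four standard Andersen constraint forms (not the paper's algorithms), iterated to a fixed point; this naive loop is exactly the cubic-style baseline the paper's bounds speak to.

```python
def andersen(variables, addr_of=(), copy=(), load=(), store=()):
    """Naive Andersen-style points-to fixpoint.
    addr_of: (p, x) means p ⊇ {x}     copy:  (p, q) means p ⊇ q
    load:    (p, q) means p ⊇ *q      store: (p, q) means *p ⊇ q"""
    pts = {v: set() for v in variables}
    for p, x in addr_of:
        pts[p].add(x)
    changed = True
    while changed:
        changed = False
        edges = list(copy)
        edges += [(p, r) for p, q in load for r in pts[q]]   # p = *q
        edges += [(r, q) for p, q in store for r in pts[p]]  # *p = q
        for p, q in edges:
            new = pts[q] - pts[p]
            if new:
                pts[p] |= new
                changed = True
    return pts
```

Each round re-derives copy edges from the current points-to sets and propagates along them; production solvers replace this with worklists, cycle elimination, and shared bit-set representations.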

Mathur, Umang 
POPL '21: "Optimal Prediction of SynchronizationPreserving ..."
Optimal Prediction of Synchronization-Preserving Races
Umang Mathur , Andreas Pavlogiannis , and Mahesh Viswanathan (University of Illinois at Urbana-Champaign, USA; Aarhus University, Denmark) Concurrent programs are notoriously hard to write correctly, as scheduling nondeterminism introduces subtle errors that are both hard to detect and to reproduce. The most common concurrency errors are (data) races, which occur when memory-conflicting actions are executed concurrently. Consequently, considerable effort has been made towards developing efficient techniques for race detection. The most common approach is dynamic race prediction: given an observed, race-free trace σ of a concurrent program, the task is to decide whether events of σ can be correctly reordered to a trace σ^{*} that witnesses a race hidden in σ. In this work we introduce the notion of sync(hronization)-preserving races. A sync-preserving race occurs in σ when there is a witness σ^{*} in which synchronization operations (e.g., acquisition and release of locks) appear in the same order as in σ. This is a broad definition that strictly subsumes the famous notion of happens-before races. Our main results are as follows. First, we develop a sound and complete algorithm for predicting sync-preserving races. For moderate values of parameters like the number of threads, the algorithm runs in Õ(N) time and space, where N is the length of the trace σ. Second, we show that the problem has an Ω(N/log^{2} N) space lower bound, and thus our algorithm is essentially time and space optimal. Third, we show that predicting races with even just a single reversal of two sync operations is NP-complete and even W[1]-hard when parameterized by the number of threads. Thus, sync-preservation characterizes exactly the tractability boundary of race prediction, and our algorithm is nearly optimal for the tractable side. Our experiments show that our algorithm is fast in practice, while sync-preservation characterizes races often missed by state-of-the-art methods.
@Article{POPL21p36, author = {Umang Mathur and Andreas Pavlogiannis and Mahesh Viswanathan}, title = {Optimal Prediction of Synchronization-Preserving Races}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {36}, numpages = {29}, doi = {10.1145/3434317}, year = {2021}, } Publisher's Version Artifacts Functional
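Since sync-preserving races strictly subsume happens-before races, the classical vector-clock happens-before detector is a useful baseline to keep in mind. A compact sketch (illustrative only; this is the well-known HB detector, not the paper's sync-preserving algorithm) over traces of (thread, op, target) events:

```python
from collections import defaultdict

def hb_races(trace):
    """Report happens-before races in a trace of (thread, op, target) events,
    where op is 'read'/'write' on a variable or 'acq'/'rel' on a lock.
    Returns index pairs of conflicting, HB-unordered events."""
    vc = defaultdict(lambda: defaultdict(int))  # per-thread vector clocks
    lock_vc = defaultdict(dict)                 # clock snapshot at last release
    accesses = defaultdict(list)                # var -> (thread, snapshot, is_write, index)
    races = []
    for i, (t, op, x) in enumerate(trace):
        vc[t][t] += 1
        if op == "acq":                         # join the releasing thread's knowledge
            for u, c in lock_vc[x].items():
                vc[t][u] = max(vc[t][u], c)
        elif op == "rel":
            lock_vc[x] = dict(vc[t])
        else:
            for u, snap, w, j in accesses[x]:
                conflicting = u != t and (w or op == "write")
                if conflicting and snap[u] > vc[t][u]:  # prior access not HB-ordered before us
                    races.append((j, i))
            accesses[x].append((t, dict(vc[t]), op == "write", i))
    return races
```

Sync-preserving prediction is strictly more powerful: it may reorder non-synchronization events to expose races this HB check misses, while keeping lock operations in their observed order.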

Mazza, Damiano 
POPL '21: "Automatic Differentiation ..."
Automatic Differentiation in PCF
Damiano Mazza and Michele Pagani (CNRS, France; University of Paris, France) We study the correctness of automatic differentiation (AD) in the context of a higher-order, Turing-complete language (PCF with real numbers), both in forward and reverse mode. Our main result is that, under mild hypotheses on the primitive functions included in the language, AD is almost everywhere correct, that is, it computes the derivative or gradient of the program under consideration except for a set of Lebesgue measure zero. Stated otherwise, there are inputs on which AD is incorrect, but the probability of randomly choosing one such input is zero. Our result is in fact more precise, in that the set of failure points admits a more explicit description: for example, in case the primitive functions are just constants, addition and multiplication, the set of points where AD fails is contained in a countable union of zero sets of polynomials. @Article{POPL21p28, author = {Damiano Mazza and Michele Pagani}, title = {Automatic Differentiation in PCF}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {28}, numpages = {27}, doi = {10.1145/3434309}, year = {2021}, } Publisher's Version 
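The "almost everywhere correct" phenomenon this abstract describes can be seen concretely with forward-mode AD over dual numbers. This is a minimal sketch, not the paper's PCF development: a conditional program like relu gets a derivative from AD at every point, but at the isolated input x = 0 (a measure-zero set) the mathematical derivative does not exist:

```python
# Forward-mode AD via dual numbers: a value paired with its tangent.
# All class and function names here are invented for illustration.

class Dual:
    def __init__(self, val, dot=0.0):
        self.val, self.dot = val, dot
    def __add__(self, o):
        o = o if isinstance(o, Dual) else Dual(o)
        return Dual(self.val + o.val, self.dot + o.dot)
    __radd__ = __add__
    def __mul__(self, o):
        o = o if isinstance(o, Dual) else Dual(o)
        # product rule on the tangent component
        return Dual(self.val * o.val, self.dot * o.val + self.val * o.dot)
    __rmul__ = __mul__

def deriv(f, x):
    return f(Dual(x, 1.0)).dot

# relu written with a conditional, as a PCF-style program would be
def relu(x):
    return x if x.val > 0 else Dual(0.0) * x

print(deriv(lambda x: x * x + 3 * x, 2.0))  # 7.0
print(deriv(relu, 0.0))  # AD answers 0.0, but relu is not differentiable at 0
```

Away from 0, AD is correct for relu; the failure set is exactly the kind of measure-zero set the theorem bounds.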

Michel, Jesse 
POPL '21: "𝜆ₛ: Computable Semantics ..."
𝜆ₛ: Computable Semantics for Differentiable Programming with Higher-Order Functions and Datatypes
Benjamin Sherman, Jesse Michel, and Michael Carbin (Massachusetts Institute of Technology, USA) Deep learning is moving towards increasingly sophisticated optimization objectives that employ higher-order functions, such as integration, continuous optimization, and root-finding. Since differentiable programming frameworks such as PyTorch and TensorFlow do not have first-class representations of these functions, developers must reason about the semantics of such objectives and manually translate them to differentiable code. We present a differentiable programming language, λ_{S}, that is the first to deliver a semantics for higher-order functions, higher-order derivatives, and Lipschitz but non-differentiable functions. Together, these features enable λ_{S} to expose differentiable, higher-order functions for integration, optimization, and root-finding as first-class functions with automatically computed derivatives. λ_{S}’s semantics is computable, meaning that values can be computed to arbitrary precision, and we implement λ_{S} as an embedded language in Haskell. We use λ_{S} to construct novel differentiable libraries for representing probability distributions, implicit surfaces, and generalized parametric surfaces – all as instances of higher-order datatypes – and present case studies that rely on computing the derivatives of these higher-order functions and datatypes. In addition to modeling existing differentiable algorithms, such as a differentiable ray tracer for implicit surfaces, without requiring any user-level differentiation code, we demonstrate new differentiable algorithms, such as the Hausdorff distance of generalized parametric surfaces. @Article{POPL21p3, author = {Benjamin Sherman and Jesse Michel and Michael Carbin}, title = {𝜆ₛ: Computable Semantics for Differentiable Programming with Higher-Order Functions and Datatypes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {3}, numpages = {31}, doi = {10.1145/3434284}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Møgelberg, Rasmus Ejlers 
POPL '21: "Diamonds Are Not Forever: ..."
Diamonds Are Not Forever: Liveness in Reactive Programming with Guarded Recursion
Patrick Bahr , Christian Uldal Graulund, and Rasmus Ejlers Møgelberg (IT University of Copenhagen, Denmark) When designing languages for functional reactive programming (FRP) the main challenge is to provide the user with a simple, flexible interface for writing programs on a high level of abstraction while ensuring that all programs can be implemented efficiently in a low-level language. To meet this challenge, a new family of modal FRP languages has been proposed, in which variants of Nakano's guarded fixed point operator are used for writing recursive programs guaranteeing properties such as causality and productivity. As an apparent extension to this it has also been suggested to use Linear Temporal Logic (LTL) as a language for reactive programming through the Curry-Howard isomorphism, allowing properties such as termination, liveness and fairness to be encoded in types. However, these two ideas are in conflict with each other, since the fixed point operator introduces non-termination into the inductive types that are supposed to provide termination guarantees. In this paper we show that by regarding the modal time step operator of LTL as a submodality of the one used for guarded recursion (rather than equating them), one can obtain a modal type system capable of expressing liveness properties while retaining the power of the guarded fixed point operator. We introduce the language Lively RaTT, a modal FRP language with a guarded fixed point operator and an `until' type constructor as in LTL, and show how to program with events and fair streams. Using a step-indexed Kripke logical relation we prove operational properties of Lively RaTT including productivity and causality as well as the termination and liveness properties expected of types from LTL. Finally, we prove that the type system of Lively RaTT guarantees the absence of implicit space leaks. 
@Article{POPL21p2, author = {Patrick Bahr and Christian Uldal Graulund and Rasmus Ejlers Møgelberg}, title = {Diamonds Are Not Forever: Liveness in Reactive Programming with Guarded Recursion}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {2}, numpages = {28}, doi = {10.1145/3434283}, year = {2021}, } Publisher's Version 

Moll, Simon 
POPL '21: "An Abstract Interpretation ..."
An Abstract Interpretation for SPMD Divergence on Reducible Control Flow Graphs
Julian Rosemann, Simon Moll, and Sebastian Hack (Saarland University, Germany; NEC, Germany) Vectorizing compilers employ divergence analysis to detect at which program point a specific variable is uniform, i.e. has the same value on all SPMD threads that execute this program point. They exploit uniformity to retain branching to counter branch divergence and defer computations to scalar processor units. Divergence is a hyperproperty and is closely related to non-interference and binding time. There exist several divergence, binding time, and non-interference analyses already but they either sacrifice precision or make significant restrictions to the syntactical structure of the program in order to achieve soundness. In this paper, we present the first abstract interpretation for uniformity that is general enough to be applicable to reducible CFGs and, at the same time, more precise than other analyses that achieve at least the same generality. Our analysis comes with a correctness proof that is to a large part mechanized in Coq. Our experimental evaluation shows that the compile time and the precision of our analysis are on par with LLVM's default divergence analysis, which is only sound on more restricted CFGs. At the same time, our analysis is faster and achieves better precision than a state-of-the-art non-interference analysis that is sound and at least as general as our analysis. @Article{POPL21p31, author = {Julian Rosemann and Simon Moll and Sebastian Hack}, title = {An Abstract Interpretation for SPMD Divergence on Reducible Control Flow Graphs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {31}, numpages = {31}, doi = {10.1145/3434312}, year = {2021}, } Publisher's Version Info Artifacts Functional 
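The notion of uniformity the abstract describes can be made concrete with a toy two-point abstract domain. This sketch handles only straight-line code over an invented three-address IR; the paper's analysis additionally covers reducible CFGs and control-induced divergence, which are omitted here:

```python
# Toy uniformity analysis: two-point lattice uniform ⊑ varying,
# joined at each assignment. IR and names are hypothetical.

U, V = 'uniform', 'varying'

def join(a, b):
    """Least upper bound in the lattice {uniform ⊑ varying}."""
    return U if a == b == U else V

def analyze(stmts, init):
    """stmts: list of (dst, src1, src2); init: var -> U/V (e.g. tid is V)."""
    env = dict(init)
    for dst, a, b in stmts:
        # unknown operands default to uniform (e.g. literal constants)
        env[dst] = join(env.get(a, U), env.get(b, U))
    return env

# t = tid + 1 is varying (depends on the thread id); u = n * 2 stays uniform
env = analyze([('t', 'tid', 'one'), ('u', 'n', 'two')],
              {'tid': V, 'n': U, 'one': U, 'two': U})
print(env['t'], env['u'])  # varying uniform
```

A vectorizer would keep the branch on a uniform condition scalar and only mask or linearize control flow that depends on varying values.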

Mörtberg, Anders 
POPL '21: "Internalizing Representation ..."
Internalizing Representation Independence with Univalence
Carlo Angiuli , Evan Cavallo , Anders Mörtberg , and Max Zeuner (Carnegie Mellon University, USA; Stockholm University, Sweden) In their usual form, representation independence metatheorems provide an external guarantee that two implementations of an abstract interface are interchangeable when they are related by an operation-preserving correspondence. If our programming language is dependently typed, however, we would like to appeal to such invariance results within the language itself, in order to obtain correctness theorems for complex implementations by transferring them from simpler, related implementations. Recent work in proof assistants has shown that Voevodsky's univalence principle allows transferring theorems between isomorphic types, but many instances of representation independence in programming involve non-isomorphic representations. In this paper, we develop techniques for establishing internal relational representation independence results in dependent type theory, by using higher inductive types to simultaneously quotient two related implementation types by a heterogeneous correspondence between them. The correspondence becomes an isomorphism between the quotiented types, thereby allowing us to obtain an equality of implementations by univalence. We illustrate our techniques by considering applications to matrices, queues, and finite multisets. Our results are all formalized in Cubical Agda, a recent extension of Agda which supports univalence and higher inductive types in a computationally well-behaved way. @Article{POPL21p12, author = {Carlo Angiuli and Evan Cavallo and Anders Mörtberg and Max Zeuner}, title = {Internalizing Representation Independence with Univalence}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {12}, numpages = {30}, doi = {10.1145/3434293}, year = {2021}, } Publisher's Version Artifacts Functional 

Moy, Cameron 
POPL '21: "Corpse Reviver: Sound and ..."
Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification
Cameron Moy , Phúc C. Nguyễn, Sam Tobin-Hochstadt , and David Van Horn (Northeastern University, USA; University of Maryland, USA; Indiana University, USA) Gradually typed programming languages permit the incremental addition of static types to untyped programs. To remain sound, languages insert runtime checks at the boundaries between typed and untyped code. Unfortunately, performance studies have shown that the overhead of these checks can be disastrously high, calling into question the viability of sound gradual typing. In this paper, we show that by building on existing work on soft contract verification, we can reduce or eliminate this overhead. Our key insight is that while untyped code cannot be trusted by a gradual type system, there is no need to consider only the worst case when optimizing a gradually typed program. Instead, we statically analyze the untyped portions of a gradually typed program to prove that almost all of the dynamic checks implied by gradual type boundaries cannot fail, and can be eliminated at compile time. Our analysis is modular, and can be applied to any portion of a program. We evaluate this approach on a dozen existing gradually typed programs previously shown to have prohibitive performance overhead—with a median overhead of 2.5× and up to 80.6× in the worst case—and eliminate all overhead in most cases, suffering only 1.5× overhead in the worst case. @Article{POPL21p53, author = {Cameron Moy and Phúc C. Nguyễn and Sam Tobin-Hochstadt and David Van Horn}, title = {Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {53}, numpages = {28}, doi = {10.1145/3434334}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Muller, Stefan K. 
POPL '21: "Modeling and Analyzing Evaluation ..."
Modeling and Analyzing Evaluation Cost of CUDA Kernels
Stefan K. Muller and Jan Hoffmann (Illinois Institute of Technology, USA; Carnegie Mellon University, USA) General-purpose programming on GPUs (GPGPU) is becoming increasingly in vogue as applications such as machine learning and scientific computing demand high throughput in vector-parallel applications. NVIDIA's CUDA toolkit seeks to make GPGPU programming accessible by allowing programmers to write GPU functions, called kernels, in a small extension of C/C++. However, due to CUDA's complex execution model, the performance characteristics of CUDA kernels are difficult to predict, especially for novice programmers. This paper introduces a novel quantitative program logic for CUDA kernels, which allows programmers to reason about both functional correctness and resource usage of CUDA kernels, paying particular attention to a set of common but CUDA-specific performance bottlenecks. The logic is proved sound with respect to a novel operational cost semantics for CUDA kernels. The semantics, logic and soundness proofs are formalized in Coq. An inference algorithm based on LP solving automatically synthesizes symbolic resource bounds by generating derivations in the logic. This algorithm is the basis of RaCuda, an end-to-end resource-analysis tool for kernels, which has been implemented using an existing resource-analysis tool for imperative programs. An experimental evaluation on a suite of CUDA benchmarks shows that the analysis is effective in aiding the detection of performance bugs in CUDA kernels. @Article{POPL21p25, author = {Stefan K. Muller and Jan Hoffmann}, title = {Modeling and Analyzing Evaluation Cost of CUDA Kernels}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {25}, numpages = {31}, doi = {10.1145/3434306}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

MüllerOlm, Markus 
POPL '21: "Automata and Fixpoints for ..."
Automata and Fixpoints for Asynchronous Hyperproperties
Jens Oliver Gutsfeld , Markus Müller-Olm, and Christoph Ohrem (University of Münster, Germany) Hyperproperties have received increasing attention in the last decade due to their importance e.g. for security analyses. Past approaches have focussed on synchronous analyses, i.e. techniques in which different paths are compared in lockstep. In this paper, we systematically study asynchronous analyses for hyperproperties by introducing both a novel automata model (Alternating Asynchronous Parity Automata) and the temporal fixpoint calculus H_{µ}, the first fixpoint calculus that can systematically express hyperproperties in an asynchronous manner and at the same time subsumes the existing logic HyperLTL. We show that the expressive power of both models coincides over fixed path assignments. The high expressive power of both models is evidenced by the fact that decision problems of interest are highly undecidable, i.e. not even arithmetical. As a remedy, we propose approximative analyses for both models that also induce natural decidable fragments. @Article{POPL21p38, author = {Jens Oliver Gutsfeld and Markus Müller-Olm and Christoph Ohrem}, title = {Automata and Fixpoints for Asynchronous Hyperproperties}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {38}, numpages = {29}, doi = {10.1145/3434319}, year = {2021}, } Publisher's Version 

Nagarakatte, Santosh 
POPL '21: "An Approach to Generate Correctly ..."
An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants
Jay P. Lim , Mridul Aanjaneya , John Gustafson, and Santosh Nagarakatte (Rutgers University, USA; National University of Singapore, Singapore) Given the importance of floating point (FP) performance in numerous domains, several new variants of FP and its alternatives have been proposed (e.g., Bfloat16, TensorFloat32, and posits). These representations do not have correctly rounded math libraries. Further, the use of existing FP libraries for these new representations can produce incorrect results. This paper proposes a novel approach for generating polynomial approximations that can be used to implement correctly rounded math libraries. Existing methods generate polynomials that approximate the real value of an elementary function 𝑓(𝑥) and produce wrong results due to approximation errors and rounding errors in the implementation. In contrast, our approach generates polynomials that approximate the correctly rounded value of 𝑓(𝑥) (i.e., the value of 𝑓(𝑥) rounded to the target representation). It provides more margin to identify efficient polynomials that produce correctly rounded results for all inputs. We frame the problem of generating efficient polynomials that produce correctly rounded results as a linear programming problem. Using our approach, we have developed correctly rounded, yet faster, implementations of elementary functions for multiple target representations. @Article{POPL21p29, author = {Jay P. Lim and Mridul Aanjaneya and John Gustafson and Santosh Nagarakatte}, title = {An Approach to Generate Correctly Rounded Math Libraries for New Floating Point Variants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {29}, numpages = {30}, doi = {10.1145/3434310}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Nandi, Chandrakana 
POPL '21: "egg: Fast and Extensible Equality ..."
egg: Fast and Extensible Equality Saturation
Max Willsey , Chandrakana Nandi , Yisu Remy Wang , Oliver Flatt, Zachary Tatlock , and Pavel Panchekha (University of Washington, USA; University of Utah, USA) An e-graph efficiently represents a congruence relation over many expressions. Although they were originally developed in the late 1970s for use in automated theorem provers, a more recent technique known as equality saturation repurposes e-graphs to implement state-of-the-art, rewrite-driven compiler optimizations and program synthesizers. However, e-graphs remain unspecialized for this newer use case. Equality saturation workloads exhibit distinct characteristics and often require ad hoc e-graph extensions to incorporate transformations beyond purely syntactic rewrites. This work contributes two techniques that make e-graphs fast and extensible, specializing them to equality saturation. A new amortized invariant restoration technique called rebuilding takes advantage of equality saturation's distinct workload, providing asymptotic speedups over current techniques in practice. A general mechanism called e-class analyses integrates domain-specific analyses into the e-graph, reducing the need for ad hoc manipulation. We implemented these techniques in a new open-source library called egg. Our case studies on three previously published applications of equality saturation highlight how egg's performance and flexibility enable state-of-the-art results across diverse domains. @Article{POPL21p23, author = {Max Willsey and Chandrakana Nandi and Yisu Remy Wang and Oliver Flatt and Zachary Tatlock and Pavel Panchekha}, title = {egg: Fast and Extensible Equality Saturation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {23}, numpages = {29}, doi = {10.1145/3434304}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
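The rebuilding idea in this abstract (deferring restoration of the congruence invariant after unions, then restoring it in one amortized pass) can be sketched with a toy e-graph. This is a much-simplified illustration in the spirit of egg, not the library's actual Rust implementation; all names are invented:

```python
# Tiny e-graph with deferred invariant restoration ("rebuilding").
# Nodes are (op, child_class_ids); congruent nodes share an e-class.

class EGraph:
    def __init__(self):
        self.parent = {}   # union-find over e-class ids
        self.memo = {}     # canonical node -> e-class id (hashcons)
        self.dirty = []    # unions whose congruences are not yet restored

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def canon(self, node):
        op, kids = node
        return (op, tuple(self.find(k) for k in kids))

    def add(self, op, *kids):
        node = self.canon((op, kids))
        if node not in self.memo:
            cid = len(self.parent)
            self.parent[cid] = cid
            self.memo[node] = cid
        return self.memo[node]

    def union(self, a, b):
        a, b = self.find(a), self.find(b)
        if a != b:
            self.parent[a] = b
            self.dirty.append(b)  # congruence repair is deferred

    def rebuild(self):
        # re-canonicalize every memoized node, merging e-classes
        # that the pending unions have made congruent
        while self.dirty:
            self.dirty.clear()
            old, self.memo = self.memo, {}
            for node, cid in old.items():
                node = self.canon(node)
                if node in self.memo:
                    self.union(self.memo[node], cid)
                else:
                    self.memo[node] = self.find(cid)

eg = EGraph()
a, b = eg.add('a'), eg.add('b')
fa, fb = eg.add('f', a), eg.add('f', b)
eg.union(a, b)   # assert a = b ...
eg.rebuild()     # ... so congruence forces f(a) = f(b)
print(eg.find(fa) == eg.find(fb))  # True
```

The payoff egg measures comes from batching many unions before a single rebuild, rather than repairing congruence eagerly after each one.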

Nanevski, Aleksandar 
POPL '21: "On Algebraic Abstractions ..."
On Algebraic Abstractions for Concurrent Separation Logics
František Farka , Aleksandar Nanevski , Anindya Banerjee , Germán Andrés Delbianco , and Ignacio Fábregas (IMDEA Software Institute, Spain; Nomadic Labs, France; Complutense University of Madrid, Spain) Concurrent separation logic is distinguished by transfer of state ownership upon parallel composition and framing. The algebraic structure that underpins ownership transfer is that of partial commutative monoids (PCMs). Extant research considers ownership transfer primarily from the logical perspective while comparatively less attention is drawn to the algebraic considerations. This paper provides an algebraic formalization of ownership transfer in concurrent separation logic by means of structure-preserving partial functions (i.e., morphisms) between PCMs, and an associated notion of separating relations. Morphisms of structures are a standard concept in algebra and category theory, but haven't seen ubiquitous use in separation logic before. Separating relations are binary relations that generalize disjointness and characterize the inputs on which morphisms preserve structure. The two abstractions facilitate verification by enabling concise ways of writing specs, by providing abstract views of threads' states that are preserved under ownership transfer, and by enabling user-level construction of new PCMs out of existing ones. @Article{POPL21p5, author = {František Farka and Aleksandar Nanevski and Anindya Banerjee and Germán Andrés Delbianco and Ignacio Fábregas}, title = {On Algebraic Abstractions for Concurrent Separation Logics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {5}, numpages = {32}, doi = {10.1145/3434286}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 

Nester, Chad 
POPL '21: "Functorial Semantics for Partial ..."
Functorial Semantics for Partial Theories
Ivan Di Liberti, Fosco Loregian, Chad Nester, and Paweł Sobociński (Czech Academy of Sciences, Czechia; Tallinn University of Technology, Estonia) We provide a Lawvere-style definition for partial theories, extending the classical notion of equational theory by allowing partially defined operations. As in the classical case, our definition is syntactic: we use an appropriate class of string diagrams as terms. This allows for equational reasoning about the class of models defined by a partial theory. We demonstrate the expressivity of such equational theories by considering a number of examples, including partial combinatory algebras and cartesian closed categories. Moreover, despite the increase in expressivity of the syntax we retain a well-behaved notion of semantics: we show that our categories of models are precisely locally finitely presentable categories, and that free models exist. @Article{POPL21p57, author = {Ivan Di Liberti and Fosco Loregian and Chad Nester and Paweł Sobociński}, title = {Functorial Semantics for Partial Theories}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {57}, numpages = {28}, doi = {10.1145/3434338}, year = {2021}, } Publisher's Version 

Nguyễn, Phúc C. 
POPL '21: "Corpse Reviver: Sound and ..."
Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification
Cameron Moy , Phúc C. Nguyễn, Sam Tobin-Hochstadt , and David Van Horn (Northeastern University, USA; University of Maryland, USA; Indiana University, USA) Gradually typed programming languages permit the incremental addition of static types to untyped programs. To remain sound, languages insert runtime checks at the boundaries between typed and untyped code. Unfortunately, performance studies have shown that the overhead of these checks can be disastrously high, calling into question the viability of sound gradual typing. In this paper, we show that by building on existing work on soft contract verification, we can reduce or eliminate this overhead. Our key insight is that while untyped code cannot be trusted by a gradual type system, there is no need to consider only the worst case when optimizing a gradually typed program. Instead, we statically analyze the untyped portions of a gradually typed program to prove that almost all of the dynamic checks implied by gradual type boundaries cannot fail, and can be eliminated at compile time. Our analysis is modular, and can be applied to any portion of a program. We evaluate this approach on a dozen existing gradually typed programs previously shown to have prohibitive performance overhead—with a median overhead of 2.5× and up to 80.6× in the worst case—and eliminate all overhead in most cases, suffering only 1.5× overhead in the worst case. @Article{POPL21p53, author = {Cameron Moy and Phúc C. Nguyễn and Sam Tobin-Hochstadt and David Van Horn}, title = {Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {53}, numpages = {28}, doi = {10.1145/3434334}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Ni, Newton 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges , Mina Tahmasbi Arashloo, Santiago Bautista , Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson , Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus overapproximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Nieto, Abel 
POPL '21: "Distributed Causal Memory: ..."
Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic
Léon Gondelman , Simon Oddershede Gregersen , Abel Nieto , Amin Timany , and Lars Birkedal (Aarhus University, Denmark) We present the first specification and verification of an implementation of a causally-consistent distributed database that supports modular verification of full functional correctness properties of clients and servers. We specify and reason about the causally-consistent distributed database in Aneris, a higher-order distributed separation logic for an ML-like programming language with network primitives for programming distributed systems. We demonstrate that our specifications are useful, by proving the correctness of small, but tricky, synthetic examples involving causal dependency and by verifying a session manager library implemented on top of the distributed database. We use Aneris's facilities for modular specification and verification to obtain a highly modular development, where each component is verified in isolation, relying only on the specifications (not the implementations) of other components. We have used the Coq formalization of the Aneris logic to formalize all the results presented in the paper in the Coq proof assistant. @Article{POPL21p42, author = {Léon Gondelman and Simon Oddershede Gregersen and Abel Nieto and Amin Timany and Lars Birkedal}, title = {Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {42}, numpages = {29}, doi = {10.1145/3434323}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Ohrem, Christoph 
POPL '21: "Automata and Fixpoints for ..."
Automata and Fixpoints for Asynchronous Hyperproperties
Jens Oliver Gutsfeld , Markus Müller-Olm, and Christoph Ohrem (University of Münster, Germany) Hyperproperties have received increasing attention in the last decade due to their importance e.g. for security analyses. Past approaches have focussed on synchronous analyses, i.e. techniques in which different paths are compared in lockstep. In this paper, we systematically study asynchronous analyses for hyperproperties by introducing both a novel automata model (Alternating Asynchronous Parity Automata) and the temporal fixpoint calculus H_{µ}, the first fixpoint calculus that can systematically express hyperproperties in an asynchronous manner and at the same time subsumes the existing logic HyperLTL. We show that the expressive power of both models coincides over fixed path assignments. The high expressive power of both models is evidenced by the fact that decision problems of interest are highly undecidable, i.e. not even arithmetical. As a remedy, we propose approximative analyses for both models that also induce natural decidable fragments. @Article{POPL21p38, author = {Jens Oliver Gutsfeld and Markus Müller-Olm and Christoph Ohrem}, title = {Automata and Fixpoints for Asynchronous Hyperproperties}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {38}, numpages = {29}, doi = {10.1145/3434319}, year = {2021}, } Publisher's Version 

Ouaknine, Joël 
POPL '21: "Deciding ω-Regular Properties ..."
Deciding ω-Regular Properties on Linear Recurrence Sequences
Shaull Almagor , Toghrul Karimov , Edon Kelmendi, Joël Ouaknine , and James Worrell (Technion, Israel; MPI-SWS, Germany; University of Oxford, UK) We consider the problem of deciding ω-regular properties on infinite traces produced by linear loops. Here we think of a given loop as producing a single infinite trace that encodes information about the signs of program variables at each time step. Formally, our main result is a procedure that inputs a prefix-independent ω-regular property and a sequence of numbers satisfying a linear recurrence, and determines whether the sign description of the sequence (obtained by replacing each positive entry with “+”, each negative entry with “−”, and each zero entry with “0”) satisfies the given property. Our procedure requires that the recurrence be simple, i.e., that the update matrix of the underlying loop be diagonalisable. This assumption is instrumental in proving our key technical lemma: namely that the sign description of a simple linear recurrence sequence is almost periodic in the sense of Muchnik, Sem'enov, and Ushakov. To complement this lemma, we give an example of a linear recurrence sequence whose sign description fails to be almost periodic. Generalising from sign descriptions, we also consider the verification of properties involving semialgebraic predicates on program variables. @Article{POPL21p48, author = {Shaull Almagor and Toghrul Karimov and Edon Kelmendi and Joël Ouaknine and James Worrell}, title = {Deciding ω-Regular Properties on Linear Recurrence Sequences}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {48}, numpages = {24}, doi = {10.1145/3434329}, year = {2021}, } Publisher's Version 
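The sign-description construction in this abstract is easy to make concrete. Below is a small sketch; the `lrs` helper and the chosen recurrence are invented for illustration, and the example recurrence is simple in the paper's sense (its companion matrix is diagonalisable, with eigenvalues that are primitive 6th roots of unity):

```python
# Compute the sign description of a linear recurrence sequence:
# each term maps to '+', '-', or '0'.

def lrs(coeffs, init, n):
    """u_k = coeffs[0]*u_{k-1} + coeffs[1]*u_{k-2} + ...; first n terms."""
    seq = list(init)
    while len(seq) < n:
        seq.append(sum(c * x for c, x in
                       zip(coeffs, reversed(seq[-len(coeffs):]))))
    return seq[:n]

def sign_description(seq):
    return ''.join('+' if x > 0 else '-' if x < 0 else '0' for x in seq)

# u_k = u_{k-1} - u_{k-2} with u_0 = u_1 = 1 is periodic with period 6:
# 1, 1, 0, -1, -1, 0, 1, 1, 0, ...
print(sign_description(lrs([1, -1], [1, 1], 12)))  # ++0--0++0--0
```

An ω-regular property such as "the sign 0 occurs infinitely often" is then evaluated against this infinite word; the paper's almost-periodicity lemma is what makes that evaluation decidable for simple recurrences.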

Pagani, Michele 
POPL '21: "Automatic Differentiation ..."
Automatic Differentiation in PCF
Damiano Mazza and Michele Pagani (CNRS, France; University of Paris, France) We study the correctness of automatic differentiation (AD) in the context of a higher-order, Turing-complete language (PCF with real numbers), both in forward and reverse mode. Our main result is that, under mild hypotheses on the primitive functions included in the language, AD is almost everywhere correct, that is, it computes the derivative or gradient of the program under consideration except for a set of Lebesgue measure zero. Stated otherwise, there are inputs on which AD is incorrect, but the probability of randomly choosing one such input is zero. Our result is in fact more precise, in that the set of failure points admits a more explicit description: for example, in case the primitive functions are just constants, addition and multiplication, the set of points where AD fails is contained in a countable union of zero sets of polynomials. @Article{POPL21p28, author = {Damiano Mazza and Michele Pagani}, title = {Automatic Differentiation in PCF}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {28}, numpages = {27}, doi = {10.1145/3434309}, year = {2021}, } Publisher's Version 

Panchekha, Pavel 
POPL '21: "egg: Fast and Extensible Equality ..."
egg: Fast and Extensible Equality Saturation
Max Willsey, Chandrakana Nandi, Yisu Remy Wang, Oliver Flatt, Zachary Tatlock, and Pavel Panchekha (University of Washington, USA; University of Utah, USA) An e-graph efficiently represents a congruence relation over many expressions. Although e-graphs were originally developed in the late 1970s for use in automated theorem provers, a more recent technique known as equality saturation repurposes them to implement state-of-the-art, rewrite-driven compiler optimizations and program synthesizers. However, e-graphs remain unspecialized for this newer use case. Equality saturation workloads exhibit distinct characteristics and often require ad hoc e-graph extensions to incorporate transformations beyond purely syntactic rewrites. This work contributes two techniques that make e-graphs fast and extensible, specializing them to equality saturation. A new amortized invariant restoration technique called rebuilding takes advantage of equality saturation's distinct workload, providing asymptotic speedups over current techniques in practice. A general mechanism called e-class analyses integrates domain-specific analyses into the e-graph, reducing the need for ad hoc manipulation. We implemented these techniques in a new open-source library called egg. Our case studies on three previously published applications of equality saturation highlight how egg's performance and flexibility enable state-of-the-art results across diverse domains. @Article{POPL21p23, author = {Max Willsey and Chandrakana Nandi and Yisu Remy Wang and Oliver Flatt and Zachary Tatlock and Pavel Panchekha}, title = {egg: Fast and Extensible Equality Saturation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {23}, numpages = {29}, doi = {10.1145/3434304}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
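The rebuilding idea can be sketched in a few lines of Python (a didactic toy, not egg's actual Rust implementation): instead of restoring congruence after every merge, merges only record their touched class on a worklist, and an explicit rebuild pass re-canonicalizes the hashcons and merges classes that have become congruent.

```python
class EGraph:
    def __init__(self):
        self.parent = {}     # union-find over e-class ids
        self.hashcons = {}   # canonical e-node (op, child-class ids) -> e-class id
        self.worklist = []   # classes touched since the last rebuild

    def find(self, x):
        while self.parent[x] != x:           # path halving
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def canonicalize(self, node):
        op, children = node
        return (op, tuple(self.find(c) for c in children))

    def add(self, op, *children):
        node = self.canonicalize((op, children))
        if node in self.hashcons:
            return self.find(self.hashcons[node])
        cid = len(self.parent)
        self.parent[cid] = cid
        self.hashcons[node] = cid
        return cid

    def merge(self, a, b):
        a, b = self.find(a), self.find(b)
        if a != b:
            self.parent[b] = a
            self.worklist.append(a)          # defer congruence repair

    def rebuild(self):
        # Restore the congruence invariant to a fixpoint. A real
        # implementation repairs only the touched classes; this toy
        # re-canonicalizes everything for clarity.
        while self.worklist:
            self.worklist.clear()
            old, self.hashcons = self.hashcons, {}
            for node, cid in old.items():
                node, cid = self.canonicalize(node), self.find(cid)
                if node in self.hashcons:    # same op, same children: congruent
                    self.merge(self.hashcons[node], cid)
                else:
                    self.hashcons[node] = cid
```

After `merge(a, b)` and one `rebuild()`, congruence forces f(a) and f(b) into the same e-class.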

Pantović, Jovanka 
POPL '21: "Precise Subtyping for Asynchronous ..."
Precise Subtyping for Asynchronous Multiparty Sessions
Silvia Ghilezan, Jovanka Pantović, Ivan Prokić, Alceste Scalas, and Nobuko Yoshida (University of Novi Sad, Serbia; DTU, Denmark; Aston University, UK; Imperial College London, UK) Session subtyping is a cornerstone of refinement of communicating processes: a process implementing a session type (i.e., a communication protocol) T can be safely used whenever a process implementing one of its supertypes T′ is expected, in any context, without introducing deadlocks or other communication errors. As a consequence, whenever T ≤ T′ holds, it is safe to replace an implementation of T′ with an implementation of the subtype T, which may allow for more optimised communication patterns. We present the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., guarantees safe process replacement, as outlined above) and also complete: any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). Previous work studies precise subtyping for binary sessions (with just two participants), or multiparty sessions (with any number of participants) and synchronous interaction. Here, we cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. In the asynchronous multiparty setting, finding the precise subtyping relation is a highly complex task: this is because, under some conditions, participants can permute the order of their inputs and outputs, by sending some messages earlier or receiving some later, without causing errors; the precise subtyping relation must capture all such valid permutations — and consequently, its formalisation, reasoning and proofs become challenging. 
Our session decomposition technique overcomes this complexity, expressing the subtyping relation as a composition of refinement relations between single input/output trees, and providing a simple reasoning principle for asynchronous message optimisations. @Article{POPL21p16, author = {Silvia Ghilezan and Jovanka Pantović and Ivan Prokić and Alceste Scalas and Nobuko Yoshida}, title = {Precise Subtyping for Asynchronous Multiparty Sessions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {16}, numpages = {28}, doi = {10.1145/3434297}, year = {2021}, } Publisher's Version 

Parkinson, Samwise 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus overapproximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Patrignani, Marco 
POPL '21: "On the Semantic Expressiveness ..."
On the Semantic Expressiveness of Recursive Types
Marco Patrignani, Eric Mark Martin, and Dominique Devriese (Stanford University, USA; CISPA, Germany; Vrije Universiteit Brussel, Belgium) Recursive types extend the simply-typed lambda calculus (STLC) with the additional expressive power to enable diverging computation and to encode recursive datatypes (e.g., lists). Two formulations of recursive types exist: iso-recursive and equi-recursive. The relative advantages of iso- and equi-recursion are well studied when it comes to their impact on type inference. However, the relative semantic expressiveness of the two formulations has so far remained unclear. This paper studies the semantic expressiveness of STLC with iso- and equi-recursive types, proving that these formulations are equally expressive. In fact, we prove that they are both as expressive as STLC with only term-level recursion. We phrase these equi-expressiveness results in terms of full abstraction of three canonical compilers between these three languages (STLC with iso-recursive types, with equi-recursive types, and with term-level recursion). Our choice of languages allows us to study expressiveness when interacting over both a simply-typed and a recursively-typed interface. The three proofs all rely on a typed version of a proof technique called approximate back-translation. Together, our results show that there is no difference in semantic expressiveness between STLCs with iso- and equi-recursive types. In this paper, we focus on a simply-typed setting but we believe our results scale to more powerful type systems like System F. @Article{POPL21p21, author = {Marco Patrignani and Eric Mark Martin and Dominique Devriese}, title = {On the Semantic Expressiveness of Recursive Types}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {21}, numpages = {29}, doi = {10.1145/3434302}, year = {2021}, } Publisher's Version 

Pavlinovic, Zvonimir 
POPL '21: "Data Flow Refinement Type ..."
Data Flow Refinement Type Inference
Zvonimir Pavlinovic, Yusen Su, and Thomas Wies (New York University, USA; Google, USA; University of Waterloo, Canada) Refinement types enable lightweight verification of functional programs. Algorithms for statically inferring refinement types typically work by reduction to solving systems of constrained Horn clauses extracted from typing derivations. An example is Liquid type inference, which solves the extracted constraints using predicate abstraction. However, the reduction to constraint solving in itself already signifies an abstraction of the program semantics that affects the precision of the overall static analysis. To better understand this issue, we study the type inference problem in its entirety through the lens of abstract interpretation. We propose a new refinement type system that is parametric in the choice of the abstract domain of type refinements as well as the degree to which it tracks context-sensitive control flow information. We then derive an accompanying parametric inference algorithm as an abstract interpretation of a novel data flow semantics of functional programs. We further show that the type system is sound and complete with respect to the constructed abstract semantics. Our theoretical development reveals the key abstraction steps inherent in refinement type inference algorithms. The trade-off between precision and efficiency of these abstraction steps is controlled by the parameters of the type system. Existing refinement type systems and their respective inference algorithms, such as Liquid types, are captured by concrete parameter instantiations. We have implemented our framework in a prototype tool and evaluated it on a range of new parameter instantiations (e.g., using octagons and polyhedra for expressing type refinements). The tool compares favorably against other existing tools. 
Our evaluation indicates that our approach can be used to systematically construct new refinement type inference algorithms that are both robust and precise. @Article{POPL21p19, author = {Zvonimir Pavlinovic and Yusen Su and Thomas Wies}, title = {Data Flow Refinement Type Inference}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {19}, numpages = {31}, doi = {10.1145/3434300}, year = {2021}, } Publisher's Version 

Pavlogiannis, Andreas 
POPL '21: "Optimal Prediction of Synchronization-Preserving ..."
Optimal Prediction of Synchronization-Preserving Races
Umang Mathur, Andreas Pavlogiannis, and Mahesh Viswanathan (University of Illinois at Urbana-Champaign, USA; Aarhus University, Denmark) Concurrent programs are notoriously hard to write correctly, as scheduling nondeterminism introduces subtle errors that are both hard to detect and to reproduce. The most common concurrency errors are (data) races, which occur when memory-conflicting actions are executed concurrently. Consequently, considerable effort has been made towards developing efficient techniques for race detection. The most common approach is dynamic race prediction: given an observed, race-free trace σ of a concurrent program, the task is to decide whether events of σ can be correctly reordered to a trace σ^{*} that witnesses a race hidden in σ. In this work we introduce the notion of sync(hronization)-preserving races. A sync-preserving race occurs in σ when there is a witness σ^{*} in which synchronization operations (e.g., acquisition and release of locks) appear in the same order as in σ. This is a broad definition that strictly subsumes the famous notion of happens-before races. Our main results are as follows. First, we develop a sound and complete algorithm for predicting sync-preserving races. For moderate values of parameters like the number of threads, the algorithm runs in Õ(N) time and space, where N is the length of the trace σ. Second, we show that the problem has an Ω(N/log^{2} N) space lower bound, and thus our algorithm is essentially time and space optimal. Third, we show that predicting races with even just a single reversal of two sync operations is NP-complete and even W[1]-hard when parameterized by the number of threads. Thus, sync-preservation characterizes exactly the tractability boundary of race prediction, and our algorithm is nearly optimal for the tractable side. Our experiments show that our algorithm is fast in practice, while sync-preservation characterizes races often missed by state-of-the-art methods. 
@Article{POPL21p36, author = {Umang Mathur and Andreas Pavlogiannis and Mahesh Viswanathan}, title = {Optimal Prediction of Synchronization-Preserving Races}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {36}, numpages = {29}, doi = {10.1145/3434317}, year = {2021}, } Publisher's Version Artifacts Functional POPL '21: "The Fine-Grained and Parallel ..." The Fine-Grained and Parallel Complexity of Andersen’s Pointer Analysis Anders Alnor Mathiasen and Andreas Pavlogiannis (Aarhus University, Denmark) Pointer analysis is one of the fundamental problems in static program analysis. Given a set of pointers, the task is to produce a useful overapproximation of the memory locations that each pointer may point to at runtime. The most common formulation is Andersen’s Pointer Analysis (APA), defined as an inclusion-based set of m pointer constraints over a set of n pointers. Scalability is extremely important, as points-to information is a prerequisite to many other components in the static-analysis pipeline. Existing algorithms solve APA in O(n^{2}· m) time, while it has been conjectured that the problem has no truly subcubic algorithm, with a proof so far having remained elusive. It is also well-known that APA can be solved in O(n^{2}) time under certain sparsity conditions that hold naturally in some settings. Besides these simple bounds, the complexity of the problem has remained poorly understood. In this work we draw a rich fine-grained and parallel complexity landscape of APA, and present upper and lower bounds. First, we establish an O(n^{3}) upper bound for general APA, improving over O(n^{2}· m) as n=O(m). Second, we show that even on-demand APA (“may a specific pointer a point to a specific location b?”) has an Ω(n^{3}) (combinatorial) lower bound under standard complexity-theoretic hypotheses. This formally establishes the long-conjectured “cubic bottleneck” of APA, and shows that our O(n^{3})-time algorithm is optimal. 
Third, we show that under mild restrictions, APA is solvable in Õ(n^{ω}) time, where ω<2.373 is the matrix-multiplication exponent. It is believed that ω=2+o(1), in which case this bound becomes quadratic. Fourth, we show that under such restrictions, even the on-demand problem has an Ω(n^{2}) lower bound under standard complexity-theoretic hypotheses, and hence our algorithm is optimal when ω=2+o(1). Fifth, we study the parallelizability of APA and establish lower and upper bounds: (i) in general, the problem is P-complete and hence unlikely to be parallelizable, whereas (ii) under mild restrictions, the problem is parallelizable. Our theoretical treatment formalizes several insights that can lead to practical improvements in the future. @Article{POPL21p34, author = {Anders Alnor Mathiasen and Andreas Pavlogiannis}, title = {The Fine-Grained and Parallel Complexity of Andersen’s Pointer Analysis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {34}, numpages = {29}, doi = {10.1145/3434315}, year = {2021}, } Publisher's Version 
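The inclusion constraints of Andersen's Pointer Analysis admit a straightforward cubic worklist-free fixpoint; the sketch below (illustrative only, not the paper's subcubic or parallel algorithms) handles the four classic constraint forms.

```python
from collections import defaultdict

def andersen(addr_of, copies, stores, loads):
    """Naive fixpoint for Andersen's Pointer Analysis.
    addr_of: (p, x) means p ⊇ {x};   copies: (p, q) means p ⊇ q;
    stores:  (p, q) means *p ⊇ q;    loads:  (p, q) means p ⊇ *q."""
    pts = defaultdict(set)
    for p, x in addr_of:
        pts[p].add(x)
    changed = True
    while changed:
        changed = False
        def include(dst, src):          # enforce pts[dst] ⊇ pts[src]
            nonlocal changed
            if not pts[src] <= pts[dst]:
                pts[dst] |= pts[src]
                changed = True
        for p, q in copies:
            include(p, q)
        for p, q in stores:             # *p ⊇ q: propagate into every target of p
            for x in list(pts[p]):
                include(x, q)
        for p, q in loads:              # p ⊇ *q: pull from every target of q
            for x in list(pts[q]):
                include(p, x)
    return pts
```

For the program `p = &a; q = &b; p = q; *p = q; r = *p`, the fixpoint yields pts(p) = {a, b} and pts(r) = {b}.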

Peterson, Rudy 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus overapproximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Pichardie, David 
POPL '21: "Formally Verified Speculation ..."
Formally Verified Speculation and Deoptimization in a JIT Compiler
Aurèle Barrière, Sandrine Blazy, Olivier Flückiger, David Pichardie, and Jan Vitek (University of Rennes, France; Inria, France; CNRS, France; IRISA, France; Northeastern University, USA; Czech Technical University, Czechia) Just-in-time compilers for dynamic languages routinely generate code under assumptions that may be invalidated at runtime; this allows for specialization of program code to the common case in order to avoid unnecessary overheads due to uncommon cases. This form of software speculation requires support for deoptimization when some of the assumptions fail to hold. This paper presents a model just-in-time compiler with an intermediate representation that makes explicit the synchronization points used for deoptimization and the assumptions made by the compiler's speculation. We also present several common compiler optimizations that can leverage speculation to generate improved code. The optimizations are proved correct with the help of a proof assistant. While our work stops short of proving native code generation, we demonstrate how one could use the verified optimizations to obtain significant speedups in an end-to-end setting. @Article{POPL21p46, author = {Aurèle Barrière and Sandrine Blazy and Olivier Flückiger and David Pichardie and Jan Vitek}, title = {Formally Verified Speculation and Deoptimization in a JIT Compiler}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {46}, numpages = {26}, doi = {10.1145/3434327}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
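The assume/deoptimize mechanism can be caricatured in a few lines (a hypothetical sketch, not the paper's intermediate representation or Coq development): speculatively optimized code checks its assumption at a guard and transfers control back to a baseline version when the assumption fails.

```python
def speculate(assumption, fast, baseline):
    """Wrap a speculatively optimized version with an Assume-style guard."""
    stats = {"deopts": 0}
    def compiled(x):
        if assumption(x):          # guard: speculation still holds
            return fast(x)         # specialized fast path
        stats["deopts"] += 1       # guard failed: deoptimize
        return baseline(x)         # resume in unoptimized code
    return compiled, stats

# Speculate that the argument is an int, so the fast path can use a bit shift.
generic = lambda x: x * 2
fast = lambda x: x << 1            # valid only for ints
double, stats = speculate(lambda x: isinstance(x, int), fast, generic)
```

Calling `double(21)` takes the fast path; `double(1.5)` trips the guard and falls back, incrementing the deoptimization counter.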

Pinault, Laureline 
POPL '21: "Cyclic Proofs, System T, and ..."
Cyclic Proofs, System T, and the Power of Contraction
Denis Kuperberg, Laureline Pinault, and Damien Pous (University of Lyon, France; CNRS, France; ENS Lyon, France; Claude Bernard University Lyon 1, France; LIP, France) We study a cyclic proof system C over regular expression types, inspired by linear logic and non-well-founded proof theory. Proofs in C can be seen as strongly typed goto programs. We show that they denote computable total functions and we analyse the relative strength of C and Gödel’s system T. In the general case, we prove that the two systems capture the same functions on natural numbers. In the affine case, i.e., when contraction is removed, we prove that they capture precisely the primitive recursive functions—providing an alternative and more general proof of a result by Dal Lago, about an affine version of system T. Without contraction, we manage to give a direct and uniform encoding of C into T, by analysing cycles and translating them into explicit recursions. Whether such a direct and uniform translation from C to T can be given in the presence of contraction remains open. We obtain the two upper bounds on the expressivity of C using a different technique: we formalise weak normalisation of a small-step reduction semantics in subsystems of second-order arithmetic: ACA_{0} and RCA_{0}. @Article{POPL21p1, author = {Denis Kuperberg and Laureline Pinault and Damien Pous}, title = {Cyclic Proofs, System T, and the Power of Contraction}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {1}, numpages = {28}, doi = {10.1145/3434282}, year = {2021}, } Publisher's Version 

Pottier, François 
POPL '21: "A Separation Logic for Effect ..."
A Separation Logic for Effect Handlers
Paulo Emílio de Vilhena and François Pottier (Inria, France) User-defined effects and effect handlers are advertised and advocated as a relatively easy-to-understand and modular approach to delimited control. They offer the ability to suspend and resume a computation, and allow information to be transmitted both ways between the computation, which requests a certain service, and the handler, which provides this service. Yet, a key question remains, to this day, largely unanswered: how does one modularly specify and verify programs in the presence of both user-defined effect handlers and primitive effects, such as heap-allocated mutable state? We answer this question by presenting a Separation Logic with built-in support for effect handlers, both shallow and deep. The specification of a program fragment includes a protocol that describes the effects that the program may perform as well as the replies that it can expect to receive. The logic allows local reasoning via a frame rule and a bind rule. It is based on Iris and inherits all of its advanced features, including support for higher-order functions, user-defined ghost state, and invariants. We illustrate its power via several case studies, including (1) a generic formulation of control inversion, which turns a producer that "pushes" elements towards a consumer into a producer from which one can "pull" elements on demand, and (2) a simple system for cooperative concurrency, where several threads execute concurrently, can spawn new threads, and communicate via promises. @Article{POPL21p33, author = {Paulo Emílio de Vilhena and François Pottier}, title = {A Separation Logic for Effect Handlers}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {33}, numpages = {28}, doi = {10.1145/3434314}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
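Case study (1), control inversion, has a familiar shallow analogue in Python generators (a loose analogy for intuition, not the paper's Iris development): `yield` plays the role of performing an effect, and the suspended generator is the captured continuation that the consumer, acting as handler, resumes on demand.

```python
def producer():
    # A "push"-style producer: each yield performs an effect,
    # suspending here until the consumer asks for the next element.
    for i in range(3):
        yield i * i

pulled = producer()        # nothing runs yet: the consumer controls resumption
first = next(pulled)       # resume the producer until its next effect
rest = list(pulled)        # pull the remaining elements on demand
```

The producer is written as if it pushes elements, yet the consumer pulls them one at a time.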

Pous, Damien 
POPL '21: "Cyclic Proofs, System T, and ..."
Cyclic Proofs, System T, and the Power of Contraction
Denis Kuperberg, Laureline Pinault, and Damien Pous (University of Lyon, France; CNRS, France; ENS Lyon, France; Claude Bernard University Lyon 1, France; LIP, France) We study a cyclic proof system C over regular expression types, inspired by linear logic and non-well-founded proof theory. Proofs in C can be seen as strongly typed goto programs. We show that they denote computable total functions and we analyse the relative strength of C and Gödel’s system T. In the general case, we prove that the two systems capture the same functions on natural numbers. In the affine case, i.e., when contraction is removed, we prove that they capture precisely the primitive recursive functions—providing an alternative and more general proof of a result by Dal Lago, about an affine version of system T. Without contraction, we manage to give a direct and uniform encoding of C into T, by analysing cycles and translating them into explicit recursions. Whether such a direct and uniform translation from C to T can be given in the presence of contraction remains open. We obtain the two upper bounds on the expressivity of C using a different technique: we formalise weak normalisation of a small-step reduction semantics in subsystems of second-order arithmetic: ACA_{0} and RCA_{0}. @Article{POPL21p1, author = {Denis Kuperberg and Laureline Pinault and Damien Pous}, title = {Cyclic Proofs, System T, and the Power of Contraction}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {1}, numpages = {28}, doi = {10.1145/3434282}, year = {2021}, } Publisher's Version 

Pradic, Pierre 
POPL '21: "Generating Collection Transformations ..."
Generating Collection Transformations from Proofs
Michael Benedikt and Pierre Pradic (University of Oxford, UK) Nested relations, built up from atomic types via product and set types, form a rich data model. Over the last decades the nested relational calculus, NRC, has emerged as a standard language for defining transformations on nested collections. NRC is a strongly-typed functional language which allows building up transformations using tupling and projections, a singleton former, and a map operation that lifts transformations on tuples to transformations on sets. In this work we describe an alternative, declarative method of describing transformations in logic. A formula with distinguished inputs and outputs gives an implicit definition if one can prove that for each input there is only one output that satisfies it. Our main result shows that one can synthesize transformations from proofs that a formula provides an implicit definition, where the proof is in an intuitionistic calculus that captures a natural style of reasoning about nested collections. Our polynomial-time synthesis procedure is based on an analog of Craig's interpolation lemma, starting with a provable containment between terms representing nested collections and generating an NRC expression that interpolates between them. We further show that NRC expressions that implement an implicit definition can be found when there is a classical proof of functionality, not just when there is an intuitionistic one. That is, whenever a formula implicitly defines a transformation, there is an NRC expression that implements it. @Article{POPL21p14, author = {Michael Benedikt and Pierre Pradic}, title = {Generating Collection Transformations from Proofs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {14}, numpages = {28}, doi = {10.1145/3434295}, year = {2021}, } Publisher's Version 
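NRC's core operations (tupling, projection, singleton, and mapping over sets) line up with set comprehensions; the sketch below shows a typical nested-to-flat transformation in that style (an illustration of the data model only, not the paper's synthesis procedure; the sample data is invented).

```python
# A nested relation: a set of (department, set-of-employees) tuples.
depts = {
    ("sales", frozenset({"ann", "bob"})),
    ("hr", frozenset({"cyd"})),
}

# NRC-style transformation, i.e. the union over (d, es) ∈ depts
# of the map sending each e ∈ es to the singleton {(e, d)}.
pairs = {(e, d) for (d, es) in depts for e in es}
```

The comprehension plays the role of NRC's map operation lifting a tuple-level transformation to sets, with the outer union flattening the nested structure.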

Pretnar, Matija 
POPL '21: "Asynchronous Effects ..."
Asynchronous Effects
Danel Ahman and Matija Pretnar (University of Ljubljana, Slovenia) We explore asynchronous programming with algebraic effects. We complement their conventional synchronous treatment by showing how to naturally also accommodate asynchrony within them, namely, by decoupling the execution of operation calls into signalling that an operation’s implementation needs to be executed, and interrupting a running computation with the operation’s result, to which the computation can react by installing interrupt handlers. We formalise these ideas in a small core calculus, called λ_{æ}. We demonstrate the flexibility of λ_{æ} using examples ranging from a multiparty web application, to preemptive multithreading, to remote function calls, to a parallel variant of runners of algebraic effects. In addition, the paper is accompanied by a formalisation of λ_{æ}’s type safety proofs in Agda, and a prototype implementation of λ_{æ} in OCaml. @Article{POPL21p24, author = {Danel Ahman and Matija Pretnar}, title = {Asynchronous Effects}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {24}, numpages = {28}, doi = {10.1145/3434305}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Prokić, Ivan 
POPL '21: "Precise Subtyping for Asynchronous ..."
Precise Subtyping for Asynchronous Multiparty Sessions
Silvia Ghilezan, Jovanka Pantović, Ivan Prokić, Alceste Scalas, and Nobuko Yoshida (University of Novi Sad, Serbia; DTU, Denmark; Aston University, UK; Imperial College London, UK) Session subtyping is a cornerstone of refinement of communicating processes: a process implementing a session type (i.e., a communication protocol) T can be safely used whenever a process implementing one of its supertypes T′ is expected, in any context, without introducing deadlocks or other communication errors. As a consequence, whenever T ≤ T′ holds, it is safe to replace an implementation of T′ with an implementation of the subtype T, which may allow for more optimised communication patterns. We present the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., guarantees safe process replacement, as outlined above) and also complete: any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). Previous work studies precise subtyping for binary sessions (with just two participants), or multiparty sessions (with any number of participants) and synchronous interaction. Here, we cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. In the asynchronous multiparty setting, finding the precise subtyping relation is a highly complex task: this is because, under some conditions, participants can permute the order of their inputs and outputs, by sending some messages earlier or receiving some later, without causing errors; the precise subtyping relation must capture all such valid permutations — and consequently, its formalisation, reasoning and proofs become challenging. 
Our session decomposition technique overcomes this complexity, expressing the subtyping relation as a composition of refinement relations between single input/output trees, and providing a simple reasoning principle for asynchronous message optimisations. @Article{POPL21p16, author = {Silvia Ghilezan and Jovanka Pantović and Ivan Prokić and Alceste Scalas and Nobuko Yoshida}, title = {Precise Subtyping for Asynchronous Multiparty Sessions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {16}, numpages = {28}, doi = {10.1145/3434297}, year = {2021}, } Publisher's Version 

Raad, Azalea 
POPL '21: "PerSeVerE: Persistency Semantics ..."
PerSeVerE: Persistency Semantics for Verification under Ext4
Michalis Kokologiannakis, Ilya Kaysin, Azalea Raad, and Viktor Vafeiadis (MPI-SWS, Germany; National Research University Higher School of Economics, Russia; JetBrains Research, Russia; Imperial College London, UK) Although ubiquitous, modern filesystems have rather complex behaviours that are hardly understood by programmers and lead to severe software bugs such as data corruption. As a first step to ensure correctness of software performing file I/O, we formalize the semantics of the Linux ext4 filesystem, which we integrate with the weak memory consistency semantics of C/C++. We further develop an effective model checking approach for verifying programs that use the filesystem. In doing so, we discover and report bugs in commonly used text editors such as vim, emacs and nano. @Article{POPL21p43, author = {Michalis Kokologiannakis and Ilya Kaysin and Azalea Raad and Viktor Vafeiadis}, title = {PerSeVerE: Persistency Semantics for Verification under Ext4}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {43}, numpages = {29}, doi = {10.1145/3434324}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
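The editor bugs the paper targets typically come from saving files without persisting them correctly. As background (this is the folklore POSIX pattern, not code from the paper), a crash-safe save looks like this on Linux: write a temporary file, fsync it, rename over the target, then fsync the directory.

```python
import os, tempfile

def atomic_save(path, data: bytes):
    """Write `data` to `path` so that, even after a crash, the file
    holds either the old or the new contents -- never a mix."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d)
    try:
        os.write(fd, data)
        os.fsync(fd)            # persist the new file's contents
    finally:
        os.close(fd)
    os.replace(tmp, path)       # atomic rename on POSIX filesystems
    dirfd = os.open(d, os.O_RDONLY)
    try:
        os.fsync(dirfd)         # persist the directory entry itself
    finally:
        os.close(dirfd)
```

Omitting either fsync is exactly the kind of subtle persistency bug that a formal ext4 semantics lets a model checker detect.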

Rajani, Vineet 
POPL '21: "A Unifying Type-Theory for ..."
A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis
Vineet Rajani, Marco Gaboardi, Deepak Garg, and Jan Hoffmann (MPI-SP, Germany; Boston University, USA; MPI-SWS, Germany; Carnegie Mellon University, USA) This paper presents λamor, a new type-theoretic framework for amortized cost analysis of higher-order functional programs and shows that existing type systems for cost analysis can be embedded in it. λamor introduces a new modal type for representing potentials – costs that have been accounted for, but not yet incurred – which are central to amortized analysis. Additionally, λamor relies on standard type-theoretic concepts like affineness, refinement types and an indexed cost monad. λamor is proved sound using a rather simple logical relation. We embed two existing type systems for cost analysis in λamor showing that, despite its simplicity, λamor can simulate cost analysis for different evaluation strategies (call-by-name and call-by-value), in different styles (effect-based and coeffect-based), and with or without amortization. One of the embeddings also implies that λamor is relatively complete for all terminating PCF programs. @Article{POPL21p27, author = {Vineet Rajani and Marco Gaboardi and Deepak Garg and Jan Hoffmann}, title = {A Unifying Type-Theory for Higher-Order (Amortized) Cost Analysis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {27}, numpages = {28}, doi = {10.1145/3434308}, year = {2021}, } Publisher's Version 

Ramsay, Steven 
POPL '21: "Intensional Datatype Refinement: ..."
Intensional Datatype Refinement: With Application to Scalable Verification of Pattern-Match Safety
Eddie Jones and Steven Ramsay (University of Bristol, UK) The pattern-match safety problem is to verify that a given functional program will never crash due to non-exhaustive patterns in its function definitions. We present a refinement type system that can be used to solve this problem. The system extends ML-style type systems with algebraic datatypes by a limited form of structural subtyping and environment-level intersection. We describe a fully automatic, sound and complete type inference procedure for this system which, under reasonable assumptions, is worst-case linear-time in the program size. Compositionality is essential to obtaining this complexity guarantee. A prototype implementation for Haskell is able to analyse a selection of packages from the Hackage database in a few hundred milliseconds. @Article{POPL21p55, author = {Eddie Jones and Steven Ramsay}, title = {Intensional Datatype Refinement: With Application to Scalable Verification of Pattern-Match Safety}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {55}, numpages = {29}, doi = {10.1145/3434336}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
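For intuition only, here is a drastically simplified exhaustiveness check for a flat (non-nested) algebraic datatype; the paper's refinement type system goes much further, inferring which constructors can actually reach each match site. The datatype table and names below are illustrative, not from the paper.

```python
# Constructors of some toy datatypes (assumed for illustration).
CONSTRUCTORS = {"Maybe": {"Nothing", "Just"},
                "Color": {"Red", "Green", "Blue"}}

def missing_patterns(datatype, patterns):
    """Constructors of `datatype` not covered by `patterns`;
    a wildcard '_' covers everything."""
    if "_" in patterns:
        return set()
    return CONSTRUCTORS[datatype] - set(patterns)

assert missing_patterns("Maybe", ["Just"]) == {"Nothing"}
assert missing_patterns("Color", ["Red", "_"]) == set()
```

A naive check like this rejects many safe programs; the point of the paper is to refine datatypes so that provably unreachable constructors need not be matched.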

Rand, Robert 
POPL '21: "A Verified Optimizer for Quantum ..."
A Verified Optimizer for Quantum Circuits
Kesha Hietala, Robert Rand, Shih-Han Hung, Xiaodi Wu, and Michael Hicks (University of Maryland, USA; University of Chicago, USA) We present VOQC, the first fully verified optimizer for quantum circuits, written using the Coq proof assistant. Quantum circuits are expressed as programs in a simple, low-level language called SQIR, a simple quantum intermediate representation, which is deeply embedded in Coq. Optimizations and other transformations are expressed as Coq functions, which are proved correct with respect to a semantics of SQIR programs. SQIR uses a semantics of matrices of complex numbers, which is the standard for quantum computation, but treats matrices symbolically in order to reason about programs that use an arbitrary number of quantum bits. SQIR's careful design and our provided automation make it possible to write and verify a broad range of optimizations in VOQC, including full-circuit transformations from cutting-edge optimizers. @Article{POPL21p37, author = {Kesha Hietala and Robert Rand and Shih-Han Hung and Xiaodi Wu and Michael Hicks}, title = {A Verified Optimizer for Quantum Circuits}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {37}, numpages = {29}, doi = {10.1145/3434318}, year = {2021}, } Publisher's Version Info Artifacts Functional 
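A flavour of the circuit optimizations involved (this sketch is not VOQC's code, which is Coq and proved correct against the matrix semantics): cancel adjacent pairs of identical self-inverse gates, since G;G = I. The sketch assumes all gates act on the same qubits; a real pass must track operands.

```python
SELF_INVERSE = {"X", "Y", "Z", "H", "CNOT"}

def cancel_adjacent(gates):
    """Remove adjacent identical self-inverse gates.
    Using a stack makes cancellations cascade: X H H X -> X X -> []."""
    out = []
    for g in gates:
        if out and out[-1] == g and g in SELF_INVERSE:
            out.pop()
        else:
            out.append(g)
    return out

assert cancel_adjacent(["X", "H", "H", "X"]) == []
assert cancel_adjacent(["H", "X", "H"]) == ["H", "X", "H"]
```

In VOQC, the correctness of such a pass is a Coq theorem stating that the optimized circuit denotes the same unitary matrix as the original.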

Reps, Thomas 
POPL '21: "Semantics-Guided Synthesis ..."
Semantics-Guided Synthesis
Jinwoo Kim, Qinheping Hu, Loris D'Antoni, and Thomas Reps (University of Wisconsin-Madison, USA) This paper develops a new framework for program synthesis, called semantics-guided synthesis (SemGuS), that allows a user to provide both the syntax and the semantics for the constructs in the language. SemGuS accepts a recursively defined big-step semantics, which allows it, for example, to be used to specify and solve synthesis problems over an imperative programming language that may contain loops with unbounded behavior. The customizable nature of SemGuS also allows synthesis problems to be defined over a non-standard semantics, such as an abstract semantics. In addition to the SemGuS framework, we develop an algorithm for solving SemGuS problems that is capable of both synthesizing programs and proving unrealizability, by encoding a SemGuS problem as a proof search over Constrained Horn Clauses: in particular, our approach is the first that we are aware of that can prove unrealizability for synthesis problems that involve imperative programs with unbounded loops, over an infinite syntactic search space. We implemented the technique in a tool called MESSY, and applied it to SyGuS problems (i.e., over expressions), synthesis problems over an imperative programming language, and synthesis problems over regular expressions. @Article{POPL21p30, author = {Jinwoo Kim and Qinheping Hu and Loris D'Antoni and Thomas Reps}, title = {Semantics-Guided Synthesis}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {30}, numpages = {32}, doi = {10.1145/3434311}, year = {2021}, } Publisher's Version Artifacts Functional POPL '21: "On the Complexity of Bidirected ..." 
On the Complexity of Bidirected Interleaved Dyck-Reachability Yuanbo Li, Qirun Zhang, and Thomas Reps (Georgia Institute of Technology, USA; University of Wisconsin-Madison, USA) Many program analyses need to reason about pairs of matching actions, such as call/return, lock/unlock, or set-field/get-field. The family of Dyck languages {D_{k}}, where D_{k} has k kinds of parenthesis pairs, can be used to model matching actions as balanced parentheses. Consequently, many program-analysis problems can be formulated as Dyck-reachability problems on edge-labeled digraphs. Interleaved Dyck-reachability (InterDyck-reachability), denoted by D_{k} ⊙ D_{k}-reachability, is a natural extension of Dyck-reachability that allows one to formulate program-analysis problems that involve multiple kinds of matching-action pairs. Unfortunately, the general InterDyck-reachability problem is undecidable. In this paper, we study variants of InterDyck-reachability on bidirected graphs, where for each edge ⟨ p, q ⟩ labeled by an open parenthesis "(_{a}", there is an edge ⟨ q, p ⟩ labeled by the corresponding close parenthesis ")_{a}", and vice versa. Language-reachability on a bidirected graph has proven to be useful both (1) in its own right, as a way to formalize many program-analysis problems, such as pointer analysis, and (2) as a relaxation method that uses a fast algorithm to over-approximate language-reachability on a directed graph. However, unlike its directed counterpart, the complexity of bidirected InterDyck-reachability still remains open. We establish the first decidable variant (i.e., D_{1} ⊙ D_{1}-reachability) of bidirected InterDyck-reachability. In D_{1} ⊙ D_{1}-reachability, each of the two Dyck languages is restricted to have only a single kind of parenthesis pair. In particular, we show that the bidirected D_{1} ⊙ D_{1} problem is in PTIME. 
We also show that when one extends each Dyck language to involve k different kinds of parentheses (i.e., D_{k} ⊙ D_{k}-reachability with k ≥ 2), the problem is NP-hard (and therefore much harder). We have implemented the polynomial-time algorithm for bidirected D_{1} ⊙ D_{1}-reachability. Bidirected D_{1} ⊙ D_{1}-reachability provides a new over-approximation method for bidirected D_{k} ⊙ D_{k}-reachability in the sense that D_{k} ⊙ D_{k}-reachability can first be relaxed to bidirected D_{1} ⊙ D_{1}-reachability, and then the resulting bidirected D_{1} ⊙ D_{1}-reachability problem is solved precisely. We compare this D_{1} ⊙ D_{1}-reachability-based approach against another known over-approximating D_{k} ⊙ D_{k}-reachability algorithm. Surprisingly, we found that the over-approximation approach based on bidirected D_{1} ⊙ D_{1}-reachability computes more precise solutions, even though the D_{1} ⊙ D_{1} formalism is inherently less expressive than the D_{k} ⊙ D_{k} formalism. @Article{POPL21p59, author = {Yuanbo Li and Qirun Zhang and Thomas Reps}, title = {On the Complexity of Bidirected Interleaved Dyck-Reachability}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {59}, numpages = {28}, doi = {10.1145/3434340}, year = {2021}, } Publisher's Version 
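To see what "interleaved Dyck" means concretely, here is a membership check for words in D_1 ⊙ D_1 (not the graph-reachability algorithm of the paper, which instead tracks such counters along graph paths): the projection onto each parenthesis alphabet must balance independently, while the two alphabets may interleave freely.

```python
def in_interleaved_d1(word):
    """Membership in D1 ⊙ D1 over alphabets {(,)} and {[,]}:
    each projection must be a balanced one-parenthesis Dyck word."""
    depth = {"paren": 0, "bracket": 0}
    for c in word:
        kind = "paren" if c in "()" else "bracket"
        depth[kind] += 1 if c in "([" else -1
        if depth[kind] < 0:       # a close with no matching open
            return False
    return depth["paren"] == 0 == depth["bracket"]

assert in_interleaved_d1("([)]")      # projections "()" and "[]" balance
assert not in_interleaved_d1("(()")   # unmatched open parenthesis
```

Note that "([)]" is accepted even though it is not balanced as a single bracket language: the two Dyck conditions are imposed on the projections separately, which is what makes the interleaved problem hard on graphs.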

Reynaud, Alban 
POPL '21: "A Practical Mode System for ..."
A Practical Mode System for Recursive Definitions
Alban Reynaud, Gabriel Scherer, and Jeremy Yallop (ENS Lyon, France; Inria, France; University of Cambridge, UK) In call-by-value languages, some mutually recursive definitions can be safely evaluated to build recursive functions or cyclic data structures, but some definitions (let rec x = x + 1) contain vicious circles and their evaluation fails at runtime. We propose a new static analysis to check the absence of such runtime failures. We present a set of declarative inference rules, prove its soundness with respect to the reference source-level semantics of Nordlander, Carlsson, and Gill [2008], and show that it can be directed into an algorithmic backwards analysis check in a surprisingly simple way. Our implementation of this new check replaced the existing check used by the OCaml programming language, a fragile syntactic criterion which let several subtle bugs slip through as the language kept evolving. We document some issues that arise when advanced features of a real-world functional language (exceptions in first-class modules, GADTs, etc.) interact with safety checking for recursive definitions. @Article{POPL21p45, author = {Alban Reynaud and Gabriel Scherer and Jeremy Yallop}, title = {A Practical Mode System for Recursive Definitions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {45}, numpages = {29}, doi = {10.1145/3434326}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
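A two-mode caricature of the idea, for intuition (the actual OCaml analysis uses a richer lattice of access modes): a binding `let rec x = e` is safe if every occurrence of x in e sits under a lambda, so evaluating the right-hand side never forces the variable being defined. The tuple-based AST below is an assumption for illustration.

```python
def guarded(expr, name, under_lambda=False):
    """True iff every occurrence of `name` in `expr` is under a
    lambda, i.e. the right-hand side of `let rec name = expr`
    never dereferences `name` while it is being defined."""
    tag = expr[0]
    if tag == "var":
        return expr[1] != name or under_lambda
    if tag == "lam":                      # ('lam', body)
        return guarded(expr[1], name, under_lambda=True)
    if tag == "int":                      # ('int', n)
        return True
    # ('add', e1, e2), ('app', f, a), ...: evaluated immediately
    return all(guarded(e, name, under_lambda) for e in expr[1:])

# let rec x = x + 1      -- vicious: x is forced during its definition
assert not guarded(("add", ("var", "x"), ("int", 1)), "x")
# let rec f = \y -> f y  -- fine: f occurs only under the lambda
assert guarded(("lam", ("app", ("var", "f"), ("var", "y"))), "f")
```

The paper's mode system generalizes this to distinguish, e.g., occurrences whose value is merely stored in a constructor (safe for cyclic data) from those that are dereferenced.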

Rocca, Simona Ronchi Della 
POPL '21: "Intersection Types and (Positive) ..."
Intersection Types and (Positive) Almost-Sure Termination
Ugo Dal Lago, Claudia Faggian, and Simona Ronchi Della Rocca (University of Bologna, Italy; University of Paris, France; IRIF, France; CNRS, France; University of Turin, Italy) Randomized higher-order computation can be seen as being captured by a λ-calculus endowed with a single algebraic operation, namely a construct for binary probabilistic choice. What matters about such computations is the probability of obtaining any given result, rather than the possibility or the necessity of obtaining it, as in (non)deterministic computation. Termination, arguably the simplest kind of reachability problem, can be spelled out in at least two ways, depending on whether it talks about the probability of convergence or about the expected evaluation time, the second one providing a stronger guarantee. In this paper, we show that intersection types are capable of precisely characterizing both notions of termination inside a single system of types: the probability of convergence of any λ-term can be under-approximated by its type, while the underlying derivation's weight gives a lower bound on the term's expected number of steps to normal form. Noticeably, both approximations are tight: not only soundness but also completeness holds. The crucial ingredient is non-idempotency, without which it would be impossible to reason about the expected number of reduction steps needed to completely evaluate any term. Besides, the kind of approximation we obtain is proved to be recursion-theoretically optimal: no recursively enumerable formal system can do better than that. @Article{POPL21p32, author = {Ugo Dal Lago and Claudia Faggian and Simona Ronchi Della Rocca}, title = {Intersection Types and (Positive) Almost-Sure Termination}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {32}, numpages = {32}, doi = {10.1145/3434313}, year = {2021}, } Publisher's Version 

Rosemann, Julian 
POPL '21: "An Abstract Interpretation ..."
An Abstract Interpretation for SPMD Divergence on Reducible Control Flow Graphs
Julian Rosemann, Simon Moll, and Sebastian Hack (Saarland University, Germany; NEC, Germany) Vectorizing compilers employ divergence analysis to detect at which program point a specific variable is uniform, i.e. has the same value on all SPMD threads that execute this program point. They exploit uniformity to retain branching to counter branch divergence and defer computations to scalar processor units. Divergence is a hyperproperty and is closely related to non-interference and binding time. Several divergence, binding-time, and non-interference analyses already exist, but they either sacrifice precision or place significant restrictions on the syntactical structure of the program in order to achieve soundness. In this paper, we present the first abstract interpretation for uniformity that is general enough to be applicable to reducible CFGs and, at the same time, more precise than other analyses that achieve at least the same generality. Our analysis comes with a correctness proof that is to a large part mechanized in Coq. Our experimental evaluation shows that the compile time and the precision of our analysis are on par with LLVM's default divergence analysis, which is only sound on more restricted CFGs. At the same time, our analysis is faster and achieves better precision than a state-of-the-art non-interference analysis that is sound and at least as general as our analysis. @Article{POPL21p31, author = {Julian Rosemann and Simon Moll and Sebastian Hack}, title = {An Abstract Interpretation for SPMD Divergence on Reducible Control Flow Graphs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {31}, numpages = {31}, doi = {10.1145/3434312}, year = {2021}, } Publisher's Version Info Artifacts Functional 
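For intuition, here is the straight-line core of a uniformity analysis (a toy, not the paper's abstract interpretation, whose whole point is handling branches and joins in reducible CFGs): a variable is divergent iff it transitively depends on a thread-divergent seed such as the thread id. The statement representation is an assumption for illustration.

```python
def uniformity(stmts, divergent_seeds=("tid",)):
    """Forward dataflow over straight-line SPMD code.
    `stmts` is a list of (target, sources) assignments, meaning
    target = f(sources); returns the set of divergent variables."""
    div = set(divergent_seeds)
    for target, sources in stmts:
        if any(s in div for s in sources):
            div.add(target)          # taint propagates
        else:
            div.discard(target)      # redefinition may restore uniformity
    return div

stmts = [("n", ["len"]),        # uniform: depends only on a kernel arg
         ("i", ["tid", "n"]),   # divergent: depends on the thread id
         ("b", ["i"])]          # divergent transitively
assert uniformity(stmts) == {"tid", "i", "b"}
```

The hard cases, and where the paper gains precision, are control-flow joins: a variable assigned under a divergent branch condition may become divergent even if all its operands are uniform.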

Rouvoet, Arjen 
POPL '21: "Intrinsically Typed Compilation ..."
Intrinsically Typed Compilation with Nameless Labels
Arjen Rouvoet, Robbert Krebbers, and Eelco Visser (Delft University of Technology, Netherlands; Radboud University Nijmegen, Netherlands) To avoid compilation errors it is desirable to verify that a compiler is type correct, i.e., given well-typed source code, it always outputs well-typed target code. This can be done intrinsically by implementing it as a function in a dependently typed programming language, such as Agda. This function manipulates data types of well-typed source and target programs, and is therefore type correct by construction. A key challenge in implementing an intrinsically typed compiler is the representation of labels in bytecode. Because label names are global, bytecode typing appears to be inherently a non-compositional, whole-program property. The individual operations of the compiler do not preserve this property, forcing the programmer to reason about labels in a way that spoils the compiler definition with proof terms. In this paper, we address this problem using a new nameless and co-contextual representation of typed global label binding, which is compositional. Our key idea is to use linearity to ensure that all labels are defined exactly once. To write concise compilers that manipulate programs in our representation, we develop a linear, dependently typed, shallowly embedded language in Agda, based on separation logic. We show that this language enables the concise specification and implementation of intrinsically typed operations on bytecode, culminating in an intrinsically typed compiler for a language with structured control flow. @Article{POPL21p22, author = {Arjen Rouvoet and Robbert Krebbers and Eelco Visser}, title = {Intrinsically Typed Compilation with Nameless Labels}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {22}, numpages = {28}, doi = {10.1145/3434303}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Sabok, Marcin 
POPL '21: "Probabilistic Programming ..."
Probabilistic Programming Semantics for Name Generation
Marcin Sabok, Sam Staton, Dario Stein, and Michael Wolman (McGill University, Canada; University of Oxford, UK) We make a formal analogy between random sampling and fresh name generation. We show that quasi-Borel spaces, a model for probabilistic programming, can soundly interpret the ν-calculus, a calculus for name generation. Moreover, we prove that this semantics is fully abstract up to first-order types. This is surprising for an 'off-the-shelf' model, and requires a novel analysis of probability distributions on function spaces. Our tools are diverse and include descriptive set theory and normal forms for the ν-calculus. @Article{POPL21p11, author = {Marcin Sabok and Sam Staton and Dario Stein and Michael Wolman}, title = {Probabilistic Programming Semantics for Name Generation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {11}, numpages = {29}, doi = {10.1145/3434292}, year = {2021}, } Publisher's Version 

Sabry, Amr 
POPL '21: "A Computational Interpretation ..."
A Computational Interpretation of Compact Closed Categories: Reversible Programming with Negative and Fractional Types
Chao-Hong Chen and Amr Sabry (Indiana University, USA) Compact closed categories include objects representing higher-order functions and are well-established as models of linear logic, concurrency, and quantum computing. We show that it is possible to construct such compact closed categories for conventional sum and product types by defining a dual to sum types, a negative type, and a dual to product types, a fractional type. Inspired by the categorical semantics, we define a sound operational semantics for negative and fractional types in which a negative type represents a computational effect that ``reverses execution flow'' and a fractional type represents a computational effect that ``garbage collects'' particular values or throws exceptions. Specifically, we extend a first-order reversible language of type isomorphisms with negative and fractional types, specify an operational semantics for each extension, and prove that each extension forms a compact closed category. We furthermore show that both operational semantics can be merged using the standard combination of backtracking and exceptions resulting in a smooth interoperability of negative and fractional types. We illustrate the expressiveness of this combination by writing a reversible SAT solver that uses backtracking search along freshly allocated and deallocated locations. The operational semantics, most of its metatheoretic properties, and all examples are formalized in a supplementary Agda package. @Article{POPL21p9, author = {Chao-Hong Chen and Amr Sabry}, title = {A Computational Interpretation of Compact Closed Categories: Reversible Programming with Negative and Fractional Types}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {9}, numpages = {29}, doi = {10.1145/3434290}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
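As background on the base language being extended (the paper's formalization is in Agda; this Python encoding is only an illustration), a first-order reversible language of type isomorphisms consists of mutually inverse maps between types, such as commutativity of sums. Sums are encoded here as tagged values.

```python
# swap_plus : a + b <-> b + a, with sums as ('left'|'right', value).
def swap_plus(v):
    tag, x = v
    return ("right" if tag == "left" else "left", x)

swap_plus_inv = swap_plus     # swapping the summands is an involution

# Every isomorphism must satisfy iso_inv . iso = id (and vice versa):
for v in [("left", 1), ("right", "a")]:
    assert swap_plus_inv(swap_plus(v)) == v
```

Negative and fractional types enrich exactly this setting: they add duals to + and × whose operational reading is reversed execution flow and constrained deallocation, respectively, which plain bijections like the one above cannot express.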

Sagiv, Mooly 
POPL '21: "Learning the Boundary of Inductive ..."
Learning the Boundary of Inductive Invariants
Yotam M. Y. Feldman, Mooly Sagiv, Sharon Shoham, and James R. Wilcox (Tel Aviv University, Israel; Certora, USA) We study the complexity of invariant inference and its connections to exact concept learning. We define a condition on invariants and their geometry, called the fence condition, which permits applying theoretical results from exact concept learning to answer open problems in invariant inference theory. The condition requires the invariant's boundary (the states whose Hamming distance from the invariant is one) to be backwards reachable from the bad states in a small number of steps. Using this condition, we obtain the first polynomial complexity result for an interpolation-based invariant inference algorithm, efficiently inferring monotone DNF invariants with access to a SAT solver as an oracle. We further harness Bshouty's seminal result in concept learning to efficiently infer invariants of a larger syntactic class of invariants beyond monotone DNF. Lastly, we consider the robustness of inference under program transformations. We show that some simple transformations preserve the fence condition, and that it is sensitive to more complex transformations. @Article{POPL21p15, author = {Yotam M. Y. Feldman and Mooly Sagiv and Sharon Shoham and James R. Wilcox}, title = {Learning the Boundary of Inductive Invariants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {15}, numpages = {30}, doi = {10.1145/3434296}, year = {2021}, } Publisher's Version 
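The boundary notion is easy to compute explicitly for small state spaces. A sketch (states are bitstrings; this only computes the boundary, not the backward-reachability part of the fence condition):

```python
from itertools import product

def boundary(invariant, n):
    """States at Hamming distance exactly one from the invariant:
    states outside it that differ from some invariant state in one bit."""
    def flips(s):
        return {s[:i] + ("1" if s[i] == "0" else "0") + s[i + 1:]
                for i in range(n)}
    all_states = {"".join(bits) for bits in product("01", repeat=n)}
    return {s for s in all_states - invariant if flips(s) & invariant}

inv = {"00", "01"}            # invariant: first bit is 0
assert boundary(inv, 2) == {"10", "11"}
```

The fence condition additionally demands that each such boundary state be backward-reachable from a bad state in few steps, which is what lets a learner's equivalence/membership queries be answered by a SAT solver.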

Saivasan, Prakash 
POPL '21: "Deciding Reachability under ..."
Deciding Reachability under Persistent x86-TSO
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Ahmed Bouajjani, K. Narayan Kumar, and Prakash Saivasan (Uppsala University, Sweden; University of Paris, France; Chennai Mathematical Institute, India; CNRS UMI ReLaX, India; Institute of Mathematical Sciences, India) We address the reachability problem for programs running under the formal model Px86, defined recently by Raad et al. in POPL'20 for the persistent Intel x86 architecture. We prove that this problem is decidable. To achieve that, we provide a new formal model that is equivalent to Px86 and that has the feature of being a well-structured system. Deriving this new model is the result of a deep investigation of the properties of Px86 and the interplay of its components. @Article{POPL21p56, author = {Parosh Aziz Abdulla and Mohamed Faouzi Atig and Ahmed Bouajjani and K. Narayan Kumar and Prakash Saivasan}, title = {Deciding Reachability under Persistent x86-TSO}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {56}, numpages = {32}, doi = {10.1145/3434337}, year = {2021}, } Publisher's Version 

Scalas, Alceste 
POPL '21: "Precise Subtyping for Asynchronous ..."
Precise Subtyping for Asynchronous Multiparty Sessions
Silvia Ghilezan, Jovanka Pantović, Ivan Prokić, Alceste Scalas, and Nobuko Yoshida (University of Novi Sad, Serbia; DTU, Denmark; Aston University, UK; Imperial College London, UK) Session subtyping is a cornerstone of refinement of communicating processes: a process implementing a session type (i.e., a communication protocol) T can be safely used whenever a process implementing one of its supertypes T′ is expected, in any context, without introducing deadlocks or other communication errors. As a consequence, whenever T ≤ T′ holds, it is safe to replace an implementation of T′ with an implementation of the subtype T, which may allow for more optimised communication patterns. We present the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., guarantees safe process replacement, as outlined above) and also complete: any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). Previous work studies precise subtyping for binary sessions (with just two participants), or multiparty sessions (with any number of participants) and synchronous interaction. Here, we cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. In the asynchronous multiparty setting, finding the precise subtyping relation is a highly complex task: this is because, under some conditions, participants can permute the order of their inputs and outputs, by sending some messages earlier or receiving some later, without causing errors; the precise subtyping relation must capture all such valid permutations, and consequently its formalisation, reasoning and proofs become challenging. 
Our session decomposition technique overcomes this complexity, expressing the subtyping relation as a composition of refinement relations between single input/output trees, and providing a simple reasoning principle for asynchronous message optimisations. @Article{POPL21p16, author = {Silvia Ghilezan and Jovanka Pantović and Ivan Prokić and Alceste Scalas and Nobuko Yoshida}, title = {Precise Subtyping for Asynchronous Multiparty Sessions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {16}, numpages = {28}, doi = {10.1145/3434297}, year = {2021}, } Publisher's Version 

Scherer, Gabriel 
POPL '21: "A Practical Mode System for ..."
A Practical Mode System for Recursive Definitions
Alban Reynaud, Gabriel Scherer, and Jeremy Yallop (ENS Lyon, France; Inria, France; University of Cambridge, UK) In call-by-value languages, some mutually recursive definitions can be safely evaluated to build recursive functions or cyclic data structures, but some definitions (let rec x = x + 1) contain vicious circles and their evaluation fails at runtime. We propose a new static analysis to check the absence of such runtime failures. We present a set of declarative inference rules, prove its soundness with respect to the reference source-level semantics of Nordlander, Carlsson, and Gill [2008], and show that it can be directed into an algorithmic backwards analysis check in a surprisingly simple way. Our implementation of this new check replaced the existing check used by the OCaml programming language, a fragile syntactic criterion which let several subtle bugs slip through as the language kept evolving. We document some issues that arise when advanced features of a real-world functional language (exceptions in first-class modules, GADTs, etc.) interact with safety checking for recursive definitions. @Article{POPL21p45, author = {Alban Reynaud and Gabriel Scherer and Jeremy Yallop}, title = {A Practical Mode System for Recursive Definitions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {45}, numpages = {29}, doi = {10.1145/3434326}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Sherman, Benjamin 
POPL '21: "𝜆ₛ: Computable Semantics ..."
𝜆ₛ: Computable Semantics for Differentiable Programming with Higher-Order Functions and Datatypes
Benjamin Sherman, Jesse Michel, and Michael Carbin (Massachusetts Institute of Technology, USA) Deep learning is moving towards increasingly sophisticated optimization objectives that employ higher-order functions, such as integration, continuous optimization, and root-finding. Since differentiable programming frameworks such as PyTorch and TensorFlow do not have first-class representations of these functions, developers must reason about the semantics of such objectives and manually translate them to differentiable code. We present a differentiable programming language, λ_{S}, that is the first to deliver a semantics for higher-order functions, higher-order derivatives, and Lipschitz but non-differentiable functions. Together, these features enable λ_{S} to expose differentiable, higher-order functions for integration, optimization, and root-finding as first-class functions with automatically computed derivatives. λ_{S}'s semantics is computable, meaning that values can be computed to arbitrary precision, and we implement λ_{S} as an embedded language in Haskell. We use λ_{S} to construct novel differentiable libraries for representing probability distributions, implicit surfaces, and generalized parametric surfaces – all as instances of higher-order datatypes – and present case studies that rely on computing the derivatives of these higher-order functions and datatypes. In addition to modeling existing differentiable algorithms, such as a differentiable ray tracer for implicit surfaces, without requiring any user-level differentiation code, we demonstrate new differentiable algorithms, such as the Hausdorff distance of generalized parametric surfaces. @Article{POPL21p3, author = {Benjamin Sherman and Jesse Michel and Michael Carbin}, title = {𝜆ₛ: Computable Semantics for Differentiable Programming with Higher-Order Functions and Datatypes}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {3}, numpages = {31}, doi = {10.1145/3434284}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
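As background on the basic mechanism being generalized (λ_{S} goes far beyond this, covering higher-order functions, arbitrary-precision semantics, and Lipschitz non-differentiable operations), forward-mode automatic differentiation can be sketched with dual numbers, which carry a value and its derivative through arithmetic.

```python
class Dual:
    """Forward-mode AD via dual numbers: tracks f(x) and f'(x)."""
    def __init__(self, val, der=0.0):
        self.val, self.der = val, der
    def __add__(self, o):
        o = o if isinstance(o, Dual) else Dual(o)
        return Dual(self.val + o.val, self.der + o.der)
    __radd__ = __add__
    def __mul__(self, o):                 # product rule
        o = o if isinstance(o, Dual) else Dual(o)
        return Dual(self.val * o.val,
                    self.der * o.val + self.val * o.der)
    __rmul__ = __mul__

def derivative(f, x):
    """d/dx f at x, for f built from + and *."""
    return f(Dual(x, 1.0)).der

assert derivative(lambda x: x * x + x, 3.0) == 7.0   # d/dx(x²+x) = 2x+1
```

First-order tricks like this break down for objectives that contain an inner integral or root-finder; giving those higher-order constructs a computable derivative semantics is precisely the paper's contribution.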

Shoham, Sharon 
POPL '21: "Learning the Boundary of Inductive ..."
Learning the Boundary of Inductive Invariants
Yotam M. Y. Feldman, Mooly Sagiv, Sharon Shoham, and James R. Wilcox (Tel Aviv University, Israel; Certora, USA) We study the complexity of invariant inference and its connections to exact concept learning. We define a condition on invariants and their geometry, called the fence condition, which permits applying theoretical results from exact concept learning to answer open problems in invariant inference theory. The condition requires the invariant's boundary (the states whose Hamming distance from the invariant is one) to be backwards reachable from the bad states in a small number of steps. Using this condition, we obtain the first polynomial complexity result for an interpolation-based invariant inference algorithm, efficiently inferring monotone DNF invariants with access to a SAT solver as an oracle. We further harness Bshouty's seminal result in concept learning to efficiently infer invariants of a larger syntactic class of invariants beyond monotone DNF. Lastly, we consider the robustness of inference under program transformations. We show that some simple transformations preserve the fence condition, and that it is sensitive to more complex transformations. @Article{POPL21p15, author = {Yotam M. Y. Feldman and Mooly Sagiv and Sharon Shoham and James R. Wilcox}, title = {Learning the Boundary of Inductive Invariants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {15}, numpages = {30}, doi = {10.1145/3434296}, year = {2021}, } Publisher's Version 

Silver, Lucas 
POPL '21: "Dijkstra Monads Forever: Termination-Sensitive ..."
Dijkstra Monads Forever: Termination-Sensitive Specifications for Interaction Trees
Lucas Silver and Steve Zdancewic (University of Pennsylvania, USA) This paper extends the Dijkstra monad framework, designed for writing specifications over effectful programs using monadic effects, to handle termination-sensitive specifications over interactive programs. We achieve this by introducing base specification monads for non-terminating programs with uninterpreted events. We model such programs using interaction trees, a coinductive datatype for representing programs with algebraic effects in Coq, which we further develop by adding trace semantics. We show that this approach subsumes typical, simple proof principles. The framework is implemented as an extension of the Interaction Trees Coq library. @Article{POPL21p26, author = {Lucas Silver and Steve Zdancewic}, title = {Dijkstra Monads Forever: Termination-Sensitive Specifications for Interaction Trees}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {26}, numpages = {28}, doi = {10.1145/3434307}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Sistla, A. Prasad 
POPL '21: "Deciding Accuracy of Differential ..."
Deciding Accuracy of Differential Privacy Schemes
Gilles Barthe, Rohit Chadha, Paul Krogmeier, A. Prasad Sistla, and Mahesh Viswanathan (MPI-SP, Germany; University of Missouri, USA; University of Illinois at Urbana-Champaign, USA; University of Illinois at Chicago, USA) Differential privacy is a mathematical framework for developing statistical computations with provable guarantees of privacy and accuracy. In contrast to the privacy component of differential privacy, which has a clear mathematical and intuitive meaning, the accuracy component of differential privacy does not have a generally accepted definition; accuracy claims of differential privacy algorithms vary from algorithm to algorithm and are not instantiations of a general definition. We identify program discontinuity as a common theme in existing ad hoc definitions and introduce an alternative notion of accuracy parametrized by what we call the distance to disagreement: the distance to disagreement of an input x w.r.t. a deterministic computation f and a distance d is the minimal distance d(x,y) over all y such that f(y) ≠ f(x). We show that our notion of accuracy subsumes the definition used in theoretical computer science, and captures known accuracy claims for differential privacy algorithms. In fact, our general notion of accuracy helps us prove better claims in some cases. Next, we study the decidability of accuracy. We first show that accuracy is in general undecidable. Then, we define a non-trivial class of probabilistic computations for which accuracy is decidable (unconditionally, or assuming Schanuel’s conjecture). We implement our decision procedure and experimentally evaluate the effectiveness of our approach for generating proofs or counterexamples of accuracy for common algorithms from the literature. @Article{POPL21p8, author = {Gilles Barthe and Rohit Chadha and Paul Krogmeier and A. Prasad Sistla and Mahesh Viswanathan}, title = {Deciding Accuracy of Differential Privacy Schemes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {8}, numpages = {30}, doi = {10.1145/3434289}, year = {2021}, } Publisher's Version Artifacts Functional 
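The distance-to-disagreement notion in the abstract has a direct operational reading. A minimal sketch (a brute-force illustration over a finite candidate set of inputs; the paper's actual contribution is a decision procedure for probabilistic computations, which this is not):

```python
# Distance to disagreement of an input x w.r.t. a deterministic computation f
# and a distance d: the minimal d(x, y) over all y with f(y) != f(x).
# Here we brute-force it over an explicitly given finite set of inputs.

def distance_to_disagreement(f, d, x, candidates):
    """Minimal d(x, y) over candidates y with f(y) != f(x);
    None if f is constant on the candidate set."""
    fx = f(x)
    dists = [d(x, y) for y in candidates if f(y) != fx]
    return min(dists) if dists else None

# Example: a threshold computation over integers with absolute distance.
f = lambda v: v >= 10          # deterministic computation
d = lambda a, b: abs(a - b)    # distance on inputs

print(distance_to_disagreement(f, d, 7, range(20)))   # 3 (nearest disagreeing input is 10)
```

The example makes the "program discontinuity" intuition concrete: inputs near the threshold have a small distance to disagreement, so small input perturbations can flip the output there.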

Sobociński, Paweł 
POPL '21: "Functorial Semantics for Partial ..."
Functorial Semantics for Partial Theories
Ivan Di Liberti, Fosco Loregian, Chad Nester, and Paweł Sobociński (Czech Academy of Sciences, Czechia; Tallinn University of Technology, Estonia) We provide a Lawvere-style definition for partial theories, extending the classical notion of equational theory by allowing partially defined operations. As in the classical case, our definition is syntactic: we use an appropriate class of string diagrams as terms. This allows for equational reasoning about the class of models defined by a partial theory. We demonstrate the expressivity of such equational theories by considering a number of examples, including partial combinatory algebras and cartesian closed categories. Moreover, despite the increase in expressivity of the syntax, we retain a well-behaved notion of semantics: we show that our categories of models are precisely locally finitely presentable categories, and that free models exist. @Article{POPL21p57, author = {Ivan Di Liberti and Fosco Loregian and Chad Nester and Paweł Sobociński}, title = {Functorial Semantics for Partial Theories}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {57}, numpages = {28}, doi = {10.1145/3434338}, year = {2021}, } Publisher's Version 

Solko-Breslin, Alaia 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus overapproximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. 
@Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Spies, Simon 
POPL '21: "Transfinite Step-Indexing ..."
Transfinite Step-Indexing for Termination
Simon Spies, Neel Krishnaswami, and Derek Dreyer (MPI-SWS, Germany; University of Cambridge, UK) Step-indexed logical relations are an extremely useful technique for building operational-semantics-based models and program logics for realistic, richly-typed programming languages. They have proven to be indispensable for modeling features like higher-order state, which many languages support but which were difficult to accommodate using traditional denotational models. However, the conventional wisdom is that, because they only support reasoning about finite traces of computation, (unary) step-indexed models are only good for proving safety properties like “well-typed programs don’t go wrong”. There has consequently been very little work on using step-indexing to establish liveness properties, in particular termination. In this paper, we show that step-indexing can in fact be used to prove termination of well-typed programs—even in the presence of dynamically-allocated, shared, mutable, higher-order state—so long as one’s type system enforces disciplined use of such state. Specifically, we consider a language with asynchronous channels, inspired by promises in JavaScript, in which higher-order state is used to implement communication, and linearity is used to ensure termination. The key to our approach is to generalize from natural number step-indexing to transfinite step-indexing, which enables us to compute termination bounds for program expressions in a compositional way. Although transfinite step-indexing has been proposed previously, we are the first to apply this technique to reasoning about termination in the presence of higher-order state. @Article{POPL21p13, author = {Simon Spies and Neel Krishnaswami and Derek Dreyer}, title = {Transfinite Step-Indexing for Termination}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {13}, numpages = {29}, doi = {10.1145/3434294}, year = {2021}, } Publisher's Version Info 

Staton, Sam 
POPL '21: "Probabilistic Programming ..."
Probabilistic Programming Semantics for Name Generation
Marcin Sabok, Sam Staton, Dario Stein, and Michael Wolman (McGill University, Canada; University of Oxford, UK) We make a formal analogy between random sampling and fresh name generation. We show that quasi-Borel spaces, a model for probabilistic programming, can soundly interpret the ν-calculus, a calculus for name generation. Moreover, we prove that this semantics is fully abstract up to first-order types. This is surprising for an ‘off-the-shelf’ model, and requires a novel analysis of probability distributions on function spaces. Our tools are diverse and include descriptive set theory and normal forms for the ν-calculus. @Article{POPL21p11, author = {Marcin Sabok and Sam Staton and Dario Stein and Michael Wolman}, title = {Probabilistic Programming Semantics for Name Generation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {11}, numpages = {29}, doi = {10.1145/3434292}, year = {2021}, } Publisher's Version 

Stefan, Deian 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen, Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala, Dean Tullsen, and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets, or stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
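The abstract's "cut the dataflow from sources to sinks" idea can be pictured as a minimum cut. A simplified sketch, assuming a toy dataflow graph with unit-capacity edges and plain Ford-Fulkerson max-flow (the graph, node names, and edge-cut formulation here are illustrative; Blade itself works over its type system and synthesizes protect placements, which this does not model):

```python
# Sketch: sever every dataflow path from transient sources to cache-visible
# sinks by computing a minimum edge cut; each cut edge marks a candidate
# placement for a speculation barrier.
from collections import defaultdict

def min_cut_edges(edges, sources, sinks):
    cap = defaultdict(int)            # residual capacities
    adj = defaultdict(set)            # symmetric adjacency for residual graph
    S, T = "_S", "_T"                 # super source/sink
    for u, v in edges:
        cap[(u, v)] += 1
        adj[u].add(v); adj[v].add(u)
    INF = len(edges) + 1              # never cut the super edges
    for s in sources:
        cap[(S, s)] = INF; adj[S].add(s); adj[s].add(S)
    for t in sinks:
        cap[(t, T)] = INF; adj[t].add(T); adj[T].add(t)

    def bfs_path():                   # shortest augmenting path in residual graph
        parent, queue = {S: None}, [S]
        for u in queue:
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    if v == T:
                        return parent
                    queue.append(v)
        return None

    while (parent := bfs_path()) is not None:
        v, path = T, []
        while parent[v] is not None:
            path.append((parent[v], v)); v = parent[v]
        flow = min(cap[e] for e in path)
        for u, v in path:             # augment, updating residuals
            cap[(u, v)] -= flow
            cap[(v, u)] += flow

    reach, stack = {S}, [S]           # residual reachability = source side of cut
    while stack:
        u = stack.pop()
        for v in adj[u]:
            if v not in reach and cap[(u, v)] > 0:
                reach.add(v); stack.append(v)
    return {(u, v) for u, v in edges if u in reach and v not in reach}

# Example: a speculatively loaded secret flows into an array index.
edges = [("load_secret", "index"), ("index", "array_access")]
cut = min_cut_edges(edges, {"load_secret"}, {"array_access"})
print(cut)
```

Cutting the returned edge(s) disconnects every source-to-sink path, mirroring the insight that speculation need not be prohibited everywhere, only along leaking dataflow.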

Stein, Dario 
POPL '21: "Probabilistic Programming ..."
Probabilistic Programming Semantics for Name Generation
Marcin Sabok, Sam Staton, Dario Stein, and Michael Wolman (McGill University, Canada; University of Oxford, UK) We make a formal analogy between random sampling and fresh name generation. We show that quasi-Borel spaces, a model for probabilistic programming, can soundly interpret the ν-calculus, a calculus for name generation. Moreover, we prove that this semantics is fully abstract up to first-order types. This is surprising for an ‘off-the-shelf’ model, and requires a novel analysis of probability distributions on function spaces. Our tools are diverse and include descriptive set theory and normal forms for the ν-calculus. @Article{POPL21p11, author = {Marcin Sabok and Sam Staton and Dario Stein and Michael Wolman}, title = {Probabilistic Programming Semantics for Name Generation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {11}, numpages = {29}, doi = {10.1145/3434292}, year = {2021}, } Publisher's Version 

Stephens, Jon 
POPL '21: "Verifying Correct Usage of ..."
Verifying Correct Usage of Context-Free API Protocols
Kostas Ferles, Jon Stephens, and Isil Dillig (University of Texas at Austin, USA) Several real-world libraries (e.g., reentrant locks, GUI frameworks, serialization libraries) require their clients to use the provided API in a manner that conforms to a context-free specification. Motivated by this observation, this paper describes a new technique for verifying the correct usage of context-free API protocols. The key idea underlying our technique is to overapproximate the program’s feasible API call sequences using a context-free grammar (CFG) and then check language inclusion between this grammar and the specification. However, since this inclusion check may fail due to imprecision in the program’s CFG abstraction, we propose a novel refinement technique to progressively improve the CFG. In particular, our method obtains counterexamples from CFG inclusion queries and uses them to introduce new nonterminals and productions to the grammar while still overapproximating the program’s relevant behavior. We have implemented the proposed algorithm in a tool called CFPChecker and evaluate it on 10 popular Java applications that use at least one API with a context-free specification. Our evaluation shows that CFPChecker is able to verify correct usage of the API in clients that use it correctly and produces counterexamples for those that do not. We also compare our method against three relevant baselines and demonstrate that CFPChecker enables verification of safety properties that are beyond the reach of existing tools. @Article{POPL21p17, author = {Kostas Ferles and Jon Stephens and Isil Dillig}, title = {Verifying Correct Usage of Context-Free API Protocols}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {17}, numpages = {30}, doi = {10.1145/3434298}, year = {2021}, } Publisher's Version 
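To see what a context-free API specification looks like, consider the reentrant locks mentioned in the abstract: legal call sequences form the balanced language S → ε | lock S unlock S. A toy sketch, checking a single concrete trace (for this particular specification a counter suffices; CFPChecker instead checks language inclusion between the program's whole CFG of feasible call sequences and the specification grammar, which is a much harder problem this sketch does not address):

```python
# Check one API call sequence against the balanced lock/unlock protocol:
# every unlock must match an earlier lock, and all locks must be released.

def conforms(trace):
    depth = 0
    for call in trace:
        if call == "lock":
            depth += 1
        elif call == "unlock":
            depth -= 1
            if depth < 0:        # unlock with no matching lock
                return False
    return depth == 0            # every lock eventually released

print(conforms(["lock", "lock", "unlock", "unlock"]))  # True
print(conforms(["lock", "unlock", "unlock"]))          # False
```

No finite automaton recognizes this protocol for unbounded nesting depth, which is why the specification, and hence the verification problem, is genuinely context-free.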

Su, Yusen 
POPL '21: "Data Flow Refinement Type ..."
Data Flow Refinement Type Inference
Zvonimir Pavlinovic, Yusen Su, and Thomas Wies (New York University, USA; Google, USA; University of Waterloo, Canada) Refinement types enable lightweight verification of functional programs. Algorithms for statically inferring refinement types typically work by reduction to solving systems of constrained Horn clauses extracted from typing derivations. An example is Liquid type inference, which solves the extracted constraints using predicate abstraction. However, the reduction to constraint solving in itself already signifies an abstraction of the program semantics that affects the precision of the overall static analysis. To better understand this issue, we study the type inference problem in its entirety through the lens of abstract interpretation. We propose a new refinement type system that is parametric in the choice of the abstract domain of type refinements as well as the degree to which it tracks context-sensitive control flow information. We then derive an accompanying parametric inference algorithm as an abstract interpretation of a novel data flow semantics of functional programs. We further show that the type system is sound and complete with respect to the constructed abstract semantics. Our theoretical development reveals the key abstraction steps inherent in refinement type inference algorithms. The trade-off between precision and efficiency of these abstraction steps is controlled by the parameters of the type system. Existing refinement type systems and their respective inference algorithms, such as Liquid types, are captured by concrete parameter instantiations. We have implemented our framework in a prototype tool and evaluated it for a range of new parameter instantiations (e.g., using octagons and polyhedra for expressing type refinements). The tool compares favorably against other existing tools. 
Our evaluation indicates that our approach can be used to systematically construct new refinement type inference algorithms that are both robust and precise. @Article{POPL21p19, author = {Zvonimir Pavlinovic and Yusen Su and Thomas Wies}, title = {Data Flow Refinement Type Inference}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {19}, numpages = {31}, doi = {10.1145/3434300}, year = {2021}, } Publisher's Version 
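One way to picture the abstract-domain parameter is to instantiate it with intervals. A toy sketch under that assumption (the names and setup here are illustrative, not the paper's framework or API): inferring an interval refinement for a recursive function's result by iterating an abstract transfer function with widening:

```python
# Toy interval domain: BOT is the empty refinement; an interval (lo, hi)
# refines a result as { v : lo <= v <= hi }.
BOT = None

def join(a, b):
    if a is BOT: return b
    if b is BOT: return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(a, b):
    # standard interval widening: jump unstable bounds to infinity
    if a is BOT: return b
    lo = a[0] if b[0] >= a[0] else float("-inf")
    hi = a[1] if b[1] <= a[1] else float("inf")
    return (lo, hi)

# Abstract semantics of:  let rec f n = if n <= 0 then 0 else 1 + f (n - 1)
# The result is the join of the base case [0,0] with 1 + the recursive result.
def transfer(res):
    rec = BOT if res is BOT else (res[0] + 1, res[1] + 1)
    return join((0, 0), rec)

res = BOT
while True:
    new = widen(res, transfer(res))
    if new == res:
        break
    res = new
print(res)   # (0, inf), i.e. the refinement { v : v >= 0 }
```

Swapping this interval domain for octagons or polyhedra, as the evaluation does, changes precision and cost without changing the fixpoint-iteration shape of inference.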

Tabareau, Nicolas 
POPL '21: "The Taming of the Rew: A Type ..."
The Taming of the Rew: A Type Theory with Computational Assumptions
Jesper Cockx, Nicolas Tabareau, and Théo Winterhalter (Delft University of Technology, Netherlands; Inria, France; LS2N, France) Dependently typed programming languages and proof assistants such as Agda and Coq rely on computation to automatically simplify expressions during type checking. To overcome the lack of certain programming primitives or logical principles in those systems, it is common to appeal to axioms to postulate their existence. However, one can only postulate the bare existence of an axiom, not its computational behaviour. Instead, users are forced to postulate equality proofs and appeal to them explicitly to simplify expressions, making axioms dramatically more complicated to work with than built-in primitives. On the other hand, the equality reflection rule from extensional type theory solves these problems by collapsing computation and equality, at the cost of having no practical type checking algorithm. This paper introduces Rewriting Type Theory (RTT), a type theory where it is possible to add computational assumptions in the form of rewrite rules. Rewrite rules go beyond the computational capabilities of intensional type theory, but in contrast to extensional type theory, they are applied automatically, so type checking does not require input from the user. To ensure type soundness of RTT—as well as effective type checking—we provide a framework where confluence of user-defined rewrite rules can be checked modularly and automatically, and where adding new rewrite rules is guaranteed to preserve subject reduction. The properties of RTT have been formally verified using the MetaCoq framework and an implementation of rewrite rules is already available in the Agda proof assistant. @Article{POPL21p60, author = {Jesper Cockx and Nicolas Tabareau and Théo Winterhalter}, title = {The Taming of the Rew: A Type Theory with Computational Assumptions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {60}, numpages = {29}, doi = {10.1145/3434341}, year = {2021}, } Publisher's Version Artifacts Functional 

Tatlock, Zachary 
POPL '21: "egg: Fast and Extensible Equality ..."
egg: Fast and Extensible Equality Saturation
Max Willsey, Chandrakana Nandi, Yisu Remy Wang, Oliver Flatt, Zachary Tatlock, and Pavel Panchekha (University of Washington, USA; University of Utah, USA) An e-graph efficiently represents a congruence relation over many expressions. Although they were originally developed in the late 1970s for use in automated theorem provers, a more recent technique known as equality saturation repurposes e-graphs to implement state-of-the-art, rewrite-driven compiler optimizations and program synthesizers. However, e-graphs remain unspecialized for this newer use case. Equality saturation workloads exhibit distinct characteristics and often require ad hoc e-graph extensions to incorporate transformations beyond purely syntactic rewrites. This work contributes two techniques that make e-graphs fast and extensible, specializing them to equality saturation. A new amortized invariant restoration technique called rebuilding takes advantage of equality saturation's distinct workload, providing asymptotic speedups over current techniques in practice. A general mechanism called e-class analyses integrates domain-specific analyses into the e-graph, reducing the need for ad hoc manipulation. We implemented these techniques in a new open-source library called egg. Our case studies on three previously published applications of equality saturation highlight how egg's performance and flexibility enable state-of-the-art results across diverse domains. @Article{POPL21p23, author = {Max Willsey and Chandrakana Nandi and Yisu Remy Wang and Oliver Flatt and Zachary Tatlock and Pavel Panchekha}, title = {egg: Fast and Extensible Equality Saturation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {23}, numpages = {29}, doi = {10.1145/3434304}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional 
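The rebuilding technique named in the abstract restores the e-graph's congruence invariant after a batch of merges instead of after each one. A minimal sketch of the data structure with deferred rebuilding (an illustration of the general idea only, not egg's Rust implementation or its amortized algorithm):

```python
# Minimal e-graph: e-nodes are (op, child-class-ids), a union-find tracks
# equivalent classes, and rebuild() restores congruence (a = b implies
# f(a) = f(b)) only when called, after any number of merges.

class EGraph:
    def __init__(self):
        self.parent = []     # union-find over e-class ids
        self.hashcons = {}   # canonical e-node -> e-class id
        self.worklist = []   # classes touched by merges since last rebuild

    def find(self, a):
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def canon(self, node):
        op, children = node
        return (op, tuple(self.find(c) for c in children))

    def add(self, op, *children):
        node = self.canon((op, children))
        if node in self.hashcons:
            return self.find(self.hashcons[node])
        cid = len(self.parent)
        self.parent.append(cid)
        self.hashcons[node] = cid
        return cid

    def merge(self, a, b):
        a, b = self.find(a), self.find(b)
        if a != b:
            self.parent[b] = a
            self.worklist.append(a)   # congruence repair deferred to rebuild

    def rebuild(self):
        # Re-canonicalize the hashcons; nodes that now collide witness a
        # congruence (f(a) = f(b) because a = b), so merge their classes.
        while self.worklist:
            self.worklist.clear()
            new = {}
            for node, cid in self.hashcons.items():
                node, cid = self.canon(node), self.find(cid)
                if node in new and new[node] != cid:
                    self.merge(new[node], cid)
                new[node] = self.find(cid)
            self.hashcons = new

# Congruence example: merging a with b must make f(a) and f(b) equal.
g = EGraph()
a, b = g.add("a"), g.add("b")
fa, fb = g.add("f", a), g.add("f", b)
g.merge(a, b)
g.rebuild()
print(g.find(fa) == g.find(fb))   # True
```

Batching the repair is the point: an equality-saturation iteration performs many merges, and restoring the invariant once per batch is what egg's rebuilding exploits for its speedups.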

Thinniyam, Ramanathan S. 
POPL '21: "Context-Bounded Verification ..."
Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs
Pascal Baumann, Rupak Majumdar, Ramanathan S. Thinniyam, and Georg Zetzsche (MPI-SWS, Germany) We study context-bounded verification of liveness properties of multithreaded, shared-memory programs, where each thread can spawn additional threads. Our main result shows that context-bounded fair termination is decidable for the model; context-bounded means that each spawned thread can be context switched a fixed constant number of times. Our proof is technical, since fair termination requires reasoning about the composition of unboundedly many threads, each with unboundedly large stacks. In fact, techniques for related problems, which depend crucially on replacing the pushdown threads with finite-state threads, are not applicable. Instead, we introduce an extension of vector addition systems with states (VASS), called VASS with balloons (VASSB), as an intermediate model; it is an infinite-state model of independent interest. A VASSB allows tokens that are themselves markings (balloons). We show that context-bounded fair termination reduces to fair termination for VASSB. We show the latter problem is decidable by showing a series of reductions: from fair termination to configuration reachability for VASSB and thence to the reachability problem for VASS. For a lower bound, fair termination is known to be non-elementary already in the special case where threads run to completion (no context switches). We also show that the simpler problem of context-bounded termination is 2EXPSPACE-complete, matching the complexity bound (and indeed the techniques) for safety verification. Additionally, we show the related problem of fair starvation, which checks if some thread can be starved along a fair run, is also decidable in the context-bounded case. The decidability employs an intricate reduction from fair starvation to fair termination. Like fair termination, this problem is also non-elementary. @Article{POPL21p44, author = {Pascal Baumann and Rupak Majumdar and Ramanathan S. Thinniyam and Georg Zetzsche}, title = {Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {44}, numpages = {31}, doi = {10.1145/3434325}, year = {2021}, } Publisher's Version 

Timany, Amin 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Sander Huyghebaert, Dominique Devriese, and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously-proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional POPL '21: "Distributed Causal Memory: ..." 
Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic Léon Gondelman, Simon Oddershede Gregersen, Abel Nieto, Amin Timany, and Lars Birkedal (Aarhus University, Denmark) We present the first specification and verification of an implementation of a causally-consistent distributed database that supports modular verification of full functional correctness properties of clients and servers. We specify and reason about the causally-consistent distributed database in Aneris, a higher-order distributed separation logic for an ML-like programming language with network primitives for programming distributed systems. We demonstrate that our specifications are useful, by proving the correctness of small, but tricky, synthetic examples involving causal dependency and by verifying a session manager library implemented on top of the distributed database. We use Aneris's facilities for modular specification and verification to obtain a highly modular development, where each component is verified in isolation, relying only on the specifications (not the implementations) of other components. We have used the Coq formalization of the Aneris logic to formalize all the results presented in the paper in the Coq proof assistant. @Article{POPL21p42, author = {Léon Gondelman and Simon Oddershede Gregersen and Abel Nieto and Amin Timany and Lars Birkedal}, title = {Distributed Causal Memory: Modular Specification and Verification in Higher-Order Distributed Separation Logic}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {42}, numpages = {29}, doi = {10.1145/3434323}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional POPL '21: "Mechanized Logical Relations ..." 
Mechanized Logical Relations for Termination-Insensitive Noninterference Simon Oddershede Gregersen, Johan Bay, Amin Timany, and Lars Birkedal (Aarhus University, Denmark) We present an expressive information-flow control type system with recursive types, existential types, label polymorphism, and impredicative type polymorphism for a higher-order programming language with higher-order state. We give a novel semantic model of this type system and show that well-typed programs satisfy termination-insensitive noninterference. Our semantic approach supports compositional integration of syntactically well-typed and syntactically ill-typed (but semantically sound) components, which we demonstrate through several interesting examples. We define our model using logical relations on top of the Iris program logic framework; to capture termination-insensitivity, we develop a novel language-agnostic theory of Modal Weakest Preconditions. We formalize all of our theory and examples in the Coq proof assistant. @Article{POPL21p10, author = {Simon Oddershede Gregersen and Johan Bay and Amin Timany and Lars Birkedal}, title = {Mechanized Logical Relations for Termination-Insensitive Noninterference}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {10}, numpages = {29}, doi = {10.1145/3434291}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional POPL '21: "Fully Abstract from Static ..." Fully Abstract from Static to Gradual Koen Jacobs, Amin Timany, and Dominique Devriese (KU Leuven, Belgium; Aarhus University, Denmark; Vrije Universiteit Brussel, Belgium) What is a good gradual language? Siek et al. have previously proposed the refined criteria, a set of formal ideas that characterize a range of guarantees typically expected from a gradual language. 
While these go a long way, they are mostly focused on syntactic and type safety properties and fail to characterize how richer semantic properties and reasoning principles that hold in the static language, like noninterference or parametricity for instance, should be upheld in the gradualization. In this paper, we investigate and argue for a new criterion previously hinted at by Devriese et al.: the embedding from the static to the gradual language should be fully abstract. Rather than preserving an arbitrarily chosen interpretation of source language types, this criterion requires that all source language equivalences are preserved. We demonstrate that the criterion weeds out erroneous gradualizations that nevertheless satisfy the refined criteria. At the same time, we demonstrate that the criterion is realistic by reporting on a mechanized proof that the property holds for a standard example: GTLC_{µ}, the natural gradualization of STLC_{µ}, the simply typed lambda-calculus with equirecursive types. We argue thus that the criterion is useful for understanding, evaluating, and guiding the design of gradual languages, particularly those which are intended to preserve source language guarantees in a rich way. @Article{POPL21p7, author = {Koen Jacobs and Amin Timany and Dominique Devriese}, title = {Fully Abstract from Static to Gradual}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {7}, numpages = {30}, doi = {10.1145/3434288}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Tobin-Hochstadt, Sam 
POPL '21: "Corpse Reviver: Sound and ..."
Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification
Cameron Moy, Phúc C. Nguyễn, Sam Tobin-Hochstadt, and David Van Horn (Northeastern University, USA; University of Maryland, USA; Indiana University, USA) Gradually typed programming languages permit the incremental addition of static types to untyped programs. To remain sound, languages insert runtime checks at the boundaries between typed and untyped code. Unfortunately, performance studies have shown that the overhead of these checks can be disastrously high, calling into question the viability of sound gradual typing. In this paper, we show that by building on existing work on soft contract verification, we can reduce or eliminate this overhead. Our key insight is that while untyped code cannot be trusted by a gradual type system, there is no need to consider only the worst case when optimizing a gradually typed program. Instead, we statically analyze the untyped portions of a gradually typed program to prove that almost all of the dynamic checks implied by gradual type boundaries cannot fail, and can be eliminated at compile time. Our analysis is modular, and can be applied to any portion of a program. We evaluate this approach on a dozen existing gradually typed programs previously shown to have prohibitive performance overhead—with a median overhead of 2.5× and up to 80.6× in the worst case—and eliminate all overhead in most cases, suffering only 1.5× overhead in the worst case. @Article{POPL21p53, author = {Cameron Moy and Phúc C. Nguyễn and Sam Tobin-Hochstadt and David Van Horn}, title = {Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {53}, numpages = {28}, doi = {10.1145/3434334}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Trieu, Alix 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges , Armaël Guéneau , Thomas Van Strydonck, Amin Timany , Alix Trieu , Sander Huyghebaert , Dominique Devriese , and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional

Tullsen, Dean 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen , Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala , Dean Tullsen , and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets or as being stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
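Blade's transient/stable discipline can be illustrated with a toy expression language: loads are transient sources, memory-index positions are sinks, and `protect` turns a transient value stable. This is a hypothetical miniature, not the paper's type system — the tuple AST and the `harden` pass are invented for illustration.

```python
# Toy sketch of the transient/stable idea behind Blade: find sink
# positions (memory indices) fed by unprotected loads and wrap them
# in protect. AST nodes are plain tuples; purely illustrative.

def is_transient(expr):
    """An expression is transient if it contains an unprotected load."""
    kind = expr[0]
    if kind == "load":                # source: may hold a speculative secret
        return True
    if kind == "protect":             # protect makes its argument stable
        return False
    if kind in ("const", "var"):
        return False
    # binary operators propagate transience from either operand
    return is_transient(expr[1]) or is_transient(expr[2])

def harden(expr):
    """Insert protect around a transient expression used as a sink."""
    kind = expr[0]
    if kind == "store":               # store(index, value): index is a sink
        index, value = expr[1], expr[2]
        if is_transient(index):
            index = ("protect", index)
        return ("store", index, value)
    return expr

prog = ("store", ("add", ("load", "i"), ("const", 1)), ("const", 0))
hardened = harden(prog)
assert hardened == ("store",
                    ("protect", ("add", ("load", "i"), ("const", 1))),
                    ("const", 0))
```

A real implementation places a *minimal* set of protects by solving a min-cut over the dataflow graph, rather than wrapping every transient sink as this sketch does.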

Vafeiadis, Viktor 
POPL '21: "PerSeVerE: Persistency Semantics ..."
PerSeVerE: Persistency Semantics for Verification under Ext4
Michalis Kokologiannakis , Ilya Kaysin, Azalea Raad, and Viktor Vafeiadis (MPI-SWS, Germany; National Research University Higher School of Economics, Russia; JetBrains Research, Russia; Imperial College London, UK) Although ubiquitous, modern filesystems have rather complex behaviours that are hardly understood by programmers and lead to severe software bugs such as data corruption. As a first step to ensure correctness of software performing file I/O, we formalize the semantics of the Linux ext4 filesystem, which we integrate with the weak memory consistency semantics of C/C++. We further develop an effective model checking approach for verifying programs that use the filesystem. In doing so, we discover and report bugs in commonly used text editors such as vim, emacs, and nano. @Article{POPL21p43, author = {Michalis Kokologiannakis and Ilya Kaysin and Azalea Raad and Viktor Vafeiadis}, title = {PerSeVerE: Persistency Semantics for Verification under Ext4}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {43}, numpages = {29}, doi = {10.1145/3434324}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional
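The editor bugs this line of work targets typically stem from saving a file without the full durability protocol. The standard atomic-save discipline on POSIX/ext4 — write a temporary file, fsync it, rename over the original, fsync the directory — is sketched below. This is common practice illustrating the problem domain, not the paper's formal model.

```python
# Classic crash-safe "atomic save" pattern for ext4: the data must be
# on disk before the rename, and the rename must be persisted via a
# directory fsync, or a crash can lose or corrupt the file.
import os
import tempfile

def atomic_save(path, data: bytes):
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, data)
        os.fsync(fd)                  # data reaches disk before the rename
    finally:
        os.close(fd)
    os.rename(tmp, path)              # atomic replacement on POSIX
    dfd = os.open(os.path.dirname(path) or ".", os.O_RDONLY)
    try:
        os.fsync(dfd)                 # persist the new directory entry
    finally:
        os.close(dfd)

d = tempfile.mkdtemp()
p = os.path.join(d, "note.txt")
atomic_save(p, b"hello")
with open(p, "rb") as f:
    assert f.read() == b"hello"
```

Omitting either fsync yields exactly the kind of subtle, crash-only misbehaviour that a persistency-aware model checker can surface automatically.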

Van Horn, David 
POPL '21: "Corpse Reviver: Sound and ..."
Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification
Cameron Moy , Phúc C. Nguyễn, Sam Tobin-Hochstadt , and David Van Horn (Northeastern University, USA; University of Maryland, USA; Indiana University, USA) Gradually typed programming languages permit the incremental addition of static types to untyped programs. To remain sound, languages insert runtime checks at the boundaries between typed and untyped code. Unfortunately, performance studies have shown that the overhead of these checks can be disastrously high, calling into question the viability of sound gradual typing. In this paper, we show that by building on existing work on soft contract verification, we can reduce or eliminate this overhead. Our key insight is that while untyped code cannot be trusted by a gradual type system, there is no need to consider only the worst case when optimizing a gradually typed program. Instead, we statically analyze the untyped portions of a gradually typed program to prove that almost all of the dynamic checks implied by gradual type boundaries cannot fail, and can be eliminated at compile time. Our analysis is modular, and can be applied to any portion of a program. We evaluate this approach on a dozen existing gradually typed programs previously shown to have prohibitive performance overhead—with a median overhead of 2.5× and up to 80.6× in the worst case—and eliminate all overhead in most cases, suffering only 1.5× overhead in the worst case. @Article{POPL21p53, author = {Cameron Moy and Phúc C. Nguyễn and Sam Tobin-Hochstadt and David Van Horn}, title = {Corpse Reviver: Sound and Efficient Gradual Typing via Contract Verification}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {53}, numpages = {28}, doi = {10.1145/3434334}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Vanoni, Gabriele 
POPL '21: "The (In)Efficiency of Interaction ..."
The (In)Efficiency of Interaction
Beniamino Accattoli , Ugo Dal Lago , and Gabriele Vanoni (Inria, France; École Polytechnique, France; University of Bologna, Italy) Evaluating higher-order functional programs through abstract machines inspired by the geometry of interaction is known to induce space efficiencies, the price being time performances often poorer than those obtainable with traditional, environment-based abstract machines. Although families of lambda-terms for which the former is exponentially less efficient than the latter do exist, it is currently unknown how general this phenomenon is, and how far the inefficiencies can go in the worst case. We answer these questions by formulating four different well-known abstract machines inside a common definitional framework, thereby obtaining sharp results about their relative time efficiencies. We also prove that non-idempotent intersection type theories are able to precisely reflect the time performances of the interactive abstract machine, thereby showing that its time inefficiency ultimately descends from the presence of higher-order types. @Article{POPL21p51, author = {Beniamino Accattoli and Ugo Dal Lago and Gabriele Vanoni}, title = {The (In)Efficiency of Interaction}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {51}, numpages = {33}, doi = {10.1145/3434332}, year = {2021}, } Publisher's Version

Van Strydonck, Thomas 
POPL '21: "Efficient and Provable Local ..."
Efficient and Provable Local Capability Revocation using Uninitialized Capabilities
Aïna Linn Georges , Armaël Guéneau , Thomas Van Strydonck, Amin Timany , Alix Trieu , Sander Huyghebaert , Dominique Devriese , and Lars Birkedal (Aarhus University, Denmark; KU Leuven, Belgium; Vrije Universiteit Brussel, Belgium) Capability machines are a special form of CPUs that offer fine-grained privilege separation using a form of authority-carrying values known as capabilities. The CHERI capability machine offers local capabilities, which could be used as a cheap but restricted form of capability revocation. Unfortunately, local capability revocation is unrealistic in practice because large amounts of stack memory need to be cleared as a security precaution. In this paper, we address this shortcoming by introducing uninitialized capabilities: a new form of capabilities that represent read/write authority to a block of memory without exposing the memory’s initial contents. We provide a mechanically verified program logic for reasoning about programs on a capability machine with the new feature and we formalize and prove capability safety in the form of a universal contract for untrusted code. We use uninitialized capabilities for making a previously proposed secure calling convention efficient and prove its security using the program logic. Finally, we report on a proof-of-concept implementation of uninitialized capabilities on the CHERI capability machine. @Article{POPL21p6, author = {Aïna Linn Georges and Armaël Guéneau and Thomas Van Strydonck and Amin Timany and Alix Trieu and Sander Huyghebaert and Dominique Devriese and Lars Birkedal}, title = {Efficient and Provable Local Capability Revocation using Uninitialized Capabilities}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {6}, numpages = {30}, doi = {10.1145/3434287}, year = {2021}, } Publisher's Version Artifacts Functional

Vassena, Marco 
POPL '21: "Automatically Eliminating ..."
Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade
Marco Vassena, Craig Disselkoen , Klaus von Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala , Dean Tullsen , and Deian Stefan (CISPA, Germany; University of California at San Diego, USA; Vrije Universiteit Amsterdam, Netherlands) We introduce Blade, a new approach to automatically and efficiently eliminate speculative leaks from cryptographic code. Blade is built on the insight that to stop leaks via speculative execution, it suffices to cut the dataflow from expressions that speculatively introduce secrets (sources) to those that leak them through the cache (sinks), rather than prohibit speculation altogether. We formalize this insight in a static type system that (1) types each expression as either transient, i.e., possibly containing speculative secrets or as being stable, and (2) prohibits speculative leaks by requiring that all sink expressions are stable. Blade relies on a new abstract primitive, protect, to halt speculation at fine granularity. We formalize and implement protect using existing architectural mechanisms, and show how Blade’s type system can automatically synthesize a minimal number of protects to provably eliminate speculative leaks. We implement Blade in the Cranelift WebAssembly compiler and evaluate our approach by repairing several verified, yet vulnerable WebAssembly implementations of cryptographic primitives. We find that Blade can fix existing programs that leak via speculation automatically, without user intervention, and efficiently even when using fences to implement protect. @Article{POPL21p49, author = {Marco Vassena and Craig Disselkoen and Klaus von Gleissenthall and Sunjay Cauligi and Rami Gökhan Kıcı and Ranjit Jhala and Dean Tullsen and Deian Stefan}, title = {Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {49}, numpages = {30}, doi = {10.1145/3434330}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Visser, Eelco 
POPL '21: "Intrinsically Typed Compilation ..."
Intrinsically Typed Compilation with Nameless Labels
Arjen Rouvoet , Robbert Krebbers , and Eelco Visser (Delft University of Technology, Netherlands; Radboud University Nijmegen, Netherlands) To avoid compilation errors it is desirable to verify that a compiler is type correct—i.e., given well-typed source code, it always outputs well-typed target code. This can be done intrinsically by implementing it as a function in a dependently typed programming language, such as Agda. This function manipulates data types of well-typed source and target programs, and is therefore type correct by construction. A key challenge in implementing an intrinsically typed compiler is the representation of labels in bytecode. Because label names are global, bytecode typing appears to be inherently a non-compositional, whole-program property. The individual operations of the compiler do not preserve this property, forcing the programmer to reason about labels and spoiling the compiler definition with proof terms. In this paper, we address this problem using a new nameless and co-contextual representation of typed global label binding, which is compositional. Our key idea is to use linearity to ensure that all labels are defined exactly once. To write concise compilers that manipulate programs in our representation, we develop a linear, dependently typed, shallowly embedded language in Agda, based on separation logic. We show that this language enables the concise specification and implementation of intrinsically typed operations on bytecode, culminating in an intrinsically typed compiler for a language with structured control flow. @Article{POPL21p22, author = {Arjen Rouvoet and Robbert Krebbers and Eelco Visser}, title = {Intrinsically Typed Compilation with Nameless Labels}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {22}, numpages = {28}, doi = {10.1145/3434303}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Viswanathan, Mahesh 
POPL '21: "Deciding Accuracy of Differential ..."
Deciding Accuracy of Differential Privacy Schemes
Gilles Barthe , Rohit Chadha, Paul Krogmeier , A. Prasad Sistla, and Mahesh Viswanathan (MPI-SP, Germany; University of Missouri, USA; University of Illinois at Urbana-Champaign, USA; University of Illinois at Chicago, USA) Differential privacy is a mathematical framework for developing statistical computations with provable guarantees of privacy and accuracy. In contrast to the privacy component of differential privacy, which has a clear mathematical and intuitive meaning, the accuracy component of differential privacy does not have a generally accepted definition; accuracy claims of differential privacy algorithms vary from algorithm to algorithm and are not instantiations of a general definition. We identify program discontinuity as a common theme in existing ad hoc definitions and introduce an alternative notion of accuracy parametrized by what we call the discontinuity of an input x w.r.t. a deterministic computation f and a distance d: the minimal distance d(x,y) over all y such that f(y) ≠ f(x). We show that our notion of accuracy subsumes the definition used in theoretical computer science, and captures known accuracy claims for differential privacy algorithms. In fact, our general notion of accuracy helps us prove better claims in some cases. Next, we study the decidability of accuracy. We first show that accuracy is in general undecidable. Then, we define a nontrivial class of probabilistic computations for which accuracy is decidable (unconditionally, or assuming Schanuel’s conjecture). We implement our decision procedure and experimentally evaluate the effectiveness of our approach for generating proofs or counterexamples of accuracy for common algorithms from the literature. @Article{POPL21p8, author = {Gilles Barthe and Rohit Chadha and Paul Krogmeier and A. Prasad Sistla and Mahesh Viswanathan}, title = {Deciding Accuracy of Differential Privacy Schemes}, journal = {Proc. ACM Program. 
Lang.}, volume = {5}, number = {POPL}, articleno = {8}, numpages = {30}, doi = {10.1145/3434289}, year = {2021}, } Publisher's Version Artifacts Functional POPL '21: "Optimal Prediction of Synchronization-Preserving ..." Optimal Prediction of Synchronization-Preserving Races Umang Mathur , Andreas Pavlogiannis , and Mahesh Viswanathan (University of Illinois at Urbana-Champaign, USA; Aarhus University, Denmark) Concurrent programs are notoriously hard to write correctly, as scheduling nondeterminism introduces subtle errors that are both hard to detect and to reproduce. The most common concurrency errors are (data) races, which occur when memory-conflicting actions are executed concurrently. Consequently, considerable effort has been made towards developing efficient techniques for race detection. The most common approach is dynamic race prediction: given an observed, race-free trace σ of a concurrent program, the task is to decide whether events of σ can be correctly reordered to a trace σ^{*} that witnesses a race hidden in σ. In this work we introduce the notion of sync(hronization)-preserving races. A sync-preserving race occurs in σ when there is a witness σ^{*} in which synchronization operations (e.g., acquisition and release of locks) appear in the same order as in σ. This is a broad definition that strictly subsumes the famous notion of happens-before races. Our main results are as follows. First, we develop a sound and complete algorithm for predicting sync-preserving races. For moderate values of parameters like the number of threads, the algorithm runs in Õ(N) time and space, where N is the length of the trace σ. Second, we show that the problem has a Ω(N/log^{2} N) space lower bound, and thus our algorithm is essentially time and space optimal. Third, we show that predicting races with even just a single reversal of two sync operations is NP-complete and even W[1]-hard when parameterized by the number of threads. 
Thus, sync-preservation characterizes exactly the tractability boundary of race prediction, and our algorithm is nearly optimal for the tractable side. Our experiments show that our algorithm is fast in practice, while sync-preservation characterizes races often missed by state-of-the-art methods. @Article{POPL21p36, author = {Umang Mathur and Andreas Pavlogiannis and Mahesh Viswanathan}, title = {Optimal Prediction of Synchronization-Preserving Races}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {36}, numpages = {29}, doi = {10.1145/3434317}, year = {2021}, } Publisher's Version Artifacts Functional
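The discontinuity measure from the first abstract above has a direct brute-force reading: the value at x is the minimal distance to any input where f changes its answer. A small illustration, with f a threshold query and d the absolute difference over a finite domain (the function, distance, and domain are illustrative choices, not the paper's examples):

```python
# Brute-force discontinuity: min d(x, y) over all y with f(y) != f(x).
# A step function is "most discontinuous" right at its threshold.

def disc(f, d, x, domain):
    return min(d(x, y) for y in domain if f(y) != f(x))

f = lambda v: v >= 10          # a threshold query, discontinuous at 10
d = lambda a, b: abs(a - b)
domain = range(0, 21)

assert disc(f, d, 7, domain) == 3    # nearest answer flip is at y = 10
assert disc(f, d, 10, domain) == 1   # y = 9 already flips the answer
```

The intuition this captures matches the abstract: accuracy guarantees are easiest to state for inputs far from any discontinuity, and the measure grows with that distance.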

Vitek, Jan 
POPL '21: "Formally Verified Speculation ..."
Formally Verified Speculation and Deoptimization in a JIT Compiler
Aurèle Barrière , Sandrine Blazy , Olivier Flückiger , David Pichardie , and Jan Vitek (University of Rennes, France; Inria, France; CNRS, France; IRISA, France; Northeastern University, USA; Czech Technical University, Czechia) Just-in-time compilers for dynamic languages routinely generate code under assumptions that may be invalidated at runtime; this allows for specialization of program code to the common case in order to avoid unnecessary overheads due to uncommon cases. This form of software speculation requires support for deoptimization when some of the assumptions fail to hold. This paper presents a model just-in-time compiler with an intermediate representation that makes explicit the synchronization points used for deoptimization and the assumptions made by the compiler's speculation. We also present several common compiler optimizations that can leverage speculation to generate improved code. The optimizations are proved correct with the help of a proof assistant. While our work stops short of proving native code generation, we demonstrate how one could use the verified optimizations to obtain significant speed-ups in an end-to-end setting. @Article{POPL21p46, author = {Aurèle Barrière and Sandrine Blazy and Olivier Flückiger and David Pichardie and Jan Vitek}, title = {Formally Verified Speculation and Deoptimization in a JIT Compiler}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {46}, numpages = {26}, doi = {10.1145/3434327}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional
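The speculation-plus-deoptimization pattern the abstract describes can be rendered as a toy: a specialized fast path guarded by its assumption, with a fall-back to the generic code when the guard fails. This is an illustrative Python model of the general JIT idea, not the paper's IR; `make_speculative` and its parameters are invented names.

```python
# Toy speculation with a deoptimization guard: the fast path assumes
# the argument is an int; when the assumption is invalidated, control
# transfers back to the generic implementation.

def generic_add1(x):
    return x + 1                       # works for any x supporting + 1

def make_speculative(assumption, fast, deopt):
    def specialized(x):
        if not assumption(x):          # guard: the deoptimization point
            return deopt(x)            # bail out to generic code
        return fast(x)
    return specialized

fast_add1 = make_speculative(
    assumption=lambda x: type(x) is int,
    fast=lambda x: x + 1,              # specialized int-only path
    deopt=generic_add1,
)

assert fast_add1(41) == 42             # assumption holds: fast path
assert fast_add1(1.5) == 2.5           # guard fails: deopt path
```

Making such guard points explicit in an intermediate representation is what lets optimizations around them be stated, and proved, precisely.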

Wang, Yisu Remy 
POPL '21: "egg: Fast and Extensible Equality ..."
egg: Fast and Extensible Equality Saturation
Max Willsey , Chandrakana Nandi , Yisu Remy Wang , Oliver Flatt, Zachary Tatlock , and Pavel Panchekha (University of Washington, USA; University of Utah, USA) An e-graph efficiently represents a congruence relation over many expressions. Although e-graphs were originally developed in the late 1970s for use in automated theorem provers, a more recent technique known as equality saturation repurposes them to implement state-of-the-art, rewrite-driven compiler optimizations and program synthesizers. However, e-graphs remain unspecialized for this newer use case. Equality saturation workloads exhibit distinct characteristics and often require ad hoc e-graph extensions to incorporate transformations beyond purely syntactic rewrites. This work contributes two techniques that make e-graphs fast and extensible, specializing them to equality saturation. A new amortized invariant restoration technique called rebuilding takes advantage of equality saturation's distinct workload, providing asymptotic speedups over current techniques in practice. A general mechanism called e-class analyses integrates domain-specific analyses into the e-graph, reducing the need for ad hoc manipulation. We implemented these techniques in a new open-source library called egg. Our case studies on three previously published applications of equality saturation highlight how egg's performance and flexibility enable state-of-the-art results across diverse domains. @Article{POPL21p23, author = {Max Willsey and Chandrakana Nandi and Yisu Remy Wang and Oliver Flatt and Zachary Tatlock and Pavel Panchekha}, title = {egg: Fast and Extensible Equality Saturation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {23}, numpages = {29}, doi = {10.1145/3434304}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional
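The deferred "rebuilding" idea can be sketched with a minimal e-graph: `union` only merges e-classes, and a later `rebuild` pass restores the congruence invariant (equal children imply equal parents) by re-canonicalizing the hashcons to a fixpoint. This is toy code in the spirit of the paper, not egg's actual data structures or API.

```python
# Minimal e-graph with deferred congruence repair ("rebuilding").

class EGraph:
    def __init__(self):
        self.parent = {}          # union-find over e-class ids
        self.table = {}           # canonical node -> e-class id
        self.nodes = []           # (op, child ids, owning e-class id)

    def find(self, a):
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def add(self, op, *children):
        node = (op, tuple(self.find(c) for c in children))
        if node in self.table:
            return self.find(self.table[node])
        cid = len(self.parent)
        self.parent[cid] = cid
        self.table[node] = cid
        self.nodes.append((op, node[1], cid))
        return cid

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)   # defer congruence repair

    def rebuild(self):
        changed = True
        while changed:            # iterate until the invariant holds
            changed = False
            self.table = {}
            for op, kids, cid in self.nodes:
                node = (op, tuple(self.find(k) for k in kids))
                if node in self.table:
                    other = self.table[node]
                    if self.find(other) != self.find(cid):
                        self.union(other, cid)     # congruent: merge owners
                        changed = True
                else:
                    self.table[node] = cid

g = EGraph()
a, b = g.add("a"), g.add("b")
fa, fb = g.add("f", a), g.add("f", b)
g.union(a, b)                     # assert a = b ...
g.rebuild()                       # ... so congruence forces f(a) = f(b)
assert g.find(fa) == g.find(fb)
```

The payoff the paper measures comes from doing many unions first and amortizing one rebuild over all of them, instead of repairing congruence eagerly after every merge.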

Weirich, Stephanie 
POPL '21: "A Graded Dependent Type System ..."
A Graded Dependent Type System with a Usage-Aware Semantics
Pritam Choudhury , Harley Eades III, Richard A. Eisenberg , and Stephanie Weirich (University of Pennsylvania, USA; Augusta University, USA; Tweag I/O, France; Bryn Mawr College, USA) Graded Type Theory provides a mechanism to track and reason about resource usage in type systems. In this paper, we develop GraD, a novel version of such a graded dependent type system that includes functions, tensor products, additive sums, and a unit type. Since standard operational semantics is resource-agnostic, we develop a heap-based operational semantics and prove a soundness theorem that shows correct accounting of resource usage. Several useful properties, including the standard type soundness theorem, noninterference of irrelevant resources in computation, and the single pointer property for linear resources, can be derived from this theorem. We hope that our work will provide a base for integrating linearity, irrelevance, and dependent types in practical programming languages like Haskell. @Article{POPL21p50, author = {Pritam Choudhury and Harley Eades III and Richard A. Eisenberg and Stephanie Weirich}, title = {A Graded Dependent Type System with a Usage-Aware Semantics}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {50}, numpages = {32}, doi = {10.1145/3434331}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional

Westrick, Sam 
POPL '21: "Provably Space-Efficient Parallel ..."
Provably Space-Efficient Parallel Functional Programming
Jatin Arora , Sam Westrick , and Umut A. Acar (Carnegie Mellon University, USA) Because of its many desirable properties, such as its ability to control effects and thus potentially disastrous race conditions, functional programming offers a viable approach to programming modern multicore computers. Over the past decade several parallel functional languages, typically based on dialects of ML and Haskell, have been developed. These languages, however, have traditionally underperformed procedural languages (such as C and Java). The primary reason for this is their hunger for memory, which only grows with parallelism, causing traditional memory management techniques to buckle under increased demand for memory. Recent work opened a new angle of attack on this problem by identifying a memory property of determinacy-race-free parallel programs, called disentanglement, which limits the knowledge of concurrent computations about each other’s memory allocations. That work showed some promise in delivering good time scalability. In this paper, we present provably space-efficient automatic memory management techniques for determinacy-race-free functional parallel programs, allowing both pure and imperative programs where memory may be destructively updated. We prove that for a program with sequential live memory of R^{*}, any P-processor garbage-collected parallel run requires at most O(R^{*} · P) memory. We also prove a work bound of O(W + R^{*}P) for P-processor executions, accounting also for the cost of garbage collection. To achieve these results, we integrate thread scheduling with memory management. The idea is to coordinate memory allocation and garbage collection with thread scheduling decisions so that each processor can allocate memory without synchronization and independently collect a portion of memory by consulting a collection policy, which we formulate. The collection policy is fully distributed and does not require communicating with other processors. 
We show that the approach is practical by implementing it as an extension to the MPL compiler for Parallel ML. Our experimental results confirm our theoretical bounds and show that the techniques perform and scale well. @Article{POPL21p18, author = {Jatin Arora and Sam Westrick and Umut A. Acar}, title = {Provably Space-Efficient Parallel Functional Programming}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {18}, numpages = {33}, doi = {10.1145/3434299}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional

Wies, Thomas 
POPL '21: "Data Flow Refinement Type ..."
Data Flow Refinement Type Inference
Zvonimir Pavlinovic, Yusen Su, and Thomas Wies (New York University, USA; Google, USA; University of Waterloo, Canada) Refinement types enable lightweight verification of functional programs. Algorithms for statically inferring refinement types typically work by reduction to solving systems of constrained Horn clauses extracted from typing derivations. An example is Liquid type inference, which solves the extracted constraints using predicate abstraction. However, the reduction to constraint solving in itself already signifies an abstraction of the program semantics that affects the precision of the overall static analysis. To better understand this issue, we study the type inference problem in its entirety through the lens of abstract interpretation. We propose a new refinement type system that is parametric with the choice of the abstract domain of type refinements as well as the degree to which it tracks context-sensitive control flow information. We then derive an accompanying parametric inference algorithm as an abstract interpretation of a novel data flow semantics of functional programs. We further show that the type system is sound and complete with respect to the constructed abstract semantics. Our theoretical development reveals the key abstraction steps inherent in refinement type inference algorithms. The tradeoff between precision and efficiency of these abstraction steps is controlled by the parameters of the type system. Existing refinement type systems and their respective inference algorithms, such as Liquid types, are captured by concrete parameter instantiations. We have implemented our framework in a prototype tool and evaluated it for a range of new parameter instantiations (e.g., using octagons and polyhedra for expressing type refinements). The tool compares favorably against other existing tools. 
Our evaluation indicates that our approach can be used to systematically construct new refinement type inference algorithms that are both robust and precise. @Article{POPL21p19, author = {Zvonimir Pavlinovic and Yusen Su and Thomas Wies}, title = {Data Flow Refinement Type Inference}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {19}, numpages = {31}, doi = {10.1145/3434300}, year = {2021}, } Publisher's Version 
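A microscopic instance of the abstract-interpretation view: run a function over an interval domain and read off a refinement-style postcondition. The interval class and the example function below are illustrative, vastly simpler than the paper's parametric data flow semantics, and they also show why domain choice matters for precision.

```python
# Inferring a refinement {v : lo <= v <= hi} by abstract interpretation
# over the classic interval domain.

class Interval:
    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
    def __add__(self, other):
        return Interval(self.lo + other.lo, self.hi + other.hi)
    def __mul__(self, other):
        prods = [a * b for a in (self.lo, self.hi)
                       for b in (other.lo, other.hi)]
        return Interval(min(prods), max(prods))
    def __repr__(self):
        return f"[{self.lo}, {self.hi}]"

def square_plus_one(x):
    # runs uniformly on concrete ints and abstract Intervals
    one = Interval(1, 1) if isinstance(x, Interval) else 1
    return x * x + one

post = square_plus_one(Interval(-3, 2))
assert (post.lo, post.hi) == (-5, 10)   # inferred: {v : -5 <= v <= 10}
assert square_plus_one(3) == 10         # concrete run stays inside it
```

The inferred interval [-5, 10] is sound but strictly weaker than the true range [1, 10], because intervals cannot see that `x * x` multiplies a value by itself. Richer domains (the octagons and polyhedra mentioned above) trade efficiency for exactly this kind of precision.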

Wilcox, James R. 
POPL '21: "Learning the Boundary of Inductive ..."
Learning the Boundary of Inductive Invariants
Yotam M. Y. Feldman, Mooly Sagiv, Sharon Shoham , and James R. Wilcox (Tel Aviv University, Israel; Certora, USA) We study the complexity of invariant inference and its connections to exact concept learning. We define a condition on invariants and their geometry, called the fence condition, which permits applying theoretical results from exact concept learning to answer open problems in invariant inference theory. The condition requires the invariant's boundary (the states whose Hamming distance from the invariant is one) to be backwards reachable from the bad states in a small number of steps. Using this condition, we obtain the first polynomial complexity result for an interpolation-based invariant inference algorithm, efficiently inferring monotone DNF invariants with access to a SAT solver as an oracle. We further harness Bshouty's seminal result in concept learning to efficiently infer invariants of a larger syntactic class of invariants beyond monotone DNF. Lastly, we consider the robustness of inference under program transformations. We show that some simple transformations preserve the fence condition, and that it is sensitive to more complex transformations. @Article{POPL21p15, author = {Yotam M. Y. Feldman and Mooly Sagiv and Sharon Shoham and James R. Wilcox}, title = {Learning the Boundary of Inductive Invariants}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {15}, numpages = {30}, doi = {10.1145/3434296}, year = {2021}, } Publisher's Version
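The boundary notion used in the fence condition is concrete enough to compute by brute force on a toy Boolean state space: the states outside the invariant whose Hamming distance to some invariant state is exactly one. The invariant below is an illustrative example, not one from the paper.

```python
# Boundary of an invariant over n-bit states: non-invariant states at
# Hamming distance exactly one from the invariant.
from itertools import product

def hamming(s, t):
    return sum(a != b for a, b in zip(s, t))

def boundary(invariant, n):
    states = list(product((0, 1), repeat=n))
    inv = [s for s in states if invariant(s)]
    return sorted(
        s for s in states
        if not invariant(s) and min(hamming(s, t) for t in inv) == 1
    )

# invariant: "at most one bit set" over 3-bit states
inv = lambda s: sum(s) <= 1
assert boundary(inv, 3) == [(0, 1, 1), (1, 0, 1), (1, 1, 0)]
# (1,1,1) is NOT on the boundary: it sits at distance 2 from the invariant
```

The fence condition then asks that every such boundary state be backwards reachable from the bad states in few steps, which is what makes the learning-theoretic machinery applicable.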

Willsey, Max 
POPL '21: "egg: Fast and Extensible Equality ..."
egg: Fast and Extensible Equality Saturation
Max Willsey , Chandrakana Nandi , Yisu Remy Wang , Oliver Flatt, Zachary Tatlock , and Pavel Panchekha (University of Washington, USA; University of Utah, USA) An e-graph efficiently represents a congruence relation over many expressions. Although e-graphs were originally developed in the late 1970s for use in automated theorem provers, a more recent technique known as equality saturation repurposes them to implement state-of-the-art, rewrite-driven compiler optimizations and program synthesizers. However, e-graphs remain unspecialized for this newer use case. Equality saturation workloads exhibit distinct characteristics and often require ad hoc e-graph extensions to incorporate transformations beyond purely syntactic rewrites. This work contributes two techniques that make e-graphs fast and extensible, specializing them to equality saturation. A new amortized invariant restoration technique called rebuilding takes advantage of equality saturation's distinct workload, providing asymptotic speedups over current techniques in practice. A general mechanism called e-class analyses integrates domain-specific analyses into the e-graph, reducing the need for ad hoc manipulation. We implemented these techniques in a new open-source library called egg. Our case studies on three previously published applications of equality saturation highlight how egg's performance and flexibility enable state-of-the-art results across diverse domains. @Article{POPL21p23, author = {Max Willsey and Chandrakana Nandi and Yisu Remy Wang and Oliver Flatt and Zachary Tatlock and Pavel Panchekha}, title = {egg: Fast and Extensible Equality Saturation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {23}, numpages = {29}, doi = {10.1145/3434304}, year = {2021}, } Publisher's Version Info Artifacts Reusable Artifacts Functional

Winterhalter, Théo 
POPL '21: "The Taming of the Rew: A Type ..."
The Taming of the Rew: A Type Theory with Computational Assumptions
Jesper Cockx, Nicolas Tabareau, and Théo Winterhalter (Delft University of Technology, Netherlands; Inria, France; LS2N, France) Dependently typed programming languages and proof assistants such as Agda and Coq rely on computation to automatically simplify expressions during type checking. To overcome the lack of certain programming primitives or logical principles in those systems, it is common to appeal to axioms to postulate their existence. However, one can only postulate the bare existence of an axiom, not its computational behaviour. Instead, users are forced to postulate equality proofs and appeal to them explicitly to simplify expressions, making axioms dramatically more complicated to work with than built-in primitives. On the other hand, the equality reflection rule from extensional type theory solves these problems by collapsing computation and equality, at the cost of having no practical type checking algorithm. This paper introduces Rewriting Type Theory (RTT), a type theory where it is possible to add computational assumptions in the form of rewrite rules. Rewrite rules go beyond the computational capabilities of intensional type theory, but in contrast to extensional type theory, they are applied automatically so type checking does not require input from the user. To ensure type soundness of RTT—as well as effective type checking—we provide a framework where confluence of user-defined rewrite rules can be checked modularly and automatically, and where adding new rewrite rules is guaranteed to preserve subject reduction. The properties of RTT have been formally verified using the MetaCoq framework and an implementation of rewrite rules is already available in the Agda proof assistant. @Article{POPL21p60, author = {Jesper Cockx and Nicolas Tabareau and Théo Winterhalter}, title = {The Taming of the Rew: A Type Theory with Computational Assumptions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {60}, numpages = {29}, doi = {10.1145/3434341}, year = {2021}, } Publisher's Version Artifacts Functional 

Wolman, Michael 
POPL '21: "Probabilistic Programming ..."
Probabilistic Programming Semantics for Name Generation
Marcin Sabok, Sam Staton, Dario Stein, and Michael Wolman (McGill University, Canada; University of Oxford, UK) We make a formal analogy between random sampling and fresh name generation. We show that quasi-Borel spaces, a model for probabilistic programming, can soundly interpret the ν-calculus, a calculus for name generation. Moreover, we prove that this semantics is fully abstract up to first-order types. This is surprising for an ‘off-the-shelf’ model, and requires a novel analysis of probability distributions on function spaces. Our tools are diverse and include descriptive set theory and normal forms for the ν-calculus. @Article{POPL21p11, author = {Marcin Sabok and Sam Staton and Dario Stein and Michael Wolman}, title = {Probabilistic Programming Semantics for Name Generation}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {11}, numpages = {29}, doi = {10.1145/3434292}, year = {2021}, } Publisher's Version 

Worrell, James 
POPL '21: "Deciding ω-Regular Properties ..."
Deciding ω-Regular Properties on Linear Recurrence Sequences
Shaull Almagor, Toghrul Karimov, Edon Kelmendi, Joël Ouaknine, and James Worrell (Technion, Israel; MPI-SWS, Germany; University of Oxford, UK) We consider the problem of deciding ω-regular properties on infinite traces produced by linear loops. Here we think of a given loop as producing a single infinite trace that encodes information about the signs of program variables at each time step. Formally, our main result is a procedure that inputs a prefix-independent ω-regular property and a sequence of numbers satisfying a linear recurrence, and determines whether the sign description of the sequence (obtained by replacing each positive entry with “+”, each negative entry with “−”, and each zero entry with “0”) satisfies the given property. Our procedure requires that the recurrence be simple, i.e., that the update matrix of the underlying loop be diagonalisable. This assumption is instrumental in proving our key technical lemma: namely, that the sign description of a simple linear recurrence sequence is almost periodic in the sense of Muchnik, Sem'enov, and Ushakov. To complement this lemma, we give an example of a linear recurrence sequence whose sign description fails to be almost periodic. Generalising from sign descriptions, we also consider the verification of properties involving semi-algebraic predicates on program variables. @Article{POPL21p48, author = {Shaull Almagor and Toghrul Karimov and Edon Kelmendi and Joël Ouaknine and James Worrell}, title = {Deciding ω-Regular Properties on Linear Recurrence Sequences}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {48}, numpages = {24}, doi = {10.1145/3434329}, year = {2021}, } Publisher's Version 
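The sign description defined in the abstract can be sketched concretely. The snippet below is illustrative only (the recurrence, parameter names, and starting values are chosen for the example, not taken from the paper): it computes the sign pattern of a second-order recurrence u_{n+2} = a·u_{n+1} + b·u_n, here the simple recurrence u_{n+2} = u_{n+1} − u_n, whose sign description happens to be periodic.

```ocaml
(* Sign description of a linear recurrence sequence: replace each
   positive entry with "+", each negative entry with "-", and each
   zero entry with "0" (as in the abstract above). *)
let sign_description ~a ~b ~u0 ~u1 n =
  let sign u = if u > 0 then "+" else if u < 0 then "-" else "0" in
  let rec go u v k acc =
    if k = 0 then List.rev acc
    else go v ((a * v) + (b * u)) (k - 1) (sign u :: acc)
  in
  go u0 u1 n []

(* For u_{n+2} = u_{n+1} - u_n starting from 0, 1 the sequence is
   0, 1, 1, 0, -1, -1, 0, 1, ... so the sign description is the
   periodic word (0 + + 0 - -)^ω. *)
let () =
  assert (sign_description ~a:1 ~b:(-1) ~u0:0 ~u1:1 7
          = ["0"; "+"; "+"; "0"; "-"; "-"; "0"])
```

The paper's procedure decides whether such a sign word satisfies a given prefix-independent ω-regular property; this sketch only shows what the word itself is.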

Wu, Xiaodi 
POPL '21: "A Verified Optimizer for Quantum ..."
A Verified Optimizer for Quantum Circuits
Kesha Hietala, Robert Rand, Shih-Han Hung, Xiaodi Wu, and Michael Hicks (University of Maryland, USA; University of Chicago, USA) We present VOQC, the first fully verified optimizer for quantum circuits, written using the Coq proof assistant. Quantum circuits are expressed as programs in a simple, low-level language called SQIR, a simple quantum intermediate representation, which is deeply embedded in Coq. Optimizations and other transformations are expressed as Coq functions, which are proved correct with respect to a semantics of SQIR programs. SQIR uses a semantics of matrices of complex numbers, which is the standard for quantum computation, but treats matrices symbolically in order to reason about programs that use an arbitrary number of quantum bits. SQIR's careful design and our provided automation make it possible to write and verify a broad range of optimizations in VOQC, including full-circuit transformations from cutting-edge optimizers. @Article{POPL21p37, author = {Kesha Hietala and Robert Rand and Shih-Han Hung and Xiaodi Wu and Michael Hicks}, title = {A Verified Optimizer for Quantum Circuits}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {37}, numpages = {29}, doi = {10.1145/3434318}, year = {2021}, } Publisher's Version Info Artifacts Functional 

Xu, Amanda 
POPL '21: "Petr4: Formal Foundations ..."
Petr4: Formal Foundations for P4 Data Planes
Ryan Doenges, Mina Tahmasbi Arashloo, Santiago Bautista, Alexander Chang, Newton Ni, Samwise Parkinson, Rudy Peterson, Alaia Solko-Breslin, Amanda Xu, and Nate Foster (Cornell University, USA; ENS Rennes, France) P4 is a domain-specific language for programming and specifying packet-processing systems. It is based on an elegant design with high-level abstractions like parsers and match-action pipelines that can be compiled to efficient implementations in software or hardware. Unfortunately, like many industrial languages, P4 has developed without a formal foundation. The P4 Language Specification is a 160-page document with a mixture of informal prose, graphical diagrams, and pseudocode, leaving many aspects of the language semantics up to individual compilation targets. The P4 reference implementation is a complex system, running to over 40 KLoC of C++ code, with support for only a few targets. Clearly neither of these artifacts is suitable for formal reasoning about P4 in general. This paper presents a new framework, called Petr4, that puts P4 on a solid foundation. Petr4 consists of a clean-slate definitional interpreter and a core calculus that models a fragment of P4. Petr4 is not tied to any particular target: the interpreter is parameterized over an interface that collects features delegated to targets in one place, while the core calculus over-approximates target-specific behaviors using nondeterminism. We have validated the interpreter against a suite of over 750 tests from the P4 reference implementation, exercising our target interface with tests for different targets. We validated the core calculus with a proof of type-preserving termination. While developing Petr4, we reported dozens of bugs in the language specification and the reference implementation, many of which have been fixed. @Article{POPL21p41, author = {Ryan Doenges and Mina Tahmasbi Arashloo and Santiago Bautista and Alexander Chang and Newton Ni and Samwise Parkinson and Rudy Peterson and Alaia Solko-Breslin and Amanda Xu and Nate Foster}, title = {Petr4: Formal Foundations for P4 Data Planes}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {41}, numpages = {32}, doi = {10.1145/3434322}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Yallop, Jeremy 
POPL '21: "A Practical Mode System for ..."
A Practical Mode System for Recursive Definitions
Alban Reynaud, Gabriel Scherer, and Jeremy Yallop (ENS Lyon, France; Inria, France; University of Cambridge, UK) In call-by-value languages, some mutually recursive definitions can be safely evaluated to build recursive functions or cyclic data structures, but some definitions (let rec x = x + 1) contain vicious circles and their evaluation fails at runtime. We propose a new static analysis to check the absence of such runtime failures. We present a set of declarative inference rules, prove its soundness with respect to the reference source-level semantics of Nordlander, Carlsson, and Gill [2008], and show that it can be directed into an algorithmic backwards analysis check in a surprisingly simple way. Our implementation of this new check replaced the existing check used by the OCaml programming language, a fragile syntactic criterion which let several subtle bugs slip through as the language kept evolving. We document some issues that arise when advanced features of a real-world functional language (exceptions in first-class modules, GADTs, etc.) interact with safety checking for recursive definitions. @Article{POPL21p45, author = {Alban Reynaud and Gabriel Scherer and Jeremy Yallop}, title = {A Practical Mode System for Recursive Definitions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {45}, numpages = {29}, doi = {10.1145/3434326}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 
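The distinction the abstract draws can be illustrated with small OCaml definitions (a sketch of the phenomenon, not of the paper's analysis):

```ocaml
(* Safe: the right-hand side is a function, so evaluating the
   definition builds a closure without needing the value of [loop]. *)
let rec loop () = loop ()
let () = ignore loop

(* Safe: a cyclic data structure; the constructor application only
   needs the address of [ones], not its value, so OCaml can tie the
   knot and build an infinite (cyclic) list of 1s. *)
let rec ones = 1 :: ones

(* Vicious: computing [x + 1] needs the value of [x] before the
   definition is complete, so OCaml rejects this statically. *)
(* let rec x = x + 1 *)

let () = assert (List.nth ones 5 = 1)
```

The paper's mode system is the static analysis that separates the first two kinds of definitions from the third.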

Yang, Cambridge 
POPL '21: "Simplifying Dependent Reductions ..."
Simplifying Dependent Reductions in the Polyhedral Model
Cambridge Yang, Eric Atkinson, and Michael Carbin (Massachusetts Institute of Technology, USA) A reduction – an accumulation over a set of values, using an associative and commutative operator – is a common computation in many numerical domains, including scientific computing, machine learning, computer vision, and financial analytics. Contemporary polyhedral-based compilation techniques make it possible to optimize reductions, such as prefix sums, in which each component of the reduction's output potentially shares computation with another component in the reduction. Therefore, an optimizing compiler can identify the computation shared between multiple components and generate code that computes the shared computation only once. These techniques, however, do not support reductions that – when phrased in the language of the polyhedral model – span multiple dependent statements. In such cases, existing approaches can generate incorrect code that violates the data dependences of the original, unoptimized program. In this work, we identify and formalize the optimization of dependent reductions as an integer bilinear program. We present a heuristic optimization algorithm that uses an affine sequential schedule of the program to determine how to simplify reductions yet still preserve the program's dependences. We demonstrate that the algorithm provides optimal complexity for a set of benchmark programs from the literature on probabilistic inference algorithms, whose performance critically relies on simplifying these reductions. The complexities for 10 of the 11 programs improve significantly, by factors at least as large as the sizes of the input data, which are in the range of 10^{4} to 10^{6} for typical real application inputs. We also confirm the significance of the improvement by showing speedups in wall-clock time that range from 1.1x to over 10^{6}x. @Article{POPL21p20, author = {Cambridge Yang and Eric Atkinson and Michael Carbin}, title = {Simplifying Dependent Reductions in the Polyhedral Model}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {20}, numpages = {33}, doi = {10.1145/3434301}, year = {2021}, } Publisher's Version 
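The computation sharing that reduction simplification exploits can be seen in the prefix-sum example the abstract mentions. This is a minimal illustration of the payoff (sharing partial sums), not the paper's polyhedral algorithm:

```ocaml
(* Naive prefix sums: output i recomputes the whole sum a.(0) + ...
   + a.(i) from scratch, so n outputs cost O(n^2) additions. *)
let prefix_naive a =
  Array.mapi
    (fun i _ ->
      let s = ref 0 in
      for j = 0 to i do s := !s + a.(j) done;
      !s)
    a

(* Simplified: each output reuses the previous one, so the shared
   partial sum is computed only once; n outputs cost O(n) additions. *)
let prefix_shared a =
  let out = Array.copy a in
  for i = 1 to Array.length a - 1 do
    out.(i) <- out.(i - 1) + a.(i)
  done;
  out

let () =
  let a = [| 3; 1; 4; 1; 5 |] in
  assert (prefix_naive a = [| 3; 4; 8; 9; 14 |]);
  assert (prefix_naive a = prefix_shared a)
```

The paper's contribution is performing this kind of rewriting automatically, and correctly, even when the reduction spans multiple dependent statements in the polyhedral model.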

Yoshida, Nobuko 
POPL '21: "Precise Subtyping for Asynchronous ..."
Precise Subtyping for Asynchronous Multiparty Sessions
Silvia Ghilezan, Jovanka Pantović, Ivan Prokić, Alceste Scalas, and Nobuko Yoshida (University of Novi Sad, Serbia; DTU, Denmark; Aston University, UK; Imperial College London, UK) Session subtyping is a cornerstone of refinement of communicating processes: a process implementing a session type (i.e., a communication protocol) T can be safely used whenever a process implementing one of its supertypes T′ is expected, in any context, without introducing deadlocks or other communication errors. As a consequence, whenever T ≤ T′ holds, it is safe to replace an implementation of T′ with an implementation of the subtype T, which may allow for more optimised communication patterns. We present the first formalisation of the precise subtyping relation for asynchronous multiparty sessions. We show that our subtyping relation is sound (i.e., guarantees safe process replacement, as outlined above) and also complete: any extension of the relation is unsound. To achieve our results, we develop a novel session decomposition technique, from full session types (including internal/external choices) into single input/output session trees (without choices). Previous work studies precise subtyping for binary sessions (with just two participants), or multiparty sessions (with any number of participants) and synchronous interaction. Here, we cover multiparty sessions with asynchronous interaction, where messages are transmitted via FIFO queues (as in the TCP/IP protocol), and prove that our subtyping is both operationally and denotationally precise. In the asynchronous multiparty setting, finding the precise subtyping relation is a highly complex task: this is because, under some conditions, participants can permute the order of their inputs and outputs, by sending some messages earlier or receiving some later, without causing errors; the precise subtyping relation must capture all such valid permutations, and consequently, its formalisation, reasoning and proofs become challenging. Our session decomposition technique overcomes this complexity, expressing the subtyping relation as a composition of refinement relations between single input/output trees, and providing a simple reasoning principle for asynchronous message optimisations. @Article{POPL21p16, author = {Silvia Ghilezan and Jovanka Pantović and Ivan Prokić and Alceste Scalas and Nobuko Yoshida}, title = {Precise Subtyping for Asynchronous Multiparty Sessions}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {16}, numpages = {28}, doi = {10.1145/3434297}, year = {2021}, } Publisher's Version 

Zdancewic, Steve 
POPL '21: "Dijkstra Monads Forever: Termination-Sensitive ..."
Dijkstra Monads Forever: Termination-Sensitive Specifications for Interaction Trees
Lucas Silver and Steve Zdancewic (University of Pennsylvania, USA) This paper extends the Dijkstra monad framework, designed for writing specifications over effectful programs using monadic effects, to handle termination-sensitive specifications over interactive programs. We achieve this by introducing base specification monads for non-terminating programs with uninterpreted events. We model such programs using interaction trees, a coinductive datatype for representing programs with algebraic effects in Coq, which we further develop by adding trace semantics. We show that this approach subsumes typical, simple proof principles. The framework is implemented as an extension of the Interaction Trees Coq library. @Article{POPL21p26, author = {Lucas Silver and Steve Zdancewic}, title = {Dijkstra Monads Forever: Termination-Sensitive Specifications for Interaction Trees}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {26}, numpages = {28}, doi = {10.1145/3434307}, year = {2021}, } Publisher's Version Artifacts Reusable Artifacts Functional 

Zetzsche, Georg 
POPL '21: "Context-Bounded Verification ..."
Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs
Pascal Baumann, Rupak Majumdar, Ramanathan S. Thinniyam, and Georg Zetzsche (MPI-SWS, Germany) We study context-bounded verification of liveness properties of multithreaded, shared-memory programs, where each thread can spawn additional threads. Our main result shows that context-bounded fair termination is decidable for the model; context-bounded means that each spawned thread can be context switched a fixed constant number of times. Our proof is technical, since fair termination requires reasoning about the composition of unboundedly many threads, each with an unboundedly large stack. In fact, techniques for related problems, which depend crucially on replacing the pushdown threads with finite-state threads, are not applicable. Instead, we introduce an extension of vector addition systems with states (VASS), called VASS with balloons (VASSB), as an intermediate model; it is an infinite-state model of independent interest. A VASSB allows tokens that are themselves markings (balloons). We show that context-bounded fair termination reduces to fair termination for VASSB. We show the latter problem is decidable by showing a series of reductions: from fair termination to configuration reachability for VASSB and thence to the reachability problem for VASS. For a lower bound, fair termination is known to be non-elementary already in the special case where threads run to completion (no context switches). We also show that the simpler problem of context-bounded termination is 2EXPSPACE-complete, matching the complexity bound (and indeed the techniques) for safety verification. Additionally, we show that the related problem of fair starvation, which checks whether some thread can be starved along a fair run, is also decidable in the context-bounded case. The decidability employs an intricate reduction from fair starvation to fair termination. Like fair termination, this problem is also non-elementary. @Article{POPL21p44, author = {Pascal Baumann and Rupak Majumdar and Ramanathan S. Thinniyam and Georg Zetzsche}, title = {Context-Bounded Verification of Liveness Properties for Multithreaded Shared-Memory Programs}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {44}, numpages = {31}, doi = {10.1145/3434325}, year = {2021}, } Publisher's Version 

Zeuner, Max 
POPL '21: "Internalizing Representation ..."
Internalizing Representation Independence with Univalence
Carlo Angiuli, Evan Cavallo, Anders Mörtberg, and Max Zeuner (Carnegie Mellon University, USA; Stockholm University, Sweden) In their usual form, representation independence metatheorems provide an external guarantee that two implementations of an abstract interface are interchangeable when they are related by an operation-preserving correspondence. If our programming language is dependently typed, however, we would like to appeal to such invariance results within the language itself, in order to obtain correctness theorems for complex implementations by transferring them from simpler, related implementations. Recent work in proof assistants has shown that Voevodsky's univalence principle allows transferring theorems between isomorphic types, but many instances of representation independence in programming involve non-isomorphic representations. In this paper, we develop techniques for establishing internal relational representation independence results in dependent type theory, by using higher inductive types to simultaneously quotient two related implementation types by a heterogeneous correspondence between them. The correspondence becomes an isomorphism between the quotiented types, thereby allowing us to obtain an equality of implementations by univalence. We illustrate our techniques by considering applications to matrices, queues, and finite multisets. Our results are all formalized in Cubical Agda, a recent extension of Agda which supports univalence and higher inductive types in a computationally well-behaved way. @Article{POPL21p12, author = {Carlo Angiuli and Evan Cavallo and Anders Mörtberg and Max Zeuner}, title = {Internalizing Representation Independence with Univalence}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {12}, numpages = {30}, doi = {10.1145/3434293}, year = {2021}, } Publisher's Version Artifacts Functional 

Zhang, Qirun 
POPL '21: "On the Complexity of Bidirected ..."
On the Complexity of Bidirected Interleaved Dyck-Reachability
Yuanbo Li, Qirun Zhang, and Thomas Reps (Georgia Institute of Technology, USA; University of Wisconsin-Madison, USA) Many program analyses need to reason about pairs of matching actions, such as call/return, lock/unlock, or set-field/get-field. The family of Dyck languages {D_{k}}, where D_{k} has k kinds of parenthesis pairs, can be used to model matching actions as balanced parentheses. Consequently, many program-analysis problems can be formulated as Dyck-reachability problems on edge-labeled digraphs. Interleaved Dyck-reachability (InterDyck-reachability), denoted by D_{k} ⊙ D_{k}-reachability, is a natural extension of Dyck-reachability that allows one to formulate program-analysis problems that involve multiple kinds of matching-action pairs. Unfortunately, the general InterDyck-reachability problem is undecidable. In this paper, we study variants of InterDyck-reachability on bidirected graphs, where for each edge ⟨p, q⟩ labeled by an open parenthesis “(_{a}”, there is an edge ⟨q, p⟩ labeled by the corresponding close parenthesis “)_{a}”, and vice versa. Language-reachability on a bidirected graph has proven to be useful both (1) in its own right, as a way to formalize many program-analysis problems, such as pointer analysis, and (2) as a relaxation method that uses a fast algorithm to over-approximate language-reachability on a directed graph. However, unlike its directed counterpart, the complexity of bidirected InterDyck-reachability still remains open. We establish the first decidable variant (i.e., D_{1} ⊙ D_{1}-reachability) of bidirected InterDyck-reachability. In D_{1} ⊙ D_{1}-reachability, each of the two Dyck languages is restricted to have only a single kind of parenthesis pair. In particular, we show that the bidirected D_{1} ⊙ D_{1} problem is in PTIME. We also show that when one extends each Dyck language to involve k different kinds of parentheses (i.e., D_{k} ⊙ D_{k}-reachability with k ≥ 2), the problem is NP-hard (and therefore much harder). We have implemented the polynomial-time algorithm for bidirected D_{1} ⊙ D_{1}-reachability. D_{1} ⊙ D_{1}-reachability provides a new over-approximation method for bidirected D_{k} ⊙ D_{k}-reachability, in the sense that D_{k} ⊙ D_{k}-reachability can first be relaxed to bidirected D_{1} ⊙ D_{1}-reachability, and then the resulting bidirected D_{1} ⊙ D_{1}-reachability problem is solved precisely. We compare this D_{1} ⊙ D_{1}-reachability-based approach against another known over-approximating D_{k} ⊙ D_{k}-reachability algorithm. Surprisingly, we found that the over-approximation approach based on bidirected D_{1} ⊙ D_{1}-reachability computes more precise solutions, even though the D_{1} ⊙ D_{1} formalism is inherently less expressive than the D_{k} ⊙ D_{k} formalism. @Article{POPL21p59, author = {Yuanbo Li and Qirun Zhang and Thomas Reps}, title = {On the Complexity of Bidirected Interleaved Dyck-Reachability}, journal = {Proc. ACM Program. Lang.}, volume = {5}, number = {POPL}, articleno = {59}, numpages = {28}, doi = {10.1145/3434340}, year = {2021}, } Publisher's Version 
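As a concrete reminder of what a single-parenthesis Dyck language is, here is a minimal membership check for D_1 over words (illustrative only; the paper's subject is the much harder graph-reachability problem, not word membership):

```ocaml
(* A word over "(" and ")" belongs to the Dyck language D_1 iff no
   prefix closes more parentheses than it opens, and the word is
   balanced overall. *)
let in_dyck1 s =
  let depth = ref 0 and ok = ref true in
  String.iter
    (fun c ->
      (match c with '(' -> incr depth | ')' -> decr depth | _ -> ());
      if !depth < 0 then ok := false)
    s;
  !ok && !depth = 0

let () =
  assert (in_dyck1 "(()())");
  assert (not (in_dyck1 "())("))
```

In Dyck-reachability, the same matching condition is imposed on the word spelled out by the edge labels along a graph path; InterDyck-reachability imposes two such conditions simultaneously on interleaved alphabets.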
200 authors