Powered by
Proceedings of the ACM on Programming Languages, Volume 10, Number POPL
Frontmatter
Editorial Message
The Proceedings of the ACM series presents the highest-quality
research conducted in diverse areas of computer science, as
represented by the ACM Special Interest Groups (SIGs). The ACM
Proceedings of the ACM on Programming Languages (PACMPL) focuses on
research on all aspects of programming languages, from design to
implementation and from mathematical formalisms to empirical studies.
The journal operates in close collaboration with the Special Interest
Group on Programming Languages (SIGPLAN) and is committed to making
high-quality peer-reviewed scientific research in programming
languages free of restrictions on both access and use.
Article: popl26foreword-fm001-p doi:
Sponsors
Article: popl26foreword-fm003-p doi:
Regular Papers
The Complexity of Testing Message-Passing Concurrency
Zheng Shi,
Lasse Møldrup,
Umang Mathur, and
Andreas Pavlogiannis
(National University of Singapore, Singapore; Aarhus University, Denmark)
A key computational question underpinning the automated testing and verification of concurrent programs is the consistency question — given a partial execution history, can it be completed in a consistent manner? Due to its importance, consistency testing has been studied extensively for memory models, as well as for database isolation levels. A common theme in all these settings is the use of shared-memory as the primal mode of interthread communication. On the other hand, modern programming languages, such as Go, Rust and Kotlin, advocate a paradigm shift towards channel-based (i.e., message-passing) communication. However, the consistency question for channel-based concurrency is currently poorly understood.
In this paper we lift the study of fundamental consistency problems to channels, taking into account various input parameters, such as the number of threads executing, the number of channels, and the channel capacities. We draw a rich complexity landscape, including upper bounds that become polynomial when certain input parameters are fixed, as well as hardness lower bounds. Our upper bounds are based on algorithms that can drive the verification of channel consistency in automated verification tools. Our lower bounds characterize minimal input parameters that are sufficient for hardness to arise, and thus shed light on the intricacies of testing channel-based concurrency. In combination, our upper and lower bounds characterize the boundary of tractability/intractability of verifying channel consistency, and imply that our algorithms are often (nearly) optimal. We have also implemented our main consistency checking algorithm and designed optimizations to enhance its performance. We evaluated the performance of our implementation over a set of 103 instances obtained from open source Go projects, and compared it against a constraint-solving based algorithm. Our experimental results demonstrate the power of our consistency-checking algorithm; it scales to around 1M events, and is significantly faster in running-time performance, compared to a constraint-solving approach.
Publisher's Version
Published Artifact
Artifacts Available
Article: popl26main-p14-p doi:10.1145/3776643
Let Generalization, Polymorphic Recursion, and Variable Minimization in Boolean-Kinded Type Systems
Joseph A. Zullo
(Purdue University, USA)
Recent research has demonstrated the effectiveness of extending the Hindley-Milner (HM) type system with Boolean kinds to support type inference for a wide variety of features. However, the means to support classic type system provisions such as local let generalization and polymorphic recursion is either limited or unknown for such extensions. This paper contributes procedures for equational generalization and semiunification in arbitrary Boolean rings, enabling let generalization and polymorphic recursion in Boolean-kinded type inference. Additionally, methods to minimize the number of bound Boolean type variables are developed to keep types small in these systems. Boolean-kinded HM extensions are exemplified with nullable reference types, and how to use the developed procedures to support let generalization and polymorphic recursion is outlined.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p20-p doi:10.1145/3776644
Qudit Quantum Programming with Projective Cliffords
Jennifer Paykin and
Sam Winnick
(University of Vermont, USA; Intel, USA; Simon Fraser University, Canada; University of Waterloo, Canada)
This paper introduces a novel abstraction for programming quantum operations, specifically projective Cliffords, as functions over the qudit Pauli group. Generalizing the idea behind Pauli tableaux, we introduce a type system and lambda calculus for projective Cliffords called LambdaPC that captures well-formed Clifford operations via a Curry-Howard correspondence with a particular encoding of the Clifford and Pauli groups. In LambdaPC, users write functions that encode projective Cliffords P ↦ U P U†, and such functions are compiled to circuits executable on modern quantum computers that transform quantum states |ϕ⟩ into U |ϕ⟩, up to a global phase. Importantly, the language captures not just qubit operations, but qudit operations for any dimension d.
Throughout the paper we explore what it means to program with projective Cliffords through a number of examples and a case study focusing on stabilizer error correcting codes.
Publisher's Version
Article: popl26main-p28-p doi:10.1145/3776646
Hadamard-Pi: Equational Quantum Programming
Wang Fang,
Chris Heunen, and
Robin Kaarsgaard
(University of Edinburgh, UK; University of Southern Denmark, Denmark)
Quantum computing offers advantages over classical computation, yet the precise features that set the two apart remain unclear. In the standard quantum circuit model, adding a 1-qubit basis-changing gate—commonly chosen to be the Hadamard gate—to a universal set of classical reversible gates yields computationally universal quantum computation. However, the computational behaviours enabled by this addition are not fully characterised. We give such a characterisation by introducing a small quantum programming language extending the universal classical reversible programming language Π with a single primitive corresponding to the Hadamard gate. The language comes equipped with a sound and complete categorical semantics that is specified by a purely equational theory. Completeness is shown by means of a novel finite presentation, and a corresponding synthesis algorithm, for the groups of orthogonal matrices with entries in the ring ℤ[1/√2].
Publisher's Version
Article: popl26main-p32-p doi:10.1145/3776647
RapunSL: Untangling Quantum Computing with Separation, Linear Combination and Mixing
Yusuke Matsushita,
Kengo Hirata,
Ryo Wakizaka, and
Emanuele D'Osualdo
(Kyoto University, Japan; University of Edinburgh, UK; University of Konstanz, Germany)
Quantum Separation Logic (QSL) has been proposed as an effective tool to improve the scalability of deductive reasoning for quantum programs. In QSL, separation is interpreted as disentanglement, and the frame rule brings a notion of entanglement-local specification (one that only talks about the qubits entangled with those acted upon by the program). In this paper, we identify two notions of locality unique to the quantum domain, and we construct a novel quantum separation logic, RapunSL, which is able to soundly reduce reasoning about superposition states to reasoning about pure states (basis-locality), and reasoning about mixed states arising from measurement to reasoning about pure states (outcome-locality). To do so, we introduce two connectives, linear combination and mixing, which together with separation provide a dramatic improvement in the scalability of reasoning, as we demonstrate on a series of challenging case studies.
Publisher's Version
Article: popl26main-p35-p doi:10.1145/3776648
Hyperfunctions: Communicating Continuations
Donnacha Oisín Kidney and
Nicolas Wu
(Imperial College London, UK)
A hyperfunction is a continuation-like construction that can be used to implement communication in the
context of concurrency. Though it has been reinvented many times, it remains somewhat obscure: since its
definition by Launchbury et al., hyperfunctions have been used to implement certain algebraic effect handlers,
coroutines, and breadth-first traversals; however, in each of these examples, the hyperfunction type went
unrecognised.
We identify the hyperfunctions hidden in all of these algorithms, and we exposit the common pattern
between them, building a framework for working with and reasoning about hyperfunctions. We use this
framework to solve a long-standing problem: giving a fully-abstract continuation-based semantics for a
concurrent calculus, the Calculus of Communicating Systems. Finally, we use hyperfunctions to build a
monadic Haskell library for efficient first-class coroutines.
Publisher's Version
Article: popl26main-p42-p doi:10.1145/3776649
ArchSem: Reusable Rigorous Semantics of Relaxed Architectures
Thibaut Pérami,
Thomas Bauereiss,
Brian Campbell,
Zongyuan Liu,
Nils Lauermann,
Alasdair Armstrong, and
Peter Sewell
(University of Cambridge, UK; University of Edinburgh, UK; Aarhus University, Denmark)
The specifications of mainstream processor architectures, such as Arm, x86, and RISC-V, underlie modern computing, as the targets of compilers, operating systems, and hypervisors. However, despite extensive research and tooling for instruction-set architecture (ISA) and relaxed-memory semantics, recently including systems features, there still do not exist integrated mathematical models that suffice for foundational formal verification, of concurrent architecture properties or of systems software. Previous proof-assistant work has had to substantially simplify the ISA semantics, the concurrency model, or both.
We present ArchSem, an architecture-generic framework for architecture semantics, modularly combining ISA and concurrency models along a tractable interface of instruction-semantics effects, that covers a range of systems aspects. To do so, one has to handle many issues that were previously unclear, about the architectures themselves, the interface, the proper definition of reusable models, and the Rocq and Isabelle idioms required to make it usable. We instantiate it to the Arm-A and RISC-V instruction-set architectures and multiple concurrency models.
We demonstrate usability for proof, despite the scale, by establishing that the Arm architecture (in a particular configuration) provides a provable virtual memory abstraction, with a combination of Rocq, Isabelle, and paper proof. Previous work provides further confirmation of usability: the AxSL program logic for Arm relaxed concurrency was proved sound above an earlier version of ArchSem.
This establishes a basis for future proofs of architecture properties and systems software, above production architecture specifications.
Publisher's Version
Article: popl26main-p44-p doi:10.1145/3776650
Probabilistic Concurrent Reasoning in Outcome Logic: Independence, Conditioning, and Invariants
Noam Zilberstein,
Alexandra Silva, and
Joseph Tassarotti
(Cornell University, USA; New York University, USA)
Although randomization has long been used in distributed computing, formal methods for reasoning about probabilistic concurrent programs have lagged behind. No existing program logics can express specifications about the full distributions of outcomes resulting from programs that are both probabilistic and concurrent. To address this, we introduce Probabilistic Concurrent Outcome Logic (pcOL), which incorporates ideas from concurrent and probabilistic separation logics into Outcome Logic to introduce new compositional reasoning principles. At its core, pcOL reinterprets the rules of Concurrent Separation Logic in a setting where separation models probabilistic independence, so as to compositionally describe joint distributions over variables in concurrent threads. Reasoning about outcomes also proves crucial, as case analysis is often necessary to derive precise information about threads that rely on randomized shared state. We demonstrate pcOL on a variety of examples, including to prove almost sure termination of unbounded loops.
Publisher's Version
ACM SIGPLAN Distinguished Paper Award
Article: popl26main-p57-p doi:10.1145/3776651
Characterizing Sets of Theories That Can Be Disjointly Combined
Benjamin Przybocki,
Guilherme V. Toledo, and
Yoni Zohar
(Carnegie Mellon University, USA; Bar-Ilan University, Israel)
We study properties that allow first-order theories to be disjointly combined, including stable infiniteness, shininess, strong politeness, and gentleness. Specifically, we describe a Galois connection between sets of decidable theories, which picks out the largest set of decidable theories that can be combined with a given set of decidable theories. Using this, we exactly characterize the sets of decidable theories that can be combined with those satisfying well-known theory combination properties. This strengthens previous results and answers in the negative several long-standing open questions about the possibility of improving existing theory combination methods to apply to larger sets of theories. Additionally, the Galois connection gives rise to a complete lattice of theory combination properties, which allows one to generate new theory combination methods by taking meets and joins of elements of this lattice. We provide examples of this process, introducing new combination theorems. We situate both new and old combination methods within this lattice.
Publisher's Version
Article: popl26main-p71-p doi:10.1145/3776652
Local Contextual Type Inference
Xu Xue,
Chen Cui,
Shengyi Jiang, and
Bruno C. d. S. Oliveira
(University of Hong Kong, China)
Type inference is essential for programming languages, yet complete and global inference quickly becomes undecidable in the presence of rich type systems like System F. Pierce and Turner proposed local type inference (LTI) as a scalable, partially annotated alternative by relying on information local to applications. While LTI has been widely adopted in practice, there are significant gaps between theory and practice, with its theory being underdeveloped and specifications for LTI being complex and restrictive.
We propose Local Contextual Type Inference, a principled redesign of LTI grounded in contextual typing—a recent formalism which captures type information flow. We present Contextual System F (Fc), a variant of System F with implicit and first-class polymorphism. We formalize Fc using a declarative type system, prove soundness, completeness, and decidability, and introduce matching subtyping as a bridge between declarative and algorithmic inference. This work offers the first mechanized treatment of LTI, while at the same time removing important practical restrictions and also demonstrating the power of contextual typing in designing robust, extensible and simple to implement type inference algorithms.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p73-p doi:10.1145/3776653
JAX Autodiff from a Linear Logic Perspective
Giulia Giusti and
Michele Pagani
(ENS Lyon - CNRS - Université Claude Bernard Lyon 1 - LIP - UMR 5668, France)
JAX Autodiff refers to the core of the automatic differentiation (AD) systems developed in projects like JAX and Dex. JAX Autodiff has recently been formalised in a linear typed calculus by Radul et al in POPL 2023. Although this formalisation suffices to express the main program transformations of AD, the calculus is very specific to this task, and it is not clear whether the type system yields a substructural logic that has interest on its own. We propose an encoding of JAX Autodiff into a linear λ-calculus that enjoys a Curry-Howard correspondence with Girard’s linear logic. We prove that the encoding is sound both qualitatively (the encoded terms are extensionally equivalent to the original ones) and quantitatively (the encoding preserves the original work cost as described in Radul et al). As a byproduct, we show that unzipping, one of the transformations used to implement backpropagation in JAX Autodiff, is, in fact, optional.
Publisher's Version
Article: popl26main-p79-p doi:10.1145/3776654
TypeDis: A Type System for Disentanglement
Alexandre Moine,
Stephanie Balzer,
Alex Xu, and
Sam Westrick
(New York University, USA; Carnegie Mellon University, USA)
Disentanglement is a runtime property of parallel programs
guaranteeing that parallel tasks remain oblivious to each other's
allocations. As demonstrated in the MaPLe compiler and run-time
system, disentanglement can be exploited for fast automatic memory
management, especially task-local garbage collection with no
synchronization between parallel tasks. However, as a low-level
property, disentanglement can be difficult to reason about for
programmers. The only means of statically verifying disentanglement
so far has been DisLog, an Iris-fueled variant of separation logic,
mechanized in the Rocq proof assistant. DisLog is a fully-featured
program logic, allowing for proof of functional correctness as well as
verification of disentanglement. Yet its employment requires
significant expertise and per-program proof effort.
This paper explores the route of automatic verification via a type
system, ensuring that any well-typed program is disentangled and
lifting the burden of carrying out manual proofs from the programmer.
It contributes TypeDis, a type system inspired by region types, where
each type is annotated with a timestamp, identifying the task that
allocated it. TypeDis supports iso-recursive types as well as
polymorphism over both types and timestamps. Crucially, timestamps
are allowed to change during type-checking, at join points as well as
via a form of subtyping, dubbed subtiming. The paper illustrates
TypeDis and its features on a range of examples. The soundness of
TypeDis and the examples are mechanized in the Rocq proof assistant,
using an improved version of DisLog, dubbed DisLog2.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p80-p doi:10.1145/3776655
Network Change Validation with Relational NetKAT
Han Xu,
Zachary Kincaid,
Ratul Mahajan, and
David Walker
(Princeton University, USA; University of Washington, USA)
Relational NetKAT (RN) is a new specification language for network change validation. Engineers use RN to specify intended changes by providing a trace relation R, which maps existing packet traces in the pre-change network to intended packet traces in the post-change network. The intended set of traces may then be checked against the actual post-change traces to uncover errors in implementation. Trace relations are constructed compositionally from a language of combinators that include trace insertion, trace deletion, and packet transformation, as well as regular operators for concatenation, union, and iteration of relations. We provide algorithms for converting trace relations into a new form of NetKAT transducer and also for constructing an automaton that recognizes the image of a NetKAT automaton under a NetKAT transducer. These algorithms, together with existing decision procedures for NetKAT automaton equivalence, suffice for validating network changes. We provide a denotational semantics for our specification language, prove our compilation algorithms correct, implement a tool for network change validation, and evaluate it on a set of benchmarks drawn from a production network and Amazon’s Batfish toolkit.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p84-p doi:10.1145/3776656
An Expressive Assertion Language for Quantum Programs
Bonan Su,
Yuan Feng,
Mingsheng Ying, and
Li Zhou
(Tsinghua University, China; University of Technology Sydney, Australia; Institute of Software at Chinese Academy of Sciences, China)
In this paper, we define an assertion language designed for expectation-based reasoning about quantum programs. The key design idea is a representation of quantum predicates by quasi-probability distributions of generalized Pauli operators. Then we extend classical techniques such as Gödelization to prove that this language is expressive with respect to the quantum programs with loops—specifically, for any program S and any postcondition ψ formulated in the assertion language, the weakest precondition of S with respect to ψ can also be expressed as a formula in the assertion language. As an application, we present a sound and relatively complete quantum Hoare logic upon our expressive assertion language.
Publisher's Version
Article: popl26main-p95-p doi:10.1145/3776658
Fuzzing Guided by Bayesian Program Analysis
Yifan Zhang and
Xin Zhang
(Peking University, China)
We propose a novel approach that leverages Bayesian program analysis to guide large-scale target-guided greybox fuzzing (LTGF). LTGF prioritizes program locations (targets) that are likely to contain bugs and applies directed mutation towards high-priority targets. However, existing LTGF approaches suffer from coarse and heuristic target prioritization strategies, and lack a systematic design to fully exploit feedback from the fuzzing process. We systematically define this prioritization process as the reachable fuzzing targets problem. Bayesian program analysis attaches probabilities to analysis rules and transforms the analysis results into a Bayesian model. By redefining the semantics of Bayesian program analysis, we enable the prediction of whether each target is reachable by the fuzzer, and dynamically adjust the predictions based on fuzzer feedback. On the one hand, Bayesian program analysis builds Bayesian models based on program semantics, enabling systematic and fine-grained prioritization. On the other hand, Bayesian program analysis systematically learns feedback from the fuzzing process, making its guidance adaptive. Moreover, this combination extends the application of Bayesian program analysis from alarm ranking to fully automated bug discovery. We implement our approach and evaluate it against several state-of-the-art fuzzers. On a suite of real-world programs, our approach discovers 3.25 × to 13 × more unique bugs compared to baselines. In addition, our approach identifies 39 previously unknown bugs in well-tested programs, 30 of which have been assigned CVEs.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p99-p doi:10.1145/3776659
ChiSA: Static Analysis for Lightweight Chisel Verification
Jiacai Cui,
Qinlin Chen,
Zhongsheng Zhan,
Tian Tan, and
Yue Li
(Nanjing University, China)
The growing demand for productivity in hardware development opens up new opportunities for applying programming language (PL) techniques to hardware description languages (HDLs). Chisel, a leading agile HDL, embraces this shift by leveraging modern PL features to enhance hardware design productivity. However, verification for Chisel remains a major productivity bottleneck, requiring substantial time and manual effort. To address this issue, we advocate the use of static analysis—a technique proven well-suited to agile development workflows in software—for lightweight Chisel verification.
This work establishes a theoretical foundation for Chisel static analysis. At its core is λC, a formal core calculus of ChAIR (a Chisel-specific intermediate representation for analysis). λC is the first formalism that captures the essence of Chisel while being deliberately minimal to ease rigorous reasoning about static analysis built on λC. We prove key properties of λC that reflect real hardware characteristics, which in turn offer a form of retrospective validation for its design. On the basis of λC, we define and formalize the hardware value flow analysis (HVFA) problem, which underpins our static analyses for critical Chisel verification tasks, including bug detection and security analysis. We then propose a synchronized fixed-point solution to the HVFA problem, featuring hardware-specific treatment of the synchronous behavior of clock-driven hardware registers—the essential feature of Chisel programs. We further prove key theorems establishing the guarantees and limitations of our solution.
As a proof of concept, we develop ChiSA (30K+ LoC)—the first Chisel static analyzer that can analyze intricate hardware value flows to enable lightweight analyses for critical Chisel verification tasks such as bug detection and security analysis. To facilitate thorough evaluation of both ChiSA and future work, we provide ChiSABench (11M+ LoC), a comprehensive benchmark for Chisel static analysis.
Our evaluation on ChiSABench demonstrates that ChiSA offers an effective and significantly more lightweight approach for critical Chisel verification tasks, especially on large and complex real-world designs. For example, ChiSA identified 69 violable developer-inserted assertions in large-scale Chisel designs (9.7M+ LoC) in under 200 seconds—eight of which were recognized by developers and scheduled for future fixes—and detected all 60 information-leak vulnerabilities in the well-known TrustHub benchmark (1.1M+ LoC) in just one second—outperforming state-of-the-art Chisel approaches like ChiselTest’s bounded model checking and ChiselFlow’s secure type system. These results underscore the high promise of static analysis for lightweight Chisel verification. To encourage continued research and innovation, we will fully open-source ChiSA (30K+ LoC) and ChiSABench (11M+ LoC).
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p104-p doi:10.1145/3776660
General Decidability Results for Systems with Continuous Counters
A. R. Balasubramanian,
Matthew Hague,
Rupak Majumdar,
Ramanathan S. Thinniyam, and
Georg Zetzsche
(MPI-SWS, Germany; Royal Holloway University of London, UK; Uppsala University, Sweden)
Counters that hold natural numbers are ubiquitous in modeling and verifying software systems; for example, they model dynamic creation and use of resources in concurrent programs. Unfortunately, such discrete counters often lead to extremely high complexity. Continuous counters are an efficient over-approximation of discrete counters. They are obtained by relaxing the original counters to hold values over the non-negative rational numbers.
This work shows that continuous counters are extraordinarily well-behaved in terms of decidability. Our main result is that, despite continuous counters being infinite-state, the language of sequences of counter
instructions that can arrive in a given target configuration, is regular. Moreover, a finite automaton for this language can be computed effectively. This implies that a wide variety of transition systems can be equipped with continuous counters, while maintaining decidability of reachability properties. Examples include higher-order recursion schemes, well-structured transition systems, and decidable extensions of discrete counter systems.
We also prove a non-elementary lower bound for the size of the resulting finite automaton.
Publisher's Version
Article: popl26main-p113-p doi:10.1145/3776661
Extensible Data Types with Ad-Hoc Polymorphism
Matthew Toohey,
Yanning Chen,
Ara Jamalzadeh, and
Ningning Xie
(University of Toronto, Canada)
This paper proposes a novel language design that combines extensible data types, implemented through row types and row polymorphism, with ad-hoc polymorphism, implemented through type classes. Our design introduces several new constructs and constraints useful for generic operations over rows. We formalize our design in a source calculus λρ⇒, which elaborates into a target calculus Fω⊗⊕. We prove that the target calculus is type-safe and that the elaboration is sound, thus establishing the soundness of λρ⇒. All proofs are mechanized in the Lean 4 proof assistant. Furthermore, we evaluate our type system using the Brown Benchmark for Table Types, demonstrating the utility of extensible rows with type classes for table types.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p116-p doi:10.1145/3776662
Optimising Density Computations in Probabilistic Programs via Automatic Loop Vectorisation
Sangho Lim,
Hyoungjin Lim,
Wonyeol Lee,
Xavier Rival, and
Hongseok Yang
(KAIST, Republic of Korea; POSTECH, Republic of Korea; DIENS - École Normale Supérieure de Paris - CNRS - PSL University, France; Inria, France)
Probabilistic programming languages (PPLs) are a popular tool for high-level modelling across many fields. They provide a range of algorithms for probabilistic inference, which analyse models by learning their parameters from a dataset or estimating their posterior distributions. However, probabilistic inference is known to be very costly. One of the bottlenecks of probabilistic inference stems from the iteration over entries of a large dataset or a long series of random samples. Vectorisation can mitigate this cost, but manual vectorisation is error-prone, and existing automatic techniques are often ad-hoc and limited, unable to handle general repetition structures, such as nested loops and loops with data-dependent control flow, without significant user intervention. To address this bottleneck, we propose a sound and effective method for automatically vectorising loops in probabilistic programs. Our method achieves high throughput using speculative parallel execution of loop iterations, while preserving the semantics of the original loop through a fixed-point check. We formalise our method as a translation from an imperative PPL into a lower-level target language with primitives geared towards vectorisation. We implemented our method for the Pyro PPL and evaluated it on a range of probabilistic models. Our experiments show significant performance gains against an existing vectorisation baseline, achieving 1.1–6× speedups and reducing GPU memory usage in many cases. Unlike the baseline, which is limited to a subset of models, our method effectively handled all the tested models.
Publisher's Version
Info
Article: popl26main-p121-p doi:10.1145/3776663
AdapTT: Functoriality for Dependent Type Casts
Arthur Adjedj,
Meven Lennon-Bertrand,
Thibaut Benjamin, and
Kenji Maillard
(ENS Paris-Saclay - Université Paris-Saclay, France; Université Paris Cité - Inria - CNRS - IRIF, France; Université Paris-Saclay - CNRS - ENS Paris-Saclay - LMF, France; Nantes Université - École Centrale Nantes - CNRS - Inria - LS2N - UMR 6004, France)
The ability to cast values between related types is a leitmotiv of many flavors of dependent type theory, such as observational type theories, subtyping, or cast calculi for gradual typing. These casts all exhibit a common structural behavior that boils down to the pervasive functoriality of type formers. We propose and extensively study a type theory, called AdapTT, which makes systematic and precise this idea of functorial type formers, with respect to an abstract notion of adapters relating types. Leveraging descriptions for functorial inductive types in AdapTT, we derive structural laws for type casts on general inductive type formers.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Functional
Article: popl26main-p126-p doi:10.1145/3776664
On Circuit Description Languages, Indexed Monads, and Resource Analysis
Ken Sakayori,
Andrea Colledan, and
Ugo Dal Lago
(University of Tokyo, Japan; University of Bologna, Italy; Centre Inria d’Université Côte d’Azur, France)
In this paper, a monad-based denotational model is introduced and shown adequate for the Proto-Quipper family of calculi, themselves being idealized versions of the Quipper programming language. The use of a monadic approach allows us to separate the value to which a term reduces from the circuit that the term itself produces as a side effect. In turn, this enables the denotational interpretation and validation of rich type systems in which the size of the produced circuit can be controlled. Notably, the proposed semantic framework, through the novel concept of circuit algebra, suggests forms of effect typing guaranteeing quantitative properties about the resulting circuit, even in presence of optimizations.
Publisher's Version
Article: popl26main-p140-p doi:10.1145/3776666
Towards Pen-and-Paper-Style Equational Reasoning in Interactive Theorem Provers by Equality Saturation
Marcus Rossel,
Rudi Schneider,
Thomas Kœhler,
Michel Steuwer, and
Andrés Goens
(Barkhausen Institut, Germany; TU Darmstadt, Germany; TU Berlin, Germany; ICube Lab - CNRS - Université de Strasbourg, France; University of Amsterdam, Netherlands)
Equations are ubiquitous in mathematical reasoning.
Often, however, they only hold under certain conditions.
As these conditions are usually clear from context, mathematicians regularly omit them when performing equational reasoning on paper.
In contrast, interactive theorem provers pedantically insist on every detail to be convinced that a theorem holds, hindering equational reasoning at the more abstract level of pen-and-paper mathematics.
In this paper, we address this issue by raising the level of equational reasoning to enable pen-and-paper style in interactive theorem provers.
We achieve this by interpreting theorems as conditional rewrite rules, and use equality saturation to automatically derive equational proofs.
Conditions that cannot be automatically proven may be surfaced as proof obligations.
Concretely, we present how to interpret theorems as conditional rewrite rules for a significant class of theorems.
Handling these theorems goes beyond simple syntactic rewriting, and deals with aspects like propositional conditions and type classes.
We evaluate our approach by implementing it as a tactic in Lean, using the egg library for equality saturation with e-graphs.
We show four use cases demonstrating the efficacy of this higher level of abstraction for equational reasoning.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p142-p doi:10.1145/3776667
All for One and One for All: Program Logics for Exploiting Internal Determinism in Parallel Programs
Alexandre Moine,
Sam Westrick, and
Joseph Tassarotti
(New York University, USA)
Nondeterminism makes parallel programs challenging to write and reason
about. To avoid these challenges, researchers have developed
techniques for internally deterministic parallel programming, in which
the steps of a parallel computation proceed in a deterministic way.
Internal determinism is useful because it lets a programmer reason
about a program as if it executed in a sequential order. However, no
verification framework exists to exploit this property and simplify
formal reasoning about internally deterministic programs.
To capture the essence of why internally deterministic programs should
be easier to reason about, this paper defines a property called
schedule-independent safety. A program satisfies schedule-independent
safety, if, to show that the program is safe across all orderings, it
suffices to show that one terminating execution of the program is
safe. We then present a separation logic called Musketeer for proving
that a program satisfies schedule-independent safety. Once a parallel
program has been shown to satisfy schedule-independent safety, we can
verify it with a new logic called Angelic, which allows one to
dynamically select and verify just one sequential ordering of the
program.
Using Musketeer, we prove the soundness of MiniDet, an affine type
system for enforcing internal determinism. MiniDet supports several
core algorithmic primitives for internally deterministic programming
that have been identified in the research literature, including a
deterministic version of a concurrent hash set. Because any
syntactically well-typed MiniDet program satisfies
schedule-independent safety, we can apply Angelic to verify such
programs.
All results in this paper have been verified in Rocq using the Iris
separation logic framework.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
ACM SIGPLAN Distinguished Paper Award
Article: popl26main-p156-p doi:10.1145/3776668
Security Reasoning via Substructural Dependency Tracking
Hemant Gouni,
Frank Pfenning, and
Jonathan Aldrich
(Carnegie Mellon University, USA)
Substructural type systems provide the ability to speak about resources. By enforcing usage restrictions on inputs to computations they allow programmers to reify limited system units—such as memory—in types. We demonstrate a new form of resource reasoning founded on constraining outputs and explore its utility for practical programming. In particular, we identify a number of disparate programming features explored largely in the security literature as various fragments of our unified framework. These encompass capabilities, quantitative information leakage, sandboxing in the style of the Linux seccomp interface, authorization protocols, and more. We furthermore explore its connection to conventional input-based resource reasoning, casting it as an internal treatment of the constructive Kripke semantics of substructural logics. We verify the capability, quantity, and protocol safety of our system through a single logical relations argument. In doing so, we take the first steps towards obtaining the ultimate multitool for security reasoning.
Publisher's Version
Published Artifact
Artifacts Available
ACM SIGPLAN Distinguished Paper Award
Article: popl26main-p157-p doi:10.1145/3776669
Dependent Coeffects for Local Sensitivity Analysis
Victor Sannier and
Patrick Baillot
(Univ. Lille - CNRS - Inria - Centrale Lille - UMR 9189 CRIStAL, France)
Differential privacy is a formal definition of privacy that bounds the maximum acceptable information leakage when a query is performed on sensitive data. To ensure this property, a key technique involves bounding the query’s sensitivity (how much input variations affect the output) and adding noise to the result according to this quantity. While prior work like the Fuzz type system focuses on global sensitivity, many useful queries have infinite global sensitivity, restricting the scope of such approaches. This limitation can be addressed by considering a more fine-grained measure: local sensitivity, which quantifies output change for inputs adjacent to a specific dataset. In this article, we introduce Local Fuzz, a type system with dependent coeffects designed to bound the local sensitivity of programs written in a simple functional language. We provide a denotational semantics for this system in the category of extended premetric spaces, leveraging the recently introduced construction of a dependently graded comonad. Finally, we illustrate how Local Fuzz can lead to better differential privacy guarantees than Fuzz, both for mechanisms that rely on global sensitivity and for those that leverage local sensitivity, such as the Propose-Test-Release framework.
Publisher's Version
Article: popl26main-p162-p doi:10.1145/3776670
Separating the Wheat from the Chaff: Understanding (In-)Completeness of Proof Mechanisms for Separation Logic with Inductive Definitions
Neta Elad,
Adithya Murali, and
Sharon Shoham
(Tel Aviv University, Israel; University of Wisconsin, USA)
For over two decades Separation Logic has enjoyed
its unique position as arguably the most popular framework
for reasoning about heap-manipulating programs,
as well as reasoning about shared resources and permissions.
Separation Logic is often extended to include
inductively-defined predicates,
interpreted as least fixpoints,
to form what is known as Separation Logic with Inductive Definitions (SLID).
These inductive predicates are
used to describe unbounded data-structures in the heap
and to verify key properties thereof.
Many theoretical and practical advances
have been made in developing automated proof mechanisms
for SLID,
but by their very nature these mechanisms are imperfect,
and a deeper understanding of their failures
is desired.
As expressive as Separation Logic is, it is not surprising
that it is incomplete:
there is no procedure that will provide a proof
for all valid entailments in Separation Logic.
In fact, at its very core, Separation Logic contains several
sources of incompleteness that defy automated reasoning.
In this paper we study these sources of incompleteness
and how they relate to failures of proof mechanisms of SLID.
We contextualize SLID within a larger, relaxed logic,
that we call Weak Separation Logic (WSL).
We prove that unlike SLID, WSL enjoys completeness
for a non-trivial
fragment of quantified entailments with background theories and
inductive definitions,
via a reduction to first-order logic (FOL).
Moreover, we show that the ubiquitous fold/unfold proof mechanism,
which is unsurprisingly incomplete for SLID,
does constitute a sound and complete proof mechanism of
WSL,
for theory-free, quantifier-free entailments with inductive definitions.
In some sense, this shows that WSL is the natural logic
of such proof mechanisms.
Through this contextualization of SLID within WSL,
we understand proof failures as stemming from
rogue, nonstandard models,
that exist within the class of models considered by WSL,
but do not adhere to the stricter requirements of SLID.
These rogue models are typically infinite,
and we use the
recently proposed formalism of symbolic structures
to represent and automatically find them.
We present a prototype tool that implements the encoding of
WSL to FOL and test it on an existing benchmark,
which contains over 700
quantified entailment problems with inductive definitions,
a third of which also contain background theories.
Our tool is able to find counter-models
to many of the examples,
and we provide a partial taxonomy of the rogue models,
shedding some light on real-world proof failures.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p167-p doi:10.1145/3776671
Rows and Capabilities as Modal Effects
Wenhao Tang and
Sam Lindley
(University of Edinburgh, UK)
Effect handlers allow programmers to model and compose computational
effects modularly. Effect systems statically guarantee that all
effects are handled. Several recent practical effect systems are
based on either row polymorphism or capabilities. However, there
remains a gap in understanding the precise relationship between effect
systems with such disparate foundations. The main difficulty is that
in both row-based and capability-based systems, effect tracking is
typically entangled with other features such as functions.
We propose a uniform framework for encoding, analysing, and comparing
effect systems. Our framework exploits and generalises modal effect
types, a recent novel effect system which decouples effect tracking
from functions via modalities. Modalities offer fine-grained control
over when and how effects are tracked, enabling us to express
different strategies for effect tracking. We give encodings as macro
translations from existing row-based and capability-based effect
systems into our framework and show that these encodings preserve
types and semantics. Our encodings reveal the essence of effect
tracking mechanisms in different effect systems, enable a direct
analysis on their differences, and provide practical insights on
language design.
Publisher's Version
Article: popl26main-p187-p doi:10.1145/3776674
Tropical Mathematics and the Lambda-Calculus II: Tropical Geometry of Probabilistic Programming Languages
Davide Barbarossa and
Paolo Pistone
(University of Bath, UK; Université Claude Bernard Lyon 1, France)
In the last few years there has been a growing interest towards methods for statistical inference and learning based on computational geometry and, notably, tropical geometry, that is, the study of algebraic varieties over the min-plus semiring. At the same time, recent work has demonstrated the possibility of interpreting higher-order probabilistic programming languages in the framework of tropical mathematics, by exploiting algebraic and categorical tools coming from the semantics of linear logic. In this work we combine these two worlds, showing that tools and ideas from tropical geometry can be used to perform statistical inference over higher-order probabilistic programs.
Notably, we first show that each such program can be associated with a degree and a n-dimensional polyhedron that encode its most likely runs. Then, we use these tools in order to design an intersection type system that estimates most likely runs in a compositional and efficient way.
Publisher's Version
Article: popl26main-p189-p doi:10.1145/3776675
A Relational Separation Logic for Effect Handlers
Paulo Emílio de Vilhena,
Simcha van Collem,
Ines Wright, and
Robbert Krebbers
(Imperial College London, UK; Radboud University Nijmegen, Netherlands; Aarhus University, Denmark)
Effect handlers offer a powerful and relatively simple mechanism for controlling a program's flow of execution. Since their introduction, an impressive array of verification tools for effect handlers has been developed. However, to this day, no framework can express and prove relational properties about programs that use effect handlers in languages such as OCaml and Links, where programming features like mutable state and concurrency are readily available. To this end, we introduce blaze, the first relational separation logic for effect handlers. We build blaze on top of the Rocq implementation of the Iris separation logic, thereby enjoying the rigour of a mechanised theory and all the reasoning properties of a modern fully-fledged concurrent separation logic, such as modular reasoning about stateful concurrent programs and the ability to introduce user-defined ghost state. In addition to familiar reasoning rules, such as the bind rule and the frame rule, blaze offers rules to reason modularly about programs that perform and handle effects. Significantly, when verifying that two programs are related, blaze does not require that effects and handlers from one program be in correspondence with effects and handlers from the other. To assess this flexibility, we conduct a number of case studies: most noticeably, we show how different implementations of an asynchronous-programming library using effects are related to truly concurrent implementations. As side contributions, we introduce two new, simple, and general reasoning rules for concurrent relational separation logic that are independent of effects: a logical-fork rule that allows one to reason about an arbitrary program phrase as if it had been spawned as a thread and a thread-swap rule that allows one to reason about how threads are scheduled.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Reusable
Article: popl26main-p190-p doi:10.1145/3776676
Compiling to Linear Neurons
Joey Velez-Ginorio,
Nada Amin,
Konrad Kording, and
Steve Zdancewic
(University of Pennsylvania, USA; Harvard University, USA)
We don’t program neural networks directly. Instead, we rely on an indirect style where learning algorithms, like gradient descent, determine a neural network’s function by learning from data. This indirect style is often a virtue; it empowers us to solve problems that were previously impossible. But it lacks discrete structure. We can’t compile most algorithms into a neural network—even if these algorithms could help the network learn. This limitation occurs because discrete algorithms are not obviously differentiable, making them incompatible with the gradient-based learning algorithms that determine a neural network’s function. To address this, we introduce Cajal: a typed, higher-order and linear programming language intended to be a minimal vehicle for exploring a direct style of programming neural networks. We prove Cajal programs compile to linear neurons, allowing discrete algorithms to be expressed in a differentiable form compatible with gradient-based learning. With our implementation of Cajal, we conduct several experiments where we link these linear neurons against other neural networks to determine part of their function prior to learning. Linking with these neurons allows networks to learn faster, with greater data-efficiency, and in a way that’s easier to debug. A key lesson is that linear programming languages provide a path towards directly programming neural networks, enabling a rich interplay between learning and the discrete structures of ordinary programming.
Publisher's Version
Article: popl26main-p199-p doi:10.1145/3776677
Handling Higher-Order Effectful Operations with Judgemental Monadic Laws
Zhixuan Yang and
Nicolas Wu
(Imperial College London, UK)
This paper studies the design of programming languages with handlers of higher-order effectful operations – effectful operations that may take in computations as arguments or return computations as output. We present and analyse a core calculus with higher-kinded impredicative polymorphism, handlers of higher-order effectful operations, and optionally general recursion. The distinctive design choice of this calculus is that handlers are carried by lawless raw monads, while the computation judgements still satisfy the monadic laws judgementally. We present the calculus with a logical framework and give denotational models of the calculus using realizability semantics. We prove closed-term canonicity and parametricity for the recursion-free fragment of the language using synthetic Tait computability and a novel form of the ⊤⊤-lifting technique.
Publisher's Version
Article: popl26main-p206-p doi:10.1145/3776678
Accelerating Syntax-Guided Program Synthesis by Optimizing Domain-Specific Languages
Zhentao Ye,
Ruyi Ji,
Yingfei Xiong, and
Xin Zhang
(Peking University, China)
Syntax-guided program synthesis relies on domain-specific languages (DSLs) to constrain the search space and improve efficiency. However, manually designing optimal DSLs is challenging and often results in suboptimal performance. In this paper, we propose AMaze, a novel framework that automatically optimizes DSLs to accelerate synthesis. AMaze iteratively refines a DSL by identifying key program fragments, termed feature components, whose enumeration ranks correlate with synthesis time. Using a dynamic-programming-based algorithm to calculate enumeration ranks of feature components and a machine learning model based on them, AMaze estimates synthesis cost instead of directly invoking the synthesizer, which is impractical due to high computational cost. We evaluate AMaze on state-of-the-art synthesizers, including DryadSynth, Duet, Polygen, and EUsolver, across multiple domains. Empirical results demonstrate that AMaze achieves up to 4.35X speedup, effectively reducing synthesis time while maintaining expressiveness.
Publisher's Version
Published Artifact
Artifacts Available
Artifacts Functional
Article: popl26main-p213-p doi:10.1145/3776679