

# Correctness of Intermittent Executions via Modal Crash Types

**Myra Dotzel**  
**PhD student, CSD, CMU**

Joint work with Farzaneh Derakhshan,  
Milijana Surbatovich, and Limin Jia



# Intermittent Computing

- batteryless energy-harvesting devices deployed in harsh or inaccessible environments
- devices charge, compute, and crash frequently
- nonvolatile memory (NV) persistent while volatile memory (V) transient



# Re-execution causes memory inconsistency bugs!

Ckpt

|    |            |
|----|------------|
| L1 | x := y;    |
| L2 | y := z;    |
| L3 | w := x + y |

Memory state (before re-execution):

|    | x | y | z | w |
|----|---|---|---|---|
|    | 0 | 1 | 2 | 0 |
| L1 | 1 | 1 | 2 | 0 |
| L2 | 1 | 2 | 2 | 0 |
|    | 1 | 2 | 2 | 0 |
| L1 | 2 | 2 | 2 | 0 |
| L2 | 2 | 2 | 2 | 0 |
| L3 | 2 | 2 | 2 | 4 |

Memory state (after re-execution):

|    | x | y | z | w |
|----|---|---|---|---|
|    | 0 | 1 | 2 | 0 |
| L1 | 1 | 1 | 2 | 0 |
| L2 | 1 | 2 | 2 | 0 |
| L3 | 1 | 2 | 2 | 3 |



→ Write-after-read patterns [Lucia 2015]  
Incorrect checkpointing causes bugs!

Question:

How can we **ensure** that intermittent programs execute correctly?

Surbatovich et al. 2019, 2020: practical implementation + correctness of intermittent executions

# Overview of our work

- Model key operations: checkpoint, crash, restore, re-execute.
  - One approach: checkpoint everything not read-only (Derakhshan et al. 2023)
  - More efficient: only checkpoint write-after-read variables
- First type system based on modal logic to characterize the correctness of programs under crashes.

Types allow us to automatically check that programs can execute  
**correctly intermittently.**

# Outline

- Background — intermittent computing, WAR patterns
- Overview
- **Type system**
- Logical relation
- Metatheory
- Conclusion

# Type System

store types  
basic types

$$\begin{aligned} A &:= \text{int} \mid \text{bool} \\ T &:= \text{unit} \mid A \end{aligned}$$

unstable types  
stable types

$$\begin{aligned} \tau^u &:= T \mid \downarrow \tau^s \mid \tau^u \vee \tau^u \mid v_t \\ \tau^s &:= \uparrow \tau^u \mid \text{nat} \rightsquigarrow \tau^s \end{aligned}$$

access qualifiers  $q := \text{CK} \mid \text{RD} \mid \text{MtWt} \mid \text{Wtn}$

---

# Type System

store types

$$A := \text{int} \mid \text{bool}$$

basic types

$$T := \text{unit} \mid A$$

unstable types

$$\tau^u := T \mid \downarrow \tau^s \mid \tau^u \vee \tau^u \mid v_t$$

stable types

$$\tau^s := \uparrow \tau^u \mid \text{nat} \rightsquigarrow \tau^s$$

access qualifiers  $q := \text{CK} \mid \text{RD} \mid \text{MtWt} \mid \text{Wtn}$



# Type System

|                   |                                                                       |
|-------------------|-----------------------------------------------------------------------|
| store types       | $A := \text{int} \mid \text{bool}$                                    |
| basic types       | $T := \text{unit} \mid A$                                             |
| unstable types    | $\tau^u := T \mid \downarrow \tau^s \mid \tau^u \vee \tau^u \mid v_t$ |
| stable types      | $\tau^s := \uparrow \tau^u \mid \text{nat} \rightsquigarrow \tau^s$   |
| access qualifiers | $q := \text{CK} \mid \text{RD} \mid \text{MtWt} \mid \text{Wtn}$      |



# Connection to Adjoint Modal Logic

- Independence principle: validity does not depend on truth.



- Here: stable values ( $s$ ) do not depend on unstable values ( $u$ ).



# Type System

store types

$$A := \text{int} \mid \text{bool}$$

basic types

$$T := \text{unit} \mid A$$

unstable types

$$\tau^u := T \mid \downarrow \tau^s \mid \tau^u \vee \tau^u \mid v_t$$

stable types

$$\tau^s := \uparrow \tau^u \mid \text{nat} \rightsquigarrow \tau^s$$

access qualifiers

$$q := \text{CK} \mid \text{RD} \mid \text{MtWt} \mid \text{Wtn}$$



## Crash type

$$C = \downarrow \uparrow \text{unit} \vee \downarrow (\text{nat} \rightsquigarrow \uparrow C)$$

Successful  
execution

Re-execution

# Type System

store types

$$A := \text{int} \mid \text{bool}$$

basic types

$$T := \text{unit} \mid A$$

unstable types

$$\tau^u := T \mid \downarrow \tau^s \mid \tau^u \vee \tau^u \mid v_t$$

stable types

$$\tau^s := \uparrow \tau^u \mid \text{nat} \rightsquigarrow \tau^s$$

access qualifiers

$$q := \text{CK} \mid \text{RD} \mid \text{MtWt} \mid \text{Wtn}$$



**Unstable typing judgment**

$$\boxed{\text{Energy buffer}} \mid \boxed{x : \tau^s} \boxed{y : \tau^u} \mid \Omega ; \Sigma \vdash_{\text{Sig}} x := y : C \dashv \Omega'$$

Energy buffer NV V  
typing context typing context Post-context

**Stable typing judgment**

$$\boxed{\text{Energy buffer}} \mid \boxed{x : \tau^s} \mid \Omega \vdash \text{Ckpt} \boxed{x := y; \\ y := z; \\ w := x + y} : \uparrow C$$

# Type System

store types

$$A := \text{int} \mid \text{bool}$$

basic types

$$T := \text{unit} \mid A$$

unstable types

$$\tau^u := T \mid \downarrow \tau^s \mid \tau^u \vee \tau^u \mid v_t$$

stable types

$$\tau^s := \uparrow \tau^u \mid \text{nat} \rightsquigarrow \tau^s$$

access qualifiers

$$q := \text{CK} \mid \text{RD} \mid \text{MtWt} \mid \text{Wtn}$$

Ckpt(y)

x := y;   $\tau^u$

y := z; 

w := x + y



  $\tau^s$

# Type System

store types

$$A := \text{int} \mid \text{bool}$$

basic types

$$T := \text{unit} \mid A$$

unstable types

$$\tau^u := T \mid \downarrow \tau^s \mid \tau^u \vee \tau^u \mid v_t$$

stable types

$$\tau^s := \uparrow \tau^u \mid \text{nat} \rightsquigarrow \tau^s$$

access qualifiers

$$q := \text{CK} \mid \text{RD} \mid \text{MtWt} \mid \text{Wtn}$$



## Command sequencing

$x:\tau @ \text{MtWt}, y:\tau @ \text{CK}$



$$| \Omega; \Sigma \vdash_{\text{Sig}} x := y : C_{\text{unit}} \dashv \Omega'$$



$$| \Omega'; \Sigma \vdash_{\text{Sig}} y := z : \tau \dashv \Omega''$$

---


$$| \Omega; \Sigma \vdash_{\text{Sig}} x := y; y := z : \tau \dashv \Omega''$$

$x:\tau @ \text{Wtn}, y:\tau @ \text{CK}$

$x:\tau @ \text{Wtn}, y:\tau @ \text{CK}$

# Example

$Ckpt(y)$

L1       $x := y;$   
 L2       $y := z;$   
 L3       $w := x + y$



# Outline

- Background — intermittent computing, WAR patterns
- Overview
- Type system
- **Logical relation**
- Metatheory
- Conclusion

# Logical Relation

$$(\text{Battery icon} \mid \text{INV} \mid \text{V} \mid c_1, \text{Plug icon} \mid \text{NV} \mid \text{V} \mid c_2) \in \mathcal{E} \llbracket \mathbf{C}_{Unit} \rrbracket^m$$

# crashes

Intermittent execution      Continuous execution      Crash type

---

Correctness:

Every intermittent execution of a well-typed program can be simulated by its continuous execution.

# Term Relation

## Base case

$$(\text{battery icon} \mid NV \mid V \mid c, \text{plug icon} \mid NV \mid V \mid c) \in \mathcal{E} \llbracket C_{Unit} \rrbracket^0$$

---

# Term Relation

## Base case

$$(\text{Battery icon} \mid NV \mid V \mid c, \text{Plug icon} \mid NV \mid V \mid c) \in \mathcal{E}[\mathbb{C}_{Unit}]^0$$

## Inductive case

$$(\text{Battery icon} \mid NV_1 \mid V \mid c, \text{Plug icon} \mid NV_2 \mid V \mid c) \in \mathcal{E}[\mathbb{C}_{Unit}]^{k+1} \quad (NV_1 \setminus \{MtWt\} = NV_2 \setminus \{MtWt\})$$

iff

$$\begin{cases} (\text{Battery icon} \mid NV'_1 \mid V \mid c_1, \text{Plug icon} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\downarrow \uparrow \text{unit}]^k \quad \text{or} \\ (\text{Dead icon} \mid NV'_1 \mid V \mid c_1, \text{Plug icon} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\downarrow (\text{nat} \rightsquigarrow \uparrow C)]^k \end{cases}$$

# Value Relation

(  | NV'\_1 | V | c\_1,  | NV\_2 | V | c ) ∈ ™[C\_Unit]^{k+1}

Crash

# Value Relation

$$(\boxed{\text{⚡}} \mid NV'_1 \mid V \mid c_1, \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\mathbf{C}_{Unit}]^{k+1}$$

Crash

$$\text{iff } (\boxed{\text{⚡}} \mid NV'_1 \mid V \mid \downarrow \epsilon \# in(b > 0, \uparrow c), \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\downarrow (nat \rightsquigarrow \uparrow \mathbf{C}_{Unit})]^k$$

PwOff

# Value Relation

$$(\boxed{\text{⚡}} \mid NV'_1 \mid V \mid c_1, \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\mathbb{C}_{Unit}]^{k+1}$$

Crash

iff  $(\boxed{\text{⚡}} \mid NV'_1 \mid V \mid \downarrow \epsilon \# in(b > 0, \uparrow c), \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\downarrow (nat \rightsquigarrow \uparrow \mathbb{C}_{Unit})]^k$  PwOff

iff  $(\boxed{\text{⚡}} \mid \boxed{NV'_1} \mid \epsilon \# in(b > 0, \uparrow c), \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[nat \rightsquigarrow \uparrow \mathbb{C}_{Unit}]^k$  Harvest

# Value Relation

(  | NV'\_1 | V | c\_1,  | NV\_2 | V | c ) ∈ ™[C\_Unit]^{k+1} Crash

iff (  | NV'\_1 | V | ↓ ε#in(b > 0, ↑ c ),  | NV\_2 | V | c ) ∈ ™[↓(nat ↣↑ C\_Unit)]^k PwOff

iff (  | NV'\_1 | ε#in(b > 0, ↑ c ),  | NV\_2 | V | c ) ∈ ™[nat ↣↑ C\_Unit]^k Harvest

iff (  | NV'\_1 | ↑ c ,  | NV\_2 | V | c ) ∈ ™[↑ C\_Unit]^k Restore

# Value Relation

$$(\boxed{\text{⚡}} \mid NV'_1 \mid V \mid c_1, \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\mathbf{C}_{Unit}]^{k+1}$$

Crash

iff  $(\boxed{\text{⚡}} \mid NV'_1 \mid V \downarrow \epsilon \# in(b > 0, \uparrow c), \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\downarrow (nat \rightsquigarrow \uparrow \mathbf{C}_{Unit})]^k$

PwOff

iff  $(\boxed{\text{⚡}} \mid NV'_1 \mid \epsilon \# in(b > 0, \uparrow c), \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[nat \rightsquigarrow \uparrow \mathbf{C}_{Unit}]^k$

Harvest

iff  $(\boxed{\text{🔋}} \mid NV'_1 \mid \uparrow c, \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{V}[\uparrow \mathbf{C}_{Unit}]^k$

Restore

iff  $(\boxed{\text{🔋}} \mid NV''_1 \mid V \mid c, \boxed{\text{🔌}} \mid NV_2 \mid V \mid c) \in \mathcal{E}[\mathbf{C}_{Unit}]^k$

$(NV''_1 \setminus \{MtWt\} = NV_2 \setminus \{MtWt\})$

# Outline

- Background — intermittent computing, WAR patterns
- Overview
- Type system
- Logical relation
- **Metatheory**
- Conclusion

# Metatheory

- Type Soundness: progress + preservation
- Fundamental Theorem: a syntactically well-typed program is semantically well-typed.
- Adequacy: semantically well-typed programs are correct.

**Every intermittent execution of a well-typed program can be simulated by its continuous execution.**



# Outline

- Background — intermittent computing, WAR patterns
- Overview
- Type system
- Logical relation
- Metatheory
- **Conclusion**

# Conclusion

- First logical interpretation of key operations of intermittent execution
- A core calculus for Crash types with type soundness
- A novel logical relation to characterize correctness
- Extensible to other modes of execution

## Future work

- Other classes of bugs (repeated I/O)
- Shared memory concurrency
- Other systems crash too!

# Correctness of Intermittent Executions via Modal Crash Types

**Myra Dotzel**  
**PhD student, CSD, CMU**

Joint work with Farzaneh Derakhshan,  
Milijana Surbatovich, and Limin Jia



# References

- [1] I/O Dependent Idempotence Bugs in Intermittent Systems. Surbatovich et al. OOPSLA 2019.
- [2] Towards a Formal Foundation of Intermittent Computing. Surbatovich et al. OOPSLA 2020.
- [3] A simpler, safer programming and execution model for intermittent systems. Lucia et al. PLDI 2015.
- [4] Modal Crash Types for Intermittent Computing. Derakhshan et al. ESOP 2023.
- [5] A judgmental deconstruction of modal logic. Reed. 2009.
- [6] A judgmental reconstruction of modal logic. Pfenning et al. IMLA'99.
- [7] A mixed linear and non-linear logic: Proofs, terms and models. Benton. CLS'94.
- [8] Adjoint Logic. Pruiksma et al. 2018.