Towards a Formal Foundation of Intermittent Computing by Surbatovich, Milijana et al.
Towards a Formal Foundation of Intermittent Computing
MILIJANA SURBATOVICH, Carnegie Mellon University, USA
LIMIN JIA, Carnegie Mellon University, USA
BRANDON LUCIA, Carnegie Mellon University, USA
Intermittently powered devices enable new applications in harsh or inaccessible environments, such as space
or in-body implants, but also introduce problems in programmability and correctness. Researchers have
developed programming models to ensure that programs make progress and do not produce erroneous results
due to memory inconsistencies caused by intermittent executions. As the technology has matured, more and
more features are added to intermittently powered devices, such as I/O. Prior work has shown that all existing
intermittent execution models have problems with repeated device or sensor inputs (RIO). RIOs could leave
intermittent executions in an inconsistent state. Such problems and the proliferation of existing intermittent
execution models necessitate a formal foundation for intermittent computing.
In this paper, we formalize intermittent execution models, their correctness properties with respect to
memory consistency and inputs, and identify the invariants needed to prove systems correct. We prove
equivalence between several existing intermittent systems. To address RIO problems, we define an algorithm
for identifying variables affected by RIOs that need to be restored after reboot and prove the algorithm correct.
Finally, we implement the algorithm in a novel intermittent runtime system that is correct with respect to
input operations and evaluate its performance.
1 INTRODUCTION
Battery-less, energy-harvesting devices (EHDs) are an emerging class of embedded computing
device that operate entirely using energy extracted from their environment, such as light energy
from a solar panel or energy from radio waves using an antenna. Free from a battery, these
devices enable new applications in IoT [Colin et al. 2018; Fraternali et al. 2018; Hester and Sorber
2017; Jackson et al. 2019], civil infrastructure sensing [Nardello et al. 2019], in-body medical
sensing [Proteus Digital Health 2015], and space exploration [Colin et al. 2018; Denby and Lucia
2020; Zac Manchester 2015]. We study EHDs that compute intermittently as energy is available. The
device slowly harvests energy into a capacitor. After storing sufficient energy to make meaningful
progress, the device operates, quickly consuming the energy. After exhausting the stored energy, the
device powers off, awaiting more energy. Software executes according to an intermittent execution
model, where programs make progress during an active period that is preceded by and followed by
an inactive recharge period and a reboot [Balsamo et al. 2015; Colin and Lucia 2016; Jayakumar
et al. 2014; Lucia and Ransford 2015; Maeng et al. 2017; Ransford et al. 2011; Van Der Woude and
Hicks 2016]. A reboot clears volatile state (registers and SRAM) and preserves non-volatile state
(FRAM [TI Inc. 2014] and Flash). This execution pattern is illustrated in Figure 1 (a).
Unpredictably-timed power failures create several challenges for an intermittent execution
model, including how to maintain forward progress, ensure memory consistency, manage I/O
and concurrency, and correctly interface with hardware. Figure 1 (a) illustrates how executing a
program intermittently can result in a memory state inconsistent with any continuous execution
of a program, if the program contains certain memory access patterns or repeats input operations.
As energy-harvesting devices have matured, an increasing variety of new programming models
and runtime systems for intermittent execution, with varying technical approaches to addressing
Authors’ addresses: Milijana Surbatovich, Carnegie Mellon University, USA, milijans@andrew.cmu.edu; Limin Jia, Carnegie
Mellon University, USA, liminjia@cmu.edu; Brandon Lucia, Carnegie Mellon University, USA, blucia@cmu.edu.
2020.
ar
X
iv
:2
00
7.
15
12
6v
1 
 [c
s.P
L]
  2
9 J
ul 
20
20
2 Milijana Surbatovich, Limin Jia, and Brandon Lucia
these key challenges, have emerged [Balsamo et al. 2016, 2015; Colin and Lucia 2016; Colin et al.
2018; Ganesan et al. 2019; Gobieski et al. 2019; Jayakumar et al. 2014; Kortbeek et al. 2020; Lucia
and Ransford 2015; Ma et al. 2017; Maeng et al. 2017; Maeng and Lucia 2018, 2019; Ransford et al.
2011; Ruppel and Lucia 2019; Van Der Woude and Hicks 2016].
The proliferation of diverse intermittent execution models presents a developer with a confusing
space of implementation options and raises the question of how to specify and compare the
behavioral properties of different systems. Models differ subtly, and a program written for one
model may make assumptions not met by another. Moreover, no existing software or hardware
system has clear, formally defined behaviour. Such a characterization and formalism is a key building
block for defining and proving correctness properties, developing tools to find and fix intermittence-
specific bugs, and understanding the fundamental similarities and differences between models.
The lack of specifications of intermittent systems is a key impediment to their deployment in
applications that demand high reliability or security.
In this work, we lay the groundwork for provably correct intermittent computing by formalizing
the semantics of several classes of intermittent execution models, focusing on the foundational
correctness issue of ensuring memory consistency in the presence of non-deterministic input opera-
tions. Figure 1 (b) provides an overview of our contributions. An intuitive correctness property
is that an intermittent execution’s behavior should be equivalent to some continuously-powered
execution. Prior work [Surbatovich et al. 2019] has shown (confirmed by our formalism) that a
majority of existing intermittent systems do not satisfy a reasonable correctness condition in the
presence of input operations that may change as a program runs intermittently. We articulate
the changes to the execution model that are necessary to correctly handle the behavior of input
operations in an intermittent execution. We start by formalizing a checkpoint-based intermittent
execution model based on DINO [Lucia and Ransford 2015]. A checkpoint model saves important
state during execution and, after a power failure, restarts from that point in the execution by
restoring the checkpoint on reboot. We then formalize the behavior of variants of checkpoint-based
systems [Van Der Woude and Hicks 2016], including both redo- and undo-logging checkpoint
strategies, and a task-based execution model [Maeng et al. 2017]. We relate these systems via
bi-simulation, showing that the correctness properties of one system hold for the others. Finally,
we propose a new checkpoint-based intermittent execution model that provably handles input
behavior correctly, while allowing re-execution of inputs (crucial for data freshness). As far as we
know, we are the first to propose such an execution model.
We acknowledge that intermittent systems are similar to systems that handle crashes and failures
in file systems or databases [De Kruijf and Sankaralingam 2013a; Izraelevitz et al. 2016a; Koskinen
and Yang 2016], but there are key differences. As intermittent execution targets highly resource-
constrained, embedded systems, and failure is inevitable and frequent, the checkpoint and recovery
mechanisms are typically implemented to save and restore the least state possible. Additionally, the
correctness of the system depends on the state of both the volatile and non-volatile memory, and
programs are often driven by non-deterministic sensor inputs. Existing formalisms for verifying
crash consistency typically do not model the internal state of the recovery mechanism [Koskinen
and Yang 2016], which is necessary to capture the behaviour of the systems we model, model
nonvolatile state only [Chen et al. 2015; Sigurbjarnarson et al. 2016], or do not explicitly model
peripherals. These differences mean that existing automatic verifiers or logic frameworks [Chen
et al. 2015; Koskinen and Yang 2016; Ntzik et al. 2015; Sigurbjarnarson et al. 2016] are not directly
suitable for analyzing intermittent execution models, though the correctness specifications and
invariants that we identify are useful for extending such tools to work for intermittent computing.
Identifying such invariants for the correctness proofs is nontrivial. These invariants deepen our
understanding of intermittent systems. This work is the foundation for formalizing more complex
Foundations of Intermittent Computing 3
4  5
St
o
re
d
En
er
gy
Time
W
A
R
 
Pr
o
b
le
m
R
IO
 
Pr
o
b
le
m
x := y 
y :=5
x := y 
y :=5
x := IN()
if x > 5:
y := 5
x := IN()
if x > 5:
y := 5
x  y x  y 
5 5
x  y 
0  4
x  y x  y 
6  5 3  5
x  y 
0  4
on, 
executing 
off, 
charging
Chkpt war Chkpt war
x := IN()
if x > 5:
y := 5
x := IN()
if x > 5:
y := 5
x  y x  y 
6  5 3  4
x  y 
0  4
Chkpt 
war & rio
intermittent 
exec. state
continuous 
exec. state
reboot
n  n memory3
5
7
6
8
(a) background (b) novel to this work
Chkpt Task 
9
Chkpt 
war & rio
n
paper 
section
Σ Σ′ Σ′′ 𝜎
Σ
𝜎
4
Fig. 1. (a) The intermittent execution model. Re-executions can result in an inconsistent memory state due to
write-after-read dependencies and repeated input operations. (b) We provide a formal correctness theorem,
prove equivalence between systems, and implement a runtime with a provably correct algorithm
intermittent behaviour, including event-driven and reactive execution [Ruppel and Lucia 2019;
Yildirim et al. 2018], or guaranteeing forward progress. We make the following contributions:
• A novel, formal intermittent execution model with inputs, a correctness theorem, and sufficient
conditions for correctness.
• A provably sound algorithm to collect variables to checkpoint and an implementation for an
existing intermittent system.
• Formalized variants of intermittent-execution models and proofs of the equivalence of these
systems via bi-simulation.
• An experimental evaluation of our algorithm implementation on real hardware showing that our
technique has low time and space overheads while requiring little to no programmer effort.
Due to space, we relegate detailed formalism and proofs to the technical appendix (TR).
2 SCOPE AND RELATEDWORK
Fully specifying intermittent system behaviour requires reasoning about diverse properties. These
properties include memory consistency, forward progress, timeliness, and correct handling of
concurrency. Our paper addresses memory consistency. An intermittent program that is guaranteed
to finish and always processes only fresh data is incorrect if it operates on a memory state incon-
sistent with any continuous execution of the program. While we focus on memory consistency,
we can extend the formalism to cover other correctness properties in the future. In the remainder
of this section, we describe these other properties at the high level and sketch what extensions
are necessary for our framework to capture these properties. We then discuss how our framework
relates to existing research, particularly in intermittent computing and verified crash consistency.
2.1 Scope: what the paper is not about
We focus on memory consistency with re-executed inputs. Reasoning about other desirable prop-
erties presupposes that the underlying system memory is correct. As intermittent applications
are often sensor-driven, ensuring correctness with input operations is paramount. The full set of
properties mentioned above is a long term goal that can be reached by building on top of our current
framework. Each additional piece requires nontrivial theoretical and implementation components.
Forward progress To make forward progress, a program executing intermittently must be able
to execute the region between any two adjacent checkpoints (or any task) with the amount of
4 Milijana Surbatovich, Limin Jia, and Brandon Lucia
energy in the device’s buffer. Otherwise the program will get stuck, partially executing the region,
recharging energy, and rebooting forever. Current intermittent systems assume that the largest
task or checkpoint region will be cheap enough to finish [Maeng et al. 2017; Van Der Woude and
Hicks 2016]. Our correctness theorem is sound relative to this assumption and does not itself prove
forward progress. Formalizing and guaranteeing forward progress requires a persistent energy
model, which is likely to be complex because the amount of energy a sequence of instructions
consumes depends on the state of the entire board, not the processor alone. A region between
checkpoints could finish on a processor in isolation, but may not if, e.g., the radio is enabled.
CleanCut [Colin and Lucia 2018] is a compiler tool that provides a probabilistic energy model to
guide programmers in sizing tasks, but it offers no guarantees and does not consider the full state of
the board. Samoyed [Maeng and Lucia 2019] allows programmers to specify cheaper alternatives to
algorithms that the system can switch to at runtime, if it seems a program is not making progress.
TimelinessAs power can be off for an arbitrary period of time, sensor data collected before a power
failure can be stale and useless after a reboot. To avoid processing stale data, prior systems have
either required external persistent timekeepers [de Winkel et al. 2020; Hester et al. 2016] so that a
programmer can specify explicit timing annotations that the system can check at runtime [Hester
et al. 2017; Kortbeek et al. 2020], or required that the programmer place sensor calls and uses
requiring fresh data in the same checkpoint region or task. We assume the latter approach in
this work, and find that while it allows timely processing of data, it also introduces memory
inconsistencies, making current systems that take this approach incorrect. Our formalism aids us
in developing a runtime that allows consistent re-execution of inputs.
Guaranteeing timely consumption of data requires additional language and type constructs to
specify which inputs and uses are time-critical, along with either static checking algorithms to
disallow programs that may incorrectly consume stale data or additional runtime mechanisms to
ensure that a program will not consume stale data.
Concurrency While most current intermittent systems use single-core micro-controllers and
have no parallelism, recent work [Ruppel and Lucia 2019] supported interrupt-based concurrency
through transactions. Modeling concurrency requires modeling interrupts and asynchronous events
and updating the language with synchronization commands.
2.2 Related Work
The ideas presented in this paper are related to work in intermittent systems, fault tolerance and
crash consistency in files systems, and formal persistent memory models. We first discuss the most
related works in verified crash consistency and persistent memory models, and then how our work
relates to existing intermittent systems, particularly those that deal with inputs or reactivity.
Crash consistency The failure and recovery problems of intermittent systems are similar to those
of crash consistency on concurrent programs and file systems. A file system can crash at any time
and must not exhibit unspecified behaviour after recovering. Developing formal specifications and
verifiable file systems is an important research goal [Joshi and Holzmann 2007], particularly to
guarantee correctness in the presence of crashes [Bornholt et al. 2016; Chen et al. 2015; Ernst et al.
2016; Ntzik et al. 2015; Schellhorn et al. 2014; Sigurbjarnarson et al. 2016].
Bornholt et al. [Bornholt et al. 2016] create a framework for generating crash consistency models.
A crash consistency model specifies the allowed behaviour of a file system across crashes. Their
crash consistency theorem relates the crashy fs trace to a canonical program trace with no crashes.
In contrast, as we model non-deterministic sensor inputs, there is no single canonical trace even for
executions with no crashes. The model consists of litmus tests and an operational semantics of the
Foundations of Intermittent Computing 5
file system that models both volatile core state and durable disk state. Our semantics additionally
model checkpoints.
The verification tool Yggdrasil [Sigurbjarnarson et al. 2016] uses crash refinement to aid program-
mers in developing verified file systems. Programmers must write specification and consistency
invariants of their system. Then the verification is process is modular, allowing developers to swap
in different implementation of system components as long as they meet the specification. The
focus of our work is on defining correct specifications of intermittent system behaviour, including
whether different implementations are in fact equivalent. While our correctness theorem is similar
to crash refinement, we do not use Yggdrasil to verify our specifications as Yggdrasil uses file
system abstractions, e.g., inode layouts and disc models, that don’t apply to intermittent systems,
which interact directly with memory. We additionally model the effects of inputs.
Crash Hoare Logic (CHL) [Chen et al. 2015] and fault-tolerant resource reasoning [Ntzik et al.
2015] are proof automation tools that extend Hoare triples with crash conditions to verify file system
implementations. Using CHL has a high programmer proof burden because the programmer must
specify the correctness invariants and recovery procedures and prove the recovery procedure correct.
Thus, a large portion of our work is a prerequisite to using CHL; we define intermittent correctness
invariants, which is non-trivial. We additionally show that existing recovery procedures are in fact
incorrect. Using CHL for proof automation once we have defined intermittent correctness is not
immediately possible as CHL does not provide primitives for checkpoints and only explicitly models
non-volatile state, not the mixed-volatility state typical on an intermittent system. Additionally, the
crash conditions for the Hoare triples should capture the intermediate states at which a crash could
occur, and must be specified for every procedure. For a set of file system procedures, capturing these
intermediate states is not onerous, as each procedure interacts with only a few blocks of the disk.
In contrast, we model intermittent execution traces of programs, which makes enumerating crash
conditions complicated and time-consuming. Ntzik et al. [Ntzik et al. 2015] do consider both volatile
and non-volatile resources, though they also require enumerating the non-volatile states possible
after a procedure crashes. The authors use their framework to prove the soundness of an ARIES
recovery mechanism. They model updates to the durable state at page granularity, and undoing a
transaction requires rolling back all updates to pages modified by the transaction. In contrast, the
intermittent systems we model are designed to roll back the minimum set of updates necessary to
(ostensibly) guarantee correctness. Neither of these frameworks model non-deterministic sensor
inputs.
Unlike the works above, which deal with verifying the file system itself, Koskinen et al. [Koskinen
and Yang 2016] automatically verify crash recoverability at the program level. Our approach is
most similar to this work. Our correctness theorem is similar, defining correctness in terms of
a simulation relation and observational equivalence between the continuous and intermittent
executions. In contrast to our work, this model assumes that underlying system operations will
be correct. Their method analyzes control-flow and reduces crash recoverability to reachability: if
control-flow cannot reach an error state, it will be correct. The definition of a recovery mechanism is
that given a stateqk in the original program, after a crash the mechanism brings the program back to
qk after transitioning through some recovery states. While this is clearly the desired behaviour of a
recovery mechanism, this definition does not consider the internal state of the recovery mechanism
and is not expressive enough to capture the behaviour of existing intermittent checkpoint systems.
After fully executing the recovery procedure, an intermittent program is not in an equivalent state
to before the crash. Identifying what differences are allowable in the recovered state so that further
execution eventually brings the program to a consistent state is a key contribution of this work.
Persistentmemory formalisms Persistent memory has been used for whole systems [Narayanan
and Hodson 2012], entirely non-volatile processors [Ma et al. 2015a,b], and heap structures [Coburn
6 Milijana Surbatovich, Limin Jia, and Brandon Lucia
et al. 2011; Volos et al. 2011]. There are formalisms exploring persistency models [Pelley et al. 2014,
2015] for reasoning about data on non-volatile systems and parallel persistency [Blelloch et al.
2018]. Other work looks at defining linearizability [Izraelevitz et al. 2016b] for persistent objects on
concurrent systems. While these are useful correctness properties, current intermittent hardware
is single-core and has no thread-level concurrency.
Weak persistency semantics have been formalized for TSO memory models [Raad and Vafeiadis
2018], for ARMv8 [Raad et al. 2019a], and for Intel x86 [Raad et al. 2019b]. In [Raad et al. 2019a],
the authors introduce a declarative semantics for reasoning about persistency. Among memory
persistency formalisms, our approach is most similar to this one, but we are at a higher level;
there are differences in scope and the language features provided. These persistency models reason
about the allowable differences between the order in which instructions execute and the order they
persist to memory on multi-threaded programs. This scope introduces (needed) complexity into
the declarative semantics, but the devices we target do not have multi-threading and expose no
difference between execution and persist order. We do not currently benefit from this complexity,
but in future work we may need to integrate with these models to guarantee assumptions, e.g.,
checkpoint atomicity, that are currently upheld by the simple hardware. Moreover, our modeling
language provides inputs and checkpoints.
Runtime systems for crash consistency Runtime systems that attempt to provide crash consis-
tency on database systems have similar functionality to runtime systems for intermittent execution,
but generally do not provide re-execution of inputs, necessary for data freshness.
JustDo logging [Izraelevitz et al. 2016a] targets hybrid persistent systems. JustDo explicitly avoids
re-executing code for better performance. iDo [Liu et al. 2018], also targeting hybrid systems, identi-
fies idempotent instruction sequences to reduce the number of locations to be logged. Idempotence
has also been used as a correctness criterion for fault tolerance in distributed systems [Ramalingam
and Vaswani 2013]. Idempotent processing [De Kruijf and Sankaralingam 2013b; de Kruijf et al.
2012] has been posed as an alternative recovery mechanism to checkpoint-logging and re-execution,
but does not allow re-executing inputs, which sometimes is necessary for intermittent systems to
provide fresh sensor readings.
Other work [Ben-David et al. 2019] provides a construction to automatically make accesses
to shared memory and algorithms persistent. Intermittent systems need all executing code to be
checkpointed or in transactions, not just shared data structures.
Runtimes for Intermittent Systems In this paper, we explicitly model DINO [Lucia and Rans-
ford 2015] as a basic checkpointing system, Ratchet [Van Der Woude and Hicks 2016] for the
idempotent region variant, Alpaca [Maeng et al. 2017] as an example of task-based redo logging,
and Chinchilla [Maeng and Lucia 2018] for undo logging. Hibernus [Balsamo et al. 2016, 2015]
is a just-in-time checkpoint system that dynamically inserts checkpoints and does not re-execute
code, but suffers timeliness violations. Mayfly [Hester et al. 2017] is the first work to describe the
timeliness problem and implements a programming model to enforce timeliness using an external
timekeeper and explicit programmer annotations. Capybara [Colin et al. 2018] is a reconfigurable
energy-harvesting platform that allows flexible atomicity and reactive events. Homerun [Kang et al.
2018] also explores atomicity for I/O events. Coati [Ruppel and Lucia 2019] and InK [Yildirim et al.
2018] explore event-driven intermittent systems. None of these works provide formal definitions
or guarantees of correctness for either memory consistency or timely processing of inputs.
EDB [Colin et al. 2016] and Ekho [Zhang et al. 2011] are frameworks for debugging intermittent
systems, and ScEpTIC [Maioli et al. 2019] is a tool for detecting bugs caused by write-after-read
patterns. The EH Model [Miguel et al. 2018] provides a way of reasoning about the architectural
and software consequences of energy availability and intermittent system design choices.
Foundations of Intermittent Computing 7
Dahiya et al. [Dahiya and Bansal 2018] create a formal model for verifying via translation
validation that instrumented intermittent programs are equivalent to continuous ones. They do not
consider repeated input operations or how checkpoints must behave for programs to be correct.
Inputs on intermittent systems IBIS [Surbatovich et al. 2019] identifies and characterizes bugs
caused by repeated inputs in intermittent systems. The authors provide only a bug detection tool,
not a correct runtime system, nor formal correctness invariants. We provide a formal proof of a
sound version of the algorithm the authors use in their tool, as well as a correct runtime system.
We discuss in detail the differences and similarities of the algorithm presented in this paper versus
the algorithm in the IBIS tool in Section 9.3.
Developed most recently, TICS [Kortbeek et al. 2020] is a runtime system that uses an external
timekeeper and programmer annotations to avoid consuming stale data. Rather than regather data,
the runtime reruns expiration checks after rebooting, so that any stale data will not be processed.
This approach avoids any consistency errors associated with re-executing inputs, but can also
miss processing any input events if power failures are frequent. Moreover, this approach requires
external time-keeping hardware.
Samoyed [Maeng and Lucia 2019], Sytare [Berthou et al. 2017] and RESTOP [Rodriguez Arreola
et al. 2018] look at retaining the peripheral state of input devices, not at memory correctness issues
caused by repeated input operations.
3 BACKGROUND ANDMOTIVATION
Our work is motivated by emerging intermittent execution models and their varied correctness
definitions. In this section, we review the fundamentals of checkpoint-based intermittent execution
and show by example how existing models are not correct in the presence of input operations. Any
intermittent execution model must ensure forward progress and preserve state. An intermittent
execution progresses only when energy is available. Power fails when energy is exhausted, erasing
the device’s execution context and volatile state, including registers and all data stored in volatile
memory. By default, the system then restarts from the start of main() and naively-written code
makes no forward progress. To make progress, an intermittent system can periodically save its
execution context and restart from that execution context on reboot; a common mechanism for
saving state is a statically placed checkpoint. A checkpoint is an operation that stores some memory
state and execution context in non-volatile memory, preserving it across a power failure [Balsamo
et al. 2016, 2015; Jayakumar et al. 2014; Lucia and Ransford 2015; Maeng and Lucia 2018; Mirhoseini
et al. 2013; Ransford et al. 2011; Van Der Woude and Hicks 2016].
To be correct, an intermittent execution should generate the same result as a continuous execution.
Multiple partial executions followed by a complete execution should have the same behaviour as
some continuous execution. Code between checkpoints must execute idempotently. Unfortunately,
a checkpoint system that saves only volatile execution context and volatile memory [Ransford
et al. 2011] may be incorrect. Prior work [Lucia and Ransford 2015; Van Der Woude and Hicks
2016] identified that write-after-read (WAR) dependencies on non-volatile locations cause non-
idempotent behavior and adjust the checkpointed data accordingly. We next discuss how WAR
dependencies cause problems.
3.1 Write-after-Read (WAR) Dependencies
An intermittent execution may produce an incorrect result if the execution writes a value into
non-volatile memory before a power failure and the execution reads that updated value after
rebooting. Consider the example shown in Figure 2 (a). On the left of the figure is a small program.
The next column shows execution traces illustrating the WAR problem. In the initial execution, the
branch at line 1 is taken. After executing through line 4, there is a power failure. The column then
8 Milijana Surbatovich, Limin Jia, and Brandon Lucia
shows the re-execution of the code. The re-execution assumes that the checkpoint restores only
volatile state (i.e., control state) and retains non-volatile variables’ values. This time, the execution
completes and yields state N ′4 . A continuous program would finish with the memory in state N4.
The state in N ′4 contains a different value for x . The re-execution does not idempotently update x
because x depends on w . When the re-execution reads w into x at line 2, the read produces the
(incorrect) value ofw written before the power failure. The example shows that the re-execution is
non-idempotent becausew is involved in a WAR dependence, which we call aWAR Variable.
0  ckpt
1  if a > 0
2  then x:=w; 
3           w:=5; 
4           b:= 2
5  else b:=3; 
6          i = IN(); 
7          if i > 1
8          then x:= 6;
9                   y := 7; 
10                 b :=9
11        else x:=z; 
12                 z:= 8;
13                 w:=5 
0   0   1   2   3   4
0   3   1   2   3   4
0   3   3   7 8   5
0   3   6   2   3   4
0   3   6   7   3   4
0   3   3   7 3   4
0   3   3   7 8   4
0   3   3   2   8   5
0   3   3   2   3   4
0   3   3   2   8   40   3   6   7   3   4
0   3   6   2   3   4
0   9   6   7   3   4
1   0   1   4
1   0   4   4
1   0   4   5
1   2   4   5
1   2   4   5
1   2   5 5
1   2   5 5
1 2 5 5
0   9   6   7   3   4
Initial execution
a   b   x   w
𝑁0𝑡
𝑁2
𝑁3
𝑁4
𝑁′0𝑡
𝑁′2
𝑁′3
𝑁′4
a   b   x   y   z   w
𝑁0𝑓
𝑁10
Possible correct executions
𝑁13
Re-execution
IN() → 0IN() → 2
𝑁𝑖
NV memory
state at line i
Code (a) WAR Problem (b) RIO Problem
Power fail and reboot
Consistent 
Memory
Inconsistent 
Memory
𝑁5
a   b   x   y   z   w
𝑁8
𝑁9
𝑁11
𝑁12
𝑁10
𝑁′13
IN() → 0IN() → 2
a   b   x   y   z   w
𝑁′0𝑓
𝑁′5
𝑁8
𝑁9
𝑁′11
𝑁′12
a   b   x   y   z   w
Initial execution
Re-execution
0   0   1   2   3   4
0   3   1   2   3   4
a   b   x   y   z   w
𝑁0𝑓
𝑁5
0   3   6   7   3   4
0   3   6   7   3   4
Fig. 2. An example program illustrating WAR and RIO problems
To ensure that code containing WAR dependencies executes idempotently, existing checkpoint-
based systems must add potentially inconsistent variables to the checkpoint [Lucia and Ransford
2015; Maeng and Lucia 2018] and restore those variables with the checkpoint after a power failure.
In the example, w is potentially inconsistent because a write to w before the power failure may
be visible to a read after restarting from the checkpoint. At line 0, a checkpoint system needs to
save a version ofw with the checkpoint. Prior work observed that not all WAR dependences lead to
inconsistency [Lucia and Ransford 2015; Maeng et al. 2017; Van Der Woude and Hicks 2016]. Ifw
had been written before being read, e.g. if line 1 was insteadw := 3; if a > 0, thenw need not be
checkpointed. The read on line 1 would always see a consistent value.
CheckpointingWAR variables that are not write-dominated is the current state-of-art in ensuring
idempotent re-execution, which is insufficient for correctness, due to RIOs [Surbatovich et al. 2019].
3.2 Repeated Inputs Cause Incorrect Behavior
Applications that target low-power embedded systems rely heavily on peripheral devices, such as
sensors and radios. A program stores in a variable the result of an input operation. In an intermittent
execution, a program may execute an input operation before a power failure, and then repeat that
input operation after a failure, in both cases fetching a fresh, usable value. However, repeating the
input operation can lead to incorrect behavior when a program’s control- or data-flow depends
on the result of that input operation. We refer to a re-executed input as a RIO: a Repeated Input
Operation that can generate a different value each execution.
Continuing with Figure 2 (b), the columns to the right show how a RIO causes incorrect behavior.
The example now assumes that all variables are in non-volatile memory and that the system now
checkpoints variables involved in potentially inconsistent WAR dependencies at line 0, saving
and restoring w and z. The starting memory N0f has a 7→ 0, so the initial branch is not taken.
Instruction i = IN(); on line 6 reads an input value (e.g., from a sensor). Depending on the sensor
reading, a continuous execution could correctly end with either state N10 or N13.
An intermittent execution may produce a result different from both N10 and N13. Such an
execution may first get an input greater than 1 at line 6, causing the branch at line 7 to be taken.
Power then fails and the program restarts. After the restart, the input is less than 1, and the branch at
Foundations of Intermittent Computing 9
line 7 is not taken. The final state isN ′13, which is inconsistent with all correct, continuously-powered
outcomes because the RIO is not idempotent.
An intermittent execution with inputs is correct if it corresponds to a continuously-powered
execution, regardless of the inputs. Here, the RIO causes different branches to be taken and non-
volatile variable y is written on only one of them. Checkpoint systems that version WAR variables
do not handle y’s RIO problem because y is not a WAR variable. No existing checkpoint or task-based
intermittent execution system correctly handles these non-idempotent RIOs. A correct checkpoint
system must store y’s value at the checkpoint and restore it on reboot. We refer to variables that
are affected by RIOs (e.g., y) as RIO variables. Preventing inputs from re-executing, as by placing
a checkpoint immediately after the operation, is not an adequate solution as some inputs must be
re-executed to be timely [Hester et al. 2017]. This paper fills the gap left by RIOs, formally and with
a practical system implementation that makes intermittent systems robust to RIOs.
4 SYSTEM ASSUMPTIONS AND FORMAL MODEL
We define a language to model checkpoint-based intermittent execution with inputs, providing
the syntax and semantics for both continuously-powered and intermittent executions. First, we
explain the lower-level system assumptions to justify our choice of modeling language.
Target System Assumptions Our target intermittent systems use low-end microcontrollers
(MCUs) such as the TI MSP430FR series [TI Inc. 2014]. These are single-threaded, single-issue, in-
order compute cores. The MCUs have embedded, on-chip volatile SRAM or DRAM and non-volatile
Flash, FRAM, or STT-MRAM. These architectures often lack caches or have only a simple write-
through cache to avoid repeated non-volatile memory accesses. Unlike prior work in persistent
memory targeting more complex architectures [Blelloch et al. 2018; Izraelevitz et al. 2016b; Raad
and Vafeiadis 2018; Raad et al. 2019b,a], we need not reason about concurrency or persist order due
to write-back caches or other microarchitectural optimizations. We thus realistically assume that
execution and persist order are the same and that the compiler never re-orders an instruction past
a checkpoint.
SyntaxOur simple language includes accesses to volatile memory, accesses to non-volatile memory,
and branch statements. We include arrays but omit general pointer arithmetic. We also omit
functions calls and unbounded loops. These omissions do not affect our ability to capture the
behavior of existing intermittent execution models. Existing systems [Lucia and Ransford 2015;
Maeng et al. 2017] do not allow recursive function calls, so any code in a function body can be inlined.
Including general pointer arithmetic would not change the correctness invariants we present, as
the definitions consider memory locations directly, but would complicate the implementation of
any checkpoint algorithm (discussed in Section 9), as the alias sets of the memory locations in the
definitions would need to be tracked as well. Unbounded loops can be handled by extending our
infrastructure with loop invariants, which do not introduce technical difficulties but unnecessarily
complicate the presentation. Though simple, this modeling language suffices to illustrate clearly
the key challenges in defining memory-consistent intermittent execution models.
We summarize the syntax in Figure 3. We write v to denote values, which can be numbers
n, the boolean values true and false, and inputs in(τ ), representing the input gathered at time τ .
Expressions, denoted e , can be variables, values, binary operations of expressions, or an array
element. Array lengths are fixed and all array indices are assumed in bounds; this assumption
is necessary for correctness and memory safety for real C code is orthogonal [Grossman et al.
2002] and beyond our scope. Instructions, denoted ι, consist of assignments to variables and arrays,
checkpointing, rebooting, skip, and synchronous input operations IN(). We write ω to denote the
set of non-volatile variables and arrays that must be saved with a checkpoint to avoid inconsistency.
10 Milijana Surbatovich, Limin Jia, and Brandon Lucia
Values v ::= n | true | false | in(τ ) Configuration Σ ::= (τ ,κ,N ,V , c)
Expressions e ::= x |v | e1 bop e2 | a[e ′] Cont. config. σ ::= (τ ,N ,V , c)
Instructions ι ::= x := e | a[e] := e ′ | x := IN() | Volatile mem. V : M
skip | checkpoint(ω) | reboot(n) Non-vol. mem. N : M
Commands c ::= ι | ι; c | if e then c1 else c2 Context κ ::= (N ,V , c)
Memory loc. loc ::= x | a[n] Read obs. r ::= rd loc v | r , r
Chckpnted loc. ω ::= ω,x , |ω,an Observation o ::= [r ] | in(τ ) | reboot
Mem. mapping M ::= Loc→ Val | checkpoint
Fig. 3. Syntax and Semantic Constructs
I/O-CP-CkPt
(τ ,κ,N ,V , checkpoint(ω); c) checkpoint=⇒ (τ + 1, (N |ω ,V , c),N ,V , c)
I/O-CP-PowerFail
pick(n)
(τ ,κ,N ,V , c) =⇒ (τ + 1,κ,N , reset(V ), reboot(n))
I/O-CP-Reboot
κ = (N ,V , c)
(τ ,κ,N ′,V ′, reboot(n)) reboot=⇒ (τ + n,κ,N ′ ◁ N ,V , c)
Fig. 4. Selected semantic rules
We call these variables checkpointed locations. In the example in Figure 2, checkpoint({w,y, z})
would precede the if statement on line 1, which include both WAR and RIO variables. We write an
to represent all the locations in the array a. That is: each an in ω represents the set of locations
{a[1], · · · ,a[n]}. We often omit the bounds n and write a directly. We assume that checkpoint
operations are manually inserted into code (e.g., like DINO [Lucia and Ransford 2015]). Section B.2
of the TR details the algorithm to compute ω for WAR variables, as in existing systems. Section 7
describes our novel algorithm for computing ω for RIOs. A program is a command c , which is an
atomic instruction, a sequence of instructions, or an if branching statement. We lift all the branches
to the top-level for ease of explanation. Any program with general branching statements can be
re-written to our language and bounded loops can be un-rolled to if statements.
Semantics for Intermittent ExecutionWe focus on intermittent execution semantics. The rules
for continuously-powered execution semantics are standard and can be found in TR Section A.2. First
we define the necessary runtime constructs in Figure 3. Memory is a mapping from a location, which
is either a variable or an array index, to a value. We distinguish between volatile and non-volatile
memory, which are disjoint. The method of specifying where a variable resides varies; systems may
provide abstractions [Colin et al. 2018; Maeng et al. 2017], do automatic compiler analysis [Maeng
and Lucia 2018], or assume that all data is non-volatile [Van Der Woude and Hicks 2016]. A
configuration Σ is a tuple consisting of a timestamp τ , a checkpoint context κ, non-volatile memory
state, volatile memory state, and a command to be executed c . The checkpoint context κ consists
of the non-volatile data, volatile data, and command saved at the last checkpoint. The timestamp
is the logical time at the current configuration. Executing commands and evaluating expressions
generate observations, which are memory reads, input reads, or occurrences of a checkpoint or
reboot instruction. These observations are used for facilitating definitions of correctness.
The semantic rules are of the form: (τ ,κ,N ,V , c) O=⇒ (τ ′,κ ′,N ′,V ′, c ′), where O is a list of
observations. We show rules specific to intermittent execution in Figure 4. The rule I/O-CP-CkPt
states that at a checkpoint, the context κ is updated to include the portion of the current non-volatile
memory whose domain is ω, the current state of volatile memory, and the current command to
be executed. We writem |ω to denote the part ofm, whose domain is ω. The system generates the
checkpoint observation and proceeds to execute the command after the checkpoint. This operation
Foundations of Intermittent Computing 11
|| || ||…
O2O1 On
On
⤋
⤋
⤋
(1) Ends in the same (N, V, c)
⤋
⤋
…
…
Intermittent execution
Continuous execution
Starts from the same (N0, V0, c0)power failure and reboot
checkpoint
(2) On are the same
||
∃
∀
τ2τ
Fig. 5. Illustrating the correctness definition
is assumed to be atomic, implemented at the low-level with an atomic flag update and double
buffering to ensure there is always a valid last checkpoint. The I/O-CP-PowerFail can execute at
any step, as power failures can occur at any time. When power fails, volatile memory is reset, the
current command is lost, and a positive integer n is picked at random for the subsequent reboot
instruction. The system then transitions to reboot. On reboot, I/O-CP-Reboot partially restores
non-volatile memory using the checkpoint. This rule applies even before the first checkpoint is
reached as κ is a piece of memory initialized with the starting V and c and empty non-volatile
portion. We writem1 ◁m2 to denote the memory resulting from updating locations inm1 with the
values of those locations inm2. The reboot restores volatile memory and the command to the values
in the checkpoint’s context. A reboot is added to the observation sequence, and the timestamp
increases to τ +n. The increase captures the idea that a power failure can have an arbitrary duration.
We write N ,V ⊢ e ⇓r v to mean that with memories N and V , expression e evaluates to value v
with observation r . For example, N0f ,V ⊢ w ⇓rdw 4 4 is a sub-derivation when line 2 of the program
in Figure 2 is executed. The rules are standard, so we omit them for space. Finally, we write =⇒ to
denote an intermittent execution, and −→ to denote a continuous execution.
5 FORMALLY CORRECT INTERMITTENT EXECUTION
A program can be executed correctly in an intermittent model if and only if any completed
intermittent execution trace of the program corresponds to a continuous execution, w.r.t. the
program context and the observation sequence. More precisely, comparing an intermittent and
continuous execution, the program contexts, including volatile and non-volatile memory and
the command to be executed must be the same by the end of the program. To show this, we
examine execution segments between checkpoints. Each partial re-execution from a checkpoint can
observe a different value produced by the same input. Consequently, observation sequences from
partial executions are not necessarily prefixes of the same continuous execution. To be correct, the
observation sequence of the final re-execution segment in an intermittent execution must match a
continuous execution with the same input results. We illustrate this in Figure 5. Time advances
from left to right. The top line is an intermittent execution trace. We detail a segment between two
checkpoints, marked by down arrows. Multiple power failures and reboots are present in these
segments, demarcated by red parallel bars. The observed memory reads Oi are shown on top of
the line. For each such intermittent execution, the correctness property dictates the existence of a
continuous execution—the second line—such that the read accesses from the latest reboot to the
checkpoint (On) match the read accesses of that continuous execution. Furthermore, the ending
configuration of both executions at the checkpoint are the same (excepting the extra context κ in
the intermittent configuration). The above holds for all execution segments, including the last.
To formalize this definition, we introduce additional notation and constructs to relate intermit-
tent and continuous program contexts and observation sequences. We define the erasure of the
configuration: (τ ,κ,N ,V , c)− = (τ ,N ,V , c) to relate the configurations at the checkpoints. We next
12 Milijana Surbatovich, Limin Jia, and Brandon Lucia
formally relate the observation sequences.
I-Rb-Base
O ⩽m O
I-Rb-Ind
O ′1 ⩽m O2
O1, reboot,O ′1 ⩽m O2
Cp-Base
O1 ⩽m O2
O1 ⩽mc O2
Cp-Ind
O1 ⩽m O2 O ′1 ⩽mc O ′2
O1, checkpoint,O ′1 ⩽mc O2,O ′2
The rules use ⩽m and ⩽mc to express the prefix requirements of the observation sequence of the
intermittent execution (O1) to the observation of the continuous execution (O2). ⩽m expresses a
relation between an O1 that may include reboots to O2, and ⩽mc expresses a relation between an
O1 that may include both reboots and checkpoints to O2. The key intuition of these rules is that
the observation prefixes of an intermittent execution before a reboot (rule I-Rb-Ind) may rely on a
transient input operation and should be discarded.
The correctness of an intermittent execution model is defined as follows:
Definition 1 (Correctness of Intermittent Execution).
A program c can be correctly intermittently executed if for all τ , N , V , O1 s.t. (τ , ∅,N ,V , c)
O1
=⇒∗ Σ,
where the program in Σ is skip (i.e., the program terminated), then ∃O2,τ2,σ s.t. (τ2,N ,V , c)
O2−→∗ σ ,
τ2 ≥ τ , O1 ⩽mc O2, and σ = (Σ)−.
Figure 6 illustrates the relations in the correctness definition by revisiting the code from Figure 2.
Assume there is a checkpoint immediately preceding the branch on a, which saves the state of
{w,y, z}. Consider a power failure after the assignment to y on line 9, which lasts for 4 timestamps.
The column on the left shows the intermittent execution state and the right shows the continuous
execution state, starting at a later time, time 8. The final state of the executions (N ′5 and N5) are
equal, despite differences in their execution paths and intermediate states. Further, the observation
sequences relate: checkpoint, in(1), reboot, in(9), rd z 3 ⩽mc in(9), rd z 3. There happens to be no
reads before the reboot. If there were, they would not need to match the reads on the right, as they
are not in the final (successful) re-execution. To ensure this correctness property, a checkpointed
set must include bothWAR and RIO variables, which we will explain in the next section.
6 PROVING MEMORY CONSISTENCY
i:=IN()
pick 4
3  in(1)  6  7  3  4
b:=3
y:=7
0    0    1  2  3  4
Intermittent execution Continuous execution
power failure and reboot
checkpoint⤋
b    i x   y  z  w
𝑁0
𝑁4
3  in(1)  6  2  3  4𝑁′0
3  in(1)  6  2  3  4𝑁′1
3  in(9)  6  2  3  4𝑁′2
3  in(9)  3  2  3  4𝑁′3
3  in(9)  3  2  8  4𝑁′4
3  in(9)  3  2  8  5𝑁′5
0  0    1  2  3  4
b    i x   y  z  w
𝑁0
3   0    1  2  3  4𝑁1
3  in(9)  1  2  3  4𝑁2
3  in(9)  3  2  3  4𝑁3
3  in(9)  3  2  8  4𝑁4
3  in(9)  3  2  8  5𝑁5
⤋
b:=3
x:=6
w:=5
i:=IN()
z:=8
x:=z
⤋
𝑁𝑖
memory 
at step i
ckpt
. 
reboot
. 
in(9)
rd z 3
. 
. 
in(9)
rd z 3
. 
. 
. 
. 
Trace
1
2
3
4
8
9
10
11
12
13
in(1)
0
Fig. 6. Illustrating the correctness definition by example
Non-volatile memory updates of an intermit-
tent execution can diverge from non-volatile
memory updates of a continuous execution
in two key ways. A continuous execution up-
dates memory through the writes of a single
execution of the program. An intermittent
execution updates memory through multi-
ple executions of a prefix of the program
and by overwriting some set of non-volatile
memory locations after a reboot. To be cor-
rect, an intermittent execution model must
ensure that any inconsistencies caused by
these different update traces have resolved by the next checkpoint. In this section, we define for
the first time invariants on the checkpointed set and non-volatile memory updates that allow us to
prove an intermittent execution model correct. A runtime system that upholds these invariants
will provably update memory consistently, no matter the algorithm used in implementation.
Foundations of Intermittent Computing 13
6.1 Locations to Checkpoint
The correctness of an intermittent execution model requires restoring at reboot a set of non-volatile
memory locationsω (e.g., {y, z,w} in Figure 6).We refer to theminimal set of potentially inconsistent
non-volatile memory locations as ω† and observe that precisely computing this set is difficult in
general. It is safe to over-approximate ω†. One safe over-approximation is all of non-volatile
memory, ωall = dom(N ), but ωall is inefficient because it requires unnecessarily checkpointing
many variables. Existing systems use ostensibly less conservative over-approximations, such as a
subset of the variables involved in WAR dependence, ωWAR [Hicks 2017; Lucia and Ransford 2015;
Maeng et al. 2017; Maeng and Lucia 2018; Van Der Woude and Hicks 2016], but as we have shown,
this set misses any variables that are inconsistent due to RIOs. Next, we describe how to to check
that all potentially inconsistently written locations are checkpointed. We then define an algorithm
to statically analyze the program and add those locations to the checkpoint in Section 7.
To express that a checkpoint includes the subset of potentially inconsistent variables, we introduce
two judgments: ⊩WAR c : ok, which checks variables inconsistent due to WARs and ⊩RIO c : ok
which checks variables inconsistent due to RIOs. We formally define rules for this judgment here.
Rules for the WAR checking judgment are in TR Section B.1.
Our checking algorithm leverages taint-tracking to find branch operations that depend on an
input, then ensures that if a non-volatile location is written on any path of such a branch, that
location is either written on all paths of the branch or is in the checkpointed set. We call variables
that are written on all paths regardless of inputs must-write variables.
There are two top-level judgments for commands, depending on whether control is currently
input-dependent — i.e., tainted — or not: N ;M ⊩taint c : ok and N ; I ;M ⊩RIO c : ok respectively.
Likewise there are two judgments for instructions: N ;M ′ ⊩taint ι : ok or N ; I ;M ⊩RIO ι : ok. N is
the set of checkpointed variables, I is the set of variables that depend on inputs (control and data
dependence), andM is the set of variables written prior to executing c . The ⊩taint judgment does
not use I as the judgment itself carries the information that control is tainted. The ⊩taint check for
instructions ensures that all writes access checkpointed variables in N or are must-write variables,
which captures how RIOs’ effects may transitively taint variables through dependences. We show
rule RIO-Assign-tainted as an example.
RIO-Cp
ω; ∅; ∅ ⊩RIO c : ok
N ; I ;M ⊩RIO checkpoint(ω); c : ok
RIO-If-NDep
I ∩ rd(e) = ∅ N ; I ;M ⊩RIO ci : ok i ∈ [1, 2]
N ; I ;M ⊩RIO if e then c1else c2 : ok
RIO-If-Dep
I ∩ rd(e) , ∅ M ⊩mstWt if e then c1 else c2 : M ′
N ;M ′ ⊩taint ci : ok i ∈ [1, 2]
N ; I ;M ⊩RIO if e then c1 else c2 : ok
RIO-Assign-tainted
x ∈ (M ∪ N )
N ;M ⊩taint x := e : ok
We explain selected rules for commands. Rule RIO-Cp applies to a command starting with a
checkpoint and checks the remaining command c using the checkpoint’s checkpointed set ω and an
empty I andM . Rule RIO-If-NDep checks a branch that is input-independent. RIO-If-Dep checks
an input-dependent branch , identifying its must-write variables up to the next checkpoint using
auxiliary judgmentM ⊩mstWt c : M ′ (not shown). The resultingM ′ includes variables written on the
path up to the branch ({i, b} in the example) and any variables that must be written on all paths from
the branch ({x} in the example). The key difference between these two rules is that RIO-If-NDep
checks its sub-commands with ⊩RIO and the must-write set M , whereas RIO-If-Dep checks its
sub-commands with ⊩taint andM ′. The intuition for this is that an input-independent branch will
14 Milijana Surbatovich, Limin Jia, and Brandon Lucia
always evaluate the same way. Any variable written will be written on any re-execution, even if it
is not written on all paths. An input-dependent branch may not take the same path, however, so
the sub-command must be checked with the must-write set of all paths from the branch.
Returning to Figure 2, the rules check the if statement at line 7 using judgment ⊩taint . TheM ′ is
{i,b,x}. To satisfy the check, N must include y, z,w .
6.2 Defining the effect of input on execution prefixes
Input can cause an intermittent execution’s memory state to vary across re-executions, behaviour
impossible on a continuous execution. We introduce notation showing how input interacts with a
program execution.O |in denotes the sequence of input values in observation sequenceO . Let "trace"
refer to the sequence of execution states with observations annotated on top of each transition
generated by an intermittent execution. We define Run(σ ,I, c) to be a trace starting at σ , ending
in command c with the input sequence I and without checkpoints. Formally:
Run(σ ,I, c) = {T |T = σ
O
−→∗(τ ,N ,V , c) ∧O contains no checkpoints ∧ I = O |in}
We write Run(σ ,I,CP) to denote the trace ending in the nearest checkpoint. Note that given a
set of inputs, Run(σ ,I, c) is always a singleton set with a uniquely determined trace: inputs already
executed from the previous checkpoint to the current execution point are fixed, and any execution
to the current point with those same inputs will yield the same trace. There are, however, multiple
possible traces from an arbitrary point c to the next checkpoint due to inputs yet to execute.
We write Wt(T ) to be the write set of a trace and FstWt(T ) to be the set of variables written
before they are read in a trace. We define the set of locations that must be written on any input:
MstWt(N ,V , c) = {loc | ∀τ ,N ,V , c,∀I,∀T ∈ Run((τ ,N ,V , c),I,CP), loc ∈ Wt(T )}
The must-write set of the example program is {b,x}. We define the set of locations that must be
first written before being read, no matter the input value, below:
MFstWt(N ,V , c) = {loc | ∀τ ,N ,V , c,∀I,∀T ∈ Run((τ ,N ,V , c),I,CP), loc ∈ FstWt(T )}
This set contains locations in non-volatile memories that are first written (not read) on all possible
runs through the checkpointed region, starting from c . We call the set the must-first-write set, or
MFstWt. In the example program, the MFstWt = MstWt, but the distinction is important as the
must-first-write set will not include variables that have a (non-write-dominated) WAR dependence.
6.3 Invariants Relating Memories
As shown in Figure 6, the non-volatile memories are not always the same. To prove the intermittent
execution model correct, we need to identify relations between the intermittent execution and the
continuously-powered execution configurations. Therefore, we define relations between memories
in intermittent and continuous executions, as illustrated in Figure 7. We relate the memory states
at the same execution point with dashed lines and relate an intermittent execution’s memory state
at any point to a continuous execution’s memory at its initial point with solid lines. These relations
describe how memory locations are allowed to differ, while still converging to the same memory
and observation by the next checkpoint, the key invariant for correctness.
Arbitrary-point Memory Relation (Solid Line)We define the relation of the memory state of
an intermittent execution at an arbitrary point N1 and continuous execution at its initial point N2:
Definition 2 (Related memories between current and initial execution point). Nckpt ,N ,V , c ⊢
N1 ∼ N2 iff dom(N1) = dom(N2), ∀loc ∈ N1 s.t. N1(loc) , N2(loc), loc ∈ Nckpt ∪MFstWt(N ,V , c)
Foundations of Intermittent Computing 15
|| ⤋
⤋
⤋(N3, V3, c3)
⤋
⤋
…
…
intermittent 
execution
continuous 
execution
(𝜅, N0, V0, c0)
power failure 
and reboot
checkpoint
||
⟹
→
(𝜅, N2◁ N, V0, c0)Σ1 ⟹ Σ2 ⟹ ⟹ (𝜅, N'3, V'3, c3)Σ'1 ⟹ Σ'2
𝜅 = (N, V0, c0)
(N0, V0, c0) 𝜎1 → 𝜎2 →
⟹
→
Fig. 7. Illustrating the correctness proofs and invariants
For correctness, all locations that differ between N1 and N2 must be in the checkpointed set
(Nckpt ) or in the must-first-write set of the initial command. The checkpoint reverts writes to
data in the checkpointed set on each reboot. Re-execution after a reboot over-writes each variable
in the must-first-write set because every path to the next checkpoint writes to variables in that
set, regardless of input. In Figure 6, variables b, i,x ,y differ between N0 and N4. Given the initial
memory state, execution always takes the false path from the first branch and always writes b and i .
All paths write x and it is always first written to. Finally, y is checkpointed. Together these actions
reconcile all differences between N0 and N4.
Same-point Memory Relation (Dashed Line)We next define the relation of the memory state
of an intermittent execution N1 and a continuous execution at the same point N2:
Definition 3 (Related memories at the same execution point). τ ,N0,V0, c, c ′,I ⊢ N1 ∼ N2 iff
dom(N1) = dom(N2) and ∀loc ∈ N1 s.t. N1(loc) , N2(loc),
• loc ∈ MFstWt(N0,V0, c)
• let {T } = Run((τ ,N0,V0, c),I, c ′) and the last state of T is (τ ′,N1,V , c ′), loc ∈ MstWt(N1,V , c ′) and
loc < Wt(T )
The relation is parameterized with a timestamp τ and an input sequence I. The relation uses
τ and I to define the singleton set Run(σ ,I, c ′) from the initial point to the current point. The
relation has access to all parameters because at each point in the execution, all prior input values
are already concrete and timestamps are given. Beyond sharing the same domain, the definition
restricts locations that differ between the memories. If such a location is not written from the initial
execution point to the current one, then the location must be in the must-first-write set of the
entire trace and must be written between the current execution point and the next checkpoint. The
intuition is that differing locations must be written to on all possible paths through the remainder
of the trace so that the intermittent and continuous traces converge to the same state. Moreover,
re-execution following any path dictated by fresh input values should not read locations that differ,
which would cause non-idempotent re-execution (i.e., first written to in every execution).
In Figure 6, the continuous and intermittent states differ at corresponding points N0 and N ′0 ,
N1 and N ′1 , and N2 and N ′2 . Starting with N0, the execution writes b, i,x regardless of input. After
stepping to states N1,N ′1 , b cannot differ because the execution from its initial point to the current
point wrote b. After stepping to states N2,N ′2 , i cannot differ because the execution from its initial
point to the current point wrote to i . i’s written value is the same in both executions because we
choose a continuous execution that reads the input at time 9, which the intermittent execution
also reads. x is not yet written, but will be on all paths. At states N3 and N ′3 , all locations must be
the same. x ,b, i have been written between the initial and current execution point and none are
written between the current execution point and the next checkpoint. z is written to on the current
path, but is not in the must-first-write set of the entire trace, nor arew and y.
6.4 Proving Correctness
We prove the following theorem:
16 Milijana Surbatovich, Limin Jia, and Brandon Lucia
Theorem 4 (Correctness). If ⊩WAR c : ok, ⊩RIO c : ok then c can be correctly intermittently executed.
We actually prove a stronger theorem that relates an intermittent execution up to checkpoints
to a corresponding continuous execution. Only at each checkpoint, the memories are guaranteed
to sync up between the two executions.
The proof requires augmenting the semantics with variable taint tracking, dynamically marking
all input-dependent locations. We leverage standard taint tracking semantics rules and omit them
here. The proof follows the structure in Figure 7 and requires the following properties: (1) arbitrary
intermittent configurations relate to the continuous initial configurations, (2) each intermittent
configuration relates to a continuous configuration at the same execution point, and (3), after
reboot, we can switch from the relation illustrated by the solid line to that of the dashed line and
after checkpoint, we can switch from dashed line to solid line.
With properties (1) – (3) established, the proof of Theorem 4 is by induction over the structure of
the intermittent execution trace. First over the number of checkpoints to show that, from checkpoint
to checkpoint, the resulting memories are the same and memory reads are idempotent. For each
segment between checkpoints, we induct over the number of reboots and use the relations in
the previous section to relate memory at each execution step. Note that no existing intermittent
execution model checks ⊩RIO c : ok; none meets a reasonable correctness definition in the presence
of I/O, which is one of the key results of this work. We show the full proofs in TR Section F.6.
7 COLLECTING EXCLUSIVE MAY-WRITES
Given our correctness definition, an intermittent execution model must collect and checkpoint
not only WAR variables, but also RIO variables. Our algorithm identifies a (safe) conservative
over-approximation of this set. If a variable might be written on one side of a branch and not the
other, and the branch condition might change from one re-execution to the next due to a RIO, then
the variable should be checkpointed. In other words, RIO variables are in the exclusive may-write
set for some command c – i.e., the set of variables that may be written on exclusively one side of
some future branch, but that will not be written unconditionally. Using the exclusive may-write set,
a simple rewriting algorithm can transform a program with empty checkpoint sets into a program
that correctly checkpoints RIO variables.
Our algorithm computes exclusive may-write sets, and identifies input-dependent (or tainted)
branches. Given a branch if e then c1 else c2, if e is not (transitively) input-dependent, the branch’s
outcome is the same on every re-execution. The first branch in Figure 2 is never taken under N0f ,
and the write to b happens regardless of line 6’s input; the write is not in the exclusive may-write
set. If e is input-dependent, the branch outcome depends on input and later writes are candidates
for exclusive may-write. In Figure 2, the branch at line 7 is input-dependent and its exclusive
may-write set is {w,y, z}, each of which are written on one, but not both sides of the branch.
Our algorithm uses taint analysis to identify input-dependent branches, and adds to ω exclusive
may-write variables for input-dependent branches.
Collection per instruction. Two sets of rules collect the exclusive may-write set X , must-write
setM , and input-dependent variable set I for instructions: X ;M ; I ⊩RIO ι : X ′;M ′; I ′ and X ;M ⊩taint
ι : X ′;M ′. The⊩RIO rules apply to ι in commands from an input-independent branch and⊩taint rules
apply to ι in commands from an input-dependent branch. The primary distinction for instruction
level rules is that I does not need to be collected in the ⊩taint rules as our branches never merge. We
Foundations of Intermittent Computing 17
explain selected ⊩RIO rules; rules for X ;M ⊩taint ι : X ′;M ′ are similar with taint tracking removed.
X ;M ; I ⊩RIO x := IN() : X ;M ∪ x ; I ∪ x
I/O-Get
I ∩ rd(e) , ∅
X ;M ; I ⊩RIO x := e : X ;M ∪ x ; I ∪ x
I/O-Assign-dep
I/O-dep-clear
I ∩ rd(e) = ∅ x ∈ I
X ;M ; I ⊩RIO x := e : X ;M ∪ x ; I \ x
I/O-Arr-loc
I ∩ rd(e) , ∅
X ;M ; I ⊩RIO a[e] := e ′ : X ∪ a;M ; I ∪ a
All assignments add the variable x toM , since x must be written on the current command. Rule
I/O-Get adds x to I . If any assignment has an expression that reads a value in I , the assigned
location is also added to I , as taint propagates to x (rule I/O-Assign-dep). Conversely, assigning a
location in I to an input-independent expression removes that location from I , effectively clearing
its taint (rule I/O-dep-clear). Propagating taint to an array element would cause the entire array a
to be conservatively tainted. If an array index is tainted, then a is added to X because the written
array element may differ in each re-execution (rule I/O-Arr-loc).
Collection for commands Two sets of rules define collection and rewriting for commands:
X ;M ; I ⊩RIO c −→ c ′ : X ′ and X ;M ⊩taint c −→ c ′ : X ′;M ′, with the same distinction as the ι
rules between ⊩RIO and ⊩taint . These rules compute the exclusive may-write set X ′ and must-write
set M ′ up to a checkpoint in c and rewrite the checkpoint command to use the collected X ′ as
ω. Rewriting an instruction ι directly uses the rules we introduced in the previous paragraph to
collect relevant variants (e.g, X ,M) and rewrites of itself. Much of the complexity for commands is
collecting exclusive may-write and must-write sets from (nested) branches. We show key rules:
I ∩ rd(e) , ∅ X ;M ⊩taint ci −→ c ′i : Xi ;Mi i ∈ [1, 2]
X ;M ; I ⊩RIO if e then c1 else c2 −→ if e then c ′1 else c ′2 : (X1 ∪ X2 ∪M1 ∪M2) \ (M1 ∩M2)
I/O-If-Dep
∅;M ⊩taint ci −→ c ′i : Xi ;Mi i ∈ [1, 2]
X ;M ⊩taint if e then c1 else c2 −→ if e then c ′1 else c ′2
: (X1 ∪ X2 ∪M1 ∪M2) \ (M1 ∩M2); (M1 ∩M2)
I/O-If-Tainted
∅; ∅; ∅ ⊩RIO c −→ c ′ : X ′
X ;M ⊩taint checkpoint(); c −→ checkpoint(X′); c ′ : X ;M
CP-Tainted
I/O-If-Dep applies to an input-dependent branch encountered when control is not yet tainted.
The rule switches from ⊩RIO to ⊩taint in the premises because the condition expression is input
dependent. The exclusive may-write set is the union of exclusive may-write and must-write sets
from each side of the branch, minus the intersection of the must-write sets. I/O-If-Tainted applies
to branches encountered while in ⊩taint This rule must also collect the branch’s must-write set,
which is the intersection of the must-write sets from both sides of the branch, unioned with the
must-write set from before the if statement.
Exclusive-May-Write Collection Example Figure 8 illustrates exclusive may-write collection,
using code from Figure 2. We letter each branch outcome path and number each branch instruction.
Collection begins in the ⊩RIO rule, as the branch is not tainted. For path A, XA is ∅. For path B,
the must-write set is {b, i} before branching on i . We apply ⊩taint rules to paths C and D because
i is input-dependent. XC and XD are empty, MC = {b, i,x ,y}, and MD = {b, i,x , z,w}. Then the
must-write set for branch 2 is the intersection of MC and MD , which is {b, i,x}. The may-write
set of paths C and D is the union of the segments’ X and M sets: {b, i,w,x ,y, z}. The exclusive
may-write set removes variables that must be written on both paths (i.e., {b, i,x}); so X2 = {w,y, z}.
18 Milijana Surbatovich, Limin Jia, and Brandon Lucia
1  2  3  
1  2  5  
1  2  3  
0  ckpt();
1  x := 1;
2  y := 2;
3  z := 3; 
4 ckpt(x,y);
5 a := x; 
6 x := y;
7 y := a; 
8 z := 5;
9 ckpt(y,z);
checkpoint⤋
𝑁 ⊲ 𝑁𝑐
tasks {1:init, 
2:swap,3:rest}
shared {x,y,z}
t1 task_init {
1 x := 1;
2 y := 2;
3 z := 3;
4 toTask(2); }
t2 task_swap {
5 a := x; 
6  x := y;
7 y := a; 
8 z := 5;
9 toTask(3); }
t3 task_rest{…}
(b) Ckpt Redo(a) Ckpt DINO
ℒ5
𝑁𝑐: [𝑥: 1, 𝑦: 2]
(c) Task
tasks 3 : ( 𝑦, 𝑧 , 𝑐𝑟𝑒𝑠𝑡)reboot
Ckpt Code 1  2  3  
x   y  z 
𝑁5
2  2  3  𝑁6
2  1  3  𝑁7
∅
2  1  5  𝑁8
1  2  5  𝑁5
′
2  2  5  𝑁6
′
2  1  5  𝑁7
′
2  1  5  𝑁8
′
𝑁9 2  1  5  
1  2  3  
x   y  z 
𝑁5
1  2  3  𝑁6
1  2  3  𝑁7
1  2  5  𝑁8
1  2  5  𝑁5
′
1  2  5  𝑁6
′
1  2  5  𝑁7
′
1  2  5  𝑁8
′
𝑁9 2  1  5  
𝑁 ⊲ ℒ
ℒ ∶ ∅
Task Code
L1 ckpt();
1   x := 1;
2   y := 2;
3 z := 3;
4 goto L2; 
L2 ckpt(x,y);
5 a := x; 
6 x := y;
7 y := a; 
8 z := 5;
9 goto L3;
L3 ckpt(y,z);
Translated
Ckpt Code 1  2  3  
x   y  z 
𝒯𝑠5
𝒯𝑠6
𝒯𝑠7
𝒯𝑠8
1  2  5  𝒯𝑠5
′
1  2  5  𝒯𝑠6
′
1  2  5  𝒯𝑠7
′
1  2  5  𝒯𝑠8
′
𝒯𝑠9 2  1  5  
ℒ6
ℒ7
ℒ8
ℒ5
′
ℒ7
′
ℒ8
′
ℒ6
′
ℒ9
x  y
∅
2 ∅
2 1
2 1
∅ ∅
2 ∅
2 1
2 1
y  z
∅ ∅
𝒯𝑝5 ∅
𝒯𝑝: ∅
𝒯𝑝6
𝒯𝑝7
𝒯𝑝8
𝒯𝑝5
′
𝒯𝑝7
′
𝒯𝑝8
′
𝒯𝑝6
′
𝒯𝑝9
x  y
∅
2 ∅
2 1
2 1
∅ ∅
2 ∅
2 1
2 1
y  z
∅ ∅
𝒯𝑠 ⊲ 𝒯𝑝⤋ ⤋ ⇝
𝒯𝑙5 ∅
𝒯𝑙𝑉: ∅
𝒯𝑙6
𝒯𝑙7
𝒯𝑙8
a 
1
1
1
𝒯𝑙5
′
𝒯𝑙6
′
𝒯𝑙7
′
𝒯𝑙8
′
1
1
1
𝒯𝑙9 1
∅uninitialized⇝transition
1Ti
m
e
tasks 2 : ( 𝑥, 𝑦 , 𝑐5)𝜔: {𝑥, 𝑦}
𝑁𝑐: [𝑦: 1, 𝑧: 5] 𝜔: {𝑦, 𝑧}
𝑵𝒅 𝑵𝒓 𝓛 𝓣𝒔 𝓣𝒍 𝓣𝒑
Fig. 9. Illustrating the relation of DINO to redo-logging and tasks to translated redo-logging via examples
Collection propagates XB = X2 and the final exclusive may-write set for branch 1 is the union of
those for paths A and B: X1 = {w,y, z}. For this code snippet, {w,y, z} have to be checkpointed.
b := 3
i := IN( )
x := z
z := 8
w := 5
x := 6
y := 7
b := 9
A B
C D
𝑋2 = 𝑤, 𝑦, 𝑧if i >1
if a >0
2
1
𝑋𝐴 = { }
𝑋𝐶 = { }
𝑀𝐶 = {𝑏, 𝑖, 𝑥, 𝑦, }
𝑋𝐷 = { }
𝑀𝐷 = {𝑏, 𝑖, 𝑥, 𝑧, 𝑤}
𝑋1 = {𝑤, 𝑦, 𝑧}
Fig. 8. Example of exclusive may-write set collection.
Inserting ω At a checkpoint, collection in-
serts the exclusive may-write set returned from
rewriting c as ω (rule CP-Tainted). The rules
re-write the command after a checkpoint us-
ing the judgment ⊩RIO , even if control is tainted.
This re-writing is correct because after check-
pointing, the input operation will never be re-
executed and execution is deterministic until
the next input operation.
Correctness of the Algorithm We prove that the collection rules are safe with regard to the
checking rules, which is a condition in Theorem 4.
Lemma 5. If ⊩RIO c −→ c ′ : X then ⊩RIO c ′ : ok.
The lemma states that if a command has been rewritten using the collection algorithm, the
rewritten command is safe with respect to RIOs. Note that separating the collection algorithm from
the checking ⊩RIO c ′ : ok enables modular proofs. A different collection algorithm does not change
the overall correctness proof as long as it can be shown to be safe w.r.t. the checking rules.
8 EQUIVALENCES BETWEEN SYSTEMS
The checkpoint system presented is based on DINO [Lucia and Ransford 2015], but many others
exist. We additionally formalize four alternative implementations—undo logging [Maeng and
Lucia 2018], redo logging, idempotent regions [Van Der Woude and Hicks 2016], and a task-based
execution model Alpaca [Maeng et al. 2017]. Instead of reproving the correctness theorems for each
system, we define and prove a bi-simulation relation between the basic system and each alternative
showing that they are equivalent. While these systems differ in mechanism and performance, the
equivalence result shows that their correctness criteria are the same, allowing us to implement the
algorithm in Section 7 for the more performant Alpaca. We relegate bi-simulation for undo logging
and idempotent regions to TR Section D, as DINO implements a conservative form of undo-logging,
and idempotent regions differ from the basic model by constraints on checkpoint placement.
Foundations of Intermittent Computing 19
8.1 Redo Logging
State restoration can be implemented with redo-logging, which works by logging memory updates
during execution and committing the log to memory upon reaching a checkpoint. A redo logging
context κRL is of the form (L,V , c,ω), where L is a log and ω has the same meaning as before.
We illustrate the key behaviour of redo-logging and its relation to the basic model in Figure 9.
Ckpt Code is a simple program that initializes the variables x ,y, z, checkpoints {x ,y}, swaps their
values using a volatile variable a, and takes another checkpoint before continuing with the rest of
the program. Columns (a-c) on the right show the program’s state at each point in the execution.
Column (a) shows the execution of the basic model starting from the checkpoint at line 4. Column
(b) shows a redo-logging execution. Volatile memory V and command c are equivalent at each step
and omitted. DINO starts with Nc containing the values of x ,y at the checkpoint. Redo-logging
starts with an empty log and ω = {x ,y}. In any checkpoint region, the domain of the log will be ω.
If the program contains an assignment to a non-volatile location inω (lines 6,7), the update is placed
directly into the log, leaving non-volatile memory untouched. Otherwise the variable is updated
directly in non-volatile memory (line 8). On reboot, the redo log clears but leaves non-volatile
memory untouched, as all updates to locations in ω reside in the log only. The basic model updates
non-volatile locations in ω to the values from the checkpoint. As the program re-executes, updates
to locations in ω are redone, either directly to non-volatile memory (a) or to the log (b). When
the program reaches the next checkpoint on line 9, the Redo model applies the log to non-volatile
memory, committing the changes.
A key part of the bi-simulation relation between DINO and redo-logging is that if the value
of a location in redo-log non-volatile memory Nr is not equal to the same location in DINO’s
non-volatile memory Nd , then that location is in the domain ofω and therefore in the log. The value
in the log is equal to the value in Nd , as both reflect its latest update. Consequently, Nd = Nr ◁L. At
reboots and checkpoints L is empty, and the non-volatile memory, volatile memory, and command
of both models are equal. We formalize this relation and prove bi-simulation in TR Section D.4.
8.2 Task-Based Systems
Task-based systems [Colin and Lucia 2016; Colin et al. 2018; Hester et al. 2017; Maeng et al. 2017;
Ruppel and Lucia 2019] require the programmer to structure an intermittent program as a series
of transaction-like tasks. Updates within a task are not be visible to other tasks (including re-
executions of the same task) until the task commits. Task semantics rely on either undo or redo
logging. The key differences between checkpoint- and task-based systems are in their memory
abstraction and control structure.
Task code has no checkpoints. A special instruction toTask(i) ends the current task, transitioning
to task i . A task-based program is a series of tasks. The context is augmented with a mapping T ,
from task IDs to a checkpoint set ω and command for the corresponding task. The context κTSK for
intermittent execution is a pair (T , i) consisting of the task map and the ID of the current task.
Instr. ι ::= · · · | toTask(i) Commands c ::= · · · | goto ℓ
Task Map T ::= · |T , i 7→ (ω, c) Code context Ψ ::= Ψ · | ℓi : checkpoint(ω); c
The task-system has a memory abstraction of task-shared memory Ts, task-local memory Tι, and
task-private memory Tp. A programmer assigns variables accessed in multiple tasks to task-shared
memory and variables used only in a single task to task-local. Task shared memory must be non-
volatile, and task-local can be split into volatile and non-volatile sections, TιV and TιN respectively.
Task-private variables are hidden from the programmer and used to implement logging. A task
must initialize task-local variables by writing them before reading them. Like basic checkpoints, the
command in each task is well-formed given the checkpoint set: ω ⊩WAR c : ok and ω ⊩RIO c : ok.
20 Milijana Surbatovich, Limin Jia, and Brandon Lucia
To prove equivalence between a task-based and a checkpoint-based system, we first translate task
transitions to checkpoint commands. We augment the basic language with a goto command and a
code context Ψ that includes a set of labeled program points, each beginning with a checkpoint.
Correctness still holds; extending the main proofs is trivial as goto does not change memory. We
specify a translation relation from tasks to a redo-logging code context, written T { Ψ. The key
idea is that each task can be translated to a checkpoint followed by the translated task command:
i 7→ (ω, ct ) { ℓi : checkpoint(ω); cr . Here cr = ⟦ct⟧ and task transitions are translated to gotos:
⟦toTask(i)⟧ { goto ℓi . The translation of the rest of the constructs recursively translates the
sub-terms and returns the same construct when an instruction is reached. We show a task-based
version of the program to swap x and y and its translation to a checkpoint program in Figure 9. The
program is a series of three tasks: init, swap, and rest. The variables x ,y, z are shared between
the tasks. Variable a is local to task swap. To translate the program, each toTask is replaced by a
goto whose label points to a checkpoint followed by the translated command of the task.
Using these constructs and the translated program, we relate a configuration of a task-based
system to that of redo-logging. Column (c) shows the execution of the task program; the redo-
log execution of the translated program is the same as in column (b) , as the only difference to
the original Ckpt code is the addition of the blue goto instructions. The redo-log L and Tp are
equivalent. Any updates to locations in ω will be placed into Tp, not Ts. If Tι is entirely volatile,
then Ts and Nr will also be equivalent. Otherwise, if a is stored in a non-volatile location, then Nr
will be equal to the union of Ts and TιN . If a in a volatile location, TιV will be equal to the redo
log volatile memory, once a has been initialized. This qualification is necessary as TιV is cleared on
reboot (after line 8), whereas redo logging restores the checkpointed volatile memory. Translated
commands will always be well-formed w.r.t. task-local memory, however, so there can be no read
to a volatile memory location before it is initialized. Thus any memory accesses on the two systems
will be equivalent. This property does not hold for any arbitrary redo-log program; consider a
redo-log program where the assignment to a occurred before the checkpoint — the first access to a
after the checkpoint would be a read. At line 9, task swap transitions to task rest. A task transition
commits Tp to Ts, resets Tp, and transfers control to the specified task, switching the task reference
in the context to the new task. The translated program jumps to the label L3, corresponding to
the command checkpoint(y, z); ⟦crest⟧. When it executes this checkpoint, it updates Nr with the
log and the clears the log. As Tp and L are equivalent, the updated non-volatile memory is still
equivalent to the union of the task-shared and non-volatile task-local memories. Furthermore, as no
writes are left to occur,Vr = TιV . We formalize this relation and prove equivalence in TR Section E.
9 IMPLEMENTATION
We implemented the exclusive may-write (EMW) collection algorithm in Section 7, which consists
of both write-set collection and taint-tracking, and combined its output with Alpaca’s runtime
system, yielding an intermittent execution runtime with safe access to I/O. We built two variants:
EMW, which backs up EMW sets for all branches (correct, but conservative), and taint-optimized
EMW, which calculates the EMW set for only input-dependent branches. EMW requires no code
changes, but backs up some unnecessary variables. Taint-optimized EMW requires very minor code
changes to annotate input operations, but backs up a smaller, far less conservative variable set.
9.1 System
We implemented EMW collection in LLVM [Lattner and Adve 2004] and to Alpaca, we added
support to back up EMW variables. Alpaca is a task-based system and can use either undo or redo
logging [Maeng et al. 2019]. As Section 8 shows, a task-based program translates into an equivalent
Foundations of Intermittent Computing 21
checkpoint-based program with either style of logging. We use undo-log Alpaca since it is the most
efficient Alpaca variant.
9.2 Limitations due to C Features
The algorithm in Section 7 is sound for our simple modeling language. However, Alpaca extends
C, which has several features not present in the modeling language, such as merging branches,
arbitrary pointers, and non-recursive functions (which do not checkpoint state), leading to a
few differences between the formal statement of the algorithm and the implementation. Merging
branches and functions do not require changes to the algorithm. All paths can be explored even if a
branch merges A write in an unconditionally executed block will execute on all paths and be in the
must-write set. Functions are treated as inlined, leveraging the lack of recursion.
Taint tracking Pointers and functions complicate taint tracking. Taint-optimized EMW collection
is sound only if taint does not propagate indirectly, as through pointer arithmetic (e.g., y points
to N , the address of a tainted location, x points to N − 1, x + +. The algorithm would miss that x
points to a tainted location). Our implementation propagates taint through function parameters
and return values. A call with a tainted parameter taints the corresponding argument. A tainted
return value taints the store of the return value in the function’s caller. A function may taint a
reference parameter, and our implemented algorithm taints the corresponding parameter in the
function’s caller (similar to [Surbatovich et al. 2019]). These aliasing limitations of taint tracking
do not affect the soundness of taint-agnostic EMW collection, and none of our test programs had
indirect taint propagation, which would compromise soundness.
Write set collection To compute write sets, we assume that task-shared variables must be stored
to directly, and cannot be aliased through a task local pointer. All Alpaca applications followed this
behaviour. This direct access of task-shared variables allows the algorithm to compute may and
must write sets precisely, apart from arrays. This limitation is due to our prototype implementation
and is not inherent to the formal algorithm. To extend the prototype to compute safe EMW sets
with complex aliasing, must-write sets should include must-alias only, and may-write sets should
include may-alias locations. As in the formal algorithm, any array written to on a tainted branch is
conservatively (safely) put into the EMW set.
9.3 Algorithm Implementation
We implement taint tracking as a fixed-point dataflow analysis, propagating data taint in a tra-
versal. At the end of each traversal, the algorithm examines any instructions that introduced
inter-procedural dataflow, and adds any new sinks to a worklist from which to start future traver-
sals. When no new inter-procedural flows are identified, the algorithm is at a fixed point and stops.
The analysis returns a list of tainted instructions. As we mentioned earlier, we could under-taint,
though we did not observe any under-tainting.
EMW collection is a separate analysis directly implemented from our formal description. Taint-
enabled EMW collection narrows the scope of the analysis, using the taint tracking analysis result
and calculating the EMW sets for conditionals that are tainted only. EMW collection returns a map
from a function to its computed EMW sets.
We modify Alpaca’s undo-logging compiler analysis to use the EMW set information. Alpaca
maintains a per-function set of WAR variables to undo-log in their called task. We modify Alpaca
to include a function’s EMW set with the function’s WAR variables, which are then passed together
to Alpaca’s existing undo-logging instrumentation pass, which allocates undo log storage, creates
checkpoint metadata, and adds undo-logging instrumentation.
22 Milijana Surbatovich, Limin Jia, and Brandon Lucia
Comparison to IBIS’ algorithm The specification of the algorithm in IBIS is unsound. Even
assuming perfect pointer aliasing and taint propagation, IBIS could still miss bugs. IBIS detects RIO
bugs by calculating the may-write sets of paths off tainted branches and comparing them. If the
may-write sets are equal it reports no bug. Consider if(tainted e) x := 1; if(e2) y := 1 else z := 1;
else x := 1;y := 1; z := 1. IBIS would report no bugs as the may-write sets are the same, but y and
z are in the EMW set and thus potentially inconsistent. Additionally, conservatism, whether due
to implementation decisions such as aliasing or inherent in static analyses (such as opaque path
conditions) hampers the usability of IBIS. Any variable falsely identified as potentially inconsistent
generates a confusing false-positive bug report that the programmer must reason through, whereas
the EMW runtime safely adds it to the checkpoint at little runtime cost.
10 EVALUATION
The goal of the evaluation is to show that modifying Alpaca to correctly support input operations
is practically efficient. We evaluate Alpaca’s baseline system, a variant that checkpoints all data
identified by our exclusive may-write (EMW) analysis without taint tracking, and a variant that
checkpoints all data identified by our EMW analysis refined with taint-tracking support. Our
data show that our analysis provides correctness, through checkpointing both WAR and RIO
variables, with low run time and memory overheads. EMW alone has very low overheads with
no programming effort and EMW plus taint analysis has virtually no time overhead and very low
memory overhead, but asks the programmer to annotate input operations. To demonstrate the
programmability benefit of our analysis, we perform case studies, showing that it is non-trivial
(sometimes complicated) to fix RIO bugs manually, even using a state-of-the-art bug detection tool
(IBIS [Surbatovich et al. 2019]), but trivial using our analysis.
10.1 Benchmarks
We use benchmarks from the IBIS paper [Surbatovich et al. 2019], obtained from the authors, as they
run on Alpaca and have input bugs. There are 11 programs: 7 drivers and low-level applications
from TI-RTOS [TI Inc. 2017] and 4 from Alpaca [Maeng et al. 2017]. The TI-RTOS programs are
bmp a pressure sensor driver, hdc a humidity sensor driver, elink, a radio implementation, mpu, a
magnetometer driver, opt, an optical sensor driver, temp, a temperature sensor driver, and wsn, a
sensor data aggregator. The Alpaca programs are ar, activity recognition, bc, bit counting, cem, a
compressive logger, and cuckoo, a cuckoo filter. IBIS found RIO bugs in mpu, opt, temp, and wsn.
10.2 Performance Overhead of EMW Tracking
ar bc bmp cem cuckooelink hdc mpu opt temp wsn geo-m
0.85
0.90
0.95
1.00
1.05
1.10
No
rm
al
ize
d 
Ru
nt
im
e
Alpaca (incorrect)
Alpaca + EMW
Alpaca + EMW + taint
Fig. 10. Normalized runtimes of Alpaca, Alpaca with
EMW sets, and Alpaca with taint-optimized EMW sets
Checkpointing data added toω by EMW anal-
ysis guarantees correctness and causes only
low run time and memory overheads. Fig-
ure 10 shows run time normalized to Alpaca
for plain Alpaca (blue), Alpaca with check-
pointing for EMW sets (yellow), and Alpaca
with checkpointing for I/O-tainted EMWdata
only (green). Each bar averages 100 run times
on continuous power with fixed inputs, and
error bars are a 95% confidence interval. Plain
Alpaca is fastest, but incorrect because it does
not back up variables made inconsistent by RIOs. EMW with taint-tracking has virtually no time
overhead (0 - 0.7%) because the analysis checkpoints the few variables from the EMW set required
for correctness. Checkpointing full EMW sets has higher overhead, ranging from negligible to
Foundations of Intermittent Computing 23
nearly 15% for cuckoo. The higher overheads of EMW alone demonstrate the need for taint tracking,
which eliminates overheads, requiring only that the programmer annotate input operations.
Checkpoint and Memory Overheads Taint-optimized EMW analysis checkpoints only the few
variables necessary to avoid RIOs and WARs, while using EMW analysis conservatively requires
checkpointing many more variables, at a higher memory overhead. Figure 11 shows the bytes
needed to back up variables identified by EMW and taint-optimized EMW. The left bar in each
pair is for EMW alone, and the right is for taint-optimized EMW. Each bar is broken up into
bytes due to variables in a WAR dependence (blue), untainted variables conservatively in the
exclusive-may-write set (yellow), and tainted variables in the exclusive may-write set (green).
Any array is double-buffered, potentially causing a large difference in log size (bmp) Together, the
yellow and green segments in an EMW bar include all tainted and untainted EMW variables. The
taint-optimized EMW bar eliminates the yellow segment, identifying input-tainted EMW variables
only and illustrating the conservatism in EMW alone that requires checkpointing more variables.
530
540
E  T
ar bc bmp cem cuckoo elink hdc mpu opt temp wsn
0
20
40
60
80
Nu
m
be
r o
f A
dd
ed
 B
yt
es
WAR vars
EMW vars
EMW+Taint vars
Fig. 11. Space needed to back up variables identified by
EMW and taint-optimized EMW analysis, by category
Figure 12 quantifies the normalized mem-
ory overhead caused by the increase in logged
variables, accounting for all checkpoint stor-
age and metadata (including array-size de-
pendent metadata [Maeng et al. 2017]). Taint-
optimized EMW reduces memory overheads
significantly compared to EMW alone.
Programmability Benefits of EMWUsing
taint-optimized EMW analysis is a simpler so-
lution for repeated I/O than manually chang-
ing code. Prior work detects RIO bugs using
an ad hoc approximation of our taint-optimized EMW analysis [Surbatovich et al. 2019], suggesting
that the programmer fix bugs. Taint-optimized EMW has low overheads and requires the pro-
grammer to annotate input operations only, which is simple. Manually finding and fixing bugs is
relatively more complex. IBIS [Surbatovich et al. 2019] advises re-initializing I/O-tainted variables
at the start of the task that taints them. This strategy moves each variable into the must-first-write
set, causing it to be written on every task execution and eliminating the need to include it in
ω. However, unconditional initialization in a task may change a program’s meaning if the value
overwritten by the initialization is important. Instead, a programmer could create their own backup
copy of the variable and save its value on the first write in the task; doing so amounts to manually
applying undo-logging, guided by IBIS’s bug report.
ar bc bmp cem cuckooelink hdc mpu opt temp wsn geo-m
0
1
2
3
4
5
6
7
8
No
rm
al
ize
d 
Ch
ec
kp
oi
nt
 S
ize EMW 
EMW+Taint
Fig. 12. Normalized checkpoint size overhead caused by
EMW tracking and taint-optimized EMW tracking.
Manual undo-logging requires modifying
each use, and adding an initialization and a
backup operation, requiring changing at least∑(∀loc ∈ EMW, 2 + uses(loc)) lines of code.
Concretely, mpu required 22 changes, opt re-
quired four, temp required seven, and wsn re-
quired 17. As reported by IBIS, only these
benchmarks had RIO bugs that required code
changes to fix.
Manual fixing is not only onerous, but ul-
timately duplicative: manual backup intro-
duces a WAR dependence on a task-shared variable and any non-idempotent EMW variable will be
added to the checkpoint anyway by the WAR analysis after fixing manually. IBIS may also miss
24 Milijana Surbatovich, Limin Jia, and Brandon Lucia
RIO bugs. Fixing only IBIS’ reported bugs may result in still incorrect code. Our taint-optimized
EMW analysis eliminates the risk of manual code fixes and directly backs up the necessary data,
ensuring correctness with reasonable overhead and essentially no programming burden.
11 CONCLUSION AND FUTUREWORK
We provide the first formal framework for examining the correctness of intermittent systems, w.r.t
memory consistency. We show the framework’s usefulness by using it to formalize intermittent
systems with input operations, showing that many existing systems do not meet reasonable
correctness criteria, and using the correctness invariants to implement a correct runtime system.
We further extend the framework to show that a variety of existing systems are equivalent, indicating
that the same correctness properties hold for all the modeled systems. This framework lays the
foundation for formally defining intermittent system correctness, and futurework should extend it to
define properties beyond memory consistency, such as timeliness, forward progress, or concurrency.
REFERENCES
D. Balsamo, A. Weddell, A. Das, A. Arreola, D. Brunelli, B. Al-Hashimi, G. Merrett, and L. Benini. 2016. Hibernus++: A
Self-Calibrating and Adaptive System for Transiently-Powered Embedded Devices. IEEE Transactions on Computer-Aided
Design of Integrated Circuits and Systems PP, 99 (2016), 1–1. https://doi.org/10.1109/TCAD.2016.2547919
Domenico Balsamo, Alex SWeddell, Geoff VMerrett, Bashir M Al-Hashimi, Davide Brunelli, and Luca Benini. 2015. Hibernus:
Sustaining computation during intermittent supply for energy-harvesting systems. IEEE Embedded Systems Letters 7, 1
(2015), 15–18.
Naama Ben-David, Guy E. Blelloch, Michal Friedman, and Yuanhao Wei. 2019. Delay-Free Concurrency on Faulty Persistent
Memory. In The 31st ACM Symposium on Parallelism in Algorithms and Architectures (SPAA ’19). ACM, New York, NY,
USA, 253–264. https://doi.org/10.1145/3323165.3323187
Gautier Berthou, Tristan Delizy, Kevin Marquet, Tanguy Risset, and Guillaume Salagnac. 2017. Peripheral state persistence
for transiently-powered systems. In 2017 Global Internet of Things Summit (GIoTS). IEEE. https://doi.org/10.1109/giots.
2017.8016243
Guy E. Blelloch, Phillip B. Gibbons, Yan Gu, Charles McGuffey, and Julian Shun. 2018. The Parallel Persistent Memory
Model. In Proceedings of the 30th on Symposium on Parallelism in Algorithms and Architectures, SPAA 2018, Vienna, Austria,
July 16-18, 2018. 247–258. https://doi.org/10.1145/3210377.3210381
James Bornholt, Antoine Kaufmann, Jialin Li, Arvind Krishnamurthy, Emina Torlak, and Xi Wang. 2016. Specifying
and Checking File System Crash-Consistency Models. SIGARCH Comput. Archit. News 44, 2 (March 2016), 83âĂŞ98.
https://doi.org/10.1145/2980024.2872406
Haogang Chen, Daniel Ziegler, Tej Chajed, Adam Chlipala, M. Frans Kaashoek, and Nickolai Zeldovich. 2015. Using Crash
Hoare Logic for Certifying the FSCQ File System. In Proceedings of the 25th Symposium on Operating Systems Principles
(SOSP ’15). ACM, New York, NY, USA, 18–37. https://doi.org/10.1145/2815400.2815402
Joel Coburn, Adrian M. Caulfield, Ameen Akel, Laura M. Grupp, Rajesh K. Gupta, Ranjit Jhala, and Steven Swanson. 2011.
NV-Heaps: Making Persistent Objects Fast and Safe with Next-generation, Non-volatile Memories. In Proceedings of the
Sixteenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS
XVI). https://doi.org/10.1145/1950365.1950380
Alexei Colin, Graham Harvey, Brandon Lucia, and Alanson P. Sample. 2016. An Energy-interference-free Hardware-Software
Debugger for Intermittent Energy-harvesting Systems. In Proceedings of the Twenty-First International Conference on
Architectural Support for Programming Languages and Operating Systems (ASPLOS ’16). https://doi.org/10.1145/2872362.
2872409
Alexei Colin and Brandon Lucia. 2016. Chain: Tasks and Channels for Reliable Intermittent Programs. In Proceedings of the
ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA).
Alexei Colin and Brandon Lucia. 2018. Termination checking and task decomposition for task-based intermittent programs.
In Proceedings of the 27th International Conference on Compiler Construction.
Alexei Colin, Emily Ruppel, and Brandon Lucia. 2018. A Reconfigurable Energy Storage Architecture for Energy-harvesting
Devices. In Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages
and Operating Systems (ASPLOS ’18).
Manjeet Dahiya and Sorav Bansal. 2018. Automatic Verification of Intermittent Systems. In Verification, Model Checking,
and Abstract Interpretation, Isil Dillig and Jens Palsberg (Eds.). Cham.
Foundations of Intermittent Computing 25
Marc De Kruijf and Karthikeyan Sankaralingam. 2013a. Idempotent code generation: Implementation, analysis, and
evaluation. In Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).
IEEE Computer Society, 1–12.
Marc De Kruijf and Karthikeyan Sankaralingam. 2013b. Idempotent code generation: Implementation, analysis, and
evaluation. In Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).
Marc A. de Kruijf, Karthikeyan Sankaralingam, and Somesh Jha. 2012. Static Analysis and Compiler Design for Idempotent
Processing. In Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation
(PLDI ’12). https://doi.org/10.1145/2254064.2254120
Jasper de Winkel, Carlo Delle Donne, Kasim Sinan Yildirim, Przemysław Pawełczak, and Josiah Hester. 2020. Reliable
Timekeeping for Intermittent Computing. In Proceedings of the Twenty-Fifth International Conference on Architectural
Support for Programming Languages and Operating Systems (ASPLOS âĂŹ20). Association for Computing Machinery,
New York, NY, USA, 53âĂŞ67. https://doi.org/10.1145/3373376.3378464
Bradley Denby and Brandon Lucia. 2020. Orbital Edge Computing: Nanosatellite Constellations as a New Class of Computer
System. In Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages
and Operating Systems (ASPLOS âĂŹ20). Association for Computing Machinery, New York, NY, USA, 939âĂŞ954.
https://doi.org/10.1145/3373376.3378473
Gidon Ernst, Jörg Pfähler, Gerhard Schellhorn, and Wolfgang Reif. 2016. Inside a Verified Flash File System: Transactions
and Garbage Collection. In Verified Software: Theories, Tools, and Experiments, Arie Gurfinkel and Sanjit A. Seshia (Eds.).
Springer International Publishing, Cham, 73–93.
Francesco Fraternali, Bharathan Balaji, Yuvraj Agarwal, Luca Benini, and Rajesh Gupta. 2018. Pible: battery-free mote for
perpetual indoor BLE applications. In Proceedings of the 5th Conference on Systems for Built Environments. ACM, 168–171.
Karthik Ganesan, Joshua San Miguel, and Natalie Enright Jerger. 2019. The WhatâĂŹs Next Intermittent Computing
Architecture. In 2019 IEEE International Symposium on High Performance Computer Architecture (HPCA). IEEE, 211–223.
Graham Gobieski, Brandon Lucia, and Nathan Beckmann. 2019. Intelligence Beyond the Edge: Inference on Intermittent
Embedded Systems. In ASPLOS.
Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney. 2002. Region-based Memory
Management in Cyclone. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and
Implementation (PLDI ’02). ACM, New York, NY, USA, 282–293. https://doi.org/10.1145/512529.512563
Josiah Hester and Jacob Sorber. 2017. Flicker: Rapid Prototyping for the Batteryless Internet of Things. In Proceedings of the
15th ACM Conference on Embedded Network Sensor Systems (SenSys ’17).
Josiah Hester, Kevin Storer, and Jacob Sorber. 2017. Timely Execution on Intermittently Powered Batteryless Sensors. In
Proceedings of the 15th ACM Conference on Embedded Network Sensor Systems.
Josiah Hester, Nicole Tobias, Amir Rahmati, Lanny Sitanayah, Daniel Holcomb, Kevin Fu, Wayne P. Burleson, and Jacob
Sorber. 2016. Persistent Clocks for Batteryless Sensing Devices. ACM Trans. Embed. Comput. Syst. 15, 4, Article 77 (Aug.
2016), 28 pages. https://doi.org/10.1145/2903140
Matthew Hicks. 2017. Clank: Architectural Support for Intermittent Computation. In Proceedings of the 44th Annual
International Symposium on Computer Architecture (ISCA ’17). https://doi.org/10.1145/3079856.3080238
Joseph Izraelevitz, Terence Kelly, and Aasheesh Kolli. 2016a. Failure-Atomic Persistent Memory Updates via JUSTDO
Logging. In Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages
and Operating Systems (ASPLOS ’16). ACM, New York, NY, USA, 427–442. https://doi.org/10.1145/2872362.2872410
Joseph Izraelevitz, Hammurabi Mendes, and Michael L. Scott. 2016b. Linearizability of Persistent Memory Objects Under a
Full-System-Crash Failure Model. In Distributed Computing, Cyril Gavoille and David Ilcinkas (Eds.). Springer Berlin
Heidelberg, Berlin, Heidelberg, 313–327.
Neal Jackson, Joshua Adkins, and Prabal Dutta. 2019. Capacity Over Capacitance for Reliable Energy Harvesting Sensors. In
IPSN.
Hrishikesh Jayakumar, Arnab Raha, and Vijay Raghunathan. 2014. QuickRecall: A low overhead HW/SW approach for
enabling computations across power cycles in transiently powered computers. In 2014 27th International Conference on
VLSI Design and 2014 13th International Conference on Embedded Systems.
Rajeev Joshi and Gerard Holzmann. 2007. A Mini Challenge: Build a Verifiable Filesystem. Formal Asp. Comput. 19 (06 2007),
269–272. https://doi.org/10.1007/s00165-006-0022-3
Chih-Kai Kang, Chun-Han Lin, Pi-Cheng Hsiu, and Ming-Syan Chen. 2018. HomeRun: HW/SW Co-Design for Program
Atomicity on Self-Powered Intermittent Systems. In Proceedings of the International Symposium on Low Power Electronics
and Design (ISLPED ’18). Article 29. https://doi.org/10.1145/3218603.3218633
Vito Kortbeek, Kasim Sinan Yildirim, Abu Bakar, Jacob Sorber, Josiah Hester, and Przemysław Pawełczak. 2020. Time-
Sensitive Intermittent Computing Meets Legacy Software. In Proceedings of the Twenty-Fifth International Conference on
Architectural Support for Programming Languages and Operating Systems (ASPLOS âĂŹ20). Association for Computing
Machinery, New York, NY, USA, 85âĂŞ99. https://doi.org/10.1145/3373376.3378476
26 Milijana Surbatovich, Limin Jia, and Brandon Lucia
Eric Koskinen and Junfeng Yang. 2016. Reducing Crash Recoverability to Reachability. In Proceedings of the 43rd Annual
ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’16). ACM, New York, NY, USA,
97–108. https://doi.org/10.1145/2837614.2837648
Chris Lattner and Vikram Adve. 2004. LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation.
In Proceedings of the International Symposium on Code Generation and Optimization: Feedback-directed and Runtime
Optimization (CGO ’04). IEEE Computer Society, Washington, DC, USA, 75–. http://dl.acm.org/citation.cfm?id=977395.
977673
Q. Liu, J. Izraelevitz, S. K. Lee, M. L. Scott, S. H. Noh, and C. Jung. 2018. iDO: Compiler-Directed Failure Atomicity for
Nonvolatile Memory. In 2018 51st Annual IEEE/ACM International Symposium on Microarchitecture (MICRO). 258–270.
https://doi.org/10.1109/MICRO.2018.00029
Brandon Lucia and Benjamin Ransford. 2015. A Simpler, Safer Programming and Execution Model for Intermittent Systems.
In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2015).
https://doi.org/10.1145/2737924.2737978
Kaisheng Ma, Xueqing Li, Jinyang Li, Yongpan Liu, Yuan Xie, Jack Sampson, Mahmut Taylan Kandemir, and Vijaykrishnan
Narayanan. 2017. Incidental Computing on IoT Nonvolatile Processors. In Proceedings of the 50th Annual IEEE/ACM
International Symposium on Microarchitecture (MICRO-50 ’17). ACM, New York, NY, USA, 204–218. https://doi.org/10.
1145/3123939.3124533
Kaisheng Ma, Xueqing Li, Shuangchen Li, Yongpan Liu, John Jack Sampson, Yuan Xie, and Vijaykrishnan Narayanan. 2015a.
Nonvolatile processor architecture exploration for energy-harvesting applications. IEEE Micro 35, 5 (2015), 32–40.
Kaisheng Ma, Yang Zheng, Shuangchen Li, Karthik Swaminathan, Xueqing Li, Yongpan Liu, Jack Sampson, Yuan Xie, and
Vijaykrishnan Narayanan. 2015b. Architecture exploration for ambient energy harvesting nonvolatile processors. In
High Performance Computer Architecture (HPCA), 2015 IEEE 21st International Symposium on.
Kiwan Maeng, Alexei Colin, and Brandon Lucia. 2017. Alpaca: Intermittent Execution Without Checkpoints. Proc. ACM
Program. Lang. 1, OOPSLA, Article 96 (Oct. 2017), 96:1–96:30 pages. https://doi.org/10.1145/3133920
Kiwan Maeng, Alexei Colin, and Brandon Lucia. 2019. Alpaca: Intermittent Execution without Checkpoints. (2019).
arXiv:cs.DC/1909.06951
Kiwan Maeng and Brandon Lucia. 2018. Adaptive Dynamic Checkpointing for Safe Efficient Intermittent Computing.
In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation (OSDI’18). USENIX
Association, Berkeley, CA, USA, 129–144. http://dl.acm.org/citation.cfm?id=3291168.3291178
Kiwan Maeng and Brandon Lucia. 2019. Supporting Peripherals in Intermittent Systems with Just-In-Time Checkpoints. In
Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’19).
Andrea Maioli, Luca Mottola, Muhammad Hamad Alizai, and Junaid Haroon Siddiqui. 2019. On intermittence bugs in the
battery-less internet of things (WIP paper). In Proceedings of the 20th ACM SIGPLAN/SIGBED International Conference on
Languages, Compilers, and Tools for Embedded Systems. ACM, 203–207.
J. San Miguel, K. Ganesan, M. Badr, and N. E. Jerger. 2018. The EH Model: Analytical Exploration of Energy-Harvesting
Architectures. IEEE Computer Architecture Letters 17, 1 (Jan 2018), 76–79. https://doi.org/10.1109/LCA.2017.2777834
Azalia Mirhoseini, Ebrahim M Songhori, and Farinaz Koushanfar. 2013. Idetic: A high-level synthesis approach for enabling
long computations on transiently-powered ASICs. In Pervasive Computing and Communications (PerCom), 2013 IEEE
International Conference on.
Dushyanth Narayanan and Orion Hodson. 2012. Whole-system Persistence. In Proceedings of the Seventeenth International
Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XVII). https://doi.org/
10.1145/2150976.2151018
Matteo Nardello, Harsh Desai, Davide Brunelli, and Brandon Lucia. 2019. Camaroptera: A Batteryless Long-Range Remote
Visual Sensing System. In Proceedings of the 7th International Workshop on Energy Harvesting & Energy-Neutral Sensing
Systems (ENSsys’19). ACM, New York, NY, USA, 8–14. https://doi.org/10.1145/3362053.3363491
Gian Ntzik, Pedro da Rocha Pinto, and Philippa Gardner. 2015. Fault-Tolerant Resource Reasoning. In Programming Languages
and Systems, Xinyu Feng and Sungwoo Park (Eds.). Springer International Publishing, Cham, 169–188.
Steven Pelley, PeterM. Chen, and Thomas F.Wenisch. 2014. Memory Persistency. In Proceeding of the 41st Annual International
Symposium on Computer Architecuture (ISCA ’14). Piscataway, NJ, USA.
Steven Pelley, Peter M Chen, and Thomas FWenisch. 2015. Memory Persistency: Semantics for Byte-Addressable Nonvolatile
Memory Technologies. IEEE Micro 35, 3 (2015), 125–131.
Proteus Digital Health. 2015. Proteus Digital Health. http://www.proteus.com/. (2015).
Azalea Raad and Viktor Vafeiadis. 2018. Persistence Semantics forWeakMemory: Integrating Epoch Persistencywith the TSO
Memory Model. Proc. ACM Program. Lang. 2, OOPSLA, Article 137 (Oct. 2018), 27 pages. https://doi.org/10.1145/3276507
Azalea Raad, John Wickerson, Gil Neiger, and Viktor Vafeiadis. 2019b. Persistency Semantics of the Intel-X86 Architecture.
Proc. ACM Program. Lang. 4, POPL, Article 11 (Dec. 2019), 31 pages. https://doi.org/10.1145/3371079
Foundations of Intermittent Computing 27
Azalea Raad, John Wickerson, and Viktor Vafeiadis. 2019a. Weak Persistency Semantics from the Ground Up: Formalising
the Persistency Semantics of ARMv8 and Transactional Models. Proc. ACM Program. Lang. 3, OOPSLA, Article 135 (Oct.
2019), 27 pages. https://doi.org/10.1145/3360561
G. Ramalingam and Kapil Vaswani. 2013. Fault Tolerance via Idempotence. Principles of Programming Languages (POPL)
(January 2013). https://www.microsoft.com/en-us/research/publication/fault-tolerance-via-idempotence/
Benjamin Ransford, Jacob Sorber, and Kevin Fu. 2011. Mementos: System Support for Long-running Computation on
RFID-scale Devices. In Proceedings of the Sixteenth International Conference on Architectural Support for Programming
Languages and Operating Systems (ASPLOS XVI). https://doi.org/10.1145/1950365.1950386
Alberto Rodriguez Arreola, Domenico Balsamo, Geoff V Merrett, and Alex S Weddell. 2018. RESTOP: Retaining External
Peripheral State in Intermittently-Powered Sensor Systems. Sensors 18, 1 (2018), 172.
Emily Ruppel and Brandon Lucia. 2019. Transactional Concurrency for Intermittent Systems. In Proceedings of the 40th
ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’19).
Gerhard Schellhorn, Gidon Ernst, Jörg Pfähler, Dominik Haneberg, and Wolfgang Reif. 2014. Development of a Verified
Flash File System. In Proceedings of the 4th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z
- Volume 8477 (ABZ 2014). Springer-Verlag, Berlin, Heidelberg, 9âĂŞ24. https://doi.org/10.1007/978-3-662-43652-3_2
Helgi Sigurbjarnarson, James Bornholt, Emina Torlak, and Xi Wang. 2016. Push-Button Verification of File Systems via Crash
Refinement. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). USENIX Association,
Savannah, GA, 1–16. https://www.usenix.org/conference/osdi16/technical-sessions/presentation/sigurbjarnarson
Milijana Surbatovich, Limin Jia, and Brandon Lucia. 2019. I/O Dependent Idempotence Bugs in Intermittent Systems. Proc.
ACM Program. Lang. 3, OOPSLA, Article 183 (Oct. 2019), 31 pages. https://doi.org/10.1145/3360609
TI Inc. 2014. Overview for MSP430FRxx FRAM. http://ti.com/wolverine. (2014). Visited July 28, 2014.
TI Inc. 2017. TI-RTOS: Real-Time Operating System (RTOS) for Microcontrollers (MCU). (2017). http://www.ti.com/tool/
ti-rtos-mcu Accessed: 2018-05-08.
Joel Van Der Woude and Matthew Hicks. 2016. Intermittent computation without hardware support or programmer
intervention. In Proceedings of OSDI’16: 12th USENIX Symposium on Operating Systems Design and Implementation.
Haris Volos, Andres Jaan Tack, and Michael M. Swift. 2011. Mnemosyne: Lightweight Persistent Memory. In Proceedings
of the Sixteenth International Conference on Architectural Support for Programming Languages and Operating Systems
(ASPLOS XVI). https://doi.org/10.1145/1950365.1950379
Kasim Sinan Yildirim, Amjad Yousef Majid, Dimitris Patoukas, Koen Schaper, Przemyslaw Pawelczak, and Josiah Hester. 2018.
InK: Reactive Kernel for Tiny Batteryless Sensors. In Proceedings of the 16th ACM Conference on Embedded Networked
Sensor Systems (SenSys ’18). ACM, New York, NY, USA, 41–53. https://doi.org/10.1145/3274783.3274837
Zac Manchester. 2015. KickSat. http://zacinaction.github.io/kicksat/. (2015).
Hong Zhang, Mastooreh Salajegheh, Kevin Fu, and Jacob Sorber. 2011. Ekho: Bridging the Gap Between Simulation and
Reality in Tiny Energy-harvesting Sensors. In Proceedings of the 4th Workshop on Power-Aware Computing and Systems
(HotPower ’11). Article 9. https://doi.org/10.1145/2039252.2039261
*
A SUMMARY OF SYNTAX AND SEMANTICS OF BASIC CHECKPOINTING SYSTEM
A.1 Syntax
We define a core calculus for checkpoints. We write ω to denote the set of global variables and
arrays that need to be stored across checkpoints. Note that each array has a pre-defined, fixed
bound. an indicates that array a has length n. We omit the bounds for simplicity.
values v ::= n | true | false
expressions e ::= x |v | e1 bop e2 | a[e]
war variables ω ::= · · · |ω,x |ω,an
instructions ι ::= skip | x := e | a[e] := e ′ | checkpoint(ω) | reboot
commands c ::= ι | ι; c | if e then c1 else c2
We distinguish between volatile and non-volatile memory. We write κ to denote checkpointed
data, which is a triple consisting of checkpointed non-volatile memory, volatile memory, and
command to execute at the time of the checkpoint instruction. Note that the checkpointed non-
volatile memory could be empty.
28 Milijana Surbatovich, Limin Jia, and Brandon Lucia
Memory locations loc ::= x | a[n]
Memory mapping M ::= Loc→ Val
Non-volatile memory N : M
Volatile memory V : M
Continuous Conf. σ ::= (N ,V , c)
Context κ ::= (N ,V , c)
Intermittent Conf. Σ ::= (κ,N ,V , c)
Read Observation r ::= rd loc v | r , r
Observation o ::= [r ] | reboot | checkpoint
Observation sequence O ::= · |O,o
A.2 Continuously-Powered Operational Semantics
An observation sequence is determined by the following rules. We write N ,V ⊢ e ⇓r v to denote
that with memories N and V , expression e evaluates to value v with observation r . We write
[[v1bop v2]] to denote the result of computing a binary operation with values v1, v2.
N ,V ⊢ v ⇓· v
Val
i ∈ [1, 2] N ,V ⊢ ei ⇓ri vi
N ,V ⊢ e1bop e2 ⇓r1,r2 [[v1bop v2]]
BinOp
N ∪V (x) = v
N ,V ⊢ x ⇓rd x v v
Rd-Var
N ,V ⊢ e ⇓re ve N ∪V (a[ve ]) = v
N ,V ⊢ a[e] ⇓re ,rda[ve ]v v
Rd-Arr
We writem |ω to denote the part ofm, whose domain is ω. an represents all the locations in the
array a. That is: each an in ω represents the set of locations {a[1], · · · ,a[n]}. We writem[loc 7→ v]
to denote the memory that is the same asm except that loc is mapped to v . We writem1 ◁m2 to
denote the memory resulted from updatingm1 withm2.
We write σ O−→ σ ′ to denote the semantics of sequential executions. The rules are the same as
those for the intermittent execution except that the checkpoint instruction behaves the same as
skip, and that the state does not need the checkpointed context κ, and that there are no rules for
fail or reboot.
(N ,V , c) O−→ (N ′,V ′, c ′)
Foundations of Intermittent Computing 29
x ∈ dom(N ) N ,V ⊢ e ⇓r v
(N ,V ,x := e) [r ]−→ (N [x 7→ v],V , skip)
NV-Assign
x ∈ dom(V ) N ,V ⊢ e ⇓r v
(N ,V ,x := e) [r ]−→ (N ,V [x 7→ v], skip)
V-Assign
N ,V ⊢ e ⇓r v N ,V ⊢ e ′ ⇓r ′ v ′
(N ,V ,a[e] := e ′) [r,r
′]−→ (N [a[v] 7→ v ′],V , skip)
Assign-Arr
(N ,V , checkpoint(ω); c) checkpoint−→ (N ,V , c)
CheckPoint
(N ,V , skip; c) −→ (N ,V , c) Skip
(N ,V , ι) o−→ (N ′,V ′, skip)
(N ,V , ι; c) o−→ (N ′,V ′, c)
Seq
N ,V ⊢ e ⇓r true
(N ,V , if e then c1 else c2) [r ]−→ (N ,V , c1)
If-T
N ,V ⊢ e ⇓r false
(N ,V , if e then c1 else c2) [r ]−→ (N ,V , c2)
If-F
A.3 Intermittent Operational Semantics
We write (κ,N ,V , c) O=⇒ (κ ′,N ′,V ′, c ′) to denote the small-step operational semantics of the core
calculus. The rules are summarized below.
(κ,N ,V , c) O=⇒ (κ ′,N ′,V ′, c ′)
(κ,N ,V , c) =⇒ (κ,N , reset(V ), reboot) CP-PowerFail
(κ,N ,V , checkpoint(ω); c) checkpoint=⇒ ((N |ω ,V , c),N ,V , c)
CP-CheckPoint
κ = (N ,V , c)
(κ,N ′,V ′, reboot) reboot=⇒ (κ,N ′ ◁ N ,V , c)
CP-Reboot
30 Milijana Surbatovich, Limin Jia, and Brandon Lucia
x ∈ dom(N ) N ,V ⊢ e ⇓r v
(κ,N ,V ,x := e) [r ]=⇒ (κ,N [x 7→ v],V , skip)
CP-NV-Assign
N ,V ⊢ e ⇓r v N ,V ⊢ e ′ ⇓r ′ v ′
(κ,N ,V ,a[e] := e ′) [r,r
′]
=⇒ (κ,N [a[v] 7→ v ′],V , skip)
CP-Assign-Arr
x ∈ dom(V ) N ,V ⊢ e ⇓r v
(κ,N ,V ,x := e) [r ]=⇒ (κ,N ,V [x 7→ v], skip)
CP-V-Assign
(κ,N ,V , skip; c) =⇒ (κ,N ,V , c) CP-Skip
(κ,N ,V , ι) o=⇒ (κ,N ′,V ′, skip)
(κ,N ,V , ι; c) o=⇒ (κ,N ′,V ′, c)
CP-Seq
N ,V ⊢ e ⇓r true
(κ,N ,V , if e then c1 else c2)
[r ]
=⇒ (κ,N ,V , c1)
CP-If-T
N ,V ⊢ e ⇓r false
(κ,N ,V , if e then c1 else c2)
[r ]
=⇒ (κ,N ,V , c2)
CP-If-F
B CHECKPOINTED DATA (WAR)
B.1 Algorithm for Checking Checkpointed Data (WAR Variables)
Rules of the form N ;W ;R ⊩ ι : W ′;R′ check each memory access is well-formed w.r.t. the
checkpointed variables in N , written setW , and read set R, and returns newly written setW ′ and
newly read set R′.
N ;W ;R ⊩WAR ι :W ′;R′
N ;W ;R ⊩WAR skip :W ;R
WAR-Skip
R′ = R ∪ rd(e) x < R′
N ;W ;R ⊩WAR x := e :W ∪ x ;R′
WAR-NoRd
R′ = R ∪ rd(e) x ∈ R′ x <W x ∈ N
N ;W ;R ⊩WAR x := e :W ∪ x ;R′
WAR-Checkpointed
R′ = R ∪ rd(e) x ∈ R′ x ∈W
N ;W ;R ⊩WAR x := e :W ;R′
WAR-Wt
R′ = R ∪ rd(e) ∪ rd(e ′) a < R′
N ;W ;R ⊩WAR a[e ′] := e :W ∪ a;R′
WAR-NoRd-Arr
R′ = R ∪ rd(e) ∪ rd(e ′) a ∈ R′ a ∈ N
N ;W ;R ⊩WAR a[e ′] := e :W ∪ a;R′
WAR-Checkpointed-Arr
Foundations of Intermittent Computing 31
Judgment N ;W ;R ⊩WAR c : ok means that all of c’s WAR variables are in N , given R is the set of
variables that are read from the most recent checkpoint,W is the set of written variables, and N is
the set of checkpointed variables in the most recent checkpoint instruction.
N ;W ;R ⊩WAR c : ok
N ;W ;R ⊩WAR ι :W ′;R′
N ;W ;R ⊩WAR ι : ok
WAR-I
ω; ∅; ∅ ⊩WAR c : ok
N ;W ;R ⊩WAR checkpoint(ω); c : ok
WAR-Cp
N ;W ;R ⊩WAR ι :W ′;R′ N ;W ′;R′ ⊩WAR c : ok
N ;W ;R ⊩WAR ι; c : ok
WAR-Seq
R′ = R ∪ rd(e) N ,W ,R′ ⊢ c1 : ok N ,W ,R′ ⊢ c2 : ok
N ;W ;R ⊩WAR if e then c1 else c2 : ok
WAR-If
B.2 Algorithms for Collecting Checkpointed Locations
Existing systems typically implement an algorithm for identifying WAR variables. We show two
variants here and prove that both of the algorithms produce programs that pass the WAR checking
defined in the previous section.
Algorithm used by Dino
N ;W ;R ⊩DINO ι : N ′;W ′,R′
N ;W ;R ⊩DINO skip : N ;W ;R
D-WAR-Skip
R′ = R ∪ rd(e) x < R′
N ;W ;R ⊩DINO x := e : N ;W ∪ x ;R′
D-WAR-Written
R′ = R ∪ rd(e) x ∈ R′ x <W
N ;W ;R ⊩DINO x := e : N ∪ x ;W ∪ x ;R′
D-WAR-CP-Asgn
R′ = R ∪ rd(e) x ∈ R′ x ∈W
N ;W ;R ⊩DINO x := e : N ;W ;R′
D-WAR-WtDom
R′ = R ∪ rd(e) ∪ rd(e ′) a < R′
N ;W ;R ⊩DINO a[e ′] := e : N ;W ∪ a;R′
D-WAR-Wt-Arr
R′ = R ∪ rd(e) ∪ rd(e ′) a ∈ R′
N ;W ;R ⊩DINO a[e ′] := e : N ∪ a;W ∪ a;R′
D-WAR-CP-Arr
N ;W ;R ⊩DINO c −→ c ′ : N ′
N ;W ;R ⊩DINO ι : N ′;W ′;R′
N ;W ;R ⊩DINO ι −→ ι : N ′
D-WAR-Instr
N ;W ;R ⊩DINO ι : N ′;W ′;R′ N ′;W ′;R′ ⊩DINO c −→ c ′ : N ′′
N ;W ;R ⊩DINO ι; c −→ ι; c ′ : N ′′
D-WAR-Seq
32 Milijana Surbatovich, Limin Jia, and Brandon Lucia
R′ = R ∪ rd(e) N ,W ,R′ ⊢ ci −→ c ′i : Ni i ∈ [1, 2]
N ;W ;R ⊩DINO if e then c1 else c2 −→ if e then c ′1 else c ′2 : N1 ∪ N2
D-WAR-If
∅; ∅; ∅ ⊩DINO c −→ c ′ : N ′
N ;W ;R ⊩DINO checkpoint(); c −→ checkpoint(N′); c ′ : N
D-WAR-CP
Lemma 6. (1) If E :: N ;W ;R ⊩DINO ι : N ′;W ′,R′ then N ′ ⊇ N
(2) If E :: N ;W ;R ⊩DINO c 7→ c ′ : N ′ then N ′ ⊇ N .
Proof (sketch). By induction over the structure of E. (2) uses (1). □
Lemma 7. If E :: N ;W ;R ⊩DINO ι : N ′;W ′,R′ then ∀ N1 ⊇ N ′, N1;W ;R ⊩WAR ι :W ′,R′
Proof (sketch). By induction over the structure of E. □
Lemma 8 (DINO WAR collection algorithm is correct). If E :: N ;W ;R ⊩DINO c −→ c ′ : N ′ then ∀
N1 ⊇ N ′, N1;W ;R ⊩WAR c ′ : ok.
Proof (sketch). By induction over the structure of E. Uses Lemma 6 and Lemma 7. □
C CORRECTNESS OF BASIC CHECKPOINTED SYSTEM
C.1 Auxiliary definitions
We first define relations between traces emitted by continuous executions and traces emitted by
intermittent executions. We write O1 ⩽ O2 to mean that O1, emitted by an intermittent execution,
is a prefix of O2, emitted by a continuous execution of the same program . Here, the intermittent
execution has not experienced a power failure nor a checkpoint. Note that both O1 and O2 only
contain read actions. We write O1 ⩽m O2 to mean that O1, emitted by an intermittent execution, is
a sequence of prefixes of O2, emitted by a continuous execution of the same program . Here, the
intermittent execution may have experienced a number of power failures and subsequent reboots,
but have not passed a checkpoint. Here, O1 may contain have reboot and read actions and O2 only
has reads. We writeO1 ⩽mc O2 to mean thatO1, emitted by an intermittent execution, is a sequence
of sequences of prefixes of fragments ofO2, emitted by a continuous execution of the same program.
Here, the intermittent execution may have experienced a number of power failures and subsequent
reboots and a number of checkpoints. O1 can have reads, reboots and checkpoints, O2 has (no-op)
checkpoints and read observations.
O ⩽m O
Rb-Base
O1 ⩽ O2 O ′1 ⩽m O2
O1, reboot,O ′1 ⩽m O2
Rb-Ind
O1 ⩽m O2
O1 ⩽mc O2
Cp-Base
O1 ⩽m O2 O ′1 ⩽mc O ′2
O1, checkpoint,O ′1 ⩽mc O2, checkpoint,O ′2
Cp-Ind
We write CP(Σ) to mean that the first instruction in Σ is checkpoint. We write σ −→∗ CP to
denote the trace from σ to the nearest checkpoint. We write Σ =⇒∗ CP to denote the trace from Σ
to the nearest checkpoint.
Definition 9 (Relating memories at the same execution point). N0,V0, c, c ′ ⊢ N1 ∼ N2 iff
dom(N1) = dom(N2), and let T1 = (N0,V0, c) −→∗ (N1,V ′, c ′), T2 = (N1,V ′, c ′) −→∗ CP, where T1
does not contain checkpoints, ∀loc ∈ N1 s.t. N1(loc) , N2(loc), loc ∈ Wt(T2) ∩ FstWt(T1 · T2) and
loc < WT (T1).
Foundations of Intermittent Computing 33
Definition 10 (Relating memories between current and initial execution point). N0,N ,V , c ⊢ N1 ∼
N2 iff dom(N1) = dom(N2), N0 ⊆ N2, ∀loc ∈ N1 s.t. N1(loc) , N2(loc), loc ∈ FstWt(T ) ∪ dom(N0),
where T = (N ,V , c) −→∗ CP.
Definition 11 (Related configurations). N ⊢ (κ,N1,V1, c1) ∼ (N2,V2, c2) iffκ = (N0,V0, c0),N0 ⊆ N ,
N ,V0, c0, c1 ⊢ N1 ∼ N2, V1 = V2, and c1 = c2.
Definition 12 (Erased configuration). (κ,N ,V , c)− = (N ,V , c)
Lemma 13. If N ,N1,V0, c0 ⊢ N1 ∼ N2, N ⊆ N1 and N ⊆ N2 then N1,V0, c0, c0 ⊢ N1 ∼ N2.
Proof. By examining the two relations. □
C.2 Correctness Proofs
The Correctness Theorem for intermittent systems without Inputs follows from the following
Lemma.
Lemma 14 (Correctness). If (κ,N ,V , c)
O1
=⇒∗ Σ, κ = (N0,V , c), N0 ⊆ N , and N0, ∅, ∅ ⊩ c : ok then
∃O2,σ s.t.
(1) (N ,V , c)
O2−→∗ σ and N ⊢ Σ ∼ σ and
(2) ∀T ′ = Σ O=⇒∗ Σ′, CP(Σ′), and T ′ does not contain checkpoints or reboots implies σ O−→∗
(Σ′)−and O1,O ⩽mc O2,O .
Proof. By induction on the number of checkpoints in O1.
Base case: O1 does not include any checkpoint, directly apply Lemma 16.
Inductive case: O1 contains k + 1 checkpoints where k ≥ 0
By assumption,
(1) T = (κ,N ,V , c)
O1
=⇒∗ (κ,N1,V1, checkpoint(ω); c1)
checkpoint
=⇒ Σ′
O2
=⇒∗ Σ′′,
where O1 does not contain checkpoints
By Lemma 16
(2) (N ,V , c)
O ′1−→∗ (N1,V1, checkpoint(ω); c1) and O1 ⩽m O ′1
By CP-CheckPoint and (1)
(3) Σ′ = (κ1,N1,V1, c1) where κ1 = (N1 |ω ,V1, c1)
By CheckPoint and (2)
(4) (N1,V1, checkpoint(ω); c1)
checkpoint−→ (N1,V1, c1)
By N0, ∅, ∅ ⊩ c : ok and Lemma 15
(5) existsW ′.R′ s.t. N0,W ′,R′ ⊨ checkpoint(ω); c1 : ok
By inversion of (5)
(6) ω, ∅, ∅ ⊩ c1 : ok
By I.H. on the tail of T , (3), and (6)
(7) (N1,V1, c1)
O ′2−→∗ σ ′′ and Σ′′ ∼ σ ′′ and
(8) and Σ′′
O3
=⇒∗ (κ ′′′,N ′′′,V ′′′, checkpoint(ω ′); c ′′′) implies
σ ′′
O3−→∗ (N ′′′,V ′′′, checkpoint(ω ′); c ′′′), and O2,O3 ⩽mc O ′2,O3.
By (2) and (8) and Cp-Ind
(9) O1, checkpoint,O2,O3 ⩽mc O ′1, checkpoint,O ′2,O3
By connection of the executions the conclusion holds
34 Milijana Surbatovich, Limin Jia, and Brandon Lucia
□
Lemma 15. If N0,W ,R ⊩ c : ok and (N ,V , c)
O
−→∗ (N ′,V ′, c ′), and O does not contain checkpoints,
then ∃W ′, R′ s.t. N0,W ′,R′ ⊩ c ′ : ok.
Proof (sketch). By induction over the derivation N0,W ,R ⊩ c : ok. □
Lemma 16 (One checkpoint, multiple failures). IfT = (κ,N1,V , c)
O1
=⇒∗ Σ whereT does not execute
checkpoint, κ = (N0,V , c), N0 ⊆ N1, N0 ⊆ N2, and N0,N1,V , c ⊢ N1 ∼ N2 and N0, ∅, ∅ ⊩ c : ok then
• ∃O2,σ s.t. (N2,V , c)
O2−→∗ σ and N1 ⊢ Σ ∼ σ and
• ∀T ′ = Σ O=⇒∗ Σ′ where Σ′ = (κ ′,N ′,V ′, checkpoint(ω); c ′) andT ′ does not contain checkpoints
or reboots implies σ
O
−→∗ (Σ′)−, and O1,O ⩽m O2,O .
Proof. By induction on the number of reboots in O1.
Base case: O1 does not include any reboot, first apply Lemma 13 to show N1,V , c, c ⊢ N1 ∼ N2;
then directly apply Lemma 21 and Lemma 22.
Inductive case: O1 contains k + 1 reboots where k ≥ 0
By assumption
(1) T = (κ,N1,V , c)
O ′1
=⇒∗ (κ,N ′1,V1, reboot(ω))
reboot
=⇒ Σ′
O ′′1
=⇒∗ Σ′′,
and O ′1 does not contain reboots or checkpoints
Use Lemma 17 to bring the relation of non-volatile memories to satisfy the precondition after reboot.
By assumption N0,N1,V , c ⊢ N1 ∼ N2
By Lemma 17
(2) N0,V , c ⊢ N ′1 ∼ N2. It follows that N0,V , c ⊢ N ′1 ◁ N0 ∼ N2
By CP-Reboot and (1)
(3) Σ′ = (κ,N ′1 ◁ N0,V , c)
By I.H. on the tail of T
(4) exists O2 and σ s.t. (N2,V , c)
O2−→∗ σ and Σ′′ ∼ σ
(5) Σ′′
O
=⇒∗ (κ ′,N ′,V ′, checkpoint(ω); c ′)
implies σ
O
−→∗ (N ′,V ′, checkpoint(ω); c ′) and O ′′1 ,O ⩽m O2,O
Next, we reuse the proof of the base case to show O ′1 ⩽ O2,O
By (1) and expanding the first part of T
(6) T = (κ,N1,V , c)
O ′1
=⇒∗ Σf =⇒ (κ,N ′1,V1, reboot())
By assumption that configurations can always make progress
(7) exists Of s.t. Σf
Of
=⇒∗ (κ ′f ,N ′f ,V ′f , checkpoint(ω); c ′f )
By the base case proof
(8) exists O ′2 s.t. (N2,V , c)
O ′2−→∗ (N ′f ,V ′f , checkpoint(ω); c ′f ) and O ′1,Of ⩽ O ′2
By the semantics are deterministic, (8) and (4), (5)
(9) O ′2 = O2,O
By (8), (9) and the definition of ⩽
(10) O ′1 ⩽ O2,O
By (5) and (10) and Rb-Ind
Foundations of Intermittent Computing 35
(11) O ′1, reboot,O ′′1 ,O ⩽m O2,O
By (5), (11) the conclusion holds.
□
Lemma 17 (Partial run relates to initial state (Multi-steps)). IfT = (κ,N1,V , c0)
O
=⇒∗ (κ,N ′1,V ′, c),
T does not execute checkpoint or reboot,N0; ∅; ∅ ⊩ c0 : ok,κ = (N0,V , c0), andN0,N1,V , c0 ⊢ N1 ∼ N2
then N0,N1,V , c0 ⊢ N ′1 ∼ N2.
Proof. By induction over the length of T . The base case is trivial. The inductive case uses I.H.
and Lemma 20. □
Lemma 18 (Relating syntactic and semantic read). If E :: N0;W0;R0 ⊩ c0 : ok, and T =
(N1,V0, c0) −→∗ (N ,V , c), T does not contain any checkpoints then N0;Wt(T ) ∪W0;Rd(T ) ∪ R0 ⊩ c :
ok.
Proof (sketch). Induction over the derivation E. □
Lemma 19 (Writes are either First Writes or Checkpointed). If N0; ∅; ∅ ⊩ c0 : ok, let Tc be a trace
from c0 to the nearest checkpoint: Tc = T0 · (N ,V ,x := e; c1)
O
−→∗ (N ′,V ′, checkpoint(ω); c ′) then
x ∈ FstWt(Tc ) ∪ N0
Proof. By induction over the number of writes to x in T0
Base case: T0 does not contain any writes to x
We consider two subcases: (I) x ∈ RD(T0) ∪ rd(e) and (II) x < RD(T0) ∪ rd(e)
Subcase (I) x ∈ RD(T0) ∪ rd(e),
By Lemma 18
(1) E ′ :: N0;Wt(T0);Rd(T0) ⊩ x := e; c1 : ok, and
By inversion of E ′, assumption that x <Wt(T0) and (1), x ∈ N0
Subcase (II) x < RD(T0) ∪ rd(e)
By definition of FstWt, x ∈ FstWt(Tc )
Inductive case: T0 contains n + 1 writes to x
By assumptions
(1) T0 = T1 · (N ,V ,x := e; c2)
O1−→∗ (N ,V ,x := e; c1)
By I.H. on T1, the conclusion holds.
□
Lemma 20 (Partial run relates to initial state (One step)). If all of the following hold
• T = (κ,N ,V , c) o=⇒ (κ,N ′,V ′, c ′), where κ = (N0,V0, c0),
• o is not checkpoint or reboot,
• N0; ∅; ∅ ⊩ c0 : ok,
• T0 = (N1,V0, c0) −→∗ (N ,V , c), T0 does not contain any checkpoints,
• N0,N1,V0, c0 ⊢ N ∼ N2
then N0,N1,V0, c0 ⊢ N ′ ∼ N2.
Proof. We case on T . We only show the cases where non-volatile memory is updated; as the
conclusion trivially hold in other cases.
Case T ends in a variable assignment (when x := e is the last instruction, c1 = skip)
36 Milijana Surbatovich, Limin Jia, and Brandon Lucia
By assumption
(1) (κ,N ,V ,x := e; c1)
[r ]
=⇒ (κ,N [x 7→ v],V , c1)
x ∈ dom(N ), and N ,V ⊢ e ⇓r v
(2) N0; ∅; ∅ ⊩ c0 : ok
Let Tc be a trace from c0 to the nearest checkpoint
(3) Tc = (N1,V0, c0) −→∗ (N ′,V ′, checkpoint(ω); c ′)
By the semantic rules are deterministic
(4) Tc = T0 · (N ,V ,x := e; c1) [r ]−→ (κ,N [x 7→ v],V , c1) −→∗ (N ′,V ′, checkpoint(ω); c ′)
We only need to show that x ∈ FstWt(Tc ) ∪ N0.
By Lemma 19, x ∈ FstWt(Tc ) ∪ N0.
Case T ends in array assignment
By assumption
(1) (κ,N ,V ,a[e] := e ′; c1)
[r,r ′]
=⇒ (κ,N [a[v] 7→ v ′],V , c1)
N ,V ⊢ e ⇓r v and N ,V ⊢ e ′ ⇓r ′ v ′
(2) N0; ∅; ∅ ⊩ c0 : ok
Let Tc be a trace from c0 to the nearest checkpoint
(3) Tc = (N1,V0, c0) −→∗ (N ′,V ′, checkpoint(ω); c ′)
By the semantic rules are deterministic
(4) Tc = T0 · (N ,V ,a[e] := e ′; c1) [r,r
′]−→ (κ,N [a[v] 7→ v],V , c1) −→∗ (N ′,V ′, checkpoint(ω); c ′)
We only need to show that a[v] ∈ FstWt(Tc ) ∪ N0.
We consider two subcases: (I) a[v] ∈ RD(T0) ∪ rd(e) ∪ rd(e ′) and (II) a[v] < RD(T0) ∪ rd(e) ∪ rd(e ′)
Subcase (I) a[v] ∈ RD(T0) ∪ rd(e) ∪ rd(e ′)
By Lemma 18 and (2) and (4)
(5) ∃W and R s.t. E ′ :: N0;W ;R ⊩ a[e] := e ′; c1 : ok, and
(6) RD(T0) ⊆ R
By inversion of E ′ and (6), a ∈ N0
Subcase (II) a[v] < RD(T0) ∪ rd(e) ∪ rd(e ′)
By definition of FstWt, a[v] ∈ FstWt(Tc )
□
Lemma 21 (One failure). If
• T = (κ,N1,V , c)
O
=⇒∗ (κ,N ′1,V ′, c ′), T does not execute checkpoint or reboot,
• κ = (N0,V0, c0), and
• T0 = (N ,V0, c0) −→∗ (N1,V , c), T0 does not contain any checkpoints,
• N ,V0, c0, c ⊢ N1 ∼ N2
then (N2,V , c)
O
−→∗ (N ′2,V ′, c ′), and N ,V0, c0, c ′ ⊢ N ′1 ∼ N ′2 .
Proof. By induction over the length of T , apply Lemma 23. □
Lemma 22 (related NV step to equal NV by checkpoint). If T = (κ,N1,V , c)
O
=⇒∗ Σ′, CP(Σ′) and
T does not execute checkpoint or reboot, κ = (N0,V0, c0), T0 = (N ,V0, c0) −→∗ (N1,V , c), T0 does not
contain any checkpoints, and N ,V0, c0, c ⊢ N1 ∼ N2, then (N2,V , c)
O
−→∗ Σ′−.
Proof. By induction over the length of T .
Foundations of Intermittent Computing 37
Base case: |T | = 0
By assumption
(1) c = checkpoint(ω); c ′
(2) ∀loc ∈ N1 s.t. N1(loc) , N2(loc), loc ∈ Wt(∅) ∩ FstWt(T0) and loc < WT (T0)
By (2), there is no loc
(3) N1 = N2
The continuous powered execution also takes 0 steps and the conclusion holds
Inductive case:
By assumption
(1) T = (κ,N1,V , c) o=⇒ (κ,N ′1,V1, c1)
O
=⇒∗ (κ,N ′,V ′, checkpoint(ω); c ′),
By Lemma 23
(2) (N2,V , c) o−→ (N ′2,V1, c1) and N ,V0, c0, c1 ⊢ N ′1 ∼ N ′2 .
By I.H. on the tail of T
(3) (N ′2,V1, c1)
O
−→∗ (N ′,V ′, checkpoint(ω); c ′)
By (2) and (3)
The conclusion holds
□
Lemma 23 (related NV step to related NV). If T = (κ,N1,V , c) o=⇒ (κ,N ′1,V ′, c ′), and T does not
execute checkpoint or reboot, κ = (N0,V0, c0), T0 = (N ,V0, c0) −→∗ (N1,V , c), T0 does not contain any
checkpoints, and V0, c0, c ⊢ N1 ∼ N2, then (N2,V , c) o−→ (N ′2,V ′, c ′) and N ,V0, c0, c ′ ⊢ N ′1 ∼ N ′2 .
Proof. By examining the structure of T .
Case: T ends in CP-Skip rule.
By assumption
(1) T = (κ,N1,V , skip; c) =⇒ (κ,N1,V , c) and
(2) κ = (N0,V0, c0), and V0, c0, (skip; c) ⊢ N1 ∼ N2
By Skip rule
(3) (N2,V , skip; c) −→ (N2,V , c)
By (2) and skip does not write to store
(4) N ,V0, c0, c ⊢ N1 ∼ N2
Case: T ends in CP-Seq rule and uses CP-NV-Assign or ends in CP-NV-Assign rule. The proof for
both of these two cases are the same except that in the latter, the resulting command is skip.
By assumption
(1) T = (κ,N1,V ,x := e; c)
[r1]
=⇒ (κ,N1[x 7→ v1],V , c) and
(2) N1;V ⊢ e ⇓r1 v1 and
(3) κ = (N0,V0, c0) and V0, c0, (x := e; c) ⊢ N1 ∼ N2
By CP-NV-Assign rule
(4) (N2,V ,x := e; c) [r2]−→ (N2[x 7→ v2],V , c) and
(5) N2;V ⊢ e ⇓r2 v2
By Lemma 24 and Lemma 25
(6) v1 = v2 and r1 = r2
By (3) and (6)
(7) N ,V0, c0, c ⊢ N1[x 7→ v1] ∼ N2[x 7→ v2]
Case: T ends in CP-Seq rule and uses CP-Arr-Assign rule or ends in CP-Arr-Assign rule.
38 Milijana Surbatovich, Limin Jia, and Brandon Lucia
By assumption
(1) T = (κ,N1,V ,a[e ′] := e; c)
[r ′1,r1]
=⇒ (κ,N1[(a[v ′1]) 7→ v1],V , c) and
(2) N1;V ⊢ e ⇓r1 v1 and N1;V ⊢ e ′ ⇓r ′1 v ′1
(3) κ = (N0,V0, c0) and V0, c0, (a[e ′] := e; c) ⊢ N1 ∼ N2
By CP-Ary-Assign rule
(4) (N2,V ,a[e ′] := e; c)
[r ′2,r2]−→ (N2[(a[v ′2]) 7→ v2],V , c) and
(5) N2;V ⊢ e ′ ⇓r ′2 v ′2 andN2;V ⊢ e ⇓r2 v2
By Lemma 24 and Lemma 25
(6) v1 = v2 and v ′1 = v ′2 and r1 = r2 and r ′1 = r ′2
By (3) and (6)
(7) N ,V0, c0, c ⊢ N1[a[v ′1] 7→ v1] ∼ N2[a[v ′2] 7→ v2]
Case: T ends in CP-Seq rule and uses CP-V-Assign rule or ends in CP-V-Assign rule.
By assumption
(1) T = (κ,N1,V ,x := e; c)
[r1]
=⇒ (κ,N1,V [x 7→ v1], c) and N1;V ⊢ e ⇓r1 v1
(2) κ = (N0,V0, c0), and V0, c0, (x := e; c) ⊢ N1 ∼ N2
By CP-V-Assign rule
(3) (N2,V ,x := e; c) [r2]−→ (N2,V [x 7→ v2], c) and N2;V ⊢ e ⇓r2 v2
By Lemma 24 and Lemma 25
(4) v1 = v2 and r1 = r2
By (4), V [x 7→ v1] = V [x 7→ v2]
By (2) and CP-V-Assign does not write to non-volatile store
(4) N ,V0, c0, c ⊢ N1 ∼ N2
Case: T ends in CP-If-T rule.
By assumption
(1) T = (κ,N1,V , if e then c1 else c2)
[r1]
=⇒ (κ,N1,V , c1) and N1,V ⊢ e ⇓r1 true and
(2) κ = (N0,V0, c0), and V0, c0, if e then c1 else c2 ⊢ N1 ∼ N2
Let’s assume
(3) N2,V ⊢ e ⇓r2 v
By Lemma 24 and Lemma 25
(4) v = true and r1 = r2
By CP-If-T rule and (4)
(5) (N2,V , if e then c1 else c2) [r2]−→ (N2,V , c1)
By (5) and CP-If-T doesn’t write to storage
(6) N ,V0, c0, c1 ⊢ N1 ∼ N2
Case: T ends in CP-If-F rule. Similar to the previous case.
□
Lemma 24. If T = (N ,V0, c0) −→∗ (N1,V ′, ι; c), T does not execute checkpoint, N ,V0, c0, (ι; c) ⊢
N1 ∼ N2 where ι , checkpoint, and loc ∈ rd(ι) ∩ N1, then N1(loc) = N2(loc).
Proof. We assume that N1(loc) , N2(loc) then derive a contradiction.
By assumption,
(1) N1(loc) , N2(loc) and V0, c0, (ι; c) ⊢ N1 ∼ N2.
By definition 9
Foundations of Intermittent Computing 39
(2) T2 = (N1,V ′, ι; c) −→∗ (N ′′,V ′′, checkpoint(ω); c ′′), where T2 do not contain checkpoints,
∀x ∈ N1 s.t. N1(x) , N2(x), x ∈ Wt(T2) ∩ FstWt(T ·T2) and x < WT (T ).
By (1) and (2)
(3) loc ∈ Wt(T2) ∩ FstWt(T ·T2) and loc < WT (T ).
By loc ∈ rd(ι), loc < WT (T ), and the definition of FstWt
(4) loc < FstWt(T ·T2)
(3) and (4) derive a contradiction, so the conclusion holds.
□
Lemma 25. If ∀loc ∈ rd(e), N1 ∪V1(loc) = N2 ∪V2(loc), and N1,V1 ⊢ e ⇓r1 v1 N2,V2 ⊢ e ⇓r2 v2 then
r1 = r2 and v1 = v2.
Proof. By induction over the structure of e . □
D CHECKPOINTING VARIANTS
D.1 Idempotent Regions
An alternative to logging is to place checkpoints so that all operations in an inter-checkpoint region
safely re-execute. One strategy previously used for intermittent system Ratchet is to break WAR
dependences by inserting a checkpoint before the WAR’s write. The idea is to rewrite a program
without checkpoints into one with a checkpoint instruction that has an empty ω (i.e., checkpoint( ))
at a subset of program locations. We define the rewriting rules of the form:W ;R ⊩ c −→: c ′ , where
W and R is the variables written and respectively read from the beginning of the program to c . c is
rewritten into c ′.
W ;R ⊩ c −→ c ′
R′ = R ∪ rd(e) x < R′ W ∪ x ;R′ ⊩ c −→ c ′
W ;R ⊩ x := e; c −→ x := e; c ′ R-WAR-Written
x ∈ R x <W x < rd(e) x ; rd(e) ⊩ c −→ c ′
W ;R ⊩ x := e; c −→ checkpoint();x := e; c ′ R-WAR-Cp-Simple
R′ = R ∪ rd(e)
x ∈ R x <W x ∈ rd(e) fresh(x ′) x ;x ′ ⊩ c −→ c ′
W ;R ⊩ x := e; c −→ x ′ := e; checkpoint();x := x ′; c ′ R-WAR-Cp-Split
R′ = R ∪ rd(e) x ∈ R′ x ∈W W ;R′ ⊩ c −→ c ′
W ∪ {x};R ⊩ x := e; c −→ x := e; c ′ R-WAR-WriteDom
R′ = R ∪ rd(e) ∪ rd(e ′) a < R′ W ∪ a;R′ ⊩ c −→ c ′
W ;R ⊩ a[e ′] := e; c −→ a[e ′] := e; c ′ R-WAR-Written-Arr
R′ = rd(e) ∪ rd(e ′) a ∈ R a < R′ a;R′ ⊩ c −→ c ′
W ;R ⊩ a[e ′] := e; c −→ checkpoint();a[e ′] := e; c ′ R-WAR-Cp-Arr-Simple
40 Milijana Surbatovich, Limin Jia, and Brandon Lucia
R′ = rd(e) ∪ rd(e ′) a ∈ R′ fresh(x ,y) a; {x ,y} ⊩ c −→ c ′
W ;R ⊩ a[e ′] := e; c −→ x := e;y := e ′; checkpoint();a[y] := x ; c ′ R-WAR-Cp-Arr-Split
R′ = R ∪ rd(e) W ;R′ ⊩ c1 −→ c ′1 W ;R′ ⊩ c2 −→ c ′2
W ;R ⊩ if e then c1 else c2 −→ if e then c ′1 else c ′2
WAR-If
Lemma 26. IfW ;R ⊩ c −→ c ′ then ∅;W ;R ⊩WAR c ′ : ok
Proof (sketch). By induction over the structure of the rewriting derivation. □
D.2 JIT Checkpointing
Just-In-Time (JIT) checkpointing system relies on the runtime to detect low power and then the
system checkpoints the volatile memory and program to be executed on the spot. We model such
a system based on Hibernas. The tricky part is to deal with situations where the checkpointing
action fails due to powerfailure. Hibernas implements a flag, indicating whether the checkpoint
has succeeded. We model it using the checkpoint context κ as follows.
context κ ::= fail | success(V , c)
The context can either be fail, which means that the checkpoint did not complete; or success(V , c),
meaning the checkpoint is successful and the volatile memory and the command at the checkpoint
is V and c respectively.
The powerfail, reboot, and checkpoint rules are defined below.
(τ ,κ,N ,V , c) −→ (τ ′,κ ′,N ′,V ′, c ′)
PowerLow
(τ ,κ,N ,V , c) −→ (τ + 1,κ,N ,V , checkpoint(); c) JIT-LowPower
pick(n)
(τ ,κ,N ,V , checkpoint(); c) −→ (τ + 1, success(V , c),N ,V , reboot(n)) JIT-CP-Success
pick(n)
(τ ,κ,N ,V , checkpoint(); c) −→ (τ + 1, fail,N ,V , reboot(n)) JIT-CP-Fail
(τ , success(V , c),N ,V ′, reboot(n)) −→ (τ + n, success(V , c),N ,V , c) JIT-Restore
(τ , fail,N ,V ′, reboot(n)) −→ (τ + n, fail,N0, reset(V ), c0)
JIT-Restart
When power is low (JIT-LowPower), a checkpoint is inserted. Rule JIT-CP-Success applies when
the checkpoint instruction completes. Rule JIT-CP-Fail applies when the checkpoint instruction
fails due to power failure. Upon reboot, if the checkpoint was a success, the volatile memory and
command are restored (JIT-Restore); otherwise, the system starts from its initial state.
The correctness proof of JIT is much simpler as the JIT checkpoints allow the system to continue
at the exact point of power failure (no roll back at all). The only somewhat interesting case is the
restart. The correctness requires the system start from the initial state. For embedded systems, this
requires the initial memory N0 to be rewritten, which was not mentioned in the Hibernas.
Foundations of Intermittent Computing 41
D.3 Undo Logging
An undo logging system stores a potentially inconsistent location’s value into a log immediately
before the first write to that location. Upon reboot after a power failure, the log is applied to the
non-volatile memory, and thus the system rolls back (undoes) the effects of the failed intermittent
execution. Our basic checkpoint-based model (i.e., DINO) is a conservative, static form of undo
logging, which stores all initial values to the context κ at checkpoint time, rather than on-demand
when a write is encountered.
Syntax andOperational Semantics The undo logging context, denotedκUL, additionally includes
a log L, residing in non-volatile memory, a list of already-logged locations LL, and the list of
locations that will need to be logged ω.
log L : M
logged locations LL ::= · | LL, loc
context κUL ::= (L,V , c,ω, LL)
We summarize the semantics for undo-logging below.
(κUL,N ,V , c) =⇒UL (κ ′UL,N ′,V ′, c ′)
(κUL,N ,V , c) =⇒UL (κUL,N , reset(V ), reboot())
UL-PowerFail
((L ′,V ′, c ′,ω ′, LL),N ,V , checkpoint(ω); c) checkpoint=⇒ UL ((∅,V , c,ω, ∅),N ,V , c)
UL-Commit
((L,V , c,ω, LL),N ,V ′, reboot()) reboot=⇒ UL ((∅,V , c,ω, ∅),N ◁ L,V , c)
UL-Reboot
x ∈ ω x < LL N ,V ⊢ e ⇓r v
((L,Vc , cc ,ω, LL),N ,V ,x := e)
[r ]
=⇒UL ((L[x 7→ N (x)],Vc , cc ,ω, LL ∪ {x}),N [x 7→ v],V , skip)
UL-NV-Log
x ∈ dom(N ) (x < ω ∨ x ∈ LL) N ,V ⊢ e ⇓r v
(κUL,N ,V ,x := e)
[r ]
=⇒UL (κUL,N [x 7→ v],V , skip)
UL-NV-Assign
x ∈ dom(V ) N ,V ⊢ e ⇓r v
(κUL,N ,V ,x := e)
[r ]
=⇒UL (κUL,N ,V [x 7→ v], skip)
UL-V-Assign
a ∈ ω a[v] < LL N ,V ⊢ e ⇓r v N ,V ⊢ e ′ ⇓r ′ v ′
((L,Vc , cc ,ω, LL),N ,V ,a[e] := e ′)
[r,r ′]
=⇒UL
((L[a[v] 7→ N (a[v])],Vc , cc ,ω, LL ∪ {a[v]}),N [a[v] 7→ v ′],V , skip)
UL-Arr-Log
(a < ω ∨ a[v] ∈ LL) N ,V ⊢ e ⇓r v N ,V ⊢ e ′ ⇓r ′ v ′
(κUL,N ,V ,a[e] := e ′)
[r,r ′]
=⇒UL (κUL,N [a[v] 7→ v ′],V , skip)
UL-Arr-Assign
42 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(κUL,N ,V , ι) o=⇒UL (κUL,N ′,V ′, skip)
(κUL,N ,V , ι; c) o=⇒UL (κUL,N ′,V ′, c)
UL-Seq
N ,V ⊢ e ⇓r true
(κUL,N ,V , if e then c1 else c2)
[r ]
=⇒UL (κUL,N ,V , c1)
UL-If-T
N ,V ⊢ e ⇓r false
(κUL,N ,V , if e then c1 else c2)
[r ]
=⇒UL (κUL,N ,V , c2)
UL-If-F
The UL-Checkpoint rule is analogous to the CP-Checkpoint rule. The rule updates ω to ω ′
in the context, and clears L and LL. The execution fills the log with values to roll back on reboot.
The UL-NV-Log rule applies to the first assignment to a variable in ω since the last checkpoint.
The current value of the assigned location is written to the log, the location is added to the logged
list, and non-volatile memory is updated with the new value. On rebooting, the UL-Reboot rule
applies the log to non-volatile memory, reverting changes to a subset of variables in ω. The log and
logged list are again reset, and the program starts to re-execute the command stored in the context.
In contrast, the UL-NV-Assign rule simply updates non-volatile memory, applying to subsequent
(i.e., non-first) assignments of variables in ω and to assignments of variables not in ω. Variables
already in the log don’t need any extra tracking because on reboot their values will correctly revert
to whatever they were at the last checkpoint.
Assignments to arrays follow the same pattern as assignments to non-volatile memory. Unlike
the basic checkpointing system, which adds the entire array to ω if any array element could be
involved in WAR dependence, undo logging can more precisely handle arrays by adding a single
array element to the log dynamically at the write operation. avoiding checkpointing the entire array
at potentially high checkpointing time cost.
Equivalence to basic checkpoint systemWe define a binary relation between basic checkpoint
and undo-logging state, written Σ↬ ΣUL, as follows. We then prove it’s a bisimulation relation.
Σ = (κ,N ,V , c) ΣUL = (κUL,Nu ,Vu , cu ) κ = (Nc ,Vc , cc )
κUL = (L,Vc , cc ,ω, LL) c = cu N = Nu V = Vu ω = dom(Nc )
LL = dom(L) ∀loc ∈ LL,L(loc) = Nc (loc) ∀loc ∈ ω\LL,Nu (loc) = Nc (loc)
Σ↬ ΣUL
The key idea is that the log L is a subset of the checkpointed data Nc , and, for any location in
ω that is not yet logged, its checkpointed value (Nc (loc)) is the same as its value in non-volatile
memory of the undo log system (Nu (loc)). The last property holds because the location is unwritten
if it is not yet logged.
The equivalence proofs need to show that after a reboot, the non-volatile memories are equal,
even though a reboot on the basic system results N ◁ Nc and the undo-logging system results in
Nu ◁ L. The log is always a subset of the checkpointed memory so all locations in Nc ∩ L will
match after the application. Any checkpointed locations not in the log have not been updated yet,
so their value in Nu matches their value in the checkpointed set, and so the two memories are
equal after a reboot.
Lemma 27 (Undo logging simulates basic check point system). Σ↬ ΣUL and Σ
o1
=⇒ Σ′ then ∃Σ′UL
s.t. ΣUL
o2
=⇒UL Σ′UL and Σ′ ↬ Σ′UL and o1 = o2.
Foundations of Intermittent Computing 43
Proof. By induction over E :: Σ o1=⇒ Σ′
Cases: E ends in CP-Skip, CP-V-Assign, CP-If-T CP-If-F rule. The non-volatile memory and
checkpointed data is not altered. The undo logging system takes corresponding UL-Skip,
UL-V-Assign, UL-If-T UL-If-F to reach a related configuration.
Case: E ends in CP-Seq rule. We apply I.H. directly.
Case: E ends in CP-NV-Assign rule
By assumption
(1) Σ↬ ΣUL
By CP-NV-Assign rule
(2) ((Nc ,Vc , cc ),N ,V ,x := e)
[r ]
=⇒ ((Nc ,Vc , cc ),N [x 7→ v],V , skip)
(3) N ,V ⊢ e ⇓r v
We consider two subcases: (I) x < ω or x ∈ L and (II) x ∈ ω and x < L
Subcase (I) x < ω or x ∈ L
By UL-Assign rule
(I1) (κUL,Nu ,Vu ,x := e)
[ru ]
=⇒UL (κUL,Nu [x 7→ vu ],Vu , skip)
(I2) Nu ,Vu ⊢ e ⇓r ′ vu
By assumption
(I3) Nu = N and Vu = V
By expression evaluation is deterministic
(I4) v = vu , r = ru ,
By (I3) and (I4)
(I5) N [x 7→ v] = Nu [x 7→ vu ]
By (I5) and Volatile memory and log do not change, Σ′ ↬ Σ′UL
Subcase (II) x ∈ ω and x < L
By UL-NV-Log rule
(II1) ((L,Vc , cc ,ω,L),Nu ,Vu ,x := e)
[ru ]
=⇒UL ((L[x 7→ Nu (x)],Vc , cc ,ω,L ∪ x),Nu [x 7→ vu ],Vu , skip)
(II2) Nu ,Vu ⊢ e ⇓ru vu
By assumption that Σ↬ ΣUL
(II3) N = Nu and Vu = V
By (II3)
(II4) v = vu , r = ru ,
By (II3) and (II4)
(II5) N [x 7→ v] = Nu [x 7→ vu ]
By assumption that Σ↬ ΣUL
(II6) Nu (x) = Nc (x)
By (II6)
(II7) (L[x 7→ Nu (x)])(x) = Nc (x)
By (II5) and (II) and other parts of the log and volatile memories do not change, Σ′ ↬ Σ′UL
Case: E ends in CP-Assign-Arr rule
By assumption
(1) Σ↬ ΣUL
By CP-Assign-Arr rule
(2) ((Nc ,Vc , cc ),N ,V ,a[e] := e ′)
[r,r ′]
=⇒ ((Nc ,Vc , cc ),N [a[v] 7→ v ′],V , skip)
(3) N ,V ⊢ e ⇓r v
44 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(4) N ,V ⊢ e ′ ⇓r ′ v ′
We consider two subcases: and (I) a < ω or a[v] ∈ LL or (II) a ∈ ω
Subcase (I) a < ω or a[v] ∈ LL
By UL-Arr-Assign rule
(I1) (κUL,Nu ,Vu ,a[e] := e ′)
[ru ,r ′u ]
=⇒ UL (κUL,Nu [a[vu ] 7→ v ′u ],Vu , skip)
(I2) Nu ,Vu ⊢ e ⇓ru vu
(I3) Nu ,Vu ⊢ e ′ ⇓r ′u v ′u
By assumption that Σ↬ ΣUL
(I4) Nu = N and Vu = V
By expression evaluation is deterministic
(I5) vu = v and v ′u = v ′ and ru = r and r ′u = r ′
By (I4) and (I5)
(I6) N [a[v] 7→ v ′] = Nu [a[vu ] 7→ v ′u ]
By (I6) and volatile memories and log do not change, Σ′ ↬ Σ′UL
Subcase (II) a ∈ ω and a[v] < LL
(II1) Nu ,Vu ⊢ e ⇓ru vu
(II2) Nu ,Vu ⊢ e ′ ⇓r ′u v ′u
By assumption that Σ↬ ΣUL,
(II3) N = Nu and V = Vu
By expression evaluation is deterministic
(II4) vu = v and v ′u = v ′ and ru = r and r ′u = r ′
By UL-Arr-Log rule
(II5) ((L,Vc , cc ,ω, LL),Nu ,Vu ,a[e] := e ′)
[ru ,r ′u ]
=⇒ UL ((L[a[vu ] 7→ Nu (a[vu ])],Vc , cc ,ω, LL ∪ a[vu ]),Nu [a[vu ] 7→ v ′u ],Vu , skip)
By (II3) and (II4)
(II6) N [a[v] 7→ v ′] = Nu [a[vu ] 7→ v ′u ]
By assumption that Σ↬ ΣUL
(II7) Nu (a[vu ]) = Nc (a[vu ])
By (II7)
(II8) L[a[vu ] 7→ Nu (a[vu ])](a[vu ]) = Nc (a[vu ])
By (II6) and (II8) and other parts of the log and volatile memories do not change, Σ′ ↬ Σ′UL
Case: E ends in CP-Checkpoint rule
By assumption
(1) Σ↬ ΣUL
By CP-Checkpoint rule
(2) ((Nc ,Vc , cc ),N ,V , checkpoint(ω; c))
checkpoint
=⇒ ((N |ω ,V , c),N ,V , c)
By UL-Commit rule
(3) ((L,Vc , cc ,ω ′, LL),Nu ,Vu , checkpoint(ω); c)
checkpoint
=⇒ UL ((∅,Vu , c,ω, ∅),Nu ,Vu , c)
By assumption and memory doesn’t change
(4) N = Nu and V = Vu
By (2), (3) and (4)
(5) ∀loc ∈ ω,Nu (loc) = N |ω (loc)
By (5), memories do not change, and observation is the same, Σ′ ↬ Σ′UL
Case: E ends in CP-reboot rule
By assumption
Foundations of Intermittent Computing 45
(1) Σ↬ ΣUL
By CP-reboot rule
(2) ((Nc ,Vc , cc ),N ,V , reboot()) reboot=⇒ ((Nc ,Vc , cc ),N ◁ Nc ,Vc , cc )
By UL-reboot rule
(3) ((L,Vc , cc ,ω, LL),Nu ,Vu , reboot()) reboot=⇒ UL ((∅,Vc , cc ,ω, ∅),Nu ◁ L,Vc , cc )
By assumption that Σ↬ ΣUL
(4) Nu = N and Vu = V
(5) ∀loc ∈ LL,L(loc) = Nc (loc) and LL = dom(L)
(6) ∀loc ∈ ω\LL,Nu (loc) = Nc (loc)
T.S. that Nu ◁ L = N ◁ Nc
By (5)
(7) ∀loc : loc ∈ L ∧ loc ∈ ω ⇒ Nu ◁ L(L) = N ◁ Nc (loc)
By (6)
(8) ∀loc : loc < L ∧ loc ∈ ω ⇒ Nu (loc) = Nc (loc)
By (7) and (8)
(9) Nu ◁ L = N ◁ Nc
By (9), ω ∈ dom(Nc ) and volatile memories do not change
(11) Σ′ ↬ Σ′UL
□
Lemma 28 (Basic check point system simulates undo logging). Σ↬ ΣUL and ΣUL
o1
=⇒UL Σ′UL then
∃Σ′ s.t. Σ o2=⇒ Σ′ and Σ′ ↬ Σ′UL and o1 = o2.
Proof. By induction over E :: ΣUL o1=⇒UL Σ′UL
Cases: E ends in UL-Skip, UL-V-Assign, UL-If-T UL-If-F rule. The non-volatile memory and
checkpointed data is not altered. The related basic check point system takes the corresponding
CP-Skip, CP-V-Assign, CP-If-T CP-If-F to reach a related configuration.
Case: E ends in UL-Seq rule. We apply I.H. directly.
Case: E ends with UL-NV-Assign
By assumption
(1) Σ↬ ΣUL
By UL-NV-Assign rule
(2) (κUL,Nu ,Vu ,x := e)
[ru ]
=⇒UL (κUL,Nu [x 7→ vu ],Vu , skip)
(3) Nu ,Vu ⊢ e ⇓ru vu
By CP-NV-Assign rule
(4) ((Nc ,Vc , cc ),N ,V ,x := e)
[r ]
=⇒ ((Nc ,Vc , cc ),N [x 7→ v],V , skip)
(5) N ,V ⊢ e ⇓r v
By assumption that Σ↬ ΣUL
(6) V = Vu and N = Nu
By expression evaluation is deterministic
(7) vu = v and ru = r
By (7)
(8) N [x 7→ v] = Nu [x 7→ vu ]
By (8) and volatile memory and log do not change, Σ′ ↬ Σ′UL
Case: E ends in UL-NV-Log
46 Milijana Surbatovich, Limin Jia, and Brandon Lucia
By assumption
(1) Σ↬ ΣUL
By UL-NV-Log rule
(2) ((L,Vc , cc ,ω, LL),Nu ,Vu ,x := e)
[ru ]
=⇒UL ((L[x 7→ Nu (x)],Vc , cc ,ω, LL ∪ x),Nu [x 7→ vu ],Vu , skip)
Nu ,Vu ⊢ e ⇓ru vu and
(3) x ∈ ω and x < LL
By CP-NV-Assign rule
(4) ((Nc ,Vc , cc ),N ,V ,x := e)
[r ]
=⇒ ((Nc ,Vc , cc ),N [x 7→ v],V skip)
N ,V ⊢ e ⇓r v
By assumption that Σ↬ ΣUL
(5) V = Vu and N = Nu
By expression evaluation is deterministic
(6) vu = v and ru = r
By (6)
(7) N [x 7→ v] = Nu [x 7→ vu ]
By (3) and assumption that ∀loc ∈ ω\LL,Nu (loc) = Nc (loc)
(8) L[x 7→ Nu (x)](x) = Nc (x)
By (4), (8), and volatile memories do not change, Σ′ ↬ Σ′UL
Case: E ends in UL-Arr-Assign rule
By assumption
(1) Σ↬ ΣUL
By UL-Arr-Assign rule
(2) (κUL,Nu ,Vu ,a[e] := e ′)
[ru ,r ′u ]
=⇒ UL (κUL,Nu [a[vu ] 7→ v ′u ],Vu , skip)
Nu ,Vu ⊢ e ⇓ru vu and Nu ,Vu ⊢ e ′ ⇓r ′u v ′u
By CP-Arr-Assign rule
(3) ((Nc ,Vc , cc ),N ,V ,a[e] := e ′)
[r,r ′]
=⇒ ((Nc ,Vc , cc ),N [a[v] 7→ v ′],V , skip)
N ,V ⊢ e ⇓r v and N ,V ⊢ e ′ ⇓r ′ v ′
By assumption that Σ↬ ΣUL
(4) V = Vu and N = Nu
By expression evaluation is deterministic
(5) vu = v and v ′u = v ′ and ru = r and r ′u = r ′
By (5)
(6) N [a[v] 7→ v ′] = Nu [a[vu ] 7→ v ′u ]
By (6) and volatile memories and log do not change, Σ′ ↬ Σ′UL
Case: E ends in UL-Arr-Log rule
By assumption
(1) Σ↬ ΣUL
By UL-Arr-Log rule
(2) ((L,Vc , cc ,ω, LL),Nu ,Vu ,a[e] := e ′)
[ru ,r ′u ]
=⇒ UL ((L[a[vu ] 7→ Nu (a[vu ])],Vc , cc ,ω, LL ∪ a[vu ]),Nu [a[vu ] 7→ v ′u ],Vu , skip)
Nu ,Vu ⊢ e ⇓ru vu and Nu ,Vu ⊢ e ′ ⇓r ′u v ′u
(3) a ∈ ω and a[vu ] < LL
By CP-Arr-Assign rule
Foundations of Intermittent Computing 47
(3) ((Nc ,Vc , cc ),N ,V ,a[e] := e ′)
[r,r ′]
=⇒ ((Nc ,Vc , cc ),N [a[v] 7→ v ′],V , skip)
N ,V ⊢ e ⇓r v and N ,V ⊢ e ′ ⇓r ′ v ′
By assumption that Σ↬ ΣUL
(4) V = Vu and N = Nu
By (3) and assumption that ∀loc ∈ ω\LL,Nu (loc) = Nc (loc)
(6) Nu (a[vu ]) = Nc (a[vu ])
By expression evaluation is deterministic
(7) vu = v andv ′u = v ′ and ru = r and r ′u = r ′
By (7)
(8) N [a[v] 7→ v ′] = Nu [a[vu ] 7→ v ′u ]
By (6)
(9) L[a[vu ] 7→ Nu (a[vu ])](a[vu ]) = Nc (a[vu ])
By (8), (9), and rest of log and volatile memories do not change, Σ′ ↬ Σ′UL
Case: E ends in UL-Commit rule
By assumption
(1) Σ↬ ΣUL
By UL-Commit rule
(2) ((L,Vc , cc ,ω ′, LL,Nu ,Vu , checkpoint(ω); c)
checkpoint
=⇒ UL ((∅,Vu , c,ω, ∅),Nu ,Vu , c)
By CP-Checkpoint rule
(3) ((Nc ,Vc , cc ),N ,V , checkpoint(ω); c)
checkpoint
=⇒ ((N |ω ,V , c),N ,V , c)
By assumption and memory doesn’t change
(4) N = Nu
(5) V = Vu
By (2), (3), and (4)
(6) Nu (ω) = N |ω
By (6), observation is the same, and memories do not change, Σ′ ↬ Σ′UL
Case: E ends in UL-Reboot rule
By assumption
(1) Σ↬ ΣUL
By UL-reboot
(2) ((L,Vc , cc ,ω, LL),Nu ,V ′u , reboot())
reboot
=⇒ UL ((∅,Vc , cc ,ω, ∅),Nu ◁ L,Vc , cc )
By CP-reboot rule
(3) ((Nc ,Vc , cc ),N ,V , reboot)
reboot()
=⇒ ((Nc ,Vc , cc ),N ◁ Nc ,Vc , cc )
By assumption
(4) Nu = N
(5) ∀loc ∈ LL,L(loc) = Nc (loc) and LL = domL
(6) ∀loc ∈ ω\LL,Nu (loc) = Nc (loc)
T.S. that Nu ◁ L = N ◁ Nc
By (5), (6) and ω = dom(Nc )
(7) ∀loc ∈ ω : loc ∈ L ⇒ Nu ◁ L(loд) = N ◁ Nc (loc)
(8) ∀loc ∈ ω : loc < L ⇒ Nu (loc) = Nc (loc)
By (7) and (8)
(9) Nu ◁ L = N ◁ Nc
By (9), ω = dom(Nc ), observation is the same, and volatile memories do not change
(11) Σ′ ↬ Σ′UL
48 Milijana Surbatovich, Limin Jia, and Brandon Lucia
□
Corollary 29 (Correctness of Undo Logging). If (∅,N ,V , c) O1=⇒
∗
UL Σ, CP(Σ) and ⊩ c : ok then
∃O2,σ s.t. (N ,V , c)
O2−→∗ σ , Σ− = σ and O1 ⩽mc O2.
Proof (sketch). By the simulation relation, for any trace in undo logging, there is a trace in
basic checkpoint system with the same observations and erased configurations, and the correctness
follows from that. □
D.4 Redo Logging
Syntax and Operational Semantics The checkpointed context κRL is defined as follows.
context κRL ::= (L,V , c,ω)
We summarize the semantics for redo-logging below.
(κRL,N ,V , c) =⇒RL (κ ′RL,N ′,V ′, c ′)
(κRL,N ,V , c) =⇒RL (κRL,N , reset(V ), reboot())
RL-PowerFail
((L,V ′, c ′,ω ′),N ,V , checkpoint(ω); c) checkpoint=⇒ RL ((∅,V , c,ω),N ◁ L,V , c)
RL-CheckPoint
((L,V , c,ω),N ,V ′, reboot()) reboot=⇒ RL ((∅,V , c,ω),N ,V , c)
RL-Reboot
x ∈ dom(N ) x ∈ ω N ◁ L,V ⊢ e ⇓r v
((L,Vc , cc ,ω),N ,V ,x := e)
[r ]
=⇒RL ((L[x 7→ v],Vc , cc ,ω),N ,V , skip)
RL-NV-Log
x ∈ dom(N ) x < ω N ◁ L,V ⊢ e ⇓r v
((L,Vc , cc ,ω),N ,V ,x := e)
[r ]
=⇒RL ((L,Vc , cc ,ω),N [x 7→ v],V , skip)
RL-NV-Assign
a ∈ ω N ◁ L,V ⊢ e ⇓r v N ◁ L,V ⊢ e ′ ⇓r ′ v ′
((L,Vc , cc ,ω),N ,V ,a[e] := e ′)
[r,r ′]
=⇒RL ((L[a[v] 7→ v ′],Vc , cc ,ω),N ,V , skip)
RL-Arr-Log
a ∈ dom(N ) a < ω N ◁ L,V ⊢ e ⇓r v N ◁ L,V ⊢ e ′ ⇓r ′ v ′
((L,Vc , cc ,ω),N ,V ,a[e] := e ′; c)
[r,r ′]
=⇒RL ((L,Vc , cc ,ω),N [a[v] 7→ v ′],V , c)
RL-Arr-Assign
Foundations of Intermittent Computing 49
(κRL,N ,V , ι) o=⇒RL (κRL,N ′,V ′, skip)
(κRL,N ,V , ι; c) o=⇒RL (κRL,N ′,V ′, c)
RL-Seq
κRL = (L,V , c,ω) N ◁ L,V ⊢ e ⇓r true
(κRL,N ,V , if e then c1 else c2)
[r ]
=⇒RL ((L,V , c,ω),N ,V , c1)
RL-If-T
κRL = (L,V , c,ω) N ◁ L,V ⊢ e ⇓r false
(κRL,N ,V , if e then c1 else c2)
[r ]
=⇒RL (κRL,N ,V , c2)
RL-If-F
Equivalence to basic checkpoint systemWe define a binary relation between basic checkpoint
and redo-logging state, written Σ↬ ΣRL, as follows. We prove that it is a bisimulation relation.
Σ = (κ,N ,V , c) ΣRL = (κRL,Nr ,Vr , cr ) κ = (Nc ,Vc , cc )
κRL = (L,Vc , cc ,ω) c = cr V = Vr ω = dom(Nc ) ω = dom(L)
∀loc.Nr (loc) , N (loc), loc ∈ L ∀loc ∈ L,L(loc) = N (loc) ∀loc ∈ ω,Nr (loc) = Nc (loc)
Σ↬ ΣRL
Lemma 30. Σ↬ ΣRL and Σ
o1
=⇒ Σ′ then ∃Σ′RL s.t. ΣRL
o2
=⇒RL Σ′RL and Σ′ ↬ Σ′RL and o1 = o2.
Proof. By induction over E :: Σ o1=⇒ Σ′
Cases: E ends in CP-Skip, CP-V-Assign, CP-If-T CP-If-F rule. The non-volatile memory and
checkpointed data is not altered. The undo logging system takes corresponding RL-Skip,
RL-V-Assign, RL-If-T RL-If-F to reach a related configuration.
Case: E ends in CP-Seq rule. We apply I.H. directly.
Case: E ends in CP-NV-Assign rule
By assumption
(1) Σ↬ ΣRL
By CP-NV-Assign rule
(2) ((Nc ,Vc , cc ),N ,V ,x := e)
[r ]
=⇒ ((Nc ,Vc , cc ),N [x 7→ v],V , skip)
(3) N ,V ⊢ e ⇓r v
We consider two subcases: (I) x ∈ ω and (II) x < ω
Subcase (I) x < ω
By RL-NV-Assign rule
(I1)(κRL,Nr ,Vr ,x := e)
[rr ]
=⇒RL (κRL,Nr [x 7→ vr ],Vr , skip)
(I2)Nr ◁ L,Vr ⊢ e ⇓rr vr
By assumption that Σ↬ ΣRL
(I3) Vr = V
By (I3) and expression evaluation is deterministic
(I4)vr = v and r = rr
By (I4)
(I5)N [x 7→ v] = Nr [x 7→ vr ]
By (I5), volatile memory and log do not change, Σ′ = Σ′RL
Subcase (II) x ∈ ω
By RL-NV-Log rule
50 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(II1)((L,Vc , cc ,ω),Nr ,Vr ,x := e)
[rr ]
=⇒RL ((L[x 7→ vr ],Vc , cc ,ω),Nr ,Vr , skip)
(II2)Nr ◁ L,Vr ⊢ e ⇓rr vr
By assumption that Σ↬ ΣRL
(II3) Vr = V
By (II3) and expression evaluation is deterministic
(II4)vr = v and r = rr
By (II4)
(II5)N [x 7→ v] = L[x 7→ vr ]
By assumption and Nr does not change
(II6)∀loc ∈ ω : Nr [loc] = Nc [loc]
By volatile memory does not change, Nr does not change, Σ′ = Σ′RL
Case: E ends in CP-Assign-Arr rule
By assumption
(1) Σ↬ ΣUL
By CP-Assign-Arr rule
(2) ((Nc ,Vc , cc ),N ,V ,a[e] := e ′)
[r,r ′]
=⇒ ((Nc ,Vc , cc ),N [a[v] 7→ v ′],V , skip)
(3) N ,V ⊢ e ⇓r v
(4) N ,V ⊢ e ′ ⇓r ′ v ′
We consider two subcases: (I) a ∈ ω and (II) a < ω
Subcase (I) a < ω
By RL-Arr-Assign rule
(I1) (κRL,Nr ,Vr ,a[e] := e ′)
[rr ,r ′r ]
=⇒ RL (κRL,Nr [a[vr ] 7→ v ′r ],Vr , skip)
(I2) Nr ◁ L,Vr ⊢ e ⇓rr vr
(I3) Nr ◁ L,Vr ⊢ e ′ ⇓r ′r v ′r
By assumption
(I4) V = Vr and L ∈ N
By (I4), expression evaluation is deterministic
(I5) vr = v and v ′r = v ′ and rr = r and r ′r = r ′
By (I5)
(I6) N [a[v] 7→ v ′] = Nr [a[vr ] 7→ v ′r ]
By (I6), volatile memory and log do not change, Σ′ ↬ Σ′RL.
Subcase (II) a ∈ ω
By RL-Arr-Update rule
(II1) ((L,Vc , cc ,ω),Nr ,Vr ,a[e] := e ′)
[r,r ′]
=⇒RL ((L[a[vr ] 7→ v ′r ],Vc , cc ,ω),Nr ,Vr , skip)
(II2) Nr ◁ L,Vr ⊢ e ⇓r vr
(II3) Nr ◁ L,Vr ⊢ e ′ ⇓r ′ v ′r
By assumption
(II4) V = Vr and L ∈ N
By (II4), expression evaluation is deterministic
(II5) vr = v and v ′r = v ′ and rr = r and r ′r = r ′
By (II5)
(II6) N [a[v] 7→ v ′] = L[a[vr ] 7→ v ′r ]
By volatile memory does not change, Nr does not change, Σ′ = Σ′RL
Case: E ends in CP-Checkpoint rule
By assumption
Foundations of Intermittent Computing 51
(1) Σ↬ ΣRL
By CP-Checkpoint rule
(2) ((Nc ,Vc , cc ),N ,V , checkpoint(ω); c)
checkpoint
=⇒ ((N |ω ,V , c),N ,V , c)
By RL-Commit rule
(3) ((L,Vc , cc ,ω ′),Nr ,Vr , checkpoint(ω); c)
checkpoint
=⇒ RL ((∅,Vr , c,ω),Nr ◁ L,Vr , c)
By assumption that L ⊆ N and ∀loc s.t. Nr (loc) , N (loc) : loc ∈ L
(4) Nr ◁ L = N
By (4), volatile memory does not change, and observation is the same, Σ′ = Σ′RL.
Case: E ends in CP-reboot rule
By assumption
(1) Σ↬ ΣUL
By CP-reboot rule
(2) ((Nc ,Vc , cc ),N ,V , reboot)
reboot()
=⇒ ((Nc ,Vc , cc ),N ◁ Nc ,Vc , cc )
By RL-reboot rule
(3) ((L,Vc , cc ,ω),Nr ,Vr , reboot()) reboot=⇒ RL ((∅,Vc , cc ,ω),Nr ,Vc , cc )
By assumption
(4) ∀locs.t. Nr (loc) , N (loc), loc ∈ L
(5) ∀loc ∈ ω,Nr (loc) = Nc (loc)
By (4) and semantics are deterministic
(6) ∀loc s.t. Nr (loc) , N (loc), loc ∈ ω
By (5) and (6)
(7) ∀loc s.t. Nr (loc) , N (loc),Nr (loc) = Nc (loc)
By (7)
(8) N ◁ Nc = Nr
By (8), volatile memories are the same, and observation is the same, Σ′ ↬ Σ′RL
□
Lemma 31. Σ↬ ΣRL and ΣRL
o1
=⇒RL Σ′RL then ∃Σ′ s.t. Σ
o2
=⇒ Σ′ and Σ′ ↬ Σ′RL and o1 = o2.
Proof. By induction over E :: ΣRL o1=⇒ Σ′RL
Cases: E ends in RL-Skip, RL-V-Assign, RL-If-T, RL-If-F rule. The non-volatile memory and
checkpointed data is not altered. The checkpoint system takes corresponding CP-Skip, CP-V-
Assign, CP-If-T, CP-If-F to reach a related configuration.
Case: E ends in RL-Seq rule. We apply I.H. directly.
Case: E ends in RL-NV-Assign rule
By assumption
(1) Σ↬ ΣRL
By RL-NV-Assign rule
(2) (κRL,Nr ,Vr ,x := e)
[rr ]
=⇒RL (κRL,Nr [x 7→ vr ],Vr , skip)
(3) Nr ◁ L,Vr ⊢ e ⇓rr vr
By CP-NV-Assign rule
(4) ((Nc ,Vc , cc ),N ,V ,x := e)
[r ]
=⇒ ((Nc ,Vc , cc ),N [x 7→ v],V , skip)
(5) N ,V ⊢ e ⇓r v
By assumption that Σ↬ ΣRL
(6 ) Vr = V
52 Milijana Surbatovich, Limin Jia, and Brandon Lucia
By (6), and expression evaluation is deterministic
(7) vr = v and r = rr
By (7)
(8) Nr [x 7→ vr ] = N [x 7→ v]
By (8), volatile memory and log do not change, Σ′ = Σ′RL
Case: E ends in RL-NV-Log rule
By assumption
(1) Σ↬ ΣRL
By RL-Update rule
(2) ((L,Vc , cc ,ω),Nr ,Vr ,x := e)
[rr ]
=⇒RL ((L[x 7→ vr ],Vc , cc ,ω),Nr ,Vr , skip)
(3) Nr ◁ L,Vr ⊢ e ⇓rr vr
By CP-NV-Assign rule
(4) ((Nc ,Vc , cc ),N ,V ,x := e)
[r ]
=⇒ ((Nc ,Vc , cc ),N [x 7→ v],V , skip)
(5) N ,V ⊢ e ⇓r v
By assumption that Σ↬ ΣRL
(6) Vr = V
By (6), and expression evaluation is deterministic
(7) vr = v and r = rr
By (7)
(8) N [x 7→ v] = L[x 7→ vr ]
By volatile memory does not change, Nr does not change, Σ′ = Σ′RL
Case: E ends in RL-Assign-Arr rule
By assumption
(1) Σ↬ ΣUL
By RL-Arr-Assign rule
(2) (κRL,Nr ,Vr ,a[e] := e ′)
[rr ,r ′r ]
=⇒ RL (κRL,Nr [a[vr ] 7→ v ′r ],Vr , skip)
(3) Nr ◁ L,Vr ⊢ e ⇓rr vr
(4) Nr ◁ L,Vr ⊢ e ′ ⇓r ′r v ′r
By CP-Assign-Arr rule
(5) ((Nc ,Vc , cc ),N ,V ,a[e] := e ′)
[r,r ′]
=⇒ ((Nc ,Vc , cc ),N [a[v] 7→ v ′],V , skip)
(6) N ,V ⊢ e ⇓r v
(7) N ,V ⊢ e ′ ⇓r ′ v ′
By assumption
(8) V = Vr
By (8), and expression evaluation is deterministic
(9) vr = v and v ′r = v ′ and rr = r and r ′r = r ′
By (9)
(10) N [a[v] 7→ v ′] = Nr [a[vr ] 7→ v ′r ]
By (10), volatile memory and log do not change, Σ′ ↬ Σ′RL.
Case: E ends in RL-Arr-Update rule
By assumption
(1) Σ↬ ΣUL
By RL-Arr-Update rule
(2) ((L,Vc , cc ,ω),Nr ,Vr ,a[e] := e ′)
[r,r ′]
=⇒RL ((L[a[vr ] 7→ v ′r ],Vc , cc ,ω),Nr ,Vr , skip)
Foundations of Intermittent Computing 53
(3) Nr ◁ L,Vr ⊢ e ⇓r vr
(4) Nr ◁ L,Vr ⊢ e ′ ⇓r ′ v ′r
By CP-Assign-Arr rule
(5) ((Nc ,Vc , cc ),N ,V ,a[e] := e ′)
[r,r ′]
=⇒ ((Nc ,Vc , cc ),N [a[v] 7→ v ′],V , skip)
(6) N ,V ⊢ e ⇓r v
(7) N ,V ⊢ e ′ ⇓r ′ v ′
By assumption
(8) V = Vr
By (9), and expression evaluation is deterministic
(10) vr = v and v ′r = v ′ and rr = r and r ′r = r ′
By (10)
(11) N [a[v] 7→ v ′] = L[a[vr ] 7→ v ′r ]
By (11), volatile memory does not change, Nr does not change, Σ′ = Σ′RL
Case: E ends in RL-Commit rule
By assumption
(1) Σ↬ ΣRL
By RL-Commit rule
(2) ((L,Vc , cc ,ω ′),Nr ,Vr , checkpoint(ω); c)
checkpoint
=⇒ RL ((∅,Vr , c,ω),Nr ◁ L,Vr , c)
By CP-Checkpoint rule
(3) ((Nc ,Vc , cc ),N ,V , checkpoint(ω); c)
checkpoint
=⇒ ((N |ω ,V , c),N ,V , c)
By assumption that L ⊆ N and ∀loc s.t. Nr (loc) , N (loc), loc ∈ L
(4) Nr ◁ L = N
By (4), volatile memory does not change, and observation is the same, Σ′ = Σ′RL.
Case: E ends in RL-reboot rule
By assumption
(1) Σ↬ ΣUL
By RL-reboot rule
(2) ((L,Vc , cc ,ω),Nr ,Vr , reboot()) reboot=⇒ RL ((∅,Vc , cc ,ω),Nr ,Vc , cc )
By CP-reboot rule
(3) ((Nc ,Vc , cc ),N ,V , reboot)
reboot()
=⇒ ((Nc ,Vc , cc ),N ◁ Nc ,Vc , cc )
By assumption
(4) ∀loc s.t. Nr (loc) , N (loc), loc ∈ L
(5) ∀loc ∈ ω,Nr (loc) = Nc (loc)
By (4) and semantics are deterministic
(6) ∀loc s.t. Nr (loc) , N (loc), loc ∈ ω
By (5) and (6)
(7) ∀loc s.t. Nr (loc) , N (loc),Nr (loc) = Nc (loc)
By (7)
(8) N ◁ Nc = Nr
By (8), volatile memories are the same, and observation is the same, Σ′ ↬ Σ′RL
□
Corollary 32 (Correctness of Redo Logging). If (∅,N ,V , c) O1=⇒
∗
RL Σ, CP(Σ) and ⊩ c : ok then
∃O2,σ s.t. (N ,V , c)
O2−→∗ σ , Σ− = σ and O1 ⩽mc O2.
54 Milijana Surbatovich, Limin Jia, and Brandon Lucia
Proof (sketch). By the bi-simulation relation, for any trace in undo logging, there is a trace in
basic checkpoint system with the same observations and erased configurations, and the correctness
follows from that. □
E TASKS
E.1 Syntax and Operational Semantics
We define the syntax and semantics of a task-based system using redo logging.
Task-shared memory Ts : M
Privatized memory Tp : M
Task-local memory Tι : M
Task IDs i : Int
Instr. ι ::= · · · | toTask(i)
Task Map T ::= · |T , i 7→ (ω, c)
context κTSK ::= (T , i)
We first define a function to reset the volatile part of a memory region. The resetVol function,
given memoryM , resets any volatile portion ofM and persists any non-volatile portion.
M = Mn ,Mv persistent(Mn) volatile(Mv )
resetVol(M) = Mn , reset(Mv )
(κ,Ts,Tp,Tι, c) O=⇒TSK (κ ′,Ts′,Tp′,Tι′, c ′)
Tι′ = resetVol(Tι)
(κTSK ,Ts,Tp,Tι, c) =⇒TSK (κTSK ,Ts,Tp,Tι′, reboot)
TSK-PowerFail
κTSK = (T , i) T (i) = (ω, c)
(κTSK ,Ts,Tp,Tι, reboot) =⇒TSK (κTSK ,Ts, ∅,Tι, c)
TSK-Reboot
κTSK = (T , i) T (j) = (ω, c)
(κTSK ,Ts,Tp,Tι, toTask(j)) =⇒TSK ((T , j)),Ts ◁ Tp, ∅,Tι, c)
TSK-Trans
Foundations of Intermittent Computing 55
κTSK = (T , i) T (i) = (ω, c)
x ∈ dom(Ts) x < ω Ts ◁ Tp,Tι ⊢ e ⇓rt vt
(κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts[x 7→ vt ],Tp,Tι, skip)
TSK-Update-S
κTSK = (T , i) T (i) = (ω, c)
x ∈ dom(Ts) x ∈ ω Ts ◁ Tp,Tι ⊢ e ⇓rt vt
(κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts,Tp[x 7→ vt ],Tι, skip)
TSK-Update-S-Log
x ∈ dom(Tι) Ts ◁ Tp,Tι ⊢ e ⇓rt vt
(κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts,Tp,Tι[x 7→ vt ], skip)
TSK-Update-L
κTSK = (T , i) T (i) = (ω, c) a ∈ dom(Ts) a < ω
Ts ◁ Tp,Tι ⊢ e ⇓rt vt Ts ◁ Tp,Tι ⊢ e ′ ⇓rt v ′t
(κTSK ,Ts,Tp,Tι,a[e] := e ′)
[rt ,r ′t ]
=⇒ TSK (κTSK ,Ts[a[vt ] 7→ v ′t ],Tp,Tι, skip)
TSK-Arr-S
κTSK = (T , i) T (i) = (ω, c) a ∈ dom(Ts) a ∈ ω
Ts ◁ Tp,Tι ⊢ e ⇓rt vt Ts ◁ Tp,Tι ⊢ e ′ ⇓rt v ′t
(κTSK ,Ts,Tp,Tι,a[e] := e ′)
[rt ,r ′t ]
=⇒ TSK (κTSK ,Ts,Tp[a[vt ] 7→ v ′t ],Tι, skip)
TSK-Arr-S-Log
a ∈ dom(Tι) Ts ◁ Tp,Tι ⊢ e ⇓rt vt Ts ◁ Tp,Tι ⊢ e ′ ⇓r ′t v ′t
(κTSK ,Ts,Tp,Tι,a[e] := e ′)
[rt ,r ′t ]
=⇒ TSK (κTSK ,Ts,Tp,Tι[a[vt ] 7→ v ′t ], skip)
TSK-Arr-L
E.2 Well-formedness Checking
We create a top-level well-formedness judgment for tasks Tι ⊩WAR T : ok. A task-based pro-
gram is well-formed if every task in the program is well-formed. We assume the Tι set is given.
Tι ⊩WAR T : ok
∀i ∈ dom(T ),T (i) = (ω, c) Tι;ω; ∅; ∅ ⊩WAR c : ok
Tι ⊩WAR T : ok
T-WAR-TSK
A task program is only well-formed if the first access to any location in Tι is a write, in addition to
the usual checking of WAR variables, which are task-shared locations. In other words, Tι variables
are not WAR variables as it is never read before written to. We show the changed rule for the WAR
variable checking judgment below. The corresponding array access rule is changed analogously.
Tι;N ;W ;R ⊩WAR ι :W ′;R′
R′ = R ∪ rd(e) x ∈ R′ x <W x ∈ N x < Tι
Tι;N ;W ;R ⊩WAR x := e :W ∪ x ;R′
WAR-Checkpointed
The rule ensure additionally that it will never be the case that a task-local location (e.g., x in this
rule) is read before it’s written to. It’s trivial to prove the following lemma:
Lemma 33. If Tι;ω; ∅; ∅ ⊩WAR c : ok, then dom(Tι) ∩ ω = ∅.
56 Milijana Surbatovich, Limin Jia, and Brandon Lucia
E.3 Translation from Task-based Systems to Checkpoint Systems
To capture the behavior of of a task transition, we augment the redo-log semantics with a goto
command and code context.
Commands c ::= · · · | goto ℓ
Code context Ψ ::= Ψ · | ℓ : checkpoint(ω); c
The small step rule for goto is as follows. The continuously-powered rule is similar.
Ψ(ℓ) = c
Ψ, (κRL,N ,V , goto ℓ; c ′) =⇒RL Ψ, (κRL,N ,V , c)
RL-Goto
We give a translation relation from a task to a redo log program, written T { Ψ.
· { ·
T { Ψ ⟦ct⟧ = cr
T , i 7→ (ω, ct ) { Ψ, ℓ : checkpoint(ω); cr ⟦toTask(i)⟧ = goto ℓi
ι , ⟦toTask(i)⟧
⟦ι⟧ = ι ⟦ι; c⟧ = ⟦ι⟧; ⟦c⟧ ⟦if e then c1 else c2⟧ = if e then ⟦c1⟧ else ⟦c2⟧
Finally, we extend the behavior of assignments to Tι to capture whether or not a variable has
been initialized. Each write to task-local memory writes a pair (b,v), wherev is the value, as before,
and b is a bit ∈ {0, 1} indicating if the value has been written to. Assignments flip the bit of a
location to 1, and resetting volatile memory on power failure sets all bits to 0; that is every volatile
location loc becomes loc 7→ (0, reset()) after reset.
x ∈ dom(Tι) Ts ◁ Tp,Tι ⊢ e ⇓rt vt
(κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts,Tp,Tι[x 7→ (1,vt )], skip)
TSK-Update-L
We use this to define a relation between TιV and V , the memory of each system that resides
in the volatile memory, TιV ≈ V . The relation holds if as long as a task-local variable has been
initialized, it will equal the value in the redo-log system’s volatile memory.
TιV ≈ V
TιV ≈ V
TιV , loc 7→ (0,vt ) ≈ V , loc 7→ vr
TιV ≈ V vt = vr
TιV , loc 7→ (1,vt ) ≈ V , loc 7→ vr
We are now ready to define a binary relation between a task program and a redo-log program.
written ΣTSK ↬ Ψ, ΣRL
ΣRL = (κRL,Nr ,Vr , cr ) ΣTSK = (κTSK ,Ts,Tp,Tι, ct )
κRL = (L,Vc , cc ,ωr ) κTSK = (T , i) T (i) = (ωt , ctt)
T { Ψ ⟦ct⟧ = cr ⟦ctt⟧ = cc ωt = ωr
Tp = L Tι = TιV ,TιN Nr = Ts ∪ TιN Vr ≈ TιV dom(Vr ) ⊆ dom(TιV )
ΣTSK ↬ Ψ, ΣRL
To aid in proving bi-simulation, we first prove a helper lemma that states that expression evaluation
is equivalent between a related task and redo-log system.
Lemma34 (Related undo-log and task expression evaluation are the same). Given ΣRL = (κRL,Nr ,Vr , cr ),
ΣTSK = (κTSK ,Ts,Tp,Tι, ct ), and an expression e s.t. ΣTSK ↬ Ψ, ΣRL, ∀loc ∈ rd(e) ∩ dom(Tι),
Tι(loc) = (1, _) and Ts ◁ Tp,Tι ⊢ e ⇓rt vt , and Nr ◁ L,Vr ⊢ e ⇓rr vr , then rr = rt and vr = vt
Proof. By induction over the structure of e .
Foundations of Intermittent Computing 57
Case: e = x
We examine two subcases: (I) x ∈ dom(Nr ) and (II) x ∈ dom(Vr )
Subcase (I): x ∈ dom(Nr )
By assumption, Nr = Ts ∪ TιN and Tp = L
(I1) Nr ◁ L,Vr = Ts ◁ Tp,Tι
By (I1)
(I2) rt = rr = rd x vt and vt = vr = (Nr ◁ L,Vr )(x)
Subcase (II): x ∈ dom(Vr )
By assumption
(II1) x ∈ dom(TιV )
By assumption
(II2) TιV (x) = (1,vt )
By (II2) and assumption that Vr ≈ TιV
(II3)Nr (x) = vr = vt
By (II3) and rule Rd-Var
(II4)rt = rr = rd x vt
Case: e = a[e ′]
We apply the I.H. to e ′
This is similar to the previous case. Neither a or variables in e ′ can differ in Tι and Vr .
Case: e = e1bope2
We apply the I.H. to e1 and e2
By rule BinOp and expression evaluation is deterministic, vt = vr and rt = rr
□
Lemma 35 (Redo logging simulates task-based system). ⊢WAR ΣTSK : ok, ΣTSK ↬ Ψ, ΣRL and
ΣTSK
o1
=⇒TSK Σ′TSK then ∃Σ′RL s.t. ΣRL
o2
=⇒∗RL Σ′RL and Σ′TSK ↬ Ψ, Σ′RLand o1 = o2.
Proof. By induction over E :: ΣTSK o1=⇒TSK Σ′TSK
Cases: E ends in TSK-Skip, TSK-If-T TSK-If-F rule. The non-volatile memory and task-shared
data is not altered data is not altered. The redo logging system takes corresponding RL-Skip,
RL-If-T RL-If-F to reach a related configuration.
Case: E ends in TSK-Seq rule. We apply I.H. directly.
Case: E ends in TSK-Update-S rule
By assumption
(1) ΣTSK ↬ Ψ, ΣUL
By TSK-Update-S rule
(2) (κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts[x 7→ vt ],Tp,Tι, skip)
(3) T (i) = (ωt , ct ), x < ωt , x ∈ dom(Ts)
(4) Ts ◁ Tp,Tι ⊢ e ⇓r vt
By (1)
(5) κRL = (L,Vc , cc ,ωr ), ωr = ωt , Nr = Ts,TιN
By (3), (5)
(6) x < ωr , x ∈ dom(Nr )
By RL-NV-Assign rule
(7) Ψ, (κRL,Nr ,Vr ,x := e)
[rr ]
=⇒RL Ψ, (κRL,Nr [x 7→ vr ],Vr , skip)
58 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(8) Nr ◁ L,Vr ⊢ e ⇓rr vr
By ⊢WAR ΣTSK : ok,
(9) ∀loc ∈ rd(e) ∩ Tι, Tι(loc) = (1, _)
By Lemma 34 and (9)
(10) vt = vr and rt = rr
By (10)
(11) Ts[x 7→ vt ] = Nr [x 7→ vr ]
By (11) and volatile memory and log do not change, Σ′TSK ↬ Ψ, Σ′RL
Case: E ends in TSK-Update-S-Log rule
By assumption
(1) ΣTSK ↬ Ψ, ΣUL
By TSK-Update-S-Log rule
(2) (κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts,Tp[x 7→ vt ],Tι, skip)
(3) T (i) = (ωt , ct ), x ∈ ωt , x ∈ dom(Ts)
(4) Ts ◁ Tp,Tι ⊢ e ⇓r vt
By (1)
(5) κRL = (L,Vc , cc ,ωr ), ωr = ωt , Nr = Ts,TιN
By (3), (5)
(6) x ∈ ωr , x ∈ dom(Nr )
By RL-NV-Log rule
(7) Ψ, (κRL,Nr ,Vr ,x := e)
[rr ]
=⇒RL Ψ, (κ ′RL,Nr ,Vr , skip) where κ ′RL = (L[x 7→ vr ],Vc , cc ,ωr )
(8) Nr ◁ L,Vr ⊢ e ⇓rr vr
By ⊢WAR ΣTSK : ok,
(9) ∀loc ∈ rd(e) ∩ Tι, Tι(loc) = (1, _)
By Lemma 34
(10) vt = vr and rt = rr
By (10)
(11) Tp[x 7→ vt ] = L[x 7→ vr ]
By (11) and other parts of the state don’t change, Σ′TSK ↬ Ψ, Σ′RL
Case: E ends in TSK-Update-L rule
By assumption
(1) ΣTSK ↬ Ψ, ΣRL
By TSK-Update-L rule
(2) (κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts,Tp,Tι[x 7→ vt ], skip)
(3) Ts ◁ Tp,Tι ⊢ e ⇓rt vt
By (1)
(4) κRL = (L,Vc , cc ,ωr ), Tp = L, TιV = Vr ωr = ωt , Nr = Ts,TιN
We consider two subcases: (I) x ∈ TιN or (II) x ∈ TιV
Subcase (I) x ∈ TιN
By Lemma 33 and ⊢WAR ΣTSK : ok,
(I1) x < ωt
By (4) and (I1)
(I2) x < ωr
By RL-NV-Assign rule
(I3) Ψ, (κRL,Nr ,Vr ,x := e)
[rr ]
=⇒RL Ψ, (κRL,Nr [x 7→ vr ],Vr , skip)
Foundations of Intermittent Computing 59
(I4) Nr ◁ L,Vr ⊢ e ⇓rr vr
By ⊢WAR ΣTSK : ok,
(I5) ∀loc ∈ rd(e) ∩ Tι, Tι(loc) = (1, _)
By Lemma 34 and expression evaluation is deterministic
(I6) vt = vr and rt = rr
By (I6)
(I7) TιN [x 7→ vt ] = Nr [x 7→ vr ]
By (I7), volatile memory and log do not change, Σ′TSK = Σ
′
RL
Subcase (II) x ∈ TιV
By RL-Assign-V rule
(II1) Ψ, (κRL,Nr ,Vr ,x := e)
[rr ]
=⇒RL Ψ, (κUL,Nr ,Vr [x 7→ vr ], skip)
(II2) Nr ◁ L,Vr ⊢ e ⇓rr vr
By ⊢WAR ΣTSK : ok,
(II3) ∀loc ∈ rd(e) ∩ Tι, Tι(loc) = (1, _)
By Lemma 34 and (II3) and expression evaluation is deterministic
(II4) vt = vr , rt = rr ,
By (II4)
(II5) TιV [x 7→ (1,vt )] = Vr [x 7→ vr ]
By (II5) and task-shared, non-volatile memories, and log do not change, Σ′TSK ↬ Ψ, Σ′RL
Case: E ends in TSK-Update-Arr-S or TSK-Update-Arr-S-Log, or TSK-Update-Arr-L. These
proofs are similar the previous three cases.
Case: E ends in TSK-Trans rule
By assumption
(1) ΣTSK ↬ Ψ, ΣRL
By TSK-Trans rule
(2) (κTSK ,Ts,Tp,Tι, toTask(j))
checkpoint
=⇒ TSK ((T , task(j)),Ts ◁ Tp, ∅,Tι, ct )
(3) T (j) = (ω, ct )
By assumption,
(4) ⟦toTask(j)⟧ = goto ℓj
(5) Ψ(ℓj ) = checkpoint(ω); cr and ⟦ct⟧ = cr
By (4) and RL-Goto rule
(6) Ψ, (κRL,Nr ,Vr , goto ℓj ) =⇒RL Ψ, (κRL,Nr ,Vr , checkpoint(ω); cr )
By (6), (5), and RL-Commit rule
(7) Ψ, ((L,Vc , cc ,ω ′),Nr ,Vr , checkpoint(ω); cr )
checkpoint
=⇒ RL Ψ, ((∅,Vr , cr ,ω),Nr ◁ L,Vr , cr )
By assumption that L = Tp and Nr = Ts ∪ TιN
(8) Ts ◁ Tp ∪ TιN = Nr ◁ L
By (8) volatile memory does not change, and the initial contexts relate to each other
(9) the observation is equivalent and Σ′TSK ↬ Ψ, Σ′RL.
Case: E ends in TSK-reboot rule
By assumption
(1) ΣTSK ↬ Ψ, ΣRL
By TSK-reboot rule
(2) (κTSK ,Ts,Tp,Tι, reboot) reboot=⇒ TSK (κTSK ,Ts, ∅,Tι, ct )
(3) κTSK = (T , i) and T (i) = (ωt , ct )
By RL-reboot rule
60 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(4) Ψ, ((L,Vc , cc ,ω),Nr ,Vr , reboot()) reboot=⇒ RL Ψ, ((∅,Vc , cc ,ωc ),Nr ,Vc , cc )
By (1)
(5) cc = ⟦ct⟧, ωc = ωt , and Ts,TιN = Nr
By power failure must precede reboot, and the definition of resetVol
(6) ∀loc ∈ TιV ,TιV [loc 7→ (0,vt )]
By (6)
(7) Vc ≈ TιV
By (5), (6), and (7) and the new log and the Tp are both empty, Σ′TSK ↬ Ψ, Σ′RL
□
Here, we write Ψ, ΣRL
o1
=⇒†RL Ψ, Σ′RL to include all one-step transitions, except RL-Commit and
include instead RL-Goto followed by Checkpoint as one atomic step. This is reasonable as these
correspond to an atomic step in the task setting. Further, there are no checkpoints in commands
other than those translated from toTask.
Lemma 36 (Task-based system simulates translated continuous program). ⊢WAR ΣTSK : ok, ΣTSK ↬
Ψ, ΣRL and Ψ, ΣRL
o1
=⇒†RL Ψ, Σ′RL then ∃Σ′TSK s.t. ΣTSK
o2
=⇒TSK Σ′TSK and Σ′TSK ↬ Ψ, Σ′RLand o1 = o2.
Proof. By induction over E :: ΣRL o1=⇒TSK Σ′RL
Cases: E ends in RL-Skip, RL-If-T RL-If-F rule. The memory is not altered. The task system takes
corresponding TSK-Skip, TSK-If-T TSK-If-F to reach a related configuration.
Case: E ends in RL-Seq rule. We apply I.H. directly.
Case: E ends in RL-NV-Assign rule
By assumption
(1) ΣTSK ↬ Ψ, ΣRL
By RL-NV-Assign rule
(2) Ψ, (κRL,Nr ,Vr ,x := e)
[rr ]
=⇒RL Ψ, (κRL,Nr [x 7→ vr ],Vr , skip)
(3) Nr ◁ L,Vr ⊢ e ⇓rr vr and x < ωr , x ∈ dom(Nr )
By (1)
(4) Nr = Ts,TιN , ωr = ωt , Tp = L, Vr = TιV
By (4)
(5) Ts ◁ Tp,Tι ⊢ e ⇓rt vt
By ⊢WAR ΣTSK : ok,
(6) ∀loc ∈ rd(e) ∩ Tι, Tι(loc) = (1, _)
By assumption,(4), (5), (6) and Lemma 34
(7) vt = vr and rt = rr
We consider two subcases: (I) x ∈ dom(Ts) or (II) x ∈ dom(TιN )
Subcase (I) x ∈ dom(Ts)
By TSK-Update-S rule
(I1) (κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts[x 7→ vt ],Tp,Tι, skip)
By (7) and (4)
(I2)Ts[x 7→ vt ] = Nr [x 7→ vr ]
By (I3), volatile memory and log do not change, Σ′TSK = Σ
′
RL
Subcase (II) x ∈ dom(TιN )
By TSK-Update-L rule
(II1) (κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts,Tp,Tι[x 7→ vt ], skip)
Foundations of Intermittent Computing 61
By (7)
(II2)TιN [x 7→ vt ] = Nr [x 7→ vr ]
By (II2), volatile memories and log do not change, Σ′TSK ↬ Ψ, Σ′RL
Case: E ends in RL-NV-Log rule
By assumption
(1) ΣTSK ↬ Ψ, ΣRL
By RL-NV-Log rule
(2) Ψ, ((L,Vc , cc ,ωr ),Nr ,Vr ,x := e)
[rr ]
=⇒RL Ψ, ((L[x 7→ vr ],Vc , cc ,ω),Nr ,Vr , skip)
(3) Nr ◁ L,Vr ⊢ e ⇓rr vr , x ∈ ωr , x ∈ dom(Nr )
By (1)
(4) Nr = Ts,TιN , ωr = ωt , Tp = L, Vr = TιV
By (3) and (4)
(5) x ∈ ωt and x ∈ Ts,TιN
By Lemma 33 and ⊢WAR ΣTSK : ok,
(6) x < TιN
By TSK-Update-S-Log rule
(7) (κTSK ,Ts,Tp,Tι,x := e)
[rt ]
=⇒TSK (κTSK ,Ts,Tp[x 7→ vt ],Tι, skip)
(8) Ts ◁ Tp,Tι ⊢ e ⇓rt vt
By ⊢WAR ΣTSK : ok,
(9) ∀loc ∈ rd(e) ∩ Tι, Tι(loc) = (1, _)
By assumption, (4), (8), (9) and Lemma 34
(10) vt = vr and rt = rr
By (4) and (10)
(11) Tp[x 7→ vt ] = L[x 7→ vr ]
By (11), Ts,Tι and Nr ,Vr does not change and observation is the same, Σ′TSK ↬ Ψ, Σ′RL
Case: E ends in RL-V-Assign rule. The case is similar to the previous cases. Here, the corresponding
TSK-Update-L rule is applied.
Case: E ends in RL-Assign-Arr or RL-Arr-Log or RL-V-Assign-Arr rule, the proofs are similar
to the previous three cases.
Case: E ends in RL-Goto followed by RL-Commit rule
By assumption
(1) ΣTSK ↬ Ψ, ΣRL
By RL-Goto rule
(2) Ψ, (κRL,Nr ,Vr , goto ℓi ) =⇒RL Ψ, (κRL,Nr ,Vr , checkpoint(ωr ); cr )
(3) Ψ(ℓi ) = checkpoint(ωr ); cr
By (2) and RL-Commit rule
(4) Ψ, ((L,Vc , cc ,ω ′),Nr ,Vr , checkpoint(ωr ); cr )
checkpoint
=⇒ RL Ψ, ((∅,Vr , cr ,ωr ),Nr ◁ L,Vr , ci )
By (1)
(5) ⟦toTask(i)⟧ = goto ℓi and T (i) = (ωt , ct ), ωr = ωt , and ⟦ct⟧ = cr
By TSK-Trans rule
(6) (κTSK ,Ts,Tp,Tι, toTask(i))
checkpoint
=⇒ TSK ((T , i),Ts ◁ Tp, ∅,Tι, ct )
By (4) and (5)
(7) L ′ = ∅ = Tp′
By assumption that L = Tp and Ts ∪ TιN = Nr
(8) Ts ◁ Tp ∪ TιN = Nr ◁ L
62 Milijana Surbatovich, Limin Jia, and Brandon Lucia
By (7), (8), volatile memory does not change, and observation is equivalent, Σ′TSK ↬ Ψ, Σ′RL.
Case: E ends in RL-reboot rule
By assumption
(1) ΣTSK ↬ Ψ, ΣRL
By RL-reboot rule
(2) Ψ, ((L,Vc , cc ,ωc ),Nr ,Vr , reboot()) reboot=⇒ RL Ψ, ((∅,Vc , cc ,ωc ),Nr ,Vc , cc )
(3) κTSK = (T , i) and T (i) = (ωt , ct )
By TSK-reboot rule
(4) (κTSK ,Ts,Tp,Tι, reboot) reboot=⇒ TSK (κTSK ,Ts, ∅,Tι, ct )
By (1)
(5) cc = ⟦ct⟧, ωc = ωt , and Ts,TιN = Nr
By power failure must precede reboot, and resetVol
(6) ∀loc ∈ TιV ,TιV [loc 7→ (0,vt )]
By (6)
(7) Vc ≈ TιV
By (5), (6), and (7) and the new log and the Tp are both empty, Σ′TSK ↬ Ψ, Σ′RL
□
F INTERMITTENT COMPUTINGWITH INPUTS
F.1 Summary of Operational Semantics
(τ ,κ,N ,V , c) O=⇒ (τ ′,κ ′,N ′,V ′, c ′)
pick(n)
(τ ,κ,N ,V , c) =⇒ (τ + 1,κ,N , reset(V ), reboot(n)) I/O-CP-PowerFail
(τ ,κ,N ,V , checkpoint(ω); c) checkpoint=⇒ (τ + 1, (N |ω ,V , c),N ,V , c)
I/O-CP-CheckPoint
κ = (N ,V , c)
(τ ,κ,N ′,V ′, reboot(n)) reboot=⇒ (τ + n,κ,N ′ ◁ N ,V , c)
I/O-CP-Reboot
x ∈ dom(V )
(τ ,κ,N ,V ,x := IN()) in(τ )=⇒ (τ + 1,κ,N ,V [x 7→ in(τ )], skip)
I/O-CP-V-Assign-I/O
x ∈ dom(N ) N ,V ⊢ e ⇓r v
(τ ,κ,N ,V ,x := e) [r ]=⇒ (τ + 1,κ,N [x 7→ v],V , skip)
I/O-NV-Assign
N ,V ⊢ e ⇓r v N ,V ⊢ e ′ ⇓r ′ v ′
(τ ,κ,N ,V ,a[e] := e ′) [r,r
′]
=⇒ (τ + 1,κ,N [a[v] 7→ v ′],V , skip)
I/O-CP-Assign-Arr
Foundations of Intermittent Computing 63
x ∈ dom(V ) N ,V ⊢ e ⇓r v
(τ ,κ,N ,V ,x := e) [r ]=⇒ (τ + 1,κ,N ,V [x 7→ v], skip)
I/O-CP-V-Assign
x ∈ dom(N )
(τ ,κ,N ,V ,x := IN()) in(τ )=⇒ (τ + 1,κ,N [x 7→ in(τ )],V , skip)
I/O-CP-NV-Assign-In
N ,V ⊢ e ⇓r v
(τ ,κ,N ,V ,a[e] := IN()) [r ], in(τ )=⇒ (τ + 1,κ,N [a[v] 7→ in(τ )],V , skip)
I/O-CP-Assign-Arr-In
(τ ,κ,N ,V , skip; c) =⇒ (τ ,κ,N ,V , c) I/O-CP-Skip
(τ ,κ,N ,V , i) o=⇒ (τ + 1,κ,N ′,V ′, skip)
(τ ,κ,N ,V , i; c) o=⇒ (τ + 1,κ,N ′,V ′, c)
I/O-CP-Seq
N ,V ⊢ e ⇓r true
(τ ,κ,N ,V , if e then c1 else c2)
[r ]
=⇒ (τ + 1,κ,N ,V , c1)
I/O-CP-If-T
N ,V ⊢ e ⇓r false
(τ ,κ,N ,V , if e then c1 else c2)
[r ]
=⇒ (τ + 1,κ,N ,V , c2)
I/O-CP-If-F
F.2 Checking RIO Variables
We write N ; I ;M ⊩RIO ι : I ′;M ′ to mean that given the version set N , the input-dependent set I ,
write-setM , and control is not tainted, any input-dependent variables in ι are in I ′ and any variables
written are inM . We write N ;M ⊩taint ι : ok to mean that given the version set N , the must-write
set M , and control is tainted, any variable updated in ι that is not in M must be in N . Any array
updated must be in N . input-dependent variables in ι are in I ′
N ; I ;M ⊩RIO ι : I ′,M ′
I ∩ rd(e) , ∅
N ; I ;M ⊩RIO x := e : I ∪ x ;M ∪ x
RIO-dep
I ∩ rd(e) = ∅ x ∈ I
N ; I ;M ⊩RIO x := e : I \ x ;M ∪ x
RIO-dep-clear
I ∩ rd(e) = ∅
N ; I ;M ⊩RIO x := e : I ;M ∪ x
RIO-NDep
I ∩ (rd(e) ∪ rd(e ′)) = ∅
N ; I ;M ⊩RIO a[e] := e ′ : I ;M
RIO-Arr-NDep
I ∩ rd(e ′) , ∅
N ; I ;M ⊩RIO a[e] := e ′ : I ∪ a;M
RIO-Arr-dep
N ; I ;M ⊩RIO x := IN() : I ∪ x ;M ∪ x
RIO-Get
I ∩ rd(e) , ∅ a ∈ N
N ; I ;M ⊩RIO a[e] := e ′ : I ∪ a;M
RIO-Arr-loc
64 Milijana Surbatovich, Limin Jia, and Brandon Lucia
N ;M ⊩taint ι : ok
x ∈ (M ∪ N )
N ;M ⊩taint x := e : ok
RIO-Assign-tainted
a ∈ N
N ;M ⊩taint a[e] := e ′ : ok
RIO-Arr-tainted
x ∈ (M ∪ N )
N ;M ⊩taint x := IN() : ok
RIO-Get-tainted
Judgment N ; I ;M ⊩RIO c : ok means that all of c’s exclusive may-write variables are in N , given
I is the set of input-dependent variables, N is the set of versioned variables from the most recent
checkpoint,M is the set of variables that must be written from the most recent checkpoint, and
control is not tainted. Judgement N ;M ⊩taint c : ok means that all of c’s exclusive may-write
variables are in N , givenM is the set of must-write variables, N is the set of versioned variables
from the most recent checkpoint, and control is tainted. We say ⊩MstWt c : M to denote the must
write setM returned by the collection algorithm on the command C .
N ; I ;M ⊩RIO c : ok
N ; I ;M ⊩RIO ι : I ′,M ′
N ; I ;M ⊩RIO ι : ok
RIO-ι
ω; ∅; ∅ ⊩RIO c : ok
N ; I ;M ⊩RIO checkpoint(ω); c : ok
RIO-Cp
N ; I ;M ⊩RIO ι : I ′;M ′ N ; I ′;M ′ ⊩RIO c : ok
N ; I ;M ⊩RIO ι; c : ok
RIO-Seq
I ∩ rd(e) , ∅
M ⊩MstWt if e then c1 else c2 : M ′ ∀i ∈ [1, 2],N ;M ′ ⊩taint ci : ok
N ; I ;M ⊩RIO if e then c1 else c2 : ok
RIO-If-Dep
I ∩ rd(e) = ∅ N ; I ;M ⊩RIO ci : ok i ∈ [1, 2]
N ; I ;M ⊩RIO if e then c1else c2 : ok
RIO-If-NDep
N ;M ⊩taint c : ok
ω; ∅ ⊩RIO c : ok
N ;M ⊩taint checkpoint(ω); c : ok
RIO-Cp-tainted
N ;M ⊩taint ι : ok N ;M ⊩taint c : ok
N ;M ⊩taint ι; c : ok
RIO-Seq-tainted
N ;M ⊩taint ci : ok i ∈ [1, 2]
N ;M ⊩taint if e then c1 else c2 : ok
RIO-If-tainted
We writeM ⊩MstWt ι : M ′ to mean that given must-write setM variables that must be written to
in ι are inM ′.
Foundations of Intermittent Computing 65
x is stored on non-volatile memory
M ⊩MstWt x := e : M ∪ x Must-NV-Assign
M ⊩MstWt x := IN () : M ∪ x Must-Assign-In M ⊩MstWt a[e] := e ′ : M Must-Assign-Arr
M ⊩MstWt ι : M ′ M ′ ⊩MstWt c : M ′′
M ⊩MstWt ι; c : M ′′
Must-Seq
M ⊢ ci : Mi i ∈ [1, 2]
M ⊩MstWt if e then c1 else c2 : M1 ∩M2
Must-If
M ⊩MstWt checkpoint(); c : M Must-CP
F.3 RIO Variable Collection Algorithm
X ;M ; I ⊩RIO ι : X ′;M ′; I ′
X ;M ; I ⊩RIO skip : X ;M ; I
I/O-skip
X ;M ; I ⊩RIO x := IN() : X ;M ∪ x ; I ∪ x
I/O-Get
I ∩ rd(e) , ∅
X ;M ; I ⊩RIO x := e : X ;M ∪ x ; I ∪ x
I/O-Assign-Dep
I ∩ rd(e) = ∅
X ;M ; I ⊩RIO x := e : X ;M ∪ x ; I
I/O-Assign-NDep
I ∩ rd(e) = ∅ x ∈ I
X ;M ; I ⊩RIO x := e : X ;M ∪ x ; I \ x
I/O-dep-clear
I ∩ rd(e ′) , ∅
X ;M ; I ⊩RIO a[e] := e ′ : X ;M ; I ∪ a
I/O-Arr-dep
I ∩ rd(e) , ∅
X ;M ; I ⊩RIO a[e] := e ′ : X ∪ a;M, I ∪ a
I/O-Arr-loc
I ∩ rd(e ′) = ∅ I ∩ rd(e) = ∅
X ;M ; I ⊩RIO a[e] := e ′ : X ;M ; I
I/O-Arr-nodep
66 Milijana Surbatovich, Limin Jia, and Brandon Lucia
X ;M ; I ⊩RIO c −→ c ′ : X ′
I ∩ rd(e) = ∅ X ;M ; I ⊩RIO ci −→ c ′i : Xi i ∈ [1, 2]
X ;M ; I ⊩RIO if e then c1 else c2 −→ if e then c ′1 else c ′2 : X1 ∪ X2
I/O-If-NDep
I ∩ rd(e) , ∅ X ;M ⊩taint ci −→ c ′i : Xi ;Mi i ∈ [1, 2]
X ;M ; I ⊩RIO if e then c1 else c2 −→
if e then c ′1 else c
′
2 : (X1 ∪ X2 ∪M1 ∪M2) \ (M1 ∩M2)
I/O-If-Dep
X ;M ; I ⊩RIO ι : X ′;M ′; I ′ X ′;M ′; I ′ ⊩RIO c −→ c ′ : X ′′
X ;M ; I ⊩RIO ι; c −→ ι; c ′ : X ′′
I/O-Seq
∅; ∅; ∅ ⊩RIO c −→ c ′ : X ′
X ;M ; I ⊩RIO checkpoint(); c −→ checkpoint(X′); c ′ : X
Collect-CP
X ;M ; I ⊩RIO ι : X ′;M ′; I ′
X ;M ; I ⊩RIO ι −→ ι : X ′
Collect-ι
We write X ;M ⊩taint ι : X ′;M ′ to mean that given that control is tainted, must-write setM , and
exclusive may set X , variables that must be written to in ι are inM ′, variables that may (exclusive)
be written to in ι are in X ′. We write X ;M ⊩taint c −→ c ′ : X ′;M ′ to mean that given must-write
setM , and exclusive may set X , program c , and control is tainted, c ′ is a rewritten program where
variables that must be written to in c up to the next checkpoint are inM ′, and and variables that
may (exclusive) be written to in c up to the next checkpoint are in X ′.
X ;M ⊩taint ι : X ′;M ′
X ;M ⊩taint skip : X ;M
I/O-skip-tainted
X ;M ⊩taint x := IN() : X ;M ∪ x
I/O-Get-tainted
X ;M ⊩taint x := e : X ;M ∪ x
I/O-Assign-tainted
X ;M ⊩taint a[e] := e ′ : X ∪ a;M
I/O-Arr-tainted
Foundations of Intermittent Computing 67
X ;M ⊩taint c −→ c ′ : X ′;M ′
X ;M ⊩taint ci −→ c ′i : Xi ;Mi i ∈ [1, 2]
X ;M ⊩taint if e then c1 else c2 −→
if e then c ′1 else c
′
2 : ((X1 ∪ X2 ∪M1 ∪M2) \ (M1 ∩M2)); (M1 ∩M2)
I/O-If-tainted
X ;M ⊩taint ι : X ′;M ′ X ′;M ′ ⊩taint c −→ c ′ : X ′′;M ′′
X ;M ⊩taint ι; c −→ ι; c ′ : X ′′;M ′′
I/O-Seq-tainted
∅; ∅; ∅ ⊩RIO c −→ c ′ : X ′
X ;M ⊩taint checkpoint(); c −→ checkpoint(X′); c ′ : X ;M
Collect-CP-tainted
X ;M ⊩taint ι : X ′;M ′
X ;M ⊩taint ι −→ ι : X ′;M ′
Collect-ι-tainted
Lemma 37. (1) If E :: M1 ⊩MstWt ι : M2 and X ;M1 ⊩taint ι : X ′;M ′2 thenM2 = M ′2
(2) If E :: M1 ⊩MstWt c : M2 and X ;M1 ⊩taint c −→ c ′ : X ′;M ′2 thenM2 = M ′2
Proof (sketch). By induction over the structure of E. □
Lemma 38.
• If X ;M ; I ⊩RIO ι : X ′;M ′; I ′ and all of the locations in X are array and all of the locations inM
are variables then all of the locations in X ′ are array and all of the locations inM ′ are variables
and X ′ ⊇ X
• If X ;M ; I ⊩RIO c −→ c ′ : X ′ and all of the locations in X are array and all of the locations inM
are variables then X ′ ⊇ X
• If X ;M ⊩taint ι : X ′;M ′ and all of the locations in X are array and all of the locations inM are
variables then all of the locations in X ′ are array and all of the locations in M ′ are variables
X ′ ⊇ X andM ′ ∪ X ′ ⊇ X ∪M .
• If X ;M ⊩taint c −→ c ′ : X ′;M ′ and all of the locations in X are array and all of the locations in
M are variables then X ′ ∩M ′ = ∅, X ′ ⊇ X ,M ′ ∪ X ′ ⊇ X ∪M .
Proof (sketch). By induction over the structure of the checkpointed locations collection
derivations. □
Lemma 39.
• If X ;M ; I ⊩RIO ι : X ′;M ′; I ′ and all of the locations in X are array and all of the locations inM
are variables then ∀N ⊇ X ′, N ; I ;M ⊩RIO ι : I ′;M ′
• If X ;M ; I ⊩RIO c −→ c ′ : X ′ and all of the locations in X are array and all of the locations inM
are variables then then ∀N ⊇ X ′, N ; I ;M ⊩RIO c ′ : ok
• If X ;M ⊩taint ι : X ′;M ′ and all of the locations in X are array and all of the locations inM are
variables then ∀Nc ⊇ X ′, ∀Mc s.t. Nc ∪Mc ⊇ X ′ ∪M ′, Nc ;Mc ⊩taint ι : ok
• If X ;M ⊩taint c −→ c ′ : X ′;M ′and all of the locations in X are array and all of the locations in
M are variables then ∀Nc ⊇ X ′, ∀Mc s.t. Nc ∪Mc ⊇ X ′ ∪M ′, Nc ;Mc ⊩taint c ′ : ok
Proof (sketch). By induction over the structure of the checkpointed locations collection
derivations. □
68 Milijana Surbatovich, Limin Jia, and Brandon Lucia
F.4 Tainting Semantics
We augment values with tainted values denoted vT . The expression evaluation now propagates the
taint tag.
values val ::= v |vt
Configuration σ ::= (τ ,N ,V , c)
We write (τ ,N ,V , c) O−→ (τ ′,N ′,V ′, c ′) to denote the small-step operational semantics of the
core calculus. The rules are summarized below.
(τ ,N ,V , c) O−→ (τ ′,N ′,V ′, c ′)
(τ ,N ,V , checkpoint(ω); c) checkpoint−→ (τ + 1,N ,V , c)
I/O-Tnt-CheckPoint
(τ ,N ,V , skip; c) −→ (τ ,N ,V , c) I/O-Tnt-Skip
x ∈ dom(N ) N ,V ⊢ e ⇓r val
(τ ,N ,V ,x := e) [r ]−→ (τ + 1,N [x 7→ val],V , skip)
I/O-Tnt-NV-Assign
N ,V ⊢ e ⇓r val N ,V ⊢ e ′ ⇓r ′ val′
(τ ,N ,V ,a[e] := e ′) [r,r
′]−→ (τ + 1,N [a[val] 7→ val′],V , skip)
I/O-Tnt-Assign-Arr
x ∈ dom(V ) N ,V ⊢ e ⇓r val
(τ ,N ,V ,x := e) [r ]−→ (τ + 1,N ,V [x 7→ val], skip)
I/O-Tnt-V-Assign
x ∈ dom(N )
(τ ,N ,V ,x := IN()) in(τ )−→ (τ + 1,N [x 7→ in(τ )t ],V , skip)
I/O-Tnt-NV-Assign-In
N ,V ⊢ e ⇓r val
(τ ,N ,V ,a[e] := IN()) [r ], in(τ )−→ (τ + 1,N [a[val] 7→ in(τ )t ],V , skip)
I/O-Tnt-Assign-Arr-In
x ∈ dom(V )
(τ ,N ,V ,x := IN()) in(τ )−→ (τ + 1,N ,V [x 7→ in(τ )t ], skip)
I/O-Tnt-V-Assign-In
(τ ,N ,V , i) o−→ (τ + 1,N ′,V ′, skip)
(τ ,N ,V , i; c) o−→ (τ + 1,N ′,V ′, c)
I/O-Tnt-Seq
N ,V ⊢ e ⇓r val val = true or truet
(τ ,N ,V , if e then c1 else c2) [r ]−→ (τ + 1,N ,V , c1)
I/O-Tnt-IfT
Foundations of Intermittent Computing 69
N ,V ⊢ e ⇓r val val = false or falset
(τ ,N ,V , if e then c1 else c2) [r ]−→ (τ + 1,N ,V , c2)
I/O-Tnt-IfF
τ ′ > τ
(τ ,N ,V , c) −→ (τ ′,N ,V , c) I/O-Tnt-Sleep
F.5 Auxiliary Definitions
Idempotent reads.
O ⩽m O
I-Rb-Base
O ′1 ⩽m O2
O1, reboot,O ′1 ⩽m O2
I-Rb-Ind
O1 ⩽m O2
O1 ⩽mc O2
Cp-Base
O1 ⩽m O2 O ′1 ⩽mc O ′2
O1, checkpoint,O ′1 ⩽mc O2,O ′2
Cp-Ind
Related non-volatile memory.
Definition 40 (Related non-volatile memories at the same execution point). τ ,N0,V0, c, c ′,I ⊢
N1 ∼ N2 iff
• dom(N1) = dom(N2) and
• ∀loc ∈ N1 s.t. N1(loc) , N2(loc),
– loc ∈ MFstWt(N0,V0, c)
– let {T } = Run(σ ,I, c ′) where σ = (τ ,N0,V0, c) and the last state of T is (τ ′,N1,V , c ′)
∗ loc ∈ MstWt(N1,V , c ′)
∗ loc < Wt(T )
Definition 41 (Related non-volatilememories between current and initial execution point). N0,N ,V , c ⊢
N1 ∼ N2 iff dom(N1) = dom(N2),
• dom(N1) = dom(N2) and
• ∀loc ∈ N1 s.t. N1(loc) , N2(loc), loc ∈ N0 ∪MFstWt(N ,V , c)
Definition 42 (Related configurations). τ0,I,N ⊢ (τ1,κ,N1,V1, c1) ∼ (τ2,N2,V2, c2) iffκ = (N0,V0, c0),
N0 ⊆ N τ0,N ,V0, c0, c1,I ⊢ N1 ∼ N2, τ1 = τ2, V1 = V2, and c1 = c2.
Definition 43 (Erased configuration). (τ ,κ,N ,V , c)− = (τ ,N ,V , c)
Lemma 44. If N ,N0,V0, c0 ⊢ N1 ∼ N2, N ⊆ N1 and N ⊆ N2 and N ⊆ N0 then ∀τ , and
τ ,N0,V0, c0, c0, ∅ ⊢ N1 ∼ N2.
Proof (sketch). By examining the two relations. □
F.6 Correctness Proofs
The correctness theorem follows from the following lemma.
Lemma 45 (Correctness). If (τ ,κ,N ,V , c)
O1
=⇒∗ Σ, κ = (N0,V , c), N0 ⊆ N , and N0, ∅, ∅ ⊩WAR c : ok,
N0, ∅, ∅ ⊩RIO c : ok then ∃O2,τ2,σ s.t.
(1) (τ2,N ,V , c)
O2−→∗ σ , τ2,O2 | in,N ⊢ Σ ∼ σ , and τ2 ≥ τ , O1 ⩽mc O2. and
(2) ∀T ′ = Σ O=⇒∗ Σ′, CP(Σ′) and T ′ does not contain checkpoints or reboots implies σ O−→∗ (Σ′)−
Proof. By induction on the number of checkpoints in O1.
70 Milijana Surbatovich, Limin Jia, and Brandon Lucia
Base case: O1 does not include any checkpoint, directly apply Lemma 47.
Inductive case: O1 contains k + 1 checkpoints where k ≥ 0
By assumption,
(1) T = (τ ,κ,N ,V , c)
O1
=⇒∗ (τ1,κ,N1,V1, checkpoint(ω); c1)
checkpoint
=⇒ Σ′
O2
=⇒∗ Σ′′,
where O1 does not contain checkpoints
By Lemma 47, exists O ′1 and τ ′ s.t.
(2) (τ ′,N ,V , c)
O ′1−→∗ (τ1,N1,V1, checkpoint(ω); c1) and O1 ⩽m O ′1 and τ ′ ≥ τ
By I/O-CP-CheckPoint and (1)
(3) Σ′ = (τ1 + 1,κ1,N1,V1, c1) where κ1 = (N1 |ω ,V1, c1)
By I/O-Tnt-CheckPoint and (2)
(4) (τ1,N1,V1, checkpoint(ω); c1) −→ (τ1 + 1,N1,V1, c1)
By N0, ∅, ∅ ⊩RIO c : ok and Lemma 46
(5) ∃ I ′,M s.t. N0, I ′,M ⊨RIO checkpoint(ω); c1 : ok
or ∃M s.t. N0,M ⊩taint checkpoint(ω); c1 : ok
By inversion of (5)
(6) ω, ∅, , ∅ ⊩RIO c1 : ok
By Lemma 15 and N0, ∅, ∅ ⊩WAR c : ok
(7) ∃W ′,R′ s.t. N0,W ′,R′ ⊩WAR checkpoint(ω); c1 : ok
By inversion of (7)
(8) ω, ∅, ∅ ⊩WAR c1 : ok
By I.H. on the tail of T starting from Σ′, (3), (6), (8), exists O ′2 and τ2 s.t.
(9) (τ2,N1,V1, c1)
O ′2−→∗ σ ′′ and τ2,O ′2 | in,N1 ⊢ Σ′′ ∼ σ ′′ and O2 ⩽mc O ′2 and τ2 ≥ (τ1 + 1) and
(10) Σ′′
O3
=⇒∗ (τ3,κ3,N3,V3, checkpoint(ω ′); c3) implies
σ ′′
O3−→∗ (τ3,N3,V3, checkpoint(ω ′); c3),
By (2) and (9) and Cp-Ind
(11) O1, checkpoint,O2 ⩽mc O ′1,O ′2
By I/O-Tnt-Sleep and τ2 ≥ (τ1 + 1)
(12) (τ1 + 1,N1,V1, c1) −→ (τ2,N1,V1, c1)
By connecting the executions the conclusion holds
□
Lemma 46. If N0, ∅, ∅ ⊩RIO c : ok and (τ ,N ,V , c)
O
−→∗ (τ ′,N ′,V ′, c ′), and O does not contain
checkpoints, then either ∃ I ′,M s.t. N0, I ′,M ⊩RIO c ′ : ok or ∃M s.t. N0,M ⊩taint c ′ : ok.
Proof (sketch). By induction over the derivation N0,W ,R ⊩ c : ok. □
Lemma 47 (One checkpoint, multiple failures). If T = (τ ,κ,N1,V , c)
O1
=⇒∗ Σ where T does not
execute checkpoint, κ = (N0,V , c), N0 ⊆ N1, N0 ⊆ N2, and N0,N1,V , c ⊢ N1 ∼ N2 and N0, ∅, ∅ ⊩WAR
c : ok, N0, ∅, ∅ ⊩RIO c : ok then
• ∃O2,τ2,σ s.t. (τ2,N2,V , c)
O2−→∗ σ and τ2,O2 | in,N1 ⊢ Σ ∼ σ and τ2 ≥ τ and O1 ⩽m O2.
• ∀T ′ = Σ O=⇒∗ Σ′ where Σ′ = (τ ′,κ ′,N ′,V ′, checkpoint(ω); c ′) and T ′ does not contain check-
points implies σ
O
−→∗ (Σ′)−,
Proof. By induction on the number of reboots in O1.
Foundations of Intermittent Computing 71
Base case: O1 does not include any reboot, first apply Lemma 44 to show τ ,N1,V , c, c, ∅ ⊢ N1 ∼ N2;
then directly apply Lemma 61 and Lemma 62.
Inductive case: O1 contains k + 1 reboots where k ≥ 0
By assumption
(1) T = (τ ,κ,N1,V , c)
O ′1
=⇒∗ (τ1,κ,N ′1,V1, reboot(ω))
reboot
=⇒ Σ′
O ′′1
=⇒∗ Σ′′,
and O ′1 does not contain reboots or checkpoints
By assumption N0,N1,V , c ⊢ N1 ∼ N2
By Lemma 48
(2) N0,N1,V , c ⊢ N ′1 ∼ N2. It follows that N0,N1,V , c ⊢ N ′1 ◁ N0 ∼ N2
By I/O-CP-Reboot and (1)
(3) Σ′ = (τ1 + n,κ,N ′1 ◁ N0,V , c)
By I.H. on all the tail of T starting from Σ′
(4) exists O2, τ ′, and σ s.t. (τ ′,N2,V , c)
O2−→∗ σ and τ ′,O2 | in,N1, ⊢ Σ′′ ∼ σ
and τ ′ ≥ τ1 + n and O ′′1 ⩽m O2
(5) Σ′′
O
=⇒∗ (τ3,κ ′,N ′,V ′, checkpoint(ω); c ′)
implies σ
O
−→∗ (τ3,N ′,V ′, checkpoint(ω); c ′)
By (1), (4) and Rb-Ind
(6) O ′1, reboot,O ′′1 ⩽m O2
By (3) and (4) and time is monotonically increasing
(7) τ ′ ≥ τ1 + n ≥ τ1 ≥ τ
By (5), (6), (7) the conclusion holds.
□
Lemma48 (Partial run relates to initial state (Multi-steps)). IfT = (τ ,κ,N1,V , c0)
O
=⇒∗ (τ ′,κ,N ′1,V ′, c),
T does not execute checkpoint or reboot, N0; ∅; ∅ ⊩WAR c0 : ok, N0, ∅, ∅ ⊩RIO c0 : ok, κ = (N0,V , c0),
and N0,N1,V , c0 ⊢ N1 ∼ N2 then N0,N1,V , c0 ⊢ N ′1 ∼ N2.
Proof. By induction over the length of T . The base case is trivial. The inductive case uses I.H.
and Lemma 60. □
Lemma 49 (Relating syntactic and semantic read). If E :: N0;W0;R0 ⊩ c0 : ok, and T =
(τ0,N1,V0, c0) −→∗ (τ ,N ,V , c),T does not contain any checkpoints then ∃W and R s.t.N0;W ;R ⊩WAR
c : ok, and RD(T ) ∪ R0 ⊆ R.
Proof (sketch). Induction over the derivation E. □
Lemma 50 (Relating syntactic must write and semantic must write). If E :: M ⊩MstWt c : M ′,
x ∈ M ′ \M then ∀T s.t. T = (τ ,N ,V , c) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′) and |T | ≥ 1, x ∈ Wt(T ).
Proof (sketch). By induction over the structure of E. □
Lemma 51 (VariableWrites are either First Writes or Versioned). If N0; ∅; ∅ ⊩WAR c0 : ok, given any
traceTc from c0 to the nearest checkpoint:Tc = T0·(τ ,N ,V ,x := e ; c1)
O
−→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′)
then x ∈ FstWt(Tc ) or x ∈ N0.
Proof (sketch). The same as proof Lemma 19. □
Lemma 52. If E :: N0; I ;M ⊩RIO c0 : ok, exists T s.t. T = (τ0,N1,V1, c0) −→∗ (τ2,N2,V2, c1)
and N0,M1 ⊩taint c1 : ok, then T = (τ0,N1,V1, c0) −→∗ (τ1,N1,V1, c) −→∗ (τ2,N2,V2, c1) where
72 Milijana Surbatovich, Limin Jia, and Brandon Lucia
c = if e then ct else cf and M ′ ⊩MstWt c : M1 and ∃E ′, I s.t. E ′ :: N0; I ⊩RIO c : ok and E ′ is a
sub-derivation of E.
Proof (sketch). By induction over the length of T . □
Lemma 53 (Variable Writes are either Must Writes or Versioned). If N0; ∅; ∅ ⊩RIO c0 : ok,
exists T s.t. T = (τ0,N1,V1, c0) −→∗ (τ ,N2,V2,x := e; c1) then ∀Tc s.t. Tc = (τ0,N ,V , c0) −→∗
(τ ′,N ′,V ′, checkpoint(ω); c ′), x ∈ Wt(Tc ) ∪ N0.
Proof. By Lemma 46 there are two cases: (I): ∃ I M s.t. N0, I ;M ⊩RIO x := e; c1 : ok or (II): ∃M
s.t. N0,M ⊩taint x := e; c1 : ok.
By assumption, let T0 be the trace s.t. T0 = (τ0,N1,V1, c0) −→∗ (τ ,N2,V2,x := e; c1)
Case I: N0, I ,M ⊩RIO x := e; c1 : ok
By Lemma 58,
(I1) ∀T s.t. T = (τ0,N ,V , c0) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′),
T = (τ ,N1,V1, c0) −→∗ (τ ′′,N ′2,V ′2 ,x := e; c1) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′)
By (I1) and operation semantics and the definition ofWt
(I2) x ∈ Wt(T )
Case II: ∃M s.t. E :: N0,M ⊩taint x := e; c1 : ok.
By inversion of E
(II1) x ∈ N0 (conclusion holds) or x ∈ M
We continue with the case where x ∈ M
By Lemma 52
(II2) T0 = (τ0,N1,V1, c0) −→∗ (τ1,N1,V1, c) −→∗ (τ ,N2,V2,x := e; c1)
where c = if e then ct else cf
(II3) andM ′ ⊩MstWt c : M
(II4) and ∃I s.t. N0; I ;M ′ ⊩RIO c : ok.
By Lemma 58
(II5) ∀Tc s.t. Tc = (τ0,N ,V , c0) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′),
Tc = Tc1 ·Tc2, Tc1 = (τ0,N ,V , c0) −→∗ (τ ′1,N ′1,V ′1 , c),
Tc2 = (τ ′1,N ′1,V ′1 , c) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′),
where c = if e then ct else cf
(II6) and ∀x ∈ M ′, x ∈ Wt(Tc1)
By Lemma 50, (II3), and x ∈ M \M ′
(II7) x ∈ Wt(Tc2)
By (II6) and (II7), x ∈ Wt(Tc )
□
Lemma 54 (Array Writes are either First Writes or Versioned). If N0; ∅; ∅ ⊩WAR c0 : ok, given any
traceTc from c0 to the nearest checkpoint:Tc = T0·(τ ,N ,V ,a[e] := e ′; c1)
O
−→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′),
N ,V ⊢ e ⇓r v then a[v] ∈ Wt(Tc ) implies a[v] ∈ FstWt(Tc ) or a ∈ N0.
Proof (sketch). We consider two cases: (I) a[v] ∈ RD(T0) ∪ rd(e) ∪ rd(e ′) and (II) a[v] <
RD(T0) ∪ rd(e) ∪ rd(e ′)
Case (I) a[v] ∈ RD(T0) ∪ rd(e) ∪ rd(e ′)
a[v] ∈ RD(T0) ∪ rd(e) ∪ rd(e ′)
By Lemma 49 and (2) and (4)
(I1) ∃W and R s.t. E ′ :: N0;W ;R ⊩WAR a[e] := e ′; c1 : ok, and
Foundations of Intermittent Computing 73
(I2) RD(T0) ⊆ R
By inversion of E ′ and (I2), a ∈ N0
Case (II) a[v] < RD(T0) ∪ rd(e) ∪ rd(e ′)
By definition of FstWt, a[v] ∈ FstWt(Tc )
□
Lemma 55 (Array Writes are either Must Writes or Versioned). If N0; ∅; ∅ ⊩RIO c0 : ok, exists
T0 s.t. T0 = (τ0,N1,V1, c0) −→∗ (τ ,N2,V2,a[e] := e ′; c1) , N2,V2 ⊢ e ⇓r v then ∀Tc s.t. Tc =
(τ0,N ,V , c0) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′) a[v] ∈ Wt(Tc ) or a ∈ N0.
Proof. By Lemma 46 there are two cases: (I): ∃ I M s.t. N0, I ,M ⊩RIO a[e] := e ′; c1 : ok or (II): ∃
M s.t. N0,M ⊩taint a[e] := e ′; c1 : ok.
By assumption, let T0 be the trace s.t. T0 = (τ0,N1,V1, c0) −→∗ (τ ,N2,V2,a[e] := e ′; c1)
Case I: N0, I ,M ⊩RIO a[e] := e ′; c1 : ok
By Lemma 58,
(I1) ∀T s.t. T = (τ0,N ,V , c0) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′),
T = (τ ,N1,V1, c0) −→∗ (τ ′′,N ′2,V ′2 ,a[e] := e ′; c1) −→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′)
(I2) and N2 ≈tnt N ′2 and V2 ≈tnt V ′2
By Lemma 59 and (I2)
(I3) N ′2,V ′2 ⊢ e ⇓r v
By (I1) and operation semantics and the definition ofWt
(I4) a[v] ∈ Wt(T )
Case II: ∃M s.t. E :: N0,M ⊩taint a[e ′] := e; c1 : ok.
By inversion of E, a ∈ N0, conclusion holds
□
We write σ −→∗ CP to denote the trace from σ to the nearest checkpoint. We write N1 ≈tnt N2
to mean that N1 and N2 only differ in tainted value.
Lemma 56 (Taint Diff). If N0 ≈tnt N ′0 , V0 ≈tnt V ′0 , (τ0,N0,V0, ι) −→ (τ0 + 1,N1,V1, skip), then
(τ0,N ′0,V ′0 , ι) −→ (τ0 + 1,N ′1,V ′1 , skip) and N1 ≈tnt N ′1 , V1 ≈tnt V ′1 .
Proof (sketch). By examining all the operational semantic rules. □
Lemma 57 (Relating Syntactic and Semantics Taint). If N ; I0 ⊩ ι : I1 and taint(N0 ∪V0) ⊆ I0, and
(τ0,N0,V0, ι) −→ (τ0 + 1,N1,V1, skip), then taint(N1 ∪V1) ⊆ I1.
Proof (sketch). By examining all the operational semantic rules. □
Lemma 58 (Not tainted execution deterministic). If E :: N ; I ;M ⊩RIO c0 : ok, E ′ :: N ; I1;M1 ⊩RIO
c1 : ok, E ′ is a sub-derivation of E, and exists τ0, N0, V0, N1, V1, T s.t. T = (τ0,N0,V0, c0) −→∗
(_,N1,V1, c1), and taint(N0 ∪ V0) ⊆ I then ∀τ0,N ′0,V ′0 ,Tc s.t. Tc = (τ ′0,N ′0,V ′0 , c0) −→∗ CP, and
N0 ≈tnt N ′0 ,V0 ≈tnt V ′0 , it is the case thatTc = Tc1 ·Tc2 whereTc1 = (τ ′0,N ′0,V ′0 , c0) −→∗ (_,N ′1,V ′1 , c1)
and Tc2 = (_,N ′1,V ′1 , c1) −→∗ CP, and N1 ≈tnt N ′1 and V1 ≈tnt V ′1 and ∀x ∈ M1 \M , x ∈ Wt(Tc1).
Proof. By induction over the distance between E and E ′. For the base case: E = E ′, the
conclusion holds trivially. For the inductive case, we case on E.
E ends in RIO-Seq
By assumptions
74 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(1) E =
E1 :: N ; I ;M ⊩ ι : I1,M1 E2 :: N ; I1;M1 ⊩RIO c1 : ok
N ; I ;M ⊩RIO ι; c1 : ok
RIO-Seq
and E ′ is a sub-derivation of E2
By assumptions, exists T0 s.t.
(2) T0 = (τ0,N0,V0, ι; c1) −→∗ (τ ,N2,V2, c)
By operational semantic rules and (2)
(3) T0 = (τ0,N0,V0, ι; c1) −→ (τ0 + 1,N1,V1, c1) −→∗ (τ ,N2,V2, c)
By Lemma 57
(4) taint(N1 ∪V1) ⊆ I1
By I.H. on E2, (4)
(5) ∀τ1,T1,N ′1,V ′1 s.t. T1 = (τ1,N ′1,V ′1 , c1) −→∗ CP,
and N1 ≈tnt N ′1 and V1 ≈tnt V ′1
T1 = (τ1,N ′1,V ′1 , c1) −→∗ (τ2,N ′2,V ′2 , c) −→∗ CP,
and N2 ≈tnt N ′2 and V2 ≈tnt V ′2
Given any time τ ′0 , N ′0 , V ′0 s.t. N0 ≈tnt N ′0 and V0 ≈tnt V ′0
Given any T ′0 = (τ ′0,N ′0,V ′0 , ι; c1) −→∗ CP
By operational semantic rules
(6) T ′0 = (τ ′0,N ′0,V ′0 , ι; c1) −→ (τ ′0 + 1,N ′′1 ,V ′′1 , c1) ·T ′1
and T ′1 = (τ ′0 + 1,N ′′1 ,V ′′1 , c1) −→∗ CP
By Lemma 56 and (3) and (5)
(7) N1 ≈tnt N ′′1 and V1 ≈tnt V ′′1
By (5), (7), and (6)
(8) T ′1 = (τ ′0 + 1,N ′′1 ,V ′′1 , c1) −→∗ (τ ′2,N ′2,V ′2 , c) −→∗ CP
By (6) and (8), the conclusion holds
E ends in RIO-If-NDep
By assumptions
(1) E =
E1 :: I ∩ rd(e) = ∅ E2 :: N ; I ;M ⊩RIO ci : ok i ∈ [1, 2]
N ; I ;M ⊩RIO if e then c1else c2 : ok
RIO-If-no-dep
By assumptions, exists T0 s.t.
(2) T0 = (τ0,N0,V0, if e then c1 else c2) −→∗ (τ ,N2,V2, c)
We show the case where the true branch is taken; the proof for the other case is the same.
By operational semantic rules and (2),
(3) T0 = (τ0,N0,V0, if e then c1 else c2) −→ (τ0 + 1,N0,V0, c1) −→∗ (τ ,N2,V2, c),
(4) and N0,V0 ⊢ e ⇓r true
By I.H. on E2
(5) ∀τ1,T1,N ′1,V ′1 s.t. T1 = (τ1,N ′1,V ′1 , c1) −→∗ CP,
and N0 ≈tnt N ′1 and V0 ≈tnt V ′1
T1 = (τ1,N ′1,V ′1 , c1) −→∗ (τ2,N ′2,V ′2 , c) −→∗ CP,
and N2 ≈tnt N ′2 and V2 ≈tnt V ′2
Given any time τ ′0 , N ′0 , V ′0 s.t. N0 ≈tnt N ′0 and V0 ≈tnt V ′0
Given any T ′0 = (τ ′0,N ′0,V ′0 , if e then c1 else c2) −→∗ CP
By assumption taint(N0 ∪V0) ⊆ I
(6) taint(N ′0 ∪V ′0 ) ⊆ I
By Lemma 59, E1, and (4)
(7) and N ′0,V ′0 ⊢ e ⇓r true
Foundations of Intermittent Computing 75
By operational semantic rules
(8) T ′0 = (τ ′0,N ′0,V ′0 , ι; if e then c1 else c2) −→ (τ ′0 + 1,N ′0,V ′0 , c1) ·T ′1
and T ′1 = (τ ′0 + 1,N ′0,V ′0 , c1) −→∗ CP
By (5), (8)
(9) T ′1 = (τ ′0 + 1,N ′0,V ′0 , c1) −→∗ (τ ′2,N ′2,V ′2 , c) −→∗ CP
By (8) and (9), the conclusion holds
E ends in RIO-If-Dep or RIO-ι
These two cases are the base cases where E = E ′.
□
Lemma 59 (Not tainted val eq). If N1 and N2 only differs in tainted values, andV1 andV2 only differs
in tainted values, ∀loc ∈ rd(e), N1 ∪V1(loc) is not tainted, and N1,V1 ⊢ e ⇓r1 v1 N2,V2 ⊢ e ⇓r2 v2 then
r1 = r2 and v1 = v2.
Proof (sketch). By induction over the structure of e . Note that when an ∈ rd(e), we mean all
of a[1] to a[n] in rd(e). □
Lemma 60 (Partial run relates to initial state (One step)). If all of the following hold
• T = (τ ,κ,N ,V , c) o=⇒ (τ + 1,κ,N ′,V ′, c ′), where κ = (N0,V0, c0),
• o is not checkpoint or reboot,
• N0; ∅; ∅ ⊩WAR c0 : ok, N0; ∅; ∅ ⊩RIO c0 : ok,
• T0 = (τ0,N1,V0, c0) −→∗ (τ ,N ,V , c), T0 does not contain any checkpoints,
• N0,N1,V0, c0 ⊢ N ∼ N2
then N0,N1,V0, c0 ⊢ N ′ ∼ N2.
Proof. We case on T . We only show the cases where non-volatile memory is updated; as the
conclusion trivially hold in other cases.
Case T ends in a variable assignment (when x := e is the last instruction, c1 = skip)
By assumption
(1) (τ ,κ,N ,V ,x := e; c1)
[r ]
=⇒ (τ + 1,κ,N [x 7→ val],V , c1)
x ∈ dom(N ), and N ,V ⊢ e ⇓r val
(2) N0; ∅; ∅ ⊩WAR c0 : ok
(3) N0; ∅; ∅ ⊩RIO c0 : ok
We only need to show that x ∈ MFstWt(N1,V0, c0) ∪ N0.
By Lemma 53,
(4) x ∈ MustWt(N1,V0, c0) ∪ N0.
By (4) and Lemma 51,
(5) x ∈ MFstWt(N1,V0, c0) ∪ N0,
The conclusion holds from (4), (5)
Case T ends in array assignment
By assumption
(1) (τ ,κ,N ,V ,a[e] := e ′; c1)
[r,r ′]
=⇒ (τ + 1,κ,N [a[v] 7→ v ′],V , c1)
N ,V ⊢ e ⇓r v and N ,V ⊢ e ′ ⇓r ′ v ′
(2) N0; ∅; ∅ ⊩WAR c0 : ok
(3) N0; ∅; ∅ ⊩RIO c0 : ok
We only need to show that a[v] ∈ MFstWt(N1,V0, c0) ∪ N0.
By Lemma 55,
76 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(4) a[v] ∈ MustWt(N1,V0, c0) ∪ N0.
By Lemma 54,
(5) a[v] ∈ MFstWt(N1,V0, c0) or a ∈ N0,
The conclusion holds from (4), (5)
Case T ends in input assignment
By assumption
(1) (τ ,κ,N ,V ,x := IN(); c1)
in(τ )
=⇒ (τ + 1,κ,N [x 7→ in(τ )t ],V , c1) and x ∈ dom(N )
(2) N0; ∅; ∅ ⊩WAR c0 : ok
(3) N0; ∅; ∅ ⊩RIO c0 : ok
We only need to show that x ∈ MFstWt(N1,V0, c0) ∪ N0.
By Lemma 53,
(4) x ∈ MustWt(N1,V0, c0) ∪ N0.
By (4) and Lemma 51,
(5) x ∈ MFstWt(N1,V0, c0) ∪ N0,
The conclusion holds from (4), (5)
□
Lemma 61 (One failure). If
• T = (τ ,κ,N1,V , c)
O
=⇒∗ (τ ′,κ,N ′1,V ′, c ′), T does not execute checkpoint or reboot,
• κ = (N0,V0, c0), and
• T0 = (τ0,N ,V0, c0)
O0−→∗ (τ ,N1,V , c), T0 does not contain any checkpoints,
• τ0,N ,V0, c0, c,O0 | in ⊢ N1 ∼ N2
then (τ ,N2,V , c)
O
−→∗ (τ ′,N ′2,V ′, c ′), and τ0,N ,V0, c0, c ′, (O0 ·O) | in ⊢ N ′1 ∼ N ′2 .
Proof. By induction over the length of T , apply Lemma 63. □
Lemma 62 (related NV step to equal NV by checkpoint). If T = (τ ,κ,N1,V , c)
O
=⇒∗ Σ′, CP(Σ′)
and T does not execute checkpoint or reboot, κ = (N0,V0, c0), T0 = (τ0,N ,V0, c0)
O0−→∗ (τ ,N1,V , c), T0
does not contain any checkpoints, and τ0,N ,V0, c0, c,O0 | in ⊢ N1 ∼ N2, then (τ ,N2,V , c)
O
−→∗ Σ′−
Proof. By induction over the length of T .
Base case: |T | = 0
By assumption
(1) c = checkpoint(ω); c ′
(2) ∀loc ∈ N1 s.t. N1(loc) , N2(loc), loc ∈ MFstWt(N ,V0, c0) and
loc ∈ MstWt(N1,V , checkpoint(ω); c ′) = ∅
By (2) and ∄loc s.t. loc ∈ ∅
(3) N1 = N2
The continuous powered execution also takes 0 steps and the conclusion holds
Inductive case:
By assumption
(1) T = (τ ,κ,N1,V , c) o=⇒ (τ1,κ,N ′1,V1, c1)
O
=⇒∗ (τ ′,κ,N ′,V ′, checkpoint(ω); c ′),
By Lemma 63
(2) (τ ,N2,V , c) o−→ (τ1,N ′2,V1, c1) and τ0,N ,V0, c0, c1,o | in ⊢ N ′1 ∼ N ′2 .
Foundations of Intermittent Computing 77
By I.H. on the tail of T
(3) (τ1,N ′2,V1, c1)
O
−→∗ (τ ′,N ′,V ′, checkpoint(ω); c ′)
By (2) and (3)
The conclusion holds
□
Lemma63 (relatedNVs step to relatedNVs (One step)). IfT = (τ ,κ,N1,V , c) o=⇒ (τ+1,κ,N ′1,V ′, c ′),
and T does not execute checkpoint or reboot, κ = (N0,V0, c0), T0 = (τ0,N ,V0, c0)
O0−→∗ (τ ,N1,V , c),
T0 does not contain any checkpoints, and τ0,N ,V0, c0, c,O0 | in ⊢ N1 ∼ N2, then (τ ,N2,V , c) o−→
(τ + 1,N ′2,V ′, c ′) and τ0,N ,V0, c0, c ′, (O0 · o) | in ⊢ N ′1 ∼ N ′2 .
Proof. By examining the structure of T .
Case: T ends in I/O-CP-Skip rule.
By assumption
(1) T = (τ ,κ,N1,V , skip; c) =⇒ (τ + 1,κ,N1,V , c) and
(2) κ = (N0,V0, c0), and τ0,N ,V0, c0, (skip; c),O0 | in ⊢ N1 ∼ N2
By I/O-Tnt-Skip rule
(3) (τ ,N2,V , skip; c) −→ (τ + 1,N2,V , c)
By (2) and skip does not write to store
(4) τ0,N ,V0, c0, c,O0 | in ⊢ N1 ∼ N2
Case: T ends in I/O-CP-Seq rule and uses I/O-CP-NV-Assign or ends in I/O-CP-NV-Assign rule.
The proof for both of these two cases are the same except that in the latter, the resulting
command is skip.
By assumption
(1) T = (τ ,κ,N1,V ,x := e; c)
[r1]
=⇒ (τ + 1,κ,N1[x 7→ v1],V , c) and
(2) N1;V ⊢ e ⇓r1 v1 and
(3) κ = (N0,V0, c0) and τ0,N ,V0, c0, (x := e; c),O0 | in ⊢ N1 ∼ N2
By I/O-Tnt-NV-Assign rule
(4) (τ ,N2,V ,x := e; c) [r2]−→ (τ + 1,N2[x 7→ v2],V , c) and
(5) N2;V ⊢ e ⇓r2 v2
By Lemma 64 and Lemma 25
(6) v1 = v2 and r1 = r2
By (3) and (6), and
(7) τ0,N ,V0, c0, c,O0 | in ⊢ N1[x 7→ v1] ∼ N2[x 7→ v2]
Case: T ends in I/O-CP-Seq rule and uses I/O-CP-Arr-Assign rule or ends in I/O-CP-Arr-Assign
rule.
By assumption
(1) T = (τ ,κ,N1,V ,a[e ′] := e; c)
[r ′1,r1]
=⇒ (τ + 1,κ,N1[(a[v ′1]) 7→ v1],V , c) and
(2) N1;V ⊢ e ⇓r1 v1 and N1;V ⊢ e ′ ⇓r ′1 v ′1
(3) κ = (N0,V0, c0) and τ0,N ,V0, c0, (a[e ′] := e; c),O0 | in ⊢ N1 ∼ N2
By I/O-Tnt-Assign-Arr rule
(4) (τ ,N2,V ,a[e ′] := e; c)
[r ′2,r2]−→ (τ + 1,N2[(a[v ′2]) 7→ v2],V , c) and
(5) N2;V ⊢ e ′ ⇓r ′2 v ′2 and N2;V ⊢ e ⇓r2 v2
By Lemma 64 and Lemma 25
78 Milijana Surbatovich, Limin Jia, and Brandon Lucia
(6) v1 = v2 and v ′1 = v ′2 and r1 = r2 and r ′1 = r ′2
By (3) and (6)
(7) τ0,N ,V0, c0, c,O0 | in ⊢ N1[a[v ′1] 7→ v1] ∼ N2[a[v ′2] 7→ v2]
Case: T ends in I/O-CP-Seq rule and uses I/O-CP-V-Assign rule or ends in I/O-CP-V-Assign rule.
By assumption
(1) T = (τ ,κ,N1,V ,x := e; c)
[r1]
=⇒ (τ + 1,κ,N1,V [x 7→ v1], c) and N1;V ⊢ e ⇓r1 v1
(2) κ = (N0,V0, c0), and τ0,N ,V0, c0, (x := e; c),O0 | in ⊢ N1 ∼ N2
By I/O-Tnt-V-Assign rule
(3) (τ ,N2,V ,x := e; c) [r2]−→ (τ + 1,N2,V [x 7→ v2], c) and N2;V ⊢ e ⇓r2 v2
By Lemma 64 and Lemma 25
(4) v1 = v2 and r1 = r2
By (4), V [x 7→ v1] = V [x 7→ v2]
By (2) and CP-V-Assign does not write to non-volatile store
(4) τ0,N ,V0, c0, c,O0 | in ⊢ N1 ∼ N2
Case: T ends in I/O-CP-Seq rule and uses I/O-CP-NV-Assign-In or ends in I/O-CP-NV-Assign-In
rule.
By assumption
(1) T = (τ ,κ,N1,V ,x := IN (); c)
in(τ )
=⇒ (τ + 1,κ,N1[x 7→ in(τ )t ],V , c) and
(2) κ = (N0,V0, c0) and τ0,N ,V0, c0, (x := IN (); c),O0 | in ⊢ N1 ∼ N2
By I/O-Tnt-NV-Assign-In rule
(3) (τ ,N2,V ,x = IN (); c) in(τ )−→ (τ + 1,N2[x 7→ in(τ )t ],V , c) and
By (1) and (3)
(7) τ0,N ,V0, c0, c, (O0 · in(τ )) | in ⊢ N1[x 7→ in(τ )t ] ∼ N2[x 7→ in(τ )t ]
Case: T ends in I/O-CP-Seq rule and uses I/O-CP-Arr-Assign-In rule or ends in I/O-CP-Arr-
Assign-In rule.
By assumption
(1) T = (τ ,κ,N1,V ,a[e ′] := IN (); c)
[r ′1], in(τ )
=⇒ (τ + 1,κ,N1[(a[v ′1]) 7→ in(τ )t ],V , c) and
(2) N1;V ⊢ e ′ ⇓r ′1 v ′1
(3) κ = (N0,V0, c0) and τ0,N ,V0, c0, (a[e ′] := IN (); c),O0 | in ⊢ N1 ∼ N2
By I/O-Tnt-Assign-Arr-In rule
(4) (τ ,N2,V ,a[e ′] := IN (); c)
[r ′2], in(τ )−→ (τ + 1,N2[(a[v ′2]) 7→ in(τ )t ],V , c) and
(5) N2;V ⊢ e ′ ⇓r ′2 v ′2
By Lemma 64 and Lemma 25
(6) v ′1 = v ′2 and r ′1 = r ′2
By (3), (4) and (6)
(7) τ0,N ,V0, c0, c, (O0 · in(τ )) | in ⊢ N1[a[v ′1] 7→ in(τ )t ] ∼ N2[a[v ′2] 7→ in(τ )t ]
Case: T ends in I/O-CP-Seq rule and uses I/O-CP-V-Assign-In rule or ends in I/O-CP-V-Assign-In
rule.
By assumption
(1) T = (τ ,κ,N1,V ,x := IN (); c)
in(τ )
=⇒ (τ + 1,κ,N1,V [x 7→ in(τ )t ], c)
(2) κ = (N0,V0, c0), and τ0,N ,V0, c0, (x := IN (); c),O0 | in ⊢ N1 ∼ N2
By I/O-Tnt-V-Assign-In rule
Foundations of Intermittent Computing 79
(3) (τ ,N2,V ,x := IN (); c) in(τ )−→ (τ + 1,N2,V [x 7→ in(τ )t ], c)
By (2) and CP-V-Assign does not write to non-volatile store
(4) τ0,N ,V0, c0, c, (O0 · in(τ )) | in ⊢ N1 ∼ N2
Case: T ends in I/O-CP-If-T rule.
By assumption
(1) T = (τ ,κ,N1,V , if e then c1 else c2)
[r1]
=⇒ (τ + 1,κ,N1,V , c1) and N1,V ⊢ e ⇓r1 true and
(2) κ = (N0,V0, c0), and τ0,N ,V0, c0, if e then c1 else c2,O0 | in ⊢ N1 ∼ N2
Let’s assume
(3) N2,V ⊢ e ⇓r2 v
By Lemma 64 and Lemma 25
(4) v = true and r1 = r2
By I/O-Tnt-If-T rule and (4)
(5) (τ ,N2,V , if e then c1 else c2) [r2]−→ (τ + 1,N2,V , c1)
By (5) and CP-If-T doesn’t write to storage, and the must write set of if statement
is the intersection of the must writes in both branches,
(6) τ0,N ,V0, c0, c1,O0 ⊢ N1 ∼ N2
Case: T ends in CP-If-F rule. Similar to the previous case.
□
Lemma 64 (Eq val in read locations). If T = (τ0,N ,V0, c0)
O
−→∗ (τ ,N1,V ′, ι; c), T does not execute
checkpoint, τ0,N ,V0, c0, (ι; c),O | in ⊢ N1 ∼ N2 where ι , checkpoint, and loc ∈ rd(ι) ∩ N1, then
N1(loc) = N2(loc).
Proof. We assume that N1(loc) , N2(loc) then derive a contradiction.
By assumption,
(1) N1(loc) , N2(loc) and τ0,N ,V0, c0, (ι; c) ⊢ N1 ∼ N2.
By definition 40
(2)
∀x ∈ N1 s.t. N1(x) , N2(x), x ∈ MFstWt(N ,V0, c0), x ∈ MstWt(N1,V ′, ι; c) and x < Wt(T ′)
where {T ′} = Run(σ ,O | in, (ι; c)), σ = (τ0,N ,V0, c0) and the last state of T ′ is (τ ,N1,V ′, ι; c)
By (1) and (2)
(3) loc ∈ MFstWt(N ,V0, c0), and loc < Wt(T ′)
By loc ∈ rd(ι), loc < WT (T ′), and the definitions of FstWt and MFstWt
(4) loc < MFstWt(N ,V0, c0)
(3) and (4) derive a contradiction, so the conclusion holds.
□
