CS7470  Seminar in PL: Influential Ideas in Programming Languages (Spring 2026)

References:

• Reynolds, J. C. (1974). Towards a Theory of Type Structure. Programming Symposium, Proceedings of the Colloque sur la Programmation, pp. 408–425. Springer, Paris.

References:

• Reynolds, J. C. (1983). Types, abstraction and parametric polymorphism./a> In R. E. A. Mason (Ed.), Information Processing 83 (pp. 513-523). Elsevier Science Publishers B.V. (North-Holland).

References:

• Mitchell, John C.; Plotkin, Gordon D. (1988). Abstract Types Have Existential Type. ACM Transactions on Programming Languages and Systems. 10 (3): 470–502.

Separation logic developed out of a need for a more native way to reason about shared memory. It establishes an assertion language with two new operators — ∗ and —∗ ; (separating conjunction and "wand" respectively) — that allow clean description of heap states. The "vanilla" separation logic, discovered by a combination of Ishtiaq, O'Hearn, and Reynolds around 1999-2002, sparked a wave of new separation logics with features that allowed for new types of reasoning. This lecture will go over the fundamentals of separation logic and motivate the works that came after, culminating in a discussion of the context in which Iris came to be.

Primary references:

• Samin S. Ishtiaq and Peter W. O’Hearn. BI as an assertion language for mutable data structures. In Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages (POPL 2001).
• Parkinson, M. The Next 700 Separation Logics. In Verified Software: Theories, Tools, Experiments (VSTTE 2010).

Types allow for tracking of what operations are possible on values: files can be opened and closed, locks can be acquired and released, memory can be allocated and deallocated. Although at any given moment, the real resource is only at one of these states, simply typed lambda calculus is not representative of this reality: it allows for resources to exist in multiple states at any given moment. Linear types allow us to address this and reject buggy programs as well as maintain language purity in certain scenarios. I will be talking about *why* these problems exist and *how* linear types address them, as well as the biggest application of linear types by far in the management of heap memory.

Primary references:

• Jean-Yves Girard Linear Logic Theoretical Computer Science, Elsevier (1987)
• Yves Lafont The linear abstract machine Theoretical Computer Science, Elsevier (1988)
• Philip Wadler Linear types can change the world! Programming Concepts and Methods (1990)
• David Walker Substructural type systems Advanced Topics in Types and Programming Languages (2005)

Type systems allow programmers to express and statically check specifications of program behavior. However, some programs have behavior that can only be expressed for some subset of a given type: for instance, some list functions may require a nonempty input or ensure that the length of their output remains unchanged; certain algorithms on propositional formulae require their input to be in a particular normal form. In many languages, these kinds of behavioral constraints are too granular to be expressed at the type level and so must be left implicit. Type refinement systems, however, enrich such type systems with a means to express properties requiring sub-type precision that the language's base type system cannot capture, allowing programmers to identify subsets of types satisfying properties of interest. This talk will present a simple calculus that introduces several core features of refinement types. It will then examine a particular style of type refinement known as datasort refinement, introduced by Freeman and Pfenning in 1991, which refines ML-like type systems with sorts defined over the inductive structure of data types. Finally, it will discuss several alternative approaches to type refinement that provide more expressive refinements using type-level term languages and more complex constraint-solving infrastructure.

References:

• Rowan Davies. 2005. Practical Refinement-Type Checking. Ph.D. Dissertation. Carnegie Mellon University, Pittsburgh, Pa. (Ch. 1, 3, 5.)
• Jana Clara Dunfield. 2007. A Unified System of Type Refinements. Ph.D. Dissertation. Carnegie Mellon University, Pittsburgh, Pa. (Ch. 1, §7.4.)
• Tim Freeman and Frank Pfenning. 1991. Refinement types for ML. In Proceedings of the ACM SIGPLAN 1991 Conference on Programming Language Design and Implementation (PLDI ’91).
• William Lovas and Frank Pfenning. 2009. Refinement Types for Logical Frameworks and Their Interpretation as Proof Irrelevance. In Typed Lambda Calculi and Applications, 2009. Springer Berlin Heidelberg, Berlin, Heidelberg, 157–171.
• Niki Vazou, Eric L. Seidel, Ranjit Jhala, Dimitrios Vytiniotis, and Simon Peyton-Jones. 2014. Refinement types for Haskell. In Proceedings of the 19th ACM SIGPLAN International Conference on Functional Programming (ICFP ’14), 2014. Association for Computing Machinery, New York, NY, USA, 269–282.
• Hongwei Xi and Frank Pfenning. 1999. Dependent types in practical programming. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99), 1999. Association for Computing Machinery, New York, NY, USA, 214–227.
• Noam Zeilberger. 2016. Principles of Type Refinement. Lecture notes.

Modal logic is used for reasoning about knowledge and possibility. I present modal logic with possible worlds semantics and an axiomatic presentation. Then, I show Pfenning/Davies’s judgmental presentation of modal logic and how a Curry-Howard interpretation of that logic can be used to create a language for staged computation.

In the second part of my presentation I discuss specifically the judgmental approach that Pfenning and Davies are using in “Judgmental Reconstruction”—what design choices are they making when creating logics, and what are the philosophical and practical reasons behind them? How might these choices translate to other logics? I highlight how using this judgmental approach with linear logic can reveal adjoint logic as a generalization over modal and substructural logics.

References:

• Chellas, Brian F. 1980. Modal Logic: An Introduction. Cambridge University Press.
• Pfenning, Frank, and Rowan Davies. 2001. “A Judgmental Reconstruction of Modal Logic.” Mathematical Structures in Computer Science. (USA) 11 (4): 511–40. https://doi.org/10.1017/S0960129501003322.
• Davies, Rowan, and Frank Pfenning. 2001. “A Modal Analysis of Staged Computation.” J. ACM (New York, NY, USA) 48 (3): 555–604. https://doi.org/10.1145/382780.382785.

• Reed, Jason. 2009. “A Judgmental Deconstruction of Modal Logic.” Unpublished manuscript.
• Chang, Bor-Yuh Evan, Kaustuv Chaudhuri, and Frank Pfenning. 2003. A Judgmental Analysis of Linear Logic. Carnegie Mellon University.
• Pruiksma, Klaas, Willow Chargin, Frank Pfenning, and Jason Reed. 2018. “Adjoint Logic.” Unpublished manuscript.

Reasoning about information flow frequently requires security labelling (ex. secret or public) for types/data. In 1998, Heintze and Ricke published the SLam Calculus, a language in the style of SML, which annotated types with security properties. In 1999, Abadi et al. utilized a monadic approach (DCC) to establish a calculus for reasoning about general program dependencies, including information flow. This lecture will begin with a brief overview of SLam and DCC, followed by a logical relations proof of noninterference for DCC and a discussion of recent results for weakening non-interference (declassification).

Primary references:

• Nevin Heintze and Jon G. Riecke. The SLam Calculus : Programming with Secrecy and Integrity . In Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages (POPL '98).
• Martin Abadi, Anindya Banerjee, Nevin Heintze, and Jon G. Riecke. A core calculus of Dependency. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages (POPL '99).
• Stephen Chong and Andrew C. Myers. Security policies for downgrading. In Proceedings of the 11th ACM conference on Computer and communications security, 2004.
• Hemant Gouni, and Frank Pfenning, and Jonathan Aldrich. Structural Information Flow. In Proceedings of the ACM on Programming Languages, Volume 9, Issue OOPSLA2, 2024.

A large part of the verification community uses tools like Dafny,  F*, and Liquid Haskell which use SMT solvers such as Z3 to partially automate proofs. These tools are dubbed _auto-active_, since they combine the strengths of both automated theorem provers and interactive proof assistants. In this lecture, we will introduce the SMT solving ecosystem and show how these tools leverage SMT to build higher-level program logics.

References:

• Leonardo de Moura and Nikolaj Bjorner. Z3: An Efficient SMT Solver, TACAS 2008
• Swamy et al. Dependent Types and Multi-monadic Effects in F*, POPL 2016
• Rondon, Kawaguchi, and Jhala. Liquid Types, PLDI 2008

A lot of interesting compiler optimizations require information from a control-flow analysis. This is a straightforward process in a first-order language where control operators are part of syntax and therefore, it is easy to construct a control-flow graph. The story is more complicated in a higher-order language: lambda is a piece of data that has control and environment effects. So, in order to do control-flow, you need to do data-flow, and to do data-flow, you need to do control-flow. This lecture will talk about a popular framework to solve this problem (k-CFA) as well as work that followed after this research (ΓCFA, AAM) and applications of the CFA framework.

References:

• Olin Shivers. Control-Flow Analysis of Higher-Order Languages or Taming Lambda , Ph.D. Dissertation, Carnegie Mellon University, 1991
• Matthew Might, Olin Shivers. Improving flow analyses via ΓCFA: Abstract garbage collection and counting , In Proceedings of the Eleventh ACM SIGPLAN International Conference on Functional Programming (ICFP'06)
• David Van Horn, Matthew Might. Abstracting Abstract Machines In Proceedings of the Eleventh ACM SIGPLAN International Conference on Functional Programming (ICFP'10)

Proof-carrying code (PCC) provides a way to safely execute untrusted native code without runtime overhead: the code producer supplies a formal safety proof alongside the code, and the consumer only needs to validate it—a one-time, simple, and fast operation. We begin with Necula and Lee's original PCC framework for safe kernel extensions, then examine foundational PCC (FPCC), which moves instruction semantics into the logic itself and correspondingly reduces what must be trusted. Sufficiently rich type systems can express many of the safety properties that PCC captures, embedding the safety argument in the typing derivation itself; type-preserving compilation leverages this by maintaining well-typedness through each compiler pass down to the target language, eliminating the need for a separate proof artifact. We trace this line of work and ask why it has not fully materialized thirty years later.

Primary references:

• George C. Necula and Peter Lee. Safe Kernel Extensions Without Run-Time Checking. In Proceedings of the Second USENIX Symposium on Operating Systems Design and Implementation (OSDI '96).
• George C. Necula. Proof-Carrying Code. In Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '97).
• Greg Morrisett, David Walker, Karl Crary, and Neal Glew. From System F to Typed Assembly Language. In Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '98).
• Andrew W. Appel. Foundational Proof-Carrying Code. In Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science (LICS '01).
• William J. Bowman. Compiling with Dependent Types. Ph.D. Dissertation, Northeastern University, 2019.

Multi-language computation exists all around us. Large systems are often made up of code in different languages. System designers and programmers need to think hard about how these pieces of code interact, especially in the presence of vastly different data representations and semantics. How do we reason about our code in this setting? With this question in mind, Matthews and Findler introduced a framework for reasoning about type soundness in a multi-language setting, centering on the use of language boundaries. This lecture explains what language boundaries are and how they have been used in research.

Bibliography

• Matthews, Jacob, and Robert Bruce Findler. "Operational semantics for multi-language programs." ACM Transactions on Programming Languages and Systems (TOPLAS) 31.3 (2009): 1-44.
• Tov, Jesse A., and Riccardo Pucella. "Stateful contracts for affine types." European Symposium on Programming. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010.
• Scherer, Gabriel, et al. "Fabulous Interoperability for ML." Foundations of Software Science and Computation Structures: 21st International Conference, FOSSACS 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2018, Thessaloniki, Greece, April 14–20, 2018. Proceedings. Springer, 2018.
• Patterson, Daniel, et al. "Semantic soundness for language interoperability." Proceedings of the 43rd ACM SIGPLAN International Conference on Programming Language Design and Implementation. 2022.

Symbolic execution is the bridge between theorem proving and traditional testing methods, as it combines the power of constraint solving with the practicality of normal testing. The original symbolic execution work of James C. King laid the foundation for symbolic execution. It also suffered from a lot of limitations at that time. A DP algorithm walkthrough is presented on an example from symbolic execution to show how exactly one can solve SAT problem. DP, DPLL, and subsequent SAT/SMT techniques enabled tools that rely on constraint solving. EXE, with its powerful co-designed STP solver, improved and innovated upon the original vision of King. KLEE built upon EXE to address several of its limitations and presented us with a new way to do symbolic execution. Finally, I will conclude with some remarks on what makes a program analysis tool good based on the development of KLEE and reports from Google and Facebook.

Primary References:

• James C. King. Symbolic Execution and Program Testing . Communications of the ACM, Volume 19, Issue 7, July 1976.
• Cristian Cadar, Vijay Ganesh, Peter Pawlowski, David Dill, and Dawson Engler. EXE: Automatically Generating Inputs of Death . ACM Transactions on Information and System Security (TISSEC), Volume 12, Issue 2, January 2008.
• Vijay Ganesh and David L. Dill. A Decision Procedure for Bit-Vectors and Arrays . In: Damm, W., Hermanns, H. (eds), Computer Aided Verification (CAV 2007). Lecture Notes in Computer Science, vol. 4590. Springer, Berlin, Heidelberg.
• Cristian Cadar and Koushik Sen. Symbolic Execution for Software Testing: Three Decades Later . Communications of the ACM, Volume 56, Issue 2, February 2013, pp. 82–90.
• Cristian Cadar, Daniel Dunbar, and Dawson Engler. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs . Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI), 2008.
• Caitlin Sadowski, Edward Aftandilian, Alex Eagle, Liam Miller-Cushon, and Ciera Jaspan. Lessons from Building Static Analysis Tools at Google . Communications of the ACM, Volume 61, Issue 4, April 2018, pp. 58–66.
• Dino Distefano, Manuel Fähndrich, Francesco Logozzo, and Peter W. O'Hearn. Scaling Static Analyses at Facebook . Communications of the ACM, Volume 62, Issue 8, August 2019, pp. 62–70.
• Julien Vanegue A Guide to KLEE LLVM Execution Engine Internals POC||GTFO, ed. Manul Laphroaig, pp 51-58

Hoare logic has some things it fundamentally can't express. In this talk, we discuss what the limitations of the Hoare triple definition are and use that to motivate Incorrectness Logic. After studying the definition and getting an intuition for what the triples say, we move on to motivating the development of predicate transformers and study the eight transformers Versht et.al. defines.

Primary references:

• Peter W. O’Hearn. Incorrectness Logic. In Proceedings of the ACM on Programming Languages, Volume 4, Issue POPL (POPL 2019).
• Versht, L. & Kaminski, B., L. A Taxonomy of Hoare-Like Logics: Towards a Holistic View using Predicate Transformers and Kleene Algebras with Top and Tests. In Proceedings of the ACM on Programming Languages, Volume 4, Issue POPL (POPL 2025).

A long line of philosophical work, dating back centuries, has sought to formalize and verify deductive reasoning by mechanical means. Through the Curry–Howard correspondence, dependent type theories can be fruitfully used as the basis of such computational systems, and have seen widespread use in modern proof assistants like Agda, Lean, and Rocq. This talk will discuss the theories that underlie these three systems, beginning with Martin-Löf’s intensional type theory and developing thereupon the Calculus of (Inductive) Constructions and its extensions. In so doing, it will also consider the relative metatheoretic trade-offs made by different CIC-based proof assistants.

References:

• Mario Carneiro. 2019. The Type Theory of Lean. M.S. Thesis. Carnegie Mellon University.
• Thierry Coquand and Gérard Huet. 1988. The Calculus of Constructions. Information and Computation 76, 2, 95–120.
• Thierry Coquand and Christine Paulin. 1990. Inductively defined types. In COLOG-88. Springer, 50–66.
• Per Martin-Löf. 1975. An Intuitionistic Theory of Types: Predicative Part. In Logic Colloquium ’73, H. E. Rose and J. C. Shepherdson (eds.). Elsevier, 73–118.
• Christine Paulin-Mohring. 2015. Introduction to the Calculus of Inductive Constructions. In All about Proofs, Proofs for All, Bruno Woltzenlogel Paleo and David Delahaye (eds.). College Publications.