Abstract
Decomposing the design (or documentation) of large systems is a practical necessity, but finding compositional development methods for concurrent software is technically challenging. This paper develops a difficult example in order to draw out lessons about such methods. The development of a concurrent garbage collector is interesting in several ways; in particular, the final step of its development appears to be just beyond what can be expressed by rely/guarantee relations. This prompts an exploration of the limitations of this well-known method. Although the rely/guarantee approach is used throughout, most of the lessons are more general.
References
Ben-Ari M (1984) Algorithms for on-the-fly garbage collection. ACM Trans Programm Lang Syst 6(3): 333–344
Bornat R, Amjad H (2010) Inter-process buffers in separation logic with rely-guarantee. Formal Asp Comput 22(6): 735–772
Bornat R, Amjad H (2013) Explanation of two non-blocking shared-variable communication algorithms. Formal Asp Comput 25(6): 893–931
Back R-JR, von Wright J (1998) Refinement calculus: a systematic introduction. Springer, New York
Collette P, Jones CB (2000) Enhancing the tractability of rely/guarantee specifications in the development of interfering operations. In: Plotkin G, Stirling C, Tofte M (eds) Proof, language and interaction, chapter 10. MIT Press, pp 277–307
Coleman JW, Jones CB (2007) A structural proof of the soundness of rely/guarantee rules. J Log Comput 17(4): 807–841
Coleman JW (2008) Constructing a tractable reasoning framework upon a fine-grained structural operational semantics. PhD thesis, Newcastle University
Dodds M, Feng X, Parkinson M, Vafeiadis V (2009) Deny-guarantee reasoning. In: Castagna G (ed) Programming languages and systems, volume 5502 of LNCS. Springer, Berlin, pp 363–377
Dingel J (2000) Systematic parallel programming. PhD thesis, Carnegie Mellon University, CMU-CS-99-172
Dinsdale-Young T, Dodds M, Gardner P, Parkinson MJ, Vafeiadis V (2010) Concurrent abstract predicates. In: Proceedings of the 24th European conference on object-oriented programming (ECOOP 2010). Springer, Berlin, pp 504–528
Feng X, Ferreira R, Shao Z (2007) On the relationship between concurrent separation logic and assume-guarantee reasoning. In: ESOP: programming languages and systems. Springer, pp 173–188
Gao H, Groote JF, Hesselink WH (2007) Lock-free parallel and concurrent garbage collection by mark&sweep. Sci Comput Program 64(3): 341–374
Hayes IJ, Burns A, Dongol B, Jones CB (2013) Comparing degrees of non-determinism in expression evaluation. Comput J 56(6): 741–755
Hayes IJ, Jones CB (2018) A guide to rely/guarantee thinking. In: Bowen JP, Liu Z, Zhang Z (eds) Engineering trustworthy software systems, volume 11174 of LNCS. Springer, Cham, pp 1–38
Hayes IJ, Jones CB, Colvin RJ (July 2014) Laws and semantics for rely-guarantee refinement. Technical report CS-TR-1425, Newcastle University
Hesselink WH, Lali MI (2010) Simple concurrent garbage collection almost without synchronization. Formal Methods Syst Des 36(2): 148–166
Hoare CAR (1972) Towards a theory of parallel programming. In: Operating system techniques. Academic Press, pp 61–71
Jones CB, Hayes IJ (2016) Possible values: exploring a concept for concurrency. J Log Algebraic Methods Programm 85(5, Part 2):972–984
Jones CB, Hayes IJ, Colvin RJ (2015) Balancing expressiveness in formal approaches to concurrency. Formal Asp Comput 27(3): 475–497
Jones R, Hosking A, Moss E (2016) The garbage collection handbook: the art of automatic memory management. Chapman and Hall
Jones CB (June 1981) Development methods for computer programs including a notion of interference. PhD thesis, Oxford University. Available as: Oxford University Computing Laboratory (now Computer Science) Technical Monograph PRG-25
Jones CB (1983) Specification and design of (parallel) programs. In: Proceedings of IFIP’83. North-Holland, pp 321–332
Jones CB (1983) Tentative steps toward a development method for interfering programs. ACM Trans Programm Lang Syst 5(4): 596–619
Jones CB (1990) Systematic software development using VDM, 2nd edn. Prentice Hall International
Jones CB (March 1996) Accommodating interference in the formal design of concurrent object-based programs. Formal Methods Syst Des 8(2):105–122
Jones CB, Pierce KG (2011) Elucidating concurrent algorithms via layers of abstraction and reification. Formal Asp Comput 23(3): 289–306
Jones CB, Velykis A, Yatapanage N (2017) General lessons from a rely/guarantee development. In: Larsen KG, Sokolsky O, Wang J (eds) Dependable software engineering: theories, tools, and applications, volume 10606 of LNCS. Springer, pp 3–24
Jones CB, Yatapanage N (2015) Reasoning about separation using abstraction and reification. In: Calinescu R, Rumpe B (eds) Software engineering and formal methods, volume 9276 of LNCS. Springer, pp 3–19
Liang H, Feng X, Fu M (2014) A rely-guarantee-based simulation for compositional verification of concurrent program transformations. ACM Trans Programm Lang Syst 36(1):3:1–3:55
Liang H (2014) Refinement verification of concurrent programs and its applications. PhD thesis, USTC, China
McCarthy J (1966) A formal description of a subset of ALGOL. In: Formal language description languages for computer programming. North-Holland, pp 1–12
Morgan C (1990) Programming from specifications. Prentice-Hall
Nieto LP, Esparza J (2000) Verifying single and multi-mutator garbage collectors with Owicki-Gries in Isabelle/HOL. In: MFCS 2000, volume 1893 of LNCS. Springer, pp 619–628
Nipkow T, Paulson LC, Wenzel M (2009) Isabelle/HOL—a proof assistant for higher-order logic, volume 2283 of LNCS. Springer
Owicki SS, Gries D (1976) An axiomatic proof technique for parallel programs I. Acta Inf 6(4): 319–340
O’Hearn PW (May 2007) Resources, concurrency and local reasoning. Theor Comput Sci 375(1–3):271–307
Owicki S (1975) Axiomatic proof techniques for parallel programs. PhD thesis, Department of Computer Science, Cornell University
Parkinson M (2010) The next 700 separation logics. In: Leavens G, O’Hearn P, Rajamani S (eds) Verified software: theories, tools, experiments, volume 6217 of LNCS. Springer, pp 169–182
Pierce K (2009) Enhancing the usability of rely-guarantee conditions for atomicity refinement. PhD thesis, Newcastle University
Pavlovic D, Pepper P, Smith DR (2010) Formal derivation of concurrent garbage collectors. In: MPC 2010, volume 6120 of LNCS. Springer, pp 353–376
Nieto LP (2001) Verification of parallel programs with the Owicki–Gries and Rely–Guarantee methods in Isabelle/HOL. PhD thesis, Institut für Informatik der Technischen Universität München
Schellhorn G, Tofan B, Ernst G, Reif W (2011) Interleaved programs and rely-guarantee reasoning with ITL. In: TIME, pp 99–106
Stølen K (1990) Development of parallel programs on shared data-structures. PhD thesis, Manchester University, Available as UMCS-91-1-1
Torp-Smith N, Birkedal L, Reynolds JC (2008) Local reasoning about a copying garbage collector. ACM Trans Programm Lang Syst 30:24:1–24:58
Vafeiadis V (2007) Modular fine-grained concurrency verification. PhD thesis, University of Cambridge
van de Snepscheut JLA (1987) Algorithms for on-the-fly garbage collection revisited. Inf Process Lett 24(4): 211–216
Vechev MT, Yahav E, Bacon DF (2006) Correctness-preserving derivation of concurrent garbage collection algorithms. In: PLDI, pp 341–353
Wickerson J, Dodds M, Parkinson MJ (2010) Explicit stabilisation for modular rely-guarantee reasoning. In: Gordon AD (ed) ESOP, volume 6012 of LNCS. Springer, pp 610–629
Xu Q (1992) A theory of state-based parallel programming. PhD thesis, Oxford University
Zakowski Y, Cachera D, Demange D, Petri G, Pichardie D, Jagannathan S, Vitek J (2017) Verifying a concurrent garbage collector using a rely-guarantee methodology. In: Ayala-Rincón M, Muñoz CA (eds) Interactive theorem proving: 8th international conference, ITP 2017, Brasília, Brazil, September 26–29, 2017, volume 10499 of LNCS. Springer, pp 496–513
Acknowledgements
The current journal paper is a major reworking of an earlier conference paper [JVY17] and we acknowledge the earlier enjoyable collaboration with our colleague Andrius Velykis before he moved to industry and then back to his homeland.
We have also benefitted from productive discussions with researchers including José Nuno Oliveira, Ian Hayes and attendees at the Northern Concurrency Working Group. In particular, Simon Doherty pointed out that GC is a nasty challenge for any compositional approach because the mutator/collector were clearly thought out together; while this is true, looking at an example at the fringe of R/G expressivity has informed the notion of compositional development. Leo Freitas is in the process of mechanising the proofs of the lemmas and theorems above and has made many useful comments. An anonymous referee also provided useful input that has hopefully led to clarifications.
The authors gratefully acknowledge funding for this research from EPSRC grants Taming Concurrency and Strata.
Additional information
Jim Woodcock
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Jones, C.B., Yatapanage, N. Investigating the limits of rely/guarantee relations based on a concurrent garbage collector example. Form Asp Comp 31, 353–374 (2019). https://doi.org/10.1007/s00165-019-00482-3