Investigating the limits of rely/guarantee relations based on a concurrent garbage collector example

  • Cliff B. JonesEmail author
  • Nisansala Yatapanage
Open Access
Original Article


Decomposing the design (or documentation) of large systems is a practical necessity but finding compositional development methods for concurrent software is technically challenging. This paper includes the development of a difficult example in order to draw out lessons about such methods. The concurrent garbage collector development is interesting in several ways; in particular, the final step of its development appears to be just beyond what can be expressed by rely/guarantee relations. This prompts an exploration of the limitations of this well-known method. Although the rely/guarantee approach is used, most of the lessons are more general.


Concurrency Compositional methods Rely-guarantee Auxiliary/ghost variable 



The current journal paper is a major reworking of an earlier conference paper [JVY17] and we acknowledge the earlier enjoyable collaboration with our colleague Andrius Velykis before he moved to industry and then back to his homeland.

We have also benefitted fromproductive discussions with researchers including Jose´ NunoOliveira, IanHayes and attendees at the Northern Concurrency Working Group. In particular, Simon Doherty pointed out that GC is a nasty challenge for any compositional approach because the mutator/collector were clearly thought out together; while this is true, looking at an example at the fringe of R/G expressivity has informed the notion of compositional development. Leo Freitas is in the process of mechanising the proofs of the lemmas and theorems above and has mademany useful comments. An anonymous referee also provided useful input that has hopefully led to clarifications.

The authors gratefully acknowledge funding for this research from EPSRC grants Taming Concurrency and Strata.


  1. BA84.
    Ben-Ari M (1984) Algorithms for on-the-fly garbage collection. ACM Trans Programm Lang Syst 6(3): 333–344CrossRefzbMATHGoogle Scholar
  2. BA10.
    Bornat R, Amjad H (2010) Inter-process buffers in separation logic with rely-guarantee. Formal Asp Comput 22(6): 735–772CrossRefzbMATHGoogle Scholar
  3. BA13.
    Bornat R, Amjad H (2013) Explanation of two non-blocking shared-variable communication algorithms. Formal Asp Comput 25(6): 893–931MathSciNetCrossRefzbMATHGoogle Scholar
  4. BvW98.
    Back R-JR, von Wright J (1998) Refinement calculus: a systematic introduction. Springer, New YorkCrossRefzbMATHGoogle Scholar
  5. CJ00.
    Collette P, Jones CB (2000) Enhancing the tractability of rely/guarantee specifications in the development of interfering operations. In: Plotkin G, Stirling C, Tofte M (eds) Proof, language and interaction, chapter 10. MIT Press, pp 277–307Google Scholar
  6. CJ07.
    Coleman JW, Jones CB (2007) A structural proof of the soundness of rely/guarantee rules. J Log Comput 17(4): 807–841MathSciNetCrossRefzbMATHGoogle Scholar
  7. Col08.
    Coleman JW (2008) Constructing a tractable reasoning framework upon a fine-grained structural operational semantics. PhD thesis, Newcastle UniversityGoogle Scholar
  8. DFPV09.
    Dodds M, Feng X, Parkinson M, Vafeiadis V (2009) Deny-guarantee reasoning. In: Castagna G (ed) Programming languages and systems, volume 5502 of lecture notes in computer science. Springer, Berlin, pp 363–377Google Scholar
  9. Din00.
    Dingel J (2000) Systematic parallel programming. PhD thesis, Carnegie Mellon University, CMU-CS-99-172Google Scholar
  10. DYDG+10.
    Dinsdale-Young T, Dodds M, Gardner P, Parkinson MJ, Vafeiadis V (2010) Concurrent abstract predicates. In: Proceedings of the 24th European conference on object-oriented programming, Berlin, Heidelberg, pp 504–528Google Scholar
  11. FFS07.
    Feng X, Ferreira R, Shao Z (2007) On the relationship between concurrent separation logic and assume-guarantee reasoning. In: ESOP: programming languages and systems. Springer, pp 173–188Google Scholar
  12. GGH07.
    Gao H, Groote JF, Hesselink WH (2007) Lock-free parallel and concurrent garbage collection by mark&sweep. Sci Comput Program 64(3): 341–374MathSciNetCrossRefzbMATHGoogle Scholar
  13. HBDJ13.
    Hayes IJ, Burns A, Dongol B, Jones CB (2013) Comparing degrees of non-determinism in expression evaluation. Comput J 56(6): 741–755CrossRefGoogle Scholar
  14. HJ18.
    Hayes IJ, Jones CB (2018) A guide to rely/guarantee thinking. In: Bowen JP, Liu Z, Zhang Z (eds) Engineering trustworthy software systems, volume 11174 of LNCS. Springer, Cham, pp 1–38Google Scholar
  15. HJC14.
    Hayes IJ, Jones CB, Colvin RJ (July 2014) Laws and semantics for rely-guarantee refinement. Technical report CS-TR-1425, Newcastle UniversityGoogle Scholar
  16. HL10.
    Hesselink WH, Lali MI (2010) Simple concurrent garbage collection almost without synchronization. Formal Methods Syst Des 36(2): 148–166CrossRefzbMATHGoogle Scholar
  17. Hoa72.
    Hoare CAR (1972) Towards a theory of parallel programming. In: Operating system techniques. Academic Press, pp 61–71Google Scholar
  18. JH16.
    Jones CB, Hayes IJ (2016) Possible values: exploring a concept for concurrency. J Log Algebraic Methods Programm 85(5, Part 2):972–984Google Scholar
  19. JHC15.
    Jones CB, Hayes IJ, Colvin RJ (2015) Balancing expressiveness in formal approaches to concurrency. Formal Asp Comput 27(3): 475–497MathSciNetCrossRefzbMATHGoogle Scholar
  20. JHM16.
    Jones R, Hosking A, Moss E (2016) The garbage collection handbook: the art of automatic memory management. Chapman and HallGoogle Scholar
  21. Jon81.
    Jones CB (June 1981) Development methods for computer programs including a notion of interference. PhD thesis, Oxford University, June 1981. Available as: Oxford University Computing Laboratory (now Computer Science) Technical Monograph PRG-25Google Scholar
  22. Jon83a.
    Jones CB (1983) Specification and design of (parallel) programs. In: Proceedings of IFIP’83. North-Holland, pp 321–332Google Scholar
  23. Jon83b.
    Jones CB (1983) Tentative steps toward a development method for interfering programs. ACM ToPLaS 5(4): 596–619CrossRefzbMATHGoogle Scholar
  24. Jon90.
    Jones CB (1990) Systematic software development using VDM, 2nd edn. Prentice Hall InternationalGoogle Scholar
  25. Jon96.
    Jones CB (March 1996) Accommodating interference in the formal design of concurrent object-based programs. Formal Methods Syst Des 8(2):105–122Google Scholar
  26. JP11.
    Jones CB, Pierce KG (2011) Elucidating concurrent algorithms via layers of abstraction and reification. Formal Asp Comput 23(3): 289–306MathSciNetCrossRefzbMATHGoogle Scholar
  27. JVY17.
    Jones CB, Velykis A, Yatapanage N (2017) General lessons from a rely/guarantee development. In: Larsen KG, Sokolsky O, Wang J (eds) Dependable software engineering: theories, tools, and applications, volume 10606 of LNCS. Springer, pp 3–24Google Scholar
  28. JY15.
    Jones CB, Yatapanage N (2015) Reasoning about separation using abstraction and reification. In: Calinescu R, Rumpe B (eds) Software engineering and formal methods, volume 9276 of LNCS. Springer, pp 3–19Google Scholar
  29. LFF14.
    Liang H, Feng X, Fu M (2014) A rely-guarantee-based simulation for compositional verification of concurrent program transformations. ACM Trans Programm Lang Syst 36(1):3:1–3:55Google Scholar
  30. Lia14.
    Liang H (2014) Refinement verification of concurrent programs and its applications. PhD thesis, USTC, ChinaGoogle Scholar
  31. McC66.
    McCarthy J (1966) A formal description of a subset of ALGOL. In: Formal language description languages for computer programming. North-Holland, pp 1–12Google Scholar
  32. Mor90.
    Morgan C (1990) Programming from specifications. Prentice-HallGoogle Scholar
  33. NE00.
    Nieto LP, Esparza J (2000) Verifying single and multi-mutator garbage collectors with Owicki-Gries in Isabelle/HOL. In: MFCS 2000, volume 1893 of LNCS. Springer, pp 619–628Google Scholar
  34. NPW09.
    Nipkow T, Paulson LC, Wenzel M (2009) Isabelle/HOL—a proof assistant for higher-order logic, volume 2283 of LNCS. SpringerGoogle Scholar
  35. OG76.
    Owicki SS, Gries D (1976) An axiomatic proof technique for parallel programs I. Acta Inf 6(4): 319–340MathSciNetCrossRefzbMATHGoogle Scholar
  36. O’H07.
    O’Hearn PW (May 2007) Resources, concurrency and local reasoning. Theor Comput Sci 375(1–3):271–307Google Scholar
  37. Owi75.
    Owicki S (1975) Axiomatic proof techniques for parallel programs. PhD thesis, Department of Computer Science, Cornell UniversityGoogle Scholar
  38. Par10.
    Parkinson M (2010) The next 700 separation logics. In: Leavens G, O’Hearn P, Rajamani S (eds) Verified software: theories, tools, experiments, volume 6217 of LNCS. Springer, pp 169–182Google Scholar
  39. Pie09.
    Pierce K (2009) Enhancing the useability of rely-guaranteee conditions for atomicity refinement. PhD thesis, Newcastle UniversityGoogle Scholar
  40. PPS10.
    Pavlovic D, Pepper P, Smith DR (2010) Formal derivation of concurrent garbage collectors. In: MPC 2010, volume 6120 of LNCS. Springer, pp 353–376Google Scholar
  41. Pre01.
    Nieto LP (2001) Verification of parallel programs with the Owicki–Gries and Rely–Guarantee methods in Isabelle/HOL. PhD thesis, Institut für Informatic der Technischen Universitaet MünchenGoogle Scholar
  42. STER11.
    Schellhorn G, Tofan B, Ernst G, Reif W (2011) Interleaved programs and rely-guarantee reasoning with ITL. In: TIME, pap 99–106Google Scholar
  43. Stø90.
    Stølen K (1990) Development of parallel programs on shared data-structures. PhD thesis, Manchester University, Available as UMCS-91-1-1Google Scholar
  44. TSBR08.
    Torp-Smith N, Birkedal L, Reynolds JC (2008) Local reasoning about a copying garbage collector. ToPLaS 30:24:1–24:58Google Scholar
  45. Vaf07.
    Vafeiadis V (2007) Modular fine-grained concurrency verification. PhD thesis, University of CambridgeGoogle Scholar
  46. vdS87.
    van de Snepscheut JLA (1987) Algorithms for on-the-fly garbage collection revisited. Inf Process Lett 24(4): 211–216CrossRefGoogle Scholar
  47. VYB06.
    Vechev MT, Yahav E, Bacon DF (2006) Correctness-preserving derivation of concurrent garbage collection algorithms. In: PLDI, pp 341–353Google Scholar
  48. WDP10.
    Wickerson J, Dodds M, Parkinson MJ (2010) Explicit stabilisation for modular rely-guarantee reasoning. In: Gordon AD (ed) ESOP, volume 6012 of LNCS. Springer, pp 610–629Google Scholar
  49. Xu92.
    Xu Q (1992) A theory of state-based parallel programming. PhD thesis, Oxford UniversityGoogle Scholar
  50. ZCD+17.
    Zakowski Y, Cachera D, Demange D, Petri G, Pichardie D, Jagannathan S, Vitek J (2017) Verifying a concurrent garbage collector using a rely-guarantee methodology. In: Ayala-Rincón M, Muñoz CA (eds) Proceedings of interactive theorem proving—8th international conference, ITP 2017, Brasília, Brazil, September 26–29, 2017, volume 10499 of lecture notes in computer science. Springer, pp 496–513Google Scholar

Copyright information

© The Author(s) 2019

Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Authors and Affiliations

  1. 1.School of Computing ScienceNewcastle UniversityNewcastle upon TyneUK
  2. 2.School of Computer Science and InformaticsDe Montfort UniversityLeicesterUK

Personalised recommendations