The Role of Auxiliary Variables in the Formal Development of Concurrent Programs

  • C. B. Jones


So called “auxiliary variables” are often used in reasoning about concurrent programs. They can be useful – but they can also be undesirable in that they can undermine the hard won property of “compositionality”. This paper explores the issue of auxiliary variables and tries to set concerns about overuse in a wider context; it concludes with an attempt to recommend constraints on their use.


Design Decision Auxiliary Variable Sequential Program Guarantee Condition Concurrent Program 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



I have had the pleasure of knowing Tony Hoare since the 1960s and my DPhilresearch was done under his supervision in 1979–1981. The process of editing“Essays” [21] enhanced our collaboration after I left Oxford. As was said(repeatedly) at the Cambridge meeting in April, 2009 Tony has inspired andsupported many of us over decades.

This paper was not actually presented at the Cambridge meeting to markTony’s birthday because Bill Roscoe and I had held ours as “makeweights” in caseany speakers could not get there. The material was actually presented at the PSYworkshop at CAV Grenoble (June 2009).

I am grateful for comments on drafts of this paper from Joey Coleman, LinasLaibinis, Thai Son Hoang and Bill Roscoe; and to my ever-patient proof readerMs. Allison. This is also a nice opportunity to give belated thanks to SchloßDagstuhl for (among other pleasurable visits) the two on “Atomicty”. The staff inDagstuhl, the environment and the stimulating participants always make tripsthere rewarding and refreshing.

My research is currently funded by the EU “Deploy” project, the (UK) EPSRC “TrAmS” platform grant and the ARC project (that brings together Ian Hayes, Keith Clark, Alan Burns and myself) “Time Bands for Teleo-Reactive Programs”.


  1. 1.
    Abrial, J.-R.: The Event-B Book. Cambridge University Press, Cambridge, UK (2010)Google Scholar
  2. 2.
    Abrial J.-R., Cansell, D.: Development of a concurrent program, private communication (2008).Google Scholar
  3. 3.
    Aczel, P.: A note on program verification. (Private communication) Manuscript, Manchester (January 1982).Google Scholar
  4. 4.
    Ashcroft, E.A., Manna, Z.: Formalization of properties of parallel programs. In: Meltzer, B., Michie, D. (eds.), Machine Intelligence, 6, pp. 17–41. Edinburgh University Press (1971).Google Scholar
  5. 5.
    America, P.: Issues in the design of a parallel object-oriented language. Formal Aspects Comput. 1(4), 366–411 (1989).CrossRefzbMATHGoogle Scholar
  6. 6.
    Anon. SETL: main page, Oct 2009. Scholar
  7. 7.
    Bornat, R., Amjad, H.: Inter-process buffers in separation logic with rely-guarantee, 2008. (private communication) Submitted to Formal Aspects Comput doi:10.1007/s00165-009-0141-8.Google Scholar
  8. 8.
    Bicarregui, J.: Intra-Modular Structuring in Model-Oriented Specification: Expressing Non-Interference with Read/Write Frames. PhD thesis, Manchester University (1995).Google Scholar
  9. 9.
    Barringer, H., Kuiper, R., Pnueli, A.: Now you can compose temporal logic specification. In: Proceedings of 16th ACM STOC, Washington (May 1984).Google Scholar
  10. 0.
    Brookes, S.D.: A semantics of concurrent separation logic. Theoret. Comput. Sci. (Reynolds Festschrift) 375(1–3), 227–270 (2007). (Preliminary version appeared in CONCUR’04, LNCS 3170, pp. 16–34.)zbMATHMathSciNetGoogle Scholar
  11. 1.
    Collette, P., Jones, C.B.: Enhancing the tractability of rely/guarantee specifications in the development of interfering operations. In: Plotkin, G., Stirling, C., Toft, M., (eds.), Proof, Language and Interaction, chapter 10, pp. 277–307. MIT (2000).Google Scholar
  12. 2.
    Coleman, J.W., Jones, C.B.: A structural proof of the soundness of rely/guarantee rules. J. Logic Comput. 17(4), 807–841 (2007).CrossRefzbMATHMathSciNetGoogle Scholar
  13. 3.
    Coleman, J.W.: Constructing a Tractable Reasoning Framework upon a Fine-Grained Structural Operational Semantics. PhD thesis, Newcastle University (January 2008).Google Scholar
  14. 4.
    Dijkstra, E.W.: Go to statement considered harmful. Commun. ACM 11(3), 147–148 (1968).CrossRefMathSciNetGoogle Scholar
  15. 5.
    Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall, Englewood Cliffs, NJ, USA (1976).zbMATHGoogle Scholar
  16. 6.
    Dijkstra, E.W., Scholten, C.S.: Predicate Calculus and Program Semantics. Springer, New York, NY, USA (1990). ISBN 0-387-96957-8, 3-540-96957-8.CrossRefzbMATHGoogle Scholar
  17. 7.
    Floyd, R.W.: Assigning meanings to programs. In: Proc. Symp. in Applied Mathematics, vol. 19: Mathematical Aspects of Computer Science, pp. 19–32. American Mathematical Society (1967).CrossRefGoogle Scholar
  18. 8.
    Hayes, I., (ed.), Specification Case Studies, 2nd edn. Prentice Hall International, Englewood Cliffs, NJ, USA (1993).zbMATHGoogle Scholar
  19. 9.
    Henderson, N.: Formal Modelling and Analysis of an Asynchronous Communication Mechanism. PhD thesis, University of Newcastle upon Tyne (2004).Google Scholar
  20. 0.
    Hoare, C.A.R., Hayes, I.J., He, J., Morgan, C., Roscoe, A.W., Sanders, J.W., Sørensen, I.H., Spivey, J.M., Sufrin, B.A.: The laws of programming. Commun. ACM 30, 672–687 (1987). See Corrigenda in ibid 30:770.Google Scholar
  21. 1.
    Hoare, C.A.R., Jones, C. B.: Essays in Computing Science. Prentice Hall International, Hemel Hempstead, UK (1989).zbMATHGoogle Scholar
  22. 2.
    Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12 (10) 576–580, 583 (October 1969).Google Scholar
  23. 3.
    Hoare, C.A.R.: Proof of a program: FIND. Commun. ACM 14, 39–45 (January 1971).CrossRefzbMATHMathSciNetGoogle Scholar
  24. 4.
    Hoare, C.A.R.: Proof of correctness of data representations. Acta Inform. 1 271–281 (1972).CrossRefzbMATHGoogle Scholar
  25. 5.
    Hoare, C.A.R.: Parallel programming: An axiomatic approach. Comput. Lang., 1(2) 151–160 (June 1975).CrossRefzbMATHMathSciNetGoogle Scholar
  26. 6.
    Hoare, C.A.R.: Communicating sequential processes. Commun. ACM 21, 666–677 (August 1978).CrossRefzbMATHGoogle Scholar
  27. 7.
    Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall, Hemel Hempstead, UK (1985).zbMATHGoogle Scholar
  28. 8.
    Isthiaq, S., O’Hearn, P.W.: BI as an assertion language for mutable data structures. In: 28th POPL, pp. 36–49 (2001).Google Scholar
  29. 9.
    Jones, C.B., Lomet, D., Romanovsky, A., Weikum, G.: The atomic manifesto. J. Universal Comput. Sci. 11(5), 636–650 (2005).Google Scholar
  30. 0.
    Jones, C.B.: A technique for showing that two functions preserve a relation between their domains. Technical Report LR 25.3.067, IBM Laboratory, Vienna (April 1970).Google Scholar
  31. 1.
    Jones, C.B.: Formal development of correct algorithms: an example based on Earley’s recogniser. In: SIGPLAN Notices, vol. 7, Number 1, pp. 150–169. ACM (January 1972).Google Scholar
  32. 2.
    Jones, C.B.: Operations and formal development. Technical Report TN 9004, IBM Laboratory, Hursley (September 1972).Google Scholar
  33. 3.
    Jones, C.B.: Implementation bias in constructive specification of abstract objects typescript (September 1977).Google Scholar
  34. 4.
    Jones, C.B.: Software Development: A Rigorous Approach. Prentice Hall International, Englewood Cliffs, NJ, USA (1980).zbMATHGoogle Scholar
  35. 5.
    Jones, C.B.: Development Methods for Computer Programs including a Notion of Interference. PhD thesis, Oxford University, June 1981. Printed as: Programming Research Group, Technical Monograph 25.Google Scholar
  36. 6.
    Jones, C.B.: Computer-aided formal reasoning for software design, March 1989. talk at: TAPSOFT’89, Barcelona.Google Scholar
  37. 7.
    Jones, C.B.: Systematic Software Development Using VDM 2nd edn., Prentice Hall International, (1990).Google Scholar
  38. 8.
    Jones, C.B.: Accommodating interference in the formal design of concurrent object-based programs. Formal Methods System Design 8(2), 105–122 (March 1996).CrossRefGoogle Scholar
  39. 9.
    Jones, C.B.: The early search for tractable ways of reasoning about programs. IEEE, Ann. History Comput. 25(2), 26–49 (2003).Google Scholar
  40. 0.
    Jones, C.B.: Splitting atoms safely. Theoret. Comput. Sci. 357, 109–119 (2007).CrossRefGoogle Scholar
  41. 1.
    Jones, C.B.: Annotated bibliography on rely/guarantee conditions (Oct 2009). Scholar
  42. 2.
    Jones, C.B., Pierce, K.G.: Splitting atoms with rely/guarantee conditions coupled with data reification. In: ABZ2008, vol. LNCS 5238, pp. 360–377 (2008).Google Scholar
  43. 3.
    Jones, C.B., Pierce, K.G.: Elucidating concurrent algorithms via layers of abstraction and reification. Technical Report CS-TR-1166, School of Computing Science, Newcastle University (2009).Google Scholar
  44. 4.
    King, J.C.: A Program Verifier. PhD thesis, Department of Computer Science Carnegie-Mellon University (1969).Google Scholar
  45. 5.
    Lucas, P.: Two constructive realizations of the block concept and their equivalence. Technical Report TR 25.085, IBM Laboratory Vienna (June 1968).Google Scholar
  46. 6.
    Milner, R.: An algebraic definition of simulation between programs. Technical Report CS-205, Computer Science Dept, Stanford University (February 1971).Google Scholar
  47. 7.
    Nipkow, T.: Non-deterministic data types: Models and implementations. Acta Inform. 22, 629–661 (1986).CrossRefzbMATHMathSciNetGoogle Scholar
  48. 8.
    Nipkow, T.: Behavioural Implementation Concepts for Nondeterministic Data Types. PhD thesis, University of Manchester (May 1987).Google Scholar
  49. 9.
    O’Hearn, P.W.: Resources, concurrency and local reasoning. Theoret. Comput. Science (Reynolds Festschrift) 375 (1–3), 271–307 (May 2007). Preliminary version appeared in CONCUR’04, LNCS 3170, 49–67.Google Scholar
  50. 0.
    Owicki, S.: Axiomatic Proof Techniques for Parallel Programs. PhD thesis, Department of Computer Science, Cornell University (1975).Google Scholar
  51. 1.
    O’Hearn, P.W., Yang, H., Reynolds, J. C.: Separation and information hiding. ACM TOPLAS 31 (3) (April 2009). Preliminary version appeared in 31st POPL, pp. 268–280 (2004).Google Scholar
  52. 2.
    Parkinson, M., Bierman, G.: Separation logic and abstraction. In: POPL ’05: Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 247–258, New York, NY, USA (2005). ACM.Google Scholar
  53. 3.
    Ken Pierce: Enhancing the Usability of Rely-Guaranteee Conditions for Atomicity Refinement. PhD thesis, University of Newcastle upon Tyne. (2009).Google Scholar
  54. 4.
    Prensa Nieto, L.: Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL. PhD thesis, Institut für Informatic der Technischen Universitaet München (2001).Google Scholar
  55. 5.
    Reynolds, J.C.: Intuitionistic reasoning about shared mutable data structure. In: Davies, J. Roscoe, B. and Woodcock, J. (eds.) Millennial Perspectives in Computer Science, pp. 303–321, Palgrave, Houndsmill, Hampshire (2000).Google Scholar
  56. 6.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: Proceedings of 17th LICS, pp. 55–74. IEEE (2002).Google Scholar
  57. 7.
    Simpson, H.R.: New algorithms for asynchronous communication. IEE, Proc. of Comput. Digital Technol. 144 (4), 227–231 (1997).Google Scholar
  58. 8.
    Stirling, C.: A compositional reformulation of Owicki-Gries’ partial correctness logic for a concurrent while language. In: ICALP’86. Springer (1986). LNCS 226.Google Scholar
  59. 9.
    Stølen, K.: Development of Parallel Programs on Shared Data-Structures. PhD thesis, Manchester University (1990). Available as UMCS-91-1-1.Google Scholar

Copyright information

© Springer London 2010

Authors and Affiliations

  1. 1.School of Computing ScienceNewcastle UniversityNewcastleUK

Personalised recommendations