Proving the correctness of coroutines without history variables

  • Authors: Edmund M. Clarke
  • Affiliations: Duke University
  • Venue: ACM-SE 16 Proceedings of the 16th annual Southeast regional conference
  • Year: 1978

Abstract

We examine the question of whether history variables are necessary in formal proofs of correctness for coroutines. History variables are special variables which are added to a program to facilitate its proof by recording the execution history of the program. Such variables were first used by Clint in his paper "Program Proving: Coroutines." They have also been used by Owicki and Howard (concurrent programs) and by Apt (sequential programs). We argue that recording the entire history of a computation in a single set of variables is inconvenient and leads to extremely complicated proofs. We propose a modification of Clint's axiom system and a strategy for constructing proofs which eliminates the need for history variables in verifying simple coroutines. Examples are given to illustrate this technique of verifying coroutines, and our axiom system is shown to be sound and relatively complete with respect to an operational semantics for coroutines. Finally, we discuss extensions of the coroutine concept for which history variables do appear to be needed; we also discuss the question of whether history variables are necessary in verifying concurrent programs.