Questions: Concurrency Verification

With n threads each executing k steps, there are (nk)! / (k!)^n possible interleavings. Even small concurrent programs have astronomically many schedules. A data race might occur only when thread A reads between thread B's write and thread C's write — a specific 3-step interleaving among millions. Testing exercises a tiny fraction of interleavings; formal verification must cover all of them. This combinatorial explosion is the defining challenge of concurrency verification.

Answer: True

If thread 1 owns heap region described by P and thread 2 owns region described by Q, and the specification uses P * Q, then the regions are disjoint by the semantics of *. Neither thread can access the other's region, preventing data races. When threads need to communicate through shared state, they must explicitly transfer ownership through a shared resource invariant (e.g., a lock invariant that grants access to the shared region to whichever thread holds the lock). This disciplined ownership model is what makes compositional reasoning about concurrent programs possible.

Rely-guarantee, introduced by Jones (1983), was the first compositional approach to concurrent verification. Without it, you must reason about all interleavings globally. With rely-guarantee, each thread is verified independently under assumptions about its environment, and a compatibility check ensures the assumptions are justified. This is analogous to assume-guarantee reasoning in model checking and to interface contracts in modular software design. The approach complements concurrent separation logic: separation logic handles spatial (heap) decomposition, while rely-guarantee handles temporal (interference) decomposition.