A Static Verification Framework for Message Passing in Go...
Transcript of A Static Verification Framework for Message Passing in Go...
![Page 1: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/1.jpg)
![Page 2: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/2.jpg)
![Page 3: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/3.jpg)
![Page 4: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/4.jpg)
![Page 5: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/5.jpg)
![Page 6: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/6.jpg)
![Page 7: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/7.jpg)
![Page 8: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/8.jpg)
[LICS’18] Romain Demangeon, NY: Casual Computational Complexity of Distributed Processes.[CC’18] Rumyana Neykova , Raymond Hu, NY, Fahd Abdeljallal: Session Type Providers: Compile-time API Generation for Distributed Protocols with Interaction Refinements in F#.[FoSSaCS’18] Bernardo Toninho, NY: Depending On Session Typed Process.[ESOP’18] Bernardo Toninho, NY: On Polymorphic Sessions And Functions: A Talk of Two (Fully Abstract) Encodings.[ESOP’18] Malte Viering, Tzu-Chun Chen, Patrick Eugster, Raymond Hu , Lukasz Ziarek: A Typing Discipline for Statically Verified Crash Failure Handling in Distributed Systems.[ICSE’18] Julien Lange, Nicholas Ng, Bernardo Toninho, NY : A Static Verification Framework for Message Passing in Go using Behavioural Types[ECOOP’17] Alceste Scala, Raymond Hu, Ornela Darda, NY: A Linear Decomposition of Multiparty Sessions for Safe Distributed Programming.. [COORDINATION’17] Keigo Imai, NY, Shoji Yuen: Session-ocaml: a session-based library with polarities and lenses. [FoSSaCS’17] Julien Lange, NY: On the Undecidability of Asynchronous Session Subtyping. [FASE’17] Raymond Hu, NY: Explicit Connection Actions in Multiparty Session Types.[CC’17] Rumyana Neykova, NY: Let It Recover: Multiparty Protocol-Induced Recovery. [POPL’17] Julien Lange, Nicholas Ng, Bernardo Toninho, NY: Fencing off Go: Liveness and Safety for Channel-based Programming.
Selected Publications 2017/2018
![Page 9: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/9.jpg)
[LICS’18] Romain Demangeon, NY: Casual Computational Complexity of Distributed Processes.[CC’18] Rumyana Neykova , Raymond Hu, NY, Fahd Abdeljallal: Session Type Providers: Compile-time API Generation for Distributed Protocols with Interaction Refinements in F#.[FoSSaCS’18] Bernardo Toninho, NY: Depending On Session Typed Process.[ESOP’18] Bernardo Toninho, NY: On Polymorphic Sessions And Functions: A Talk of Two (Fully Abstract) Encodings.[ESOP’18] Malte Viering, Tzu-Chun Chen, Patrick Eugster, Raymond Hu , Lukasz Ziarek: A Typing Discipline for Statically Verified Crash Failure Handling in Distributed Systems.[ICSE’18] Julien Lange, Nicholas Ng, Bernardo Toninho, NY : A Static Verification Framework for Message Passing in Go using Behavioural Types.[ECOOP’17] Alceste Scala, Raymond Hu, Ornela Darda, NY: A Linear Decomposition of Multiparty Sessions for Safe Distributed Programming.[COORDINATION’17] Keigo Imai, NY, Shoji Yuen: Session-ocaml: a session-based library with polarities and lenses. [FoSSaCS’17] Julien Lange, NY: On the Undecidability of Asynchronous Session Subtyping. [FASE’17] Raymond Hu, NY: Explicit Connection Actions in Multiparty Session Types.[CC’17] Rumyana Neykova, NY: Let It Recover: Multiparty Protocol-Induced Recovery. [POPL’17] Julien Lange, Nicholas Ng, Bernardo Toninho, NY: Fencing off Go: Liveness and Safety for Channel-based Programming.
Selected Publications 2017/2018
![Page 10: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/10.jpg)
![Page 11: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/11.jpg)
![Page 12: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/12.jpg)
![Page 13: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/13.jpg)
![Page 14: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/14.jpg)
![Page 15: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/15.jpg)
![Page 16: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/16.jpg)
![Page 17: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/17.jpg)
![Page 18: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/18.jpg)
![Page 19: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/19.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Static verification framework for GoOverview
BehaviouralTypes
SSA IR
Go source code
Type inference
Model checking
mCRL2 model checker
Check safety and liveness
Termination checking
KITTeL termination prover
Address type $ program gap
Transform
and verify
1
2
3
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 19/46
![Page 20: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/20.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoGoroutines
1 func main() {
2 ch := make(chan string)
3 go send(ch)
4 print(<-ch)
5 close(ch)
6 }
78 func send(ch chan string) {
9 ch <- "Hello Kent!"
10 }
go keyword + function call
Spawns function as goroutine
Runs in parallel to parent
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 20/46
![Page 21: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/21.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoChannels
1 func main() {
2 ch := make(chan string)
3 go send(ch)
4 print(<-ch)
5 close(ch)
6 }
78 func send(ch chan string) {
9 ch <- "Hello Kent!"
10 }
Create new channelSynchronous by default
Receive from channel
Close a channel
No more values sent to it
Can only close once
Send to channel
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 21/46
![Page 22: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/22.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoChannels
1 func main() {
2 ch := make(chan string)
3 go send(ch)
4 print(<-ch)
5 close(ch)
6 }
78 func send(ch chan string) {
9 ch <- "Hello Kent!"
10 }
Also select-case:Wait on multiple channeloperations
switch-case forcommunication
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 21/46
![Page 23: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/23.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoDeadlock detection
1 func main() {
2 ch := make(chan string)
3 go send(ch)
4 print(<-ch)
5 close(ch)
6 }
78 func send(ch chan string) {
9 ch <- "Hello Kent!"
10 }
Send message thru channel
Print message on screen
Output:$ go run hello.go
Hello Kent!
$
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 22/46
![Page 24: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/24.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoDeadlock detection
Missing ’go’ keyword
1 // import _ "net"
2 func main() {
3 ch := make(chan string)
4 send(ch) // Oops
5 print(<-ch)
6 close(ch)
7 }
89 func send(ch chan string) {
10 ch <- "Hello Kent!"
11 }
Only one (main) goroutine
Send without receive - blocks
Output:$ go run deadlock.go
fatal error: all goroutines
are asleep - deadlock!
$
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 23/46
![Page 25: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/25.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoDeadlock detection
Missing ’go’ keyword
1 // import _ "net"
2 func main() {
3 ch := make(chan string)
4 send(ch) // Oops
5 print(<-ch)
6 close(ch)
7 }
89 func send(ch chan string) {
10 ch <- "Hello Kent!"
11 }
Go’s runtime deadlock detector
Checks if all goroutines areblocked (‘global’ deadlock)
Print message then crash
Some packages disable it(e.g. net)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 23/46
![Page 26: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/26.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoDeadlock detection
Missing ’go’ keyword
1 import _ "net" // unused
2 func main() {
3 ch := make(chan string)
4 send(ch) // Oops
5 print(<-ch)
6 close(ch)
7 }
89 func send(ch chan string) {
10 ch <- "Hello Kent"
11 }
Import unused, unrelated package
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 23/46
![Page 27: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/27.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Concurrency in GoDeadlock detection
Missing ’go’ keyword
1 import _ "net" // unused
2 func main() {
3 ch := make(chan string)
4 send(ch) // Oops
5 print(<-ch)
6 close(ch)
7 }
89 func send(ch chan string) {
10 ch <- "Hello Kent"
11 }
Only one (main) goroutine
Send without receive - blocks
Output:$ go run deadlock2.go
Hangs: Deadlock NOT detected
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 23/46
![Page 28: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/28.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Our goal
Check liveness/safety properties in addition to global deadlocks
Apply process calculi techniques to Go
Use model checking to statically analyse Go programs
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 24/46
![Page 29: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/29.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Behavioural type inferenceAbstract Go communication as Behavioural Types
BehaviouralTypes
SSA IR
Go source code
Type inference
Model checking
mCRL2 model checker
Check safety and liveness
Termination checking
KITTeL termination prover
Address type $ program gap
Transform
and verify
1
2
3
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 25/46
![Page 30: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/30.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Infer Behavioural Types from Go program
Go source code
1 func main() {
2 ch := make(chan int)
3 go send(ch)
4 print(<-ch)
5 close(ch)
6 }
78 func send(c chan int) {
9 c <- 1
10 }
Behavioural TypesTypes of CCS-like [Milner ’80]process calculus
Send/Receive
new (channel)
parallel composition (spawn)
Go-specific
Close channel
Select (guarded choice)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 26/46
![Page 31: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/31.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Infer Behavioural Types from Go program
Go source code
1 func main() {
2 ch := make(chan int)
3 go send(ch)
4 print(<-ch)
5 close(ch)
6 }
78 func send(c chan int) {
9 c <- 1
10 }
!
Inferred Behavioural Types
8>>>>>><
>>>>>>:
main() = (new ch);(sendhchi |ch;close ch),
send(ch) = ch
9>>>>>>=
>>>>>>;
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 26/46
![Page 32: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/32.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Infer Behavioural Types from Go program
Go source code
1 func main() {
2 ch := make(chan int)
3 go send(ch)
4 print(<-ch)
5 close(ch)
6 }
78 func send(c chan int) {
9 c <- 1
10 }
Inferred Behavioural Types
8>>>>>><
>>>>>>:
main() = (new ch);(sendhchi |ch;close ch),
send(ch) = ch
9>>>>>>=
>>>>>>;
create channel
spawnreceiveclose
send
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 26/46
![Page 33: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/33.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Infer Behavioural Types from Go program
1 func main() {
2 ch := make(chan int) // Create channel
3 go sendFn(ch) // Run as goroutine
4 x := recvVal(ch) // Function call
5 for i := 0; i < x; i++ {
6 print(i)
7 }
8 close(ch) // Close channel
9 }
10 func sendFn(c chan int) { c <- 3 } // Send to c
11 func recvVal(c chan int) int { return <-c } // Recv from c
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 27/46
![Page 34: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/34.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Infer Behavioural Types from Go programpackage main
t0 = make chan int 0:int
go sendFn(t0)
t1 = recvVal(t0)
jump 3
0
t5 = p h i [0: 0:int , 1: t3] #i
t6 = t5 < t1
i f t6 go to 1 e l s e 2
3
t2 = print(t5)
t3 = t5 + 1:int
jump 3
1
t4 = close(t0)
r e t u r n
2
for.loop
for.done
func main.main()entry
return
send c <- 42: int
r e t u r n
0func main.sendFn(c)
entry
return
t0 = <-c
r e t u r n t0
0func main.recvVal(c)
entry
return
Block of instructions
Function boundary
Package boundary
Analyse in
Static SingleAssignment
SSA representationof input program
Only inspect communication primitivesDistinguish between unique channels
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 28/46
![Page 35: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/35.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Model checking behavioural types
From behavioural types tomodel and property specification
BehaviouralTypes
SSA IR
Go source code
Type inference
Model checking
mCRL2 model checker
Check safety and liveness
Termination checking
KITTeL termination prover
Address type $ program gap
Transform
and verify
1
2
3
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 29/46
![Page 36: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/36.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Model checking behavioural types
M ✏ �
LTS model : inferred type + type semanticsSafety/liveness properties : µ-calculus formulae for LTSCheck with mCRL2 model checker
mCRL2 constraint: Finite control (no spawning in loops)
Global deadlock freedom
Channel safety (no send/close on closed channel)
Liveness (partial deadlock freedom)
Eventual receptionJulien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 30/46
![Page 37: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/37.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Behavioural Types as LTS model
Standard CS semantics, i.e.
a;Ta�! T
T
a�! T
0S
a�! S
0
T | S ⌧a�! T
0 | S 0 a;Ta�! T
Send on channel a Synchronise on a Receive on channel a
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 31/46
![Page 38: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/38.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Behavioural Types as LTS model
Standard CS semantics, i.e.
a;Ta�! T
T
a�! T
0S
a�! S
0
T | S ⌧a�! T
0 | S 0 a;Ta�! T
Send on channel a Synchronise on a Receive on channel a
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 31/46
![Page 39: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/39.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Specifying properties of model
Barbs (predicates at each state) describe property at state
Concept from process calculi [Milner ’88, Sangiorgi ’92]
µ-calculus properties specified in terms of barbs
Barbs (T #o
)
Predicates of state/type T
Holds when T is ready tofire action o
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 32/46
![Page 40: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/40.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Specifying properties of model
a;T #a
T #a
T
0 #a
T | T 0 #⌧a
a;T #a
Ready to send Ready to synchronise Ready to receive
Barbs (T #o
)
Predicates of state/type T
Holds when T is ready tofire action o
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 33/46
![Page 41: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/41.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Specifying properties of model
a;T #a
T #a
T
0 #a
T | T 0 #⌧a
a;T #a
Ready to send Ready to synchronise Ready to receive
Barbs (T #o
)
Predicates of state/type T
Holds when T is ready tofire action o
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 33/46
![Page 42: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/42.jpg)
![Page 43: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/43.jpg)
![Page 44: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/44.jpg)
![Page 45: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/45.jpg)
![Page 46: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/46.jpg)
![Page 47: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/47.jpg)
![Page 48: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/48.jpg)
![Page 49: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/49.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Specifying properties of model
Given
LTS model from inferred behavioural types
Barbs of the LTS model
Express safety/liveness properties
As µ-calculus formulae
In terms of the model and the barbs
Global deadlock freedom
Channel safety (no send/close on closed channel)
Liveness (partial deadlock freedom)
Eventual reception
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 34/46
![Page 50: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/50.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Global deadlock freedom
(^
a2A#a
_ #a
) =) hAitrue
If a channel a is ready to receive or send,
then there must be a next state (i.e. not stuck)
A = set of all initialised channels A = set of all labels
) Ready receive/send = not end of program.
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 35/46
![Page 51: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/51.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Global deadlock freedom
(^
a2A#a
_ #a
) =) hAitrue
1 import _ "net" // unused
2 func main() {
3 ch := make(chan string)
4 send(ch) // Oops
5 print(<-ch)
6 close(ch)
7 }
8
9 func send(ch chan string) {
10 ch <- "Hello Kent"
11 }
Send (#ch: line 10)No synchronisation
No more reduction
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 35/46
![Page 52: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/52.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Channel safety
(^
a2A#a
⇤) =) ¬(#a
_ #clo a)
Once a channel a is closed (a⇤),it will not be sent to, nor closed again (clo a)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 36/46
![Page 53: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/53.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Channel safety
(^
a2A#a
⇤) =) ¬(#a
_ #clo a)
1 func main() {
2 ch := make(chan int)
3 go func(ch chan int) {
4 ch <- 1 // is ch closed?
5 }(ch)
6 close(ch)
7 <-ch
8 }
#clo ch when close(ch)
#ch⇤ fires after closedSend (#ch: line 4)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 36/46
![Page 54: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/54.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Liveness (partial deadlock freedom)Liveness for Send/Receive
(^
a2A#a
_ #a
) =) eventually (h⌧a
itrue)
If a channel is ready to receive or send,
then eventuallyit can synchronise (⌧
a
)
(i.e. there’s corresponding send for receiver/recv for sender)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 37/46
![Page 55: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/55.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Liveness (partial deadlock freedom)Liveness for Send/Receive
(^
a2A#a
_ #a
) =) eventually (h⌧a
itrue)
where:
eventually (�)def= µy. (� _ hAiy)
If a channel is ready to receive or send,
then for some reachable stateit can synchronise (⌧
a
)Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 37/46
![Page 56: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/56.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Liveness (partial deadlock freedom)Liveness for Select
(^
a2P(A)
#a
) =) eventually (h{⌧a
| a 2 a}itrue)
If one of the channels in select is ready to receive or send,Then eventually it will synchronise (⌧
a
)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 38/46
![Page 57: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/57.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Liveness (partial deadlock freedom)Liveness for Select
(^
a2P(A)
#a
) =) eventually (h{⌧a
| a 2 a}itrue)
P1 = select{a, b, ⌧.P} P1 is live if P is XP2 = select{a, b} P2 is not live ⇥R1 = a (P2 | R1) is live X
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 38/46
![Page 58: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/58.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Liveness (partial deadlock freedom)Liveness for Select
(^
a2P(A)
#a
) =) eventually (h{⌧a
| a 2 a}itrue)
P1 = select{a, b, ⌧.P} P1 is live if P is XP2 = select{a, b} P2 is not live ⇥R1 = a (P2 | R1) is live X
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 38/46
![Page 59: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/59.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Liveness (partial deadlock freedom)
(^
a2A#a
_ #a
) =) eventually (h⌧a
itrue)
(^
a2P(A)
#a
) =) eventually (h{⌧a
| a 2 a}itrue)
1 func main() {
2 ch := make(chan int)
3 go looper() // !!!
4 <-ch // No matching send
5 }
6 func looper() {
7 for {
8 }
9 }
⇥ Runtime detector: Hangs
X Our tool: NOT live
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 39/46
![Page 60: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/60.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Liveness (partial deadlock freedom)
(^
a2A#a
_ #a
) =) eventually (h⌧a
itrue)
(^
a2P(A)
#a
) =) eventually (h{⌧a
| a 2 a}itrue)
1 func main() {
2 ch := make(chan int)
3 go loopSend(ch)
4 <-ch
5 }
6 func loopSend(ch chan int) {
7 for i := 0; i < 10; i-- {
8 // Does not terminate
9 }
10 ch <- 1
11 }
What about this one?
Type: Live
Program: NOT live
Needs additional guarantees
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 39/46
![Page 61: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/61.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Property: Eventual reception
(^
a2A#a
•) =) eventually (h⌧a
itrue)
If an item is sent to a bu↵ered channel (a•),Then eventually it can be consumed/synchronised (⌧
a
)
(i.e. no orphan messages)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 40/46
![Page 62: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/62.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Termination checkingAddressing the program-type abstraction gap
BehaviouralTypes
SSA IR
Go source code
Type inference
Model checking
mCRL2 model checker
Check safety and liveness
Termination checking
KITTeL termination prover
Address type $ program gap
Transform
and verify
1
2
3
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 41/46
![Page 63: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/63.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Termination checking with KITTeL
Type inference does not consider program data
Type liveness 6= Program liveness if program non-terminating
Especially when involving iteration
) Check for loop termination
If terminates, type liveness = program liveness
Program terminates Program does not terminateType live X Program live ?Type not live ⇥ Program not live ⇥ Program not live
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 42/46
![Page 64: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/64.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Tool: Godel-Checker
https://github.com/nickng/gospal
https://bitbucket.org/MobilityReadingGroup/godel-checker
GolangUK Conference 2017
Understanding Concurrency with Behavioural Types
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 43/46
![Page 65: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/65.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Conclusion
Verification framework based onBehavioural Types
Behavioural types for Go concurrency
Infer types from Go source code
Model check types for safety/liveness
+ termination for iterative Go code
Behavioural types
SSA IR
Go source code
Type inference
Transform and verify
Modelchecking
Terminationchecking
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 44/46
![Page 66: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/66.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
In the paper
See our paper for omitted topics in this talk:Behavioural type inference algorithmTreatment of bu↵ered (asynchronous) channelsThe select (non-deterministic choice) primitiveDefinitions of behavioural type semantics/barbs
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 45/46
![Page 67: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/67.jpg)
Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary
Future and related workExtend framework to support more safety propertiesDi↵erent verification approaches
Godel-Checker model checking [ICSE’18] (this talk)Gong type verifier [POPL’17]Choreography synthesis [CC’15]
Di↵erent concurrency issues (e.g. data races)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 46/46
![Page 68: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/68.jpg)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 1/4
![Page 69: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/69.jpg)
Behavioural Types for GoType syntax
↵ := u | u | ⌧T , S := ↵;T | T � S | N{↵
i
;Ti
}i2I | (T | S) | 0
| (new a)T | close u;T | thui | bucnk
| buf [u]closed
T := {t(yi
) = T
i
}i2I in S
Types of a CCS-like process calculusAbstracts Go concurrency primitives
Send/Recv, new (channel), parallel composition (spawn)Go-specific: Close channel, Select (guarded choice)
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 2/4
![Page 70: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/70.jpg)
Semantics of types
snd a;T
a�! T rcv a;T
a�! T tau ⌧ ;T⌧�! T
end close a;Tclo a���! T buf bacn
k
clo a���! buf [a]
closed
cld buf [a]
closed
a
⇤�! buf [a]
closed
sel
i 2 {1, 2}T
1
� T
2
⌧�! T
i
bra
↵j
;T
j
↵j�! T
j
j 2 I
N{↵i
;T
i
}i2I
↵j�! T
j
par
T
↵�! T
0
T | S ↵�! T
0 | Sseq
T
↵�! T
0
T ; S
↵�! T
0; S
term 0; S⌧�! S
com
↵ 2 {a, a⇤, a•} T
↵�! T
0S
��! S
0 � 2 {•a, a}T | S ⌧
a�! T
0 | S 0
eq
T ⌘↵ T
0T
↵�! T
00
T
0 ↵�! T
00 def
T {a/x} ↵�! T
0 t(x) = T
thai ↵�! T
0
close
T
clo a���! T
0S
clo a���! S
0
T | S ⌧�! T
0 | S 0 in
k < n
bacnk
•a�! bacn
k+1
out
k � 1
bacnk
a
•�! bacn
k�1
Figure: Semantics of types.
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 3/4
![Page 71: A Static Verification Framework for Message Passing in Go ...mrg.doc.ic.ac.uk/talks/2018/09/trends/slides.pdfmCRL2 constraint: Finite control (no spawning in loops) Global deadlock](https://reader034.fdocuments.in/reader034/viewer/2022042803/5f4a469997b07b795233b42d/html5/thumbnails/71.jpg)
Barb predicates for types
a;T #a
close a;T #clo a
a;T #a
buf [a]
closed
#a
⇤
8i 2 {1, . . . , n} : ↵i
#o
i
N{↵i
;T}i2{1,...,n} #{o
1
...on
}
T #o
T ;T
0 #o
T #a
T
0 #a
or T
0 #a
⇤
T | T 0 #⌧a
T {a/x} #o
t(x) = T
thai #o
T #a
↵i
#a
T | N{↵i
; S
i
}i2I
#⌧a
T #a
or T #a
⇤ ↵i
#a
T | N{↵i
; S
i
}i2I
#⌧a
k < n
bacnk
#•a
k � 1
bacnk
#a
•
T #a
T
0 #•a
T | T 0 #⌧a
T #a
• ↵i
#a
T | N{↵i
; S
i
}i2I
#⌧a
T #o
T | T 0 #o
T #o
a /2 fn(o)
(new
n
a);T #o
T #o
T ⌘ T
0
T #o
Figure: Barb predicates for types.
Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida
A Static Verification Framework for Message Passing in Go using Behavioural Types
mrg.doc.ic.ac.uk 4/4