Bounded verification of message-passing concurrency in Go using Promela and Spin

Nicolas, Dilley,; Lange, Julien

doi:10.4204/eptcs.314.4

Cited by 14 publications

(7 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…В работах [18,19] Дилли и Ланге предлагают подход Gomela проверки программ на подмножестве языка Go путем генерации соответствующего кода на Promela. Проверяется корректность функций передачи сообщений.…”

Section: обзор связанных работunclassified

Model checking programs in process-oriented IEC 61131-3 Structured Text

Garanina,

Staroletov,

Zyubin

et al. 2024

Model. anal. inf. sist.

View full text Add to dashboard Cite

The process-oriented programming is a paradigm based on the process concept where each process is a concurrent finite state machine inside. The paradigm is intended for PLC (programmable logic controllers) developers to write Industry 4.0-enabled software. The poST language is a promising process-oriented extension of the IEC 61131-3 Structured Text (ST) language designed to provide a conceptual consistency of the PLC source code with technological description of the process under control. This language combines the advantages of FSM-based programming with the standard syntax of the ST language. We propose transformational semantics of poST providing rules for translation of poST language statements to Promela — the input language of the SPIN model checker. Following these semantic rules, our Xtext-based translator outputs a Promela model for the poST program. Our contribution is the poST transformational semantics and the method for automatic generation of the Promela code from poST control programs. The resulting Promela program is ready to be verified with SPIN model checker against linear temporal logic requirements to the source poST program. In the paper we provide an overview of related work, as well as a brief description of the poST and Promela languages. Further, the Promela poST translation rules cover control flow statements, process creation and state management constructs, and timeout management. Then we define service processes for modeling the external environment and managing high-level LTL specifications. Then we present the main ideas of implementing the translator poST to Promela. We also illustrate our approach using the example of a system for managing electricity consumption and production, including renewable sources.

show abstract

Section: обзор связанных работunclassified

Model checking programs in process-oriented IEC 61131-3 Structured Text

Garanina,

Staroletov,

Zyubin

et al. 2024

Model. anal. inf. sist.

View full text Add to dashboard Cite

show abstract

“…It detects channel and mutex-related bugs and data-races, but it has limited applicability. Our work builds on a prototype by Dilley and Lange [5] which uses Promela as a behaviour type language. We extend their work with an inter-procedural extraction of concurrency parameters, support for more concurrency primitives (waitgroup and mutex), support for structures and methods, an automated verification algorithm (Algorithm 1), and an evaluation of our approach on real-world Go code.…”

Section: Related Workmentioning

confidence: 99%

“…Amongst recent works on static checkers for Go, we distinguish those that aim for soundness, e.g., using a behavioural type approach [5], [6], [18], [19], [23], and those that aim for completeness, e.g., GCatch [20]. Existing checkers based on behavioural types tend to raise too many false alarms, do not scale to large codebases, and support a very limited subset of Go.…”

Section: Introductionmentioning

confidence: 99%

Automated Verification of Go Programs via Bounded Model Checking

Nicolas

Lange

2021

2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE)

Self Cite

View full text Add to dashboard Cite

The Go programming language offers a wide range of primitives to coordinate lightweight threads, e.g., channels, waitgroups, and mutexes -all of which may cause concurrency bugs. Static checkers that guarantee the absence of bugs are essential to help programmers avoid these costly errors before their code is executed. However existing tools either miss too many bugs or cannot handle large programs. To address these limitations, we propose a static checker for Go programs which relies on performing bounded model checking of their concurrent behaviours. In contrast to previous works, our approach deals with large codebases, supports programs that have statically unknown parameters, and is extensible to additional concurrency primitives. Our work includes a detailed presentation of the extraction algorithm from Go programs to models, an algorithm to automatically check programs with statically unknown parameters, and a large scale evaluation of our approach. The latter shows that our approach outperforms the state-of-the-art. 1 func preload(trees []string, n int) { 2 ch := make(chan string, n) // new chan with capacity n 3 limitCh := make(chan int, runtime.NumCPU()) 4 for i := 0; i < runtime.NumCPU(); i++ { 5 limitCh <-1 // send token on chan limitCh 6 } 7 var wg sync.WaitGroup 8 for _, t := range trees { 9 wg.Add(1) // increment wg counter 10 go func(v string) { // spawn goroutine 11 <-limitCh // receive token before starting work 12 s := DoSomeWork(v) 13 ch <-s 14 limitCh <-1 // return token 15 wg.Done() // decrement wg counter 16 }(t) 17 } 18 go func() { // spawn goroutine 19 wg.Wait() // wait for wg to reach 0 20 close(ch) // set ch to closed 21 }() 22 for s := range ch { // receive message from ch 23 if IsError(s) { 24

show abstract

“…Sulzmann and Stadtmuller attempted to solve the problem of dynamic verification of Go programs by proposing a track-based method to analyze Go programs that only use the synchronous channel in [26]; then they introduced an improved method that supports asynchronous channels and relies on vector clocks in [27]. Nicolas [28] et al used model checking to SPIN to verify the Go program, they converted the Go source code to the form of promela [29] and used SPIN [30] to check the program's properties.…”

Section: Study On Go Concurrency Bugs Nicolas Dilley Et Almentioning

confidence: 99%

“…The static approaches mentioned above provide limited support for detecting concurrency bugs in Go. For example, all of the static verification frameworks in [17], [18], [19], [20], [21], [28] can only be used to verify small Go programs or those with low usage of message passing primitives. The works in [21] and [22] take the program as a whole to find potential concurrency bugs, after which they can only get qualitative results, which is not conducive to the repair of concurrency bugs in the future, Meanwhile, existing static tools are not sensitive to dead codes, which may cause false positives or false negatives.…”

Section: Study On Go Concurrency Bugs Nicolas Dilley Et Almentioning

confidence: 99%

GoDetector: Detecting Concurrent Bug in Go

Zhang

2021

IEEE Access

View full text Add to dashboard Cite

Go provides a new concurrency mechanism based on message-passing, which brings a series of new concurrency bugs. The existing tools are highly dependent on model-checking methods in which they take the source program as the input of model-checking tools to detect the potential concurrent bugs. However, these methods can only qualitatively obtain the concurrency of the program but not obtain the exact number of concurrency bugs in the program. Meanwhile, these approaches are not sensitive to dead codes, which are prone to false negatives. Furthermore, few works have been done on detecting WaitGroup-related bugs in Go concurrent programming, which may cause deadlock. To this end, this paper proposes a novel approach GoDetector to detect concurrent bugs. GoDetector uses a detecting algorithm and a pushdown automaton to verify the channel-related concurrent bugs and WaitGroup-related concurrent bugs separately. To support the evaluation of the tool, 30 benchmarks are collected from the existing tools. GoDetector reports 2 channel safety errors, 29 deadlocks, and 11 WaitGroup-related errors. Compared with the existing tool Godel, GoDetector has the capacity to report more concurrency bugs and fewer false positives. GoDetector also offers additional support for the detection of WaitGroup variables. The experimental results indicate that GoDecetor is more efficient at detecting the concurrency in regards to accuracy and diversity.

show abstract

Bounded verification of message-passing concurrency in Go using Promela and Spin

Cited by 14 publications

References 15 publications

Model checking programs in process-oriented IEC 61131-3 Structured Text

Model checking programs in process-oriented IEC 61131-3 Structured Text

Automated Verification of Go Programs via Bounded Model Checking

GoDetector: Detecting Concurrent Bug in Go

Contact Info

Product

Resources

About