Mobility Research Group - PowerPoint PPT Presentation


http://mrg.doc.ic.ac.uk

Mobility Research Group

Post-docs: Simon CASTELLAN, David CASTRO, Francisco FERREIRA, Raymond HU, Rumyana NEYKOVA, Nicholas NG, Alceste SCALAS. PhD Students: Assel ALTAYEVA, Juliana FRANCO, Eva GRAVERSEN.


POPL 2008 MOST INFLUENTIAL PAPER AWARD


www.scribble.org


Online tool: http://scribble.doc.ic.ac.uk/


End-to-End Switching Programme by DCC



ECOOP’16 ECOOP’17 CC’18


Selected Publications 2017/2018

[LICS’18] Romain Demangeon, NY: Causal Computational Complexity of Distributed Processes.
[CC’18] Rumyana Neykova, Raymond Hu, NY, Fahd Abdeljallal: Session Type Providers: Compile-time API Generation for Distributed Protocols with Interaction Refinements in F#.
[FoSSaCS’18] Bernardo Toninho, NY: Depending on Session-Typed Processes.
[ESOP’18] Bernardo Toninho, NY: On Polymorphic Sessions and Functions: A Tale of Two (Fully Abstract) Encodings.
[ESOP’18] Malte Viering, Tzu-Chun Chen, Patrick Eugster, Raymond Hu, Lukasz Ziarek: A Typing Discipline for Statically Verified Crash Failure Handling in Distributed Systems.
[ICSE’18] Julien Lange, Nicholas Ng, Bernardo Toninho, NY: A Static Verification Framework for Message Passing in Go using Behavioural Types.
[ECOOP’17] Alceste Scalas, Raymond Hu, Ornela Dardha, NY: A Linear Decomposition of Multiparty Sessions for Safe Distributed Programming.
[COORDINATION’17] Keigo Imai, NY, Shoji Yuen: Session-ocaml: a session-based library with polarities and lenses.
[FoSSaCS’17] Julien Lange, NY: On the Undecidability of Asynchronous Session Subtyping.
[FASE’17] Raymond Hu, NY: Explicit Connection Actions in Multiparty Session Types.
[CC’17] Rumyana Neykova, NY: Let It Recover: Multiparty Protocol-Induced Recovery.
[POPL’17] Julien Lange, Nicholas Ng, Bernardo Toninho, NY: Fencing off Go: Liveness and Safety for Channel-based Programming.



POPL’17


ICSE’18


Overview: Concurrency in Go; Behavioural type inference; Model checking behavioural types; Termination checking; Summary

Static verification framework for Go

Framework overview (figure): Go source code → SSA IR → behavioural types (1: type inference); behavioural types → mCRL2 model checker (2: model checking, check safety and liveness); behavioural types → KITTeL termination prover (3: termination checking). Steps 2 and 3 address the type/process gap: transform and verify.

Julien Lange, Nicholas Ng, Bernardo Toninho, Nobuko Yoshida: Behavioural Type-Based Static Verification Framework for Go (mrg.doc.ic.ac.uk)


Concurrency in Go

Concurrency primitives

    func main() {
        ch := make(chan int) // Create channel.
        go send(ch)          // Spawn as goroutine.
        print(<-ch)          // Recv from channel.
    }

    func send(ch chan int) { // Channel as parameter.
        ch <- 1 // Send to channel.
    }

  • Send/receive blocks goroutines if the channel is full/empty respectively
  • Channel buffer size specified at creation: make(chan int, 1)
  • Other primitives:
      close a channel: close(ch)
      guarded choice: select { case <-ch:; case <-ch2: }


Deadlock detection

    func main() {
        ch := make(chan int) // Create channel.
        send(ch)             // Spawn as goroutine.
        print(<-ch)          // Recv from channel.
    }

    func send(ch chan int) { ch <- 1 }

Missing ’go’ keyword

Run program:

    $ go run main.go
    fatal error: all goroutines are asleep - deadlock!


Deadlock detection
  • Go has a runtime deadlock detector: the program crashes if it deadlocks
  • Deadlock if all goroutines are blocked
  • Some packages (e.g. net for networking) disable it

    import _ "net" // Load unused "net" package
    func main() {
        ch := make(chan int)
        send(ch)
        print(<-ch)
    }
    func send(ch chan int) { ch <- 1 }

Add benign import: deadlock NOT detected
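The runtime detector also has a second blind spot that the slides' "deadlock if all goroutines are blocked" rule implies: a goroutine stuck forever while main keeps running is a partial deadlock it never reports. The added Go example below (written for this page, not from the talk) shows it with a constructed helper, BlockedGoroutinesAfter, that counts the goroutines a function left blocked behind, the kind of cheap check a test suite can run while static verification covers the general case.

```go
package main

import (
	"fmt"
	"runtime"
	"time"
)

// LeakedSender spawns a goroutine that sends on an unbuffered channel nobody ever
// receives from, then returns without it (constructed partial deadlock).
func LeakedSender() {
	ch := make(chan int)
	go func() { ch <- 1 }() // blocks forever: no receiver will ever appear
}

// PairedSender is the same spawn, with the receive the sender needs.
func PairedSender() {
	ch := make(chan int)
	go func() { ch <- 1 }()
	<-ch
}

// BlockedGoroutinesAfter runs f and reports how many goroutines f left behind once
// it returned and the scheduler had time to run them. A positive count is a
// goroutine stuck forever that the runtime's "all goroutines are asleep" check
// cannot report, because the rest of the program is still making progress.
func BlockedGoroutinesAfter(f func()) int {
	before := runtime.NumGoroutine()
	f()
	time.Sleep(50 * time.Millisecond) // let the spawned goroutine reach its send
	return runtime.NumGoroutine() - before
}

func main() {
	fmt.Println("paired:", BlockedGoroutinesAfter(PairedSender)) // 0
	fmt.Println("leaked:", BlockedGoroutinesAfter(LeakedSender)) // 1
}
```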


Abstracting Go with Behavioural Types

Type syntax

$\alpha ::= \bar{u} \mid u \mid \tau$

$T, S ::= \alpha; T \mid T \oplus S \mid \&\{\alpha_i; T_i\}_{i \in I} \mid (T \mid S) \mid 0 \mid (\mathit{new}\ a)\,T \mid \mathit{close}\ u; T \mid t\langle\tilde{u}\rangle \mid [u]^n_k \mid u?$

$T ::= \{t(\tilde{y}_i) = T_i\}_{i \in I}\ \mathit{in}\ S$

  • Types of a CCS-like process calculus
  • Abstracts Go concurrency primitives: send/recv, new (channel), parallel composition (spawn)
  • Go-specific: close channel, select (guarded choice)


Infer Behavioural Types from Go program

Input Go source code

    func main() {
        ch := make(chan int) // Create channel
        go sendFn(ch)        // Run as goroutine
        x := recvVal(ch)     // Function call
        for i := 0; i < x; i++ {
            print(i)
        }
        close(ch) // Close channel
    }
    func sendFn(c chan int) { c <- 3 }          // Send to c
    func recvVal(c chan int) int { return <-c } // Recv from c


Program in Static Single Assignment (SSA) form

Figure: the program in SSA form, one graph of basic blocks per function (legend: block of instructions, function boundary, package boundary).

    package main
    func main.main()
      entry:        t0 = make chan int 0:int; go sendFn(t0); t1 = recvVal(t0); jump 3
      3 (for.loop): t5 = phi [0: 0:int, 1: t3] #i; t6 = t5 < t1; if t6 goto 1 else 2
      1:            t2 = print(t5); t3 = t5 + 1:int; jump 3
      2 (for.done): t4 = close(t0); return
    func main.sendFn(c)
      entry:        send c <- 42:int; return
    func main.recvVal(c)
      entry:        t0 = <-c; return t0

  • Context-sensitive analysis to distinguish channel variables
  • Skip over non-communication code


Types inferred from program


$\mathit{main}() = (\mathit{new}\ t_0)(\mathit{sendFn}\langle t_0\rangle \mid \mathit{recvVal}\langle t_0\rangle; \mathit{main}_3\langle t_0\rangle)$
$\mathit{main}_1(t_0) = \mathit{main}_3\langle t_0\rangle$
$\mathit{main}_2(t_0) = \mathit{close}\ t_0; 0$
$\mathit{main}_3(t_0) = \mathit{main}_1\langle t_0\rangle \oplus \mathit{main}_2\langle t_0\rangle$
$\mathit{sendFn}(c) = \bar{c}; 0$
$\mathit{recvVal}(c) = c; 0$


Model checking behavioural types


Behavioural types as LTS model

  1. Generate LTS model from type semantics
  2. Generate µ-calculus formulae for LTS describing properties
  3. Check LTS ⊨ formulae with model checker (e.g. mCRL2)

Properties of interest:
  • Global deadlock freedom
  • Channel safety (no send/close on closed channel)
  • Liveness (partial deadlock freedom)
  • Eventual reception

Constraints (on mCRL2 model checker): finite control (no parallel composition in recursion)
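To make steps 1 and 3 concrete, here is a small added example written for this page (it is not the Godel checker or the mCRL2 encoding from the talk): it builds the LTS of a synchronous fragment of the types (send, receive, parallel composition, 0), explores every reachable state, and checks the global deadlock freedom property ψg from the appendix at each one, i.e. whenever some thread still has a barb, a τa transition must be enabled. Spawned and Sequential are constructed states modelling the two versions of the send/receive program from the Concurrency in Go slides.

```go
package main

import "fmt"

// A State is a parallel composition of threads, each listing the actions it still
// has to do: "!a" sends on channel a (a-bar in the types), "?a" receives on a.
type State [][]string

// hasBarb reports whether some thread still wants to communicate.
func (s State) hasBarb() bool {
	for _, t := range s {
		if len(t) > 0 {
			return true
		}
	}
	return false
}

// successors lists every tau_a step: thread i at "!a" meets a different thread j at "?a" (unbuffered).
func (s State) successors() []State {
	var out []State
	for i, t := range s {
		for j, u := range s {
			if i != j && len(t) > 0 && len(u) > 0 && t[0][0] == '!' && u[0][0] == '?' && t[0][1:] == u[0][1:] {
				next := append(State(nil), s...) // copy the outer slice before editing it
				next[i], next[j] = t[1:], u[1:]
				out = append(out, next)
			}
		}
	}
	return out
}

// GlobalDeadlockFree checks psi_g in every reachable state: a barb implies an enabled step.
func GlobalDeadlockFree(init State) bool {
	seen := map[string]bool{}
	for work := []State{init}; len(work) > 0; work = work[1:] {
		s := work[0]
		if seen[fmt.Sprint(s)] {
			continue
		}
		seen[fmt.Sprint(s)] = true
		next := s.successors()
		if s.hasBarb() && len(next) == 0 {
			return false // a barb but no transition: global deadlock
		}
		work = append(work, next...)
	}
	return true
}

// Spawned models "go send(ch); print(<-ch)": sendFn<t0> | recvVal<t0>.
func Spawned() State { return State{{"!t0"}, {"?t0"}} }

// Sequential models the missing-'go' program: one thread sends, then receives.
func Sequential() State { return State{{"!t0", "?t0"}} }

func main() {
	fmt.Println("spawned:", GlobalDeadlockFree(Spawned()), "sequential:", GlobalDeadlockFree(Sequential()))
}
```

The explorer only covers unbuffered channels and straight-line threads; select, close and buffers from the full type syntax are deliberately left out.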


Generating µ-calculus formulae (channel safety)
Given an LTS model, generate formulae for safety properties. Note: formulae are model-specific.

Property: Channel safety

$\psi_s \stackrel{\mathrm{def}}{=} \bigwedge_{a \in A} \big(\#a? \Rightarrow \neg(\#\bar{a} \vee \#\mathit{clo}\ a)\big)$

$\langle\alpha\rangle\varphi$ is a modal operator, satisfied if there is a $T'$ with $T \xrightarrow{\alpha} T'$ such that formula $\varphi$ holds.

    func main() {
        ch := make(chan int)
        go func(ch chan int) {
            ch <- 1
        }(ch)
        close(ch)
        <-ch // Receive from closed channel is OK
    }
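The program above is a channel safety violation in the making: with an unbuffered channel the goroutine's send is still pending when main calls close(ch), so the sender panics. The added Go example below (written for this page, not the talk's code) pins down which operations on a closed channel are safe and which are not, converting each panic into an error value so the outcomes can be compared; SlideProgram reproduces the slide's program with the sender reporting its own fate through a constructed channel instead of crashing the process.

```go
package main

import "fmt"

// Outcome records a receive's value and ok flag, plus the panic (as an error) if any.
type Outcome struct {
	Value int
	Ok    bool
	Err   error
}

// recoverPanic must be deferred directly; it stores a channel-misuse panic in o.
func recoverPanic(o *Outcome) {
	if r := recover(); r != nil {
		o.Err = fmt.Errorf("%v", r)
	}
}

// SendAfterClose closes a channel and then sends on it (unsafe).
func SendAfterClose() (o Outcome) {
	defer recoverPanic(&o)
	ch := make(chan int, 1)
	close(ch)
	ch <- 1 // panics: send on closed channel
	return o
}

// CloseTwice closes the same channel twice (unsafe).
func CloseTwice() (o Outcome) {
	defer recoverPanic(&o)
	ch := make(chan int)
	close(ch)
	close(ch) // panics: close of closed channel
	return o
}

// RecvAfterClose is the safe case: a receive on a closed channel returns the zero value, ok == false.
func RecvAfterClose() (o Outcome) {
	defer recoverPanic(&o)
	ch := make(chan int)
	close(ch)
	o.Value, o.Ok = <-ch
	return o
}

// SlideProgram runs the slide's program; whether the goroutine reaches its send
// before or after close(ch), the send on the unbuffered channel ends in a panic.
func SlideProgram() Outcome {
	ch := make(chan int)
	fate := make(chan Outcome, 1)
	go func(ch chan int) {
		var o Outcome
		defer func() { fate <- o }() // runs last (defers are LIFO)
		defer recoverPanic(&o)       // runs first, right after the panic
		ch <- 1
	}(ch)
	close(ch)
	<-ch // receive from closed channel is OK
	return <-fate
}
```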


Generating µ-calculus formulae (liveness)

Property: Liveness

$\psi_{la} \stackrel{\mathrm{def}}{=} \bigwedge_{a \in A} \big((\#\bar{a} \vee \#a) \Rightarrow \mathit{eventually}(\langle \tau_a \rangle \mathit{true})\big)$

Property: Liveness (select)

$\psi_{lb} \stackrel{\mathrm{def}}{=} \bigwedge_{\tilde{a} \in \mathcal{P}(A)} \big(\#\tilde{a} \Rightarrow \mathit{eventually}(\langle \{\tau_a \mid a \in \tilde{a}\} \rangle \mathit{true})\big)$

Liveness: sometimes known as partial deadlock freedom. A program is live if $(\psi_{la} \wedge \psi_{lb})$ holds.


Summary

  1. Generate LTS model from type semantics
  2. Generate µ-calculus formulae for LTS describing properties
  3. Check LTS ⊨ formulae with model checker (e.g. mCRL2)

Properties:
  ✓ Global deadlock freedom
  ✓ Channel safety (no send/close on closed channel)
  ✓ Liveness (partial deadlock freedom), requires additional guarantees
  ✓ Eventual reception, requires additional guarantees


Termination checking with KITTeL
  • Extracted types do not consider data in the process
  • Type liveness ≠ program liveness, especially when involving iteration
  • Check for loop termination

Properties:
  ✓ Global deadlock freedom
  ✓ Channel safety (no send/close on closed channel)
  ✓ Liveness (partial deadlock freedom)
  ✓ Eventual reception

    func main() {
        ch := make(chan int)
        go func() {
            for i := 0; i < 10; i-- {
                // Does not terminate
            }
            ch <- 1
        }()
        <-ch
    }

Type: live. Program: NOT live.


Tool demo


Conclusion

  • Verification framework based on Behavioural Types
  • Behavioural types for Go concurrency
  • Infer types from Go source code
  • Model check types for safety/liveness, plus termination checking for iterative Go code

Framework figure: Go source code → SSA IR → behavioural types (type inference); behavioural types → model checking and termination checking (transform and verify).


Future work

  • Extend framework to support more properties: unlimited possibilities!
  • Different verification techniques: Godel-Checker model checking [ICSE’18] (this talk); Gong type verifier [POPL’17]; choreography synthesis [CC’15]
  • Different concurrency issues: other synchronisation mechanisms; race conditions


Semantics of MiGo types

[snd] $\bar{a}; T \xrightarrow{\bar{a}} T$

[rcv] $a; T \xrightarrow{a} T$

[tau] $\tau; T \xrightarrow{\tau} T$

[end] $\mathit{close}\ a; T \xrightarrow{\mathit{clo}\ a} T$

[buf] $[a]^n_k \xrightarrow{\mathit{clo}\ a} a?$

[cld] $a? \xrightarrow{a?} a?$

[sel] $T_1 \oplus T_2 \xrightarrow{\tau} T_i \quad (i \in \{1, 2\})$

[bra] $\dfrac{\alpha_j; T_j \xrightarrow{\alpha_j} T_j \qquad j \in I}{\&\{\alpha_i; T_i\}_{i \in I} \xrightarrow{\alpha_j} T_j}$

[par] $\dfrac{T \xrightarrow{\alpha} T'}{T \mid S \xrightarrow{\alpha} T' \mid S}$

[seq] $\dfrac{T \xrightarrow{\alpha} T'}{T; S \xrightarrow{\alpha} T'; S}$

[term] $0; S \xrightarrow{\tau} S$

[com] $\dfrac{T \xrightarrow{\alpha} T' \qquad S \xrightarrow{\beta} S' \qquad \alpha \in \{\bar{a}, a?, a\bullet\} \qquad \beta \in \{\bullet a, a\}}{T \mid S \xrightarrow{\tau_a} T' \mid S'}$

[eq] $\dfrac{T \equiv T' \qquad T' \xrightarrow{\alpha} T''}{T \xrightarrow{\alpha} T''}$

[def] $\dfrac{T\{\tilde{a}/\tilde{x}\} \xrightarrow{\alpha} T' \qquad t(\tilde{x}) = T}{t\langle\tilde{a}\rangle \xrightarrow{\alpha} T'}$

[close] $\dfrac{T \xrightarrow{\mathit{clo}\ a} T' \qquad S \xrightarrow{\mathit{clo}\ a} S'}{T \mid S \xrightarrow{\mathit{clo}\ a} T' \mid S'}$

[in] $[a]^n_k \xrightarrow{\bullet a} [a]^n_{k+1} \quad (k < n)$

[out] $[a]^n_k \xrightarrow{a\bullet} [a]^n_{k-1} \quad (k \geq 1)$

Figure: Semantics of types.


Barb predicates for MiGo types

$\bar{a}; T \downarrow_{\bar{a}}$ \qquad $\mathit{close}\ a; T \downarrow_{\mathit{clo}\ a}$ \qquad $a; T \downarrow_{a}$ \qquad $a? \downarrow_{a?}$

$\dfrac{\forall i \in \{1, \dots, n\}: \alpha_i \downarrow_{o_i}}{\&\{\alpha_i; T_i\}_{i \in \{1, \dots, n\}} \downarrow_{\{o_1 \dots o_n\}}}$

$\dfrac{T \downarrow_o}{T; T' \downarrow_o}$

$\dfrac{T \downarrow_{a} \qquad T' \downarrow_{\bar{a}} \text{ or } T' \downarrow_{a?}}{T \mid T' \downarrow_{\tau_a}}$

$\dfrac{T\{\tilde{a}/\tilde{x}\} \downarrow_o \qquad t(\tilde{x}) = T}{t\langle\tilde{a}\rangle \downarrow_o}$

$\dfrac{T \downarrow_{a} \qquad \alpha_i \downarrow_{\bar{a}}}{T \mid \&\{\alpha_i; S_i\}_{i \in I} \downarrow_{\tau_a}}$

$\dfrac{T \downarrow_{\bar{a}} \text{ or } T \downarrow_{a?} \qquad \alpha_i \downarrow_{a}}{T \mid \&\{\alpha_i; S_i\}_{i \in I} \downarrow_{\tau_a}}$

$\dfrac{k < n}{[a]^n_k \downarrow_{\bullet a}}$ \qquad $\dfrac{k \geq 1}{[a]^n_k \downarrow_{a\bullet}}$

$\dfrac{T \downarrow_{\bar{a}} \qquad T' \downarrow_{\bullet a}}{T \mid T' \downarrow_{\tau_a}}$

$\dfrac{T \downarrow_{a\bullet} \qquad \alpha_i \downarrow_{a}}{T \mid \&\{\alpha_i; S_i\}_{i \in I} \downarrow_{\tau_a}}$

$\dfrac{T \downarrow_o}{T \mid T' \downarrow_o}$

$\dfrac{T \downarrow_o \qquad a \notin \mathit{fn}(o)}{(\mathit{new}^n\ a); T \downarrow_o}$

$\dfrac{T \downarrow_o \qquad T \equiv T'}{T' \downarrow_o}$

Figure: Barb predicates for types.


Generating µ-calculus formulae (global deadlock freedom)
Given an LTS model, generate formulae for safety properties. Note: formulae are model-specific.

Property: Global deadlock freedom

$\psi_g \stackrel{\mathrm{def}}{=} \bigwedge_{a \in A} \big((\#\bar{a} \vee \#a) \Rightarrow \langle A \rangle \mathit{true}\big)$

$\langle\alpha\rangle\varphi$ is a modal operator, satisfied if there is a $T'$ with $T \xrightarrow{\alpha} T'$ such that formula $\varphi$ holds.


Generating µ-calculus formulae (eventual reception)

Property: Eventual reception

$\psi_e \stackrel{\mathrm{def}}{=} \bigwedge_{a \in A} \big(\#a\bullet \Rightarrow \mathit{eventually}(\langle \tau_a \rangle \mathit{true})\big)$

Applies only to buffered channels.

Eventually

$\mathit{eventually}(\varphi) \stackrel{\mathrm{def}}{=} \mu y.\,(\varphi \vee \langle A \rangle y)$, i.e. $\varphi$ holds in some reachable state.
