Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
SpringerLink
Log in

Go2Pins: a framework for the LTL verification of Go programs (extended version)

  • General
  • Special Issue: SPIN 2021
  • Published:
International Journal on Software Tools for Technology Transfer Aims and scope Submit manuscript

Abstract

We introduce Go2Pins, a tool that takes a program written in Go and links it with two model checkers: LTSMin (Kant et al. Ltsmin: high-performance language-independent model checking. In: TACAS’15, pp. 692–707, 2015) and Spot (Duret-Lutz et al. Spot 2.0-a framework for LTL and \({\omega }\) automata manipulation. In: ATVA’16, vol. 9938 of LNCS, pp. 1294, 122–129, 2016) . Go2Pins is an effort to promote the integration of both formal verification and testing inside industrial-size projects. With this goal in mind, we introduce black-box transitions, an efficient and scalable technique for handling the Go runtime. This approach, inspired by hardware verification techniques, allows easy, automatic and efficient abstractions. Go2Pins also handles basic concurrent programs through the use of a dedicated scheduler. Moreover, in order to efficiently handle recursive programs, we introduce PSL\(_{\textsc {Rec}}\), a formalism that augments PSL without changing the complexity of the underlying verification process. In this paper we demonstrate the usage of Go2Pins over benchmarks inspired by industrial problems and a set of LTL formulae. Even if Go2Pins is still at the early stages of development, our results are promising and show the benefits of using black-box transitions. This paper also shows how Go2Pins is able to work efficiently on two bugs coming from industrial problems Kubernetes and Trillian.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7

Similar content being viewed by others

Notes

  1. Note that in the particular context of CSP, validity can also be checked using refinement.

  2. In compiler realm, a difference is made between compilers that usually produce a directly usable artifact, whereas transpilers produce another form of source code.

  3. Model checkers represent the model as a Kripke structure. These two functions are enough to provide a Kripke view of a Go program.

  4. This is achieved by building one last extra function: G2PMain (see line 42). This function takes a state vector as a parameter and returns an initialized state vector during the first call. Then, this function dispatches the processing of the computation to the function under execution.

  5. In practice, this state represents the increment of the program counter.

  6. Here we merge LabelCounter and FunctionCounter for the sake of clarity.

  7. or structural typing

  8. Note that Go2Pins handles the same way, nested structures.

  9. Virtual dispatches are calls to function Say().

  10. The runtime of programming language is traditionally provided as a dynamic library.

  11. Notice that this technique is only possible since Go2Pins is developed in Go and produces Go files.

  12. The interested reader may look the definition of:https://golang.org/src/fmt/print.gohttps://golang.org/src/math/sqrt.go

  13. Another restriction concerns the use of the LTL Next operator. Indeed, if the black-boxed function has multiple modification of one variable, only the later one will be visible.

  14. Note that only the Spot backend supports PSL.

  15. Under GPL (v3), available at https://gitlab.lre.epita.fr/spot/go2pins

  16. https://ltsmin.utwente.nl

  17. https://gitlab.lre.epita.fr/spot/spot

  18. This approach is valid at least until we reach the core translation

  19. Details of our benchmark and how to reproduce it are available at https://www.lre.epita.fr/~renault/benchs/SPIN-2021/results.html

  20. In our benchmarks multiples programs have the same number of line of code (LOC). A series is defined as all computations, i.e., one per formula, w.r.t. a specific LOC.

  21. We also plan to translate the Promela database http://www.albertolluch.com/research/promelamodels to Go in order to compare with other verification tools

  22. Although PSL\(_{\textsc {Rec}}\) itself supports PSL syntax, only pure LTL formulas were used for this evaluation since LTSMin’s default translation backend only supports LTL syntax.

  23. This transformation can be found at https://gitlab.lre.epita.fr/spot/go2pins/-/blob/master/transform/waitgroup.go

  24. An adaptation of this program w.r.t the constraints of Gomela

  25. This is handled by some omitted code line 34

References

  1. Baranova, Z., Barnat, J., Kejstova, K., Kucera, T., Lauko, H., Mrazek, J., Rockai, P., Still, V.: Model checking of C and C++ with DIVINE 4. In ATVA’17, vol. 10482 of LNCS, pp. 201–207. Springer, (2017)

  2. Berthelot, G.: Checking properties of nets using transformation. In Applications and Theory in Petri Nets, vol. 222 of LNCS, pp. 19–40. Springer, (1985)

  3. Berthomieu, B., Le Botlan, D., Dal Zilio, S.: Counting Petri net markings from reduction equations. Int. J. Softw. Tools Technol. Transf. (2019)

  4. Blahoudek, F., Duret-Lutz, A., Rujbr, V., Strejček, J.: On refinement of Büchi automata for explicit model checking. In SPIN’15, vol. 9232 of LNCS, pp. 66–83. Springer, Aug. (2015)

  5. Bloemen, V., van de Pol, J.: Multi-core scc-based ltl model checking. In HVC’16, vol. 10028 of LNCS, pp. 18–33. Springer, Nov. (2016)

  6. Dekker, J., Vaandrager, F., Smetsers, R.: Generating a google go framework from an uppaal model. Master’s thesis. Radboud University (2014)

  7. Dilley, N., Lange, J.: An empirical study of messaging passing concurrency in go projects. In 2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER’19), pp. 377–387, (2019)

  8. Dilley, N., Lange, J.: Bounded verification of message-passing concurrency in go using promela and spin. Electr. Proc. Theor. Comput. Sci. 314, 34–45 (2020). https://doi.org/10.4204/EPTCS.314.4

    Article  Google Scholar 

  9. Dilley,N., Lange, J.: Automated verification of go programs via bounded model checking. In 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 1016–1027, (2021)

  10. Duret-Lutz, A., Lewkowicz, A., Fauchille, A., Michaud, T., Renault, E., Xu, L.: Spot 2.0 — a framework for LTL and \(\omega \)-automata manipulation. In ATVA’16, vol. 9938 of LNCS, pp. 122–129. Springer, Oct. (2016)

  11. Eisner, C., Fisman, D.: A Practical Introduction to PSL. Springer, Series on Integrated Circuits and Systems (2006)

  12. Evangelista, S., Laarman, A., Petrucci, L., van de Pol, J.: Improved multi-core nested depth-first search. In ATVA’12, vol. 7561 of LNCS, pp. 269–283. Springer, (2012)

  13. GitHub repository. Go Compiler. https://github.com/golang/go/blob/04fb929a5b7991ed0945d05ab8015c1721958d82/src/go/types/stmt.go#L67-L69

  14. GitHub repository. Kubernetes generate node map bug. https://github.com/kubernetes/kubernetes/blob/d70ee902fddc682863a3cc4f0d8eac0223ebf70b/test/e2e/storage/vsphere/nodemapper.godd#L62

  15. GitHub repository. Trillian preload bug. https://github.com/kubernetes/kubernetes/blob/d70ee902fddc682863a3cc4f0d8eac0223ebf70b/test/e2e/storage/vsphere/nodemapper.go#L62

  16. GitHub repository. C2Go: Migrate from C to Go. https://godoc.org/rsc.io/c2go, (2020)

  17. GitHub repository. C4Go: Transpiling C code to Go code. https://github.com/Konstantin8105/c4go, (2020)

  18. GitHub repository. Transpiling fortran code to golang code. https://github.com/Konstantin8105/f4go, (2020)

  19. GitHub repository. Grumpy: Go running Python. https://github.com/google/grumpy, (2020)

  20. GitHub repository. Java2Go: Convert Java code to something like Go. https://github.com/dglo/java2go, (2020)

  21. Giunti, M.: Gopi: Compiling linear and static channels in go. In Coordination Models and Languages, pp. 137–152, (2020) Springer

  22. Godefroid, P.: Between testing and verification: Dynamic software model checking. In DSSE’16 45, pp. 99–116 (2016)

  23. Griesemer,R., Pike, R., Thompson, K., Taylor, I., Cox, R., Kim, J., Langley, A.: Hey! ho! let’s go! https://opensource.googleblog.com/2009/11/hey-ho-lets-go.html, (2009)

  24. Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall Inc, USA (1985)

    MATH  Google Scholar 

  25. Holzmann, G.J.: The Spin Model Checker: Primer and Reference Manual. Addison-Wesley (2003)

  26. Kant, G., Laarman, A., Meijer, J., van de Pol, J., Blom, S., van Dijk, T.: Ltsmin: high-performance language-independent model checking. In TACAS’15, pp. 692–707, April (2015)

  27. Kirszenberg,A., Martin, A., Moreau, H., Renault, E.: Go2Pins: a framework for the LTL verification of Go programs. In SPIN’21, vol. 12864 of LNCS, pp. 140–156, May (2021) Springer

  28. Laarman,A.: Stubborn transaction reduction. In NFM, vol. 10811 of LNCS, pp. 280–298. Springer, (2018)

  29. Laarman, A., Pater, E., van de Pol, J., Hansen, H.: Guard-based partial-order reduction. Int. J. Softw. Tools Technol. Transf. 1–22, (2014)

  30. Lange,J., Ng, N., Toninho, B., Yoshida, N.: Fencing off Go: Liveness and Safety for Channel-based Programming. In POPL’17, pp. 748–761. ACM, (2017)

  31. Lange,J., Ng, N., Toninho, B., Yoshida, N.: A static verification framework for message passing in Go using behavioural Types. In CSE’18, pp. 1137–1148. ACM, (2018)

  32. Lipton, R.J.: Reduction: a method of proving properties of parallel programs. Commun. ACM 18(12), 717–721 (1975)

    Article  MathSciNet  MATH  Google Scholar 

  33. Liu, Z., Zhu, S., Qin, B., Chen, H., Song, L.: Automatically detecting and fixing concurrency bugs in go software systems. In: International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) 11, pp. 2227–2240 (2016)

  34. Manna, Z., Pnueli, A.: A hierarchy of temporal properties. In PODC’90, pp. 377–410, (1990) ACM

  35. Ng, N., Yoshida, N.: Static deadlock detection for concurrent go by global session graph synthesis. In CCC’16, pp. 174–184. ACM, (2016)

  36. Peled, D.: Combining partial order reductions with on-the-fly model-checking. In CAV’94, vol. 818 of LNCS, pp. 377–390. Springer, (1994)

  37. Ray, B., Posnett, D., Filkov, V., Devanbu, P.: A large scale study of programming languages and code quality in github. In SIGSOFT’14, pp. 155–165, (2014)

  38. RERS challenge. Rigorous examination of reactive systems (RERS). http://rers-challenge.org/2019/, (2019)

  39. Tu, T., Liu, X., Song, L., Zhang, Y.: Understanding real-world concurrency bugs in go. In ASPLOS’19, pp. 865–878, (2019)

  40. Valmari, A.: Stubborn sets for reduced state space generation. In ICATPN’91, vol. 618 of LNCS, pp. 491–515, (1991) Springer

  41. Visser, W., Havelund, K., Brat, G., Park, S., Lerda, F.: Model Checking Programs. In ASE’03 10, pp. 203–232 (2018)

  42. Yuan, T., Li, G., Lu, J., Liu, C., Li, L., Xue, J.: Gobench: A benchmark suite of real-world go concurrency bugs. In 2021 IEEE/ACM International Symposium on Code Generation and Optimization (CGO), pp. 187–199, (2021)

  43. Zaks, A., Joshi, R.: Verifying Multi-threaded C Programs with SPIN. In SPIN’08, pp. 94–107, (2008)

  44. Zhong,C., Zhao, Q., Liu, X.: Bingo: Pinpointing concurrency bugs in go via binary analysis, (2022)

Download references

Author information

Authors and Affiliations

  1. EPITA Research Laboratory (LRE), Kremlin-Bicêtre, France

    Alexandre Kirszenberg, Antoine Martin, Hugo Moreau & Etienne Renault

Authors
  1. Alexandre Kirszenberg
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Antoine Martin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hugo Moreau
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Etienne Renault
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Etienne Renault.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Kirszenberg, A., Martin, A., Moreau, H. et al. Go2Pins: a framework for the LTL verification of Go programs (extended version). Int J Softw Tools Technol Transfer 25, 77–94 (2023). https://doi.org/10.1007/s10009-022-00692-w

Download citation

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10009-022-00692-w

Keywords

Search

Navigation