A Demonstration of Basic Aspects of the Bandera Tool Set

1
A Demonstration of Basic Aspects of the Bandera
Tool Set
SAnToS Laboratory, Kansas State University, USA
Faculty
Students and Post-docs

• Matthew Dwyer
• John Hatcliff

Radu Iosif Hongjun Zheng Shawn Laubach Corina
Pasareanu
Robby Roby Joehanes Venkatesh Ranganath Oksana
Tkachuk
http//www.cis.ksu.edu/santos/bandera
2
Notes

• Demo examples are chosen to be simple and to
  illustrate tool components
• For more examples with interesting
  specifications, see
• Bandera tutorial
• STTT paper
• complete presentation of BoundedBuffer example
• Doug Leas Readers/Writers
• Publish/Subscribe framework from java.util

3
Outline

• Concept of a session
• configuring Bandera for a run
• Simple deadlock example
• illustrates session, code display, counterexample
  navigation, and slicing
• Pipeline example
• illustrates creating a temporal specification,
  slicing, and abstraction

4
Configuring Bandera

• A session specifies...
• which Java files to take as input
• which property to check
• which tool components (e.g., slicer, abstraction)
  to invoke
• which backend model-checker to use
• other options
• A session file holds several related sessions
• sessions in session file can be executed in batch
  mode or individually selected in the BUI.

5
Simple Deadlock Example
Process 1
Process 2
Lock 1
Lock 2
6
Simple Deadlock Example
public class Deadlock static Lock lock1
static Lock lock2 static int state public
static void main(String args) lock1
new Lock() lock2 new Lock() Process1
p1 new Process1() Process2 p2
new Process2() p1.start()
p2.start()
class Process1 extends Thread public void
run() Deadlock.state synchronized
(Deadlock.lock1) synchronized
(Deadlock.lock2) Deadlock.state

class Process2 extends Thread public void
run() Deadlock.state synchronized
(Deadlock.lock2) synchronized
(Deadlock.lock1) Deadlock.state

class Lock
7
Deadlock Example Artifacts
Point.basl
Abstracted Java
Point.java
.trail
Sliced Java
8
Simple Deadlock Example
Bandera predicate (used as proposition in
temporal logic specification)
/ _at_observable LOCATIONp1startlab
el p1start() / public static void
main(String args) lock1 new
Lock() lock2 new Lock()
Process1 p1 new Process1() Process2 p2
new Process2() p1startlabel
p1.start() p2.start()
9
Simple Deadlock Example
Bandera predicate (used as proposition in
temporal logic specification)
/ _at_observable EXP x1isTwo(this) (x1
2) / class Process1 extends Thread int
x1, y1 public void run()
DeadlockAbs.state synchronized
(DeadlockAbs.lock1) synchronized
(DeadlockAbs.lock2) x1
DeadlockAbs.state y1
DeadlockAbs.state x1

Integer variables that interact with
Deadlock.state
10
Tool Status

• Available for download with user manual, example
  repository, BIR backend developers guide
• Major additions over next 3 months to allow
  treatment of almost all of Java
• minor releases throughout fall
• Complete rewrite of code-base is underway and new
  version will be incorporated into IBMs Eclipse
  open source IDE.
• target for release March 2003