Index of /Software/Bandera

Name	Last modified	Size

Parent Directory		-
bandera/	2012-11-01 12:13	-

Bandera Readme

Bandera

A toolset for model checking Java programs

Bandera has been developed as a collection of tool components for exploring approaches to model checking correctness properties of Java programs. For the purpose of assessing the effectiveness of different approaches the components have been integrated into what we hope is a useful tool for specifying a useful class of correctness properties and verifying/validating those properties on associated implementations.

Bandera Release 0.1 has quite a few known limitations, which we outline below, and we're sure it has some unknown limitations (i.e., bugs) as well.

This file contains some notes about installing and running Bandera, as well as a description of the limitations of the toolset. The directory doc directory contains a detailed tutorial/manual; doc/examples contains examples associated with the tutorial, both can be downloaded separately.

Bandera is available for download at: http://www.cis.ksu.edu/santos/bandera

Please send email about any questions/bug fixes/contributions etc. about Bandera to bandera-support@cis.ksu.edu

1. RELEASE INFORMATION:

Release 0.1 is the first public Bandera. We plan on making periodic subsequent bug-fix releases as time permits and to make major releases when significant new functionality has been added (see the project web page for release plans).

2. INSTALLATION NOTES:

2a. Machine requirements:

Minimum Processor: Intel Pentium III 600 MHz or equivalent.
Memory: 128 MB (minimum), 256 MB or more is recommended.
Hard drive free space: 60 MB (minimum). May need some space in user's home directory for logging and custom files, typically less than 1 MB.

2b. Supported operating systems:

Windows (TM) 95/98/Me, 2000, and NT 4.0
Sun OS 5.6 or 5.7
Linux with kernel 2.2.14 or better.

2c) Other software that is needed:

We are aware that Java programs can be run on any platform with Java compiler. Although we endeavor to make Bandera run in all Java-supporting platforms, we have not yet tested it in platforms other than those mentioned above. We currently use Sun's standard JDK version 1.3 for Bandera development. We are aware that there are many Java compilers. Even if it claims compatibility with the standard JDK, we are not certain that Bandera would compile or run. Earlier versions of standard JDK are also not recommended.

Bandera supports JPF, Spin, dSpin, and NuSMV for this release. However none of these checkers are bundled with the distribution --- you need to separately install those model checkers if you intend to use Bandera with them. Spin can be obtained here. For Spin, we expect that the main model checker filename is spin. For SMV, it should be NuSMV, which is obtainable here For DSpin, it should be dspin, which is from here. Please make sure that all of these are installed in the directories mentioned in your path. To obtain JPF, visit here. To use JPF with Bandera, simply put it with all its supporting packages into the same directory with Bandera.

Make sure that you have your C compiler and C preprocessor properly installed and their directory is mentioned in the path. This is necessary because the Spin model checker produces C files that have to be preprocessed and compiled. We assume the C compiler is GNU's gcc and that the C preprocessor is GNU's cpp. The gcc and cpp versions are not specific, but our testing shows that version 2.91 or above is fine. For the Windows environment, DJGPP's gcc has worked for us without problems.

Bandera is built on top of the SOOT framework. Since we use an older version of SOOT, we include that version in our release. We will be synchronizing Bandera with the latest SOOT release later this year.

2d) Installing Bandera

Bandera is distributed in jar format. It should be installed into a directory with the command: jar xvf bandera-x.y.jar, where "x.y" is the version number. For example: jar xvf bandera-0.1.jar The following descriptions assume that you will have unpacked the distribution in a directory named BANDERA.

... on UNIX:

Assuming that you have the Java SDK installed in SDK set the CLASSPATH as follows and export it:
```
   CLASSPATH=BANDERA:SDK/jre/lib/rt.jar:SDK/lib/tools.jar:$CLASSPATH
```
You need to have the current directory in your PATH, e.g., PATH=.: ...
... on Windows 95/98/Me:

Add the following line to your AUTOEXEC.BAT file:
```
   SET CLASSPATH=C:\BANDERA;C:\JDK1.3\JRE\LIB\rt.jar;C:\JDK1.3\LIB\tools.jar;%CLASSPATH%
```
This assumes that you unjarred Bandera in C:\ drive and that the JDK is installed in C:\JDK1.3. Don't forget to reboot your machine before using Bandera. We assume your familiarity of Windows operating system when installing Bandera. If you are not sure, please consult your system administrator.
... on Windows NT 4.0 or Windows 2000:

Set the classpath as follows:
Right-click "My Computer" icon then choose "Properties". Open the "Environment" tab. In "System Variables" box, look for "ClassPath" variable. Highlight it. At the bottom of the dialog box, there is a "Value" input text box. Add the following text in front of the text box:
```
   C:\BANDERA;C:\JDK1.3\jre\lib\rt.jar;C:\JDK1.3\LIB\tools.jar;
```
If you do not have ClassPath variable in your system, you can add it by typing ClassPath in the "Variable" input text box at the bottom and type the above text in "Value" input text box. Please delete the last semicolon.
This assumes that you unjarred Bandera in C:\ and the JDK is installed in C:\JDK1.3. We also assume your familiarity of Windows operating system when installing Bandera. If you are not sure, please consult your system administrator.

2e) Package Contents:

Upon unpacking, Bandera should create the following files and directories:

`Bandera.java`	Main program file
`Bandera.class`	Main program class file
`COPYING`	Copyright notice
`README.html`	Release information
`filelist.txt`	Complete list of distribution files
`ca`	McGill University Soot Framework
`doc`	Documents, tutorials and examples (downloaded separately)
`edu`	All programs reside here
`java_cup`	Necessary files for parsing

For the complete list of files, please consult filelist.txt file.

2f) Compiling:

Bandera is distributed along with the class files. So, you don't have to recompile it. However, you could compile it by invoking Java compiler:

  javac Bandera.java

after you have set the Classpath as mentioned previously.

You should invoke the compiler in Bandera's installed directory if you want to recompile it. Please note that recompiling is absolutely not recommended for the current release.

3) RUNNING THE TOOL:

After setting up the tool and classpaths as described above. You can invoke Bandera on UNIX as:

  java Bandera

For Windows, you can open your Command Prompt or MS-DOS Prompt window, and invoke:

  java Bandera

Upon the first launch, Bandera will initialize itself. This involves in creating a .bandera directory which will reside in user's "home directory". The table below describes the location of the home directory depending on the operating system.

Operating System	Location
UNIX variant	`~/.bandera`
Windows 95/98/Me	`C:\WINDOWS\Profiles\(username)\.bandera`
Windows NT 4.0	`C:\WINNT\Profiles\(username)\.bandera`
Windows 2000	`C:\Documents and Settings\(username)\.bandera`

We assume that for Windows environment, the Windows is installed in C:. You should replace the "(username)" with the appropriate user login name. In some variants of Windows 95/98, the directory location is placed in C:\WINDOWS\ directory.

Inside the .bandera directory, we have a preferences file .banderarc, an abstraction file Abstractions, and three directories integral, real, and log.

The preferences file is meant to store user preferences, e.g. directory locations and colors. Later versions of the tool will add more functionality. We currently have no GUI to modify these values. You can hack the color values if you wish, but manually modifying the other entries of this file is highly discouraged.

The Abstractions file is used by Abstraction Manager to store user's custom abstraction library. The directories integral and real are used to categorize these files. However, this functionality is not fully supported in the current version of Bandera.

The log subdirectory is used to store all log files upon Bandera's failure. Please send all these logs along with their related files when you submit a bug report. Whenever you need a spare disk space, you can safely delete these log files.

If you experience some problems in running Bandera, you can try to delete the .bandera directory and re-run Bandera. This is usually due to the growing requirements for Bandera setup settings.

See the tutorial for a detailed walk through of some of the tools capabilities.

4) POINTERS TO ONLINE RESOURCES:

Bandera Project web-page:
http://www.cis.ksu.edu/santos/bandera/
SOOT Project web-page:
http://www.sable.mcgill.ca/soot/
SPIN model checker:
http://netlib.bell-labs.com/netlib/spin/whatispin.html
NuSMV model checker:
http://sra.itc.it/tools/nusmv/
JavaPathFinder model checker:
http://ase.arc.nasa.gov/visser/jpf/
PVS theorem prover:
http://pvs.csl.sri.com/
Specification pattern project:
http://www.cis.ksu.edu/santos/spec-patterns/

5) KNOWN LIMITATIONS:

Bandera consists of the following components:

Java to Jimple compiler (JJJC)
Bandera specification language (BSL) compiler
program slicer
abstraction library manager
abstraction type inference engine
source-level abstraction (SLABS) compiler
Jimple to Java decompiler
Bandera intermediate representation (BIR) constructor (BIRC)
BIR to Promela translator
prototype BIR to SMV translator
prototype BIR to DSpin translator

Several of these components (1-5) have GUI interfaces associated with them and the translators (8-11) also interface with a GUI that allows navigation of the source code statements that correspond to a counter-example. These GUI components are collectively refered to as the Bandera User Interface (BUI).

5a) Main Limitations:

A detailed component-by-component listing of the known limitations is given below. Here we outline the main toolset-wide limitations.

One instance per Thread/Runnable class:
The current translators to SPIN/SMV/DSPIN only support a form of static description of threads. Each class in the program that is a subtype of java.lang.Thread or implements java.lang.Runnable can have at most one allocated instance during program execution. This is a serious limitation, since it prohibits code like:
```
     p1 = new Producer();
     p2 = new Producer();
```
Instead one must replicate the definition of Producer and rename it, e.g., Producer1, then transform the code as:
```
     p1 = new Producer();
     p2 = new Producer1();
```
Fortunately, this is not a difficult problem to fix and we believe that our first minor release will lift this limitation.
JavaPathFinder (JPF) does not have this limitation, so it is possible to use JPF as the model checking engine on code that has not been transformed as described above.
Resource Bounds
The translators impose limits on the maximum sizes for: maximal and minimal integer values, number of instances allocated by any new C() expression and array size. User's are free to select whatever values they would like for these bounds.
While this may seem like a serious limitation, in fact, its more of a feature. Model checking integers that range over all integral values will be infeasible in practice. Bandera's abstractions provides one means for reducing the cost of checking systems that manipulate integral values. In addition, with Bandera one can perform "Resource Bounded" model checks. These are exhaustive depth-bounded state space searches where the bound is determined not by the number of transitions, but rather by "values" of the bounded quantities. For example, one might be interested in checking properties of a program only in states where the value of some integer field is less than 10; note that this is not safe in the sense that abstractions are, but it can be effective for quickly finding errors. It is also possible to disable "Resource Bounded" checks in which case the tool will report a "Range Limit Exception", and terminate checking, when an execution is found that exceeds one of the resource bounds.
As suggested by the discussion above, the Bandera translators do not model garbage collection. JavaPathfinder and DSPIN do, however, model garbage collection.
No recursion
Bandera's built in translators do not currently support recursion. Program's are inlined before SPIN/SMV models are constructed. Our long-term approach to treating recursion is to exploit recent work on shape analysis to transform the program's data space and to transform recursive methods to compute over this new data space (thereby eliminating recursion).
While in principle DSPIN can deal with recursion, our current translator does not take advantage of this. An update to the translators is in the works to fix this situation for DSPIN. JavaPathFinder can process models with recursion.
Exception handling code is ignored
Bandera's translators do not currently model exception handling code. The translators do model the raising of builtin exceptions, e.g., NullReference. The translator update mentioned above will provide a more complete solution for exceptions.
JavaPathfinder support exceptions.
Library code
Bandera extracts models from Java source code, not class files, therefore it must have the source and cannot handle native methods. In order for calls to library code to work one must insure that the library is pure java and the source is in the classpath provided to Bandera. We have run a variety of examples that use library code, e.g., java.util.Vector, java.util.Stack, and java.lang.Object, that has the native methods replaced by Java code.
JavaPathfinder processes class files and can therefore handle library code as is, although it has some trouble with native methods as well.
Specifications
JavaPathfinder can only analyze for deadlock and assertions. Work is underway by the JPF team to lift this limitation.

To summarize how to navigate the set of limitations to various components here are some guidelines:

If you don't have source ==> Use JPF standalone.
If you have source
- If you are interested in using SPIN/SMV ==> Use Bandera's translators.
- If minimal code modifications are a priority ==> Use Bandera & JPF.
- If you want to check temporal properties ==> Use Bandera & SPIN.

5b) Component Limitations:

Features not supported by JJJC:

Inner/anonymous classes (and any Java features related to them).
Break and continue statements with label.
Try with finally statement.
Non-constant switch's case (e.g. fields or expression).
T.class, where T is a type (e.g. int.class).
Circular symbolic links in JJJC's (sub-)classpath cause problems.
Does not do comprehensive checks on the program as in javac, it assumes the input to be a well-formed Java program (note: use javac to get better error messages).

Features not supported by BSL compiler:

Inner/anonymous classes
Predicates and assertion disregards inheritance.

Abstract Type Inference Limitations:

Array and class types.

Slicer limitations:

Slicer does not consider any dependence analysis in the presence of exception handlings. As a result of this limitation, the residual program will keep all original exceptions and their handlers
Slicer does not solve the calling context problem which exists in Weiser's algorithm, the interprocedural slicing is inaccurate. A more accurate approach is under construction.
All locks in programs are assumed to be safe. A safe lock is a lock that is guaranteed to be released at some point.
If you are running a version 1.3.0_01 or earlier of the SDK there is a swing bug in the "drag & drop" feature of the PDG browser. Upgrading the SDK fixes this.

Abstract Type Inference Limitations:

Array and class types are not currently supported.

Abstraction Library and BASL Limitations:

Only supports integral (byte, char, short, int, long) and real (float, double) type abstraction.

SLABS Limitations:

Array and class types not supported.

Decompiler Limitations:

Complex boolean expressions cannot be decompiled, especially the "? :" operator and arbitrary compositions of && and || operators. Even though the decompilation may succeed at some point, it is still very buggy.
Since much of the assertions are translated into "? :", the chance of going through the decompilation is also dim.

BIRC Limitation:

Raises exception using java 1.3 on linux (but not on other platforms) switch to 1.2.

SPIN Translator Limitations:

Return predicates for run methods not supported properly.

SMV Translator Limitations:

This translator has been less well tested (its pretty brittle).
Predicate mappings for BSL not implemented => deadlock checks only.
No depth-bounded search switch.

BUI Limitations:

Counter-example display doesn't illustrate cyclic nature of liveness property violations.

Helpful Hints for using the BUI:

When specifying a property using object universal quantification, a dot "." must be typed after each "forall[c:C]" construct.
The type inference GUI can be used properly only if the previous compilation by JJJC is successful.

Helpful Hints for using the JPF and Bandera:

The program's class files are needed when model checking using JPF if Bandera does not slice or abstract the program.

Bandera README ends