State Machines which one may view as code written in an abstract programming language, can be applied to other virtual machines and to other programming languages as well. The target readers are practitioners---programmers, implementors, standardizers, lecturers, students---who need for their work a complete, correct, and at the same time transparent definition, and an executable model of the language and of the virtual machine underlying its intended implementation. As a consequence, in our models for the language and the machine, we first of all try to directly and faithfully reflect, in a complete way, as far as possible without becoming inconsistent, and in an unambiguous yet for the human reader graspable way, the intuitions and design decisions which are expressed in the reference manuals [18, 23] and underlie the current implementations of the language and the machine. We clarify various ambiguities and inconsistencies we discovered in the manuals and in the implementations, concerning fundamental notions like legal Java program, legal bytecode, verifiable bytecode, etc. Our analysis of the JVM bytecode verifier, which we relate to the static analysis of the Java parser (rules of definite assignment and reachability analysis), goes beyond the work of Stata and Abadi [34], Qian [27, 28], Freund and Mitchell [16], and O'Callahan [26]. 1.1 The goals of the book 3 In this introduction, we give an overview of the general goals of the book, its contents, the structuring techniques we use for decomposing Java and the JVM, and the literature we used. For additional information on the book and updates made after its publication, see the Home Page of Jbook at http://www.inf.ethz.ch/~jbook. 1.1 The goals of the book Our main goal is not to write an introduction to progr...

Bytecode verification is the main mechanism to enforce type safety in the Java Virtual Machine. Since Java security is based on type safety, inadequacies and ambiguities in the official specification of bytecode verification can lead to incorrect implementations where security can be broken. This paper analyzes the specification and proposes concrete improvements. The goal of this work is to increase the understanding, assurance, and usability of the Java platform.

The contribution of the paper is twofold. First, we define a toy language, called MCL, which provides a very abstract view of the mechanism of dynamic class loading with multiple loaders as in Java. The aim is to study this feature in isolation, allowing a better understanding; moreover, this also shows a stratified approach, which, differently from the Java approach based on reflection, distinguishes between the language at the user level and the configuration language. This approach is less flexible but allows to statically check type safety, hence provides an intermediate solution between the rigid approach based only on the class path and that which allows loaders to depend on execution of user applications, which can be intricate and error-prone. The second contribution is related to a recent stream of work aiming at defining simple and powerful calculi providing a common foundation for systems supporting dynamic reconfiguration. We use MCL as an extended case-study, by defining an encoding in one of these kernel calculi, and prove the correctness of the translation. 1

In a recent paper we proposed a calculus for modeling dynamic linking independently of the details of a particular programming environment.