Results 1 - 10 of 14
A type system for Java bytecode subroutines
- In Proceedings of the 25th ACM POPL, 1998
Cited by 170 (0 self)
Java is typically compiled into an intermediate language, JVML, that is interpreted by the Java Virtual Machine. Because mobile JVML code is not always trusted, a bytecode verifier enforces static constraints that prevent various dynamic errors. Given the importance of the bytecode verifier for security, its current descriptions are inadequate. This paper proposes using typing rules to describe the bytecode verifier because they are more precise than prose, clearer than code, and easier to reason about than either. JVML has a subroutine construct used for the compilation of Java’s try-finally statement. Subroutines are a major source of complexity for the bytecode verifier because they are not obviously last-in/first-out and because they require a kind of polymorphism. Focusing on subroutines, we isolate an interesting, small subset of JVML. We give typing rules for this subset and prove their correctness. Our type system constitutes a sound basis for bytecode verification and a rational reconstruction of a delicate part of Sun’s bytecode verifier.

1 Bytecode verification and typing rules

The Java language is typically compiled into an intermediate language that is interpreted by the Java Virtual Machine (VM) [LY96]. This intermediate language, which we call JVML, is an object-oriented language similar to Java. Its features include packages, classes with single inheritance, and interfaces with multiple inheritance. However, unlike method bodies in Java, method bodies in JVML are sequences of bytecode instructions. These instructions are fairly high-level but, compared to the structured statements used in Java, they are more compact and easier to interpret. JVML code is often shipped across networks to Java VMs embedded in web browsers and other applications. Mobile JVML code is not always trusted by the VM that receives it. Therefore, a bytecode verifier enforces static constraints on mobile JVML code. These constraints rule out type errors (such as dereferencing an integer), access control violations (such as accessing a private method from outside its class),
Typing a Multi-Language Intermediate Code
- ACM SIGPLAN Notices, 2000
Cited by 62 (8 self)
The Microsoft .NET Framework is a new computing architecture designed to support a variety of distributed applications and web-based services. .NET software components are typically distributed in an object-oriented intermediate language, Microsoft IL, executed by the Microsoft Common Language Runtime. To allow convenient multilanguage working, IL supports a wide variety of high-level language constructs, including class-based objects, inheritance, garbage collection, and a security mechanism based on type safe execution.
Types for safe locking: Static race detection for Java
- ACM Transactions on Programming Languages and Systems, 2006
Cited by 51 (7 self)
This article presents a static race-detection analysis for multithreaded shared-memory programs, focusing on the Java programming language. The analysis is based on a type system that captures many common synchronization patterns. It supports classes with internal synchronization, classes that require client-side synchronization, and thread-local classes. In order to demonstrate the effectiveness of the type system, we have implemented it in a checker and applied it to over 40,000 lines of hand-annotated Java code. We found a number of race conditions in the standard Java libraries and other test programs. The checker required fewer than 20 additional type annotations per 1,000 lines of code. This article also describes two improvements that facilitate checking much larger programs: an algorithm for annotation inference and a user interface that clarifies warnings generated by the checker. These extensions have enabled us to use the checker for identifying race conditions in large-scale software systems with up to 500,000 lines of code.
Representing Java Classes in a Typed Intermediate Language
- 1999
Cited by 31 (8 self)
We propose a conservative extension of the polymorphic lambda calculus (Fω) as an intermediate language for compiling languages with name-based class and interface hierarchies. Our extension enriches standard Fω with recursive types, existential types, and row polymorphism, but only ordered records with no subtyping. Basing our language on Fω makes it also a suitable target for translation from other higher-order languages; this enables the safe interoperation between class-based and higher-order languages and the reuse of common type-directed optimization techniques, compiler back ends, and runtime support. We present the formal semantics of our intermediate language and illustrate its features by providing a formal translation from a subset of Java, including classes, interfaces, and private instance variables. The translation preserves the name-based hierarchical relation between Java classes and interfaces, and allows access to private instance variables of parameters of ...
Interprocedural Exception Analysis for Java
- 2001
Cited by 30 (10 self)
Current JDK Java compiler relies too much on programmer's specification for checking against uncaught exceptions of the input program. It is not elaborate enough to remove programmer's unnecessary handlers (when programmer's specifications are too many) nor suggest to programmers for specialized handlings (when programmer's specifications are too general). We propose a static analysis of Java programs that estimates their exception flows independently of the programmer's specifications. This analysis is designed and implemented based on set-constraint framework. Its cost-effectiveness is suggested by sparsely analyzing the program at method-level (hence reducing the number of unknowns in the flow equations). We have shown that our exception analysis can effectively detect uncaught exceptions for realistic Java programs.

1. INTRODUCTION

Exception facilities in Java allow the programmer to define, throw and catch exceptional conditions. Exceptional conditions are brought (by a throw ...
The Functions of Java Bytecode
- In Workshop on the Formal Underpinnings of the Java Paradigm, 1998
Cited by 10 (0 self)
Java bytecode provides a portable representation for programs that allows executable content to be embedded in web pages, transferred across a network, and executed on a remote user's machine. Features like these provide many new opportunities for developers, but special precautions must be taken to protect users from badly-behaved programs, which might otherwise destroy valuable data or compromise their privacy. To avoid such problems, bytecode programs from untrusted sources must be verified before they are used. If a program passes, then it should be well-behaved, and should not be able to subvert the other security mechanisms of the Java platform. However, if a program fails, then it will be rejected. Clearly, to be sure that it is effective, we need a precise way to understand bytecode verification. This paper describes the main features of a formal specification for Java bytecode that allows us to reason about the correctness of Java implementations, and to guarantee safety prope...
Type System of an Object-Oriented Database Programming Language (Extended Abstract)
- ACM Computing Surveys (CSUR), 1999
Cited by 7 (0 self)
In this paper we present the type system of the TIGUKAT database programming language. It is a highly parametric object-oriented type system that combines multiple dispatch with reflexivity, separation of interface and implementation, precise behavior typing, and union and intersection types. We demonstrate the inner workings of the type system by considering a concrete example of type specification in TIGUKAT. We also review type systems of several existing programming languages and conclude that the proposed type system has a unique combination of features particularly suited for object-oriented database programming. This is an expanded version of the extended abstract submitted to DBPL 97.

1 Introduction

In the past two decades, several new database application areas have emerged. These new areas include office automation systems, geographical information systems, CASE tools, medical systems, and CAD/CAM systems. These complicated applications demand new, more ...
Granularity of Constraint-based Analysis for Java
- SSGRR 2000 Computer and e-Business Conference, 2001
Cited by 6 (4 self)
This paper proposes a transformation-based approach to design constraint-based analyses for Java at a coarser granularity. In this approach, we design a less or equally precise but more efficient version of an original analysis by transforming the original construction rules into new ones. As applications of this rule transformation, we provide two instances of analysis design by rule-transformation. The first one designs a sparse version of class analysis for Java and the second one deals with a sparse exception analysis for Java. Both are designed based on method-level, and the sparse exception analysis is shown to give the same information for every method as the original analysis. Keywords: constraint-based analysis, set constraints, construction rules, partition function 1.
Verification of Java's AbstractCollection class: a case study
Cited by 6 (0 self)
This paper presents a case study that is done in the context of the loop project in Nijmegen. A functional behaviour specification of the class AbstractCollection from java's standard library is verified. This verification is a typical example of a modular verification, where small parts of the program are verified in isolation, assuming the correctness of the other parts. Typical problems that occur in such verifications are discussed. Specifications of the classes involved in the verification are presented (using the java Modeling Language (jml) as a specification language), and some problems related to writing these specifications are discussed. Finally it is shown that the implementation satisfies this specification.
Visualization of Exception Propagation for Java using Static Analysis
- In Proceedings of the Second IEEE International Workshop on Source Code Analysis and Manipulation (SCAM’02), 2002
Cited by 4 (1 self)
In this paper, we first present a static analysis based on set-based framework, which estimates exception propagation paths of Java programs. We construct an exception propagation graph from the static analysis information, which includes the origin of exceptions, handler of exceptions, and propagation paths of exceptions. We have implemented the exception propagation analysis and a visualization tool which visualizes propagation paths of exceptions using the exception propagation graph. This propagation information can guide programmers to detect uncaught exceptions, handle exceptions more specifically, and put exception handlers at appropriate places by tracing exception propagation.

