## Standard Fixpoint Iteration for Java Bytecode Verification (0)

Venue: | ACM Transactions on Programming Languages and Systems |

Citations: | 27 - 0 self |

### BibTeX

@ARTICLE{Qian_standardfixpoint,

author = {Zhenyu Qian},

title = {Standard Fixpoint Iteration for Java Bytecode Verification},

journal = {ACM Transactions on Programming Languages and Systems},

year = {},

volume = {22},

pages = {638--672}

}

### OpenURL

### Abstract

. Java bytecode verification forms the basis for Java-based Internet security and needs a rigorous description. One important aspect of bytecode verification is to check if a Java Virtual Machine (JVM) program is statically well-typed. So far several formal specifications have been proposed to define what the static welltypedness means. This paper takes a step further and presents a chaotic fixpoint iteration, which represents a family of fixpoint computation strategies to compute a least type for each JVM program within a finite number of iteration steps. Since a transfer function in the iteration is not monotone, we choose to follow the example of a non-standard fixpoint theorem, which requires that all transfer functions are increasing, and monotone in case the bigger element is already a fixpoint. The resulting least type is the artificial top element if and only if the JVM program is not statically well-typed. The iteration is standard and close to Sun's informal specification and...

### Citations

1880 |
Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints
- Cousot, Cousot
- 1977
(Show Context)
Citation Context ...ed many times in the literature (see [14] for a survey). There has been much work on applications of fixpoint theorems in dataflow analysis (see e.g. [13,18]) and abstraction interpretation (see e.g. =-=[5]-=-). From these perspectives, our chaotic iteration is not something that is substantially new. However, the result of the current paper is non-trivial, since it relies on the choice of a special form o... |

1075 |
The Java Virtual Machine Specification
- Lindholm
- 1996
(Show Context)
Citation Context ...is paper. Since a JVM method may be dynamically loaded from the network, there is no guarantee that it contains no bugs or has no hostile intentions to break the host system. Sun’s JVM Specification [=-=Lindholm and Yellin 1996-=-] (SJVMS) requires, that prior to execution, bytecode verification must be performed to prove, among The author was supported in part by DARPA contracts F30602-96-C-0363 and F30602-99-C-0091. Author’s... |

955 |
Advanced Compiler Design and Implementation
- Muchnick
- 1997
(Show Context)
Citation Context ...,11,20,22,21,25]). This paper takes a step further and presents a standard chaotic (fixpoint) iteration (see e.g. [6]), which represents a family of standard fixpoint computation strategies (see e.g. =-=[13,18]-=-) to compute a least type for each JVM program within a finite number of iteration steps. Since the iteration is close to SJVMS and most commercial bytecode verifiers, it might be used to derive refer... |

588 | From System F to Typed Assembly Language
- Morrisett, Walker, et al.
- 1999
(Show Context)
Citation Context ... similar to those we have proved here. O'Callahan [20] has constructed a typing system based on polymorphic recursion and continuations similar to a more general setting of typed assem36 bly language =-=[16,17]-=-, and compared it with bytecode verification. He reveals that return addresses can be directly typed using continuations so that one does not have to analyze which subroutine each instruction belongs ... |

308 | A unified approach to global program optimization
- Kildall
- 1973
(Show Context)
Citation Context ...,11,20,22,21,25]). This paper takes a step further and presents a standard chaotic (fixpoint) iteration (see e.g. [6]), which represents a family of standard fixpoint computation strategies (see e.g. =-=[13,18]-=-) to compute a least type for each JVM program within a finite number of iteration steps. Since the iteration is close to SJVMS and most commercial bytecode verifiers, it might be used to derive refer... |

176 | M.: A type system for Java bytecode subroutines
- Stata, Abadi
- 1999
(Show Context)
Citation Context ...typed. But it lacks a formal semantics. Since the static well-typedness is an important aspect of Java-based Internet security, a number of formal specifications have been proposed to define it (e.g. =-=[7,10,11,20,22,21,25]-=-). This paper takes a step further and presents a standard chaotic (fixpoint) iteration (see e.g. [6]), which represents a family of standard fixpoint computation strategies (see e.g. [13,18]) to comp... |

146 | A Linearly Typed Assembly Language
- Cheney, Morrisett
- 2003
(Show Context)
Citation Context ... similar to those we have proved here. O'Callahan [20] has constructed a typing system based on polymorphic recursion and continuations similar to a more general setting of typed assem36 bly language =-=[16,17]-=-, and compared it with bytecode verification. He reveals that return addresses can be directly typed using continuations so that one does not have to analyze which subroutine each instruction belongs ... |

104 | A type system for object initialization in the java bytecode language
- Freund, Mitchell
- 1999
(Show Context)
Citation Context ...typed. But it lacks a formal semantics. Since the static well-typedness is an important aspect of Java-based Internet security, a number of formal specifications have been proposed to define it (e.g. =-=[7,10,11,20,22,21,25]-=-). This paper takes a step further and presents a standard chaotic (fixpoint) iteration (see e.g. [6]), which represents a family of standard fixpoint computation strategies (see e.g. [13,18]) to comp... |

96 |
The JavaTM Virtual Machine Specification
- Lindholm, Yellin
- 1999
(Show Context)
Citation Context ...his paper. Since a JVM method may be dynamically loaded from the network, there is no guarantee that it contains no bugs or has no hostile intentions to break the host system. Sun's JVM Specification =-=[15]-=- (SJVMS) requires that prior to execution, bytecode verification must be performed to prove, among others, that each newly loaded JVM method is (statically) well-typed. Informally, if one can statical... |

62 | Verified bytecode verifiers - Klein, Nipkow - 2003 |

52 | A specification of Java loading and bytecode verification
- Goldberg
- 1998
(Show Context)
Citation Context ...typed. But it lacks a formal semantics. Since the static well-typedness is an important aspect of Java-based Internet security, a number of formal specifications have been proposed to define it (e.g. =-=[7,10,11,20,22,21,25]-=-). This paper takes a step further and presents a standard chaotic (fixpoint) iteration (see e.g. [6]), which represents a family of standard fixpoint computation strategies (see e.g. [13,18]) to comp... |

52 | A formal formal specification of Java Virtual Machine instructions
- Qian
- 1999
(Show Context)
Citation Context ...cial feature in Sun’s bytecode verifier. 10.2 Formal Specification of Bytecode Verification Our chaotic iteration is described using a simplified version of the typing rules in Qian [1998]. The work [=-=Qian 1998-=-] proves the soundness of the typing rules with respect to an operational semantics and thus solves a completely different problem from the current paper. It is noteworthy that we could formalize a ch... |

51 | A simple, comprehensive type system for java bytecode subroutines
- O’Callahan
- 1999
(Show Context)
Citation Context |

50 |
Order-sorted equational computation
- Smolka, Nutt, et al.
- 1989
(Show Context)
Citation Context ...lving framework based on a first-order order-sorted algebra, which consists of a collection of sets, called sorts, a subset relation among the sorts, functions and predicatesson these sorts (cf. e.g. =-=[24]-=-). A function is uniquely determined by a name. A predicate is uniquely determined by a name and argument sorts. There is a set of variables for each sort. Variables may occur in terms and logical for... |

46 | Constructive versions of Tarski’s fixed point theorems
- Cousot, Cousot
- 1979
(Show Context)
Citation Context ...ecurity, a number of formal specifications have been proposed to define it (e.g. [7,10,11,20,22,21,25]). This paper takes a step further and presents a standard chaotic (fixpoint) iteration (see e.g. =-=[6]-=-), which represents a family of standard fixpoint computation strategies (see e.g. [13,18]) to compute a least type for each JVM program within a finite number of iteration steps. Since the iteration ... |

41 |
Fixed Point. Theorems and Semantics: A Folk Tale
- Lassez, Nguyen, et al.
- 1982
(Show Context)
Citation Context ... Unfortunately, we cannot apply any of the standard fixpoint theorems, since not all transfer functions of the iteration are monotone (see Section 4.1), as required by these theorem (cf. e.g. [6] and =-=[14]-=- for a survey). The nonmonotonicity property stems from the requirements on instructions for JVM subroutines. To avoid the problem, we choose to follow the example of a non-standard fixpoint theorem, ... |

41 | A Formal Framework for the Java Bytecode Language and Verifier
- Freund, Mitchell
- 1999
(Show Context)
Citation Context ...nt. Another disadvantage would be that it would differ significantly from most commercial bytecode verifiers and thus not directly provide hints on their qualities. Freund and Mitchell’s recent work [=-=Freund and Mitchell 1999-=-b] follows this direction. See Section 10 for more discussion. This paper follows the second approach. It has the disadvantage that the proofs are nonstandard. But it does have the advantage that the ... |

37 | Proving the soundness of a java bytecode verifier specification in isabelle/hol
- Pusch
- 1999
(Show Context)
Citation Context |

36 | Z.: Toward a provably-correct implementation of the JVM bytecode verifier
- Coglio, Goldberg, et al.
- 1998
(Show Context)
Citation Context ...twork equipped with different bytecode verifiers. Currently, we are using the Specware system to formally specify bytecode verification and synthesize a verification algorithm from that specification =-=[3]-=-. The synthesized verification algorithm directly corresponds to that in the current paper except that for practical reasons we are synthesizing concrete transfer functions for individual instructions... |

22 |
The defensive Java virtual machine specification
- Cohen
- 1997
(Show Context)
Citation Context ...[19]. Bertelsen has formalized JVM instructions using state transitions [1]. Cohen has described a formal semantics of a subset of the JVM, where runtime checks are used to assure type-safe execution =-=[4]-=-. Both papers have not considered bytecode verification. Recently Borger and Schulte [2] have presented a quite comprehensive high-level definition of JVM in a similar style as [1,4] and derived a byt... |

22 | On a new method for dataflow analysis of Java Virtual Machine subroutines
- Hagiya, Tozawa
- 1998
(Show Context)
Citation Context |

20 |
A formal specification of Java[TM] virtual machine instructions for objects, methods and subroutines
- Qian
(Show Context)
Citation Context |

14 |
A compositional account of the Java virtual machine
- Yelland
- 1999
(Show Context)
Citation Context ...chanically repeated when small changes are made on some parts of the whole specification. Her work shows that formal tools can be used to model real life programming languages. Jones [12] and Yelland =-=[26]-=- have independently specified the semantics of JVM instructions using the functional language Haskell. Their specifications are executable programs. Thus part of them can be regarded as a verification... |

13 |
Specification and verification of Java bytecode subroutines and exceptions
- Freund, Mitchell
(Show Context)
Citation Context ...ent. Another disadvantage would be that it would differ significantly from most commercial bytecode verifiers and thus not directly provide hints on their qualities. Freund and Mitchell's recent work =-=[8]-=- follows this direction. See Section 10 for more discussion. 11 This paper follows the second approach. It has the disadvantage that the proofs are non-standard. But it does have the advantage that th... |

10 | The functions of Java bytecode
- Jones
- 1998
(Show Context)
Citation Context ...ble and can be mechanically repeated when small changes are made on some parts of the whole specification. Her work shows that formal tools can be used to model real life programming languages. Jones =-=[12]-=- and Yelland [26] have independently specified the semantics of JVM instructions using the functional language Haskell. Their specifications are executable programs. Thus part of them can be regarded ... |

9 | Modular design for the Java virtual machine architecture
- Börger, Schulte
- 2000
(Show Context)
Citation Context ...escribed a formal semantics of a subset of the JVM, where runtime checks are used to assure type-safe execution [4]. Both papers have not considered bytecode verification. Recently Borger and Schulte =-=[2]-=- have presented a quite comprehensive high-level definition of JVM in a similar style as [1,4] and derived a bytecode verifier from the high-level definition. But they have not considered any properti... |

4 |
Semantics of java byte code. http://www.dina.kvl.dk/~pmb
- Bertelsen
- 1997
(Show Context)
Citation Context ...d to make it decidable. One such restriction would be to disallow return address types from being nested beyond a certain depth [19]. Bertelsen has formalized JVM instructions using state transitions =-=[1]-=-. Cohen has described a formal semantics of a subset of the JVM, where runtime checks are used to assure type-safe execution [4]. Both papers have not considered bytecode verification. Recently Borger... |

3 |
Private communication
- O’Callahan
- 2010
(Show Context)
Citation Context ...he problem is in general doubtful. Thus some restrictions might be needed to make it decidable. One such restriction would be to disallow return address types from being nested beyond a certain depth =-=[19]-=-. Bertelsen has formalized JVM instructions using state transitions [1]. Cohen has described a formal semantics of a subset of the JVM, where runtime checks are used to assure type-safe execution [4].... |

1 |
Non-monotone fixtpoint iterations to resolve second order effects
- Geser, Knoop, et al.
- 1996
(Show Context)
Citation Context ...ial form of fixpoint theorem and the application of the theorem using special properties of the JVM instructions. We are not aware of any paper in the literature directly applying Theorem 2. The work =-=[9]-=- by Geser et. al. might be the closest one. It presents a fixpoint theorem that is the same as Theorem 2 except that the requirement on monotonicity-with-fixpoint is replaced by that on delay-monotoni... |

1 | Least types for memory locations in Java tm bytecode - Qian - 1999 |

1 | Semantics of Java byte code. Available under ftp://ftp.dina.kvl.dk/pub/Staff/Peter.Bertelsen/jvm-semantics.ps.gz - Bertelsen - 1997 |