## Verified Bytecode Verification and Type-Certifying Compilation (2003)

### Cached

### Download Links

- [www4.in.tum.de]
- [www.cse.unsw.edu.au]
- [wwwbroy.informatik.tu-muenchen.de]
- [www4.informatik.tu-muenchen.de]
- DBLP

### Other Repositories/Bibliography

Venue: | JOURNAL OF LOGIC AND ALGEBRAIC PROGRAMMING |

Citations: | 6 - 1 self |

### BibTeX

@ARTICLE{Klein03verifiedbytecode,

author = {Gerwin Klein and Martin Strecker},

title = {Verified Bytecode Verification and Type-Certifying Compilation},

journal = {JOURNAL OF LOGIC AND ALGEBRAIC PROGRAMMING},

year = {2003},

volume = {58},

pages = {27--60}

}

### OpenURL

### Abstract

This article presents a type certifying compiler for a subset of Java and proves the type correctness of the bytecode it generates in the proof assistant Isabelle. The proof is performed by defining a type compiler that emits a type certificate and by showing a correspondence between bytecode and the certificate which entails welltyping. The basis for this work is an extensive formalization of the Java bytecode type system, which is first presented in an abstract, lattice-theoretic setting and then instantiated to Java types.

### Citations

1617 |
The Java language specification
- Gosling
- 2000
(Show Context)
Citation Context ...-incorrect bytecode rejected by the bytecode verifier. The deeper reason is that source code typechecker and bytecode verifier have different notions of when variables have been “definitely assigned=-=” [BGJS00]-=-. Since our restricted language fragment does not contain the above-mentioned construct, we cannot reproduce this problem. Still, there are sufficient sources of potential bytecode type errors. For ex... |

1076 |
The Java Virtual Machine Specification
- Lindholm, Yellin
- 1996
(Show Context)
Citation Context ...have specified and analyzed large portions of the bytecode verifier [CGQ98,CGQ00]. Goldberg [Gol98] rephrases and generalizes the overly concrete description of the BCV given in the JVM specification =-=[LY99]-=- as an instance of a generic data flow framework. Qian [Qia99] specifies the BCV as a set of typing rules, a subset of which was proved correct formally by Pusch [Pus99]. Qian [Qia00] also proves the ... |

588 | From System F to Typed Assembly Language
- Morrisett, Walker, et al.
- 1999
(Show Context)
Citation Context ...tness and instead focused on the preservation of certain safety properties. The source languages are mostly functional, having ML-like [Mor95,SA95] type systems or even stronger ones such as System F =-=[MWCG99]-=-. The purpose is to exploit types for a program analysis that allows for more efficient closure conversion [WDMT97] or that avoids boxing polymorphic variables. In [LST02], Java is compiled not to byt... |

104 | A type system for object initialization in the java bytecode language - Freund, Mitchell - 1999 |

102 | Compiling With Types - Morrisett - 1995 |

84 | Correctness of a compiler for arithmetic expressions
- McCarthy, Painter
- 1967
(Show Context)
Citation Context ...is for the formalization of subroutines in µJava. Compiler correctness proofs have for a long time been an active research area, starting with pencil-and-paper proofs for a simple expression language=-= [MP67]-=-, and more recently using diverse specification formalisms such as Z [Ste98] and verification systems such as ACL2 [You89,Goe00], HOL [Cur93] and PVS [DV01]. Little attention is given to preservation ... |

83 | Java bytecode verification: algorithms and formalizations
- Leroy
- 2003
(Show Context)
Citation Context ...Mitchell [FM98,FM99,Fre00] develop typing rules for increasingly large subsets of the JVM, including exception handling, object initialization, and subroutines. They do not look at compilation. Leroy =-=[Ler01,Ler03]-=- gives a very good overview on bytecode verification, and proposes a polyvariant data flow analysis in the BCV to solve the notorious subroutine problem. Coglio [Cog01,Cog02] provides an even simpler ... |

62 |
Verified bytecode verifiers
- Klein, Nipkow
- 2003
(Show Context)
Citation Context ...data flow analysis is independent of the JVM, its typing rules, and instruction set. Since it is a slightly extended version of the 13sframework already presented in [Nip01] and (with more detail) in =-=[KN02], -=-we concentrate on the general setting and the result of the data flow analysis. We leave out the data flow analysis itself, i.e. Kildall’s algorithm. 3.2.1 Orders and semilattices This section intro... |

52 |
Describing the semantics of Java and proving type soundness
- Drossopoulou, Eisenbach
- 1999
(Show Context)
Citation Context ...oof assistant Isabelle, we can convert them to executable ML code using Isabelle’s extraction facility [BN00,BS03]. Our encoding of the Java source language owes much to the formalization on paper i=-=n [DE99]-=-, which has also been the basis for an alternative formalization, including a type soundness proof, in the Declare system [Sym99]. Both differ from our definition in that they use a small-step operati... |

52 | A specification of Java loading and bytecode verification
- Goldberg
- 1998
(Show Context)
Citation Context ...checking approach correct. Working towards a verified implementation in Specware, Qian, Goldberg and Coglio have specified and analyzed large portions of the bytecode verifier [CGQ98,CGQ00]. Goldberg =-=[Gol98]-=- rephrases and generalizes the overly concrete description of the BCV given in the JVM specification [LY99] as an instance of a generic data flow framework. Qian [Qia99] specifies the BCV as a set of ... |

52 | A formal formal specification of Java Virtual Machine instructions
- Qian
- 1999
(Show Context)
Citation Context ...rifier [CGQ98,CGQ00]. Goldberg [Gol98] rephrases and generalizes the overly concrete description of the BCV given in the JVM specification [LY99] as an instance of a generic data flow framework. Qian =-=[Qia99]-=- specifies the BCV as a set of typing rules, a subset of which was proved correct formally by Pusch [Pus99]. Qian [Qia00] also proves the correctness of an algorithm for turning his type checking rule... |

48 | Executing higher order logic - Berghofer, Nipkow - 2002 |

46 | Java byte-code verification: an overview
- Leroy
- 2013
(Show Context)
Citation Context ...Mitchell [FM98,FM99,Fre00] develop typing rules for increasingly large subsets of the JVM, including exception handling, object initialization, and subroutines. They do not look at compilation. Leroy =-=[Ler01,Ler03]-=- gives a very good overview on bytecode verification, and proposes a polyvariant data flow analysis in the BCV to solve the notorious subroutine problem. Coglio [Cog01,Cog02] provides an even simpler ... |

41 | A Formal Framework for the Java Bytecode Language and Verifier - Freund, Mitchell - 1999 |

39 |
µJava: Embedding a programming language in a theorem prover
- Nipkow, Oheimb, et al.
- 2000
(Show Context)
Citation Context ...on, we give an overview of Isabelle and describe the existing formalizations of Java in Isabelle: the source language, µJava, and the Java virtual machine language, µJVM. This reduced version of Jav=-=a [NOP00]-=- accommodates essential aspects of Java, like classes, subtyping, object creation, inheritance, dynamic binding and exceptions, but abstracts away from most arithmetic data types, interfaces, arrays a... |

37 | Proving the soundness of a java bytecode verifier specification in isabelle/hol
- Pusch
- 1999
(Show Context)
Citation Context ... given in the JVM specification [LY99] as an instance of a generic data flow framework. Qian [Qia99] specifies the BCV as a set of typing rules, a subset of which was proved correct formally by Pusch =-=[Pus99]-=-. Qian [Qia00] also proves the correctness of an algorithm for turning his type checking rules into a data flow analyzer. Stata and Abadi [SA98] were the first to specify a type system for a subset of... |

36 | Z.: Toward a provably-correct implementation of the JVM bytecode verifier - Coglio, Goldberg, et al. - 1998 |

34 | Type-preserving compilation of Featherweight Java
- League, Shao, et al.
- 2002
(Show Context)
Citation Context ...onger ones such as System F [MWCG99]. The purpose is to exploit types for a program analysis that allows for more efficient closure conversion [WDMT97] or that avoids boxing polymorphic variables. In =-=[LST02]-=-, Java is compiled not to bytecode, but to a functional intermediate language which can also be used as the target of functional programming languages [LST03]. Since compilation is a multi-stage proce... |

27 | Verification of compilers
- Goos, Zimmermann
- 1999
(Show Context)
Citation Context ...ittle attention is given to preservation of type correctness, which is not surprizing since the source language (such as Lisp) or the target language only have a weak type system. The Verifix project =-=[GZ99]-=- has attempted to develop an appropriate compiler correctness criterion for finite resources (such as memory) and nondeterministic programs. Neither of these is a problem in our case. In particular, o... |

25 | Precision in practice: A type-preserving Java compiler
- League, Shao, et al.
- 2003
(Show Context)
Citation Context ...t avoids boxing polymorphic variables. In [LST02], Java is compiled not to bytecode, but to a functional intermediate language which can also be used as the target of functional programming languages =-=[LST03]-=-. Since compilation is a multi-stage process involving several intermediate languages, well-typing of programs has to be preserved during compilation. The type correctness statement is mostly proved o... |

19 |
Analyzing Java in Isabelle/HOL: Formalization, Type Safety and Hoare Logic
- Oheimb
- 2001
(Show Context)
Citation Context ... the same techniques as presented below. The work described here is part of a larger effort aiming at formalizing diverse aspects of the Java language, such as its operational and axiomatic semantics =-=[Ohe01]-=-, its bytecode type system and bytecode verifier [Kle03] and the correctness (in the sense of preservation of semantics) of a compiler [Str02a]. This article extends on a previous paper [Str02b] by pr... |

18 | Simple Verification Technique for Complex Java Bytecode Subroutines - Coglio - 2002 |

16 | A formal executable semantics of the JavaCard platform - Barthe, Dufay, et al. - 2001 |

16 | Verified Java Bytecode Verification
- Klein
- 2003
(Show Context)
Citation Context ...bed here is part of a larger effort aiming at formalizing diverse aspects of the Java language, such as its operational and axiomatic semantics [Ohe01], its bytecode type system and bytecode verifier =-=[Kle03]-=- and the correctness (in the sense of preservation of semantics) of a compiler [Str02a]. This article extends on a previous paper [Str02b] by providing an in-depth exposition of the bytecode type syst... |

16 | Verified lightweight bytecode verification. Concurrency and Computation: Practice and Experience - Klein, Nipow - 2001 |

15 | Type inference verified: Algorithm W in Isabelle/HOL
- Naraschewski, Nipkow
- 1999
(Show Context)
Citation Context ...les and α-convertibility are often glossed over, even though there is good evidence that proofs of typing properties of lambda calculi become quite demanding once these details are taken into account=-= [NN99]-=-. The extensive pencil-and-paper formalization of Java using Abstract State Machines in [SSB01] is complementary to ours: whereas the ASM formalization is much more complete with respect to language f... |

12 | Java bytecode verification using model checking
- Posegga, Vogt
- 2002
(Show Context)
Citation Context ...ates. 36sBarthe et al. [BDJ + 01,BDJ + 02] employ the Coq system for proofs about the JVM and bytecode verification. They formalize the full JavaCard bytecode language, but do not have a compiler. In =-=[PV98]-=-, Posegga and Vogt look at bytecode verification from a model checking perspective. They transform a given bytecode program into a finite state machine and check type safety, which they phrase in term... |

11 | A formal correspondence between offensive and defensive javacard virtual machines - Barthe, Dufay, et al. - 2002 |

11 | A mechanically verified compiling specification for a Lisp compiler
- Dold, Vialard
- 2001
(Show Context)
Citation Context ...per proofs for a simple expression language [MP67], and more recently using diverse specification formalisms such as Z [Ste98] and verification systems such as ACL2 [You89,Goe00], HOL [Cur93] and PVS =-=[DV01]-=-. Little attention is given to preservation of type correctness, which is not surprizing since the source language (such as Lisp) or the target language only have a weak type system. The Verifix proje... |

10 | Type Systems for Object-Oriented Intermediate Languages - Freund - 2000 |

6 | Verified bytecode model checkers
- Basin, Friedrich, et al.
- 2002
(Show Context)
Citation Context ...form a given bytecode program into a finite state machine and check type safety, which they phrase in terms of temporal logic, by using an off-the-shelf model checker. Basin, Friedrich, and Gawkowski =-=[BFG02] -=-use Isabelle/HOL, µJava, and the abstract BCV framework [Nip01] to prove the model checking approach correct. Working towards a verified implementation in Specware, Qian, Goldberg and Coglio have spe... |

6 |
A Proof Assistant for Higher-Order Logic. LNCS 2283
- IsabelleHOL
- 2002
(Show Context)
Citation Context ...aCard dialect of Java, targeted at smart cards. 2.1 An Isabelle Primer Isabelle is a generic framework for encoding different object logics. In this paper, we will only be concerned with Isabelle/HOL =-=[NPW02], -=-which comprises a higher-order logic and facilities for defining data types as well as primitive and terminating general recursive functions. Isabelle’s syntax is reminiscent of ML, so we will only ... |

4 | Extracting a formally verified, fully executable compiler from a proof assistant - Berghofer, Strecker |

4 | Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof - Goerigk - 2000 |

3 | A verified Vista implementation
- Curzon
- 1993
(Show Context)
Citation Context ...th pencil-and-paper proofs for a simple expression language [MP67], and more recently using diverse specification formalisms such as Z [Ste98] and verification systems such as ACL2 [You89,Goe00], HOL =-=[Cur93]-=- and PVS [DV01]. Little attention is given to preservation of type correctness, which is not surprizing since the source language (such as Lisp) or the target language only have a weak type system. Th... |