Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. Technical report, Technische Universitaet Muenchen, 1997. Submitted for publication.
....with mathematical rigor. As far as the Java language is concerned, most of the research on its semantics is focused on the operational approach (cf. e.g. Börger, Schmid, Schulte and Stärk [7], Cenciarelli, Knapp, Reus and Wirsing [12], Drossopoulou, Eisenbach and Khurshid [13], Nipkow and Oheimb [31], and Syme [40]). Notable exceptions are Oheimb [32], who introduces a Hoare-style calculus for Java, as well as Alves-Foss and Lam [2], who present a denotational semantics which is, as usual, based on domain-theoretic notions, cf. e.g. Fiore, Jung, Moggi, O'Hearn, Riecke, Rosolini and Stark [20] ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages. ACM Press, New York, 1998.
....tools that our own work on C relies on, such as HOL's mechanism for defining mutually recursive types, and functions over those types. More recently, work on the mechanisation of Java's semantics has been pursued by both Syme in his own DECLARE tool [Sym97b] and Nipkow and von Oheimb [NvO98] in Isabelle. This work involved the mechanisation of the complicated object-oriented static and dynamic semantics of a subset of Java, followed by the proof of this system's type soundness. C's static semantics is not such an inspiring example, and although we do later prove a type preservation ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In 25th Principles of Programming Languages. ACM Press, 1998. To appear.
....further issues rather than pure logic only. 1 Introduction Theorem proving systems for higher-order logics, such as HOL [5], Coq [4], PVS [15] and Isabelle [18], have reached a reasonable level of maturity to support non-trivial applications. As an arbitrary example, consider Isabelle/Bali [14], which is an extensive formalization of substantial parts of the Java type system and operational semantics undertaken in Isabelle/HOL. Nevertheless, the current state of the art is not the final word on theorem proving technology. Experience from sizable projects such as Isabelle/Bali shows ....
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages. ACM Press, New York, 1998.
.... property, especially for polymorphic languages [2, 4]. It came to prominence with the discovery of the failure of its application to older versions of Eiffel [8, 23]. Our proof of type soundness for compound types is based on the work of von Oheimb and Nipkow [36], a much extended version of [26], in which they have formalized and proved type soundness of a large subset of Java. They verified the proof mechanically with the theorem prover Isabelle/HOL [27]. To this formalization, we added compound types as reference types, appended the widening and casting relations with compound types, ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, 1998.
....Stata and Abadi [SA98] also present a type system and operational semantics for JVM instructions. They have concentrated on the formalization of subroutine calls and do not treat object orientation. There are several efforts to formalize the Java source language. The work of Oheimb and Nipkow [NO98, ON98] is closely related to our work. They have formalized a large subset of Java (Bali) together with its type system and operational semantics in Isabelle/HOL. The type safety of Bali has been proved formally. Drossopoulou and Eisenbach [DE97] have elaborated a proof on paper for the type ....
....stk frs = frs 5 Results and Further Work We have given a formalization of the central parts of the JVM in Isabelle/HOL. The theory files comprise nearly 1100 lines of code. Isabelle/HOL turned out to be an adequate instrument to model real-life programming languages such as Java (see also [NO98, ON98]). It is obvious that we had to make certain restrictions in this first approach to formalize the JVM. For example, we do not consider the size of instructions and their operands and use instead abstract datatypes. These abstractions can be refined in further development steps of our formalization. ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, 1998.
....Science Foundation. 1 As far as the Java language is concerned, most of the research on its semantics is focused on the operational approach (cf. e.g. Börger, Schmid, Schulte and Stärk [6], Cenciarelli, Knapp, Reus and Wirsing [11], Drossopoulou, Eisenbach and Khurshid [12], Nipkow and Oheimb [30], and Syme [38]). Notable exceptions are Oheimb [31], who introduces a Hoare-style calculus for Java, as well as Alves-Foss and Lam [1], who present a denotational semantics which is, as usual, based on domain-theoretic notions, cf. e.g. Fiore, Jung, Moggi, O'Hearn, Riecke, Rosolini and Stark [19] ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages. ACM Press, New York, 1998.
....proof support, such systems provide quite powerful environments for sizeable applications. Taking Isabelle/HOL as an arbitrary representative of these semi-automated reasoning systems, typical applications are the formalization of substantial parts of the Java type system and operational semantics [14], formalization of the first 100 pages of a semantics textbook [13], or formal proof of the Church-Rosser property of β-reductions [12]. Despite this success in actually formalizing parts of mathematics and computer science, there are still obstacles in addressing a broad range of users. One of the ....
T. Nipkow and D. v. Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, New York, 1998.
....further issues rather than pure logic only. 1 Introduction Theorem proving systems for higher-order logics, such as HOL [5], Coq [4], PVS [14] and Isabelle [17], have reached a reasonable level of maturity to support non-trivial applications. As an arbitrary example, consider Isabelle/Bali [13], which is an extensive formalization of substantial parts of the Java type system and operational semantics undertaken in Isabelle/HOL. Nevertheless, the current state of the art is not the final word on theorem proving technology. Experience from sizable projects such as Isabelle/Bali shows that ....
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages. ACM Press, New York, 1998.
....thrown, and demonstrate that in all cases the final state conforms to the program and the environment. 8 Conclusions, Comparisons and Further Work To our knowledge, our work is the first to model exceptions for such a large subset of Java, and demonstrate the soundness of the Java approach. In [11, 1, 10] operational semantics and type systems for Java and SML exceptions are developed where method types do not mention the exceptions potentially escaping their bodies. The formal system we have developed is very near to Java and to programmers' intuitive ideas about program compilation and ....
Tobias Nipkow and David von Oheimb. Java light is Type-Safe --- Definitely. In POPL Proceedings, 1998.
....process failures at any time during a proof. Proof distribution is completely transparent; the existing tactic base is unmodified. 1 Introduction In recent years, there have been many examples of significant formalization efforts in higher-order logics, including Nipkow's formalization of Java [15], Howe's verification of the SCI cache coherency protocol [7], Miller and Srivas's verification of the AAMP5 avionics processor [14] in PVS [3], the verification and automated optimization of Ensemble protocols [11], and many others. Higher-order logics are often chosen for these endeavors not ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, New York, 1998.
....formal analysis of the JVM. Their model is called the defensive JVM because it includes run-time checks to detect and prevent unsafe execution. Questions of type safety for the Java language itself have been investigated by Drossopoulou and Eisenbach [3], Syme [23] and Nipkow and von Oheimb [16], taking advantage of automatic theorem provers to establish useful soundness results. These results do not apply directly to the JVM because there is no guarantee that bytecode files will be generated by type-preserving compilers from Java source. One interesting idea, attributed to Andrew Appel ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Conference record of POPL '98: 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 161--170, San Diego, CA, January 1998.
.... proof of its properties, • a strengthening of the properties of binary compatibility proven earlier [7], • demonstration that the properties of binary compatibility in Java stem from the few features described in the fragment calculus rather than from the rather large set of features of Java [16, 21] and its byte code [18, 19, 9]. We believe that such a fragment calculus can serve as a basis for the description of the approaches to separate compilation and linking taken by other languages, and as a starting point for an abstract description of dynamic linking and loading in Java [15, 14, ....
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In 25th POPL Proceedings, 1998.
.... studied static type (un)safety in Java in the presence of more than one class loader [13]. Although the JVM uses some structures of the Java language, our type system for the JVM resembles data flow analysis and thus is quite different from a formal specification of a type system for Java in e.g. [4, 11, 16]. 3 JVM programs, methods, data areas and frames According to the OJVMS, a byte is 8 bits, and a word is an abstract size that is larger than, among others, a byte. One-byte-wide data build instructions, whereas one-word-wide data represent runtime data. We use byt to range over all one-byte data ....
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, 1998.
....for an open system design allowing user-programmed extensions in a logically sound way. The flexibility, generality and expressiveness of LCF-style provers makes them symbolic programming environments, into which other languages can be logically embedded, e.g. Haskell (Regensburger, 1994), Java (Nipkow & von Oheimb, 1998), Z (Bowen & Gordon, 1994; Kolyang, Santen & Wolff, 1996b) or CSP (Tej & Wolff, 1997). Together with appropriate, customised proof support and a graphical user interface which hides the details of the embedding, this leads to an implementation technology for formal method tools which we call ....
Nipkow, Tobias, & von Oheimb, David. (1998). Java light is type-safe --- definitely. Pages 161--170 of: Proc. 25th ACM Symp. Principles of Programming Languages. ACM Press.
....time. Type soundness is not a trivial property, especially for polymorphic languages [3, 4]. It came to prominence with the discovery of its failure in Eiffel [8, 23]. Our proof of type soundness for compound types is based on the work of von Oheimb and Nipkow [36], a much extended version of [25], in which they have formalized and proved the type soundness of a large subset of Java. They verified the proof mechanically with the theorem prover Isabelle/HOL [26]. To this formalization, we added compound types as reference types, appended the widening and casting relations with compound ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, 1998.
....our decision: 1. Java is a very modern language. Although the Java fever seems quite exaggerated, it causes some positive effects for our project: a) Research projects from all over the world deal with Java. In particular, Nipkow and von Oheimb formally proved a Java subset type correct (cf. [NvO98]). b) Java is used in commercial software development more and more often. Thus, cooperations with industrial partners become more likely. c) The immense interest of students in Java eases sourcing out parts of the project as diploma theses. 2. Java comes with a small class library our system ....
....to provide the main features of imperative programming languages (e.g. recursion, iteration, basic data types, etc.). 4. Svenja should be as small as possible (w.r.t. goals 2 and 3) to focus on the central problems. 5. Wherever it is reasonable, Svenja should be as close as possible to Bali (cf. [NvO98]). This eases our cooperation with Nipkow and von Oheimb. Notation The syntax of Svenja is presented in the Synthesizer Generator notation (see introduction). The form of a production declaration is phylum : operator_name_1 ( phylum_1^1 phylum_2^1 ... phylum_{k_1}^1 ) operator_name_2 ( ....
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages. ACM Press, 1998. To appear.
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, 1998.
....have come into their reach. The most widely used verification systems of this type are probably HOL [GM93], Isabelle [Pau94] and PVS [ORR+96]. Examples for real-world applications include verifications dealing with the AAMP5 microprocessor [MS95], the type system of a subset of Java [NvO98] and various security protocols [BP98]. The reason for the success can mainly be found in the expressiveness of higher-order logic, which allows us to formulate even complex application domains in an adequate and natural way. For our verification efforts we will use Isabelle in favour of HOL or ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, New York, 1998.
.... size of the resulting HOL theories in lines, including all the proofs: Operational 300; Denotational (sets) 100; Axiomatic 300; Denotational (HOLCF) 100. But does it scale up? We believe it does, and have two significant data points in support: • Nipkow and Oheimb [NO98, ON98] have formalized a large part of Java (excluding parallelism) and have proved type soundness. Their evaluation semantics is at least 10 times the size of the one for IMP. • Müller [MN97, DGM97, Mul98a, Mul98b] has formalized many aspects of I/O automata, an abstract model of distributed ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, 1998.
....later [DE99] to include exception handling. Syme has embedded this paper-and-pencil work in his theorem prover DECLARE [Sym99], correcting several flaws that came up thanks to the rigorous machine-checked treatment. In parallel, we have developed the first version of our embedding in Isabelle/HOL [NO98], covering a similar fraction of Java but using an evaluation (big-step) semantics. Börger and Schulte have formalized (on paper) almost the full Java language as an Abstract State Machine [BS99]. Jacobs et al. translate Java code directly into the PVS higher-order logic (as a shallow embedding) ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, 1998.
....should strive for such a machine-checked design. The benefits are not just greater reliability, but also greater maintainability, because the theorem prover keeps track of the impact that changes have on already established properties. This is a completely revised and extended version of [NO98]. Research supported by DFG SPP Deduktion. Note that the type safety of Java is not sufficient to guarantee secure execution of bytecode programs on the Java Virtual Machine, because the bytecode might be tampered with, produced by a faulty compiler, or not be related to any Java source ....
....We do not yet have tools for automatically generating executable code from our theories, which would be an additional help in validating our formalization. The importance of such a mechanism became very obvious when we uncovered a mistake in our formalization (which was not present in [NO98] but was introduced by modifications) when symbolically executing the example in this article in Isabelle: the list returned by function fields was in reverse order. Although the type soundness proof itself was an excellent debugging mechanism which caught many minor and some major mistakes, it ....
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages, pages 161--170. ACM Press, 1998.
Tobias Nipkow and David von Oheimb. Java light is type-safe --- definitely. Technical report, Technische Universitaet Muenchen, 1997. Submitted for publication.
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In 25th POPL Proceedings, 1998.
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In Proceedings of POPL, 1998.
T. Nipkow and D. von Oheimb. Java light is type-safe --- definitely. In Proc. 25th ACM Symp. Principles of Programming Languages. ACM Press, New York, 1998.