29 citations found.
Robert O'Callahan. A Simple, Comprehensive Type System for Java Bytecode Subroutines. In Proceedings of the 26th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 70--78, San Antonio, Texas, January 1999.


This paper is cited in the following contexts:


Flow-Sensitive Type Qualifiers - Foster, Terauchi, Aiken (2002)   (43 citations)  (Correct)

....inference [LG88, Wri92] to gain a measure of polymorphism. The type state system of NIL [SY86] is one of the earliest to incorporate flow-sensitive type checking. Xu et al. [XRM01] use a flow-sensitive analysis to check type safety of machine code. Type systems developed for Java byte code [SA98, O'C99] also incorporate flow sensitivity to check for initialization before use and to allow reuse of the same local variable with different types. Igarashi and Kobayashi [IK02] propose a general framework for resource usage analysis, which associates a trace with each object specifying valid accesses to ....

Robert O'Callahan. A Simple, Comprehensive Type System for Java Bytecode Subroutines. In Proceedings of the 26th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Antonio, Texas, January 1999, pages 70-78.


A Security-Property Language for Self-Certified Code - Bernard (1999)   (Correct)

....Approaches It may happen that the implementation of the enforcement mechanism defines the security policy, rather than vice versa. An implementation-defined security policy is difficult to describe at an abstract level: witness recent attempts to formalize the Java bytecode verifier [SA99, FM98, O'C99]. In the absence of a precise definition, it is impossible to establish rigorously that a security policy does not permit the malicious behavior that it is designed to prevent. Systems such as PCC and TAL are based on explicit formal models, but it can be difficult to extend the security policy ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 70-78, San Antonio, TX, January 1999.


The Problem of Bytecode Verification in Current.. - Stärk, Schmid   (Correct)

....are, in addition to Test1 and Test2, many legal Java programs that cannot be typed in their system. The bytecode of Test1 and Test2 still cannot be typed in the extended and refined system of Freund and Mitchell in [3,2]. The two examples can also not be typed in the system of O'Callahan in [13] which is based on ideas of type systems for continuations and polymorphic recursion. It seems that any type system (or bytecode verifier) that checks each subroutine only once will reject legal Java programs like Test1 and Test2. This includes also various systems by Qian (e.g. [14]) and other ....

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symposium on Principles of Programming Languages, pages 70--78, 1998.


Java and the Java Virtual Machine - Definition.. - Stärk, Schmid, Börger (2001)   (Correct)

....bytecode, verifiable bytecode, etc. Our analysis of the JVM bytecode verifier, which we relate to the static analysis of the Java parser (rules of definite assignment and reachability analysis) goes beyond the work of Stata and Abadi [34], Qian [27, 28], Freund and Mitchell [16] and O'Callahan [26]. 1.1 The goals of the book 3 In this introduction, we give an overview of the general goals of the book, its contents, the structuring techniques we use for decomposing Java and the JVM, and the literature we used. For additional information on the book and updates made after its publication, ....

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In POPL '99. Proc. 26th ACM Symposium on Principles of Programming Languages, pages 70--78, 1999.


A Type System for JVM Threads - Laneve (2000)   (4 citations)  (Correct)

....in a series of papers by Stata Abadi [17] and Freund Mitchell [7, 8, 9] with the admitted aim of covering most of the static analysis problems of JVML. Other approaches to bytecode verification, that don't cover concurrency issues, are based on data flow analysis [10], typed assembly languages [14], the Haskell type checker [19] and abstract state machines [5]. As regards the bytecode, a detailed semantics can be found in Bertelsen's works [2]. However Bertelsen does not address the semantics of multi-threading, as well as that of monitorenter and monitorexit (in his work these ....

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Conference Record of POPL'99: The 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 70-78. ACM Press, 1999.


Improving the Official Specification of Java Bytecode Verification - Coglio (2001)   (Correct)

....the disambiguation of them to classes, as well as the generation of subtype constraints as opposed to loading classes. 4 Conclusion The topic of Java bytecode verification has attracted the interest of several researchers. As a result, there has been a large number of publications on the subject [CG01, CGQ98, CL99, FC00, FC01, FM99a, FM99b, FM99c, Fre98, Gol98, HT98, Jon98, KN00, Nip01, O'C99, Pus99, PV98, Qia99, Qia00, Req00, RR98, SA99, SSB01, Yel99]. These works have greatly contributed to the clarification of key issues in bytecode verification, including pointing out some inadequacies in JS and proposing improvements. To my knowledge, this paper is currently the only work to provide a comprehensive analysis of the official specification of ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symposium on Principles of Programming Languages (POPL'99), pages 70-78, January 1999.


Java Bytecode Verification: An Overview - Leroy (2001)   (26 citations)  (Correct)

....in a way that is closer to Sun's implementation. The simultaneous determination of types and Used( sets complicates the data flow analysis: the transfer function of the analysis is no longer monotonous, and special iteration strategies are required to reach the fixpoint. Finally, O'Callahan [21] and Hagiya and Tozawa [10] also give non-standard type systems for subroutines based on continuation types and context-dependent types, respectively. However, these papers give only type checking rules, but no effective verification (type inference) algorithms. While these works shed considerable ....

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In POPL'99, pages 70-78. ACM Press, 1999.


Java Bytecode Verification is Not Possible - Stärk, Schmid (2001)   (Correct)

....there are, in addition to Test1 and Test2, many legal Java programs that cannot be typed in their system. The bytecode of Test1 and Test2 still cannot be typed in the extended and refined system of Freund and Mitchell in [2]. The two examples can also not be typed in the system of O'Callahan in [7] which is based on ideas of type systems for continuations and polymorphic recursion. It seems that any type system (or bytecode verifier) that checks each subroutine only once will reject legal Java programs like Test1 and Test2. This includes also various systems by Qian (e.g. [8]). There are ....

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In POPL '99. Proc. 26th ACM Symposium on Principles of Programming Languages, pages 70--78, 1999.


Least Types for Memory Locations in Java Bytecode - Qian (1999)   (4 citations)  (Correct)

....and subroutines and proved the soundness. Hagiya and Tozawa [4] presented another type system for subroutines, where the soundness proof is extremely simple. Pusch [7] formalized a subset of JVM in the theorem prover Isabelle/HOL and reached a higher degree of reliability. Recently, O'Callahan [6] proposed yet another typing system based on type constraints, polymorphic recursion and continuations. All this work basically aimed at defining what types memory locations should have, did not consider how to develop a provably correct implementation to compute types for memory locations. ....

....a logical interpretation for the transfer functions. In addition, since he did not consider subroutines, he did not encounter the problems we discuss in this paper. Although all the approaches mentioned above look different and deal with different subsets of JVM instructions, they all, except [6], directly or indirectly handle flow analysis in some ways. Thus the correspondences are quite straightforward. A previous version of the current paper proposed an algorithm where the application of rule (10) needs to be restricted. The current paper shows that the restriction can be removed. In ....

[Article contains additional citation context not shown here]

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symp. Principles of Programming Languages, 1999. To appear.


A Type System for Object Initialization In the Java Bytecode.. - Freund, Mitchell (2000)   (105 citations)  (Correct)

....6.2 JVML s The JVML bytecodes for subroutines have also been added to JVML i and are presented in another extended language, JVML s. While this section will not go into all the details of subroutines, detailed discussions of bytecode subroutines can be found in several other works [SA99, LY96, O'C99, HT98]. Subroutines are used to compile the finally clauses of exception handlers in the Java language. Subroutines share the same activation record as the method which uses them, and they can be called from different locations in the same method, enabling all locations where finally code must be ....

....ideas from that type system may be used to eliminate some of the simplifications to the subroutine mechanism in the work of Stata and Abadi. Several recent projects have departed from Sun's original specification and have developed significantly different static semantics for JVML subroutines. In [O'C99], O'Callahan presents a system based on ideas from the TAL type system of Morrisett et al. [MCGW98]. Other work has borrowed ideas from the type system of Haskell [Jon98, Yel99]. Another approach using concurrent constraint programming was also proposed [Sar97]. This approach is based on ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symposium on Principles of Programming Languages, January 1999.


Java Type Soundness Revisited - Drossopoulou, Valkevych, Eisenbach (2000)   (3 citations)  (Correct)

.... It has been demonstrated that many breaches of the Java security originate with the possibility of breaking the type system through a combination of fooling the bytecode verifier and the linker loader [4, 5, 23]. The semantics of the Java source language [7, 35, 37, 27, 1, 29, 8], the Java bytecode [33, 12, 28, 26, 29], and safety pitfalls or security considerations [4, 24, 5, 38, 23] has attracted much research. In some cases, this research has helped to get some loopholes fixed [32], in other cases, it has illuminated grey areas and explored possible interpretations [12, 35, 9, 33, 11]. This paper presents a ....

Robert O'Callahan. A Simple, Comprehensive Type System for Java Bytecode Subroutines. In Proceedings of the POPL'99 the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 70-78. ACM, January 1999.


Proof-Directed De-compilation of Low-Level Code - Katsumata, Ohori (2001)   (1 citation)  (Correct)

....the technical development, we compare the results presented in this paper with related works. The work most relevant to ours is that of Stata and Abadi [17] who presented a type system of a subset of the Java bytecode language including subroutines. This work is further refined by O'Callahan [12] and Freund and Mitchell [3]. In these approaches, a type system is used to check the consistency of an array of instructions. The result of typechecking is success or failure indicating whether the array of instruction is type consistent or not. In contrast, our approach is to interpret a given ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proceedings of ACM Symposium on Principles of Programming Languages, pages 70--78, 1999.


A Type System for JVM Threads - Bigliardi, Laneve (2000)   (4 citations)  (Correct)

....in a series of papers by Stata Abadi [16] and Freund Mitchell [6, 7, 8] with the admitted aim of covering most of the static analysis problems of JVML. Other approaches to bytecode verification, that don't cover concurrency issues, are based on data flow analysis [9], typed assembly languages [13] and the Haskell type checker [17]. As regards the bytecode, a very detailed semantics can be found in Bertelsen's works [2]. However Bertelsen does not address the semantics of multi-threading, as well as that of monitorenter and monitorexit (in his work these instructions have been regarded ....

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Conference Record of POPL'99: The 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 70-78. ACM Press, 1999.


Towards Array Bound Check Elimination in Java Virtual Machine.. - Xi, Xia (1999)   (2 citations)  (Correct)

....the code passes type checking in de Caml. Notice that it is impossible to determine whether dst. i) is safe if the type annotation is not supplied. In this paper, we apply this idea to JVMLa, a subset of JVML, presenting an approach towards eliminating array bound checks in JVML. Inspired by [7, 10], we design a type system for JVMLa which is expressive enough to capture the memory safety property of JVMLa bytecode, where memory safety consists of both type safety and safe array access. We are thus able to enforce memory safety of bytecode through type checking and thus eliminate run time ....

....execution of a well type JVMLa program cannot lead to run time memory violation. This implies that memory safety of JVMLa programs can be enforced through static type checking. 6 Extension The instructions jsr and ret in JVML complicate a JVML verifier implementation significantly as stated in [10]. This, however, is not the case for JVMLa, which can readily handle jsr and ret. The execution of jsr L pushes the program count of the ....

[Article contains additional citation context not shown here]

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proceedings of ACM SIGPLAN Symposium on Principles of Programming Languages, pages 70--78, San Antonio, January 1999.


Standard Fixpoint Iteration for Java Bytecode Verification - Qian   (19 citations)  (Correct)

....assignment for the method. SJVMS informally describes how to determine if a JVM program is well-typed. But it lacks a formal semantics. Since the static well typedness is an important aspect of Java based Internet security, a number of formal specifications have been proposed to define it (e.g. [7,10,11,20,22,21,25]). This paper takes a step further and presents a standard chaotic (fixpoint) iteration (see e.g. [6]) which represents a family of standard fixpoint computation strategies (see e.g. [13,18]) to compute a least type for each JVM program within a finite number of iteration steps. Since the ....

....They have not identified any non-monotonicity property nor explicitly considered operational properties of their verification algorithms as done here. More investigations are needed to see whether their verification algorithms have properties similar to those we have proved here. O'Callahan [20] has constructed a typing system based on polymorphic recursion and continuations similar to a more general setting of typed assembly language [16,17] and compared it with bytecode verification. He reveals that return addresses can be directly typed using continuations so that one does not ....

R. O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symp. Principles of Programming Languages, pages 70--78, 1999.


A Formal Framework for the Java Bytecode Language and Verifier - Freund, Mitchell (1999)   (30 citations)  (Correct)

....produce a sound static semantics. One final category of projects regarding JVML are those which have departed from the original Sun specification. O'Callahan, for example, presents a type system for Java bytecode subroutines based on the framework developed to study typed assembly language [O'C99]. Jones and Yelland independently developed ways of type checking bytecode programs using the Haskell type checker [Yel99, Jon98]. One potential area for future work is to combine some of the ideas from these studies and the type systems for typed assembly languages [TMC 96, MCGW98] into our ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symposium on Principles of Programming Languages, January 1999.


Towards Array Bound Check Elimination in Java Virtual Machine.. - Xi, Xia (1999)   (2 citations)  (Correct)

....the code passes type checking in de Caml. Notice that it is impossible to determine whether dst. i) is safe if the type annotation is not supplied. In this paper, we apply this idea to JVMLa, a subset of JVML, presenting an approach towards eliminating array bound checks in JVML. Inspired by [8, 11], we design a type system for JVMLa which is expressive enough to capture the memory safety property of JVMLa bytecode, where memory safety consists of both type safety and safe array access. We are thus able to enforce memory safety of bytecode through type checking and thus eliminate run time ....

....on the dynamic semantics of JVMLa, is currently under study and will be reported in future work. 9 Related work A typed assembly language (TAL) is first introduced in [8] and a stack based typed assembly language (STAL) is then introduced in [7]. A type system similar to STAL is developed in [11] for JVML 0 C, which is basically a minimal subset of JVML capturing the feature of jump to subroutine. The type systems of these languages suffice to guarantee type safety of programs. Unfortunately, the property of safe array access cannot be captured in these type systems. As a consequence, it ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proceedings of ACM SIGPLAN Symposium on Principles of Programming Languages, pages 70--78, San Antonio, January 1999.


Language-Based Security - Kozen (1999)   (21 citations)  (Correct)

....for the applet to use this class loader to load, say, a malicious security manager that would permit unlimited disk access. According to some authors [4, 13] these problems were ultimately due to a lack of an adequate semantic model for Java. Steps to remedy this situation have since been taken [1, 27]. Nevertheless, despite these initial failings, the basic approach constituted a significant step forward in practical programming language security. It not only pointed the way toward a simple and effective means of providing a basic level of security, but also helped to galvanize the attention ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th Symp. Principles of Programming Languages, pages 70--78. ACM SIGPLAN/SIGACT, January 1999.


Stack-Based Typed Assembly Language - Morrisett, Crary, Walker, Glew (1998)   (44 citations)  (Correct)

....during execution. Consequently, procedure call must be a primitive construct (which it is in the Java Virtual Machine). In contrast, our treatment supports polymorphic stack recursion, and hence procedure calls can be encoded using existing assembly language primitives. More recently, O'Callahan [24] has used the mechanisms in this paper to devise an alternative, simpler type system for Java bytecodes that differs from the Java bytecode verifier's discipline [19]. 4 This is an example of when it is inconvenient that stack types specify the order in which data appear on the stack. In fact, ....

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Twenty-Sixth ACM Symposium on Principles of Programming Languages, San Antonio, Texas, January 1999. To appear.


Simple Verification Technique for Complex Java Bytecode Subroutines - Coglio (2002)   (10 citations)  Self-citation (Simple)   (Correct)

No context found.

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symposium on Principles of Programming Languages (POPL'99), pages 70--78, January 1999.


Simple Verification Technique for Complex Java Bytecode Subroutines - Coglio (2002)   (10 citations)  Self-citation (Simple)   (Correct)

....to a platform independent bytecode language, which is executed by the Java Virtual Machine (JVM) [18]. This bytecode language features intra-method subroutines, used by Java compilers to generate more compact code [18, Sect. 7.13]. In an idealized version of Java bytecode, similar to those in [8, 13, 20, 25], a program P is a list of instructions. The positions in the list (starting from 0) are the addresses of P. Instructions operate on values stored in a finite collection of named variables and in a stack of bounded size. Values are integers, floats, and (some) addresses; values carry explicit type ....

....be later separated, they are merged into one pair; they are kept distinct if there are different calling addresses in corresponding positions. So, if a program has no subroutines, all sets are singletons and the analysis essentially reduces to the one in [18, Sect. 4.9.2]. 6 Experimental measures [7, 20] suggest that current compilers generate code with very infrequent use of subroutines. So, in the presence of subroutines, the sets of pairs should be fairly small. 5 Related Work As a point of comparison with other techniques, consider the Java code in Fig. 2 (adapted from [24, Fig. 16.8]). The ....

[Article contains additional citation context not shown here]

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symposium on Principles of Programming Languages (POPL'99), pages 70-78, January 1999.


Simple Verification Technique for Complex Java Bytecode Subroutines - Coglio (2001)   (10 citations)  Self-citation (Simple)   (Correct)

....with subroutines, in order to accept code produced by mundane compilers, a more precise analysis of the flow of control is needed. Besides the official technique to verify subroutines informally described in [LY99, Sect. 4.9.6] and implemented in [Suna], several formal techniques have been proposed [FM99, HT98, O'C99, PV98, Qia99, SSB01, SA99, Yel99]. Unfortunately, each of them (including the official one) rejects certain programs produced by mundane compilers or is otherwise difficult to realize within a JVM implementation. This paper presents a novel technique which is surprisingly simple to understand, implement, and prove sound. It is also ....

....Related work is discussed in Section 4. The Appendix summarizes the mathematical notations used in the paper and collects the proofs of lemmas and theorems. 2 Subroutines This section defines the syntax and semantics of a simple language L with subroutines, similar to the languages used in [FM99, HT98, O'C99, SA99], along with a notion of type safety. The key issues in verification are then discussed. L is an abstraction of Java bytecode, which is much richer. This simpler language exposes the essence of problems and solutions, because the omitted features are orthogonal. 2.1 A Simple Language with ....

[Article contains additional citation context not shown here]

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proc. 26th ACM Symposium on Principles of Programming Languages (POPL'99), pages 70-78, January 1999.


Type Qualifiers: Lightweight Specifications to Improve Software.. - Foster (2002)   (6 citations)  (Correct)

No context found.

Robert O'Callahan. A Simple, Comprehensive Type System for Java Bytecode Subroutines. In Proceedings of the 26th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 70--78, San Antonio, Texas, January 1999.


Java Bytecode as a Typed Term Calculus - Higuchi, Ohori (2002)   (Correct)

No context found.

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proceedings of ACM Symposium on Principles of Programming Languages, pages 70-78, 1999.


Enforcing Formal Security Properties - Bernard, Lee (2001)   (Correct)

No context found.

Robert O'Callahan. A simple, comprehensive type system for Java bytecode subroutines. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 70-78, San Antonio, TX, January 1999.


CiteSeer.IST - Copyright Penn State and NEC