Towards an abstract model of Java dynamic ... - Semantic Scholar

Download PDF
1 downloads 0 Views 289KB Size Report
Comment
In Jim Alves-Foss, editor, Formal Syntax and Semantics of Java, volume 1523 of LNCS. Springer, 1999. [24] Joe Wells and Rene Vestergaard. Confluent ...
Towards an abstract model of Java dynamic linking and verification Sophia Drossopoulou Department of Computing, Imperial College, London

Abstract We suggest a model for dynamic linking and verification as in Java. We distinguish five components in a Java implementation: evaluation, resolution, loading, verification, and preparation – with their associated checks. We demonstrate how these five together guarantee type soundness. We take an abstract view, and base our model on a language nearer to Java source than to bytecode. We consider the following features of Java: classes, subclasses, fields and hiding, methods and inheritance, and interfaces.

1 Introduction Java’s recent spectacular success is partly due to its novel approach to code deployment. Rather than compiling and linking a fixed piece of code for a set target machine, Java is compiled to bytecode[18], that can be executed on several platforms, and can link further code on demand: This approach, however, creates opportunities for malicious attacks. The security of Java greatly depends on the safety of the type system [4]. As it is bytecode that is executed rather than source code, and as bytecode is not always the product of compilation, Java security lies primarily with the bytecode verifier, which was formalized as as a type inference system where stack locations have types on a per-instruction basis, [22, 11, 10, 19]. On the other hand, [21] reported security flaws due to inconsistencies between loaders, which were rectified in later releases, as described in [17]. An operational semantics for multiple loaders is given in [14]. Thus, various components of Java and the virtual machine have been studied at considerable depth in isolation, but, except for this paper and [20] their interplay has not yet been formalized. We attempt a synthesis, and consider the complete process, i.e. evaluation, loading, verification, preparation and resolution in a typed setting. We base our model on a language that is very near to Java source, rather than the bytecode, as in [20]. Our model is therefore useful for source language pro-

grammers: Even if they do not program in bytecode, and do not download unverified bytecode, they may become aware of these issues, and may trigger verification, resolution and loading errors. 1 We distinguish the checks performed by verification and resolution, and demonstrate their dependencies: Resolution checks do not guarantee consistency unless applied on verified code, nor are verification checks sufficient unless later supported by resolution checks. Our model clarifies which situation will throw which exceptions, a question that is not unambiguously answered in [12, 18], and it demonstrates how execution of unverified code may corrupt the store. A clear understanding of these checks and their interplay is crucial for the design of new binary formats for Java. In fact, while most Java implementations use the lass format [18], any format satisfying the properties outlined in ch 13.1 of [12] may be used instead.

1.1 Overview of Java verification and dynamic linking, and of our formalization In traditional programming languages, e.g. Ada, Modula-2, the compiler checks all type-related requirements, and produces code which does not contain type information. If the various components of a program have been compiled in an order consistent with their dependencies (dependencies through imports or inheritance) then execution is guaranteed to be sound with respect to types. Thus, before execution, the program is linked eagerly, all external references are resolved and type-checked. Execution has therefore the form

e; ; Code ; e0 ;  0 ; Code i.e. it takes place in the context of fixed Code, and modified the expression e and the store  . Also, if the expression and state are well-formed in the context of Code, and e is not ground, then execution will continue with a well-formed expression, unless a program exception is thrown. We call program exceptions those 1 By compiling modified Java classes without recompiling all importing classes one may obtain bytecode that does not verify. Also, execution sometimes does not attempt to verify local classes.

term

L P e



L P e; ; P; L

; e0; 0 ; PP0 ; L0

<  =exp <  =nll <  =typ P; L `  lss 0 P; L ` impl i P; L ` i intf i0 ` P; L 3a ` P; L 3sups P; L `v L0 3 ( L00 P; L `v t  t0 ( L0 P; L; E `v e : t ( L0

meaning

definition

language of loaded code language of prepared code a term (identical in L and P ) a store, mapping identifiers and integers to identifiers or integers loaded code, from L prepared code from P

fig 3 fig 3 sect. 5.1

e,  rewrite to e0 ,  0 , prepared code augmented by P0 , loaded code becomes L0

fig 4

expression context, propagates to sub-expression null context, may throw exception type context, may cause loading and verification

fig 5 fig 5 fig 5

is a subclass of 0 in context of P, L

implements i in context of P, L i is a subinterface of i0 in context of P, L

the subclass/subinterface relationship in P, L is acyclic P, L contain all superclasses/superinterfaces of classes/interfaces defined in PL

fig 6 fig 6 fig 6 fig 6 fig 6

verifier checks that L0 is well formed in context of P, L, while loading L00 verifier checks that t widens to t0 in context of P, L, while loading L0 verifier checks that e has type t in context of P, L, while loading L0

fig 7 fig 7 fig 7

E

environment for the declaration of variables

fig 8

P; L ` t  t0 P; L; E ` e : t P; L ` P0 3 L ` P3

t widens to t0 in the context of the prepared code P, and loaded code L e has type t in the context of the prepared code P, and environment E P0 is well-formed in the context of P and L P is well-formed in the context of L

fig 9 fig 9 fig 9 fig 9

; P ` w : t ; P ` 3 P; E `  3 P; L ` t  t0 P; L; E `r ; e : t

value conforms weekly to type t in context of P the object stored at in  is well-formed (conforms strongly) all objects in  are well-formed, and agree to their declarations in E t widens to t0 in the context of P and L run-time expression e has type t in store  in the context of P, L, E

fig 10 fig 10 fig 10 fig 10 fig 10

ld(t; P; L) pr(L; P)

loading preparation

fig 11 fig 11

F o(f ; ; t; P) F s( ; P) Mo(m; ; t2 ; t1 ; P) Me( ; ; P) Mo (m; i; t2; t1 ; P)

the offset of field f with type t in class al fields with types and offsets, defined or inherited in class the offset of method m with argument type t2 and result type t1 in class the method body at offset in class the offset of method m with argument type t2 and result type t1 in interface i

fig 12 fig 12 fig 12 fig 12 fig 12

definitions in L, or in P, or in L and P are unambiguous look-up class or interface t in L, or in P, or in L and P

omitted omitted

loads

loads

loads

i

` L 3u, ` P 3u, ` P; L 3u L(t) , P(t) , PL(t)

Figure 1. Concepts defined in this paper

caused by the logic of the program, eg division by zero, null pointer dereferencing etc. Java on the other hand, does not require the complete program to have been linked before execution. During execution it is possible that a class is needed, which is part of the current code. If bytecode for the class name can be found, and verified, then the code is enriched with the new class, otherwise, a load-exception or a verificationexception is thrown. The Java approach is even lazier, in the sense that Code consists of a verified part P, and a loaded part L, which was loaded in order to support verification of P. We consider language L, which stands for loaded binary programs, and P , which stands for verified and prepared binary programs, c.f. section 2. Verification checks that the subtype relations required in some code are satisfied, but does not check the presence of fields or methods referred to in some piece of code. That is checked only when and if the method or field are accessed; if they cannot be found, then a resolution-exception is thrown. Therefore, we describe execution in terms of expressions e, states  , verified code P, and loaded but not verified code L. It has the general form

e; ; P; L

; e0; 0 ; PP0; L0

thus describing that the expression may be rewritten, the state may be modified, code may be loaded, and some of the loaded code may be verified and prepared. The possible errors are program exceptions, loading exceptions, verification exceptions, and resolution exceptions. We classify execution into the following five components:

    

evaluation corresponds to execution as in most programming languages, resolution describes the process of resolving references to fields and methods, loading is the process of loading class descriptions necessary for the verification of further classes, verification is the process of verifying L code preparation turns verified L code into P code.

We demonstrate these components in terms of an example. Consider the following high level view of byte code method call: new A[A; int; void].m( 3) which stands for the call of a method m, defined in class A, which takes an int parameter, and returns void,2 , and where the receiver is a new object of class A. 2 Method

calls in Java bytecode contain the signature of the method.

Assume that class A is not defined in L, nor in P. If class A can not be found, then a load error is thrown, otherwise A is loaded, and L is extended. Then class A is verified, which means that all its method bodies, and all its superclasses will be checked, and all required subtype relationships will be checked. Assume that class A had a method void m(int x){ B aB; aB = new C; aB[B; int].f = x } The term aB[B; int].f indicates selection from aB of a field f defined in class B with type int. Verification of the above method body requires that class C is a subtype of B. Assume that C has not been loaded nor verified yet. Then it will get loaded together with all its superclasses. If those include B, then verification will be successful. This is and example of a class that is loaded but not verified. We represent verification through a judgement

0 P; L; E `v e : t ( loads L ; which means that the expression e could be verified in the context of prepared P, loaded L, and environment E, and required further binaries L0 to be loaded. Now consider execution of the method body for m. The creation of the object of class C requires preparation of the class C. Preparation determines the layout of the objects of that class and the layout of the method look-up table of that class, ensuring that the offsets for inherited fields and methods coincide with those of the superclasses. When the assignment aB[B; int].f = x is executed, the filed access aB[B; int].f is resolved. If class B does not have a field f of type int, then a resolution exception is thrown. Otherwise, resolution returns the offset of int f from class B. This offset is used to access the field in aB, which happens to belong to class C. But because C is a subclass of B, and has been prepared, it will have the inherited field at the same offset as B, and so the assignment will not break the consistency of the object. If however, the method body had not been verified, and C was not a subclass of B, or if resolution could be fooled, then the integrity of the object could be violated. Thus, the above example demonstrates how the verification and resolution checks complement each other. We represent consistency of states with prepared code through P; E `  and types for run-time expressions through P; L; E `r ; e : t. In section 4 we prove a subject reduction and progress lemma, which guarantees for well-formed P, state  consistent with P and L, and welltyped e that execution will either produce a well-typed e0 , or a null pointer exception (if a null pointer is de-referenced), a loader exception (if requested classes could not be found, or were circular), or a verifier exception (if verification of requested classes unsuccessful), or a member absent exception (if a non-existing method or field was accessed). In all

3

cases it will preserve the consistency of  0 which is crucial for safety. Furthermore, execution will never get stuck. In figure 1 we list all judgements and functions defined in the paper, with a brief description of their intention, and the place of their definition. The treatment of interfaces

p def

::= ::=

methHd meth eld exp

::= ::= ::= ::= | | | | | | | ::= ::= ::= ::= ::= ::= ::= ::=

In order to establish that required subtype relationships are satisfied, verification looks up the appropriate classes. However, if the required subtype relationships involve interfaces, then these relationships are automatically assumed to hold and are not checked! Apparently overawed by the multiplicity of parents possible in a Java interface hierarchy, the implementors of Sun’s verifier ... abdicated responsibility for type checking involving the use of interfaces. Instead, ..., the burden of checking for compatibility, ... passed implicitly to the run-time system Philipp Yelland [25] Thus, at run-time these subtype requirements need to be checked, and execution of interface method calls will check the satisfaction of the associated subtype relationship. Again, we see that checks from two different JVM components complement each other, and in slightly different ways for classes than for interfaces.

2 The languages L and P The binary language L presents an abstract view of the Java bytecode. In order to keep the discussion simple, we only consider classes, subclasses, interfaces, subinterfaces, assignment, method overloading and inheritance, field inheritance and hiding.3 Even though our examples use sequential statements, we have not included them in the Land P -syntax, as they can be easily encoded by extra methods. In order to simplify the presentation, all methods have one argument, called x. The only types we consider are classes, interfaces and int; these demonstrate several interesting properties of the Java system. Interfaces introduce multiple subtyping. More interestingly, subtyping introduced through interfaces is dealt with differently from subtyping introduced through subclassing: as we shall see, the verifier assumes an interface to be a supertype of any type, whereas it considers a class to be a supertype of its loaded subclasses only; therefore, at runtime subclasses are not checked for instance

L

3 is a similar language to language Javacito[16] or the Java subset from [8]; it is larger than [13] because it considers imperative features, overloading and interfaces; and, though at a different abstraction level than [20], it is larger because it studies interfaces .

var type

Æ Æ

, i , m, f , z

def 

interface i ext i  { methHd  } class ext 0 impl i  { eld  meth  } type m (type x ) type m (type x ){exp } Æ

type f Æ exp [type ,type ,type ].m (exp ) exp [type ,type ,type ]i .m (exp ) exp [type ,type ].f var = exp new this

var

x | z | exp [type ,type ].f

| int | i

in L in P 1 | 2 | ... 0 | | -1 | -2 | ...



Ident

and where

are class names, i are interface names m are method names, f are field names, are addresses, are offsets, are integer values. Figure 3. The syntax of L and of P method calls, but subtypes are checked for interface method calls. Also, the type int and the address calculations during execution open the possibility of pitfalls, which, as we shall demonstrate, are averted by verification and the resolution checks. In L, as in the bytecode, field accesses and method calls are annotated by descriptors. Field access4 has the form e1 [t1 ,t2 ].f , where t1 is the class containing the field definition, and t2 the type of that field. Instance method calls5 have the form e1 [t1 ,t2 ,t3 ].m(e2 ), where t1 is the class containing the method definition, t2 is the type of the method’s argument, and t3 is the result type. Similarly, interface method calls6 have the form e[t1 ,t2 ,t3 ]i .m(e2 ); where t1 is the interface containing the method definition, t2 is the argument type, and t3 is the result type. Values are either integers or addresses of objects. Addresses are represented by positive integers and are denoted by or 0 ; the null pointer null is denoted by 0. Integer values, whether they stand for addresses or for integers, are to the bytecode instructions get eld and put eld to the bytecode instruction invokevirtual 6 corresponding to the bytecode instruction invokeinterfa e 4 corresponding 5 corresponding

LPh = class Phil ext Obje t impl  { int age Phil like Book think( FrPhil x) { ... x[FrPhil,Food].like = new Pear ... } Phil eat( Food x){ ... x = new Food ... }

PPh = class Phil ext Obje t impl  { int age Phil like Book think( FrPhil x) { ... x[FrPhil,Food].like = new Pear ... } Phil eat( Food x){ ... x = new Food ... }

}

}

LFrPh = class FrPhil ext Phil impl  {

PFrPh = class FrPhil ext Phil impl  { Food like Book think( FrPhil x) { ... x[FrPhil,Food].like = new Pear ... } Phil eat( Food x){ ... x = new Pear ... } Food think( FrPhil x) { new Pear[Food, Salt, Food]. ook( new Salt) }

Food like

Phil eat( Food x){ ... x = new Pear ... } Food think( FrPhil x) { new Pear[Food, Salt, Food]. ook( new Salt) }

1 2 1 2

}

}

Figure 2. An example in L, and the corresponding example in P denoted by , 0 etc. Figure 3 contains the syntax of L and of P ; figure 2 contains an example in L and the corresponding example in P . The example is a variation of the one given in [5]: Philosophers have an age, they like other Phil-osophers, and produce Book-s when they think; whereas FrPhil-osophers like Food, and produce Food when they think. Notice, that the field like in FrPhil “shadows” that of class Phil. Objects of class FrPhil contain three fields, i.e. age and like from class Phil, and like from class FrPhil.7 Field selection is determined by the type annotations. For example, x[Phil,Phil].like selects the field of type Phil defined in class Phil, whereas x[FrPhil,Food].like selects the field of type Food defined in class FrPhil. The instance method call x[Phil,FrPhil,Book].think(...) selects from the class Phil the method which takes a FrPhil parameter and returns a Book, whereas x[FrPhil,FrPhil,FrPhil].think(...) selects from the class FrPhil the method which takes a FrPhil parameter and returns a FrPhil. Contrary to Java source language rules [12], L- and P methods may have the same identifier and argument type but different result type as a method from a superclass, e.g. method Book think( FrPhil x) { ... } in class Phil, and method Food think( FrPhil x) { ... } in class FrPhil.8 The language P describes code after preparation; the 7 It is not required that the field in the subclass has a different type than that in the superclass; for example, it would be legal if like in class FrPhil had type Phil. 8 Such binaries may be created, e.g. through compilation of a class and its subclass, subsequent addition of a method in the superclass, and recompilation of the superclass without re-compilation of the subclass.

programs are extended by offset information. Thus, the syntax of expressions in P is identical to that of expressions in L, except that field declarations are augmented by offsets, determining the field’s position in actual objects on the heap, and method definitions are augmented by their offsets, describing the method’s position in the method look up tables. Offsets are positive integers, and denoted by , 0 etc. The classes PPh and PFrPh are possible results of the preparation of LPh , LFrPh : The fields in the subclass (here like in FrPhil) are given distinct offsets to those of the fields in the superclass. All inherited methods (here method Book think(FrPhil x){... } inherited in FrPhil from Phil) appear in the subclass with the same offset, whereas new methods (here method Food think(FrPhil x){...} in FrPhil) are given fresh offsets. Finally, any methods overriding methods from a superclass obtain the overridden method’s offset (here method Phil eat( Food x){ ... x = new Pear ... } from class FrPhil overrides method Phil eat( Food x){ ... x = new Food ... }, and therefore has offset 2). A basic requirement for L and P code is that it should be unambiguous. That is, each class or interface should have at most one definition, in L, or in P, or in L and P together. This is expressed by the judgments ` L u , or ` P u or ` P; L u . If these judgments are satisfied, the lookup functions L( ) , or P( ) , or PL( ) , will return the appropriate class or interface body, or  if none is there.9 Also, the subclass and subinterface relationship in P and L should acyclic, as expressed by the judgment ` P; L a ,

3

3

3

3

9 We do not define these judgments and look-up functions since they are standard.

3 1 2 3

Evaluation N ULL P OINT E RR

P ROPAGATE

e; ; P; L ; e0 ;  0 ; P0 ; L0 < e =exp ; ; P; L ; < e0 =exp ; ; P; L

< 0 =nll ; ; P; L ; NllPErr; ; P; L N EW P( ) = 6  new in  F s( ; P) = ft f1 1 ; : : : t fn n g 0 = [ 7! ; + 1 7! 0; : : : + n 7! 0℄ new ; ; P; L ; ; 0 ; P; L

ACC

z a variable z; ; P; L ;  (z); ; P; L

VAR A SS

z = ; ; P; L

1

; ;  7! ℄; P; L

n

Resolution F LDACC 1

F o(f ; t ; t ; P) = [t ; t ].f ; ; P; L ; ( + ); ; P; L [t ; t ].f = ; ; P; L ; ; [ + 7! ℄; P; L 1

1

2

1

2

2

F LDACC 2

F o(f ; t ; t ; P) = 2 [t ; t ].f ; ; P; L ; ClssChngErr; ; P; L [t ; t ].f = ; ; P; L ; ClssChngErr; ; P; L 1

1

2

1

2

2

F LDACC 3

F o(f ; t ; t ; P) = 1 [t ; t ].f ; ; P; L ; NoFldErr; ; P; L [t ; t ].f = ; ; P; L ; NoFldErr; ; P; L 1

1

2

1

2

2

M ETH C ALL 1

Mo(m; t ; t ; t ; P) = 2 [t ; t ; t ].m( ); ; P; L ; ClssChngErr; ; P; L 1

1

2

2

3

3

M ETH C ALL 2

Mo(m; t ; t ; t ; P) = 1 [t ; t ; t ].m( ); ; P; L ; NoMethErr; ; P; L 1

1

2

2

3

3

Mo (m; t ; t ; t ; P) = 2 i

1

2

3

[t1 ; t2 ; t3 ] .m( ); ; P; L i

Mo (m; t ; t ; t ; P) = 1 i

1

2

3

[t1 ; t2 ; t3 ] .m( ); ; P; L i

P; L 6`  ( ) impl t1 [t1 ; t2 ; t3 ]i .m( ); ; P; L

Mo(m; t ; t ; t ; P) = Me( ; ( ); P) = e 1

2

M ETH C ALL 3

3

y1 ; y2 are fresh variables in  e0 = e[x=y1 ; this=y2 ℄ 0 = 1 7! ; y2 7! ℄ [t1 ; t2 ; t3 ].m( ); ; P; L ; e0 ; 0 ; P; L

I NTF M ETH C ALL 1

; ClssChngErr; ; P; L I NTF M ETH C ALL 2

; NoMethErr; ; P; L I NTF M ETH C ALL 3

; ClssChngErr; ; P; L

I NTF M ETH C ALL 4

P; L `  ( ) impl t1 Moi (m; t1 ; t2 ; t3 ; P) = 0 Mo(m; ( ); t2 ; t3 ; P) = Me( ; ( ); P) = e y1 ; y2 are fresh variables in  e0 = e[x=y1 ; this=y2 ℄ 0 = 1 7! ; y2 7! ℄ [t1 ; t2 ; t3 ]i .m( ); ; P; L ; e0 ; 0 ; P; L

Veri ation

Loading

V ERIF E RR

L OAD E RR

P(t) = L(t) =  ld(t; P; L) = ; for a loader ld < t =typ ; ; P; L ; LoadErr; ; P; L

P(t) =  L1 (t) 6= ; and ` P; L1 3sups 0 8L0 : P; L 6`v L1 3 ( loads L typ < t = ; ; P; L1L2 ; VerifErr; ; P; L1L2

Preparation V ERIFA ND P REP

e =< t =typ P(t) = L(t) =  ld(t; P; L) = L0 ; for a loader ld e; ; P; L ; e; ; P; LL0

L OAD

e =< t =typ P(t) = ; and L1 (t) 6= ; and ` P; L1 3sups 0 P; L `v L1 3 ( loads L P1 = pr(P; L1 ); for a preparation pr e; ; P; L1 L2 ; e; ; PP1 ; L2 L0 Figure 4. Execution

<  =exp

::= | | | | | |

<  =nll <  =typ

::= | | | ::= | | |

<  =[type ,type ,type ].m (exp ) [type ,type ,type ].m (<  = ) <  =[type ,type ,type ] .m (exp ) [type ,type ,type ] .m (<  = ) <  =[type ,type ].f <  = = exp if <  = is a non-l-ground variable var = <  = if var is an l-ground variable <  =[type ,type ,type ].m (exp ) <  =[type ,type ,type ] .m (exp ) <  =[type ,type ].f <  =[type ,type ].f = [<  = ,type ,type ].m ( ) [<  = ,type ,type ] .m ( ) [<  = ,type ].f new <  = i

i

i

i

Figure 5. Contexts defined in figure 6. Last, we call an expression ground, if it is a value 10 , and l-ground, if it is an identifier, or has the form [t1 ,t2 ].f .

3 Execution Execution, described in figure 4, is defined in terms of a rewriting relationship on configurations, consisting of expression e, store  , prepared code P, and loaded binary L. The expression and store may be modified, more code may be linked, and further binaries may be loaded. Thus, execue0 ;  0 ; PP0 ; L0 . tion has the form e; ; P; L In order to give a more concise description of the rewrite semantics, and also, in order to distinguish between routine rewrite rules, and those particular to Java implementation, in figure 5 we introduce three kinds of contexts. Expres exp , are filled with a sub-expression; sion contexts, their execution propagates execution to this sub-expression, as in rule P ROPAGATE. Null-contexts,  nll , when filled with 0, raise an exception when executed as in rule N ULL P OINTER E RR. Type contexts,  typ , are filled with a type name; their execution causes the type to be loaded and prepared if the type is not part of the loaded or the prepared code, as in rules L OAD, L OAD E RR, V ERIF, V ERIF E RR and V ERIFA ND P REP.

;

< =

< =

0 ) F o(f ; ; t; P) = F o(f ; 0 ; t; P) Mo(m; 0 ; t; t0 ; P) > 0 ) Mo(m; ; t; t0 ; P) = Mo(m; 0 ; t; t0 ; P) for all identifiers t,t0 , m i = j ) i = j 1 i;j n 0i = 0j ) i = j 1 i;j k P; L ` lass ext 0 impl :::i:::{ t1 f 1 1 ::: tn f n n t11 m1 (t12 x){e1 } 01 ::: tk1 mk (tk2 x){ek } 0k } 3 P(i0 ) = interfa e ::: 1 i;j k mi = mj and ti1 = tj1 and ti2 = tj2 ) i = j P; L ` interfa e i ext :::i0 :::{t11 m1 (t12 x) ::: tk1 mk (tk2 x) } 3

` P; L 3a P(t) 6=  ) P; L ` P(t) 3 L ` P3 Figure 9. Well-formed prepared code

( ) = 0 P;  ` 0  lss ; P ` w :

 ( ) an integer value ; P ` w : int

 ( ) = 0 P(i) = interfa e ::: ; P ` w : i

( ) = P( ) = lass ::: 8t f 2 F s( ; P) : ; P ` w  ( + ) : t; and 8 0  :  ( + 0 ) 6= 0 ; P ` 3

; P ` w : int ; P ` 3

P; E `  3  ( ) =

; P ` w 0 : ; P ` w :

` P;  3sups ( ) 6=  ) ; P ` 3 E(z) 6=  ) ; P ` w  (z) : E(z) P; E `  3

P; E `  3 P; L; E `r ; : int P; L; E `r ; 0 : P; L; E `r ; new :

E(y) = t P; L; E `r ; : P; L; E `r ; y : t

P; L; E `r ; var : t P; L; E `r ; e : t0 P; L ` t0  t P; L; E `r ; var = e : t0

P; L; E `r ; e : t P; L ` t  t1 P; L; E `r ; e[t1 ; t2 ].f : t2

P; L; E `r ; e1 : t01 P; L; E `r ; e2 : t02 P; L ` t01  t1 P; L ` t02  t2 P; L; E `r ; e1 [t1 ; t2 ; t3 ].m(e2 ) : t3

P; L; E `r ; e1 : t01 P; L; E `r ; e2 : t02 P; L ` t02  t2 P; L; E `r ; e1 [t1 ; t2 ; t3 ]i .m(e2 ) : t3

Figure 10. Conformance, and types of runtime expressions

4.3 Locality and preservation of judgments

4.4 Subject reduction and progress

In general, one expects properties established in a certain context to hold for larger contexts as well. Locality properties were proven in [5], used in [4], and explored in our model of binary compatibility [6]. We can prove the following locality properties: Widening or verification requiring binaries L01 and L02 to be loaded, only require L02 to be loaded, if L01 had been loaded before25 . Also, an expression e with type t in environment E preserves its type in a larger environment E0 .

Execution of a well-typed expression e does not overwrite objects, creates new objects in the free space, and does not affect the type of any expression e00 – even if e00 were a subexpression of e! Such a property is required for type soundness in imperative object oriented languages, and was proven, e.g. , in [5, 23]. In the current work this property holds only for well-typed expressions.

Lemma 1 For all P, P0 , L, L0 , L01 , L02 , L0 , e, t, E, F, F0 :



0 0 P; L `v t  t0 ( loads L1 L2 , 0 0 ` P0 P; L0 LL1 L2 3a

)

P0 P; L0 LL01

`v t 

and

0 t0 ( loads L2

loads

0

0

0

2

loads

loads

loads

Verification of classes implies verification of the bodies of their methods:

0 Lemma 2 For any P, L, L0 , L00 , , if P; L `v L00 ( loads L 00 0 and L ( ) = class ext {: : : ti1 mi (ti2 x){ ei } : : :}, then, there exist t0i1 , L01 , L02 , L03 and L04 such that L0 =L01 L02 L03 L04 , 0 ( and P; LL01 ; (ti2 x; this) `v ei : t0i1 loads L2 , and also 0 0 0 0 P; LL1 L2 `v ti1  ti1 ( loads L3 .

3

then

     

: t0 , and P0 ; L0 ` t0 0 t=t if e is a non-l-ground variable,

` P; L L L 3a ) ` PP ; L L 3a P; L L ` t  t0 ) PP ; L L0 ` t  t0 P; L L ; E ` e : t ) PP ; L L0 ; E ` e : t L L0 ` PP 3 P; E `  3 ) PP ; E `  3 P; L L ; E `r ; e : t ) PP0 ; L L0 ; E `r ; e : 1 2 3

1

1 2

1

1 2

1



2 3

2

2

1

1

1 2

;

 P0 ; L0 ; E0 `r 0 ; e0

P1 =pr(P; L1 )

25 The

We can now prove progress and subject reduction: 26

3

` P3

2

the fourth part of the lemma, in the cases of VAR A SS or F LDACC 1 by structural induction over the typing of e00 , using the store conformance requirement whereby no object is stored within another object.

3

Lemma 3 For any P, L1 , L2 , L3 , L0 , F, e, t, E,  , if 0  P; L1 L2 `v L1 3 ( loads L

L1 L2

( ) = 0 ( ) =

Lemma 5 For any P, L, F, E,  , non-ground e, t, if L ` P ; and P; L; E `r ; e : t then there exist P0 , L0 , E0 ,  0 , e0 , t0 , such that e; ; P; L e0 ;  0 ; P0 ; L0 ; and 0 0 L `P ; ` E0  E, and

Preparation of verified code preserves judgments:

 

) 0 ( ) = , ) ( ) = or free in , P; E `  3 ) P; E `  0 3 P; L; E `r ; e00 : t00 ) P0 ; L0 ; E `r  0 ; e00 : t00 . Proof by structural induction over the derivation ;, and for    

1 2

1 2

1

 L ` P 3 , and  P; L; E `r ; e : t, and  e; ; P; L ; e0 ; 0 ; P0 ; L0 ,

then

 P; L; E `v e : t ( L0 L0 , and ` P P; L LL0 L0 3a ) P P; L LL0 ; E `v e : t ( L0  P; L; E `v e : t ( L0 , and ` E0  E ) P; L; E0 `v e : t ( L0 0

Lemma 4 For P, L, F, E,  , non-ground e, t, if

2

t

assertion in the lemma is actually more general, because it also allows for further binaries L0 to have been loaded, and P0 to have been prepared.



t, and or

e0 contains the exception NllPErr, or LoadErr, or VerifErr, or NoMethErr, or NoFldErr, or ClssChngErr.

Proof by structural induction over typing P; L; E `r ; e : t. Thus, the new, possibly augmented, prepared code, P0 , preserves its well-formedness, and the store  0 preserves conformance. Uninitialized parts of the store, where  ( ) = , are never de-referenced. Finally, execution never gets stuck. 26 We assume an unlimited heap so that garbage collection is unnecessary.

Also, it is easy to prove that if execution of well-typed expressions e, loads some some types (i.e. if e rewrites according to L OAD or L OAD E RR), then e must have the form new , or [ ,t2 ,t3 ]i .m( ). Namely, the well-typedness of the remaining type-contexts, i.e. field access e1 [t1 ,t2 ].f , and method call e1 [t1 ,t2 ,t3 ].m(e2 ), requires the type of e1 to be a subtype of t1 , which in its turn requires the presence of t1 in P. Therefore, when executing verified code, the only expressions that may extend the loaded and prepared classes are object creation and interface method call.

5 Summary and alternatives Verification of class requires verification of all methods in and all its (not yet prepared) superclasses. Verification of terms requires establishing subtype relations between types t and t0 . If t has not been loaded yet, then it will be loaded with all its superclasses, except if t and t0 are identical, or t0 is an interface. Verification does not ensure the presence of fields or methods, it only ensures that all methods in a verified class respect their signatures. Resolution checks for the presence of fields and methods of given signatures. Thus the verifier relies on resolution to pick some of the possible errors, and resolution is safe only on code previously checked by the verifier. Verification alone does not guard against link-time errors (i.e. LoadErr, or VerifErr, or NoMethErr, or NoFldErr, or ClssChngErr), but it does guarantee the integrity of the system. On the other hand, execution of unverified code may overwrite any part of the memory, and execute any methods. Link-time errors can be created when running code that has been produced by a compiler, as shown in the various footnotes. However,link-time errors will not occur, one re-complies all importing classes/interfaces and all suclasses/subinterfaces after re-compiling a class or interface – we have not demonstrated this yet. It is interesting that interfaces are treated by verification more leniently than classes, and thus require more run-time checks. It would have been possible to treat classes as leniently, or to treat interfaces more strictly. In current implementations the boundary of decomposition are classes or interfaces. That is, we load several classes/interfaces together, and we verify several classes/interfaces together. Is it possible to consider other levels of decomposition? A probably less attractive, more lazy alternative would put the boundary of decomposition at methods, and would verify method bodies only before they are first called. This would make the judgment L ` P even weaker, and would extend the operational semantics to check for previous verification The integrity of the system is demonstrated by the subject reduction lemma. This is based on the well-typedness

3

of the expression e and of the prepared code P. It is indicative, that in both judgments, namely in L ` P and in P; L; E `r ; e : t the role of the loaded code L is limited; the only information provided from L is which class/interface extends/implements which other class/interface, but the contents of the classes/interfaces in L is ignored. A more lazy alternative, as suggested in in [9, 20] and formalized in [20], instead of immediately establishing that t is a subtype of t0 would post a constraint requiring a t to be a subtype of t0 , to be validated only when t is loaded. This would treat L’s as constraints, and the judgment P; ; `v e : 0 t ( loads L to mean that the verifier established e to have type t, while posting L0 . It is easy to modify our model to express the above alternatives. More challenging would be a unified framework that would allow to characterize all such alternatives.

3

6 Conclusions, discussion and further work We have given a model for the five components of execution, and have demonstrated how the corresponding checks together ensure type soundness. Our model describes these execution components at a high level, and distinguishes these components and the time of the associated checks. Thus, our account is useful for source language programmers, designers of new binary formats for Java, and designers of alternative distributions of the checks among the four components. Our model does not yet treat multiple loaders. Formal treatments of linking were suggested in [3], albeit in a static setting. Dynamic linking at a fundamental level has been studied recently in [7, 1, 24], allowing for modules as first class values, usually untyped, concentrating on confluence and optimization issues. Recently, [15], discuss dynamic linking of native code as an extension of Typed Assembly Language. Recent related work [20] complements ours, and provides a model of Java evaluation, dynamic preparation, verification and loading at the bytecode level, without interfaces, but with multiple loaders. Their approach is lazier than that of SUN implementations, and verification posts constraints as opposed to loading classes. Further work includes refining the model to allow multiple class loaders (this would require the extension of the concept of class as e.g. [20]), extending the model to describe the source language and the compilation process, extending languages L and P with more Java features, considering different levels of decomposition, and applying the model to reconsider the meaning of binary compatibility [6]. Finally, though Java is novel in its approach to verification and dynamic linking, similar components and associated checks could be defined for any language that supports

A function ld : Ident  P

 L ! L is a loader

ld(t; P; L) = L0 )  L0 6=  ) L0 (t) 6= 

    

and P(t) = L(t) = 

` P; L 3a ) ` P; LL0 3a 8 0 : L0 ( 0 ) = lass 0 ext 00 impl :::i:::{:::} ) PLL0 ( 00 ) 6= ; 8i : L0 (i) = interfa e i ext :::i0 :::{:::} ) PLL0 (i) 6=  L0 =L0 L0 , L0 ( ) = ) ld( ; P; LL0 ) = L0 8P : ` P P; LL0 3a ) L0 = ld( ; P P; L) 1 2

0

1

1

pr(P; L) = P0

P0 ( ) 6= 

P0 (i) 6= 

and PLL0 (i) 6= 

2

0

0

A function pr : P

  

iff:

 L ! P is a preparation function iff:

) iff iff

L( ) 6= 

L(i) 6= 

P0 ( ) = lass ext 0 {t1 f 1 1 : : : tn f n n t11 m1 (t12 x){e1 } n+1 ; : : : tq1 m1 (tq2 x){eq } n+q } –

i 6= j

8i 6= j with 1 i;j n, or n+1 i;j n+q

)

– " is defined in L, and the linked class ( P0 ( ) ) has the same fields (t1 f 1 ... tn f n ) as the original class ( L( ) ) L( ) = lass ext 0 {t1 f 1 : : : tn f n t011 m01 (t012 x){e01 }; : : : t0p1 m01 (t0p2 x){e0p } } – 0 =Obje t and r=s=0 or PP0 ( 0 ) = class 0 ext 00 { t001 f 001 001 ... t00r f 00r 00r t0011 m001 (t0012 x){ e001 } 00r+1 ... t00s1 m00s (t00s2 x){ e00s } 00r+s }



– "the methods in P0 ( ) are composed of ..." f t11 m1 (t12 x){e1 } n+1 , . . . tq1 m1 (tq2 x){eq } n+q g = “... the methods inherited from 0 , and not overridden in ” f t00k1 m00k (t00k2 x){ e00k } 00r+k j 1 k s, and 8 1 j p: t0j1 m0j (t0j2 x)6=t00k1 m00k (t00k2 x) g “.... the methods from which override a method from 0 , preserving the offset of the overridden method” [ f t00k1 m00k (t00k2 x){e } 00k j 1 k s, and 9 1 j p: t0j1 m0j (t0j2 x)=t00k1 m00k (t00k2 x) and e=e0j g “... the methods newly introduced in ” [ f t0j1 m0j (t0j2 x){ej } j 1 j p, and 8 1 k s: t0j1 m0j (t0j2 x)6=t00k1 m00k (t00k2 x) g

P0 (i) = interface ...

)

P0 (i) = L(i)

Note that the text enclosed in " and " is explanatory, and not part of the definition. Figure 11. Loading and preparation

F o(f ; ; t; P)

=

F s( ; P)

=

Mo(m; ; t ; t ; P) 2

1

Me( ; ; P)

=

Mo (m; i; t ; t ; P) i

2

=

1

=

8 > > > > < > > > > : 



3 2

F o(f ; 0 ; t; P) 1

ft ;

f 1 ; : : : tn fn n g

1 1

8 > > < 32 > > : 

if P( ) =  if P( ) = interfa e : : : if P( ) = lass ext 0 { : : : t f : : : } if P( ) = lass ext 0 { t1 f 1 1 :::tn f n n meths } and 8 1 i n : ti f i = 6 tf if = Obje t

1

e



8 > > < 32 > > :0

1

[ F s( 0 ; P)

if P( ) = lass ext 0 {t1 f1 otherwise

if P( ) =  if P( ) = interfa e ::: if P( ) = lass ext 0 { : : : t1 m(t2 x){ : : : } otherwise if P( ) = lass ext 0 { : : : t1 m(t2 x){ e } otherwise

1 ; : : : tn fn n meths }

:::} :::}

if P( ) =  if P( ) = lass ::: if P(i) = interfa e i ext :::{ : : : t1 m(t2 x){ : : : } otherwise

: : : };

or Moi (m; i0 ; t2 ; t1 ; P) = 0

Figure 12. The field and method look up functions F , M, Mi

some concept of modularity. The generalization of such ideas to other programming languages is an open issue. Acknowledgments I am indebted to the TIC referees for extensible feedback and valuable suggestions. David Wragg gave invaluable initial information. Tatyana Valkevych, Susan Eisenbach, and Mark Skipper provided meticulous comments. Elena Zucca, and Eugenio Moggi asked pertinent questions and suggested a clearer presentation.

References [1] Davide Ancona and Elena Zucca. A Primitive calculus for module systems. In PPDP Proceedings, September 1999. [2] Martin Buechi. Type soundness Issues in Java, May 1999. Types mailing list, at

http : ==www: is:upenn:edu= b pier e=types=ar hives

and then /current/msg00140.html. [3] Luca Cardelli. Program Fragments, Linking, and Modularization. In POPL’97 Proceedings, January 1997. [4] Drew Dean. The Security of Static Typing with Dynamic Linking. In Fourth ACM Conference on Computer and Communication Security, 1997. [5] Sophia Drossopoulou, Susan Eisenbach, and Sarfraz Khurshid. Is Java Sound? Theory and Practice of Object Systems, 5(1), January 1999.

[6] Sophia Drossopoulou, Susan Eisenbach, and David Wragg. A Fragment Calculus - towards a model of Separate Compilation, Linking and Binary Compatibility. In LICS Proceedings, 1999. [7] Kathleen Fisher, John Reppy, and Jon Riecke. A Calculus for Compiling and Linking Classes. In ESOP Proceedings, March 2000. [8] Matthew Flatt, Shiram Khrishnamurthi, and Matthias Felleisen. Classes and Mixins. In POPL Proceedings, January 1998. [9] Philip W. L. Fong and Robert D. Cameron. Proof linking: An architecture for modular verification of dynamically-linked mobile code. In ACM SIGSOFT Sixth International Symposium on the Foundations of Software Engineering (FSE’98), November 1998. [10] Stephen N. Freund and J. C. Mitchell. A Formal Framework for the Java Bytecode Language and Verifier. In OOPSLA Proceeedings, November 1999. [11] Stephen N. Freund and J. C. Mitchell. A Type System for Object Initialization in the Java Bytecode Language. In OOPSLA Proceeedings, October 1998. [12] James Gosling, Bill Joy, and Guy Steele. The Java Language Specification. Addison-Wesley, August 1996. [13] Atsushi Igarashi, Benjamin Pierce, and Philip Wadler. Featherweight Java: A minimal core calculus for Java and GJ. In OOPSLA Proceedings, November 1999.

[14] Thomas Jensen, Daniel Le Metyayer, and Tommy Thorn. A Formalization of Visibility and Dynamic Loading in Java. In IEEE ICCL, 1998. [15] Karl Krary, Michael Hicks, and Stephanie Weirich. Safe and Flexible Dynamic Linking of Native Code, May 2000. Internal Report, Univerity of Pennsylvania. [16] Christopher League, Zhong Shao, and Valery Trifonov. Representing Java Classes in a Typed Intermediate language. In ICFP Proceedings, September 1999. [17] Sheng Liang and Gilad Bracha. Dynamic Class Loading in the JavaTM Virtual Machine. In OOPSLA Proceedings, October 1998. [18] Tim Lindholm and Frank Yellin. The Java Virtual Machine. Addison-Wesley, 1997. [19] Zhenyu Qian. Least Types for Memory Locations in Java Bytecode. In FOOL 6. http: //www.cs.williams.edu/ kim/FOOL/sched6.html, 1999. [20] Zhenyu Qian, Allen Goldberg, and Alessandro Coglio. A Formal Specification of JavaTM Class Loading. In OOPSLA’2000, November 2000. to appear. [21] Vijay Saraswat. Java is not type-safe. Technical report, AT&T Rresearch, 1997. http://www.research. att.comp/ vj/bug.html.

class Main { public static void main (String args[℄ ) } Thinker des artes; Man john = new Man(); System:out:println("a Man obje t reated"); if ( john instan eof Thinker) System:out:println("john is aThinker"); else System:out:println("john is NOT a Thinker"); des artes = new Man(); System:out:println("a Man assigned to a Thinker") ; john.be(); } We compile Thinker, Man and Main, and we then modify class Man, so that it does not implement Thinker, i.e. class Man { void be(){ System:out:println("be") ; } } We compile Man, without re-compiling Main. When we execute Main, we obtain the output:

[22] Raymie Stata and Martin Abadi. A Type System For Java Bytecode Subroutines. In POPL’98 Proceedings, January 1998.

a Man obje t reated john is NOT a Thinker a Man assigned to a Thinker In ompatibleClassChangeError :

lass Man does not implement Thinker

[23] Donald Syme. Proving Java Type Sound. In Jim Alves-Foss, editor, Formal Syntax and Semantics of Java, volume 1523 of LNCS. Springer, 1999.

The above behavior is described by our model, namely:

[24] Joe Wells and Rene Vestergaard. Confluent Equational Reasoning for Linking with First-Class Primitive Modules. In ESOP Proceedings, March 2000. [25] Phillip Yelland. Re: in Java, May 1999.

Type soundness Issues Types mailing list, at

http : ==www: is:upenn:edu= b pier e=types=ar hives and then /current/msg00145.html.

Another example demonstrating interfaces The following example demonstrates the verifier’s and run-time system’s treatment of interfaces. It is an adaptation of the example which was posted by Martin Buechi [2] in the types mailing list, and was then discussed at some length. We start with an interface Thinker implemented by class Man, and the class Main with method main: interface Thinker { void be(); } class Man impl Thinker { void be(){ System:out:println("be") ; } }



Verification of method main considers the assignment des artes = new Man(); as type correct, because the verifier is "liberal" with respect to interfaces



Verification of the interface method call john.be() requires loading of the interface Thinker.



Verification of method main does not need to load class Man.



The assignment des artes = new Man(); is executed without any checks, and therefore without errors.



The interface method call john.be() is compiled to a bytecode term which corresponds to john[Thinker,void,void]i .(). Execution of that term requires a run-time check according to rule I NTF M ETH C ALL 3. This check fails, and gives the In ompatibleClassChangeError : error message

lass Man does not implement Thinker

Suggest Documents

An abstract model of Java dynamic linking and ... - Semantic Scholar

An abstract model of Java dynamic linking and ... - Semantic Scholar
Read more
Towards an Existential Types Model for Java

Towards an Existential Types Model for Java
Read more
Towards Dynamic Backward Slicing of Model ... - Semantic Scholar

Towards Dynamic Backward Slicing of Model ... - Semantic Scholar
Read more
Towards Model Checking with Java PathFinder for ... - Semantic Scholar

Towards Model Checking with Java PathFinder for ... - Semantic Scholar
Read more
JML4: Towards an Industrial Grade IVE for Java ... - Semantic Scholar

JML4: Towards an Industrial Grade IVE for Java ... - Semantic Scholar
Read more
Dynamic Code Evolution for Java - Semantic Scholar

Dynamic Code Evolution for Java - Semantic Scholar
Read more
Towards OpenMP for Java - Semantic Scholar

Towards OpenMP for Java - Semantic Scholar
Read more
Dynamic SimpleScalar: Simulating Java Virtual ... - Semantic Scholar

Dynamic SimpleScalar: Simulating Java Virtual ... - Semantic Scholar
Read more
Delft-Java Dynamic Translation - Semantic Scholar

Delft-Java Dynamic Translation - Semantic Scholar
Read more
Dynamic Code Evolution for Java - Semantic Scholar

Dynamic Code Evolution for Java - Semantic Scholar
Read more
a dynamic model - Semantic Scholar

a dynamic model - Semantic Scholar
Read more
Towards an overarching classification model of ... - Semantic Scholar

Towards an overarching classification model of ... - Semantic Scholar
Read more
Towards an overarching classification model of ... - Semantic Scholar

Towards an overarching classification model of ... - Semantic Scholar
Read more
An EBIT-Based Model of Dynamic Capital Structure - Semantic Scholar

An EBIT-Based Model of Dynamic Capital Structure - Semantic Scholar
Read more
Dynamic Model Reduction: An Overview of ... - Semantic Scholar

Dynamic Model Reduction: An Overview of ... - Semantic Scholar
Read more
MaDe4IC: an abstract method for managing model ... - Semantic Scholar

MaDe4IC: an abstract method for managing model ... - Semantic Scholar
Read more
From an Abstract Object-Oriented Model to a ... - Semantic Scholar

From an Abstract Object-Oriented Model to a ... - Semantic Scholar
Read more
An Abstract Dual Propositional Model Counter - Semantic Scholar

An Abstract Dual Propositional Model Counter - Semantic Scholar
Read more
Towards Dynamic Reverse EngineeringVisual Contracts from Java

Towards Dynamic Reverse EngineeringVisual Contracts from Java
Read more
Transforming a Discourse Model to an Abstract ... - Semantic Scholar

Transforming a Discourse Model to an Abstract ... - Semantic Scholar
Read more
An Abstract Location Model for Mobile Games - Semantic Scholar

An Abstract Location Model for Mobile Games - Semantic Scholar
Read more
towards dynamic information modelling in ... - Semantic Scholar

towards dynamic information modelling in ... - Semantic Scholar
Read more
Towards Mapping Dynamic Environments - Semantic Scholar

Towards Mapping Dynamic Environments - Semantic Scholar
Read more
Towards Distributed and Dynamic Network ... - Semantic Scholar

Towards Distributed and Dynamic Network ... - Semantic Scholar
Read more