Springer
Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Singapore Tokyo
Robert F. Stärk
Joachim Schmid
Egon Börger
Java and the Java Virtual Machine
Definition, Verification, Validation
With 84 Figures, 18 Tables, and CD-ROM
Additional material to this book can be downloaded from http://extras.springer.com
Prof. Dr. Robert F. Stärk
ETH Zentrum, Theoretische Informatik, 8092 Zürich, Switzerland
Dipl.-Inf. Joachim Schmid
Siemens AG, CT SE 4, Otto-Hahn-Ring 6, 81730 München, Germany
Prof. Dr. Egon Börger
Università di Pisa, Dipartimento di Informatica, Corso Italia 40, 56125 Pisa, Italy
Library of Congress Cataloging-in-Publication Data applied for
Die Deutsche Bibliothek - CIP-Einheitsaufnahme
Java and the Java virtual machine: definition, verification, validation: with 18 tables and CD-ROM / Robert F. Stärk; Joachim Schmid; Egon Börger. - Berlin; Heidelberg; New York; Barcelona; Hong Kong; London; Milan; Paris; Singapore; Tokyo: Springer, 2001
ISBN-13: 978-3-642-63997-5
e-ISBN-13: 978-3-642-59495-3
DOI: 10.1007/978-3-642-59495-3
ACM Computing Classification (1998): D.3.1, D.3.4, F.3.2-3
ISBN-13: 978-3-642-63997-5 Springer-Verlag Berlin Heidelberg New York
This work consists of a printed book and a CD-ROM packaged with the book, and is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.
Springer-Verlag or the authors make no warranty for representation, either expressed or implied, with respect to this CD-ROM or book, including their quality, merchantability, or fitness for a particular purpose. In no event will Springer or the authors be liable for direct, indirect, special, incidental, or consequential damages arising out of the use or inability to use the CD-ROM or book, even if Springer-Verlag or the authors have been advised of the possibility of such damages.
Springer-Verlag Berlin Heidelberg New York, a member of Springer Science+Business Media http://www.springer.de
© Springer-Verlag Berlin Heidelberg 2001 Softcover reprint of the hardcover 1st edition 2001
The use of designations, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Java and all Java-based marks are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Springer-Verlag is independent of Sun Microsystems, Inc.
Cover Design: KünkelLopka, Heidelberg
Typesetting: Computer to film by authors' data
Preface
The origin of this book goes back to the Dagstuhl seminar on Logic for System Engineering, organized during the first week of March 1997 by S. Jähnichen, J. Loeckx, and M. Wirsing. During that seminar, after Egon Börger's talk on How to Use Abstract State Machines in Software Engineering, Wolfram Schulte, at the time a research assistant at the University of Ulm, Germany, questioned whether ASMs provide anything special as a scientifically well-founded and rigorous yet simple and industrially viable framework for high-level design and analysis of complex systems, and for natural refinements of models to executable code. Wolfram Schulte argued, referring to his work with K. Achatz on A Formal Object-Oriented Method Inspired by Fusion and Object-Z [1], that with current techniques of functional programming and of axiomatic specification, one can achieve the same result. An intensive and long debate arose from this discussion. At the end of the week, it led Egon Börger to propose a collaboration on a real-life specification project of Wolfram Schulte's choice, as a comparative field test of purely functional-declarative methods and of their enhancement within an integrated abstract state-based operational (ASM) approach.
After some hesitation, in May 1997 Wolfram Schulte accepted the offer and chose as the theme a high-level specification of Java and of the Java Virtual Machine. What followed were two years of hard but enjoyable joint work, resulting in a series of ASM models of the Java language, of the JVM, and of a provably correct compilation scheme for compiling Java programs to JVM code, which were published in [9, 8, 10, 11, 12]. When in the spring of 1999, Wolfram Schulte put this work together for his Habilitationsschrift at the University of Ulm, Egon Börger suggested completing and extending it to a (badly needed) full-blown ASM case study book. The book should show the ASM method at work, convincingly, for the practical design of a complex real-life system, and for its rigorous mathematical and extensive experimental analysis.
Robert Stärk and Joachim Schmid accepted to join this book project. At that time, in his Fribourg lectures [33], Robert Stärk had already elaborated part of the Java-to-JVM compilation correctness claim, namely, that the execution, on the ASM for the JVM, of every correctly compiled legal Java program is equivalent to the execution of the original Java program
on the ASM for Java. In the spring of 1998, Egon Börger had proposed to Joachim Schmid a PhD thesis, hosted by Siemens Corporate Technology in Munich, on defining and implementing practically useful structuring and decomposition principles for large ASMs. It could be expected that for this work Wolfram Schulte's suggestion to make our abstract Java/JVM models executable would provide a rich test bed for validating the submachine concepts we were looking for (see [7]). The realization of these ideas led to a complete revision (completion, correction, and restructuring) of all the Java/JVM models and to their refinement by AsmGofer executable versions. The revision was triggered, not surprisingly, by three sources, namely:
- The needs of the proofs, in particular for the correctness and completeness of the verification of the bytecode resulting from the compilation, proofs which have been worked out for this book by Robert Stärk
- The needs of naturally detailing the abstractions to make them executable in AsmGofer, developed by Joachim Schmid building upon an extension of the functional programming environment Gofer by graphical user interfaces [36]
- An enhancement of the stepwise refined definition of the Java/JVM models, driven by the goal to create a compositional structure of submachines which supports incremental modularized proofs and component-wise validation (model-based testing)
All this took much more time and energy, and made us aware of more problems with bytecode verification than we had expected in the spring of 1999, and in retrospect we see that it was at the very beginning of this long journey when we lost Wolfram Schulte as the fourth author. We regret this; it was painful for the four of us to eventually recognize and accept it. We had to understand that since the moment when, just after having submitted his Habilitationsschrift to the University of Ulm, Wolfram joined the Foundations of Software Engineering group at Microsoft Research in Redmond, all his energy has been absorbed by Yuri Gurevich's challenging project to make ASMs relevant for software development at Microsoft.
Egon Börger, Joachim Schmid, Robert Stärk
Contents
1. Introduction 1
1.1 The goals of the book 2
1.2 The contents of the book 3
1.3 Decomposing Java and the JVM 7
1.4 Sources and literature 11
2. Abstract State Machines 15
2.1 ASMs in a nutshell 15
2.2 Mathematical definition of ASMs 18
2.3 Notational conventions 27
Part I. Java
3. The imperative core Java_I of Java 33
3.1 Static semantics of Java_I 33
3.2 Transition rules for Java_I 39
4. The procedural extension Java_C of Java_I 47
4.1 Static semantics of Java_C 47
4.2 Transition rules for Java_C 63
5. The object-oriented extension Java_O of Java_C 71
5.1 Static semantics of Java_O 71
5.2 Transition rules for Java_O 80
6. The exception-handling extension Java_E of Java_O 87
6.1 Static semantics of Java_E 87
6.2 Transition rules for Java_E 89
7. The concurrent extension Java_T of Java_E 95
7.1 Static semantics of Java_T 96
7.2 Transition rules for Java_T 98
8. Java is type safe 111
8.1 Structural properties of Java runs 111
8.2 Unreachable statements 117
8.3 Rules of definite assignment 121
8.4 Java is type safe 126
Part II. Compilation of Java: The Trustful JVM
9. The JVM_I submachine 139
9.1 Dynamic semantics of the JVM_I 139
9.2 Compilation of Java_I 142
10. The procedural extension JVM_C of JVM_I 147
10.1 Dynamic semantics of the JVM_C 147
10.2 Compilation of Java_C 153
11. The object-oriented extension JVM_O of JVM_C 155
11.1 Dynamic semantics of the JVM_O 155
11.2 Compilation of Java_O 157
12. The exception-handling extension JVM_E of JVM_O 159
12.1 Dynamic semantics of the JVM_E 159
12.2 Compilation of Java_E 163
13. Executing the JVM_N 165
14. Correctness of the compiler 167
14.1 The correctness statement 167
14.2 The correctness proof 178
Part III. Bytecode Verification: The Secure JVM
15. The defensive virtual machine 209
15.1 Construction of the defensive JVM 210
15.2 Checking JVM_I 210
15.3 Checking JVM_C 213
15.4 Checking JVM_O 214
15.5 Checking JVM_E 219
15.6 Checking JVM_N 221
16. Bytecode type assignments 223
16.1 Problems of bytecode verification 224
16.2 Successors of bytecode instructions 231
16.3 Type assignments without subroutine call stacks 236
16.4 Soundness of bytecode type assignments 242
16.5 Certifying compilation 252
17. The diligent virtual machine 273
17.1 Principal bytecode type assignments 273
17.2 Verifying JVM_I 275
17.3 Verifying JVM_C 279
17.4 Verifying JVM_O 283
17.5 Verifying JVM_E 283
17.6 Verifying JVM_N 286
18. The dynamic virtual machine 289
18.1 Initiating and defining loaders 289
18.2 Loading classes 290
18.3 Dynamic semantics of the JVM_D 291
Appendix A. Executable Models 305
A.1 Overview 305
A.2 Java 306
A.3 Compiler 312
A.4 Java Virtual Machine 314
B. Java 323
B.1 Rules 323
B.2 Arrays 331
C. JVM 335
C.1 Trustful execution 335
C.2 Defensive execution 343
C.3 Diligent execution 344
C.4 Check functions 347
C.5 Successor functions 348
C.6 Constraints 349
C.7 Arrays 351
D. Compiler 361
D.1 Compilation functions 361
D.2 maxOpd 363
D.3 Arrays 364
References 365
List of Figures 367
List of Tables 371
Index 373