16 research outputs found
A Non-Null Annotation Inferencer for Java Bytecode
We present a non-null annotations inferencer for the Java bytecode language.
We previously proposed an analysis to infer non-null annotations and proved it
soundness and completeness with respect to a state of the art type system. This
paper proposes extensions to our former analysis in order to deal with the Java
bytecode language. We have implemented both analyses and compared their
behaviour on several benchmarks. The results show a substantial improvement in
the precision and, despite being a whole-program analysis, production
applications can be analyzed within minutes
Enforcing Secure Object Initialization in Java
Sun and the CERT recommend for secure Java development to not allow partially
initialized objects to be accessed. The CERT considers the severity of the
risks taken by not following this recommendation as high. The solution
currently used to enforce object initialization is to implement a coding
pattern proposed by Sun, which is not formally checked. We propose a modular
type system to formally specify the initialization policy of libraries or
programs and a type checker to statically check at load time that all loaded
classes respect the policy. This allows to prove the absence of bugs which have
allowed some famous privilege escalations in Java. Our experimental results
show that our safe default policy allows to prove 91% of classes of java.lang,
java.security and javax.security safe without any annotation and by adding 57
simple annotations we proved all classes but four safe. The type system and its
soundness theorem have been formalized and machine checked using Coq
Soundly Handling Static Fields: Issues, Semantics and Analysis
Although in most cases class initialization works as expected, some static
fields may be read before being initialized, despite being initialized in their
corresponding class initializer. We propose an analysis which compute, for each
program point, the set of static fields that must have been initialized and
discuss its soundness. We show that such an analysis can be directly applied to
identify the static fields that may be read before being initialized and to
improve the precision while preserving the soundness of a null-pointer
analysis.Comment: Proceedings of the Fourth Workshop on Bytecode Semantics,
Verification, Analysis and Transformation (BYTECODE 2009
A unified framework for verification techniques for object invariants
Object invariants define the consistency of objects. They have subtle semantics, mainly because of call-backs, multi-object invariants, and subclassing. Several verification techniques for object invariants have been proposed. It is difficult to compare these techniques, and to ascertain their soundness, because of their differences in restrictions on programs and invariants, in the use of advanced type systems (e.g., ownership types), in the meaning of invariants, and in proof obligations. We develop a unified framework for such techniques. We distil seven parameters that characterise a verification technique, and identify sufficient conditions on these parameters which guarantee soundness. We instantiate our framework with three verification techniques from the literature, and use it to assess soundness and compare expressiveness.peer-reviewe
Object Inheritance Without Classes
Which comes first: the object or the class? Language designers enjoy
the conceptual simplicity of object-based languages (such as Emerald
or Self) while many programmers prefer the pragmatic utility of
classical inheritance (as in Simula and Java). Programmers in
object-based languages have a tendency to build libraries to support
traditional inheritance, and language implementations are often
contorted to the same end. In this paper, we revisit the relationship
between classes and objects. We model various kinds of inheritance in
the context of an object-oriented language whose objects are not
defined by classes, and explain why class inheritance and
initialisation cannot be easily modelled purely by delegation
Blame for Null
Multiple modern programming languages, including Kotlin, Scala, Swift, and C#, have type systems where nullability is explicitly specified in the types. All of the above also need to interoperate with languages where types remain implicitly nullable, like Java. This leads to runtime errors that can manifest in subtle ways. In this paper, we show how to reason about the presence and provenance of such nullability errors using the concept of blame from gradual typing. Specifically, we introduce a calculus, ?_null, where some terms are typed as implicitly nullable and others as explicitly nullable. Just like in the original blame calculus of Wadler and Findler, interactions between both kinds of terms are mediated by casts with attached blame labels, which indicate the origin of errors. On top of ?_null, we then create a second calculus, ?_null^s, which closely models the interoperability between languages with implicit nullability and languages with explicit nullability, such as Java and Scala. Our main result is a theorem that states that nullability errors in ?_null^s can always be blamed on terms with less-precise typing; that is, terms typed as implicitly nullable. By analogy, this would mean that NullPointerExceptions in combined Java/Scala programs are always the result of unsoundness in the Java type system. We summarize our result with the slogan explicitly nullable programs can\u27t be blamed. All our results are formalized in the Coq proof assistant
Scala with Explicit Nulls
The Scala programming language makes all reference types implicitly nullable. This is a problem, because null references do not support most operations that do make sense on regular objects, leading to runtime errors. In this paper, we present a modification to the Scala type system that makes nullability explicit in the types. Specifically, we make reference types non-nullable by default, while still allowing for nullable types via union types. We have implemented this design for explicit nulls as a fork of the Dotty (Scala 3) compiler. We evaluate our scheme by migrating a number of Scala libraries to use explicit nulls. Finally, we give a denotational semantics of type nullification, the interoperability layer between Java and Scala with explicit nulls. We show a soundness theorem stating that, for variants of System F_? that model Java and Scala, nullification preserves values of types
A mechanized semantics for C++ object construction and destruction, with applications to resource management
International audienceWe present a formal operational semantics and its Coq mechanization for the C++ object model, featuring object construction and destruction, shared and repeated multiple inheritance, and virtual function call dispatch. These are key C++ language features for high-level system programming, in particular for predictable and reliable resource management. This paper is the first to present a formal mechanized account of the metatheory of construction and destruction in C++, and applications to popular programming techniques such as "resource acquisition is initialization." We also report on irregularities and apparent contradictions in the ISO C++03 and C++11 standards
Toward Interprocedural Pointer and Effect Analysis for Scala
Static program analysis techniques working on object-oriented languages require precise knowledge of the aliasing relation between variables. This knowledge is important to, among other things, understand the read and write effects of method calls on objects. Understanding such effects in turn enables compiler optimizations and other code transformations such as automated parallelization. This thesis presents a combination of a pointer analysis with a memory effect analysis for the Scala programming language. Our analysis is based on abstract interpretation, and computes summaries of method effects as graphs. This representation allows the analysis to be compositional. Our second contribution is an implementation of our analysis in a tool called Insane. Our tool is built as a plugin for the official Scala compiler. It accepts any Scala program, and is freely available