Proof of Semantics Preservation

B.2 Proof of Semantics Preservation

• B=storex. Sincexappears in the bytecode, it cannot be a temporary variable, but ratherx∈dom(s). We havev::ρ=J^e::asK

¦

s,st,h, hencev=J^eK

¦

s,st,h. We define s[x7→v]=s[x7→J^eK

¦

s,st,h]=s⁰. Then (m,i,s,h,v::ρ) −→^{B ¦}₀(m,i+1,s⁰,h,ρ).

By definition,BC2IRinstr(i,B,e::as)=(block[x:=e],as[t_i⁰/x]). We get the IR transition (m,i,s,st,h) −→^{I ¦}₀(m,i+1,s⁰,s⁰_t,h), wheres⁰_t=st[t_i⁰7→s(x)]. In other words, the IR step results in the same stores⁰, and the heaphis unchanged. We still have to show thatq

as[t_i⁰/x]y_¦

s⁰,s⁰_t,h=ρ. Because of the side conditiont_i⁰6∈as, we getq

as[t_i⁰/x]y¦

s⁰,s⁰_t,h=q

as[t_i⁰/x]y¦

s[x7→v],st[t_i⁰7→s(x)],h=J^as[s(x)/x]K

¦

s[x7→v],st,h= J^asK

¦

s,st,h=ρ.

• B=bnz j. Letρ =v ::v. There are two cases, depending on the valuev on top of the stack. We only treat the jump case here, i.e., wherev6=0. We have the bytecode transition (m,i,s,h,v::v) −→^{B ¦}₀(m,j,s,h,v). Also, by definition BC2IRinstr(i,B,e::e)=(ife j,e) andas⁰=e. AsJ^e::eK

¦

s,st,h=J^asK

¦

s,st,h=v::v, we getJ^eK

¦

s,st,h=v6=0. Therefore, the IR step is (m,i,s,st,h) −→^{I ¦}₀(m,j,s,st,h).

Stores and heaps remain unchanged, andρ⁰=v=J^eK

¦s,s_t,h=J^as0K

¦s,s_t,h.

• B=jmpj. ThenBC2IRinstr(i,B,as)=(jmp j,as). We have the two transitions (m,i,s,h,ρ) −→^{B ¦}₀(m,j,s,h,ρ) and (m,i,s,st,h) −→^{I ¦}₀(m,j,s,st,h). Stores, heaps, and stacks remain unchanged.

• B=cpush j. This case is the same as forB=nop, since the IR semantics of cpushjis the same as forblock_².

• B=cjmp j. This case is the same as forB=jmpj, since the IR semantics of cjmpjis the sam as forjmpj.

• B=newC. Letr be fresh inh, andh⁰=h∪[r 7→(C, [fields(C)7→v])]. We have the bytecode transition (m,i,s,h,v::ρ) −→^{B ¦}₀(m,i+1,s,h⁰,r::ρ). Also, by defi-nitionBC2IR_instr=(i,B,e::as)=(block[t_i⁰:=newC(e)],t_i⁰::as). Since we can use the same memory locationr in the IR semantics, we get the IR transition (m,i,s,st,h) −→^{I ¦}₀(m,i+1,s,s_t⁰,h⁰), wheres⁰_t=st[t_i⁰7→r]. That is, both resulting heaps are the same, and the storesremains unchanged. Sincet_i⁰6∈asby the side condition, we getJ^as0K

¦

s,s⁰_t,h⁰=q t_i⁰y_¦

s,s_t⁰,h⁰::J^asK

¦

s,st,h=r::ρ=ρ⁰.

• B=getf f. We haveBC2IRinstr(i,B,e::e)=(block_²,e.f ::e). Thus, we have the bytecode transition (m,i,s,h,r ::ρ) −→^{B ¦}₀(m,i+1,s,h,h(r)(f) ::ρ) and the IR transition (m,i,s,st,h) −→^{I ¦}₀(m,i+1,s,st,h). Stores and heaps remain un-changed. By assumptionJ^asK

¦s,s_t,h=J^e::eK

¦s,s_t,h=r ::ρ, thusJ^eK

¦s,s_t,h=r. It fol-lowsJ^as0K

¦

s,st,h=J^{e.f ::e}K

¦

s,st,h=h(J^eK

¦

s,st,h)(f) ::ρ=h(r)(f) ::ρ=ρ⁰.

• B=putf f. We have the transition (m,i,s,h,v::r ::v) −→^{B ¦}₀ (m,i+1,s,h⁰,v), where h⁰ =h[r 7→h(r)[f 7→v]]. The input stack is as =e⁰ ::e ::e, such that J^asK

¦

s,st,h=J^e0::e::eK

¦

s,st,h=v::r::v.

By definitionBC2IRinstr(i,B,as)=(block[ti:=e,e.f:=e⁰],ti). When we execute the IR instruction, we get exactly the heaph⁰. SinceJ^eK

¦

s,st,h=vandt_i6∈eby the side condition, we get the IR transition (m,i,s,s_t,h)−→^{I ¦}₀(m,i+1,s,s⁰_t,h⁰), where s⁰_t=st[ti7→v]. Finally, we haveJ^as0K

¦

s,s⁰_t,h⁰=J^tiK

¦

s,s⁰_t,h⁰=v=ρ⁰. To show the semantic preservation for big-step transitions, we now consider a fixed IR program that has been created by theBC2IRalgorithm, i.e.,P_IR=BC2IR(P_BC), along with the arraysASin[m,i] andASout[m,i]. We first show a result for call-free big-step transitions.

Proposition B.4 Suppose we have(m,i,s,h,ρ) ==⇒

BC

¦0(m,i⁰,s⁰,h⁰,ρ⁰). Let stbe a tempo-rary variable store such thatρ=J^ASin[m,i]K

¦s,s_t,h. Then there exists a store s⁰_tsuch that (m,i,s,s_t,h) =⇒

IR

¦0(m,i⁰,s⁰,s⁰_t,h⁰)andρ⁰=J^ASin[m,i⁰]K

¦ s⁰,s⁰_t,h⁰.

PROOF By induction on the number of execution steps, i.e., the definition of big-step semantics.

• If zero steps are taken, i.e., (m,i,s,h,ρ) ==⇒

BC

¦0(m,i,s,h,ρ), then we can derive (m,i,s,s_t,h) =⇒

IR

¦0(m,i,s,s_t,h). Sincei⁰=i, we get the desired properties from the assumptions.

• Suppose more than zero steps have been taken, that is, we have the small-step transition (m,i,s,h,ρ) −−−−−→^{IR[m,i] ¦}₀(m,i⁰⁰,s⁰⁰,h⁰⁰,ρ⁰⁰) and the big-step transition (m,i⁰⁰,s⁰⁰,h⁰⁰,ρ⁰⁰) ==⇒

BC

¦0(m,i⁰,s⁰,h⁰,ρ⁰). SincePIR=BC2IR(PBC), we get by defi-nition of the algorithmBC2IRinstr(i,BC(m,i),ASin[m,i])=(IR[m,i],ASout[m,i]).

With Proposition B.3, we immediately get (m,i,s,st,h) −−−−−→^{IR[m,i] ¦}₀(m,i⁰⁰,s⁰⁰,s⁰⁰_t,h⁰⁰) andρ⁰⁰=J^ASout[m,i]K

¦

s⁰⁰,s⁰⁰_t,h⁰⁰. Since (m,i)7−−−−−→^IR[m,i] (m,i⁰⁰), we get with Propo-sition 5.5 on page 73ASout[m,i]=ASin[m,i⁰⁰], henceρ⁰=J^ASin[m,i⁰⁰]K

¦ s⁰⁰,s⁰⁰_t,h⁰⁰. Therefore, we can apply this theorem inductively, and get the transition relation (m,i⁰⁰,s⁰⁰,s⁰⁰_t,h⁰⁰) =⇒

IR

¦0(m,i⁰,s⁰,s_t⁰,h⁰) andρ=J^ASin[m,i⁰]K

¦

s⁰,s⁰_t,h⁰. Also, by defini-tion of IR big-step semantics, we get (m,i,s,st,h) =⇒

IR

¦0(m,i⁰,s⁰,s⁰_t,h⁰).

The following proposition applies to arbitrary big-step transitions.

Proposition B.5 Suppose we have(m,i,s,h,ρ)==⇒

BC

¦n(m,i⁰,s⁰,h⁰,ρ⁰). Let stbe a tempo-rary variable store such thatρ=J^ASin[m,i]K

¦

s,st,h. Then there exists a store s⁰_tsuch that (m,i,s,st,h) =⇒

IR

¦n(m,i⁰,s⁰,s⁰_t,h⁰)andρ⁰=J^ASin[m,i⁰]K

¦ s⁰,s⁰_t,h⁰.

B.2 Proof of Semantics Preservation We call the previous propositionP(m,n), and prove it by strong induction onn. For this, we need the following auxiliary proposition.

Proposition B.6 Let n≥0, and supposeP(m,k)holds for all methods m and all call depths k<n. Suppose(m,i,s,h,ρ) −−−−−−→^{BC(m,i) ¦}n(m,i⁰,s⁰,h⁰,ρ⁰). Let stbe a store such that ρ=J^ASin[m,i]K

¦s,st,h. Then there is an s⁰_tsuch that(m,i,s,st,h)−−−−−→^{IR[m,i] ¦}n(m,i⁰,s⁰,s⁰_t,h⁰) andρ⁰=J^ASin[m,i0]K

¦ s⁰,s⁰_t,h⁰.

PROOF Ifn=0, we can directly apply Proposition B.3 and get the desired properties. As-sumen>0. By construction of the bytecode semantics, it followsBC(m,i)=callm⁰. We have (m,i,s,h,v::r ::v⁰) −→^{B ¦}_n(m,i+1,s,h⁰,s⁰⁰(ret) ::v⁰) and the method exe-cution (s⁰,h) ^m

0

==⇒BC

¦n−1(s⁰⁰,h⁰), wheres⁰=[this7→r]∪[margs(m⁰)7→v]∪[ret7→defval].

By definition of big-step method executions, this means there existsρ⁰⁰such that (m⁰,mentry(m⁰),s⁰,h,²) ==⇒

BC

¦n−1 (m⁰,mexit(m⁰),s⁰⁰,h⁰,ρ⁰⁰). From Proposition 5.4 on page 73, we knowAS_in[m⁰,mentry(m)]=². Therefore, we applyP(m⁰,n−1), and get that there is a stores_t⁰⁰such that

(mentry(m⁰),i,s, [tvars(m⁰)7→defval],h) =⇒

IR

¦n−1(m⁰,mexit(m⁰),s⁰⁰,s⁰⁰_t,h⁰) which means by definition (s⁰,h) ^m

0

=⇒IR

¦n−1(s⁰⁰,h⁰). (*)

At the same time, we haveIR[m,i]=block[ti:=e⁰;t_i⁰:=e.m⁰(e)] and the stacks ASin[m,i]=(e::e::e⁰) andASin[m,i+1]=ti. With the assumption, we know that qe::e::e⁰y¦

s,st,h=v::r::v⁰.

For the execution of the block, we get with IR semantics and result (*) the transition (m,i,s,st,h) −−−−−→^{IR[m,i] ¦}n(m,i+1,s,s⁰_t,h⁰), wheres_t⁰=[ti7→q

e⁰y¦

s,st,h]∪[t_i⁰7→s⁰⁰(ret)]. All that is left to show is thatJ^ASin[m,i+1]K

¦

s,s⁰_t,h⁰=q

t_i⁰::tiy¦

s,s⁰_t,h⁰=s⁰⁰(ret) ::v⁰=ρ⁰. But this follows fromq

t_i⁰y¦

s,s⁰_t,h⁰=s⁰⁰(ret) and r

t_i⁰ z_¦

s,s_t⁰,h⁰=q e⁰y¦

s,s_t,h=v⁰.

PROOF(OFPROPOSITIONB.5) By induction on the length of the executionc.

• If zero steps are taken, we have (m,i,s,h,ρ) ==⇒

BC

¦n(m,i,s,h,ρ). For anyst, we can derive (m,i,s,st,h) =⇒

IR

¦n(m,i,s,st,h) and get the desired properties directly from the assumptions.

• Ifc>0 steps are taken, then suppose this propositionP(m,n) holds for allc⁰<c.

By definition of big-step semantics, we have

(m,i,s,h,ρ) −−−−−−→^{BC(m,i) ¦}n1(m,i⁰⁰,s⁰⁰,h⁰⁰,ρ⁰⁰) ==⇒

BC

¦n2(m,i⁰,s⁰,h⁰,ρ⁰)

wheren₁≤nandn₂≤n. We can apply Proposition B.6 to the first step and the induction hypothesisP(m,n) to the remaining execution, because it contains less execution steps. It follows

(m,i,s,st,h) −−−−−→^{IR[m,i] ¦}n₁(m,i⁰⁰,s⁰⁰,s⁰⁰_t,h⁰⁰) =⇒

IR

¦n₂(m,i⁰,s⁰,s_t⁰,h⁰) for somes⁰_t,s⁰⁰_t, such thatJ^ASin[m,i⁰⁰]K

¦

s⁰⁰,s⁰⁰_t,h⁰⁰=ρ⁰⁰andJ^ASin[m,i⁰]K

¦

s⁰,s⁰_t,h⁰ =ρ⁰. Putting the executions together, we get (m,i,s,st,h)=⇒

IR

¦n(m,i⁰,s⁰,s⁰_t,h⁰).

Theorem B.7 Let PBC be a bytecode program, and PIR be an IR program such that PIR=BC2IR(PBC). Let m be a method, s,s⁰be stores, and h,h⁰be heaps, and n be a call depth. If

(s,h) ==⇒^m

BC

¦n(s⁰,h⁰) then

(s,h) =⇒^m

IR

¦n(s⁰,h⁰)

PROOF By definition of (s,h) ==⇒^m

BC

¦n(s⁰,h⁰) semantics, we know there is a stackρsuch that (m,mentry(m),s,h,²) ==⇒

BC

¦n (m,mexit(m),s⁰,h⁰,ρ). Letst =[tvars(m)7→defval].

With Proposition 5.4 on page 73, we haveASin[m,mentry(m)]=², therefore we know thatJ^ASin[m,mentry(m)]K

¦

s,st,h=². We can apply Proposition B.5 and get that there is some temporary states⁰_tsuch that (m,mentry(m),s,st,h) =⇒

IR

¦n(m,mexit(m),s⁰,s⁰_t,h⁰), which by definition means (s,h) =⇒^m

IR

¦n(s⁰,h⁰).

Correctness Proof for the IR Type System C

This appendix contains the complete soundness proof for the type system of the intermediate representation. In the following, the meta-variableωis used for IR state triples (s,s_t,h).

C.1 Properties of Single Executions

In this section, we first show how assignments in the IR language are related to as-signments in the high-level DSD language. Then we define equivalence relations for confluence point stacks and for IR configurations. Finally, we show that a program does not change “low” variables and fields under a “high”pclabel, and other properties that apply to single executions of well-typed IR instructions.

C.1.1 Connection to the High-Level Language

We extend some high-level definitions to IR program states:

constraint set satisfiability: (s,st,h)|=^¦Q ⇐⇒ (s∪st,h)|=^¦Q expression evaluation: J^eK

¦s,s_t,h = J^eK

¦s∪s_t,h

We formalize the similarity between assignment blocks and the respective high-level sequential compositions. We define an auxiliary functionmakestmtthat combines a

sequence of assignment statements into a valid high-level statement (either a nested sequential composition orskip):

makestmt(a)=











skip ifa=²

a ifa=a

a;makestmt(ar) ifa=a::ar

Then for call-free assignment blocks, the IR semantics corresponds directly to the high-level semantics.

Lemma C.1 Let blocka be an assignment block IR instruction. If the small-step IR transition(m,i,s,s_t,h) −−−−−−→^{blocka ¦}₀(m,i+1,s⁰,s⁰_t,h⁰)can be derived, then high-level big-step transition(s∪st,h) makestmt(a)

−−−−−−−−−→^¦(s⁰∪s⁰_t,h⁰)can be derived.

PROOF Follows directly from the definition of =⇒^{a ¦}₀. The correspondence of the IR typing for assignment blocks and the high-level typing judgement is formalized by the following lemma.

Lemma C.2 Let I=blocka be an assignment block instruction. If the IR typing judge-mentΓ,Γt `i,pc,∆,Q −→<sup>I</sup> i+1,pc,∆,Q<sup>0</sup>can be derived, then high-level typing judge-mentΓ∪Γt,pc ` {Q} makestmt(a) {Q⁰}can be derived.

PROOF Follows directly from the definition ofΓ,Γt,∆,pc `{Q} a {Q⁰}.

Finally, we show that the evaluation ofpcand∆remains unchanged during the execution of assignment blocks.

Lemma C.3 LetI=blocka. If we can derive the transition(m,i,ω) −→^{I ¦}_n(m,i+1,ω⁰) and the typing judgmenetΓ,Γt `i,pc,∆,Q −→^I i+1,pc,∆,Q⁰, thenJ^pcK

¦ω=J^pcK

¦ω⁰

andJ∆K

¦ω=J∆K

¦ω⁰.

PROOF This follows from the definition of the typing rules. They require that the variables or fields that can possibly change do not occur syntactically in∆orpc.

C.1.2 Equivalences

We define the following equivalence relation for IR program states, which naturally extends the definition of DSD program states:

`<sup>¦</sup>(s,s<sub>t</sub>,h)∼<sup>Γ,Γ</sup><sub>β</sub> <sup>t,k</sup>(s<sup>0</sup>,s<sup>0</sup><sub>t</sub>,h<sup>0</sup>)⇐⇒ `^¦s∼^Γ_β^,ks⁰∧ `<sup>¦</sup>s<sub>t</sub>∼<sup>Γ</sup><sub>β</sub><sup>t,k</sup>s<sup>0</sup><sub>t</sub>∧ `^¦h∼^k_βh⁰

C.1 Properties of Single Executions We also give a definition for confluence point stack equivalences: we require that there exists a common “low” prefix such that the program points and evaluated labels in this “low” prefix are equal, the labels evaluate to some domain that is less or equal tok, and in the remaining “high” parts of the stacks, the labels evaluate to a domain that is neither less nor equal tok.

Definition C.4 Letω1,ω2be IR states, and¦be a domain lattice, and k∈Dom^¦. Two evaluated confluence point stacksJ∆1K

¦ω1=i1,k1andJ∆2K

¦ω2=i2,k2are¦,k-equivalent, written

`^¦J∆1K

¦ω1

∼kJ∆2K

¦ω2

if there exists a prefix index p such that

• 0≤p≤min(|k1|,|k2|),

• ∀j∈1, . . . ,p.k1.j=k2.j≤^¦k ∧ i1.j=i2.j ,

• ∀j∈{p+1, . . . ,|k1|}.k1.j6≤^¦k, and

• ∀j∈{p+1, . . . ,|k2|}.k2.j6≤^¦k.

Definition C.5 (Equivalent IR configurations) Let¦be a domain lattice, and let k be a domain with k∈Dom^¦. Two IR configurations are¦,k-equivalent, written

Γ,Γt`(m,i1,ω1) :pc1,∆1,Q1≈^¦_k,β(m,i2,ω2) :pc2,∆2,Q2

if and only if:

• `^¦ω1∼^Γ,Γ_β ^t,kω2,

• ω1|=^¦Q₁andω2|=^¦Q₂,

• `^¦J∆1K

¦ω1

∼k J∆2K

¦ω2, and

• eitherJ^pc1K

¦ω1=J^pc2K

¦ω2≤^¦k and i1=i2, orJ^pc1K

¦ω16≤^¦k andJ^pc2K

¦ω26≤^¦k Lemma C.6 All equivalence relations defined in this section are reflexive, transitive, and symmetric.

PROOF Follows by definition of the equivalences.

C.1.3 Properties of single executions

Then we show in two lemmas that for a single execution of a small step,

• if the pre-state satisfiesQ, then the post-state satisfiesQ⁰,

• if the step is executed under a “high” pc, then the states are indistinguishable,

• there is an invariant on∆: it contains ascendingpclabels, and if there is a bottom element, it does not change during the execution, and if the finalpcis “high”, the stack does not change its “low” prefix.

Using these lemmas, we then show that the satisfiability of constraint setsQand the indistinguishability of states under a highpcremain invariant for single executions of an arbitrary chain of steps.

Lemma C.7 LetΓ,Γt `i,pc,∆,Q −→^I i⁰,pc⁰,∆⁰,Q⁰and(m,i,ω) −→^{I ¦}₀(m,i⁰,ω⁰).

Ifω|=^¦Q, thenω⁰|=^¦Q⁰.

PROOF By induction over the type derivation.

• If the typing judgement has been derived by the weakening rule, we have the judgementΓ,Γt `i,pc,∆,Q₀ −→^I i⁰,pc⁰,∆⁰,Q⁰₀withQ ⇒ Q₀ andQ⁰₀ ⇒ Q⁰. Sinceω|=^¦Q, we get with Lemma 3.5 on page 34 thatω|=^¦Q0. Hence we can apply the theorem inductively and getω⁰|=^¦Q₀⁰, and hence with lemmaω|=^¦Q⁰.

• I=ife j.

We have (m,i,ω) −→^{I ¦}₀(m,i⁰,ω). We invert the rule for the instruction and make a case distinction over the shape of the postcondition:

– IfQ⁰=Q, thenω|=^¦Q⁰follows trivially.

– IfQ⁰=Q∪{`1v`2}, thene=`1v`2. Also,i⁰=j, thus (m,i,ω) −→^{I ¦}₀(m,j,ω), thusJ`1v`2K

¦ω6=0. Therefore,J`1K

¦ω≤^¦J`2K

¦ω, and withω|=^¦Q, we get ω|=^¦Q∪{`1v`2}.

• I=blocka.

Let S =makestmt(a). We get (s∪st,h) −→^{S ¦}(s⁰∪s_t⁰,h⁰) with Lemma C.1, and Γ∪Γt,pc ` {Q} P {Q⁰} with Lemma C.2. With Lemma A.5 on page 116, we get (s⁰∪s_t⁰,h⁰)|=^¦Q⁰, henceω⁰|=^¦Q⁰.

• I∈{jmpj,cjmpj,cpushj}.

Thenω⁰=ωandQ=Q⁰, henceω⁰|=^¦Q⁰follows trivially from the assumptions.

C.1 Properties of Single Executions Lemma C.8 LetΓ,Γt `i,pc,∆,Q −→^I i⁰,pc⁰,∆⁰,Q⁰and(m,i,ω) −→^{I ¦}₀(m,i⁰,ω⁰).

Ifω|=^¦Q andJ^pcK

¦ω6≤^¦k, then `^¦ω∼^Γ_id^,Γt,kω⁰. PROOF By induction over the type derivation.

• If the typing judgement has been derived by the weakening rule, we have the judgementΓ,Γt `i,pc,∆,Q0

−→I i⁰,pc⁰,∆⁰,Q⁰₀withQ ⇒Q0. Sinceω|=^¦Q, we get with Lemma 3.5 on page 34 thatω|=^¦Q₀. Hence we can apply the theorem inductively and get `^¦ω∼^Γ,Γ_id ^t,kω⁰.

• I=blocka.

Let P =makestmt(a). We get (s∪st,h)−→^{P ¦}(s⁰∪s⁰_t,h⁰) with Lemma C.1 and Γ∪Γt,pc `{Q}P {Q⁰} with Lemma C.2.

With Lemma A.6 on page 117 (high-level soundness under high pc), we can conclude `<sup>¦</sup>(s∪st,h)∼<sup>Γ∪Γ</sup><sub>id</sub> <sup>t,k</sup>(s<sup>0</sup>∪s<sup>0</sup><sub>t</sub>,h<sup>0</sup>), hence `^¦ω∼^Γ,Γ_id ^t,kω⁰.

• I∈{jmpj,cjmpj,ife j,cpushj}.

Then (m,i,ω) −→^{I ¦}₀(m,i⁰,ω⁰) withω⁰=ωfor somei⁰, so `^¦ω∼^Γ_id^,Γt,kω⁰ follows

trivially.

Confluence point stacks reflect the high-level control flow structure (condition-als and loops) at a specific point in an IR program. More precisely, they indicate the addresses where the structures end, and the correspondingpclabels that are to be restored at these addresses. The innermost structure is on top of the stack, the outer-most structure is at the bottom. Therefore, the row ofpclabels on the stack is always in ascending order, if we start to count from the bottom (right-most) element. (The rationale is that∆is a stack that “grows” to the left. In contrast, if∆was regarded as a sequence ofpclabels, a more natural description of the order would bedescending.) Definition C.9 A stack of domains isascendingif its domains are sorted in ascending order with respect to≤^¦from bottom (right-most) to top. More precisely, k is ascending if and only if

• k is empty or contains only one element, or

• k=k1::k2::ks and k2≤^¦k1and k2::ks is ascending.

In the following, we write∆pcto refer only to the stack ofpclabels in a confluence point stack, thereby projecting away the program points. Also,bottom(x) refers to the right-most (last, bottom) element of the stack or sequencex.

Lemma C.10 LetΓ,Γt `i,pc,∆,Q −→^I i⁰,pc⁰,∆⁰,Q⁰and(m,i,ω) −→^{I ¦}n(m,i⁰,ω⁰).

IfJ^pc::∆pcK

¦ωis ascending, then

1. q

pc⁰::∆⁰pc

y¦

ω⁰is ascending, and 2. bottom(J^pc::∆pcK

¦ω)≤^¦bottom(q

pc⁰::∆⁰pc

y_¦

ω⁰), and 3. ifJ^pc0K

¦ω⁰6≤^¦k, then `^¦J∆K

¦ω k

∼J∆⁰K

¦ω⁰. PROOF By induction over the type derivation.

• If the typing judgement has been derived by the weakening rule, we get by rule inversionΓ,Γt `i,pc,∆,Q0

−→I i⁰,pc⁰,∆⁰,Q₀⁰, hence we can inductively apply this lemma and get the desired properties.

• I=ife j.

We have∆⁰=∆andω⁰=ωandJ^pcK

¦ω≤^¦J^pcK

¦ω∨^¦J`K

¦ω=J^pct`K

¦ω=J^pc0K

¦ω⁰. 1. With the assumptions, we getq

(pct`) ::∆⁰pc

y_¦

ω⁰ is ascending.

2. If∆is not empty, we get the assumption trivially, since∆⁰=∆andω⁰=ω. Otherwise, we can conclude thatbottom(J^pc::∆pcK

¦ω)=J^pcK

¦ω≤^¦J^pc0K

¦ω⁰= bottom(q

pc⁰::∆⁰pc

y¦ ω⁰.

3. This holds trivially, since∆⁰=∆andω=ω⁰.

• I=jmpj.

We have∆⁰=∆andω⁰=ωandpc⁰=pc, therefore the stack stays in ascending order, the bottom element does not change, and the pre-stack is¦,k-equivalent to the post-stack.

• I=cpushj.

We haveω⁰=ωandpc⁰=pc.

1. SinceJ^pc::∆pcK

¦ωis ascending,J^pc::pc::∆pcK

¦ω⁰ is ascending.

2. We havebottom(J^pc::∆pcK

¦ω)=bottom(J^pc::pc::∆pcK

¦ω).

3. IfJ^pcK

¦ω6≤^¦k, we get by definition of¦,k-equivalence `^¦J∆K

¦ω k

∼J^pc::∆K

¦ω.

• I=cjmpj. We haveω⁰=ω.

1. SinceJ^pc::pc0::∆K

¦ωis ascending,J^pc0::∆pcK

¦ωis ascending.

2. We havebottom(J^pc::pc0::∆pcK

¦ω)=bottom(J^pc0::∆pcK

¦ω).

3. IfJ^pc0K

¦ω6≤^¦k, then by definition of¦,k-equivalence `^¦J^pc0::∆K

¦ω k

∼J∆K

¦ω.

C.1 Properties of Single Executions

• I=blocka.

We have∆⁰=∆, andpc⁰=pc. From Lemma C.3, it follows thatJ∆K

¦ω=J∆K

¦ω⁰and J^pcK

¦ω=J^pcK

¦ω⁰, therefore we get the required propositions trivially.

Theorem C.11 Let¦be a domain lattice, and let k ∈Dom^¦be a domain. Given an IR program PIR that is well-typed. Let m be a method with a signaturemsig(m)= [Γ,pc_m,Q_m,Q_m⁰ ]. Suppose that i,i⁰∈dom(IR(m))are addresses in m, such thatΛ(i)= (pc,∆,Q)andΛ(i⁰)=(pc⁰,∆⁰,Q⁰). If

• (m,i,ω) =⇒

IR

¦n(m,i⁰,ω⁰),

• ω|=^¦Q,

• J^pc::∆pcK

¦ωis ascending andbottom(J^pc::∆pcK

¦ω)6≤^¦k, then there exists a type environmentΓt such that

• ω⁰|=^¦Q⁰, and

• `^¦ω∼^Γ_id^,Γt,kω⁰.

We call this theoremP(m,n), and prove it by strong induction onn. For this, we need the following auxiliary lemma.

Lemma C.12 LetΓ,Γt `i,pc,∆,Q −→^I i⁰,pc⁰,∆⁰,Q⁰and(m,i,ω) −→^{I ¦}_n(m,i⁰,ω⁰). Fur-thermore, letP(m,p)for all p<n. Let¦be a domain lattice, and let k∈Dom^¦.

Ifω|=^¦Q andJ^pcK

¦ω6≤^¦k, thenω⁰|=^¦Q⁰, and `^¦ω∼^Γ_id^,Γt,kω⁰. PROOF By case distinction overn.

• Letn=0. Then we can apply Lemma C.7, and getω⁰|=^¦Q⁰, and Lemma C.8 and get `^¦ω∼^Γ,Γ_id ^t,kω⁰.

• Letn 6=0. Then I=blocka. For all a ∈a, ifω −→^{a ¦}₀ω⁰, we getω⁰ |=^¦Q⁰ and

`<sup>¦</sup>ω∼<sup>Γ</sup><sub>id</sub><sup>,Γt,k</sup> ω<sup>0</sup>. Ifω −→<sup>a ¦</sup><sub>n</sub>ω<sup>0</sup> andn6=0, then it must bea =x:=e.m(e). With a similar argument as in Lemma A.6 on page 117 for high-level method calls and usingP(m,n−1) and the fact thatpc<sub>m</sub>for the called method must be invisible atkin¦, we getω<sup>0</sup>|=<sup>¦</sup>Q<sup>0</sup>, and `^¦ω∼^Γ_id^,Γt,kω⁰.

PROOF(OFTHEOREMC.11) Sincepc::∆pcis ascending and the bottom element is not¦,k-visible, we getJ^pcK

¦ω6≤^¦k. As the method is well-typed, we know by definition that there exists a type environmentΓtsuch that a type mappingΛis derivable forΓ frommsig(m) and thatΓt, that is, there are suitable small-step typing judgements for each successor relation (m,i)7−→^I (m,i⁰).

We proceed by induction onnand the number of execution stepsc.

• Ifc=0, then zero steps have been taken, i.e.i=i⁰. We haveω⁰=ω, and get the desired propositions directly from the assumptions and by reflexivity of the state equivalence relation.

• Ifc>0, then (m,i,ω) −→^{I ¦}n₁(m,i⁰⁰,ω⁰⁰) =⇒

IR

¦n₂(m,i⁰,ω⁰) andn1≤nandn2≤n. Let Λ(i⁰⁰)=(pc⁰⁰,∆⁰⁰,Q⁰⁰).

– Ifn=0, thenn1=0 andn2=0. Hence we get with Lemmas C.7 and C.8 thatω⁰⁰|=^¦Q⁰⁰and `^¦ω∼^Γ_id^,Γt,kω⁰⁰.

– Letn>0, andP(m,p) for allp<n. Hence we can apply Lemma C.12 and getω⁰⁰|=^¦Q⁰⁰and `^¦ω∼^Γ_id^,Γt,kω⁰⁰. By Lemma C.10,q

pc⁰::∆⁰pc

y_¦

ω⁰ is ascending, andbottom(q

pc⁰::∆⁰pc

y_¦

ω⁰)6≤^¦k.

The remaining execution (m,i⁰⁰,ω⁰⁰) =⇒

IR

¦n2 (m,i⁰,ω⁰) is shorter, hence we can apply the theorem inductively on it and getω⁰|=^¦Q⁰and `<sup>¦</sup>ω<sup>00</sup>∼<sup>Γ,Γ</sup><sub>id</sub> <sup>t,k</sup>ω<sup>0</sup>. By transitivity of the state equivalence relation we finally get `^¦ω∼^Γ_id^,Γt,kω⁰.

Im Dokument Information flow analysis for mobile code in dynamic security environments (Seite 136-148)