Dr. Dobb's Journal - September 2008 - (Page 55)

d09kilch_p3db 7/11/08 1:31 PM Page 55 pushed back on the stack. A class verifier ensures that attempts to operate on values inappropriate for the instruction are caught. For example, it is illegal to load a long on the stack and attempt to use it as two ints. As the term “bytecode” suggests, the JVM model defines operation codes (or opcodes) as single bytes, thus limiting the number of instructions the virtual machine can provide. The operations that are provided are not, therefore, orthogonal: there is no add instruction for shorts or bytes. Instead, to perform addition on bytes or shorts, the value must first be converted to int, and only then can the addition be performed. Converting shorts or bytes to integer “widens” the integer without loss of data. The JVM does not indicate overflow of integer operations (the only exception that JVM generates as a result of integer arithmetic operations is ArithmeticException when dividing by zero). So undetected overflow can occur in several places: • The arithmetic instructions add, sub, mul, div, and neg (the last two for the special cases of dividing MIN_VALUE by –1 or negating MIN_VALUE, respectively). • During narrowing operations from int to short or byte. • During increment operations. Instrumenting the code therefore involves adding code to the following instructions: • Arithmetic instructions. iadd, isub, imul, idiv, ineg, ladd, lsub, lmul, ldiv, lneg, iinc. • Narrowing instructions. i2b, i2s, l2i. We consciously decided that left shifting would be left alone—we think that you are more likely to be aware of possible overflows in this case. jump operations. ASM (asm.objectweb.org) is such a library, particularly small yet powerful and efficient, making heavy use of design patterns. ASM offers methods to process bytecode streams, either in the form of an editable structure holding the entire code (analogous to a DOM-like parser for XML files), or through an event model (a SAX-like parser). The event model makes filtering easy; for instance, to replace every iadd by a method call. The library also offers a program named ASMifier, which takes an existing *.class file and generates the Java+ASM source code that generates the same bytecode sequence at runtime. Integrated in an Eclipse plug-in, this tool quickly becomes a must-have. Example 2 is a fragment of Java source code, and the corresponding bytecode instructions, first in an abstracted syntax, then as an output of ASMifier. Example 3 illustrates how to write a program that replaces every iadd by a call to the presumably existing method used in Example 1. The ASM library makes it easy to write a bytecode instrumentation program, but sketching the details of overflow management requires a careful analysis. For instance, you might not at first notice that unary integer negation or integer division are “dangerous” operations, or that incrementation has its own bytecode instruction. When playing with the operand stack instructions, it appears that some manipulations are possible on int values but not on long values, because the latter occupy two slots in the stack. The identifiers of added methods must be unique, even when processing an already instrumented class. COJAC Tool With the help of two students, we developed COJAC (short for “Checking Overflows in JAva Code”), a freely available tool (http://home.hefr.ch/bapst/cojac) that instruments any existing Java bytecode for overflow detection. It takes as input any *.class file, and outputs an instrumented version that will detect overflows and signal them at runtime. Here are some features of COJAC: • COJAC is a portable Java program with a command-line interface. • Instrumentation is applied on individual classes or entire *.jar archives. • Any type of arithmetic integer overflow can be processed. • COJAC can also check when narrowing type casting (int2short, for example) leads to a data loss (such as when the original value is out of target type bound). • The options offer a fine control over the particular bytecode instructions to instrument (six operations on ints, five on longs, four kinds of typecasting). (a) int a, b, r; r = a + b; (b) int a, b, r; r = checkedIADD(a,b); (c) Using the ASM Library While it is possible to process bytecode files with no other support than reading/writing bytes, there are well-defined libraries that considerably simplify the work, by managing the details and bookkeeping, such as computing the maximal size of the stack operand, the index of a literal in the constant pool, or the precise offsets when inserting package utils; public class SecuredArithmetics { static int checkedIADD(int a, int b) { int r=a+b; if (( (a^r) & (b^r) ) < 0) System.err.println("Overflow!"); return r; } } // (a^r)&(b^r))<0) is a shorthand for: // (a<0 && b =0) || // (a>0 && b>0 && x<=0) ) Example 1: Adding overflow checking: (a) before, (b) after instrumentation, (c) possible detection algorithm. September 2008 l www.ddj.com l Dr. Dobb’s Journal 55 http://asm.objectweb.org http://home.hefr.ch/bapst/cojac http://www.ddj.com

Table of Contents Feed for the Digital Edition of Dr. Dobb's Journal - September 2008

Dr. Dobb's Journal - September 2008 Contents Friday Night Fish Fry Alia Vox Developer Diaries Developer’s Notebook A Conversation With Erik Demaine Application Lifecycle Management Meets Model-Driven Development Building a Robust Development Environment Real Users Really Matter Matching Wildcards: An Algorithm The Android Mobile Phone Platform Managing Application Thread Use Signalling Integer Overflows in Java .NET Development & the IBM WebSphere Portal Server The Agile Edge Effective Concurrency Swaine’s Flames

Dr. Dobb's Journal - September 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.