1. Field of the Invention
The present invention is directed to a method for operating a computer system, to a byte code verifier and to a computer system.
2. Description of the Related Art
U.S. Pat. No. 5,668,999 discloses a method for operating a computer system that, following the loading of a computer program and before the execution of the computer program, checks this to see that it executes no disallowed data processing procedures. What is referred to as a byte code verifier, which checks the byte code of the loaded computer program, is provided for this purpose. The verifier contains a virtual stack for the temporary storage of type information that specify the data that lie on the stack in the execution of the program. The verifier further comprises a stack snapshot memory with a snapshot list and a snapshot memory area for storing the status of the virtual stack at different points of the program run.
The checking of the computer program ensues in two phases, whereby all destination addresses to which conditional or unconditional branches point are determined in the first phase. The program is simulated in the second phase. What are referred to as snapshots of the virtual stack are thereby produced for every destination address of the branch and are stored in the snapshot list. By comparing the information stored in the snapshot list, a determination is made as to whether the stack is manipulated in a way that could lead to an overflow or underflow. An error message is output if such an inadmissible change were to be caused.
The employment of such a byte code verifier allows a considerable speed-up of the execution of the program. Traditional interpreters for the execution of a computer program contain routines for monitoring the stack and for avoiding an overflow or, respectively, underflow. These routines were executed at every command accessing the stack. Monitoring the stack could therefore take up to 80% of the execution time of a computer program. The employment of the byte code verifier is advantageous particularly given loops, since only the commands of one loop run are checked a single time with the byte code verifier, in contrast whereto the individual commands have been rechecked in each loop run given a traditional interpreter.
The virtual stack is constructed like a regular stack, except that, instead of the actual data and constants, indicators are stored in the virtual stack that represent the respective data type such as, for example, whole number (I), long whole number (L), singly-exact floating decimal point number (F), doubly-exact floating decimal point number (D), byte (B), etc.
A virtual field of the local variables is also established in this known method. This virtual field is constructed similar to the virtual stack, i.e. only the indicators of the data types of the data to be stored in the actual memory field are contained in the virtual field.
Given branches in the program execution, however, only snapshots of the virtual stack are compared to one another. Changes in the virtual field remain unconsidered, so that errors produced on the basis of branches cannot be detected given access to the field of the local variables. This can lead to errors in the program execution that deteriorate the operation of the computer system and can even lead to a crash of the computer system.
U.S. Patent No. 5,668,999 discloses the byte code verifier with reference to the computer language OAK. The computer language Java(trademark) has been developed from OAK. Due to its independence from platform, Java(trademark) is often employed in Internet applications that are loaded from a server onto an arbitrary client, whereby the client can be a computer system with an arbitrary, standard operating system.
The reference Java(trademark) Virtual Machine Specification, Tim Lindholm and Frank Yellin, Addison-Wesley, 1997 (ISBN 0-201-63452-X), pp. 128 ff., describes a byte code verifier that essentially corresponds to that of U.S. Pat. No. 5,668,999 but differs therefrom in that it is not only copies of the virtual stack but also copies of the virtual field of the local variables that are produced with the snapshots. Given a conditional or unconditional branch in the program execution, it is not only the snapshots of the stacks but also those of the virtual fields of the local variables that are compared, so that an error produced by an access to the variable field implemented after a branch can also be detected.
Producing a complete copy of the virtual field of the local variables for the destination address given a branch produces a considerable dataset that uses a correspondingly large memory space. Since OAK and Java were developed not only for Internet applications but, in particular, for embedded applications with small processor systems, this substantial memory requirement opposes the original objective. There is a considerable need for a reduction of the memory requirements particularly for specific developments of Java such as, for example, JAVACARD, which is a programming language specifically designed for chip cards.
The present invention is therefore based on the object of developing a method of the species disclosed by U.S. Pat. No. 5,668,999, a byte code verifier and a computer system such that a dependable execution of a computer program loaded on a computer system is nonetheless assured given low memory requirements.
This object and others are achieved by a method having for operating a computer system, including the following steps: storing a computer program in a memory of the computer system, whereby the computer program comprises a sequence of byte codes that represent program commands, whereby the program commands can access variables; testing the computer program loaded into the computer system before the execution of the computer program to see whether the program commands contained therein would produce an inadmissible data processing event upon execution; allowing execution of the program when the test of the computer system has yielded no inadmissible data processing event, otherwise a corresponding error message is output; and testing the individual program commands in the sequence of the program execution in the test of the computer program to see whether they access a variable upon execution before this variable has been initialized.
Advantageous developments of the invention are provided by a method for operating a computer system, in that, when testing the computer program, a virtual stack is checked to see whether an overflow or an underflow of the virtual stack is produced due to an illegal data processing event. In the method, a virtual field of local variables is generated wherein indicators that represent the respective data type are stored instead of the data and constants that are entered into a corresponding, actual field of local variables upon execution of the computer program. Preferably, whether each local variable of the field has been initialized before the accesses is successively checked for each local variable of the field when testing the computer program. When testing the computer program, the program commands are interrogated in the sequence of the program execution to see whether a specific variable is initialized by the respective program command, and, if this interrogation yields that the variable is not initialized by this program command, an interrogation is carried to see whether this variable is accessed by this program command, and, if this interrogation yields that this variable is accessed, an error message is output and the execution of the computer program is not allowed. When it is found in the interrogation about the access onto the variable that the variable is not accessed, all program commands that can follow the program command just tested in the program execution are identified, and a determination is made as to whether one or more of these program commands have already been tested, and, if one or more untested program commands thereby derive, these are tested according to the method steps in set forth above. When no untested program command is found, the computer program is tested for the next variable, and the testing process is ended when all variables have been tested. In the method for operating a computer system, when it is found in the interrogation as to whether a specific variable is initialized by the respective program command that the variable is initialized by the program command, an interrogation is carried out to see whether further program commands that do not follow the program command just tested must be tested for this variable and, when such further program commands derive, then these are tested according to the method steps above; otherwise, the computer program is tested for the next variable and the testing process is ended when all variables have been tested.
The invention also provides a byte code verifier that tests a program loaded onto a computer system for illegal data processing events before its execution, the byte code verifier being fashioned such that the program commands of the computer program are checked in the sequence of the program execution to see whether they access a variable upon execution before this variable is initialized. Preferably, the byte code verifier is implemented for the execution of the method as set out in the foregoing. The byte code verifier may be stored on a data carrier.
The invention also provides a computer system having a memory for storing a computer program, whereby the computer program comprises a sequence of byte codes that represent program commands, some program commands can access variables, a data processing unit for executing programs stored in the memory, a byte code verifier stored in the memory, the byte code verifier testing a program loaded into the memory of the computer system for illegal data processing events before its execution, and the byte code verifier being fashioned such that the computer program is tested to see whether, upon execution thereof, variables have been respectively initialized before possible accesses to the variables. In a preferred embodiment, the computer system includes the byte code verifier as described herein.
The inventive method for operating a computer system comprises the following steps:
a) Storing a computer program in a memory of the computer system, whereby the computer program comprises a sequence of byte codes that represent program commands, whereby the program commands can access variables;
b) Testing the computer program loaded into the computer system before the execution of the computer program to see whether the program commands contained therein would produce an inadmissible data processing event upon execution; and
c) The execution of the program is allowed when the test of the computer system has yielded no inadmissible data processing event, otherwise a corresponding error message is output.
The inventive method is characterized in that whether variables have been previously initialized is checked before the accesses to variables when testing the computer program.
The inventor has recognized that inadmissible data processing events are not recognized with the method disclosed by U.S. Pat. No. 5,668,999 given branches in the program execution. FIG. 3 shows an example of a program that comprises an inadmissible data processing event that is not recognized by this known method. In the illustration of FIG. 3, the respectively program command is shown in the left-hand column, the content of the virtual stack is shown in the middle column and the content of the virtual field of the local variable is shown in the right-hand column. The program commands are numbered consecutively. With the first command xe2x80x9cgoto 5xe2x80x9d, the program execution branches to command number 5 (aload 2). The content of the variable 2 of the virtual field is thereby loaded onto the stack. The variable 2 should contain an indicator for a data type such as, for example, xe2x80x9cCxe2x80x9d. Since, however, the program commands 2 through 4 were skipped and the variable 2 would be occupied with a value for the first time with command 3 (astore 2), the variable 2 has not yet been occupied with a value given the execution of command 5. In other words, the variable 2 has not yet been initialized given the execution of the command 5. If the program were executed, the variable 2 would be read with the command 5, even though a value has not yet been assigned here. This produces an undefined condition since non-extant data are read in an inadmissible way. Such program executions can lead to undefined conditions of the computer system or could even produce a crash of the entire computer system.
With the inventive method, a check is carried out to see whether, given access to a variable (command No. 5), the variable has been previously initialized. In the test, the individual commands of the computer program are investigated in the sequence with which they are carried out given an execution of the computer program, whereby the individual program branches given a branch of the program execution are investigated independently of one another. The execution of the program is allowed only when it is assured that the variables are initialized before they are accessed, i.e. occupied with a value. As a result thereof, an inadmissible access to a variable is reliably prevented and undefined conditions of the computer system are avoided.
The need for additional memory space of a byte code verifier that is provided with a routine for checking the computer program whether variable have been previously initialized before being accessed is significantly less than if a virtual field of local variables were to be copied for each destination of a conditional or unconditional branch.
Given low memory space requirements, thus, a dependable execution of a computer program loaded on a computer system is assured with the inventive method since inadmissible data accesses in the field for local variables can also be detected in the determination of inadmissible data processing events.