Verified Bytecode Subroutines

Gerwin Klein and Martin Wildmoser


Bytecode subroutines are a major complication for Java bytecode verification: they are difficult to fit into the data flow analysis that the JVM specification suggests. Because of that, subroutines are left out or are restricted in most formalizations of the bytecode verifier. We examine the problems that occur with subroutines and give an overview of the most prominent solutions in the literature. Using the theorem prover Isabelle/HOL, we have extended our substantial formalization of the JVM and the bytecode verifier with its proof of correctness by the most general solution for bytecode subroutines.

Online Copy

Available as [PDF]

Isabelle Sources

A formalization of the Java bytecode verifier, including a defensive JVM, exceptions, constructor calls, object initialization, jsr/ret instructions, and arrays:

Bibtex entry

  author =  {Gerwin Klein and Martin Wildmoser},
  title =   {Verified Bytecode Subroutines},
  journal = {Journal of Automated Reasoning},
  year =    2003,
  volume = 30,
  number = {3--4},
  pages = {363--398},
  editor = {Tobias Nipkow},
  url =     {\url{}}
Gerwin Klein
2005-01-30 14:05:30