15.2 Security Promises of the JVM

Here are some of the promises the Java virtual machine makes about programs that have passed the verification algorithm:

• Every object is constructed exactly once before it is used.

• Every object is an instance of exactly one class, which does not change through the life of the object.

• If a field or method is marked private, then the only code that ever accesses it is found within the class itself.

• Fields and methods marked protected are used only by code that participates in the implementation of the class.

• Every local variable is initialized before it is used.

• Every field is initialized before it is used.

• It is impossible to underflow or overflow the stack.

• It is impossible to read or write past the end of an array or before the beginning of the array.

• It is impossible to change the length of an array once it has been created.

• Final methods cannot be overridden, and final classes cannot be subclassed.

• Attempts to use a null reference as the receiver of a method invocation or source of a field cause a NullPointerException to be thrown.

The Java platform security architecture depends on all these promises and many more. The verification algorithm, which enforces these promises, was outlined in chapter 6. A more complete description is available in The Java Virtual Machine Specification, chapter 4. You can check the algorithms out for yourself. Part of the strength of the Java platform security architecture lies in the fact that many independent reviewers have checked the algorithms.