1 /* Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2008, 2009, 2010
2 Free Software Foundation
4 This file is part of libgcj.
6 This software is copyrighted work licensed under the terms of the
7 Libgcj License. Please consult the file "LIBGCJ_LICENSE" for
10 /* Written by Tom Tromey <tromey@redhat.com> */
12 /* Uncomment this to enable debugging output. */
13 /* #define VERIFY_DEBUG */
19 /* Hack to work around namespace pollution from java-tree.h. */
22 /* This is used to mark states which are not scheduled for
24 #define INVALID_STATE ((state *) -1)
26 static void ATTRIBUTE_PRINTF_1
27 debug_print (const char *fmt ATTRIBUTE_UNUSED, ...)
32 vfprintf (stderr, fmt, ap);
34 #endif /* VERIFY_DEBUG */
37 /* This started as a fairly ordinary verifier, and for the most part
38 it remains so. It works in the obvious way, by modeling the effect
39 of each opcode as it is encountered. For most opcodes, this is a
40 straightforward operation.
42 This verifier does not do type merging. It used to, but this
43 results in difficulty verifying some relatively simple code
44 involving interfaces, and it pushed some verification work into the
47 Instead of merging reference types, when we reach a point where two
48 flows of control merge, we simply keep the union of reference types
49 from each branch. Then, when we need to verify a fact about a
50 reference on the stack (e.g., that it is compatible with the
51 argument type of a method), we check to ensure that all possible
52 types satisfy the requirement.
54 Another area this verifier differs from the norm is in its handling
55 of subroutines. The JVM specification has some confusing things to
56 say about subroutines. For instance, it makes claims about not
57 allowing subroutines to merge and it rejects recursive subroutines.
58 For the most part these are red herrings; we used to try to follow
59 these things but they lead to problems. For example, the notion of
60 "being in a subroutine" is not well-defined: is an exception
61 handler in a subroutine? If you never execute the `ret' but
62 instead `goto 1' do you remain in the subroutine?
64 For clarity on what is really required for type safety, read
65 "Simple Verification Technique for Complex Java Bytecode
66 Subroutines" by Alessandro Coglio. Among other things this paper
67 shows that recursive subroutines are not harmful to type safety.
68 We implement something similar to what he proposes. Note that this
69 means that this verifier will accept code that is rejected by some
72 For those not wanting to read the paper, the basic observation is
73 that we can maintain split states in subroutines. We maintain one
74 state for each calling `jsr'. In other words, we re-verify a
75 subroutine once for each caller, using the exact types held by the
76 callers (as opposed to the old approach of merging types and
77 keeping a bitmap registering what did or did not change). This
78 approach lets us continue to verify correctly even when a
79 subroutine is exited via `goto' or `athrow' and not `ret'.
81 In some other areas the JVM specification is (mildly) incorrect,
82 so we diverge. For instance, you cannot
83 violate type safety by allocating an object with `new' and then
84 failing to initialize it, no matter how one branches or where one
85 stores the uninitialized reference. See "Improving the official
86 specification of Java bytecode verification" by Alessandro Coglio.
88 Note that there's no real point in enforcing that padding bytes or
89 the mystery byte of invokeinterface must be 0, but we do that
92 The verifier is currently neither completely lazy nor eager when it
93 comes to loading classes. It tries to represent types by name when
94 possible, and then loads them when it needs to verify a fact about
95 the type. Checking types by name is valid because we only use
96 names which come from the current class' constant pool. Since all
97 such names are looked up using the same class loader, there is no
98 danger that we might be fooled into comparing different types with
101 In the future we plan to allow for a completely lazy mode of
102 operation, where the verifier will construct a list of type
103 assertions to be checked later.
105 Some test cases for the verifier live in the "verify" module of the
106 Mauve test suite. However, some of these are presently
107 (2004-01-20) believed to be incorrect. (More precisely the notion
108 of "correct" is not well-defined, and this verifier differs from
109 others while remaining type-safe.) Some other tests live in the
112 This verifier is also written to be pluggable. This means that it
113 is intended for use in a variety of environments, not just libgcj.
114 As a result the verifier expects a number of type and method
115 declarations to be declared in "verify.h". The intent is that you
116 recompile the verifier for your particular environment. This
117 approach was chosen so that operations could be inlined in verify.h
120 See the verify.h that accompanies this copy of the verifier to see
121 what types, preprocessor defines, and functions must be declared.
122 The interface is ad hoc, but was defined so that it could be
123 implemented to connect to a pure C program.
126 #define FLAG_INSN_START 1
127 #define FLAG_BRANCH_TARGET 2
128 #define FLAG_INSN_SEEN 4
132 struct ref_intersection;
134 typedef struct state state;
135 typedef struct type type;
136 typedef struct ref_intersection ref_intersection;
138 /*typedef struct state_list state_list;*/
140 typedef struct state_list
143 struct state_list *next;
146 typedef struct vfy_string_list
149 struct vfy_string_list *next;
152 typedef struct verifier_context
154 /* The current PC. */
156 /* The PC corresponding to the start of the current instruction. */
159 /* The current state of the stack, locals, etc. */
160 state *current_state;
162 /* At each branch target we keep a linked list of all the states we
163 can process at that point. We'll only have multiple states at a
164 given PC if they both have different return-address types in the
165 same stack or local slot. This array is indexed by PC and holds
166 the list of all such states. */
169 /* We keep a linked list of all the states which we must reverify.
170 This is the head of the list. */
171 state *next_verify_state;
173 /* We keep some flags for each instruction. The values are the
174 FLAG_* constants defined above. This is an array indexed by PC. */
177 /* The bytecode itself. */
178 const unsigned char *bytecode;
179 /* The exceptions. */
180 vfy_exception *exception;
182 /* Defining class. */
183 vfy_jclass current_class;
185 vfy_method *current_method;
187 /* A linked list of utf8 objects we allocate. */
188 vfy_string_list *utf8_list;
190 /* A linked list of all ref_intersection objects we allocate. */
191 ref_intersection *isect_list;
194 /* The current verifier's state data. This is maintained by
195 {push/pop}_verifier_context to provide a shorthand form to access
196 the verification state. */
197 static GTY(()) verifier_context *vfr;
199 /* Local function declarations. */
200 bool type_initialized (type *t);
201 int ref_count_dimensions (ref_intersection *ref);
204 verify_fail_pc (const char *s, int pc)
206 vfy_fail (s, pc, vfr->current_class, vfr->current_method);
210 verify_fail (const char *s)
212 verify_fail_pc (s, vfr->PC);
215 /* This enum holds a list of tags for all the different types we
216 need to handle. Reference types are treated specially by the
218 typedef enum type_val
222 /* The values for primitive types are chosen to correspond to values
223 specified to newarray. */
233 /* Used when overwriting second word of a double or long in the
234 local variables. Also used after merging local variable states
235 to indicate an unusable value. */
238 /* This is the second word of a two-word value, i.e., a double or
242 /* Everything after `reference_type' must be a reference type. */
245 uninitialized_reference_type
248 /* This represents a merged class type. Some verifiers (including
249 earlier versions of this one) will compute the intersection of
250 two class types when merging states. However, this loses
251 critical information about interfaces implemented by the various
252 classes. So instead we keep track of all the actual classes that
254 struct ref_intersection
256 /* Whether or not this type has been resolved. */
259 /* Actual type data. */
262 /* For a resolved reference type, this is a pointer to the class. */
264 /* For other reference types, this it the name of the class. */
268 /* Link to the next reference in the intersection. */
269 ref_intersection *ref_next;
271 /* This is used to keep track of all the allocated
272 ref_intersection objects, so we can free them.
273 FIXME: we should allocate these in chunks. */
274 ref_intersection *alloc_next;
277 static ref_intersection *
280 ref_intersection *new_ref =
281 (ref_intersection *) vfy_alloc (sizeof (ref_intersection));
283 new_ref->alloc_next = vfr->isect_list;
284 vfr->isect_list = new_ref;
288 static ref_intersection *
289 clone_ref (ref_intersection *dup)
291 ref_intersection *new_ref = make_ref ();
293 new_ref->is_resolved = dup->is_resolved;
294 new_ref->data = dup->data;
299 resolve_ref (ref_intersection *ref)
301 if (ref->is_resolved)
303 ref->data.klass = vfy_find_class (vfr->current_class, ref->data.name);
304 ref->is_resolved = true;
308 refs_equal (ref_intersection *ref1, ref_intersection *ref2)
310 if (! ref1->is_resolved && ! ref2->is_resolved
311 && vfy_strings_equal (ref1->data.name, ref2->data.name))
313 if (! ref1->is_resolved)
315 if (! ref2->is_resolved)
317 return ref1->data.klass == ref2->data.klass;
320 /* Merge REF1 type into REF2, returning the result. This will
321 return REF2 if all the classes in THIS already appear in
323 static ref_intersection *
324 merge_refs (ref_intersection *ref1, ref_intersection *ref2)
326 ref_intersection *tail = ref2;
327 for (; ref1 != NULL; ref1 = ref1->ref_next)
330 ref_intersection *iter;
331 for (iter = ref2; iter != NULL; iter = iter->ref_next)
333 if (refs_equal (ref1, iter))
342 ref_intersection *new_tail = clone_ref (ref1);
343 new_tail->ref_next = tail;
350 /* See if an object of type SOURCE can be assigned to an object of
351 type TARGET. This might resolve classes in one chain or the other. */
353 ref_compatible (ref_intersection *target, ref_intersection *source)
355 for (; target != NULL; target = target->ref_next)
357 ref_intersection *source_iter = source;
359 for (; source_iter != NULL; source_iter = source_iter->ref_next)
361 /* Avoid resolving if possible. */
362 if (! target->is_resolved
363 && ! source_iter->is_resolved
364 && vfy_strings_equal (target->data.name,
365 source_iter->data.name))
368 if (! target->is_resolved)
369 resolve_ref (target);
370 if (! source_iter->is_resolved)
371 resolve_ref (source_iter);
373 if (! vfy_is_assignable_from (target->data.klass,
374 source_iter->data.klass))
383 ref_isarray (ref_intersection *ref)
385 /* assert (ref_next == NULL); */
386 if (ref->is_resolved)
387 return vfy_is_array (ref->data.klass);
389 return vfy_string_bytes (ref->data.name)[0] == '[';
393 ref_isinterface (ref_intersection *ref)
395 /* assert (ref_next == NULL); */
396 if (! ref->is_resolved)
398 return vfy_is_interface (ref->data.klass);
402 ref_isabstract (ref_intersection *ref)
404 /* assert (ref_next == NULL); */
405 if (! ref->is_resolved)
407 return vfy_is_abstract (ref->data.klass);
411 ref_getclass (ref_intersection *ref)
413 if (! ref->is_resolved)
415 return ref->data.klass;
419 ref_count_dimensions (ref_intersection *ref)
422 if (ref->is_resolved)
424 vfy_jclass k = ref->data.klass;
425 while (vfy_is_array (k))
427 k = vfy_get_component_type (k);
433 const char *p = vfy_string_bytes (ref->data.name);
440 /* Return the type_val corresponding to a primitive signature
441 character. For instance `I' returns `int.class'. */
443 get_type_val_for_signature (char sig)
476 verify_fail ("invalid signature");
482 /* Return the type_val corresponding to a primitive class. */
484 get_type_val_for_primtype (vfy_jclass k)
486 return get_type_val_for_signature (vfy_get_primitive_char (k));
489 /* The `type' class is used to represent a single type in the verifier. */
495 /* For reference types, the representation of the type. */
496 ref_intersection *klass;
498 /* This is used in two situations.
500 First, when constructing a new object, it is the PC of the
501 `new' instruction which created the object. We use the special
502 value UNINIT to mean that this is uninitialized. The special
503 value SELF is used for the case where the current method is
504 itself the <init> method. the special value EITHER is used
505 when we may optionally allow either an uninitialized or
506 initialized reference to match.
508 Second, when the key is return_address_type, this holds the PC
509 of the instruction following the `jsr'. */
517 /* Make a new instance given the type tag. We assume a generic
518 `reference_type' means Object. */
520 init_type_from_tag (type *t, type_val k)
523 /* For reference_type, if KLASS==NULL then that means we are
524 looking for a generic object of any kind, including an
525 uninitialized reference. */
530 /* Make a type for the given type_val tag K. */
532 make_type (type_val k)
535 init_type_from_tag (&t, k);
539 /* Make a new instance given a class. */
541 init_type_from_class (type *t, vfy_jclass k)
543 t->key = reference_type;
544 t->klass = make_ref ();
545 t->klass->is_resolved = true;
546 t->klass->data.klass = k;
547 t->klass->ref_next = NULL;
552 make_type_from_class (vfy_jclass k)
555 init_type_from_class (&t, k);
560 init_type_from_string (type *t, vfy_string n)
562 t->key = reference_type;
563 t->klass = make_ref ();
564 t->klass->is_resolved = false;
565 t->klass->data.name = n;
566 t->klass->ref_next = NULL;
571 make_type_from_string (vfy_string n)
574 init_type_from_string (&t, n);
578 /* Promote a numeric type. */
580 vfy_promote_type (type *t)
582 if (t->key == boolean_type || t->key == char_type
583 || t->key == byte_type || t->key == short_type)
586 #define promote_type vfy_promote_type
588 /* Mark this type as the uninitialized result of `new'. */
590 type_set_uninitialized (type *t, int npc)
592 if (t->key == reference_type)
593 t->key = uninitialized_reference_type;
595 verify_fail ("internal error in type::uninitialized");
599 /* Mark this type as now initialized. */
601 type_set_initialized (type *t, int npc)
603 if (npc != UNINIT && t->pc == npc && t->key == uninitialized_reference_type)
605 t->key = reference_type;
610 /* Mark this type as a particular return address. */
611 static void type_set_return_address (type *t, int npc)
616 /* Return true if this type and type OTHER are considered
617 mergeable for the purposes of state merging. This is related
618 to subroutine handling. For this purpose two types are
619 considered unmergeable if they are both return-addresses but
620 have different PCs. */
622 type_state_mergeable_p (type *t1, type *t2)
624 return (t1->key != return_address_type
625 || t2->key != return_address_type
626 || t1->pc == t2->pc);
629 /* Return true if an object of type K can be assigned to a variable
630 of type T. Handle various special cases too. Might modify
631 T or K. Note however that this does not perform numeric
634 types_compatible (type *t, type *k)
636 /* Any type is compatible with the unsuitable type. */
637 if (k->key == unsuitable_type)
640 if (t->key < reference_type || k->key < reference_type)
641 return t->key == k->key;
643 /* The `null' type is convertible to any initialized reference
645 if (t->key == null_type)
646 return k->key != uninitialized_reference_type;
647 if (k->key == null_type)
648 return t->key != uninitialized_reference_type;
650 /* A special case for a generic reference. */
651 if (t->klass == NULL)
653 if (k->klass == NULL)
654 verify_fail ("programmer error in type::compatible");
656 /* Handle the special 'EITHER' case, which is only used in a
657 special case of 'putfield'. Note that we only need to handle
658 this on the LHS of a check. */
659 if (! type_initialized (t) && t->pc == EITHER)
661 /* If the RHS is uninitialized, it must be an uninitialized
663 if (! type_initialized (k) && k->pc != SELF)
666 else if (type_initialized (t) != type_initialized (k))
668 /* An initialized type and an uninitialized type are not
669 otherwise compatible. */
674 /* Two uninitialized objects are compatible if either:
675 * The PCs are identical, or
676 * One PC is UNINIT. */
677 if (type_initialized (t))
679 if (t->pc != k->pc && t->pc != UNINIT && k->pc != UNINIT)
684 return ref_compatible (t->klass, k->klass);
687 /* Return true if two types are equal. Only valid for reference
690 types_equal (type *t1, type *t2)
692 if ((t1->key != reference_type && t1->key != uninitialized_reference_type)
693 || (t2->key != reference_type
694 && t2->key != uninitialized_reference_type))
696 /* Only single-ref types are allowed. */
697 if (t1->klass->ref_next || t2->klass->ref_next)
699 return refs_equal (t1->klass, t2->klass);
703 type_isvoid (type *t)
705 return t->key == void_type;
709 type_iswide (type *t)
711 return t->key == long_type || t->key == double_type;
714 /* Return number of stack or local variable slots taken by this type. */
718 return type_iswide (t) ? 2 : 1;
722 type_isarray (type *t)
724 /* We treat null_type as not an array. This is ok based on the
725 current uses of this method. */
726 if (t->key == reference_type)
727 return ref_isarray (t->klass);
732 type_isnull (type *t)
734 return t->key == null_type;
738 type_isinterface (type *t)
740 if (t->key != reference_type)
742 return ref_isinterface (t->klass);
746 type_isabstract (type *t)
748 if (t->key != reference_type)
750 return ref_isabstract (t->klass);
753 /* Return the element type of an array. */
755 type_array_element (type *t)
760 if (t->key != reference_type)
761 verify_fail ("programmer error in type::element_type()");
763 k = vfy_get_component_type (ref_getclass (t->klass));
764 if (vfy_is_primitive (k))
765 init_type_from_tag (&et, get_type_val_for_primtype (k));
767 init_type_from_class (&et, k);
771 /* Return the array type corresponding to an initialized
772 reference. We could expand this to work for other kinds of
773 types, but currently we don't need to. */
775 type_to_array (type *t)
780 if (t->key != reference_type)
781 verify_fail ("internal error in type::to_array()");
783 k = ref_getclass (t->klass);
784 init_type_from_class (&at, vfy_get_array_class (k));
789 type_isreference (type *t)
791 return t->key >= reference_type;
795 type_get_pc (type *t)
801 type_initialized (type *t)
803 return t->key == reference_type || t->key == null_type;
807 type_verify_dimensions (type *t, int ndims)
809 /* The way this is written, we don't need to check isarray(). */
810 if (t->key != reference_type)
811 verify_fail ("internal error in verify_dimensions:"
812 " not a reference type");
814 if (ref_count_dimensions (t->klass) < ndims)
815 verify_fail ("array type has fewer dimensions"
819 /* Merge OLD_TYPE into this. On error throw exception. Return
820 true if the merge caused a type change. */
822 merge_types (type *t, type *old_type, bool local_semantics)
824 bool changed = false;
825 bool refo = type_isreference (old_type);
826 bool refn = type_isreference (t);
829 if (old_type->key == null_type)
831 else if (t->key == null_type)
836 else if (type_initialized (t) != type_initialized (old_type))
837 verify_fail ("merging initialized and uninitialized types");
840 ref_intersection *merged;
841 if (! type_initialized (t))
844 t->pc = old_type->pc;
845 else if (old_type->pc == UNINIT)
847 else if (t->pc != old_type->pc)
848 verify_fail ("merging different uninitialized types");
851 merged = merge_refs (old_type->klass, t->klass);
852 if (merged != t->klass)
859 else if (refo || refn || t->key != old_type->key)
863 /* If we already have an `unsuitable' type, then we
864 don't need to change again. */
865 if (t->key != unsuitable_type)
867 t->key = unsuitable_type;
872 verify_fail ("unmergeable type");
884 case boolean_type: c = 'Z'; break;
885 case byte_type: c = 'B'; break;
886 case char_type: c = 'C'; break;
887 case short_type: c = 'S'; break;
888 case int_type: c = 'I'; break;
889 case long_type: c = 'J'; break;
890 case float_type: c = 'F'; break;
891 case double_type: c = 'D'; break;
892 case void_type: c = 'V'; break;
893 case unsuitable_type: c = '-'; break;
894 case return_address_type: c = 'r'; break;
895 case continuation_type: c = '+'; break;
896 case reference_type: c = 'L'; break;
897 case null_type: c = '@'; break;
898 case uninitialized_reference_type: c = 'U'; break;
900 debug_print ("%c", c);
902 #endif /* VERIFY_DEBUG */
904 /* This class holds all the state information we need for a given
908 /* The current top of the stack, in terms of slots. */
910 /* The current depth of the stack. This will be larger than
911 STACKTOP when wide types are on the stack. */
915 /* The local variables. */
917 /* We keep track of the type of `this' specially. This is used to
918 ensure that an instance initializer invokes another initializer
919 on `this' before returning. We must keep track of this
920 specially because otherwise we might be confused by code which
921 assigns to locals[0] (overwriting `this') and then returns
922 without really initializing. */
925 /* The PC for this state. This is only valid on states which are
926 permanently attached to a given PC. For an object like
927 `current_state', which is used transiently, this has no
930 /* We keep a linked list of all states requiring reverification.
931 If this is the special value INVALID_STATE then this state is
932 not on the list. NULL marks the end of the linked list. */
936 /* NO_NEXT is the PC value meaning that a new state must be
937 acquired from the verification list. */
941 init_state_with_stack (state *s, int max_stack, int max_locals)
946 s->stack = (type *) vfy_alloc (max_stack * sizeof (type));
947 for (i = 0; i < max_stack; ++i)
948 init_type_from_tag (&s->stack[i], unsuitable_type);
949 s->locals = (type *) vfy_alloc (max_locals * sizeof (type));
950 for (i = 0; i < max_locals; ++i)
951 init_type_from_tag (&s->locals[i], unsuitable_type);
952 init_type_from_tag (&s->this_type, unsuitable_type);
954 s->next = INVALID_STATE;
958 copy_state (state *s, state *copy, int max_stack, int max_locals)
961 s->stacktop = copy->stacktop;
962 s->stackdepth = copy->stackdepth;
963 for (i = 0; i < max_stack; ++i)
964 s->stack[i] = copy->stack[i];
965 for (i = 0; i < max_locals; ++i)
966 s->locals[i] = copy->locals[i];
968 s->this_type = copy->this_type;
969 /* Don't modify `next' or `pc'. */
973 copy_state_with_stack (state *s, state *orig, int max_stack, int max_locals)
975 init_state_with_stack (s, max_stack, max_locals);
976 copy_state (s, orig, max_stack, max_locals);
979 /* Allocate a new state, copying ORIG. */
981 make_state_copy (state *orig, int max_stack, int max_locals)
983 state *s = (state *) vfy_alloc (sizeof (state));
984 copy_state_with_stack (s, orig, max_stack, max_locals);
989 make_state (int max_stack, int max_locals)
991 state *s = (state *) vfy_alloc (sizeof (state));
992 init_state_with_stack (s, max_stack, max_locals);
997 free_state (state *s)
999 if (s->stack != NULL)
1000 vfy_free (s->stack);
1001 if (s->locals != NULL)
1002 vfy_free (s->locals);
1005 /* Modify this state to reflect entry to an exception handler. */
1007 state_set_exception (state *s, type *t, int max_stack)
1013 for (i = s->stacktop; i < max_stack; ++i)
1014 init_type_from_tag (&s->stack[i], unsuitable_type);
1017 /* Merge STATE_OLD into this state. Destructively modifies this
1018 state. Returns true if the new state was in fact changed.
1019 Will throw an exception if the states are not mergeable. */
1021 merge_states (state *s, state *state_old, int max_locals)
1024 bool changed = false;
1026 /* Special handling for `this'. If one or the other is
1027 uninitialized, then the merge is uninitialized. */
1028 if (type_initialized (&s->this_type))
1029 s->this_type = state_old->this_type;
1032 if (state_old->stacktop != s->stacktop) /* FIXME stackdepth instead? */
1033 verify_fail ("stack sizes differ");
1034 for (i = 0; i < state_old->stacktop; ++i)
1036 if (merge_types (&s->stack[i], &state_old->stack[i], false))
1040 /* Merge local variables. */
1041 for (i = 0; i < max_locals; ++i)
1043 if (merge_types (&s->locals[i], &state_old->locals[i], true))
1050 /* Ensure that `this' has been initialized. */
1052 state_check_this_initialized (state *s)
1054 if (type_isreference (&s->this_type) && ! type_initialized (&s->this_type))
1055 verify_fail ("`this' is uninitialized");
1058 /* Set type of `this'. */
1060 state_set_this_type (state *s, type *k)
1065 /* Mark each `new'd object we know of that was allocated at PC as
1068 state_set_initialized (state *s, int pc, int max_locals)
1071 for (i = 0; i < s->stacktop; ++i)
1072 type_set_initialized (&s->stack[i], pc);
1073 for (i = 0; i < max_locals; ++i)
1074 type_set_initialized (&s->locals[i], pc);
1075 type_set_initialized (&s->this_type, pc);
1078 /* This tests to see whether two states can be considered "merge
1079 compatible". If both states have a return-address in the same
1080 slot, and the return addresses are different, then they are not
1081 compatible and we must not try to merge them. */
1083 state_mergeable_p (state *s, state *other, int max_locals)
1088 /* This is tricky: if the stack sizes differ, then not only are
1089 these not mergeable, but in fact we should give an error, as
1090 we've found two execution paths that reach a branch target
1091 with different stack depths. FIXME stackdepth instead? */
1092 if (s->stacktop != other->stacktop)
1093 verify_fail ("stack sizes differ");
1095 for (i = 0; i < s->stacktop; ++i)
1096 if (! type_state_mergeable_p (&s->stack[i], &other->stack[i]))
1098 for (i = 0; i < max_locals; ++i)
1099 if (! type_state_mergeable_p (&s->locals[i], &other->locals[i]))
1105 state_reverify (state *s)
1107 if (s->next == INVALID_STATE)
1109 s->next = vfr->next_verify_state;
1110 vfr->next_verify_state = s;
1116 debug_print_state (state *s, const char *leader, int pc, int max_stack,
1120 debug_print ("%s [%4d]: [stack] ", leader, pc);
1121 for (i = 0; i < s->stacktop; ++i)
1122 type_print (&s->stack[i]);
1123 for (; i < max_stack; ++i)
1125 debug_print (" [local] ");
1126 for (i = 0; i < max_locals; ++i)
1127 type_print (&s->locals[i]);
1128 debug_print (" | %p\n", s);
1132 debug_print_state (state *s ATTRIBUTE_UNUSED,
1133 const char *leader ATTRIBUTE_UNUSED,
1134 int pc ATTRIBUTE_UNUSED, int max_stack ATTRIBUTE_UNUSED,
1135 int max_locals ATTRIBUTE_UNUSED)
1138 #endif /* VERIFY_DEBUG */
1144 state *s = vfr->current_state;
1145 if (s->stacktop <= 0)
1146 verify_fail ("stack empty");
1147 r = s->stack[--s->stacktop];
1148 s->stackdepth -= type_depth (&r);
1149 if (s->stackdepth < 0)
1150 verify_fail_pc ("stack empty", vfr->start_PC);
1157 type r = pop_raw ();
1158 if (type_iswide (&r))
1159 verify_fail ("narrow pop of wide type");
1164 vfy_pop_type_t (type match)
1167 vfy_promote_type (&match);
1169 if (! types_compatible (&match, &t))
1170 verify_fail ("incompatible type on stack");
1175 vfy_pop_type (type_val match)
1177 type t = make_type (match);
1178 return vfy_pop_type_t (t);
1181 #define pop_type vfy_pop_type
1182 #define pop_type_t vfy_pop_type_t
1184 /* Pop a reference which is guaranteed to be initialized. MATCH
1185 doesn't have to be a reference type; in this case this acts like
1188 pop_init_ref_t (type match)
1190 type t = pop_raw ();
1191 if (type_isreference (&t) && ! type_initialized (&t))
1192 verify_fail ("initialized reference required");
1193 else if (! types_compatible (&match, &t))
1194 verify_fail ("incompatible type on stack");
1199 pop_init_ref (type_val match)
1201 type t = make_type (match);
1202 return pop_init_ref_t (t);
1205 /* Pop a reference type or a return address. */
1207 pop_ref_or_return (void)
1209 type t = pop_raw ();
1210 if (! type_isreference (&t) && t.key != return_address_type)
1211 verify_fail ("expected reference or return address on stack");
1216 vfy_push_type_t (type t)
1219 state *s = vfr->current_state;
1220 /* If T is a numeric type like short, promote it to int. */
1223 depth = type_depth (&t);
1225 if (s->stackdepth + depth > vfr->current_method->max_stack)
1226 verify_fail ("stack overflow");
1227 s->stack[s->stacktop++] = t;
1228 s->stackdepth += depth;
1232 vfy_push_type (type_val tval)
1234 type t = make_type (tval);
1235 vfy_push_type_t (t);
1238 #define push_type vfy_push_type
1239 #define push_type_t vfy_push_type_t
1242 set_variable (int index, type t)
1245 state *s = vfr->current_state;
1246 /* If T is a numeric type like short, promote it to int. */
1249 depth = type_depth (&t);
1250 if (index > vfr->current_method->max_locals - depth)
1251 verify_fail ("invalid local variable");
1252 s->locals[index] = t;
1255 init_type_from_tag (&s->locals[index + 1], continuation_type);
1256 if (index > 0 && type_iswide (&s->locals[index - 1]))
1257 init_type_from_tag (&s->locals[index - 1], unsuitable_type);
1261 get_variable_t (int index, type *t)
1263 state *s = vfr->current_state;
1264 int depth = type_depth (t);
1265 if (index > vfr->current_method->max_locals - depth)
1266 verify_fail ("invalid local variable");
1267 if (! types_compatible (t, &s->locals[index]))
1268 verify_fail ("incompatible type in local variable");
1271 type cont = make_type (continuation_type);
1272 if (! types_compatible (&s->locals[index + 1], &cont))
1273 verify_fail ("invalid local variable");
1275 return s->locals[index];
1279 get_variable (int index, type_val v)
1281 type t = make_type (v);
1282 return get_variable_t (index, &t);
1285 /* Make sure ARRAY is an array type and that its elements are
1286 compatible with type ELEMENT. Returns the actual element type. */
1288 require_array_type_t (type array, type element)
1291 /* An odd case. Here we just pretend that everything went ok. If
1292 the requested element type is some kind of reference, return
1293 the null type instead. */
1294 if (type_isnull (&array))
1295 return type_isreference (&element) ? make_type (null_type) : element;
1297 if (! type_isarray (&array))
1298 verify_fail ("array required");
1300 t = type_array_element (&array);
1301 if (! types_compatible (&element, &t))
1303 /* Special case for byte arrays, which must also be boolean
1306 if (element.key == byte_type)
1308 type e2 = make_type (boolean_type);
1309 ok = types_compatible (&e2, &t);
1312 verify_fail ("incompatible array element type");
1315 /* Return T and not ELEMENT, because T might be specialized. */
1320 require_array_type (type array, type_val element)
1322 type t = make_type (element);
1323 return require_array_type_t (array, t);
1329 if (vfr->PC >= vfr->current_method->code_length)
1330 verify_fail ("premature end of bytecode");
1331 return (jint) vfr->bytecode[vfr->PC++] & 0xff;
1337 jint b1 = get_byte ();
1338 jint b2 = get_byte ();
1339 return (jint) ((b1 << 8) | b2) & 0xffff;
1345 signed char b1 = (signed char) get_byte ();
1346 jint b2 = get_byte ();
1347 jshort s = (b1 << 8) | b2;
1354 jint b1 = get_byte ();
1355 jint b2 = get_byte ();
1356 jint b3 = get_byte ();
1357 jint b4 = get_byte ();
1358 jword result = (b1 << 24) | (b2 << 16) | (b3 << 8) | b4;
1359 /* In the compiler, 'jint' might have more than 32 bits, so we must
1361 return WORD_TO_INT (result);
1365 compute_jump (int offset)
1367 int npc = vfr->start_PC + offset;
1368 if (npc < 0 || npc >= vfr->current_method->code_length)
1369 verify_fail_pc ("branch out of range", vfr->start_PC);
1373 /* Add a new state to the state list at NPC. */
1375 add_new_state (int npc, state *old_state)
1378 vfy_method *current_method = vfr->current_method;
1379 state *new_state = make_state_copy (old_state, current_method->max_stack,
1380 current_method->max_locals);
1381 debug_print ("== New state in add_new_state\n");
1382 debug_print_state (new_state, "New", npc, current_method->max_stack,
1383 current_method->max_locals);
1385 nlink = (state_list *) vfy_alloc (sizeof (state_list));
1386 nlink->val = new_state;
1387 nlink->next = vfr->states[npc];
1388 vfr->states[npc] = nlink;
1389 new_state->pc = npc;
1393 /* Merge the indicated state into the state at the branch target and
1394 schedule a new PC if there is a change. NPC is the PC of the
1395 branch target, and FROM_STATE is the state at the source of the
1396 branch. This method returns true if the destination state
1397 changed and requires reverification, false otherwise. */
1399 merge_into (int npc, state *from_state)
1401 /* Iterate over all target states and merge our state into each,
1402 if applicable. FIXME one improvement we could make here is
1403 "state destruction". Merging a new state into an existing one
1404 might cause a return_address_type to be merged to
1405 unsuitable_type. In this case the resulting state may now be
1406 mergeable with other states currently held in parallel at this
1407 location. So in this situation we could pairwise compare and
1408 reduce the number of parallel states. */
1410 bool applicable = false;
1411 for (iter = vfr->states[npc]; iter != NULL; iter = iter->next)
1413 state *new_state = iter->val;
1414 vfy_method *current_method = vfr->current_method;
1416 if (state_mergeable_p (new_state, from_state,
1417 current_method->max_locals))
1422 debug_print ("== Merge states in merge_into\n");
1423 debug_print_state (from_state, "Frm", vfr->start_PC, current_method->max_stack,
1424 current_method->max_locals);
1425 debug_print_state (new_state, " To", npc, current_method->max_stack,
1426 current_method->max_locals);
1427 changed = merge_states (new_state, from_state,
1428 current_method->max_locals);
1429 debug_print_state (new_state, "New", npc, current_method->max_stack,
1430 current_method->max_locals);
1433 state_reverify (new_state);
1439 /* Either we don't yet have a state at NPC, or we have a
1440 return-address type that is in conflict with all existing
1441 state. So, we need to create a new entry. */
1442 state *new_state = add_new_state (npc, from_state);
1443 /* A new state added in this way must always be reverified. */
1444 state_reverify (new_state);
1449 push_jump (int offset)
1451 int npc = compute_jump (offset);
1452 /* According to the JVM Spec, we need to check for uninitialized
1453 objects here. However, this does not actually affect type
1454 safety, and the Eclipse java compiler generates code that
1455 violates this constraint. */
1456 merge_into (npc, vfr->current_state);
1460 push_exception_jump (type t, int pc)
1463 /* According to the JVM Spec, we need to check for uninitialized
1464 objects here. However, this does not actually affect type
1465 safety, and the Eclipse java compiler generates code that
1466 violates this constraint. */
1467 copy_state_with_stack (&s, vfr->current_state,
1468 vfr->current_method->max_stack,
1469 vfr->current_method->max_locals);
1470 if (vfr->current_method->max_stack < 1)
1471 verify_fail ("stack overflow at exception handler");
1472 state_set_exception (&s, &t, vfr->current_method->max_stack);
1473 merge_into (pc, &s);
1474 /* FIXME: leak.. need free_state or GC */
1480 state *new_state = vfr->next_verify_state;
1481 if (new_state == INVALID_STATE)
1482 verify_fail ("programmer error in pop_jump");
1483 if (new_state != NULL)
1485 vfr->next_verify_state = new_state->next;
1486 new_state->next = INVALID_STATE;
1492 invalidate_pc (void)
1498 note_branch_target (int pc)
1500 /* Don't check `pc <= PC', because we've advanced PC after
1501 fetching the target and we haven't yet checked the next
1503 if (pc < vfr->PC && ! (vfr->flags[pc] & FLAG_INSN_START))
1504 verify_fail_pc ("branch not to instruction start", vfr->start_PC);
1505 vfr->flags[pc] |= FLAG_BRANCH_TARGET;
1511 while ((vfr->PC % 4) > 0)
1512 if (get_byte () != 0)
1513 verify_fail ("found nonzero padding byte");
1516 /* Do the work for a `ret' instruction. INDEX is the index into the
1519 handle_ret_insn (int index)
1521 type ret = make_type (return_address_type);
1522 type ret_addr = get_variable_t (index, &ret);
1523 /* It would be nice if we could do this. However, the JVM Spec
1524 doesn't say that this is what happens. It is implied that
1525 reusing a return address is invalid, but there's no actual
1526 prohibition against it. */
1527 /* set_variable (index, unsuitable_type); */
1529 int npc = type_get_pc (&ret_addr);
1530 /* We might be returning to a `jsr' that is at the end of the
1531 bytecode. This is ok if we never return from the called
1532 subroutine, but if we see this here it is an error. */
1533 if (npc >= vfr->current_method->code_length)
1534 verify_fail ("fell off end");
1536 /* According to the JVM Spec, we need to check for uninitialized
1537 objects here. However, this does not actually affect type
1538 safety, and the Eclipse java compiler generates code that
1539 violates this constraint. */
1540 merge_into (npc, vfr->current_state);
1544 static void handle_jsr_insn (int offset)
1547 int npc = compute_jump (offset);
1549 /* According to the JVM Spec, we need to check for uninitialized
1550 objects here. However, this does not actually affect type
1551 safety, and the Eclipse java compiler generates code that
1552 violates this constraint. */
1554 /* Modify our state as appropriate for entry into a subroutine. */
1555 ret_addr = make_type (return_address_type);
1556 type_set_return_address (&ret_addr, vfr->PC);
1557 vfy_push_type_t (ret_addr);
1558 merge_into (npc, vfr->current_state);
1563 construct_primitive_array_type (type_val prim)
1565 vfy_jclass k = NULL;
1576 k = vfy_get_primitive_type ((int) prim);
1579 /* These aren't used here but we call them out to avoid
1582 case unsuitable_type:
1583 case return_address_type:
1584 case continuation_type:
1585 case reference_type:
1587 case uninitialized_reference_type:
1589 verify_fail ("unknown type in construct_primitive_array_type");
1591 k = vfy_get_array_class (k);
1595 /* This pass computes the location of branch targets and also
1596 instruction starts. */
1598 branch_prepass (void)
1601 vfr->flags = (char *) vfy_alloc (vfr->current_method->code_length);
1603 for (i = 0; i < vfr->current_method->code_length; ++i)
1607 while (vfr->PC < vfr->current_method->code_length)
1610 /* Set `start_PC' early so that error checking can have the
1612 vfr->start_PC = vfr->PC;
1613 vfr->flags[vfr->PC] |= FLAG_INSN_START;
1615 opcode = (java_opcode) vfr->bytecode[vfr->PC++];
1619 case op_aconst_null:
1755 case op_monitorenter:
1756 case op_monitorexit:
1764 case op_arraylength:
1796 case op_invokespecial:
1797 case op_invokestatic:
1798 case op_invokevirtual:
1802 case op_multianewarray:
1825 note_branch_target (compute_jump (get_short ()));
1828 case op_tableswitch:
1832 note_branch_target (compute_jump (get_int ()));
1836 verify_fail_pc ("invalid tableswitch", vfr->start_PC);
1837 for (i = low; i <= hi; ++i)
1838 note_branch_target (compute_jump (get_int ()));
1842 case op_lookupswitch:
1846 note_branch_target (compute_jump (get_int ()));
1847 npairs = get_int ();
1849 verify_fail_pc ("too few pairs in lookupswitch", vfr->start_PC);
1850 while (npairs-- > 0)
1853 note_branch_target (compute_jump (get_int ()));
1858 case op_invokeinterface:
1866 opcode = (java_opcode) get_byte ();
1868 if (opcode == op_iinc)
1875 note_branch_target (compute_jump (get_int ()));
1879 /* These are unused here, but we call them out explicitly
1880 so that -Wswitch-enum doesn't complain. */
1886 case op_putstatic_1:
1887 case op_putstatic_2:
1888 case op_putstatic_4:
1889 case op_putstatic_8:
1890 case op_putstatic_a:
1892 case op_getfield_2s:
1893 case op_getfield_2u:
1897 case op_getstatic_1:
1898 case op_getstatic_2s:
1899 case op_getstatic_2u:
1900 case op_getstatic_4:
1901 case op_getstatic_8:
1902 case op_getstatic_a:
1903 #endif /* VFY_FAST_OPCODES */
1905 verify_fail_pc ("unrecognized instruction in branch_prepass",
1909 /* See if any previous branch tried to branch to the middle of
1910 this instruction. */
1911 for (pc = vfr->start_PC + 1; pc < vfr->PC; ++pc)
1913 if ((vfr->flags[pc] & FLAG_BRANCH_TARGET))
1914 verify_fail_pc ("branch to middle of instruction", pc);
1918 /* Verify exception handlers. */
1919 for (i = 0; i < vfr->current_method->exc_count; ++i)
1921 int handler, start, end, htype;
1922 vfy_get_exception (vfr->exception, i, &handler, &start, &end, &htype);
1923 if (! (vfr->flags[handler] & FLAG_INSN_START))
1924 verify_fail_pc ("exception handler not at instruction start",
1926 if (! (vfr->flags[start] & FLAG_INSN_START))
1927 verify_fail_pc ("exception start not at instruction start", start);
1928 if (end != vfr->current_method->code_length
1929 && ! (vfr->flags[end] & FLAG_INSN_START))
1930 verify_fail_pc ("exception end not at instruction start", end);
1932 vfr->flags[handler] |= FLAG_BRANCH_TARGET;
1937 check_pool_index (int index)
1939 if (index < 0 || index >= vfy_get_constants_size (vfr->current_class))
1940 verify_fail_pc ("constant pool index out of range", vfr->start_PC);
1944 check_class_constant (int index)
1946 type t = { (type_val) 0, 0, 0 };
1947 vfy_constants *pool;
1949 check_pool_index (index);
1950 pool = vfy_get_constants (vfr->current_class);
1951 if (vfy_tag (pool, index) == JV_CONSTANT_ResolvedClass)
1952 init_type_from_class (&t, vfy_get_pool_class (pool, index));
1953 else if (vfy_tag (pool, index) == JV_CONSTANT_Class)
1954 init_type_from_string (&t, vfy_get_pool_string (pool, index));
1956 verify_fail_pc ("expected class constant", vfr->start_PC);
1961 check_constant (int index)
1963 type t = { (type_val) 0, 0, 0 };
1964 vfy_constants *pool;
1966 check_pool_index (index);
1967 pool = vfy_get_constants (vfr->current_class);
1968 if (vfy_tag (pool, index) == JV_CONSTANT_ResolvedString
1969 || vfy_tag (pool, index) == JV_CONSTANT_String)
1970 init_type_from_class (&t, vfy_string_type ());
1971 else if (vfy_tag (pool, index) == JV_CONSTANT_Integer)
1972 init_type_from_tag (&t, int_type);
1973 else if (vfy_tag (pool, index) == JV_CONSTANT_Float)
1974 init_type_from_tag (&t, float_type);
1975 else if (vfy_tag (pool, index) == JV_CONSTANT_Class
1976 || vfy_tag (pool, index) == JV_CONSTANT_ResolvedClass)
1977 /* FIXME: should only allow this for 1.5 bytecode. */
1978 init_type_from_class (&t, vfy_class_type ());
1980 verify_fail_pc ("String, int, or float constant expected", vfr->start_PC);
1985 check_wide_constant (int index)
1987 type t = { (type_val) 0, 0, 0 };
1988 vfy_constants *pool;
1990 check_pool_index (index);
1991 pool = vfy_get_constants (vfr->current_class);
1992 if (vfy_tag (pool, index) == JV_CONSTANT_Long)
1993 init_type_from_tag (&t, long_type);
1994 else if (vfy_tag (pool, index) == JV_CONSTANT_Double)
1995 init_type_from_tag (&t, double_type);
1997 verify_fail_pc ("long or double constant expected", vfr->start_PC);
2001 /* Helper for both field and method. These are laid out the same in
2002 the constant pool. */
2004 handle_field_or_method (int index, int expected,
2005 vfy_string *name, vfy_string *fmtype)
2007 vfy_uint_16 class_index, name_and_type_index;
2008 vfy_uint_16 name_index, desc_index;
2009 vfy_constants *pool;
2011 check_pool_index (index);
2012 pool = vfy_get_constants (vfr->current_class);
2013 if (vfy_tag (pool, index) != expected)
2014 verify_fail_pc ("didn't see expected constant", vfr->start_PC);
2015 /* Once we know we have a Fieldref or Methodref we assume that it
2016 is correctly laid out in the constant pool. I think the code
2017 in defineclass.cc guarantees this. */
2018 vfy_load_indexes (pool, index, &class_index, &name_and_type_index);
2019 vfy_load_indexes (pool, name_and_type_index, &name_index, &desc_index);
2021 *name = vfy_get_pool_string (pool, name_index);
2022 *fmtype = vfy_get_pool_string (pool, desc_index);
2024 return check_class_constant (class_index);
2027 /* Return field's type, compute class' type if requested. If
2028 PUTFIELD is true, use the special 'putfield' semantics. */
2030 check_field_constant (int index, type *class_type, bool putfield)
2032 vfy_string name, field_type;
2036 type ct = handle_field_or_method (index,
2037 JV_CONSTANT_Fieldref,
2038 &name, &field_type);
2041 typec = vfy_string_bytes (field_type);
2042 if (typec[0] == '[' || typec[0] == 'L')
2043 init_type_from_string (&t, field_type);
2045 init_type_from_tag (&t, get_type_val_for_signature (typec[0]));
2047 /* We have an obscure special case here: we can use `putfield' on a
2048 field declared in this class, even if `this' has not yet been
2051 && ! type_initialized (&vfr->current_state->this_type)
2052 && vfr->current_state->this_type.pc == SELF
2053 && types_equal (&vfr->current_state->this_type, &ct)
2054 && vfy_class_has_field (vfr->current_class, name, field_type))
2055 /* Note that we don't actually know whether we're going to match
2056 against 'this' or some other object of the same type. So,
2057 here we set things up so that it doesn't matter. This relies
2058 on knowing what our caller is up to. */
2059 type_set_uninitialized (class_type, EITHER);
2065 check_method_constant (int index, bool is_interface,
2066 vfy_string *method_name,
2067 vfy_string *method_signature)
2069 return handle_field_or_method (index,
2071 ? JV_CONSTANT_InterfaceMethodref
2072 : JV_CONSTANT_Methodref),
2073 method_name, method_signature);
2077 get_one_type (const char *p, type *t)
2079 const char *start = p;
2099 name = vfy_get_string (start, p - start);
2100 *t = make_type_from_string (name);
2104 /* Casting to jchar here is ok since we are looking at an ASCII
2106 rt = get_type_val_for_signature (v);
2108 if (arraycount == 0)
2110 /* Callers of this function eventually push their arguments on
2111 the stack. So, promote them here. */
2112 type new_t = make_type (rt);
2113 vfy_promote_type (&new_t);
2118 k = construct_primitive_array_type (rt);
2119 while (--arraycount > 0)
2120 k = vfy_get_array_class (k);
2121 *t = make_type_from_class (k);
2126 compute_argument_types (vfy_string signature, type *types)
2129 const char *p = vfy_string_bytes (signature);
2136 p = get_one_type (p, &types[i++]);
2140 compute_return_type (vfy_string signature)
2142 const char *p = vfy_string_bytes (signature);
2147 get_one_type (p, &t);
2152 check_return_type (type onstack)
2154 type rt = compute_return_type (vfy_get_signature (vfr->current_method));
2155 if (! types_compatible (&rt, &onstack))
2156 verify_fail ("incompatible return type");
2159 /* Initialize the stack for the new method. Returns true if this
2160 method is an instance initializer. */
2162 initialize_stack (void)
2166 bool is_init = vfy_strings_equal (vfy_get_method_name (vfr->current_method),
2168 bool is_clinit = vfy_strings_equal (vfy_get_method_name (vfr->current_method),
2171 if (! vfy_is_static (vfr->current_method))
2173 type kurr = make_type_from_class (vfr->current_class);
2176 type_set_uninitialized (&kurr, SELF);
2180 verify_fail ("<clinit> method must be static");
2181 set_variable (0, kurr);
2182 state_set_this_type (vfr->current_state, &kurr);
2188 verify_fail ("<init> method must be non-static");
2191 /* We have to handle wide arguments specially here. */
2192 arg_count = vfy_count_arguments (vfy_get_signature (vfr->current_method));
2194 type *arg_types = (type *) vfy_alloc (arg_count * sizeof (type));
2195 compute_argument_types (vfy_get_signature (vfr->current_method), arg_types);
2196 for (i = 0; i < arg_count; ++i)
2198 set_variable (var, arg_types[i]);
2200 if (type_iswide (&arg_types[i]))
2203 vfy_free (arg_types);
2210 verify_instructions_0 (void)
2215 vfr->current_state = make_state (vfr->current_method->max_stack,
2216 vfr->current_method->max_locals);
2221 /* True if we are verifying an instance initializer. */
2222 this_is_init = initialize_stack ();
2224 vfr->states = (state_list **) vfy_alloc (sizeof (state_list *)
2225 * vfr->current_method->code_length);
2227 for (i = 0; i < vfr->current_method->code_length; ++i)
2228 vfr->states[i] = NULL;
2230 vfr->next_verify_state = NULL;
2236 /* If the PC was invalidated, get a new one from the work list. */
2237 if (vfr->PC == NO_NEXT)
2239 state *new_state = pop_jump ();
2240 /* If it is null, we're done. */
2241 if (new_state == NULL)
2244 vfr->PC = new_state->pc;
2245 debug_print ("== State pop from pending list\n");
2246 /* Set up the current state. */
2247 copy_state (vfr->current_state, new_state,
2248 vfr->current_method->max_stack, vfr->current_method->max_locals);
2252 /* We only have to do this checking in the situation where
2253 control flow falls through from the previous instruction.
2254 Otherwise merging is done at the time we push the branch.
2255 Note that we'll catch the off-the-end problem just
2257 if (vfr->PC < vfr->current_method->code_length
2258 && vfr->states[vfr->PC] != NULL)
2260 /* We've already visited this instruction. So merge
2261 the states together. It is simplest, but not most
2262 efficient, to just always invalidate the PC here. */
2263 merge_into (vfr->PC, vfr->current_state);
2269 /* Control can't fall off the end of the bytecode. We need to
2270 check this in both cases, not just the fall-through case,
2271 because we don't check to see whether a `jsr' appears at
2272 the end of the bytecode until we process a `ret'. */
2273 if (vfr->PC >= vfr->current_method->code_length)
2274 verify_fail ("fell off end");
2275 vfr->flags[vfr->PC] |= FLAG_INSN_SEEN;
2277 /* We only have to keep saved state at branch targets. If
2278 we're at a branch target and the state here hasn't been set
2279 yet, we set it now. You might notice that `ret' targets
2280 won't necessarily have FLAG_BRANCH_TARGET set. This
2281 doesn't matter, since those states will be filled in by
2283 /* Note that other parts of the compiler assume that there is a
2284 label with a type map at PC=0. */
2285 if (vfr->states[vfr->PC] == NULL
2286 && (vfr->PC == 0 || (vfr->flags[vfr->PC] & FLAG_BRANCH_TARGET) != 0))
2287 add_new_state (vfr->PC, vfr->current_state);
2289 /* Set this before handling exceptions so that debug output is
2291 vfr->start_PC = vfr->PC;
2293 /* Update states for all active exception handlers. Ordinarily
2294 there are not many exception handlers. So we simply run
2295 through them all. */
2296 for (i = 0; i < vfr->current_method->exc_count; ++i)
2298 int hpc, start, end, htype;
2299 vfy_get_exception (vfr->exception, i, &hpc, &start, &end, &htype);
2300 if (vfr->PC >= start && vfr->PC < end)
2302 type handler = make_type_from_class (vfy_throwable_type ());
2304 handler = check_class_constant (htype);
2305 push_exception_jump (handler, hpc);
2310 debug_print_state (vfr->current_state, " ", vfr->PC,
2311 vfr->current_method->max_stack,
2312 vfr->current_method->max_locals);
2313 opcode = (java_opcode) vfr->bytecode[vfr->PC++];
2319 case op_aconst_null:
2320 push_type (null_type);
2330 push_type (int_type);
2335 push_type (long_type);
2341 push_type (float_type);
2346 push_type (double_type);
2351 push_type (int_type);
2356 push_type (int_type);
2360 push_type_t (check_constant (get_byte ()));
2363 push_type_t (check_constant (get_ushort ()));
2366 push_type_t (check_wide_constant (get_ushort ()));
2370 push_type_t (get_variable (get_byte (), int_type));
2373 push_type_t (get_variable (get_byte (), long_type));
2376 push_type_t (get_variable (get_byte (), float_type));
2379 push_type_t (get_variable (get_byte (), double_type));
2382 push_type_t (get_variable (get_byte (), reference_type));
2389 push_type_t (get_variable (opcode - op_iload_0, int_type));
2395 push_type_t (get_variable (opcode - op_lload_0, long_type));
2401 push_type_t (get_variable (opcode - op_fload_0, float_type));
2407 push_type_t (get_variable (opcode - op_dload_0, double_type));
2413 push_type_t (get_variable (opcode - op_aload_0, reference_type));
2416 pop_type (int_type);
2417 push_type_t (require_array_type (pop_init_ref (reference_type),
2421 pop_type (int_type);
2422 push_type_t (require_array_type (pop_init_ref (reference_type),
2426 pop_type (int_type);
2427 push_type_t (require_array_type (pop_init_ref (reference_type),
2431 pop_type (int_type);
2432 push_type_t (require_array_type (pop_init_ref (reference_type),
2436 pop_type (int_type);
2437 push_type_t (require_array_type (pop_init_ref (reference_type),
2441 pop_type (int_type);
2442 require_array_type (pop_init_ref (reference_type), byte_type);
2443 push_type (int_type);
2446 pop_type (int_type);
2447 require_array_type (pop_init_ref (reference_type), char_type);
2448 push_type (int_type);
2451 pop_type (int_type);
2452 require_array_type (pop_init_ref (reference_type), short_type);
2453 push_type (int_type);
2456 set_variable (get_byte (), pop_type (int_type));
2459 set_variable (get_byte (), pop_type (long_type));
2462 set_variable (get_byte (), pop_type (float_type));
2465 set_variable (get_byte (), pop_type (double_type));
2468 set_variable (get_byte (), pop_ref_or_return ());
2474 set_variable (opcode - op_istore_0, pop_type (int_type));
2480 set_variable (opcode - op_lstore_0, pop_type (long_type));
2486 set_variable (opcode - op_fstore_0, pop_type (float_type));
2492 set_variable (opcode - op_dstore_0, pop_type (double_type));
2498 set_variable (opcode - op_astore_0, pop_ref_or_return ());
2501 pop_type (int_type);
2502 pop_type (int_type);
2503 require_array_type (pop_init_ref (reference_type), int_type);
2506 pop_type (long_type);
2507 pop_type (int_type);
2508 require_array_type (pop_init_ref (reference_type), long_type);
2511 pop_type (float_type);
2512 pop_type (int_type);
2513 require_array_type (pop_init_ref (reference_type), float_type);
2516 pop_type (double_type);
2517 pop_type (int_type);
2518 require_array_type (pop_init_ref (reference_type), double_type);
2521 pop_type (reference_type);
2522 pop_type (int_type);
2523 require_array_type (pop_init_ref (reference_type), reference_type);
2526 pop_type (int_type);
2527 pop_type (int_type);
2528 require_array_type (pop_init_ref (reference_type), byte_type);
2531 pop_type (int_type);
2532 pop_type (int_type);
2533 require_array_type (pop_init_ref (reference_type), char_type);
2536 pop_type (int_type);
2537 pop_type (int_type);
2538 require_array_type (pop_init_ref (reference_type), short_type);
2545 type t = pop_raw ();
2546 if (! type_iswide (&t))
2569 type t2 = pop_raw ();
2570 if (! type_iswide (&t2))
2584 type t = pop_raw ();
2585 if (! type_iswide (&t))
2599 type t1 = pop_raw ();
2601 if (! type_iswide (&t1))
2616 type t1 = pop_raw ();
2617 if (type_iswide (&t1))
2619 type t2 = pop_raw ();
2620 if (type_iswide (&t2))
2637 type t3 = pop_raw ();
2638 if (type_iswide (&t3))
2675 pop_type (int_type);
2676 push_type_t (pop_type (int_type));
2686 pop_type (long_type);
2687 push_type_t (pop_type (long_type));
2692 pop_type (int_type);
2693 push_type_t (pop_type (long_type));
2700 pop_type (float_type);
2701 push_type_t (pop_type (float_type));
2708 pop_type (double_type);
2709 push_type_t (pop_type (double_type));
2715 push_type_t (pop_type (int_type));
2718 push_type_t (pop_type (long_type));
2721 push_type_t (pop_type (float_type));
2724 push_type_t (pop_type (double_type));
2727 get_variable (get_byte (), int_type);
2731 pop_type (int_type);
2732 push_type (long_type);
2735 pop_type (int_type);
2736 push_type (float_type);
2739 pop_type (int_type);
2740 push_type (double_type);
2743 pop_type (long_type);
2744 push_type (int_type);
2747 pop_type (long_type);
2748 push_type (float_type);
2751 pop_type (long_type);
2752 push_type (double_type);
2755 pop_type (float_type);
2756 push_type (int_type);
2759 pop_type (float_type);
2760 push_type (long_type);
2763 pop_type (float_type);
2764 push_type (double_type);
2767 pop_type (double_type);
2768 push_type (int_type);
2771 pop_type (double_type);
2772 push_type (long_type);
2775 pop_type (double_type);
2776 push_type (float_type);
2779 pop_type (long_type);
2780 pop_type (long_type);
2781 push_type (int_type);
2785 pop_type (float_type);
2786 pop_type (float_type);
2787 push_type (int_type);
2791 pop_type (double_type);
2792 pop_type (double_type);
2793 push_type (int_type);
2801 pop_type (int_type);
2802 push_jump (get_short ());
2810 pop_type (int_type);
2811 pop_type (int_type);
2812 push_jump (get_short ());
2816 pop_type (reference_type);
2817 pop_type (reference_type);
2818 push_jump (get_short ());
2821 push_jump (get_short ());
2825 handle_jsr_insn (get_short ());
2828 handle_ret_insn (get_byte ());
2830 case op_tableswitch:
2834 pop_type (int_type);
2836 push_jump (get_int ());
2839 /* Already checked LOW -vs- HIGH. */
2840 for (i = low; i <= high; ++i)
2841 push_jump (get_int ());
2846 case op_lookupswitch:
2849 jint npairs, lastkey;
2851 pop_type (int_type);
2853 push_jump (get_int ());
2854 npairs = get_int ();
2855 /* Already checked NPAIRS >= 0. */
2857 for (i = 0; i < npairs; ++i)
2859 jint key = get_int ();
2860 if (i > 0 && key <= lastkey)
2861 verify_fail_pc ("lookupswitch pairs unsorted", vfr->start_PC);
2863 push_jump (get_int ());
2869 check_return_type (pop_type (int_type));
2873 check_return_type (pop_type (long_type));
2877 check_return_type (pop_type (float_type));
2881 check_return_type (pop_type (double_type));
2885 check_return_type (pop_init_ref (reference_type));
2889 /* We only need to check this when the return type is void,
2890 because all instance initializers return void. We also
2891 need to special-case Object constructors, as they can't
2892 call a superclass <init>. */
2893 if (this_is_init && vfr->current_class != vfy_object_type ())
2894 state_check_this_initialized (vfr->current_state);
2895 check_return_type (make_type (void_type));
2899 push_type_t (check_field_constant (get_ushort (), NULL, false));
2902 pop_type_t (check_field_constant (get_ushort (), NULL, false));
2907 type field = check_field_constant (get_ushort (), &klass, false);
2909 push_type_t (field);
2915 type field = check_field_constant (get_ushort (), &klass, true);
2921 case op_invokevirtual:
2922 case op_invokespecial:
2923 case op_invokestatic:
2924 case op_invokeinterface:
2926 vfy_string method_name, method_signature;
2930 bool is_init = false;
2933 = check_method_constant (get_ushort (),
2934 opcode == op_invokeinterface,
2937 /* NARGS is only used when we're processing
2938 invokeinterface. It is simplest for us to compute it
2939 here and then verify it later. */
2941 if (opcode == op_invokeinterface)
2943 nargs = get_byte ();
2944 if (get_byte () != 0)
2945 verify_fail ("invokeinterface dummy byte is wrong");
2948 namec = vfy_string_bytes (method_name);
2950 if (vfy_strings_equal (method_name, vfy_init_name()))
2953 if (opcode != op_invokespecial)
2954 verify_fail ("can't invoke <init>");
2956 else if (namec[0] == '<')
2957 verify_fail ("can't invoke method starting with `<'");
2959 arg_count = vfy_count_arguments (method_signature);
2961 /* Pop arguments and check types. */
2962 type *arg_types = (type *) vfy_alloc (arg_count * sizeof (type));
2964 compute_argument_types (method_signature, arg_types);
2965 for (i = arg_count - 1; i >= 0; --i)
2967 /* This is only used for verifying the byte for
2969 nargs -= type_depth (&arg_types[i]);
2970 pop_init_ref_t (arg_types[i]);
2973 vfy_free (arg_types);
2976 if (opcode == op_invokeinterface
2978 verify_fail ("wrong argument count for invokeinterface");
2980 if (opcode != op_invokestatic)
2983 type t = class_type;
2986 /* In this case the PC doesn't matter. */
2987 type_set_uninitialized (&t, UNINIT);
2988 /* FIXME: check to make sure that the <init>
2989 call is to the right class.
2990 It must either be super or an exact class
2994 if (! types_compatible (&t, &raw))
2995 verify_fail ("incompatible type on stack");
2998 state_set_initialized (vfr->current_state,
2999 type_get_pc (&raw), vfr->current_method->max_locals);
3002 rt = compute_return_type (method_signature);
3003 if (! type_isvoid (&rt))
3010 type t = check_class_constant (get_ushort ());
3011 if (type_isarray (&t) || type_isinterface (&t)
3012 || type_isabstract (&t))
3013 verify_fail ("type is array, interface, or abstract");
3014 type_set_uninitialized (&t, vfr->start_PC);
3021 int atype = get_byte ();
3024 /* We intentionally have chosen constants to make this
3026 if (atype < boolean_type || atype > long_type)
3027 verify_fail_pc ("type not primitive", vfr->start_PC);
3028 pop_type (int_type);
3029 k = construct_primitive_array_type ((type_val) atype);
3030 init_type_from_class (&t, k);
3037 pop_type (int_type);
3038 t = check_class_constant (get_ushort ());
3039 push_type_t (type_to_array (&t));
3042 case op_arraylength:
3044 type t = pop_init_ref (reference_type);
3045 if (! type_isarray (&t) && ! type_isnull (&t))
3046 verify_fail ("array type expected");
3047 push_type (int_type);
3051 pop_type_t (make_type_from_class (vfy_throwable_type ()));
3055 pop_init_ref (reference_type);
3056 push_type_t (check_class_constant (get_ushort ()));
3059 pop_init_ref (reference_type);
3060 check_class_constant (get_ushort ());
3061 push_type (int_type);
3063 case op_monitorenter:
3064 pop_init_ref (reference_type);
3066 case op_monitorexit:
3067 pop_init_ref (reference_type);
3071 switch (get_byte ())
3074 push_type_t (get_variable (get_ushort (), int_type));
3077 push_type_t (get_variable (get_ushort (), long_type));
3080 push_type_t (get_variable (get_ushort (), float_type));
3083 push_type_t (get_variable (get_ushort (), double_type));
3086 push_type_t (get_variable (get_ushort (), reference_type));
3089 set_variable (get_ushort (), pop_type (int_type));
3092 set_variable (get_ushort (), pop_type (long_type));
3095 set_variable (get_ushort (), pop_type (float_type));
3098 set_variable (get_ushort (), pop_type (double_type));
3101 set_variable (get_ushort (), pop_init_ref (reference_type));
3104 handle_ret_insn (get_short ());
3107 get_variable (get_ushort (), int_type);
3111 verify_fail_pc ("unrecognized wide instruction", vfr->start_PC);
3115 case op_multianewarray:
3118 type atype = check_class_constant (get_ushort ());
3119 int dim = get_byte ();
3121 verify_fail_pc ("too few dimensions to multianewarray", vfr->start_PC);
3122 type_verify_dimensions (&atype, dim);
3123 for (i = 0; i < dim; ++i)
3124 pop_type (int_type);
3125 push_type_t (atype);
3130 pop_type (reference_type);
3131 push_jump (get_short ());
3134 push_jump (get_int ());
3138 handle_jsr_insn (get_int ());
3142 /* Unrecognized opcode. */
3143 verify_fail_pc ("unrecognized instruction in verify_instructions_0",
3149 /* This turns a `type' into something suitable for use by the type map
3150 in the other parts of the compiler. In particular, reference types
3151 are mapped to Object, primitive types are unchanged, and other
3152 types are mapped using special functions declared in verify.h. */
3154 collapse_type (type *t)
3167 return vfy_get_primitive_type (t->key);
3169 case unsuitable_type:
3170 case continuation_type:
3171 return vfy_unsuitable_type ();
3173 case return_address_type:
3174 return vfy_return_address_type ();
3177 return vfy_null_type ();
3179 case reference_type:
3180 case uninitialized_reference_type:
3181 return vfy_object_type ();
3188 verify_instructions (void)
3193 verify_instructions_0 ();
3195 /* Now tell the rest of the compiler about the types we've found. */
3196 for (i = 0; i < vfr->current_method->code_length; ++i)
3201 if ((vfr->flags[i] & FLAG_INSN_SEEN) != 0)
3202 vfy_note_instruction_seen (i);
3204 if (! vfr->states[i])
3207 curr = vfr->states[i]->val;
3208 vfy_note_stack_depth (vfr->current_method, i, curr->stackdepth);
3210 /* Tell the compiler about each local variable. */
3211 for (j = 0; j < vfr->current_method->max_locals; ++j)
3212 vfy_note_local_type (vfr->current_method, i, j,
3213 collapse_type (&curr->locals[j]));
3214 /* Tell the compiler about each stack slot. */
3215 for (slot = j = 0; j < curr->stacktop; ++j, ++slot)
3217 vfy_note_stack_type (vfr->current_method, i, slot,
3218 collapse_type (&curr->stack[j]));
3219 if (type_iswide (&curr->stack[j]))
3222 vfy_note_stack_type (vfr->current_method, i, slot,
3223 vfy_unsuitable_type ());
3226 gcc_assert (slot == curr->stackdepth);
3231 make_verifier_context (vfy_method *m)
3233 vfr = (verifier_context *) vfy_alloc (sizeof (struct verifier_context));
3235 vfr->current_method = m;
3236 vfr->bytecode = vfy_get_bytecode (m);
3237 vfr->exception = vfy_get_exceptions (m);
3238 vfr->current_class = m->defining_class;
3242 vfr->utf8_list = NULL;
3243 vfr->isect_list = NULL;
3247 free_verifier_context (void)
3249 vfy_string_list *utf8_list;
3250 ref_intersection *isect_list;
3253 vfy_free (vfr->flags);
3255 utf8_list = vfr->utf8_list;
3256 while (utf8_list != NULL)
3258 vfy_string_list *n = utf8_list->next;
3259 vfy_free (utf8_list);
3263 isect_list = vfr->isect_list;
3264 while (isect_list != NULL)
3266 ref_intersection *next = isect_list->alloc_next;
3267 vfy_free (isect_list);
3271 if (vfr->states != NULL)
3274 for (i = 0; i < vfr->current_method->code_length; ++i)
3276 state_list *iter = vfr->states[i];
3277 while (iter != NULL)
3279 state_list *next = iter->next;
3280 free_state (iter->val);
3281 vfy_free (iter->val);
3286 vfy_free (vfr->states);
3293 verify_method (vfy_method *meth)
3295 debug_print ("verify_method (%s) %i\n", vfy_string_bytes (meth->name),
3299 verify_fail ("verifier re-entered");
3301 make_verifier_context (meth);
3302 verify_instructions ();
3303 free_verifier_context ();
OSDN Git Service
