1 /* Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2008, 2009
2 Free Software Foundation
4 This file is part of libgcj.
6 This software is copyrighted work licensed under the terms of the
7 Libgcj License. Please consult the file "LIBGCJ_LICENSE" for
10 /* Written by Tom Tromey <tromey@redhat.com> */
12 /* Uncomment this to enable debugging output. */
13 /* #define VERIFY_DEBUG */
19 /* Hack to work around namespace pollution from java-tree.h. */
24 #endif /* VERIFY_DEBUG */
26 /* This is used to mark states which are not scheduled for
28 #define INVALID_STATE ((state *) -1)
30 static void ATTRIBUTE_PRINTF_1
31 debug_print (const char *fmt ATTRIBUTE_UNUSED, ...)
36 vfprintf (stderr, fmt, ap);
38 #endif /* VERIFY_DEBUG */
41 /* This started as a fairly ordinary verifier, and for the most part
42 it remains so. It works in the obvious way, by modeling the effect
43 of each opcode as it is encountered. For most opcodes, this is a
44 straightforward operation.
46 This verifier does not do type merging. It used to, but this
47 results in difficulty verifying some relatively simple code
48 involving interfaces, and it pushed some verification work into the
51 Instead of merging reference types, when we reach a point where two
52 flows of control merge, we simply keep the union of reference types
53 from each branch. Then, when we need to verify a fact about a
54 reference on the stack (e.g., that it is compatible with the
55 argument type of a method), we check to ensure that all possible
56 types satisfy the requirement.
58 Another area this verifier differs from the norm is in its handling
59 of subroutines. The JVM specification has some confusing things to
60 say about subroutines. For instance, it makes claims about not
61 allowing subroutines to merge and it rejects recursive subroutines.
62 For the most part these are red herrings; we used to try to follow
63 these things but they lead to problems. For example, the notion of
64 "being in a subroutine" is not well-defined: is an exception
65 handler in a subroutine? If you never execute the `ret' but
66 instead `goto 1' do you remain in the subroutine?
68 For clarity on what is really required for type safety, read
69 "Simple Verification Technique for Complex Java Bytecode
70 Subroutines" by Alessandro Coglio. Among other things this paper
71 shows that recursive subroutines are not harmful to type safety.
72 We implement something similar to what he proposes. Note that this
73 means that this verifier will accept code that is rejected by some
76 For those not wanting to read the paper, the basic observation is
77 that we can maintain split states in subroutines. We maintain one
78 state for each calling `jsr'. In other words, we re-verify a
79 subroutine once for each caller, using the exact types held by the
80 callers (as opposed to the old approach of merging types and
81 keeping a bitmap registering what did or did not change). This
82 approach lets us continue to verify correctly even when a
83 subroutine is exited via `goto' or `athrow' and not `ret'.
85 In some other areas the JVM specification is (mildly) incorrect,
86 so we diverge. For instance, you cannot
87 violate type safety by allocating an object with `new' and then
88 failing to initialize it, no matter how one branches or where one
89 stores the uninitialized reference. See "Improving the official
90 specification of Java bytecode verification" by Alessandro Coglio.
92 Note that there's no real point in enforcing that padding bytes or
93 the mystery byte of invokeinterface must be 0, but we do that
96 The verifier is currently neither completely lazy nor eager when it
97 comes to loading classes. It tries to represent types by name when
98 possible, and then loads them when it needs to verify a fact about
99 the type. Checking types by name is valid because we only use
100 names which come from the current class' constant pool. Since all
101 such names are looked up using the same class loader, there is no
102 danger that we might be fooled into comparing different types with
105 In the future we plan to allow for a completely lazy mode of
106 operation, where the verifier will construct a list of type
107 assertions to be checked later.
109 Some test cases for the verifier live in the "verify" module of the
110 Mauve test suite. However, some of these are presently
111 (2004-01-20) believed to be incorrect. (More precisely the notion
112 of "correct" is not well-defined, and this verifier differs from
113 others while remaining type-safe.) Some other tests live in the
116 This verifier is also written to be pluggable. This means that it
117 is intended for use in a variety of environments, not just libgcj.
118 As a result the verifier expects a number of type and method
119 declarations to be declared in "verify.h". The intent is that you
120 recompile the verifier for your particular environment. This
121 approach was chosen so that operations could be inlined in verify.h
124 See the verify.h that accompanies this copy of the verifier to see
125 what types, preprocessor defines, and functions must be declared.
126 The interface is ad hoc, but was defined so that it could be
127 implemented to connect to a pure C program.
130 #define FLAG_INSN_START 1
131 #define FLAG_BRANCH_TARGET 2
132 #define FLAG_INSN_SEEN 4
136 struct ref_intersection;
138 typedef struct state state;
139 typedef struct type type;
140 typedef struct ref_intersection ref_intersection;
142 /*typedef struct state_list state_list;*/
144 typedef struct state_list
147 struct state_list *next;
150 typedef struct vfy_string_list
153 struct vfy_string_list *next;
156 typedef struct verifier_context
158 /* The current PC. */
160 /* The PC corresponding to the start of the current instruction. */
163 /* The current state of the stack, locals, etc. */
164 state *current_state;
166 /* At each branch target we keep a linked list of all the states we
167 can process at that point. We'll only have multiple states at a
168 given PC if they both have different return-address types in the
169 same stack or local slot. This array is indexed by PC and holds
170 the list of all such states. */
173 /* We keep a linked list of all the states which we must reverify.
174 This is the head of the list. */
175 state *next_verify_state;
177 /* We keep some flags for each instruction. The values are the
178 FLAG_* constants defined above. This is an array indexed by PC. */
181 /* The bytecode itself. */
182 const unsigned char *bytecode;
183 /* The exceptions. */
184 vfy_exception *exception;
186 /* Defining class. */
187 vfy_jclass current_class;
189 vfy_method *current_method;
191 /* A linked list of utf8 objects we allocate. */
192 vfy_string_list *utf8_list;
194 /* A linked list of all ref_intersection objects we allocate. */
195 ref_intersection *isect_list;
198 /* The current verifier's state data. This is maintained by
199 {push/pop}_verifier_context to provide a shorthand form to access
200 the verification state. */
201 static GTY(()) verifier_context *vfr;
203 /* Local function declarations. */
204 bool type_initialized (type *t);
205 int ref_count_dimensions (ref_intersection *ref);
208 verify_fail_pc (const char *s, int pc)
210 vfy_fail (s, pc, vfr->current_class, vfr->current_method);
214 verify_fail (const char *s)
216 verify_fail_pc (s, vfr->PC);
219 /* This enum holds a list of tags for all the different types we
220 need to handle. Reference types are treated specially by the
222 typedef enum type_val
226 /* The values for primitive types are chosen to correspond to values
227 specified to newarray. */
237 /* Used when overwriting second word of a double or long in the
238 local variables. Also used after merging local variable states
239 to indicate an unusable value. */
242 /* This is the second word of a two-word value, i.e., a double or
246 /* Everything after `reference_type' must be a reference type. */
249 uninitialized_reference_type
252 /* This represents a merged class type. Some verifiers (including
253 earlier versions of this one) will compute the intersection of
254 two class types when merging states. However, this loses
255 critical information about interfaces implemented by the various
256 classes. So instead we keep track of all the actual classes that
258 struct ref_intersection
260 /* Whether or not this type has been resolved. */
263 /* Actual type data. */
266 /* For a resolved reference type, this is a pointer to the class. */
268 /* For other reference types, this it the name of the class. */
272 /* Link to the next reference in the intersection. */
273 ref_intersection *ref_next;
275 /* This is used to keep track of all the allocated
276 ref_intersection objects, so we can free them.
277 FIXME: we should allocate these in chunks. */
278 ref_intersection *alloc_next;
281 static ref_intersection *
284 ref_intersection *new_ref =
285 (ref_intersection *) vfy_alloc (sizeof (ref_intersection));
287 new_ref->alloc_next = vfr->isect_list;
288 vfr->isect_list = new_ref;
292 static ref_intersection *
293 clone_ref (ref_intersection *dup)
295 ref_intersection *new_ref = make_ref ();
297 new_ref->is_resolved = dup->is_resolved;
298 new_ref->data = dup->data;
303 resolve_ref (ref_intersection *ref)
305 if (ref->is_resolved)
307 ref->data.klass = vfy_find_class (vfr->current_class, ref->data.name);
308 ref->is_resolved = true;
312 refs_equal (ref_intersection *ref1, ref_intersection *ref2)
314 if (! ref1->is_resolved && ! ref2->is_resolved
315 && vfy_strings_equal (ref1->data.name, ref2->data.name))
317 if (! ref1->is_resolved)
319 if (! ref2->is_resolved)
321 return ref1->data.klass == ref2->data.klass;
324 /* Merge REF1 type into REF2, returning the result. This will
325 return REF2 if all the classes in THIS already appear in
327 static ref_intersection *
328 merge_refs (ref_intersection *ref1, ref_intersection *ref2)
330 ref_intersection *tail = ref2;
331 for (; ref1 != NULL; ref1 = ref1->ref_next)
334 ref_intersection *iter;
335 for (iter = ref2; iter != NULL; iter = iter->ref_next)
337 if (refs_equal (ref1, iter))
346 ref_intersection *new_tail = clone_ref (ref1);
347 new_tail->ref_next = tail;
354 /* See if an object of type SOURCE can be assigned to an object of
355 type TARGET. This might resolve classes in one chain or the other. */
357 ref_compatible (ref_intersection *target, ref_intersection *source)
359 for (; target != NULL; target = target->ref_next)
361 ref_intersection *source_iter = source;
363 for (; source_iter != NULL; source_iter = source_iter->ref_next)
365 /* Avoid resolving if possible. */
366 if (! target->is_resolved
367 && ! source_iter->is_resolved
368 && vfy_strings_equal (target->data.name,
369 source_iter->data.name))
372 if (! target->is_resolved)
373 resolve_ref (target);
374 if (! source_iter->is_resolved)
375 resolve_ref (source_iter);
377 if (! vfy_is_assignable_from (target->data.klass,
378 source_iter->data.klass))
387 ref_isarray (ref_intersection *ref)
389 /* assert (ref_next == NULL); */
390 if (ref->is_resolved)
391 return vfy_is_array (ref->data.klass);
393 return vfy_string_bytes (ref->data.name)[0] == '[';
397 ref_isinterface (ref_intersection *ref)
399 /* assert (ref_next == NULL); */
400 if (! ref->is_resolved)
402 return vfy_is_interface (ref->data.klass);
406 ref_isabstract (ref_intersection *ref)
408 /* assert (ref_next == NULL); */
409 if (! ref->is_resolved)
411 return vfy_is_abstract (ref->data.klass);
415 ref_getclass (ref_intersection *ref)
417 if (! ref->is_resolved)
419 return ref->data.klass;
423 ref_count_dimensions (ref_intersection *ref)
426 if (ref->is_resolved)
428 vfy_jclass k = ref->data.klass;
429 while (vfy_is_array (k))
431 k = vfy_get_component_type (k);
437 const char *p = vfy_string_bytes (ref->data.name);
444 /* Return the type_val corresponding to a primitive signature
445 character. For instance `I' returns `int.class'. */
447 get_type_val_for_signature (char sig)
480 verify_fail ("invalid signature");
486 /* Return the type_val corresponding to a primitive class. */
488 get_type_val_for_primtype (vfy_jclass k)
490 return get_type_val_for_signature (vfy_get_primitive_char (k));
493 /* The `type' class is used to represent a single type in the verifier. */
499 /* For reference types, the representation of the type. */
500 ref_intersection *klass;
502 /* This is used in two situations.
504 First, when constructing a new object, it is the PC of the
505 `new' instruction which created the object. We use the special
506 value UNINIT to mean that this is uninitialized. The special
507 value SELF is used for the case where the current method is
508 itself the <init> method. the special value EITHER is used
509 when we may optionally allow either an uninitialized or
510 initialized reference to match.
512 Second, when the key is return_address_type, this holds the PC
513 of the instruction following the `jsr'. */
521 /* Make a new instance given the type tag. We assume a generic
522 `reference_type' means Object. */
524 init_type_from_tag (type *t, type_val k)
527 /* For reference_type, if KLASS==NULL then that means we are
528 looking for a generic object of any kind, including an
529 uninitialized reference. */
534 /* Make a type for the given type_val tag K. */
536 make_type (type_val k)
539 init_type_from_tag (&t, k);
543 /* Make a new instance given a class. */
545 init_type_from_class (type *t, vfy_jclass k)
547 t->key = reference_type;
548 t->klass = make_ref ();
549 t->klass->is_resolved = true;
550 t->klass->data.klass = k;
551 t->klass->ref_next = NULL;
556 make_type_from_class (vfy_jclass k)
559 init_type_from_class (&t, k);
564 init_type_from_string (type *t, vfy_string n)
566 t->key = reference_type;
567 t->klass = make_ref ();
568 t->klass->is_resolved = false;
569 t->klass->data.name = n;
570 t->klass->ref_next = NULL;
575 make_type_from_string (vfy_string n)
578 init_type_from_string (&t, n);
582 /* Promote a numeric type. */
584 vfy_promote_type (type *t)
586 if (t->key == boolean_type || t->key == char_type
587 || t->key == byte_type || t->key == short_type)
590 #define promote_type vfy_promote_type
592 /* Mark this type as the uninitialized result of `new'. */
594 type_set_uninitialized (type *t, int npc)
596 if (t->key == reference_type)
597 t->key = uninitialized_reference_type;
599 verify_fail ("internal error in type::uninitialized");
603 /* Mark this type as now initialized. */
605 type_set_initialized (type *t, int npc)
607 if (npc != UNINIT && t->pc == npc && t->key == uninitialized_reference_type)
609 t->key = reference_type;
614 /* Mark this type as a particular return address. */
615 static void type_set_return_address (type *t, int npc)
620 /* Return true if this type and type OTHER are considered
621 mergeable for the purposes of state merging. This is related
622 to subroutine handling. For this purpose two types are
623 considered unmergeable if they are both return-addresses but
624 have different PCs. */
626 type_state_mergeable_p (type *t1, type *t2)
628 return (t1->key != return_address_type
629 || t2->key != return_address_type
630 || t1->pc == t2->pc);
633 /* Return true if an object of type K can be assigned to a variable
634 of type T. Handle various special cases too. Might modify
635 T or K. Note however that this does not perform numeric
638 types_compatible (type *t, type *k)
640 /* Any type is compatible with the unsuitable type. */
641 if (k->key == unsuitable_type)
644 if (t->key < reference_type || k->key < reference_type)
645 return t->key == k->key;
647 /* The `null' type is convertible to any initialized reference
649 if (t->key == null_type)
650 return k->key != uninitialized_reference_type;
651 if (k->key == null_type)
652 return t->key != uninitialized_reference_type;
654 /* A special case for a generic reference. */
655 if (t->klass == NULL)
657 if (k->klass == NULL)
658 verify_fail ("programmer error in type::compatible");
660 /* Handle the special 'EITHER' case, which is only used in a
661 special case of 'putfield'. Note that we only need to handle
662 this on the LHS of a check. */
663 if (! type_initialized (t) && t->pc == EITHER)
665 /* If the RHS is uninitialized, it must be an uninitialized
667 if (! type_initialized (k) && k->pc != SELF)
670 else if (type_initialized (t) != type_initialized (k))
672 /* An initialized type and an uninitialized type are not
673 otherwise compatible. */
678 /* Two uninitialized objects are compatible if either:
679 * The PCs are identical, or
680 * One PC is UNINIT. */
681 if (type_initialized (t))
683 if (t->pc != k->pc && t->pc != UNINIT && k->pc != UNINIT)
688 return ref_compatible (t->klass, k->klass);
691 /* Return true if two types are equal. Only valid for reference
694 types_equal (type *t1, type *t2)
696 if ((t1->key != reference_type && t1->key != uninitialized_reference_type)
697 || (t2->key != reference_type
698 && t2->key != uninitialized_reference_type))
700 /* Only single-ref types are allowed. */
701 if (t1->klass->ref_next || t2->klass->ref_next)
703 return refs_equal (t1->klass, t2->klass);
707 type_isvoid (type *t)
709 return t->key == void_type;
713 type_iswide (type *t)
715 return t->key == long_type || t->key == double_type;
718 /* Return number of stack or local variable slots taken by this type. */
722 return type_iswide (t) ? 2 : 1;
726 type_isarray (type *t)
728 /* We treat null_type as not an array. This is ok based on the
729 current uses of this method. */
730 if (t->key == reference_type)
731 return ref_isarray (t->klass);
736 type_isnull (type *t)
738 return t->key == null_type;
742 type_isinterface (type *t)
744 if (t->key != reference_type)
746 return ref_isinterface (t->klass);
750 type_isabstract (type *t)
752 if (t->key != reference_type)
754 return ref_isabstract (t->klass);
757 /* Return the element type of an array. */
759 type_array_element (type *t)
764 if (t->key != reference_type)
765 verify_fail ("programmer error in type::element_type()");
767 k = vfy_get_component_type (ref_getclass (t->klass));
768 if (vfy_is_primitive (k))
769 init_type_from_tag (&et, get_type_val_for_primtype (k));
771 init_type_from_class (&et, k);
775 /* Return the array type corresponding to an initialized
776 reference. We could expand this to work for other kinds of
777 types, but currently we don't need to. */
779 type_to_array (type *t)
784 if (t->key != reference_type)
785 verify_fail ("internal error in type::to_array()");
787 k = ref_getclass (t->klass);
788 init_type_from_class (&at, vfy_get_array_class (k));
793 type_isreference (type *t)
795 return t->key >= reference_type;
799 type_get_pc (type *t)
805 type_initialized (type *t)
807 return t->key == reference_type || t->key == null_type;
811 type_verify_dimensions (type *t, int ndims)
813 /* The way this is written, we don't need to check isarray(). */
814 if (t->key != reference_type)
815 verify_fail ("internal error in verify_dimensions:"
816 " not a reference type");
818 if (ref_count_dimensions (t->klass) < ndims)
819 verify_fail ("array type has fewer dimensions"
823 /* Merge OLD_TYPE into this. On error throw exception. Return
824 true if the merge caused a type change. */
826 merge_types (type *t, type *old_type, bool local_semantics)
828 bool changed = false;
829 bool refo = type_isreference (old_type);
830 bool refn = type_isreference (t);
833 if (old_type->key == null_type)
835 else if (t->key == null_type)
840 else if (type_initialized (t) != type_initialized (old_type))
841 verify_fail ("merging initialized and uninitialized types");
844 ref_intersection *merged;
845 if (! type_initialized (t))
848 t->pc = old_type->pc;
849 else if (old_type->pc == UNINIT)
851 else if (t->pc != old_type->pc)
852 verify_fail ("merging different uninitialized types");
855 merged = merge_refs (old_type->klass, t->klass);
856 if (merged != t->klass)
863 else if (refo || refn || t->key != old_type->key)
867 /* If we already have an `unsuitable' type, then we
868 don't need to change again. */
869 if (t->key != unsuitable_type)
871 t->key = unsuitable_type;
876 verify_fail ("unmergeable type");
888 case boolean_type: c = 'Z'; break;
889 case byte_type: c = 'B'; break;
890 case char_type: c = 'C'; break;
891 case short_type: c = 'S'; break;
892 case int_type: c = 'I'; break;
893 case long_type: c = 'J'; break;
894 case float_type: c = 'F'; break;
895 case double_type: c = 'D'; break;
896 case void_type: c = 'V'; break;
897 case unsuitable_type: c = '-'; break;
898 case return_address_type: c = 'r'; break;
899 case continuation_type: c = '+'; break;
900 case reference_type: c = 'L'; break;
901 case null_type: c = '@'; break;
902 case uninitialized_reference_type: c = 'U'; break;
904 debug_print ("%c", c);
906 #endif /* VERIFY_DEBUG */
908 /* This class holds all the state information we need for a given
912 /* The current top of the stack, in terms of slots. */
914 /* The current depth of the stack. This will be larger than
915 STACKTOP when wide types are on the stack. */
919 /* The local variables. */
921 /* We keep track of the type of `this' specially. This is used to
922 ensure that an instance initializer invokes another initializer
923 on `this' before returning. We must keep track of this
924 specially because otherwise we might be confused by code which
925 assigns to locals[0] (overwriting `this') and then returns
926 without really initializing. */
929 /* The PC for this state. This is only valid on states which are
930 permanently attached to a given PC. For an object like
931 `current_state', which is used transiently, this has no
934 /* We keep a linked list of all states requiring reverification.
935 If this is the special value INVALID_STATE then this state is
936 not on the list. NULL marks the end of the linked list. */
940 /* NO_NEXT is the PC value meaning that a new state must be
941 acquired from the verification list. */
945 init_state_with_stack (state *s, int max_stack, int max_locals)
950 s->stack = (type *) vfy_alloc (max_stack * sizeof (type));
951 for (i = 0; i < max_stack; ++i)
952 init_type_from_tag (&s->stack[i], unsuitable_type);
953 s->locals = (type *) vfy_alloc (max_locals * sizeof (type));
954 for (i = 0; i < max_locals; ++i)
955 init_type_from_tag (&s->locals[i], unsuitable_type);
956 init_type_from_tag (&s->this_type, unsuitable_type);
958 s->next = INVALID_STATE;
962 copy_state (state *s, state *copy, int max_stack, int max_locals)
965 s->stacktop = copy->stacktop;
966 s->stackdepth = copy->stackdepth;
967 for (i = 0; i < max_stack; ++i)
968 s->stack[i] = copy->stack[i];
969 for (i = 0; i < max_locals; ++i)
970 s->locals[i] = copy->locals[i];
972 s->this_type = copy->this_type;
973 /* Don't modify `next' or `pc'. */
977 copy_state_with_stack (state *s, state *orig, int max_stack, int max_locals)
979 init_state_with_stack (s, max_stack, max_locals);
980 copy_state (s, orig, max_stack, max_locals);
983 /* Allocate a new state, copying ORIG. */
985 make_state_copy (state *orig, int max_stack, int max_locals)
987 state *s = (state *) vfy_alloc (sizeof (state));
988 copy_state_with_stack (s, orig, max_stack, max_locals);
993 make_state (int max_stack, int max_locals)
995 state *s = (state *) vfy_alloc (sizeof (state));
996 init_state_with_stack (s, max_stack, max_locals);
1001 free_state (state *s)
1003 if (s->stack != NULL)
1004 vfy_free (s->stack);
1005 if (s->locals != NULL)
1006 vfy_free (s->locals);
1009 /* Modify this state to reflect entry to an exception handler. */
1011 state_set_exception (state *s, type *t, int max_stack)
1017 for (i = s->stacktop; i < max_stack; ++i)
1018 init_type_from_tag (&s->stack[i], unsuitable_type);
1021 /* Merge STATE_OLD into this state. Destructively modifies this
1022 state. Returns true if the new state was in fact changed.
1023 Will throw an exception if the states are not mergeable. */
1025 merge_states (state *s, state *state_old, int max_locals)
1028 bool changed = false;
1030 /* Special handling for `this'. If one or the other is
1031 uninitialized, then the merge is uninitialized. */
1032 if (type_initialized (&s->this_type))
1033 s->this_type = state_old->this_type;
1036 if (state_old->stacktop != s->stacktop) /* FIXME stackdepth instead? */
1037 verify_fail ("stack sizes differ");
1038 for (i = 0; i < state_old->stacktop; ++i)
1040 if (merge_types (&s->stack[i], &state_old->stack[i], false))
1044 /* Merge local variables. */
1045 for (i = 0; i < max_locals; ++i)
1047 if (merge_types (&s->locals[i], &state_old->locals[i], true))
1054 /* Ensure that `this' has been initialized. */
1056 state_check_this_initialized (state *s)
1058 if (type_isreference (&s->this_type) && ! type_initialized (&s->this_type))
1059 verify_fail ("`this' is uninitialized");
1062 /* Set type of `this'. */
1064 state_set_this_type (state *s, type *k)
1069 /* Mark each `new'd object we know of that was allocated at PC as
1072 state_set_initialized (state *s, int pc, int max_locals)
1075 for (i = 0; i < s->stacktop; ++i)
1076 type_set_initialized (&s->stack[i], pc);
1077 for (i = 0; i < max_locals; ++i)
1078 type_set_initialized (&s->locals[i], pc);
1079 type_set_initialized (&s->this_type, pc);
1082 /* This tests to see whether two states can be considered "merge
1083 compatible". If both states have a return-address in the same
1084 slot, and the return addresses are different, then they are not
1085 compatible and we must not try to merge them. */
1087 state_mergeable_p (state *s, state *other, int max_locals)
1092 /* This is tricky: if the stack sizes differ, then not only are
1093 these not mergeable, but in fact we should give an error, as
1094 we've found two execution paths that reach a branch target
1095 with different stack depths. FIXME stackdepth instead? */
1096 if (s->stacktop != other->stacktop)
1097 verify_fail ("stack sizes differ");
1099 for (i = 0; i < s->stacktop; ++i)
1100 if (! type_state_mergeable_p (&s->stack[i], &other->stack[i]))
1102 for (i = 0; i < max_locals; ++i)
1103 if (! type_state_mergeable_p (&s->locals[i], &other->locals[i]))
1109 state_reverify (state *s)
1111 if (s->next == INVALID_STATE)
1113 s->next = vfr->next_verify_state;
1114 vfr->next_verify_state = s;
1120 debug_print_state (state *s, const char *leader, int pc, int max_stack,
1124 debug_print ("%s [%4d]: [stack] ", leader, pc);
1125 for (i = 0; i < s->stacktop; ++i)
1126 type_print (&s->stack[i]);
1127 for (; i < max_stack; ++i)
1129 debug_print (" [local] ");
1130 for (i = 0; i < max_locals; ++i)
1131 type_print (&s->locals[i]);
1132 debug_print (" | %p\n", s);
1136 debug_print_state (state *s ATTRIBUTE_UNUSED,
1137 const char *leader ATTRIBUTE_UNUSED,
1138 int pc ATTRIBUTE_UNUSED, int max_stack ATTRIBUTE_UNUSED,
1139 int max_locals ATTRIBUTE_UNUSED)
1142 #endif /* VERIFY_DEBUG */
1148 state *s = vfr->current_state;
1149 if (s->stacktop <= 0)
1150 verify_fail ("stack empty");
1151 r = s->stack[--s->stacktop];
1152 s->stackdepth -= type_depth (&r);
1153 if (s->stackdepth < 0)
1154 verify_fail_pc ("stack empty", vfr->start_PC);
1161 type r = pop_raw ();
1162 if (type_iswide (&r))
1163 verify_fail ("narrow pop of wide type");
1168 vfy_pop_type_t (type match)
1171 vfy_promote_type (&match);
1173 if (! types_compatible (&match, &t))
1174 verify_fail ("incompatible type on stack");
1179 vfy_pop_type (type_val match)
1181 type t = make_type (match);
1182 return vfy_pop_type_t (t);
1185 #define pop_type vfy_pop_type
1186 #define pop_type_t vfy_pop_type_t
1188 /* Pop a reference which is guaranteed to be initialized. MATCH
1189 doesn't have to be a reference type; in this case this acts like
1192 pop_init_ref_t (type match)
1194 type t = pop_raw ();
1195 if (type_isreference (&t) && ! type_initialized (&t))
1196 verify_fail ("initialized reference required");
1197 else if (! types_compatible (&match, &t))
1198 verify_fail ("incompatible type on stack");
1203 pop_init_ref (type_val match)
1205 type t = make_type (match);
1206 return pop_init_ref_t (t);
1209 /* Pop a reference type or a return address. */
1211 pop_ref_or_return (void)
1213 type t = pop_raw ();
1214 if (! type_isreference (&t) && t.key != return_address_type)
1215 verify_fail ("expected reference or return address on stack");
1220 vfy_push_type_t (type t)
1223 state *s = vfr->current_state;
1224 /* If T is a numeric type like short, promote it to int. */
1227 depth = type_depth (&t);
1229 if (s->stackdepth + depth > vfr->current_method->max_stack)
1230 verify_fail ("stack overflow");
1231 s->stack[s->stacktop++] = t;
1232 s->stackdepth += depth;
1236 vfy_push_type (type_val tval)
1238 type t = make_type (tval);
1239 vfy_push_type_t (t);
1242 #define push_type vfy_push_type
1243 #define push_type_t vfy_push_type_t
1246 set_variable (int index, type t)
1249 state *s = vfr->current_state;
1250 /* If T is a numeric type like short, promote it to int. */
1253 depth = type_depth (&t);
1254 if (index > vfr->current_method->max_locals - depth)
1255 verify_fail ("invalid local variable");
1256 s->locals[index] = t;
1259 init_type_from_tag (&s->locals[index + 1], continuation_type);
1260 if (index > 0 && type_iswide (&s->locals[index - 1]))
1261 init_type_from_tag (&s->locals[index - 1], unsuitable_type);
1265 get_variable_t (int index, type *t)
1267 state *s = vfr->current_state;
1268 int depth = type_depth (t);
1269 if (index > vfr->current_method->max_locals - depth)
1270 verify_fail ("invalid local variable");
1271 if (! types_compatible (t, &s->locals[index]))
1272 verify_fail ("incompatible type in local variable");
1275 type cont = make_type (continuation_type);
1276 if (! types_compatible (&s->locals[index + 1], &cont))
1277 verify_fail ("invalid local variable");
1279 return s->locals[index];
1283 get_variable (int index, type_val v)
1285 type t = make_type (v);
1286 return get_variable_t (index, &t);
1289 /* Make sure ARRAY is an array type and that its elements are
1290 compatible with type ELEMENT. Returns the actual element type. */
1292 require_array_type_t (type array, type element)
1295 /* An odd case. Here we just pretend that everything went ok. If
1296 the requested element type is some kind of reference, return
1297 the null type instead. */
1298 if (type_isnull (&array))
1299 return type_isreference (&element) ? make_type (null_type) : element;
1301 if (! type_isarray (&array))
1302 verify_fail ("array required");
1304 t = type_array_element (&array);
1305 if (! types_compatible (&element, &t))
1307 /* Special case for byte arrays, which must also be boolean
1310 if (element.key == byte_type)
1312 type e2 = make_type (boolean_type);
1313 ok = types_compatible (&e2, &t);
1316 verify_fail ("incompatible array element type");
1319 /* Return T and not ELEMENT, because T might be specialized. */
1324 require_array_type (type array, type_val element)
1326 type t = make_type (element);
1327 return require_array_type_t (array, t);
1333 if (vfr->PC >= vfr->current_method->code_length)
1334 verify_fail ("premature end of bytecode");
1335 return (jint) vfr->bytecode[vfr->PC++] & 0xff;
1341 jint b1 = get_byte ();
1342 jint b2 = get_byte ();
1343 return (jint) ((b1 << 8) | b2) & 0xffff;
1349 signed char b1 = (signed char) get_byte ();
1350 jint b2 = get_byte ();
1351 jshort s = (b1 << 8) | b2;
1358 jint b1 = get_byte ();
1359 jint b2 = get_byte ();
1360 jint b3 = get_byte ();
1361 jint b4 = get_byte ();
1362 jword result = (b1 << 24) | (b2 << 16) | (b3 << 8) | b4;
1363 /* In the compiler, 'jint' might have more than 32 bits, so we must
1365 return WORD_TO_INT (result);
1369 compute_jump (int offset)
1371 int npc = vfr->start_PC + offset;
1372 if (npc < 0 || npc >= vfr->current_method->code_length)
1373 verify_fail_pc ("branch out of range", vfr->start_PC);
1377 /* Add a new state to the state list at NPC. */
1379 add_new_state (int npc, state *old_state)
1382 vfy_method *current_method = vfr->current_method;
1383 state *new_state = make_state_copy (old_state, current_method->max_stack,
1384 current_method->max_locals);
1385 debug_print ("== New state in add_new_state\n");
1386 debug_print_state (new_state, "New", npc, current_method->max_stack,
1387 current_method->max_locals);
1389 nlink = (state_list *) vfy_alloc (sizeof (state_list));
1390 nlink->val = new_state;
1391 nlink->next = vfr->states[npc];
1392 vfr->states[npc] = nlink;
1393 new_state->pc = npc;
1397 /* Merge the indicated state into the state at the branch target and
1398 schedule a new PC if there is a change. NPC is the PC of the
1399 branch target, and FROM_STATE is the state at the source of the
1400 branch. This method returns true if the destination state
1401 changed and requires reverification, false otherwise. */
1403 merge_into (int npc, state *from_state)
1405 /* Iterate over all target states and merge our state into each,
1406 if applicable. FIXME one improvement we could make here is
1407 "state destruction". Merging a new state into an existing one
1408 might cause a return_address_type to be merged to
1409 unsuitable_type. In this case the resulting state may now be
1410 mergeable with other states currently held in parallel at this
1411 location. So in this situation we could pairwise compare and
1412 reduce the number of parallel states. */
1414 bool applicable = false;
1415 for (iter = vfr->states[npc]; iter != NULL; iter = iter->next)
1417 state *new_state = iter->val;
1418 vfy_method *current_method = vfr->current_method;
1420 if (state_mergeable_p (new_state, from_state,
1421 current_method->max_locals))
1426 debug_print ("== Merge states in merge_into\n");
1427 debug_print_state (from_state, "Frm", vfr->start_PC, current_method->max_stack,
1428 current_method->max_locals);
1429 debug_print_state (new_state, " To", npc, current_method->max_stack,
1430 current_method->max_locals);
1431 changed = merge_states (new_state, from_state,
1432 current_method->max_locals);
1433 debug_print_state (new_state, "New", npc, current_method->max_stack,
1434 current_method->max_locals);
1437 state_reverify (new_state);
1443 /* Either we don't yet have a state at NPC, or we have a
1444 return-address type that is in conflict with all existing
1445 state. So, we need to create a new entry. */
1446 state *new_state = add_new_state (npc, from_state);
1447 /* A new state added in this way must always be reverified. */
1448 state_reverify (new_state);
1453 push_jump (int offset)
1455 int npc = compute_jump (offset);
1456 /* According to the JVM Spec, we need to check for uninitialized
1457 objects here. However, this does not actually affect type
1458 safety, and the Eclipse java compiler generates code that
1459 violates this constraint. */
1460 merge_into (npc, vfr->current_state);
1464 push_exception_jump (type t, int pc)
1467 /* According to the JVM Spec, we need to check for uninitialized
1468 objects here. However, this does not actually affect type
1469 safety, and the Eclipse java compiler generates code that
1470 violates this constraint. */
1471 copy_state_with_stack (&s, vfr->current_state,
1472 vfr->current_method->max_stack,
1473 vfr->current_method->max_locals);
1474 if (vfr->current_method->max_stack < 1)
1475 verify_fail ("stack overflow at exception handler");
1476 state_set_exception (&s, &t, vfr->current_method->max_stack);
1477 merge_into (pc, &s);
1478 /* FIXME: leak.. need free_state or GC */
1484 state *new_state = vfr->next_verify_state;
1485 if (new_state == INVALID_STATE)
1486 verify_fail ("programmer error in pop_jump");
1487 if (new_state != NULL)
1489 vfr->next_verify_state = new_state->next;
1490 new_state->next = INVALID_STATE;
1496 invalidate_pc (void)
1502 note_branch_target (int pc)
1504 /* Don't check `pc <= PC', because we've advanced PC after
1505 fetching the target and we haven't yet checked the next
1507 if (pc < vfr->PC && ! (vfr->flags[pc] & FLAG_INSN_START))
1508 verify_fail_pc ("branch not to instruction start", vfr->start_PC);
1509 vfr->flags[pc] |= FLAG_BRANCH_TARGET;
1515 while ((vfr->PC % 4) > 0)
1516 if (get_byte () != 0)
1517 verify_fail ("found nonzero padding byte");
1520 /* Do the work for a `ret' instruction. INDEX is the index into the
1523 handle_ret_insn (int index)
1525 type ret = make_type (return_address_type);
1526 type ret_addr = get_variable_t (index, &ret);
1527 /* It would be nice if we could do this. However, the JVM Spec
1528 doesn't say that this is what happens. It is implied that
1529 reusing a return address is invalid, but there's no actual
1530 prohibition against it. */
1531 /* set_variable (index, unsuitable_type); */
1533 int npc = type_get_pc (&ret_addr);
1534 /* We might be returning to a `jsr' that is at the end of the
1535 bytecode. This is ok if we never return from the called
1536 subroutine, but if we see this here it is an error. */
1537 if (npc >= vfr->current_method->code_length)
1538 verify_fail ("fell off end");
1540 /* According to the JVM Spec, we need to check for uninitialized
1541 objects here. However, this does not actually affect type
1542 safety, and the Eclipse java compiler generates code that
1543 violates this constraint. */
1544 merge_into (npc, vfr->current_state);
1548 static void handle_jsr_insn (int offset)
1551 int npc = compute_jump (offset);
1553 /* According to the JVM Spec, we need to check for uninitialized
1554 objects here. However, this does not actually affect type
1555 safety, and the Eclipse java compiler generates code that
1556 violates this constraint. */
1558 /* Modify our state as appropriate for entry into a subroutine. */
1559 ret_addr = make_type (return_address_type);
1560 type_set_return_address (&ret_addr, vfr->PC);
1561 vfy_push_type_t (ret_addr);
1562 merge_into (npc, vfr->current_state);
1567 construct_primitive_array_type (type_val prim)
1569 vfy_jclass k = NULL;
1580 k = vfy_get_primitive_type ((int) prim);
1583 /* These aren't used here but we call them out to avoid
1586 case unsuitable_type:
1587 case return_address_type:
1588 case continuation_type:
1589 case reference_type:
1591 case uninitialized_reference_type:
1593 verify_fail ("unknown type in construct_primitive_array_type");
1595 k = vfy_get_array_class (k);
1599 /* This pass computes the location of branch targets and also
1600 instruction starts. */
1602 branch_prepass (void)
1605 vfr->flags = (char *) vfy_alloc (vfr->current_method->code_length);
1607 for (i = 0; i < vfr->current_method->code_length; ++i)
1611 while (vfr->PC < vfr->current_method->code_length)
1614 /* Set `start_PC' early so that error checking can have the
1616 vfr->start_PC = vfr->PC;
1617 vfr->flags[vfr->PC] |= FLAG_INSN_START;
1619 opcode = (java_opcode) vfr->bytecode[vfr->PC++];
1623 case op_aconst_null:
1759 case op_monitorenter:
1760 case op_monitorexit:
1768 case op_arraylength:
1800 case op_invokespecial:
1801 case op_invokestatic:
1802 case op_invokevirtual:
1806 case op_multianewarray:
1829 note_branch_target (compute_jump (get_short ()));
1832 case op_tableswitch:
1836 note_branch_target (compute_jump (get_int ()));
1840 verify_fail_pc ("invalid tableswitch", vfr->start_PC);
1841 for (i = low; i <= hi; ++i)
1842 note_branch_target (compute_jump (get_int ()));
1846 case op_lookupswitch:
1850 note_branch_target (compute_jump (get_int ()));
1851 npairs = get_int ();
1853 verify_fail_pc ("too few pairs in lookupswitch", vfr->start_PC);
1854 while (npairs-- > 0)
1857 note_branch_target (compute_jump (get_int ()));
1862 case op_invokeinterface:
1870 opcode = (java_opcode) get_byte ();
1872 if (opcode == op_iinc)
1879 note_branch_target (compute_jump (get_int ()));
1883 /* These are unused here, but we call them out explicitly
1884 so that -Wswitch-enum doesn't complain. */
1890 case op_putstatic_1:
1891 case op_putstatic_2:
1892 case op_putstatic_4:
1893 case op_putstatic_8:
1894 case op_putstatic_a:
1896 case op_getfield_2s:
1897 case op_getfield_2u:
1901 case op_getstatic_1:
1902 case op_getstatic_2s:
1903 case op_getstatic_2u:
1904 case op_getstatic_4:
1905 case op_getstatic_8:
1906 case op_getstatic_a:
1907 #endif /* VFY_FAST_OPCODES */
1909 verify_fail_pc ("unrecognized instruction in branch_prepass",
1913 /* See if any previous branch tried to branch to the middle of
1914 this instruction. */
1915 for (pc = vfr->start_PC + 1; pc < vfr->PC; ++pc)
1917 if ((vfr->flags[pc] & FLAG_BRANCH_TARGET))
1918 verify_fail_pc ("branch to middle of instruction", pc);
1922 /* Verify exception handlers. */
1923 for (i = 0; i < vfr->current_method->exc_count; ++i)
1925 int handler, start, end, htype;
1926 vfy_get_exception (vfr->exception, i, &handler, &start, &end, &htype);
1927 if (! (vfr->flags[handler] & FLAG_INSN_START))
1928 verify_fail_pc ("exception handler not at instruction start",
1930 if (! (vfr->flags[start] & FLAG_INSN_START))
1931 verify_fail_pc ("exception start not at instruction start", start);
1932 if (end != vfr->current_method->code_length
1933 && ! (vfr->flags[end] & FLAG_INSN_START))
1934 verify_fail_pc ("exception end not at instruction start", end);
1936 vfr->flags[handler] |= FLAG_BRANCH_TARGET;
1941 check_pool_index (int index)
1943 if (index < 0 || index >= vfy_get_constants_size (vfr->current_class))
1944 verify_fail_pc ("constant pool index out of range", vfr->start_PC);
1948 check_class_constant (int index)
1950 type t = { (type_val) 0, 0, 0 };
1951 vfy_constants *pool;
1953 check_pool_index (index);
1954 pool = vfy_get_constants (vfr->current_class);
1955 if (vfy_tag (pool, index) == JV_CONSTANT_ResolvedClass)
1956 init_type_from_class (&t, vfy_get_pool_class (pool, index));
1957 else if (vfy_tag (pool, index) == JV_CONSTANT_Class)
1958 init_type_from_string (&t, vfy_get_pool_string (pool, index));
1960 verify_fail_pc ("expected class constant", vfr->start_PC);
1965 check_constant (int index)
1967 type t = { (type_val) 0, 0, 0 };
1968 vfy_constants *pool;
1970 check_pool_index (index);
1971 pool = vfy_get_constants (vfr->current_class);
1972 if (vfy_tag (pool, index) == JV_CONSTANT_ResolvedString
1973 || vfy_tag (pool, index) == JV_CONSTANT_String)
1974 init_type_from_class (&t, vfy_string_type ());
1975 else if (vfy_tag (pool, index) == JV_CONSTANT_Integer)
1976 init_type_from_tag (&t, int_type);
1977 else if (vfy_tag (pool, index) == JV_CONSTANT_Float)
1978 init_type_from_tag (&t, float_type);
1979 else if (vfy_tag (pool, index) == JV_CONSTANT_Class
1980 || vfy_tag (pool, index) == JV_CONSTANT_ResolvedClass)
1981 /* FIXME: should only allow this for 1.5 bytecode. */
1982 init_type_from_class (&t, vfy_class_type ());
1984 verify_fail_pc ("String, int, or float constant expected", vfr->start_PC);
1989 check_wide_constant (int index)
1991 type t = { (type_val) 0, 0, 0 };
1992 vfy_constants *pool;
1994 check_pool_index (index);
1995 pool = vfy_get_constants (vfr->current_class);
1996 if (vfy_tag (pool, index) == JV_CONSTANT_Long)
1997 init_type_from_tag (&t, long_type);
1998 else if (vfy_tag (pool, index) == JV_CONSTANT_Double)
1999 init_type_from_tag (&t, double_type);
2001 verify_fail_pc ("long or double constant expected", vfr->start_PC);
2005 /* Helper for both field and method. These are laid out the same in
2006 the constant pool. */
2008 handle_field_or_method (int index, int expected,
2009 vfy_string *name, vfy_string *fmtype)
2011 vfy_uint_16 class_index, name_and_type_index;
2012 vfy_uint_16 name_index, desc_index;
2013 vfy_constants *pool;
2015 check_pool_index (index);
2016 pool = vfy_get_constants (vfr->current_class);
2017 if (vfy_tag (pool, index) != expected)
2018 verify_fail_pc ("didn't see expected constant", vfr->start_PC);
2019 /* Once we know we have a Fieldref or Methodref we assume that it
2020 is correctly laid out in the constant pool. I think the code
2021 in defineclass.cc guarantees this. */
2022 vfy_load_indexes (pool, index, &class_index, &name_and_type_index);
2023 vfy_load_indexes (pool, name_and_type_index, &name_index, &desc_index);
2025 *name = vfy_get_pool_string (pool, name_index);
2026 *fmtype = vfy_get_pool_string (pool, desc_index);
2028 return check_class_constant (class_index);
2031 /* Return field's type, compute class' type if requested. If
2032 PUTFIELD is true, use the special 'putfield' semantics. */
2034 check_field_constant (int index, type *class_type, bool putfield)
2036 vfy_string name, field_type;
2040 type ct = handle_field_or_method (index,
2041 JV_CONSTANT_Fieldref,
2042 &name, &field_type);
2045 typec = vfy_string_bytes (field_type);
2046 if (typec[0] == '[' || typec[0] == 'L')
2047 init_type_from_string (&t, field_type);
2049 init_type_from_tag (&t, get_type_val_for_signature (typec[0]));
2051 /* We have an obscure special case here: we can use `putfield' on a
2052 field declared in this class, even if `this' has not yet been
2055 && ! type_initialized (&vfr->current_state->this_type)
2056 && vfr->current_state->this_type.pc == SELF
2057 && types_equal (&vfr->current_state->this_type, &ct)
2058 && vfy_class_has_field (vfr->current_class, name, field_type))
2059 /* Note that we don't actually know whether we're going to match
2060 against 'this' or some other object of the same type. So,
2061 here we set things up so that it doesn't matter. This relies
2062 on knowing what our caller is up to. */
2063 type_set_uninitialized (class_type, EITHER);
2069 check_method_constant (int index, bool is_interface,
2070 vfy_string *method_name,
2071 vfy_string *method_signature)
2073 return handle_field_or_method (index,
2075 ? JV_CONSTANT_InterfaceMethodref
2076 : JV_CONSTANT_Methodref),
2077 method_name, method_signature);
2081 get_one_type (const char *p, type *t)
2083 const char *start = p;
2103 name = vfy_get_string (start, p - start);
2104 *t = make_type_from_string (name);
2108 /* Casting to jchar here is ok since we are looking at an ASCII
2110 rt = get_type_val_for_signature (v);
2112 if (arraycount == 0)
2114 /* Callers of this function eventually push their arguments on
2115 the stack. So, promote them here. */
2116 type new_t = make_type (rt);
2117 vfy_promote_type (&new_t);
2122 k = construct_primitive_array_type (rt);
2123 while (--arraycount > 0)
2124 k = vfy_get_array_class (k);
2125 *t = make_type_from_class (k);
2130 compute_argument_types (vfy_string signature, type *types)
2133 const char *p = vfy_string_bytes (signature);
2140 p = get_one_type (p, &types[i++]);
2144 compute_return_type (vfy_string signature)
2146 const char *p = vfy_string_bytes (signature);
2151 get_one_type (p, &t);
2156 check_return_type (type onstack)
2158 type rt = compute_return_type (vfy_get_signature (vfr->current_method));
2159 if (! types_compatible (&rt, &onstack))
2160 verify_fail ("incompatible return type");
2163 /* Initialize the stack for the new method. Returns true if this
2164 method is an instance initializer. */
2166 initialize_stack (void)
2170 bool is_init = vfy_strings_equal (vfy_get_method_name (vfr->current_method),
2172 bool is_clinit = vfy_strings_equal (vfy_get_method_name (vfr->current_method),
2175 if (! vfy_is_static (vfr->current_method))
2177 type kurr = make_type_from_class (vfr->current_class);
2180 type_set_uninitialized (&kurr, SELF);
2184 verify_fail ("<clinit> method must be static");
2185 set_variable (0, kurr);
2186 state_set_this_type (vfr->current_state, &kurr);
2192 verify_fail ("<init> method must be non-static");
2195 /* We have to handle wide arguments specially here. */
2196 arg_count = vfy_count_arguments (vfy_get_signature (vfr->current_method));
2198 type *arg_types = (type *) vfy_alloc (arg_count * sizeof (type));
2199 compute_argument_types (vfy_get_signature (vfr->current_method), arg_types);
2200 for (i = 0; i < arg_count; ++i)
2202 set_variable (var, arg_types[i]);
2204 if (type_iswide (&arg_types[i]))
2207 vfy_free (arg_types);
2214 verify_instructions_0 (void)
2219 vfr->current_state = make_state (vfr->current_method->max_stack,
2220 vfr->current_method->max_locals);
2225 /* True if we are verifying an instance initializer. */
2226 this_is_init = initialize_stack ();
2228 vfr->states = (state_list **) vfy_alloc (sizeof (state_list *)
2229 * vfr->current_method->code_length);
2231 for (i = 0; i < vfr->current_method->code_length; ++i)
2232 vfr->states[i] = NULL;
2234 vfr->next_verify_state = NULL;
2240 /* If the PC was invalidated, get a new one from the work list. */
2241 if (vfr->PC == NO_NEXT)
2243 state *new_state = pop_jump ();
2244 /* If it is null, we're done. */
2245 if (new_state == NULL)
2248 vfr->PC = new_state->pc;
2249 debug_print ("== State pop from pending list\n");
2250 /* Set up the current state. */
2251 copy_state (vfr->current_state, new_state,
2252 vfr->current_method->max_stack, vfr->current_method->max_locals);
2256 /* We only have to do this checking in the situation where
2257 control flow falls through from the previous instruction.
2258 Otherwise merging is done at the time we push the branch.
2259 Note that we'll catch the off-the-end problem just
2261 if (vfr->PC < vfr->current_method->code_length
2262 && vfr->states[vfr->PC] != NULL)
2264 /* We've already visited this instruction. So merge
2265 the states together. It is simplest, but not most
2266 efficient, to just always invalidate the PC here. */
2267 merge_into (vfr->PC, vfr->current_state);
2273 /* Control can't fall off the end of the bytecode. We need to
2274 check this in both cases, not just the fall-through case,
2275 because we don't check to see whether a `jsr' appears at
2276 the end of the bytecode until we process a `ret'. */
2277 if (vfr->PC >= vfr->current_method->code_length)
2278 verify_fail ("fell off end");
2279 vfr->flags[vfr->PC] |= FLAG_INSN_SEEN;
2281 /* We only have to keep saved state at branch targets. If
2282 we're at a branch target and the state here hasn't been set
2283 yet, we set it now. You might notice that `ret' targets
2284 won't necessarily have FLAG_BRANCH_TARGET set. This
2285 doesn't matter, since those states will be filled in by
2287 /* Note that other parts of the compiler assume that there is a
2288 label with a type map at PC=0. */
2289 if (vfr->states[vfr->PC] == NULL
2290 && (vfr->PC == 0 || (vfr->flags[vfr->PC] & FLAG_BRANCH_TARGET) != 0))
2291 add_new_state (vfr->PC, vfr->current_state);
2293 /* Set this before handling exceptions so that debug output is
2295 vfr->start_PC = vfr->PC;
2297 /* Update states for all active exception handlers. Ordinarily
2298 there are not many exception handlers. So we simply run
2299 through them all. */
2300 for (i = 0; i < vfr->current_method->exc_count; ++i)
2302 int hpc, start, end, htype;
2303 vfy_get_exception (vfr->exception, i, &hpc, &start, &end, &htype);
2304 if (vfr->PC >= start && vfr->PC < end)
2306 type handler = make_type_from_class (vfy_throwable_type ());
2308 handler = check_class_constant (htype);
2309 push_exception_jump (handler, hpc);
2314 debug_print_state (vfr->current_state, " ", vfr->PC,
2315 vfr->current_method->max_stack,
2316 vfr->current_method->max_locals);
2317 opcode = (java_opcode) vfr->bytecode[vfr->PC++];
2323 case op_aconst_null:
2324 push_type (null_type);
2334 push_type (int_type);
2339 push_type (long_type);
2345 push_type (float_type);
2350 push_type (double_type);
2355 push_type (int_type);
2360 push_type (int_type);
2364 push_type_t (check_constant (get_byte ()));
2367 push_type_t (check_constant (get_ushort ()));
2370 push_type_t (check_wide_constant (get_ushort ()));
2374 push_type_t (get_variable (get_byte (), int_type));
2377 push_type_t (get_variable (get_byte (), long_type));
2380 push_type_t (get_variable (get_byte (), float_type));
2383 push_type_t (get_variable (get_byte (), double_type));
2386 push_type_t (get_variable (get_byte (), reference_type));
2393 push_type_t (get_variable (opcode - op_iload_0, int_type));
2399 push_type_t (get_variable (opcode - op_lload_0, long_type));
2405 push_type_t (get_variable (opcode - op_fload_0, float_type));
2411 push_type_t (get_variable (opcode - op_dload_0, double_type));
2417 push_type_t (get_variable (opcode - op_aload_0, reference_type));
2420 pop_type (int_type);
2421 push_type_t (require_array_type (pop_init_ref (reference_type),
2425 pop_type (int_type);
2426 push_type_t (require_array_type (pop_init_ref (reference_type),
2430 pop_type (int_type);
2431 push_type_t (require_array_type (pop_init_ref (reference_type),
2435 pop_type (int_type);
2436 push_type_t (require_array_type (pop_init_ref (reference_type),
2440 pop_type (int_type);
2441 push_type_t (require_array_type (pop_init_ref (reference_type),
2445 pop_type (int_type);
2446 require_array_type (pop_init_ref (reference_type), byte_type);
2447 push_type (int_type);
2450 pop_type (int_type);
2451 require_array_type (pop_init_ref (reference_type), char_type);
2452 push_type (int_type);
2455 pop_type (int_type);
2456 require_array_type (pop_init_ref (reference_type), short_type);
2457 push_type (int_type);
2460 set_variable (get_byte (), pop_type (int_type));
2463 set_variable (get_byte (), pop_type (long_type));
2466 set_variable (get_byte (), pop_type (float_type));
2469 set_variable (get_byte (), pop_type (double_type));
2472 set_variable (get_byte (), pop_ref_or_return ());
2478 set_variable (opcode - op_istore_0, pop_type (int_type));
2484 set_variable (opcode - op_lstore_0, pop_type (long_type));
2490 set_variable (opcode - op_fstore_0, pop_type (float_type));
2496 set_variable (opcode - op_dstore_0, pop_type (double_type));
2502 set_variable (opcode - op_astore_0, pop_ref_or_return ());
2505 pop_type (int_type);
2506 pop_type (int_type);
2507 require_array_type (pop_init_ref (reference_type), int_type);
2510 pop_type (long_type);
2511 pop_type (int_type);
2512 require_array_type (pop_init_ref (reference_type), long_type);
2515 pop_type (float_type);
2516 pop_type (int_type);
2517 require_array_type (pop_init_ref (reference_type), float_type);
2520 pop_type (double_type);
2521 pop_type (int_type);
2522 require_array_type (pop_init_ref (reference_type), double_type);
2525 pop_type (reference_type);
2526 pop_type (int_type);
2527 require_array_type (pop_init_ref (reference_type), reference_type);
2530 pop_type (int_type);
2531 pop_type (int_type);
2532 require_array_type (pop_init_ref (reference_type), byte_type);
2535 pop_type (int_type);
2536 pop_type (int_type);
2537 require_array_type (pop_init_ref (reference_type), char_type);
2540 pop_type (int_type);
2541 pop_type (int_type);
2542 require_array_type (pop_init_ref (reference_type), short_type);
2549 type t = pop_raw ();
2550 if (! type_iswide (&t))
2573 type t2 = pop_raw ();
2574 if (! type_iswide (&t2))
2588 type t = pop_raw ();
2589 if (! type_iswide (&t))
2603 type t1 = pop_raw ();
2605 if (! type_iswide (&t1))
2620 type t1 = pop_raw ();
2621 if (type_iswide (&t1))
2623 type t2 = pop_raw ();
2624 if (type_iswide (&t2))
2641 type t3 = pop_raw ();
2642 if (type_iswide (&t3))
2679 pop_type (int_type);
2680 push_type_t (pop_type (int_type));
2690 pop_type (long_type);
2691 push_type_t (pop_type (long_type));
2696 pop_type (int_type);
2697 push_type_t (pop_type (long_type));
2704 pop_type (float_type);
2705 push_type_t (pop_type (float_type));
2712 pop_type (double_type);
2713 push_type_t (pop_type (double_type));
2719 push_type_t (pop_type (int_type));
2722 push_type_t (pop_type (long_type));
2725 push_type_t (pop_type (float_type));
2728 push_type_t (pop_type (double_type));
2731 get_variable (get_byte (), int_type);
2735 pop_type (int_type);
2736 push_type (long_type);
2739 pop_type (int_type);
2740 push_type (float_type);
2743 pop_type (int_type);
2744 push_type (double_type);
2747 pop_type (long_type);
2748 push_type (int_type);
2751 pop_type (long_type);
2752 push_type (float_type);
2755 pop_type (long_type);
2756 push_type (double_type);
2759 pop_type (float_type);
2760 push_type (int_type);
2763 pop_type (float_type);
2764 push_type (long_type);
2767 pop_type (float_type);
2768 push_type (double_type);
2771 pop_type (double_type);
2772 push_type (int_type);
2775 pop_type (double_type);
2776 push_type (long_type);
2779 pop_type (double_type);
2780 push_type (float_type);
2783 pop_type (long_type);
2784 pop_type (long_type);
2785 push_type (int_type);
2789 pop_type (float_type);
2790 pop_type (float_type);
2791 push_type (int_type);
2795 pop_type (double_type);
2796 pop_type (double_type);
2797 push_type (int_type);
2805 pop_type (int_type);
2806 push_jump (get_short ());
2814 pop_type (int_type);
2815 pop_type (int_type);
2816 push_jump (get_short ());
2820 pop_type (reference_type);
2821 pop_type (reference_type);
2822 push_jump (get_short ());
2825 push_jump (get_short ());
2829 handle_jsr_insn (get_short ());
2832 handle_ret_insn (get_byte ());
2834 case op_tableswitch:
2838 pop_type (int_type);
2840 push_jump (get_int ());
2843 /* Already checked LOW -vs- HIGH. */
2844 for (i = low; i <= high; ++i)
2845 push_jump (get_int ());
2850 case op_lookupswitch:
2853 jint npairs, lastkey;
2855 pop_type (int_type);
2857 push_jump (get_int ());
2858 npairs = get_int ();
2859 /* Already checked NPAIRS >= 0. */
2861 for (i = 0; i < npairs; ++i)
2863 jint key = get_int ();
2864 if (i > 0 && key <= lastkey)
2865 verify_fail_pc ("lookupswitch pairs unsorted", vfr->start_PC);
2867 push_jump (get_int ());
2873 check_return_type (pop_type (int_type));
2877 check_return_type (pop_type (long_type));
2881 check_return_type (pop_type (float_type));
2885 check_return_type (pop_type (double_type));
2889 check_return_type (pop_init_ref (reference_type));
2893 /* We only need to check this when the return type is void,
2894 because all instance initializers return void. We also
2895 need to special-case Object constructors, as they can't
2896 call a superclass <init>. */
2897 if (this_is_init && vfr->current_class != vfy_object_type ())
2898 state_check_this_initialized (vfr->current_state);
2899 check_return_type (make_type (void_type));
2903 push_type_t (check_field_constant (get_ushort (), NULL, false));
2906 pop_type_t (check_field_constant (get_ushort (), NULL, false));
2911 type field = check_field_constant (get_ushort (), &klass, false);
2913 push_type_t (field);
2919 type field = check_field_constant (get_ushort (), &klass, true);
2925 case op_invokevirtual:
2926 case op_invokespecial:
2927 case op_invokestatic:
2928 case op_invokeinterface:
2930 vfy_string method_name, method_signature;
2934 bool is_init = false;
2937 = check_method_constant (get_ushort (),
2938 opcode == op_invokeinterface,
2941 /* NARGS is only used when we're processing
2942 invokeinterface. It is simplest for us to compute it
2943 here and then verify it later. */
2945 if (opcode == op_invokeinterface)
2947 nargs = get_byte ();
2948 if (get_byte () != 0)
2949 verify_fail ("invokeinterface dummy byte is wrong");
2952 namec = vfy_string_bytes (method_name);
2954 if (vfy_strings_equal (method_name, vfy_init_name()))
2957 if (opcode != op_invokespecial)
2958 verify_fail ("can't invoke <init>");
2960 else if (namec[0] == '<')
2961 verify_fail ("can't invoke method starting with `<'");
2963 arg_count = vfy_count_arguments (method_signature);
2965 /* Pop arguments and check types. */
2966 type *arg_types = (type *) vfy_alloc (arg_count * sizeof (type));
2968 compute_argument_types (method_signature, arg_types);
2969 for (i = arg_count - 1; i >= 0; --i)
2971 /* This is only used for verifying the byte for
2973 nargs -= type_depth (&arg_types[i]);
2974 pop_init_ref_t (arg_types[i]);
2977 vfy_free (arg_types);
2980 if (opcode == op_invokeinterface
2982 verify_fail ("wrong argument count for invokeinterface");
2984 if (opcode != op_invokestatic)
2987 type t = class_type;
2990 /* In this case the PC doesn't matter. */
2991 type_set_uninitialized (&t, UNINIT);
2992 /* FIXME: check to make sure that the <init>
2993 call is to the right class.
2994 It must either be super or an exact class
2998 if (! types_compatible (&t, &raw))
2999 verify_fail ("incompatible type on stack");
3002 state_set_initialized (vfr->current_state,
3003 type_get_pc (&raw), vfr->current_method->max_locals);
3006 rt = compute_return_type (method_signature);
3007 if (! type_isvoid (&rt))
3014 type t = check_class_constant (get_ushort ());
3015 if (type_isarray (&t) || type_isinterface (&t)
3016 || type_isabstract (&t))
3017 verify_fail ("type is array, interface, or abstract");
3018 type_set_uninitialized (&t, vfr->start_PC);
3025 int atype = get_byte ();
3028 /* We intentionally have chosen constants to make this
3030 if (atype < boolean_type || atype > long_type)
3031 verify_fail_pc ("type not primitive", vfr->start_PC);
3032 pop_type (int_type);
3033 k = construct_primitive_array_type ((type_val) atype);
3034 init_type_from_class (&t, k);
3041 pop_type (int_type);
3042 t = check_class_constant (get_ushort ());
3043 push_type_t (type_to_array (&t));
3046 case op_arraylength:
3048 type t = pop_init_ref (reference_type);
3049 if (! type_isarray (&t) && ! type_isnull (&t))
3050 verify_fail ("array type expected");
3051 push_type (int_type);
3055 pop_type_t (make_type_from_class (vfy_throwable_type ()));
3059 pop_init_ref (reference_type);
3060 push_type_t (check_class_constant (get_ushort ()));
3063 pop_init_ref (reference_type);
3064 check_class_constant (get_ushort ());
3065 push_type (int_type);
3067 case op_monitorenter:
3068 pop_init_ref (reference_type);
3070 case op_monitorexit:
3071 pop_init_ref (reference_type);
3075 switch (get_byte ())
3078 push_type_t (get_variable (get_ushort (), int_type));
3081 push_type_t (get_variable (get_ushort (), long_type));
3084 push_type_t (get_variable (get_ushort (), float_type));
3087 push_type_t (get_variable (get_ushort (), double_type));
3090 push_type_t (get_variable (get_ushort (), reference_type));
3093 set_variable (get_ushort (), pop_type (int_type));
3096 set_variable (get_ushort (), pop_type (long_type));
3099 set_variable (get_ushort (), pop_type (float_type));
3102 set_variable (get_ushort (), pop_type (double_type));
3105 set_variable (get_ushort (), pop_init_ref (reference_type));
3108 handle_ret_insn (get_short ());
3111 get_variable (get_ushort (), int_type);
3115 verify_fail_pc ("unrecognized wide instruction", vfr->start_PC);
3119 case op_multianewarray:
3122 type atype = check_class_constant (get_ushort ());
3123 int dim = get_byte ();
3125 verify_fail_pc ("too few dimensions to multianewarray", vfr->start_PC);
3126 type_verify_dimensions (&atype, dim);
3127 for (i = 0; i < dim; ++i)
3128 pop_type (int_type);
3129 push_type_t (atype);
3134 pop_type (reference_type);
3135 push_jump (get_short ());
3138 push_jump (get_int ());
3142 handle_jsr_insn (get_int ());
3146 /* Unrecognized opcode. */
3147 verify_fail_pc ("unrecognized instruction in verify_instructions_0",
3153 /* This turns a `type' into something suitable for use by the type map
3154 in the other parts of the compiler. In particular, reference types
3155 are mapped to Object, primitive types are unchanged, and other
3156 types are mapped using special functions declared in verify.h. */
3158 collapse_type (type *t)
3171 return vfy_get_primitive_type (t->key);
3173 case unsuitable_type:
3174 case continuation_type:
3175 return vfy_unsuitable_type ();
3177 case return_address_type:
3178 return vfy_return_address_type ();
3181 return vfy_null_type ();
3183 case reference_type:
3184 case uninitialized_reference_type:
3185 return vfy_object_type ();
3192 verify_instructions (void)
3197 verify_instructions_0 ();
3199 /* Now tell the rest of the compiler about the types we've found. */
3200 for (i = 0; i < vfr->current_method->code_length; ++i)
3205 if ((vfr->flags[i] & FLAG_INSN_SEEN) != 0)
3206 vfy_note_instruction_seen (i);
3208 if (! vfr->states[i])
3211 curr = vfr->states[i]->val;
3212 vfy_note_stack_depth (vfr->current_method, i, curr->stackdepth);
3214 /* Tell the compiler about each local variable. */
3215 for (j = 0; j < vfr->current_method->max_locals; ++j)
3216 vfy_note_local_type (vfr->current_method, i, j,
3217 collapse_type (&curr->locals[j]));
3218 /* Tell the compiler about each stack slot. */
3219 for (slot = j = 0; j < curr->stacktop; ++j, ++slot)
3221 vfy_note_stack_type (vfr->current_method, i, slot,
3222 collapse_type (&curr->stack[j]));
3223 if (type_iswide (&curr->stack[j]))
3226 vfy_note_stack_type (vfr->current_method, i, slot,
3227 vfy_unsuitable_type ());
3230 gcc_assert (slot == curr->stackdepth);
3235 make_verifier_context (vfy_method *m)
3237 vfr = (verifier_context *) vfy_alloc (sizeof (struct verifier_context));
3239 vfr->current_method = m;
3240 vfr->bytecode = vfy_get_bytecode (m);
3241 vfr->exception = vfy_get_exceptions (m);
3242 vfr->current_class = m->defining_class;
3246 vfr->utf8_list = NULL;
3247 vfr->isect_list = NULL;
3251 free_verifier_context (void)
3253 vfy_string_list *utf8_list;
3254 ref_intersection *isect_list;
3257 vfy_free (vfr->flags);
3259 utf8_list = vfr->utf8_list;
3260 while (utf8_list != NULL)
3262 vfy_string_list *n = utf8_list->next;
3263 vfy_free (utf8_list);
3267 isect_list = vfr->isect_list;
3268 while (isect_list != NULL)
3270 ref_intersection *next = isect_list->alloc_next;
3271 vfy_free (isect_list);
3275 if (vfr->states != NULL)
3278 for (i = 0; i < vfr->current_method->code_length; ++i)
3280 state_list *iter = vfr->states[i];
3281 while (iter != NULL)
3283 state_list *next = iter->next;
3284 free_state (iter->val);
3285 vfy_free (iter->val);
3290 vfy_free (vfr->states);
3297 verify_method (vfy_method *meth)
3299 debug_print ("verify_method (%s) %i\n", vfy_string_bytes (meth->name),
3303 verify_fail ("verifier re-entered");
3305 make_verifier_context (meth);
3306 verify_instructions ();
3307 free_verifier_context ();
OSDN Git Service
