1 // verify.cc - verify bytecode
3 /* Copyright (C) 2001, 2002, 2003 Free Software Foundation
5 This file is part of libgcj.
7 This software is copyrighted work licensed under the terms of the
8 Libgcj License. Please consult the file "LIBGCJ_LICENSE" for
11 // Written by Tom Tromey <tromey@redhat.com>
13 // Define VERIFY_DEBUG to enable debugging output.
19 #include <java-insns.h>
20 #include <java-interp.h>
24 #include <java/lang/Class.h>
25 #include <java/lang/VerifyError.h>
26 #include <java/lang/Throwable.h>
27 #include <java/lang/reflect/Modifier.h>
28 #include <java/lang/StringBuffer.h>
32 #endif /* VERIFY_DEBUG */
35 static void debug_print (const char *fmt, ...)
36 __attribute__ ((format (printf, 1, 2)));
39 debug_print (const char *fmt, ...)
44 vfprintf (stderr, fmt, ap);
46 #endif /* VERIFY_DEBUG */
49 class _Jv_BytecodeVerifier
53 static const int FLAG_INSN_START = 1;
54 static const int FLAG_BRANCH_TARGET = 2;
59 struct subr_entry_info;
61 struct ref_intersection;
65 // The PC corresponding to the start of the current instruction.
68 // The current state of the stack, locals, etc.
71 // We store the state at branch targets, for merging. This holds
75 // We keep a linked list of all the PCs which we must reverify.
76 // The link is done using the PC values. This is the head of the
80 // We keep some flags for each instruction. The values are the
81 // FLAG_* constants defined above.
84 // We need to keep track of which instructions can call a given
85 // subroutine. FIXME: this is inefficient. We keep a linked list
86 // of all calling `jsr's at at each jsr target.
89 // We keep a linked list of entries which map each `ret' instruction
90 // to its unique subroutine entry point. We expect that there won't
91 // be many `ret' instructions, so a linked list is ok.
92 subr_entry_info *entry_points;
94 // The bytecode itself.
95 unsigned char *bytecode;
97 _Jv_InterpException *exception;
100 jclass current_class;
102 _Jv_InterpMethod *current_method;
104 // A linked list of utf8 objects we allocate. This is really ugly,
105 // but without this our utf8 objects would be collected.
106 linked_utf8 *utf8_list;
108 // A linked list of all ref_intersection objects we allocate.
109 ref_intersection *isect_list;
117 _Jv_Utf8Const *make_utf8_const (char *s, int len)
119 _Jv_Utf8Const *val = _Jv_makeUtf8Const (s, len);
120 _Jv_Utf8Const *r = (_Jv_Utf8Const *) _Jv_Malloc (sizeof (_Jv_Utf8Const)
123 r->length = val->length;
125 memcpy (r->data, val->data, val->length + 1);
127 linked_utf8 *lu = (linked_utf8 *) _Jv_Malloc (sizeof (linked_utf8));
129 lu->next = utf8_list;
135 __attribute__ ((__noreturn__)) void verify_fail (char *s, jint pc = -1)
137 using namespace java::lang;
138 StringBuffer *buf = new StringBuffer ();
140 buf->append (JvNewStringLatin1 ("verification failed"));
145 buf->append (JvNewStringLatin1 (" at PC "));
149 _Jv_InterpMethod *method = current_method;
150 buf->append (JvNewStringLatin1 (" in "));
151 buf->append (current_class->getName());
152 buf->append ((jchar) ':');
153 buf->append (JvNewStringUTF (method->get_method()->name->data));
154 buf->append ((jchar) '(');
155 buf->append (JvNewStringUTF (method->get_method()->signature->data));
156 buf->append ((jchar) ')');
158 buf->append (JvNewStringLatin1 (": "));
159 buf->append (JvNewStringLatin1 (s));
160 throw new java::lang::VerifyError (buf->toString ());
163 // This enum holds a list of tags for all the different types we
164 // need to handle. Reference types are treated specially by the
170 // The values for primitive types are chosen to correspond to values
171 // specified to newarray.
181 // Used when overwriting second word of a double or long in the
182 // local variables. Also used after merging local variable states
183 // to indicate an unusable value.
188 // There is an obscure special case which requires us to note when
189 // a local variable has not been used by a subroutine. See
190 // push_jump_merge for more information.
191 unused_by_subroutine_type,
193 // Everything after `reference_type' must be a reference type.
196 uninitialized_reference_type
199 // This represents a merged class type. Some verifiers (including
200 // earlier versions of this one) will compute the intersection of
201 // two class types when merging states. However, this loses
202 // critical information about interfaces implemented by the various
203 // classes. So instead we keep track of all the actual classes that
205 struct ref_intersection
207 // Whether or not this type has been resolved.
213 // For a resolved reference type, this is a pointer to the class.
215 // For other reference types, this it the name of the class.
219 // Link to the next reference in the intersection.
220 ref_intersection *ref_next;
222 // This is used to keep track of all the allocated
223 // ref_intersection objects, so we can free them.
224 // FIXME: we should allocate these in chunks.
225 ref_intersection *alloc_next;
227 ref_intersection (jclass klass, _Jv_BytecodeVerifier *verifier)
232 alloc_next = verifier->isect_list;
233 verifier->isect_list = this;
236 ref_intersection (_Jv_Utf8Const *name, _Jv_BytecodeVerifier *verifier)
241 alloc_next = verifier->isect_list;
242 verifier->isect_list = this;
245 ref_intersection (ref_intersection *dup, ref_intersection *tail,
246 _Jv_BytecodeVerifier *verifier)
249 is_resolved = dup->is_resolved;
251 alloc_next = verifier->isect_list;
252 verifier->isect_list = this;
255 bool equals (ref_intersection *other, _Jv_BytecodeVerifier *verifier)
257 if (! is_resolved && ! other->is_resolved
258 && _Jv_equalUtf8Consts (data.name, other->data.name))
262 if (! other->is_resolved)
263 other->resolve (verifier);
264 return data.klass == other->data.klass;
267 // Merge THIS type into OTHER, returning the result. This will
268 // return OTHER if all the classes in THIS already appear in
270 ref_intersection *merge (ref_intersection *other,
271 _Jv_BytecodeVerifier *verifier)
273 ref_intersection *tail = other;
274 for (ref_intersection *self = this; self != NULL; self = self->ref_next)
277 for (ref_intersection *iter = other; iter != NULL;
278 iter = iter->ref_next)
280 if (iter->equals (self, verifier))
288 tail = new ref_intersection (self, tail, verifier);
293 void resolve (_Jv_BytecodeVerifier *verifier)
298 using namespace java::lang;
299 java::lang::ClassLoader *loader
300 = verifier->current_class->getClassLoaderInternal();
301 // We might see either kind of name. Sigh.
302 if (data.name->data[0] == 'L'
303 && data.name->data[data.name->length - 1] == ';')
304 data.klass = _Jv_FindClassFromSignature (data.name->data, loader);
306 data.klass = Class::forName (_Jv_NewStringUtf8Const (data.name),
311 // See if an object of type OTHER can be assigned to an object of
312 // type *THIS. This might resolve classes in one chain or the
314 bool compatible (ref_intersection *other,
315 _Jv_BytecodeVerifier *verifier)
317 ref_intersection *self = this;
319 for (; self != NULL; self = self->ref_next)
321 ref_intersection *other_iter = other;
323 for (; other_iter != NULL; other_iter = other_iter->ref_next)
325 // Avoid resolving if possible.
326 if (! self->is_resolved
327 && ! other_iter->is_resolved
328 && _Jv_equalUtf8Consts (self->data.name,
329 other_iter->data.name))
332 if (! self->is_resolved)
333 self->resolve(verifier);
334 if (! other_iter->is_resolved)
335 other_iter->resolve(verifier);
337 if (! is_assignable_from_slow (self->data.klass,
338 other_iter->data.klass))
348 // assert (ref_next == NULL);
350 return data.klass->isArray ();
352 return data.name->data[0] == '[';
355 bool isinterface (_Jv_BytecodeVerifier *verifier)
357 // assert (ref_next == NULL);
360 return data.klass->isInterface ();
363 bool isabstract (_Jv_BytecodeVerifier *verifier)
365 // assert (ref_next == NULL);
368 using namespace java::lang::reflect;
369 return Modifier::isAbstract (data.klass->getModifiers ());
372 jclass getclass (_Jv_BytecodeVerifier *verifier)
379 int count_dimensions ()
384 jclass k = data.klass;
385 while (k->isArray ())
387 k = k->getComponentType ();
393 char *p = data.name->data;
400 void *operator new (size_t bytes)
402 return _Jv_Malloc (bytes);
405 void operator delete (void *mem)
411 // Return the type_val corresponding to a primitive signature
412 // character. For instance `I' returns `int.class'.
413 type_val get_type_val_for_signature (jchar sig)
446 verify_fail ("invalid signature");
451 // Return the type_val corresponding to a primitive class.
452 type_val get_type_val_for_signature (jclass k)
454 return get_type_val_for_signature ((jchar) k->method_count);
457 // This is like _Jv_IsAssignableFrom, but it works even if SOURCE or
458 // TARGET haven't been prepared.
459 static bool is_assignable_from_slow (jclass target, jclass source)
461 // First, strip arrays.
462 while (target->isArray ())
464 // If target is array, source must be as well.
465 if (! source->isArray ())
467 target = target->getComponentType ();
468 source = source->getComponentType ();
472 if (target == &java::lang::Object::class$)
477 if (source == target)
480 if (target->isPrimitive () || source->isPrimitive ())
483 if (target->isInterface ())
485 for (int i = 0; i < source->interface_count; ++i)
487 // We use a recursive call because we also need to
488 // check superinterfaces.
489 if (is_assignable_from_slow (target, source->interfaces[i]))
493 source = source->getSuperclass ();
495 while (source != NULL);
500 // This is used to keep track of which `jsr's correspond to a given
504 // PC of the instruction just after the jsr.
510 // This is used to keep track of which subroutine entry point
511 // corresponds to which `ret' instruction.
512 struct subr_entry_info
514 // PC of the subroutine entry point.
516 // PC of the `ret' instruction.
519 subr_entry_info *next;
522 // The `type' class is used to represent a single type in the
529 // For reference types, the representation of the type.
530 ref_intersection *klass;
532 // This is used when constructing a new object. It is the PC of the
533 // `new' instruction which created the object. We use the special
534 // value -2 to mean that this is uninitialized, and the special
535 // value -1 for the case where the current method is itself the
539 static const int UNINIT = -2;
540 static const int SELF = -1;
542 // Basic constructor.
545 key = unsuitable_type;
550 // Make a new instance given the type tag. We assume a generic
551 // `reference_type' means Object.
555 // For reference_type, if KLASS==NULL then that means we are
556 // looking for a generic object of any kind, including an
557 // uninitialized reference.
562 // Make a new instance given a class.
563 type (jclass k, _Jv_BytecodeVerifier *verifier)
565 key = reference_type;
566 klass = new ref_intersection (k, verifier);
570 // Make a new instance given the name of a class.
571 type (_Jv_Utf8Const *n, _Jv_BytecodeVerifier *verifier)
573 key = reference_type;
574 klass = new ref_intersection (n, verifier);
586 // These operators are required because libgcj can't link in
588 void *operator new[] (size_t bytes)
590 return _Jv_Malloc (bytes);
593 void operator delete[] (void *mem)
598 type& operator= (type_val k)
606 type& operator= (const type& t)
614 // Promote a numeric type.
617 if (key == boolean_type || key == char_type
618 || key == byte_type || key == short_type)
623 // Mark this type as the uninitialized result of `new'.
624 void set_uninitialized (int npc, _Jv_BytecodeVerifier *verifier)
626 if (key == reference_type)
627 key = uninitialized_reference_type;
629 verifier->verify_fail ("internal error in type::uninitialized");
633 // Mark this type as now initialized.
634 void set_initialized (int npc)
636 if (npc != UNINIT && pc == npc && key == uninitialized_reference_type)
638 key = reference_type;
644 // Return true if an object of type K can be assigned to a variable
645 // of type *THIS. Handle various special cases too. Might modify
646 // *THIS or K. Note however that this does not perform numeric
648 bool compatible (type &k, _Jv_BytecodeVerifier *verifier)
650 // Any type is compatible with the unsuitable type.
651 if (key == unsuitable_type)
654 if (key < reference_type || k.key < reference_type)
657 // The `null' type is convertible to any initialized reference
659 if (key == null_type)
660 return k.key != uninitialized_reference_type;
661 if (k.key == null_type)
662 return key != uninitialized_reference_type;
664 // A special case for a generic reference.
668 verifier->verify_fail ("programmer error in type::compatible");
670 // An initialized type and an uninitialized type are not
672 if (isinitialized () != k.isinitialized ())
675 // Two uninitialized objects are compatible if either:
676 // * The PCs are identical, or
677 // * One PC is UNINIT.
678 if (! isinitialized ())
680 if (pc != k.pc && pc != UNINIT && k.pc != UNINIT)
684 return klass->compatible(k.klass, verifier);
689 return key == void_type;
694 return key == long_type || key == double_type;
697 // Return number of stack or local variable slots taken by this
701 return iswide () ? 2 : 1;
704 bool isarray () const
706 // We treat null_type as not an array. This is ok based on the
707 // current uses of this method.
708 if (key == reference_type)
709 return klass->isarray ();
715 return key == null_type;
718 bool isinterface (_Jv_BytecodeVerifier *verifier)
720 if (key != reference_type)
722 return klass->isinterface (verifier);
725 bool isabstract (_Jv_BytecodeVerifier *verifier)
727 if (key != reference_type)
729 return klass->isabstract (verifier);
732 // Return the element type of an array.
733 type element_type (_Jv_BytecodeVerifier *verifier)
735 if (key != reference_type)
736 verifier->verify_fail ("programmer error in type::element_type()", -1);
738 jclass k = klass->getclass (verifier)->getComponentType ();
739 if (k->isPrimitive ())
740 return type (verifier->get_type_val_for_signature (k));
741 return type (k, verifier);
744 // Return the array type corresponding to an initialized
745 // reference. We could expand this to work for other kinds of
746 // types, but currently we don't need to.
747 type to_array (_Jv_BytecodeVerifier *verifier)
749 if (key != reference_type)
750 verifier->verify_fail ("internal error in type::to_array()");
752 jclass k = klass->getclass (verifier);
753 return type (_Jv_GetArrayClass (k, k->getClassLoaderInternal()),
757 bool isreference () const
759 return key >= reference_type;
767 bool isinitialized () const
769 return key == reference_type || key == null_type;
772 bool isresolved () const
774 return (key == reference_type
776 || key == uninitialized_reference_type);
779 void verify_dimensions (int ndims, _Jv_BytecodeVerifier *verifier)
781 // The way this is written, we don't need to check isarray().
782 if (key != reference_type)
783 verifier->verify_fail ("internal error in verify_dimensions: not a reference type");
785 if (klass->count_dimensions () < ndims)
786 verifier->verify_fail ("array type has fewer dimensions than required");
789 // Merge OLD_TYPE into this. On error throw exception.
790 bool merge (type& old_type, bool local_semantics,
791 _Jv_BytecodeVerifier *verifier)
793 bool changed = false;
794 bool refo = old_type.isreference ();
795 bool refn = isreference ();
798 if (old_type.key == null_type)
800 else if (key == null_type)
805 else if (isinitialized () != old_type.isinitialized ())
806 verifier->verify_fail ("merging initialized and uninitialized types");
809 if (! isinitialized ())
813 else if (old_type.pc == UNINIT)
815 else if (pc != old_type.pc)
816 verifier->verify_fail ("merging different uninitialized types");
819 ref_intersection *merged = old_type.klass->merge (klass,
828 else if (refo || refn || key != old_type.key)
832 // If we're merging into an "unused" slot, then we
833 // simply accept whatever we're merging from.
834 if (key == unused_by_subroutine_type)
839 else if (old_type.key == unused_by_subroutine_type)
843 // If we already have an `unsuitable' type, then we
844 // don't need to change again.
845 else if (key != unsuitable_type)
847 key = unsuitable_type;
852 verifier->verify_fail ("unmergeable type");
858 void print (void) const
863 case boolean_type: c = 'Z'; break;
864 case byte_type: c = 'B'; break;
865 case char_type: c = 'C'; break;
866 case short_type: c = 'S'; break;
867 case int_type: c = 'I'; break;
868 case long_type: c = 'J'; break;
869 case float_type: c = 'F'; break;
870 case double_type: c = 'D'; break;
871 case void_type: c = 'V'; break;
872 case unsuitable_type: c = '-'; break;
873 case return_address_type: c = 'r'; break;
874 case continuation_type: c = '+'; break;
875 case unused_by_subroutine_type: c = '_'; break;
876 case reference_type: c = 'L'; break;
877 case null_type: c = '@'; break;
878 case uninitialized_reference_type: c = 'U'; break;
880 debug_print ("%c", c);
882 #endif /* VERIFY_DEBUG */
885 // This class holds all the state information we need for a given
889 // The current top of the stack, in terms of slots.
891 // The current depth of the stack. This will be larger than
892 // STACKTOP when wide types are on the stack.
896 // The local variables.
898 // Flags are used in subroutines to keep track of which local
899 // variables have been accessed. They are also used after
901 // If not 0, then we are in a subroutine. The value is the PC of
902 // the subroutine's entry point. We can use 0 as an exceptional
903 // value because PC=0 can never be a subroutine.
905 // This is used to keep a linked list of all the states which
906 // require re-verification. We use the PC to keep track.
908 // We keep track of the type of `this' specially. This is used to
909 // ensure that an instance initializer invokes another initializer
910 // on `this' before returning. We must keep track of this
911 // specially because otherwise we might be confused by code which
912 // assigns to locals[0] (overwriting `this') and then returns
913 // without really initializing.
915 // This is a list of all subroutines that have been seen at this
916 // point. Ordinarily this is NULL; it is only allocated and used
917 // in relatively weird situations involving non-ret exit from a
918 // subroutine. We have to keep track of this in this way to avoid
919 // endless recursion in these cases.
920 subr_info *seen_subrs;
922 // INVALID marks a state which is not on the linked list of states
923 // requiring reverification.
924 static const int INVALID = -1;
925 // NO_NEXT marks the state at the end of the reverification list.
926 static const int NO_NEXT = -2;
928 // This is used to mark the stack depth at the instruction just
929 // after a `jsr' when we haven't yet processed the corresponding
930 // `ret'. See handle_jsr_insn for more information.
931 static const int NO_STACK = -1;
933 // This flag indicates that the local was changed in this
935 static const int FLAG_CHANGED = 1;
936 // This is set only on the flags of the state of an instruction
937 // directly following a "jsr". It indicates that the local
938 // variable was changed by the subroutine corresponding to the
940 static const int FLAG_USED = 2;
951 state (int max_stack, int max_locals)
956 stack = new type[max_stack];
957 for (int i = 0; i < max_stack; ++i)
958 stack[i] = unsuitable_type;
959 locals = new type[max_locals];
960 flags = (char *) _Jv_Malloc (sizeof (char) * max_locals);
962 for (int i = 0; i < max_locals; ++i)
964 locals[i] = unsuitable_type;
971 state (const state *orig, int max_stack, int max_locals,
972 bool ret_semantics = false)
974 stack = new type[max_stack];
975 locals = new type[max_locals];
976 flags = (char *) _Jv_Malloc (sizeof (char) * max_locals);
978 copy (orig, max_stack, max_locals, ret_semantics);
993 void *operator new[] (size_t bytes)
995 return _Jv_Malloc (bytes);
998 void operator delete[] (void *mem)
1003 void *operator new (size_t bytes)
1005 return _Jv_Malloc (bytes);
1008 void operator delete (void *mem)
1015 subr_info *info = seen_subrs;
1016 while (info != NULL)
1018 subr_info *next = info->next;
1025 void copy (const state *copy, int max_stack, int max_locals,
1026 bool ret_semantics = false)
1028 stacktop = copy->stacktop;
1029 stackdepth = copy->stackdepth;
1030 subroutine = copy->subroutine;
1031 for (int i = 0; i < max_stack; ++i)
1032 stack[i] = copy->stack[i];
1033 for (int i = 0; i < max_locals; ++i)
1035 // See push_jump_merge to understand this case.
1038 if ((copy->flags[i] & FLAG_CHANGED))
1040 // Changed in the subroutine, so we copy it here.
1041 locals[i] = copy->locals[i];
1042 flags[i] |= FLAG_USED;
1046 // Not changed in the subroutine. Use a special
1047 // type so the coming merge will overwrite.
1048 locals[i] = type (unused_by_subroutine_type);
1052 locals[i] = copy->locals[i];
1054 // Clear the flag unconditionally just so printouts look ok,
1055 // then only set it if we're still in a subroutine and it
1056 // did in fact change.
1057 flags[i] &= ~FLAG_CHANGED;
1058 if (subroutine && (copy->flags[i] & FLAG_CHANGED) != 0)
1059 flags[i] |= FLAG_CHANGED;
1063 if (copy->seen_subrs)
1065 for (subr_info *info = copy->seen_subrs;
1066 info != NULL; info = info->next)
1067 add_subr (info->pc);
1070 this_type = copy->this_type;
1071 // Don't modify `next'.
1074 // Modify this state to reflect entry to an exception handler.
1075 void set_exception (type t, int max_stack)
1080 for (int i = stacktop; i < max_stack; ++i)
1081 stack[i] = unsuitable_type;
1084 // Modify this state to reflect entry into a subroutine.
1085 void enter_subroutine (int npc, int max_locals)
1088 // Mark all items as unchanged. Each subroutine needs to keep
1089 // track of its `changed' state independently. In the case of
1090 // nested subroutines, this information will be merged back into
1091 // parent by the `ret'.
1092 for (int i = 0; i < max_locals; ++i)
1093 flags[i] &= ~FLAG_CHANGED;
1096 // Indicate that we've been in this this subroutine.
1097 void add_subr (int pc)
1099 subr_info *n = (subr_info *) _Jv_Malloc (sizeof (subr_info));
1101 n->next = seen_subrs;
1105 // Merge STATE_OLD into this state. Destructively modifies this
1106 // state. Returns true if the new state was in fact changed.
1107 // Will throw an exception if the states are not mergeable.
1108 bool merge (state *state_old, bool ret_semantics,
1109 int max_locals, _Jv_BytecodeVerifier *verifier,
1110 bool jsr_semantics = false)
1112 bool changed = false;
1114 // Special handling for `this'. If one or the other is
1115 // uninitialized, then the merge is uninitialized.
1116 if (this_type.isinitialized ())
1117 this_type = state_old->this_type;
1119 // Merge subroutine states. Here we just keep track of what
1120 // subroutine we think we're in. We only check for a merge
1121 // (which is invalid) when we see a `ret'.
1122 if (subroutine == state_old->subroutine)
1126 else if (subroutine == 0)
1128 subroutine = state_old->subroutine;
1133 // If the subroutines differ, and we haven't seen this
1134 // subroutine before, indicate that the state changed. This
1135 // is needed to detect when subroutines have merged.
1137 for (subr_info *info = seen_subrs; info != NULL; info = info->next)
1139 if (info->pc == state_old->subroutine)
1147 add_subr (state_old->subroutine);
1152 // Merge stacks, including special handling for NO_STACK case.
1153 // If the destination is NO_STACK, this means it is the
1154 // instruction following a "jsr" and has not yet been processed
1155 // in any way. In this situation, if we are currently
1156 // processing a "ret", then we must *copy* any locals changed in
1157 // the subroutine into the current state. Merging in this
1158 // situation is incorrect because the locals we've noted didn't
1159 // come real program flow, they are just an artifact of how
1160 // we've chosen to handle the post-jsr state.
1161 bool copy_in_locals = ret_semantics && stacktop == NO_STACK;
1163 if (state_old->stacktop == NO_STACK)
1165 // This can happen if we're doing a pass-through jsr merge.
1166 // Here we can just ignore the stack.
1168 else if (stacktop == NO_STACK)
1170 stacktop = state_old->stacktop;
1171 stackdepth = state_old->stackdepth;
1172 for (int i = 0; i < stacktop; ++i)
1173 stack[i] = state_old->stack[i];
1176 else if (state_old->stacktop != stacktop)
1177 verifier->verify_fail ("stack sizes differ");
1180 for (int i = 0; i < state_old->stacktop; ++i)
1182 if (stack[i].merge (state_old->stack[i], false, verifier))
1187 // Merge local variables.
1188 for (int i = 0; i < max_locals; ++i)
1190 // If we're not processing a `ret', then we merge every
1191 // local variable. If we are processing a `ret', then we
1192 // only merge locals which changed in the subroutine. When
1193 // processing a `ret', STATE_OLD is the state at the point
1194 // of the `ret', and THIS is the state just after the `jsr'.
1195 // See comment above for explanation of COPY_IN_LOCALS.
1198 if ((state_old->flags[i] & FLAG_CHANGED) != 0)
1200 locals[i] = state_old->locals[i];
1202 // There's no point in calling note_variable here,
1203 // since we call it under the same condition before
1207 else if (jsr_semantics && (flags[i] & FLAG_USED) != 0)
1209 // We are processing the "pass-through" part of a jsr
1210 // statement. In this particular case, the local was
1211 // changed by the subroutine. So, we have no work to
1212 // do, as the pre-jsr value does not survive the
1215 else if (! ret_semantics
1216 || (state_old->flags[i] & FLAG_CHANGED) != 0)
1218 // If we have ordinary (not ret) semantics, then we have
1219 // merging flow control, so we merge types. Or, we have
1220 // jsr pass-through semantics and the type survives the
1221 // subroutine (see above), so again we merge. Or,
1222 // finally, we have ret semantics and this value did
1223 // change, in which case we merge the change from the
1224 // subroutine into the post-jsr instruction.
1225 if (locals[i].merge (state_old->locals[i], true, verifier))
1227 // Note that we don't call `note_variable' here.
1228 // This change doesn't represent a real change to a
1229 // local, but rather a merge artifact. If we're in
1230 // a subroutine which is called with two
1231 // incompatible types in a slot that is unused by
1232 // the subroutine, then we don't want to mark that
1233 // variable as having been modified.
1238 // If we're in a subroutine, we must compute the union of
1239 // all the changed local variables.
1240 if ((state_old->flags[i] & FLAG_CHANGED) != 0)
1243 // If we're returning from a subroutine, we must mark the
1244 // post-jsr instruction with information about what changed,
1245 // so that future "pass-through" jsr merges work correctly.
1246 if (ret_semantics && (state_old->flags[i] & FLAG_CHANGED) != 0)
1247 flags[i] |= FLAG_USED;
1253 // Throw an exception if there is an uninitialized object on the
1254 // stack or in a local variable. EXCEPTION_SEMANTICS controls
1255 // whether we're using backwards-branch or exception-handing
1257 void check_no_uninitialized_objects (int max_locals,
1258 _Jv_BytecodeVerifier *verifier,
1259 bool exception_semantics = false)
1261 if (! exception_semantics)
1263 for (int i = 0; i < stacktop; ++i)
1264 if (stack[i].isreference () && ! stack[i].isinitialized ())
1265 verifier->verify_fail ("uninitialized object on stack");
1268 for (int i = 0; i < max_locals; ++i)
1269 if (locals[i].isreference () && ! locals[i].isinitialized ())
1270 verifier->verify_fail ("uninitialized object in local variable");
1272 check_this_initialized (verifier);
1275 // Ensure that `this' has been initialized.
1276 void check_this_initialized (_Jv_BytecodeVerifier *verifier)
1278 if (this_type.isreference () && ! this_type.isinitialized ())
1279 verifier->verify_fail ("`this' is uninitialized");
1282 // Set type of `this'.
1283 void set_this_type (const type &k)
1288 // Note that a local variable was modified.
1289 void note_variable (int index)
1292 flags[index] |= FLAG_CHANGED;
1295 // Mark each `new'd object we know of that was allocated at PC as
1297 void set_initialized (int pc, int max_locals)
1299 for (int i = 0; i < stacktop; ++i)
1300 stack[i].set_initialized (pc);
1301 for (int i = 0; i < max_locals; ++i)
1302 locals[i].set_initialized (pc);
1303 this_type.set_initialized (pc);
1306 // Return true if this state is the unmerged result of a `ret'.
1307 bool is_unmerged_ret_state (int max_locals) const
1309 if (stacktop == NO_STACK)
1311 for (int i = 0; i < max_locals; ++i)
1313 if (locals[i].key == unused_by_subroutine_type)
1320 void print (const char *leader, int pc,
1321 int max_stack, int max_locals) const
1323 debug_print ("%s [%4d]: [stack] ", leader, pc);
1325 for (i = 0; i < stacktop; ++i)
1327 for (; i < max_stack; ++i)
1329 debug_print (" [local] ");
1330 for (i = 0; i < max_locals; ++i)
1333 if ((flags[i] & FLAG_USED) != 0)
1334 debug_print ((flags[i] & FLAG_CHANGED) ? ">" : "<");
1336 debug_print ((flags[i] & FLAG_CHANGED) ? "+" : " ");
1338 if (subroutine == 0)
1339 debug_print (" | None");
1341 debug_print (" | %4d", subroutine);
1342 debug_print (" | %p\n", this);
1345 inline void print (const char *, int, int, int) const
1348 #endif /* VERIFY_DEBUG */
1353 if (current_state->stacktop <= 0)
1354 verify_fail ("stack empty");
1355 type r = current_state->stack[--current_state->stacktop];
1356 current_state->stackdepth -= r.depth ();
1357 if (current_state->stackdepth < 0)
1358 verify_fail ("stack empty", start_PC);
1364 type r = pop_raw ();
1366 verify_fail ("narrow pop of wide type");
1370 type pop_type (type match)
1373 type t = pop_raw ();
1374 if (! match.compatible (t, this))
1375 verify_fail ("incompatible type on stack");
1379 // Pop a reference which is guaranteed to be initialized. MATCH
1380 // doesn't have to be a reference type; in this case this acts like
1382 type pop_init_ref (type match)
1384 type t = pop_raw ();
1385 if (t.isreference () && ! t.isinitialized ())
1386 verify_fail ("initialized reference required");
1387 else if (! match.compatible (t, this))
1388 verify_fail ("incompatible type on stack");
1392 // Pop a reference type or a return address.
1393 type pop_ref_or_return ()
1395 type t = pop_raw ();
1396 if (! t.isreference () && t.key != return_address_type)
1397 verify_fail ("expected reference or return address on stack");
1401 void push_type (type t)
1403 // If T is a numeric type like short, promote it to int.
1406 int depth = t.depth ();
1407 if (current_state->stackdepth + depth > current_method->max_stack)
1408 verify_fail ("stack overflow");
1409 current_state->stack[current_state->stacktop++] = t;
1410 current_state->stackdepth += depth;
1413 void set_variable (int index, type t)
1415 // If T is a numeric type like short, promote it to int.
1418 int depth = t.depth ();
1419 if (index > current_method->max_locals - depth)
1420 verify_fail ("invalid local variable");
1421 current_state->locals[index] = t;
1422 current_state->note_variable (index);
1426 current_state->locals[index + 1] = continuation_type;
1427 current_state->note_variable (index + 1);
1429 if (index > 0 && current_state->locals[index - 1].iswide ())
1431 current_state->locals[index - 1] = unsuitable_type;
1432 // There's no need to call note_variable here.
1436 type get_variable (int index, type t)
1438 int depth = t.depth ();
1439 if (index > current_method->max_locals - depth)
1440 verify_fail ("invalid local variable");
1441 if (! t.compatible (current_state->locals[index], this))
1442 verify_fail ("incompatible type in local variable");
1445 type t (continuation_type);
1446 if (! current_state->locals[index + 1].compatible (t, this))
1447 verify_fail ("invalid local variable");
1449 return current_state->locals[index];
1452 // Make sure ARRAY is an array type and that its elements are
1453 // compatible with type ELEMENT. Returns the actual element type.
1454 type require_array_type (type array, type element)
1456 // An odd case. Here we just pretend that everything went ok. If
1457 // the requested element type is some kind of reference, return
1458 // the null type instead.
1459 if (array.isnull ())
1460 return element.isreference () ? type (null_type) : element;
1462 if (! array.isarray ())
1463 verify_fail ("array required");
1465 type t = array.element_type (this);
1466 if (! element.compatible (t, this))
1468 // Special case for byte arrays, which must also be boolean
1471 if (element.key == byte_type)
1473 type e2 (boolean_type);
1474 ok = e2.compatible (t, this);
1477 verify_fail ("incompatible array element type");
1480 // Return T and not ELEMENT, because T might be specialized.
1486 if (PC >= current_method->code_length)
1487 verify_fail ("premature end of bytecode");
1488 return (jint) bytecode[PC++] & 0xff;
1493 jint b1 = get_byte ();
1494 jint b2 = get_byte ();
1495 return (jint) ((b1 << 8) | b2) & 0xffff;
1500 jint b1 = get_byte ();
1501 jint b2 = get_byte ();
1502 jshort s = (b1 << 8) | b2;
1508 jint b1 = get_byte ();
1509 jint b2 = get_byte ();
1510 jint b3 = get_byte ();
1511 jint b4 = get_byte ();
1512 return (b1 << 24) | (b2 << 16) | (b3 << 8) | b4;
1515 int compute_jump (int offset)
1517 int npc = start_PC + offset;
1518 if (npc < 0 || npc >= current_method->code_length)
1519 verify_fail ("branch out of range", start_PC);
1523 // Merge the indicated state into the state at the branch target and
1524 // schedule a new PC if there is a change. If RET_SEMANTICS is
1525 // true, then we are merging from a `ret' instruction into the
1526 // instruction after a `jsr'. This is a special case with its own
1527 // modified semantics. If JSR_SEMANTICS is true, then we're merging
1528 // some type information from a "jsr" instruction to the immediately
1529 // following instruction. In this situation we have to be careful
1530 // not to merge local variables whose values are modified by the
1531 // subroutine we're about to call.
1532 void push_jump_merge (int npc, state *nstate,
1533 bool ret_semantics = false,
1534 bool jsr_semantics = false)
1536 bool changed = true;
1537 if (states[npc] == NULL)
1539 // There's a weird situation here. If are examining the
1540 // branch that results from a `ret', and there is not yet a
1541 // state available at the branch target (the instruction just
1542 // after the `jsr'), then we have to construct a special kind
1543 // of state at that point for future merging. This special
1544 // state has the type `unused_by_subroutine_type' in each slot
1545 // which was not modified by the subroutine.
1546 states[npc] = new state (nstate, current_method->max_stack,
1547 current_method->max_locals, ret_semantics);
1548 debug_print ("== New state in push_jump_merge (ret_semantics = %s)\n",
1549 ret_semantics ? "true" : "false");
1550 states[npc]->print ("New", npc, current_method->max_stack,
1551 current_method->max_locals);
1555 debug_print ("== Merge states in push_jump_merge\n");
1556 nstate->print ("Frm", start_PC, current_method->max_stack,
1557 current_method->max_locals);
1558 states[npc]->print (" To", npc, current_method->max_stack,
1559 current_method->max_locals);
1560 changed = states[npc]->merge (nstate, ret_semantics,
1561 current_method->max_locals, this,
1563 states[npc]->print ("New", npc, current_method->max_stack,
1564 current_method->max_locals);
1567 if (changed && states[npc]->next == state::INVALID)
1569 // The merge changed the state, and the new PC isn't yet on our
1570 // list of PCs to re-verify.
1571 states[npc]->next = next_verify_pc;
1572 next_verify_pc = npc;
1576 void push_jump (int offset)
1578 int npc = compute_jump (offset);
1580 current_state->check_no_uninitialized_objects (current_method->max_locals, this);
1581 push_jump_merge (npc, current_state);
1584 void push_exception_jump (type t, int pc)
1586 current_state->check_no_uninitialized_objects (current_method->max_locals,
1588 state s (current_state, current_method->max_stack,
1589 current_method->max_locals);
1590 if (current_method->max_stack < 1)
1591 verify_fail ("stack overflow at exception handler");
1592 s.set_exception (t, current_method->max_stack);
1593 push_jump_merge (pc, &s);
1598 int *prev_loc = &next_verify_pc;
1599 int npc = next_verify_pc;
1601 while (npc != state::NO_NEXT)
1603 // If the next available PC is an unmerged `ret' state, then
1604 // we aren't yet ready to handle it. That's because we would
1605 // need all kind of special cases to do so. So instead we
1606 // defer this jump until after we've processed it via a
1607 // fall-through. This has to happen because the instruction
1608 // before this one must be a `jsr'.
1609 if (! states[npc]->is_unmerged_ret_state (current_method->max_locals))
1611 *prev_loc = states[npc]->next;
1612 states[npc]->next = state::INVALID;
1616 prev_loc = &states[npc]->next;
1617 npc = states[npc]->next;
1620 // Note that we might have gotten here even when there are
1621 // remaining states to process. That can happen if we find a
1622 // `jsr' without a `ret'.
1623 return state::NO_NEXT;
1626 void invalidate_pc ()
1628 PC = state::NO_NEXT;
1631 void note_branch_target (int pc, bool is_jsr_target = false)
1633 // Don't check `pc <= PC', because we've advanced PC after
1634 // fetching the target and we haven't yet checked the next
1636 if (pc < PC && ! (flags[pc] & FLAG_INSN_START))
1637 verify_fail ("branch not to instruction start", start_PC);
1638 flags[pc] |= FLAG_BRANCH_TARGET;
1641 // Record the jsr which called this instruction.
1642 subr_info *info = (subr_info *) _Jv_Malloc (sizeof (subr_info));
1644 info->next = jsr_ptrs[pc];
1645 jsr_ptrs[pc] = info;
1649 void skip_padding ()
1651 while ((PC % 4) > 0)
1652 if (get_byte () != 0)
1653 verify_fail ("found nonzero padding byte");
1656 // Return the subroutine to which the instruction at PC belongs.
1657 int get_subroutine (int pc)
1659 if (states[pc] == NULL)
1661 return states[pc]->subroutine;
1664 // Do the work for a `ret' instruction. INDEX is the index into the
1666 void handle_ret_insn (int index)
1668 get_variable (index, return_address_type);
1670 int csub = current_state->subroutine;
1672 verify_fail ("no subroutine");
1674 // Check to see if we've merged subroutines.
1675 subr_entry_info *entry;
1676 for (entry = entry_points; entry != NULL; entry = entry->next)
1678 if (entry->ret_pc == start_PC)
1683 entry = (subr_entry_info *) _Jv_Malloc (sizeof (subr_entry_info));
1685 entry->ret_pc = start_PC;
1686 entry->next = entry_points;
1687 entry_points = entry;
1689 else if (entry->pc != csub)
1690 verify_fail ("subroutines merged");
1692 for (subr_info *subr = jsr_ptrs[csub]; subr != NULL; subr = subr->next)
1694 // We might be returning to a `jsr' that is at the end of the
1695 // bytecode. This is ok if we never return from the called
1696 // subroutine, but if we see this here it is an error.
1697 if (subr->pc >= current_method->code_length)
1698 verify_fail ("fell off end");
1700 // Temporarily modify the current state so it looks like we're
1701 // in the enclosing context.
1702 current_state->subroutine = get_subroutine (subr->pc);
1704 current_state->check_no_uninitialized_objects (current_method->max_locals, this);
1705 push_jump_merge (subr->pc, current_state, true);
1708 current_state->subroutine = csub;
1712 // We're in the subroutine SUB, calling a subroutine at DEST. Make
1713 // sure this subroutine isn't already on the stack.
1714 void check_nonrecursive_call (int sub, int dest)
1719 verify_fail ("recursive subroutine call");
1720 for (subr_info *info = jsr_ptrs[sub]; info != NULL; info = info->next)
1721 check_nonrecursive_call (get_subroutine (info->pc), dest);
1724 void handle_jsr_insn (int offset)
1726 int npc = compute_jump (offset);
1729 current_state->check_no_uninitialized_objects (current_method->max_locals, this);
1730 check_nonrecursive_call (current_state->subroutine, npc);
1732 // Modify our state as appropriate for entry into a subroutine.
1733 push_type (return_address_type);
1734 push_jump_merge (npc, current_state);
1736 pop_type (return_address_type);
1738 // On entry to the subroutine, the subroutine number must be set
1739 // and the locals must be marked as cleared. We do this after
1740 // merging state so that we don't erroneously "notice" a variable
1741 // change merely on entry.
1742 states[npc]->enter_subroutine (npc, current_method->max_locals);
1744 // Indicate that we don't know the stack depth of the instruction
1745 // following the `jsr'. The idea here is that we need to merge
1746 // the local variable state across the jsr, but the subroutine
1747 // might change the stack depth, so we can't make any assumptions
1748 // about it. So we have yet another special case. We know that
1749 // at this point PC points to the instruction after the jsr. Note
1750 // that it is ok to have a `jsr' at the end of the bytecode,
1751 // provided that the called subroutine never returns. So, we have
1752 // a special case here and another one when we handle the ret.
1753 if (PC < current_method->code_length)
1755 current_state->stacktop = state::NO_STACK;
1756 push_jump_merge (PC, current_state, false, true);
1761 jclass construct_primitive_array_type (type_val prim)
1767 k = JvPrimClass (boolean);
1770 k = JvPrimClass (char);
1773 k = JvPrimClass (float);
1776 k = JvPrimClass (double);
1779 k = JvPrimClass (byte);
1782 k = JvPrimClass (short);
1785 k = JvPrimClass (int);
1788 k = JvPrimClass (long);
1791 // These aren't used here but we call them out to avoid
1794 case unsuitable_type:
1795 case return_address_type:
1796 case continuation_type:
1797 case unused_by_subroutine_type:
1798 case reference_type:
1800 case uninitialized_reference_type:
1802 verify_fail ("unknown type in construct_primitive_array_type");
1804 k = _Jv_GetArrayClass (k, NULL);
1808 // This pass computes the location of branch targets and also
1809 // instruction starts.
1810 void branch_prepass ()
1812 flags = (char *) _Jv_Malloc (current_method->code_length);
1813 jsr_ptrs = (subr_info **) _Jv_Malloc (sizeof (subr_info *)
1814 * current_method->code_length);
1816 for (int i = 0; i < current_method->code_length; ++i)
1822 bool last_was_jsr = false;
1825 while (PC < current_method->code_length)
1827 // Set `start_PC' early so that error checking can have the
1830 flags[PC] |= FLAG_INSN_START;
1832 // If the previous instruction was a jsr, then the next
1833 // instruction is a branch target -- the branch being the
1834 // corresponding `ret'.
1836 note_branch_target (PC);
1837 last_was_jsr = false;
1839 java_opcode opcode = (java_opcode) bytecode[PC++];
1843 case op_aconst_null:
1979 case op_monitorenter:
1980 case op_monitorexit:
1988 case op_arraylength:
2020 case op_invokespecial:
2021 case op_invokestatic:
2022 case op_invokevirtual:
2026 case op_multianewarray:
2032 last_was_jsr = true;
2051 note_branch_target (compute_jump (get_short ()), last_was_jsr);
2054 case op_tableswitch:
2057 note_branch_target (compute_jump (get_int ()));
2058 jint low = get_int ();
2059 jint hi = get_int ();
2061 verify_fail ("invalid tableswitch", start_PC);
2062 for (int i = low; i <= hi; ++i)
2063 note_branch_target (compute_jump (get_int ()));
2067 case op_lookupswitch:
2070 note_branch_target (compute_jump (get_int ()));
2071 int npairs = get_int ();
2073 verify_fail ("too few pairs in lookupswitch", start_PC);
2074 while (npairs-- > 0)
2077 note_branch_target (compute_jump (get_int ()));
2082 case op_invokeinterface:
2090 opcode = (java_opcode) get_byte ();
2092 if (opcode == op_iinc)
2098 last_was_jsr = true;
2101 note_branch_target (compute_jump (get_int ()), last_was_jsr);
2104 // These are unused here, but we call them out explicitly
2105 // so that -Wswitch-enum doesn't complain.
2111 case op_putstatic_1:
2112 case op_putstatic_2:
2113 case op_putstatic_4:
2114 case op_putstatic_8:
2115 case op_putstatic_a:
2117 case op_getfield_2s:
2118 case op_getfield_2u:
2122 case op_getstatic_1:
2123 case op_getstatic_2s:
2124 case op_getstatic_2u:
2125 case op_getstatic_4:
2126 case op_getstatic_8:
2127 case op_getstatic_a:
2129 verify_fail ("unrecognized instruction in branch_prepass",
2133 // See if any previous branch tried to branch to the middle of
2134 // this instruction.
2135 for (int pc = start_PC + 1; pc < PC; ++pc)
2137 if ((flags[pc] & FLAG_BRANCH_TARGET))
2138 verify_fail ("branch to middle of instruction", pc);
2142 // Verify exception handlers.
2143 for (int i = 0; i < current_method->exc_count; ++i)
2145 if (! (flags[exception[i].handler_pc.i] & FLAG_INSN_START))
2146 verify_fail ("exception handler not at instruction start",
2147 exception[i].handler_pc.i);
2148 if (! (flags[exception[i].start_pc.i] & FLAG_INSN_START))
2149 verify_fail ("exception start not at instruction start",
2150 exception[i].start_pc.i);
2151 if (exception[i].end_pc.i != current_method->code_length
2152 && ! (flags[exception[i].end_pc.i] & FLAG_INSN_START))
2153 verify_fail ("exception end not at instruction start",
2154 exception[i].end_pc.i);
2156 flags[exception[i].handler_pc.i] |= FLAG_BRANCH_TARGET;
2160 void check_pool_index (int index)
2162 if (index < 0 || index >= current_class->constants.size)
2163 verify_fail ("constant pool index out of range", start_PC);
2166 type check_class_constant (int index)
2168 check_pool_index (index);
2169 _Jv_Constants *pool = ¤t_class->constants;
2170 if (pool->tags[index] == JV_CONSTANT_ResolvedClass)
2171 return type (pool->data[index].clazz, this);
2172 else if (pool->tags[index] == JV_CONSTANT_Class)
2173 return type (pool->data[index].utf8, this);
2174 verify_fail ("expected class constant", start_PC);
2177 type check_constant (int index)
2179 check_pool_index (index);
2180 _Jv_Constants *pool = ¤t_class->constants;
2181 if (pool->tags[index] == JV_CONSTANT_ResolvedString
2182 || pool->tags[index] == JV_CONSTANT_String)
2183 return type (&java::lang::String::class$, this);
2184 else if (pool->tags[index] == JV_CONSTANT_Integer)
2185 return type (int_type);
2186 else if (pool->tags[index] == JV_CONSTANT_Float)
2187 return type (float_type);
2188 verify_fail ("String, int, or float constant expected", start_PC);
2191 type check_wide_constant (int index)
2193 check_pool_index (index);
2194 _Jv_Constants *pool = ¤t_class->constants;
2195 if (pool->tags[index] == JV_CONSTANT_Long)
2196 return type (long_type);
2197 else if (pool->tags[index] == JV_CONSTANT_Double)
2198 return type (double_type);
2199 verify_fail ("long or double constant expected", start_PC);
2202 // Helper for both field and method. These are laid out the same in
2203 // the constant pool.
2204 type handle_field_or_method (int index, int expected,
2205 _Jv_Utf8Const **name,
2206 _Jv_Utf8Const **fmtype)
2208 check_pool_index (index);
2209 _Jv_Constants *pool = ¤t_class->constants;
2210 if (pool->tags[index] != expected)
2211 verify_fail ("didn't see expected constant", start_PC);
2212 // Once we know we have a Fieldref or Methodref we assume that it
2213 // is correctly laid out in the constant pool. I think the code
2214 // in defineclass.cc guarantees this.
2215 _Jv_ushort class_index, name_and_type_index;
2216 _Jv_loadIndexes (&pool->data[index],
2218 name_and_type_index);
2219 _Jv_ushort name_index, desc_index;
2220 _Jv_loadIndexes (&pool->data[name_and_type_index],
2221 name_index, desc_index);
2223 *name = pool->data[name_index].utf8;
2224 *fmtype = pool->data[desc_index].utf8;
2226 return check_class_constant (class_index);
2229 // Return field's type, compute class' type if requested.
2230 type check_field_constant (int index, type *class_type = NULL)
2232 _Jv_Utf8Const *name, *field_type;
2233 type ct = handle_field_or_method (index,
2234 JV_CONSTANT_Fieldref,
2235 &name, &field_type);
2238 if (field_type->data[0] == '[' || field_type->data[0] == 'L')
2239 return type (field_type, this);
2240 return get_type_val_for_signature (field_type->data[0]);
2243 type check_method_constant (int index, bool is_interface,
2244 _Jv_Utf8Const **method_name,
2245 _Jv_Utf8Const **method_signature)
2247 return handle_field_or_method (index,
2249 ? JV_CONSTANT_InterfaceMethodref
2250 : JV_CONSTANT_Methodref),
2251 method_name, method_signature);
2254 type get_one_type (char *&p)
2272 _Jv_Utf8Const *name = make_utf8_const (start, p - start);
2273 return type (name, this);
2276 // Casting to jchar here is ok since we are looking at an ASCII
2278 type_val rt = get_type_val_for_signature (jchar (v));
2280 if (arraycount == 0)
2282 // Callers of this function eventually push their arguments on
2283 // the stack. So, promote them here.
2284 return type (rt).promote ();
2287 jclass k = construct_primitive_array_type (rt);
2288 while (--arraycount > 0)
2289 k = _Jv_GetArrayClass (k, NULL);
2290 return type (k, this);
2293 void compute_argument_types (_Jv_Utf8Const *signature,
2296 char *p = signature->data;
2302 types[i++] = get_one_type (p);
2305 type compute_return_type (_Jv_Utf8Const *signature)
2307 char *p = signature->data;
2311 return get_one_type (p);
2314 void check_return_type (type onstack)
2316 type rt = compute_return_type (current_method->self->signature);
2317 if (! rt.compatible (onstack, this))
2318 verify_fail ("incompatible return type");
2321 // Initialize the stack for the new method. Returns true if this
2322 // method is an instance initializer.
2323 bool initialize_stack ()
2326 bool is_init = _Jv_equalUtf8Consts (current_method->self->name,
2328 bool is_clinit = _Jv_equalUtf8Consts (current_method->self->name,
2331 using namespace java::lang::reflect;
2332 if (! Modifier::isStatic (current_method->self->accflags))
2334 type kurr (current_class, this);
2337 kurr.set_uninitialized (type::SELF, this);
2341 verify_fail ("<clinit> method must be static");
2342 set_variable (0, kurr);
2343 current_state->set_this_type (kurr);
2349 verify_fail ("<init> method must be non-static");
2352 // We have to handle wide arguments specially here.
2353 int arg_count = _Jv_count_arguments (current_method->self->signature);
2354 type arg_types[arg_count];
2355 compute_argument_types (current_method->self->signature, arg_types);
2356 for (int i = 0; i < arg_count; ++i)
2358 set_variable (var, arg_types[i]);
2360 if (arg_types[i].iswide ())
2367 void verify_instructions_0 ()
2369 current_state = new state (current_method->max_stack,
2370 current_method->max_locals);
2375 // True if we are verifying an instance initializer.
2376 bool this_is_init = initialize_stack ();
2378 states = (state **) _Jv_Malloc (sizeof (state *)
2379 * current_method->code_length);
2380 for (int i = 0; i < current_method->code_length; ++i)
2383 next_verify_pc = state::NO_NEXT;
2387 // If the PC was invalidated, get a new one from the work list.
2388 if (PC == state::NO_NEXT)
2391 if (PC == state::INVALID)
2392 verify_fail ("can't happen: saw state::INVALID");
2393 if (PC == state::NO_NEXT)
2395 debug_print ("== State pop from pending list\n");
2396 // Set up the current state.
2397 current_state->copy (states[PC], current_method->max_stack,
2398 current_method->max_locals);
2402 // Control can't fall off the end of the bytecode. We
2403 // only need to check this in the fall-through case,
2404 // because branch bounds are checked when they are
2406 if (PC >= current_method->code_length)
2407 verify_fail ("fell off end");
2409 // We only have to do this checking in the situation where
2410 // control flow falls through from the previous
2411 // instruction. Otherwise merging is done at the time we
2413 if (states[PC] != NULL)
2415 // We've already visited this instruction. So merge
2416 // the states together. If this yields no change then
2417 // we don't have to re-verify. However, if the new
2418 // state is an the result of an unmerged `ret', we
2419 // must continue through it.
2420 debug_print ("== Fall through merge\n");
2421 states[PC]->print ("Old", PC, current_method->max_stack,
2422 current_method->max_locals);
2423 current_state->print ("Cur", PC, current_method->max_stack,
2424 current_method->max_locals);
2425 if (! current_state->merge (states[PC], false,
2426 current_method->max_locals, this)
2427 && ! states[PC]->is_unmerged_ret_state (current_method->max_locals))
2429 debug_print ("== Fall through optimization\n");
2433 // Save a copy of it for later.
2434 states[PC]->copy (current_state, current_method->max_stack,
2435 current_method->max_locals);
2436 current_state->print ("New", PC, current_method->max_stack,
2437 current_method->max_locals);
2441 // We only have to keep saved state at branch targets. If
2442 // we're at a branch target and the state here hasn't been set
2443 // yet, we set it now.
2444 if (states[PC] == NULL && (flags[PC] & FLAG_BRANCH_TARGET))
2446 states[PC] = new state (current_state, current_method->max_stack,
2447 current_method->max_locals);
2450 // Set this before handling exceptions so that debug output is
2454 // Update states for all active exception handlers. Ordinarily
2455 // there are not many exception handlers. So we simply run
2456 // through them all.
2457 for (int i = 0; i < current_method->exc_count; ++i)
2459 if (PC >= exception[i].start_pc.i && PC < exception[i].end_pc.i)
2461 type handler (&java::lang::Throwable::class$, this);
2462 if (exception[i].handler_type.i != 0)
2463 handler = check_class_constant (exception[i].handler_type.i);
2464 push_exception_jump (handler, exception[i].handler_pc.i);
2468 current_state->print (" ", PC, current_method->max_stack,
2469 current_method->max_locals);
2470 java_opcode opcode = (java_opcode) bytecode[PC++];
2476 case op_aconst_null:
2477 push_type (null_type);
2487 push_type (int_type);
2492 push_type (long_type);
2498 push_type (float_type);
2503 push_type (double_type);
2508 push_type (int_type);
2513 push_type (int_type);
2517 push_type (check_constant (get_byte ()));
2520 push_type (check_constant (get_ushort ()));
2523 push_type (check_wide_constant (get_ushort ()));
2527 push_type (get_variable (get_byte (), int_type));
2530 push_type (get_variable (get_byte (), long_type));
2533 push_type (get_variable (get_byte (), float_type));
2536 push_type (get_variable (get_byte (), double_type));
2539 push_type (get_variable (get_byte (), reference_type));
2546 push_type (get_variable (opcode - op_iload_0, int_type));
2552 push_type (get_variable (opcode - op_lload_0, long_type));
2558 push_type (get_variable (opcode - op_fload_0, float_type));
2564 push_type (get_variable (opcode - op_dload_0, double_type));
2570 push_type (get_variable (opcode - op_aload_0, reference_type));
2573 pop_type (int_type);
2574 push_type (require_array_type (pop_init_ref (reference_type),
2578 pop_type (int_type);
2579 push_type (require_array_type (pop_init_ref (reference_type),
2583 pop_type (int_type);
2584 push_type (require_array_type (pop_init_ref (reference_type),
2588 pop_type (int_type);
2589 push_type (require_array_type (pop_init_ref (reference_type),
2593 pop_type (int_type);
2594 push_type (require_array_type (pop_init_ref (reference_type),
2598 pop_type (int_type);
2599 require_array_type (pop_init_ref (reference_type), byte_type);
2600 push_type (int_type);
2603 pop_type (int_type);
2604 require_array_type (pop_init_ref (reference_type), char_type);
2605 push_type (int_type);
2608 pop_type (int_type);
2609 require_array_type (pop_init_ref (reference_type), short_type);
2610 push_type (int_type);
2613 set_variable (get_byte (), pop_type (int_type));
2616 set_variable (get_byte (), pop_type (long_type));
2619 set_variable (get_byte (), pop_type (float_type));
2622 set_variable (get_byte (), pop_type (double_type));
2625 set_variable (get_byte (), pop_ref_or_return ());
2631 set_variable (opcode - op_istore_0, pop_type (int_type));
2637 set_variable (opcode - op_lstore_0, pop_type (long_type));
2643 set_variable (opcode - op_fstore_0, pop_type (float_type));
2649 set_variable (opcode - op_dstore_0, pop_type (double_type));
2655 set_variable (opcode - op_astore_0, pop_ref_or_return ());
2658 pop_type (int_type);
2659 pop_type (int_type);
2660 require_array_type (pop_init_ref (reference_type), int_type);
2663 pop_type (long_type);
2664 pop_type (int_type);
2665 require_array_type (pop_init_ref (reference_type), long_type);
2668 pop_type (float_type);
2669 pop_type (int_type);
2670 require_array_type (pop_init_ref (reference_type), float_type);
2673 pop_type (double_type);
2674 pop_type (int_type);
2675 require_array_type (pop_init_ref (reference_type), double_type);
2678 pop_type (reference_type);
2679 pop_type (int_type);
2680 require_array_type (pop_init_ref (reference_type), reference_type);
2683 pop_type (int_type);
2684 pop_type (int_type);
2685 require_array_type (pop_init_ref (reference_type), byte_type);
2688 pop_type (int_type);
2689 pop_type (int_type);
2690 require_array_type (pop_init_ref (reference_type), char_type);
2693 pop_type (int_type);
2694 pop_type (int_type);
2695 require_array_type (pop_init_ref (reference_type), short_type);
2702 type t = pop_raw ();
2726 type t2 = pop_raw ();
2741 type t = pop_raw ();
2756 type t1 = pop_raw ();
2773 type t1 = pop_raw ();
2776 type t2 = pop_raw ();
2794 type t3 = pop_raw ();
2832 pop_type (int_type);
2833 push_type (pop_type (int_type));
2843 pop_type (long_type);
2844 push_type (pop_type (long_type));
2849 pop_type (int_type);
2850 push_type (pop_type (long_type));
2857 pop_type (float_type);
2858 push_type (pop_type (float_type));
2865 pop_type (double_type);
2866 push_type (pop_type (double_type));
2872 push_type (pop_type (int_type));
2875 push_type (pop_type (long_type));
2878 push_type (pop_type (float_type));
2881 push_type (pop_type (double_type));
2884 get_variable (get_byte (), int_type);
2888 pop_type (int_type);
2889 push_type (long_type);
2892 pop_type (int_type);
2893 push_type (float_type);
2896 pop_type (int_type);
2897 push_type (double_type);
2900 pop_type (long_type);
2901 push_type (int_type);
2904 pop_type (long_type);
2905 push_type (float_type);
2908 pop_type (long_type);
2909 push_type (double_type);
2912 pop_type (float_type);
2913 push_type (int_type);
2916 pop_type (float_type);
2917 push_type (long_type);
2920 pop_type (float_type);
2921 push_type (double_type);
2924 pop_type (double_type);
2925 push_type (int_type);
2928 pop_type (double_type);
2929 push_type (long_type);
2932 pop_type (double_type);
2933 push_type (float_type);
2936 pop_type (long_type);
2937 pop_type (long_type);
2938 push_type (int_type);
2942 pop_type (float_type);
2943 pop_type (float_type);
2944 push_type (int_type);
2948 pop_type (double_type);
2949 pop_type (double_type);
2950 push_type (int_type);
2958 pop_type (int_type);
2959 push_jump (get_short ());
2967 pop_type (int_type);
2968 pop_type (int_type);
2969 push_jump (get_short ());
2973 pop_type (reference_type);
2974 pop_type (reference_type);
2975 push_jump (get_short ());
2978 push_jump (get_short ());
2982 handle_jsr_insn (get_short ());
2985 handle_ret_insn (get_byte ());
2987 case op_tableswitch:
2989 pop_type (int_type);
2991 push_jump (get_int ());
2992 jint low = get_int ();
2993 jint high = get_int ();
2994 // Already checked LOW -vs- HIGH.
2995 for (int i = low; i <= high; ++i)
2996 push_jump (get_int ());
3001 case op_lookupswitch:
3003 pop_type (int_type);
3005 push_jump (get_int ());
3006 jint npairs = get_int ();
3007 // Already checked NPAIRS >= 0.
3009 for (int i = 0; i < npairs; ++i)
3011 jint key = get_int ();
3012 if (i > 0 && key <= lastkey)
3013 verify_fail ("lookupswitch pairs unsorted", start_PC);
3015 push_jump (get_int ());
3021 check_return_type (pop_type (int_type));
3025 check_return_type (pop_type (long_type));
3029 check_return_type (pop_type (float_type));
3033 check_return_type (pop_type (double_type));
3037 check_return_type (pop_init_ref (reference_type));
3041 // We only need to check this when the return type is
3042 // void, because all instance initializers return void.
3044 current_state->check_this_initialized (this);
3045 check_return_type (void_type);
3049 push_type (check_field_constant (get_ushort ()));
3052 pop_type (check_field_constant (get_ushort ()));
3057 type field = check_field_constant (get_ushort (), &klass);
3065 type field = check_field_constant (get_ushort (), &klass);
3068 // We have an obscure special case here: we can use
3069 // `putfield' on a field declared in this class, even if
3070 // `this' has not yet been initialized.
3071 if (! current_state->this_type.isinitialized ()
3072 && current_state->this_type.pc == type::SELF)
3073 klass.set_uninitialized (type::SELF, this);
3078 case op_invokevirtual:
3079 case op_invokespecial:
3080 case op_invokestatic:
3081 case op_invokeinterface:
3083 _Jv_Utf8Const *method_name, *method_signature;
3085 = check_method_constant (get_ushort (),
3086 opcode == op_invokeinterface,
3089 // NARGS is only used when we're processing
3090 // invokeinterface. It is simplest for us to compute it
3091 // here and then verify it later.
3093 if (opcode == op_invokeinterface)
3095 nargs = get_byte ();
3096 if (get_byte () != 0)
3097 verify_fail ("invokeinterface dummy byte is wrong");
3100 bool is_init = false;
3101 if (_Jv_equalUtf8Consts (method_name, gcj::init_name))
3104 if (opcode != op_invokespecial)
3105 verify_fail ("can't invoke <init>");
3107 else if (method_name->data[0] == '<')
3108 verify_fail ("can't invoke method starting with `<'");
3110 // Pop arguments and check types.
3111 int arg_count = _Jv_count_arguments (method_signature);
3112 type arg_types[arg_count];
3113 compute_argument_types (method_signature, arg_types);
3114 for (int i = arg_count - 1; i >= 0; --i)
3116 // This is only used for verifying the byte for
3118 nargs -= arg_types[i].depth ();
3119 pop_init_ref (arg_types[i]);
3122 if (opcode == op_invokeinterface
3124 verify_fail ("wrong argument count for invokeinterface");
3126 if (opcode != op_invokestatic)
3128 type t = class_type;
3131 // In this case the PC doesn't matter.
3132 t.set_uninitialized (type::UNINIT, this);
3133 // FIXME: check to make sure that the <init>
3134 // call is to the right class.
3135 // It must either be super or an exact class
3138 type raw = pop_raw ();
3139 if (! t.compatible (raw, this))
3140 verify_fail ("incompatible type on stack");
3143 current_state->set_initialized (raw.get_pc (),
3144 current_method->max_locals);
3147 type rt = compute_return_type (method_signature);
3155 type t = check_class_constant (get_ushort ());
3156 if (t.isarray () || t.isinterface (this) || t.isabstract (this))
3157 verify_fail ("type is array, interface, or abstract");
3158 t.set_uninitialized (start_PC, this);
3165 int atype = get_byte ();
3166 // We intentionally have chosen constants to make this
3168 if (atype < boolean_type || atype > long_type)
3169 verify_fail ("type not primitive", start_PC);
3170 pop_type (int_type);
3171 type t (construct_primitive_array_type (type_val (atype)), this);
3176 pop_type (int_type);
3177 push_type (check_class_constant (get_ushort ()).to_array (this));
3179 case op_arraylength:
3181 type t = pop_init_ref (reference_type);
3182 if (! t.isarray () && ! t.isnull ())
3183 verify_fail ("array type expected");
3184 push_type (int_type);
3188 pop_type (type (&java::lang::Throwable::class$, this));
3192 pop_init_ref (reference_type);
3193 push_type (check_class_constant (get_ushort ()));
3196 pop_init_ref (reference_type);
3197 check_class_constant (get_ushort ());
3198 push_type (int_type);
3200 case op_monitorenter:
3201 pop_init_ref (reference_type);
3203 case op_monitorexit:
3204 pop_init_ref (reference_type);
3208 switch (get_byte ())
3211 push_type (get_variable (get_ushort (), int_type));
3214 push_type (get_variable (get_ushort (), long_type));
3217 push_type (get_variable (get_ushort (), float_type));
3220 push_type (get_variable (get_ushort (), double_type));
3223 push_type (get_variable (get_ushort (), reference_type));
3226 set_variable (get_ushort (), pop_type (int_type));
3229 set_variable (get_ushort (), pop_type (long_type));
3232 set_variable (get_ushort (), pop_type (float_type));
3235 set_variable (get_ushort (), pop_type (double_type));
3238 set_variable (get_ushort (), pop_init_ref (reference_type));
3241 handle_ret_insn (get_short ());
3244 get_variable (get_ushort (), int_type);
3248 verify_fail ("unrecognized wide instruction", start_PC);
3252 case op_multianewarray:
3254 type atype = check_class_constant (get_ushort ());
3255 int dim = get_byte ();
3257 verify_fail ("too few dimensions to multianewarray", start_PC);
3258 atype.verify_dimensions (dim, this);
3259 for (int i = 0; i < dim; ++i)
3260 pop_type (int_type);
3266 pop_type (reference_type);
3267 push_jump (get_short ());
3270 push_jump (get_int ());
3274 handle_jsr_insn (get_int ());
3277 // These are unused here, but we call them out explicitly
3278 // so that -Wswitch-enum doesn't complain.
3284 case op_putstatic_1:
3285 case op_putstatic_2:
3286 case op_putstatic_4:
3287 case op_putstatic_8:
3288 case op_putstatic_a:
3290 case op_getfield_2s:
3291 case op_getfield_2u:
3295 case op_getstatic_1:
3296 case op_getstatic_2s:
3297 case op_getstatic_2u:
3298 case op_getstatic_4:
3299 case op_getstatic_8:
3300 case op_getstatic_a:
3302 // Unrecognized opcode.
3303 verify_fail ("unrecognized instruction in verify_instructions_0",
3311 void verify_instructions ()
3314 verify_instructions_0 ();
3317 _Jv_BytecodeVerifier (_Jv_InterpMethod *m)
3319 // We just print the text as utf-8. This is just for debugging
3321 debug_print ("--------------------------------\n");
3322 debug_print ("-- Verifying method `%s'\n", m->self->name->data);
3325 bytecode = m->bytecode ();
3326 exception = m->exceptions ();
3327 current_class = m->defining_class;
3334 entry_points = NULL;
3337 ~_Jv_BytecodeVerifier ()
3346 for (int i = 0; i < current_method->code_length; ++i)
3348 if (jsr_ptrs[i] != NULL)
3350 subr_info *info = jsr_ptrs[i];
3351 while (info != NULL)
3353 subr_info *next = info->next;
3359 _Jv_Free (jsr_ptrs);
3362 while (utf8_list != NULL)
3364 linked_utf8 *n = utf8_list->next;
3365 _Jv_Free (utf8_list->val);
3366 _Jv_Free (utf8_list);
3370 while (entry_points != NULL)
3372 subr_entry_info *next = entry_points->next;
3373 _Jv_Free (entry_points);
3374 entry_points = next;
3377 while (isect_list != NULL)
3379 ref_intersection *next = isect_list->alloc_next;
3387 _Jv_VerifyMethod (_Jv_InterpMethod *meth)
3389 _Jv_BytecodeVerifier v (meth);
3390 v.verify_instructions ();
3392 #endif /* INTERPRETER */