1 /* Copyright (C) 2001-2014 Free Software Foundation, Inc.
3 This file is part of libgcj.
5 This software is copyrighted work licensed under the terms of the
6 Libgcj License. Please consult the file "LIBGCJ_LICENSE" for
9 /* Written by Tom Tromey <tromey@redhat.com> */
11 /* Uncomment this to enable debugging output. */
12 /* #define VERIFY_DEBUG */
16 #include "coretypes.h"
20 /* Hack to work around namespace pollution from java-tree.h. */
23 /* This is used to mark states which are not scheduled for
25 #define INVALID_STATE ((state *) -1)
27 static void ATTRIBUTE_PRINTF_1
28 debug_print (const char *fmt ATTRIBUTE_UNUSED
, ...)
33 vfprintf (stderr
, fmt
, ap
);
35 #endif /* VERIFY_DEBUG */
38 /* This started as a fairly ordinary verifier, and for the most part
39 it remains so. It works in the obvious way, by modeling the effect
40 of each opcode as it is encountered. For most opcodes, this is a
41 straightforward operation.
43 This verifier does not do type merging. It used to, but this
44 results in difficulty verifying some relatively simple code
45 involving interfaces, and it pushed some verification work into the
48 Instead of merging reference types, when we reach a point where two
49 flows of control merge, we simply keep the union of reference types
50 from each branch. Then, when we need to verify a fact about a
51 reference on the stack (e.g., that it is compatible with the
52 argument type of a method), we check to ensure that all possible
53 types satisfy the requirement.
55 Another area this verifier differs from the norm is in its handling
56 of subroutines. The JVM specification has some confusing things to
57 say about subroutines. For instance, it makes claims about not
58 allowing subroutines to merge and it rejects recursive subroutines.
59 For the most part these are red herrings; we used to try to follow
60 these things but they lead to problems. For example, the notion of
61 "being in a subroutine" is not well-defined: is an exception
62 handler in a subroutine? If you never execute the `ret' but
63 instead `goto 1' do you remain in the subroutine?
65 For clarity on what is really required for type safety, read
66 "Simple Verification Technique for Complex Java Bytecode
67 Subroutines" by Alessandro Coglio. Among other things this paper
68 shows that recursive subroutines are not harmful to type safety.
69 We implement something similar to what he proposes. Note that this
70 means that this verifier will accept code that is rejected by some
73 For those not wanting to read the paper, the basic observation is
74 that we can maintain split states in subroutines. We maintain one
75 state for each calling `jsr'. In other words, we re-verify a
76 subroutine once for each caller, using the exact types held by the
77 callers (as opposed to the old approach of merging types and
78 keeping a bitmap registering what did or did not change). This
79 approach lets us continue to verify correctly even when a
80 subroutine is exited via `goto' or `athrow' and not `ret'.
82 In some other areas the JVM specification is (mildly) incorrect,
83 so we diverge. For instance, you cannot
84 violate type safety by allocating an object with `new' and then
85 failing to initialize it, no matter how one branches or where one
86 stores the uninitialized reference. See "Improving the official
87 specification of Java bytecode verification" by Alessandro Coglio.
89 Note that there's no real point in enforcing that padding bytes or
90 the mystery byte of invokeinterface must be 0, but we do that
93 The verifier is currently neither completely lazy nor eager when it
94 comes to loading classes. It tries to represent types by name when
95 possible, and then loads them when it needs to verify a fact about
96 the type. Checking types by name is valid because we only use
97 names which come from the current class' constant pool. Since all
98 such names are looked up using the same class loader, there is no
99 danger that we might be fooled into comparing different types with
102 In the future we plan to allow for a completely lazy mode of
103 operation, where the verifier will construct a list of type
104 assertions to be checked later.
106 Some test cases for the verifier live in the "verify" module of the
107 Mauve test suite. However, some of these are presently
108 (2004-01-20) believed to be incorrect. (More precisely the notion
109 of "correct" is not well-defined, and this verifier differs from
110 others while remaining type-safe.) Some other tests live in the
113 This verifier is also written to be pluggable. This means that it
114 is intended for use in a variety of environments, not just libgcj.
115 As a result the verifier expects a number of type and method
116 declarations to be declared in "verify.h". The intent is that you
117 recompile the verifier for your particular environment. This
118 approach was chosen so that operations could be inlined in verify.h
121 See the verify.h that accompanies this copy of the verifier to see
122 what types, preprocessor defines, and functions must be declared.
123 The interface is ad hoc, but was defined so that it could be
124 implemented to connect to a pure C program.
127 #define FLAG_INSN_START 1
128 #define FLAG_BRANCH_TARGET 2
129 #define FLAG_INSN_SEEN 4
133 struct ref_intersection
;
135 typedef struct state state
;
136 typedef struct type type
;
137 typedef struct ref_intersection ref_intersection
;
139 /*typedef struct state_list state_list;*/
141 typedef struct state_list
144 struct state_list
*next
;
147 typedef struct vfy_string_list
150 struct vfy_string_list
*next
;
153 typedef struct verifier_context
155 /* The current PC. */
157 /* The PC corresponding to the start of the current instruction. */
160 /* The current state of the stack, locals, etc. */
161 state
*current_state
;
163 /* At each branch target we keep a linked list of all the states we
164 can process at that point. We'll only have multiple states at a
165 given PC if they both have different return-address types in the
166 same stack or local slot. This array is indexed by PC and holds
167 the list of all such states. */
170 /* We keep a linked list of all the states which we must reverify.
171 This is the head of the list. */
172 state
*next_verify_state
;
174 /* We keep some flags for each instruction. The values are the
175 FLAG_* constants defined above. This is an array indexed by PC. */
178 /* The bytecode itself. */
179 const unsigned char *bytecode
;
180 /* The exceptions. */
181 vfy_exception
*exception
;
183 /* Defining class. */
184 vfy_jclass current_class
;
186 vfy_method
*current_method
;
188 /* A linked list of utf8 objects we allocate. */
189 vfy_string_list
*utf8_list
;
191 /* A linked list of all ref_intersection objects we allocate. */
192 ref_intersection
*isect_list
;
195 /* The current verifier's state data. This is maintained by
196 {push/pop}_verifier_context to provide a shorthand form to access
197 the verification state. */
198 static GTY(()) verifier_context
*vfr
;
200 /* Local function declarations. */
201 bool type_initialized (type
*t
);
202 int ref_count_dimensions (ref_intersection
*ref
);
205 verify_fail_pc (const char *s
, int pc
)
207 vfy_fail (s
, pc
, vfr
->current_class
, vfr
->current_method
);
211 verify_fail (const char *s
)
213 verify_fail_pc (s
, vfr
->PC
);
216 /* This enum holds a list of tags for all the different types we
217 need to handle. Reference types are treated specially by the
219 typedef enum type_val
223 /* The values for primitive types are chosen to correspond to values
224 specified to newarray. */
234 /* Used when overwriting second word of a double or long in the
235 local variables. Also used after merging local variable states
236 to indicate an unusable value. */
239 /* This is the second word of a two-word value, i.e., a double or
243 /* Everything after `reference_type' must be a reference type. */
246 uninitialized_reference_type
249 /* This represents a merged class type. Some verifiers (including
250 earlier versions of this one) will compute the intersection of
251 two class types when merging states. However, this loses
252 critical information about interfaces implemented by the various
253 classes. So instead we keep track of all the actual classes that
255 struct ref_intersection
257 /* Whether or not this type has been resolved. */
260 /* Actual type data. */
263 /* For a resolved reference type, this is a pointer to the class. */
265 /* For other reference types, this it the name of the class. */
269 /* Link to the next reference in the intersection. */
270 ref_intersection
*ref_next
;
272 /* This is used to keep track of all the allocated
273 ref_intersection objects, so we can free them.
274 FIXME: we should allocate these in chunks. */
275 ref_intersection
*alloc_next
;
278 static ref_intersection
*
281 ref_intersection
*new_ref
=
282 (ref_intersection
*) vfy_alloc (sizeof (ref_intersection
));
284 new_ref
->alloc_next
= vfr
->isect_list
;
285 vfr
->isect_list
= new_ref
;
289 static ref_intersection
*
290 clone_ref (ref_intersection
*dup
)
292 ref_intersection
*new_ref
= make_ref ();
294 new_ref
->is_resolved
= dup
->is_resolved
;
295 new_ref
->data
= dup
->data
;
300 resolve_ref (ref_intersection
*ref
)
302 if (ref
->is_resolved
)
304 ref
->data
.klass
= vfy_find_class (vfr
->current_class
, ref
->data
.name
);
305 ref
->is_resolved
= true;
309 refs_equal (ref_intersection
*ref1
, ref_intersection
*ref2
)
311 if (! ref1
->is_resolved
&& ! ref2
->is_resolved
312 && vfy_strings_equal (ref1
->data
.name
, ref2
->data
.name
))
314 if (! ref1
->is_resolved
)
316 if (! ref2
->is_resolved
)
318 return ref1
->data
.klass
== ref2
->data
.klass
;
321 /* Merge REF1 type into REF2, returning the result. This will
322 return REF2 if all the classes in THIS already appear in
324 static ref_intersection
*
325 merge_refs (ref_intersection
*ref1
, ref_intersection
*ref2
)
327 ref_intersection
*tail
= ref2
;
328 for (; ref1
!= NULL
; ref1
= ref1
->ref_next
)
331 ref_intersection
*iter
;
332 for (iter
= ref2
; iter
!= NULL
; iter
= iter
->ref_next
)
334 if (refs_equal (ref1
, iter
))
343 ref_intersection
*new_tail
= clone_ref (ref1
);
344 new_tail
->ref_next
= tail
;
351 /* See if an object of type SOURCE can be assigned to an object of
352 type TARGET. This might resolve classes in one chain or the other. */
354 ref_compatible (ref_intersection
*target
, ref_intersection
*source
)
356 for (; target
!= NULL
; target
= target
->ref_next
)
358 ref_intersection
*source_iter
= source
;
360 for (; source_iter
!= NULL
; source_iter
= source_iter
->ref_next
)
362 /* Avoid resolving if possible. */
363 if (! target
->is_resolved
364 && ! source_iter
->is_resolved
365 && vfy_strings_equal (target
->data
.name
,
366 source_iter
->data
.name
))
369 if (! target
->is_resolved
)
370 resolve_ref (target
);
371 if (! source_iter
->is_resolved
)
372 resolve_ref (source_iter
);
374 if (! vfy_is_assignable_from (target
->data
.klass
,
375 source_iter
->data
.klass
))
384 ref_isarray (ref_intersection
*ref
)
386 /* assert (ref_next == NULL); */
387 if (ref
->is_resolved
)
388 return vfy_is_array (ref
->data
.klass
);
390 return vfy_string_bytes (ref
->data
.name
)[0] == '[';
394 ref_isinterface (ref_intersection
*ref
)
396 /* assert (ref_next == NULL); */
397 if (! ref
->is_resolved
)
399 return vfy_is_interface (ref
->data
.klass
);
403 ref_isabstract (ref_intersection
*ref
)
405 /* assert (ref_next == NULL); */
406 if (! ref
->is_resolved
)
408 return vfy_is_abstract (ref
->data
.klass
);
412 ref_getclass (ref_intersection
*ref
)
414 if (! ref
->is_resolved
)
416 return ref
->data
.klass
;
420 ref_count_dimensions (ref_intersection
*ref
)
423 if (ref
->is_resolved
)
425 vfy_jclass k
= ref
->data
.klass
;
426 while (vfy_is_array (k
))
428 k
= vfy_get_component_type (k
);
434 const char *p
= vfy_string_bytes (ref
->data
.name
);
441 /* Return the type_val corresponding to a primitive signature
442 character. For instance `I' returns `int.class'. */
444 get_type_val_for_signature (char sig
)
477 verify_fail ("invalid signature");
483 /* Return the type_val corresponding to a primitive class. */
485 get_type_val_for_primtype (vfy_jclass k
)
487 return get_type_val_for_signature (vfy_get_primitive_char (k
));
490 /* The `type' class is used to represent a single type in the verifier. */
496 /* For reference types, the representation of the type. */
497 ref_intersection
*klass
;
499 /* This is used in two situations.
501 First, when constructing a new object, it is the PC of the
502 `new' instruction which created the object. We use the special
503 value UNINIT to mean that this is uninitialized. The special
504 value SELF is used for the case where the current method is
505 itself the <init> method. the special value EITHER is used
506 when we may optionally allow either an uninitialized or
507 initialized reference to match.
509 Second, when the key is return_address_type, this holds the PC
510 of the instruction following the `jsr'. */
518 /* Make a new instance given the type tag. We assume a generic
519 `reference_type' means Object. */
521 init_type_from_tag (type
*t
, type_val k
)
524 /* For reference_type, if KLASS==NULL then that means we are
525 looking for a generic object of any kind, including an
526 uninitialized reference. */
531 /* Make a type for the given type_val tag K. */
533 make_type (type_val k
)
536 init_type_from_tag (&t
, k
);
540 /* Make a new instance given a class. */
542 init_type_from_class (type
*t
, vfy_jclass k
)
544 t
->key
= reference_type
;
545 t
->klass
= make_ref ();
546 t
->klass
->is_resolved
= true;
547 t
->klass
->data
.klass
= k
;
548 t
->klass
->ref_next
= NULL
;
553 make_type_from_class (vfy_jclass k
)
556 init_type_from_class (&t
, k
);
561 init_type_from_string (type
*t
, vfy_string n
)
563 t
->key
= reference_type
;
564 t
->klass
= make_ref ();
565 t
->klass
->is_resolved
= false;
566 t
->klass
->data
.name
= n
;
567 t
->klass
->ref_next
= NULL
;
572 make_type_from_string (vfy_string n
)
575 init_type_from_string (&t
, n
);
579 /* Promote a numeric type. */
581 vfy_promote_type (type
*t
)
583 if (t
->key
== boolean_type
|| t
->key
== char_type
584 || t
->key
== byte_type
|| t
->key
== short_type
)
587 #define promote_type vfy_promote_type
589 /* Mark this type as the uninitialized result of `new'. */
591 type_set_uninitialized (type
*t
, int npc
)
593 if (t
->key
== reference_type
)
594 t
->key
= uninitialized_reference_type
;
596 verify_fail ("internal error in type::uninitialized");
600 /* Mark this type as now initialized. */
602 type_set_initialized (type
*t
, int npc
)
604 if (npc
!= UNINIT
&& t
->pc
== npc
&& t
->key
== uninitialized_reference_type
)
606 t
->key
= reference_type
;
611 /* Mark this type as a particular return address. */
612 static void type_set_return_address (type
*t
, int npc
)
617 /* Return true if this type and type OTHER are considered
618 mergeable for the purposes of state merging. This is related
619 to subroutine handling. For this purpose two types are
620 considered unmergeable if they are both return-addresses but
621 have different PCs. */
623 type_state_mergeable_p (type
*t1
, type
*t2
)
625 return (t1
->key
!= return_address_type
626 || t2
->key
!= return_address_type
627 || t1
->pc
== t2
->pc
);
630 /* Return true if an object of type K can be assigned to a variable
631 of type T. Handle various special cases too. Might modify
632 T or K. Note however that this does not perform numeric
635 types_compatible (type
*t
, type
*k
)
637 /* Any type is compatible with the unsuitable type. */
638 if (k
->key
== unsuitable_type
)
641 if (t
->key
< reference_type
|| k
->key
< reference_type
)
642 return t
->key
== k
->key
;
644 /* The `null' type is convertible to any initialized reference
646 if (t
->key
== null_type
)
647 return k
->key
!= uninitialized_reference_type
;
648 if (k
->key
== null_type
)
649 return t
->key
!= uninitialized_reference_type
;
651 /* A special case for a generic reference. */
652 if (t
->klass
== NULL
)
654 if (k
->klass
== NULL
)
655 verify_fail ("programmer error in type::compatible");
657 /* Handle the special 'EITHER' case, which is only used in a
658 special case of 'putfield'. Note that we only need to handle
659 this on the LHS of a check. */
660 if (! type_initialized (t
) && t
->pc
== EITHER
)
662 /* If the RHS is uninitialized, it must be an uninitialized
664 if (! type_initialized (k
) && k
->pc
!= SELF
)
667 else if (type_initialized (t
) != type_initialized (k
))
669 /* An initialized type and an uninitialized type are not
670 otherwise compatible. */
675 /* Two uninitialized objects are compatible if either:
676 * The PCs are identical, or
677 * One PC is UNINIT. */
678 if (type_initialized (t
))
680 if (t
->pc
!= k
->pc
&& t
->pc
!= UNINIT
&& k
->pc
!= UNINIT
)
685 return ref_compatible (t
->klass
, k
->klass
);
688 /* Return true if two types are equal. Only valid for reference
691 types_equal (type
*t1
, type
*t2
)
693 if ((t1
->key
!= reference_type
&& t1
->key
!= uninitialized_reference_type
)
694 || (t2
->key
!= reference_type
695 && t2
->key
!= uninitialized_reference_type
))
697 /* Only single-ref types are allowed. */
698 if (t1
->klass
->ref_next
|| t2
->klass
->ref_next
)
700 return refs_equal (t1
->klass
, t2
->klass
);
704 type_isvoid (type
*t
)
706 return t
->key
== void_type
;
710 type_iswide (type
*t
)
712 return t
->key
== long_type
|| t
->key
== double_type
;
715 /* Return number of stack or local variable slots taken by this type. */
719 return type_iswide (t
) ? 2 : 1;
723 type_isarray (type
*t
)
725 /* We treat null_type as not an array. This is ok based on the
726 current uses of this method. */
727 if (t
->key
== reference_type
)
728 return ref_isarray (t
->klass
);
733 type_isnull (type
*t
)
735 return t
->key
== null_type
;
739 type_isinterface (type
*t
)
741 if (t
->key
!= reference_type
)
743 return ref_isinterface (t
->klass
);
747 type_isabstract (type
*t
)
749 if (t
->key
!= reference_type
)
751 return ref_isabstract (t
->klass
);
754 /* Return the element type of an array. */
756 type_array_element (type
*t
)
761 if (t
->key
!= reference_type
)
762 verify_fail ("programmer error in type::element_type()");
764 k
= vfy_get_component_type (ref_getclass (t
->klass
));
765 if (vfy_is_primitive (k
))
766 init_type_from_tag (&et
, get_type_val_for_primtype (k
));
768 init_type_from_class (&et
, k
);
772 /* Return the array type corresponding to an initialized
773 reference. We could expand this to work for other kinds of
774 types, but currently we don't need to. */
776 type_to_array (type
*t
)
781 if (t
->key
!= reference_type
)
782 verify_fail ("internal error in type::to_array()");
784 k
= ref_getclass (t
->klass
);
785 init_type_from_class (&at
, vfy_get_array_class (k
));
790 type_isreference (type
*t
)
792 return t
->key
>= reference_type
;
796 type_get_pc (type
*t
)
802 type_initialized (type
*t
)
804 return t
->key
== reference_type
|| t
->key
== null_type
;
808 type_verify_dimensions (type
*t
, int ndims
)
810 /* The way this is written, we don't need to check isarray(). */
811 if (t
->key
!= reference_type
)
812 verify_fail ("internal error in verify_dimensions:"
813 " not a reference type");
815 if (ref_count_dimensions (t
->klass
) < ndims
)
816 verify_fail ("array type has fewer dimensions"
820 /* Merge OLD_TYPE into this. On error throw exception. Return
821 true if the merge caused a type change. */
823 merge_types (type
*t
, type
*old_type
, bool local_semantics
)
825 bool changed
= false;
826 bool refo
= type_isreference (old_type
);
827 bool refn
= type_isreference (t
);
830 if (old_type
->key
== null_type
)
832 else if (t
->key
== null_type
)
837 else if (type_initialized (t
) != type_initialized (old_type
))
838 verify_fail ("merging initialized and uninitialized types");
841 ref_intersection
*merged
;
842 if (! type_initialized (t
))
845 t
->pc
= old_type
->pc
;
846 else if (old_type
->pc
== UNINIT
)
848 else if (t
->pc
!= old_type
->pc
)
849 verify_fail ("merging different uninitialized types");
852 merged
= merge_refs (old_type
->klass
, t
->klass
);
853 if (merged
!= t
->klass
)
860 else if (refo
|| refn
|| t
->key
!= old_type
->key
)
864 /* If we already have an `unsuitable' type, then we
865 don't need to change again. */
866 if (t
->key
!= unsuitable_type
)
868 t
->key
= unsuitable_type
;
873 verify_fail ("unmergeable type");
885 case boolean_type
: c
= 'Z'; break;
886 case byte_type
: c
= 'B'; break;
887 case char_type
: c
= 'C'; break;
888 case short_type
: c
= 'S'; break;
889 case int_type
: c
= 'I'; break;
890 case long_type
: c
= 'J'; break;
891 case float_type
: c
= 'F'; break;
892 case double_type
: c
= 'D'; break;
893 case void_type
: c
= 'V'; break;
894 case unsuitable_type
: c
= '-'; break;
895 case return_address_type
: c
= 'r'; break;
896 case continuation_type
: c
= '+'; break;
897 case reference_type
: c
= 'L'; break;
898 case null_type
: c
= '@'; break;
899 case uninitialized_reference_type
: c
= 'U'; break;
901 debug_print ("%c", c
);
903 #endif /* VERIFY_DEBUG */
905 /* This class holds all the state information we need for a given
909 /* The current top of the stack, in terms of slots. */
911 /* The current depth of the stack. This will be larger than
912 STACKTOP when wide types are on the stack. */
916 /* The local variables. */
918 /* We keep track of the type of `this' specially. This is used to
919 ensure that an instance initializer invokes another initializer
920 on `this' before returning. We must keep track of this
921 specially because otherwise we might be confused by code which
922 assigns to locals[0] (overwriting `this') and then returns
923 without really initializing. */
926 /* The PC for this state. This is only valid on states which are
927 permanently attached to a given PC. For an object like
928 `current_state', which is used transiently, this has no
931 /* We keep a linked list of all states requiring reverification.
932 If this is the special value INVALID_STATE then this state is
933 not on the list. NULL marks the end of the linked list. */
937 /* NO_NEXT is the PC value meaning that a new state must be
938 acquired from the verification list. */
942 init_state_with_stack (state
*s
, int max_stack
, int max_locals
)
947 s
->stack
= (type
*) vfy_alloc (max_stack
* sizeof (type
));
948 for (i
= 0; i
< max_stack
; ++i
)
949 init_type_from_tag (&s
->stack
[i
], unsuitable_type
);
950 s
->locals
= (type
*) vfy_alloc (max_locals
* sizeof (type
));
951 for (i
= 0; i
< max_locals
; ++i
)
952 init_type_from_tag (&s
->locals
[i
], unsuitable_type
);
953 init_type_from_tag (&s
->this_type
, unsuitable_type
);
955 s
->next
= INVALID_STATE
;
959 copy_state (state
*s
, state
*copy
, int max_stack
, int max_locals
)
962 s
->stacktop
= copy
->stacktop
;
963 s
->stackdepth
= copy
->stackdepth
;
964 for (i
= 0; i
< max_stack
; ++i
)
965 s
->stack
[i
] = copy
->stack
[i
];
966 for (i
= 0; i
< max_locals
; ++i
)
967 s
->locals
[i
] = copy
->locals
[i
];
969 s
->this_type
= copy
->this_type
;
970 /* Don't modify `next' or `pc'. */
974 copy_state_with_stack (state
*s
, state
*orig
, int max_stack
, int max_locals
)
976 init_state_with_stack (s
, max_stack
, max_locals
);
977 copy_state (s
, orig
, max_stack
, max_locals
);
980 /* Allocate a new state, copying ORIG. */
982 make_state_copy (state
*orig
, int max_stack
, int max_locals
)
984 state
*s
= (state
*) vfy_alloc (sizeof (state
));
985 copy_state_with_stack (s
, orig
, max_stack
, max_locals
);
990 make_state (int max_stack
, int max_locals
)
992 state
*s
= (state
*) vfy_alloc (sizeof (state
));
993 init_state_with_stack (s
, max_stack
, max_locals
);
998 free_state (state
*s
)
1000 if (s
->stack
!= NULL
)
1001 vfy_free (s
->stack
);
1002 if (s
->locals
!= NULL
)
1003 vfy_free (s
->locals
);
1006 /* Modify this state to reflect entry to an exception handler. */
1008 state_set_exception (state
*s
, type
*t
, int max_stack
)
1014 for (i
= s
->stacktop
; i
< max_stack
; ++i
)
1015 init_type_from_tag (&s
->stack
[i
], unsuitable_type
);
1018 /* Merge STATE_OLD into this state. Destructively modifies this
1019 state. Returns true if the new state was in fact changed.
1020 Will throw an exception if the states are not mergeable. */
1022 merge_states (state
*s
, state
*state_old
, int max_locals
)
1025 bool changed
= false;
1027 /* Special handling for `this'. If one or the other is
1028 uninitialized, then the merge is uninitialized. */
1029 if (type_initialized (&s
->this_type
))
1030 s
->this_type
= state_old
->this_type
;
1033 if (state_old
->stacktop
!= s
->stacktop
) /* FIXME stackdepth instead? */
1034 verify_fail ("stack sizes differ");
1035 for (i
= 0; i
< state_old
->stacktop
; ++i
)
1037 if (merge_types (&s
->stack
[i
], &state_old
->stack
[i
], false))
1041 /* Merge local variables. */
1042 for (i
= 0; i
< max_locals
; ++i
)
1044 if (merge_types (&s
->locals
[i
], &state_old
->locals
[i
], true))
1051 /* Ensure that `this' has been initialized. */
1053 state_check_this_initialized (state
*s
)
1055 if (type_isreference (&s
->this_type
) && ! type_initialized (&s
->this_type
))
1056 verify_fail ("`this' is uninitialized");
1059 /* Set type of `this'. */
1061 state_set_this_type (state
*s
, type
*k
)
1066 /* Mark each `new'd object we know of that was allocated at PC as
1069 state_set_initialized (state
*s
, int pc
, int max_locals
)
1072 for (i
= 0; i
< s
->stacktop
; ++i
)
1073 type_set_initialized (&s
->stack
[i
], pc
);
1074 for (i
= 0; i
< max_locals
; ++i
)
1075 type_set_initialized (&s
->locals
[i
], pc
);
1076 type_set_initialized (&s
->this_type
, pc
);
1079 /* This tests to see whether two states can be considered "merge
1080 compatible". If both states have a return-address in the same
1081 slot, and the return addresses are different, then they are not
1082 compatible and we must not try to merge them. */
1084 state_mergeable_p (state
*s
, state
*other
, int max_locals
)
1089 /* This is tricky: if the stack sizes differ, then not only are
1090 these not mergeable, but in fact we should give an error, as
1091 we've found two execution paths that reach a branch target
1092 with different stack depths. FIXME stackdepth instead? */
1093 if (s
->stacktop
!= other
->stacktop
)
1094 verify_fail ("stack sizes differ");
1096 for (i
= 0; i
< s
->stacktop
; ++i
)
1097 if (! type_state_mergeable_p (&s
->stack
[i
], &other
->stack
[i
]))
1099 for (i
= 0; i
< max_locals
; ++i
)
1100 if (! type_state_mergeable_p (&s
->locals
[i
], &other
->locals
[i
]))
1106 state_reverify (state
*s
)
1108 if (s
->next
== INVALID_STATE
)
1110 s
->next
= vfr
->next_verify_state
;
1111 vfr
->next_verify_state
= s
;
1117 debug_print_state (state
*s
, const char *leader
, int pc
, int max_stack
,
1121 debug_print ("%s [%4d]: [stack] ", leader
, pc
);
1122 for (i
= 0; i
< s
->stacktop
; ++i
)
1123 type_print (&s
->stack
[i
]);
1124 for (; i
< max_stack
; ++i
)
1126 debug_print (" [local] ");
1127 for (i
= 0; i
< max_locals
; ++i
)
1128 type_print (&s
->locals
[i
]);
1129 debug_print (" | %p\n", s
);
1133 debug_print_state (state
*s ATTRIBUTE_UNUSED
,
1134 const char *leader ATTRIBUTE_UNUSED
,
1135 int pc ATTRIBUTE_UNUSED
, int max_stack ATTRIBUTE_UNUSED
,
1136 int max_locals ATTRIBUTE_UNUSED
)
1139 #endif /* VERIFY_DEBUG */
1145 state
*s
= vfr
->current_state
;
1146 if (s
->stacktop
<= 0)
1147 verify_fail ("stack empty");
1148 r
= s
->stack
[--s
->stacktop
];
1149 s
->stackdepth
-= type_depth (&r
);
1150 if (s
->stackdepth
< 0)
1151 verify_fail_pc ("stack empty", vfr
->start_PC
);
1158 type r
= pop_raw ();
1159 if (type_iswide (&r
))
1160 verify_fail ("narrow pop of wide type");
1165 vfy_pop_type_t (type match
)
1168 vfy_promote_type (&match
);
1170 if (! types_compatible (&match
, &t
))
1171 verify_fail ("incompatible type on stack");
1176 vfy_pop_type (type_val match
)
1178 type t
= make_type (match
);
1179 return vfy_pop_type_t (t
);
1182 #define pop_type vfy_pop_type
1183 #define pop_type_t vfy_pop_type_t
1185 /* Pop a reference which is guaranteed to be initialized. MATCH
1186 doesn't have to be a reference type; in this case this acts like
1189 pop_init_ref_t (type match
)
1191 type t
= pop_raw ();
1192 if (type_isreference (&t
) && ! type_initialized (&t
))
1193 verify_fail ("initialized reference required");
1194 else if (! types_compatible (&match
, &t
))
1195 verify_fail ("incompatible type on stack");
1200 pop_init_ref (type_val match
)
1202 type t
= make_type (match
);
1203 return pop_init_ref_t (t
);
1206 /* Pop a reference type or a return address. */
1208 pop_ref_or_return (void)
1210 type t
= pop_raw ();
1211 if (! type_isreference (&t
) && t
.key
!= return_address_type
)
1212 verify_fail ("expected reference or return address on stack");
1217 vfy_push_type_t (type t
)
1220 state
*s
= vfr
->current_state
;
1221 /* If T is a numeric type like short, promote it to int. */
1224 depth
= type_depth (&t
);
1226 if (s
->stackdepth
+ depth
> vfr
->current_method
->max_stack
)
1227 verify_fail ("stack overflow");
1228 s
->stack
[s
->stacktop
++] = t
;
1229 s
->stackdepth
+= depth
;
1233 vfy_push_type (type_val tval
)
1235 type t
= make_type (tval
);
1236 vfy_push_type_t (t
);
1239 #define push_type vfy_push_type
1240 #define push_type_t vfy_push_type_t
1243 set_variable (int index
, type t
)
1246 state
*s
= vfr
->current_state
;
1247 /* If T is a numeric type like short, promote it to int. */
1250 depth
= type_depth (&t
);
1251 if (index
> vfr
->current_method
->max_locals
- depth
)
1252 verify_fail ("invalid local variable");
1253 s
->locals
[index
] = t
;
1256 init_type_from_tag (&s
->locals
[index
+ 1], continuation_type
);
1257 if (index
> 0 && type_iswide (&s
->locals
[index
- 1]))
1258 init_type_from_tag (&s
->locals
[index
- 1], unsuitable_type
);
1262 get_variable_t (int index
, type
*t
)
1264 state
*s
= vfr
->current_state
;
1265 int depth
= type_depth (t
);
1266 if (index
> vfr
->current_method
->max_locals
- depth
)
1267 verify_fail ("invalid local variable");
1268 if (! types_compatible (t
, &s
->locals
[index
]))
1269 verify_fail ("incompatible type in local variable");
1272 type cont
= make_type (continuation_type
);
1273 if (! types_compatible (&s
->locals
[index
+ 1], &cont
))
1274 verify_fail ("invalid local variable");
1276 return s
->locals
[index
];
1280 get_variable (int index
, type_val v
)
1282 type t
= make_type (v
);
1283 return get_variable_t (index
, &t
);
1286 /* Make sure ARRAY is an array type and that its elements are
1287 compatible with type ELEMENT. Returns the actual element type. */
1289 require_array_type_t (type array
, type element
)
1292 /* An odd case. Here we just pretend that everything went ok. If
1293 the requested element type is some kind of reference, return
1294 the null type instead. */
1295 if (type_isnull (&array
))
1296 return type_isreference (&element
) ? make_type (null_type
) : element
;
1298 if (! type_isarray (&array
))
1299 verify_fail ("array required");
1301 t
= type_array_element (&array
);
1302 if (! types_compatible (&element
, &t
))
1304 /* Special case for byte arrays, which must also be boolean
1307 if (element
.key
== byte_type
)
1309 type e2
= make_type (boolean_type
);
1310 ok
= types_compatible (&e2
, &t
);
1313 verify_fail ("incompatible array element type");
1316 /* Return T and not ELEMENT, because T might be specialized. */
1321 require_array_type (type array
, type_val element
)
1323 type t
= make_type (element
);
1324 return require_array_type_t (array
, t
);
1330 if (vfr
->PC
>= vfr
->current_method
->code_length
)
1331 verify_fail ("premature end of bytecode");
1332 return (jint
) vfr
->bytecode
[vfr
->PC
++] & 0xff;
1338 jint b1
= get_byte ();
1339 jint b2
= get_byte ();
1340 return (jint
) ((b1
<< 8) | b2
) & 0xffff;
1346 signed char b1
= (signed char) get_byte ();
1347 jint b2
= get_byte ();
1348 jshort s
= (b1
<< 8) | b2
;
1355 jint b1
= get_byte ();
1356 jint b2
= get_byte ();
1357 jint b3
= get_byte ();
1358 jint b4
= get_byte ();
1359 jword result
= (b1
<< 24) | (b2
<< 16) | (b3
<< 8) | b4
;
1360 /* In the compiler, 'jint' might have more than 32 bits, so we must
1362 return WORD_TO_INT (result
);
1366 compute_jump (int offset
)
1368 int npc
= vfr
->start_PC
+ offset
;
1369 if (npc
< 0 || npc
>= vfr
->current_method
->code_length
)
1370 verify_fail_pc ("branch out of range", vfr
->start_PC
);
1374 /* Add a new state to the state list at NPC. */
1376 add_new_state (int npc
, state
*old_state
)
1379 vfy_method
*current_method
= vfr
->current_method
;
1380 state
*new_state
= make_state_copy (old_state
, current_method
->max_stack
,
1381 current_method
->max_locals
);
1382 debug_print ("== New state in add_new_state\n");
1383 debug_print_state (new_state
, "New", npc
, current_method
->max_stack
,
1384 current_method
->max_locals
);
1386 nlink
= (state_list
*) vfy_alloc (sizeof (state_list
));
1387 nlink
->val
= new_state
;
1388 nlink
->next
= vfr
->states
[npc
];
1389 vfr
->states
[npc
] = nlink
;
1390 new_state
->pc
= npc
;
1394 /* Merge the indicated state into the state at the branch target and
1395 schedule a new PC if there is a change. NPC is the PC of the
1396 branch target, and FROM_STATE is the state at the source of the
1397 branch. This method returns true if the destination state
1398 changed and requires reverification, false otherwise. */
1400 merge_into (int npc
, state
*from_state
)
1402 /* Iterate over all target states and merge our state into each,
1403 if applicable. FIXME one improvement we could make here is
1404 "state destruction". Merging a new state into an existing one
1405 might cause a return_address_type to be merged to
1406 unsuitable_type. In this case the resulting state may now be
1407 mergeable with other states currently held in parallel at this
1408 location. So in this situation we could pairwise compare and
1409 reduce the number of parallel states. */
1411 bool applicable
= false;
1412 for (iter
= vfr
->states
[npc
]; iter
!= NULL
; iter
= iter
->next
)
1414 state
*new_state
= iter
->val
;
1415 vfy_method
*current_method
= vfr
->current_method
;
1417 if (state_mergeable_p (new_state
, from_state
,
1418 current_method
->max_locals
))
1423 debug_print ("== Merge states in merge_into\n");
1424 debug_print_state (from_state
, "Frm", vfr
->start_PC
, current_method
->max_stack
,
1425 current_method
->max_locals
);
1426 debug_print_state (new_state
, " To", npc
, current_method
->max_stack
,
1427 current_method
->max_locals
);
1428 changed
= merge_states (new_state
, from_state
,
1429 current_method
->max_locals
);
1430 debug_print_state (new_state
, "New", npc
, current_method
->max_stack
,
1431 current_method
->max_locals
);
1434 state_reverify (new_state
);
1440 /* Either we don't yet have a state at NPC, or we have a
1441 return-address type that is in conflict with all existing
1442 state. So, we need to create a new entry. */
1443 state
*new_state
= add_new_state (npc
, from_state
);
1444 /* A new state added in this way must always be reverified. */
1445 state_reverify (new_state
);
1450 push_jump (int offset
)
1452 int npc
= compute_jump (offset
);
1453 /* According to the JVM Spec, we need to check for uninitialized
1454 objects here. However, this does not actually affect type
1455 safety, and the Eclipse java compiler generates code that
1456 violates this constraint. */
1457 merge_into (npc
, vfr
->current_state
);
1461 push_exception_jump (type t
, int pc
)
1464 /* According to the JVM Spec, we need to check for uninitialized
1465 objects here. However, this does not actually affect type
1466 safety, and the Eclipse java compiler generates code that
1467 violates this constraint. */
1468 copy_state_with_stack (&s
, vfr
->current_state
,
1469 vfr
->current_method
->max_stack
,
1470 vfr
->current_method
->max_locals
);
1471 if (vfr
->current_method
->max_stack
< 1)
1472 verify_fail ("stack overflow at exception handler");
1473 state_set_exception (&s
, &t
, vfr
->current_method
->max_stack
);
1474 merge_into (pc
, &s
);
1475 /* FIXME: leak.. need free_state or GC */
1481 state
*new_state
= vfr
->next_verify_state
;
1482 if (new_state
== INVALID_STATE
)
1483 verify_fail ("programmer error in pop_jump");
1484 if (new_state
!= NULL
)
1486 vfr
->next_verify_state
= new_state
->next
;
1487 new_state
->next
= INVALID_STATE
;
1493 invalidate_pc (void)
1499 note_branch_target (int pc
)
1501 /* Don't check `pc <= PC', because we've advanced PC after
1502 fetching the target and we haven't yet checked the next
1504 if (pc
< vfr
->PC
&& ! (vfr
->flags
[pc
] & FLAG_INSN_START
))
1505 verify_fail_pc ("branch not to instruction start", vfr
->start_PC
);
1506 vfr
->flags
[pc
] |= FLAG_BRANCH_TARGET
;
1512 while ((vfr
->PC
% 4) > 0)
1513 if (get_byte () != 0)
1514 verify_fail ("found nonzero padding byte");
1517 /* Do the work for a `ret' instruction. INDEX is the index into the
1520 handle_ret_insn (int index
)
1522 type ret
= make_type (return_address_type
);
1523 type ret_addr
= get_variable_t (index
, &ret
);
1524 /* It would be nice if we could do this. However, the JVM Spec
1525 doesn't say that this is what happens. It is implied that
1526 reusing a return address is invalid, but there's no actual
1527 prohibition against it. */
1528 /* set_variable (index, unsuitable_type); */
1530 int npc
= type_get_pc (&ret_addr
);
1531 /* We might be returning to a `jsr' that is at the end of the
1532 bytecode. This is ok if we never return from the called
1533 subroutine, but if we see this here it is an error. */
1534 if (npc
>= vfr
->current_method
->code_length
)
1535 verify_fail ("fell off end");
1537 /* According to the JVM Spec, we need to check for uninitialized
1538 objects here. However, this does not actually affect type
1539 safety, and the Eclipse java compiler generates code that
1540 violates this constraint. */
1541 merge_into (npc
, vfr
->current_state
);
1545 static void handle_jsr_insn (int offset
)
1548 int npc
= compute_jump (offset
);
1550 /* According to the JVM Spec, we need to check for uninitialized
1551 objects here. However, this does not actually affect type
1552 safety, and the Eclipse java compiler generates code that
1553 violates this constraint. */
1555 /* Modify our state as appropriate for entry into a subroutine. */
1556 ret_addr
= make_type (return_address_type
);
1557 type_set_return_address (&ret_addr
, vfr
->PC
);
1558 vfy_push_type_t (ret_addr
);
1559 merge_into (npc
, vfr
->current_state
);
1564 construct_primitive_array_type (type_val prim
)
1566 vfy_jclass k
= NULL
;
1577 k
= vfy_get_primitive_type ((int) prim
);
1580 /* These aren't used here but we call them out to avoid
1583 case unsuitable_type
:
1584 case return_address_type
:
1585 case continuation_type
:
1586 case reference_type
:
1588 case uninitialized_reference_type
:
1590 verify_fail ("unknown type in construct_primitive_array_type");
1592 k
= vfy_get_array_class (k
);
1596 /* This pass computes the location of branch targets and also
1597 instruction starts. */
1599 branch_prepass (void)
1602 vfr
->flags
= (char *) vfy_alloc (vfr
->current_method
->code_length
);
1604 for (i
= 0; i
< vfr
->current_method
->code_length
; ++i
)
1608 while (vfr
->PC
< vfr
->current_method
->code_length
)
1611 /* Set `start_PC' early so that error checking can have the
1613 vfr
->start_PC
= vfr
->PC
;
1614 vfr
->flags
[vfr
->PC
] |= FLAG_INSN_START
;
1616 opcode
= (java_opcode
) vfr
->bytecode
[vfr
->PC
++];
1620 case op_aconst_null
:
1756 case op_monitorenter
:
1757 case op_monitorexit
:
1765 case op_arraylength
:
1797 case op_invokespecial
:
1798 case op_invokestatic
:
1799 case op_invokevirtual
:
1803 case op_multianewarray
:
1826 note_branch_target (compute_jump (get_short ()));
1829 case op_tableswitch
:
1833 note_branch_target (compute_jump (get_int ()));
1837 verify_fail_pc ("invalid tableswitch", vfr
->start_PC
);
1838 for (i
= low
; i
<= hi
; ++i
)
1839 note_branch_target (compute_jump (get_int ()));
1843 case op_lookupswitch
:
1847 note_branch_target (compute_jump (get_int ()));
1848 npairs
= get_int ();
1850 verify_fail_pc ("too few pairs in lookupswitch", vfr
->start_PC
);
1851 while (npairs
-- > 0)
1854 note_branch_target (compute_jump (get_int ()));
1859 case op_invokeinterface
:
1867 opcode
= (java_opcode
) get_byte ();
1869 if (opcode
== op_iinc
)
1876 note_branch_target (compute_jump (get_int ()));
1880 /* These are unused here, but we call them out explicitly
1881 so that -Wswitch-enum doesn't complain. */
1887 case op_putstatic_1
:
1888 case op_putstatic_2
:
1889 case op_putstatic_4
:
1890 case op_putstatic_8
:
1891 case op_putstatic_a
:
1893 case op_getfield_2s
:
1894 case op_getfield_2u
:
1898 case op_getstatic_1
:
1899 case op_getstatic_2s
:
1900 case op_getstatic_2u
:
1901 case op_getstatic_4
:
1902 case op_getstatic_8
:
1903 case op_getstatic_a
:
1904 #endif /* VFY_FAST_OPCODES */
1906 verify_fail_pc ("unrecognized instruction in branch_prepass",
1910 /* See if any previous branch tried to branch to the middle of
1911 this instruction. */
1912 for (pc
= vfr
->start_PC
+ 1; pc
< vfr
->PC
; ++pc
)
1914 if ((vfr
->flags
[pc
] & FLAG_BRANCH_TARGET
))
1915 verify_fail_pc ("branch to middle of instruction", pc
);
1919 /* Verify exception handlers. */
1920 for (i
= 0; i
< vfr
->current_method
->exc_count
; ++i
)
1922 int handler
, start
, end
, htype
;
1923 vfy_get_exception (vfr
->exception
, i
, &handler
, &start
, &end
, &htype
);
1924 if (! (vfr
->flags
[handler
] & FLAG_INSN_START
))
1925 verify_fail_pc ("exception handler not at instruction start",
1927 if (! (vfr
->flags
[start
] & FLAG_INSN_START
))
1928 verify_fail_pc ("exception start not at instruction start", start
);
1929 if (end
!= vfr
->current_method
->code_length
1930 && ! (vfr
->flags
[end
] & FLAG_INSN_START
))
1931 verify_fail_pc ("exception end not at instruction start", end
);
1933 vfr
->flags
[handler
] |= FLAG_BRANCH_TARGET
;
1938 check_pool_index (int index
)
1940 if (index
< 0 || index
>= vfy_get_constants_size (vfr
->current_class
))
1941 verify_fail_pc ("constant pool index out of range", vfr
->start_PC
);
1945 check_class_constant (int index
)
1947 type t
= { (type_val
) 0, 0, 0 };
1948 vfy_constants
*pool
;
1950 check_pool_index (index
);
1951 pool
= vfy_get_constants (vfr
->current_class
);
1952 if (vfy_tag (pool
, index
) == JV_CONSTANT_ResolvedClass
)
1953 init_type_from_class (&t
, vfy_get_pool_class (pool
, index
));
1954 else if (vfy_tag (pool
, index
) == JV_CONSTANT_Class
)
1955 init_type_from_string (&t
, vfy_get_pool_string (pool
, index
));
1957 verify_fail_pc ("expected class constant", vfr
->start_PC
);
1962 check_constant (int index
)
1964 type t
= { (type_val
) 0, 0, 0 };
1965 vfy_constants
*pool
;
1967 check_pool_index (index
);
1968 pool
= vfy_get_constants (vfr
->current_class
);
1969 if (vfy_tag (pool
, index
) == JV_CONSTANT_ResolvedString
1970 || vfy_tag (pool
, index
) == JV_CONSTANT_String
)
1971 init_type_from_class (&t
, vfy_string_type ());
1972 else if (vfy_tag (pool
, index
) == JV_CONSTANT_Integer
)
1973 init_type_from_tag (&t
, int_type
);
1974 else if (vfy_tag (pool
, index
) == JV_CONSTANT_Float
)
1975 init_type_from_tag (&t
, float_type
);
1976 else if (vfy_tag (pool
, index
) == JV_CONSTANT_Class
1977 || vfy_tag (pool
, index
) == JV_CONSTANT_ResolvedClass
)
1978 /* FIXME: should only allow this for 1.5 bytecode. */
1979 init_type_from_class (&t
, vfy_class_type ());
1981 verify_fail_pc ("String, int, or float constant expected", vfr
->start_PC
);
1986 check_wide_constant (int index
)
1988 type t
= { (type_val
) 0, 0, 0 };
1989 vfy_constants
*pool
;
1991 check_pool_index (index
);
1992 pool
= vfy_get_constants (vfr
->current_class
);
1993 if (vfy_tag (pool
, index
) == JV_CONSTANT_Long
)
1994 init_type_from_tag (&t
, long_type
);
1995 else if (vfy_tag (pool
, index
) == JV_CONSTANT_Double
)
1996 init_type_from_tag (&t
, double_type
);
1998 verify_fail_pc ("long or double constant expected", vfr
->start_PC
);
2002 /* Helper for both field and method. These are laid out the same in
2003 the constant pool. */
2005 handle_field_or_method (int index
, int expected
,
2006 vfy_string
*name
, vfy_string
*fmtype
)
2008 vfy_uint_16 class_index
, name_and_type_index
;
2009 vfy_uint_16 name_index
, desc_index
;
2010 vfy_constants
*pool
;
2012 check_pool_index (index
);
2013 pool
= vfy_get_constants (vfr
->current_class
);
2014 if (vfy_tag (pool
, index
) != expected
)
2015 verify_fail_pc ("didn't see expected constant", vfr
->start_PC
);
2016 /* Once we know we have a Fieldref or Methodref we assume that it
2017 is correctly laid out in the constant pool. I think the code
2018 in defineclass.cc guarantees this. */
2019 vfy_load_indexes (pool
, index
, &class_index
, &name_and_type_index
);
2020 vfy_load_indexes (pool
, name_and_type_index
, &name_index
, &desc_index
);
2022 *name
= vfy_get_pool_string (pool
, name_index
);
2023 *fmtype
= vfy_get_pool_string (pool
, desc_index
);
2025 return check_class_constant (class_index
);
2028 /* Return field's type, compute class' type if requested. If
2029 PUTFIELD is true, use the special 'putfield' semantics. */
2031 check_field_constant (int index
, type
*class_type
, bool putfield
)
2033 vfy_string name
, field_type
;
2037 type ct
= handle_field_or_method (index
,
2038 JV_CONSTANT_Fieldref
,
2039 &name
, &field_type
);
2042 typec
= vfy_string_bytes (field_type
);
2043 if (typec
[0] == '[' || typec
[0] == 'L')
2044 init_type_from_string (&t
, field_type
);
2046 init_type_from_tag (&t
, get_type_val_for_signature (typec
[0]));
2048 /* We have an obscure special case here: we can use `putfield' on a
2049 field declared in this class, even if `this' has not yet been
2052 && ! type_initialized (&vfr
->current_state
->this_type
)
2053 && vfr
->current_state
->this_type
.pc
== SELF
2054 && types_equal (&vfr
->current_state
->this_type
, &ct
)
2055 && vfy_class_has_field (vfr
->current_class
, name
, field_type
))
2056 /* Note that we don't actually know whether we're going to match
2057 against 'this' or some other object of the same type. So,
2058 here we set things up so that it doesn't matter. This relies
2059 on knowing what our caller is up to. */
2060 type_set_uninitialized (class_type
, EITHER
);
2066 check_method_constant (int index
, bool is_interface
,
2067 vfy_string
*method_name
,
2068 vfy_string
*method_signature
)
2070 return handle_field_or_method (index
,
2072 ? JV_CONSTANT_InterfaceMethodref
2073 : JV_CONSTANT_Methodref
),
2074 method_name
, method_signature
);
2078 get_one_type (const char *p
, type
*t
)
2080 const char *start
= p
;
2100 name
= vfy_get_string (start
, p
- start
);
2101 *t
= make_type_from_string (name
);
2105 /* Casting to jchar here is ok since we are looking at an ASCII
2107 rt
= get_type_val_for_signature (v
);
2109 if (arraycount
== 0)
2111 /* Callers of this function eventually push their arguments on
2112 the stack. So, promote them here. */
2113 type new_t
= make_type (rt
);
2114 vfy_promote_type (&new_t
);
2119 k
= construct_primitive_array_type (rt
);
2120 while (--arraycount
> 0)
2121 k
= vfy_get_array_class (k
);
2122 *t
= make_type_from_class (k
);
2127 compute_argument_types (vfy_string signature
, type
*types
)
2130 const char *p
= vfy_string_bytes (signature
);
2137 p
= get_one_type (p
, &types
[i
++]);
2141 compute_return_type (vfy_string signature
)
2143 const char *p
= vfy_string_bytes (signature
);
2148 get_one_type (p
, &t
);
2153 check_return_type (type onstack
)
2155 type rt
= compute_return_type (vfy_get_signature (vfr
->current_method
));
2156 if (! types_compatible (&rt
, &onstack
))
2157 verify_fail ("incompatible return type");
2160 /* Initialize the stack for the new method. Returns true if this
2161 method is an instance initializer. */
2163 initialize_stack (void)
2167 bool is_init
= vfy_strings_equal (vfy_get_method_name (vfr
->current_method
),
2169 bool is_clinit
= vfy_strings_equal (vfy_get_method_name (vfr
->current_method
),
2172 if (! vfy_is_static (vfr
->current_method
))
2174 type kurr
= make_type_from_class (vfr
->current_class
);
2177 type_set_uninitialized (&kurr
, SELF
);
2181 verify_fail ("<clinit> method must be static");
2182 set_variable (0, kurr
);
2183 state_set_this_type (vfr
->current_state
, &kurr
);
2189 verify_fail ("<init> method must be non-static");
2192 /* We have to handle wide arguments specially here. */
2193 arg_count
= vfy_count_arguments (vfy_get_signature (vfr
->current_method
));
2195 type
*arg_types
= (type
*) vfy_alloc (arg_count
* sizeof (type
));
2196 compute_argument_types (vfy_get_signature (vfr
->current_method
), arg_types
);
2197 for (i
= 0; i
< arg_count
; ++i
)
2199 set_variable (var
, arg_types
[i
]);
2201 if (type_iswide (&arg_types
[i
]))
2204 vfy_free (arg_types
);
2211 verify_instructions_0 (void)
2216 vfr
->current_state
= make_state (vfr
->current_method
->max_stack
,
2217 vfr
->current_method
->max_locals
);
2222 /* True if we are verifying an instance initializer. */
2223 this_is_init
= initialize_stack ();
2225 vfr
->states
= (state_list
**) vfy_alloc (sizeof (state_list
*)
2226 * vfr
->current_method
->code_length
);
2228 for (i
= 0; i
< vfr
->current_method
->code_length
; ++i
)
2229 vfr
->states
[i
] = NULL
;
2231 vfr
->next_verify_state
= NULL
;
2237 /* If the PC was invalidated, get a new one from the work list. */
2238 if (vfr
->PC
== NO_NEXT
)
2240 state
*new_state
= pop_jump ();
2241 /* If it is null, we're done. */
2242 if (new_state
== NULL
)
2245 vfr
->PC
= new_state
->pc
;
2246 debug_print ("== State pop from pending list\n");
2247 /* Set up the current state. */
2248 copy_state (vfr
->current_state
, new_state
,
2249 vfr
->current_method
->max_stack
, vfr
->current_method
->max_locals
);
2253 /* We only have to do this checking in the situation where
2254 control flow falls through from the previous instruction.
2255 Otherwise merging is done at the time we push the branch.
2256 Note that we'll catch the off-the-end problem just
2258 if (vfr
->PC
< vfr
->current_method
->code_length
2259 && vfr
->states
[vfr
->PC
] != NULL
)
2261 /* We've already visited this instruction. So merge
2262 the states together. It is simplest, but not most
2263 efficient, to just always invalidate the PC here. */
2264 merge_into (vfr
->PC
, vfr
->current_state
);
2270 /* Control can't fall off the end of the bytecode. We need to
2271 check this in both cases, not just the fall-through case,
2272 because we don't check to see whether a `jsr' appears at
2273 the end of the bytecode until we process a `ret'. */
2274 if (vfr
->PC
>= vfr
->current_method
->code_length
)
2275 verify_fail ("fell off end");
2276 vfr
->flags
[vfr
->PC
] |= FLAG_INSN_SEEN
;
2278 /* We only have to keep saved state at branch targets. If
2279 we're at a branch target and the state here hasn't been set
2280 yet, we set it now. You might notice that `ret' targets
2281 won't necessarily have FLAG_BRANCH_TARGET set. This
2282 doesn't matter, since those states will be filled in by
2284 /* Note that other parts of the compiler assume that there is a
2285 label with a type map at PC=0. */
2286 if (vfr
->states
[vfr
->PC
] == NULL
2287 && (vfr
->PC
== 0 || (vfr
->flags
[vfr
->PC
] & FLAG_BRANCH_TARGET
) != 0))
2288 add_new_state (vfr
->PC
, vfr
->current_state
);
2290 /* Set this before handling exceptions so that debug output is
2292 vfr
->start_PC
= vfr
->PC
;
2294 /* Update states for all active exception handlers. Ordinarily
2295 there are not many exception handlers. So we simply run
2296 through them all. */
2297 for (i
= 0; i
< vfr
->current_method
->exc_count
; ++i
)
2299 int hpc
, start
, end
, htype
;
2300 vfy_get_exception (vfr
->exception
, i
, &hpc
, &start
, &end
, &htype
);
2301 if (vfr
->PC
>= start
&& vfr
->PC
< end
)
2303 type handler
= make_type_from_class (vfy_throwable_type ());
2305 handler
= check_class_constant (htype
);
2306 push_exception_jump (handler
, hpc
);
2311 debug_print_state (vfr
->current_state
, " ", vfr
->PC
,
2312 vfr
->current_method
->max_stack
,
2313 vfr
->current_method
->max_locals
);
2314 opcode
= (java_opcode
) vfr
->bytecode
[vfr
->PC
++];
2320 case op_aconst_null
:
2321 push_type (null_type
);
2331 push_type (int_type
);
2336 push_type (long_type
);
2342 push_type (float_type
);
2347 push_type (double_type
);
2352 push_type (int_type
);
2357 push_type (int_type
);
2361 push_type_t (check_constant (get_byte ()));
2364 push_type_t (check_constant (get_ushort ()));
2367 push_type_t (check_wide_constant (get_ushort ()));
2371 push_type_t (get_variable (get_byte (), int_type
));
2374 push_type_t (get_variable (get_byte (), long_type
));
2377 push_type_t (get_variable (get_byte (), float_type
));
2380 push_type_t (get_variable (get_byte (), double_type
));
2383 push_type_t (get_variable (get_byte (), reference_type
));
2390 push_type_t (get_variable (opcode
- op_iload_0
, int_type
));
2396 push_type_t (get_variable (opcode
- op_lload_0
, long_type
));
2402 push_type_t (get_variable (opcode
- op_fload_0
, float_type
));
2408 push_type_t (get_variable (opcode
- op_dload_0
, double_type
));
2414 push_type_t (get_variable (opcode
- op_aload_0
, reference_type
));
2417 pop_type (int_type
);
2418 push_type_t (require_array_type (pop_init_ref (reference_type
),
2422 pop_type (int_type
);
2423 push_type_t (require_array_type (pop_init_ref (reference_type
),
2427 pop_type (int_type
);
2428 push_type_t (require_array_type (pop_init_ref (reference_type
),
2432 pop_type (int_type
);
2433 push_type_t (require_array_type (pop_init_ref (reference_type
),
2437 pop_type (int_type
);
2438 push_type_t (require_array_type (pop_init_ref (reference_type
),
2442 pop_type (int_type
);
2443 require_array_type (pop_init_ref (reference_type
), byte_type
);
2444 push_type (int_type
);
2447 pop_type (int_type
);
2448 require_array_type (pop_init_ref (reference_type
), char_type
);
2449 push_type (int_type
);
2452 pop_type (int_type
);
2453 require_array_type (pop_init_ref (reference_type
), short_type
);
2454 push_type (int_type
);
2457 set_variable (get_byte (), pop_type (int_type
));
2460 set_variable (get_byte (), pop_type (long_type
));
2463 set_variable (get_byte (), pop_type (float_type
));
2466 set_variable (get_byte (), pop_type (double_type
));
2469 set_variable (get_byte (), pop_ref_or_return ());
2475 set_variable (opcode
- op_istore_0
, pop_type (int_type
));
2481 set_variable (opcode
- op_lstore_0
, pop_type (long_type
));
2487 set_variable (opcode
- op_fstore_0
, pop_type (float_type
));
2493 set_variable (opcode
- op_dstore_0
, pop_type (double_type
));
2499 set_variable (opcode
- op_astore_0
, pop_ref_or_return ());
2502 pop_type (int_type
);
2503 pop_type (int_type
);
2504 require_array_type (pop_init_ref (reference_type
), int_type
);
2507 pop_type (long_type
);
2508 pop_type (int_type
);
2509 require_array_type (pop_init_ref (reference_type
), long_type
);
2512 pop_type (float_type
);
2513 pop_type (int_type
);
2514 require_array_type (pop_init_ref (reference_type
), float_type
);
2517 pop_type (double_type
);
2518 pop_type (int_type
);
2519 require_array_type (pop_init_ref (reference_type
), double_type
);
2522 pop_type (reference_type
);
2523 pop_type (int_type
);
2524 require_array_type (pop_init_ref (reference_type
), reference_type
);
2527 pop_type (int_type
);
2528 pop_type (int_type
);
2529 require_array_type (pop_init_ref (reference_type
), byte_type
);
2532 pop_type (int_type
);
2533 pop_type (int_type
);
2534 require_array_type (pop_init_ref (reference_type
), char_type
);
2537 pop_type (int_type
);
2538 pop_type (int_type
);
2539 require_array_type (pop_init_ref (reference_type
), short_type
);
2546 type t
= pop_raw ();
2547 if (! type_iswide (&t
))
2570 type t2
= pop_raw ();
2571 if (! type_iswide (&t2
))
2585 type t
= pop_raw ();
2586 if (! type_iswide (&t
))
2600 type t1
= pop_raw ();
2602 if (! type_iswide (&t1
))
2617 type t1
= pop_raw ();
2618 if (type_iswide (&t1
))
2620 type t2
= pop_raw ();
2621 if (type_iswide (&t2
))
2638 type t3
= pop_raw ();
2639 if (type_iswide (&t3
))
2676 pop_type (int_type
);
2677 push_type_t (pop_type (int_type
));
2687 pop_type (long_type
);
2688 push_type_t (pop_type (long_type
));
2693 pop_type (int_type
);
2694 push_type_t (pop_type (long_type
));
2701 pop_type (float_type
);
2702 push_type_t (pop_type (float_type
));
2709 pop_type (double_type
);
2710 push_type_t (pop_type (double_type
));
2716 push_type_t (pop_type (int_type
));
2719 push_type_t (pop_type (long_type
));
2722 push_type_t (pop_type (float_type
));
2725 push_type_t (pop_type (double_type
));
2728 get_variable (get_byte (), int_type
);
2732 pop_type (int_type
);
2733 push_type (long_type
);
2736 pop_type (int_type
);
2737 push_type (float_type
);
2740 pop_type (int_type
);
2741 push_type (double_type
);
2744 pop_type (long_type
);
2745 push_type (int_type
);
2748 pop_type (long_type
);
2749 push_type (float_type
);
2752 pop_type (long_type
);
2753 push_type (double_type
);
2756 pop_type (float_type
);
2757 push_type (int_type
);
2760 pop_type (float_type
);
2761 push_type (long_type
);
2764 pop_type (float_type
);
2765 push_type (double_type
);
2768 pop_type (double_type
);
2769 push_type (int_type
);
2772 pop_type (double_type
);
2773 push_type (long_type
);
2776 pop_type (double_type
);
2777 push_type (float_type
);
2780 pop_type (long_type
);
2781 pop_type (long_type
);
2782 push_type (int_type
);
2786 pop_type (float_type
);
2787 pop_type (float_type
);
2788 push_type (int_type
);
2792 pop_type (double_type
);
2793 pop_type (double_type
);
2794 push_type (int_type
);
2802 pop_type (int_type
);
2803 push_jump (get_short ());
2811 pop_type (int_type
);
2812 pop_type (int_type
);
2813 push_jump (get_short ());
2817 pop_type (reference_type
);
2818 pop_type (reference_type
);
2819 push_jump (get_short ());
2822 push_jump (get_short ());
2826 handle_jsr_insn (get_short ());
2829 handle_ret_insn (get_byte ());
2831 case op_tableswitch
:
2835 pop_type (int_type
);
2837 push_jump (get_int ());
2840 /* Already checked LOW -vs- HIGH. */
2841 for (i
= low
; i
<= high
; ++i
)
2842 push_jump (get_int ());
2847 case op_lookupswitch
:
2850 jint npairs
, lastkey
;
2852 pop_type (int_type
);
2854 push_jump (get_int ());
2855 npairs
= get_int ();
2856 /* Already checked NPAIRS >= 0. */
2858 for (i
= 0; i
< npairs
; ++i
)
2860 jint key
= get_int ();
2861 if (i
> 0 && key
<= lastkey
)
2862 verify_fail_pc ("lookupswitch pairs unsorted", vfr
->start_PC
);
2864 push_jump (get_int ());
2870 check_return_type (pop_type (int_type
));
2874 check_return_type (pop_type (long_type
));
2878 check_return_type (pop_type (float_type
));
2882 check_return_type (pop_type (double_type
));
2886 check_return_type (pop_init_ref (reference_type
));
2890 /* We only need to check this when the return type is void,
2891 because all instance initializers return void. We also
2892 need to special-case Object constructors, as they can't
2893 call a superclass <init>. */
2894 if (this_is_init
&& vfr
->current_class
!= vfy_object_type ())
2895 state_check_this_initialized (vfr
->current_state
);
2896 check_return_type (make_type (void_type
));
2900 push_type_t (check_field_constant (get_ushort (), NULL
, false));
2903 pop_type_t (check_field_constant (get_ushort (), NULL
, false));
2908 type field
= check_field_constant (get_ushort (), &klass
, false);
2910 push_type_t (field
);
2916 type field
= check_field_constant (get_ushort (), &klass
, true);
2922 case op_invokevirtual
:
2923 case op_invokespecial
:
2924 case op_invokestatic
:
2925 case op_invokeinterface
:
2927 vfy_string method_name
, method_signature
;
2931 bool is_init
= false;
2934 = check_method_constant (get_ushort (),
2935 opcode
== op_invokeinterface
,
2938 /* NARGS is only used when we're processing
2939 invokeinterface. It is simplest for us to compute it
2940 here and then verify it later. */
2942 if (opcode
== op_invokeinterface
)
2944 nargs
= get_byte ();
2945 if (get_byte () != 0)
2946 verify_fail ("invokeinterface dummy byte is wrong");
2949 namec
= vfy_string_bytes (method_name
);
2951 if (vfy_strings_equal (method_name
, vfy_init_name()))
2954 if (opcode
!= op_invokespecial
)
2955 verify_fail ("can't invoke <init>");
2957 else if (namec
[0] == '<')
2958 verify_fail ("can't invoke method starting with `<'");
2960 arg_count
= vfy_count_arguments (method_signature
);
2962 /* Pop arguments and check types. */
2963 type
*arg_types
= (type
*) vfy_alloc (arg_count
* sizeof (type
));
2965 compute_argument_types (method_signature
, arg_types
);
2966 for (i
= arg_count
- 1; i
>= 0; --i
)
2968 /* This is only used for verifying the byte for
2970 nargs
-= type_depth (&arg_types
[i
]);
2971 pop_init_ref_t (arg_types
[i
]);
2974 vfy_free (arg_types
);
2977 if (opcode
== op_invokeinterface
2979 verify_fail ("wrong argument count for invokeinterface");
2981 if (opcode
!= op_invokestatic
)
2984 type t
= class_type
;
2987 /* In this case the PC doesn't matter. */
2988 type_set_uninitialized (&t
, UNINIT
);
2989 /* FIXME: check to make sure that the <init>
2990 call is to the right class.
2991 It must either be super or an exact class
2995 if (! types_compatible (&t
, &raw
))
2996 verify_fail ("incompatible type on stack");
2999 state_set_initialized (vfr
->current_state
,
3000 type_get_pc (&raw
), vfr
->current_method
->max_locals
);
3003 rt
= compute_return_type (method_signature
);
3004 if (! type_isvoid (&rt
))
3011 type t
= check_class_constant (get_ushort ());
3012 if (type_isarray (&t
) || type_isinterface (&t
)
3013 || type_isabstract (&t
))
3014 verify_fail ("type is array, interface, or abstract");
3015 type_set_uninitialized (&t
, vfr
->start_PC
);
3022 int atype
= get_byte ();
3025 /* We intentionally have chosen constants to make this
3027 if (atype
< boolean_type
|| atype
> long_type
)
3028 verify_fail_pc ("type not primitive", vfr
->start_PC
);
3029 pop_type (int_type
);
3030 k
= construct_primitive_array_type ((type_val
) atype
);
3031 init_type_from_class (&t
, k
);
3038 pop_type (int_type
);
3039 t
= check_class_constant (get_ushort ());
3040 push_type_t (type_to_array (&t
));
3043 case op_arraylength
:
3045 type t
= pop_init_ref (reference_type
);
3046 if (! type_isarray (&t
) && ! type_isnull (&t
))
3047 verify_fail ("array type expected");
3048 push_type (int_type
);
3052 pop_type_t (make_type_from_class (vfy_throwable_type ()));
3056 pop_init_ref (reference_type
);
3057 push_type_t (check_class_constant (get_ushort ()));
3060 pop_init_ref (reference_type
);
3061 check_class_constant (get_ushort ());
3062 push_type (int_type
);
3064 case op_monitorenter
:
3065 pop_init_ref (reference_type
);
3067 case op_monitorexit
:
3068 pop_init_ref (reference_type
);
3072 switch (get_byte ())
3075 push_type_t (get_variable (get_ushort (), int_type
));
3078 push_type_t (get_variable (get_ushort (), long_type
));
3081 push_type_t (get_variable (get_ushort (), float_type
));
3084 push_type_t (get_variable (get_ushort (), double_type
));
3087 push_type_t (get_variable (get_ushort (), reference_type
));
3090 set_variable (get_ushort (), pop_type (int_type
));
3093 set_variable (get_ushort (), pop_type (long_type
));
3096 set_variable (get_ushort (), pop_type (float_type
));
3099 set_variable (get_ushort (), pop_type (double_type
));
3102 set_variable (get_ushort (), pop_init_ref (reference_type
));
3105 handle_ret_insn (get_short ());
3108 get_variable (get_ushort (), int_type
);
3112 verify_fail_pc ("unrecognized wide instruction", vfr
->start_PC
);
3116 case op_multianewarray
:
3119 type atype
= check_class_constant (get_ushort ());
3120 int dim
= get_byte ();
3122 verify_fail_pc ("too few dimensions to multianewarray", vfr
->start_PC
);
3123 type_verify_dimensions (&atype
, dim
);
3124 for (i
= 0; i
< dim
; ++i
)
3125 pop_type (int_type
);
3126 push_type_t (atype
);
3131 pop_type (reference_type
);
3132 push_jump (get_short ());
3135 push_jump (get_int ());
3139 handle_jsr_insn (get_int ());
3143 /* Unrecognized opcode. */
3144 verify_fail_pc ("unrecognized instruction in verify_instructions_0",
3150 /* This turns a `type' into something suitable for use by the type map
3151 in the other parts of the compiler. In particular, reference types
3152 are mapped to Object, primitive types are unchanged, and other
3153 types are mapped using special functions declared in verify.h. */
3155 collapse_type (type
*t
)
3168 return vfy_get_primitive_type (t
->key
);
3170 case unsuitable_type
:
3171 case continuation_type
:
3172 return vfy_unsuitable_type ();
3174 case return_address_type
:
3175 return vfy_return_address_type ();
3178 return vfy_null_type ();
3180 case reference_type
:
3181 case uninitialized_reference_type
:
3182 return vfy_object_type ();
3189 verify_instructions (void)
3194 verify_instructions_0 ();
3196 /* Now tell the rest of the compiler about the types we've found. */
3197 for (i
= 0; i
< vfr
->current_method
->code_length
; ++i
)
3202 if ((vfr
->flags
[i
] & FLAG_INSN_SEEN
) != 0)
3203 vfy_note_instruction_seen (i
);
3205 if (! vfr
->states
[i
])
3208 curr
= vfr
->states
[i
]->val
;
3209 vfy_note_stack_depth (vfr
->current_method
, i
, curr
->stackdepth
);
3211 /* Tell the compiler about each local variable. */
3212 for (j
= 0; j
< vfr
->current_method
->max_locals
; ++j
)
3213 vfy_note_local_type (vfr
->current_method
, i
, j
,
3214 collapse_type (&curr
->locals
[j
]));
3215 /* Tell the compiler about each stack slot. */
3216 for (slot
= j
= 0; j
< curr
->stacktop
; ++j
, ++slot
)
3218 vfy_note_stack_type (vfr
->current_method
, i
, slot
,
3219 collapse_type (&curr
->stack
[j
]));
3220 if (type_iswide (&curr
->stack
[j
]))
3223 vfy_note_stack_type (vfr
->current_method
, i
, slot
,
3224 vfy_unsuitable_type ());
3227 gcc_assert (slot
== curr
->stackdepth
);
3232 make_verifier_context (vfy_method
*m
)
3234 vfr
= (verifier_context
*) vfy_alloc (sizeof (struct verifier_context
));
3236 vfr
->current_method
= m
;
3237 vfr
->bytecode
= vfy_get_bytecode (m
);
3238 vfr
->exception
= vfy_get_exceptions (m
);
3239 vfr
->current_class
= m
->defining_class
;
3243 vfr
->utf8_list
= NULL
;
3244 vfr
->isect_list
= NULL
;
3248 free_verifier_context (void)
3250 vfy_string_list
*utf8_list
;
3251 ref_intersection
*isect_list
;
3254 vfy_free (vfr
->flags
);
3256 utf8_list
= vfr
->utf8_list
;
3257 while (utf8_list
!= NULL
)
3259 vfy_string_list
*n
= utf8_list
->next
;
3260 vfy_free (utf8_list
);
3264 isect_list
= vfr
->isect_list
;
3265 while (isect_list
!= NULL
)
3267 ref_intersection
*next
= isect_list
->alloc_next
;
3268 vfy_free (isect_list
);
3272 if (vfr
->states
!= NULL
)
3275 for (i
= 0; i
< vfr
->current_method
->code_length
; ++i
)
3277 state_list
*iter
= vfr
->states
[i
];
3278 while (iter
!= NULL
)
3280 state_list
*next
= iter
->next
;
3281 free_state (iter
->val
);
3282 vfy_free (iter
->val
);
3287 vfy_free (vfr
->states
);
3294 verify_method (vfy_method
*meth
)
3296 debug_print ("verify_method (%s) %i\n", vfy_string_bytes (meth
->name
),
3300 verify_fail ("verifier re-entered");
3302 make_verifier_context (meth
);
3303 verify_instructions ();
3304 free_verifier_context ();