Subversion Repositories scarts

/* Copyright (C) 2001, 2002, 2003, 2004, 2005  Free Software Foundation

   This file is part of libgcj.

This software is copyrighted work licensed under the terms of the

Libgcj License.  Please consult the file "LIBGCJ_LICENSE" for

details.  */

/* Written by Tom Tromey <tromey@redhat.com>  */

/* Uncomment this to enable debugging output.  */

/* #define VERIFY_DEBUG */

#include "config.h"

#include "verify.h"

/* Hack to work around namespace pollution from java-tree.h.  */

#undef current_class

#ifdef VERIFY_DEBUG

#include <stdio.h>

#endif /* VERIFY_DEBUG */

/* This is used to mark states which are not scheduled for

   verification. */

#define INVALID_STATE ((state *) -1)

static void ATTRIBUTE_PRINTF_1

debug_print (const char *fmt ATTRIBUTE_UNUSED, ...)

{

#ifdef VERIFY_DEBUG

  va_list ap;

  va_start (ap, fmt);

  vfprintf (stderr, fmt, ap);

  va_end (ap);

#endif /* VERIFY_DEBUG */

}

/* This started as a fairly ordinary verifier, and for the most part

   it remains so.  It works in the obvious way, by modeling the effect

   of each opcode as it is encountered.  For most opcodes, this is a

   straightforward operation.

   This verifier does not do type merging.  It used to, but this

   results in difficulty verifying some relatively simple code

   involving interfaces, and it pushed some verification work into the

   interpreter.

   Instead of merging reference types, when we reach a point where two

   flows of control merge, we simply keep the union of reference types

   from each branch.  Then, when we need to verify a fact about a

   reference on the stack (e.g., that it is compatible with the

   argument type of a method), we check to ensure that all possible

   types satisfy the requirement.

   Another area this verifier differs from the norm is in its handling

   of subroutines.  The JVM specification has some confusing things to

   say about subroutines.  For instance, it makes claims about not

   allowing subroutines to merge and it rejects recursive subroutines.

   For the most part these are red herrings; we used to try to follow

   these things but they lead to problems.  For example, the notion of

   "being in a subroutine" is not well-defined: is an exception

   handler in a subroutine?  If you never execute the `ret' but

   instead `goto 1' do you remain in the subroutine?

   For clarity on what is really required for type safety, read

   "Simple Verification Technique for Complex Java Bytecode

   Subroutines" by Alessandro Coglio.  Among other things this paper

   shows that recursive subroutines are not harmful to type safety.

   We implement something similar to what he proposes.  Note that this

   means that this verifier will accept code that is rejected by some

   other verifiers.

   For those not wanting to read the paper, the basic observation is

   that we can maintain split states in subroutines.  We maintain one

   state for each calling `jsr'.  In other words, we re-verify a

   subroutine once for each caller, using the exact types held by the

   callers (as opposed to the old approach of merging types and

   keeping a bitmap registering what did or did not change).  This

   approach lets us continue to verify correctly even when a

   subroutine is exited via `goto' or `athrow' and not `ret'.

   In some other areas the JVM specification is (mildly) incorrect,

   so we diverge.  For instance, you cannot

   violate type safety by allocating an object with `new' and then

   failing to initialize it, no matter how one branches or where one

   stores the uninitialized reference.  See "Improving the official

   specification of Java bytecode verification" by Alessandro Coglio.

   Note that there's no real point in enforcing that padding bytes or

   the mystery byte of invokeinterface must be 0, but we do that

   regardless.

   The verifier is currently neither completely lazy nor eager when it

   comes to loading classes.  It tries to represent types by name when

   possible, and then loads them when it needs to verify a fact about

   the type.  Checking types by name is valid because we only use

   names which come from the current class' constant pool.  Since all

   such names are looked up using the same class loader, there is no

   danger that we might be fooled into comparing different types with

   the same name.

   In the future we plan to allow for a completely lazy mode of

   operation, where the verifier will construct a list of type

   assertions to be checked later.

   Some test cases for the verifier live in the "verify" module of the

   Mauve test suite.  However, some of these are presently

   (2004-01-20) believed to be incorrect.  (More precisely the notion

   of "correct" is not well-defined, and this verifier differs from

   others while remaining type-safe.)  Some other tests live in the

   libgcj test suite.

   This verifier is also written to be pluggable.  This means that it

   is intended for use in a variety of environments, not just libgcj.

   As a result the verifier expects a number of type and method

   declarations to be declared in "verify.h".  The intent is that you

   recompile the verifier for your particular environment.  This

   approach was chosen so that operations could be inlined in verify.h

   as much as possible.

   See the verify.h that accompanies this copy of the verifier to see

   what types, preprocessor defines, and functions must be declared.

   The interface is ad hoc, but was defined so that it could be

   implemented to connect to a pure C program.

*/

#define FLAG_INSN_START 1

#define FLAG_BRANCH_TARGET 2

#define FLAG_INSN_SEEN 4

struct state;

struct type;

struct ref_intersection;

typedef struct state state;

typedef struct type type;

typedef struct ref_intersection ref_intersection;

/*typedef struct state_list state_list;*/

typedef struct state_list

{

  state *val;

  struct state_list *next;

} state_list;

typedef struct vfy_string_list

{

  vfy_string val;

  struct vfy_string_list *next;

} vfy_string_list;

typedef struct verifier_context

{

  /* The current PC.  */

  int PC;

  /* The PC corresponding to the start of the current instruction.  */

  int start_PC;

  /* The current state of the stack, locals, etc.  */

  state *current_state;

  /* At each branch target we keep a linked list of all the states we

     can process at that point.  We'll only have multiple states at a

     given PC if they both have different return-address types in the

     same stack or local slot.  This array is indexed by PC and holds

     the list of all such states.  */

  state_list **states;

  /* We keep a linked list of all the states which we must reverify.

     This is the head of the list.  */

  state *next_verify_state;

  /* We keep some flags for each instruction.  The values are the

     FLAG_* constants defined above.  This is an array indexed by PC.  */

  char *flags;

  /* The bytecode itself.  */

  const unsigned char *bytecode;

  /* The exceptions.  */

  vfy_exception *exception;

  /* Defining class.  */

  vfy_jclass current_class;

  /* This method.  */

  vfy_method *current_method;

  /* A linked list of utf8 objects we allocate.  */

  vfy_string_list *utf8_list;

  /* A linked list of all ref_intersection objects we allocate.  */

  ref_intersection *isect_list;

} verifier_context;

/* The current verifier's state data. This is maintained by

   {push/pop}_verifier_context to provide a shorthand form to access

   the verification state. */

static GTY(()) verifier_context *vfr;

/* Local function declarations.  */

bool type_initialized (type *t);

int ref_count_dimensions (ref_intersection *ref);

static void

verify_fail_pc (const char *s, int pc)

{

  vfy_fail (s, pc, vfr->current_class, vfr->current_method);

}

static void

verify_fail (const char *s)

{

  verify_fail_pc (s, vfr->PC);

}

/* This enum holds a list of tags for all the different types we

   need to handle.  Reference types are treated specially by the

   type class.  */

typedef enum type_val

{

  void_type,

  /* The values for primitive types are chosen to correspond to values

     specified to newarray. */

  boolean_type = 4,

  char_type = 5,

  float_type = 6,

  double_type = 7,

  byte_type = 8,

  short_type = 9,

  int_type = 10,

  long_type = 11,

  /* Used when overwriting second word of a double or long in the

     local variables.  Also used after merging local variable states

     to indicate an unusable value.  */

  unsuitable_type,

  return_address_type,

  /* This is the second word of a two-word value, i.e., a double or

     a long.  */

  continuation_type,

  /* Everything after `reference_type' must be a reference type.  */

  reference_type,

  null_type,

  uninitialized_reference_type

} type_val;

/* This represents a merged class type.  Some verifiers (including

   earlier versions of this one) will compute the intersection of

   two class types when merging states.  However, this loses

   critical information about interfaces implemented by the various

   classes.  So instead we keep track of all the actual classes that

   have been merged.  */

struct ref_intersection

{

  /* Whether or not this type has been resolved.  */

  bool is_resolved;

  /* Actual type data.  */

  union

  {

    /* For a resolved reference type, this is a pointer to the class.  */

    vfy_jclass klass;

    /* For other reference types, this it the name of the class.  */

    vfy_string name;

  } data;

  /* Link to the next reference in the intersection.  */

  ref_intersection *ref_next;

  /* This is used to keep track of all the allocated

     ref_intersection objects, so we can free them.

     FIXME: we should allocate these in chunks.  */

  ref_intersection *alloc_next;

};

static ref_intersection *

make_ref (void)

{

  ref_intersection *new_ref =

    (ref_intersection *) vfy_alloc (sizeof (ref_intersection));

  new_ref->alloc_next = vfr->isect_list;

  vfr->isect_list = new_ref;

  return new_ref;

}

static ref_intersection *

clone_ref (ref_intersection *dup)

{

  ref_intersection *new_ref = make_ref ();

  new_ref->is_resolved = dup->is_resolved;

  new_ref->data = dup->data;

  return new_ref;

}

static void

resolve_ref (ref_intersection *ref)

{

  if (ref->is_resolved)

    return;

  ref->data.klass = vfy_find_class (vfr->current_class, ref->data.name);

  ref->is_resolved = true;

}

static bool

refs_equal (ref_intersection *ref1, ref_intersection *ref2)

{

  if (! ref1->is_resolved && ! ref2->is_resolved

      && vfy_strings_equal (ref1->data.name, ref2->data.name))

    return true;

  if (! ref1->is_resolved)

    resolve_ref (ref1);

  if (! ref2->is_resolved)

    resolve_ref (ref2);

  return ref1->data.klass == ref2->data.klass;

}

/* Merge REF1 type into REF2, returning the result.  This will

   return REF2 if all the classes in THIS already appear in

   REF2.  */

static ref_intersection *

merge_refs (ref_intersection *ref1, ref_intersection *ref2)

{

  ref_intersection *tail = ref2;

  for (; ref1 != NULL; ref1 = ref1->ref_next)

    {

      bool add = true;

      ref_intersection *iter;

      for (iter = ref2; iter != NULL; iter = iter->ref_next)

        {

          if (refs_equal (ref1, iter))

            {

              add = false;

              break;

            }

        }

      if (add)

        {

          ref_intersection *new_tail = clone_ref (ref1);

          new_tail->ref_next = tail;

          tail = new_tail;

        }

    }

  return tail;

}

/* See if an object of type SOURCE can be assigned to an object of

   type TARGET.  This might resolve classes in one chain or the other.  */

static bool

ref_compatible (ref_intersection *target, ref_intersection *source)

{

  for (; target != NULL; target = target->ref_next)

    {

      ref_intersection *source_iter = source;

      for (; source_iter != NULL; source_iter = source_iter->ref_next)

        {

          /* Avoid resolving if possible.  */

          if (! target->is_resolved

              && ! source_iter->is_resolved

              && vfy_strings_equal (target->data.name,

                                    source_iter->data.name))

            continue;

          if (! target->is_resolved)

            resolve_ref (target);

          if (! source_iter->is_resolved)

            resolve_ref (source_iter);

          if (! vfy_is_assignable_from (target->data.klass,

                                        source_iter->data.klass))

            return false;

        }

    }

  return true;

}

static bool

ref_isarray (ref_intersection *ref)

{

  /* assert (ref_next == NULL);  */

  if (ref->is_resolved)

    return vfy_is_array (ref->data.klass);

  else

    return vfy_string_bytes (ref->data.name)[0] == '[';

}

static bool

ref_isinterface (ref_intersection *ref)

{

  /* assert (ref_next == NULL);  */

  if (! ref->is_resolved)

    resolve_ref (ref);

  return vfy_is_interface (ref->data.klass);

}

static bool

ref_isabstract (ref_intersection *ref)

{

  /* assert (ref_next == NULL); */

  if (! ref->is_resolved)

    resolve_ref (ref);

  return vfy_is_abstract (ref->data.klass);

}

static vfy_jclass

ref_getclass (ref_intersection *ref)

{

  if (! ref->is_resolved)

    resolve_ref (ref);

  return ref->data.klass;

}

int

ref_count_dimensions (ref_intersection *ref)

{

  int ndims = 0;

  if (ref->is_resolved)

    {

      vfy_jclass k = ref->data.klass;

      while (vfy_is_array (k))

        {

          k = vfy_get_component_type (k);

          ++ndims;

        }

    }

  else

    {

      const char *p = vfy_string_bytes (ref->data.name);

      while (*p++ == '[')

        ++ndims;

    }

  return ndims;

}

/* Return the type_val corresponding to a primitive signature

   character.  For instance `I' returns `int.class'.  */

static type_val

get_type_val_for_signature (char sig)

{

  type_val rt;

  switch (sig)

    {

    case 'Z':

      rt = boolean_type;

      break;

    case 'B':

      rt = byte_type;

      break;

    case 'C':

      rt = char_type;

      break;

    case 'S':

      rt = short_type;

      break;

    case 'I':

      rt = int_type;

      break;

    case 'J':

      rt = long_type;

      break;

    case 'F':

      rt = float_type;

      break;

    case 'D':

      rt = double_type;

      break;

    case 'V':

      rt = void_type;

      break;

    default:

      verify_fail ("invalid signature");

      return null_type;

    }

  return rt;

}

/* Return the type_val corresponding to a primitive class.  */

static type_val

get_type_val_for_primtype (vfy_jclass k)

{

  return get_type_val_for_signature (vfy_get_primitive_char (k));

}

/* The `type' class is used to represent a single type in the verifier.  */

struct type

{

  /* The type key.  */

  type_val key;

  /* For reference types, the representation of the type.  */

  ref_intersection *klass;

  /* This is used in two situations.

     First, when constructing a new object, it is the PC of the

     `new' instruction which created the object.  We use the special

     value UNINIT to mean that this is uninitialized.  The special

     value SELF is used for the case where the current method is

     itself the <init> method.  the special value EITHER is used

     when we may optionally allow either an uninitialized or

     initialized reference to match.

     Second, when the key is return_address_type, this holds the PC

     of the instruction following the `jsr'.  */

  int pc;

#define UNINIT -2

#define SELF -1

#define EITHER -3

};

/* Make a new instance given the type tag.  We assume a generic

   `reference_type' means Object.  */

static void

init_type_from_tag (type *t, type_val k)

{

  t->key = k;

  /* For reference_type, if KLASS==NULL then that means we are

     looking for a generic object of any kind, including an

     uninitialized reference.  */

  t->klass = NULL;

  t->pc = UNINIT;

}

/* Make a type for the given type_val tag K.  */

static type

make_type (type_val k)

{

  type t;

  init_type_from_tag (&t, k);

  return t;

}

/* Make a new instance given a class.  */

static void

init_type_from_class (type *t, vfy_jclass k)

{

  t->key = reference_type;

  t->klass = make_ref ();

  t->klass->is_resolved = true;

  t->klass->data.klass = k;

  t->klass->ref_next = NULL;

  t->pc = UNINIT;

}

static type

make_type_from_class (vfy_jclass k)

{

  type t;

  init_type_from_class (&t, k);

  return t;

}

static void

init_type_from_string (type *t, vfy_string n)

{

  t->key = reference_type;

  t->klass = make_ref ();

  t->klass->is_resolved = false;

  t->klass->data.name = n;

  t->klass->ref_next = NULL;

  t->pc = UNINIT;

}

static type

make_type_from_string (vfy_string n)

{

  type t;

  init_type_from_string (&t, n);

  return t;

}

/* Promote a numeric type.  */

static void

vfy_promote_type (type *t)

{

  if (t->key == boolean_type || t->key == char_type

      || t->key == byte_type || t->key == short_type)

    t->key = int_type;

}

#define promote_type vfy_promote_type

/* Mark this type as the uninitialized result of `new'.  */

static void

type_set_uninitialized (type *t, int npc)

{

  if (t->key == reference_type)

    t->key = uninitialized_reference_type;

  else

    verify_fail ("internal error in type::uninitialized");

  t->pc = npc;

}

/* Mark this type as now initialized.  */

static void

type_set_initialized (type *t, int npc)

{

  if (npc != UNINIT && t->pc == npc && t->key == uninitialized_reference_type)

    {

      t->key = reference_type;

      t->pc = UNINIT;

    }

}

/* Mark this type as a particular return address.  */

static void type_set_return_address (type *t, int npc)

{

  t->pc = npc;

}

/* Return true if this type and type OTHER are considered

   mergeable for the purposes of state merging.  This is related

   to subroutine handling.  For this purpose two types are

   considered unmergeable if they are both return-addresses but

   have different PCs.  */

static bool

type_state_mergeable_p (type *t1, type *t2)

{

  return (t1->key != return_address_type

          || t2->key != return_address_type

          || t1->pc == t2->pc);

}

/* Return true if an object of type K can be assigned to a variable

   of type T.  Handle various special cases too.  Might modify

   T or K.  Note however that this does not perform numeric

   promotion.  */

static bool

types_compatible (type *t, type *k)

{

  /* Any type is compatible with the unsuitable type.  */

  if (k->key == unsuitable_type)

    return true;

  if (t->key < reference_type || k->key < reference_type)

    return t->key == k->key;

  /* The `null' type is convertible to any initialized reference

     type.  */

  if (t->key == null_type)

    return k->key != uninitialized_reference_type;

  if (k->key == null_type)

    return t->key != uninitialized_reference_type;

  /* A special case for a generic reference.  */

  if (t->klass == NULL)

    return true;

  if (k->klass == NULL)

    verify_fail ("programmer error in type::compatible");

  /* Handle the special 'EITHER' case, which is only used in a

     special case of 'putfield'.  Note that we only need to handle

     this on the LHS of a check.  */

  if (! type_initialized (t) && t->pc == EITHER)

    {

      /* If the RHS is uninitialized, it must be an uninitialized

         'this'.  */

      if (! type_initialized (k) && k->pc != SELF)

        return false;

    }

  else if (type_initialized (t) != type_initialized (k))

    {

      /* An initialized type and an uninitialized type are not

         otherwise compatible.  */

      return false;

    }

  else

    {

      /* Two uninitialized objects are compatible if either:

       * The PCs are identical, or

       * One PC is UNINIT.  */

      if (type_initialized (t))

        {

          if (t->pc != k->pc && t->pc != UNINIT && k->pc != UNINIT)

            return false;

        }

    }

  return ref_compatible (t->klass, k->klass);

}

/* Return true if two types are equal.  Only valid for reference

   types.  */

static bool

types_equal (type *t1, type *t2)

{

  if ((t1->key != reference_type && t1->key != uninitialized_reference_type)

      || (t2->key != reference_type

          && t2->key != uninitialized_reference_type))

    return false;

  /* Only single-ref types are allowed.  */

  if (t1->klass->ref_next || t2->klass->ref_next)

    return false;

  return refs_equal (t1->klass, t2->klass);

}

static bool

type_isvoid (type *t)

{

  return t->key == void_type;

}

static bool

type_iswide (type *t)

{

  return t->key == long_type || t->key == double_type;

}

/* Return number of stack or local variable slots taken by this type.  */

static int

type_depth (type *t)

{

  return type_iswide (t) ? 2 : 1;

}

static bool

type_isarray (type *t)

{

  /* We treat null_type as not an array.  This is ok based on the

     current uses of this method.  */

  if (t->key == reference_type)

    return ref_isarray (t->klass);

  return false;

}

static bool

type_isnull (type *t)

{

  return t->key == null_type;

}

static bool

type_isinterface (type *t)

{

  if (t->key != reference_type)

    return false;

  return ref_isinterface (t->klass);

}

static bool

type_isabstract (type *t)

{

  if (t->key != reference_type)

    return false;