001/* 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017package org.apache.bcel.verifier.structurals; 018 019import java.io.PrintWriter; 020import java.io.StringWriter; 021import java.util.ArrayList; 022import java.util.List; 023import java.util.Random; 024import java.util.Vector; 025 026import org.apache.bcel.Const; 027import org.apache.bcel.Repository; 028import org.apache.bcel.classfile.JavaClass; 029import org.apache.bcel.classfile.Method; 030import org.apache.bcel.generic.ConstantPoolGen; 031import org.apache.bcel.generic.InstructionHandle; 032import org.apache.bcel.generic.JsrInstruction; 033import org.apache.bcel.generic.MethodGen; 034import org.apache.bcel.generic.ObjectType; 035import org.apache.bcel.generic.RET; 036import org.apache.bcel.generic.ReferenceType; 037import org.apache.bcel.generic.ReturnInstruction; 038import org.apache.bcel.generic.ReturnaddressType; 039import org.apache.bcel.generic.Type; 040import org.apache.bcel.verifier.PassVerifier; 041import org.apache.bcel.verifier.VerificationResult; 042import org.apache.bcel.verifier.Verifier; 043import org.apache.bcel.verifier.exc.AssertionViolatedException; 044import org.apache.bcel.verifier.exc.StructuralCodeConstraintException; 045import org.apache.bcel.verifier.exc.VerifierConstraintViolatedException; 046 047/** 048 * This PassVerifier verifies a method of class file according to pass 3, so-called structural verification as described 049 * in The Java Virtual Machine Specification, 2nd edition. More detailed information is to be found at the do_verify() 050 * method's documentation. 051 * 052 * @see #do_verify() 053 */ 054 055public final class Pass3bVerifier extends PassVerifier { 056 /* 057 * TODO: Throughout pass 3b, upper halves of LONG and DOUBLE are represented by Type.UNKNOWN. This should be changed in 058 * favour of LONG_Upper and DOUBLE_Upper as in pass 2. 059 */ 060 061 /** 062 * An InstructionContextQueue is a utility class that holds (InstructionContext, ArrayList) pairs in a Queue data 063 * structure. This is used to hold information about InstructionContext objects externally --- i.e. that information is 064 * not saved inside the InstructionContext object itself. This is useful to save the execution path of the symbolic 065 * execution of the Pass3bVerifier - this is not information that belongs into the InstructionContext object itself. 066 * Only at "execute()"ing time, an InstructionContext object will get the current information we have about its symbolic 067 * execution predecessors. 068 */ 069 private static final class InstructionContextQueue { 070 // The following two fields together represent the queue. 071 /** The first elements from pairs in the queue. */ 072 private final List<InstructionContext> ics = new Vector<>(); 073 /** The second elements from pairs in the queue. */ 074 private final List<ArrayList<InstructionContext>> ecs = new Vector<>(); 075 076 /** 077 * Adds an (InstructionContext, ExecutionChain) pair to this queue. 078 * 079 * @param ic the InstructionContext 080 * @param executionChain the ExecutionChain 081 */ 082 public void add(final InstructionContext ic, final ArrayList<InstructionContext> executionChain) { 083 ics.add(ic); 084 ecs.add(executionChain); 085 } 086 087 /** 088 * Gets a specific ExecutionChain from the queue. 089 * 090 * @param i the index of the item to be fetched 091 * @return the indicated ExecutionChain 092 */ 093 public ArrayList<InstructionContext> getEC(final int i) { 094 return ecs.get(i); 095 } 096 097 /** 098 * Gets a specific InstructionContext from the queue. 099 * 100 * @param i the index of the item to be fetched 101 * @return the indicated InstructionContext 102 */ 103 public InstructionContext getIC(final int i) { 104 return ics.get(i); 105 } 106 107 /** 108 * Tests if InstructionContext queue is empty. 109 * 110 * @return true if the InstructionContext queue is empty. 111 */ 112 public boolean isEmpty() { 113 return ics.isEmpty(); 114 } 115 116 /** 117 * Removes a specific (InstructionContext, ExecutionChain) pair from their respective queues. 118 * 119 * @param i the index of the items to be removed 120 */ 121 public void remove(final int i) { 122 ics.remove(i); 123 ecs.remove(i); 124 } 125 126 /** 127 * Gets the size of the InstructionContext queue. 128 * 129 * @return the size of the InstructionQueue 130 */ 131 public int size() { 132 return ics.size(); 133 } 134 } // end Inner Class InstructionContextQueue 135 136 /** In DEBUG mode, the verification algorithm is not randomized. */ 137 private static final boolean DEBUG = true; 138 139 /** The Verifier that created this. */ 140 private final Verifier myOwner; 141 142 /** The method number to verify. */ 143 private final int methodNo; 144 145 /** 146 * This class should only be instantiated by a Verifier. 147 * 148 * @see org.apache.bcel.verifier.Verifier 149 */ 150 public Pass3bVerifier(final Verifier myOwner, final int methodNo) { 151 this.myOwner = myOwner; 152 this.methodNo = methodNo; 153 } 154 155 /** 156 * Whenever the outgoing frame situation of an InstructionContext changes, all its successors are put [back] into the 157 * queue [as if they were unvisited]. The proof of termination is about the existence of a fix point of frame merging. 158 */ 159 private void circulationPump(final MethodGen m, final ControlFlowGraph cfg, final InstructionContext start, final Frame vanillaFrame, 160 final InstConstraintVisitor icv, final ExecutionVisitor ev) { 161 final Random random = new Random(); 162 final InstructionContextQueue icq = new InstructionContextQueue(); 163 164 start.execute(vanillaFrame, new ArrayList<>(), icv, ev); 165 // new ArrayList() <=> no Instruction was executed before 166 // => Top-Level routine (no jsr call before) 167 icq.add(start, new ArrayList<>()); 168 169 // LOOP! 170 while (!icq.isEmpty()) { 171 InstructionContext u; 172 ArrayList<InstructionContext> ec; 173 if (!DEBUG) { 174 final int r = random.nextInt(icq.size()); 175 u = icq.getIC(r); 176 ec = icq.getEC(r); 177 icq.remove(r); 178 } else { 179 u = icq.getIC(0); 180 ec = icq.getEC(0); 181 icq.remove(0); 182 } 183 184 @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext> 185 final ArrayList<InstructionContext> oldchain = (ArrayList<InstructionContext>) ec.clone(); 186 @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext> 187 final ArrayList<InstructionContext> newchain = (ArrayList<InstructionContext>) ec.clone(); 188 newchain.add(u); 189 190 if (u.getInstruction().getInstruction() instanceof RET) { 191//System.err.println(u); 192 // We can only follow _one_ successor, the one after the 193 // JSR that was recently executed. 194 final RET ret = (RET) u.getInstruction().getInstruction(); 195 final ReturnaddressType t = (ReturnaddressType) u.getOutFrame(oldchain).getLocals().get(ret.getIndex()); 196 final InstructionContext theSuccessor = cfg.contextOf(t.getTarget()); 197 198 // Sanity check 199 InstructionContext lastJSR = null; 200 int skipJsr = 0; 201 for (int ss = oldchain.size() - 1; ss >= 0; ss--) { 202 if (skipJsr < 0) { 203 throw new AssertionViolatedException("More RET than JSR in execution chain?!"); 204 } 205//System.err.println("+"+oldchain.get(ss)); 206 if (oldchain.get(ss).getInstruction().getInstruction() instanceof JsrInstruction) { 207 if (skipJsr == 0) { 208 lastJSR = oldchain.get(ss); 209 break; 210 } 211 skipJsr--; 212 } 213 if (oldchain.get(ss).getInstruction().getInstruction() instanceof RET) { 214 skipJsr++; 215 } 216 } 217 if (lastJSR == null) { 218 throw new AssertionViolatedException("RET without a JSR before in ExecutionChain?! EC: '" + oldchain + "'."); 219 } 220 final JsrInstruction jsr = (JsrInstruction) lastJSR.getInstruction().getInstruction(); 221 if (theSuccessor != cfg.contextOf(jsr.physicalSuccessor())) { 222 throw new AssertionViolatedException("RET '" + u.getInstruction() + "' info inconsistent: jump back to '" + theSuccessor + "' or '" 223 + cfg.contextOf(jsr.physicalSuccessor()) + "'?"); 224 } 225 226 if (theSuccessor.execute(u.getOutFrame(oldchain), newchain, icv, ev)) { 227 @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext> 228 final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone(); 229 icq.add(theSuccessor, newchainClone); 230 } 231 } else { // "not a ret" 232 233 // Normal successors. Add them to the queue of successors. 234 final InstructionContext[] succs = u.getSuccessors(); 235 for (final InstructionContext v : succs) { 236 if (v.execute(u.getOutFrame(oldchain), newchain, icv, ev)) { 237 @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext> 238 final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone(); 239 icq.add(v, newchainClone); 240 } 241 } 242 } // end "not a ret" 243 244 // Exception Handlers. Add them to the queue of successors. 245 // [subroutines are never protected; mandated by JustIce] 246 final ExceptionHandler[] excHds = u.getExceptionHandlers(); 247 for (final ExceptionHandler excHd : excHds) { 248 final InstructionContext v = cfg.contextOf(excHd.getHandlerStart()); 249 // TODO: the "oldchain" and "newchain" is used to determine the subroutine 250 // we're in (by searching for the last JSR) by the InstructionContext 251 // implementation. Therefore, we should not use this chain mechanism 252 // when dealing with exception handlers. 253 // Example: a JSR with an exception handler as its successor does not 254 // mean we're in a subroutine if we go to the exception handler. 255 // We should address this problem later; by now we simply "cut" the chain 256 // by using an empty chain for the exception handlers. 257 // if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), 258 // new OperandStack (u.getOutFrame().getStack().maxStack(), 259 // (exc_hds[s].getExceptionType() == null ? Type.THROWABLE : exc_hds[s].getExceptionType())) ), newchain), icv, ev) { 260 // icq.add(v, (ArrayList) newchain.clone()); 261 if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), new OperandStack(u.getOutFrame(oldchain).getStack().maxStack(), 262 excHd.getExceptionType() == null ? Type.THROWABLE : excHd.getExceptionType())), new ArrayList<>(), icv, ev)) { 263 icq.add(v, new ArrayList<>()); 264 } 265 } 266 267 } // while (!icq.isEmpty()) END 268 269 InstructionHandle ih = start.getInstruction(); 270 do { 271 if (ih.getInstruction() instanceof ReturnInstruction && !cfg.isDead(ih)) { 272 final InstructionContext ic = cfg.contextOf(ih); 273 // TODO: This is buggy, we check only the top-level return instructions this way. 274 // Maybe some maniac returns from a method when in a subroutine? 275 final Frame f = ic.getOutFrame(new ArrayList<>()); 276 final LocalVariables lvs = f.getLocals(); 277 for (int i = 0; i < lvs.maxLocals(); i++) { 278 if (lvs.get(i) instanceof UninitializedObjectType) { 279 addMessage("Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object in the local variables array '" 280 + lvs + "'."); 281 } 282 } 283 final OperandStack os = f.getStack(); 284 for (int i = 0; i < os.size(); i++) { 285 if (os.peek(i) instanceof UninitializedObjectType) { 286 addMessage( 287 "Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object on the operand stack '" + os + "'."); 288 } 289 } 290 // see JVM $4.8.2 291 Type returnedType = null; 292 final OperandStack inStack = ic.getInFrame().getStack(); 293 if (inStack.size() >= 1) { 294 returnedType = inStack.peek(); 295 } else { 296 returnedType = Type.VOID; 297 } 298 299 if (returnedType != null) { 300 if (returnedType instanceof ReferenceType) { 301 try { 302 if (!((ReferenceType) returnedType).isCastableTo(m.getReturnType())) { 303 invalidReturnTypeError(returnedType, m); 304 } 305 } catch (final ClassNotFoundException e) { 306 // Don't know what to do now, so raise RuntimeException 307 throw new IllegalArgumentException(e); 308 } 309 } else if (!returnedType.equals(m.getReturnType().normalizeForStackOrLocal())) { 310 invalidReturnTypeError(returnedType, m); 311 } 312 } 313 } 314 } while ((ih = ih.getNext()) != null); 315 316 } 317 318 /** 319 * Pass 3b implements the data flow analysis as described in the Java Virtual Machine Specification, Second Edition. 320 * Later versions will use LocalVariablesInfo objects to verify if the verifier-inferred types and the class file's 321 * debug information (LocalVariables attributes) match [TODO]. 322 * 323 * @see org.apache.bcel.verifier.statics.LocalVariablesInfo 324 * @see org.apache.bcel.verifier.statics.Pass2Verifier#getLocalVariablesInfo(int) 325 */ 326 @Override 327 public VerificationResult do_verify() { 328 if (!myOwner.doPass3a(methodNo).equals(VerificationResult.VR_OK)) { 329 return VerificationResult.VR_NOTYET; 330 } 331 332 // Pass 3a ran before, so it's safe to assume the JavaClass object is 333 // in the BCEL repository. 334 JavaClass jc; 335 try { 336 jc = Repository.lookupClass(myOwner.getClassName()); 337 } catch (final ClassNotFoundException e) { 338 // FIXME: maybe not the best way to handle this 339 throw new AssertionViolatedException("Missing class: " + e, e); 340 } 341 342 final ConstantPoolGen constantPoolGen = new ConstantPoolGen(jc.getConstantPool()); 343 // Init Visitors 344 final InstConstraintVisitor icv = new InstConstraintVisitor(); 345 icv.setConstantPoolGen(constantPoolGen); 346 347 final ExecutionVisitor ev = new ExecutionVisitor(); 348 ev.setConstantPoolGen(constantPoolGen); 349 350 final Method[] methods = jc.getMethods(); // Method no "methodNo" exists, we ran Pass3a before on it! 351 352 try { 353 354 final MethodGen mg = new MethodGen(methods[methodNo], myOwner.getClassName(), constantPoolGen); 355 356 icv.setMethodGen(mg); 357 358 ////////////// DFA BEGINS HERE //////////////// 359 if (!(mg.isAbstract() || mg.isNative())) { // IF mg HAS CODE (See pass 2) 360 361 final ControlFlowGraph cfg = new ControlFlowGraph(mg); 362 363 // Build the initial frame situation for this method. 364 final Frame f = new Frame(mg.getMaxLocals(), mg.getMaxStack()); 365 if (!mg.isStatic()) { 366 if (mg.getName().equals(Const.CONSTRUCTOR_NAME)) { 367 Frame.setThis(new UninitializedObjectType(ObjectType.getInstance(jc.getClassName()))); 368 f.getLocals().set(0, Frame.getThis()); 369 } else { 370 Frame.setThis(null); 371 f.getLocals().set(0, ObjectType.getInstance(jc.getClassName())); 372 } 373 } 374 final Type[] argtypes = mg.getArgumentTypes(); 375 int twoslotoffset = 0; 376 for (int j = 0; j < argtypes.length; j++) { 377 if (argtypes[j] == Type.SHORT || argtypes[j] == Type.BYTE || argtypes[j] == Type.CHAR || argtypes[j] == Type.BOOLEAN) { 378 argtypes[j] = Type.INT; 379 } 380 f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), argtypes[j]); 381 if (argtypes[j].getSize() == 2) { 382 twoslotoffset++; 383 f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), Type.UNKNOWN); 384 } 385 } 386 circulationPump(mg, cfg, cfg.contextOf(mg.getInstructionList().getStart()), f, icv, ev); 387 } 388 } catch (final VerifierConstraintViolatedException ce) { 389 ce.extendMessage("Constraint violated in method '" + methods[methodNo] + "':\n", ""); 390 return new VerificationResult(VerificationResult.VERIFIED_REJECTED, ce.getMessage()); 391 } catch (final RuntimeException re) { 392 // These are internal errors 393 394 final StringWriter sw = new StringWriter(); 395 final PrintWriter pw = new PrintWriter(sw); 396 re.printStackTrace(pw); 397 398 throw new AssertionViolatedException("Some RuntimeException occurred while verify()ing class '" + jc.getClassName() + "', method '" 399 + methods[methodNo] + "'. Original RuntimeException's stack trace:\n---\n" + sw + "---\n", re); 400 } 401 return VerificationResult.VR_OK; 402 } 403 404 /** Returns the method number as supplied when instantiating. */ 405 public int getMethodNo() { 406 return methodNo; 407 } 408 409 /** 410 * Throws an exception indicating the returned type is not compatible with the return type of the given method. 411 * 412 * @param returnedType the type of the returned expression 413 * @param m the method we are processing 414 * @throws StructuralCodeConstraintException always 415 * @since 6.0 416 */ 417 public void invalidReturnTypeError(final Type returnedType, final MethodGen m) { 418 throw new StructuralCodeConstraintException("Returned type " + returnedType + " does not match Method's return type " + m.getReturnType()); 419 } 420}