001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 *  Unless required by applicable law or agreed to in writing, software
012 *  distributed under the License is distributed on an "AS IS" BASIS,
013 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 *  See the License for the specific language governing permissions and
015 *  limitations under the License.
016 */
017package org.apache.bcel.verifier.structurals;
018
019import java.io.PrintWriter;
020import java.io.StringWriter;
021import java.util.ArrayList;
022import java.util.List;
023import java.util.Random;
024import java.util.Vector;
025
026import org.apache.bcel.Const;
027import org.apache.bcel.Repository;
028import org.apache.bcel.classfile.JavaClass;
029import org.apache.bcel.classfile.Method;
030import org.apache.bcel.generic.ConstantPoolGen;
031import org.apache.bcel.generic.InstructionHandle;
032import org.apache.bcel.generic.JsrInstruction;
033import org.apache.bcel.generic.MethodGen;
034import org.apache.bcel.generic.ObjectType;
035import org.apache.bcel.generic.RET;
036import org.apache.bcel.generic.ReferenceType;
037import org.apache.bcel.generic.ReturnInstruction;
038import org.apache.bcel.generic.ReturnaddressType;
039import org.apache.bcel.generic.Type;
040import org.apache.bcel.verifier.PassVerifier;
041import org.apache.bcel.verifier.VerificationResult;
042import org.apache.bcel.verifier.Verifier;
043import org.apache.bcel.verifier.exc.AssertionViolatedException;
044import org.apache.bcel.verifier.exc.StructuralCodeConstraintException;
045import org.apache.bcel.verifier.exc.VerifierConstraintViolatedException;
046
047/**
048 * This PassVerifier verifies a method of class file according to pass 3, so-called structural verification as described
049 * in The Java Virtual Machine Specification, 2nd edition. More detailed information is to be found at the do_verify()
050 * method's documentation.
051 *
052 * @see #do_verify()
053 */
054
055public final class Pass3bVerifier extends PassVerifier {
056    /*
057     * TODO: Throughout pass 3b, upper halves of LONG and DOUBLE are represented by Type.UNKNOWN. This should be changed in
058     * favour of LONG_Upper and DOUBLE_Upper as in pass 2.
059     */
060
061    /**
062     * An InstructionContextQueue is a utility class that holds (InstructionContext, ArrayList) pairs in a Queue data
063     * structure. This is used to hold information about InstructionContext objects externally --- i.e. that information is
064     * not saved inside the InstructionContext object itself. This is useful to save the execution path of the symbolic
065     * execution of the Pass3bVerifier - this is not information that belongs into the InstructionContext object itself.
066     * Only at "execute()"ing time, an InstructionContext object will get the current information we have about its symbolic
067     * execution predecessors.
068     */
069    private static final class InstructionContextQueue {
070        // The following two fields together represent the queue.
071        /** The first elements from pairs in the queue. */
072        private final List<InstructionContext> ics = new Vector<>();
073        /** The second elements from pairs in the queue. */
074        private final List<ArrayList<InstructionContext>> ecs = new Vector<>();
075
076        /**
077         * Adds an (InstructionContext, ExecutionChain) pair to this queue.
078         *
079         * @param ic the InstructionContext
080         * @param executionChain the ExecutionChain
081         */
082        public void add(final InstructionContext ic, final ArrayList<InstructionContext> executionChain) {
083            ics.add(ic);
084            ecs.add(executionChain);
085        }
086
087        /**
088         * Gets a specific ExecutionChain from the queue.
089         *
090         * @param i the index of the item to be fetched
091         * @return the indicated ExecutionChain
092         */
093        public ArrayList<InstructionContext> getEC(final int i) {
094            return ecs.get(i);
095        }
096
097        /**
098         * Gets a specific InstructionContext from the queue.
099         *
100         * @param i the index of the item to be fetched
101         * @return the indicated InstructionContext
102         */
103        public InstructionContext getIC(final int i) {
104            return ics.get(i);
105        }
106
107        /**
108         * Tests if InstructionContext queue is empty.
109         *
110         * @return true if the InstructionContext queue is empty.
111         */
112        public boolean isEmpty() {
113            return ics.isEmpty();
114        }
115
116        /**
117         * Removes a specific (InstructionContext, ExecutionChain) pair from their respective queues.
118         *
119         * @param i the index of the items to be removed
120         */
121        public void remove(final int i) {
122            ics.remove(i);
123            ecs.remove(i);
124        }
125
126        /**
127         * Gets the size of the InstructionContext queue.
128         *
129         * @return the size of the InstructionQueue
130         */
131        public int size() {
132            return ics.size();
133        }
134    } // end Inner Class InstructionContextQueue
135
136    /** In DEBUG mode, the verification algorithm is not randomized. */
137    private static final boolean DEBUG = true;
138
139    /** The Verifier that created this. */
140    private final Verifier myOwner;
141
142    /** The method number to verify. */
143    private final int methodNo;
144
145    /**
146     * This class should only be instantiated by a Verifier.
147     *
148     * @see org.apache.bcel.verifier.Verifier
149     */
150    public Pass3bVerifier(final Verifier myOwner, final int methodNo) {
151        this.myOwner = myOwner;
152        this.methodNo = methodNo;
153    }
154
155    /**
156     * Whenever the outgoing frame situation of an InstructionContext changes, all its successors are put [back] into the
157     * queue [as if they were unvisited]. The proof of termination is about the existence of a fix point of frame merging.
158     */
159    private void circulationPump(final MethodGen m, final ControlFlowGraph cfg, final InstructionContext start, final Frame vanillaFrame,
160        final InstConstraintVisitor icv, final ExecutionVisitor ev) {
161        final Random random = new Random();
162        final InstructionContextQueue icq = new InstructionContextQueue();
163
164        start.execute(vanillaFrame, new ArrayList<>(), icv, ev);
165        // new ArrayList() <=> no Instruction was executed before
166        // => Top-Level routine (no jsr call before)
167        icq.add(start, new ArrayList<>());
168
169        // LOOP!
170        while (!icq.isEmpty()) {
171            InstructionContext u;
172            ArrayList<InstructionContext> ec;
173            if (!DEBUG) {
174                final int r = random.nextInt(icq.size());
175                u = icq.getIC(r);
176                ec = icq.getEC(r);
177                icq.remove(r);
178            } else {
179                u = icq.getIC(0);
180                ec = icq.getEC(0);
181                icq.remove(0);
182            }
183
184            @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext>
185            final ArrayList<InstructionContext> oldchain = (ArrayList<InstructionContext>) ec.clone();
186            @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext>
187            final ArrayList<InstructionContext> newchain = (ArrayList<InstructionContext>) ec.clone();
188            newchain.add(u);
189
190            if (u.getInstruction().getInstruction() instanceof RET) {
191//System.err.println(u);
192                // We can only follow _one_ successor, the one after the
193                // JSR that was recently executed.
194                final RET ret = (RET) u.getInstruction().getInstruction();
195                final ReturnaddressType t = (ReturnaddressType) u.getOutFrame(oldchain).getLocals().get(ret.getIndex());
196                final InstructionContext theSuccessor = cfg.contextOf(t.getTarget());
197
198                // Sanity check
199                InstructionContext lastJSR = null;
200                int skipJsr = 0;
201                for (int ss = oldchain.size() - 1; ss >= 0; ss--) {
202                    if (skipJsr < 0) {
203                        throw new AssertionViolatedException("More RET than JSR in execution chain?!");
204                    }
205//System.err.println("+"+oldchain.get(ss));
206                    if (oldchain.get(ss).getInstruction().getInstruction() instanceof JsrInstruction) {
207                        if (skipJsr == 0) {
208                            lastJSR = oldchain.get(ss);
209                            break;
210                        }
211                        skipJsr--;
212                    }
213                    if (oldchain.get(ss).getInstruction().getInstruction() instanceof RET) {
214                        skipJsr++;
215                    }
216                }
217                if (lastJSR == null) {
218                    throw new AssertionViolatedException("RET without a JSR before in ExecutionChain?! EC: '" + oldchain + "'.");
219                }
220                final JsrInstruction jsr = (JsrInstruction) lastJSR.getInstruction().getInstruction();
221                if (theSuccessor != cfg.contextOf(jsr.physicalSuccessor())) {
222                    throw new AssertionViolatedException("RET '" + u.getInstruction() + "' info inconsistent: jump back to '" + theSuccessor + "' or '"
223                        + cfg.contextOf(jsr.physicalSuccessor()) + "'?");
224                }
225
226                if (theSuccessor.execute(u.getOutFrame(oldchain), newchain, icv, ev)) {
227                    @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext>
228                    final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone();
229                    icq.add(theSuccessor, newchainClone);
230                }
231            } else { // "not a ret"
232
233                // Normal successors. Add them to the queue of successors.
234                final InstructionContext[] succs = u.getSuccessors();
235                for (final InstructionContext v : succs) {
236                    if (v.execute(u.getOutFrame(oldchain), newchain, icv, ev)) {
237                        @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext>
238                        final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone();
239                        icq.add(v, newchainClone);
240                    }
241                }
242            } // end "not a ret"
243
244            // Exception Handlers. Add them to the queue of successors.
245            // [subroutines are never protected; mandated by JustIce]
246            final ExceptionHandler[] excHds = u.getExceptionHandlers();
247            for (final ExceptionHandler excHd : excHds) {
248                final InstructionContext v = cfg.contextOf(excHd.getHandlerStart());
249                // TODO: the "oldchain" and "newchain" is used to determine the subroutine
250                // we're in (by searching for the last JSR) by the InstructionContext
251                // implementation. Therefore, we should not use this chain mechanism
252                // when dealing with exception handlers.
253                // Example: a JSR with an exception handler as its successor does not
254                // mean we're in a subroutine if we go to the exception handler.
255                // We should address this problem later; by now we simply "cut" the chain
256                // by using an empty chain for the exception handlers.
257                // if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(),
258                // new OperandStack (u.getOutFrame().getStack().maxStack(),
259                // (exc_hds[s].getExceptionType() == null ? Type.THROWABLE : exc_hds[s].getExceptionType())) ), newchain), icv, ev) {
260                // icq.add(v, (ArrayList) newchain.clone());
261                if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), new OperandStack(u.getOutFrame(oldchain).getStack().maxStack(),
262                    excHd.getExceptionType() == null ? Type.THROWABLE : excHd.getExceptionType())), new ArrayList<>(), icv, ev)) {
263                    icq.add(v, new ArrayList<>());
264                }
265            }
266
267        } // while (!icq.isEmpty()) END
268
269        InstructionHandle ih = start.getInstruction();
270        do {
271            if (ih.getInstruction() instanceof ReturnInstruction && !cfg.isDead(ih)) {
272                final InstructionContext ic = cfg.contextOf(ih);
273                // TODO: This is buggy, we check only the top-level return instructions this way.
274                // Maybe some maniac returns from a method when in a subroutine?
275                final Frame f = ic.getOutFrame(new ArrayList<>());
276                final LocalVariables lvs = f.getLocals();
277                for (int i = 0; i < lvs.maxLocals(); i++) {
278                    if (lvs.get(i) instanceof UninitializedObjectType) {
279                        this.addMessage("Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object in the local variables array '"
280                            + lvs + "'.");
281                    }
282                }
283                final OperandStack os = f.getStack();
284                for (int i = 0; i < os.size(); i++) {
285                    if (os.peek(i) instanceof UninitializedObjectType) {
286                        this.addMessage(
287                            "Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object on the operand stack '" + os + "'.");
288                    }
289                }
290                // see JVM $4.8.2
291                Type returnedType = null;
292                final OperandStack inStack = ic.getInFrame().getStack();
293                if (inStack.size() >= 1) {
294                    returnedType = inStack.peek();
295                } else {
296                    returnedType = Type.VOID;
297                }
298
299                if (returnedType != null) {
300                    if (returnedType instanceof ReferenceType) {
301                        try {
302                            if (!((ReferenceType) returnedType).isCastableTo(m.getReturnType())) {
303                                invalidReturnTypeError(returnedType, m);
304                            }
305                        } catch (final ClassNotFoundException e) {
306                            // Don't know what to do now, so raise RuntimeException
307                            throw new IllegalArgumentException(e);
308                        }
309                    } else if (!returnedType.equals(m.getReturnType().normalizeForStackOrLocal())) {
310                        invalidReturnTypeError(returnedType, m);
311                    }
312                }
313            }
314        } while ((ih = ih.getNext()) != null);
315
316    }
317
318    /**
319     * Pass 3b implements the data flow analysis as described in the Java Virtual Machine Specification, Second Edition.
320     * Later versions will use LocalVariablesInfo objects to verify if the verifier-inferred types and the class file's
321     * debug information (LocalVariables attributes) match [TODO].
322     *
323     * @see org.apache.bcel.verifier.statics.LocalVariablesInfo
324     * @see org.apache.bcel.verifier.statics.Pass2Verifier#getLocalVariablesInfo(int)
325     */
326    @Override
327    public VerificationResult do_verify() {
328        if (!myOwner.doPass3a(methodNo).equals(VerificationResult.VR_OK)) {
329            return VerificationResult.VR_NOTYET;
330        }
331
332        // Pass 3a ran before, so it's safe to assume the JavaClass object is
333        // in the BCEL repository.
334        JavaClass jc;
335        try {
336            jc = Repository.lookupClass(myOwner.getClassName());
337        } catch (final ClassNotFoundException e) {
338            // FIXME: maybe not the best way to handle this
339            throw new AssertionViolatedException("Missing class: " + e, e);
340        }
341
342        final ConstantPoolGen constantPoolGen = new ConstantPoolGen(jc.getConstantPool());
343        // Init Visitors
344        final InstConstraintVisitor icv = new InstConstraintVisitor();
345        icv.setConstantPoolGen(constantPoolGen);
346
347        final ExecutionVisitor ev = new ExecutionVisitor();
348        ev.setConstantPoolGen(constantPoolGen);
349
350        final Method[] methods = jc.getMethods(); // Method no "methodNo" exists, we ran Pass3a before on it!
351
352        try {
353
354            final MethodGen mg = new MethodGen(methods[methodNo], myOwner.getClassName(), constantPoolGen);
355
356            icv.setMethodGen(mg);
357
358            ////////////// DFA BEGINS HERE ////////////////
359            if (!(mg.isAbstract() || mg.isNative())) { // IF mg HAS CODE (See pass 2)
360
361                final ControlFlowGraph cfg = new ControlFlowGraph(mg);
362
363                // Build the initial frame situation for this method.
364                final Frame f = new Frame(mg.getMaxLocals(), mg.getMaxStack());
365                if (!mg.isStatic()) {
366                    if (mg.getName().equals(Const.CONSTRUCTOR_NAME)) {
367                        Frame.setThis(new UninitializedObjectType(ObjectType.getInstance(jc.getClassName())));
368                        f.getLocals().set(0, Frame.getThis());
369                    } else {
370                        Frame.setThis(null);
371                        f.getLocals().set(0, ObjectType.getInstance(jc.getClassName()));
372                    }
373                }
374                final Type[] argtypes = mg.getArgumentTypes();
375                int twoslotoffset = 0;
376                for (int j = 0; j < argtypes.length; j++) {
377                    if (argtypes[j] == Type.SHORT || argtypes[j] == Type.BYTE || argtypes[j] == Type.CHAR || argtypes[j] == Type.BOOLEAN) {
378                        argtypes[j] = Type.INT;
379                    }
380                    f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), argtypes[j]);
381                    if (argtypes[j].getSize() == 2) {
382                        twoslotoffset++;
383                        f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), Type.UNKNOWN);
384                    }
385                }
386                circulationPump(mg, cfg, cfg.contextOf(mg.getInstructionList().getStart()), f, icv, ev);
387            }
388        } catch (final VerifierConstraintViolatedException ce) {
389            ce.extendMessage("Constraint violated in method '" + methods[methodNo] + "':\n", "");
390            return new VerificationResult(VerificationResult.VERIFIED_REJECTED, ce.getMessage());
391        } catch (final RuntimeException re) {
392            // These are internal errors
393
394            final StringWriter sw = new StringWriter();
395            final PrintWriter pw = new PrintWriter(sw);
396            re.printStackTrace(pw);
397
398            throw new AssertionViolatedException("Some RuntimeException occurred while verify()ing class '" + jc.getClassName() + "', method '"
399                + methods[methodNo] + "'. Original RuntimeException's stack trace:\n---\n" + sw + "---\n", re);
400        }
401        return VerificationResult.VR_OK;
402    }
403
404    /** Returns the method number as supplied when instantiating. */
405    public int getMethodNo() {
406        return methodNo;
407    }
408
409    /**
410     * Throws an exception indicating the returned type is not compatible with the return type of the given method.
411     *
412     * @param returnedType the type of the returned expression
413     * @param m the method we are processing
414     * @throws StructuralCodeConstraintException always
415     * @since 6.0
416     */
417    public void invalidReturnTypeError(final Type returnedType, final MethodGen m) {
418        throw new StructuralCodeConstraintException("Returned type " + returnedType + " does not match Method's return type " + m.getReturnType());
419    }
420}