001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * https://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 */ 019package org.apache.bcel.verifier.structurals; 020 021import java.io.PrintWriter; 022import java.io.StringWriter; 023import java.util.ArrayList; 024import java.util.List; 025import java.util.Random; 026import java.util.Vector; 027 028import org.apache.bcel.Const; 029import org.apache.bcel.Repository; 030import org.apache.bcel.classfile.JavaClass; 031import org.apache.bcel.classfile.Method; 032import org.apache.bcel.generic.ConstantPoolGen; 033import org.apache.bcel.generic.InstructionHandle; 034import org.apache.bcel.generic.JsrInstruction; 035import org.apache.bcel.generic.MethodGen; 036import org.apache.bcel.generic.ObjectType; 037import org.apache.bcel.generic.RET; 038import org.apache.bcel.generic.ReferenceType; 039import org.apache.bcel.generic.ReturnInstruction; 040import org.apache.bcel.generic.ReturnaddressType; 041import org.apache.bcel.generic.Type; 042import org.apache.bcel.verifier.PassVerifier; 043import org.apache.bcel.verifier.VerificationResult; 044import org.apache.bcel.verifier.Verifier; 045import org.apache.bcel.verifier.exc.AssertionViolatedException; 046import org.apache.bcel.verifier.exc.StructuralCodeConstraintException; 047import org.apache.bcel.verifier.exc.VerifierConstraintViolatedException; 048 049/** 050 * This PassVerifier verifies a method of class file according to pass 3, so-called structural verification as described 051 * in The Java Virtual Machine Specification, 2nd edition. More detailed information is to be found at the do_verify() 052 * method's documentation. 053 * 054 * @see #do_verify() 055 */ 056 057public final class Pass3bVerifier extends PassVerifier { 058 /* 059 * TODO: Throughout pass 3b, upper halves of LONG and DOUBLE are represented by Type.UNKNOWN. This should be changed in 060 * favor of LONG_Upper and DOUBLE_Upper as in pass 2. 061 */ 062 063 /** 064 * An InstructionContextQueue is a utility class that holds (InstructionContext, ArrayList) pairs in a Queue data 065 * structure. This is used to hold information about InstructionContext objects externally --- for example that information is 066 * not saved inside the InstructionContext object itself. This is useful to save the execution path of the symbolic 067 * execution of the Pass3bVerifier - this is not information that belongs into the InstructionContext object itself. 068 * Only at "execute()"ing time, an InstructionContext object will get the current information we have about its symbolic 069 * execution predecessors. 070 */ 071 private static final class InstructionContextQueue { 072 // The following two fields together represent the queue. 073 074 /** The first elements from pairs in the queue. */ 075 private final List<InstructionContext> ics = new Vector<>(); 076 077 /** The second elements from pairs in the queue. */ 078 private final List<ArrayList<InstructionContext>> ecs = new Vector<>(); 079 080 /** 081 * Adds an (InstructionContext, ExecutionChain) pair to this queue. 082 * 083 * @param ic the InstructionContext. 084 * @param executionChain the ExecutionChain. 085 */ 086 public void add(final InstructionContext ic, final ArrayList<InstructionContext> executionChain) { 087 ics.add(ic); 088 ecs.add(executionChain); 089 } 090 091 /** 092 * Gets a specific ExecutionChain from the queue. 093 * 094 * @param i the index of the item to be fetched. 095 * @return the indicated ExecutionChain. 096 */ 097 public ArrayList<InstructionContext> getEC(final int i) { 098 return ecs.get(i); 099 } 100 101 /** 102 * Gets a specific InstructionContext from the queue. 103 * 104 * @param i the index of the item to be fetched. 105 * @return the indicated InstructionContext. 106 */ 107 public InstructionContext getIC(final int i) { 108 return ics.get(i); 109 } 110 111 /** 112 * Tests if InstructionContext queue is empty. 113 * 114 * @return true if the InstructionContext queue is empty. 115 */ 116 public boolean isEmpty() { 117 return ics.isEmpty(); 118 } 119 120 /** 121 * Removes a specific (InstructionContext, ExecutionChain) pair from their respective queues. 122 * 123 * @param i the index of the items to be removed. 124 */ 125 public void remove(final int i) { 126 ics.remove(i); 127 ecs.remove(i); 128 } 129 130 /** 131 * Gets the size of the InstructionContext queue. 132 * 133 * @return the size of the InstructionQueue. 134 */ 135 public int size() { 136 return ics.size(); 137 } 138 } // end Inner Class InstructionContextQueue 139 140 /** In DEBUG mode, the verification algorithm is not randomized. */ 141 private static final boolean DEBUG = true; 142 143 /** The Verifier that created this. */ 144 private final Verifier myOwner; 145 146 /** The method number to verify. */ 147 private final int methodNo; 148 149 /** 150 * This class should only be instantiated by a Verifier. 151 * 152 * @see org.apache.bcel.verifier.Verifier 153 */ 154 public Pass3bVerifier(final Verifier myOwner, final int methodNo) { 155 this.myOwner = myOwner; 156 this.methodNo = methodNo; 157 } 158 159 /** 160 * Whenever the outgoing frame situation of an InstructionContext changes, all its successors are put [back] into the 161 * queue [as if they were unvisited]. The proof of termination is about the existence of a fix point of frame merging. 162 */ 163 private void circulationPump(final MethodGen m, final ControlFlowGraph cfg, final InstructionContext start, final Frame vanillaFrame, 164 final InstConstraintVisitor icv, final ExecutionVisitor ev) { 165 final Random random = new Random(); 166 final InstructionContextQueue icq = new InstructionContextQueue(); 167 168 start.execute(vanillaFrame, new ArrayList<>(), icv, ev); 169 // new ArrayList() <=> no Instruction was executed before 170 // => Top-Level routine (no jsr call before) 171 icq.add(start, new ArrayList<>()); 172 173 // LOOP! 174 while (!icq.isEmpty()) { 175 final InstructionContext u; 176 final ArrayList<InstructionContext> ec; 177 if (!DEBUG) { 178 final int r = random.nextInt(icq.size()); 179 u = icq.getIC(r); 180 ec = icq.getEC(r); 181 icq.remove(r); 182 } else { 183 u = icq.getIC(0); 184 ec = icq.getEC(0); 185 icq.remove(0); 186 } 187 188 @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext> 189 final ArrayList<InstructionContext> oldchain = (ArrayList<InstructionContext>) ec.clone(); 190 @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext> 191 final ArrayList<InstructionContext> newchain = (ArrayList<InstructionContext>) ec.clone(); 192 newchain.add(u); 193 194 if (u.getInstruction().getInstruction() instanceof RET) { 195//System.err.println(u); 196 // We can only follow _one_ successor, the one after the 197 // JSR that was recently executed. 198 final RET ret = (RET) u.getInstruction().getInstruction(); 199 final ReturnaddressType t = (ReturnaddressType) u.getOutFrame(oldchain).getLocals().get(ret.getIndex()); 200 final InstructionContext theSuccessor = cfg.contextOf(t.getTarget()); 201 202 // Sanity check 203 InstructionContext lastJSR = null; 204 int skipJsr = 0; 205 for (int ss = oldchain.size() - 1; ss >= 0; ss--) { 206 if (skipJsr < 0) { 207 throw new AssertionViolatedException("More RET than JSR in execution chain?!"); 208 } 209//System.err.println("+"+oldchain.get(ss)); 210 if (oldchain.get(ss).getInstruction().getInstruction() instanceof JsrInstruction) { 211 if (skipJsr == 0) { 212 lastJSR = oldchain.get(ss); 213 break; 214 } 215 skipJsr--; 216 } 217 if (oldchain.get(ss).getInstruction().getInstruction() instanceof RET) { 218 skipJsr++; 219 } 220 } 221 if (lastJSR == null) { 222 throw new AssertionViolatedException("RET without a JSR before in ExecutionChain?! EC: '" + oldchain + "'."); 223 } 224 final JsrInstruction jsr = (JsrInstruction) lastJSR.getInstruction().getInstruction(); 225 if (theSuccessor != cfg.contextOf(jsr.physicalSuccessor())) { 226 throw new AssertionViolatedException("RET '" + u.getInstruction() + "' info inconsistent: jump back to '" + theSuccessor + "' or '" 227 + cfg.contextOf(jsr.physicalSuccessor()) + "'?"); 228 } 229 230 if (theSuccessor.execute(u.getOutFrame(oldchain), newchain, icv, ev)) { 231 @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext> 232 final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone(); 233 icq.add(theSuccessor, newchainClone); 234 } 235 } else { // "not a ret" 236 237 // Normal successors. Add them to the queue of successors. 238 final InstructionContext[] succs = u.getSuccessors(); 239 for (final InstructionContext v : succs) { 240 if (v.execute(u.getOutFrame(oldchain), newchain, icv, ev)) { 241 @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext> 242 final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone(); 243 icq.add(v, newchainClone); 244 } 245 } 246 } // end "not a ret" 247 248 // Exception Handlers. Add them to the queue of successors. 249 // [subroutines are never protected; mandated by JustIce] 250 final ExceptionHandler[] excHds = u.getExceptionHandlers(); 251 for (final ExceptionHandler excHd : excHds) { 252 final InstructionContext v = cfg.contextOf(excHd.getHandlerStart()); 253 // TODO: the "oldchain" and "newchain" is used to determine the subroutine 254 // we're in (by searching for the last JSR) by the InstructionContext 255 // implementation. Therefore, we should not use this chain mechanism 256 // when dealing with exception handlers. 257 // Example: a JSR with an exception handler as its successor does not 258 // mean we're in a subroutine if we go to the exception handler. 259 // We should address this problem later; by now we simply "cut" the chain 260 // by using an empty chain for the exception handlers. 261 // if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), 262 // new OperandStack (u.getOutFrame().getStack().maxStack(), 263 // (exc_hds[s].getExceptionType() == null ? Type.THROWABLE : exc_hds[s].getExceptionType())) ), newchain), icv, ev) { 264 // icq.add(v, (ArrayList) newchain.clone()); 265 if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), new OperandStack(u.getOutFrame(oldchain).getStack().maxStack(), 266 excHd.getExceptionType() == null ? Type.THROWABLE : excHd.getExceptionType())), new ArrayList<>(), icv, ev)) { 267 icq.add(v, new ArrayList<>()); 268 } 269 } 270 271 } // while (!icq.isEmpty()) END 272 273 InstructionHandle ih = start.getInstruction(); 274 do { 275 if (ih.getInstruction() instanceof ReturnInstruction && !cfg.isDead(ih)) { 276 final InstructionContext ic = cfg.contextOf(ih); 277 // TODO: This is buggy, we check only the top-level return instructions this way. 278 // Maybe some maniac returns from a method when in a subroutine? 279 final Frame f = ic.getOutFrame(new ArrayList<>()); 280 final LocalVariables lvs = f.getLocals(); 281 for (int i = 0; i < lvs.maxLocals(); i++) { 282 if (lvs.get(i) instanceof UninitializedObjectType) { 283 addMessage("Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object in the local variables array '" 284 + lvs + "'."); 285 } 286 } 287 final OperandStack os = f.getStack(); 288 for (int i = 0; i < os.size(); i++) { 289 if (os.peek(i) instanceof UninitializedObjectType) { 290 addMessage( 291 "Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object on the operand stack '" + os + "'."); 292 } 293 } 294 // see JVM $4.8.2 295 Type returnedType = null; 296 final OperandStack inStack = ic.getInFrame().getStack(); 297 if (inStack.size() >= 1) { 298 returnedType = inStack.peek(); 299 } else { 300 returnedType = Type.VOID; 301 } 302 303 if (returnedType != null) { 304 if (returnedType instanceof ReferenceType) { 305 try { 306 if (!((ReferenceType) returnedType).isCastableTo(m.getReturnType())) { 307 invalidReturnTypeError(returnedType, m); 308 } 309 } catch (final ClassNotFoundException e) { 310 // Don't know what to do now, so raise RuntimeException 311 throw new IllegalArgumentException(e); 312 } 313 } else if (!returnedType.equals(m.getReturnType().normalizeForStackOrLocal())) { 314 invalidReturnTypeError(returnedType, m); 315 } 316 } 317 } 318 } while ((ih = ih.getNext()) != null); 319 320 } 321 322 /** 323 * Pass 3b implements the data flow analysis as described in the Java Virtual Machine Specification, Second Edition. 324 * Later versions will use LocalVariablesInfo objects to verify if the verifier-inferred types and the class file's 325 * debug information (LocalVariables attributes) match [TODO]. 326 * 327 * @see org.apache.bcel.verifier.statics.LocalVariablesInfo 328 * @see org.apache.bcel.verifier.statics.Pass2Verifier#getLocalVariablesInfo(int) 329 */ 330 @Override 331 public VerificationResult do_verify() { 332 if (!myOwner.doPass3a(methodNo).equals(VerificationResult.VR_OK)) { 333 return VerificationResult.VR_NOTYET; 334 } 335 336 // Pass 3a ran before, so it's safe to assume the JavaClass object is 337 // in the BCEL repository. 338 final JavaClass jc; 339 try { 340 jc = Repository.lookupClass(myOwner.getClassName()); 341 } catch (final ClassNotFoundException e) { 342 // FIXME: maybe not the best way to handle this 343 throw new AssertionViolatedException("Missing class: " + e, e); 344 } 345 346 final ConstantPoolGen constantPoolGen = new ConstantPoolGen(jc.getConstantPool()); 347 // Init Visitors 348 final InstConstraintVisitor icv = new InstConstraintVisitor(); 349 icv.setConstantPoolGen(constantPoolGen); 350 351 final ExecutionVisitor ev = new ExecutionVisitor(); 352 ev.setConstantPoolGen(constantPoolGen); 353 354 final Method[] methods = jc.getMethods(); // Method no "methodNo" exists, we ran Pass3a before on it! 355 356 try { 357 358 final MethodGen mg = new MethodGen(methods[methodNo], myOwner.getClassName(), constantPoolGen); 359 360 icv.setMethodGen(mg); 361 362 ////////////// DFA BEGINS HERE //////////////// 363 if (!(mg.isAbstract() || mg.isNative())) { // IF mg HAS CODE (See pass 2) 364 365 final ControlFlowGraph cfg = new ControlFlowGraph(mg); 366 367 // Build the initial frame situation for this method. 368 final Frame f = new Frame(mg.getMaxLocals(), mg.getMaxStack()); 369 if (!mg.isStatic()) { 370 if (mg.getName().equals(Const.CONSTRUCTOR_NAME)) { 371 Frame.setThis(new UninitializedObjectType(ObjectType.getInstance(jc.getClassName()))); 372 f.getLocals().set(0, Frame.getThis()); 373 } else { 374 Frame.setThis(null); 375 f.getLocals().set(0, ObjectType.getInstance(jc.getClassName())); 376 } 377 } 378 final Type[] argtypes = mg.getArgumentTypes(); 379 int twoslotoffset = 0; 380 for (int j = 0; j < argtypes.length; j++) { 381 if (argtypes[j] == Type.SHORT || argtypes[j] == Type.BYTE || argtypes[j] == Type.CHAR || argtypes[j] == Type.BOOLEAN) { 382 argtypes[j] = Type.INT; 383 } 384 f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), argtypes[j]); 385 if (argtypes[j].getSize() == 2) { 386 twoslotoffset++; 387 f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), Type.UNKNOWN); 388 } 389 } 390 circulationPump(mg, cfg, cfg.contextOf(mg.getInstructionList().getStart()), f, icv, ev); 391 } 392 } catch (final VerifierConstraintViolatedException ce) { 393 ce.extendMessage("Constraint violated in method '" + methods[methodNo] + "':\n", ""); 394 return new VerificationResult(VerificationResult.VERIFIED_REJECTED, ce.getMessage()); 395 } catch (final RuntimeException re) { 396 // These are internal errors 397 398 final StringWriter sw = new StringWriter(); 399 final PrintWriter pw = new PrintWriter(sw); 400 re.printStackTrace(pw); 401 402 throw new AssertionViolatedException("Some RuntimeException occurred while verify()ing class '" + jc.getClassName() + "', method '" 403 + methods[methodNo] + "'. Original RuntimeException's stack trace:\n---\n" + sw + "---\n", re); 404 } 405 return VerificationResult.VR_OK; 406 } 407 408 /** Returns the method number as supplied when instantiating. */ 409 public int getMethodNo() { 410 return methodNo; 411 } 412 413 /** 414 * Throws an exception indicating the returned type is not compatible with the return type of the given method. 415 * 416 * @param returnedType the type of the returned expression. 417 * @param m the method we are processing. 418 * @throws StructuralCodeConstraintException always 419 * @since 6.0 420 */ 421 public void invalidReturnTypeError(final Type returnedType, final MethodGen m) { 422 throw new StructuralCodeConstraintException("Returned type " + returnedType + " does not match Method's return type " + m.getReturnType()); 423 } 424}