View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   https://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.bcel.verifier.structurals;
20  
21  import java.io.PrintWriter;
22  import java.io.StringWriter;
23  import java.util.ArrayList;
24  import java.util.List;
25  import java.util.Random;
26  import java.util.Vector;
27  
28  import org.apache.bcel.Const;
29  import org.apache.bcel.Repository;
30  import org.apache.bcel.classfile.JavaClass;
31  import org.apache.bcel.classfile.Method;
32  import org.apache.bcel.generic.ConstantPoolGen;
33  import org.apache.bcel.generic.InstructionHandle;
34  import org.apache.bcel.generic.JsrInstruction;
35  import org.apache.bcel.generic.MethodGen;
36  import org.apache.bcel.generic.ObjectType;
37  import org.apache.bcel.generic.RET;
38  import org.apache.bcel.generic.ReferenceType;
39  import org.apache.bcel.generic.ReturnInstruction;
40  import org.apache.bcel.generic.ReturnaddressType;
41  import org.apache.bcel.generic.Type;
42  import org.apache.bcel.verifier.PassVerifier;
43  import org.apache.bcel.verifier.VerificationResult;
44  import org.apache.bcel.verifier.Verifier;
45  import org.apache.bcel.verifier.exc.AssertionViolatedException;
46  import org.apache.bcel.verifier.exc.StructuralCodeConstraintException;
47  import org.apache.bcel.verifier.exc.VerifierConstraintViolatedException;
48  
49  /**
50   * This PassVerifier verifies a method of class file according to pass 3, so-called structural verification as described
51   * in The Java Virtual Machine Specification, 2nd edition. More detailed information is to be found at the do_verify()
52   * method's documentation.
53   *
54   * @see #do_verify()
55   */
56  
57  public final class Pass3bVerifier extends PassVerifier {
58      /*
59       * TODO: Throughout pass 3b, upper halves of LONG and DOUBLE are represented by Type.UNKNOWN. This should be changed in
60       * favor of LONG_Upper and DOUBLE_Upper as in pass 2.
61       */
62  
63      /**
64       * An InstructionContextQueue is a utility class that holds (InstructionContext, ArrayList) pairs in a Queue data
65       * structure. This is used to hold information about InstructionContext objects externally --- for example that information is
66       * not saved inside the InstructionContext object itself. This is useful to save the execution path of the symbolic
67       * execution of the Pass3bVerifier - this is not information that belongs into the InstructionContext object itself.
68       * Only at "execute()"ing time, an InstructionContext object will get the current information we have about its symbolic
69       * execution predecessors.
70       */
71      private static final class InstructionContextQueue {
72          // The following two fields together represent the queue.
73  
74          /** The first elements from pairs in the queue. */
75          private final List<InstructionContext> ics = new Vector<>();
76  
77          /** The second elements from pairs in the queue. */
78          private final List<ArrayList<InstructionContext>> ecs = new Vector<>();
79  
80          /**
81           * Adds an (InstructionContext, ExecutionChain) pair to this queue.
82           *
83           * @param ic the InstructionContext.
84           * @param executionChain the ExecutionChain.
85           */
86          public void add(final InstructionContext ic, final ArrayList<InstructionContext> executionChain) {
87              ics.add(ic);
88              ecs.add(executionChain);
89          }
90  
91          /**
92           * Gets a specific ExecutionChain from the queue.
93           *
94           * @param i the index of the item to be fetched.
95           * @return the indicated ExecutionChain.
96           */
97          public ArrayList<InstructionContext> getEC(final int i) {
98              return ecs.get(i);
99          }
100 
101         /**
102          * Gets a specific InstructionContext from the queue.
103          *
104          * @param i the index of the item to be fetched.
105          * @return the indicated InstructionContext.
106          */
107         public InstructionContext getIC(final int i) {
108             return ics.get(i);
109         }
110 
111         /**
112          * Tests if InstructionContext queue is empty.
113          *
114          * @return true if the InstructionContext queue is empty.
115          */
116         public boolean isEmpty() {
117             return ics.isEmpty();
118         }
119 
120         /**
121          * Removes a specific (InstructionContext, ExecutionChain) pair from their respective queues.
122          *
123          * @param i the index of the items to be removed.
124          */
125         public void remove(final int i) {
126             ics.remove(i);
127             ecs.remove(i);
128         }
129 
130         /**
131          * Gets the size of the InstructionContext queue.
132          *
133          * @return the size of the InstructionQueue.
134          */
135         public int size() {
136             return ics.size();
137         }
138     } // end Inner Class InstructionContextQueue
139 
140     /** In DEBUG mode, the verification algorithm is not randomized. */
141     private static final boolean DEBUG = true;
142 
143     /** The Verifier that created this. */
144     private final Verifier myOwner;
145 
146     /** The method number to verify. */
147     private final int methodNo;
148 
149     /**
150      * This class should only be instantiated by a Verifier.
151      *
152      * @see org.apache.bcel.verifier.Verifier
153      */
154     public Pass3bVerifier(final Verifier myOwner, final int methodNo) {
155         this.myOwner = myOwner;
156         this.methodNo = methodNo;
157     }
158 
159     /**
160      * Whenever the outgoing frame situation of an InstructionContext changes, all its successors are put [back] into the
161      * queue [as if they were unvisited]. The proof of termination is about the existence of a fix point of frame merging.
162      */
163     private void circulationPump(final MethodGen m, final ControlFlowGraph cfg, final InstructionContext start, final Frame vanillaFrame,
164         final InstConstraintVisitor icv, final ExecutionVisitor ev) {
165         final Random random = new Random();
166         final InstructionContextQueue icq = new InstructionContextQueue();
167 
168         start.execute(vanillaFrame, new ArrayList<>(), icv, ev);
169         // new ArrayList() <=> no Instruction was executed before
170         // => Top-Level routine (no jsr call before)
171         icq.add(start, new ArrayList<>());
172 
173         // LOOP!
174         while (!icq.isEmpty()) {
175             final InstructionContext u;
176             final ArrayList<InstructionContext> ec;
177             if (!DEBUG) {
178                 final int r = random.nextInt(icq.size());
179                 u = icq.getIC(r);
180                 ec = icq.getEC(r);
181                 icq.remove(r);
182             } else {
183                 u = icq.getIC(0);
184                 ec = icq.getEC(0);
185                 icq.remove(0);
186             }
187 
188             @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext>
189             final ArrayList<InstructionContext> oldchain = (ArrayList<InstructionContext>) ec.clone();
190             @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext>
191             final ArrayList<InstructionContext> newchain = (ArrayList<InstructionContext>) ec.clone();
192             newchain.add(u);
193 
194             if (u.getInstruction().getInstruction() instanceof RET) {
195 //System.err.println(u);
196                 // We can only follow _one_ successor, the one after the
197                 // JSR that was recently executed.
198                 final RET ret = (RET) u.getInstruction().getInstruction();
199                 final ReturnaddressType t = (ReturnaddressType) u.getOutFrame(oldchain).getLocals().get(ret.getIndex());
200                 final InstructionContext theSuccessor = cfg.contextOf(t.getTarget());
201 
202                 // Sanity check
203                 InstructionContext lastJSR = null;
204                 int skipJsr = 0;
205                 for (int ss = oldchain.size() - 1; ss >= 0; ss--) {
206                     if (skipJsr < 0) {
207                         throw new AssertionViolatedException("More RET than JSR in execution chain?!");
208                     }
209 //System.err.println("+"+oldchain.get(ss));
210                     if (oldchain.get(ss).getInstruction().getInstruction() instanceof JsrInstruction) {
211                         if (skipJsr == 0) {
212                             lastJSR = oldchain.get(ss);
213                             break;
214                         }
215                         skipJsr--;
216                     }
217                     if (oldchain.get(ss).getInstruction().getInstruction() instanceof RET) {
218                         skipJsr++;
219                     }
220                 }
221                 if (lastJSR == null) {
222                     throw new AssertionViolatedException("RET without a JSR before in ExecutionChain?! EC: '" + oldchain + "'.");
223                 }
224                 final JsrInstruction jsr = (JsrInstruction) lastJSR.getInstruction().getInstruction();
225                 if (theSuccessor != cfg.contextOf(jsr.physicalSuccessor())) {
226                     throw new AssertionViolatedException("RET '" + u.getInstruction() + "' info inconsistent: jump back to '" + theSuccessor + "' or '"
227                         + cfg.contextOf(jsr.physicalSuccessor()) + "'?");
228                 }
229 
230                 if (theSuccessor.execute(u.getOutFrame(oldchain), newchain, icv, ev)) {
231                     @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext>
232                     final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone();
233                     icq.add(theSuccessor, newchainClone);
234                 }
235             } else { // "not a ret"
236 
237                 // Normal successors. Add them to the queue of successors.
238                 final InstructionContext[] succs = u.getSuccessors();
239                 for (final InstructionContext v : succs) {
240                     if (v.execute(u.getOutFrame(oldchain), newchain, icv, ev)) {
241                         @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext>
242                         final ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone();
243                         icq.add(v, newchainClone);
244                     }
245                 }
246             } // end "not a ret"
247 
248             // Exception Handlers. Add them to the queue of successors.
249             // [subroutines are never protected; mandated by JustIce]
250             final ExceptionHandler[] excHds = u.getExceptionHandlers();
251             for (final ExceptionHandler excHd : excHds) {
252                 final InstructionContext v = cfg.contextOf(excHd.getHandlerStart());
253                 // TODO: the "oldchain" and "newchain" is used to determine the subroutine
254                 // we're in (by searching for the last JSR) by the InstructionContext
255                 // implementation. Therefore, we should not use this chain mechanism
256                 // when dealing with exception handlers.
257                 // Example: a JSR with an exception handler as its successor does not
258                 // mean we're in a subroutine if we go to the exception handler.
259                 // We should address this problem later; by now we simply "cut" the chain
260                 // by using an empty chain for the exception handlers.
261                 // if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(),
262                 // new OperandStack (u.getOutFrame().getStack().maxStack(),
263                 // (exc_hds[s].getExceptionType() == null ? Type.THROWABLE : exc_hds[s].getExceptionType())) ), newchain), icv, ev) {
264                 // icq.add(v, (ArrayList) newchain.clone());
265                 if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), new OperandStack(u.getOutFrame(oldchain).getStack().maxStack(),
266                     excHd.getExceptionType() == null ? Type.THROWABLE : excHd.getExceptionType())), new ArrayList<>(), icv, ev)) {
267                     icq.add(v, new ArrayList<>());
268                 }
269             }
270 
271         } // while (!icq.isEmpty()) END
272 
273         InstructionHandle ih = start.getInstruction();
274         do {
275             if (ih.getInstruction() instanceof ReturnInstruction && !cfg.isDead(ih)) {
276                 final InstructionContext ic = cfg.contextOf(ih);
277                 // TODO: This is buggy, we check only the top-level return instructions this way.
278                 // Maybe some maniac returns from a method when in a subroutine?
279                 final Frame f = ic.getOutFrame(new ArrayList<>());
280                 final LocalVariables lvs = f.getLocals();
281                 for (int i = 0; i < lvs.maxLocals(); i++) {
282                     if (lvs.get(i) instanceof UninitializedObjectType) {
283                         addMessage("Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object in the local variables array '"
284                             + lvs + "'.");
285                     }
286                 }
287                 final OperandStack os = f.getStack();
288                 for (int i = 0; i < os.size(); i++) {
289                     if (os.peek(i) instanceof UninitializedObjectType) {
290                         addMessage(
291                             "Warning: ReturnInstruction '" + ic + "' may leave method with an uninitialized object on the operand stack '" + os + "'.");
292                     }
293                 }
294                 // see JVM $4.8.2
295                 Type returnedType = null;
296                 final OperandStack inStack = ic.getInFrame().getStack();
297                 if (inStack.size() >= 1) {
298                     returnedType = inStack.peek();
299                 } else {
300                     returnedType = Type.VOID;
301                 }
302 
303                 if (returnedType != null) {
304                     if (returnedType instanceof ReferenceType) {
305                         try {
306                             if (!((ReferenceType) returnedType).isCastableTo(m.getReturnType())) {
307                                 invalidReturnTypeError(returnedType, m);
308                             }
309                         } catch (final ClassNotFoundException e) {
310                             // Don't know what to do now, so raise RuntimeException
311                             throw new IllegalArgumentException(e);
312                         }
313                     } else if (!returnedType.equals(m.getReturnType().normalizeForStackOrLocal())) {
314                         invalidReturnTypeError(returnedType, m);
315                     }
316                 }
317             }
318         } while ((ih = ih.getNext()) != null);
319 
320     }
321 
322     /**
323      * Pass 3b implements the data flow analysis as described in the Java Virtual Machine Specification, Second Edition.
324      * Later versions will use LocalVariablesInfo objects to verify if the verifier-inferred types and the class file's
325      * debug information (LocalVariables attributes) match [TODO].
326      *
327      * @see org.apache.bcel.verifier.statics.LocalVariablesInfo
328      * @see org.apache.bcel.verifier.statics.Pass2Verifier#getLocalVariablesInfo(int)
329      */
330     @Override
331     public VerificationResult do_verify() {
332         if (!myOwner.doPass3a(methodNo).equals(VerificationResult.VR_OK)) {
333             return VerificationResult.VR_NOTYET;
334         }
335 
336         // Pass 3a ran before, so it's safe to assume the JavaClass object is
337         // in the BCEL repository.
338         final JavaClass jc;
339         try {
340             jc = Repository.lookupClass(myOwner.getClassName());
341         } catch (final ClassNotFoundException e) {
342             // FIXME: maybe not the best way to handle this
343             throw new AssertionViolatedException("Missing class: " + e, e);
344         }
345 
346         final ConstantPoolGen constantPoolGen = new ConstantPoolGen(jc.getConstantPool());
347         // Init Visitors
348         final InstConstraintVisitor icv = new InstConstraintVisitor();
349         icv.setConstantPoolGen(constantPoolGen);
350 
351         final ExecutionVisitor ev = new ExecutionVisitor();
352         ev.setConstantPoolGen(constantPoolGen);
353 
354         final Method[] methods = jc.getMethods(); // Method no "methodNo" exists, we ran Pass3a before on it!
355 
356         try {
357 
358             final MethodGen mg = new MethodGen(methods[methodNo], myOwner.getClassName(), constantPoolGen);
359 
360             icv.setMethodGen(mg);
361 
362             ////////////// DFA BEGINS HERE ////////////////
363             if (!(mg.isAbstract() || mg.isNative())) { // IF mg HAS CODE (See pass 2)
364 
365                 final ControlFlowGraph cfg = new ControlFlowGraph(mg);
366 
367                 // Build the initial frame situation for this method.
368                 final Frame f = new Frame(mg.getMaxLocals(), mg.getMaxStack());
369                 if (!mg.isStatic()) {
370                     if (mg.getName().equals(Const.CONSTRUCTOR_NAME)) {
371                         Frame.setThis(new UninitializedObjectType(ObjectType.getInstance(jc.getClassName())));
372                         f.getLocals().set(0, Frame.getThis());
373                     } else {
374                         Frame.setThis(null);
375                         f.getLocals().set(0, ObjectType.getInstance(jc.getClassName()));
376                     }
377                 }
378                 final Type[] argtypes = mg.getArgumentTypes();
379                 int twoslotoffset = 0;
380                 for (int j = 0; j < argtypes.length; j++) {
381                     if (argtypes[j] == Type.SHORT || argtypes[j] == Type.BYTE || argtypes[j] == Type.CHAR || argtypes[j] == Type.BOOLEAN) {
382                         argtypes[j] = Type.INT;
383                     }
384                     f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), argtypes[j]);
385                     if (argtypes[j].getSize() == 2) {
386                         twoslotoffset++;
387                         f.getLocals().set(twoslotoffset + j + (mg.isStatic() ? 0 : 1), Type.UNKNOWN);
388                     }
389                 }
390                 circulationPump(mg, cfg, cfg.contextOf(mg.getInstructionList().getStart()), f, icv, ev);
391             }
392         } catch (final VerifierConstraintViolatedException ce) {
393             ce.extendMessage("Constraint violated in method '" + methods[methodNo] + "':\n", "");
394             return new VerificationResult(VerificationResult.VERIFIED_REJECTED, ce.getMessage());
395         } catch (final RuntimeException re) {
396             // These are internal errors
397 
398             final StringWriter sw = new StringWriter();
399             final PrintWriter pw = new PrintWriter(sw);
400             re.printStackTrace(pw);
401 
402             throw new AssertionViolatedException("Some RuntimeException occurred while verify()ing class '" + jc.getClassName() + "', method '"
403                 + methods[methodNo] + "'. Original RuntimeException's stack trace:\n---\n" + sw + "---\n", re);
404         }
405         return VerificationResult.VR_OK;
406     }
407 
408     /** Returns the method number as supplied when instantiating. */
409     public int getMethodNo() {
410         return methodNo;
411     }
412 
413     /**
414      * Throws an exception indicating the returned type is not compatible with the return type of the given method.
415      *
416      * @param returnedType the type of the returned expression.
417      * @param m the method we are processing.
418      * @throws StructuralCodeConstraintException always
419      * @since 6.0
420      */
421     public void invalidReturnTypeError(final Type returnedType, final MethodGen m) {
422         throw new StructuralCodeConstraintException("Returned type " + returnedType + " does not match Method's return type " + m.getReturnType());
423     }
424 }