001/* 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 * 017 */ 018package org.apache.bcel.verifier.structurals; 019 020 021import java.io.PrintWriter; 022import java.io.StringWriter; 023import java.util.ArrayList; 024import java.util.List; 025import java.util.Random; 026import java.util.Vector; 027 028import org.apache.bcel.Const; 029import org.apache.bcel.Repository; 030import org.apache.bcel.classfile.JavaClass; 031import org.apache.bcel.classfile.Method; 032import org.apache.bcel.generic.ConstantPoolGen; 033import org.apache.bcel.generic.InstructionHandle; 034import org.apache.bcel.generic.JsrInstruction; 035import org.apache.bcel.generic.MethodGen; 036import org.apache.bcel.generic.ObjectType; 037import org.apache.bcel.generic.RET; 038import org.apache.bcel.generic.ReferenceType; 039import org.apache.bcel.generic.ReturnInstruction; 040import org.apache.bcel.generic.ReturnaddressType; 041import org.apache.bcel.generic.Type; 042import org.apache.bcel.verifier.PassVerifier; 043import org.apache.bcel.verifier.VerificationResult; 044import org.apache.bcel.verifier.Verifier; 045import org.apache.bcel.verifier.exc.AssertionViolatedException; 046import org.apache.bcel.verifier.exc.StructuralCodeConstraintException; 047import org.apache.bcel.verifier.exc.VerifierConstraintViolatedException; 048 049/** 050 * This PassVerifier verifies a method of class file according to pass 3, 051 * so-called structural verification as described in The Java Virtual Machine 052 * Specification, 2nd edition. 053 * More detailed information is to be found at the do_verify() method's 054 * documentation. 055 * 056 * @version $Id: Pass3bVerifier.java 1749603 2016-06-21 20:50:19Z ggregory $ 057 * @see #do_verify() 058 */ 059 060public final class Pass3bVerifier extends PassVerifier{ 061 /* TODO: Throughout pass 3b, upper halves of LONG and DOUBLE 062 are represented by Type.UNKNOWN. This should be changed 063 in favour of LONG_Upper and DOUBLE_Upper as in pass 2. */ 064 065 /** 066 * An InstructionContextQueue is a utility class that holds 067 * (InstructionContext, ArrayList) pairs in a Queue data structure. 068 * This is used to hold information about InstructionContext objects 069 * externally --- i.e. that information is not saved inside the 070 * InstructionContext object itself. This is useful to save the 071 * execution path of the symbolic execution of the 072 * Pass3bVerifier - this is not information 073 * that belongs into the InstructionContext object itself. 074 * Only at "execute()"ing 075 * time, an InstructionContext object will get the current information 076 * we have about its symbolic execution predecessors. 077 */ 078 private static final class InstructionContextQueue{ 079 private final List<InstructionContext> ics = new Vector<>(); 080 private final List<ArrayList<InstructionContext>> ecs = new Vector<>(); 081 public void add(final InstructionContext ic, final ArrayList<InstructionContext> executionChain) { 082 ics.add(ic); 083 ecs.add(executionChain); 084 } 085 public boolean isEmpty() { 086 return ics.isEmpty(); 087 } 088 public void remove(final int i) { 089 ics.remove(i); 090 ecs.remove(i); 091 } 092 public InstructionContext getIC(final int i) { 093 return ics.get(i); 094 } 095 public ArrayList<InstructionContext> getEC(final int i) { 096 return ecs.get(i); 097 } 098 public int size() { 099 return ics.size(); 100 } 101 } // end Inner Class InstructionContextQueue 102 103 /** In DEBUG mode, the verification algorithm is not randomized. */ 104 private static final boolean DEBUG = true; 105 106 /** The Verifier that created this. */ 107 private final Verifier myOwner; 108 109 /** The method number to verify. */ 110 private final int method_no; 111 112 /** 113 * This class should only be instantiated by a Verifier. 114 * 115 * @see org.apache.bcel.verifier.Verifier 116 */ 117 public Pass3bVerifier(final Verifier owner, final int method_no) { 118 myOwner = owner; 119 this.method_no = method_no; 120 } 121 122 /** 123 * Whenever the outgoing frame 124 * situation of an InstructionContext changes, all its successors are 125 * put [back] into the queue [as if they were unvisited]. 126 * The proof of termination is about the existence of a 127 * fix point of frame merging. 128 */ 129 private void circulationPump(final MethodGen m,final ControlFlowGraph cfg, final InstructionContext start, 130 final Frame vanillaFrame, final InstConstraintVisitor icv, final ExecutionVisitor ev) { 131 final Random random = new Random(); 132 final InstructionContextQueue icq = new InstructionContextQueue(); 133 134 start.execute(vanillaFrame, new ArrayList<InstructionContext>(), icv, ev); 135 // new ArrayList() <=> no Instruction was executed before 136 // => Top-Level routine (no jsr call before) 137 icq.add(start, new ArrayList<InstructionContext>()); 138 139 // LOOP! 140 while (!icq.isEmpty()) { 141 InstructionContext u; 142 ArrayList<InstructionContext> ec; 143 if (!DEBUG) { 144 final int r = random.nextInt(icq.size()); 145 u = icq.getIC(r); 146 ec = icq.getEC(r); 147 icq.remove(r); 148 } 149 else{ 150 u = icq.getIC(0); 151 ec = icq.getEC(0); 152 icq.remove(0); 153 } 154 155 @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext> 156 final 157 ArrayList<InstructionContext> oldchain = (ArrayList<InstructionContext>) (ec.clone()); 158 @SuppressWarnings("unchecked") // ec is of type ArrayList<InstructionContext> 159 final 160 ArrayList<InstructionContext> newchain = (ArrayList<InstructionContext>) (ec.clone()); 161 newchain.add(u); 162 163 if ((u.getInstruction().getInstruction()) instanceof RET) { 164//System.err.println(u); 165 // We can only follow _one_ successor, the one after the 166 // JSR that was recently executed. 167 final RET ret = (RET) (u.getInstruction().getInstruction()); 168 final ReturnaddressType t = (ReturnaddressType) u.getOutFrame(oldchain).getLocals().get(ret.getIndex()); 169 final InstructionContext theSuccessor = cfg.contextOf(t.getTarget()); 170 171 // Sanity check 172 InstructionContext lastJSR = null; 173 int skip_jsr = 0; 174 for (int ss=oldchain.size()-1; ss >= 0; ss--) { 175 if (skip_jsr < 0) { 176 throw new AssertionViolatedException("More RET than JSR in execution chain?!"); 177 } 178//System.err.println("+"+oldchain.get(ss)); 179 if ((oldchain.get(ss)).getInstruction().getInstruction() instanceof JsrInstruction) { 180 if (skip_jsr == 0) { 181 lastJSR = oldchain.get(ss); 182 break; 183 } 184 skip_jsr--; 185 } 186 if ((oldchain.get(ss)).getInstruction().getInstruction() instanceof RET) { 187 skip_jsr++; 188 } 189 } 190 if (lastJSR == null) { 191 throw new AssertionViolatedException("RET without a JSR before in ExecutionChain?! EC: '"+oldchain+"'."); 192 } 193 final JsrInstruction jsr = (JsrInstruction) (lastJSR.getInstruction().getInstruction()); 194 if ( theSuccessor != (cfg.contextOf(jsr.physicalSuccessor())) ) { 195 throw new AssertionViolatedException("RET '"+u.getInstruction()+"' info inconsistent: jump back to '"+ 196 theSuccessor+"' or '"+cfg.contextOf(jsr.physicalSuccessor())+"'?"); 197 } 198 199 if (theSuccessor.execute(u.getOutFrame(oldchain), newchain, icv, ev)) { 200 @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext> 201 final 202 ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone(); 203 icq.add(theSuccessor, newchainClone); 204 } 205 } 206 else{// "not a ret" 207 208 // Normal successors. Add them to the queue of successors. 209 final InstructionContext[] succs = u.getSuccessors(); 210 for (final InstructionContext v : succs) { 211 if (v.execute(u.getOutFrame(oldchain), newchain, icv, ev)) { 212 @SuppressWarnings("unchecked") // newchain is already of type ArrayList<InstructionContext> 213 final 214 ArrayList<InstructionContext> newchainClone = (ArrayList<InstructionContext>) newchain.clone(); 215 icq.add(v, newchainClone); 216 } 217 } 218 }// end "not a ret" 219 220 // Exception Handlers. Add them to the queue of successors. 221 // [subroutines are never protected; mandated by JustIce] 222 final ExceptionHandler[] exc_hds = u.getExceptionHandlers(); 223 for (final ExceptionHandler exc_hd : exc_hds) { 224 final InstructionContext v = cfg.contextOf(exc_hd.getHandlerStart()); 225 // TODO: the "oldchain" and "newchain" is used to determine the subroutine 226 // we're in (by searching for the last JSR) by the InstructionContext 227 // implementation. Therefore, we should not use this chain mechanism 228 // when dealing with exception handlers. 229 // Example: a JSR with an exception handler as its successor does not 230 // mean we're in a subroutine if we go to the exception handler. 231 // We should address this problem later; by now we simply "cut" the chain 232 // by using an empty chain for the exception handlers. 233 //if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), 234 // new OperandStack (u.getOutFrame().getStack().maxStack(), 235 // (exc_hds[s].getExceptionType()==null? Type.THROWABLE : exc_hds[s].getExceptionType())) ), newchain), icv, ev) { 236 //icq.add(v, (ArrayList) newchain.clone()); 237 if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), 238 new OperandStack (u.getOutFrame(oldchain).getStack().maxStack(), 239 exc_hd.getExceptionType()==null? Type.THROWABLE : exc_hd.getExceptionType())), 240 new ArrayList<InstructionContext>(), icv, ev)) { 241 icq.add(v, new ArrayList<InstructionContext>()); 242 } 243 } 244 245 }// while (!icq.isEmpty()) END 246 247 InstructionHandle ih = start.getInstruction(); 248 do{ 249 if ((ih.getInstruction() instanceof ReturnInstruction) && (!(cfg.isDead(ih)))) { 250 final InstructionContext ic = cfg.contextOf(ih); 251 // TODO: This is buggy, we check only the top-level return instructions this way. 252 // Maybe some maniac returns from a method when in a subroutine? 253 final Frame f = ic.getOutFrame(new ArrayList<InstructionContext>()); 254 final LocalVariables lvs = f.getLocals(); 255 for (int i=0; i<lvs.maxLocals(); i++) { 256 if (lvs.get(i) instanceof UninitializedObjectType) { 257 this.addMessage("Warning: ReturnInstruction '"+ic+ 258 "' may leave method with an uninitialized object in the local variables array '"+lvs+"'."); 259 } 260 } 261 final OperandStack os = f.getStack(); 262 for (int i=0; i<os.size(); i++) { 263 if (os.peek(i) instanceof UninitializedObjectType) { 264 this.addMessage("Warning: ReturnInstruction '"+ic+ 265 "' may leave method with an uninitialized object on the operand stack '"+os+"'."); 266 } 267 } 268 //see JVM $4.8.2 269 Type returnedType = null; 270 final OperandStack inStack = ic.getInFrame().getStack(); 271 if (inStack.size() >= 1) { 272 returnedType = inStack.peek(); 273 } else { 274 returnedType = Type.VOID; 275 } 276 277 if (returnedType != null) { 278 if (returnedType instanceof ReferenceType) { 279 try { 280 if (!((ReferenceType) returnedType).isCastableTo(m.getReturnType())) { 281 invalidReturnTypeError(returnedType, m); 282 } 283 } catch (final ClassNotFoundException e) { 284 // Don't know what do do now, so raise RuntimeException 285 throw new RuntimeException(e); 286 } 287 } else if (!returnedType.equals(m.getReturnType().normalizeForStackOrLocal())) { 288 invalidReturnTypeError(returnedType, m); 289 } 290 } 291 } 292 } while ((ih = ih.getNext()) != null); 293 294 } 295 296 /** 297 * Throws an exception indicating the returned type is not compatible with the return type of the given method 298 * @throws StructuralCodeConstraintException always 299 * @since 6.0 300 */ 301 public void invalidReturnTypeError(final Type returnedType, final MethodGen m) { 302 throw new StructuralCodeConstraintException( 303 "Returned type "+returnedType+" does not match Method's return type "+m.getReturnType()); 304 } 305 306 /** 307 * Pass 3b implements the data flow analysis as described in the Java Virtual 308 * Machine Specification, Second Edition. 309 * Later versions will use LocalVariablesInfo objects to verify if the 310 * verifier-inferred types and the class file's debug information (LocalVariables 311 * attributes) match [TODO]. 312 * 313 * @see org.apache.bcel.verifier.statics.LocalVariablesInfo 314 * @see org.apache.bcel.verifier.statics.Pass2Verifier#getLocalVariablesInfo(int) 315 */ 316 @Override 317 public VerificationResult do_verify() { 318 if (! myOwner.doPass3a(method_no).equals(VerificationResult.VR_OK)) { 319 return VerificationResult.VR_NOTYET; 320 } 321 322 // Pass 3a ran before, so it's safe to assume the JavaClass object is 323 // in the BCEL repository. 324 JavaClass jc; 325 try { 326 jc = Repository.lookupClass(myOwner.getClassName()); 327 } catch (final ClassNotFoundException e) { 328 // FIXME: maybe not the best way to handle this 329 throw new AssertionViolatedException("Missing class: " + e, e); 330 } 331 332 final ConstantPoolGen constantPoolGen = new ConstantPoolGen(jc.getConstantPool()); 333 // Init Visitors 334 final InstConstraintVisitor icv = new InstConstraintVisitor(); 335 icv.setConstantPoolGen(constantPoolGen); 336 337 final ExecutionVisitor ev = new ExecutionVisitor(); 338 ev.setConstantPoolGen(constantPoolGen); 339 340 final Method[] methods = jc.getMethods(); // Method no "method_no" exists, we ran Pass3a before on it! 341 342 try{ 343 344 final MethodGen mg = new MethodGen(methods[method_no], myOwner.getClassName(), constantPoolGen); 345 346 icv.setMethodGen(mg); 347 348 ////////////// DFA BEGINS HERE //////////////// 349 if (! (mg.isAbstract() || mg.isNative()) ) { // IF mg HAS CODE (See pass 2) 350 351 final ControlFlowGraph cfg = new ControlFlowGraph(mg); 352 353 // Build the initial frame situation for this method. 354 final Frame f = new Frame(mg.getMaxLocals(),mg.getMaxStack()); 355 if ( !mg.isStatic() ) { 356 if (mg.getName().equals(Const.CONSTRUCTOR_NAME)) { 357 Frame.setThis(new UninitializedObjectType(ObjectType.getInstance(jc.getClassName()))); 358 f.getLocals().set(0, Frame.getThis()); 359 } 360 else{ 361 Frame.setThis(null); 362 f.getLocals().set(0, ObjectType.getInstance(jc.getClassName())); 363 } 364 } 365 final Type[] argtypes = mg.getArgumentTypes(); 366 int twoslotoffset = 0; 367 for (int j=0; j<argtypes.length; j++) { 368 if (argtypes[j] == Type.SHORT || argtypes[j] == Type.BYTE || 369 argtypes[j] == Type.CHAR || argtypes[j] == Type.BOOLEAN) { 370 argtypes[j] = Type.INT; 371 } 372 f.getLocals().set(twoslotoffset + j + (mg.isStatic()?0:1), argtypes[j]); 373 if (argtypes[j].getSize() == 2) { 374 twoslotoffset++; 375 f.getLocals().set(twoslotoffset + j + (mg.isStatic()?0:1), Type.UNKNOWN); 376 } 377 } 378 circulationPump(mg,cfg, cfg.contextOf(mg.getInstructionList().getStart()), f, icv, ev); 379 } 380 } 381 catch (final VerifierConstraintViolatedException ce) { 382 ce.extendMessage("Constraint violated in method '"+methods[method_no]+"':\n",""); 383 return new VerificationResult(VerificationResult.VERIFIED_REJECTED, ce.getMessage()); 384 } 385 catch (final RuntimeException re) { 386 // These are internal errors 387 388 final StringWriter sw = new StringWriter(); 389 final PrintWriter pw = new PrintWriter(sw); 390 re.printStackTrace(pw); 391 392 throw new AssertionViolatedException("Some RuntimeException occured while verify()ing class '"+jc.getClassName()+ 393 "', method '"+methods[method_no]+"'. Original RuntimeException's stack trace:\n---\n"+sw+"---\n", re); 394 } 395 return VerificationResult.VR_OK; 396 } 397 398 /** Returns the method number as supplied when instantiating. */ 399 public int getMethodNo() { 400 return method_no; 401 } 402}