View Javadoc
1 package org.apache.bcel.verifier.structurals; 2 3 /* ==================================================================== 4 * The Apache Software License, Version 1.1 5 * 6 * Copyright (c) 2001 The Apache Software Foundation. All rights 7 * reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. The end-user documentation included with the redistribution, 22 * if any, must include the following acknowledgment: 23 * "This product includes software developed by the 24 * Apache Software Foundation (http://www.apache.org/)." 25 * Alternately, this acknowledgment may appear in the software itself, 26 * if and wherever such third-party acknowledgments normally appear. 27 * 28 * 4. The names "Apache" and "Apache Software Foundation" and 29 * "Apache BCEL" must not be used to endorse or promote products 30 * derived from this software without prior written permission. For 31 * written permission, please contact apache@apache.org. 32 * 33 * 5. Products derived from this software may not be called "Apache", 34 * "Apache BCEL", nor may "Apache" appear in their name, without 35 * prior written permission of the Apache Software Foundation. 36 * 37 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED 38 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 39 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 40 * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR 41 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 42 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 43 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF 44 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 45 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 46 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 47 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 48 * SUCH DAMAGE. 49 * ==================================================================== 50 * 51 * This software consists of voluntary contributions made by many 52 * individuals on behalf of the Apache Software Foundation. For more 53 * information on the Apache Software Foundation, please see 54 * <http://www.apache.org/>;. 55 */ 56 57 import java.io.*; 58 import java.util.ArrayList; 59 import java.util.Random; 60 import java.util.Vector; 61 import org.apache.bcel.Constants; 62 import org.apache.bcel.Repository; 63 import org.apache.bcel.classfile.*; 64 import org.apache.bcel.generic.*; 65 import org.apache.bcel.verifier.*; 66 import org.apache.bcel.verifier.statics.*; 67 import org.apache.bcel.verifier.exc.*; 68 69 /*** 70 * This PassVerifier verifies a method of class file according to pass 3, 71 * so-called structural verification as described in The Java Virtual Machine 72 * Specification, 2nd edition. 73 * More detailed information is to be found at the do_verify() method's 74 * documentation. 75 * 76 * @version $Id: Pass3bVerifier.java,v 1.3 2002/07/04 21:44:42 enver Exp $ 77 * @author <A HREF="http://www.inf.fu-berlin.de/~ehaase"/>Enver Haase</A> 78 * @see #do_verify() 79 */ 80 81 public final class Pass3bVerifier extends PassVerifier{ 82 /* TODO: Throughout pass 3b, upper halves of LONG and DOUBLE 83 are represented by Type.UNKNOWN. This should be changed 84 in favour of LONG_Upper and DOUBLE_Upper as in pass 2. */ 85 86 /*** 87 * An InstructionContextQueue is a utility class that holds 88 * (InstructionContext, ArrayList) pairs in a Queue data structure. 89 * This is used to hold information about InstructionContext objects 90 * externally --- i.e. that information is not saved inside the 91 * InstructionContext object itself. This is useful to save the 92 * execution path of the symbolic execution of the 93 * Pass3bVerifier - this is not information 94 * that belongs into the InstructionContext object itself. 95 * Only at "execute()"ing 96 * time, an InstructionContext object will get the current information 97 * we have about its symbolic execution predecessors. 98 */ 99 private static final class InstructionContextQueue{ 100 private Vector ics = new Vector(); // Type: InstructionContext 101 private Vector ecs = new Vector(); // Type: ArrayList (of InstructionContext) 102 public void add(InstructionContext ic, ArrayList executionChain){ 103 ics.add(ic); 104 ecs.add(executionChain); 105 } 106 public boolean isEmpty(){ 107 return ics.isEmpty(); 108 } 109 public void remove(){ 110 this.remove(0); 111 } 112 public void remove(int i){ 113 ics.remove(i); 114 ecs.remove(i); 115 } 116 public InstructionContext getIC(int i){ 117 return (InstructionContext) ics.get(i); 118 } 119 public ArrayList getEC(int i){ 120 return (ArrayList) ecs.get(i); 121 } 122 public int size(){ 123 return ics.size(); 124 } 125 } // end Inner Class InstructionContextQueue 126 127 /*** In DEBUG mode, the verification algorithm is not randomized. */ 128 private static final boolean DEBUG = true; 129 130 /*** The Verifier that created this. */ 131 private Verifier myOwner; 132 133 /*** The method number to verify. */ 134 private int method_no; 135 136 /*** 137 * This class should only be instantiated by a Verifier. 138 * 139 * @see org.apache.bcel.verifier.Verifier 140 */ 141 public Pass3bVerifier(Verifier owner, int method_no){ 142 myOwner = owner; 143 this.method_no = method_no; 144 } 145 146 /*** 147 * Whenever the outgoing frame 148 * situation of an InstructionContext changes, all its successors are 149 * put [back] into the queue [as if they were unvisited]. 150 * The proof of termination is about the existence of a 151 * fix point of frame merging. 152 */ 153 private void circulationPump(ControlFlowGraph cfg, InstructionContext start, Frame vanillaFrame, InstConstraintVisitor icv, ExecutionVisitor ev){ 154 final Random random = new Random(); 155 InstructionContextQueue icq = new InstructionContextQueue(); 156 157 start.execute(vanillaFrame, new ArrayList(), icv, ev); // new ArrayList() <=> no Instruction was executed before 158 // => Top-Level routine (no jsr call before) 159 icq.add(start, new ArrayList()); 160 161 // LOOP! 162 while (!icq.isEmpty()){ 163 InstructionContext u; 164 ArrayList ec; 165 if (!DEBUG){ 166 int r = random.nextInt(icq.size()); 167 u = icq.getIC(r); 168 ec = icq.getEC(r); 169 icq.remove(r); 170 } 171 else{ 172 u = icq.getIC(0); 173 ec = icq.getEC(0); 174 icq.remove(0); 175 } 176 177 ArrayList oldchain = (ArrayList) (ec.clone()); 178 ArrayList newchain = (ArrayList) (ec.clone()); 179 newchain.add(u); 180 181 if ((u.getInstruction().getInstruction()) instanceof RET){ 182 //System.err.println(u); 183 // We can only follow _one_ successor, the one after the 184 // JSR that was recently executed. 185 RET ret = (RET) (u.getInstruction().getInstruction()); 186 ReturnaddressType t = (ReturnaddressType) u.getOutFrame(oldchain).getLocals().get(ret.getIndex()); 187 InstructionContext theSuccessor = cfg.contextOf(t.getTarget()); 188 189 // Sanity check 190 InstructionContext lastJSR = null; 191 int skip_jsr = 0; 192 for (int ss=oldchain.size()-1; ss >= 0; ss--){ 193 if (skip_jsr < 0){ 194 throw new AssertionViolatedException("More RET than JSR in execution chain?!"); 195 } 196 //System.err.println("+"+oldchain.get(ss)); 197 if (((InstructionContext) oldchain.get(ss)).getInstruction().getInstruction() instanceof JsrInstruction){ 198 if (skip_jsr == 0){ 199 lastJSR = (InstructionContext) oldchain.get(ss); 200 break; 201 } 202 else{ 203 skip_jsr--; 204 } 205 } 206 if (((InstructionContext) oldchain.get(ss)).getInstruction().getInstruction() instanceof RET){ 207 skip_jsr++; 208 } 209 } 210 if (lastJSR == null){ 211 throw new AssertionViolatedException("RET without a JSR before in ExecutionChain?! EC: '"+oldchain+"'."); 212 } 213 JsrInstruction jsr = (JsrInstruction) (lastJSR.getInstruction().getInstruction()); 214 if ( theSuccessor != (cfg.contextOf(jsr.physicalSuccessor())) ){ 215 throw new AssertionViolatedException("RET '"+u.getInstruction()+"' info inconsistent: jump back to '"+theSuccessor+"' or '"+cfg.contextOf(jsr.physicalSuccessor())+"'?"); 216 } 217 218 if (theSuccessor.execute(u.getOutFrame(oldchain), newchain, icv, ev)){ 219 icq.add(theSuccessor, (ArrayList) newchain.clone()); 220 } 221 } 222 else{// "not a ret" 223 224 // Normal successors. Add them to the queue of successors. 225 InstructionContext[] succs = u.getSuccessors(); 226 for (int s=0; s<succs.length; s++){ 227 InstructionContext v = succs[s]; 228 if (v.execute(u.getOutFrame(oldchain), newchain, icv, ev)){ 229 icq.add(v, (ArrayList) newchain.clone()); 230 } 231 } 232 }// end "not a ret" 233 234 // Exception Handlers. Add them to the queue of successors. 235 // [subroutines are never protected; mandated by JustIce] 236 ExceptionHandler[] exc_hds = u.getExceptionHandlers(); 237 for (int s=0; s<exc_hds.length; s++){ 238 InstructionContext v = cfg.contextOf(exc_hds[s].getHandlerStart()); 239 // TODO: the "oldchain" and "newchain" is used to determine the subroutine 240 // we're in (by searching for the last JSR) by the InstructionContext 241 // implementation. Therefore, we should not use this chain mechanism 242 // when dealing with exception handlers. 243 // Example: a JSR with an exception handler as its successor does not 244 // mean we're in a subroutine if we go to the exception handler. 245 // We should address this problem later; by now we simply "cut" the chain 246 // by using an empty chain for the exception handlers. 247 //if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), new OperandStack (u.getOutFrame().getStack().maxStack(), (exc_hds[s].getExceptionType()==null? Type.THROWABLE : exc_hds[s].getExceptionType())) ), newchain), icv, ev){ 248 //icq.add(v, (ArrayList) newchain.clone()); 249 if (v.execute(new Frame(u.getOutFrame(oldchain).getLocals(), new OperandStack (u.getOutFrame(oldchain).getStack().maxStack(), (exc_hds[s].getExceptionType()==null? Type.THROWABLE : exc_hds[s].getExceptionType())) ), new ArrayList(), icv, ev)){ 250 icq.add(v, new ArrayList()); 251 } 252 } 253 254 }// while (!icq.isEmpty()) END 255 256 InstructionHandle ih = start.getInstruction(); 257 do{ 258 if ((ih.getInstruction() instanceof ReturnInstruction) && (!(cfg.isDead(ih)))) { 259 InstructionContext ic = cfg.contextOf(ih); 260 Frame f = ic.getOutFrame(new ArrayList()); // TODO: This is buggy, we check only the top-level return instructions this way. Maybe some maniac returns from a method when in a subroutine? 261 LocalVariables lvs = f.getLocals(); 262 for (int i=0; i<lvs.maxLocals(); i++){ 263 if (lvs.get(i) instanceof UninitializedObjectType){ 264 this.addMessage("Warning: ReturnInstruction '"+ic+"' may leave method with an uninitialized object in the local variables array '"+lvs+"'."); 265 } 266 } 267 OperandStack os = f.getStack(); 268 for (int i=0; i<os.size(); i++){ 269 if (os.peek(i) instanceof UninitializedObjectType){ 270 this.addMessage("Warning: ReturnInstruction '"+ic+"' may leave method with an uninitialized object on the operand stack '"+os+"'."); 271 } 272 } 273 } 274 }while ((ih = ih.getNext()) != null); 275 276 } 277 278 /*** 279 * Pass 3b implements the data flow analysis as described in the Java Virtual 280 * Machine Specification, Second Edition. 281 * Later versions will use LocalVariablesInfo objects to verify if the 282 * verifier-inferred types and the class file's debug information (LocalVariables 283 * attributes) match [TODO]. 284 * 285 * @see org.apache.bcel.verifier.statics.LocalVariablesInfo 286 * @see org.apache.bcel.verifier.statics.Pass2Verifier#getLocalVariablesInfo(int) 287 */ 288 public VerificationResult do_verify(){ 289 if (! myOwner.doPass3a(method_no).equals(VerificationResult.VR_OK)){ 290 return VerificationResult.VR_NOTYET; 291 } 292 293 // Pass 3a ran before, so it's safe to assume the JavaClass object is 294 // in the BCEL repository. 295 JavaClass jc = Repository.lookupClass(myOwner.getClassName()); 296 297 ConstantPoolGen constantPoolGen = new ConstantPoolGen(jc.getConstantPool()); 298 // Init Visitors 299 InstConstraintVisitor icv = new InstConstraintVisitor(); 300 icv.setConstantPoolGen(constantPoolGen); 301 302 ExecutionVisitor ev = new ExecutionVisitor(); 303 ev.setConstantPoolGen(constantPoolGen); 304 305 Method[] methods = jc.getMethods(); // Method no "method_no" exists, we ran Pass3a before on it! 306 307 try{ 308 309 MethodGen mg = new MethodGen(methods[method_no], myOwner.getClassName(), constantPoolGen); 310 311 icv.setMethodGen(mg); 312 313 ////////////// DFA BEGINS HERE //////////////// 314 if (! (mg.isAbstract() || mg.isNative()) ){ // IF mg HAS CODE (See pass 2) 315 316 ControlFlowGraph cfg = new ControlFlowGraph(mg); 317 318 // Build the initial frame situation for this method. 319 Frame f = new Frame(mg.getMaxLocals(),mg.getMaxStack()); 320 if ( !mg.isStatic() ){ 321 if (mg.getName().equals(Constants.CONSTRUCTOR_NAME)){ 322 f._this = new UninitializedObjectType(new ObjectType(jc.getClassName())); 323 f.getLocals().set(0, f._this); 324 } 325 else{ 326 f._this = null; 327 f.getLocals().set(0, new ObjectType(jc.getClassName())); 328 } 329 } 330 Type[] argtypes = mg.getArgumentTypes(); 331 int twoslotoffset = 0; 332 for (int j=0; j<argtypes.length; j++){ 333 if (argtypes[j] == Type.SHORT || argtypes[j] == Type.BYTE || argtypes[j] == Type.CHAR || argtypes[j] == Type.BOOLEAN){ 334 argtypes[j] = Type.INT; 335 } 336 f.getLocals().set(twoslotoffset + j + (mg.isStatic()?0:1), argtypes[j]); 337 if (argtypes[j].getSize() == 2){ 338 twoslotoffset++; 339 f.getLocals().set(twoslotoffset + j + (mg.isStatic()?0:1), Type.UNKNOWN); 340 } 341 } 342 circulationPump(cfg, cfg.contextOf(mg.getInstructionList().getStart()), f, icv, ev); 343 } 344 } 345 catch (VerifierConstraintViolatedException ce){ 346 ce.extendMessage("Constraint violated in method '"+methods[method_no]+"':\n",""); 347 return new VerificationResult(VerificationResult.VERIFIED_REJECTED, ce.getMessage()); 348 } 349 catch (RuntimeException re){ 350 // These are internal errors 351 352 StringWriter sw = new StringWriter(); 353 PrintWriter pw = new PrintWriter(sw); 354 re.printStackTrace(pw); 355 356 throw new AssertionViolatedException("Some RuntimeException occured while verify()ing class '"+jc.getClassName()+"', method '"+methods[method_no]+"'. Original RuntimeException's stack trace:\n---\n"+sw+"---\n"); 357 } 358 return VerificationResult.VR_OK; 359 } 360 361 /*** Returns the method number as supplied when instantiating. */ 362 public int getMethodNo(){ 363 return method_no; 364 } 365 }

This page was automatically generated by Maven