1 /*
   2  * Copyright (c) 1998, 2025, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  *
  23  */
  24 
  25 #include "cds/cdsConfig.hpp"
  26 #include "classfile/classFileStream.hpp"
  27 #include "classfile/classLoader.hpp"
  28 #include "classfile/javaClasses.hpp"
  29 #include "classfile/stackMapTable.hpp"
  30 #include "classfile/stackMapFrame.hpp"
  31 #include "classfile/stackMapTableFormat.hpp"
  32 #include "classfile/symbolTable.hpp"
  33 #include "classfile/systemDictionary.hpp"
  34 #include "classfile/verifier.hpp"
  35 #include "classfile/vmClasses.hpp"
  36 #include "classfile/vmSymbols.hpp"
  37 #include "interpreter/bytecodes.hpp"
  38 #include "interpreter/bytecodeStream.hpp"
  39 #include "jvm.h"
  40 #include "logging/log.hpp"
  41 #include "logging/logStream.hpp"
  42 #include "memory/oopFactory.hpp"
  43 #include "memory/resourceArea.hpp"
  44 #include "memory/universe.hpp"
  45 #include "oops/constantPool.inline.hpp"
  46 #include "oops/fieldStreams.inline.hpp"
  47 #include "oops/instanceKlass.inline.hpp"
  48 #include "oops/klass.inline.hpp"
  49 #include "oops/oop.inline.hpp"
  50 #include "oops/typeArrayOop.hpp"
  51 #include "runtime/arguments.hpp"
  52 #include "runtime/fieldDescriptor.inline.hpp"
  53 #include "runtime/handles.inline.hpp"
  54 #include "runtime/interfaceSupport.inline.hpp"
  55 #include "runtime/javaCalls.hpp"
  56 #include "runtime/javaThread.hpp"
  57 #include "runtime/jniHandles.inline.hpp"
  58 #include "runtime/os.hpp"
  59 #include "runtime/safepointVerifiers.hpp"
  60 #include "services/threadService.hpp"
  61 #include "utilities/align.hpp"
  62 #include "utilities/bytes.hpp"
  63 #if INCLUDE_CDS
  64 #include "classfile/systemDictionaryShared.hpp"
  65 #endif
  66 
  67 #define NOFAILOVER_MAJOR_VERSION                       51
  68 #define NONZERO_PADDING_BYTES_IN_SWITCH_MAJOR_VERSION  51
  69 #define STATIC_METHOD_IN_INTERFACE_MAJOR_VERSION       52
  70 #define INLINE_TYPE_MAJOR_VERSION                       56
  71 #define MAX_ARRAY_DIMENSIONS 255
  72 
  73 // Access to external entry for VerifyClassForMajorVersion - old byte code verifier
  74 
  75 extern "C" {
  76   typedef jboolean (*verify_byte_codes_fn_t)(JNIEnv *, jclass, char *, jint, jint);
  77 }
  78 
  79 static verify_byte_codes_fn_t volatile _verify_byte_codes_fn = nullptr;
  80 
  81 static verify_byte_codes_fn_t verify_byte_codes_fn() {
  82 
  83   if (_verify_byte_codes_fn != nullptr)
  84     return _verify_byte_codes_fn;
  85 
  86   MutexLocker locker(Verify_lock);
  87 
  88   if (_verify_byte_codes_fn != nullptr)
  89     return _verify_byte_codes_fn;
  90 
  91   void *lib_handle = nullptr;
  92   // Load verify dll
  93   if (is_vm_statically_linked()) {
  94     lib_handle = os::get_default_process_handle();
  95   } else {
  96     char buffer[JVM_MAXPATHLEN];
  97     char ebuf[1024];
  98     if (!os::dll_locate_lib(buffer, sizeof(buffer), Arguments::get_dll_dir(), "verify"))
  99       return nullptr; // Caller will throw VerifyError
 100 
 101     lib_handle = os::dll_load(buffer, ebuf, sizeof(ebuf));
 102     if (lib_handle == nullptr)
 103       return nullptr; // Caller will throw VerifyError
 104   }
 105 
 106   void *fn = os::dll_lookup(lib_handle, "VerifyClassForMajorVersion");
 107   if (fn == nullptr)
 108     return nullptr; // Caller will throw VerifyError
 109 
 110   return _verify_byte_codes_fn = CAST_TO_FN_PTR(verify_byte_codes_fn_t, fn);
 111 }
 112 
 113 
 114 // Methods in Verifier
 115 
 116 // This method determines whether we run the verifier and class file format checking code.
 117 bool Verifier::should_verify_for(oop class_loader) {
 118   return class_loader == nullptr ?
 119     BytecodeVerificationLocal : BytecodeVerificationRemote;
 120 }
 121 
 122 // This method determines whether we allow package access in access checks in reflection.
 123 bool Verifier::relax_access_for(oop loader) {
 124   bool trusted = java_lang_ClassLoader::is_trusted_loader(loader);
 125   bool need_verify =
 126     // verifyAll
 127     (BytecodeVerificationLocal && BytecodeVerificationRemote) ||
 128     // verifyRemote
 129     (!BytecodeVerificationLocal && BytecodeVerificationRemote && !trusted);
 130   return !need_verify;
 131 }
 132 
 133 // Callers will pass should_verify_class as true, depending on the results of should_verify_for() above,
 134 // or pass true for redefinition of any class.
 135 static bool is_eligible_for_verification(InstanceKlass* klass, bool should_verify_class) {
 136   Symbol* name = klass->name();
 137 
 138   return (should_verify_class &&
 139     // Can not verify the bytecodes for shared classes because they have
 140     // already been rewritten to contain constant pool cache indices,
 141     // which the verifier can't understand.
 142     // Shared classes shouldn't have stackmaps either.
 143     // However, bytecodes for shared old classes can be verified because
 144     // they have not been rewritten.
 145     !(klass->is_shared() && klass->is_rewritten()));
 146 }
 147 
 148 void Verifier::trace_class_resolution(Klass* resolve_class, InstanceKlass* verify_class) {
 149   assert(verify_class != nullptr, "Unexpected null verify_class");
 150   ResourceMark rm;
 151   Symbol* s = verify_class->source_file_name();
 152   const char* source_file = (s != nullptr ? s->as_C_string() : nullptr);
 153   const char* verify = verify_class->external_name();
 154   const char* resolve = resolve_class->external_name();
 155   // print in a single call to reduce interleaving between threads
 156   if (source_file != nullptr) {
 157     log_debug(class, resolve)("%s %s %s (verification)", verify, resolve, source_file);
 158   } else {
 159     log_debug(class, resolve)("%s %s (verification)", verify, resolve);
 160   }
 161 }
 162 
 163 // Prints the end-verification message to the appropriate output.
 164 void Verifier::log_end_verification(outputStream* st, const char* klassName, Symbol* exception_name, oop pending_exception) {
 165   if (pending_exception != nullptr) {
 166     st->print("Verification for %s has", klassName);
 167     oop message = java_lang_Throwable::message(pending_exception);
 168     if (message != nullptr) {
 169       char* ex_msg = java_lang_String::as_utf8_string(message);
 170       st->print_cr(" exception pending '%s %s'",
 171                    pending_exception->klass()->external_name(), ex_msg);
 172     } else {
 173       st->print_cr(" exception pending %s ",
 174                    pending_exception->klass()->external_name());
 175     }
 176   } else if (exception_name != nullptr) {
 177     st->print_cr("Verification for %s failed", klassName);
 178   }
 179   st->print_cr("End class verification for: %s", klassName);
 180 }
 181 
 182 bool Verifier::verify(InstanceKlass* klass, bool should_verify_class, TRAPS) {
 183   HandleMark hm(THREAD);
 184   ResourceMark rm(THREAD);
 185 
 186   // Eagerly allocate the identity hash code for a klass. This is a fallout
 187   // from 6320749 and 8059924: hash code generator is not supposed to be called
 188   // during the safepoint, but it allows to sneak the hashcode in during
 189   // verification. Without this eager hashcode generation, we may end up
 190   // installing the hashcode during some other operation, which may be at
 191   // safepoint -- blowing up the checks. It was previously done as the side
 192   // effect (sic!) for external_name(), but instead of doing that, we opt to
 193   // explicitly push the hashcode in here. This is signify the following block
 194   // is IMPORTANT:
 195   if (klass->java_mirror() != nullptr) {
 196     klass->java_mirror()->identity_hash();
 197   }
 198 
 199   if (!is_eligible_for_verification(klass, should_verify_class)) {
 200     return true;
 201   }
 202 
 203   // Timer includes any side effects of class verification (resolution,
 204   // etc), but not recursive calls to Verifier::verify().
 205   JavaThread* jt = THREAD;
 206   PerfClassTraceTime timer(ClassLoader::perf_class_verify_time(),
 207                            ClassLoader::perf_class_verify_selftime(),
 208                            ClassLoader::perf_classes_verified(),
 209                            jt->get_thread_stat()->perf_recursion_counts_addr(),
 210                            jt->get_thread_stat()->perf_timers_addr(),
 211                            PerfClassTraceTime::CLASS_VERIFY);
 212 
 213   // If the class should be verified, first see if we can use the split
 214   // verifier.  If not, or if verification fails and can failover, then
 215   // call the inference verifier.
 216   Symbol* exception_name = nullptr;
 217   const size_t message_buffer_len = klass->name()->utf8_length() + 1024;
 218   char* message_buffer = nullptr;
 219   char* exception_message = nullptr;
 220 
 221   log_info(class, init)("Start class verification for: %s", klass->external_name());
 222   if (klass->major_version() >= STACKMAP_ATTRIBUTE_MAJOR_VERSION) {
 223     ClassVerifier split_verifier(jt, klass);
 224     // We don't use CHECK here, or on inference_verify below, so that we can log any exception.
 225     split_verifier.verify_class(THREAD);
 226     exception_name = split_verifier.result();
 227 
 228     // If dumping static archive then don't fall back to the old verifier on
 229     // verification failure. If a class fails verification with the split verifier,
 230     // it might fail the CDS runtime verifier constraint check. In that case, we
 231     // don't want to share the class. We only archive classes that pass the split
 232     // verifier.
 233     bool can_failover = !CDSConfig::is_dumping_static_archive() &&
 234       klass->major_version() < NOFAILOVER_MAJOR_VERSION;
 235 
 236     if (can_failover && !HAS_PENDING_EXCEPTION &&  // Split verifier doesn't set PENDING_EXCEPTION for failure
 237         (exception_name == vmSymbols::java_lang_VerifyError() ||
 238          exception_name == vmSymbols::java_lang_ClassFormatError())) {
 239       log_info(verification)("Fail over class verification to old verifier for: %s", klass->external_name());
 240       log_info(class, init)("Fail over class verification to old verifier for: %s", klass->external_name());
 241 #if INCLUDE_CDS
 242       // Exclude any classes that fail over during dynamic dumping
 243       if (CDSConfig::is_dumping_dynamic_archive()) {
 244         SystemDictionaryShared::warn_excluded(klass, "Failed over class verification while dynamic dumping");
 245         SystemDictionaryShared::set_excluded(klass);
 246       }
 247 #endif
 248       message_buffer = NEW_RESOURCE_ARRAY(char, message_buffer_len);
 249       exception_message = message_buffer;
 250       exception_name = inference_verify(
 251         klass, message_buffer, message_buffer_len, THREAD);
 252     }
 253     if (exception_name != nullptr) {
 254       exception_message = split_verifier.exception_message();
 255     }
 256   } else {
 257     message_buffer = NEW_RESOURCE_ARRAY(char, message_buffer_len);
 258     exception_message = message_buffer;
 259     exception_name = inference_verify(
 260         klass, message_buffer, message_buffer_len, THREAD);
 261   }
 262 
 263   LogTarget(Info, class, init) lt1;
 264   if (lt1.is_enabled()) {
 265     LogStream ls(lt1);
 266     log_end_verification(&ls, klass->external_name(), exception_name, PENDING_EXCEPTION);
 267   }
 268   LogTarget(Info, verification) lt2;
 269   if (lt2.is_enabled()) {
 270     LogStream ls(lt2);
 271     log_end_verification(&ls, klass->external_name(), exception_name, PENDING_EXCEPTION);
 272   }
 273 
 274   if (HAS_PENDING_EXCEPTION) {
 275     return false; // use the existing exception
 276   } else if (exception_name == nullptr) {
 277     return true; // verification succeeded
 278   } else { // VerifyError or ClassFormatError to be created and thrown
 279     Klass* kls =
 280       SystemDictionary::resolve_or_fail(exception_name, true, CHECK_false);
 281     if (log_is_enabled(Debug, class, resolve)) {
 282       Verifier::trace_class_resolution(kls, klass);
 283     }
 284 
 285     while (kls != nullptr) {
 286       if (kls == klass) {
 287         // If the class being verified is the exception we're creating
 288         // or one of it's superclasses, we're in trouble and are going
 289         // to infinitely recurse when we try to initialize the exception.
 290         // So bail out here by throwing the preallocated VM error.
 291         THROW_OOP_(Universe::internal_error_instance(), false);
 292       }
 293       kls = kls->super();
 294     }
 295     if (message_buffer != nullptr) {
 296       message_buffer[message_buffer_len - 1] = '\0'; // just to be sure
 297     }
 298     assert(exception_message != nullptr, "");
 299     THROW_MSG_(exception_name, exception_message, false);
 300   }
 301 }
 302 
 303 Symbol* Verifier::inference_verify(
 304     InstanceKlass* klass, char* message, size_t message_len, TRAPS) {
 305   JavaThread* thread = THREAD;
 306 
 307   verify_byte_codes_fn_t verify_func = verify_byte_codes_fn();
 308 
 309   if (verify_func == nullptr) {
 310     jio_snprintf(message, message_len, "Could not link verifier");
 311     return vmSymbols::java_lang_VerifyError();
 312   }
 313 
 314   ResourceMark rm(thread);
 315   log_info(verification)("Verifying class %s with old format", klass->external_name());
 316 
 317   jclass cls = (jclass) JNIHandles::make_local(thread, klass->java_mirror());
 318   jint result;
 319 
 320   {
 321     HandleMark hm(thread);
 322     ThreadToNativeFromVM ttn(thread);
 323     // ThreadToNativeFromVM takes care of changing thread_state, so safepoint
 324     // code knows that we have left the VM
 325     JNIEnv *env = thread->jni_environment();
 326     result = (*verify_func)(env, cls, message, (int)message_len, klass->major_version());
 327   }
 328 
 329   JNIHandles::destroy_local(cls);
 330 
 331   // These numbers are chosen so that VerifyClassCodes interface doesn't need
 332   // to be changed (still return jboolean (unsigned char)), and result is
 333   // 1 when verification is passed.
 334   if (result == 0) {
 335     return vmSymbols::java_lang_VerifyError();
 336   } else if (result == 1) {
 337     return nullptr; // verified.
 338   } else if (result == 2) {
 339     THROW_MSG_(vmSymbols::java_lang_OutOfMemoryError(), message, nullptr);
 340   } else if (result == 3) {
 341     return vmSymbols::java_lang_ClassFormatError();
 342   } else {
 343     ShouldNotReachHere();
 344     return nullptr;
 345   }
 346 }
 347 
 348 TypeOrigin TypeOrigin::null() {
 349   return TypeOrigin();
 350 }
 351 TypeOrigin TypeOrigin::local(int index, StackMapFrame* frame) {
 352   assert(frame != nullptr, "Must have a frame");
 353   return TypeOrigin(CF_LOCALS, index, StackMapFrame::copy(frame),
 354      frame->local_at(index));
 355 }
 356 TypeOrigin TypeOrigin::stack(int index, StackMapFrame* frame) {
 357   assert(frame != nullptr, "Must have a frame");
 358   return TypeOrigin(CF_STACK, index, StackMapFrame::copy(frame),
 359       frame->stack_at(index));
 360 }
 361 TypeOrigin TypeOrigin::sm_local(int index, StackMapFrame* frame) {
 362   assert(frame != nullptr, "Must have a frame");
 363   return TypeOrigin(SM_LOCALS, index, StackMapFrame::copy(frame),
 364       frame->local_at(index));
 365 }
 366 TypeOrigin TypeOrigin::sm_stack(int index, StackMapFrame* frame) {
 367   assert(frame != nullptr, "Must have a frame");
 368   return TypeOrigin(SM_STACK, index, StackMapFrame::copy(frame),
 369       frame->stack_at(index));
 370 }
 371 TypeOrigin TypeOrigin::bad_index(int index) {
 372   return TypeOrigin(BAD_INDEX, index, nullptr, VerificationType::bogus_type());
 373 }
 374 TypeOrigin TypeOrigin::cp(int index, VerificationType vt) {
 375   return TypeOrigin(CONST_POOL, index, nullptr, vt);
 376 }
 377 TypeOrigin TypeOrigin::signature(VerificationType vt) {
 378   return TypeOrigin(SIG, 0, nullptr, vt);
 379 }
 380 TypeOrigin TypeOrigin::implicit(VerificationType t) {
 381   return TypeOrigin(IMPLICIT, 0, nullptr, t);
 382 }
 383 TypeOrigin TypeOrigin::frame(StackMapFrame* frame) {
 384   return TypeOrigin(FRAME_ONLY, 0, StackMapFrame::copy(frame),
 385                     VerificationType::bogus_type());
 386 }
 387 
 388 void TypeOrigin::reset_frame() {
 389   if (_frame != nullptr) {
 390     _frame->restore();
 391   }
 392 }
 393 
 394 void TypeOrigin::details(outputStream* ss) const {
 395   _type.print_on(ss);
 396   switch (_origin) {
 397     case CF_LOCALS:
 398       ss->print(" (current frame, locals[%d])", _index);
 399       break;
 400     case CF_STACK:
 401       ss->print(" (current frame, stack[%d])", _index);
 402       break;
 403     case SM_LOCALS:
 404       ss->print(" (stack map, locals[%d])", _index);
 405       break;
 406     case SM_STACK:
 407       ss->print(" (stack map, stack[%d])", _index);
 408       break;
 409     case CONST_POOL:
 410       ss->print(" (constant pool %d)", _index);
 411       break;
 412     case SIG:
 413       ss->print(" (from method signature)");
 414       break;
 415     case IMPLICIT:
 416     case FRAME_ONLY:
 417     case NONE:
 418     default:
 419       ;
 420   }
 421 }
 422 
 423 #ifdef ASSERT
 424 void TypeOrigin::print_on(outputStream* str) const {
 425   str->print("{%d,%d,%p:", _origin, _index, _frame);
 426   if (_frame != nullptr) {
 427     _frame->print_on(str);
 428   } else {
 429     str->print("null");
 430   }
 431   str->print(",");
 432   _type.print_on(str);
 433   str->print("}");
 434 }
 435 #endif
 436 
 437 void ErrorContext::details(outputStream* ss, const Method* method) const {
 438   if (is_valid()) {
 439     ss->cr();
 440     ss->print_cr("Exception Details:");
 441     location_details(ss, method);
 442     reason_details(ss);
 443     frame_details(ss);
 444     bytecode_details(ss, method);
 445     handler_details(ss, method);
 446     stackmap_details(ss, method);
 447   }
 448 }
 449 
 450 void ErrorContext::reason_details(outputStream* ss) const {
 451   streamIndentor si(ss);
 452   ss->indent().print_cr("Reason:");
 453   streamIndentor si2(ss);
 454   ss->indent().print("%s", "");
 455   switch (_fault) {
 456     case INVALID_BYTECODE:
 457       ss->print("Error exists in the bytecode");
 458       break;
 459     case WRONG_TYPE:
 460       if (_expected.is_valid()) {
 461         ss->print("Type ");
 462         _type.details(ss);
 463         ss->print(" is not assignable to ");
 464         _expected.details(ss);
 465       } else {
 466         ss->print("Invalid type: ");
 467         _type.details(ss);
 468       }
 469       break;
 470     case FLAGS_MISMATCH:
 471       if (_expected.is_valid()) {
 472         ss->print("Current frame's flags are not assignable "
 473                   "to stack map frame's.");
 474       } else {
 475         ss->print("Current frame's flags are invalid in this context.");
 476       }
 477       break;
 478     case BAD_CP_INDEX:
 479       ss->print("Constant pool index %d is invalid", _type.index());
 480       break;
 481     case BAD_LOCAL_INDEX:
 482       ss->print("Local index %d is invalid", _type.index());
 483       break;
 484     case BAD_STRICT_FIELDS:
 485       ss->print("Invalid use of strict instance fields");
 486       break;
 487     case LOCALS_SIZE_MISMATCH:
 488       ss->print("Current frame's local size doesn't match stackmap.");
 489       break;
 490     case STACK_SIZE_MISMATCH:
 491       ss->print("Current frame's stack size doesn't match stackmap.");
 492       break;
 493     case STRICT_FIELDS_MISMATCH:
 494       ss->print("Current frame's strict instance fields not compatible with stackmap.");
 495       break;
 496     case STACK_OVERFLOW:
 497       ss->print("Exceeded max stack size.");
 498       break;
 499     case STACK_UNDERFLOW:
 500       ss->print("Attempt to pop empty stack.");
 501       break;
 502     case MISSING_STACKMAP:
 503       ss->print("Expected stackmap frame at this location.");
 504       break;
 505     case BAD_STACKMAP:
 506       ss->print("Invalid stackmap specification.");
 507       break;
 508     case WRONG_INLINE_TYPE:
 509       ss->print("Type ");
 510       _type.details(ss);
 511       ss->print(" and type ");
 512       _expected.details(ss);
 513       ss->print(" must be identical inline types.");
 514       break;
 515     case UNKNOWN:
 516     default:
 517       ShouldNotReachHere();
 518       ss->print_cr("Unknown");
 519   }
 520   ss->cr();
 521 }
 522 
 523 void ErrorContext::location_details(outputStream* ss, const Method* method) const {
 524   if (_bci != -1 && method != nullptr) {
 525     streamIndentor si(ss);
 526     const char* bytecode_name = "<invalid>";
 527     if (method->validate_bci(_bci) != -1) {
 528       Bytecodes::Code code = Bytecodes::code_or_bp_at(method->bcp_from(_bci));
 529       if (Bytecodes::is_defined(code)) {
 530           bytecode_name = Bytecodes::name(code);
 531       } else {
 532           bytecode_name = "<illegal>";
 533       }
 534     }
 535     InstanceKlass* ik = method->method_holder();
 536     ss->indent().print_cr("Location:");
 537     streamIndentor si2(ss);
 538     ss->indent().print_cr("%s.%s%s @%d: %s",
 539         ik->name()->as_C_string(), method->name()->as_C_string(),
 540         method->signature()->as_C_string(), _bci, bytecode_name);
 541   }
 542 }
 543 
 544 void ErrorContext::frame_details(outputStream* ss) const {
 545   streamIndentor si(ss);
 546   if (_type.is_valid() && _type.frame() != nullptr) {
 547     ss->indent().print_cr("Current Frame:");
 548     streamIndentor si2(ss);
 549     _type.frame()->print_on(ss);
 550   }
 551   if (_expected.is_valid() && _expected.frame() != nullptr) {
 552     ss->indent().print_cr("Stackmap Frame:");
 553     streamIndentor si2(ss);
 554     _expected.frame()->print_on(ss);
 555   }
 556 }
 557 
 558 void ErrorContext::bytecode_details(outputStream* ss, const Method* method) const {
 559   if (method != nullptr) {
 560     streamIndentor si(ss);
 561     ss->indent().print_cr("Bytecode:");
 562     streamIndentor si2(ss);
 563     ss->print_data(method->code_base(), method->code_size(), false);
 564   }
 565 }
 566 
 567 void ErrorContext::handler_details(outputStream* ss, const Method* method) const {
 568   if (method != nullptr) {
 569     streamIndentor si(ss);
 570     ExceptionTable table(method);
 571     if (table.length() > 0) {
 572       ss->indent().print_cr("Exception Handler Table:");
 573       streamIndentor si2(ss);
 574       for (int i = 0; i < table.length(); ++i) {
 575         ss->indent().print_cr("bci [%d, %d] => handler: %d", table.start_pc(i),
 576             table.end_pc(i), table.handler_pc(i));
 577       }
 578     }
 579   }
 580 }
 581 
 582 void ErrorContext::stackmap_details(outputStream* ss, const Method* method) const {
 583   if (method != nullptr && method->has_stackmap_table()) {
 584     streamIndentor si(ss);
 585     ss->indent().print_cr("Stackmap Table:");
 586     Array<u1>* data = method->stackmap_data();
 587     stack_map_table* sm_table =
 588         stack_map_table::at((address)data->adr_at(0));
 589     stack_map_frame* sm_frame = sm_table->entries();
 590     streamIndentor si2(ss);
 591     int current_offset = -1;
 592     address end_of_sm_table = (address)sm_table + method->stackmap_data()->length();
 593     for (u2 i = 0; i < sm_table->number_of_entries(); ++i) {
 594       ss->indent();
 595       if (!sm_frame->verify((address)sm_frame, end_of_sm_table)) {
 596         sm_frame->print_truncated(ss, current_offset);
 597         return;
 598       }
 599       sm_frame->print_on(ss, current_offset);
 600       ss->cr();
 601       current_offset += sm_frame->offset_delta();
 602       sm_frame = sm_frame->next();
 603     }
 604   }
 605 }
 606 
 607 // Methods in ClassVerifier
 608 
 609 ClassVerifier::ClassVerifier(JavaThread* current, InstanceKlass* klass)
 610     : _thread(current), _previous_symbol(nullptr), _symbols(nullptr), _exception_type(nullptr),
 611       _message(nullptr), _klass(klass) {
 612   _this_type = VerificationType::reference_type(klass->name());
 613 }
 614 
 615 ClassVerifier::~ClassVerifier() {
 616   // Decrement the reference count for any symbols created.
 617   if (_symbols != nullptr) {
 618     for (int i = 0; i < _symbols->length(); i++) {
 619       Symbol* s = _symbols->at(i);
 620       s->decrement_refcount();
 621     }
 622   }
 623 }
 624 
 625 VerificationType ClassVerifier::object_type() const {
 626   return VerificationType::reference_type(vmSymbols::java_lang_Object());
 627 }
 628 
 629 TypeOrigin ClassVerifier::ref_ctx(const char* sig) {
 630   VerificationType vt = VerificationType::reference_type(
 631                          create_temporary_symbol(sig, (int)strlen(sig)));
 632   return TypeOrigin::implicit(vt);
 633 }
 634 
 635 static bool supports_strict_fields(InstanceKlass* klass) {
 636   int ver = klass->major_version();
 637   return ver > Verifier::VALUE_TYPES_MAJOR_VERSION ||
 638          (ver == Verifier::VALUE_TYPES_MAJOR_VERSION && klass->minor_version() == Verifier::JAVA_PREVIEW_MINOR_VERSION);
 639 }
 640 
 641 void ClassVerifier::verify_class(TRAPS) {
 642   log_info(verification)("Verifying class %s with new format", _klass->external_name());
 643 
 644   // Either verifying both local and remote classes or just remote classes.
 645   assert(BytecodeVerificationRemote, "Should not be here");
 646 
 647   Array<Method*>* methods = _klass->methods();
 648   int num_methods = methods->length();
 649 
 650   for (int index = 0; index < num_methods; index++) {
 651     // Check for recursive re-verification before each method.
 652     if (was_recursively_verified()) return;
 653 
 654     Method* m = methods->at(index);
 655     if (m->is_native() || m->is_abstract() || m->is_overpass()) {
 656       // If m is native or abstract, skip it.  It is checked in class file
 657       // parser that methods do not override a final method.  Overpass methods
 658       // are trusted since the VM generates them.
 659       continue;
 660     }
 661     verify_method(methodHandle(THREAD, m), CHECK_VERIFY(this));
 662   }
 663 
 664   if (was_recursively_verified()){
 665     log_info(verification)("Recursive verification detected for: %s", _klass->external_name());
 666     log_info(class, init)("Recursive verification detected for: %s",
 667                         _klass->external_name());
 668   }
 669 }
 670 
 671 // Translate the signature entries into verification types and save them in
 672 // the growable array.  Also, save the count of arguments.
 673 void ClassVerifier::translate_signature(Symbol* const method_sig,
 674                                         sig_as_verification_types* sig_verif_types) {
 675   SignatureStream sig_stream(method_sig);
 676   VerificationType sig_type[2];
 677   int sig_i = 0;
 678   GrowableArray<VerificationType>* verif_types = sig_verif_types->sig_verif_types();
 679 
 680   // Translate the signature arguments into verification types.
 681   while (!sig_stream.at_return_type()) {
 682     int n = change_sig_to_verificationType(&sig_stream, sig_type);
 683     assert(n <= 2, "Unexpected signature type");
 684 
 685     // Store verification type(s).  Longs and Doubles each have two verificationTypes.
 686     for (int x = 0; x < n; x++) {
 687       verif_types->push(sig_type[x]);
 688     }
 689     sig_i += n;
 690     sig_stream.next();
 691   }
 692 
 693   // Set final arg count, not including the return type.  The final arg count will
 694   // be compared with sig_verify_types' length to see if there is a return type.
 695   sig_verif_types->set_num_args(sig_i);
 696 
 697   // Store verification type(s) for the return type, if there is one.
 698   if (sig_stream.type() != T_VOID) {
 699     int n = change_sig_to_verificationType(&sig_stream, sig_type);
 700     assert(n <= 2, "Unexpected signature return type");
 701     for (int y = 0; y < n; y++) {
 702       verif_types->push(sig_type[y]);
 703     }
 704   }
 705 }
 706 
 707 void ClassVerifier::create_method_sig_entry(sig_as_verification_types* sig_verif_types,
 708                                             int sig_index) {
 709   // Translate the signature into verification types.
 710   ConstantPool* cp = _klass->constants();
 711   Symbol* const method_sig = cp->symbol_at(sig_index);
 712   translate_signature(method_sig, sig_verif_types);
 713 
 714   // Add the list of this signature's verification types to the table.
 715   bool is_unique = method_signatures_table()->put(sig_index, sig_verif_types);
 716   assert(is_unique, "Duplicate entries in method_signature_table");
 717 }
 718 
 719 void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
 720   HandleMark hm(THREAD);
 721   _method = m;   // initialize _method
 722   log_info(verification)("Verifying method %s", m->name_and_sig_as_C_string());
 723 
 724 // For clang, the only good constant format string is a literal constant format string.
 725 #define bad_type_msg "Bad type on operand stack in %s"
 726 
 727   u2 max_stack = m->verifier_max_stack();
 728   u2 max_locals = m->max_locals();
 729   constantPoolHandle cp(THREAD, m->constants());
 730 
 731   // Method signature was checked in ClassFileParser.
 732   assert(SignatureVerifier::is_valid_method_signature(m->signature()),
 733          "Invalid method signature");
 734 
 735   // Collect the initial strict instance fields
 736   StackMapFrame::AssertUnsetFieldTable* strict_fields = new StackMapFrame::AssertUnsetFieldTable();
 737   if (m->is_object_constructor()) {
 738     for (AllFieldStream fs(m->method_holder()); !fs.done(); fs.next()) {
 739       if (fs.access_flags().is_strict() && !fs.access_flags().is_static()) {
 740         NameAndSig new_field(fs.name(), fs.signature());
 741         if (IgnoreAssertUnsetFields) {
 742           strict_fields->put(new_field, true);
 743         } else {
 744           strict_fields->put(new_field, false);
 745         }
 746       }
 747     }
 748   }
 749 
 750   // Initial stack map frame: offset is 0, stack is initially empty.
 751   StackMapFrame current_frame(max_locals, max_stack, strict_fields, this);
 752   // Set initial locals
 753   VerificationType return_type = current_frame.set_locals_from_arg( m, current_type());
 754 
 755   u2 stackmap_index = 0; // index to the stackmap array
 756 
 757   u4 code_length = m->code_size();
 758 
 759   // Scan the bytecode and map each instruction's start offset to a number.
 760   char* code_data = generate_code_data(m, code_length, CHECK_VERIFY(this));
 761 
 762   int ex_min = code_length;
 763   int ex_max = -1;
 764   // Look through each item on the exception table. Each of the fields must refer
 765   // to a legal instruction.
 766   if (was_recursively_verified()) return;
 767   verify_exception_handler_table(
 768     code_length, code_data, ex_min, ex_max, CHECK_VERIFY(this));
 769 
 770   // Look through each entry on the local variable table and make sure
 771   // its range of code array offsets is valid. (4169817)
 772   if (m->has_localvariable_table()) {
 773     verify_local_variable_table(code_length, code_data, CHECK_VERIFY(this));
 774   }
 775 
 776   Array<u1>* stackmap_data = m->stackmap_data();
 777   StackMapStream stream(stackmap_data);
 778   StackMapReader reader(this, &stream, code_data, code_length, &current_frame, max_locals, max_stack, strict_fields, THREAD);
 779   StackMapTable stackmap_table(&reader, CHECK_VERIFY(this));
 780 
 781   LogTarget(Debug, verification) lt;
 782   if (lt.is_enabled()) {
 783     LogStream ls(lt);
 784     stackmap_table.print_on(&ls);
 785   }
 786 
 787   RawBytecodeStream bcs(m);
 788 
 789   // Scan the byte code linearly from the start to the end
 790   bool no_control_flow = false; // Set to true when there is no direct control
 791                                 // flow from current instruction to the next
 792                                 // instruction in sequence
 793 
 794   Bytecodes::Code opcode;
 795   while (!bcs.is_last_bytecode()) {
 796     // Check for recursive re-verification before each bytecode.
 797     if (was_recursively_verified())  return;
 798 
 799     opcode = bcs.raw_next();
 800     int bci = bcs.bci();
 801 
 802     // Set current frame's offset to bci
 803     current_frame.set_offset(bci);
 804     current_frame.set_mark();
 805 
 806     // Make sure every offset in stackmap table point to the beginning to
 807     // an instruction. Match current_frame to stackmap_table entry with
 808     // the same offset if exists.
 809     stackmap_index = verify_stackmap_table(
 810       stackmap_index, bci, &current_frame, &stackmap_table,
 811       no_control_flow, CHECK_VERIFY(this));
 812 
 813 
 814     bool this_uninit = false;  // Set to true when invokespecial <init> initialized 'this'
 815     bool verified_exc_handlers = false;
 816 
 817     // Merge with the next instruction
 818     {
 819       int target;
 820       VerificationType type, type2;
 821       VerificationType atype;
 822 
 823       LogTarget(Debug, verification) lt;
 824       if (lt.is_enabled()) {
 825         LogStream ls(lt);
 826         current_frame.print_on(&ls);
 827         lt.print("offset = %d,  opcode = %s", bci,
 828                  opcode == Bytecodes::_illegal ? "illegal" : Bytecodes::name(opcode));
 829       }
 830 
 831       // Make sure wide instruction is in correct format
 832       if (bcs.is_wide()) {
 833         if (opcode != Bytecodes::_iinc   && opcode != Bytecodes::_iload  &&
 834             opcode != Bytecodes::_aload  && opcode != Bytecodes::_lload  &&
 835             opcode != Bytecodes::_istore && opcode != Bytecodes::_astore &&
 836             opcode != Bytecodes::_lstore && opcode != Bytecodes::_fload  &&
 837             opcode != Bytecodes::_dload  && opcode != Bytecodes::_fstore &&
 838             opcode != Bytecodes::_dstore) {
 839           /* Unreachable?  RawBytecodeStream's raw_next() returns 'illegal'
 840            * if we encounter a wide instruction that modifies an invalid
 841            * opcode (not one of the ones listed above) */
 842           verify_error(ErrorContext::bad_code(bci), "Bad wide instruction");
 843           return;
 844         }
 845       }
 846 
 847       // Look for possible jump target in exception handlers and see if it
 848       // matches current_frame.  Do this check here for astore*, dstore*,
 849       // fstore*, istore*, and lstore* opcodes because they can change the type
 850       // state by adding a local.  JVM Spec says that the incoming type state
 851       // should be used for this check.  So, do the check here before a possible
 852       // local is added to the type state.
 853       if (Bytecodes::is_store_into_local(opcode) && bci >= ex_min && bci < ex_max) {
 854         if (was_recursively_verified()) return;
 855         verify_exception_handler_targets(
 856           bci, this_uninit, &current_frame, &stackmap_table, CHECK_VERIFY(this));
 857         verified_exc_handlers = true;
 858       }
 859 
 860       if (was_recursively_verified()) return;
 861 
 862       switch (opcode) {
 863         case Bytecodes::_nop :
 864           no_control_flow = false; break;
 865         case Bytecodes::_aconst_null :
 866           current_frame.push_stack(
 867             VerificationType::null_type(), CHECK_VERIFY(this));
 868           no_control_flow = false; break;
 869         case Bytecodes::_iconst_m1 :
 870         case Bytecodes::_iconst_0 :
 871         case Bytecodes::_iconst_1 :
 872         case Bytecodes::_iconst_2 :
 873         case Bytecodes::_iconst_3 :
 874         case Bytecodes::_iconst_4 :
 875         case Bytecodes::_iconst_5 :
 876           current_frame.push_stack(
 877             VerificationType::integer_type(), CHECK_VERIFY(this));
 878           no_control_flow = false; break;
 879         case Bytecodes::_lconst_0 :
 880         case Bytecodes::_lconst_1 :
 881           current_frame.push_stack_2(
 882             VerificationType::long_type(),
 883             VerificationType::long2_type(), CHECK_VERIFY(this));
 884           no_control_flow = false; break;
 885         case Bytecodes::_fconst_0 :
 886         case Bytecodes::_fconst_1 :
 887         case Bytecodes::_fconst_2 :
 888           current_frame.push_stack(
 889             VerificationType::float_type(), CHECK_VERIFY(this));
 890           no_control_flow = false; break;
 891         case Bytecodes::_dconst_0 :
 892         case Bytecodes::_dconst_1 :
 893           current_frame.push_stack_2(
 894             VerificationType::double_type(),
 895             VerificationType::double2_type(), CHECK_VERIFY(this));
 896           no_control_flow = false; break;
 897         case Bytecodes::_sipush :
 898         case Bytecodes::_bipush :
 899           current_frame.push_stack(
 900             VerificationType::integer_type(), CHECK_VERIFY(this));
 901           no_control_flow = false; break;
 902         case Bytecodes::_ldc :
 903           verify_ldc(
 904             opcode, bcs.get_index_u1(), &current_frame,
 905             cp, bci, CHECK_VERIFY(this));
 906           no_control_flow = false; break;
 907         case Bytecodes::_ldc_w :
 908         case Bytecodes::_ldc2_w :
 909           verify_ldc(
 910             opcode, bcs.get_index_u2(), &current_frame,
 911             cp, bci, CHECK_VERIFY(this));
 912           no_control_flow = false; break;
 913         case Bytecodes::_iload :
 914           verify_iload(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
 915           no_control_flow = false; break;
 916         case Bytecodes::_iload_0 :
 917         case Bytecodes::_iload_1 :
 918         case Bytecodes::_iload_2 :
 919         case Bytecodes::_iload_3 : {
 920           int index = opcode - Bytecodes::_iload_0;
 921           verify_iload(index, &current_frame, CHECK_VERIFY(this));
 922           no_control_flow = false; break;
 923           }
 924         case Bytecodes::_lload :
 925           verify_lload(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
 926           no_control_flow = false; break;
 927         case Bytecodes::_lload_0 :
 928         case Bytecodes::_lload_1 :
 929         case Bytecodes::_lload_2 :
 930         case Bytecodes::_lload_3 : {
 931           int index = opcode - Bytecodes::_lload_0;
 932           verify_lload(index, &current_frame, CHECK_VERIFY(this));
 933           no_control_flow = false; break;
 934           }
 935         case Bytecodes::_fload :
 936           verify_fload(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
 937           no_control_flow = false; break;
 938         case Bytecodes::_fload_0 :
 939         case Bytecodes::_fload_1 :
 940         case Bytecodes::_fload_2 :
 941         case Bytecodes::_fload_3 : {
 942           int index = opcode - Bytecodes::_fload_0;
 943           verify_fload(index, &current_frame, CHECK_VERIFY(this));
 944           no_control_flow = false; break;
 945           }
 946         case Bytecodes::_dload :
 947           verify_dload(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
 948           no_control_flow = false; break;
 949         case Bytecodes::_dload_0 :
 950         case Bytecodes::_dload_1 :
 951         case Bytecodes::_dload_2 :
 952         case Bytecodes::_dload_3 : {
 953           int index = opcode - Bytecodes::_dload_0;
 954           verify_dload(index, &current_frame, CHECK_VERIFY(this));
 955           no_control_flow = false; break;
 956           }
 957         case Bytecodes::_aload :
 958           verify_aload(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
 959           no_control_flow = false; break;
 960         case Bytecodes::_aload_0 :
 961         case Bytecodes::_aload_1 :
 962         case Bytecodes::_aload_2 :
 963         case Bytecodes::_aload_3 : {
 964           int index = opcode - Bytecodes::_aload_0;
 965           verify_aload(index, &current_frame, CHECK_VERIFY(this));
 966           no_control_flow = false; break;
 967           }
 968         case Bytecodes::_iaload :
 969           type = current_frame.pop_stack(
 970             VerificationType::integer_type(), CHECK_VERIFY(this));
 971           atype = current_frame.pop_stack(
 972             VerificationType::reference_check(), CHECK_VERIFY(this));
 973           if (!atype.is_int_array()) {
 974             verify_error(ErrorContext::bad_type(bci,
 975                 current_frame.stack_top_ctx(), ref_ctx("[I")),
 976                 bad_type_msg, "iaload");
 977             return;
 978           }
 979           current_frame.push_stack(
 980             VerificationType::integer_type(), CHECK_VERIFY(this));
 981           no_control_flow = false; break;
 982         case Bytecodes::_baload :
 983           type = current_frame.pop_stack(
 984             VerificationType::integer_type(), CHECK_VERIFY(this));
 985           atype = current_frame.pop_stack(
 986             VerificationType::reference_check(), CHECK_VERIFY(this));
 987           if (!atype.is_bool_array() && !atype.is_byte_array()) {
 988             verify_error(
 989                 ErrorContext::bad_type(bci, current_frame.stack_top_ctx()),
 990                 bad_type_msg, "baload");
 991             return;
 992           }
 993           current_frame.push_stack(
 994             VerificationType::integer_type(), CHECK_VERIFY(this));
 995           no_control_flow = false; break;
 996         case Bytecodes::_caload :
 997           type = current_frame.pop_stack(
 998             VerificationType::integer_type(), CHECK_VERIFY(this));
 999           atype = current_frame.pop_stack(
1000             VerificationType::reference_check(), CHECK_VERIFY(this));
1001           if (!atype.is_char_array()) {
1002             verify_error(ErrorContext::bad_type(bci,
1003                 current_frame.stack_top_ctx(), ref_ctx("[C")),
1004                 bad_type_msg, "caload");
1005             return;
1006           }
1007           current_frame.push_stack(
1008             VerificationType::integer_type(), CHECK_VERIFY(this));
1009           no_control_flow = false; break;
1010         case Bytecodes::_saload :
1011           type = current_frame.pop_stack(
1012             VerificationType::integer_type(), CHECK_VERIFY(this));
1013           atype = current_frame.pop_stack(
1014             VerificationType::reference_check(), CHECK_VERIFY(this));
1015           if (!atype.is_short_array()) {
1016             verify_error(ErrorContext::bad_type(bci,
1017                 current_frame.stack_top_ctx(), ref_ctx("[S")),
1018                 bad_type_msg, "saload");
1019             return;
1020           }
1021           current_frame.push_stack(
1022             VerificationType::integer_type(), CHECK_VERIFY(this));
1023           no_control_flow = false; break;
1024         case Bytecodes::_laload :
1025           type = current_frame.pop_stack(
1026             VerificationType::integer_type(), CHECK_VERIFY(this));
1027           atype = current_frame.pop_stack(
1028             VerificationType::reference_check(), CHECK_VERIFY(this));
1029           if (!atype.is_long_array()) {
1030             verify_error(ErrorContext::bad_type(bci,
1031                 current_frame.stack_top_ctx(), ref_ctx("[J")),
1032                 bad_type_msg, "laload");
1033             return;
1034           }
1035           current_frame.push_stack_2(
1036             VerificationType::long_type(),
1037             VerificationType::long2_type(), CHECK_VERIFY(this));
1038           no_control_flow = false; break;
1039         case Bytecodes::_faload :
1040           type = current_frame.pop_stack(
1041             VerificationType::integer_type(), CHECK_VERIFY(this));
1042           atype = current_frame.pop_stack(
1043             VerificationType::reference_check(), CHECK_VERIFY(this));
1044           if (!atype.is_float_array()) {
1045             verify_error(ErrorContext::bad_type(bci,
1046                 current_frame.stack_top_ctx(), ref_ctx("[F")),
1047                 bad_type_msg, "faload");
1048             return;
1049           }
1050           current_frame.push_stack(
1051             VerificationType::float_type(), CHECK_VERIFY(this));
1052           no_control_flow = false; break;
1053         case Bytecodes::_daload :
1054           type = current_frame.pop_stack(
1055             VerificationType::integer_type(), CHECK_VERIFY(this));
1056           atype = current_frame.pop_stack(
1057             VerificationType::reference_check(), CHECK_VERIFY(this));
1058           if (!atype.is_double_array()) {
1059             verify_error(ErrorContext::bad_type(bci,
1060                 current_frame.stack_top_ctx(), ref_ctx("[D")),
1061                 bad_type_msg, "daload");
1062             return;
1063           }
1064           current_frame.push_stack_2(
1065             VerificationType::double_type(),
1066             VerificationType::double2_type(), CHECK_VERIFY(this));
1067           no_control_flow = false; break;
1068         case Bytecodes::_aaload : {
1069           type = current_frame.pop_stack(
1070             VerificationType::integer_type(), CHECK_VERIFY(this));
1071           atype = current_frame.pop_stack(
1072             VerificationType::reference_check(), CHECK_VERIFY(this));
1073           if (!atype.is_reference_array()) {
1074             verify_error(ErrorContext::bad_type(bci,
1075                 current_frame.stack_top_ctx(),
1076                 TypeOrigin::implicit(VerificationType::reference_check())),
1077                 bad_type_msg, "aaload");
1078             return;
1079           }
1080           if (atype.is_null()) {
1081             current_frame.push_stack(
1082               VerificationType::null_type(), CHECK_VERIFY(this));
1083           } else {
1084             VerificationType component = atype.get_component(this);
1085             current_frame.push_stack(component, CHECK_VERIFY(this));
1086           }
1087           no_control_flow = false; break;
1088         }
1089         case Bytecodes::_istore :
1090           verify_istore(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
1091           no_control_flow = false; break;
1092         case Bytecodes::_istore_0 :
1093         case Bytecodes::_istore_1 :
1094         case Bytecodes::_istore_2 :
1095         case Bytecodes::_istore_3 : {
1096           int index = opcode - Bytecodes::_istore_0;
1097           verify_istore(index, &current_frame, CHECK_VERIFY(this));
1098           no_control_flow = false; break;
1099           }
1100         case Bytecodes::_lstore :
1101           verify_lstore(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
1102           no_control_flow = false; break;
1103         case Bytecodes::_lstore_0 :
1104         case Bytecodes::_lstore_1 :
1105         case Bytecodes::_lstore_2 :
1106         case Bytecodes::_lstore_3 : {
1107           int index = opcode - Bytecodes::_lstore_0;
1108           verify_lstore(index, &current_frame, CHECK_VERIFY(this));
1109           no_control_flow = false; break;
1110           }
1111         case Bytecodes::_fstore :
1112           verify_fstore(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
1113           no_control_flow = false; break;
1114         case Bytecodes::_fstore_0 :
1115         case Bytecodes::_fstore_1 :
1116         case Bytecodes::_fstore_2 :
1117         case Bytecodes::_fstore_3 : {
1118           int index = opcode - Bytecodes::_fstore_0;
1119           verify_fstore(index, &current_frame, CHECK_VERIFY(this));
1120           no_control_flow = false; break;
1121           }
1122         case Bytecodes::_dstore :
1123           verify_dstore(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
1124           no_control_flow = false; break;
1125         case Bytecodes::_dstore_0 :
1126         case Bytecodes::_dstore_1 :
1127         case Bytecodes::_dstore_2 :
1128         case Bytecodes::_dstore_3 : {
1129           int index = opcode - Bytecodes::_dstore_0;
1130           verify_dstore(index, &current_frame, CHECK_VERIFY(this));
1131           no_control_flow = false; break;
1132           }
1133         case Bytecodes::_astore :
1134           verify_astore(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
1135           no_control_flow = false; break;
1136         case Bytecodes::_astore_0 :
1137         case Bytecodes::_astore_1 :
1138         case Bytecodes::_astore_2 :
1139         case Bytecodes::_astore_3 : {
1140           int index = opcode - Bytecodes::_astore_0;
1141           verify_astore(index, &current_frame, CHECK_VERIFY(this));
1142           no_control_flow = false; break;
1143           }
1144         case Bytecodes::_iastore :
1145           type = current_frame.pop_stack(
1146             VerificationType::integer_type(), CHECK_VERIFY(this));
1147           type2 = current_frame.pop_stack(
1148             VerificationType::integer_type(), CHECK_VERIFY(this));
1149           atype = current_frame.pop_stack(
1150             VerificationType::reference_check(), CHECK_VERIFY(this));
1151           if (!atype.is_int_array()) {
1152             verify_error(ErrorContext::bad_type(bci,
1153                 current_frame.stack_top_ctx(), ref_ctx("[I")),
1154                 bad_type_msg, "iastore");
1155             return;
1156           }
1157           no_control_flow = false; break;
1158         case Bytecodes::_bastore :
1159           type = current_frame.pop_stack(
1160             VerificationType::integer_type(), CHECK_VERIFY(this));
1161           type2 = current_frame.pop_stack(
1162             VerificationType::integer_type(), CHECK_VERIFY(this));
1163           atype = current_frame.pop_stack(
1164             VerificationType::reference_check(), CHECK_VERIFY(this));
1165           if (!atype.is_bool_array() && !atype.is_byte_array()) {
1166             verify_error(
1167                 ErrorContext::bad_type(bci, current_frame.stack_top_ctx()),
1168                 bad_type_msg, "bastore");
1169             return;
1170           }
1171           no_control_flow = false; break;
1172         case Bytecodes::_castore :
1173           current_frame.pop_stack(
1174             VerificationType::integer_type(), CHECK_VERIFY(this));
1175           current_frame.pop_stack(
1176             VerificationType::integer_type(), CHECK_VERIFY(this));
1177           atype = current_frame.pop_stack(
1178             VerificationType::reference_check(), CHECK_VERIFY(this));
1179           if (!atype.is_char_array()) {
1180             verify_error(ErrorContext::bad_type(bci,
1181                 current_frame.stack_top_ctx(), ref_ctx("[C")),
1182                 bad_type_msg, "castore");
1183             return;
1184           }
1185           no_control_flow = false; break;
1186         case Bytecodes::_sastore :
1187           current_frame.pop_stack(
1188             VerificationType::integer_type(), CHECK_VERIFY(this));
1189           current_frame.pop_stack(
1190             VerificationType::integer_type(), CHECK_VERIFY(this));
1191           atype = current_frame.pop_stack(
1192             VerificationType::reference_check(), CHECK_VERIFY(this));
1193           if (!atype.is_short_array()) {
1194             verify_error(ErrorContext::bad_type(bci,
1195                 current_frame.stack_top_ctx(), ref_ctx("[S")),
1196                 bad_type_msg, "sastore");
1197             return;
1198           }
1199           no_control_flow = false; break;
1200         case Bytecodes::_lastore :
1201           current_frame.pop_stack_2(
1202             VerificationType::long2_type(),
1203             VerificationType::long_type(), CHECK_VERIFY(this));
1204           current_frame.pop_stack(
1205             VerificationType::integer_type(), CHECK_VERIFY(this));
1206           atype = current_frame.pop_stack(
1207             VerificationType::reference_check(), CHECK_VERIFY(this));
1208           if (!atype.is_long_array()) {
1209             verify_error(ErrorContext::bad_type(bci,
1210                 current_frame.stack_top_ctx(), ref_ctx("[J")),
1211                 bad_type_msg, "lastore");
1212             return;
1213           }
1214           no_control_flow = false; break;
1215         case Bytecodes::_fastore :
1216           current_frame.pop_stack(
1217             VerificationType::float_type(), CHECK_VERIFY(this));
1218           current_frame.pop_stack
1219             (VerificationType::integer_type(), CHECK_VERIFY(this));
1220           atype = current_frame.pop_stack(
1221             VerificationType::reference_check(), CHECK_VERIFY(this));
1222           if (!atype.is_float_array()) {
1223             verify_error(ErrorContext::bad_type(bci,
1224                 current_frame.stack_top_ctx(), ref_ctx("[F")),
1225                 bad_type_msg, "fastore");
1226             return;
1227           }
1228           no_control_flow = false; break;
1229         case Bytecodes::_dastore :
1230           current_frame.pop_stack_2(
1231             VerificationType::double2_type(),
1232             VerificationType::double_type(), CHECK_VERIFY(this));
1233           current_frame.pop_stack(
1234             VerificationType::integer_type(), CHECK_VERIFY(this));
1235           atype = current_frame.pop_stack(
1236             VerificationType::reference_check(), CHECK_VERIFY(this));
1237           if (!atype.is_double_array()) {
1238             verify_error(ErrorContext::bad_type(bci,
1239                 current_frame.stack_top_ctx(), ref_ctx("[D")),
1240                 bad_type_msg, "dastore");
1241             return;
1242           }
1243           no_control_flow = false; break;
1244         case Bytecodes::_aastore :
1245           type = current_frame.pop_stack(object_type(), CHECK_VERIFY(this));
1246           type2 = current_frame.pop_stack(
1247             VerificationType::integer_type(), CHECK_VERIFY(this));
1248           atype = current_frame.pop_stack(
1249             VerificationType::reference_check(), CHECK_VERIFY(this));
1250           // more type-checking is done at runtime
1251           if (!atype.is_reference_array()) {
1252             verify_error(ErrorContext::bad_type(bci,
1253                 current_frame.stack_top_ctx(),
1254                 TypeOrigin::implicit(VerificationType::reference_check())),
1255                 bad_type_msg, "aastore");
1256             return;
1257           }
1258           // 4938384: relaxed constraint in JVMS 3rd edition.
1259           no_control_flow = false; break;
1260         case Bytecodes::_pop :
1261           current_frame.pop_stack(
1262             VerificationType::category1_check(), CHECK_VERIFY(this));
1263           no_control_flow = false; break;
1264         case Bytecodes::_pop2 :
1265           type = current_frame.pop_stack(CHECK_VERIFY(this));
1266           if (type.is_category1()) {
1267             current_frame.pop_stack(
1268               VerificationType::category1_check(), CHECK_VERIFY(this));
1269           } else if (type.is_category2_2nd()) {
1270             current_frame.pop_stack(
1271               VerificationType::category2_check(), CHECK_VERIFY(this));
1272           } else {
1273             /* Unreachable? Would need a category2_1st on TOS
1274              * which does not appear possible. */
1275             verify_error(
1276                 ErrorContext::bad_type(bci, current_frame.stack_top_ctx()),
1277                 bad_type_msg, "pop2");
1278             return;
1279           }
1280           no_control_flow = false; break;
1281         case Bytecodes::_dup :
1282           type = current_frame.pop_stack(
1283             VerificationType::category1_check(), CHECK_VERIFY(this));
1284           current_frame.push_stack(type, CHECK_VERIFY(this));
1285           current_frame.push_stack(type, CHECK_VERIFY(this));
1286           no_control_flow = false; break;
1287         case Bytecodes::_dup_x1 :
1288           type = current_frame.pop_stack(
1289             VerificationType::category1_check(), CHECK_VERIFY(this));
1290           type2 = current_frame.pop_stack(
1291             VerificationType::category1_check(), CHECK_VERIFY(this));
1292           current_frame.push_stack(type, CHECK_VERIFY(this));
1293           current_frame.push_stack(type2, CHECK_VERIFY(this));
1294           current_frame.push_stack(type, CHECK_VERIFY(this));
1295           no_control_flow = false; break;
1296         case Bytecodes::_dup_x2 :
1297         {
1298           VerificationType type3;
1299           type = current_frame.pop_stack(
1300             VerificationType::category1_check(), CHECK_VERIFY(this));
1301           type2 = current_frame.pop_stack(CHECK_VERIFY(this));
1302           if (type2.is_category1()) {
1303             type3 = current_frame.pop_stack(
1304               VerificationType::category1_check(), CHECK_VERIFY(this));
1305           } else if (type2.is_category2_2nd()) {
1306             type3 = current_frame.pop_stack(
1307               VerificationType::category2_check(), CHECK_VERIFY(this));
1308           } else {
1309             /* Unreachable? Would need a category2_1st at stack depth 2 with
1310              * a category1 on TOS which does not appear possible. */
1311             verify_error(ErrorContext::bad_type(
1312                 bci, current_frame.stack_top_ctx()), bad_type_msg, "dup_x2");
1313             return;
1314           }
1315           current_frame.push_stack(type, CHECK_VERIFY(this));
1316           current_frame.push_stack(type3, CHECK_VERIFY(this));
1317           current_frame.push_stack(type2, CHECK_VERIFY(this));
1318           current_frame.push_stack(type, CHECK_VERIFY(this));
1319           no_control_flow = false; break;
1320         }
1321         case Bytecodes::_dup2 :
1322           type = current_frame.pop_stack(CHECK_VERIFY(this));
1323           if (type.is_category1()) {
1324             type2 = current_frame.pop_stack(
1325               VerificationType::category1_check(), CHECK_VERIFY(this));
1326           } else if (type.is_category2_2nd()) {
1327             type2 = current_frame.pop_stack(
1328               VerificationType::category2_check(), CHECK_VERIFY(this));
1329           } else {
1330             /* Unreachable?  Would need a category2_1st on TOS which does not
1331              * appear possible. */
1332             verify_error(
1333                 ErrorContext::bad_type(bci, current_frame.stack_top_ctx()),
1334                 bad_type_msg, "dup2");
1335             return;
1336           }
1337           current_frame.push_stack(type2, CHECK_VERIFY(this));
1338           current_frame.push_stack(type, CHECK_VERIFY(this));
1339           current_frame.push_stack(type2, CHECK_VERIFY(this));
1340           current_frame.push_stack(type, CHECK_VERIFY(this));
1341           no_control_flow = false; break;
1342         case Bytecodes::_dup2_x1 :
1343         {
1344           VerificationType type3;
1345           type = current_frame.pop_stack(CHECK_VERIFY(this));
1346           if (type.is_category1()) {
1347             type2 = current_frame.pop_stack(
1348               VerificationType::category1_check(), CHECK_VERIFY(this));
1349           } else if (type.is_category2_2nd()) {
1350             type2 = current_frame.pop_stack(
1351               VerificationType::category2_check(), CHECK_VERIFY(this));
1352           } else {
1353             /* Unreachable?  Would need a category2_1st on TOS which does
1354              * not appear possible. */
1355             verify_error(
1356                 ErrorContext::bad_type(bci, current_frame.stack_top_ctx()),
1357                 bad_type_msg, "dup2_x1");
1358             return;
1359           }
1360           type3 = current_frame.pop_stack(
1361             VerificationType::category1_check(), CHECK_VERIFY(this));
1362           current_frame.push_stack(type2, CHECK_VERIFY(this));
1363           current_frame.push_stack(type, CHECK_VERIFY(this));
1364           current_frame.push_stack(type3, CHECK_VERIFY(this));
1365           current_frame.push_stack(type2, CHECK_VERIFY(this));
1366           current_frame.push_stack(type, CHECK_VERIFY(this));
1367           no_control_flow = false; break;
1368         }
1369         case Bytecodes::_dup2_x2 :
1370         {
1371           VerificationType type3, type4;
1372           type = current_frame.pop_stack(CHECK_VERIFY(this));
1373           if (type.is_category1()) {
1374             type2 = current_frame.pop_stack(
1375               VerificationType::category1_check(), CHECK_VERIFY(this));
1376           } else if (type.is_category2_2nd()) {
1377             type2 = current_frame.pop_stack(
1378               VerificationType::category2_check(), CHECK_VERIFY(this));
1379           } else {
1380             /* Unreachable?  Would need a category2_1st on TOS which does
1381              * not appear possible. */
1382             verify_error(
1383                 ErrorContext::bad_type(bci, current_frame.stack_top_ctx()),
1384                 bad_type_msg, "dup2_x2");
1385             return;
1386           }
1387           type3 = current_frame.pop_stack(CHECK_VERIFY(this));
1388           if (type3.is_category1()) {
1389             type4 = current_frame.pop_stack(
1390               VerificationType::category1_check(), CHECK_VERIFY(this));
1391           } else if (type3.is_category2_2nd()) {
1392             type4 = current_frame.pop_stack(
1393               VerificationType::category2_check(), CHECK_VERIFY(this));
1394           } else {
1395             /* Unreachable?  Would need a category2_1st on TOS after popping
1396              * a long/double or two category 1's, which does not
1397              * appear possible. */
1398             verify_error(
1399                 ErrorContext::bad_type(bci, current_frame.stack_top_ctx()),
1400                 bad_type_msg, "dup2_x2");
1401             return;
1402           }
1403           current_frame.push_stack(type2, CHECK_VERIFY(this));
1404           current_frame.push_stack(type, CHECK_VERIFY(this));
1405           current_frame.push_stack(type4, CHECK_VERIFY(this));
1406           current_frame.push_stack(type3, CHECK_VERIFY(this));
1407           current_frame.push_stack(type2, CHECK_VERIFY(this));
1408           current_frame.push_stack(type, CHECK_VERIFY(this));
1409           no_control_flow = false; break;
1410         }
1411         case Bytecodes::_swap :
1412           type = current_frame.pop_stack(
1413             VerificationType::category1_check(), CHECK_VERIFY(this));
1414           type2 = current_frame.pop_stack(
1415             VerificationType::category1_check(), CHECK_VERIFY(this));
1416           current_frame.push_stack(type, CHECK_VERIFY(this));
1417           current_frame.push_stack(type2, CHECK_VERIFY(this));
1418           no_control_flow = false; break;
1419         case Bytecodes::_iadd :
1420         case Bytecodes::_isub :
1421         case Bytecodes::_imul :
1422         case Bytecodes::_idiv :
1423         case Bytecodes::_irem :
1424         case Bytecodes::_ishl :
1425         case Bytecodes::_ishr :
1426         case Bytecodes::_iushr :
1427         case Bytecodes::_ior :
1428         case Bytecodes::_ixor :
1429         case Bytecodes::_iand :
1430           current_frame.pop_stack(
1431             VerificationType::integer_type(), CHECK_VERIFY(this));
1432           // fall through
1433         case Bytecodes::_ineg :
1434           current_frame.pop_stack(
1435             VerificationType::integer_type(), CHECK_VERIFY(this));
1436           current_frame.push_stack(
1437             VerificationType::integer_type(), CHECK_VERIFY(this));
1438           no_control_flow = false; break;
1439         case Bytecodes::_ladd :
1440         case Bytecodes::_lsub :
1441         case Bytecodes::_lmul :
1442         case Bytecodes::_ldiv :
1443         case Bytecodes::_lrem :
1444         case Bytecodes::_land :
1445         case Bytecodes::_lor :
1446         case Bytecodes::_lxor :
1447           current_frame.pop_stack_2(
1448             VerificationType::long2_type(),
1449             VerificationType::long_type(), CHECK_VERIFY(this));
1450           // fall through
1451         case Bytecodes::_lneg :
1452           current_frame.pop_stack_2(
1453             VerificationType::long2_type(),
1454             VerificationType::long_type(), CHECK_VERIFY(this));
1455           current_frame.push_stack_2(
1456             VerificationType::long_type(),
1457             VerificationType::long2_type(), CHECK_VERIFY(this));
1458           no_control_flow = false; break;
1459         case Bytecodes::_lshl :
1460         case Bytecodes::_lshr :
1461         case Bytecodes::_lushr :
1462           current_frame.pop_stack(
1463             VerificationType::integer_type(), CHECK_VERIFY(this));
1464           current_frame.pop_stack_2(
1465             VerificationType::long2_type(),
1466             VerificationType::long_type(), CHECK_VERIFY(this));
1467           current_frame.push_stack_2(
1468             VerificationType::long_type(),
1469             VerificationType::long2_type(), CHECK_VERIFY(this));
1470           no_control_flow = false; break;
1471         case Bytecodes::_fadd :
1472         case Bytecodes::_fsub :
1473         case Bytecodes::_fmul :
1474         case Bytecodes::_fdiv :
1475         case Bytecodes::_frem :
1476           current_frame.pop_stack(
1477             VerificationType::float_type(), CHECK_VERIFY(this));
1478           // fall through
1479         case Bytecodes::_fneg :
1480           current_frame.pop_stack(
1481             VerificationType::float_type(), CHECK_VERIFY(this));
1482           current_frame.push_stack(
1483             VerificationType::float_type(), CHECK_VERIFY(this));
1484           no_control_flow = false; break;
1485         case Bytecodes::_dadd :
1486         case Bytecodes::_dsub :
1487         case Bytecodes::_dmul :
1488         case Bytecodes::_ddiv :
1489         case Bytecodes::_drem :
1490           current_frame.pop_stack_2(
1491             VerificationType::double2_type(),
1492             VerificationType::double_type(), CHECK_VERIFY(this));
1493           // fall through
1494         case Bytecodes::_dneg :
1495           current_frame.pop_stack_2(
1496             VerificationType::double2_type(),
1497             VerificationType::double_type(), CHECK_VERIFY(this));
1498           current_frame.push_stack_2(
1499             VerificationType::double_type(),
1500             VerificationType::double2_type(), CHECK_VERIFY(this));
1501           no_control_flow = false; break;
1502         case Bytecodes::_iinc :
1503           verify_iinc(bcs.get_index(), &current_frame, CHECK_VERIFY(this));
1504           no_control_flow = false; break;
1505         case Bytecodes::_i2l :
1506           type = current_frame.pop_stack(
1507             VerificationType::integer_type(), CHECK_VERIFY(this));
1508           current_frame.push_stack_2(
1509             VerificationType::long_type(),
1510             VerificationType::long2_type(), CHECK_VERIFY(this));
1511           no_control_flow = false; break;
1512        case Bytecodes::_l2i :
1513           current_frame.pop_stack_2(
1514             VerificationType::long2_type(),
1515             VerificationType::long_type(), CHECK_VERIFY(this));
1516           current_frame.push_stack(
1517             VerificationType::integer_type(), CHECK_VERIFY(this));
1518           no_control_flow = false; break;
1519         case Bytecodes::_i2f :
1520           current_frame.pop_stack(
1521             VerificationType::integer_type(), CHECK_VERIFY(this));
1522           current_frame.push_stack(
1523             VerificationType::float_type(), CHECK_VERIFY(this));
1524           no_control_flow = false; break;
1525         case Bytecodes::_i2d :
1526           current_frame.pop_stack(
1527             VerificationType::integer_type(), CHECK_VERIFY(this));
1528           current_frame.push_stack_2(
1529             VerificationType::double_type(),
1530             VerificationType::double2_type(), CHECK_VERIFY(this));
1531           no_control_flow = false; break;
1532         case Bytecodes::_l2f :
1533           current_frame.pop_stack_2(
1534             VerificationType::long2_type(),
1535             VerificationType::long_type(), CHECK_VERIFY(this));
1536           current_frame.push_stack(
1537             VerificationType::float_type(), CHECK_VERIFY(this));
1538           no_control_flow = false; break;
1539         case Bytecodes::_l2d :
1540           current_frame.pop_stack_2(
1541             VerificationType::long2_type(),
1542             VerificationType::long_type(), CHECK_VERIFY(this));
1543           current_frame.push_stack_2(
1544             VerificationType::double_type(),
1545             VerificationType::double2_type(), CHECK_VERIFY(this));
1546           no_control_flow = false; break;
1547         case Bytecodes::_f2i :
1548           current_frame.pop_stack(
1549             VerificationType::float_type(), CHECK_VERIFY(this));
1550           current_frame.push_stack(
1551             VerificationType::integer_type(), CHECK_VERIFY(this));
1552           no_control_flow = false; break;
1553         case Bytecodes::_f2l :
1554           current_frame.pop_stack(
1555             VerificationType::float_type(), CHECK_VERIFY(this));
1556           current_frame.push_stack_2(
1557             VerificationType::long_type(),
1558             VerificationType::long2_type(), CHECK_VERIFY(this));
1559           no_control_flow = false; break;
1560         case Bytecodes::_f2d :
1561           current_frame.pop_stack(
1562             VerificationType::float_type(), CHECK_VERIFY(this));
1563           current_frame.push_stack_2(
1564             VerificationType::double_type(),
1565             VerificationType::double2_type(), CHECK_VERIFY(this));
1566           no_control_flow = false; break;
1567         case Bytecodes::_d2i :
1568           current_frame.pop_stack_2(
1569             VerificationType::double2_type(),
1570             VerificationType::double_type(), CHECK_VERIFY(this));
1571           current_frame.push_stack(
1572             VerificationType::integer_type(), CHECK_VERIFY(this));
1573           no_control_flow = false; break;
1574         case Bytecodes::_d2l :
1575           current_frame.pop_stack_2(
1576             VerificationType::double2_type(),
1577             VerificationType::double_type(), CHECK_VERIFY(this));
1578           current_frame.push_stack_2(
1579             VerificationType::long_type(),
1580             VerificationType::long2_type(), CHECK_VERIFY(this));
1581           no_control_flow = false; break;
1582         case Bytecodes::_d2f :
1583           current_frame.pop_stack_2(
1584             VerificationType::double2_type(),
1585             VerificationType::double_type(), CHECK_VERIFY(this));
1586           current_frame.push_stack(
1587             VerificationType::float_type(), CHECK_VERIFY(this));
1588           no_control_flow = false; break;
1589         case Bytecodes::_i2b :
1590         case Bytecodes::_i2c :
1591         case Bytecodes::_i2s :
1592           current_frame.pop_stack(
1593             VerificationType::integer_type(), CHECK_VERIFY(this));
1594           current_frame.push_stack(
1595             VerificationType::integer_type(), CHECK_VERIFY(this));
1596           no_control_flow = false; break;
1597         case Bytecodes::_lcmp :
1598           current_frame.pop_stack_2(
1599             VerificationType::long2_type(),
1600             VerificationType::long_type(), CHECK_VERIFY(this));
1601           current_frame.pop_stack_2(
1602             VerificationType::long2_type(),
1603             VerificationType::long_type(), CHECK_VERIFY(this));
1604           current_frame.push_stack(
1605             VerificationType::integer_type(), CHECK_VERIFY(this));
1606           no_control_flow = false; break;
1607         case Bytecodes::_fcmpl :
1608         case Bytecodes::_fcmpg :
1609           current_frame.pop_stack(
1610             VerificationType::float_type(), CHECK_VERIFY(this));
1611           current_frame.pop_stack(
1612             VerificationType::float_type(), CHECK_VERIFY(this));
1613           current_frame.push_stack(
1614             VerificationType::integer_type(), CHECK_VERIFY(this));
1615           no_control_flow = false; break;
1616         case Bytecodes::_dcmpl :
1617         case Bytecodes::_dcmpg :
1618           current_frame.pop_stack_2(
1619             VerificationType::double2_type(),
1620             VerificationType::double_type(), CHECK_VERIFY(this));
1621           current_frame.pop_stack_2(
1622             VerificationType::double2_type(),
1623             VerificationType::double_type(), CHECK_VERIFY(this));
1624           current_frame.push_stack(
1625             VerificationType::integer_type(), CHECK_VERIFY(this));
1626           no_control_flow = false; break;
1627         case Bytecodes::_if_icmpeq:
1628         case Bytecodes::_if_icmpne:
1629         case Bytecodes::_if_icmplt:
1630         case Bytecodes::_if_icmpge:
1631         case Bytecodes::_if_icmpgt:
1632         case Bytecodes::_if_icmple:
1633           current_frame.pop_stack(
1634             VerificationType::integer_type(), CHECK_VERIFY(this));
1635           // fall through
1636         case Bytecodes::_ifeq:
1637         case Bytecodes::_ifne:
1638         case Bytecodes::_iflt:
1639         case Bytecodes::_ifge:
1640         case Bytecodes::_ifgt:
1641         case Bytecodes::_ifle:
1642           current_frame.pop_stack(
1643             VerificationType::integer_type(), CHECK_VERIFY(this));
1644           target = bcs.dest();
1645           stackmap_table.check_jump_target(
1646             &current_frame, target, CHECK_VERIFY(this));
1647           no_control_flow = false; break;
1648         case Bytecodes::_if_acmpeq :
1649         case Bytecodes::_if_acmpne :
1650           current_frame.pop_stack(
1651             VerificationType::reference_check(), CHECK_VERIFY(this));
1652           // fall through
1653         case Bytecodes::_ifnull :
1654         case Bytecodes::_ifnonnull :
1655           current_frame.pop_stack(
1656             VerificationType::reference_check(), CHECK_VERIFY(this));
1657           target = bcs.dest();
1658           stackmap_table.check_jump_target
1659             (&current_frame, target, CHECK_VERIFY(this));
1660           no_control_flow = false; break;
1661         case Bytecodes::_goto :
1662           target = bcs.dest();
1663           stackmap_table.check_jump_target(
1664             &current_frame, target, CHECK_VERIFY(this));
1665           no_control_flow = true; break;
1666         case Bytecodes::_goto_w :
1667           target = bcs.dest_w();
1668           stackmap_table.check_jump_target(
1669             &current_frame, target, CHECK_VERIFY(this));
1670           no_control_flow = true; break;
1671         case Bytecodes::_tableswitch :
1672         case Bytecodes::_lookupswitch :
1673           verify_switch(
1674             &bcs, code_length, code_data, &current_frame,
1675             &stackmap_table, CHECK_VERIFY(this));
1676           no_control_flow = true; break;
1677         case Bytecodes::_ireturn :
1678           type = current_frame.pop_stack(
1679             VerificationType::integer_type(), CHECK_VERIFY(this));
1680           verify_return_value(return_type, type, bci,
1681                               &current_frame, CHECK_VERIFY(this));
1682           no_control_flow = true; break;
1683         case Bytecodes::_lreturn :
1684           type2 = current_frame.pop_stack(
1685             VerificationType::long2_type(), CHECK_VERIFY(this));
1686           type = current_frame.pop_stack(
1687             VerificationType::long_type(), CHECK_VERIFY(this));
1688           verify_return_value(return_type, type, bci,
1689                               &current_frame, CHECK_VERIFY(this));
1690           no_control_flow = true; break;
1691         case Bytecodes::_freturn :
1692           type = current_frame.pop_stack(
1693             VerificationType::float_type(), CHECK_VERIFY(this));
1694           verify_return_value(return_type, type, bci,
1695                               &current_frame, CHECK_VERIFY(this));
1696           no_control_flow = true; break;
1697         case Bytecodes::_dreturn :
1698           type2 = current_frame.pop_stack(
1699             VerificationType::double2_type(),  CHECK_VERIFY(this));
1700           type = current_frame.pop_stack(
1701             VerificationType::double_type(), CHECK_VERIFY(this));
1702           verify_return_value(return_type, type, bci,
1703                               &current_frame, CHECK_VERIFY(this));
1704           no_control_flow = true; break;
1705         case Bytecodes::_areturn :
1706           type = current_frame.pop_stack(
1707             VerificationType::reference_check(), CHECK_VERIFY(this));
1708           verify_return_value(return_type, type, bci,
1709                               &current_frame, CHECK_VERIFY(this));
1710           no_control_flow = true; break;
1711         case Bytecodes::_return :
1712           if (return_type != VerificationType::bogus_type()) {
1713             verify_error(ErrorContext::bad_code(bci),
1714                          "Method expects a return value");
1715             return;
1716           }
1717           // Make sure "this" has been initialized if current method is an
1718           // <init>.
1719           if (_method->is_object_constructor() &&
1720               current_frame.flag_this_uninit()) {
1721             verify_error(ErrorContext::bad_code(bci),
1722                          "Constructor must call super() or this() "
1723                          "before return");
1724             return;
1725           }
1726           no_control_flow = true; break;
1727         case Bytecodes::_getstatic :
1728         case Bytecodes::_putstatic :
1729           // pass TRUE, operand can be an array type for getstatic/putstatic.
1730           verify_field_instructions(
1731             &bcs, &current_frame, cp, true, CHECK_VERIFY(this));
1732           no_control_flow = false; break;
1733         case Bytecodes::_getfield :
1734         case Bytecodes::_putfield :
1735           // pass FALSE, operand can't be an array type for getfield/putfield.
1736           verify_field_instructions(
1737             &bcs, &current_frame, cp, false, CHECK_VERIFY(this));
1738           no_control_flow = false; break;
1739         case Bytecodes::_invokevirtual :
1740         case Bytecodes::_invokespecial :
1741         case Bytecodes::_invokestatic :
1742         case Bytecodes::_invokeinterface :
1743         case Bytecodes::_invokedynamic :
1744           verify_invoke_instructions(
1745             &bcs, code_length, &current_frame, (bci >= ex_min && bci < ex_max),
1746             &this_uninit, cp, &stackmap_table, CHECK_VERIFY(this));
1747           no_control_flow = false; break;
1748         case Bytecodes::_new :
1749         {
1750           u2 index = bcs.get_index_u2();
1751           verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1752           VerificationType new_class_type =
1753             cp_index_to_type(index, cp, CHECK_VERIFY(this));
1754           if (!new_class_type.is_object()) {
1755             verify_error(ErrorContext::bad_type(bci,
1756                 TypeOrigin::cp(index, new_class_type)),
1757                 "Illegal new instruction");
1758             return;
1759           }
1760           type = VerificationType::uninitialized_type(checked_cast<u2>(bci));
1761           current_frame.push_stack(type, CHECK_VERIFY(this));
1762           no_control_flow = false; break;
1763         }
1764         case Bytecodes::_newarray :
1765           type = get_newarray_type(bcs.get_index(), bci, CHECK_VERIFY(this));
1766           current_frame.pop_stack(
1767             VerificationType::integer_type(),  CHECK_VERIFY(this));
1768           current_frame.push_stack(type, CHECK_VERIFY(this));
1769           no_control_flow = false; break;
1770         case Bytecodes::_anewarray :
1771           verify_anewarray(
1772             bci, bcs.get_index_u2(), cp, &current_frame, CHECK_VERIFY(this));
1773           no_control_flow = false; break;
1774         case Bytecodes::_arraylength :
1775           type = current_frame.pop_stack(
1776             VerificationType::reference_check(), CHECK_VERIFY(this));
1777           if (!(type.is_null() || type.is_array())) {
1778             verify_error(ErrorContext::bad_type(
1779                 bci, current_frame.stack_top_ctx()),
1780                 bad_type_msg, "arraylength");
1781           }
1782           current_frame.push_stack(
1783             VerificationType::integer_type(), CHECK_VERIFY(this));
1784           no_control_flow = false; break;
1785         case Bytecodes::_checkcast :
1786         {
1787           u2 index = bcs.get_index_u2();
1788           verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1789           current_frame.pop_stack(object_type(), CHECK_VERIFY(this));
1790           VerificationType klass_type = cp_index_to_type(
1791             index, cp, CHECK_VERIFY(this));
1792           current_frame.push_stack(klass_type, CHECK_VERIFY(this));
1793           no_control_flow = false; break;
1794         }
1795         case Bytecodes::_instanceof : {
1796           u2 index = bcs.get_index_u2();
1797           verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1798           current_frame.pop_stack(object_type(), CHECK_VERIFY(this));
1799           current_frame.push_stack(
1800             VerificationType::integer_type(), CHECK_VERIFY(this));
1801           no_control_flow = false; break;
1802         }
1803         case Bytecodes::_monitorenter :
1804         case Bytecodes::_monitorexit : {
1805           VerificationType ref = current_frame.pop_stack(
1806             VerificationType::reference_check(), CHECK_VERIFY(this));
1807           no_control_flow = false; break;
1808         }
1809         case Bytecodes::_multianewarray :
1810         {
1811           u2 index = bcs.get_index_u2();
1812           u2 dim = *(bcs.bcp()+3);
1813           verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1814           VerificationType new_array_type =
1815             cp_index_to_type(index, cp, CHECK_VERIFY(this));
1816           if (!new_array_type.is_array()) {
1817             verify_error(ErrorContext::bad_type(bci,
1818                 TypeOrigin::cp(index, new_array_type)),
1819                 "Illegal constant pool index in multianewarray instruction");
1820             return;
1821           }
1822           if (dim < 1 || new_array_type.dimensions() < dim) {
1823             verify_error(ErrorContext::bad_code(bci),
1824                 "Illegal dimension in multianewarray instruction: %d", dim);
1825             return;
1826           }
1827           for (int i = 0; i < dim; i++) {
1828             current_frame.pop_stack(
1829               VerificationType::integer_type(), CHECK_VERIFY(this));
1830           }
1831           current_frame.push_stack(new_array_type, CHECK_VERIFY(this));
1832           no_control_flow = false; break;
1833         }
1834         case Bytecodes::_athrow :
1835           type = VerificationType::reference_type(
1836             vmSymbols::java_lang_Throwable());
1837           current_frame.pop_stack(type, CHECK_VERIFY(this));
1838           no_control_flow = true; break;
1839         default:
1840           // We only need to check the valid bytecodes in class file.
1841           // And jsr and ret are not in the new class file format in JDK1.6.
1842           verify_error(ErrorContext::bad_code(bci),
1843               "Bad instruction: %02x", opcode);
1844           no_control_flow = false;
1845           return;
1846       }  // end switch
1847     }  // end Merge with the next instruction
1848 
1849     // Look for possible jump target in exception handlers and see if it matches
1850     // current_frame.  Don't do this check if it has already been done (for
1851     // ([a,d,f,i,l]store* opcodes).  This check cannot be done earlier because
1852     // opcodes, such as invokespecial, may set the this_uninit flag.
1853     assert(!(verified_exc_handlers && this_uninit),
1854       "Exception handler targets got verified before this_uninit got set");
1855     if (!verified_exc_handlers && bci >= ex_min && bci < ex_max) {
1856       if (was_recursively_verified()) return;
1857       verify_exception_handler_targets(
1858         bci, this_uninit, &current_frame, &stackmap_table, CHECK_VERIFY(this));
1859     }
1860   } // end while
1861 
1862   // Make sure that control flow does not fall through end of the method
1863   if (!no_control_flow) {
1864     verify_error(ErrorContext::bad_code(code_length),
1865         "Control flow falls through code end");
1866     return;
1867   }
1868 }
1869 
1870 #undef bad_type_message
1871 
1872 char* ClassVerifier::generate_code_data(const methodHandle& m, u4 code_length, TRAPS) {
1873   char* code_data = NEW_RESOURCE_ARRAY(char, code_length);
1874   memset(code_data, 0, sizeof(char) * code_length);
1875   RawBytecodeStream bcs(m);
1876 
1877   while (!bcs.is_last_bytecode()) {
1878     if (bcs.raw_next() != Bytecodes::_illegal) {
1879       int bci = bcs.bci();
1880       if (bcs.raw_code() == Bytecodes::_new) {
1881         code_data[bci] = NEW_OFFSET;
1882       } else {
1883         code_data[bci] = BYTECODE_OFFSET;
1884       }
1885     } else {
1886       verify_error(ErrorContext::bad_code(bcs.bci()), "Bad instruction");
1887       return nullptr;
1888     }
1889   }
1890 
1891   return code_data;
1892 }
1893 
1894 // Since this method references the constant pool, call was_recursively_verified()
1895 // before calling this method to make sure a prior class load did not cause the
1896 // current class to get verified.
1897 void ClassVerifier::verify_exception_handler_table(u4 code_length, char* code_data, int& min, int& max, TRAPS) {
1898   ExceptionTable exhandlers(_method());
1899   int exlength = exhandlers.length();
1900   constantPoolHandle cp (THREAD, _method->constants());
1901 
1902   for(int i = 0; i < exlength; i++) {
1903     u2 start_pc = exhandlers.start_pc(i);
1904     u2 end_pc = exhandlers.end_pc(i);
1905     u2 handler_pc = exhandlers.handler_pc(i);
1906     if (start_pc >= code_length || code_data[start_pc] == 0) {
1907       class_format_error("Illegal exception table start_pc %d", start_pc);
1908       return;
1909     }
1910     if (end_pc != code_length) {   // special case: end_pc == code_length
1911       if (end_pc > code_length || code_data[end_pc] == 0) {
1912         class_format_error("Illegal exception table end_pc %d", end_pc);
1913         return;
1914       }
1915     }
1916     if (handler_pc >= code_length || code_data[handler_pc] == 0) {
1917       class_format_error("Illegal exception table handler_pc %d", handler_pc);
1918       return;
1919     }
1920     u2 catch_type_index = exhandlers.catch_type_index(i);
1921     if (catch_type_index != 0) {
1922       VerificationType catch_type = cp_index_to_type(
1923         catch_type_index, cp, CHECK_VERIFY(this));
1924       VerificationType throwable =
1925         VerificationType::reference_type(vmSymbols::java_lang_Throwable());
1926       // If the catch type is Throwable pre-resolve it now as the assignable check won't
1927       // do that, and we need to avoid a runtime resolution in case we are trying to
1928       // catch OutOfMemoryError.
1929       if (cp->klass_name_at(catch_type_index) == vmSymbols::java_lang_Throwable()) {
1930         cp->klass_at(catch_type_index, CHECK);
1931       }
1932       bool is_subclass = throwable.is_assignable_from(
1933         catch_type, this, false, CHECK_VERIFY(this));
1934       if (!is_subclass) {
1935         // 4286534: should throw VerifyError according to recent spec change
1936         verify_error(ErrorContext::bad_type(handler_pc,
1937             TypeOrigin::cp(catch_type_index, catch_type),
1938             TypeOrigin::implicit(throwable)),
1939             "Catch type is not a subclass "
1940             "of Throwable in exception handler %d", handler_pc);
1941         return;
1942       }
1943     }
1944     if (start_pc < min) min = start_pc;
1945     if (end_pc > max) max = end_pc;
1946   }
1947 }
1948 
1949 void ClassVerifier::verify_local_variable_table(u4 code_length, char* code_data, TRAPS) {
1950   int localvariable_table_length = _method->localvariable_table_length();
1951   if (localvariable_table_length > 0) {
1952     LocalVariableTableElement* table = _method->localvariable_table_start();
1953     for (int i = 0; i < localvariable_table_length; i++) {
1954       u2 start_bci = table[i].start_bci;
1955       u2 length = table[i].length;
1956 
1957       if (start_bci >= code_length || code_data[start_bci] == 0) {
1958         class_format_error(
1959           "Illegal local variable table start_pc %d", start_bci);
1960         return;
1961       }
1962       u4 end_bci = (u4)(start_bci + length);
1963       if (end_bci != code_length) {
1964         if (end_bci >= code_length || code_data[end_bci] == 0) {
1965           class_format_error( "Illegal local variable table length %d", length);
1966           return;
1967         }
1968       }
1969     }
1970   }
1971 }
1972 
1973 u2 ClassVerifier::verify_stackmap_table(u2 stackmap_index, int bci,
1974                                         StackMapFrame* current_frame,
1975                                         StackMapTable* stackmap_table,
1976                                         bool no_control_flow, TRAPS) {
1977   if (stackmap_index < stackmap_table->get_frame_count()) {
1978     int this_offset = stackmap_table->get_offset(stackmap_index);
1979     if (no_control_flow && this_offset > bci) {
1980       verify_error(ErrorContext::missing_stackmap(bci),
1981                    "Expecting a stack map frame");
1982       return 0;
1983     }
1984     if (this_offset == bci) {
1985       ErrorContext ctx;
1986       // See if current stack map can be assigned to the frame in table.
1987       // current_frame is the stackmap frame got from the last instruction.
1988       // If matched, current_frame will be updated by this method.
1989       bool matches = stackmap_table->match_stackmap(
1990         current_frame, this_offset, stackmap_index,
1991         !no_control_flow, true, &ctx, CHECK_VERIFY_(this, 0));
1992       if (!matches) {
1993         // report type error
1994         verify_error(ctx, "Instruction type does not match stack map");
1995         return 0;
1996       }
1997       stackmap_index++;
1998     } else if (this_offset < bci) {
1999       // current_offset should have met this_offset.
2000       class_format_error("Bad stack map offset %d", this_offset);
2001       return 0;
2002     }
2003   } else if (no_control_flow) {
2004     verify_error(ErrorContext::bad_code(bci), "Expecting a stack map frame");
2005     return 0;
2006   }
2007   return stackmap_index;
2008 }
2009 
2010 // Since this method references the constant pool, call was_recursively_verified()
2011 // before calling this method to make sure a prior class load did not cause the
2012 // current class to get verified.
2013 void ClassVerifier::verify_exception_handler_targets(int bci, bool this_uninit,
2014                                                      StackMapFrame* current_frame,
2015                                                      StackMapTable* stackmap_table, TRAPS) {
2016   constantPoolHandle cp (THREAD, _method->constants());
2017   ExceptionTable exhandlers(_method());
2018   int exlength = exhandlers.length();
2019   for(int i = 0; i < exlength; i++) {
2020     u2 start_pc = exhandlers.start_pc(i);
2021     u2 end_pc = exhandlers.end_pc(i);
2022     u2 handler_pc = exhandlers.handler_pc(i);
2023     int catch_type_index = exhandlers.catch_type_index(i);
2024     if(bci >= start_pc && bci < end_pc) {
2025       u1 flags = current_frame->flags();
2026       if (this_uninit) {  flags |= FLAG_THIS_UNINIT; }
2027       StackMapFrame* new_frame = current_frame->frame_in_exception_handler(flags);
2028       if (catch_type_index != 0) {
2029         if (was_recursively_verified()) return;
2030         // We know that this index refers to a subclass of Throwable
2031         VerificationType catch_type = cp_index_to_type(
2032           catch_type_index, cp, CHECK_VERIFY(this));
2033         new_frame->push_stack(catch_type, CHECK_VERIFY(this));
2034       } else {
2035         VerificationType throwable =
2036           VerificationType::reference_type(vmSymbols::java_lang_Throwable());
2037         new_frame->push_stack(throwable, CHECK_VERIFY(this));
2038       }
2039       ErrorContext ctx;
2040       bool matches = stackmap_table->match_stackmap(
2041         new_frame, handler_pc, true, false, &ctx, CHECK_VERIFY(this));
2042       if (!matches) {
2043         verify_error(ctx, "Stack map does not match the one at "
2044             "exception handler %d", handler_pc);
2045         return;
2046       }
2047     }
2048   }
2049 }
2050 
2051 void ClassVerifier::verify_cp_index(
2052     int bci, const constantPoolHandle& cp, u2 index, TRAPS) {
2053   int nconstants = cp->length();
2054   if ((index <= 0) || (index >= nconstants)) {
2055     verify_error(ErrorContext::bad_cp_index(bci, index),
2056         "Illegal constant pool index %d in class %s",
2057         index, cp->pool_holder()->external_name());
2058     return;
2059   }
2060 }
2061 
2062 void ClassVerifier::verify_cp_type(
2063     int bci, u2 index, const constantPoolHandle& cp, unsigned int types, TRAPS) {
2064 
2065   // In some situations, bytecode rewriting may occur while we're verifying.
2066   // In this case, a constant pool cache exists and some indices refer to that
2067   // instead.  Be sure we don't pick up such indices by accident.
2068   // We must check was_recursively_verified() before we get here.
2069   guarantee(cp->cache() == nullptr, "not rewritten yet");
2070 
2071   verify_cp_index(bci, cp, index, CHECK_VERIFY(this));
2072   unsigned int tag = cp->tag_at(index).value();
2073   // tags up to JVM_CONSTANT_ExternalMax are verifiable and valid for shift op
2074   if (tag > JVM_CONSTANT_ExternalMax || (types & (1 << tag)) == 0) {
2075     verify_error(ErrorContext::bad_cp_index(bci, index),
2076       "Illegal type at constant pool entry %d in class %s",
2077       index, cp->pool_holder()->external_name());
2078     return;
2079   }
2080 }
2081 
2082 void ClassVerifier::verify_cp_class_type(
2083     int bci, u2 index, const constantPoolHandle& cp, TRAPS) {
2084   verify_cp_index(bci, cp, index, CHECK_VERIFY(this));
2085   constantTag tag = cp->tag_at(index);
2086   if (!tag.is_klass() && !tag.is_unresolved_klass()) {
2087     verify_error(ErrorContext::bad_cp_index(bci, index),
2088         "Illegal type at constant pool entry %d in class %s",
2089         index, cp->pool_holder()->external_name());
2090     return;
2091   }
2092 }
2093 
2094 void ClassVerifier::verify_error(ErrorContext ctx, const char* msg, ...) {
2095   stringStream ss;
2096 
2097   ctx.reset_frames();
2098   _exception_type = vmSymbols::java_lang_VerifyError();
2099   _error_context = ctx;
2100   va_list va;
2101   va_start(va, msg);
2102   ss.vprint(msg, va);
2103   va_end(va);
2104   _message = ss.as_string();
2105 #ifdef ASSERT
2106   ResourceMark rm;
2107   const char* exception_name = _exception_type->as_C_string();
2108   Exceptions::debug_check_abort(exception_name, nullptr);
2109 #endif // ndef ASSERT
2110 }
2111 
2112 void ClassVerifier::class_format_error(const char* msg, ...) {
2113   stringStream ss;
2114   _exception_type = vmSymbols::java_lang_ClassFormatError();
2115   va_list va;
2116   va_start(va, msg);
2117   ss.vprint(msg, va);
2118   va_end(va);
2119   if (!_method.is_null()) {
2120     ss.print(" in method '");
2121     _method->print_external_name(&ss);
2122     ss.print("'");
2123   }
2124   _message = ss.as_string();
2125 }
2126 
2127 Klass* ClassVerifier::load_class(Symbol* name, TRAPS) {
2128   HandleMark hm(THREAD);
2129   // Get current loader first.
2130   oop loader = current_class()->class_loader();
2131 
2132   assert(name_in_supers(name, current_class()), "name should be a super class");
2133 
2134   Klass* kls = SystemDictionary::resolve_or_fail(
2135     name, Handle(THREAD, loader), true, THREAD);
2136 
2137   if (kls != nullptr) {
2138     if (log_is_enabled(Debug, class, resolve)) {
2139       Verifier::trace_class_resolution(kls, current_class());
2140     }
2141   }
2142   return kls;
2143 }
2144 
2145 bool ClassVerifier::is_protected_access(InstanceKlass* this_class,
2146                                         Klass* target_class,
2147                                         Symbol* field_name,
2148                                         Symbol* field_sig,
2149                                         bool is_method) {
2150   NoSafepointVerifier nosafepoint;
2151 
2152   // If target class isn't a super class of this class, we don't worry about this case
2153   if (!this_class->is_subclass_of(target_class)) {
2154     return false;
2155   }
2156   // Check if the specified method or field is protected
2157   InstanceKlass* target_instance = InstanceKlass::cast(target_class);
2158   fieldDescriptor fd;
2159   if (is_method) {
2160     Method* m = target_instance->uncached_lookup_method(field_name, field_sig, Klass::OverpassLookupMode::find);
2161     if (m != nullptr && m->is_protected()) {
2162       if (!this_class->is_same_class_package(m->method_holder())) {
2163         return true;
2164       }
2165     }
2166   } else {
2167     Klass* member_klass = target_instance->find_field(field_name, field_sig, &fd);
2168     if (member_klass != nullptr && fd.is_protected()) {
2169       if (!this_class->is_same_class_package(member_klass)) {
2170         return true;
2171       }
2172     }
2173   }
2174   return false;
2175 }
2176 
2177 void ClassVerifier::verify_ldc(
2178     int opcode, u2 index, StackMapFrame* current_frame,
2179     const constantPoolHandle& cp, int bci, TRAPS) {
2180   verify_cp_index(bci, cp, index, CHECK_VERIFY(this));
2181   constantTag tag = cp->tag_at(index);
2182   unsigned int types = 0;
2183   if (opcode == Bytecodes::_ldc || opcode == Bytecodes::_ldc_w) {
2184     if (!tag.is_unresolved_klass()) {
2185       types = (1 << JVM_CONSTANT_Integer) | (1 << JVM_CONSTANT_Float)
2186             | (1 << JVM_CONSTANT_String) | (1 << JVM_CONSTANT_Class)
2187             | (1 << JVM_CONSTANT_MethodHandle) | (1 << JVM_CONSTANT_MethodType)
2188             | (1 << JVM_CONSTANT_Dynamic);
2189       // Note:  The class file parser already verified the legality of
2190       // MethodHandle and MethodType constants.
2191       verify_cp_type(bci, index, cp, types, CHECK_VERIFY(this));
2192     }
2193   } else {
2194     assert(opcode == Bytecodes::_ldc2_w, "must be ldc2_w");
2195     types = (1 << JVM_CONSTANT_Double) | (1 << JVM_CONSTANT_Long)
2196           | (1 << JVM_CONSTANT_Dynamic);
2197     verify_cp_type(bci, index, cp, types, CHECK_VERIFY(this));
2198   }
2199   if (tag.is_string()) {
2200     current_frame->push_stack(
2201       VerificationType::reference_type(
2202         vmSymbols::java_lang_String()), CHECK_VERIFY(this));
2203   } else if (tag.is_klass() || tag.is_unresolved_klass()) {
2204     current_frame->push_stack(
2205       VerificationType::reference_type(
2206         vmSymbols::java_lang_Class()), CHECK_VERIFY(this));
2207   } else if (tag.is_int()) {
2208     current_frame->push_stack(
2209       VerificationType::integer_type(), CHECK_VERIFY(this));
2210   } else if (tag.is_float()) {
2211     current_frame->push_stack(
2212       VerificationType::float_type(), CHECK_VERIFY(this));
2213   } else if (tag.is_double()) {
2214     current_frame->push_stack_2(
2215       VerificationType::double_type(),
2216       VerificationType::double2_type(), CHECK_VERIFY(this));
2217   } else if (tag.is_long()) {
2218     current_frame->push_stack_2(
2219       VerificationType::long_type(),
2220       VerificationType::long2_type(), CHECK_VERIFY(this));
2221   } else if (tag.is_method_handle()) {
2222     current_frame->push_stack(
2223       VerificationType::reference_type(
2224         vmSymbols::java_lang_invoke_MethodHandle()), CHECK_VERIFY(this));
2225   } else if (tag.is_method_type()) {
2226     current_frame->push_stack(
2227       VerificationType::reference_type(
2228         vmSymbols::java_lang_invoke_MethodType()), CHECK_VERIFY(this));
2229   } else if (tag.is_dynamic_constant()) {
2230     Symbol* constant_type = cp->uncached_signature_ref_at(index);
2231     // Field signature was checked in ClassFileParser.
2232     assert(SignatureVerifier::is_valid_type_signature(constant_type),
2233            "Invalid type for dynamic constant");
2234     assert(sizeof(VerificationType) == sizeof(uintptr_t),
2235           "buffer type must match VerificationType size");
2236     uintptr_t constant_type_buffer[2];
2237     VerificationType* v_constant_type = (VerificationType*)constant_type_buffer;
2238     SignatureStream sig_stream(constant_type, false);
2239     int n = change_sig_to_verificationType(&sig_stream, v_constant_type);
2240     int opcode_n = (opcode == Bytecodes::_ldc2_w ? 2 : 1);
2241     if (n != opcode_n) {
2242       // wrong kind of ldc; reverify against updated type mask
2243       types &= ~(1 << JVM_CONSTANT_Dynamic);
2244       verify_cp_type(bci, index, cp, types, CHECK_VERIFY(this));
2245     }
2246     for (int i = 0; i < n; i++) {
2247       current_frame->push_stack(v_constant_type[i], CHECK_VERIFY(this));
2248     }
2249   } else {
2250     /* Unreachable? verify_cp_type has already validated the cp type. */
2251     verify_error(
2252         ErrorContext::bad_cp_index(bci, index), "Invalid index in ldc");
2253     return;
2254   }
2255 }
2256 
2257 void ClassVerifier::verify_switch(
2258     RawBytecodeStream* bcs, u4 code_length, char* code_data,
2259     StackMapFrame* current_frame, StackMapTable* stackmap_table, TRAPS) {
2260   int bci = bcs->bci();
2261   address bcp = bcs->bcp();
2262   address aligned_bcp = align_up(bcp + 1, jintSize);
2263 
2264   if (_klass->major_version() < NONZERO_PADDING_BYTES_IN_SWITCH_MAJOR_VERSION) {
2265     // 4639449 & 4647081: padding bytes must be 0
2266     u2 padding_offset = 1;
2267     while ((bcp + padding_offset) < aligned_bcp) {
2268       if(*(bcp + padding_offset) != 0) {
2269         verify_error(ErrorContext::bad_code(bci),
2270                      "Nonzero padding byte in lookupswitch or tableswitch");
2271         return;
2272       }
2273       padding_offset++;
2274     }
2275   }
2276 
2277   int default_offset = (int) Bytes::get_Java_u4(aligned_bcp);
2278   int keys, delta;
2279   current_frame->pop_stack(
2280     VerificationType::integer_type(), CHECK_VERIFY(this));
2281   if (bcs->raw_code() == Bytecodes::_tableswitch) {
2282     jint low = (jint)Bytes::get_Java_u4(aligned_bcp + jintSize);
2283     jint high = (jint)Bytes::get_Java_u4(aligned_bcp + 2*jintSize);
2284     if (low > high) {
2285       verify_error(ErrorContext::bad_code(bci),
2286           "low must be less than or equal to high in tableswitch");
2287       return;
2288     }
2289     int64_t keys64 = ((int64_t)high - low) + 1;
2290     if (keys64 > 65535) {  // Max code length
2291       verify_error(ErrorContext::bad_code(bci), "too many keys in tableswitch");
2292       return;
2293     }
2294     keys = (int)keys64;
2295     delta = 1;
2296   } else {
2297     keys = (int)Bytes::get_Java_u4(aligned_bcp + jintSize);
2298     if (keys < 0) {
2299       verify_error(ErrorContext::bad_code(bci),
2300                    "number of keys in lookupswitch less than 0");
2301       return;
2302     }
2303     delta = 2;
2304     // Make sure that the lookupswitch items are sorted
2305     for (int i = 0; i < (keys - 1); i++) {
2306       jint this_key = Bytes::get_Java_u4(aligned_bcp + (2+2*i)*jintSize);
2307       jint next_key = Bytes::get_Java_u4(aligned_bcp + (2+2*i+2)*jintSize);
2308       if (this_key >= next_key) {
2309         verify_error(ErrorContext::bad_code(bci),
2310                      "Bad lookupswitch instruction");
2311         return;
2312       }
2313     }
2314   }
2315   int target = bci + default_offset;
2316   stackmap_table->check_jump_target(current_frame, target, CHECK_VERIFY(this));
2317   for (int i = 0; i < keys; i++) {
2318     // Because check_jump_target() may safepoint, the bytecode could have
2319     // moved, which means 'aligned_bcp' is no good and needs to be recalculated.
2320     aligned_bcp = align_up(bcs->bcp() + 1, jintSize);
2321     target = bci + (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
2322     stackmap_table->check_jump_target(
2323       current_frame, target, CHECK_VERIFY(this));
2324   }
2325   NOT_PRODUCT(aligned_bcp = nullptr);  // no longer valid at this point
2326 }
2327 
2328 bool ClassVerifier::name_in_supers(
2329     Symbol* ref_name, InstanceKlass* current) {
2330   Klass* super = current->super();
2331   while (super != nullptr) {
2332     if (super->name() == ref_name) {
2333       return true;
2334     }
2335     super = super->super();
2336   }
2337   return false;
2338 }
2339 
2340 void ClassVerifier::verify_field_instructions(RawBytecodeStream* bcs,
2341                                               StackMapFrame* current_frame,
2342                                               const constantPoolHandle& cp,
2343                                               bool allow_arrays,
2344                                               TRAPS) {
2345   u2 index = bcs->get_index_u2();
2346   verify_cp_type(bcs->bci(), index, cp,
2347       1 << JVM_CONSTANT_Fieldref, CHECK_VERIFY(this));
2348 
2349   // Get field name and signature
2350   Symbol* field_name = cp->uncached_name_ref_at(index);
2351   Symbol* field_sig = cp->uncached_signature_ref_at(index);
2352   bool is_getfield = false;
2353 
2354   // Field signature was checked in ClassFileParser.
2355   assert(SignatureVerifier::is_valid_type_signature(field_sig),
2356          "Invalid field signature");
2357 
2358   // Get referenced class type
2359   VerificationType ref_class_type = cp_ref_index_to_type(
2360     index, cp, CHECK_VERIFY(this));
2361   if (!ref_class_type.is_object() &&
2362       (!allow_arrays || !ref_class_type.is_array())) {
2363     verify_error(ErrorContext::bad_type(bcs->bci(),
2364         TypeOrigin::cp(index, ref_class_type)),
2365         "Expecting reference to class in class %s at constant pool index %d",
2366         _klass->external_name(), index);
2367     return;
2368   }
2369 
2370   VerificationType target_class_type = ref_class_type;
2371 
2372   assert(sizeof(VerificationType) == sizeof(uintptr_t),
2373         "buffer type must match VerificationType size");
2374   uintptr_t field_type_buffer[2];
2375   VerificationType* field_type = (VerificationType*)field_type_buffer;
2376   // If we make a VerificationType[2] array directly, the compiler calls
2377   // to the c-runtime library to do the allocation instead of just
2378   // stack allocating it.  Plus it would run constructors.  This shows up
2379   // in performance profiles.
2380 
2381   SignatureStream sig_stream(field_sig, false);
2382   VerificationType stack_object_type;
2383   int n = change_sig_to_verificationType(&sig_stream, field_type);
2384   int bci = bcs->bci();
2385   bool is_assignable;
2386   switch (bcs->raw_code()) {
2387     case Bytecodes::_getstatic: {
2388       for (int i = 0; i < n; i++) {
2389         current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
2390       }
2391       break;
2392     }
2393     case Bytecodes::_putstatic: {
2394       for (int i = n - 1; i >= 0; i--) {
2395         current_frame->pop_stack(field_type[i], CHECK_VERIFY(this));
2396       }
2397       break;
2398     }
2399     case Bytecodes::_getfield: {
2400       is_getfield = true;
2401       stack_object_type = current_frame->pop_stack(
2402         target_class_type, CHECK_VERIFY(this));
2403       goto check_protected;
2404     }
2405     case Bytecodes::_putfield: {
2406       for (int i = n - 1; i >= 0; i--) {
2407         current_frame->pop_stack(field_type[i], CHECK_VERIFY(this));
2408       }
2409       stack_object_type = current_frame->pop_stack(CHECK_VERIFY(this));
2410 
2411       // Field initialization is allowed before the superclass
2412       // initializer, if the field is defined within the current class.
2413       fieldDescriptor fd;
2414       bool is_local_field = _klass->find_local_field(field_name, field_sig, &fd) &&
2415                             target_class_type.equals(current_type());
2416       if (stack_object_type == VerificationType::uninitialized_this_type()) {
2417         if (is_local_field) {
2418           // Set the type to the current type so the is_assignable check passes.
2419           stack_object_type = current_type();
2420 
2421           if (fd.access_flags().is_strict()) {
2422             ResourceMark rm(THREAD);
2423             if (!current_frame->satisfy_unset_field(fd.name(), fd.signature())) {
2424               log_info(verification)("Attempting to initialize field not found in initial strict instance fields: %s%s",
2425                                      fd.name()->as_C_string(), fd.signature()->as_C_string());
2426               verify_error(ErrorContext::bad_strict_fields(bci, current_frame),
2427                            "Initializing unknown strict field: %s:%s", fd.name()->as_C_string(), fd.signature()->as_C_string());
2428             }
2429           }
2430         }
2431       } else if (supports_strict_fields(_klass)) {
2432         // `strict` fields are not writable, but only local fields produce verification errors
2433         if (is_local_field && fd.access_flags().is_strict() && fd.access_flags().is_final()) {
2434           verify_error(ErrorContext::bad_code(bci),
2435                        "Illegal use of putfield on a strict field");
2436           return;
2437         }
2438       }
2439       is_assignable = target_class_type.is_assignable_from(
2440         stack_object_type, this, false, CHECK_VERIFY(this));
2441       if (!is_assignable) {
2442         verify_error(ErrorContext::bad_type(bci,
2443             current_frame->stack_top_ctx(),
2444             TypeOrigin::cp(index, target_class_type)),
2445             "Bad type on operand stack in putfield");
2446         return;
2447       }
2448     }
2449     check_protected: {
2450       if (_this_type == stack_object_type)
2451         break; // stack_object_type must be assignable to _current_class_type
2452       if (was_recursively_verified()) {
2453         if (is_getfield) {
2454           // Push field type for getfield.
2455           for (int i = 0; i < n; i++) {
2456             current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
2457           }
2458         }
2459         return;
2460       }
2461       Symbol* ref_class_name =
2462         cp->klass_name_at(cp->uncached_klass_ref_index_at(index));
2463       if (!name_in_supers(ref_class_name, current_class()))
2464         // stack_object_type must be assignable to _current_class_type since:
2465         // 1. stack_object_type must be assignable to ref_class.
2466         // 2. ref_class must be _current_class or a subclass of it. It can't
2467         //    be a superclass of it. See revised JVMS 5.4.4.
2468         break;
2469 
2470       Klass* ref_class_oop = load_class(ref_class_name, CHECK);
2471       if (is_protected_access(current_class(), ref_class_oop, field_name,
2472                               field_sig, false)) {
2473         // It's protected access, check if stack object is assignable to
2474         // current class.
2475         is_assignable = current_type().is_assignable_from(
2476           stack_object_type, this, true, CHECK_VERIFY(this));
2477         if (!is_assignable) {
2478           verify_error(ErrorContext::bad_type(bci,
2479               current_frame->stack_top_ctx(),
2480               TypeOrigin::implicit(current_type())),
2481               "Bad access to protected data in %s",
2482               is_getfield ? "getfield" : "putfield");
2483           return;
2484         }
2485       }
2486       break;
2487     }
2488     default: ShouldNotReachHere();
2489   }
2490   if (is_getfield) {
2491     // Push field type for getfield after doing protection check.
2492     for (int i = 0; i < n; i++) {
2493       current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
2494     }
2495   }
2496 }
2497 
2498 // Look at the method's handlers.  If the bci is in the handler's try block
2499 // then check if the handler_pc is already on the stack.  If not, push it
2500 // unless the handler has already been scanned.
2501 void ClassVerifier::push_handlers(ExceptionTable* exhandlers,
2502                                   GrowableArray<u4>* handler_list,
2503                                   GrowableArray<u4>* handler_stack,
2504                                   u4 bci) {
2505   int exlength = exhandlers->length();
2506   for(int x = 0; x < exlength; x++) {
2507     if (bci >= exhandlers->start_pc(x) && bci < exhandlers->end_pc(x)) {
2508       u4 exhandler_pc = exhandlers->handler_pc(x);
2509       if (!handler_list->contains(exhandler_pc)) {
2510         handler_stack->append_if_missing(exhandler_pc);
2511         handler_list->append(exhandler_pc);
2512       }
2513     }
2514   }
2515 }
2516 
2517 // Return TRUE if all code paths starting with start_bc_offset end in
2518 // bytecode athrow or loop.
2519 bool ClassVerifier::ends_in_athrow(u4 start_bc_offset) {
2520   ResourceMark rm;
2521   // Create bytecode stream.
2522   RawBytecodeStream bcs(method());
2523   int code_length = method()->code_size();
2524   bcs.set_start(start_bc_offset);
2525 
2526   // Create stack for storing bytecode start offsets for if* and *switch.
2527   GrowableArray<u4>* bci_stack = new GrowableArray<u4>(30);
2528   // Create stack for handlers for try blocks containing this handler.
2529   GrowableArray<u4>* handler_stack = new GrowableArray<u4>(30);
2530   // Create list of handlers that have been pushed onto the handler_stack
2531   // so that handlers embedded inside of their own TRY blocks only get
2532   // scanned once.
2533   GrowableArray<u4>* handler_list = new GrowableArray<u4>(30);
2534   // Create list of visited branch opcodes (goto* and if*).
2535   GrowableArray<u4>* visited_branches = new GrowableArray<u4>(30);
2536   ExceptionTable exhandlers(_method());
2537 
2538   while (true) {
2539     if (bcs.is_last_bytecode()) {
2540       // if no more starting offsets to parse or if at the end of the
2541       // method then return false.
2542       if ((bci_stack->is_empty()) || (bcs.end_bci() == code_length))
2543         return false;
2544       // Pop a bytecode starting offset and scan from there.
2545       bcs.set_start(bci_stack->pop());
2546     }
2547     Bytecodes::Code opcode = bcs.raw_next();
2548     int bci = bcs.bci();
2549 
2550     // If the bytecode is in a TRY block, push its handlers so they
2551     // will get parsed.
2552     push_handlers(&exhandlers, handler_list, handler_stack, bci);
2553 
2554     switch (opcode) {
2555       case Bytecodes::_if_icmpeq:
2556       case Bytecodes::_if_icmpne:
2557       case Bytecodes::_if_icmplt:
2558       case Bytecodes::_if_icmpge:
2559       case Bytecodes::_if_icmpgt:
2560       case Bytecodes::_if_icmple:
2561       case Bytecodes::_ifeq:
2562       case Bytecodes::_ifne:
2563       case Bytecodes::_iflt:
2564       case Bytecodes::_ifge:
2565       case Bytecodes::_ifgt:
2566       case Bytecodes::_ifle:
2567       case Bytecodes::_if_acmpeq:
2568       case Bytecodes::_if_acmpne:
2569       case Bytecodes::_ifnull:
2570       case Bytecodes::_ifnonnull: {
2571         int target = bcs.dest();
2572         if (visited_branches->contains(bci)) {
2573           if (bci_stack->is_empty()) {
2574             if (handler_stack->is_empty()) {
2575               return true;
2576             } else {
2577               // Parse the catch handlers for try blocks containing athrow.
2578               bcs.set_start(handler_stack->pop());
2579             }
2580           } else {
2581             // Pop a bytecode starting offset and scan from there.
2582             bcs.set_start(bci_stack->pop());
2583           }
2584         } else {
2585           if (target > bci) { // forward branch
2586             if (target >= code_length) return false;
2587             // Push the branch target onto the stack.
2588             bci_stack->push(target);
2589             // then, scan bytecodes starting with next.
2590             bcs.set_start(bcs.next_bci());
2591           } else { // backward branch
2592             // Push bytecode offset following backward branch onto the stack.
2593             bci_stack->push(bcs.next_bci());
2594             // Check bytecodes starting with branch target.
2595             bcs.set_start(target);
2596           }
2597           // Record target so we don't branch here again.
2598           visited_branches->append(bci);
2599         }
2600         break;
2601         }
2602 
2603       case Bytecodes::_goto:
2604       case Bytecodes::_goto_w: {
2605         int target = (opcode == Bytecodes::_goto ? bcs.dest() : bcs.dest_w());
2606         if (visited_branches->contains(bci)) {
2607           if (bci_stack->is_empty()) {
2608             if (handler_stack->is_empty()) {
2609               return true;
2610             } else {
2611               // Parse the catch handlers for try blocks containing athrow.
2612               bcs.set_start(handler_stack->pop());
2613             }
2614           } else {
2615             // Been here before, pop new starting offset from stack.
2616             bcs.set_start(bci_stack->pop());
2617           }
2618         } else {
2619           if (target >= code_length) return false;
2620           // Continue scanning from the target onward.
2621           bcs.set_start(target);
2622           // Record target so we don't branch here again.
2623           visited_branches->append(bci);
2624         }
2625         break;
2626         }
2627 
2628       // Check that all switch alternatives end in 'athrow' bytecodes. Since it
2629       // is  difficult to determine where each switch alternative ends, parse
2630       // each switch alternative until either hit a 'return', 'athrow', or reach
2631       // the end of the method's bytecodes.  This is gross but should be okay
2632       // because:
2633       // 1. tableswitch and lookupswitch byte codes in handlers for ctor explicit
2634       //    constructor invocations should be rare.
2635       // 2. if each switch alternative ends in an athrow then the parsing should be
2636       //    short.  If there is no athrow then it is bogus code, anyway.
2637       case Bytecodes::_lookupswitch:
2638       case Bytecodes::_tableswitch:
2639         {
2640           address aligned_bcp = align_up(bcs.bcp() + 1, jintSize);
2641           int default_offset = Bytes::get_Java_u4(aligned_bcp) + bci;
2642           int keys, delta;
2643           if (opcode == Bytecodes::_tableswitch) {
2644             jint low = (jint)Bytes::get_Java_u4(aligned_bcp + jintSize);
2645             jint high = (jint)Bytes::get_Java_u4(aligned_bcp + 2*jintSize);
2646             // This is invalid, but let the regular bytecode verifier
2647             // report this because the user will get a better error message.
2648             if (low > high) return true;
2649             keys = high - low + 1;
2650             delta = 1;
2651           } else {
2652             keys = (int)Bytes::get_Java_u4(aligned_bcp + jintSize);
2653             delta = 2;
2654           }
2655           // Invalid, let the regular bytecode verifier deal with it.
2656           if (keys < 0) return true;
2657 
2658           // Push the offset of the next bytecode onto the stack.
2659           bci_stack->push(bcs.next_bci());
2660 
2661           // Push the switch alternatives onto the stack.
2662           for (int i = 0; i < keys; i++) {
2663             int target = bci + (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
2664             if (target > code_length) return false;
2665             bci_stack->push(target);
2666           }
2667 
2668           // Start bytecode parsing for the switch at the default alternative.
2669           if (default_offset > code_length) return false;
2670           bcs.set_start(default_offset);
2671           break;
2672         }
2673 
2674       case Bytecodes::_return:
2675         return false;
2676 
2677       case Bytecodes::_athrow:
2678         {
2679           if (bci_stack->is_empty()) {
2680             if (handler_stack->is_empty()) {
2681               return true;
2682             } else {
2683               // Parse the catch handlers for try blocks containing athrow.
2684               bcs.set_start(handler_stack->pop());
2685             }
2686           } else {
2687             // Pop a bytecode offset and starting scanning from there.
2688             bcs.set_start(bci_stack->pop());
2689           }
2690         }
2691         break;
2692 
2693       default:
2694         ;
2695     } // end switch
2696   } // end while loop
2697 
2698   return false;
2699 }
2700 
2701 void ClassVerifier::verify_invoke_init(
2702     RawBytecodeStream* bcs, u2 ref_class_index, VerificationType ref_class_type,
2703     StackMapFrame* current_frame, u4 code_length, bool in_try_block,
2704     bool *this_uninit, const constantPoolHandle& cp, StackMapTable* stackmap_table,
2705     TRAPS) {
2706   int bci = bcs->bci();
2707   VerificationType type = current_frame->pop_stack(
2708     VerificationType::reference_check(), CHECK_VERIFY(this));
2709   if (type == VerificationType::uninitialized_this_type()) {
2710     // The method must be an <init> method of this class or its superclass
2711     Klass* superk = current_class()->super();
2712     if (ref_class_type.name() != current_class()->name() &&
2713         ref_class_type.name() != superk->name()) {
2714       verify_error(ErrorContext::bad_type(bci,
2715           TypeOrigin::implicit(ref_class_type),
2716           TypeOrigin::implicit(current_type())),
2717           "Bad <init> method call");
2718       return;
2719     } else if (ref_class_type.name() == superk->name()) {
2720       // Strict final fields must be satisfied by this point
2721       if (!current_frame->verify_unset_fields_satisfied()) {
2722         log_info(verification)("Strict instance fields not initialized");
2723         StackMapFrame::print_strict_fields(current_frame->assert_unset_fields());
2724         current_frame->unsatisfied_strict_fields_error(current_class(), bci);
2725       }
2726     }
2727 
2728     // If this invokespecial call is done from inside of a TRY block then make
2729     // sure that all catch clause paths end in a throw.  Otherwise, this can
2730     // result in returning an incomplete object.
2731     if (in_try_block) {
2732       ExceptionTable exhandlers(_method());
2733       int exlength = exhandlers.length();
2734       for(int i = 0; i < exlength; i++) {
2735         u2 start_pc = exhandlers.start_pc(i);
2736         u2 end_pc = exhandlers.end_pc(i);
2737 
2738         if (bci >= start_pc && bci < end_pc) {
2739           if (!ends_in_athrow(exhandlers.handler_pc(i))) {
2740             verify_error(ErrorContext::bad_code(bci),
2741               "Bad <init> method call from after the start of a try block");
2742             return;
2743           } else if (log_is_enabled(Debug, verification)) {
2744             ResourceMark rm(THREAD);
2745             log_debug(verification)("Survived call to ends_in_athrow(): %s",
2746                                           current_class()->name()->as_C_string());
2747           }
2748         }
2749       }
2750 
2751       // Check the exception handler target stackmaps with the locals from the
2752       // incoming stackmap (before initialize_object() changes them to outgoing
2753       // state).
2754       if (was_recursively_verified()) return;
2755       verify_exception_handler_targets(bci, true, current_frame,
2756                                        stackmap_table, CHECK_VERIFY(this));
2757     } // in_try_block
2758 
2759     current_frame->initialize_object(type, current_type());
2760     *this_uninit = true;
2761   } else if (type.is_uninitialized()) {
2762     u2 new_offset = type.bci();
2763     address new_bcp = bcs->bcp() - bci + new_offset;
2764     if (new_offset > (code_length - 3) || (*new_bcp) != Bytecodes::_new) {
2765       /* Unreachable?  Stack map parsing ensures valid type and new
2766        * instructions have a valid BCI. */
2767       verify_error(ErrorContext::bad_code(new_offset),
2768                    "Expecting new instruction");
2769       return;
2770     }
2771     u2 new_class_index = Bytes::get_Java_u2(new_bcp + 1);
2772     if (was_recursively_verified()) return;
2773     verify_cp_class_type(bci, new_class_index, cp, CHECK_VERIFY(this));
2774 
2775     // The method must be an <init> method of the indicated class
2776     VerificationType new_class_type = cp_index_to_type(
2777       new_class_index, cp, CHECK_VERIFY(this));
2778     if (!new_class_type.equals(ref_class_type)) {
2779       verify_error(ErrorContext::bad_type(bci,
2780           TypeOrigin::cp(new_class_index, new_class_type),
2781           TypeOrigin::cp(ref_class_index, ref_class_type)),
2782           "Call to wrong <init> method");
2783       return;
2784     }
2785     // According to the VM spec, if the referent class is a superclass of the
2786     // current class, and is in a different runtime package, and the method is
2787     // protected, then the objectref must be the current class or a subclass
2788     // of the current class.
2789     VerificationType objectref_type = new_class_type;
2790     if (name_in_supers(ref_class_type.name(), current_class())) {
2791       Klass* ref_klass = load_class(ref_class_type.name(), CHECK);
2792       if (was_recursively_verified()) return;
2793       Method* m = InstanceKlass::cast(ref_klass)->uncached_lookup_method(
2794         vmSymbols::object_initializer_name(),
2795         cp->uncached_signature_ref_at(bcs->get_index_u2()),
2796         Klass::OverpassLookupMode::find);
2797       // Do nothing if method is not found.  Let resolution detect the error.
2798       if (m != nullptr) {
2799         InstanceKlass* mh = m->method_holder();
2800         if (m->is_protected() && !mh->is_same_class_package(_klass)) {
2801           bool assignable = current_type().is_assignable_from(
2802             objectref_type, this, true, CHECK_VERIFY(this));
2803           if (!assignable) {
2804             verify_error(ErrorContext::bad_type(bci,
2805                 TypeOrigin::cp(new_class_index, objectref_type),
2806                 TypeOrigin::implicit(current_type())),
2807                 "Bad access to protected <init> method");
2808             return;
2809           }
2810         }
2811       }
2812     }
2813     // Check the exception handler target stackmaps with the locals from the
2814     // incoming stackmap (before initialize_object() changes them to outgoing
2815     // state).
2816     if (in_try_block) {
2817       if (was_recursively_verified()) return;
2818       verify_exception_handler_targets(bci, *this_uninit, current_frame,
2819                                        stackmap_table, CHECK_VERIFY(this));
2820     }
2821     current_frame->initialize_object(type, new_class_type);
2822   } else {
2823     verify_error(ErrorContext::bad_type(bci, current_frame->stack_top_ctx()),
2824         "Bad operand type when invoking <init>");
2825     return;
2826   }
2827 }
2828 
2829 bool ClassVerifier::is_same_or_direct_interface(
2830     InstanceKlass* klass,
2831     VerificationType klass_type,
2832     VerificationType ref_class_type) {
2833   if (ref_class_type.equals(klass_type)) return true;
2834   Array<InstanceKlass*>* local_interfaces = klass->local_interfaces();
2835   if (local_interfaces != nullptr) {
2836     for (int x = 0; x < local_interfaces->length(); x++) {
2837       InstanceKlass* k = local_interfaces->at(x);
2838       assert (k != nullptr && k->is_interface(), "invalid interface");
2839       if (ref_class_type.equals(VerificationType::reference_type(k->name()))) {
2840         return true;
2841       }
2842     }
2843   }
2844   return false;
2845 }
2846 
2847 void ClassVerifier::verify_invoke_instructions(
2848     RawBytecodeStream* bcs, u4 code_length, StackMapFrame* current_frame,
2849     bool in_try_block, bool *this_uninit,
2850     const constantPoolHandle& cp, StackMapTable* stackmap_table, TRAPS) {
2851   // Make sure the constant pool item is the right type
2852   u2 index = bcs->get_index_u2();
2853   Bytecodes::Code opcode = bcs->raw_code();
2854   unsigned int types = 0;
2855   switch (opcode) {
2856     case Bytecodes::_invokeinterface:
2857       types = 1 << JVM_CONSTANT_InterfaceMethodref;
2858       break;
2859     case Bytecodes::_invokedynamic:
2860       types = 1 << JVM_CONSTANT_InvokeDynamic;
2861       break;
2862     case Bytecodes::_invokespecial:
2863     case Bytecodes::_invokestatic:
2864       types = (_klass->major_version() < STATIC_METHOD_IN_INTERFACE_MAJOR_VERSION) ?
2865         (1 << JVM_CONSTANT_Methodref) :
2866         ((1 << JVM_CONSTANT_InterfaceMethodref) | (1 << JVM_CONSTANT_Methodref));
2867       break;
2868     default:
2869       types = 1 << JVM_CONSTANT_Methodref;
2870   }
2871   verify_cp_type(bcs->bci(), index, cp, types, CHECK_VERIFY(this));
2872 
2873   // Get method name and signature
2874   Symbol* method_name = cp->uncached_name_ref_at(index);
2875   Symbol* method_sig = cp->uncached_signature_ref_at(index);
2876 
2877   // Method signature was checked in ClassFileParser.
2878   assert(SignatureVerifier::is_valid_method_signature(method_sig),
2879          "Invalid method signature");
2880 
2881   // Get referenced class
2882   VerificationType ref_class_type;
2883   if (opcode == Bytecodes::_invokedynamic) {
2884     if (_klass->major_version() < Verifier::INVOKEDYNAMIC_MAJOR_VERSION) {
2885       class_format_error(
2886         "invokedynamic instructions not supported by this class file version (%d), class %s",
2887         _klass->major_version(), _klass->external_name());
2888       return;
2889     }
2890   } else {
2891     ref_class_type = cp_ref_index_to_type(index, cp, CHECK_VERIFY(this));
2892   }
2893 
2894   assert(sizeof(VerificationType) == sizeof(uintptr_t),
2895         "buffer type must match VerificationType size");
2896 
2897   // Get the UTF8 index for this signature.
2898   int sig_index = cp->signature_ref_index_at(cp->uncached_name_and_type_ref_index_at(index));
2899 
2900   // Get the signature's verification types.
2901   sig_as_verification_types* mth_sig_verif_types;
2902   sig_as_verification_types** mth_sig_verif_types_ptr = method_signatures_table()->get(sig_index);
2903   if (mth_sig_verif_types_ptr != nullptr) {
2904     // Found the entry for the signature's verification types in the hash table.
2905     mth_sig_verif_types = *mth_sig_verif_types_ptr;
2906     assert(mth_sig_verif_types != nullptr, "Unexpected null sig_as_verification_types value");
2907   } else {
2908     // Not found, add the entry to the table.
2909     GrowableArray<VerificationType>* verif_types = new GrowableArray<VerificationType>(10);
2910     mth_sig_verif_types = new sig_as_verification_types(verif_types);
2911     create_method_sig_entry(mth_sig_verif_types, sig_index);
2912   }
2913 
2914   // Get the number of arguments for this signature.
2915   int nargs = mth_sig_verif_types->num_args();
2916 
2917   // Check instruction operands
2918   int bci = bcs->bci();
2919   if (opcode == Bytecodes::_invokeinterface) {
2920     address bcp = bcs->bcp();
2921     // 4905268: count operand in invokeinterface should be nargs+1, not nargs.
2922     // JSR202 spec: The count operand of an invokeinterface instruction is valid if it is
2923     // the difference between the size of the operand stack before and after the instruction
2924     // executes.
2925     if (*(bcp+3) != (nargs+1)) {
2926       verify_error(ErrorContext::bad_code(bci),
2927           "Inconsistent args count operand in invokeinterface");
2928       return;
2929     }
2930     if (*(bcp+4) != 0) {
2931       verify_error(ErrorContext::bad_code(bci),
2932           "Fourth operand byte of invokeinterface must be zero");
2933       return;
2934     }
2935   }
2936 
2937   if (opcode == Bytecodes::_invokedynamic) {
2938     address bcp = bcs->bcp();
2939     if (*(bcp+3) != 0 || *(bcp+4) != 0) {
2940       verify_error(ErrorContext::bad_code(bci),
2941           "Third and fourth operand bytes of invokedynamic must be zero");
2942       return;
2943     }
2944   }
2945 
2946   if (method_name->char_at(0) == JVM_SIGNATURE_SPECIAL) {
2947     // Make sure:
2948     //   <init> can only be invoked by invokespecial.
2949     if (opcode != Bytecodes::_invokespecial ||
2950           method_name != vmSymbols::object_initializer_name()) {
2951       verify_error(ErrorContext::bad_code(bci),
2952           "Illegal call to internal method");
2953       return;
2954     }
2955   } else if (opcode == Bytecodes::_invokespecial
2956              && !is_same_or_direct_interface(current_class(), current_type(), ref_class_type)
2957              && !ref_class_type.equals(VerificationType::reference_type(
2958                   current_class()->super()->name()))) { // super() can never be an inline_type.
2959     bool subtype = false;
2960     bool have_imr_indirect = cp->tag_at(index).value() == JVM_CONSTANT_InterfaceMethodref;
2961     subtype = ref_class_type.is_assignable_from(
2962                current_type(), this, false, CHECK_VERIFY(this));
2963     if (!subtype) {
2964       verify_error(ErrorContext::bad_code(bci),
2965           "Bad invokespecial instruction: "
2966           "current class isn't assignable to reference class.");
2967        return;
2968     } else if (have_imr_indirect) {
2969       verify_error(ErrorContext::bad_code(bci),
2970           "Bad invokespecial instruction: "
2971           "interface method reference is in an indirect superinterface.");
2972       return;
2973     }
2974 
2975   }
2976 
2977   // Get the verification types for the method's arguments.
2978   GrowableArray<VerificationType>* sig_verif_types = mth_sig_verif_types->sig_verif_types();
2979   assert(sig_verif_types != nullptr, "Missing signature's array of verification types");
2980   // Match method descriptor with operand stack
2981   // The arguments are on the stack in descending order.
2982   for (int i = nargs - 1; i >= 0; i--) { // Run backwards
2983     current_frame->pop_stack(sig_verif_types->at(i), CHECK_VERIFY(this));
2984   }
2985 
2986   // Check objectref on operand stack
2987   if (opcode != Bytecodes::_invokestatic &&
2988       opcode != Bytecodes::_invokedynamic) {
2989     if (method_name == vmSymbols::object_initializer_name()) {  // <init> method
2990       verify_invoke_init(bcs, index, ref_class_type, current_frame,
2991         code_length, in_try_block, this_uninit, cp, stackmap_table,
2992         CHECK_VERIFY(this));
2993       if (was_recursively_verified()) return;
2994     } else {   // other methods
2995       // Ensures that target class is assignable to method class.
2996       if (opcode == Bytecodes::_invokespecial) {
2997         current_frame->pop_stack(current_type(), CHECK_VERIFY(this));
2998       } else if (opcode == Bytecodes::_invokevirtual) {
2999         VerificationType stack_object_type =
3000           current_frame->pop_stack(ref_class_type, CHECK_VERIFY(this));
3001         if (current_type() != stack_object_type) {
3002           if (was_recursively_verified()) return;
3003           assert(cp->cache() == nullptr, "not rewritten yet");
3004           Symbol* ref_class_name =
3005             cp->klass_name_at(cp->uncached_klass_ref_index_at(index));
3006           // See the comments in verify_field_instructions() for
3007           // the rationale behind this.
3008           if (name_in_supers(ref_class_name, current_class())) {
3009             Klass* ref_class = load_class(ref_class_name, CHECK);
3010             if (is_protected_access(
3011                   _klass, ref_class, method_name, method_sig, true)) {
3012               // It's protected access, check if stack object is
3013               // assignable to current class.
3014               if (ref_class_type.name() == vmSymbols::java_lang_Object()
3015                   && stack_object_type.is_array()
3016                   && method_name == vmSymbols::clone_name()) {
3017                 // Special case: arrays pretend to implement public Object
3018                 // clone().
3019               } else {
3020                 bool is_assignable = current_type().is_assignable_from(
3021                   stack_object_type, this, true, CHECK_VERIFY(this));
3022                 if (!is_assignable) {
3023                   verify_error(ErrorContext::bad_type(bci,
3024                       current_frame->stack_top_ctx(),
3025                       TypeOrigin::implicit(current_type())),
3026                       "Bad access to protected data in invokevirtual");
3027                   return;
3028                 }
3029               }
3030             }
3031           }
3032         }
3033       } else {
3034         assert(opcode == Bytecodes::_invokeinterface, "Unexpected opcode encountered");
3035         current_frame->pop_stack(ref_class_type, CHECK_VERIFY(this));
3036       }
3037     }
3038   }
3039   // Push the result type.
3040   int sig_verif_types_len = sig_verif_types->length();
3041   if (sig_verif_types_len > nargs) {  // There's a return type
3042     if (method_name == vmSymbols::object_initializer_name()) {
3043       // an <init> method must have a void return type
3044       verify_error(ErrorContext::bad_code(bci),
3045           "Return type must be void in <init> method");
3046       return;
3047     }
3048 
3049     assert(sig_verif_types_len <= nargs + 2,
3050            "Signature verification types array return type is bogus");
3051     for (int i = nargs; i < sig_verif_types_len; i++) {
3052       assert(i == nargs || sig_verif_types->at(i).is_long2() ||
3053              sig_verif_types->at(i).is_double2(), "Unexpected return verificationType");
3054       current_frame->push_stack(sig_verif_types->at(i), CHECK_VERIFY(this));
3055     }
3056   }
3057 }
3058 
3059 VerificationType ClassVerifier::get_newarray_type(
3060     u2 index, int bci, TRAPS) {
3061   const char* from_bt[] = {
3062     nullptr, nullptr, nullptr, nullptr, "[Z", "[C", "[F", "[D", "[B", "[S", "[I", "[J",
3063   };
3064   if (index < T_BOOLEAN || index > T_LONG) {
3065     verify_error(ErrorContext::bad_code(bci), "Illegal newarray instruction");
3066     return VerificationType::bogus_type();
3067   }
3068 
3069   // from_bt[index] contains the array signature which has a length of 2
3070   Symbol* sig = create_temporary_symbol(from_bt[index], 2);
3071   return VerificationType::reference_type(sig);
3072 }
3073 
3074 void ClassVerifier::verify_anewarray(
3075     int bci, u2 index, const constantPoolHandle& cp,
3076     StackMapFrame* current_frame, TRAPS) {
3077   verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
3078   current_frame->pop_stack(
3079     VerificationType::integer_type(), CHECK_VERIFY(this));
3080 
3081   if (was_recursively_verified()) return;
3082   VerificationType component_type =
3083     cp_index_to_type(index, cp, CHECK_VERIFY(this));
3084   int length;
3085   char* arr_sig_str;
3086   if (component_type.is_array()) {     // it's an array
3087     const char* component_name = component_type.name()->as_utf8();
3088     // Check for more than MAX_ARRAY_DIMENSIONS
3089     length = (int)strlen(component_name);
3090     if (length > MAX_ARRAY_DIMENSIONS &&
3091         component_name[MAX_ARRAY_DIMENSIONS - 1] == JVM_SIGNATURE_ARRAY) {
3092       verify_error(ErrorContext::bad_code(bci),
3093         "Illegal anewarray instruction, array has more than 255 dimensions");
3094     }
3095     // add one dimension to component
3096     length++;
3097     arr_sig_str = NEW_RESOURCE_ARRAY_IN_THREAD(THREAD, char, length + 1);
3098     int n = os::snprintf(arr_sig_str, length + 1, "%c%s",
3099                          JVM_SIGNATURE_ARRAY, component_name);
3100     assert(n == length, "Unexpected number of characters in string");
3101   } else {         // it's an object or interface
3102     const char* component_name = component_type.name()->as_utf8();
3103     // add one dimension to component with 'L' prepended and ';' postpended.
3104     length = (int)strlen(component_name) + 3;
3105     arr_sig_str = NEW_RESOURCE_ARRAY_IN_THREAD(THREAD, char, length + 1);
3106     int n = os::snprintf(arr_sig_str, length + 1, "%c%c%s;",
3107                          JVM_SIGNATURE_ARRAY, JVM_SIGNATURE_CLASS, component_name);
3108     assert(n == length, "Unexpected number of characters in string");
3109   }
3110   Symbol* arr_sig = create_temporary_symbol(arr_sig_str, length);
3111   VerificationType new_array_type = VerificationType::reference_type(arr_sig);
3112   current_frame->push_stack(new_array_type, CHECK_VERIFY(this));
3113 }
3114 
3115 void ClassVerifier::verify_iload(int index, StackMapFrame* current_frame, TRAPS) {
3116   current_frame->get_local(
3117     index, VerificationType::integer_type(), CHECK_VERIFY(this));
3118   current_frame->push_stack(
3119     VerificationType::integer_type(), CHECK_VERIFY(this));
3120 }
3121 
3122 void ClassVerifier::verify_lload(int index, StackMapFrame* current_frame, TRAPS) {
3123   current_frame->get_local_2(
3124     index, VerificationType::long_type(),
3125     VerificationType::long2_type(), CHECK_VERIFY(this));
3126   current_frame->push_stack_2(
3127     VerificationType::long_type(),
3128     VerificationType::long2_type(), CHECK_VERIFY(this));
3129 }
3130 
3131 void ClassVerifier::verify_fload(int index, StackMapFrame* current_frame, TRAPS) {
3132   current_frame->get_local(
3133     index, VerificationType::float_type(), CHECK_VERIFY(this));
3134   current_frame->push_stack(
3135     VerificationType::float_type(), CHECK_VERIFY(this));
3136 }
3137 
3138 void ClassVerifier::verify_dload(int index, StackMapFrame* current_frame, TRAPS) {
3139   current_frame->get_local_2(
3140     index, VerificationType::double_type(),
3141     VerificationType::double2_type(), CHECK_VERIFY(this));
3142   current_frame->push_stack_2(
3143     VerificationType::double_type(),
3144     VerificationType::double2_type(), CHECK_VERIFY(this));
3145 }
3146 
3147 void ClassVerifier::verify_aload(int index, StackMapFrame* current_frame, TRAPS) {
3148   VerificationType type = current_frame->get_local(
3149     index, VerificationType::reference_check(), CHECK_VERIFY(this));
3150   current_frame->push_stack(type, CHECK_VERIFY(this));
3151 }
3152 
3153 void ClassVerifier::verify_istore(int index, StackMapFrame* current_frame, TRAPS) {
3154   current_frame->pop_stack(
3155     VerificationType::integer_type(), CHECK_VERIFY(this));
3156   current_frame->set_local(
3157     index, VerificationType::integer_type(), CHECK_VERIFY(this));
3158 }
3159 
3160 void ClassVerifier::verify_lstore(int index, StackMapFrame* current_frame, TRAPS) {
3161   current_frame->pop_stack_2(
3162     VerificationType::long2_type(),
3163     VerificationType::long_type(), CHECK_VERIFY(this));
3164   current_frame->set_local_2(
3165     index, VerificationType::long_type(),
3166     VerificationType::long2_type(), CHECK_VERIFY(this));
3167 }
3168 
3169 void ClassVerifier::verify_fstore(int index, StackMapFrame* current_frame, TRAPS) {
3170   current_frame->pop_stack(VerificationType::float_type(), CHECK_VERIFY(this));
3171   current_frame->set_local(
3172     index, VerificationType::float_type(), CHECK_VERIFY(this));
3173 }
3174 
3175 void ClassVerifier::verify_dstore(int index, StackMapFrame* current_frame, TRAPS) {
3176   current_frame->pop_stack_2(
3177     VerificationType::double2_type(),
3178     VerificationType::double_type(), CHECK_VERIFY(this));
3179   current_frame->set_local_2(
3180     index, VerificationType::double_type(),
3181     VerificationType::double2_type(), CHECK_VERIFY(this));
3182 }
3183 
3184 void ClassVerifier::verify_astore(int index, StackMapFrame* current_frame, TRAPS) {
3185   VerificationType type = current_frame->pop_stack(
3186     VerificationType::reference_check(), CHECK_VERIFY(this));
3187   current_frame->set_local(index, type, CHECK_VERIFY(this));
3188 }
3189 
3190 void ClassVerifier::verify_iinc(int index, StackMapFrame* current_frame, TRAPS) {
3191   VerificationType type = current_frame->get_local(
3192     index, VerificationType::integer_type(), CHECK_VERIFY(this));
3193   current_frame->set_local(index, type, CHECK_VERIFY(this));
3194 }
3195 
3196 void ClassVerifier::verify_return_value(
3197     VerificationType return_type, VerificationType type, int bci,
3198     StackMapFrame* current_frame, TRAPS) {
3199   if (return_type == VerificationType::bogus_type()) {
3200     verify_error(ErrorContext::bad_type(bci,
3201         current_frame->stack_top_ctx(), TypeOrigin::signature(return_type)),
3202         "Method does not expect a return value");
3203     return;
3204   }
3205   bool match = return_type.is_assignable_from(type, this, false, CHECK_VERIFY(this));
3206   if (!match) {
3207     verify_error(ErrorContext::bad_type(bci,
3208         current_frame->stack_top_ctx(), TypeOrigin::signature(return_type)),
3209         "Bad return type");
3210     return;
3211   }
3212 }
3213 
3214 // The verifier creates symbols which are substrings of Symbols.
3215 // These are stored in the verifier until the end of verification so that
3216 // they can be reference counted.
3217 Symbol* ClassVerifier::create_temporary_symbol(const char *name, int length) {
3218   // Quick deduplication check
3219   if (_previous_symbol != nullptr && _previous_symbol->equals(name, length)) {
3220     return _previous_symbol;
3221   }
3222   Symbol* sym = SymbolTable::new_symbol(name, length);
3223   if (!sym->is_permanent()) {
3224     if (_symbols == nullptr) {
3225       _symbols = new GrowableArray<Symbol*>(50, 0, nullptr);
3226     }
3227     _symbols->push(sym);
3228   }
3229   _previous_symbol = sym;
3230   return sym;
3231 }