1 /*
2 * Copyright (c) 1998, 2025, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 *
26 #include "classfile/classFileStream.hpp"
27 #include "classfile/classLoader.hpp"
28 #include "classfile/javaClasses.hpp"
29 #include "classfile/stackMapFrame.hpp"
30 #include "classfile/stackMapTable.hpp"
31 #include "classfile/stackMapTableFormat.hpp"
32 #include "classfile/symbolTable.hpp"
33 #include "classfile/systemDictionary.hpp"
34 #include "classfile/verifier.hpp"
35 #include "classfile/vmClasses.hpp"
36 #include "classfile/vmSymbols.hpp"
37 #include "interpreter/bytecodes.hpp"
38 #include "interpreter/bytecodeStream.hpp"
39 #include "jvm.h"
40 #include "logging/log.hpp"
41 #include "logging/logStream.hpp"
42 #include "memory/oopFactory.hpp"
43 #include "memory/resourceArea.hpp"
44 #include "memory/universe.hpp"
45 #include "oops/constantPool.inline.hpp"
46 #include "oops/instanceKlass.inline.hpp"
47 #include "oops/klass.inline.hpp"
48 #include "oops/oop.inline.hpp"
49 #include "oops/typeArrayOop.hpp"
50 #include "runtime/arguments.hpp"
51 #include "runtime/fieldDescriptor.hpp"
52 #include "runtime/handles.inline.hpp"
53 #include "runtime/interfaceSupport.inline.hpp"
54 #include "runtime/javaCalls.hpp"
55 #include "runtime/javaThread.hpp"
56 #include "runtime/jniHandles.inline.hpp"
57 #include "runtime/os.hpp"
58 #include "runtime/safepointVerifiers.hpp"
59 #include "services/threadService.hpp"
60 #include "utilities/align.hpp"
61 #include "utilities/bytes.hpp"
62 #if INCLUDE_CDS
63 #include "classfile/systemDictionaryShared.hpp"
64 #endif
65
66 #define NOFAILOVER_MAJOR_VERSION 51
67 #define NONZERO_PADDING_BYTES_IN_SWITCH_MAJOR_VERSION 51
68 #define STATIC_METHOD_IN_INTERFACE_MAJOR_VERSION 52
69 #define MAX_ARRAY_DIMENSIONS 255
70
71 // Access to external entry for VerifyClassForMajorVersion - old byte code verifier
72
73 extern "C" {
74 typedef jboolean (*verify_byte_codes_fn_t)(JNIEnv *, jclass, char *, jint, jint);
75 }
76
77 static verify_byte_codes_fn_t volatile _verify_byte_codes_fn = nullptr;
78
79 static verify_byte_codes_fn_t verify_byte_codes_fn() {
80
81 if (_verify_byte_codes_fn != nullptr)
82 return _verify_byte_codes_fn;
83
84 MutexLocker locker(Verify_lock);
85
86 if (_verify_byte_codes_fn != nullptr)
87 return _verify_byte_codes_fn;
88
459 _expected.details(ss);
460 } else {
461 ss->print("Invalid type: ");
462 _type.details(ss);
463 }
464 break;
465 case FLAGS_MISMATCH:
466 if (_expected.is_valid()) {
467 ss->print("Current frame's flags are not assignable "
468 "to stack map frame's.");
469 } else {
470 ss->print("Current frame's flags are invalid in this context.");
471 }
472 break;
473 case BAD_CP_INDEX:
474 ss->print("Constant pool index %d is invalid", _type.index());
475 break;
476 case BAD_LOCAL_INDEX:
477 ss->print("Local index %d is invalid", _type.index());
478 break;
479 case LOCALS_SIZE_MISMATCH:
480 ss->print("Current frame's local size doesn't match stackmap.");
481 break;
482 case STACK_SIZE_MISMATCH:
483 ss->print("Current frame's stack size doesn't match stackmap.");
484 break;
485 case STACK_OVERFLOW:
486 ss->print("Exceeded max stack size.");
487 break;
488 case STACK_UNDERFLOW:
489 ss->print("Attempt to pop empty stack.");
490 break;
491 case MISSING_STACKMAP:
492 ss->print("Expected stackmap frame at this location.");
493 break;
494 case BAD_STACKMAP:
495 ss->print("Invalid stackmap specification.");
496 break;
497 case UNKNOWN:
498 default:
499 ShouldNotReachHere();
500 ss->print_cr("Unknown");
501 }
502 ss->cr();
503 }
504
505 void ErrorContext::location_details(outputStream* ss, const Method* method) const {
506 if (_bci != -1 && method != nullptr) {
507 const char* bytecode_name = "<invalid>";
508 if (method->validate_bci(_bci) != -1) {
509 Bytecodes::Code code = Bytecodes::code_or_bp_at(method->bcp_from(_bci));
510 if (Bytecodes::is_defined(code)) {
511 bytecode_name = Bytecodes::name(code);
512 } else {
513 bytecode_name = "<illegal>";
514 }
515 }
516 InstanceKlass* ik = method->method_holder();
599 ClassVerifier::~ClassVerifier() {
600 // Decrement the reference count for any symbols created.
601 if (_symbols != nullptr) {
602 for (int i = 0; i < _symbols->length(); i++) {
603 Symbol* s = _symbols->at(i);
604 s->decrement_refcount();
605 }
606 }
607 }
608
609 VerificationType ClassVerifier::object_type() const {
610 return VerificationType::reference_type(vmSymbols::java_lang_Object());
611 }
612
613 TypeOrigin ClassVerifier::ref_ctx(const char* sig) {
614 VerificationType vt = VerificationType::reference_type(
615 create_temporary_symbol(sig, (int)strlen(sig)));
616 return TypeOrigin::implicit(vt);
617 }
618
619
620 void ClassVerifier::verify_class(TRAPS) {
621 log_info(verification)("Verifying class %s with new format", _klass->external_name());
622
623 // Either verifying both local and remote classes or just remote classes.
624 assert(BytecodeVerificationRemote, "Should not be here");
625
626 Array<Method*>* methods = _klass->methods();
627 int num_methods = methods->length();
628
629 for (int index = 0; index < num_methods; index++) {
630 // Check for recursive re-verification before each method.
631 if (was_recursively_verified()) return;
632
633 Method* m = methods->at(index);
634 if (m->is_native() || m->is_abstract() || m->is_overpass()) {
635 // If m is native or abstract, skip it. It is checked in class file
636 // parser that methods do not override a final method. Overpass methods
637 // are trusted since the VM generates them.
638 continue;
694 bool is_unique = method_signatures_table()->put(sig_index, sig_verif_types);
695 assert(is_unique, "Duplicate entries in method_signature_table");
696 }
697
698 void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
699 HandleMark hm(THREAD);
700 _method = m; // initialize _method
701 log_info(verification)("Verifying method %s", m->name_and_sig_as_C_string());
702
703 // For clang, the only good constant format string is a literal constant format string.
704 #define bad_type_msg "Bad type on operand stack in %s"
705
706 u2 max_stack = m->verifier_max_stack();
707 u2 max_locals = m->max_locals();
708 constantPoolHandle cp(THREAD, m->constants());
709
710 // Method signature was checked in ClassFileParser.
711 assert(SignatureVerifier::is_valid_method_signature(m->signature()),
712 "Invalid method signature");
713
714 // Initial stack map frame: offset is 0, stack is initially empty.
715 StackMapFrame current_frame(max_locals, max_stack, this);
716 // Set initial locals
717 VerificationType return_type = current_frame.set_locals_from_arg( m, current_type());
718
719 u2 stackmap_index = 0; // index to the stackmap array
720
721 u4 code_length = m->code_size();
722
723 // Scan the bytecode and map each instruction's start offset to a number.
724 char* code_data = generate_code_data(m, code_length, CHECK_VERIFY(this));
725
726 int ex_min = code_length;
727 int ex_max = -1;
728 // Look through each item on the exception table. Each of the fields must refer
729 // to a legal instruction.
730 if (was_recursively_verified()) return;
731 verify_exception_handler_table(
732 code_length, code_data, ex_min, ex_max, CHECK_VERIFY(this));
733
734 // Look through each entry on the local variable table and make sure
735 // its range of code array offsets is valid. (4169817)
736 if (m->has_localvariable_table()) {
737 verify_local_variable_table(code_length, code_data, CHECK_VERIFY(this));
738 }
739
740 Array<u1>* stackmap_data = m->stackmap_data();
741 StackMapStream stream(stackmap_data);
742 StackMapReader reader(this, &stream, code_data, code_length, ¤t_frame, max_locals, max_stack, THREAD);
743 StackMapTable stackmap_table(&reader, CHECK_VERIFY(this));
744
745 LogTarget(Debug, verification) lt;
746 if (lt.is_enabled()) {
747 LogStream ls(lt);
748 stackmap_table.print_on(&ls);
749 }
750
751 RawBytecodeStream bcs(m);
752
753 // Scan the byte code linearly from the start to the end
754 bool no_control_flow = false; // Set to true when there is no direct control
755 // flow from current instruction to the next
756 // instruction in sequence
757
758 Bytecodes::Code opcode;
759 while (!bcs.is_last_bytecode()) {
760 // Check for recursive re-verification before each bytecode.
761 if (was_recursively_verified()) return;
762
1593 case Bytecodes::_if_icmpge:
1594 case Bytecodes::_if_icmpgt:
1595 case Bytecodes::_if_icmple:
1596 current_frame.pop_stack(
1597 VerificationType::integer_type(), CHECK_VERIFY(this));
1598 // fall through
1599 case Bytecodes::_ifeq:
1600 case Bytecodes::_ifne:
1601 case Bytecodes::_iflt:
1602 case Bytecodes::_ifge:
1603 case Bytecodes::_ifgt:
1604 case Bytecodes::_ifle:
1605 current_frame.pop_stack(
1606 VerificationType::integer_type(), CHECK_VERIFY(this));
1607 stackmap_table.check_jump_target(
1608 ¤t_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
1609 no_control_flow = false; break;
1610 case Bytecodes::_if_acmpeq :
1611 case Bytecodes::_if_acmpne :
1612 current_frame.pop_stack(
1613 VerificationType::reference_check(), CHECK_VERIFY(this));
1614 // fall through
1615 case Bytecodes::_ifnull :
1616 case Bytecodes::_ifnonnull :
1617 current_frame.pop_stack(
1618 VerificationType::reference_check(), CHECK_VERIFY(this));
1619 stackmap_table.check_jump_target
1620 (¤t_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
1621 no_control_flow = false; break;
1622 case Bytecodes::_goto :
1623 stackmap_table.check_jump_target(
1624 ¤t_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
1625 no_control_flow = true; break;
1626 case Bytecodes::_goto_w :
1627 stackmap_table.check_jump_target(
1628 ¤t_frame, bcs.bci(), bcs.get_offset_s4(), CHECK_VERIFY(this));
1629 no_control_flow = true; break;
1630 case Bytecodes::_tableswitch :
1631 case Bytecodes::_lookupswitch :
1632 verify_switch(
1633 &bcs, code_length, code_data, ¤t_frame,
1634 &stackmap_table, CHECK_VERIFY(this));
1635 no_control_flow = true; break;
1636 case Bytecodes::_ireturn :
1637 type = current_frame.pop_stack(
1638 VerificationType::integer_type(), CHECK_VERIFY(this));
1658 VerificationType::double2_type(), CHECK_VERIFY(this));
1659 type = current_frame.pop_stack(
1660 VerificationType::double_type(), CHECK_VERIFY(this));
1661 verify_return_value(return_type, type, bci,
1662 ¤t_frame, CHECK_VERIFY(this));
1663 no_control_flow = true; break;
1664 case Bytecodes::_areturn :
1665 type = current_frame.pop_stack(
1666 VerificationType::reference_check(), CHECK_VERIFY(this));
1667 verify_return_value(return_type, type, bci,
1668 ¤t_frame, CHECK_VERIFY(this));
1669 no_control_flow = true; break;
1670 case Bytecodes::_return :
1671 if (return_type != VerificationType::bogus_type()) {
1672 verify_error(ErrorContext::bad_code(bci),
1673 "Method expects a return value");
1674 return;
1675 }
1676 // Make sure "this" has been initialized if current method is an
1677 // <init>.
1678 if (_method->name() == vmSymbols::object_initializer_name() &&
1679 current_frame.flag_this_uninit()) {
1680 verify_error(ErrorContext::bad_code(bci),
1681 "Constructor must call super() or this() "
1682 "before return");
1683 return;
1684 }
1685 no_control_flow = true; break;
1686 case Bytecodes::_getstatic :
1687 case Bytecodes::_putstatic :
1688 // pass TRUE, operand can be an array type for getstatic/putstatic.
1689 verify_field_instructions(
1690 &bcs, ¤t_frame, cp, true, CHECK_VERIFY(this));
1691 no_control_flow = false; break;
1692 case Bytecodes::_getfield :
1693 case Bytecodes::_putfield :
1694 // pass FALSE, operand can't be an array type for getfield/putfield.
1695 verify_field_instructions(
1696 &bcs, ¤t_frame, cp, false, CHECK_VERIFY(this));
1697 no_control_flow = false; break;
1698 case Bytecodes::_invokevirtual :
1699 case Bytecodes::_invokespecial :
1700 case Bytecodes::_invokestatic :
1701 verify_invoke_instructions(
1702 &bcs, code_length, ¤t_frame, (bci >= ex_min && bci < ex_max),
1703 &this_uninit, return_type, cp, &stackmap_table, CHECK_VERIFY(this));
1704 no_control_flow = false; break;
1705 case Bytecodes::_invokeinterface :
1706 case Bytecodes::_invokedynamic :
1707 verify_invoke_instructions(
1708 &bcs, code_length, ¤t_frame, (bci >= ex_min && bci < ex_max),
1709 &this_uninit, return_type, cp, &stackmap_table, CHECK_VERIFY(this));
1710 no_control_flow = false; break;
1711 case Bytecodes::_new :
1712 {
1713 u2 index = bcs.get_index_u2();
1714 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1715 VerificationType new_class_type =
1716 cp_index_to_type(index, cp, CHECK_VERIFY(this));
1717 if (!new_class_type.is_object()) {
1718 verify_error(ErrorContext::bad_type(bci,
1719 TypeOrigin::cp(index, new_class_type)),
1720 "Illegal new instruction");
1721 return;
1722 }
1723 type = VerificationType::uninitialized_type(checked_cast<u2>(bci));
1724 current_frame.push_stack(type, CHECK_VERIFY(this));
1725 no_control_flow = false; break;
1726 }
1727 case Bytecodes::_newarray :
1728 type = get_newarray_type(bcs.get_index(), bci, CHECK_VERIFY(this));
1729 current_frame.pop_stack(
1747 no_control_flow = false; break;
1748 case Bytecodes::_checkcast :
1749 {
1750 u2 index = bcs.get_index_u2();
1751 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1752 current_frame.pop_stack(object_type(), CHECK_VERIFY(this));
1753 VerificationType klass_type = cp_index_to_type(
1754 index, cp, CHECK_VERIFY(this));
1755 current_frame.push_stack(klass_type, CHECK_VERIFY(this));
1756 no_control_flow = false; break;
1757 }
1758 case Bytecodes::_instanceof : {
1759 u2 index = bcs.get_index_u2();
1760 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1761 current_frame.pop_stack(object_type(), CHECK_VERIFY(this));
1762 current_frame.push_stack(
1763 VerificationType::integer_type(), CHECK_VERIFY(this));
1764 no_control_flow = false; break;
1765 }
1766 case Bytecodes::_monitorenter :
1767 case Bytecodes::_monitorexit :
1768 current_frame.pop_stack(
1769 VerificationType::reference_check(), CHECK_VERIFY(this));
1770 no_control_flow = false; break;
1771 case Bytecodes::_multianewarray :
1772 {
1773 u2 index = bcs.get_index_u2();
1774 u2 dim = *(bcs.bcp()+3);
1775 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1776 VerificationType new_array_type =
1777 cp_index_to_type(index, cp, CHECK_VERIFY(this));
1778 if (!new_array_type.is_array()) {
1779 verify_error(ErrorContext::bad_type(bci,
1780 TypeOrigin::cp(index, new_array_type)),
1781 "Illegal constant pool index in multianewarray instruction");
1782 return;
1783 }
1784 if (dim < 1 || new_array_type.dimensions() < dim) {
1785 verify_error(ErrorContext::bad_code(bci),
1786 "Illegal dimension in multianewarray instruction: %d", dim);
1787 return;
1788 }
1789 for (int i = 0; i < dim; i++) {
1790 current_frame.pop_stack(
2128 } else {
2129 Klass* member_klass = target_instance->find_field(field_name, field_sig, &fd);
2130 if (member_klass != nullptr && fd.is_protected()) {
2131 if (!this_class->is_same_class_package(member_klass)) {
2132 return true;
2133 }
2134 }
2135 }
2136 return false;
2137 }
2138
2139 void ClassVerifier::verify_ldc(
2140 int opcode, u2 index, StackMapFrame* current_frame,
2141 const constantPoolHandle& cp, int bci, TRAPS) {
2142 verify_cp_index(bci, cp, index, CHECK_VERIFY(this));
2143 constantTag tag = cp->tag_at(index);
2144 unsigned int types = 0;
2145 if (opcode == Bytecodes::_ldc || opcode == Bytecodes::_ldc_w) {
2146 if (!tag.is_unresolved_klass()) {
2147 types = (1 << JVM_CONSTANT_Integer) | (1 << JVM_CONSTANT_Float)
2148 | (1 << JVM_CONSTANT_String) | (1 << JVM_CONSTANT_Class)
2149 | (1 << JVM_CONSTANT_MethodHandle) | (1 << JVM_CONSTANT_MethodType)
2150 | (1 << JVM_CONSTANT_Dynamic);
2151 // Note: The class file parser already verified the legality of
2152 // MethodHandle and MethodType constants.
2153 verify_cp_type(bci, index, cp, types, CHECK_VERIFY(this));
2154 }
2155 } else {
2156 assert(opcode == Bytecodes::_ldc2_w, "must be ldc2_w");
2157 types = (1 << JVM_CONSTANT_Double) | (1 << JVM_CONSTANT_Long)
2158 | (1 << JVM_CONSTANT_Dynamic);
2159 verify_cp_type(bci, index, cp, types, CHECK_VERIFY(this));
2160 }
2161 if (tag.is_string()) {
2162 current_frame->push_stack(
2163 VerificationType::reference_type(
2164 vmSymbols::java_lang_String()), CHECK_VERIFY(this));
2165 } else if (tag.is_klass() || tag.is_unresolved_klass()) {
2166 current_frame->push_stack(
2167 VerificationType::reference_type(
2168 vmSymbols::java_lang_Class()), CHECK_VERIFY(this));
2303 const constantPoolHandle& cp,
2304 bool allow_arrays,
2305 TRAPS) {
2306 u2 index = bcs->get_index_u2();
2307 verify_cp_type(bcs->bci(), index, cp,
2308 1 << JVM_CONSTANT_Fieldref, CHECK_VERIFY(this));
2309
2310 // Get field name and signature
2311 Symbol* field_name = cp->uncached_name_ref_at(index);
2312 Symbol* field_sig = cp->uncached_signature_ref_at(index);
2313 bool is_getfield = false;
2314
2315 // Field signature was checked in ClassFileParser.
2316 assert(SignatureVerifier::is_valid_type_signature(field_sig),
2317 "Invalid field signature");
2318
2319 // Get referenced class type
2320 VerificationType ref_class_type = cp_ref_index_to_type(
2321 index, cp, CHECK_VERIFY(this));
2322 if (!ref_class_type.is_object() &&
2323 (!allow_arrays || !ref_class_type.is_array())) {
2324 verify_error(ErrorContext::bad_type(bcs->bci(),
2325 TypeOrigin::cp(index, ref_class_type)),
2326 "Expecting reference to class in class %s at constant pool index %d",
2327 _klass->external_name(), index);
2328 return;
2329 }
2330 VerificationType target_class_type = ref_class_type;
2331
2332 assert(sizeof(VerificationType) == sizeof(uintptr_t),
2333 "buffer type must match VerificationType size");
2334 uintptr_t field_type_buffer[2];
2335 VerificationType* field_type = (VerificationType*)field_type_buffer;
2336 // If we make a VerificationType[2] array directly, the compiler calls
2337 // to the c-runtime library to do the allocation instead of just
2338 // stack allocating it. Plus it would run constructors. This shows up
2339 // in performance profiles.
2340
2341 SignatureStream sig_stream(field_sig, false);
2342 VerificationType stack_object_type;
2343 int n = change_sig_to_verificationType(&sig_stream, field_type);
2344 int bci = bcs->bci();
2345 bool is_assignable;
2346 switch (bcs->raw_code()) {
2347 case Bytecodes::_getstatic: {
2348 for (int i = 0; i < n; i++) {
2349 current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
2351 break;
2352 }
2353 case Bytecodes::_putstatic: {
2354 for (int i = n - 1; i >= 0; i--) {
2355 current_frame->pop_stack(field_type[i], CHECK_VERIFY(this));
2356 }
2357 break;
2358 }
2359 case Bytecodes::_getfield: {
2360 is_getfield = true;
2361 stack_object_type = current_frame->pop_stack(
2362 target_class_type, CHECK_VERIFY(this));
2363 goto check_protected;
2364 }
2365 case Bytecodes::_putfield: {
2366 for (int i = n - 1; i >= 0; i--) {
2367 current_frame->pop_stack(field_type[i], CHECK_VERIFY(this));
2368 }
2369 stack_object_type = current_frame->pop_stack(CHECK_VERIFY(this));
2370
2371 // The JVMS 2nd edition allows field initialization before the superclass
2372 // initializer, if the field is defined within the current class.
2373 fieldDescriptor fd;
2374 if (stack_object_type == VerificationType::uninitialized_this_type() &&
2375 target_class_type.equals(current_type()) &&
2376 _klass->find_local_field(field_name, field_sig, &fd)) {
2377 stack_object_type = current_type();
2378 }
2379 is_assignable = target_class_type.is_assignable_from(
2380 stack_object_type, this, false, CHECK_VERIFY(this));
2381 if (!is_assignable) {
2382 verify_error(ErrorContext::bad_type(bci,
2383 current_frame->stack_top_ctx(),
2384 TypeOrigin::cp(index, target_class_type)),
2385 "Bad type on operand stack in putfield");
2386 return;
2387 }
2388 }
2389 check_protected: {
2390 if (_this_type == stack_object_type)
2391 break; // stack_object_type must be assignable to _current_class_type
2392 if (was_recursively_verified()) {
2393 if (is_getfield) {
2394 // Push field type for getfield.
2395 for (int i = 0; i < n; i++) {
2396 current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
2397 }
2436 }
2437
2438 void ClassVerifier::verify_invoke_init(
2439 RawBytecodeStream* bcs, u2 ref_class_index, VerificationType ref_class_type,
2440 StackMapFrame* current_frame, u4 code_length, bool in_try_block,
2441 bool *this_uninit, const constantPoolHandle& cp, StackMapTable* stackmap_table,
2442 TRAPS) {
2443 int bci = bcs->bci();
2444 VerificationType type = current_frame->pop_stack(
2445 VerificationType::reference_check(), CHECK_VERIFY(this));
2446 if (type == VerificationType::uninitialized_this_type()) {
2447 // The method must be an <init> method of this class or its superclass
2448 Klass* superk = current_class()->super();
2449 if (ref_class_type.name() != current_class()->name() &&
2450 ref_class_type.name() != superk->name()) {
2451 verify_error(ErrorContext::bad_type(bci,
2452 TypeOrigin::implicit(ref_class_type),
2453 TypeOrigin::implicit(current_type())),
2454 "Bad <init> method call");
2455 return;
2456 }
2457
2458 // If this invokespecial call is done from inside of a TRY block then make
2459 // sure that all catch clause paths end in a throw. Otherwise, this can
2460 // result in returning an incomplete object.
2461 if (in_try_block) {
2462 // Check the exception handler target stackmaps with the locals from the
2463 // incoming stackmap (before initialize_object() changes them to outgoing
2464 // state).
2465 if (was_recursively_verified()) return;
2466 verify_exception_handler_targets(bci, true, current_frame,
2467 stackmap_table, CHECK_VERIFY(this));
2468 } // in_try_block
2469
2470 current_frame->initialize_object(type, current_type());
2471 *this_uninit = true;
2472 } else if (type.is_uninitialized()) {
2473 u2 new_offset = type.bci();
2474 address new_bcp = bcs->bcp() - bci + new_offset;
2475 if (new_offset > (code_length - 3) || (*new_bcp) != Bytecodes::_new) {
2540 bool ClassVerifier::is_same_or_direct_interface(
2541 InstanceKlass* klass,
2542 VerificationType klass_type,
2543 VerificationType ref_class_type) {
2544 if (ref_class_type.equals(klass_type)) return true;
2545 Array<InstanceKlass*>* local_interfaces = klass->local_interfaces();
2546 if (local_interfaces != nullptr) {
2547 for (int x = 0; x < local_interfaces->length(); x++) {
2548 InstanceKlass* k = local_interfaces->at(x);
2549 assert (k != nullptr && k->is_interface(), "invalid interface");
2550 if (ref_class_type.equals(VerificationType::reference_type(k->name()))) {
2551 return true;
2552 }
2553 }
2554 }
2555 return false;
2556 }
2557
2558 void ClassVerifier::verify_invoke_instructions(
2559 RawBytecodeStream* bcs, u4 code_length, StackMapFrame* current_frame,
2560 bool in_try_block, bool *this_uninit, VerificationType return_type,
2561 const constantPoolHandle& cp, StackMapTable* stackmap_table, TRAPS) {
2562 // Make sure the constant pool item is the right type
2563 u2 index = bcs->get_index_u2();
2564 Bytecodes::Code opcode = bcs->raw_code();
2565 unsigned int types = 0;
2566 switch (opcode) {
2567 case Bytecodes::_invokeinterface:
2568 types = 1 << JVM_CONSTANT_InterfaceMethodref;
2569 break;
2570 case Bytecodes::_invokedynamic:
2571 types = 1 << JVM_CONSTANT_InvokeDynamic;
2572 break;
2573 case Bytecodes::_invokespecial:
2574 case Bytecodes::_invokestatic:
2575 types = (_klass->major_version() < STATIC_METHOD_IN_INTERFACE_MAJOR_VERSION) ?
2576 (1 << JVM_CONSTANT_Methodref) :
2577 ((1 << JVM_CONSTANT_InterfaceMethodref) | (1 << JVM_CONSTANT_Methodref));
2578 break;
2579 default:
2580 types = 1 << JVM_CONSTANT_Methodref;
2581 }
2582 verify_cp_type(bcs->bci(), index, cp, types, CHECK_VERIFY(this));
2583
2584 // Get method name and signature
2585 Symbol* method_name = cp->uncached_name_ref_at(index);
2586 Symbol* method_sig = cp->uncached_signature_ref_at(index);
2587
2588 // Method signature was checked in ClassFileParser.
2589 assert(SignatureVerifier::is_valid_method_signature(method_sig),
2590 "Invalid method signature");
2591
2592 // Get referenced class type
2593 VerificationType ref_class_type;
2594 if (opcode == Bytecodes::_invokedynamic) {
2595 if (_klass->major_version() < Verifier::INVOKEDYNAMIC_MAJOR_VERSION) {
2596 class_format_error(
2597 "invokedynamic instructions not supported by this class file version (%d), class %s",
2598 _klass->major_version(), _klass->external_name());
2599 return;
2600 }
2601 } else {
2602 ref_class_type = cp_ref_index_to_type(index, cp, CHECK_VERIFY(this));
2603 }
2604
2605 assert(sizeof(VerificationType) == sizeof(uintptr_t),
2606 "buffer type must match VerificationType size");
2607
2608 // Get the UTF8 index for this signature.
2609 int sig_index = cp->signature_ref_index_at(cp->uncached_name_and_type_ref_index_at(index));
2610
2611 // Get the signature's verification types.
2612 sig_as_verification_types* mth_sig_verif_types;
2638 "Inconsistent args count operand in invokeinterface");
2639 return;
2640 }
2641 if (*(bcp+4) != 0) {
2642 verify_error(ErrorContext::bad_code(bci),
2643 "Fourth operand byte of invokeinterface must be zero");
2644 return;
2645 }
2646 }
2647
2648 if (opcode == Bytecodes::_invokedynamic) {
2649 address bcp = bcs->bcp();
2650 if (*(bcp+3) != 0 || *(bcp+4) != 0) {
2651 verify_error(ErrorContext::bad_code(bci),
2652 "Third and fourth operand bytes of invokedynamic must be zero");
2653 return;
2654 }
2655 }
2656
2657 if (method_name->char_at(0) == JVM_SIGNATURE_SPECIAL) {
2658 // Make sure <init> can only be invoked by invokespecial
2659 if (opcode != Bytecodes::_invokespecial ||
2660 method_name != vmSymbols::object_initializer_name()) {
2661 verify_error(ErrorContext::bad_code(bci),
2662 "Illegal call to internal method");
2663 return;
2664 }
2665 }
2666 // invokespecial, when not <init>, must be to a method in the current class, a direct superinterface,
2667 // or any superclass (including Object).
2668 else if (opcode == Bytecodes::_invokespecial
2669 && !is_same_or_direct_interface(current_class(), current_type(), ref_class_type)
2670 && !ref_class_type.equals(VerificationType::reference_type(current_class()->super()->name()))) {
2671
2672 // We know it is not current class, direct superinterface or immediate superclass. That means it
2673 // could be:
2674 // - a totally unrelated class or interface
2675 // - an indirect superinterface
2676 // - an indirect superclass (including Object)
2677 // We use the assignability test to see if it is a superclass, or else an interface, and keep track
2678 // of the latter. Note that subtype can be true if we are dealing with an interface that is not actually
2679 // implemented as assignability treats all interfaces as Object.
2680
2681 bool is_interface = false; // This can only be set true if the assignability check will return true
2682 // and we loaded the class. For any other "true" returns (e.g. same class
2683 // or Object) we either can't get here (same class already excluded above)
2684 // or we know it is not an interface (i.e. Object).
2685 bool subtype = ref_class_type.is_reference_assignable_from(current_type(), this, false,
2686 &is_interface, CHECK_VERIFY(this));
2687 if (!subtype) { // Totally unrelated class
2688 verify_error(ErrorContext::bad_code(bci),
2689 "Bad invokespecial instruction: "
2690 "current class isn't assignable to reference class.");
2750 verify_error(ErrorContext::bad_type(bci,
2751 current_frame->stack_top_ctx(),
2752 TypeOrigin::implicit(current_type())),
2753 "Bad access to protected data in invokevirtual");
2754 return;
2755 }
2756 }
2757 }
2758 }
2759 }
2760 } else {
2761 assert(opcode == Bytecodes::_invokeinterface, "Unexpected opcode encountered");
2762 current_frame->pop_stack(ref_class_type, CHECK_VERIFY(this));
2763 }
2764 }
2765 }
2766 // Push the result type.
2767 int sig_verif_types_len = sig_verif_types->length();
2768 if (sig_verif_types_len > nargs) { // There's a return type
2769 if (method_name == vmSymbols::object_initializer_name()) {
2770 // <init> method must have a void return type
2771 /* Unreachable? Class file parser verifies that methods with '<' have
2772 * void return */
2773 verify_error(ErrorContext::bad_code(bci),
2774 "Return type must be void in <init> method");
2775 return;
2776 }
2777
2778 assert(sig_verif_types_len <= nargs + 2,
2779 "Signature verification types array return type is bogus");
2780 for (int i = nargs; i < sig_verif_types_len; i++) {
2781 assert(i == nargs || sig_verif_types->at(i).is_long2() ||
2782 sig_verif_types->at(i).is_double2(), "Unexpected return verificationType");
2783 current_frame->push_stack(sig_verif_types->at(i), CHECK_VERIFY(this));
2784 }
2785 }
2786 }
2787
2788 VerificationType ClassVerifier::get_newarray_type(
2789 u2 index, int bci, TRAPS) {
2790 const char* from_bt[] = {
2791 nullptr, nullptr, nullptr, nullptr, "[Z", "[C", "[F", "[D", "[B", "[S", "[I", "[J",
2792 };
|
1 /*
2 * Copyright (c) 1998, 2026, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 *
26 #include "classfile/classFileStream.hpp"
27 #include "classfile/classLoader.hpp"
28 #include "classfile/javaClasses.hpp"
29 #include "classfile/stackMapFrame.hpp"
30 #include "classfile/stackMapTable.hpp"
31 #include "classfile/stackMapTableFormat.hpp"
32 #include "classfile/symbolTable.hpp"
33 #include "classfile/systemDictionary.hpp"
34 #include "classfile/verifier.hpp"
35 #include "classfile/vmClasses.hpp"
36 #include "classfile/vmSymbols.hpp"
37 #include "interpreter/bytecodes.hpp"
38 #include "interpreter/bytecodeStream.hpp"
39 #include "jvm.h"
40 #include "logging/log.hpp"
41 #include "logging/logStream.hpp"
42 #include "memory/oopFactory.hpp"
43 #include "memory/resourceArea.hpp"
44 #include "memory/universe.hpp"
45 #include "oops/constantPool.inline.hpp"
46 #include "oops/fieldStreams.inline.hpp"
47 #include "oops/instanceKlass.inline.hpp"
48 #include "oops/klass.inline.hpp"
49 #include "oops/oop.inline.hpp"
50 #include "oops/typeArrayOop.hpp"
51 #include "runtime/arguments.hpp"
52 #include "runtime/fieldDescriptor.inline.hpp"
53 #include "runtime/handles.inline.hpp"
54 #include "runtime/interfaceSupport.inline.hpp"
55 #include "runtime/javaCalls.hpp"
56 #include "runtime/javaThread.hpp"
57 #include "runtime/jniHandles.inline.hpp"
58 #include "runtime/os.hpp"
59 #include "runtime/safepointVerifiers.hpp"
60 #include "services/threadService.hpp"
61 #include "utilities/align.hpp"
62 #include "utilities/bytes.hpp"
63 #if INCLUDE_CDS
64 #include "classfile/systemDictionaryShared.hpp"
65 #endif
66
67 #define NOFAILOVER_MAJOR_VERSION 51
68 #define NONZERO_PADDING_BYTES_IN_SWITCH_MAJOR_VERSION 51
69 #define STATIC_METHOD_IN_INTERFACE_MAJOR_VERSION 52
70 #define INLINE_TYPE_MAJOR_VERSION 56
71 #define MAX_ARRAY_DIMENSIONS 255
72
73 // Access to external entry for VerifyClassForMajorVersion - old byte code verifier
74
75 extern "C" {
76 typedef jboolean (*verify_byte_codes_fn_t)(JNIEnv *, jclass, char *, jint, jint);
77 }
78
79 static verify_byte_codes_fn_t volatile _verify_byte_codes_fn = nullptr;
80
81 static verify_byte_codes_fn_t verify_byte_codes_fn() {
82
83 if (_verify_byte_codes_fn != nullptr)
84 return _verify_byte_codes_fn;
85
86 MutexLocker locker(Verify_lock);
87
88 if (_verify_byte_codes_fn != nullptr)
89 return _verify_byte_codes_fn;
90
461 _expected.details(ss);
462 } else {
463 ss->print("Invalid type: ");
464 _type.details(ss);
465 }
466 break;
467 case FLAGS_MISMATCH:
468 if (_expected.is_valid()) {
469 ss->print("Current frame's flags are not assignable "
470 "to stack map frame's.");
471 } else {
472 ss->print("Current frame's flags are invalid in this context.");
473 }
474 break;
475 case BAD_CP_INDEX:
476 ss->print("Constant pool index %d is invalid", _type.index());
477 break;
478 case BAD_LOCAL_INDEX:
479 ss->print("Local index %d is invalid", _type.index());
480 break;
481 case BAD_STRICT_FIELDS:
482 ss->print("Invalid use of strict instance fields");
483 break;
484 case LOCALS_SIZE_MISMATCH:
485 ss->print("Current frame's local size doesn't match stackmap.");
486 break;
487 case STACK_SIZE_MISMATCH:
488 ss->print("Current frame's stack size doesn't match stackmap.");
489 break;
490 case STRICT_FIELDS_MISMATCH:
491 ss->print("Current frame's strict instance fields not compatible with stackmap.");
492 break;
493 case STACK_OVERFLOW:
494 ss->print("Exceeded max stack size.");
495 break;
496 case STACK_UNDERFLOW:
497 ss->print("Attempt to pop empty stack.");
498 break;
499 case MISSING_STACKMAP:
500 ss->print("Expected stackmap frame at this location.");
501 break;
502 case BAD_STACKMAP:
503 ss->print("Invalid stackmap specification.");
504 break;
505 case WRONG_INLINE_TYPE:
506 ss->print("Type ");
507 _type.details(ss);
508 ss->print(" and type ");
509 _expected.details(ss);
510 ss->print(" must be identical inline types.");
511 break;
512 case UNKNOWN:
513 default:
514 ShouldNotReachHere();
515 ss->print_cr("Unknown");
516 }
517 ss->cr();
518 }
519
520 void ErrorContext::location_details(outputStream* ss, const Method* method) const {
521 if (_bci != -1 && method != nullptr) {
522 const char* bytecode_name = "<invalid>";
523 if (method->validate_bci(_bci) != -1) {
524 Bytecodes::Code code = Bytecodes::code_or_bp_at(method->bcp_from(_bci));
525 if (Bytecodes::is_defined(code)) {
526 bytecode_name = Bytecodes::name(code);
527 } else {
528 bytecode_name = "<illegal>";
529 }
530 }
531 InstanceKlass* ik = method->method_holder();
614 ClassVerifier::~ClassVerifier() {
615 // Decrement the reference count for any symbols created.
616 if (_symbols != nullptr) {
617 for (int i = 0; i < _symbols->length(); i++) {
618 Symbol* s = _symbols->at(i);
619 s->decrement_refcount();
620 }
621 }
622 }
623
624 VerificationType ClassVerifier::object_type() const {
625 return VerificationType::reference_type(vmSymbols::java_lang_Object());
626 }
627
628 TypeOrigin ClassVerifier::ref_ctx(const char* sig) {
629 VerificationType vt = VerificationType::reference_type(
630 create_temporary_symbol(sig, (int)strlen(sig)));
631 return TypeOrigin::implicit(vt);
632 }
633
634 static bool supports_strict_fields(InstanceKlass* klass) {
635 int ver = klass->major_version();
636 return ver > Verifier::VALUE_TYPES_MAJOR_VERSION ||
637 (ver == Verifier::VALUE_TYPES_MAJOR_VERSION && klass->minor_version() == Verifier::JAVA_PREVIEW_MINOR_VERSION);
638 }
639
640 void ClassVerifier::verify_class(TRAPS) {
641 log_info(verification)("Verifying class %s with new format", _klass->external_name());
642
643 // Either verifying both local and remote classes or just remote classes.
644 assert(BytecodeVerificationRemote, "Should not be here");
645
646 Array<Method*>* methods = _klass->methods();
647 int num_methods = methods->length();
648
649 for (int index = 0; index < num_methods; index++) {
650 // Check for recursive re-verification before each method.
651 if (was_recursively_verified()) return;
652
653 Method* m = methods->at(index);
654 if (m->is_native() || m->is_abstract() || m->is_overpass()) {
655 // If m is native or abstract, skip it. It is checked in class file
656 // parser that methods do not override a final method. Overpass methods
657 // are trusted since the VM generates them.
658 continue;
714 bool is_unique = method_signatures_table()->put(sig_index, sig_verif_types);
715 assert(is_unique, "Duplicate entries in method_signature_table");
716 }
717
718 void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
719 HandleMark hm(THREAD);
720 _method = m; // initialize _method
721 log_info(verification)("Verifying method %s", m->name_and_sig_as_C_string());
722
723 // For clang, the only good constant format string is a literal constant format string.
724 #define bad_type_msg "Bad type on operand stack in %s"
725
726 u2 max_stack = m->verifier_max_stack();
727 u2 max_locals = m->max_locals();
728 constantPoolHandle cp(THREAD, m->constants());
729
730 // Method signature was checked in ClassFileParser.
731 assert(SignatureVerifier::is_valid_method_signature(m->signature()),
732 "Invalid method signature");
733
734 // Collect the initial strict instance fields
735 StackMapFrame::AssertUnsetFieldTable* strict_fields = new StackMapFrame::AssertUnsetFieldTable();
736 if (m->is_object_constructor()) {
737 for (AllFieldStream fs(m->method_holder()); !fs.done(); fs.next()) {
738 if (fs.access_flags().is_strict() && !fs.access_flags().is_static()) {
739 NameAndSig new_field(fs.name(), fs.signature());
740 if (IgnoreAssertUnsetFields) {
741 strict_fields->put(new_field, true);
742 } else {
743 strict_fields->put(new_field, false);
744 }
745 }
746 }
747 }
748
749 // Initial stack map frame: offset is 0, stack is initially empty.
750 StackMapFrame current_frame(max_locals, max_stack, strict_fields, this);
751 // Set initial locals
752 VerificationType return_type = current_frame.set_locals_from_arg( m, current_type());
753
754 u2 stackmap_index = 0; // index to the stackmap array
755
756 u4 code_length = m->code_size();
757
758 // Scan the bytecode and map each instruction's start offset to a number.
759 char* code_data = generate_code_data(m, code_length, CHECK_VERIFY(this));
760
761 int ex_min = code_length;
762 int ex_max = -1;
763 // Look through each item on the exception table. Each of the fields must refer
764 // to a legal instruction.
765 if (was_recursively_verified()) return;
766 verify_exception_handler_table(
767 code_length, code_data, ex_min, ex_max, CHECK_VERIFY(this));
768
769 // Look through each entry on the local variable table and make sure
770 // its range of code array offsets is valid. (4169817)
771 if (m->has_localvariable_table()) {
772 verify_local_variable_table(code_length, code_data, CHECK_VERIFY(this));
773 }
774
775 Array<u1>* stackmap_data = m->stackmap_data();
776 StackMapStream stream(stackmap_data);
777 StackMapReader reader(this, &stream, code_data, code_length, ¤t_frame, max_locals, max_stack, strict_fields, THREAD);
778 StackMapTable stackmap_table(&reader, CHECK_VERIFY(this));
779
780 LogTarget(Debug, verification) lt;
781 if (lt.is_enabled()) {
782 LogStream ls(lt);
783 stackmap_table.print_on(&ls);
784 }
785
786 RawBytecodeStream bcs(m);
787
788 // Scan the byte code linearly from the start to the end
789 bool no_control_flow = false; // Set to true when there is no direct control
790 // flow from current instruction to the next
791 // instruction in sequence
792
793 Bytecodes::Code opcode;
794 while (!bcs.is_last_bytecode()) {
795 // Check for recursive re-verification before each bytecode.
796 if (was_recursively_verified()) return;
797
1628 case Bytecodes::_if_icmpge:
1629 case Bytecodes::_if_icmpgt:
1630 case Bytecodes::_if_icmple:
1631 current_frame.pop_stack(
1632 VerificationType::integer_type(), CHECK_VERIFY(this));
1633 // fall through
1634 case Bytecodes::_ifeq:
1635 case Bytecodes::_ifne:
1636 case Bytecodes::_iflt:
1637 case Bytecodes::_ifge:
1638 case Bytecodes::_ifgt:
1639 case Bytecodes::_ifle:
1640 current_frame.pop_stack(
1641 VerificationType::integer_type(), CHECK_VERIFY(this));
1642 stackmap_table.check_jump_target(
1643 ¤t_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
1644 no_control_flow = false; break;
1645 case Bytecodes::_if_acmpeq :
1646 case Bytecodes::_if_acmpne :
1647 current_frame.pop_stack(
1648 object_type(), CHECK_VERIFY(this));
1649 // fall through
1650 case Bytecodes::_ifnull :
1651 case Bytecodes::_ifnonnull :
1652 current_frame.pop_stack(
1653 object_type(), CHECK_VERIFY(this));
1654 stackmap_table.check_jump_target
1655 (¤t_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
1656 no_control_flow = false; break;
1657 case Bytecodes::_goto :
1658 stackmap_table.check_jump_target(
1659 ¤t_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
1660 no_control_flow = true; break;
1661 case Bytecodes::_goto_w :
1662 stackmap_table.check_jump_target(
1663 ¤t_frame, bcs.bci(), bcs.get_offset_s4(), CHECK_VERIFY(this));
1664 no_control_flow = true; break;
1665 case Bytecodes::_tableswitch :
1666 case Bytecodes::_lookupswitch :
1667 verify_switch(
1668 &bcs, code_length, code_data, ¤t_frame,
1669 &stackmap_table, CHECK_VERIFY(this));
1670 no_control_flow = true; break;
1671 case Bytecodes::_ireturn :
1672 type = current_frame.pop_stack(
1673 VerificationType::integer_type(), CHECK_VERIFY(this));
1693 VerificationType::double2_type(), CHECK_VERIFY(this));
1694 type = current_frame.pop_stack(
1695 VerificationType::double_type(), CHECK_VERIFY(this));
1696 verify_return_value(return_type, type, bci,
1697 ¤t_frame, CHECK_VERIFY(this));
1698 no_control_flow = true; break;
1699 case Bytecodes::_areturn :
1700 type = current_frame.pop_stack(
1701 VerificationType::reference_check(), CHECK_VERIFY(this));
1702 verify_return_value(return_type, type, bci,
1703 ¤t_frame, CHECK_VERIFY(this));
1704 no_control_flow = true; break;
1705 case Bytecodes::_return :
1706 if (return_type != VerificationType::bogus_type()) {
1707 verify_error(ErrorContext::bad_code(bci),
1708 "Method expects a return value");
1709 return;
1710 }
1711 // Make sure "this" has been initialized if current method is an
1712 // <init>.
1713 if (_method->is_object_constructor() &&
1714 current_frame.flag_this_uninit()) {
1715 verify_error(ErrorContext::bad_code(bci),
1716 "Constructor must call super() or this() "
1717 "before return");
1718 return;
1719 }
1720 no_control_flow = true; break;
1721 case Bytecodes::_getstatic :
1722 case Bytecodes::_putstatic :
1723 // pass TRUE, operand can be an array type for getstatic/putstatic.
1724 verify_field_instructions(
1725 &bcs, ¤t_frame, cp, true, CHECK_VERIFY(this));
1726 no_control_flow = false; break;
1727 case Bytecodes::_getfield :
1728 case Bytecodes::_putfield :
1729 // pass FALSE, operand can't be an array type for getfield/putfield.
1730 verify_field_instructions(
1731 &bcs, ¤t_frame, cp, false, CHECK_VERIFY(this));
1732 no_control_flow = false; break;
1733 case Bytecodes::_invokevirtual :
1734 case Bytecodes::_invokespecial :
1735 case Bytecodes::_invokestatic :
1736 case Bytecodes::_invokeinterface :
1737 case Bytecodes::_invokedynamic :
1738 verify_invoke_instructions(
1739 &bcs, code_length, ¤t_frame, (bci >= ex_min && bci < ex_max),
1740 &this_uninit, cp, &stackmap_table, CHECK_VERIFY(this));
1741 no_control_flow = false; break;
1742 case Bytecodes::_new :
1743 {
1744 u2 index = bcs.get_index_u2();
1745 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1746 VerificationType new_class_type =
1747 cp_index_to_type(index, cp, CHECK_VERIFY(this));
1748 if (!new_class_type.is_object()) {
1749 verify_error(ErrorContext::bad_type(bci,
1750 TypeOrigin::cp(index, new_class_type)),
1751 "Illegal new instruction");
1752 return;
1753 }
1754 type = VerificationType::uninitialized_type(checked_cast<u2>(bci));
1755 current_frame.push_stack(type, CHECK_VERIFY(this));
1756 no_control_flow = false; break;
1757 }
1758 case Bytecodes::_newarray :
1759 type = get_newarray_type(bcs.get_index(), bci, CHECK_VERIFY(this));
1760 current_frame.pop_stack(
1778 no_control_flow = false; break;
1779 case Bytecodes::_checkcast :
1780 {
1781 u2 index = bcs.get_index_u2();
1782 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1783 current_frame.pop_stack(object_type(), CHECK_VERIFY(this));
1784 VerificationType klass_type = cp_index_to_type(
1785 index, cp, CHECK_VERIFY(this));
1786 current_frame.push_stack(klass_type, CHECK_VERIFY(this));
1787 no_control_flow = false; break;
1788 }
1789 case Bytecodes::_instanceof : {
1790 u2 index = bcs.get_index_u2();
1791 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1792 current_frame.pop_stack(object_type(), CHECK_VERIFY(this));
1793 current_frame.push_stack(
1794 VerificationType::integer_type(), CHECK_VERIFY(this));
1795 no_control_flow = false; break;
1796 }
1797 case Bytecodes::_monitorenter :
1798 case Bytecodes::_monitorexit : {
1799 VerificationType ref = current_frame.pop_stack(
1800 VerificationType::reference_check(), CHECK_VERIFY(this));
1801 no_control_flow = false; break;
1802 }
1803 case Bytecodes::_multianewarray :
1804 {
1805 u2 index = bcs.get_index_u2();
1806 u2 dim = *(bcs.bcp()+3);
1807 verify_cp_class_type(bci, index, cp, CHECK_VERIFY(this));
1808 VerificationType new_array_type =
1809 cp_index_to_type(index, cp, CHECK_VERIFY(this));
1810 if (!new_array_type.is_array()) {
1811 verify_error(ErrorContext::bad_type(bci,
1812 TypeOrigin::cp(index, new_array_type)),
1813 "Illegal constant pool index in multianewarray instruction");
1814 return;
1815 }
1816 if (dim < 1 || new_array_type.dimensions() < dim) {
1817 verify_error(ErrorContext::bad_code(bci),
1818 "Illegal dimension in multianewarray instruction: %d", dim);
1819 return;
1820 }
1821 for (int i = 0; i < dim; i++) {
1822 current_frame.pop_stack(
2160 } else {
2161 Klass* member_klass = target_instance->find_field(field_name, field_sig, &fd);
2162 if (member_klass != nullptr && fd.is_protected()) {
2163 if (!this_class->is_same_class_package(member_klass)) {
2164 return true;
2165 }
2166 }
2167 }
2168 return false;
2169 }
2170
2171 void ClassVerifier::verify_ldc(
2172 int opcode, u2 index, StackMapFrame* current_frame,
2173 const constantPoolHandle& cp, int bci, TRAPS) {
2174 verify_cp_index(bci, cp, index, CHECK_VERIFY(this));
2175 constantTag tag = cp->tag_at(index);
2176 unsigned int types = 0;
2177 if (opcode == Bytecodes::_ldc || opcode == Bytecodes::_ldc_w) {
2178 if (!tag.is_unresolved_klass()) {
2179 types = (1 << JVM_CONSTANT_Integer) | (1 << JVM_CONSTANT_Float)
2180 | (1 << JVM_CONSTANT_String) | (1 << JVM_CONSTANT_Class)
2181 | (1 << JVM_CONSTANT_MethodHandle) | (1 << JVM_CONSTANT_MethodType)
2182 | (1 << JVM_CONSTANT_Dynamic);
2183 // Note: The class file parser already verified the legality of
2184 // MethodHandle and MethodType constants.
2185 verify_cp_type(bci, index, cp, types, CHECK_VERIFY(this));
2186 }
2187 } else {
2188 assert(opcode == Bytecodes::_ldc2_w, "must be ldc2_w");
2189 types = (1 << JVM_CONSTANT_Double) | (1 << JVM_CONSTANT_Long)
2190 | (1 << JVM_CONSTANT_Dynamic);
2191 verify_cp_type(bci, index, cp, types, CHECK_VERIFY(this));
2192 }
2193 if (tag.is_string()) {
2194 current_frame->push_stack(
2195 VerificationType::reference_type(
2196 vmSymbols::java_lang_String()), CHECK_VERIFY(this));
2197 } else if (tag.is_klass() || tag.is_unresolved_klass()) {
2198 current_frame->push_stack(
2199 VerificationType::reference_type(
2200 vmSymbols::java_lang_Class()), CHECK_VERIFY(this));
2335 const constantPoolHandle& cp,
2336 bool allow_arrays,
2337 TRAPS) {
2338 u2 index = bcs->get_index_u2();
2339 verify_cp_type(bcs->bci(), index, cp,
2340 1 << JVM_CONSTANT_Fieldref, CHECK_VERIFY(this));
2341
2342 // Get field name and signature
2343 Symbol* field_name = cp->uncached_name_ref_at(index);
2344 Symbol* field_sig = cp->uncached_signature_ref_at(index);
2345 bool is_getfield = false;
2346
2347 // Field signature was checked in ClassFileParser.
2348 assert(SignatureVerifier::is_valid_type_signature(field_sig),
2349 "Invalid field signature");
2350
2351 // Get referenced class type
2352 VerificationType ref_class_type = cp_ref_index_to_type(
2353 index, cp, CHECK_VERIFY(this));
2354 if (!ref_class_type.is_object() &&
2355 (!allow_arrays || !ref_class_type.is_array())) {
2356 verify_error(ErrorContext::bad_type(bcs->bci(),
2357 TypeOrigin::cp(index, ref_class_type)),
2358 "Expecting reference to class in class %s at constant pool index %d",
2359 _klass->external_name(), index);
2360 return;
2361 }
2362
2363 VerificationType target_class_type = ref_class_type;
2364
2365 assert(sizeof(VerificationType) == sizeof(uintptr_t),
2366 "buffer type must match VerificationType size");
2367 uintptr_t field_type_buffer[2];
2368 VerificationType* field_type = (VerificationType*)field_type_buffer;
2369 // If we make a VerificationType[2] array directly, the compiler calls
2370 // to the c-runtime library to do the allocation instead of just
2371 // stack allocating it. Plus it would run constructors. This shows up
2372 // in performance profiles.
2373
2374 SignatureStream sig_stream(field_sig, false);
2375 VerificationType stack_object_type;
2376 int n = change_sig_to_verificationType(&sig_stream, field_type);
2377 int bci = bcs->bci();
2378 bool is_assignable;
2379 switch (bcs->raw_code()) {
2380 case Bytecodes::_getstatic: {
2381 for (int i = 0; i < n; i++) {
2382 current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
2384 break;
2385 }
2386 case Bytecodes::_putstatic: {
2387 for (int i = n - 1; i >= 0; i--) {
2388 current_frame->pop_stack(field_type[i], CHECK_VERIFY(this));
2389 }
2390 break;
2391 }
2392 case Bytecodes::_getfield: {
2393 is_getfield = true;
2394 stack_object_type = current_frame->pop_stack(
2395 target_class_type, CHECK_VERIFY(this));
2396 goto check_protected;
2397 }
2398 case Bytecodes::_putfield: {
2399 for (int i = n - 1; i >= 0; i--) {
2400 current_frame->pop_stack(field_type[i], CHECK_VERIFY(this));
2401 }
2402 stack_object_type = current_frame->pop_stack(CHECK_VERIFY(this));
2403
2404 // Field initialization is allowed before the superclass
2405 // initializer, if the field is defined within the current class.
2406 fieldDescriptor fd;
2407 bool is_local_field = _klass->find_local_field(field_name, field_sig, &fd) &&
2408 target_class_type.equals(current_type());
2409 if (stack_object_type == VerificationType::uninitialized_this_type()) {
2410 if (is_local_field) {
2411 // Set the type to the current type so the is_assignable check passes.
2412 stack_object_type = current_type();
2413
2414 if (fd.access_flags().is_strict()) {
2415 if (!current_frame->satisfy_unset_field(fd.name(), fd.signature())) {
2416 log_info(verification)("Attempting to initialize field not found in initial strict instance fields: %s%s",
2417 fd.name()->as_C_string(), fd.signature()->as_C_string());
2418 verify_error(ErrorContext::bad_strict_fields(bci, current_frame),
2419 "Initializing unknown strict field: %s:%s", fd.name()->as_C_string(), fd.signature()->as_C_string());
2420 }
2421 }
2422 }
2423 } else if (supports_strict_fields(_klass)) {
2424 // `strict` fields are not writable, but only local fields produce verification errors
2425 if (is_local_field && fd.access_flags().is_strict() && fd.access_flags().is_final()) {
2426 verify_error(ErrorContext::bad_code(bci),
2427 "Illegal use of putfield on a strict field");
2428 return;
2429 }
2430 }
2431 is_assignable = target_class_type.is_assignable_from(
2432 stack_object_type, this, false, CHECK_VERIFY(this));
2433 if (!is_assignable) {
2434 verify_error(ErrorContext::bad_type(bci,
2435 current_frame->stack_top_ctx(),
2436 TypeOrigin::cp(index, target_class_type)),
2437 "Bad type on operand stack in putfield");
2438 return;
2439 }
2440 }
2441 check_protected: {
2442 if (_this_type == stack_object_type)
2443 break; // stack_object_type must be assignable to _current_class_type
2444 if (was_recursively_verified()) {
2445 if (is_getfield) {
2446 // Push field type for getfield.
2447 for (int i = 0; i < n; i++) {
2448 current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
2449 }
2488 }
2489
2490 void ClassVerifier::verify_invoke_init(
2491 RawBytecodeStream* bcs, u2 ref_class_index, VerificationType ref_class_type,
2492 StackMapFrame* current_frame, u4 code_length, bool in_try_block,
2493 bool *this_uninit, const constantPoolHandle& cp, StackMapTable* stackmap_table,
2494 TRAPS) {
2495 int bci = bcs->bci();
2496 VerificationType type = current_frame->pop_stack(
2497 VerificationType::reference_check(), CHECK_VERIFY(this));
2498 if (type == VerificationType::uninitialized_this_type()) {
2499 // The method must be an <init> method of this class or its superclass
2500 Klass* superk = current_class()->super();
2501 if (ref_class_type.name() != current_class()->name() &&
2502 ref_class_type.name() != superk->name()) {
2503 verify_error(ErrorContext::bad_type(bci,
2504 TypeOrigin::implicit(ref_class_type),
2505 TypeOrigin::implicit(current_type())),
2506 "Bad <init> method call");
2507 return;
2508 } else if (ref_class_type.name() == superk->name()) {
2509 // Strict final fields must be satisfied by this point
2510 if (!current_frame->verify_unset_fields_satisfied()) {
2511 log_info(verification)("Strict instance fields not initialized");
2512 StackMapFrame::print_strict_fields(current_frame->assert_unset_fields());
2513 current_frame->unsatisfied_strict_fields_error(current_class(), bci);
2514 }
2515 }
2516
2517 // If this invokespecial call is done from inside of a TRY block then make
2518 // sure that all catch clause paths end in a throw. Otherwise, this can
2519 // result in returning an incomplete object.
2520 if (in_try_block) {
2521 // Check the exception handler target stackmaps with the locals from the
2522 // incoming stackmap (before initialize_object() changes them to outgoing
2523 // state).
2524 if (was_recursively_verified()) return;
2525 verify_exception_handler_targets(bci, true, current_frame,
2526 stackmap_table, CHECK_VERIFY(this));
2527 } // in_try_block
2528
2529 current_frame->initialize_object(type, current_type());
2530 *this_uninit = true;
2531 } else if (type.is_uninitialized()) {
2532 u2 new_offset = type.bci();
2533 address new_bcp = bcs->bcp() - bci + new_offset;
2534 if (new_offset > (code_length - 3) || (*new_bcp) != Bytecodes::_new) {
2599 bool ClassVerifier::is_same_or_direct_interface(
2600 InstanceKlass* klass,
2601 VerificationType klass_type,
2602 VerificationType ref_class_type) {
2603 if (ref_class_type.equals(klass_type)) return true;
2604 Array<InstanceKlass*>* local_interfaces = klass->local_interfaces();
2605 if (local_interfaces != nullptr) {
2606 for (int x = 0; x < local_interfaces->length(); x++) {
2607 InstanceKlass* k = local_interfaces->at(x);
2608 assert (k != nullptr && k->is_interface(), "invalid interface");
2609 if (ref_class_type.equals(VerificationType::reference_type(k->name()))) {
2610 return true;
2611 }
2612 }
2613 }
2614 return false;
2615 }
2616
2617 void ClassVerifier::verify_invoke_instructions(
2618 RawBytecodeStream* bcs, u4 code_length, StackMapFrame* current_frame,
2619 bool in_try_block, bool *this_uninit,
2620 const constantPoolHandle& cp, StackMapTable* stackmap_table, TRAPS) {
2621 // Make sure the constant pool item is the right type
2622 u2 index = bcs->get_index_u2();
2623 Bytecodes::Code opcode = bcs->raw_code();
2624 unsigned int types = 0;
2625 switch (opcode) {
2626 case Bytecodes::_invokeinterface:
2627 types = 1 << JVM_CONSTANT_InterfaceMethodref;
2628 break;
2629 case Bytecodes::_invokedynamic:
2630 types = 1 << JVM_CONSTANT_InvokeDynamic;
2631 break;
2632 case Bytecodes::_invokespecial:
2633 case Bytecodes::_invokestatic:
2634 types = (_klass->major_version() < STATIC_METHOD_IN_INTERFACE_MAJOR_VERSION) ?
2635 (1 << JVM_CONSTANT_Methodref) :
2636 ((1 << JVM_CONSTANT_InterfaceMethodref) | (1 << JVM_CONSTANT_Methodref));
2637 break;
2638 default:
2639 types = 1 << JVM_CONSTANT_Methodref;
2640 }
2641 verify_cp_type(bcs->bci(), index, cp, types, CHECK_VERIFY(this));
2642
2643 // Get method name and signature
2644 Symbol* method_name = cp->uncached_name_ref_at(index);
2645 Symbol* method_sig = cp->uncached_signature_ref_at(index);
2646
2647 // Method signature was checked in ClassFileParser.
2648 assert(SignatureVerifier::is_valid_method_signature(method_sig),
2649 "Invalid method signature");
2650
2651 // Get referenced class
2652 VerificationType ref_class_type;
2653 if (opcode == Bytecodes::_invokedynamic) {
2654 if (_klass->major_version() < Verifier::INVOKEDYNAMIC_MAJOR_VERSION) {
2655 class_format_error(
2656 "invokedynamic instructions not supported by this class file version (%d), class %s",
2657 _klass->major_version(), _klass->external_name());
2658 return;
2659 }
2660 } else {
2661 ref_class_type = cp_ref_index_to_type(index, cp, CHECK_VERIFY(this));
2662 }
2663
2664 assert(sizeof(VerificationType) == sizeof(uintptr_t),
2665 "buffer type must match VerificationType size");
2666
2667 // Get the UTF8 index for this signature.
2668 int sig_index = cp->signature_ref_index_at(cp->uncached_name_and_type_ref_index_at(index));
2669
2670 // Get the signature's verification types.
2671 sig_as_verification_types* mth_sig_verif_types;
2697 "Inconsistent args count operand in invokeinterface");
2698 return;
2699 }
2700 if (*(bcp+4) != 0) {
2701 verify_error(ErrorContext::bad_code(bci),
2702 "Fourth operand byte of invokeinterface must be zero");
2703 return;
2704 }
2705 }
2706
2707 if (opcode == Bytecodes::_invokedynamic) {
2708 address bcp = bcs->bcp();
2709 if (*(bcp+3) != 0 || *(bcp+4) != 0) {
2710 verify_error(ErrorContext::bad_code(bci),
2711 "Third and fourth operand bytes of invokedynamic must be zero");
2712 return;
2713 }
2714 }
2715
2716 if (method_name->char_at(0) == JVM_SIGNATURE_SPECIAL) {
2717 // Make sure:
2718 // <init> can only be invoked by invokespecial.
2719 if (opcode != Bytecodes::_invokespecial ||
2720 method_name != vmSymbols::object_initializer_name()) {
2721 verify_error(ErrorContext::bad_code(bci),
2722 "Illegal call to internal method");
2723 return;
2724 }
2725 }
2726 // invokespecial, when not <init>, must be to a method in the current class, a direct superinterface,
2727 // or any superclass (including Object).
2728 else if (opcode == Bytecodes::_invokespecial
2729 && !is_same_or_direct_interface(current_class(), current_type(), ref_class_type)
2730 && !ref_class_type.equals(VerificationType::reference_type(current_class()->super()->name()))) { // super() can never be an inline_type.
2731
2732 // We know it is not current class, direct superinterface or immediate superclass. That means it
2733 // could be:
2734 // - a totally unrelated class or interface
2735 // - an indirect superinterface
2736 // - an indirect superclass (including Object)
2737 // We use the assignability test to see if it is a superclass, or else an interface, and keep track
2738 // of the latter. Note that subtype can be true if we are dealing with an interface that is not actually
2739 // implemented as assignability treats all interfaces as Object.
2740
2741 bool is_interface = false; // This can only be set true if the assignability check will return true
2742 // and we loaded the class. For any other "true" returns (e.g. same class
2743 // or Object) we either can't get here (same class already excluded above)
2744 // or we know it is not an interface (i.e. Object).
2745 bool subtype = ref_class_type.is_reference_assignable_from(current_type(), this, false,
2746 &is_interface, CHECK_VERIFY(this));
2747 if (!subtype) { // Totally unrelated class
2748 verify_error(ErrorContext::bad_code(bci),
2749 "Bad invokespecial instruction: "
2750 "current class isn't assignable to reference class.");
2810 verify_error(ErrorContext::bad_type(bci,
2811 current_frame->stack_top_ctx(),
2812 TypeOrigin::implicit(current_type())),
2813 "Bad access to protected data in invokevirtual");
2814 return;
2815 }
2816 }
2817 }
2818 }
2819 }
2820 } else {
2821 assert(opcode == Bytecodes::_invokeinterface, "Unexpected opcode encountered");
2822 current_frame->pop_stack(ref_class_type, CHECK_VERIFY(this));
2823 }
2824 }
2825 }
2826 // Push the result type.
2827 int sig_verif_types_len = sig_verif_types->length();
2828 if (sig_verif_types_len > nargs) { // There's a return type
2829 if (method_name == vmSymbols::object_initializer_name()) {
2830 // an <init> method must have a void return type
2831 verify_error(ErrorContext::bad_code(bci),
2832 "Return type must be void in <init> method");
2833 return;
2834 }
2835
2836 assert(sig_verif_types_len <= nargs + 2,
2837 "Signature verification types array return type is bogus");
2838 for (int i = nargs; i < sig_verif_types_len; i++) {
2839 assert(i == nargs || sig_verif_types->at(i).is_long2() ||
2840 sig_verif_types->at(i).is_double2(), "Unexpected return verificationType");
2841 current_frame->push_stack(sig_verif_types->at(i), CHECK_VERIFY(this));
2842 }
2843 }
2844 }
2845
2846 VerificationType ClassVerifier::get_newarray_type(
2847 u2 index, int bci, TRAPS) {
2848 const char* from_bt[] = {
2849 nullptr, nullptr, nullptr, nullptr, "[Z", "[C", "[F", "[D", "[B", "[S", "[I", "[J",
2850 };
|