• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2011 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef ART_RUNTIME_VERIFIER_METHOD_VERIFIER_H_
18 #define ART_RUNTIME_VERIFIER_METHOD_VERIFIER_H_
19 
20 #include <memory>
21 #include <sstream>
22 #include <vector>
23 
24 #include "base/arena_allocator.h"
25 #include "base/macros.h"
26 #include "base/scoped_arena_containers.h"
27 #include "base/stl_util.h"
28 #include "base/value_object.h"
29 #include "dex_file.h"
30 #include "handle.h"
31 #include "instruction_flags.h"
32 #include "method_reference.h"
33 #include "register_line.h"
34 #include "reg_type_cache.h"
35 
36 namespace art {
37 
38 class CompilerCallbacks;
39 class Instruction;
40 struct ReferenceMap2Visitor;
41 class Thread;
42 class VariableIndentationOutputStream;
43 
44 namespace verifier {
45 
46 class MethodVerifier;
47 class RegisterLine;
48 using RegisterLineArenaUniquePtr = std::unique_ptr<RegisterLine, RegisterLineArenaDelete>;
49 class RegType;
50 
51 /*
52  * "Direct" and "virtual" methods are stored independently. The type of call used to invoke the
53  * method determines which list we search, and whether we travel up into superclasses.
54  *
55  * (<clinit>, <init>, and methods declared "private" or "static" are stored in the "direct" list.
56  * All others are stored in the "virtual" list.)
57  */
58 enum MethodType {
59   METHOD_UNKNOWN  = 0,
60   METHOD_DIRECT,      // <init>, private
61   METHOD_STATIC,      // static
62   METHOD_VIRTUAL,     // virtual
63   METHOD_SUPER,       // super
64   METHOD_INTERFACE    // interface
65 };
66 std::ostream& operator<<(std::ostream& os, const MethodType& rhs);
67 
68 /*
69  * An enumeration of problems that can turn up during verification.
70  * Both VERIFY_ERROR_BAD_CLASS_SOFT and VERIFY_ERROR_BAD_CLASS_HARD denote failures that cause
71  * the entire class to be rejected. However, VERIFY_ERROR_BAD_CLASS_SOFT denotes a soft failure
72  * that can potentially be corrected, and the verifier will try again at runtime.
73  * VERIFY_ERROR_BAD_CLASS_HARD denotes a hard failure that can't be corrected, and will cause
74  * the class to remain uncompiled. Other errors denote verification errors that cause bytecode
75  * to be rewritten to fail at runtime.
76  */
77 enum VerifyError {
78   VERIFY_ERROR_BAD_CLASS_HARD = 1,        // VerifyError; hard error that skips compilation.
79   VERIFY_ERROR_BAD_CLASS_SOFT = 2,        // VerifyError; soft error that verifies again at runtime.
80 
81   VERIFY_ERROR_NO_CLASS = 4,              // NoClassDefFoundError.
82   VERIFY_ERROR_NO_FIELD = 8,              // NoSuchFieldError.
83   VERIFY_ERROR_NO_METHOD = 16,            // NoSuchMethodError.
84   VERIFY_ERROR_ACCESS_CLASS = 32,         // IllegalAccessError.
85   VERIFY_ERROR_ACCESS_FIELD = 64,         // IllegalAccessError.
86   VERIFY_ERROR_ACCESS_METHOD = 128,       // IllegalAccessError.
87   VERIFY_ERROR_CLASS_CHANGE = 256,        // IncompatibleClassChangeError.
88   VERIFY_ERROR_INSTANTIATION = 512,       // InstantiationError.
89   // For opcodes that don't have complete verifier support (such as lambda opcodes),
90   // we need a way to continue execution at runtime without attempting to re-verify
91   // (since we know it will fail no matter what). Instead, run as the interpreter
92   // in a special "do access checks" mode which will perform verifier-like checking
93   // on the fly.
94   //
95   // TODO: Once all new opcodes have implemented full verifier support, this can be removed.
96   VERIFY_ERROR_FORCE_INTERPRETER = 1024,  // Skip the verification phase at runtime;
97                                           // force the interpreter to do access checks.
98                                           // (sets a soft fail at compile time).
99   VERIFY_ERROR_LOCKING = 2048,            // Could not guarantee balanced locking. This should be
100                                           // punted to the interpreter with access checks.
101 };
102 std::ostream& operator<<(std::ostream& os, const VerifyError& rhs);
103 
104 // We don't need to store the register data for many instructions, because we either only need
105 // it at branch points (for verification) or GC points and branches (for verification +
106 // type-precise register analysis).
107 enum RegisterTrackingMode {
108   kTrackRegsBranches,
109   kTrackCompilerInterestPoints,
110   kTrackRegsAll,
111 };
112 
113 // A mapping from a dex pc to the register line statuses as they are immediately prior to the
114 // execution of that instruction.
115 class PcToRegisterLineTable {
116  public:
117   explicit PcToRegisterLineTable(ScopedArenaAllocator& arena);
118   ~PcToRegisterLineTable();
119 
120   // Initialize the RegisterTable. Every instruction address can have a different set of information
121   // about what's in which register, but for verification purposes we only need to store it at
122   // branch target addresses (because we merge into that).
123   void Init(RegisterTrackingMode mode, InstructionFlags* flags, uint32_t insns_size,
124             uint16_t registers_size, MethodVerifier* verifier);
125 
GetLine(size_t idx)126   RegisterLine* GetLine(size_t idx) const {
127     return register_lines_[idx].get();
128   }
129 
130  private:
131   ScopedArenaVector<RegisterLineArenaUniquePtr> register_lines_;
132 
133   DISALLOW_COPY_AND_ASSIGN(PcToRegisterLineTable);
134 };
135 
136 // The verifier
137 class MethodVerifier {
138  public:
139   enum FailureKind {
140     kNoFailure,
141     kSoftFailure,
142     kHardFailure,
143   };
144 
CanCompilerHandleVerificationFailure(uint32_t encountered_failure_types)145   static bool CanCompilerHandleVerificationFailure(uint32_t encountered_failure_types) {
146     constexpr uint32_t unresolved_mask = verifier::VerifyError::VERIFY_ERROR_NO_CLASS
147         | verifier::VerifyError::VERIFY_ERROR_ACCESS_CLASS
148         | verifier::VerifyError::VERIFY_ERROR_ACCESS_FIELD
149         | verifier::VerifyError::VERIFY_ERROR_ACCESS_METHOD;
150     return (encountered_failure_types & (~unresolved_mask)) == 0;
151   }
152 
153   // Verify a class. Returns "kNoFailure" on success.
154   static FailureKind VerifyClass(Thread* self,
155                                  mirror::Class* klass,
156                                  CompilerCallbacks* callbacks,
157                                  bool allow_soft_failures,
158                                  LogSeverity log_level,
159                                  std::string* error)
160       SHARED_REQUIRES(Locks::mutator_lock_);
161   static FailureKind VerifyClass(Thread* self,
162                                  const DexFile* dex_file,
163                                  Handle<mirror::DexCache> dex_cache,
164                                  Handle<mirror::ClassLoader> class_loader,
165                                  const DexFile::ClassDef* class_def,
166                                  CompilerCallbacks* callbacks,
167                                  bool allow_soft_failures,
168                                  LogSeverity log_level,
169                                  std::string* error)
170       SHARED_REQUIRES(Locks::mutator_lock_);
171 
172   static MethodVerifier* VerifyMethodAndDump(Thread* self,
173                                              VariableIndentationOutputStream* vios,
174                                              uint32_t method_idx,
175                                              const DexFile* dex_file,
176                                              Handle<mirror::DexCache> dex_cache,
177                                              Handle<mirror::ClassLoader> class_loader,
178                                              const DexFile::ClassDef* class_def,
179                                              const DexFile::CodeItem* code_item, ArtMethod* method,
180                                              uint32_t method_access_flags)
181       SHARED_REQUIRES(Locks::mutator_lock_);
182 
183   uint8_t EncodePcToReferenceMapData() const;
184 
DexFileVersion()185   uint32_t DexFileVersion() const {
186     return dex_file_->GetVersion();
187   }
188 
GetRegTypeCache()189   RegTypeCache* GetRegTypeCache() {
190     return &reg_types_;
191   }
192 
193   // Log a verification failure.
194   std::ostream& Fail(VerifyError error);
195 
196   // Log for verification information.
197   std::ostream& LogVerifyInfo();
198 
199   // Dump the failures encountered by the verifier.
200   std::ostream& DumpFailures(std::ostream& os);
201 
202   // Dump the state of the verifier, namely each instruction, what flags are set on it, register
203   // information
204   void Dump(std::ostream& os) SHARED_REQUIRES(Locks::mutator_lock_);
205   void Dump(VariableIndentationOutputStream* vios) SHARED_REQUIRES(Locks::mutator_lock_);
206 
207   // Fills 'monitor_enter_dex_pcs' with the dex pcs of the monitor-enter instructions corresponding
208   // to the locks held at 'dex_pc' in method 'm'.
209   static void FindLocksAtDexPc(ArtMethod* m, uint32_t dex_pc,
210                                std::vector<uint32_t>* monitor_enter_dex_pcs)
211       SHARED_REQUIRES(Locks::mutator_lock_);
212 
213   // Returns the accessed field corresponding to the quick instruction's field
214   // offset at 'dex_pc' in method 'm'.
215   static ArtField* FindAccessedFieldAtDexPc(ArtMethod* m, uint32_t dex_pc)
216       SHARED_REQUIRES(Locks::mutator_lock_);
217 
218   // Returns the invoked method corresponding to the quick instruction's vtable
219   // index at 'dex_pc' in method 'm'.
220   static ArtMethod* FindInvokedMethodAtDexPc(ArtMethod* m, uint32_t dex_pc)
221       SHARED_REQUIRES(Locks::mutator_lock_);
222 
223   static void Init() SHARED_REQUIRES(Locks::mutator_lock_);
224   static void Shutdown();
225 
CanLoadClasses()226   bool CanLoadClasses() const {
227     return can_load_classes_;
228   }
229 
230   ~MethodVerifier();
231 
232   // Run verification on the method. Returns true if verification completes and false if the input
233   // has an irrecoverable corruption.
234   bool Verify() SHARED_REQUIRES(Locks::mutator_lock_);
235 
236   // Describe VRegs at the given dex pc.
237   std::vector<int32_t> DescribeVRegs(uint32_t dex_pc);
238 
239   static void VisitStaticRoots(RootVisitor* visitor)
240       SHARED_REQUIRES(Locks::mutator_lock_);
241   void VisitRoots(RootVisitor* visitor, const RootInfo& roots)
242       SHARED_REQUIRES(Locks::mutator_lock_);
243 
244   // Accessors used by the compiler via CompilerCallback
245   const DexFile::CodeItem* CodeItem() const;
246   RegisterLine* GetRegLine(uint32_t dex_pc);
247   ALWAYS_INLINE const InstructionFlags& GetInstructionFlags(size_t index) const;
248   ALWAYS_INLINE InstructionFlags& GetInstructionFlags(size_t index);
249   mirror::ClassLoader* GetClassLoader() SHARED_REQUIRES(Locks::mutator_lock_);
250   mirror::DexCache* GetDexCache() SHARED_REQUIRES(Locks::mutator_lock_);
251   ArtMethod* GetMethod() const SHARED_REQUIRES(Locks::mutator_lock_);
252   MethodReference GetMethodReference() const;
253   uint32_t GetAccessFlags() const;
254   bool HasCheckCasts() const;
255   bool HasVirtualOrInterfaceInvokes() const;
256   bool HasFailures() const;
HasInstructionThatWillThrow()257   bool HasInstructionThatWillThrow() const {
258     return have_any_pending_runtime_throw_failure_;
259   }
260 
261   const RegType& ResolveCheckedClass(uint32_t class_idx)
262       SHARED_REQUIRES(Locks::mutator_lock_);
263   // Returns the method of a quick invoke or null if it cannot be found.
264   ArtMethod* GetQuickInvokedMethod(const Instruction* inst, RegisterLine* reg_line,
265                                            bool is_range, bool allow_failure)
266       SHARED_REQUIRES(Locks::mutator_lock_);
267   // Returns the access field of a quick field access (iget/iput-quick) or null
268   // if it cannot be found.
269   ArtField* GetQuickFieldAccess(const Instruction* inst, RegisterLine* reg_line)
270       SHARED_REQUIRES(Locks::mutator_lock_);
271 
GetEncounteredFailureTypes()272   uint32_t GetEncounteredFailureTypes() {
273     return encountered_failure_types_;
274   }
275 
IsInstanceConstructor()276   bool IsInstanceConstructor() const {
277     return IsConstructor() && !IsStatic();
278   }
279 
GetArena()280   ScopedArenaAllocator& GetArena() {
281     return arena_;
282   }
283 
284  private:
285   MethodVerifier(Thread* self,
286                  const DexFile* dex_file,
287                  Handle<mirror::DexCache> dex_cache,
288                  Handle<mirror::ClassLoader> class_loader,
289                  const DexFile::ClassDef* class_def,
290                  const DexFile::CodeItem* code_item,
291                  uint32_t method_idx,
292                  ArtMethod* method,
293                  uint32_t access_flags,
294                  bool can_load_classes,
295                  bool allow_soft_failures,
296                  bool need_precise_constants,
297                  bool verify_to_dump,
298                  bool allow_thread_suspension)
299       SHARED_REQUIRES(Locks::mutator_lock_);
300 
301   void UninstantiableError(const char* descriptor);
302   static bool IsInstantiableOrPrimitive(mirror::Class* klass) SHARED_REQUIRES(Locks::mutator_lock_);
303 
304   // Is the method being verified a constructor? See the comment on the field.
IsConstructor()305   bool IsConstructor() const {
306     return is_constructor_;
307   }
308 
309   // Is the method verified static?
IsStatic()310   bool IsStatic() const {
311     return (method_access_flags_ & kAccStatic) != 0;
312   }
313 
314   // Adds the given string to the beginning of the last failure message.
315   void PrependToLastFailMessage(std::string);
316 
317   // Adds the given string to the end of the last failure message.
318   void AppendToLastFailMessage(std::string);
319 
320   // Verification result for method(s). Includes a (maximum) failure kind, and (the union of)
321   // all failure types.
322   struct FailureData : ValueObject {
323     FailureKind kind = kNoFailure;
324     uint32_t types = 0U;
325 
326     // Merge src into this. Uses the most severe failure kind, and the union of types.
327     void Merge(const FailureData& src);
328   };
329 
330   // Verify all direct or virtual methods of a class. The method assumes that the iterator is
331   // positioned correctly, and the iterator will be updated.
332   template <bool kDirect>
333   static FailureData VerifyMethods(Thread* self,
334                                    ClassLinker* linker,
335                                    const DexFile* dex_file,
336                                    const DexFile::ClassDef* class_def,
337                                    ClassDataItemIterator* it,
338                                    Handle<mirror::DexCache> dex_cache,
339                                    Handle<mirror::ClassLoader> class_loader,
340                                    CompilerCallbacks* callbacks,
341                                    bool allow_soft_failures,
342                                    LogSeverity log_level,
343                                    bool need_precise_constants,
344                                    std::string* error_string)
345       SHARED_REQUIRES(Locks::mutator_lock_);
346 
347   /*
348    * Perform verification on a single method.
349    *
350    * We do this in three passes:
351    *  (1) Walk through all code units, determining instruction locations,
352    *      widths, and other characteristics.
353    *  (2) Walk through all code units, performing static checks on
354    *      operands.
355    *  (3) Iterate through the method, checking type safety and looking
356    *      for code flow problems.
357    */
358   static FailureData VerifyMethod(Thread* self, uint32_t method_idx,
359                                   const DexFile* dex_file,
360                                   Handle<mirror::DexCache> dex_cache,
361                                   Handle<mirror::ClassLoader> class_loader,
362                                   const DexFile::ClassDef* class_def_idx,
363                                   const DexFile::CodeItem* code_item,
364                                   ArtMethod* method,
365                                   uint32_t method_access_flags,
366                                   CompilerCallbacks* callbacks,
367                                   bool allow_soft_failures,
368                                   LogSeverity log_level,
369                                   bool need_precise_constants,
370                                   std::string* hard_failure_msg)
371       SHARED_REQUIRES(Locks::mutator_lock_);
372 
373   void FindLocksAtDexPc() SHARED_REQUIRES(Locks::mutator_lock_);
374 
375   ArtField* FindAccessedFieldAtDexPc(uint32_t dex_pc)
376       SHARED_REQUIRES(Locks::mutator_lock_);
377 
378   ArtMethod* FindInvokedMethodAtDexPc(uint32_t dex_pc)
379       SHARED_REQUIRES(Locks::mutator_lock_);
380 
381   SafeMap<uint32_t, std::set<uint32_t>>& FindStringInitMap()
382       SHARED_REQUIRES(Locks::mutator_lock_);
383 
384   /*
385    * Compute the width of the instruction at each address in the instruction stream, and store it in
386    * insn_flags_. Addresses that are in the middle of an instruction, or that are part of switch
387    * table data, are not touched (so the caller should probably initialize "insn_flags" to zero).
388    *
389    * The "new_instance_count_" and "monitor_enter_count_" fields in vdata are also set.
390    *
391    * Performs some static checks, notably:
392    * - opcode of first instruction begins at index 0
393    * - only documented instructions may appear
394    * - each instruction follows the last
395    * - last byte of last instruction is at (code_length-1)
396    *
397    * Logs an error and returns "false" on failure.
398    */
399   bool ComputeWidthsAndCountOps();
400 
401   /*
402    * Set the "in try" flags for all instructions protected by "try" statements. Also sets the
403    * "branch target" flags for exception handlers.
404    *
405    * Call this after widths have been set in "insn_flags".
406    *
407    * Returns "false" if something in the exception table looks fishy, but we're expecting the
408    * exception table to be somewhat sane.
409    */
410   bool ScanTryCatchBlocks() SHARED_REQUIRES(Locks::mutator_lock_);
411 
412   /*
413    * Perform static verification on all instructions in a method.
414    *
415    * Walks through instructions in a method calling VerifyInstruction on each.
416    */
417   bool VerifyInstructions();
418 
419   /*
420    * Perform static verification on an instruction.
421    *
422    * As a side effect, this sets the "branch target" flags in InsnFlags.
423    *
424    * "(CF)" items are handled during code-flow analysis.
425    *
426    * v3 4.10.1
427    * - target of each jump and branch instruction must be valid
428    * - targets of switch statements must be valid
429    * - operands referencing constant pool entries must be valid
430    * - (CF) operands of getfield, putfield, getstatic, putstatic must be valid
431    * - (CF) operands of method invocation instructions must be valid
432    * - (CF) only invoke-direct can call a method starting with '<'
433    * - (CF) <clinit> must never be called explicitly
434    * - operands of instanceof, checkcast, new (and variants) must be valid
435    * - new-array[-type] limited to 255 dimensions
436    * - can't use "new" on an array class
437    * - (?) limit dimensions in multi-array creation
438    * - local variable load/store register values must be in valid range
439    *
440    * v3 4.11.1.2
441    * - branches must be within the bounds of the code array
442    * - targets of all control-flow instructions are the start of an instruction
443    * - register accesses fall within range of allocated registers
444    * - (N/A) access to constant pool must be of appropriate type
445    * - code does not end in the middle of an instruction
446    * - execution cannot fall off the end of the code
447    * - (earlier) for each exception handler, the "try" area must begin and
448    *   end at the start of an instruction (end can be at the end of the code)
449    * - (earlier) for each exception handler, the handler must start at a valid
450    *   instruction
451    */
452   bool VerifyInstruction(const Instruction* inst, uint32_t code_offset);
453 
454   /* Ensure that the register index is valid for this code item. */
455   bool CheckRegisterIndex(uint32_t idx);
456 
457   /* Ensure that the wide register index is valid for this code item. */
458   bool CheckWideRegisterIndex(uint32_t idx);
459 
460   // Perform static checks on a field Get or set instruction. All we do here is ensure that the
461   // field index is in the valid range.
462   bool CheckFieldIndex(uint32_t idx);
463 
464   // Perform static checks on a method invocation instruction. All we do here is ensure that the
465   // method index is in the valid range.
466   bool CheckMethodIndex(uint32_t idx);
467 
468   // Perform static checks on a "new-instance" instruction. Specifically, make sure the class
469   // reference isn't for an array class.
470   bool CheckNewInstance(uint32_t idx);
471 
472   /* Ensure that the string index is in the valid range. */
473   bool CheckStringIndex(uint32_t idx);
474 
475   // Perform static checks on an instruction that takes a class constant. Ensure that the class
476   // index is in the valid range.
477   bool CheckTypeIndex(uint32_t idx);
478 
479   // Perform static checks on a "new-array" instruction. Specifically, make sure they aren't
480   // creating an array of arrays that causes the number of dimensions to exceed 255.
481   bool CheckNewArray(uint32_t idx);
482 
483   // Verify an array data table. "cur_offset" is the offset of the fill-array-data instruction.
484   bool CheckArrayData(uint32_t cur_offset);
485 
486   // Verify that the target of a branch instruction is valid. We don't expect code to jump directly
487   // into an exception handler, but it's valid to do so as long as the target isn't a
488   // "move-exception" instruction. We verify that in a later stage.
489   // The dex format forbids certain instructions from branching to themselves.
490   // Updates "insn_flags_", setting the "branch target" flag.
491   bool CheckBranchTarget(uint32_t cur_offset);
492 
493   // Verify a switch table. "cur_offset" is the offset of the switch instruction.
494   // Updates "insn_flags_", setting the "branch target" flag.
495   bool CheckSwitchTargets(uint32_t cur_offset);
496 
497   // Check the register indices used in a "vararg" instruction, such as invoke-virtual or
498   // filled-new-array.
499   // - vA holds word count (0-5), args[] have values.
500   // There are some tests we don't do here, e.g. we don't try to verify that invoking a method that
501   // takes a double is done with consecutive registers. This requires parsing the target method
502   // signature, which we will be doing later on during the code flow analysis.
503   bool CheckVarArgRegs(uint32_t vA, uint32_t arg[]);
504 
505   // Check the register indices used in a "vararg/range" instruction, such as invoke-virtual/range
506   // or filled-new-array/range.
507   // - vA holds word count, vC holds index of first reg.
508   bool CheckVarArgRangeRegs(uint32_t vA, uint32_t vC);
509 
510   // Extract the relative offset from a branch instruction.
511   // Returns "false" on failure (e.g. this isn't a branch instruction).
512   bool GetBranchOffset(uint32_t cur_offset, int32_t* pOffset, bool* pConditional,
513                        bool* selfOkay);
514 
515   /* Perform detailed code-flow analysis on a single method. */
516   bool VerifyCodeFlow() SHARED_REQUIRES(Locks::mutator_lock_);
517 
518   // Set the register types for the first instruction in the method based on the method signature.
519   // This has the side-effect of validating the signature.
520   bool SetTypesFromSignature() SHARED_REQUIRES(Locks::mutator_lock_);
521 
522   /*
523    * Perform code flow on a method.
524    *
525    * The basic strategy is as outlined in v3 4.11.1.2: set the "changed" bit on the first
526    * instruction, process it (setting additional "changed" bits), and repeat until there are no
527    * more.
528    *
529    * v3 4.11.1.1
530    * - (N/A) operand stack is always the same size
531    * - operand stack [registers] contain the correct types of values
532    * - local variables [registers] contain the correct types of values
533    * - methods are invoked with the appropriate arguments
534    * - fields are assigned using values of appropriate types
535    * - opcodes have the correct type values in operand registers
536    * - there is never an uninitialized class instance in a local variable in code protected by an
537    *   exception handler (operand stack is okay, because the operand stack is discarded when an
538    *   exception is thrown) [can't know what's a local var w/o the debug info -- should fall out of
539    *   register typing]
540    *
541    * v3 4.11.1.2
542    * - execution cannot fall off the end of the code
543    *
544    * (We also do many of the items described in the "static checks" sections, because it's easier to
545    * do them here.)
546    *
547    * We need an array of RegType values, one per register, for every instruction. If the method uses
548    * monitor-enter, we need extra data for every register, and a stack for every "interesting"
549    * instruction. In theory this could become quite large -- up to several megabytes for a monster
550    * function.
551    *
552    * NOTE:
553    * The spec forbids backward branches when there's an uninitialized reference in a register. The
554    * idea is to prevent something like this:
555    *   loop:
556    *     move r1, r0
557    *     new-instance r0, MyClass
558    *     ...
559    *     if-eq rN, loop  // once
560    *   initialize r0
561    *
562    * This leaves us with two different instances, both allocated by the same instruction, but only
563    * one is initialized. The scheme outlined in v3 4.11.1.4 wouldn't catch this, so they work around
564    * it by preventing backward branches. We achieve identical results without restricting code
565    * reordering by specifying that you can't execute the new-instance instruction if a register
566    * contains an uninitialized instance created by that same instruction.
567    */
568   bool CodeFlowVerifyMethod() SHARED_REQUIRES(Locks::mutator_lock_);
569 
570   /*
571    * Perform verification for a single instruction.
572    *
573    * This requires fully decoding the instruction to determine the effect it has on registers.
574    *
575    * Finds zero or more following instructions and sets the "changed" flag if execution at that
576    * point needs to be (re-)evaluated. Register changes are merged into "reg_types_" at the target
577    * addresses. Does not set or clear any other flags in "insn_flags_".
578    */
579   bool CodeFlowVerifyInstruction(uint32_t* start_guess)
580       SHARED_REQUIRES(Locks::mutator_lock_);
581 
582   // Perform verification of a new array instruction
583   void VerifyNewArray(const Instruction* inst, bool is_filled, bool is_range)
584       SHARED_REQUIRES(Locks::mutator_lock_);
585 
586   // Helper to perform verification on puts of primitive type.
587   void VerifyPrimitivePut(const RegType& target_type, const RegType& insn_type,
588                           const uint32_t vregA) SHARED_REQUIRES(Locks::mutator_lock_);
589 
590   // Perform verification of an aget instruction. The destination register's type will be set to
591   // be that of component type of the array unless the array type is unknown, in which case a
592   // bottom type inferred from the type of instruction is used. is_primitive is false for an
593   // aget-object.
594   void VerifyAGet(const Instruction* inst, const RegType& insn_type,
595                   bool is_primitive) SHARED_REQUIRES(Locks::mutator_lock_);
596 
597   // Perform verification of an aput instruction.
598   void VerifyAPut(const Instruction* inst, const RegType& insn_type,
599                   bool is_primitive) SHARED_REQUIRES(Locks::mutator_lock_);
600 
601   // Lookup instance field and fail for resolution violations
602   ArtField* GetInstanceField(const RegType& obj_type, int field_idx)
603       SHARED_REQUIRES(Locks::mutator_lock_);
604 
605   // Lookup static field and fail for resolution violations
606   ArtField* GetStaticField(int field_idx) SHARED_REQUIRES(Locks::mutator_lock_);
607 
608   // Perform verification of an iget/sget/iput/sput instruction.
609   enum class FieldAccessType {  // private
610     kAccGet,
611     kAccPut
612   };
613   template <FieldAccessType kAccType>
614   void VerifyISFieldAccess(const Instruction* inst, const RegType& insn_type,
615                            bool is_primitive, bool is_static)
616       SHARED_REQUIRES(Locks::mutator_lock_);
617 
618   template <FieldAccessType kAccType>
619   void VerifyQuickFieldAccess(const Instruction* inst, const RegType& insn_type, bool is_primitive)
620       SHARED_REQUIRES(Locks::mutator_lock_);
621 
622   // Resolves a class based on an index and performs access checks to ensure the referrer can
623   // access the resolved class.
624   const RegType& ResolveClassAndCheckAccess(uint32_t class_idx)
625       SHARED_REQUIRES(Locks::mutator_lock_);
626 
627   /*
628    * For the "move-exception" instruction at "work_insn_idx_", which must be at an exception handler
629    * address, determine the Join of all exceptions that can land here. Fails if no matching
630    * exception handler can be found or if the Join of exception types fails.
631    */
632   const RegType& GetCaughtExceptionType()
633       SHARED_REQUIRES(Locks::mutator_lock_);
634 
635   /*
636    * Resolves a method based on an index and performs access checks to ensure
637    * the referrer can access the resolved method.
638    * Does not throw exceptions.
639    */
640   ArtMethod* ResolveMethodAndCheckAccess(uint32_t method_idx, MethodType method_type)
641       SHARED_REQUIRES(Locks::mutator_lock_);
642 
643   /*
644    * Verify the arguments to a method. We're executing in "method", making
645    * a call to the method reference in vB.
646    *
647    * If this is a "direct" invoke, we allow calls to <init>. For calls to
648    * <init>, the first argument may be an uninitialized reference. Otherwise,
649    * calls to anything starting with '<' will be rejected, as will any
650    * uninitialized reference arguments.
651    *
652    * For non-static method calls, this will verify that the method call is
653    * appropriate for the "this" argument.
654    *
655    * The method reference is in vBBBB. The "is_range" parameter determines
656    * whether we use 0-4 "args" values or a range of registers defined by
657    * vAA and vCCCC.
658    *
659    * Widening conversions on integers and references are allowed, but
660    * narrowing conversions are not.
661    *
662    * Returns the resolved method on success, null on failure (with *failure
663    * set appropriately).
664    */
665   ArtMethod* VerifyInvocationArgs(const Instruction* inst, MethodType method_type, bool is_range)
666       SHARED_REQUIRES(Locks::mutator_lock_);
667 
668   // Similar checks to the above, but on the proto. Will be used when the method cannot be
669   // resolved.
670   void VerifyInvocationArgsUnresolvedMethod(const Instruction* inst, MethodType method_type,
671                                             bool is_range)
672       SHARED_REQUIRES(Locks::mutator_lock_);
673 
674   template <class T>
675   ArtMethod* VerifyInvocationArgsFromIterator(T* it, const Instruction* inst,
676                                                       MethodType method_type, bool is_range,
677                                                       ArtMethod* res_method)
678       SHARED_REQUIRES(Locks::mutator_lock_);
679 
680   ArtMethod* VerifyInvokeVirtualQuickArgs(const Instruction* inst, bool is_range)
681   SHARED_REQUIRES(Locks::mutator_lock_);
682 
683   /*
684    * Verify that the target instruction is not "move-exception". It's important that the only way
685    * to execute a move-exception is as the first instruction of an exception handler.
686    * Returns "true" if all is well, "false" if the target instruction is move-exception.
687    */
688   bool CheckNotMoveException(const uint16_t* insns, int insn_idx);
689 
690   /*
691    * Verify that the target instruction is not "move-result". It is important that we cannot
692    * branch to move-result instructions, but we have to make this a distinct check instead of
693    * adding it to CheckNotMoveException, because it is legal to continue into "move-result"
694    * instructions - as long as the previous instruction was an invoke, which is checked elsewhere.
695    */
696   bool CheckNotMoveResult(const uint16_t* insns, int insn_idx);
697 
698   /*
699    * Verify that the target instruction is not "move-result" or "move-exception". This is to
700    * be used when checking branch and switch instructions, but not instructions that can
701    * continue.
702    */
703   bool CheckNotMoveExceptionOrMoveResult(const uint16_t* insns, int insn_idx);
704 
705   /*
706   * Control can transfer to "next_insn". Merge the registers from merge_line into the table at
707   * next_insn, and set the changed flag on the target address if any of the registers were changed.
708   * In the case of fall-through, update the merge line on a change as its the working line for the
709   * next instruction.
710   * Returns "false" if an error is encountered.
711   */
712   bool UpdateRegisters(uint32_t next_insn, RegisterLine* merge_line, bool update_merge_line)
713       SHARED_REQUIRES(Locks::mutator_lock_);
714 
715   // Return the register type for the method.
716   const RegType& GetMethodReturnType() SHARED_REQUIRES(Locks::mutator_lock_);
717 
718   // Get a type representing the declaring class of the method.
719   const RegType& GetDeclaringClass() SHARED_REQUIRES(Locks::mutator_lock_);
720 
721   InstructionFlags* CurrentInsnFlags();
722 
723   const RegType& DetermineCat1Constant(int32_t value, bool precise)
724       SHARED_REQUIRES(Locks::mutator_lock_);
725 
726   // Try to create a register type from the given class. In case a precise type is requested, but
727   // the class is not instantiable, a soft error (of type NO_CLASS) will be enqueued and a
728   // non-precise reference will be returned.
729   // Note: we reuse NO_CLASS as this will throw an exception at runtime, when the failing class is
730   //       actually touched.
731   const RegType& FromClass(const char* descriptor, mirror::Class* klass, bool precise)
732       SHARED_REQUIRES(Locks::mutator_lock_);
733 
734   // The thread we're verifying on.
735   Thread* const self_;
736 
737   // Arena allocator.
738   ArenaStack arena_stack_;
739   ScopedArenaAllocator arena_;
740 
741   RegTypeCache reg_types_;
742 
743   PcToRegisterLineTable reg_table_;
744 
745   // Storage for the register status we're currently working on.
746   RegisterLineArenaUniquePtr work_line_;
747 
748   // The address of the instruction we're currently working on, note that this is in 2 byte
749   // quantities
750   uint32_t work_insn_idx_;
751 
752   // Storage for the register status we're saving for later.
753   RegisterLineArenaUniquePtr saved_line_;
754 
755   const uint32_t dex_method_idx_;  // The method we're working on.
756   // Its object representation if known.
757   ArtMethod* mirror_method_ GUARDED_BY(Locks::mutator_lock_);
758   const uint32_t method_access_flags_;  // Method's access flags.
759   const RegType* return_type_;  // Lazily computed return type of the method.
760   const DexFile* const dex_file_;  // The dex file containing the method.
761   // The dex_cache for the declaring class of the method.
762   Handle<mirror::DexCache> dex_cache_ GUARDED_BY(Locks::mutator_lock_);
763   // The class loader for the declaring class of the method.
764   Handle<mirror::ClassLoader> class_loader_ GUARDED_BY(Locks::mutator_lock_);
765   const DexFile::ClassDef* const class_def_;  // The class def of the declaring class of the method.
766   const DexFile::CodeItem* const code_item_;  // The code item containing the code for the method.
767   const RegType* declaring_class_;  // Lazily computed reg type of the method's declaring class.
768   // Instruction widths and flags, one entry per code unit.
769   // Owned, but not unique_ptr since insn_flags_ are allocated in arenas.
770   ArenaUniquePtr<InstructionFlags[]> insn_flags_;
771   // The dex PC of a FindLocksAtDexPc request, -1 otherwise.
772   uint32_t interesting_dex_pc_;
773   // The container into which FindLocksAtDexPc should write the registers containing held locks,
774   // null if we're not doing FindLocksAtDexPc.
775   std::vector<uint32_t>* monitor_enter_dex_pcs_;
776 
777   // The types of any error that occurs.
778   std::vector<VerifyError> failures_;
779   // Error messages associated with failures.
780   std::vector<std::ostringstream*> failure_messages_;
781   // Is there a pending hard failure?
782   bool have_pending_hard_failure_;
783   // Is there a pending runtime throw failure? A runtime throw failure is when an instruction
784   // would fail at runtime throwing an exception. Such an instruction causes the following code
785   // to be unreachable. This is set by Fail and used to ensure we don't process unreachable
786   // instructions that would hard fail the verification.
787   // Note: this flag is reset after processing each instruction.
788   bool have_pending_runtime_throw_failure_;
789   // Is there a pending experimental failure?
790   bool have_pending_experimental_failure_;
791 
792   // A version of the above that is not reset and thus captures if there were *any* throw failures.
793   bool have_any_pending_runtime_throw_failure_;
794 
795   // Info message log use primarily for verifier diagnostics.
796   std::ostringstream info_messages_;
797 
798   // The number of occurrences of specific opcodes.
799   size_t new_instance_count_;
800   size_t monitor_enter_count_;
801 
802   // Bitset of the encountered failure types. Bits are according to the values in VerifyError.
803   uint32_t encountered_failure_types_;
804 
805   const bool can_load_classes_;
806 
807   // Converts soft failures to hard failures when false. Only false when the compiler isn't
808   // running and the verifier is called from the class linker.
809   const bool allow_soft_failures_;
810 
811   // An optimization where instead of generating unique RegTypes for constants we use imprecise
812   // constants that cover a range of constants. This isn't good enough for deoptimization that
813   // avoids loading from registers in the case of a constant as the dex instruction set lost the
814   // notion of whether a value should be in a floating point or general purpose register file.
815   const bool need_precise_constants_;
816 
817   // Indicates the method being verified contains at least one check-cast or aput-object
818   // instruction. Aput-object operations implicitly check for array-store exceptions, similar to
819   // check-cast.
820   bool has_check_casts_;
821 
822   // Indicates the method being verified contains at least one invoke-virtual/range
823   // or invoke-interface/range.
824   bool has_virtual_or_interface_invokes_;
825 
826   // Indicates whether we verify to dump the info. In that case we accept quickened instructions
827   // even though we might detect to be a compiler. Should only be set when running
828   // VerifyMethodAndDump.
829   const bool verify_to_dump_;
830 
831   // Whether or not we call AllowThreadSuspension periodically, we want a way to disable this for
832   // thread dumping checkpoints since we may get thread suspension at an inopportune time due to
833   // FindLocksAtDexPC, resulting in deadlocks.
834   const bool allow_thread_suspension_;
835 
836   // Whether the method seems to be a constructor. Note that this field exists as we can't trust
837   // the flags in the dex file. Some older code does not mark methods named "<init>" and "<clinit>"
838   // correctly.
839   //
840   // Note: this flag is only valid once Verify() has started.
841   bool is_constructor_;
842 
843   // Link, for the method verifier root linked list.
844   MethodVerifier* link_;
845 
846   friend class art::Thread;
847 
848   DISALLOW_COPY_AND_ASSIGN(MethodVerifier);
849 };
850 std::ostream& operator<<(std::ostream& os, const MethodVerifier::FailureKind& rhs);
851 
852 }  // namespace verifier
853 }  // namespace art
854 
855 #endif  // ART_RUNTIME_VERIFIER_METHOD_VERIFIER_H_
856