method_verifier.h revision 53e32d14d7a51198c6ef09120c15bafdd1d055c2 
1/*
2 * Copyright (C) 2011 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef ART_RUNTIME_VERIFIER_METHOD_VERIFIER_H_
18#define ART_RUNTIME_VERIFIER_METHOD_VERIFIER_H_
19
20#include <memory>
21#include <sstream>
22#include <vector>
23
24#include "base/arena_allocator.h"
25#include "base/macros.h"
26#include "base/scoped_arena_containers.h"
27#include "base/stl_util.h"
28#include "dex_file.h"
29#include "handle.h"
30#include "instruction_flags.h"
31#include "method_reference.h"
32#include "reg_type_cache.h"
33
34namespace art {
35
36class CompilerCallbacks;
37class Instruction;
38struct ReferenceMap2Visitor;
39class Thread;
40class VariableIndentationOutputStream;
41
42namespace verifier {
43
44class DexPcToReferenceMap;
45class MethodVerifier;
46class RegisterLine;
47class RegType;
48
49/*
50 * "Direct" and "virtual" methods are stored independently. The type of call used to invoke the
51 * method determines which list we search, and whether we travel up into superclasses.
52 *
53 * (<clinit>, <init>, and methods declared "private" or "static" are stored in the "direct" list.
54 * All others are stored in the "virtual" list.)
55 */
56enum MethodType {
57  METHOD_UNKNOWN  = 0,
58  METHOD_DIRECT,      // <init>, private
59  METHOD_STATIC,      // static
60  METHOD_VIRTUAL,     // virtual, super
61  METHOD_INTERFACE    // interface
62};
63std::ostream& operator<<(std::ostream& os, const MethodType& rhs);
64
65/*
66 * An enumeration of problems that can turn up during verification.
67 * Both VERIFY_ERROR_BAD_CLASS_SOFT and VERIFY_ERROR_BAD_CLASS_HARD denote failures that cause
68 * the entire class to be rejected. However, VERIFY_ERROR_BAD_CLASS_SOFT denotes a soft failure
69 * that can potentially be corrected, and the verifier will try again at runtime.
70 * VERIFY_ERROR_BAD_CLASS_HARD denotes a hard failure that can't be corrected, and will cause
71 * the class to remain uncompiled. Other errors denote verification errors that cause bytecode
72 * to be rewritten to fail at runtime.
73 */
74enum VerifyError {
75  VERIFY_ERROR_BAD_CLASS_HARD = 1,        // VerifyError; hard error that skips compilation.
76  VERIFY_ERROR_BAD_CLASS_SOFT = 2,        // VerifyError; soft error that verifies again at runtime.
77
78  VERIFY_ERROR_NO_CLASS = 4,              // NoClassDefFoundError.
79  VERIFY_ERROR_NO_FIELD = 8,              // NoSuchFieldError.
80  VERIFY_ERROR_NO_METHOD = 16,            // NoSuchMethodError.
81  VERIFY_ERROR_ACCESS_CLASS = 32,         // IllegalAccessError.
82  VERIFY_ERROR_ACCESS_FIELD = 64,         // IllegalAccessError.
83  VERIFY_ERROR_ACCESS_METHOD = 128,       // IllegalAccessError.
84  VERIFY_ERROR_CLASS_CHANGE = 256,        // IncompatibleClassChangeError.
85  VERIFY_ERROR_INSTANTIATION = 512,       // InstantiationError.
86  // For opcodes that don't have complete verifier support (such as lambda opcodes),
87  // we need a way to continue execution at runtime without attempting to re-verify
88  // (since we know it will fail no matter what). Instead, run as the interpreter
89  // in a special "do access checks" mode which will perform verifier-like checking
90  // on the fly.
91  //
92  // TODO: Once all new opcodes have implemented full verifier support, this can be removed.
93  VERIFY_ERROR_FORCE_INTERPRETER = 1024,  // Skip the verification phase at runtime;
94                                          // force the interpreter to do access checks.
95                                          // (sets a soft fail at compile time).
96  VERIFY_ERROR_LOCKING = 2048,            // Could not guarantee balanced locking. This should be
97                                          // punted to the interpreter with access checks.
98};
99std::ostream& operator<<(std::ostream& os, const VerifyError& rhs);
100
101// We don't need to store the register data for many instructions, because we either only need
102// it at branch points (for verification) or GC points and branches (for verification +
103// type-precise register analysis).
104enum RegisterTrackingMode {
105  kTrackRegsBranches,
106  kTrackCompilerInterestPoints,
107  kTrackRegsAll,
108};
109
110// A mapping from a dex pc to the register line statuses as they are immediately prior to the
111// execution of that instruction.
112class PcToRegisterLineTable {
113 public:
114  explicit PcToRegisterLineTable(ScopedArenaAllocator& arena);
115  ~PcToRegisterLineTable();
116
117  // Initialize the RegisterTable. Every instruction address can have a different set of information
118  // about what's in which register, but for verification purposes we only need to store it at
119  // branch target addresses (because we merge into that).
120  void Init(RegisterTrackingMode mode, InstructionFlags* flags, uint32_t insns_size,
121            uint16_t registers_size, MethodVerifier* verifier);
122
123  RegisterLine* GetLine(size_t idx) const {
124    return register_lines_[idx].get();
125  }
126
127 private:
128  ScopedArenaVector<ArenaUniquePtr<RegisterLine>> register_lines_;
129
130  DISALLOW_COPY_AND_ASSIGN(PcToRegisterLineTable);
131};
132
133// The verifier
134class MethodVerifier {
135 public:
136  enum FailureKind {
137    kNoFailure,
138    kSoftFailure,
139    kHardFailure,
140  };
141
142  /* Verify a class. Returns "kNoFailure" on success. */
143  static FailureKind VerifyClass(Thread* self,
144                                 mirror::Class* klass,
145                                 CompilerCallbacks* callbacks,
146                                 bool allow_soft_failures,
147                                 bool log_hard_failures,
148                                 std::string* error)
149      SHARED_REQUIRES(Locks::mutator_lock_);
150  static FailureKind VerifyClass(Thread* self,
151                                 const DexFile* dex_file,
152                                 Handle<mirror::DexCache> dex_cache,
153                                 Handle<mirror::ClassLoader> class_loader,
154                                 const DexFile::ClassDef* class_def,
155                                 CompilerCallbacks* callbacks,
156                                 bool allow_soft_failures,
157                                 bool log_hard_failures,
158                                 std::string* error)
159      SHARED_REQUIRES(Locks::mutator_lock_);
160
161  static MethodVerifier* VerifyMethodAndDump(Thread* self,
162                                             VariableIndentationOutputStream* vios,
163                                             uint32_t method_idx,
164                                             const DexFile* dex_file,
165                                             Handle<mirror::DexCache> dex_cache,
166                                             Handle<mirror::ClassLoader> class_loader,
167                                             const DexFile::ClassDef* class_def,
168                                             const DexFile::CodeItem* code_item, ArtMethod* method,
169                                             uint32_t method_access_flags)
170      SHARED_REQUIRES(Locks::mutator_lock_);
171
172  uint8_t EncodePcToReferenceMapData() const;
173
174  uint32_t DexFileVersion() const {
175    return dex_file_->GetVersion();
176  }
177
178  RegTypeCache* GetRegTypeCache() {
179    return &reg_types_;
180  }
181
182  // Log a verification failure.
183  std::ostream& Fail(VerifyError error);
184
185  // Log for verification information.
186  std::ostream& LogVerifyInfo();
187
188  // Dump the failures encountered by the verifier.
189  std::ostream& DumpFailures(std::ostream& os);
190
191  // Dump the state of the verifier, namely each instruction, what flags are set on it, register
192  // information
193  void Dump(std::ostream& os) SHARED_REQUIRES(Locks::mutator_lock_);
194  void Dump(VariableIndentationOutputStream* vios) SHARED_REQUIRES(Locks::mutator_lock_);
195
196  // Fills 'monitor_enter_dex_pcs' with the dex pcs of the monitor-enter instructions corresponding
197  // to the locks held at 'dex_pc' in method 'm'.
198  static void FindLocksAtDexPc(ArtMethod* m, uint32_t dex_pc,
199                               std::vector<uint32_t>* monitor_enter_dex_pcs)
200      SHARED_REQUIRES(Locks::mutator_lock_);
201
202  // Returns the accessed field corresponding to the quick instruction's field
203  // offset at 'dex_pc' in method 'm'.
204  static ArtField* FindAccessedFieldAtDexPc(ArtMethod* m, uint32_t dex_pc)
205      SHARED_REQUIRES(Locks::mutator_lock_);
206
207  // Returns the invoked method corresponding to the quick instruction's vtable
208  // index at 'dex_pc' in method 'm'.
209  static ArtMethod* FindInvokedMethodAtDexPc(ArtMethod* m, uint32_t dex_pc)
210      SHARED_REQUIRES(Locks::mutator_lock_);
211
212  static SafeMap<uint32_t, std::set<uint32_t>> FindStringInitMap(ArtMethod* m)
213      SHARED_REQUIRES(Locks::mutator_lock_);
214
215  static void Init() SHARED_REQUIRES(Locks::mutator_lock_);
216  static void Shutdown();
217
218  bool CanLoadClasses() const {
219    return can_load_classes_;
220  }
221
222  MethodVerifier(Thread* self,
223                 const DexFile* dex_file,
224                 Handle<mirror::DexCache> dex_cache,
225                 Handle<mirror::ClassLoader> class_loader,
226                 const DexFile::ClassDef* class_def,
227                 const DexFile::CodeItem* code_item,
228                 uint32_t method_idx,
229                 ArtMethod* method,
230                 uint32_t access_flags,
231                 bool can_load_classes,
232                 bool allow_soft_failures,
233                 bool need_precise_constants,
234                 bool allow_thread_suspension)
235          SHARED_REQUIRES(Locks::mutator_lock_)
236      : MethodVerifier(self,
237                       dex_file,
238                       dex_cache,
239                       class_loader,
240                       class_def,
241                       code_item,
242                       method_idx,
243                       method,
244                       access_flags,
245                       can_load_classes,
246                       allow_soft_failures,
247                       need_precise_constants,
248                       false,
249                       allow_thread_suspension) {}
250
251  ~MethodVerifier();
252
253  // Run verification on the method. Returns true if verification completes and false if the input
254  // has an irrecoverable corruption.
255  bool Verify() SHARED_REQUIRES(Locks::mutator_lock_);
256
257  // Describe VRegs at the given dex pc.
258  std::vector<int32_t> DescribeVRegs(uint32_t dex_pc);
259
260  static void VisitStaticRoots(RootVisitor* visitor)
261      SHARED_REQUIRES(Locks::mutator_lock_);
262  void VisitRoots(RootVisitor* visitor, const RootInfo& roots)
263      SHARED_REQUIRES(Locks::mutator_lock_);
264
265  // Accessors used by the compiler via CompilerCallback
266  const DexFile::CodeItem* CodeItem() const;
267  RegisterLine* GetRegLine(uint32_t dex_pc);
268  ALWAYS_INLINE const InstructionFlags& GetInstructionFlags(size_t index) const;
269  ALWAYS_INLINE InstructionFlags& GetInstructionFlags(size_t index);
270  mirror::ClassLoader* GetClassLoader() SHARED_REQUIRES(Locks::mutator_lock_);
271  mirror::DexCache* GetDexCache() SHARED_REQUIRES(Locks::mutator_lock_);
272  MethodReference GetMethodReference() const;
273  uint32_t GetAccessFlags() const;
274  bool HasCheckCasts() const;
275  bool HasVirtualOrInterfaceInvokes() const;
276  bool HasFailures() const;
277  bool HasInstructionThatWillThrow() const {
278    return have_any_pending_runtime_throw_failure_;
279  }
280
281  const RegType& ResolveCheckedClass(uint32_t class_idx)
282      SHARED_REQUIRES(Locks::mutator_lock_);
283  // Returns the method of a quick invoke or null if it cannot be found.
284  ArtMethod* GetQuickInvokedMethod(const Instruction* inst, RegisterLine* reg_line,
285                                           bool is_range, bool allow_failure)
286      SHARED_REQUIRES(Locks::mutator_lock_);
287  // Returns the access field of a quick field access (iget/iput-quick) or null
288  // if it cannot be found.
289  ArtField* GetQuickFieldAccess(const Instruction* inst, RegisterLine* reg_line)
290      SHARED_REQUIRES(Locks::mutator_lock_);
291
292  SafeMap<uint32_t, std::set<uint32_t>>& GetStringInitPcRegMap() {
293    return string_init_pc_reg_map_;
294  }
295
296  uint32_t GetEncounteredFailureTypes() {
297    return encountered_failure_types_;
298  }
299
300  bool IsInstanceConstructor() const {
301    return IsConstructor() && !IsStatic();
302  }
303
304  ScopedArenaAllocator& GetArena() {
305    return arena_;
306  }
307
308 private:
309  void UninstantiableError(const char* descriptor);
310  static bool IsInstantiableOrPrimitive(mirror::Class* klass) SHARED_REQUIRES(Locks::mutator_lock_);
311
312  // Is the method being verified a constructor? See the comment on the field.
313  bool IsConstructor() const {
314    return is_constructor_;
315  }
316
317  // Is the method verified static?
318  bool IsStatic() const {
319    return (method_access_flags_ & kAccStatic) != 0;
320  }
321
322  // Private constructor for dumping.
323  MethodVerifier(Thread* self,
324                 const DexFile* dex_file,
325                 Handle<mirror::DexCache> dex_cache,
326                 Handle<mirror::ClassLoader> class_loader,
327                 const DexFile::ClassDef* class_def,
328                 const DexFile::CodeItem* code_item,
329                 uint32_t method_idx,
330                 ArtMethod* method,
331                 uint32_t access_flags,
332                 bool can_load_classes,
333                 bool allow_soft_failures,
334                 bool need_precise_constants,
335                 bool verify_to_dump,
336                 bool allow_thread_suspension)
337      SHARED_REQUIRES(Locks::mutator_lock_);
338
339  // Adds the given string to the beginning of the last failure message.
340  void PrependToLastFailMessage(std::string);
341
342  // Adds the given string to the end of the last failure message.
343  void AppendToLastFailMessage(std::string);
344
345  // Verify all direct or virtual methods of a class. The method assumes that the iterator is
346  // positioned correctly, and the iterator will be updated.
347  template <bool kDirect>
348  static void VerifyMethods(Thread* self,
349                            ClassLinker* linker,
350                            const DexFile* dex_file,
351                            const DexFile::ClassDef* class_def,
352                            ClassDataItemIterator* it,
353                            Handle<mirror::DexCache> dex_cache,
354                            Handle<mirror::ClassLoader> class_loader,
355                            CompilerCallbacks* callbacks,
356                            bool allow_soft_failures,
357                            bool log_hard_failures,
358                            bool need_precise_constants,
359                            bool* hard_fail,
360                            size_t* error_count,
361                            std::string* error_string)
362      SHARED_REQUIRES(Locks::mutator_lock_);
363
364  /*
365   * Perform verification on a single method.
366   *
367   * We do this in three passes:
368   *  (1) Walk through all code units, determining instruction locations,
369   *      widths, and other characteristics.
370   *  (2) Walk through all code units, performing static checks on
371   *      operands.
372   *  (3) Iterate through the method, checking type safety and looking
373   *      for code flow problems.
374   */
375  static FailureKind VerifyMethod(Thread* self, uint32_t method_idx,
376                                  const DexFile* dex_file,
377                                  Handle<mirror::DexCache> dex_cache,
378                                  Handle<mirror::ClassLoader> class_loader,
379                                  const DexFile::ClassDef* class_def_idx,
380                                  const DexFile::CodeItem* code_item,
381                                  ArtMethod* method,
382                                  uint32_t method_access_flags,
383                                  CompilerCallbacks* callbacks,
384                                  bool allow_soft_failures,
385                                  bool log_hard_failures,
386                                  bool need_precise_constants,
387                                  std::string* hard_failure_msg)
388      SHARED_REQUIRES(Locks::mutator_lock_);
389
390  void FindLocksAtDexPc() SHARED_REQUIRES(Locks::mutator_lock_);
391
392  ArtField* FindAccessedFieldAtDexPc(uint32_t dex_pc)
393      SHARED_REQUIRES(Locks::mutator_lock_);
394
395  ArtMethod* FindInvokedMethodAtDexPc(uint32_t dex_pc)
396      SHARED_REQUIRES(Locks::mutator_lock_);
397
398  SafeMap<uint32_t, std::set<uint32_t>>& FindStringInitMap()
399      SHARED_REQUIRES(Locks::mutator_lock_);
400
401  /*
402   * Compute the width of the instruction at each address in the instruction stream, and store it in
403   * insn_flags_. Addresses that are in the middle of an instruction, or that are part of switch
404   * table data, are not touched (so the caller should probably initialize "insn_flags" to zero).
405   *
406   * The "new_instance_count_" and "monitor_enter_count_" fields in vdata are also set.
407   *
408   * Performs some static checks, notably:
409   * - opcode of first instruction begins at index 0
410   * - only documented instructions may appear
411   * - each instruction follows the last
412   * - last byte of last instruction is at (code_length-1)
413   *
414   * Logs an error and returns "false" on failure.
415   */
416  bool ComputeWidthsAndCountOps();
417
418  /*
419   * Set the "in try" flags for all instructions protected by "try" statements. Also sets the
420   * "branch target" flags for exception handlers.
421   *
422   * Call this after widths have been set in "insn_flags".
423   *
424   * Returns "false" if something in the exception table looks fishy, but we're expecting the
425   * exception table to be somewhat sane.
426   */
427  bool ScanTryCatchBlocks() SHARED_REQUIRES(Locks::mutator_lock_);
428
429  /*
430   * Perform static verification on all instructions in a method.
431   *
432   * Walks through instructions in a method calling VerifyInstruction on each.
433   */
434  bool VerifyInstructions();
435
436  /*
437   * Perform static verification on an instruction.
438   *
439   * As a side effect, this sets the "branch target" flags in InsnFlags.
440   *
441   * "(CF)" items are handled during code-flow analysis.
442   *
443   * v3 4.10.1
444   * - target of each jump and branch instruction must be valid
445   * - targets of switch statements must be valid
446   * - operands referencing constant pool entries must be valid
447   * - (CF) operands of getfield, putfield, getstatic, putstatic must be valid
448   * - (CF) operands of method invocation instructions must be valid
449   * - (CF) only invoke-direct can call a method starting with '<'
450   * - (CF) <clinit> must never be called explicitly
451   * - operands of instanceof, checkcast, new (and variants) must be valid
452   * - new-array[-type] limited to 255 dimensions
453   * - can't use "new" on an array class
454   * - (?) limit dimensions in multi-array creation
455   * - local variable load/store register values must be in valid range
456   *
457   * v3 4.11.1.2
458   * - branches must be within the bounds of the code array
459   * - targets of all control-flow instructions are the start of an instruction
460   * - register accesses fall within range of allocated registers
461   * - (N/A) access to constant pool must be of appropriate type
462   * - code does not end in the middle of an instruction
463   * - execution cannot fall off the end of the code
464   * - (earlier) for each exception handler, the "try" area must begin and
465   *   end at the start of an instruction (end can be at the end of the code)
466   * - (earlier) for each exception handler, the handler must start at a valid
467   *   instruction
468   */
469  bool VerifyInstruction(const Instruction* inst, uint32_t code_offset);
470
471  /* Ensure that the register index is valid for this code item. */
472  bool CheckRegisterIndex(uint32_t idx);
473
474  /* Ensure that the wide register index is valid for this code item. */
475  bool CheckWideRegisterIndex(uint32_t idx);
476
477  // Perform static checks on a field Get or set instruction. All we do here is ensure that the
478  // field index is in the valid range.
479  bool CheckFieldIndex(uint32_t idx);
480
481  // Perform static checks on a method invocation instruction. All we do here is ensure that the
482  // method index is in the valid range.
483  bool CheckMethodIndex(uint32_t idx);
484
485  // Perform static checks on a "new-instance" instruction. Specifically, make sure the class
486  // reference isn't for an array class.
487  bool CheckNewInstance(uint32_t idx);
488
489  /* Ensure that the string index is in the valid range. */
490  bool CheckStringIndex(uint32_t idx);
491
492  // Perform static checks on an instruction that takes a class constant. Ensure that the class
493  // index is in the valid range.
494  bool CheckTypeIndex(uint32_t idx);
495
496  // Perform static checks on a "new-array" instruction. Specifically, make sure they aren't
497  // creating an array of arrays that causes the number of dimensions to exceed 255.
498  bool CheckNewArray(uint32_t idx);
499
500  // Verify an array data table. "cur_offset" is the offset of the fill-array-data instruction.
501  bool CheckArrayData(uint32_t cur_offset);
502
503  // Verify that the target of a branch instruction is valid. We don't expect code to jump directly
504  // into an exception handler, but it's valid to do so as long as the target isn't a
505  // "move-exception" instruction. We verify that in a later stage.
506  // The dex format forbids certain instructions from branching to themselves.
507  // Updates "insn_flags_", setting the "branch target" flag.
508  bool CheckBranchTarget(uint32_t cur_offset);
509
510  // Verify a switch table. "cur_offset" is the offset of the switch instruction.
511  // Updates "insn_flags_", setting the "branch target" flag.
512  bool CheckSwitchTargets(uint32_t cur_offset);
513
514  // Check the register indices used in a "vararg" instruction, such as invoke-virtual or
515  // filled-new-array.
516  // - vA holds word count (0-5), args[] have values.
517  // There are some tests we don't do here, e.g. we don't try to verify that invoking a method that
518  // takes a double is done with consecutive registers. This requires parsing the target method
519  // signature, which we will be doing later on during the code flow analysis.
520  bool CheckVarArgRegs(uint32_t vA, uint32_t arg[]);
521
522  // Check the register indices used in a "vararg/range" instruction, such as invoke-virtual/range
523  // or filled-new-array/range.
524  // - vA holds word count, vC holds index of first reg.
525  bool CheckVarArgRangeRegs(uint32_t vA, uint32_t vC);
526
527  // Extract the relative offset from a branch instruction.
528  // Returns "false" on failure (e.g. this isn't a branch instruction).
529  bool GetBranchOffset(uint32_t cur_offset, int32_t* pOffset, bool* pConditional,
530                       bool* selfOkay);
531
532  /* Perform detailed code-flow analysis on a single method. */
533  bool VerifyCodeFlow() SHARED_REQUIRES(Locks::mutator_lock_);
534
535  // Set the register types for the first instruction in the method based on the method signature.
536  // This has the side-effect of validating the signature.
537  bool SetTypesFromSignature() SHARED_REQUIRES(Locks::mutator_lock_);
538
539  /*
540   * Perform code flow on a method.
541   *
542   * The basic strategy is as outlined in v3 4.11.1.2: set the "changed" bit on the first
543   * instruction, process it (setting additional "changed" bits), and repeat until there are no
544   * more.
545   *
546   * v3 4.11.1.1
547   * - (N/A) operand stack is always the same size
548   * - operand stack [registers] contain the correct types of values
549   * - local variables [registers] contain the correct types of values
550   * - methods are invoked with the appropriate arguments
551   * - fields are assigned using values of appropriate types
552   * - opcodes have the correct type values in operand registers
553   * - there is never an uninitialized class instance in a local variable in code protected by an
554   *   exception handler (operand stack is okay, because the operand stack is discarded when an
555   *   exception is thrown) [can't know what's a local var w/o the debug info -- should fall out of
556   *   register typing]
557   *
558   * v3 4.11.1.2
559   * - execution cannot fall off the end of the code
560   *
561   * (We also do many of the items described in the "static checks" sections, because it's easier to
562   * do them here.)
563   *
564   * We need an array of RegType values, one per register, for every instruction. If the method uses
565   * monitor-enter, we need extra data for every register, and a stack for every "interesting"
566   * instruction. In theory this could become quite large -- up to several megabytes for a monster
567   * function.
568   *
569   * NOTE:
570   * The spec forbids backward branches when there's an uninitialized reference in a register. The
571   * idea is to prevent something like this:
572   *   loop:
573   *     move r1, r0
574   *     new-instance r0, MyClass
575   *     ...
576   *     if-eq rN, loop  // once
577   *   initialize r0
578   *
579   * This leaves us with two different instances, both allocated by the same instruction, but only
580   * one is initialized. The scheme outlined in v3 4.11.1.4 wouldn't catch this, so they work around
581   * it by preventing backward branches. We achieve identical results without restricting code
582   * reordering by specifying that you can't execute the new-instance instruction if a register
583   * contains an uninitialized instance created by that same instruction.
584   */
585  bool CodeFlowVerifyMethod() SHARED_REQUIRES(Locks::mutator_lock_);
586
587  /*
588   * Perform verification for a single instruction.
589   *
590   * This requires fully decoding the instruction to determine the effect it has on registers.
591   *
592   * Finds zero or more following instructions and sets the "changed" flag if execution at that
593   * point needs to be (re-)evaluated. Register changes are merged into "reg_types_" at the target
594   * addresses. Does not set or clear any other flags in "insn_flags_".
595   */
596  bool CodeFlowVerifyInstruction(uint32_t* start_guess)
597      SHARED_REQUIRES(Locks::mutator_lock_);
598
599  // Perform verification of a new array instruction
600  void VerifyNewArray(const Instruction* inst, bool is_filled, bool is_range)
601      SHARED_REQUIRES(Locks::mutator_lock_);
602
603  // Helper to perform verification on puts of primitive type.
604  void VerifyPrimitivePut(const RegType& target_type, const RegType& insn_type,
605                          const uint32_t vregA) SHARED_REQUIRES(Locks::mutator_lock_);
606
607  // Perform verification of an aget instruction. The destination register's type will be set to
608  // be that of component type of the array unless the array type is unknown, in which case a
609  // bottom type inferred from the type of instruction is used. is_primitive is false for an
610  // aget-object.
611  void VerifyAGet(const Instruction* inst, const RegType& insn_type,
612                  bool is_primitive) SHARED_REQUIRES(Locks::mutator_lock_);
613
614  // Perform verification of an aput instruction.
615  void VerifyAPut(const Instruction* inst, const RegType& insn_type,
616                  bool is_primitive) SHARED_REQUIRES(Locks::mutator_lock_);
617
618  // Lookup instance field and fail for resolution violations
619  ArtField* GetInstanceField(const RegType& obj_type, int field_idx)
620      SHARED_REQUIRES(Locks::mutator_lock_);
621
622  // Lookup static field and fail for resolution violations
623  ArtField* GetStaticField(int field_idx) SHARED_REQUIRES(Locks::mutator_lock_);
624
625  // Perform verification of an iget/sget/iput/sput instruction.
626  enum class FieldAccessType {  // private
627    kAccGet,
628    kAccPut
629  };
630  template <FieldAccessType kAccType>
631  void VerifyISFieldAccess(const Instruction* inst, const RegType& insn_type,
632                           bool is_primitive, bool is_static)
633      SHARED_REQUIRES(Locks::mutator_lock_);
634
635  template <FieldAccessType kAccType>
636  void VerifyQuickFieldAccess(const Instruction* inst, const RegType& insn_type, bool is_primitive)
637      SHARED_REQUIRES(Locks::mutator_lock_);
638
639  // Resolves a class based on an index and performs access checks to ensure the referrer can
640  // access the resolved class.
641  const RegType& ResolveClassAndCheckAccess(uint32_t class_idx)
642      SHARED_REQUIRES(Locks::mutator_lock_);
643
644  /*
645   * For the "move-exception" instruction at "work_insn_idx_", which must be at an exception handler
646   * address, determine the Join of all exceptions that can land here. Fails if no matching
647   * exception handler can be found or if the Join of exception types fails.
648   */
649  const RegType& GetCaughtExceptionType()
650      SHARED_REQUIRES(Locks::mutator_lock_);
651
652  /*
653   * Resolves a method based on an index and performs access checks to ensure
654   * the referrer can access the resolved method.
655   * Does not throw exceptions.
656   */
657  ArtMethod* ResolveMethodAndCheckAccess(uint32_t method_idx, MethodType method_type)
658      SHARED_REQUIRES(Locks::mutator_lock_);
659
660  /*
661   * Verify the arguments to a method. We're executing in "method", making
662   * a call to the method reference in vB.
663   *
664   * If this is a "direct" invoke, we allow calls to <init>. For calls to
665   * <init>, the first argument may be an uninitialized reference. Otherwise,
666   * calls to anything starting with '<' will be rejected, as will any
667   * uninitialized reference arguments.
668   *
669   * For non-static method calls, this will verify that the method call is
670   * appropriate for the "this" argument.
671   *
672   * The method reference is in vBBBB. The "is_range" parameter determines
673   * whether we use 0-4 "args" values or a range of registers defined by
674   * vAA and vCCCC.
675   *
676   * Widening conversions on integers and references are allowed, but
677   * narrowing conversions are not.
678   *
679   * Returns the resolved method on success, null on failure (with *failure
680   * set appropriately).
681   */
682  ArtMethod* VerifyInvocationArgs(const Instruction* inst,
683                                          MethodType method_type,
684                                          bool is_range, bool is_super)
685      SHARED_REQUIRES(Locks::mutator_lock_);
686
687  // Similar checks to the above, but on the proto. Will be used when the method cannot be
688  // resolved.
689  void VerifyInvocationArgsUnresolvedMethod(const Instruction* inst, MethodType method_type,
690                                            bool is_range)
691      SHARED_REQUIRES(Locks::mutator_lock_);
692
693  template <class T>
694  ArtMethod* VerifyInvocationArgsFromIterator(T* it, const Instruction* inst,
695                                                      MethodType method_type, bool is_range,
696                                                      ArtMethod* res_method)
697      SHARED_REQUIRES(Locks::mutator_lock_);
698
699  ArtMethod* VerifyInvokeVirtualQuickArgs(const Instruction* inst, bool is_range)
700  SHARED_REQUIRES(Locks::mutator_lock_);
701
702  /*
703   * Verify that the target instruction is not "move-exception". It's important that the only way
704   * to execute a move-exception is as the first instruction of an exception handler.
705   * Returns "true" if all is well, "false" if the target instruction is move-exception.
706   */
707  bool CheckNotMoveException(const uint16_t* insns, int insn_idx);
708
709  /*
710   * Verify that the target instruction is not "move-result". It is important that we cannot
711   * branch to move-result instructions, but we have to make this a distinct check instead of
712   * adding it to CheckNotMoveException, because it is legal to continue into "move-result"
713   * instructions - as long as the previous instruction was an invoke, which is checked elsewhere.
714   */
715  bool CheckNotMoveResult(const uint16_t* insns, int insn_idx);
716
717  /*
718   * Verify that the target instruction is not "move-result" or "move-exception". This is to
719   * be used when checking branch and switch instructions, but not instructions that can
720   * continue.
721   */
722  bool CheckNotMoveExceptionOrMoveResult(const uint16_t* insns, int insn_idx);
723
724  /*
725  * Control can transfer to "next_insn". Merge the registers from merge_line into the table at
726  * next_insn, and set the changed flag on the target address if any of the registers were changed.
727  * In the case of fall-through, update the merge line on a change as its the working line for the
728  * next instruction.
729  * Returns "false" if an error is encountered.
730  */
731  bool UpdateRegisters(uint32_t next_insn, RegisterLine* merge_line, bool update_merge_line)
732      SHARED_REQUIRES(Locks::mutator_lock_);
733
734  // Return the register type for the method.
735  const RegType& GetMethodReturnType() SHARED_REQUIRES(Locks::mutator_lock_);
736
737  // Get a type representing the declaring class of the method.
738  const RegType& GetDeclaringClass() SHARED_REQUIRES(Locks::mutator_lock_);
739
740  InstructionFlags* CurrentInsnFlags();
741
742  const RegType& DetermineCat1Constant(int32_t value, bool precise)
743      SHARED_REQUIRES(Locks::mutator_lock_);
744
745  // Try to create a register type from the given class. In case a precise type is requested, but
746  // the class is not instantiable, a soft error (of type NO_CLASS) will be enqueued and a
747  // non-precise reference will be returned.
748  // Note: we reuse NO_CLASS as this will throw an exception at runtime, when the failing class is
749  //       actually touched.
750  const RegType& FromClass(const char* descriptor, mirror::Class* klass, bool precise)
751      SHARED_REQUIRES(Locks::mutator_lock_);
752
753  // The thread we're verifying on.
754  Thread* const self_;
755
756  // Arena allocator.
757  ArenaStack arena_stack_;
758  ScopedArenaAllocator arena_;
759
760  RegTypeCache reg_types_;
761
762  PcToRegisterLineTable reg_table_;
763
764  // Storage for the register status we're currently working on.
765  ArenaUniquePtr<RegisterLine> work_line_;
766
767  // The address of the instruction we're currently working on, note that this is in 2 byte
768  // quantities
769  uint32_t work_insn_idx_;
770
771  // Storage for the register status we're saving for later.
772  ArenaUniquePtr<RegisterLine> saved_line_;
773
774  const uint32_t dex_method_idx_;  // The method we're working on.
775  // Its object representation if known.
776  ArtMethod* mirror_method_ GUARDED_BY(Locks::mutator_lock_);
777  const uint32_t method_access_flags_;  // Method's access flags.
778  const RegType* return_type_;  // Lazily computed return type of the method.
779  const DexFile* const dex_file_;  // The dex file containing the method.
780  // The dex_cache for the declaring class of the method.
781  Handle<mirror::DexCache> dex_cache_ GUARDED_BY(Locks::mutator_lock_);
782  // The class loader for the declaring class of the method.
783  Handle<mirror::ClassLoader> class_loader_ GUARDED_BY(Locks::mutator_lock_);
784  const DexFile::ClassDef* const class_def_;  // The class def of the declaring class of the method.
785  const DexFile::CodeItem* const code_item_;  // The code item containing the code for the method.
786  const RegType* declaring_class_;  // Lazily computed reg type of the method's declaring class.
787  // Instruction widths and flags, one entry per code unit.
788  // Owned, but not unique_ptr since insn_flags_ are allocated in arenas.
789  ArenaUniquePtr<InstructionFlags[]> insn_flags_;
790  // The dex PC of a FindLocksAtDexPc request, -1 otherwise.
791  uint32_t interesting_dex_pc_;
792  // The container into which FindLocksAtDexPc should write the registers containing held locks,
793  // null if we're not doing FindLocksAtDexPc.
794  std::vector<uint32_t>* monitor_enter_dex_pcs_;
795
796  // The types of any error that occurs.
797  std::vector<VerifyError> failures_;
798  // Error messages associated with failures.
799  std::vector<std::ostringstream*> failure_messages_;
800  // Is there a pending hard failure?
801  bool have_pending_hard_failure_;
802  // Is there a pending runtime throw failure? A runtime throw failure is when an instruction
803  // would fail at runtime throwing an exception. Such an instruction causes the following code
804  // to be unreachable. This is set by Fail and used to ensure we don't process unreachable
805  // instructions that would hard fail the verification.
806  // Note: this flag is reset after processing each instruction.
807  bool have_pending_runtime_throw_failure_;
808  // Is there a pending experimental failure?
809  bool have_pending_experimental_failure_;
810
811  // A version of the above that is not reset and thus captures if there were *any* throw failures.
812  bool have_any_pending_runtime_throw_failure_;
813
814  // Info message log use primarily for verifier diagnostics.
815  std::ostringstream info_messages_;
816
817  // The number of occurrences of specific opcodes.
818  size_t new_instance_count_;
819  size_t monitor_enter_count_;
820
821  // Bitset of the encountered failure types. Bits are according to the values in VerifyError.
822  uint32_t encountered_failure_types_;
823
824  const bool can_load_classes_;
825
826  // Converts soft failures to hard failures when false. Only false when the compiler isn't
827  // running and the verifier is called from the class linker.
828  const bool allow_soft_failures_;
829
830  // An optimization where instead of generating unique RegTypes for constants we use imprecise
831  // constants that cover a range of constants. This isn't good enough for deoptimization that
832  // avoids loading from registers in the case of a constant as the dex instruction set lost the
833  // notion of whether a value should be in a floating point or general purpose register file.
834  const bool need_precise_constants_;
835
836  // Indicates the method being verified contains at least one check-cast or aput-object
837  // instruction. Aput-object operations implicitly check for array-store exceptions, similar to
838  // check-cast.
839  bool has_check_casts_;
840
841  // Indicates the method being verified contains at least one invoke-virtual/range
842  // or invoke-interface/range.
843  bool has_virtual_or_interface_invokes_;
844
845  // Indicates whether we verify to dump the info. In that case we accept quickened instructions
846  // even though we might detect to be a compiler. Should only be set when running
847  // VerifyMethodAndDump.
848  const bool verify_to_dump_;
849
850  // Whether or not we call AllowThreadSuspension periodically, we want a way to disable this for
851  // thread dumping checkpoints since we may get thread suspension at an inopportune time due to
852  // FindLocksAtDexPC, resulting in deadlocks.
853  const bool allow_thread_suspension_;
854
855  // Whether the method seems to be a constructor. Note that this field exists as we can't trust
856  // the flags in the dex file. Some older code does not mark methods named "<init>" and "<clinit>"
857  // correctly.
858  //
859  // Note: this flag is only valid once Verify() has started.
860  bool is_constructor_;
861
862  // Link, for the method verifier root linked list.
863  MethodVerifier* link_;
864
865  friend class art::Thread;
866
867  // Map of dex pcs of invocations of java.lang.String.<init> to the set of other registers that
868  // contain the uninitialized this pointer to that invoke. Will contain no entry if there are
869  // no other registers.
870  SafeMap<uint32_t, std::set<uint32_t>> string_init_pc_reg_map_;
871
872  DISALLOW_COPY_AND_ASSIGN(MethodVerifier);
873};
874std::ostream& operator<<(std::ostream& os, const MethodVerifier::FailureKind& rhs);
875
876}  // namespace verifier
877}  // namespace art
878
879#endif  // ART_RUNTIME_VERIFIER_METHOD_VERIFIER_H_
880