diff options
| -rw-r--r-- | compiler/optimizing/instruction_builder.cc | 5 | ||||
| -rw-r--r-- | runtime/verifier/method_verifier.cc | 35 | ||||
| -rw-r--r-- | test/600-verifier-fails/expected.txt | 1 | ||||
| -rw-r--r-- | test/600-verifier-fails/info.txt | 20 | ||||
| -rw-r--r-- | test/600-verifier-fails/smali/iget.smali | 25 | ||||
| -rw-r--r-- | test/600-verifier-fails/src/Main.java | 3 |
6 files changed, 63 insertions, 26 deletions
diff --git a/compiler/optimizing/instruction_builder.cc b/compiler/optimizing/instruction_builder.cc index 5e691c7f5f..135038b753 100644 --- a/compiler/optimizing/instruction_builder.cc +++ b/compiler/optimizing/instruction_builder.cc @@ -381,10 +381,11 @@ HInstruction* HInstructionBuilder::LoadLocal(uint32_t reg_number, Primitive::Typ // If the operation requests a specific type, we make sure its input is of that type. if (type != value->GetType()) { if (Primitive::IsFloatingPointType(type)) { - return ssa_builder_->GetFloatOrDoubleEquivalent(value, type); + value = ssa_builder_->GetFloatOrDoubleEquivalent(value, type); } else if (type == Primitive::kPrimNot) { - return ssa_builder_->GetReferenceTypeEquivalent(value); + value = ssa_builder_->GetReferenceTypeEquivalent(value); } + DCHECK(value != nullptr); } return value; diff --git a/runtime/verifier/method_verifier.cc b/runtime/verifier/method_verifier.cc index 8ad79fb572..f2ae85a143 100644 --- a/runtime/verifier/method_verifier.cc +++ b/runtime/verifier/method_verifier.cc @@ -4528,7 +4528,7 @@ ArtField* MethodVerifier::GetStaticField(int field_idx) { ArtField* MethodVerifier::GetInstanceField(const RegType& obj_type, int field_idx) { const DexFile::FieldId& field_id = dex_file_->GetFieldId(field_idx); - // Check access to class + // Check access to class. const RegType& klass_type = ResolveClassAndCheckAccess(field_id.class_idx_); if (klass_type.IsConflict()) { AppendToLastFailMessage(StringPrintf(" in attempt to access instance field %d (%s) in %s", @@ -4549,20 +4549,11 @@ ArtField* MethodVerifier::GetInstanceField(const RegType& obj_type, int field_id DCHECK(self_->IsExceptionPending()); self_->ClearException(); return nullptr; - } else if (!GetDeclaringClass().CanAccessMember(field->GetDeclaringClass(), - field->GetAccessFlags())) { - Fail(VERIFY_ERROR_ACCESS_FIELD) << "cannot access instance field " << PrettyField(field) - << " from " << GetDeclaringClass(); - return nullptr; - } else if (field->IsStatic()) { - Fail(VERIFY_ERROR_CLASS_CHANGE) << "expected field " << PrettyField(field) - << " to not be static"; - return nullptr; } else if (obj_type.IsZero()) { - // Cannot infer and check type, however, access will cause null pointer exception - return field; + // Cannot infer and check type, however, access will cause null pointer exception. + // Fall through into a few last soft failure checks below. } else if (!obj_type.IsReferenceTypes()) { - // Trying to read a field from something that isn't a reference + // Trying to read a field from something that isn't a reference. Fail(VERIFY_ERROR_BAD_CLASS_HARD) << "instance field access on object that has " << "non-reference type " << obj_type; return nullptr; @@ -4584,7 +4575,6 @@ ArtField* MethodVerifier::GetInstanceField(const RegType& obj_type, int field_id << " of " << PrettyMethod(dex_method_idx_, *dex_file_); return nullptr; } - return field; } else if (!field_klass.IsAssignableFrom(obj_type)) { // Trying to access C1.field1 using reference of type C2, which is neither C1 or a sub-class // of C1. For resolution to occur the declared class of the field must be compatible with @@ -4602,10 +4592,22 @@ ArtField* MethodVerifier::GetInstanceField(const RegType& obj_type, int field_id Fail(type) << "cannot access instance field " << PrettyField(field) << " from object of type " << obj_type; return nullptr; - } else { - return field; } } + + // Few last soft failure checks. + if (!GetDeclaringClass().CanAccessMember(field->GetDeclaringClass(), + field->GetAccessFlags())) { + Fail(VERIFY_ERROR_ACCESS_FIELD) << "cannot access instance field " << PrettyField(field) + << " from " << GetDeclaringClass(); + return nullptr; + } else if (field->IsStatic()) { + Fail(VERIFY_ERROR_CLASS_CHANGE) << "expected field " << PrettyField(field) + << " to not be static"; + return nullptr; + } + + return field; } template <MethodVerifier::FieldAccessType kAccType> @@ -4928,6 +4930,7 @@ bool MethodVerifier::UpdateRegisters(uint32_t next_insn, RegisterLine* merge_lin // Initialize them as conflicts so they don't add to GC and deoptimization information. const Instruction* ret_inst = Instruction::At(code_item_->insns_ + next_insn); AdjustReturnLine(this, ret_inst, target_line); + // Directly bail if a hard failure was found. if (have_pending_hard_failure_) { return false; } diff --git a/test/600-verifier-fails/expected.txt b/test/600-verifier-fails/expected.txt index 010f1b74b2..8399969a2d 100644 --- a/test/600-verifier-fails/expected.txt +++ b/test/600-verifier-fails/expected.txt @@ -1,3 +1,4 @@ passed A passed B passed C +passed D diff --git a/test/600-verifier-fails/info.txt b/test/600-verifier-fails/info.txt index 677b4775d5..f77de05ac7 100644 --- a/test/600-verifier-fails/info.txt +++ b/test/600-verifier-fails/info.txt @@ -1,14 +1,18 @@ The situations in these tests were discovered by running the mutating dexfuzz on the DEX files of fuzzingly random generated Java test. -(1) b/28908555: - soft verification fail (on the final field modification) should - not hide the hard verification fail (on the type mismatch) to +(A) b/28908555: + soft verification failure (on the final field modification) should + not hide the hard verification failure (on the type mismatch) to avoid compiler crash later on -(2) b/29070461: - hard failure (not calling super in constructor) should bail - immediately and not allow soft fails to pile up behind it to - avoid fatal message later on -(3) b/29068831: +(B) b/29070461: + hard verification failure (not calling super in constructor) should + bail immediately and not allow soft verification failures to pile up + behind it to avoid fatal message later on +(C) b/29068831: access validation should occur prior to null reference check +(D) b/29126870: + soft verification failure (cannot access) should not hide the hard + verification failure (non-reference type) to avoid a compiler crash + later on diff --git a/test/600-verifier-fails/smali/iget.smali b/test/600-verifier-fails/smali/iget.smali new file mode 100644 index 0000000000..5c045e6b76 --- /dev/null +++ b/test/600-verifier-fails/smali/iget.smali @@ -0,0 +1,25 @@ +# +# Copyright (C) 2016 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.class public LD; +.super Ljava/lang/Object; + +.method public constructor <init>()V + .registers 2 + invoke-direct {v1}, Ljava/lang/Object;-><init>()V + const v0, 2 + iget v1, v0, LMain;->privateField:I + return-void +.end method diff --git a/test/600-verifier-fails/src/Main.java b/test/600-verifier-fails/src/Main.java index 0a8c5a179d..a6a07fda79 100644 --- a/test/600-verifier-fails/src/Main.java +++ b/test/600-verifier-fails/src/Main.java @@ -20,6 +20,8 @@ public class Main { private static String staticPrivateField = null; + private int privateField = 0; + private static void test(String name) throws Exception { try { Class<?> a = Class.forName(name); @@ -33,5 +35,6 @@ public class Main { test("A"); test("B"); test("C"); + test("D"); } } |