13606 – need extra runtime verification of compiled code

Bug 13606 - need extra runtime verification of compiled code

Summary: need extra runtime verification of compiled code

Status:	RESOLVED FIXED

Alias:	None

Product:	gcc
Classification:	Unclassified
Component:	libgcj (show other bugs)
Version:	unknown

Importance:	P2 normal
Target Milestone:	4.0.0
Assignee:	Andrew Haley

URL:
Keywords:

Depends on:
Blocks:	13603 12725
	Show dependency tree / graph

Reported:	2004-01-07 19:07 UTC by Tom Tromey
Modified:	2004-12-01 03:12 UTC (History)
CC List:	2 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:	2004-01-07 19:09:13

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tom Tromey 2004-01-07 19:07:08 UTC

With the new binary compatibility ABI, it is possible for
compiled code to be loaded into an environment where dependent
classes are different from the classes visible to the compiler
at bytecode verification time.

This can be used to circumvent type safety in some situations.

One potential fix is for the compiler to emit "verifier assertions"
that must be checked at runtime.  For example these could be checked
at class preparation time.

It isn't completely clear what assertions will need checking.
It might suffice to check extends/implements requirements
implied by the bytecode (and checked by the verifier).

It could also be worthwhile to look at the JSR relating to
"split verification".  I haven't done this yet due to the strange
license on this JSR.  Beware of this before downloading.

Comment 1 Andrew Pinski 2004-01-07 19:09:13 UTC

Confirmed.

Comment 2 Tom Tromey 2004-03-18 22:50:49 UTC

FYI, I managed to find a slide show about "split verification" that
isn't under an obnoxious license.  Split verification is basically a 
proposal for having the compiler emit type maps into the generated bytecode,
so that the runtime verifier can do much less work to verify bytecode.

So, this isn't exactly what we need.  Instead we need something that
accepts many constructs at verification time (e.g., always return true
when asked if "is method X in class Y" or "does class X implement
interface Y"), then builds a list of such assertions to be checked
when the resulting object file is linked at runtime.

Comment 3 Andrew Haley 2004-05-06 16:04:30 UTC

At present, the compiler on the gcj-abi-2-dev-branch output warning messages
when it fails to find types that it needs to check for compatibility.  

We need to change this so that type compatibility checks are output into the
<init> section of the file.

Comment 4 Andrew Haley 2004-05-12 19:29:09 UTC

We also need to make sure that a class isn't overriding a final methos somewhere
in the superclass chain.

Comment 5 Tom Tromey 2004-08-10 21:09:56 UTC

If a class fails a static assertion (e.g., stack overflow in a method),
gcj should not fail outright.  Instead it should continue to generate
code which throws a verification failure at the appropriate time.
At least, this is what we want for gcj-jit.  Otherwise, if gcj does
exit with a failure, we will just fall back on the bytecode and
uselessly verify it a second time.

This can easily be done by adding an always-fail assertion to the 
assertion table.  Either a special assert(0), or just assert something
that can't be true, like "Object extends String"

Comment 6 Andrew Haley 2004-09-02 13:27:02 UTC

Type assertions are noe generated and checked.

However, the format for encoding these assertions isn't at all compact.

Comment 7 Andrew Haley 2004-10-20 15:59:40 UTC

Job done.

Comment 8 Andrew Pinski 2004-12-01 03:12:13 UTC

Fixed on the mainline by merge of the BC branch.