changeset 9884:06da8d1995bd

8042660: vm/mlvm/anonloader/stress/byteMutation failed with: assert(index >=0 && index < _length) failed: symbol index overflow Summary: Detect zero length signatures and throw ClassFormatError before bad dereference occurs Reviewed-by: coleenp, lfoltan, acorn, gtriantafill
author hseigel
date Wed, 23 Dec 2015 13:02:15 -0500
parents 903a2e023ffb
children 10a04de22194
files src/share/vm/classfile/classFileParser.cpp test/runtime/classFileParserBug/BadNameAndType.java test/runtime/classFileParserBug/emptyNameUtf8.jcod test/runtime/classFileParserBug/emptySigUtf8.jcod
diffstat 4 files changed, 329 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/vm/classfile/classFileParser.cpp	Wed Dec 23 13:12:15 2015 +0300
+++ b/src/share/vm/classfile/classFileParser.cpp	Wed Dec 23 13:02:15 2015 -0500
@@ -567,6 +567,9 @@
           const int name_index = cp->name_ref_index_at(index);
           const Symbol* const name = cp->symbol_at(name_index);
           const Symbol* const sig = cp->symbol_at(sig_index);
+          guarantee_property(sig->utf8_length() != 0,
+            "Illegal zero length constant pool entry at %d in class %s",
+            sig_index, CHECK);
           if (sig->byte_at(0) == JVM_SIGNATURE_FUNC) {
             verify_legal_method_signature(name, sig, CHECK);
           } else {
@@ -593,8 +596,9 @@
           verify_legal_field_name(name, CHECK);
           if (_need_verify && _major_version >= JAVA_7_VERSION) {
             // Signature is verified above, when iterating NameAndType_info.
-            // Need only to be sure it's the right type.
-            if (signature->byte_at(0) == JVM_SIGNATURE_FUNC) {
+            // Need only to be sure it's non-zero length and the right type.
+            if (signature->utf8_length() == 0 ||
+                signature->byte_at(0) == JVM_SIGNATURE_FUNC) {
               throwIllegalSignature(
                 "Field", name, signature, CHECK);
             }
@@ -605,8 +609,9 @@
           verify_legal_method_name(name, CHECK);
           if (_need_verify && _major_version >= JAVA_7_VERSION) {
             // Signature is verified above, when iterating NameAndType_info.
-            // Need only to be sure it's the right type.
-            if (signature->byte_at(0) != JVM_SIGNATURE_FUNC) {
+            // Need only to be sure it's non-zero length and the right type.
+            if (signature->utf8_length() == 0 ||
+                signature->byte_at(0) != JVM_SIGNATURE_FUNC) {
               throwIllegalSignature(
                 "Method", name, signature, CHECK);
             }
@@ -617,8 +622,7 @@
             // 4509014: If a class method name begins with '<', it must be "<init>".
             assert(name != NULL, "method name in constant pool is null");
             const unsigned int name_len = name->utf8_length();
-            assert(name_len > 0, "bad method name");  // already verified as legal name
-            if (name->byte_at(0) == '<') {
+            if (name_len != 0 && name->byte_at(0) == '<') {
               if (name != vmSymbols::object_initializer_name()) {
                 classfile_parse_error(
                   "Bad method name at constant pool index %u in class file %s",
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/runtime/classFileParserBug/BadNameAndType.java	Wed Dec 23 13:02:15 2015 -0500
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+/*
+ * @test
+ * @bug 8042660
+ * @summary Constant pool NameAndType entries must point to non-zero length Utf8 strings
+ * @compile emptySigUtf8.jcod
+ * @compile emptyNameUtf8.jcod
+ * @run main/othervm -Xverify:all BadNameAndType
+ */
+
+// Test that a constant pool NameAndType descriptor_index and/or name_index
+// that points to a zero length Utf8 string causes a ClassFormatError.
+public class BadNameAndType {
+    public static void main(String args[]) throws Throwable {
+
+        System.out.println("Regression test for bug 8042660");
+
+        // Test descriptor_index pointing to zero-length string.
+        try {
+            Class newClass = Class.forName("emptySigUtf8");
+            throw new RuntimeException("Expected ClassFormatError exception not thrown");
+        } catch (java.lang.ClassFormatError e) {
+            System.out.println("Test BadNameAndType passed test case emptySigUtf8");
+        }
+
+        // Test name_index pointing to zero-length string.
+        try {
+            Class newClass = Class.forName("emptyNameUtf8");
+            throw new RuntimeException("Expected ClassFormatError exception not thrown");
+        } catch (java.lang.ClassFormatError e) {
+            System.out.println("Test BadNameAndType passed test case emptyNameUtf8");
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/runtime/classFileParserBug/emptyNameUtf8.jcod	Wed Dec 23 13:02:15 2015 -0500
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+// This class has an illegal NameAndType at constant pool #4.  It's illegal because
+// the Utf8 that it points to at #27 is a zero length string which is not a valid
+// name.  Loading this class should cause a ClassFormatError exception.
+class emptyNameUtf8 {
+  0xCAFEBABE;
+  0; // minor version
+  52; // version
+  [29] { // Constant Pool
+    ; // first element is empty
+    Method #6 #15; // #1     at 0x0A
+    Field #16 #17; // #2     at 0x0F
+    String #18; // #3     at 0x14
+    NameAndType #27 #28; // #4     at 0x9F
+    class #21; // #5     at 0x1C
+    class #22; // #6     at 0x1F
+    Utf8 "<init>"; // #7     at 0x22
+    Utf8 "()V"; // #8     at 0x2B
+    Utf8 "Code"; // #9     at 0x2E
+    Utf8 "LineNumberTable"; // #10     at 0x35
+    Utf8 "main"; // #11     at 0x47
+    Utf8 "([Ljava/lang/String;)V"; // #12     at 0x4E
+    Utf8 "SourceFile"; // #13     at 0x67
+    Utf8 "emptyNameUtf8.java"; // #14     at 0x74
+    NameAndType #7 #8; // #15     at 0x81
+    class #23; // #16     at 0x86
+    NameAndType #24 #25; // #17     at 0x89
+    Utf8 "Hello World"; // #18     at 0x8E
+    class #26; // #19     at 0x9C
+    Method #19 #4; // #20     at 0x17
+    Utf8 "emptyNameUtf8"; // #21     at 0xA4
+    Utf8 "java/lang/Object"; // #22     at 0xAC
+    Utf8 "java/lang/System"; // #23     at 0xBF
+    Utf8 "out"; // #24     at 0xD2
+    Utf8 "Ljava/io/PrintStream;"; // #25     at 0xD8
+    Utf8 "java/io/PrintStream"; // #26     at 0xF0
+    Utf8 ""; // #27     at 0x0106
+    Utf8 "()V"; // #28     at 0x0110
+  } // Constant Pool
+
+  0x0021; // access
+  #5;// this_cpx
+  #6;// super_cpx
+
+  [0] { // Interfaces
+  } // Interfaces
+
+  [0] { // fields
+  } // fields
+
+  [2] { // methods
+    { // Member at 0x0134
+      0x0001; // access
+      #7; // name_cpx
+      #8; // sig_cpx
+      [1] { // Attributes
+        Attr(#9, 29) { // Code at 0x013C
+          1; // max_stack
+          1; // max_locals
+          Bytes[5]{
+            0x2AB70001B1;
+          };
+          [0] { // Traps
+          } // end Traps
+          [1] { // Attributes
+            Attr(#10, 6) { // LineNumberTable at 0x0153
+              [1] { // LineNumberTable
+                0  2; //  at 0x015F
+              }
+            } // end LineNumberTable
+          } // Attributes
+        } // end Code
+      } // Attributes
+    } // Member
+    ;
+    { // Member at 0x015F
+      0x0009; // access
+      #11; // name_cpx
+      #12; // sig_cpx
+      [1] { // Attributes
+        Attr(#9, 37) { // Code at 0x0167
+          2; // max_stack
+          1; // max_locals
+          Bytes[9]{
+            0xB200021203B60004;
+            0xB1;
+          };
+          [0] { // Traps
+          } // end Traps
+          [1] { // Attributes
+            Attr(#10, 10) { // LineNumberTable at 0x0182
+              [2] { // LineNumberTable
+                0  4; //  at 0x018E
+                8  5; //  at 0x0192
+              }
+            } // end LineNumberTable
+          } // Attributes
+        } // end Code
+      } // Attributes
+    } // Member
+  } // methods
+
+  [1] { // Attributes
+    Attr(#13, 2) { // SourceFile at 0x0194
+      #14;
+    } // end SourceFile
+  } // Attributes
+} // end class emptyNameUtf8
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/runtime/classFileParserBug/emptySigUtf8.jcod	Wed Dec 23 13:02:15 2015 -0500
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+// This class has an illegal NameAndType at constant pool #4.  It's illegal because
+// the type that it points to at #28 is a zero length Utf8 string which is not a
+// valid signature.  Loading this class should cause a ClassFormatError exception.
+class emptySigUtf8 {
+  0xCAFEBABE;
+  0; // minor version
+  52; // version
+  [29] { // Constant Pool
+    ; // first element is empty
+    Method #6 #15; // #1     at 0x0A
+    Field #16 #17; // #2     at 0x0F
+    String #18; // #3     at 0x14
+    NameAndType #27 #28; // #4     at 0x9F
+    class #21; // #5     at 0x1C
+    class #22; // #6     at 0x1F
+    Utf8 "<init>"; // #7     at 0x22
+    Utf8 "()V"; // #8     at 0x2B
+    Utf8 "Code"; // #9     at 0x2E
+    Utf8 "LineNumberTable"; // #10     at 0x35
+    Utf8 "main"; // #11     at 0x47
+    Utf8 "([Ljava/lang/String;)V"; // #12     at 0x4E
+    Utf8 "SourceFile"; // #13     at 0x67
+    Utf8 "emptySigUtf8.java"; // #14     at 0x74
+    NameAndType #7 #8; // #15     at 0x81
+    class #23; // #16     at 0x86
+    NameAndType #24 #25; // #17     at 0x89
+    Utf8 "Hello World"; // #18     at 0x8E
+    class #26; // #19     at 0x9C
+    Method #19 #4; // #20     at 0x17
+    Utf8 "emptySigUtf8"; // #21     at 0xA4
+    Utf8 "java/lang/Object"; // #22     at 0xAC
+    Utf8 "java/lang/System"; // #23     at 0xBF
+    Utf8 "out"; // #24     at 0xD2
+    Utf8 "Ljava/io/PrintStream;"; // #25     at 0xD8
+    Utf8 "java/io/PrintStream"; // #26     at 0xF0
+    Utf8 "hi"; // #27     at 0x0106
+    Utf8 ""; // #28     at 0x0110
+  } // Constant Pool
+
+  0x0021; // access
+  #5;// this_cpx
+  #6;// super_cpx
+
+  [0] { // Interfaces
+  } // Interfaces
+
+  [0] { // fields
+  } // fields
+
+  [2] { // methods
+    { // Member at 0x0134
+      0x0001; // access
+      #7; // name_cpx
+      #8; // sig_cpx
+      [1] { // Attributes
+        Attr(#9, 29) { // Code at 0x013C
+          1; // max_stack
+          1; // max_locals
+          Bytes[5]{
+            0x2AB70001B1;
+          };
+          [0] { // Traps
+          } // end Traps
+          [1] { // Attributes
+            Attr(#10, 6) { // LineNumberTable at 0x0153
+              [1] { // LineNumberTable
+                0  2; //  at 0x015F
+              }
+            } // end LineNumberTable
+          } // Attributes
+        } // end Code
+      } // Attributes
+    } // Member
+    ;
+    { // Member at 0x015F
+      0x0009; // access
+      #11; // name_cpx
+      #12; // sig_cpx
+      [1] { // Attributes
+        Attr(#9, 37) { // Code at 0x0167
+          2; // max_stack
+          1; // max_locals
+          Bytes[9]{
+            0xB200021203B60004;
+            0xB1;
+          };
+          [0] { // Traps
+          } // end Traps
+          [1] { // Attributes
+            Attr(#10, 10) { // LineNumberTable at 0x0182
+              [2] { // LineNumberTable
+                0  4; //  at 0x018E
+                8  5; //  at 0x0192
+              }
+            } // end LineNumberTable
+          } // Attributes
+        } // end Code
+      } // Attributes
+    } // Member
+  } // methods
+
+  [1] { // Attributes
+    Attr(#13, 2) { // SourceFile at 0x0194
+      #14;
+    } // end SourceFile
+  } // Attributes
+} // end class emptySigUtf8