From eb9d1f79a79e3235f25889a25cdba465a7a0f7bf Mon Sep 17 00:00:00 2001
From: Andreas Gampe
Date: Fri, 14 Aug 2015 14:07:43 -0700
Subject: ART: Relax verifier aput checking

When checking on a null array, the cases of aput and aput-wide are shared between integral and floating point types. Be careful to not reject a valid program.

Bug: 21867457
Bug: 23201502

(cherry picked from commit 4bf4c78a6e8b7da7cf306e1dd17ff5a55d0c6c98)

Change-Id: I6c54a389c06e40a2dae00995aa16ff08a089e512
---
 runtime/verifier/method_verifier.cc   | 19 ++++++++++++++++++-
 test/800-smali/expected.txt           |  2 ++
 test/800-smali/smali/b_23201502.smali | 23 +++++++++++++++++++++++
 test/800-smali/src/Main.java          |  4 ++++
 4 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 test/800-smali/smali/b_23201502.smali

diff --git a/runtime/verifier/method_verifier.cc b/runtime/verifier/method_verifier.cc
index 015e9082b9..df9a6da22d 100644
--- a/runtime/verifier/method_verifier.cc
+++ b/runtime/verifier/method_verifier.cc
@@ -3828,7 +3828,24 @@ void MethodVerifier::VerifyAPut(const Instruction* inst,
   if (array_type.IsZero()) {
     // Null array type; this code path will fail at runtime.
     // Still check that the given value matches the instruction's type.
-    work_line_->VerifyRegisterType(this, inst->VRegA_23x(), insn_type);
+    // Note: this is, as usual, complicated by the fact the the instruction isn't fully typed
+    // and fits multiple register types.
+    const RegType* modified_reg_type = &insn_type;
+    if ((modified_reg_type == ®_types_.Integer()) ||
+        (modified_reg_type == ®_types_.LongLo())) {
+      // May be integer or float | long or double. Overwrite insn_type accordingly.
+      const RegType& value_type = work_line_->GetRegisterType(this, inst->VRegA_23x());
+      if (modified_reg_type == ®_types_.Integer()) {
+        if (&value_type == ®_types_.Float()) {
+          modified_reg_type = &value_type;
+        }
+      } else {
+        if (&value_type == ®_types_.DoubleLo()) {
+          modified_reg_type = &value_type;
+        }
+      }
+    }
+    work_line_->VerifyRegisterType(this, inst->VRegA_23x(), *modified_reg_type);
   } else if (!array_type.IsArrayTypes()) {
     Fail(VERIFY_ERROR_BAD_CLASS_HARD) << "not array type " << array_type << " with aput";
   } else {
diff --git a/test/800-smali/expected.txt b/test/800-smali/expected.txt
index ebcaad147d..49f5e6c045 100644
--- a/test/800-smali/expected.txt
+++ b/test/800-smali/expected.txt
@@ -29,4 +29,6 @@ b/22331663 (pass)
 b/22331663 (fail)
 b/22881413
 b/20843113
+b/23201502 (float)
+b/23201502 (double)
 Done!
diff --git a/test/800-smali/smali/b_23201502.smali b/test/800-smali/smali/b_23201502.smali
new file mode 100644
index 0000000000..d958938abf
--- /dev/null
+++ b/test/800-smali/smali/b_23201502.smali
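Review bot: The added `// May be integer or float | long or double. Overwrite insn_type accordingly.` comment misdescribes the code: `insn_type` is never written, only the local `modified_reg_type` is rebound, and the preceding `// Note:` line has a doubled "the the". Suggest `// May be integer or float | long or double. Widen modified_reg_type accordingly; this leniency is confined to the null-array branch, where the store always throws at runtime, so the strict check on the non-null path below is unaffected.` The `} else { if (&value_type == &reg_types_.DoubleLo()) {` nesting can be flattened to `} else if (&value_type == &reg_types_.DoubleLo()) {`, so the two symmetric cases read as one dispatch. On this page `®_types_` appears to be an extraction artifact of `&reg_types_`. VerifyAPut begins before and ends after this hunk.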
@@ -0,0 +1,23 @@
+.class public LB23201502;
+
+.super Ljava/lang/Object;
+
+.method public static runFloat()V
+  .registers 3
+  const v0, 0 # Null array.
+  const v1, 0 # 0 index into array.
+  const v2, 0 # 0 value, will be turned into float.
+  int-to-float v2, v2 # Definitely make v2 float.
+  aput v2 , v0, v1 # Put into null array.
+  return-void
+.end method
+
+.method public static runDouble()V
+  .registers 4
+  const v0, 0 # Null array.
+  const v1, 0 # 0 index into array.
+  const v2, 0 # 0 value, will be turned into double.
+  int-to-double v2, v2 # Definitely make v2+v3 double.
+  aput-wide v2 , v0, v1 # Put into null array.
+  return-void
+.end method
diff --git a/test/800-smali/src/Main.java b/test/800-smali/src/Main.java
index e487374026..1b954a78b4 100644
--- a/test/800-smali/src/Main.java
+++ b/test/800-smali/src/Main.java
@@ -103,6 +103,10 @@ public class Main {
                 new Object[] { false }, new VerifyError(), null));
         testCases.add(new TestCase("b/22881413", "B22881413", "run", null, null, null));
         testCases.add(new TestCase("b/20843113", "B20843113", "run", null, null, null));
+        testCases.add(new TestCase("b/23201502 (float)", "B23201502", "runFloat", null,
+                new NullPointerException(), null));
+        testCases.add(new TestCase("b/23201502 (double)", "B23201502", "runDouble", null,
+                new NullPointerException(), null));
     }
 
     public void runTests() {
-- 
cgit v1.2.3
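Review bot: Both new methods exercise only the accepting side of the relaxed check (a float or double register stored through a null array, expected to reach NullPointerException); nothing in this commit asserts that the strict path is still enforced, for example that `aput` of a float register into a non-null `int[]` is still rejected. Since the verifier change widens what is accepted, a companion method here, registered in the Main.java hunk below with a `new VerifyError()` expectation like the existing `b/22331663 (fail)` entry, would guard against the leniency later leaking past the null-array branch. The two registration lines added to Main.java are otherwise consistent with the neighbouring entries.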