From 0dea742a3c74ad5a06a92e1415a6b89fb623ec4b Mon Sep 17 00:00:00 2001 From: poonam Date: Tue, 12 Jul 2016 22:31:57 +0000 Subject: [PATCH] 8042660: vm/mlvm/anonloader/stress/byteMutation failed with: assert(index >=0 && index < _length) failed: symbol index overflow Summary: Detect zero length signatures and throw ClassFormatError before bad dereference occurs Reviewed-by: hseigel --- src/share/vm/classfile/classFileParser.cpp | 16 ++- .../classFileParserBug/BadNameAndType.java | 57 ++++++++ .../classFileParserBug/emptyNameUtf8.jcod | 131 ++++++++++++++++++ .../classFileParserBug/emptySigUtf8.jcod | 131 ++++++++++++++++++ 4 files changed, 329 insertions(+), 6 deletions(-) create mode 100644 test/runtime/classFileParserBug/BadNameAndType.java create mode 100644 test/runtime/classFileParserBug/emptyNameUtf8.jcod create mode 100644 test/runtime/classFileParserBug/emptySigUtf8.jcod diff --git a/src/share/vm/classfile/classFileParser.cpp b/src/share/vm/classfile/classFileParser.cpp index e2a64cd76..9e39ac94d 100644 --- a/src/share/vm/classfile/classFileParser.cpp +++ b/src/share/vm/classfile/classFileParser.cpp @@ -537,6 +537,9 @@ constantPoolHandle ClassFileParser::parse_constant_pool(TRAPS) { int name_index = cp->name_ref_index_at(index); Symbol* name = cp->symbol_at(name_index); Symbol* sig = cp->symbol_at(sig_index); + guarantee_property(sig->utf8_length() != 0, + "Illegal zero length constant pool entry at %d in class %s", + sig_index, CHECK_(nullHandle)); if (sig->byte_at(0) == JVM_SIGNATURE_FUNC) { verify_legal_method_signature(name, sig, CHECK_(nullHandle)); } else { @@ -560,8 +563,9 @@ constantPoolHandle ClassFileParser::parse_constant_pool(TRAPS) { verify_legal_field_name(name, CHECK_(nullHandle)); if (_need_verify && _major_version >= JAVA_7_VERSION) { // Signature is verified above, when iterating NameAndType_info. - // Need only to be sure it's the right type. - if (signature->byte_at(0) == JVM_SIGNATURE_FUNC) { + // Need only to be sure it's non-zero length and the right type. + if (signature->utf8_length() == 0 || + signature->byte_at(0) == JVM_SIGNATURE_FUNC) { throwIllegalSignature( "Field", name, signature, CHECK_(nullHandle)); } @@ -572,8 +576,9 @@ constantPoolHandle ClassFileParser::parse_constant_pool(TRAPS) { verify_legal_method_name(name, CHECK_(nullHandle)); if (_need_verify && _major_version >= JAVA_7_VERSION) { // Signature is verified above, when iterating NameAndType_info. - // Need only to be sure it's the right type. - if (signature->byte_at(0) != JVM_SIGNATURE_FUNC) { + // Need only to be sure it's non-zero length and the right type. + if (signature->utf8_length() == 0 || + signature->byte_at(0) != JVM_SIGNATURE_FUNC) { throwIllegalSignature( "Method", name, signature, CHECK_(nullHandle)); } @@ -584,8 +589,7 @@ constantPoolHandle ClassFileParser::parse_constant_pool(TRAPS) { // 4509014: If a class method name begins with '<', it must be "". assert(name != NULL, "method name in constant pool is null"); unsigned int name_len = name->utf8_length(); - assert(name_len > 0, "bad method name"); // already verified as legal name - if (name->byte_at(0) == '<') { + if (name_len != 0 && name->byte_at(0) == '<') { if (name != vmSymbols::object_initializer_name()) { classfile_parse_error( "Bad method name at constant pool index %u in class file %s", diff --git a/test/runtime/classFileParserBug/BadNameAndType.java b/test/runtime/classFileParserBug/BadNameAndType.java new file mode 100644 index 000000000..a8135cb65 --- /dev/null +++ b/test/runtime/classFileParserBug/BadNameAndType.java @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + * + */ + +/* + * @test + * @bug 8042660 + * @summary Constant pool NameAndType entries must point to non-zero length Utf8 strings + * @compile emptySigUtf8.jcod + * @compile emptyNameUtf8.jcod + * @run main/othervm -Xverify:all BadNameAndType + */ + +// Test that a constant pool NameAndType descriptor_index and/or name_index +// that points to a zero length Utf8 string causes a ClassFormatError. +public class BadNameAndType { + public static void main(String args[]) throws Throwable { + + System.out.println("Regression test for bug 8042660"); + + // Test descriptor_index pointing to zero-length string. + try { + Class newClass = Class.forName("emptySigUtf8"); + throw new RuntimeException("Expected ClassFormatError exception not thrown"); + } catch (java.lang.ClassFormatError e) { + System.out.println("Test BadNameAndType passed test case emptySigUtf8"); + } + + // Test name_index pointing to zero-length string. + try { + Class newClass = Class.forName("emptyNameUtf8"); + throw new RuntimeException("Expected ClassFormatError exception not thrown"); + } catch (java.lang.ClassFormatError e) { + System.out.println("Test BadNameAndType passed test case emptyNameUtf8"); + } + } +} diff --git a/test/runtime/classFileParserBug/emptyNameUtf8.jcod b/test/runtime/classFileParserBug/emptyNameUtf8.jcod new file mode 100644 index 000000000..1e96aac0a --- /dev/null +++ b/test/runtime/classFileParserBug/emptyNameUtf8.jcod @@ -0,0 +1,131 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + * + */ + +// This class has an illegal NameAndType at constant pool #4. It's illegal because +// the Utf8 that it points to at #27 is a zero length string which is not a valid +// name. Loading this class should cause a ClassFormatError exception. +class emptyNameUtf8 { + 0xCAFEBABE; + 0; // minor version + 52; // version + [29] { // Constant Pool + ; // first element is empty + Method #6 #15; // #1 at 0x0A + Field #16 #17; // #2 at 0x0F + String #18; // #3 at 0x14 + NameAndType #27 #28; // #4 at 0x9F + class #21; // #5 at 0x1C + class #22; // #6 at 0x1F + Utf8 ""; // #7 at 0x22 + Utf8 "()V"; // #8 at 0x2B + Utf8 "Code"; // #9 at 0x2E + Utf8 "LineNumberTable"; // #10 at 0x35 + Utf8 "main"; // #11 at 0x47 + Utf8 "([Ljava/lang/String;)V"; // #12 at 0x4E + Utf8 "SourceFile"; // #13 at 0x67 + Utf8 "emptyNameUtf8.java"; // #14 at 0x74 + NameAndType #7 #8; // #15 at 0x81 + class #23; // #16 at 0x86 + NameAndType #24 #25; // #17 at 0x89 + Utf8 "Hello World"; // #18 at 0x8E + class #26; // #19 at 0x9C + Method #19 #4; // #20 at 0x17 + Utf8 "emptyNameUtf8"; // #21 at 0xA4 + Utf8 "java/lang/Object"; // #22 at 0xAC + Utf8 "java/lang/System"; // #23 at 0xBF + Utf8 "out"; // #24 at 0xD2 + Utf8 "Ljava/io/PrintStream;"; // #25 at 0xD8 + Utf8 "java/io/PrintStream"; // #26 at 0xF0 + Utf8 ""; // #27 at 0x0106 + Utf8 "()V"; // #28 at 0x0110 + } // Constant Pool + + 0x0021; // access + #5;// this_cpx + #6;// super_cpx + + [0] { // Interfaces + } // Interfaces + + [0] { // fields + } // fields + + [2] { // methods + { // Member at 0x0134 + 0x0001; // access + #7; // name_cpx + #8; // sig_cpx + [1] { // Attributes + Attr(#9, 29) { // Code at 0x013C + 1; // max_stack + 1; // max_locals + Bytes[5]{ + 0x2AB70001B1; + }; + [0] { // Traps + } // end Traps + [1] { // Attributes + Attr(#10, 6) { // LineNumberTable at 0x0153 + [1] { // LineNumberTable + 0 2; // at 0x015F + } + } // end LineNumberTable + } // Attributes + } // end Code + } // Attributes + } // Member + ; + { // Member at 0x015F + 0x0009; // access + #11; // name_cpx + #12; // sig_cpx + [1] { // Attributes + Attr(#9, 37) { // Code at 0x0167 + 2; // max_stack + 1; // max_locals + Bytes[9]{ + 0xB200021203B60004; + 0xB1; + }; + [0] { // Traps + } // end Traps + [1] { // Attributes + Attr(#10, 10) { // LineNumberTable at 0x0182 + [2] { // LineNumberTable + 0 4; // at 0x018E + 8 5; // at 0x0192 + } + } // end LineNumberTable + } // Attributes + } // end Code + } // Attributes + } // Member + } // methods + + [1] { // Attributes + Attr(#13, 2) { // SourceFile at 0x0194 + #14; + } // end SourceFile + } // Attributes +} // end class emptyNameUtf8 diff --git a/test/runtime/classFileParserBug/emptySigUtf8.jcod b/test/runtime/classFileParserBug/emptySigUtf8.jcod new file mode 100644 index 000000000..0b1957f26 --- /dev/null +++ b/test/runtime/classFileParserBug/emptySigUtf8.jcod @@ -0,0 +1,131 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + * + */ + +// This class has an illegal NameAndType at constant pool #4. It's illegal because +// the type that it points to at #28 is a zero length Utf8 string which is not a +// valid signature. Loading this class should cause a ClassFormatError exception. +class emptySigUtf8 { + 0xCAFEBABE; + 0; // minor version + 52; // version + [29] { // Constant Pool + ; // first element is empty + Method #6 #15; // #1 at 0x0A + Field #16 #17; // #2 at 0x0F + String #18; // #3 at 0x14 + NameAndType #27 #28; // #4 at 0x9F + class #21; // #5 at 0x1C + class #22; // #6 at 0x1F + Utf8 ""; // #7 at 0x22 + Utf8 "()V"; // #8 at 0x2B + Utf8 "Code"; // #9 at 0x2E + Utf8 "LineNumberTable"; // #10 at 0x35 + Utf8 "main"; // #11 at 0x47 + Utf8 "([Ljava/lang/String;)V"; // #12 at 0x4E + Utf8 "SourceFile"; // #13 at 0x67 + Utf8 "emptySigUtf8.java"; // #14 at 0x74 + NameAndType #7 #8; // #15 at 0x81 + class #23; // #16 at 0x86 + NameAndType #24 #25; // #17 at 0x89 + Utf8 "Hello World"; // #18 at 0x8E + class #26; // #19 at 0x9C + Method #19 #4; // #20 at 0x17 + Utf8 "emptySigUtf8"; // #21 at 0xA4 + Utf8 "java/lang/Object"; // #22 at 0xAC + Utf8 "java/lang/System"; // #23 at 0xBF + Utf8 "out"; // #24 at 0xD2 + Utf8 "Ljava/io/PrintStream;"; // #25 at 0xD8 + Utf8 "java/io/PrintStream"; // #26 at 0xF0 + Utf8 "hi"; // #27 at 0x0106 + Utf8 ""; // #28 at 0x0110 + } // Constant Pool + + 0x0021; // access + #5;// this_cpx + #6;// super_cpx + + [0] { // Interfaces + } // Interfaces + + [0] { // fields + } // fields + + [2] { // methods + { // Member at 0x0134 + 0x0001; // access + #7; // name_cpx + #8; // sig_cpx + [1] { // Attributes + Attr(#9, 29) { // Code at 0x013C + 1; // max_stack + 1; // max_locals + Bytes[5]{ + 0x2AB70001B1; + }; + [0] { // Traps + } // end Traps + [1] { // Attributes + Attr(#10, 6) { // LineNumberTable at 0x0153 + [1] { // LineNumberTable + 0 2; // at 0x015F + } + } // end LineNumberTable + } // Attributes + } // end Code + } // Attributes + } // Member + ; + { // Member at 0x015F + 0x0009; // access + #11; // name_cpx + #12; // sig_cpx + [1] { // Attributes + Attr(#9, 37) { // Code at 0x0167 + 2; // max_stack + 1; // max_locals + Bytes[9]{ + 0xB200021203B60004; + 0xB1; + }; + [0] { // Traps + } // end Traps + [1] { // Attributes + Attr(#10, 10) { // LineNumberTable at 0x0182 + [2] { // LineNumberTable + 0 4; // at 0x018E + 8 5; // at 0x0192 + } + } // end LineNumberTable + } // Attributes + } // end Code + } // Attributes + } // Member + } // methods + + [1] { // Attributes + Attr(#13, 2) { // SourceFile at 0x0194 + #14; + } // end SourceFile + } // Attributes +} // end class emptySigUtf8 -- GitLab