8129895: New verifier fails to reject erroneous cast from int[] to other arrays of small integer types

Only allow assignability of arrays of primitive types if the types are identical Reviewed-by: dholmes, gtriantafill
2026-05-11 05:59:52 +00:00 · 2015-07-22 08:00:38 -04:00 · 2015-07-22 08:00:38 -04:00 · 9ba9e4aecb
commit 9ba9e4aecb
parent bd27782e17
5 changed files with 168 additions and 1 deletions
--- a/hotspot/src/share/vm/classfile/verificationType.cpp
+++ b/hotspot/src/share/vm/classfile/verificationType.cpp
@ -86,7 +86,7 @@ bool VerificationType::is_reference_assignable_from(
    VerificationType comp_this = get_component(context, CHECK_false);
    VerificationType comp_from = from.get_component(context, CHECK_false);
    if (!comp_this.is_bogus() && !comp_from.is_bogus()) {
-      return comp_this.is_assignable_from(comp_from, context,
+      return comp_this.is_component_assignable_from(comp_from, context,
                                          from_field_is_protected, CHECK_false);
    }
  }
--- a/hotspot/src/share/vm/classfile/verificationType.hpp
+++ b/hotspot/src/share/vm/classfile/verificationType.hpp
@ -297,6 +297,26 @@ class VerificationType VALUE_OBJ_CLASS_SPEC {
    }
  }

+  // Check to see if one array component type is assignable to another.
+  // Same as is_assignable_from() except int primitives must be identical.
+  bool is_component_assignable_from(
+      const VerificationType& from, ClassVerifier* context,
+      bool from_field_is_protected, TRAPS) const {
+    if (equals(from) || is_bogus()) {
+      return true;
+    } else {
+      switch(_u._data) {
+        case Boolean:
+        case Byte:
+        case Char:
+        case Short:
+          return false;
+        default:
+          return is_assignable_from(from, context, from_field_is_protected, CHECK_false);
+      }
+    }
+  }
+
  VerificationType get_component(ClassVerifier* context, TRAPS) const;

  int dimensions() const {
--- a/hotspot/test/runtime/verifier/PrimIntArray.java
+++ b/hotspot/test/runtime/verifier/PrimIntArray.java
@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+/*
+ * @test
+ * @bug 8129895
+ * @summary Throw VerifyError when checking assignability of primitive arrays
+ * that are not identical.  For example, [I is not assignable to [B.
+ * @compile primArray.jasm
+ * @compile primArray49.jasm
+ * @run main/othervm -Xverify:all PrimIntArray
+ */
+
+// Test that an int[] is not assignable to byte[].
+public class PrimIntArray {
+
+    public static void main(String args[]) throws Throwable {
+        System.out.println("Regression test for bug 8129895");
+
+        try {
+            Class newClass = Class.forName("primArray");
+            throw new RuntimeException("Expected VerifyError exception not thrown with new verifier");
+        } catch (java.lang.VerifyError e) {
+            System.out.println("Test PrimIntArray passed with new verifier");
+        }
+
+        try {
+            Class newClass = Class.forName("primArray49");
+            throw new RuntimeException("Expected VerifyError exception not thrown by old verifier");
+        } catch (java.lang.VerifyError e) {
+            System.out.println("Test PrimIntArray passed with old verifier");
+        }
+    }
+}
--- a/hotspot/test/runtime/verifier/primArray.jasm
+++ b/hotspot/test/runtime/verifier/primArray.jasm
@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+// Method castToByteArray() tries to return an array of ints when an array
+// of bytes is expected.
+super class primArray
+version 52:0
+{
+
+    public Method "<init>":"()V"
+    stack 1 locals 1
+    {
+        aload_0;
+        invokespecial Method java/lang/Object."<init>":"()V";
+        return;
+    }
+
+    public static Method castToByteArray:"([I)[B"
+        stack 1 locals 1
+    {
+        aload_0;
+        areturn;
+    }
+
+} // end Class primArray
--- a/hotspot/test/runtime/verifier/primArray49.jasm
+++ b/hotspot/test/runtime/verifier/primArray49.jasm
@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+// Method castToByteArray() tries to return an array of ints when an array
+// of bytes is expected.
+super class primArray49
+version 49:0
+{
+
+    public Method "<init>":"()V"
+    stack 1 locals 1
+    {
+        aload_0;
+        invokespecial Method java/lang/Object."<init>":"()V";
+        return;
+    }
+
+    public static Method castToByteArray:"([I)[B"
+        stack 1 locals 1
+    {
+        aload_0;
+        areturn;
+    }
+
+} // end Class primArray49