1

I'm trying to use JPF to verify my bytecode generated at runtime with javassist.

The code I'm trying to verify is supplied by the user while my program is running. As I can't check all OOP models and stuff like that, I need a verification process before running his code.

At the moment I simply generate bytecode with javassist from his classes.

My problem now is that I sometimes get exceptions because the user made some inheritance mistakes and stuff, and my application shuts down with an exception because I tried to load and execute his classes.

Therefore I would like to verify that generated bytecode at runtime to avoid such exceptions and to know earlier if the classes supplied by the user are faulty (or contain any problem).

Is this possible with JPF at runtime?

Any other solutions on this?

Thanks!

5
  • Try to do a hash on the byte code; perhaps select bytes at different/random locations and see if they match; it should be much faster than checking the whole file. Commented Mar 26, 2012 at 13:58
  • A hash would be just to compare two things, or am I wrong? I need to check whether the code is valid and can be run without getting an exception or not! Commented Mar 26, 2012 at 20:00
  • My impression was that you were doing equality on all bytes ... not that the bytes are valid code. Did I misinterpret? Commented Mar 26, 2012 at 20:18
  • Yes, I think you misinterpreted it. I'm trying to verify whether the bytecode, generated from the classes I created after compilation, is valid or not. Commented Mar 26, 2012 at 21:51
  • Could you post SSCCE code (sscce.org) that we may play with (error injection...)? Commented Apr 3, 2012 at 19:34

3 Answers

2

As JPF uses BCEL, the Stand-alone Bytecode Verifier might be helpful. Just programmatically invoke the Verifier class - or even dive into the details of this class. hth


2 Comments

I'm not 100% sure, but some tests showed me what I meant to read: "Especially, we will not deal with the security constraints that the Java Virtual Machine has to check at run-time, i.e. the byte code verifier." So it looks to me as if the bytecode verifier used by BCEL (or Javassist) is not a 100% clean check; that's why I'm trying to use JPF.
My mistake. I stumbled upon an old version of JPF that depended on BCEL, but I just saw that new versions do not. So forget my comment...
1
+50

There are many points to check:

From my point of view, a ClassLoader does all those steps, but it generally loads one Class at a time, and only on demand.

In your context, I propose you write a ClassLoader that loads in sequence all classes from the generated bytecode and reports each failing class name with the caught exceptions. The ClassLoader is instantiated with the reference to the relevant parent ClassLoader and is discarded after the test has passed; the generated bytecode is then loaded by the original ClassLoader of your runtime context.

Probably this class loading check may be implemented thanks to OSGi, but it will require more effort than a standalone ClassLoader.
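
The throwaway ClassLoader proposed in the answer above could look like the following; this is an added example, not code from the answer's author. The class name `PreflightClassLoader`, the `check()` method and the name-to-bytes map are assumptions, and forcing linking through `getDeclaredMethods()` relies on HotSpot behaviour.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Throwaway loader: defines every generated class, links it, records failures. */
public class PreflightClassLoader extends ClassLoader {
    private final Map<String, byte[]> bytecode; // binary class name -> class file bytes

    public PreflightClassLoader(ClassLoader parent, Map<String, byte[]> bytecode) {
        super(parent); // parent supplies the application's own classes
        this.bytecode = bytecode;
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[] b = bytecode.get(name);
        if (b == null) throw new ClassNotFoundException(name);
        // Parses the class file and resolves the superclass and interfaces.
        return defineClass(name, b, 0, b.length);
    }

    /** Returns class name -> error for each class that fails to load or link. */
    public Map<String, Throwable> check() {
        Map<String, Throwable> failures = new LinkedHashMap<>();
        for (String name : bytecode.keySet()) {
            try {
                // initialize=false: the user's static initializers are not run.
                Class<?> c = Class.forName(name, false, this);
                // Assumption: on HotSpot, reflection links the class, which
                // runs the bytecode verifier (VerifyError on failure).
                c.getDeclaredMethods();
            } catch (LinkageError | ClassNotFoundException e) {
                failures.put(name, e);
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        // Constructed sample: a truncated class file (magic number only).
        Map<String, byte[]> generated = new LinkedHashMap<>();
        generated.put("demo.Broken",
                new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
        ClassLoader parent = PreflightClassLoader.class.getClassLoader();
        new PreflightClassLoader(parent, generated).check()
                .forEach((n, e) -> System.out.println(n + ": " + e));
    }
}
```

An empty result means every class loaded and linked in the throwaway loader; it says nothing about what the user's code does once it is executed.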


0

If you don't have an absolute requirement to use JPF, the ASM library includes CheckClassAdapter which can verify byte code. It is only a sanity check however - I don't believe it will catch problems with inheritance etc.

1 Comment

That's the problem: as I said, I need 100% correct verification which checks OOP models and which is secure to run on the JVM without exceptions. In addition to that, I need to get correct and good error messages from the verifier, which ASM does not provide.
