[Mono-dev] [PATCH] Implement field load/store verification

Rodrigo Kumpera kumpera at gmail.com
Fri Jun 22 08:57:57 EDT 2007 

On 6/22/07, Paolo Molaro <lupus at ximian.com> wrote:
>
> On 06/21/07 Rodrigo Kumpera wrote:
> > >This should be allowed in the .cctor for the class (same for the
> > >equivalent case of an instance field and the .ctor): a test case is
> > >something like:
> > >
> > >        readonly static MyValueType v = new MyValueType (5);
> > >
> > >Note, eventually you also need to add accessibility checks: the method
> > >needs to be able to access the field keeping in mind both the field's
> > >and the field's class visibility.
> > >
> >
> > Definely, the spec say nothing about that, I'll add this check and mark
> it
>
> There are references to this both in the instance constructor and type
> initializers paragraphs (and also under Field contract attributes).
>
> > as a spec issue. About the accessibility checks, I'm going to tackle all
> > cases at once, as it should quite hairy, I believe.
>
> There is code to deal with this in mini/mini.c, it is mostly complete
> (look for can_access_field and can_access_method). Note that such code
> must not be duplicated, we need to share it for both implementations.
>
> > >The code for overlapped fields is not as trivial as this. It is
> moreover
> > >something you should do on a per-type basis instead of per-field access
> > >in the IL code. metadata/object.c has the code to do proper overlapping
> > >field detection: that code should not be duplicated.
> >
> >
> > I don't quite follow you, I should test it it's a load/store to a class
> with
> > bad overlapping, even if the target is a good field?
>
> The process of verification doesn't involve just a single method's
> code: major things in the assembly containing it must be checked first.
> verify.c contains quite a bit of those checks, more are needed of course.
> Between them there is the field overlapping detection: it is a check
> that doesn't belong inside the field access checks, but it belongs
> to a per-type check that you need to perform anyway.
> In the field access you need just to check if the type was ok
> and the type should have been checked earlier (though it's reasonable to
> check it lazily whenever a type is seen, but the full checks for the
> type are needed, not just about overlapping fields). So you'd have code
> like this whenever a type or class is seen:
>
>         if (!type_is_ok (type)) {
>                 report verification/validation issues in type
>                 return;
>         }
>
> and inside type_is_ok():
>         // lazy check
>         if (!type_has_been_checked (type))
>                 check_type (type);
>         return type_status (type) == ok;
>
> With this code field overlapping will just be one of the many checks
> performed inside check_type ().


So the idea is to lazy check all types that a method faces, seen a
reasonable approach. About the overlapping tests, I've been checking against
.net and I got the following results regarding verifiable code:

-can create objects with dangerous overlapping
-can load/store from other non-overlapping field
-only loading from bad overlapping fields cause verification errors.

What you think that should be done on this case?

Rodrigo

lupus
>
> --
> -----------------------------------------------------------------
> lupus at debian.org                                     debian/rules
> lupus at ximian.com                             Monkeys do it better
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20070622/9a680c83/attachment.html

More information about the Mono-devel-list mailing list