Implement inbound checks (#24)

* feat: add bridge return checks

* feat: add field read check

* feat: add unchecked method return checks

* chore: spotless

Author: thisisalexandercook

checker/src/main/java/io/github/eisop/runtimeframework/checker/nullness/NullnessVerifier.java

@@ -10,8 +10,7 @@
 public class NullnessVerifier implements RuntimeVerifier {
 
   private static final ClassDesc VERIFIER = ClassDesc.of(NullnessRuntimeVerifier.class.getName());
-  private static final ClassDesc ATTRIBUTION_KIND =
-      ClassDesc.of(AttributionKind.class.getName());
+  private static final ClassDesc ATTRIBUTION_KIND = ClassDesc.of(AttributionKind.class.getName());
 
   private static final String METHOD_DEFAULT = "checkNotNull";
   private static final MethodTypeDesc DESC_DEFAULT =

checker/src/test/resources/test-cases/nullness-bridge/InheritanceBridgeTest.java

@@ -28,14 +28,19 @@ public static void main(String[] args) {
         test.finalAction(null);
         // cannot bridge final methods, no error here
 
-        String unsafe = test.returnAction();
+        // :: error: (Return value of inherited method returnAction must be NonNull)
+        test.returnAction();
+
+        // :: error: (Return value of inherited method returnAction must be NonNull)
         // :: error: (Local Variable Assignment (Slot 2) must be NonNull)
+        String unsafe = test.returnAction();
 
+        // :: error: (Return value of inherited method returnAction must be NonNull)
         @Nullable String again = test.returnAction();
     }
 
     @Override
     public void overrideMe(@NonNull String inputA, @Nullable String inputB) {
         System.out.println("safe version of this method" + inputA + inputB);
     }
-}
+}

checker/src/test/resources/test-cases/nullness-field-read/InstanceFieldRead.java

@@ -8,12 +8,22 @@ static class UncheckedLib {
         public String poison = null;
     }
 
+    public static void consume(@Nullable Object o) {}
+
     public static void main(String[] args) {
         UncheckedLib lib = new UncheckedLib();
 
-        String s = lib.poison;
+        // 1. Read without storage (Argument passing)
+        // :: error: (Read Field 'poison' must be NonNull)
+        consume(lib.poison);
+
+        // 2. Assignment
+        // :: error: (Read Field 'poison' must be NonNull)
         // :: error: (Local Variable Assignment (Slot 2) must be NonNull)
+        String s = lib.poison;
 
-	@Nullable String q = lib.poison;
+        // 3. Nullable Assignment (Still checks read)
+        // :: error: (Read Field 'poison' must be NonNull)
+        @Nullable String q = lib.poison;
     }
-}
+}

checker/src/test/resources/test-cases/nullness-field-read/StaticFieldRead.java

@@ -1,3 +1,4 @@
+import org.checkerframework.checker.nullness.qual.Nullable;
 import io.github.eisop.runtimeframework.qual.AnnotatedFor;
 
 @AnnotatedFor("nullness")
@@ -7,8 +8,16 @@ static class UncheckedLib {
         public static String POISON = null;
     }
 
+    public static void consume(@Nullable Object o) {}
+
     public static void main(String[] args) {
-        String s = UncheckedLib.POISON;
+        // 1. Read without storage
+        // :: error: (Read Field 'POISON' must be NonNull)
+        consume(UncheckedLib.POISON);
+
+        // 2. Assignment
+        // :: error: (Read Field 'POISON' must be NonNull)
         // :: error: (Local Variable Assignment (Slot 1) must be NonNull)
+        String s = UncheckedLib.POISON;
     }
-}
+}

checker/src/test/resources/test-cases/nullness-invoke/InstanceBoundary.java

@@ -13,10 +13,11 @@ public static void main(String[] args) {
         UncheckedLib lib = new UncheckedLib();
 
         String s = lib.getNull();
+	// :: error: (Return value of getNull (Boundary) must be NonNull)
 	// :: error: (Local Variable Assignment (Slot 2) must be NonNull)
 
 	lib.getNull();
-	// currently no explicit check on the return if its not stored 
+	// :: error: (Return value of getNull (Boundary) must be NonNull)
 
     }
 }

checker/src/test/resources/test-cases/nullness-invoke/NullableBoundary.java

@@ -12,5 +12,6 @@ public static String getNull() {
 
     public static void main(String[] args) {
         @Nullable String s = UncheckedLib.getNull();
+        // :: error: (Return value of getNull (Boundary) must be NonNull)
     }
 }

checker/src/test/resources/test-cases/nullness-invoke/StaticBoundary.java

@@ -12,6 +12,7 @@ public static String getNull() {
 
     public static void main(String[] args) {
         String s = UncheckedLib.getNull();
+	// :: error: (Return value of getNull (Boundary) must be NonNull)
 	// :: error: (Local Variable Assignment (Slot 1) must be NonNull)
     }
 

checker/src/test/resources/test-cases/nullness-parameter/FieldArgument.java

@@ -10,14 +10,17 @@ static class UncheckedLib {
     }
 
     public static void main(String[] args) {
+        // :: error: (Read Field 'POISON' must be NonNull)
+        // :: error: (Parameter 0 must be NonNull)
         consume(UncheckedLib.POISON);
-	nullableConsume(UncheckedLib.POISON);
+
+        // :: error: (Read Field 'POISON' must be NonNull)
+	    nullableConsume(UncheckedLib.POISON);
     }
 
     public static void consume(@NonNull String arg) {
-	// :: error: (Parameter 0 must be NonNull)
     }
 
     public static void nullableConsume(@Nullable String arg) {
     }
-}
+}

framework/src/main/java/io/github/eisop/runtimeframework/core/AnnotationInstrumenter.java

@@ -154,8 +154,14 @@ protected void generateUncheckedReturnCheck(
 
   @Override
   protected void generateMethodCallCheck(CodeBuilder b, InvokeInstruction invoke) {
-    // empty for now, only need to generate checks when a method call is stored somehwhere
+    RuntimeVerifier target =
+        policy.getBoundaryCallCheck(invoke.owner().asInternalName(), invoke.typeSymbol());
 
+    if (target != null) {
+      b.dup();
+      target.generateCheck(
+          b, TypeKind.REFERENCE, "Return value of " + invoke.name().stringValue() + " (Boundary)");
+    }
   }
 
   @Override
@@ -225,6 +231,16 @@ private void emitBridge(ClassBuilder builder, ParentMethod parentMethod) {
                     ClassDesc.of(
                         parentMethod.owner().thisClass().asInternalName().replace('/', '.'));
                 codeBuilder.invokespecial(parentDesc, methodName, desc);
+
+                RuntimeVerifier returnTarget = policy.getBridgeReturnCheck(parentMethod);
+                if (returnTarget != null) {
+                  codeBuilder.dup();
+                  returnTarget.generateCheck(
+                      codeBuilder,
+                      TypeKind.REFERENCE,
+                      "Return value of inherited method " + methodName);
+                }
+
                 returnResult(
                     codeBuilder, ClassDesc.ofDescriptor(desc.returnType().descriptorString()));
               });

framework/src/main/java/io/github/eisop/runtimeframework/core/RuntimeInstrumenter.java

@@ -66,13 +66,7 @@ public void accept(ClassBuilder classBuilder, ClassElement classElement) {
                             } else if (isFieldRead(fInst)) {
                               codeBuilder.with(element);
                               if (isCheckedScope) {
-                                // generateFieldReadCheck(codeBuilder, fInst, classModel);
-                                // Currently disabling field read checks as the GETFIELD
-                                // and GETSTATIC instructions are not actually dangerous
-                                // on their own. Its when we STORE a field we read from
-                                // that an issue could arise
-                                // TODO: consider method of turning on and off different
-                                // boundary sites
+                                generateFieldReadCheck(codeBuilder, fInst, classModel);
                               }
                             }
                           } else if (element instanceof ReturnInstruction rInst) {