After perusing the Dalvik VM source code it does not seem to me that the
Dalvik VM is type safe. Consider, as an example, HANDLE_OP_APUT in
dalvik/vm/mterp/c/opcommon.c: there is no protection against vsrc1
containing an arbitrary pointer to any word in the Dalvik VM address
space, and there is also no type checking to ensure the array is
actually of the type corresponding to the instruction, which allows
Dalvik programs to alter the contents of any word in memory (by
creating, say, a byte array, then accessing it as an int array,
circumventing the bounds check). This could be used to execute a heap
spray attack.
I would report this as a bug, but since this is so pervasive within the
Dalvik VM I'm wondering whether it is a design goal of Dalvik to be type
safe. Since I'm interested in possibly writing an LLVM backend for
Dalvik (allowing C code to be compiled to Dalvik), this is something I'd
like to know. Certainly, the lack of type safety makes it easy to write
a C-to-Dalvik compiler, but I want to make sure that my methods won't
depend on exploiting bugs that are going to be fixed.
Patrick

What he said.
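As an added illustration (not code from Patrick's post and not Dalvik's own source), here is a small C model of the two runtime checks the post describes as absent from HANDLE_OP_APUT: an element-type tag on the array object and a bounds check measured in the instruction's element width. `ModelArray`, `checked_aput_int`, `checked_aget_int` and the scenario functions are hypothetical names, and the sizes (a 16-element byte array, index 15, a 4-element int array) are constructed for the example. Where such checks belong in a real VM, in the bytecode verifier or in the interpreter, is exactly the question the thread raises; the model only shows what the checks have to reject.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a typed array object. This is NOT Dalvik's ArrayObject;
 * it exists only to show the two checks the thread says the interpreter lacks. */
typedef enum { ELEM_BYTE = 1, ELEM_INT = 4 } ElemKind;   /* value doubles as width in bytes */

#define MODEL_BACKING_BYTES 64

typedef struct {
    ElemKind kind;
    uint32_t length;                     /* element count, not byte count */
    uint8_t  data[MODEL_BACKING_BYTES];  /* fixed backing store for the model */
} ModelArray;

typedef enum { PUT_OK = 0, PUT_NULL = 1, PUT_TYPE_MISMATCH = 2, PUT_OUT_OF_BOUNDS = 3 } PutResult;

/* Initialise an array; returns 0 if the element storage would not fit the backing store. */
int model_array_init(ModelArray *arr, ElemKind kind, uint32_t length) {
    if (arr == NULL || (uint64_t)length * (uint64_t)kind > MODEL_BACKING_BYTES) return 0;
    arr->kind = kind;
    arr->length = length;
    memset(arr->data, 0, sizeof arr->data);
    return 1;
}

/* Checked equivalent of an "aput-int" style store: the store goes ahead only if
 * the array's element kind matches the instruction AND the index is in range. */
PutResult checked_aput_int(ModelArray *arr, uint32_t idx, int32_t val) {
    if (arr == NULL) return PUT_NULL;
    if (arr->kind != ELEM_INT) return PUT_TYPE_MISMATCH;   /* the type check the post says is missing */
    if (idx >= arr->length) return PUT_OUT_OF_BOUNDS;      /* bounds counted in int-sized elements */
    memcpy(arr->data + (size_t)idx * sizeof(int32_t), &val, sizeof val);
    return PUT_OK;
}

/* Checked "aget-int" read; sets *ok to 0 and returns 0 on any rejected access. */
int32_t checked_aget_int(const ModelArray *arr, uint32_t idx, int *ok) {
    int32_t val = 0;
    *ok = 0;
    if (arr == NULL || arr->kind != ELEM_INT || idx >= arr->length) return 0;
    memcpy(&val, arr->data + (size_t)idx * sizeof(int32_t), sizeof val);
    *ok = 1;
    return val;
}

/* Scenario from the thread: a 16-element byte array (16 bytes of payload) accessed as if
 * it were an int array. Index 15 would satisfy a bare "15 < length" check yet address byte
 * offset 60, well past the payload; the type tag rejects it before the offset is formed. */
PutResult scenario_byte_array_as_int(void) {
    ModelArray bytes;
    if (!model_array_init(&bytes, ELEM_BYTE, 16)) return PUT_NULL;
    return checked_aput_int(&bytes, 15, 0x41414141);   /* constructed value */
}

/* Legitimate use: a 4-element int array; index 3 is the last valid slot, index 4 is not.
 * Returns 1 when every outcome is as expected, a negative code otherwise. */
int scenario_int_array_roundtrip(void) {
    ModelArray ints;
    int ok = 0;
    if (!model_array_init(&ints, ELEM_INT, 4)) return -1;
    if (checked_aput_int(&ints, 3, 1234) != PUT_OK) return -2;
    if (checked_aput_int(&ints, 4, 1) != PUT_OUT_OF_BOUNDS) return -3;
    int32_t v = checked_aget_int(&ints, 3, &ok);
    return (ok && v == 1234) ? 1 : -4;
}

int main(void) {
    printf("byte array via aput-int -> %d (2 = type mismatch)\n", (int)scenario_byte_array_as_int());
    printf("int array round trip    -> %d (1 = ok)\n", scenario_int_array_roundtrip());
    return 0;
}
```

The point of the model is the order of the checks: the element-kind comparison runs before any byte offset is computed, so a bounds check expressed in element units can never be made to cover the wrong number of bytes.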
If you spot an actual case where type safety is violated, please
report it as a bug, including explicit steps to reproduce (compilable
source code, etc.) that we can use to confirm both the problem and the
fix.
Thanks!
-dan