Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: P4
Fix Version/s: None
Affects Version/s: 9
Component/s: core-libs
Labels:
None

Subcomponent:
jdk.nashorn
CPU:

generic
OS:

generic

This is an umbrella bug. Need to file sub-tasks after analysis and combining issues together (as needed)

Andre wrote:

Here are the promised fuzzing results. Currently it doesn't make sense
to run longer fuzzing sessions because of the first bug below. That one
is triggered way too often.

- André

Compiler errors:

jjs> Function("for(x.x in 0) {}");
Exception in thread "main" java.lang.AssertionError
     at
jdk.nashorn.internal.codegen.CodeGenerator.enterForIn(CodeGenerator.java:855)
     at
jdk.nashorn.internal.codegen.CodeGenerator.enterForNode(CodeGenerator.java:807)
     at jdk.nashorn.internal.ir.ForNode.accept(ForNode.java:90)
     at
jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
     at
jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
     ...

jjs> Function("switch((null >> x3)) { default: {var x;break ; }\nthrow
x; }");
java.lang.NullPointerException
     at jdk.internal.org.objectweb.asm.Frame.merge(Frame.java:1321)
     at
jdk.internal.org.objectweb.asm.MethodWriter.visitMaxs(MethodWriter.java:1499)
     at
jdk.nashorn.internal.codegen.MethodEmitter.end(MethodEmitter.java:201)
     at
jdk.nashorn.internal.codegen.CodeGenerator.leaveFunctionNode(CodeGenerator.java:1049)
     at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:297)
     ...

jjs> try{Function("switch(x) { case 8: break; case false:
}");}catch(e){e.printStackTrace()}
java.lang.ClassCastException: java.lang.Boolean cannot be cast to
java.lang.Integer
     at
jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:1844)
     at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:103)
     at
jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
     at
jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
     at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
     ...

jjs> Function("try { return true; } finally { return false; } ");
Exception in thread "main" java.lang.AssertionError:
[BinaryNode at 0x396e2f39#:t$1 (Object) root = [:t$1 (Object)] (object)]
     [IdentNode at 0x1990a65e#:return (boolean) (slot=1) lhs = ':return'
[:return (boolean) (slot=1)] (boolean)]
     [UnaryNode at 0x25bbf683#:t$1 (Object) rhs convert [:t$1 (Object)]
(object)]
         [LiteralNode$BooleanLiteralNode at 0x7276c8cd#:l$1 (boolean) rhs =
'true' [:l$1 (boolean)] (boolean)]

     at
jdk.nashorn.internal.codegen.CodeGenerator.enterASSIGN(CodeGenerator.java:2440)
     at
jdk.nashorn.internal.ir.visitor.NodeOperatorVisitor.enterBinaryNode(NodeOperatorVisitor.java:121)
     at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:165)
     at
jdk.nashorn.internal.codegen.CodeGenerator$1.enterDefault(CodeGenerator.java:418)
     at
jdk.nashorn.internal.ir.visitor.NodeVisitor.enterBinaryNode(NodeVisitor.java:178)
     ...

jjs> Function("({ get 1e81(){} })");
Exception in thread "main" java.lang.ClassFormatError: Illegal method
name "_L1$get 1.0e+81" in class
jdk/nashorn/internal/scripts/Script$\^function\_
     at java.lang.ClassLoader.defineClass1(Native Method)
     at java.lang.ClassLoader.defineClass(ClassLoader.java:752)
     at
jdk.nashorn.internal.runtime.ScriptLoader.installClass(ScriptLoader.java:87)
     at
jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.install(Context.java:125)
     at jdk.nashorn.internal.codegen.Compiler.install(Compiler.java:408)
     ...

jjs> Function("{var x, x3;try { return 0; } finally { return 3/0; } }");
Exception in thread "main" java.lang.AssertionError: int is not
compatible with double
     at
jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
     at
jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:953)
     at
jdk.nashorn.internal.codegen.CodeGenerator$Store$2.enterIdentNode(CodeGenerator.java:3164)
     at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:123)
     at
jdk.nashorn.internal.codegen.CodeGenerator$Store.epilogue(CodeGenerator.java:3139)
     ...

jjs> Function("with(x ? 1e81 : (x2.constructor = 0.1)){}")
Exception in thread "main" java.lang.AssertionError: double is not
compatible with object
     at
jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
     at
jdk.nashorn.internal.codegen.MethodEmitter.fixParamStack(MethodEmitter.java:1109)
     at
jdk.nashorn.internal.codegen.MethodEmitter.invoke(MethodEmitter.java:1128)
     at
jdk.nashorn.internal.codegen.MethodEmitter.invokestatic(MethodEmitter.java:1182)
     at
jdk.nashorn.internal.codegen.CompilerConstants$2.invoke(CompilerConstants.java:359)
     ...

jjs> Function("while(x-=1){var x=0; }")
Exception in thread "main" java.lang.VerifyError: get long/double
overflows locals
Exception Details:
   Location:
jdk/nashorn/internal/scripts/Script$\^function\_._L1(Ljava/lang/Object;)Ljava/lang/Object;
@5: dload_2
   Reason:
     Local index 2 is invalid
   Bytecode:
     0000000: a700 050e 4928 0f67 5c49 b800 339a fff6
     0000010: b200 2bb0
   Stackmap Table:
     append_frame(@3,Top,Double)
     chop_frame(@5,2)

     at java.lang.Class.getDeclaredFields0(Native Method)
     at java.lang.Class.privateGetDeclaredFields(Class.java:2476)
     at java.lang.Class.getDeclaredField(Class.java:1975)
     at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:417)
     at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:413)
     ...

The following scripts have similar VerifyErrors, I think they're related:
Function("while((x-=false) && 0){var x = this; }");
Function("/*infloop*/while(x4-=x)var x, x4 = x1;");
Function("/*infloop*/L:while(x+=null){this;var x = /x/g ; }");
Function("while((x1|=0.1) && 0){var x1 = -0, functional; }");

---

Runtime errors:

jjs> try{Function("with({}) return
(eval(\"arguments\"));")()}catch(e){e.printStackTrace()}
java.lang.NullPointerException
     at
java.lang.invoke.MethodHandles.guardWithTest(MethodHandles.java:2131)
     at
jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.guardWithTest(MethodHandleFactory.java:287)
     at
jdk.nashorn.internal.runtime.WithObject.fixScopeCallSite(WithObject.java:258)
     at jdk.nashorn.internal.runtime.WithObject.lookup(WithObject.java:126)
     at
jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:75)
     ...

1.	for (LeftHandSideExpression in Expression) crashes the compiler	Resolved	Sundararajan Athijegannathan
2.	true as case label results in ClassCastException	Resolved	Sundararajan Athijegannathan
3.	Object literal getter, setter function with number format property name results in ClassFormatError	Resolved	Sundararajan Athijegannathan
4.	'while' statement with 'test' using var before being declared in body results in VerifyError	Resolved	Sundararajan Athijegannathan
5.	Switch should load expression even when there are no cases in it	Resolved	Sundararajan Athijegannathan
6.	future strict names are allowed as function name and argument name of a strict function	Resolved	Sundararajan Athijegannathan
7.	Function constructor should convert arguments to String before performing any syntax checks	Resolved	Sundararajan Athijegannathan
8.	Function("with(x ? 1e81 : (x2.constructor = 0.1)){}") throws AssertionError: double is not compatible with object	Resolved	Sundararajan Athijegannathan
9.	Array.prototype.slice.call(Java.type("java.util.HashMap")) throws ClassCastException: jdk.internal.dynalink.beans.StaticClass cannot be cast to jdk.nashorn.internal.runtime.ScriptObject	Resolved	Sundararajan Athijegannathan
10.	Class cache/reuse of 'eval' scripts results in ClassCastException in some cases.	Resolved	Sundararajan Athijegannathan
11.	Getter, setter function name mangling issues	Resolved	Sundararajan Athijegannathan
12.	source representation of getter and setter methods is wrong	Resolved	Sundararajan Athijegannathan
13.	$ in the function name results in wrong function being invoked	Resolved	Sundararajan Athijegannathan
14.	Function("switch((null >> x3)) { default: {var x; break ; }\nthrow x; }")() results in AssertionError in LocalVariableTypesCalculator	Resolved	Attila Szegedi
15.	large string size RangeError should be thrown rather than reporting negative length	Resolved	Sundararajan Athijegannathan
16.	function f() { L1:try { return } finally { break L1 } } f() results in VerifyError	Closed	Attila Szegedi
17.	Very long function names break codegen	Resolved	Hannes Wallnoefer
18.	(1000000000000000128).toString() and (1000000000000000128).toFixed() don't evaluate to expected values.	Resolved	Hannes Wallnoefer
19.	Add regression tests for passing test cases of JDK-8024971	Resolved	Sundararajan Athijegannathan
20.	function f(){ var a=1; with({ get a() { return false } }) return a }; f() throws TypeError with optimistic compilation	Resolved	Attila Szegedi
21.	eval("function " + Array.apply(null,Array(0x10000)).join("a") + "(){}") crashes in codegen	Closed	Hannes Wallnoefer
22.	(1000000000000000128).toString() evaluates "1000000000000000130"	Closed	Hannes Wallnoefer

Assignee:: Sundararajan Athijegannathan

Reporter:: Sundararajan Athijegannathan

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2013-09-17 20:59

Updated:: 2016-05-19 07:37

Resolved:: 2016-05-19 07:37

Details

Description

Attachments

Sub-Tasks

Activity

People

Dates