JDK-8024971

Fuzzing results on nashorn by Andre

Type: Bug
Resolution: Fixed
Priority: P4
Fix Version/s: 9
Component/s: core-libs

      This is an umbrella bug. Need to file sub-tasks after analysis and combining issues together (as needed)

      Andre wrote:

      Here are the promised fuzzing results. Currently it doesn't make sense
      to run longer fuzzing sessions because of the first bug below. That one
      is triggered way too often.

      - André

      Compiler errors:

      jjs> Function("for(x.x in 0) {}");
      Exception in thread "main" java.lang.AssertionError
           at jdk.nashorn.internal.codegen.CodeGenerator.enterForIn(CodeGenerator.java:855)
           at jdk.nashorn.internal.codegen.CodeGenerator.enterForNode(CodeGenerator.java:807)
           at jdk.nashorn.internal.ir.ForNode.accept(ForNode.java:90)
           at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
           at jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
           ...

      jjs> Function("switch((null >> x3)) { default: {var x;break ; }\nthrow x; }");
      java.lang.NullPointerException
           at jdk.internal.org.objectweb.asm.Frame.merge(Frame.java:1321)
           at jdk.internal.org.objectweb.asm.MethodWriter.visitMaxs(MethodWriter.java:1499)
           at jdk.nashorn.internal.codegen.MethodEmitter.end(MethodEmitter.java:201)
           at jdk.nashorn.internal.codegen.CodeGenerator.leaveFunctionNode(CodeGenerator.java:1049)
           at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:297)
           ...

      jjs> try{Function("switch(x) { case 8: break; case false: }");}catch(e){e.printStackTrace()}
      java.lang.ClassCastException: java.lang.Boolean cannot be cast to java.lang.Integer
           at jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:1844)
           at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:103)
           at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
           at jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
           at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
           ...

      jjs> Function("try { return true; } finally { return false; } ");
      Exception in thread "main" java.lang.AssertionError:
      [BinaryNode at 0x396e2f39#:t$1 (Object) root = [:t$1 (Object)] (object)]
           [IdentNode at 0x1990a65e#:return (boolean) (slot=1) lhs = ':return' [:return (boolean) (slot=1)] (boolean)]
           [UnaryNode at 0x25bbf683#:t$1 (Object) rhs convert [:t$1 (Object)] (object)]
               [LiteralNode$BooleanLiteralNode at 0x7276c8cd#:l$1 (boolean) rhs = 'true' [:l$1 (boolean)] (boolean)]

           at jdk.nashorn.internal.codegen.CodeGenerator.enterASSIGN(CodeGenerator.java:2440)
           at jdk.nashorn.internal.ir.visitor.NodeOperatorVisitor.enterBinaryNode(NodeOperatorVisitor.java:121)
           at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:165)
           at jdk.nashorn.internal.codegen.CodeGenerator$1.enterDefault(CodeGenerator.java:418)
           at jdk.nashorn.internal.ir.visitor.NodeVisitor.enterBinaryNode(NodeVisitor.java:178)
           ...

      jjs> Function("({ get 1e81(){} })");
      Exception in thread "main" java.lang.ClassFormatError: Illegal method name "_L1$get 1.0e+81" in class jdk/nashorn/internal/scripts/Script$\^function\_
           at java.lang.ClassLoader.defineClass1(Native Method)
           at java.lang.ClassLoader.defineClass(ClassLoader.java:752)
           at jdk.nashorn.internal.runtime.ScriptLoader.installClass(ScriptLoader.java:87)
           at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.install(Context.java:125)
           at jdk.nashorn.internal.codegen.Compiler.install(Compiler.java:408)
           ...

      jjs> Function("{var x, x3;try { return 0; } finally { return 3/0; } }");
      Exception in thread "main" java.lang.AssertionError: int is not compatible with double
           at jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
           at jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:953)
           at jdk.nashorn.internal.codegen.CodeGenerator$Store$2.enterIdentNode(CodeGenerator.java:3164)
           at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:123)
           at jdk.nashorn.internal.codegen.CodeGenerator$Store.epilogue(CodeGenerator.java:3139)
           ...

      jjs> Function("with(x ? 1e81 : (x2.constructor = 0.1)){}")
      Exception in thread "main" java.lang.AssertionError: double is not compatible with object
           at jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
           at jdk.nashorn.internal.codegen.MethodEmitter.fixParamStack(MethodEmitter.java:1109)
           at jdk.nashorn.internal.codegen.MethodEmitter.invoke(MethodEmitter.java:1128)
           at jdk.nashorn.internal.codegen.MethodEmitter.invokestatic(MethodEmitter.java:1182)
           at jdk.nashorn.internal.codegen.CompilerConstants$2.invoke(CompilerConstants.java:359)
           ...

      jjs> Function("while(x-=1){var x=0; }")
      Exception in thread "main" java.lang.VerifyError: get long/double overflows locals
      Exception Details:
         Location:
           jdk/nashorn/internal/scripts/Script$\^function\_._L1(Ljava/lang/Object;)Ljava/lang/Object; @5: dload_2
         Reason:
           Local index 2 is invalid
         Bytecode:
           0000000: a700 050e 4928 0f67 5c49 b800 339a fff6
           0000010: b200 2bb0
         Stackmap Table:
           append_frame(@3,Top,Double)
           chop_frame(@5,2)

           at java.lang.Class.getDeclaredFields0(Native Method)
           at java.lang.Class.privateGetDeclaredFields(Class.java:2476)
           at java.lang.Class.getDeclaredField(Class.java:1975)
           at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:417)
           at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:413)
           ...

      The following scripts have similar VerifyErrors, I think they're related:
      Function("while((x-=false) && 0){var x = this; }");
      Function("/*infloop*/while(x4-=x)var x, x4 = x1;");
      Function("/*infloop*/L:while(x+=null){this;var x = /x/g ; }");
      Function("while((x1|=0.1) && 0){var x1 = -0, functional; }");

      ---

      Runtime errors:

      jjs> try{Function("with({}) return (eval(\"arguments\"));")()}catch(e){e.printStackTrace()}
      java.lang.NullPointerException
           at java.lang.invoke.MethodHandles.guardWithTest(MethodHandles.java:2131)
           at jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.guardWithTest(MethodHandleFactory.java:287)
           at jdk.nashorn.internal.runtime.WithObject.fixScopeCallSite(WithObject.java:258)
           at jdk.nashorn.internal.runtime.WithObject.lookup(WithObject.java:126)
           at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:75)
           ...
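Added example, not part of the bug report or of the Nashorn code base: a Java regression harness that feeds the reproducers quoted above through Nashorn's Function() constructor via javax.script and reports what escapes the engine. It assumes a JDK whose javax.script "nashorn" engine is available; the AssertionError cases only fire when the JVM runs with -ea, because they come from assert statements inside the code generator, and the harness name and layout are the editor's own.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
// Added regression harness, not Nashorn project code. Assumes the "nashorn"
// javax.script engine is on the JDK; run with -ea so the assert-based cases fire.
public class NashornFuzzRegression {
    // Compile-only reproducers from the report: each is passed to Function(),
    // so the parser and code generator run but the body is never executed.
    static final String[] COMPILE_CASES = {
        "for(x.x in 0) {}",
        "switch((null >> x3)) { default: {var x;break ; }\nthrow x; }",
        "switch(x) { case 8: break; case false: }",
        "try { return true; } finally { return false; } ",
        "({ get 1e81(){} })",
        "{var x, x3;try { return 0; } finally { return 3/0; } }",
        "with(x ? 1e81 : (x2.constructor = 0.1)){}",
        "while(x-=1){var x=0; }",
        "while((x-=false) && 0){var x = this; }",
        "/*infloop*/while(x4-=x)var x, x4 = x1;",
        "/*infloop*/L:while(x+=null){this;var x = /x/g ; }",
        "while((x1|=0.1) && 0){var x1 = -0, functional; }",
    };
    // Runtime reproducer: the compiled function must also be invoked.
    static final String[] RUN_CASES = { "with({}) return (eval(\"arguments\"));" };

    // The body travels as an engine binding rather than spliced into a string
    // literal, so Java-side escaping cannot alter the fuzzer's exact input.
    // ScriptException (a SyntaxError or a thrown JS value) is a normal outcome;
    // anything else escaping the engine is an engine defect. Catch Throwable,
    // since AssertionError, VerifyError and ClassFormatError are Errors.
    static String classify(ScriptEngine engine, String body, boolean invoke) {
        try {
            engine.put("src", body);
            engine.eval(invoke ? "Function(src)()" : "Function(src)");
            return "ok";
        } catch (ScriptException e) {
            return "script-error";
        } catch (Throwable t) {
            return "ENGINE CRASH " + t.getClass().getName();
        }
    }

    public static void main(String[] args) {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine == null) throw new IllegalStateException("nashorn engine not found");
        for (String s : COMPILE_CASES)
            System.out.printf("%-36s %s%n", classify(engine, s, false), s.replace("\n", "\\n"));
        for (String s : RUN_CASES)
            System.out.printf("%-36s %s%n", classify(engine, s, true), s);
    }
}
```

On Nashorn builds that compile function bodies lazily, start the JVM with -Dnashorn.args=--lazy-compilation=false so that Function() runs the code generator instead of deferring it to the first call; the /*infloop*/ cases must stay compile-only for that reason.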

        There are no Sub-Tasks for this issue.

            Assignee: Sundararajan Athijegannathan (sundar)
            Reporter: Sundararajan Athijegannathan (sundar)
            Votes: 0
            Watchers: 2