JDK-8047165
Sub-task of JDK-8042304 Fuzzing jdk9/dev/nashorn

Function("switch(0) { default: {break;} return }")() crashes with VerifyError


    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: 9
    • Fix Version/s: 8u40
    • Component/s: core-libs
    • Labels: None

      Description

       jjs -J-Djava.ext.dirs=$jdk9_dev/nashorn/dist

      jjs> Function("switch(0) { default: {break;} return }")()

      Exception in thread "main" java.lang.VerifyError: StackMapTable error: bad offset
      Exception Details:
        Location:
          jdk/nashorn/internal/scripts/Script$Recompilation$3$\^function\_.L:1(Ljava/lang/Object;)Ljava/lang/Object; @0: goto
        Reason:
          Invalid stackmap specification.
        Current Frame:
          bci: @3
          flags: { }
          locals: { 'java/lang/Object' }
          stack: { }
        Bytecode:
          0000000: a700 03
        Stackmap Table:
          same_frame(@3)

      at java.lang.Class.getDeclaredFields0(Native Method)
      at java.lang.Class.privateGetDeclaredFields(Class.java:2570)
      at java.lang.Class.getDeclaredField(Class.java:2055)
      at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1$1.run(Context.java:176)
      at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1$1.run(Context.java:171)
      at java.security.AccessController.doPrivileged(Native Method)
      at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1.accept(Context.java:171)
      at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1.accept(Context.java:167)
      at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183)
      at java.util.Iterator.forEachRemaining(Iterator.java:116)
      at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
      at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:512)
      at java.util.stream.ForEachOps$ForEachTask.compute(ForEachOps.java:290)
      at java.util.concurrent.CountedCompleter.exec(CountedCompleter.java:731)
      at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
      at java.util.concurrent.ForkJoinTask.doInvoke(ForkJoinTask.java:400)
      at java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:728)
      at java.util.stream.ForEachOps$ForEachOp.evaluateParallel(ForEachOps.java:159)
      at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateParallel(ForEachOps.java:173)
      at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:233)
      at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
      at java.util.stream.ReferencePipeline$Head.forEach(ReferencePipeline.java:583)
      at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.initialize(Context.java:166)
      at jdk.nashorn.internal.codegen.CompilationPhase$12.transform(CompilationPhase.java:515)
      at jdk.nashorn.internal.codegen.CompilationPhase.apply(CompilationPhase.java:674)
      at jdk.nashorn.internal.codegen.Compiler.compile(Compiler.java:506)
      at jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.compileTypeSpecialization(RecompilableScriptFunctionData.java:420)
      at jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.getBest(RecompilableScriptFunctionData.java:560)
      at jdk.nashorn.internal.runtime.ScriptFunctionData.getBestInvoker(ScriptFunctionData.java:229)
      at jdk.nashorn.internal.runtime.ScriptFunction.findCallMethod(ScriptFunction.java:546)
      at jdk.nashorn.internal.runtime.ScriptObject.lookup(ScriptObject.java:1791)
      at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:100)
      at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:94)
      at jdk.internal.dynalink.support.CompositeTypeBasedGuardingDynamicLinker.getGuardedInvocation(CompositeTypeBasedGuardingDynamicLinker.java:176)
      at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
      at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:149)
      at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:233)
      at jdk.nashorn.internal.scripts.Script$1$\^shell\_.:program(<shell>:1)
      at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:567)
      at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:221)
      at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:374)
      at jdk.nashorn.internal.runtime.Context.eval(Context.java:620)
      at jdk.nashorn.tools.Shell.readEvalPrint(Shell.java:448)
      at jdk.nashorn.tools.Shell.run(Shell.java:158)
      at jdk.nashorn.tools.Shell.main(Shell.java:133)
      at jdk.nashorn.tools.Shell.main(Shell.java:112)

      When I turned on asserts, I got the following trace:

      jjs -J-Djava.ext.dirs=$jdk9_dev/nashorn/dist -J-esa -J-ea
      jjs> Function("switch(0) { default: {break;} return }")()
      Exception in thread "main" java.lang.AssertionError: Failed generating bytecode for <function>:2
      at jdk.nashorn.internal.codegen.CompilationPhase$11.transform(CompilationPhase.java:437)
      at jdk.nashorn.internal.codegen.CompilationPhase.apply(CompilationPhase.java:674)
      at jdk.nashorn.internal.codegen.Compiler.compile(Compiler.java:506)
      at jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.compileTypeSpecialization(RecompilableScriptFunctionData.java:420)
      at jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.getBest(RecompilableScriptFunctionData.java:560)
      at jdk.nashorn.internal.runtime.ScriptFunctionData.getBestInvoker(ScriptFunctionData.java:229)
      at jdk.nashorn.internal.runtime.ScriptFunction.findCallMethod(ScriptFunction.java:546)
      at jdk.nashorn.internal.runtime.ScriptObject.lookup(ScriptObject.java:1791)
      at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:100)
      at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:94)
      at jdk.internal.dynalink.support.CompositeTypeBasedGuardingDynamicLinker.getGuardedInvocation(CompositeTypeBasedGuardingDynamicLinker.java:176)
      at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
      at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:149)
      at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:233)
      at jdk.nashorn.internal.scripts.Script$1$\^shell\_.:program(<shell>:1)
      at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:567)
      at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:221)
      at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:374)
      at jdk.nashorn.internal.runtime.Context.eval(Context.java:620)
      at jdk.nashorn.tools.Shell.readEvalPrint(Shell.java:448)
      at jdk.nashorn.tools.Shell.run(Shell.java:158)
      at jdk.nashorn.tools.Shell.main(Shell.java:133)
      at jdk.nashorn.tools.Shell.main(Shell.java:112)
      Caused by: java.lang.ArrayIndexOutOfBoundsException: -1
      at jdk.nashorn.internal.codegen.CodeGeneratorLexicalContext.getUsedSlotCount(CodeGeneratorLexicalContext.java:221)
      at jdk.nashorn.internal.codegen.CodeGenerator.leaveBlock(CodeGenerator.java:1087)
      at jdk.nashorn.internal.ir.Block.accept(Block.java:152)
      at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
      at jdk.nashorn.internal.ir.Block.accept(Block.java:386)
      at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:351)
      at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
      at jdk.nashorn.internal.ir.LexicalContextExpression.accept(LexicalContextExpression.java:46)
      at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:52)
      at jdk.nashorn.internal.codegen.CompilationPhase$11.transform(CompilationPhase.java:424)
      ... 22 more
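A small JSR-223 harness that reproduces the report and classifies the outcome, added here as an example; it is not from the JDK test suite and not part of the fix. It assumes a JDK that still ships the Nashorn engine (JDK 8 through 14, or a later JDK with the standalone nashorn-core jar on the class path); the class and method names are the example's own. The point for anyone fuzzing Nashorn the way the parent task does: the verifier rejection surfaces as java.lang.VerifyError, which extends LinkageError, and with -ea the codegen failure surfaces as AssertionError. Neither is a ScriptException, so a harness that only catches ScriptException is taken down by the first such case instead of logging it. (For context, the bytecode in the verifier message, a7 00 03, is a single goto whose 16-bit offset targets bci 3, one past the end of the 3-byte method; the StackMapTable frame same_frame(@3) refers to that same nonexistent offset, which is what the verifier reports as "bad offset".)

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/**
 * Reproducer and outcome classifier for JDK-8047165 (example code written
 * for this page, not from the JDK). Assumes a JDK whose "nashorn" engine is
 * available: JDK 8 to 14, or nashorn-core on the class path for later JDKs.
 */
public class SwitchBreakReturnRepro {

    // The exact function body from the report: a switch whose default block
    // ends with break, followed by an unreachable return.
    static final String SRC = "switch(0) { default: {break;} return }";

    /** Returns null if the function compiles and runs, otherwise a one-line failure description. */
    static String run(ScriptEngine engine) {
        try {
            // Function(src)() forces Nashorn to compile the body and then
            // invoke it; the crash in the report happens on the recompilation
            // and class-installation path triggered by that first call.
            engine.put("src", SRC);
            engine.eval("Function(src)()");
            return null;
        } catch (ScriptException e) {
            // Ordinary script-level errors (syntax, thrown JS values) arrive here.
            return "ScriptException: " + e.getMessage();
        } catch (LinkageError | AssertionError e) {
            // VerifyError (a LinkageError) is what the stock JVM reports;
            // AssertionError is what the report shows with -ea/-esa.
            // Both are Errors, not Exceptions, so they must be caught
            // explicitly or they escape the harness.
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine == null) {
            System.err.println("no nashorn engine on this JDK");
            System.exit(2);
        }
        String failure = run(engine);
        if (failure == null) {
            System.out.println("OK: function compiled and ran");
        } else {
            System.out.println("FAIL: " + failure);
            System.exit(1);
        }
    }
}
```

Run it with `-ea -esa` to see the AssertionError path from the report instead of the VerifyError path; the harness treats both as a failure of the same case.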


People

Assignee: attila Attila Szegedi
Reporter: sundar Sundararajan Athijegannathan
Votes: 0
Watchers: 1
