Thank you!

PS. I am going to file two umbrella bugs for the two batches of issues you sent.

Thanks again,
-Sundar


On Tuesday 17 September 2013 11:35 PM, André Bargull wrote:
Here are the promised fuzzing results. Currently it doesn't make sense to run longer fuzzing sessions because of the first bug below. That one is triggered way too often.

- André


Compiler errors:

jjs> Function("for(x.x in 0) {}");
Exception in thread "main" java.lang.AssertionError
    at jdk.nashorn.internal.codegen.CodeGenerator.enterForIn(CodeGenerator.java:855)
    at jdk.nashorn.internal.codegen.CodeGenerator.enterForNode(CodeGenerator.java:807)
    at jdk.nashorn.internal.ir.ForNode.accept(ForNode.java:90)
    at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
    at jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
    ...

jjs> Function("switch((null >> x3)) { default: {var x;break ; }\nthrow x; }");
java.lang.NullPointerException
    at jdk.internal.org.objectweb.asm.Frame.merge(Frame.java:1321)
    at jdk.internal.org.objectweb.asm.MethodWriter.visitMaxs(MethodWriter.java:1499)
    at jdk.nashorn.internal.codegen.MethodEmitter.end(MethodEmitter.java:201)
    at jdk.nashorn.internal.codegen.CodeGenerator.leaveFunctionNode(CodeGenerator.java:1049)
    at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:297)
    ...

jjs> try{Function("switch(x) { case 8: break; case false: }");}catch(e){e.printStackTrace()}
java.lang.ClassCastException: java.lang.Boolean cannot be cast to java.lang.Integer
    at jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:1844)
    at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:103)
    at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
    at jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
    at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
    ...

jjs> Function("try { return true; } finally { return false; } ");
Exception in thread "main" java.lang.AssertionError: [BinaryNode@0x396e2f39#:t$1 (Object) root = [:t$1 (Object)] (object)] [IdentNode@0x1990a65e#:return (boolean) (slot=1) lhs = ':return' [:return (boolean) (slot=1)] (boolean)] [UnaryNode@0x25bbf683#:t$1 (Object) rhs convert [:t$1 (Object)] (object)] [LiteralNode$BooleanLiteralNode@0x7276c8cd#:l$1 (boolean) rhs = 'true' [:l$1 (boolean)] (boolean)]
    at jdk.nashorn.internal.codegen.CodeGenerator.enterASSIGN(CodeGenerator.java:2440)
    at jdk.nashorn.internal.ir.visitor.NodeOperatorVisitor.enterBinaryNode(NodeOperatorVisitor.java:121)
    at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:165)
    at jdk.nashorn.internal.codegen.CodeGenerator$1.enterDefault(CodeGenerator.java:418)
    at jdk.nashorn.internal.ir.visitor.NodeVisitor.enterBinaryNode(NodeVisitor.java:178)
    ...

jjs> Function("({ get 1e81(){} })");
Exception in thread "main" java.lang.ClassFormatError: Illegal method name "_L1$get 1.0e+81" in class jdk/nashorn/internal/scripts/Script$\^function\_
    at java.lang.ClassLoader.defineClass1(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:752)
    at jdk.nashorn.internal.runtime.ScriptLoader.installClass(ScriptLoader.java:87)
    at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.install(Context.java:125)
    at jdk.nashorn.internal.codegen.Compiler.install(Compiler.java:408)
    ...

jjs> Function("{var x, x3;try { return 0; } finally { return 3/0; }  }");
Exception in thread "main" java.lang.AssertionError: int is not compatible with double
    at jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
    at jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:953)
    at jdk.nashorn.internal.codegen.CodeGenerator$Store$2.enterIdentNode(CodeGenerator.java:3164)
    at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:123)
    at jdk.nashorn.internal.codegen.CodeGenerator$Store.epilogue(CodeGenerator.java:3139)
    ...

jjs> Function("with(x ? 1e81 : (x2.constructor = 0.1)){}")
Exception in thread "main" java.lang.AssertionError: double is not compatible with object
    at jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
    at jdk.nashorn.internal.codegen.MethodEmitter.fixParamStack(MethodEmitter.java:1109)
    at jdk.nashorn.internal.codegen.MethodEmitter.invoke(MethodEmitter.java:1128)
    at jdk.nashorn.internal.codegen.MethodEmitter.invokestatic(MethodEmitter.java:1182)
    at jdk.nashorn.internal.codegen.CompilerConstants$2.invoke(CompilerConstants.java:359)
    ...

jjs> Function("while(x-=1){var x=0; }")
Exception in thread "main" java.lang.VerifyError: get long/double overflows locals
Exception Details:
  Location:
jdk/nashorn/internal/scripts/Script$\^function\_._L1(Ljava/lang/Object;)Ljava/lang/Object; @5: dload_2
  Reason:
    Local index 2 is invalid
  Bytecode:
    0000000: a700 050e 4928 0f67 5c49 b800 339a fff6
    0000010: b200 2bb0
  Stackmap Table:
    append_frame(@3,Top,Double)
    chop_frame(@5,2)

    at java.lang.Class.getDeclaredFields0(Native Method)
    at java.lang.Class.privateGetDeclaredFields(Class.java:2476)
    at java.lang.Class.getDeclaredField(Class.java:1975)
    at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:417)
    at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:413)
    ...

The following scripts have similar VerifyErrors; I think they're related:
Function("while((x-=false) && 0){var x = this; }");
Function("/*infloop*/while(x4-=x)var x, x4 = x1;");
Function("/*infloop*/L:while(x+=null){this;var x =  /x/g ; }");
Function("while((x1|=0.1) && 0){var x1 = -0, functional; }");

---

Runtime errors:


jjs> try{Function("with({}) return (eval(\"arguments\"));")()}catch(e){e.printStackTrace()}
java.lang.NullPointerException
    at java.lang.invoke.MethodHandles.guardWithTest(MethodHandles.java:2131)
    at jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.guardWithTest(MethodHandleFactory.java:287)
    at jdk.nashorn.internal.runtime.WithObject.fixScopeCallSite(WithObject.java:258)
    at jdk.nashorn.internal.runtime.WithObject.lookup(WithObject.java:126)
    at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:75)
    ...
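One way to turn a report like this into a regression check, as an added example that is not part of the original thread and not Nashorn's own code: a small Java harness that feeds each reproducer above to the Nashorn engine through the standard javax.script API and records whether the engine fails cleanly (a ScriptException, which is the documented contract for syntax and runtime errors) or an internal Throwable escapes (the AssertionError, VerifyError, ClassFormatError, NullPointerException and ClassCastException seen in the traces above), which is the signature of an engine bug rather than a bad script. The class name and the Outcome categories are my own; the harness assumes a JDK that ships Nashorn (8 through 14) and must be started with `-ea` so the codegen assertions fire as they do in the jjs sessions above. On a build where these bugs are fixed every case should report OK; any ENGINE_CRASH is a regression.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical regression harness (not part of Nashorn): runs each reproducer
 * from the fuzzing report and classifies how the engine failed, if at all.
 * Start with "java -ea NashornCrashTriage" so internal assertions are enabled.
 */
public class NashornCrashTriage {

    // Reproducers copied from the report. Each snippet asks Function() to compile
    // the embedded source; the bugs are in compilation, so nothing is invoked.
    static final String[] COMPILE_CASES = {
        "Function(\"for(x.x in 0) {}\")",
        "Function(\"switch((null >> x3)) { default: {var x;break ; }\\nthrow x; }\")",
        "Function(\"switch(x) { case 8: break; case false: }\")",
        "Function(\"try { return true; } finally { return false; } \")",
        "Function(\"({ get 1e81(){} })\")",
        "Function(\"{var x, x3;try { return 0; } finally { return 3/0; }  }\")",
        "Function(\"with(x ? 1e81 : (x2.constructor = 0.1)){}\")",
        "Function(\"while(x-=1){var x=0; }\")",
        "Function(\"while((x-=false) && 0){var x = this; }\")",
        "Function(\"/*infloop*/while(x4-=x)var x, x4 = x1;\")",
        "Function(\"/*infloop*/L:while(x+=null){this;var x =  /x/g ; }\")",
        "Function(\"while((x1|=0.1) && 0){var x1 = -0, functional; }\")",
    };

    // The runtime case from the report also calls the compiled function.
    static final String RUNTIME_CASE =
        "Function(\"with({}) return (eval(\\\"arguments\\\"));\")()";

    enum Outcome { OK, SCRIPT_ERROR, ENGINE_CRASH }

    /** Evaluate one snippet and say whether the engine failed cleanly or internally. */
    static Outcome classify(ScriptEngine engine, String snippet) {
        try {
            engine.eval(snippet);
            return Outcome.OK;
        } catch (ScriptException e) {
            // Expected path: a JavaScript-level syntax or runtime error surfaced to the caller.
            return Outcome.SCRIPT_ERROR;
        } catch (Throwable t) {
            // AssertionError, VerifyError, ClassFormatError, NPE, CCE: the error escaped the
            // engine's own handling, which is the compiler/runtime defect being reported.
            return Outcome.ENGINE_CRASH;
        }
    }

    public static void main(String[] args) {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine == null) {
            throw new IllegalStateException("Nashorn engine not available (shipped in JDK 8 to 14)");
        }
        Map<String, Outcome> results = new LinkedHashMap<>();
        for (String c : COMPILE_CASES) {
            results.put(c, classify(engine, c));
        }
        results.put(RUNTIME_CASE, classify(engine, RUNTIME_CASE));

        int crashes = 0;
        for (Map.Entry<String, Outcome> e : results.entrySet()) {
            System.out.printf("%-13s %s%n", e.getValue(), e.getKey());
            if (e.getValue() == Outcome.ENGINE_CRASH) {
                crashes++;
            }
        }
        System.out.println(crashes + " engine-internal failure(s)");
        // Non-zero exit so a CI job fails when any reproducer still crashes the engine.
        System.exit(crashes == 0 ? 0 : 1);
    }
}
```

The distinction the harness draws is the one that matters when triaging fuzz output: a ScriptException means the engine rejected or failed the script through its normal error path, while any other Throwable reaching the caller means a fuzzer found a path where the compiler or runtime lost track of its own invariants, exactly the class of bug the traces above show.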

