Okay, I tracked this down to an incorrect optimization in code generator for when you use >>=0 to coerce to an uint32 :-(
There is a special case for exactly this usage, where the right-hand-side operand is a literal 0, so we avoid emitting a no-op “ICONST_0; IUSHR” bytecode sequence. It unfortunately wasn’t working correctly for when the left-hand-side operand of a compound-assignment-shift-right was either a property or element access expression (either “obj.foo” or “obj[x]”) Decomposing the compound assignment into an explicit shift and assignment would work around the problem for now: this.length = this.length >>> 0; // Coerce to uint32. I filed <https://bugs.openjdk.java.net/browse/JDK-8170594 <https://bugs.openjdk.java.net/browse/JDK-8170594>> and have a fix for it. Attila. > On 01 Dec 2016, at 13:01, Attila Szegedi <szege...@gmail.com> wrote: > > Running with assertions enabled shows that the error is in “this.length > >>>=0” expression on line 31. Reducing the testcase to just: > > (function (p) { > if (p) { > this.length >>>= 0; // Coerce to uint32. > } > })(false) > > also reproduces the problem (at least, the assertion; it will cause a > somewhat different issue without assertions). > > Attila. > >> On 01 Dec 2016, at 12:18, Frantzius, Jörg <joerg.frantz...@aperto.com> wrote: >> >> Hi Sunda, >> >> you can reproduce by putting the following into a test.js file and executing >> it using jjs. >> >> ======== snip ============= >> >> function Buffer(subject, encoding) { >> if (!util.isBuffer(this)) >> return new Buffer(subject, encoding); >> >> if (util.isNumber(subject)) { >> this.length = +subject; >> >> } else if (util.isString(subject)) { >> if (!util.isString(encoding) || encoding.length === 0) >> encoding = 'utf8'; >> this.length = Buffer.byteLength(subject, encoding); >> >> // Handle Arrays, Buffers, Uint8Arrays or JSON. >> } else if (util.isObject(subject)) { >> if (subject.type === 'Buffer' && util.isArray(subject.data)) >> subject = subject.data; >> this.length = +subject.length; >> >> } else { >> throw new TypeError('must start with number, buffer, array or string'); >> } >> >> if (this.length > kMaxLength) { >> throw new RangeError('Attempt to allocate Buffer larger than maximum ' + >> 'size: 0x' + kMaxLength.toString(16) + ' bytes'); >> } >> >> if (this.length < 0) >> this.length = 0; >> else >> this.length >>>= 0; // Coerce to uint32. >> >> this.parent = undefined; >> if (this.length <= (Buffer.poolSize >>> 1) && this.length > 0) { >> if (this.length > poolSize - poolOffset) >> createPool(); >> this.parent = sliceOnto(allocPool, >> this, >> poolOffset, >> poolOffset + this.length); >> poolOffset += this.length; >> >> // Ensure aligned slices >> if (poolOffset & 0x7) { >> poolOffset |= 0x7; >> poolOffset++; >> } >> } else { >> alloc(this, this.length); >> } >> >> if (util.isNumber(subject)) { >> return; >> } >> >> if (util.isString(subject)) { >> // In the case of base64 it's possible that the size of the buffer >> // allocated was slightly too large. In this case we need to rewrite >> // the length to the actual length written. >> var len = this.write(subject, encoding); >> // Buffer was truncated after decode, realloc internal ExternalArray >> if (len !== this.length) { >> var prevLen = this.length; >> this.length = len; >> truncate(this, this.length); >> // Only need to readjust the poolOffset if the allocation is a slice. >> if (this.parent != undefined) >> poolOffset -= (prevLen - len); >> } >> >> } else if (util.isBuffer(subject)) { >> subject.copy(this, 0, 0, this.length); >> >> } else if (util.isNumber(subject.length) || util.isArray(subject)) { >> // Really crappy way to handle Uint8Arrays, but V8 doesn't give a simple >> // way to access the data from the C++ API. >> for (var i = 0; i < this.length; i++) >> this[i] = subject[i]; >> } >> } >> >> new Buffer(1024); >> >> ========== snip ============== >> >> >> I’ll hopefully get my OCA signed and sent in soon, so I can contribute in >> JIRA. >> >> Regards, >> Jörg >> >> >> --- >> >> Dipl. Inf. Jörg von Frantzius, Technical Director >> >> E-Mail joerg.frantz...@aperto.com >> >> Phone +49 30 283921-318 >> Fax +49 30 283921-29 >> >> Aperto GmbH – An IBM Company >> Chausseestraße 5, D-10115 Berlin >> http://www.aperto.com<http://www.aperto.de/> >> http://www.facebook.com/aperto >> https://www.xing.com/companies/apertoag >> >> HRB 77049 B, AG Berlin Charlottenburg >> Geschäftsführer: Dirk Buddensiek, Kai Großmann, Stephan Haagen, Daniel Simon >> >> Am 01.12.2016 um 07:46 schrieb Sundararajan Athijegannathan >> <sundararajan.athijegannat...@oracle.com<mailto:sundararajan.athijegannat...@oracle.com>>: >> >> Is there a simple reduced test case that we can use it to reproduce the >> issue you're seeing? Please send us the same and we'll file a bug (or you >> may do that as well). >> >> Thanks, >> -Sundar >> >> On 29/11/16, 11:11 PM, Frantzius, Jörg wrote: >> Hi, >> >> with JDK 1.8.0_112 (on Mac OS X) I’m running into the following error. When >> querying >> bugs.openjdk.java.net<http://bugs.openjdk.java.net><http://bugs.openjdk.java.net> >> for "Current frame's stack size doesn't match stackmap“, I only found bugs >> dating from 2013, so this may not be known yet? >> >> Unfortunately I can’t see the Javascript file name or line number in the >> error message. The last known source location node/lib/fs.js:374 that I can >> step to in the Netbeans debugger is calling a constructor „Buffer(size)“, >> which is likely this source: >> https://github.com/nodejs/node/blob/v0.12.7-release/lib/buffer.js#L48 >> >> Following is the error message: >> >> java.lang.VerifyError: Inconsistent stackmap frames at branch target 404 >> Exception Details: >> Location: >> >> jdk/nashorn/internal/scripts/Script$Recompilation$414$1806AA$\^function\_.L:1#Buffer(Ljdk/nashorn/internal/runtime/ScriptFunction;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object; >> @382: goto >> Reason: >> Current frame's stack size doesn't match stackmap. >> Current Frame: >> bci: @382 >> flags: { } >> locals: { 'jdk/nashorn/internal/runtime/ScriptFunction', >> 'java/lang/Object', 'java/lang/Object', 'java/lang/Object', >> 'jdk/nashorn/internal/runtime/ScriptObject' } >> stack: { } >> Stackmap Frame: >> bci: @404 >> flags: { } >> locals: { 'jdk/nashorn/internal/runtime/ScriptFunction', >> 'java/lang/Object', 'java/lang/Object', 'java/lang/Object', >> 'jdk/nashorn/internal/runtime/ScriptObject' } >> stack: { 'java/lang/Object' } >> Bytecode: >> 0x0000000: 2ab6 0014 3a04 1904 ba00 2000 0059 ba00 >> 0x0000010: 2300 005f 2bba 0027 0000 9a00 1219 04ba >> 0x0000020: 002a 0000 2c2d ba00 2e00 00b0 1904 ba00 >> 0x0000030: 2000 0059 ba00 3100 005f 2cba 0034 0000 >> 0x0000040: 9900 102b 2cb8 003a ba00 3e00 00a7 00d5 >> 0x0000050: 1904 ba00 2000 0059 ba00 4100 005f 2cba >> 0x0000060: 0044 0000 9900 4d19 04ba 0020 0000 59ba >> 0x0000070: 0041 0000 5f2d ba00 4400 0099 0012 2dba >> 0x0000080: 0047 0000 b800 4a03 8798 9a00 0912 4cb8 >> 0x0000090: 0050 4e2b 1904 ba00 5500 0059 ba00 5800 >> 0x00000a0: 005f 2c2d ba00 5c00 00ba 005f 0000 a700 >> 0x00000b0: 7419 04ba 0020 0000 59ba 0062 0000 5f2c >> 0x00000c0: ba00 6500 0099 0043 2cba 0068 0000 126a >> 0x00000d0: b800 7099 0026 1904 ba00 2000 0059 ba00 >> 0x00000e0: 7300 005f 2cba 0076 0000 ba00 7900 0099 >> 0x00000f0: 000a 2cba 0076 0000 4d2b 2cba 007b 0000 >> 0x0000100: ba00 3e00 00a7 001d 1904 b600 80ba 0083 >> 0x0000110: 0000 1285 ba00 8900 0012 8b10 4507 b800 >> 0x0000120: 91bf 2bba 0047 0000 1904 ba00 9400 00b8 >> 0x0000130: 0097 9900 3a19 04b6 0080 ba00 9a00 0012 >> 0x0000140: 9c19 04ba 0094 0000 59ba 009f 0000 5f10 >> 0x0000150: 10ba 00a3 0000 b800 a712 a9b8 00a7 ba00 >> 0x0000160: ac00 0012 8b10 4907 b800 91bf 2bba 007b >> 0x0000170: 0000 0e98 9c00 0d2b 03ba 00af 0000 a700 >> 0x0000180: 162b 592b ba00 4700 00b8 00b3 b800 b7ba >> 0x0000190: 003e 0000 2b19 04b6 0080 ba00 ba00 00ba >> 0x00001a0: 00bd 0000 2bba 0047 0000 1904 ba00 5500 >> 0x00001b0: 00ba 00c0 0000 047c b800 b75d 58b8 003a >> 0x00001c0: 5e58 989d 00c3 2bba 007b 0000 0e97 9e00 >> 0x00001d0: b82b ba00 4700 0019 04ba 00c2 0000 1904 >> 0x00001e0: ba00 c500 005f b800 3a5d 58b8 003a 675d >> 0x00001f0: 58b8 003a 5e58 979e 0013 1904 ba00 c800 >> 0x0000200: 00b2 00cc ba00 d000 0057 2b19 04ba 00d3 >> 0x0000210: 0000 b200 cc19 04ba 00d6 0000 2b19 04ba >> 0x0000220: 00c5 0000 1904 ba00 c500 002b ba00 4700 >> 0x0000230: 00b8 00a7 ba00 da00 00ba 00bd 0000 1904 >> 0x0000240: 1904 ba00 c500 002b ba00 4700 00b8 00a7 >> 0x0000250: ba00 dd00 0019 04ba 00df 0000 1007 7e99 >> 0x0000260: 0024 1904 1904 ba00 df00 0010 0780 ba00 >> 0x0000270: e100 0019 0419 04ba 00e3 0000 0f63 ba00 >> 0x0000280: e500 00a7 001a 1904 ba00 e800 00b2 00cc >> 0x0000290: 2b2b ba00 4700 00ba 00ec 0000 5719 04ba >> 0x00002a0: 0020 0000 59ba 0031 0000 5f2c ba00 3400 >> 0x00002b0: 0099 0007 b200 ccb0 1904 ba00 2000 0059 >> 0x00002c0: ba00 4100 005f 2cba 0044 0000 9900 8b2b >> 0x00002d0: 59ba 00ef 0000 5f2c 2dba 00f2 0000 3a05 >> 0x00002e0: 1905 2bba 0047 0000 b800 f599 0064 2bba >> 0x00002f0: 0047 0000 3a06 2b19 05ba 005f 0000 1904 >> 0x0000300: ba00 f800 00b2 00cc 2b2b ba00 4700 00ba >> 0x0000310: 00fb 0000 572b ba00 fe00 0019 04b6 0080 >> 0x0000320: ba00 ba00 00b8 0101 9900 2419 0419 04ba >> 0x0000330: 00c5 0000 1906 b800 3a19 05b8 003a 675d >> 0x0000340: 58b8 003a 5e58 67ba 00e5 0000 a700 08b2 >> 0x0000350: 00cc 3a06 a700 9e19 04ba 0020 0000 59ba >> 0x0000360: 0023 0000 5f2c ba00 2700 0099 001d 2c59 >> 0x0000370: ba01 0400 005f 2b03 032b ba00 4700 00ba >> 0x0000380: 0108 0000 57a7 0063 1904 ba00 2000 0059 >> 0x0000390: ba00 3100 005f 2cba 0047 0000 ba00 3400 >> 0x00003a0: 009a 001a 1904 ba00 2000 0059 ba00 7300 >> 0x00003b0: 005f 2cba 0079 0000 9900 3003 3607 1507 >> 0x00003c0: 8739 0818 082b ba00 7b00 0098 9c00 1c2b >> 0x00003d0: 1808 2c18 08ba 010e 0000 ba01 1200 0018 >> 0x00003e0: 080f 6339 08a7 ffde b200 cc3a 06b2 00cc >> 0x00003f0: 3a05 b200 ccb0 >> Stackmap Table: >> append_frame(@44,Object[#125]) >> same_frame(@80) >> same_frame(@141) >> same_frame(@147) >> same_frame(@177) >> same_frame_extended(@249) >> same_frame(@264) >> same_frame(@290) >> same_frame_extended(@364) >> same_frame(@385) >> same_locals_1_stack_item_frame(@404,Object[#286]) >> same_locals_1_stack_item_extended(@522,Object[#286]) >> same_locals_1_stack_item_extended(@643,Object[#286]) >> same_locals_1_stack_item_frame(@646,Object[#286]) >> same_locals_1_stack_item_frame(@669,Object[#286]) >> same_locals_1_stack_item_frame(@696,Object[#286]) >> >> full_frame(@844,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286],Object[#286]},{Object[#286]}) >> >> full_frame(@847,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286]},{Object[#286]}) >> >> full_frame(@852,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286],Object[#286]},{Object[#286]}) >> >> full_frame(@855,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125]},{Object[#286]}) >> same_locals_1_stack_item_frame(@904,Object[#286]) >> same_locals_1_stack_item_frame(@955,Object[#286]) >> >> full_frame(@963,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Top,Top,Integer,Double},{Object[#286]}) >> >> full_frame(@1000,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125]},{Object[#286]}) >> >> full_frame(@1010,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286],Object[#286]},{Object[#286]}) >> >> at java.lang.Class.getDeclaredFields0(Native Method) >> at java.lang.Class.privateGetDeclaredFields(Class.java:2583) >> at java.lang.Class.getDeclaredField(Class.java:2068) >> at >> jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1.run(Context.java:209) >> at >> jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1.run(Context.java:204) >> at java.security.AccessController.doPrivileged(Native Method) >> at >> jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.initialize(Context.java:204) >> at >> jdk.nashorn.internal.codegen.CompilationPhase$InstallPhase.transform(CompilationPhase.java:508) >> at >> jdk.nashorn.internal.codegen.CompilationPhase.apply(CompilationPhase.java:624) >> at jdk.nashorn.internal.codegen.Compiler.compile(Compiler.java:655) >> at >> jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.compileTypeSpecialization(RecompilableScriptFunctionData.java:725) >> at >> jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.getBest(RecompilableScriptFunctionData.java:905) >> at >> jdk.nashorn.internal.runtime.ScriptFunctionData.getBest(ScriptFunctionData.java:375) >> at >> jdk.nashorn.internal.runtime.ScriptFunctionData.getBestConstructor(ScriptFunctionData.java:247) >> at >> jdk.nashorn.internal.runtime.ScriptFunction.findNewMethod(ScriptFunction.java:758) >> at jdk.nashorn.internal.runtime.ScriptObject.lookup(ScriptObject.java:1827) >> at >> jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:104) >> at >> jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:98) >> at >> jdk.internal.dynalink.support.CompositeTypeBasedGuardingDynamicLinker.getGuardedInvocation(CompositeTypeBasedGuardingDynamicLinker.java:176) >> at >> jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124) >> at >> jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:154) >> at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:253) >> at >> jdk.nashorn.internal.scripts.Script$Recompilation$402$9044AA$\^function\_.L:1#readFileSync(node/lib/fs.js:374) >> [..] >> >> Any help or hints would be very appreciated! >> >> Regards, >> Jörg >> >> --- >> >> Dipl. Inf. Jörg von Frantzius, Technical Director >> >> E-Mail joerg.frantz...@aperto.com<mailto:joerg.frantz...@aperto.com> >> >> Phone +49 30 283921-318 >> Fax +49 30 283921-29 >> >> Aperto GmbH – An IBM Company >> Chausseestraße 5, D-10115 Berlin >> http://www.aperto.com<http://www.aperto.de/> >> http://www.facebook.com/aperto >> https://www.xing.com/companies/apertoag >> >> HRB 77049 B, AG Berlin Charlottenburg >> Vorstand: Dirk Buddensiek (Vorsitzender), Kai Großmann, Stephan Haagen, >> Daniel Simon >> Aufsichtsrat: Matthew Candy (Vorsitzender) >> >> >