Fuzzing results 10/10/2013 (hg tip 03a68e7ca1d5)

André Bargull andrebargull at googlemail.com
Thu Oct 10 00:06:17 PDT 2013 

Re-ran jsfunfuzz with the latest patches applied, results below.

- André




function f() { if(x3, y) x; }

Exception in thread "main" java.lang.AssertionError: DISCARD(x3) has no type
     at jdk.nashorn.internal.ir.Expression.getType(Expression.java:96)
     at 
jdk.nashorn.internal.codegen.BranchOptimizer.branchOptimizer(BranchOptimizer.java:87)
     at 
jdk.nashorn.internal.codegen.BranchOptimizer.branchOptimizer(BranchOptimizer.java:163)
     at 
jdk.nashorn.internal.codegen.BranchOptimizer.execute(BranchOptimizer.java:56)
     at 
jdk.nashorn.internal.codegen.CodeGenerator.enterIfNode(CodeGenerator.java:1158)
     at jdk.nashorn.internal.ir.IfNode.accept(IfNode.java:76)
     at jdk.nashorn.internal.ir.Node.accept(Node.java:291)
     at jdk.nashorn.internal.ir.Block.accept(Block.java:143)
     at 
jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
     at jdk.nashorn.internal.ir.Block.accept(Block.java:361)
     ...



function f(x) { return y, x }

Exception in thread "main" java.lang.AssertionError: Illegal conversion 
object -> <unknown> false false
     at 
jdk.nashorn.internal.codegen.types.ObjectType.convert(ObjectType.java:158)
     at 
jdk.nashorn.internal.codegen.MethodEmitter.convert(MethodEmitter.java:1560)
     at 
jdk.nashorn.internal.codegen.CodeGenerator$1.enterDefault(CodeGenerator.java:500)
     at 
jdk.nashorn.internal.ir.visitor.NodeVisitor.enterBinaryNode(NodeVisitor.java:178)
     at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:165)
     at 
jdk.nashorn.internal.codegen.CodeGenerator.load(CodeGenerator.java:447)
     at 
jdk.nashorn.internal.codegen.CodeGenerator.load(CodeGenerator.java:359)
     at 
jdk.nashorn.internal.codegen.CodeGenerator.enterReturnNode(CodeGenerator.java:1556)
     at jdk.nashorn.internal.ir.ReturnNode.accept(ReturnNode.java:91)
     at jdk.nashorn.internal.ir.Node.accept(Node.java:291)
     ...



function f() { L: {{break L; } return; } }
function f() { L: {if(x2) {break L; } throw x; } }

Exception in thread "main" java.lang.VerifyError: StackMapTable error: 
bad offset
Exception Details:
   Location:
jdk/nashorn/internal/scripts/Script$\^shell\_.f(Ljdk/nashorn/internal/runtime/ScriptFunction;Ljava/lang/Object;)Ljava/lang/Object; 
@0: aload_0
   Reason:
     Invalid stackmap specification.
   Current Frame:
     bci: @12
     flags: { }
     locals: { 'jdk/nashorn/internal/runtime/ScriptFunction', 
'java/lang/Object', 'jdk/nashorn/internal/runtime/ScriptObject' }
     stack: { }
   Bytecode:
     0000000: 2ab6 0018 4da7 0007 0000 00bf
   Stackmap Table:
     full_frame(@8,{},{Object[#53]})
     append_frame(@12,Object[#20],Object[#55],Object[#57])



function f() { switch(x) { default: if(true) break; return; } }
function f() { switch(x) { default: L: break; return; } }

java.lang.NullPointerException
     at jdk.internal.org.objectweb.asm.Frame.merge(Frame.java:1321)
     at 
jdk.internal.org.objectweb.asm.MethodWriter.visitMaxs(MethodWriter.java:1499)
     at 
jdk.nashorn.internal.codegen.MethodEmitter.end(MethodEmitter.java:200)
     at 
jdk.nashorn.internal.codegen.CodeGenerator.leaveFunctionNode(CodeGenerator.java:1125)
     at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:297)
     at 
jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
     at 
jdk.nashorn.internal.ir.LexicalContextExpression.accept(LexicalContextExpression.java:46)
     at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:49)
     at 
jdk.nashorn.internal.codegen.CodeGenerator$1.enterFunctionNode(CodeGenerator.java:478)
     at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:296)
     ...



function f() { Function.call.call(function x() { eval("x") }); eval("x") 
} try { f() } catch(e) { e.printStackTrace() }

java.lang.ClassCastException: Cannot cast 
jdk.nashorn.internal.scripts.JO1P0 to jdk.nashorn.internal.scripts.JO2P0
     at 
sun.invoke.util.ValueConversions.newClassCastException(ValueConversions.java:461)
     at 
sun.invoke.util.ValueConversions.castReference(ValueConversions.java:456)
     at 
jdk.nashorn.internal.scripts.Script$\^shell\_#1\^eval\_.runScript(<shell>#1<eval>:1)
     at 
jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:527)
     at 
jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:204)
     at 
jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:367)
     at jdk.nashorn.internal.runtime.Context.eval(Context.java:465)
     at jdk.nashorn.internal.objects.Global.directEval(Global.java:811)
     at jdk.nashorn.internal.scripts.Script$\^shell\_.f(<shell>:1)
     at jdk.nashorn.internal.scripts.Script$\^shell\_.runScript(<shell>:1)
     ...



function f() { with({}) return eval("arguments", 3/0); } try { f() } 
catch(e) { e.printStackTrace() }

java.lang.NullPointerException
     at 
java.lang.invoke.MethodHandles.guardWithTest(MethodHandles.java:2131)
     at 
jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.guardWithTest(MethodHandleFactory.java:287)
     at 
jdk.nashorn.internal.runtime.WithObject.fixScopeCallSite(WithObject.java:258)
     at jdk.nashorn.internal.runtime.WithObject.lookup(WithObject.java:126)
     at 
jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:75)
     at 
jdk.internal.dynalink.support.CompositeTypeBasedGuardingDynamicLinker.getGuardedInvocation(CompositeTypeBasedGuardingDynamicLinker.java:176)
     at 
jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
     at 
jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:138)
     at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:232)
     at 
jdk.nashorn.internal.scripts.Script$\^shell\_#1\^eval\_.runScript(<shell>#1<eval>:1)
     ...

More information about the nashorn-dev mailing list