Fuzzing results with Nashorn (hg tip f1fd5f0bc84c)

André Bargull andrebargull at googlemail.com
Tue Sep 17 11:05:49 PDT 2013 

Here are the promised fuzzing results. Currently it doesn't make sense 
to run longer fuzzing sessions because of the first bug below. That one 
is triggered way too often.

- André


Compiler errors:

jjs> Function("for(x.x in 0) {}");
Exception in thread "main" java.lang.AssertionError
     at 
jdk.nashorn.internal.codegen.CodeGenerator.enterForIn(CodeGenerator.java:855)
     at 
jdk.nashorn.internal.codegen.CodeGenerator.enterForNode(CodeGenerator.java:807)
     at jdk.nashorn.internal.ir.ForNode.accept(ForNode.java:90)
     at 
jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
     at 
jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
     ...

jjs> Function("switch((null >> x3)) { default: {var x;break ; }\nthrow 
x; }");
java.lang.NullPointerException
     at jdk.internal.org.objectweb.asm.Frame.merge(Frame.java:1321)
     at 
jdk.internal.org.objectweb.asm.MethodWriter.visitMaxs(MethodWriter.java:1499)
     at 
jdk.nashorn.internal.codegen.MethodEmitter.end(MethodEmitter.java:201)
     at 
jdk.nashorn.internal.codegen.CodeGenerator.leaveFunctionNode(CodeGenerator.java:1049)
     at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:297)
     ...

jjs> try{Function("switch(x) { case 8: break; case false: 
}");}catch(e){e.printStackTrace()}
java.lang.ClassCastException: java.lang.Boolean cannot be cast to 
java.lang.Integer
     at 
jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:1844)
     at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:103)
     at 
jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
     at 
jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
     at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
     ...

jjs> Function("try { return true; } finally { return false; } ");
Exception in thread "main" java.lang.AssertionError: 
[BinaryNode at 0x396e2f39#:t$1 (Object) root = [:t$1 (Object)] (object)]
     [IdentNode at 0x1990a65e#:return (boolean) (slot=1) lhs = ':return' 
[:return (boolean) (slot=1)] (boolean)]
     [UnaryNode at 0x25bbf683#:t$1 (Object) rhs convert [:t$1 (Object)] 
(object)]
         [LiteralNode$BooleanLiteralNode at 0x7276c8cd#:l$1 (boolean) rhs = 
'true' [:l$1 (boolean)] (boolean)]

     at 
jdk.nashorn.internal.codegen.CodeGenerator.enterASSIGN(CodeGenerator.java:2440)
     at 
jdk.nashorn.internal.ir.visitor.NodeOperatorVisitor.enterBinaryNode(NodeOperatorVisitor.java:121)
     at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:165)
     at 
jdk.nashorn.internal.codegen.CodeGenerator$1.enterDefault(CodeGenerator.java:418)
     at 
jdk.nashorn.internal.ir.visitor.NodeVisitor.enterBinaryNode(NodeVisitor.java:178)
     ...

jjs> Function("({ get 1e81(){} })");
Exception in thread "main" java.lang.ClassFormatError: Illegal method 
name "_L1$get 1.0e+81" in class 
jdk/nashorn/internal/scripts/Script$\^function\_
     at java.lang.ClassLoader.defineClass1(Native Method)
     at java.lang.ClassLoader.defineClass(ClassLoader.java:752)
     at 
jdk.nashorn.internal.runtime.ScriptLoader.installClass(ScriptLoader.java:87)
     at 
jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.install(Context.java:125)
     at jdk.nashorn.internal.codegen.Compiler.install(Compiler.java:408)
     ...

jjs> Function("{var x, x3;try { return 0; } finally { return 3/0; }  }");
Exception in thread "main" java.lang.AssertionError: int is not 
compatible with double
     at 
jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
     at 
jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:953)
     at 
jdk.nashorn.internal.codegen.CodeGenerator$Store$2.enterIdentNode(CodeGenerator.java:3164)
     at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:123)
     at 
jdk.nashorn.internal.codegen.CodeGenerator$Store.epilogue(CodeGenerator.java:3139)
     ...

jjs> Function("with(x ? 1e81 : (x2.constructor = 0.1)){}")
Exception in thread "main" java.lang.AssertionError: double is not 
compatible with object
     at 
jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
     at 
jdk.nashorn.internal.codegen.MethodEmitter.fixParamStack(MethodEmitter.java:1109)
     at 
jdk.nashorn.internal.codegen.MethodEmitter.invoke(MethodEmitter.java:1128)
     at 
jdk.nashorn.internal.codegen.MethodEmitter.invokestatic(MethodEmitter.java:1182)
     at 
jdk.nashorn.internal.codegen.CompilerConstants$2.invoke(CompilerConstants.java:359)
     ...

jjs> Function("while(x-=1){var x=0; }")
Exception in thread "main" java.lang.VerifyError: get long/double 
overflows locals
Exception Details:
   Location:
jdk/nashorn/internal/scripts/Script$\^function\_._L1(Ljava/lang/Object;)Ljava/lang/Object; 
@5: dload_2
   Reason:
     Local index 2 is invalid
   Bytecode:
     0000000: a700 050e 4928 0f67 5c49 b800 339a fff6
     0000010: b200 2bb0
   Stackmap Table:
     append_frame(@3,Top,Double)
     chop_frame(@5,2)

     at java.lang.Class.getDeclaredFields0(Native Method)
     at java.lang.Class.privateGetDeclaredFields(Class.java:2476)
     at java.lang.Class.getDeclaredField(Class.java:1975)
     at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:417)
     at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:413)
     ...

The following scripts have similar VerifyErrors, I think they're related:
Function("while((x-=false) && 0){var x = this; }");
Function("/*infloop*/while(x4-=x)var x, x4 = x1;");
Function("/*infloop*/L:while(x+=null){this;var x =  /x/g ; }");
Function("while((x1|=0.1) && 0){var x1 = -0, functional; }");

---

Runtime errors:


jjs> try{Function("with({}) return 
(eval(\"arguments\"));")()}catch(e){e.printStackTrace()}
java.lang.NullPointerException
     at 
java.lang.invoke.MethodHandles.guardWithTest(MethodHandles.java:2131)
     at 
jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.guardWithTest(MethodHandleFactory.java:287)
     at 
jdk.nashorn.internal.runtime.WithObject.fixScopeCallSite(WithObject.java:258)
     at jdk.nashorn.internal.runtime.WithObject.lookup(WithObject.java:126)
     at 
jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:75)
     ...

More information about the nashorn-dev mailing list