Fuzzing results with Nashorn (hg tip f1fd5f0bc84c)

A. Sundararajan sundararajan.athijegannathan at oracle.com
Tue Sep 17 20:51:26 PDT 2013


Thank you!

PS. I am going to file two umbrella bugs for the two batches of issues 
you sent.

Thanks again,
-Sundar


On Tuesday 17 September 2013 11:35 PM, André Bargull wrote:
> Here are the promised fuzzing results. Currently it doesn't make sense 
> to run longer fuzzing sessions because of the first bug below. That 
> one is triggered way too often.
>
> - André
>
>
> Compiler errors:
>
> jjs> Function("for(x.x in 0) {}");
> Exception in thread "main" java.lang.AssertionError
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator.enterForIn(CodeGenerator.java:855)
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator.enterForNode(CodeGenerator.java:807)
>     at jdk.nashorn.internal.ir.ForNode.accept(ForNode.java:90)
>     at 
> jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
>     at 
> jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
>     ...
>
> jjs> Function("switch((null >> x3)) { default: {var x;break ; }\nthrow 
> x; }");
> java.lang.NullPointerException
>     at jdk.internal.org.objectweb.asm.Frame.merge(Frame.java:1321)
>     at 
> jdk.internal.org.objectweb.asm.MethodWriter.visitMaxs(MethodWriter.java:1499)
>     at 
> jdk.nashorn.internal.codegen.MethodEmitter.end(MethodEmitter.java:201)
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator.leaveFunctionNode(CodeGenerator.java:1049)
>     at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:297)
>     ...
>
> jjs> try{Function("switch(x) { case 8: break; case false: 
> }");}catch(e){e.printStackTrace()}
> java.lang.ClassCastException: java.lang.Boolean cannot be cast to 
> java.lang.Integer
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:1844)
>     at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:103)
>     at 
> jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
>     at 
> jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
>     at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
>     ...
>
> jjs> Function("try { return true; } finally { return false; } ");
> Exception in thread "main" java.lang.AssertionError: 
> [BinaryNode at 0x396e2f39#:t$1 (Object) root = [:t$1 (Object)] (object)]
>     [IdentNode at 0x1990a65e#:return (boolean) (slot=1) lhs = ':return' 
> [:return (boolean) (slot=1)] (boolean)]
>     [UnaryNode at 0x25bbf683#:t$1 (Object) rhs convert [:t$1 (Object)] 
> (object)]
>         [LiteralNode$BooleanLiteralNode at 0x7276c8cd#:l$1 (boolean) rhs 
> = 'true' [:l$1 (boolean)] (boolean)]
>
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator.enterASSIGN(CodeGenerator.java:2440)
>     at 
> jdk.nashorn.internal.ir.visitor.NodeOperatorVisitor.enterBinaryNode(NodeOperatorVisitor.java:121)
>     at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:165)
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator$1.enterDefault(CodeGenerator.java:418)
>     at 
> jdk.nashorn.internal.ir.visitor.NodeVisitor.enterBinaryNode(NodeVisitor.java:178)
>     ...
>
> jjs> Function("({ get 1e81(){} })");
> Exception in thread "main" java.lang.ClassFormatError: Illegal method 
> name "_L1$get 1.0e+81" in class 
> jdk/nashorn/internal/scripts/Script$\^function\_
>     at java.lang.ClassLoader.defineClass1(Native Method)
>     at java.lang.ClassLoader.defineClass(ClassLoader.java:752)
>     at 
> jdk.nashorn.internal.runtime.ScriptLoader.installClass(ScriptLoader.java:87)
>     at 
> jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.install(Context.java:125)
>     at jdk.nashorn.internal.codegen.Compiler.install(Compiler.java:408)
>     ...
>
> jjs> Function("{var x, x3;try { return 0; } finally { return 3/0; }  }");
> Exception in thread "main" java.lang.AssertionError: int is not 
> compatible with double
>     at 
> jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
>     at 
> jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:953)
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator$Store$2.enterIdentNode(CodeGenerator.java:3164)
>     at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:123)
>     at 
> jdk.nashorn.internal.codegen.CodeGenerator$Store.epilogue(CodeGenerator.java:3139)
>     ...
>
> jjs> Function("with(x ? 1e81 : (x2.constructor = 0.1)){}")
> Exception in thread "main" java.lang.AssertionError: double is not 
> compatible with object
>     at 
> jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
>     at 
> jdk.nashorn.internal.codegen.MethodEmitter.fixParamStack(MethodEmitter.java:1109)
>     at 
> jdk.nashorn.internal.codegen.MethodEmitter.invoke(MethodEmitter.java:1128)
>     at 
> jdk.nashorn.internal.codegen.MethodEmitter.invokestatic(MethodEmitter.java:1182)
>     at 
> jdk.nashorn.internal.codegen.CompilerConstants$2.invoke(CompilerConstants.java:359)
>     ...
>
> jjs> Function("while(x-=1){var x=0; }")
> Exception in thread "main" java.lang.VerifyError: get long/double 
> overflows locals
> Exception Details:
>   Location:
> jdk/nashorn/internal/scripts/Script$\^function\_._L1(Ljava/lang/Object;)Ljava/lang/Object; 
> @5: dload_2
>   Reason:
>     Local index 2 is invalid
>   Bytecode:
>     0000000: a700 050e 4928 0f67 5c49 b800 339a fff6
>     0000010: b200 2bb0
>   Stackmap Table:
>     append_frame(@3,Top,Double)
>     chop_frame(@5,2)
>
>     at java.lang.Class.getDeclaredFields0(Native Method)
>     at java.lang.Class.privateGetDeclaredFields(Class.java:2476)
>     at java.lang.Class.getDeclaredField(Class.java:1975)
>     at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:417)
>     at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:413)
>     ...
>
> The following scripts have similar VerifyErrors, I think they're related:
> Function("while((x-=false) && 0){var x = this; }");
> Function("/*infloop*/while(x4-=x)var x, x4 = x1;");
> Function("/*infloop*/L:while(x+=null){this;var x =  /x/g ; }");
> Function("while((x1|=0.1) && 0){var x1 = -0, functional; }");
>
> ---
>
> Runtime errors:
>
>
> jjs> try{Function("with({}) return 
> (eval(\"arguments\"));")()}catch(e){e.printStackTrace()}
> java.lang.NullPointerException
>     at 
> java.lang.invoke.MethodHandles.guardWithTest(MethodHandles.java:2131)
>     at 
> jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.guardWithTest(MethodHandleFactory.java:287)
>     at 
> jdk.nashorn.internal.runtime.WithObject.fixScopeCallSite(WithObject.java:258)
>     at 
> jdk.nashorn.internal.runtime.WithObject.lookup(WithObject.java:126)
>     at 
> jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:75)
>     ...
>
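
The session above stalls because one signature keeps recurring. As an added example (not code from the thread or from Nashorn), here is a small JavaScript triage helper that buckets jjs crash output by Java exception class plus the innermost `jdk.nashorn` frame, so a fuzzing loop can put an already-filed signature on an ignore list and only surface new buckets; the sample traces are constructed from the report above, and the `crashSignature`/`triage` names are this example's own.

```javascript
// Added example (not from the thread): bucket crash traces by exception class
// plus innermost jdk.nashorn frame so a fuzzing loop can skip known signatures.
function crashSignature(traceText) {
  // Undo mail-client wrapping of "    at \n<frame>" and strip ">" quote marks.
  const text = traceText.replace(/\bat\s*\n\s*/g, "at ");
  const lines = text.split("\n").map(s => s.replace(/^>\s?/, "").trim()).filter(Boolean);
  // Header line: optional "Exception in thread ..." prefix, then the Java class.
  const head = lines.find(l => /^(Exception in thread "\w+" )?[\w.$]+(Exception|Error)\b/.test(l));
  if (!head) return null;
  const exception = head.replace(/^Exception in thread "\w+" /, "").match(/^[\w.$]+/)[0];
  // Frames are "at pkg.Class.method(File.java:NN)"; keep the qualified method only.
  const frames = lines.filter(l => l.startsWith("at ")).map(l => l.slice(3).replace(/\(.*$/, ""));
  // Prefer the innermost frame in Nashorn's own code: the VerifyError surfaces in
  // java.lang.Class first, but the defect lives in the Nashorn code generator.
  const frame = frames.find(f => f.startsWith("jdk.nashorn.")) || frames[0] || "?";
  return { exception, frame, key: exception + "@" + frame };
}

// Bucket { input, trace } reports by signature and drop keys on the ignore list.
function triage(reports, ignore) {
  const buckets = new Map();
  for (const r of reports) {
    const sig = crashSignature(r.trace);
    if (!sig) continue;
    const b = buckets.get(sig.key) || { count: 0, inputs: [] };
    b.count += 1;
    b.inputs.push(r.input);
    buckets.set(sig.key, b);
  }
  return [...buckets].filter(([key]) => !ignore.has(key)).map(([key, b]) => ({ key, ...b }));
}

// Constructed sample: three traces from the report above (mail wrapping kept),
// the first repeated to mimic the bug that "is triggered way too often".
const FORIN = 'Exception in thread "main" java.lang.AssertionError\n    at \n' +
  'jdk.nashorn.internal.codegen.CodeGenerator.enterForIn(CodeGenerator.java:855)';
const VERIFY = 'Exception in thread "main" java.lang.VerifyError: get long/double \n' +
  'overflows locals\n    at java.lang.Class.getDeclaredFields0(Native Method)\n' +
  '    at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:417)';
const CAST = 'java.lang.ClassCastException: java.lang.Boolean cannot be cast to \n' +
  'java.lang.Integer\n    at \n' +
  'jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:1844)';
const SAMPLE = [
  { input: "for(x.x in 0) {}", trace: FORIN },
  { input: "for(x.x in 0) {}", trace: FORIN },
  { input: "while(x-=1){var x=0; }", trace: VERIFY },
  { input: "switch(x) { case 8: break; case false: }", trace: CAST },
];
const KNOWN = new Set([crashSignature(FORIN).key]); // already filed upstream
console.log(triage(SAMPLE, KNOWN)); // only the two buckets not yet reported
```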
