Fuzzer bugs
André Bargull
andrebargull at googlemail.com
Fri Nov 28 16:16:36 UTC 2014
It's been a while since the last jsfunfuzz round. :-)
- André
Environment:
jdk9-dev-nashorn
parent: 1109:0c9f3369f3d3 tip
jdk8u-dev-nashorn
parent: 1096:fc37699ddc0e tip
java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
Stacktraces are from jdk9-dev-nashorn, but unless otherwise noted the bugs are also reproducible
under jdk8u-dev-nashorn.
---
Note: Spec compliance and other issues.
jjs> try{ Object.prototype.toLocaleString.call(0) } catch (e) { e.printStackTrace() }
java.lang.ClassCastException: java.lang.Integer cannot be cast to
jdk.nashorn.internal.runtime.ScriptObject
at jdk.nashorn.internal.objects.NativeObject.toLocaleString(NativeObject.java:501)
at jdk.nashorn.internal.scripts.Script$3$\^shell\_.:program(<shell>:1)
at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:636)
at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:229)
at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:387)
at jdk.nashorn.internal.runtime.Context.eval(Context.java:715)
at jdk.nashorn.internal.runtime.Context.eval(Context.java:645)
at jdk.nashorn.tools.Shell.readEvalPrint(Shell.java:450)
at jdk.nashorn.tools.Shell.run(Shell.java:158)
at jdk.nashorn.tools.Shell.main(Shell.java:133)
...
Expected: Returns "0"
Actual: ClassCastException
jjs> Object.defineProperty([], "length", {value: {valueOf: function(){ print("(╯°□°)╯︵ ┻━┻");
return 0; }}})
Expected: Two tables flipped ;-)
Actual: print() only called once
Note: ES5 15.4.5.1, steps 3.c and 3.d require two ToNumber conversions.
jjs> function defLen(arr, len, f) {
var c = false;
Object.defineProperty(arr, "length", {value: {
valueOf: function(){ (!c && (c = true)) && f && f(); return len; }
}});
}
jjs> var a = new Array(0);
jjs> defLen(a, 1, function() {defLen(a, 5); a[2] = "test"; Object.seal(a); });
Expected: Throws TypeError, `a.length` is 3
Actual: No TypeError, `a.length` is 1
Note: There is an ES5 spec bug you need to work around; it is fixed in the ES6 draft
(https://bugs.ecmascript.org/show_bug.cgi?id=1200).
jjs> new ArrayBuffer();
Expected: Throws TypeError (ES6 rev28) or creates a zero-length buffer (see SpiderMonkey, V8, JSC)
Actual: Throws java.lang.RuntimeException
jjs> Function("this = null")()
Expected: Error string does not contain {U%}
Actual: Error string is: 'ReferenceError: "{U%}this" can not be used as the left-hand side of
assignment'
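Also, in jdk.nashorn.internal.runtime.Source#byteToCharArray, detection of UTF-32LE does not work
because its byte-order mark (FF FE 00 00) begins with the UTF-16LE byte-order mark (FF FE), so
UTF-32LE input is presumably classified as UTF-16LE.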
---
Note: The following two bugs need some warm-up; I've tried to reduce the STR (steps to reproduce) as much as possible.
/**
 * Fuzz-harness entry point: compiles the source string `c` and, if that
 * succeeded, executes the resulting function.
 *
 * Kept exactly as posted: the report states that this reproduction needs
 * warm-up, so the code itself is not restructured.
 *
 * @param {string} c - source text used as a function body
 */
function tryItOut(c) {
var f = tryCompiling(c);
// f is null when Function(c) threw. Sources containing the substring
// 'infloop' are compiled but never run; presumably the marker tags code that
// may not terminate (a generated test case later in this report carries an
// /*infloop*/ comment in front of a for loop).
if (f !== null && c.indexOf('infloop') === -1) {
tryRunning(f);
}
}
/**
 * Builds a function whose body is the source string `c`.
 *
 * @param {string} c - source text used as a function body
 * @returns {Function|null} the compiled function, or null if Function(c) threw
 */
function tryCompiling(c) {
// Any exception raised by Function(c) is swallowed on purpose and reported
// to the caller as null, so a rejected input does not stop the run.
try { return Function(c); } catch(e) { return null; }
}
/**
 * Calls `f` with no arguments and returns its result.
 *
 * If the call throws, the exception is swallowed and undefined is returned.
 *
 * @param {Function} f - function produced by tryCompiling
 * @returns {*} the value returned by f(), or undefined if f() threw
 */
function tryRunning(f) {
try {
return f();
} catch (e) {
// Only exceptions that are java.lang.Throwable instances get their stack
// trace printed; anything else is dropped silently. Presumably this
// separates failures coming from the engine/Java side from ordinary
// script errors - confirm against Nashorn's exception mapping.
if (e instanceof java.lang.Throwable) e.printStackTrace();
}
}
// Reduced reproduction sequence. The report says this bug needs warm-up, so
// the calls are kept in the order and form in which they were posted; the
// ClassCastException shown after this listing is the reported result.
tryItOut("return;");
tryItOut("var x = [];");
tryItOut("var y = [];");
tryItOut("var z = [];");
tryItOut("return;");
tryItOut("Math.min");
tryItOut("Math.log");
tryItOut("Math.cos");
tryItOut("Math.max");
tryItOut("Math.sin");
tryItOut("Math.random");
tryItOut("");
tryItOut("return 1e81;");
tryItOut("{}");
tryItOut("((new Function(\"([,,]);\")).apply)(3.14);");
tryItOut("Math.tan");
tryItOut("Math.pow");
tryItOut("([,,]);");
java.lang.ClassCastException: jdk.nashorn.internal.runtime.Undefined cannot be cast to java.lang.Number
at sun.invoke.util.ValueConversions.primitiveConversion(ValueConversions.java:199)
at sun.invoke.util.ValueConversions.unboxDouble(ValueConversions.java:119)
at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:656)
at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:229)
at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:387)
at jdk.nashorn.internal.scripts.Script$Recompilation$10$213A$a.tryRunning(/tmp/a.js:14)
at jdk.nashorn.internal.scripts.Script$Recompilation$7$a.tryItOut(/tmp/a.js:4)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:636)
at jdk.nashorn.internal.scripts.Script$Recompilation$1$a.:program(/tmp/a.js:37)
at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:636)
...
---
/**
 * Fuzz-harness entry point (same helper as in the previous reproduction):
 * compiles the source string `c` and, if that succeeded, executes the
 * resulting function.
 *
 * Kept exactly as posted, because the report states that this reproduction
 * needs warm-up.
 *
 * @param {string} c - source text used as a function body
 */
function tryItOut(c) {
var f = tryCompiling(c);
// f is null when Function(c) threw. Sources containing the substring
// 'infloop' are compiled but never run; presumably the marker tags code that
// may not terminate.
if (f !== null && c.indexOf('infloop') === -1) {
tryRunning(f);
}
}
/**
 * Builds a function whose body is the source string `c`.
 *
 * @param {string} c - source text used as a function body
 * @returns {Function|null} the compiled function, or null if Function(c) threw
 */
function tryCompiling(c) {
// Exceptions from Function(c) are swallowed on purpose and turned into null.
try { return Function(c); } catch(e) { return null; }
}
/**
 * Calls `f` with no arguments and returns its result; an exception thrown by
 * the call is swallowed, in which case undefined is returned.
 *
 * @param {Function} f - function produced by tryCompiling
 * @returns {*} the value returned by f(), or undefined if f() threw
 */
function tryRunning(f) {
try {
return f();
} catch (e) {
// Only java.lang.Throwable instances are printed; every other thrown value
// is ignored.
if (e instanceof java.lang.Throwable) e.printStackTrace();
}
}
// Reduced reproduction sequence for the second warm-up-dependent failure.
// Each string is compiled as a function body, so `x` and `y` are assigned
// without a declaration. The IllegalArgumentException shown after this
// listing is the reported result.
tryItOut("x = 1e-81;");
tryItOut("y = x;");
tryItOut("for(x in (((new Function).call)(true))){}");
tryItOut("(x.constructor = new (new Function)(y));");
java.lang.IllegalArgumentException: target and combiner types must match: (Object,Object)Object !=
(boolean)Object
at java.lang.invoke.MethodHandleStatics.newIllegalArgumentException(MethodHandleStatics.java:109)
at java.lang.invoke.MethodHandles.misMatchedTypes(MethodHandles.java:2775)
at java.lang.invoke.MethodHandles.foldArguments(MethodHandles.java:2714)
at
jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.foldArguments(MethodHandleFactory.java:430)
at
jdk.nashorn.internal.runtime.CompiledFunction.createConstructorFromInvoker(CompiledFunction.java:265)
at jdk.nashorn.internal.runtime.CompiledFunction.getConstructor(CompiledFunction.java:224)
at jdk.nashorn.internal.runtime.CompiledFunction.access$300(CompiledFunction.java:61)
at jdk.nashorn.internal.runtime.CompiledFunction$3.get(CompiledFunction.java:680)
at jdk.nashorn.internal.runtime.CompiledFunction$3.get(CompiledFunction.java:677)
at
jdk.nashorn.internal.runtime.CompiledFunction.getValidOptimisticInvocation(CompiledFunction.java:606)
...
---
jjs> function f() { x3 = function x1(x3) { function (){} }; } f()
Exception in thread "main" java.lang.AssertionError: x3 (slot=-1 ) 1090
at jdk.nashorn.internal.codegen.AssignSymbols.finalizeParameters(AssignSymbols.java:569)
at jdk.nashorn.internal.codegen.AssignSymbols.leaveFunctionNode(AssignSymbols.java:849)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:384)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.LexicalContextExpression.accept(LexicalContextExpression.java:47)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:59)
at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:347)
at jdk.nashorn.internal.ir.ExpressionStatement.accept(ExpressionStatement.java:64)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
...
jjs> Function("L: if(true) {x} if([].sort(function x (x){})) { if (eval(\"this\", 0))
{/a/gireturn;return; } else {/*infloop*/for\t(y; (0); 1 ? /x/ : 1) (this);({a:0});{} }}")
<shell>:1 SyntaxError: <function>:1:81 Unsupported RegExp flag: r
jjs> Function("L: if(true) {x} if([].sort(function x (x){})) { if (eval(\"this\", 0))
{/a/gireturn;return; } else {/*infloop*/for\t(y; (0); 1 ? /x/ : 1) (this);({a:0});{} }}")
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.codegen.AssignSymbols.enterFunctionBody(AssignSymbols.java:494)
at jdk.nashorn.internal.codegen.AssignSymbols.enterBlock(AssignSymbols.java:453)
at jdk.nashorn.internal.ir.Block.accept(Block.java:177)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:384)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.LexicalContextExpression.accept(LexicalContextExpression.java:47)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:59)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
...
jjs> try{ x={}; (function(){ try { throw null; } catch(x) { with({}) return; } finally {
eval("'a'.replace('a', Function.apply)"); }})() }catch(e){e.printStackTrace()}
java.lang.ClassCastException: jdk.nashorn.internal.scripts.JO1P0 cannot be cast to
jdk.nashorn.internal.runtime.WithObject
at jdk.nashorn.internal.runtime.WithObject.withExpressionGuard(WithObject.java:363)
at
jdk.nashorn.internal.scripts.Script$Recompilation$15$\^shell\_#1\!84\^eval\_.:program(<shell>#1:84<eval>:1)
at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:636)
at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:229)
at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:387)
at jdk.nashorn.internal.runtime.Context.eval(Context.java:711)
at jdk.nashorn.internal.objects.Global.directEval(Global.java:941)
at jdk.nashorn.internal.scripts.Script$Recompilation$13$12$\^shell\_.L:1(<shell>:1)
at jdk.nashorn.internal.scripts.Script$Recompilation$11$\^shell\_.:program(<shell>:1)
at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:636)
...
jjs> try{ (function(){ if(false ? (-1) : '' ) {throw false;} else if (x = this) {var x = x; } })() }
catch(e) { e.printStackTrace() }
java.lang.NullPointerException
at jdk.nashorn.internal.codegen.MethodEmitter.pushType(MethodEmitter.java:258)
at jdk.nashorn.internal.codegen.MethodEmitter.loadUndefined(MethodEmitter.java:779)
at jdk.nashorn.internal.codegen.MethodEmitter.emitLocalVariableConversion(MethodEmitter.java:2517)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2492)
at jdk.nashorn.internal.codegen.CodeGenerator.leaveBlock(CodeGenerator.java:1126)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
at jdk.nashorn.internal.codegen.CodeGenerator.enterIfNode(CodeGenerator.java:2025)
at jdk.nashorn.internal.ir.IfNode.accept(IfNode.java:86)
...
jjs> try { function f(){switch(0) { case 8: for (var x in {}) {x} case 8: }} f() } catch(e) {
e.printStackTrace() }
java.lang.NullPointerException
at jdk.nashorn.internal.codegen.MethodEmitter.markDeadSlots(MethodEmitter.java:1154)
at jdk.nashorn.internal.codegen.MethodEmitter.markDeadLocalVariable(MethodEmitter.java:1149)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2494)
at jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:2932)
at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:106)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:55)
at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
...
jjs> try{ (function(){ if(x, false) { return; var x; } else if (x = 0) { } else { x } })()
}catch(e){e.printStackTrace()}
java.lang.NullPointerException
at jdk.nashorn.internal.codegen.MethodEmitter.markDeadSlots(MethodEmitter.java:1154)
at jdk.nashorn.internal.codegen.MethodEmitter.markDeadLocalVariable(MethodEmitter.java:1149)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2494)
at jdk.nashorn.internal.codegen.CodeGenerator.leaveBlock(CodeGenerator.java:1126)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
at jdk.nashorn.internal.codegen.CodeGenerator.enterIfNode(CodeGenerator.java:2025)
at jdk.nashorn.internal.ir.IfNode.accept(IfNode.java:86)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
...
jjs> function f() { function(){}; function(){} } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.ir.Symbol.getFirstSlot(Symbol.java:545)
at jdk.nashorn.internal.codegen.MethodEmitter.markDeadLocalVariable(MethodEmitter.java:1149)
at jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:1202)
at
jdk.nashorn.internal.codegen.CodeGenerator.storeIdentWithCatchConversion(CodeGenerator.java:3201)
at jdk.nashorn.internal.codegen.CodeGenerator.enterVarNode(CodeGenerator.java:3161)
at jdk.nashorn.internal.ir.VarNode.accept(VarNode.java:171)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
...
jjs> try { false.constructor = 0 } catch(e) { e.printStackTrace() }
java.lang.invoke.WrongMethodTypeException: Parameter counts differ: (Object)Object vs.
(Object,int)Object
at jdk.internal.dynalink.support.TypeConverterFactory.asType(TypeConverterFactory.java:236)
at jdk.internal.dynalink.support.LinkerServicesImpl.asType(LinkerServicesImpl.java:126)
at
jdk.internal.dynalink.linker.LinkerServices$Implementation.asTypeLosslessReturn(LinkerServices.java:197)
at
jdk.internal.dynalink.support.LinkerServicesImpl.asTypeLosslessReturn(LinkerServicesImpl.java:131)
at jdk.internal.dynalink.linker.GuardedInvocation.asTypeSafeReturn(GuardedInvocation.java:340)
at jdk.nashorn.internal.runtime.linker.Bootstrap.asTypeSafeReturn(Bootstrap.java:429)
at
jdk.nashorn.internal.runtime.linker.NashornPrimitiveLinker.getGuardedInvocation(NashornPrimitiveLinker.java:70)
at
jdk.internal.dynalink.support.CompositeTypeBasedGuardingDynamicLinker.getGuardedInvocation(CompositeTypeBasedGuardingDynamicLinker.java:176)
at
jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
at
jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:149)
...
jjs> function f() { var x; (x -= x = 0); } f()
Exception in thread "main" java.lang.AssertionError: Attempted load of uninitialized slot 1 (as type
int)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:993)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:955)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:937)
at jdk.nashorn.internal.codegen.CodeGenerator.loadIdent(CodeGenerator.java:318)
at jdk.nashorn.internal.codegen.CodeGenerator.access$400(CodeGenerator.java:183)
at jdk.nashorn.internal.codegen.CodeGenerator$1.enterIdentNode(CodeGenerator.java:725)
at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:138)
at jdk.nashorn.internal.codegen.CodeGenerator.loadExpression(CodeGenerator.java:722)
at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:590)
at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
...
jjs> (function x(x){})
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.codegen.AssignSymbols.enterFunctionBody(AssignSymbols.java:494)
at jdk.nashorn.internal.codegen.AssignSymbols.enterBlock(AssignSymbols.java:453)
at jdk.nashorn.internal.ir.Block.accept(Block.java:177)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:384)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.LexicalContextExpression.accept(LexicalContextExpression.java:47)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:59)
at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:347)
...
jjs> function f() { x; throw null; (function (){ var x; }); } f()
Exception in thread "main" java.lang.AssertionError: Couldn't find scope depth for symbol x in
[object] function {U%}f()
at jdk.nashorn.internal.codegen.CodeGenerator.loadFastScopeProto(CodeGenerator.java:516)
at jdk.nashorn.internal.codegen.CodeGenerator.access$100(CodeGenerator.java:183)
at jdk.nashorn.internal.codegen.CodeGenerator$LoadFastScopeVar.getProto(CodeGenerator.java:483)
at jdk.nashorn.internal.codegen.CodeGenerator$LoadScopeVar.loadStack(CodeGenerator.java:456)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4392)
at jdk.nashorn.internal.codegen.CodeGenerator.loadIdent(CodeGenerator.java:331)
at jdk.nashorn.internal.codegen.CodeGenerator.access$400(CodeGenerator.java:183)
at jdk.nashorn.internal.codegen.CodeGenerator$1.enterIdentNode(CodeGenerator.java:725)
at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:138)
...
jjs> function f() { void null + 0; } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
at jdk.nashorn.internal.codegen.CodeGenerator$14.loadStack(CodeGenerator.java:3575)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4392)
at jdk.nashorn.internal.codegen.CodeGenerator.loadADD(CodeGenerator.java:3582)
at jdk.nashorn.internal.codegen.CodeGenerator$1.enterADD(CodeGenerator.java:872)
...
jjs> function f() { var x; x += void x; } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
at
jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment$1.loadStack(CodeGenerator.java:3700)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
at
jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment.evaluate(CodeGenerator.java:3706)
at jdk.nashorn.internal.codegen.CodeGenerator$Store.store(CodeGenerator.java:4286)
at jdk.nashorn.internal.codegen.CodeGenerator.loadASSIGN_ADD(CodeGenerator.java:3735)
...
jjs> function f(){ var a = true + x, x; } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
at jdk.nashorn.internal.codegen.CodeGenerator$14.loadStack(CodeGenerator.java:3575)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4392)
at jdk.nashorn.internal.codegen.CodeGenerator.loadADD(CodeGenerator.java:3582)
at jdk.nashorn.internal.codegen.CodeGenerator$1.enterADD(CodeGenerator.java:872)
...
jjs> function f(){ try { Object; } catch(x if x >>>=0) { throw x2; } finally { } } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.ir.Symbol.getSlot(Symbol.java:563)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:953)
at jdk.nashorn.internal.codegen.MethodEmitter.emitLocalVariableConversion(MethodEmitter.java:2519)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2492)
at jdk.nashorn.internal.codegen.CodeGenerator.enterThrowNode(CodeGenerator.java:2981)
at jdk.nashorn.internal.ir.ThrowNode.accept(ThrowNode.java:80)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
...
jjs> function f(){ try { return; } catch(x) { return x ^= 0; } finally { throw 0; } } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.ir.Symbol.getSlot(Symbol.java:555)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:953)
at jdk.nashorn.internal.codegen.MethodEmitter.emitLocalVariableConversion(MethodEmitter.java:2519)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2492)
at jdk.nashorn.internal.codegen.CodeGenerator.enterThrowNode(CodeGenerator.java:2981)
at jdk.nashorn.internal.ir.ThrowNode.accept(ThrowNode.java:80)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
...
jjs> function f(){ try { return; } catch(x) { return x ^= Object; } finally { throw Object; } } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.ir.Symbol.getSlot(Symbol.java:558)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:953)
at jdk.nashorn.internal.codegen.MethodEmitter.emitLocalVariableConversion(MethodEmitter.java:2519)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2492)
at jdk.nashorn.internal.codegen.CodeGenerator.enterThrowNode(CodeGenerator.java:2981)
at jdk.nashorn.internal.ir.ThrowNode.accept(ThrowNode.java:80)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
...
jjs> function f() { try { undefined } catch(x1) { try { undefined } catch(x2) { x1 = 0; } } } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.ir.Symbol.getSlot(Symbol.java:558)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:953)
at jdk.nashorn.internal.codegen.MethodEmitter.emitLocalVariableConversion(MethodEmitter.java:2519)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2492)
at jdk.nashorn.internal.codegen.CodeGenerator.leaveBlock(CodeGenerator.java:1126)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
at jdk.nashorn.internal.codegen.CodeGenerator.enterTryNode(CodeGenerator.java:3088)
at jdk.nashorn.internal.ir.TryNode.accept(TryNode.java:110)
...
jjs> function f() { try{ undefined } catch(e if 1) {} } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.codegen.Label$Stack.defineBlockLocalVariable(Label.java:379)
at jdk.nashorn.internal.codegen.MethodEmitter.defineBlockLocalVariable(MethodEmitter.java:1274)
at
jdk.nashorn.internal.codegen.CodeGeneratorLexicalContext.assignSlots(CodeGeneratorLexicalContext.java:242)
at
jdk.nashorn.internal.codegen.CodeGeneratorLexicalContext.onEnterBlock(CodeGeneratorLexicalContext.java:210)
at jdk.nashorn.internal.codegen.CodeGenerator.initLocals(CodeGenerator.java:1671)
at jdk.nashorn.internal.codegen.CodeGenerator.enterBlock(CodeGenerator.java:1113)
at jdk.nashorn.internal.codegen.CodeGenerator.enterTryNode(CodeGenerator.java:3045)
at jdk.nashorn.internal.ir.TryNode.accept(TryNode.java:110)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
...
jjs> function f() { try { undefined } catch(x1 if Object) { } catch(x2) { (function(){x2}) } } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.codegen.CodeGenerator.enterBlock(CodeGenerator.java:1115)
at jdk.nashorn.internal.codegen.CodeGenerator.enterTryNode(CodeGenerator.java:3045)
at jdk.nashorn.internal.ir.TryNode.accept(TryNode.java:110)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
at jdk.nashorn.internal.codegen.CodeGenerator.enterBlockStatement(CodeGenerator.java:1583)
at jdk.nashorn.internal.ir.BlockStatement.accept(BlockStatement.java:86)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
...
jjs> function f() { try { undefined } catch(x4) { var x4; } finally { eval() } } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.codegen.CodeGenerator.initLocals(CodeGenerator.java:1716)
at jdk.nashorn.internal.codegen.CodeGenerator.enterBlock(CodeGenerator.java:1113)
at jdk.nashorn.internal.ir.Block.accept(Block.java:177)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:384)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.LexicalContextExpression.accept(LexicalContextExpression.java:47)
at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:59)
at jdk.nashorn.internal.codegen.CompilationPhase.transformFunction(CompilationPhase.java:732)
...
jjs> Function("L:with(Object in Object)break L;\n{}")()
Exception in thread "main" java.lang.ClassFormatError: Invalid pc in LineNumberTable in class file
jdk/nashorn/internal/scripts/Script$Recompilation$6$1$\^function\_
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:760)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at jdk.nashorn.internal.runtime.ScriptLoader.installClass(ScriptLoader.java:74)
at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.install(Context.java:183)
at jdk.nashorn.internal.codegen.CompilationPhase$14.transform(CompilationPhase.java:556)
at jdk.nashorn.internal.codegen.CompilationPhase.apply(CompilationPhase.java:728)
at jdk.nashorn.internal.codegen.Compiler.compile(Compiler.java:620)
at
jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.compileTypeSpecialization(RecompilableScriptFunctionData.java:513)
at
jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.getBest(RecompilableScriptFunctionData.java:730)
...
jjs> function f() { L: {this = x;break L}} f()
Exception in thread "main" java.lang.VerifyError: StackMapTable error: bad offset
Exception Details:
Location:
jdk/nashorn/internal/scripts/Script$Recompilation$4$1$\^shell\_.f(Ljdk/nashorn/internal/runtime/ScriptFunction;Ljava/lang/Object;)Ljava/lang/Object;
@0: aload_0
Reason:
Invalid stackmap specification.
Current Frame:
bci: @21
flags: { }
locals: { 'jdk/nashorn/internal/runtime/ScriptFunction', 'java/lang/Object',
'jdk/nashorn/internal/runtime/ScriptObject' }
stack: { }
Bytecode:
0x0000000: 2ab6 0014 4d2b 2cba 0020 0000 1222 b800
0x0000010: 2857 a700 03
Stackmap Table:
append_frame(@21,Object[#48])
jjs> function f(){ L:with(this--)break L; } f()
Exception in thread "main" java.lang.VerifyError: StackMapTable error: bad offset
Exception Details:
Location:
jdk/nashorn/internal/scripts/Script$Recompilation$4$\^shell\_.f(Ljava/lang/Object;)Ljava/lang/Object; @0:
aload_0
Reason:
Invalid stackmap specification.
Current Frame:
bci: @13
flags: { }
locals: { 'java/lang/Object' }
stack: { }
Bytecode:
0x0000000: 2a01 1210 b800 16b8 001c a700 03
Stackmap Table:
same_frame(@13)
jjs> function f(){ L:with(Object in Object) break L; } f()
Exception in thread "main" java.lang.VerifyError: StackMapTable error: bad offset
Exception Details:
Location:
jdk/nashorn/internal/scripts/Script$Recompilation$4$\^shell\_.f(Ljdk/nashorn/internal/runtime/ScriptFunction;Ljava/lang/Object;)Ljava/lang/Object;
@0: aload_0
Reason:
Invalid stackmap specification.
Current Frame:
bci: @42
flags: { }
locals: { 'jdk/nashorn/internal/runtime/ScriptFunction', 'java/lang/Object',
'jdk/nashorn/internal/runtime/ScriptObject' }
stack: { }
Bytecode:
0x0000000: 2ab6 0014 4d2c 2cba 0020 0000 2cba 0020
0x0000010: 0000 b800 26b8 002c b800 304d 2cb6 0035
0x0000020: 4da7 0009 2cb6 0035 4dbf
Exception Handler Table:
bci [28, 36] => handler: 36
Stackmap Table:
full_frame(@36,{Object[#16],Object[#61],Object[#50]},{Object[#63]})
same_frame(@42)
----
Note: Only reproducible with jdk9-dev-nashorn.
jjs> try { function f() { eval("get, a") } f() } catch (e) { e.printStackTrace() }
jdk.nashorn.internal.runtime.ParserException: <shell>#1:21<eval>:1:3 Expected ident but found ,
get, a
^
at jdk.nashorn.internal.parser.AbstractParser.error(AbstractParser.java:292)
at jdk.nashorn.internal.parser.AbstractParser.error(AbstractParser.java:277)
at jdk.nashorn.internal.parser.AbstractParser.expectDontAdvance(AbstractParser.java:348)
at jdk.nashorn.internal.parser.AbstractParser.expect(AbstractParser.java:335)
at jdk.nashorn.internal.parser.AbstractParser.getIdentifierName(AbstractParser.java:486)
at jdk.nashorn.internal.parser.Parser.propertyName(Parser.java:2228)
at jdk.nashorn.internal.parser.Parser.propertyGetterFunction(Parser.java:2294)
at jdk.nashorn.internal.parser.Parser.statement(Parser.java:966)
at jdk.nashorn.internal.parser.Parser.sourceElements(Parser.java:787)
at jdk.nashorn.internal.parser.Parser.program(Parser.java:712)
...
jjs> function f(){ L: ({ set prop(){0 = null} }); }
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.parser.ParserContext.pop(ParserContext.java:91)
at jdk.nashorn.internal.parser.Parser.functionExpression(Parser.java:2677)
at jdk.nashorn.internal.parser.Parser.statement(Parser.java:887)
at jdk.nashorn.internal.parser.Parser.sourceElements(Parser.java:787)
at jdk.nashorn.internal.parser.Parser.program(Parser.java:712)
at jdk.nashorn.internal.parser.Parser.parse(Parser.java:281)
at jdk.nashorn.internal.parser.Parser.parse(Parser.java:247)
at jdk.nashorn.internal.runtime.Context.compile(Context.java:1207)
at jdk.nashorn.internal.runtime.Context.eval(Context.java:671)
at jdk.nashorn.internal.runtime.Context.eval(Context.java:641)
...
jjs> function f() { do ; while({ get x()1-- }); }
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.parser.ParserContext.pop(ParserContext.java:91)
at jdk.nashorn.internal.parser.Parser.functionExpression(Parser.java:2677)
at jdk.nashorn.internal.parser.Parser.statement(Parser.java:887)
at jdk.nashorn.internal.parser.Parser.sourceElements(Parser.java:787)
at jdk.nashorn.internal.parser.Parser.program(Parser.java:712)
at jdk.nashorn.internal.parser.Parser.parse(Parser.java:281)
at jdk.nashorn.internal.parser.Parser.parse(Parser.java:247)
at jdk.nashorn.internal.runtime.Context.compile(Context.java:1207)
at jdk.nashorn.internal.runtime.Context.eval(Context.java:671)
at jdk.nashorn.internal.runtime.Context.eval(Context.java:641)
...
jjs> function f() { (x+=void x); } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
at
jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment$1.loadStack(CodeGenerator.java:3700)
at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
at
jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment.evaluate(CodeGenerator.java:3706)
at jdk.nashorn.internal.codegen.CodeGenerator$Store.store(CodeGenerator.java:4286)
at jdk.nashorn.internal.codegen.CodeGenerator.loadASSIGN_ADD(CodeGenerator.java:3735)
...
jjs> function f() { try { Object } catch(x) { (x=y); return; } finally { throw Object; } } f()
Exception in thread "main" java.lang.AssertionError
at jdk.nashorn.internal.ir.Symbol.getSlot(Symbol.java:558)
at jdk.nashorn.internal.codegen.MethodEmitter.load(MethodEmitter.java:953)
at jdk.nashorn.internal.codegen.MethodEmitter.emitLocalVariableConversion(MethodEmitter.java:2519)
at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2492)
at jdk.nashorn.internal.codegen.CodeGenerator.enterThrowNode(CodeGenerator.java:2981)
at jdk.nashorn.internal.ir.ThrowNode.accept(ThrowNode.java:80)
at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
...