java.lang.VerifyError: Inconsistent stackmap frames at branch target

Attila Szegedi szegedia at gmail.com
Thu Dec 1 12:57:10 UTC 2016


Okay, I tracked this down to an incorrect optimization in code generator for when you use >>=0 to coerce to an uint32 :-( 

There is a special case for exactly this usage, where the right-hand-side operand is a literal 0, so we avoid emitting a no-op “ICONST_0; IUSHR” bytecode sequence. It unfortunately wasn’t working correctly for when the left-hand-side operand of a compound-assignment-shift-right was either a property or element access expression (either “obj.foo” or “obj[x]”)

Decomposing the compound assignment into an explicit shift and assignment would work around the problem for now:

   this.length = this.length >>> 0;  // Coerce to uint32.

I filed <https://bugs.openjdk.java.net/browse/JDK-8170594 <https://bugs.openjdk.java.net/browse/JDK-8170594>> and have a fix for it.

Attila.

> On 01 Dec 2016, at 13:01, Attila Szegedi <szegedia at gmail.com> wrote:
> 
> Running with assertions enabled shows that the error is in “this.length >>>=0” expression on line 31. Reducing the testcase to just:
> 
> (function (p) {
> if (p) {
>   this.length >>>= 0;  // Coerce to uint32.
> }
> })(false)
> 
> also reproduces the problem (at least, the assertion; it will cause a somewhat different issue without assertions).
> 
> Attila.
> 
>> On 01 Dec 2016, at 12:18, Frantzius, Jörg <Joerg.Frantzius at aperto.com> wrote:
>> 
>> Hi Sunda,
>> 
>> you can reproduce by putting the following into a test.js file and executing it using jjs.
>> 
>> ======== snip =============
>> 
>> function Buffer(subject, encoding) {
>> if (!util.isBuffer(this))
>>   return new Buffer(subject, encoding);
>> 
>> if (util.isNumber(subject)) {
>>   this.length = +subject;
>> 
>> } else if (util.isString(subject)) {
>>   if (!util.isString(encoding) || encoding.length === 0)
>>     encoding = 'utf8';
>>   this.length = Buffer.byteLength(subject, encoding);
>> 
>> // Handle Arrays, Buffers, Uint8Arrays or JSON.
>> } else if (util.isObject(subject)) {
>>   if (subject.type === 'Buffer' && util.isArray(subject.data))
>>     subject = subject.data;
>>   this.length = +subject.length;
>> 
>> } else {
>>   throw new TypeError('must start with number, buffer, array or string');
>> }
>> 
>> if (this.length > kMaxLength) {
>>   throw new RangeError('Attempt to allocate Buffer larger than maximum ' +
>>                        'size: 0x' + kMaxLength.toString(16) + ' bytes');
>> }
>> 
>> if (this.length < 0)
>>   this.length = 0;
>> else
>>   this.length >>>= 0;  // Coerce to uint32.
>> 
>> this.parent = undefined;
>> if (this.length <= (Buffer.poolSize >>> 1) && this.length > 0) {
>>   if (this.length > poolSize - poolOffset)
>>     createPool();
>>   this.parent = sliceOnto(allocPool,
>>                           this,
>>                           poolOffset,
>>                           poolOffset + this.length);
>>   poolOffset += this.length;
>> 
>>   // Ensure aligned slices
>>   if (poolOffset & 0x7) {
>>     poolOffset |= 0x7;
>>     poolOffset++;
>>   }
>> } else {
>>   alloc(this, this.length);
>> }
>> 
>> if (util.isNumber(subject)) {
>>   return;
>> }
>> 
>> if (util.isString(subject)) {
>>   // In the case of base64 it's possible that the size of the buffer
>>   // allocated was slightly too large. In this case we need to rewrite
>>   // the length to the actual length written.
>>   var len = this.write(subject, encoding);
>>   // Buffer was truncated after decode, realloc internal ExternalArray
>>   if (len !== this.length) {
>>     var prevLen = this.length;
>>     this.length = len;
>>     truncate(this, this.length);
>>     // Only need to readjust the poolOffset if the allocation is a slice.
>>     if (this.parent != undefined)
>>       poolOffset -= (prevLen - len);
>>   }
>> 
>> } else if (util.isBuffer(subject)) {
>>   subject.copy(this, 0, 0, this.length);
>> 
>> } else if (util.isNumber(subject.length) || util.isArray(subject)) {
>>   // Really crappy way to handle Uint8Arrays, but V8 doesn't give a simple
>>   // way to access the data from the C++ API.
>>   for (var i = 0; i < this.length; i++)
>>     this[i] = subject[i];
>> }
>> }
>> 
>> new Buffer(1024);
>> 
>> ========== snip ==============
>> 
>> 
>> I’ll hopefully get my OCA signed and sent in soon, so I can contribute in JIRA.
>> 
>> Regards,
>> Jörg
>> 
>> 
>> ---
>> 
>> Dipl. Inf. Jörg von Frantzius, Technical Director
>> 
>> E-Mail joerg.frantzius at aperto.com
>> 
>> Phone +49 30 283921-318
>> Fax +49 30 283921-29
>> 
>> Aperto GmbH – An IBM Company
>> Chausseestraße 5, D-10115 Berlin
>> http://www.aperto.com<http://www.aperto.de/>
>> http://www.facebook.com/aperto
>> https://www.xing.com/companies/apertoag
>> 
>> HRB 77049 B, AG Berlin Charlottenburg
>> Geschäftsführer: Dirk Buddensiek, Kai Großmann, Stephan Haagen, Daniel Simon
>> 
>> Am 01.12.2016 um 07:46 schrieb Sundararajan Athijegannathan <sundararajan.athijegannathan at oracle.com<mailto:sundararajan.athijegannathan at oracle.com>>:
>> 
>> Is there a simple reduced test case that we can use it to reproduce the issue you're seeing? Please send us the same and we'll file a bug  (or you may do that as well).
>> 
>> Thanks,
>> -Sundar
>> 
>> On 29/11/16, 11:11 PM, Frantzius, Jörg wrote:
>> Hi,
>> 
>> with JDK 1.8.0_112 (on Mac OS X) I’m running into the following error. When querying bugs.openjdk.java.net<http://bugs.openjdk.java.net><http://bugs.openjdk.java.net>  for "Current frame's stack size doesn't match stackmap“, I only found bugs dating from 2013, so this may not be known yet?
>> 
>> Unfortunately I can’t see the Javascript file name or line number in the error message. The last known source location node/lib/fs.js:374 that I can step to in the Netbeans debugger is calling a constructor „Buffer(size)“, which is likely this source: https://github.com/nodejs/node/blob/v0.12.7-release/lib/buffer.js#L48
>> 
>> Following is the error message:
>> 
>> java.lang.VerifyError: Inconsistent stackmap frames at branch target 404
>> Exception Details:
>> Location:
>>   jdk/nashorn/internal/scripts/Script$Recompilation$414$1806AA$\^function\_.L:1#Buffer(Ljdk/nashorn/internal/runtime/ScriptFunction;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object; @382: goto
>> Reason:
>>   Current frame's stack size doesn't match stackmap.
>> Current Frame:
>>   bci: @382
>>   flags: { }
>>   locals: { 'jdk/nashorn/internal/runtime/ScriptFunction', 'java/lang/Object', 'java/lang/Object', 'java/lang/Object', 'jdk/nashorn/internal/runtime/ScriptObject' }
>>   stack: { }
>> Stackmap Frame:
>>   bci: @404
>>   flags: { }
>>   locals: { 'jdk/nashorn/internal/runtime/ScriptFunction', 'java/lang/Object', 'java/lang/Object', 'java/lang/Object', 'jdk/nashorn/internal/runtime/ScriptObject' }
>>   stack: { 'java/lang/Object' }
>> Bytecode:
>>   0x0000000: 2ab6 0014 3a04 1904 ba00 2000 0059 ba00
>>   0x0000010: 2300 005f 2bba 0027 0000 9a00 1219 04ba
>>   0x0000020: 002a 0000 2c2d ba00 2e00 00b0 1904 ba00
>>   0x0000030: 2000 0059 ba00 3100 005f 2cba 0034 0000
>>   0x0000040: 9900 102b 2cb8 003a ba00 3e00 00a7 00d5
>>   0x0000050: 1904 ba00 2000 0059 ba00 4100 005f 2cba
>>   0x0000060: 0044 0000 9900 4d19 04ba 0020 0000 59ba
>>   0x0000070: 0041 0000 5f2d ba00 4400 0099 0012 2dba
>>   0x0000080: 0047 0000 b800 4a03 8798 9a00 0912 4cb8
>>   0x0000090: 0050 4e2b 1904 ba00 5500 0059 ba00 5800
>>   0x00000a0: 005f 2c2d ba00 5c00 00ba 005f 0000 a700
>>   0x00000b0: 7419 04ba 0020 0000 59ba 0062 0000 5f2c
>>   0x00000c0: ba00 6500 0099 0043 2cba 0068 0000 126a
>>   0x00000d0: b800 7099 0026 1904 ba00 2000 0059 ba00
>>   0x00000e0: 7300 005f 2cba 0076 0000 ba00 7900 0099
>>   0x00000f0: 000a 2cba 0076 0000 4d2b 2cba 007b 0000
>>   0x0000100: ba00 3e00 00a7 001d 1904 b600 80ba 0083
>>   0x0000110: 0000 1285 ba00 8900 0012 8b10 4507 b800
>>   0x0000120: 91bf 2bba 0047 0000 1904 ba00 9400 00b8
>>   0x0000130: 0097 9900 3a19 04b6 0080 ba00 9a00 0012
>>   0x0000140: 9c19 04ba 0094 0000 59ba 009f 0000 5f10
>>   0x0000150: 10ba 00a3 0000 b800 a712 a9b8 00a7 ba00
>>   0x0000160: ac00 0012 8b10 4907 b800 91bf 2bba 007b
>>   0x0000170: 0000 0e98 9c00 0d2b 03ba 00af 0000 a700
>>   0x0000180: 162b 592b ba00 4700 00b8 00b3 b800 b7ba
>>   0x0000190: 003e 0000 2b19 04b6 0080 ba00 ba00 00ba
>>   0x00001a0: 00bd 0000 2bba 0047 0000 1904 ba00 5500
>>   0x00001b0: 00ba 00c0 0000 047c b800 b75d 58b8 003a
>>   0x00001c0: 5e58 989d 00c3 2bba 007b 0000 0e97 9e00
>>   0x00001d0: b82b ba00 4700 0019 04ba 00c2 0000 1904
>>   0x00001e0: ba00 c500 005f b800 3a5d 58b8 003a 675d
>>   0x00001f0: 58b8 003a 5e58 979e 0013 1904 ba00 c800
>>   0x0000200: 00b2 00cc ba00 d000 0057 2b19 04ba 00d3
>>   0x0000210: 0000 b200 cc19 04ba 00d6 0000 2b19 04ba
>>   0x0000220: 00c5 0000 1904 ba00 c500 002b ba00 4700
>>   0x0000230: 00b8 00a7 ba00 da00 00ba 00bd 0000 1904
>>   0x0000240: 1904 ba00 c500 002b ba00 4700 00b8 00a7
>>   0x0000250: ba00 dd00 0019 04ba 00df 0000 1007 7e99
>>   0x0000260: 0024 1904 1904 ba00 df00 0010 0780 ba00
>>   0x0000270: e100 0019 0419 04ba 00e3 0000 0f63 ba00
>>   0x0000280: e500 00a7 001a 1904 ba00 e800 00b2 00cc
>>   0x0000290: 2b2b ba00 4700 00ba 00ec 0000 5719 04ba
>>   0x00002a0: 0020 0000 59ba 0031 0000 5f2c ba00 3400
>>   0x00002b0: 0099 0007 b200 ccb0 1904 ba00 2000 0059
>>   0x00002c0: ba00 4100 005f 2cba 0044 0000 9900 8b2b
>>   0x00002d0: 59ba 00ef 0000 5f2c 2dba 00f2 0000 3a05
>>   0x00002e0: 1905 2bba 0047 0000 b800 f599 0064 2bba
>>   0x00002f0: 0047 0000 3a06 2b19 05ba 005f 0000 1904
>>   0x0000300: ba00 f800 00b2 00cc 2b2b ba00 4700 00ba
>>   0x0000310: 00fb 0000 572b ba00 fe00 0019 04b6 0080
>>   0x0000320: ba00 ba00 00b8 0101 9900 2419 0419 04ba
>>   0x0000330: 00c5 0000 1906 b800 3a19 05b8 003a 675d
>>   0x0000340: 58b8 003a 5e58 67ba 00e5 0000 a700 08b2
>>   0x0000350: 00cc 3a06 a700 9e19 04ba 0020 0000 59ba
>>   0x0000360: 0023 0000 5f2c ba00 2700 0099 001d 2c59
>>   0x0000370: ba01 0400 005f 2b03 032b ba00 4700 00ba
>>   0x0000380: 0108 0000 57a7 0063 1904 ba00 2000 0059
>>   0x0000390: ba00 3100 005f 2cba 0047 0000 ba00 3400
>>   0x00003a0: 009a 001a 1904 ba00 2000 0059 ba00 7300
>>   0x00003b0: 005f 2cba 0079 0000 9900 3003 3607 1507
>>   0x00003c0: 8739 0818 082b ba00 7b00 0098 9c00 1c2b
>>   0x00003d0: 1808 2c18 08ba 010e 0000 ba01 1200 0018
>>   0x00003e0: 080f 6339 08a7 ffde b200 cc3a 06b2 00cc
>>   0x00003f0: 3a05 b200 ccb0
>> Stackmap Table:
>>   append_frame(@44,Object[#125])
>>   same_frame(@80)
>>   same_frame(@141)
>>   same_frame(@147)
>>   same_frame(@177)
>>   same_frame_extended(@249)
>>   same_frame(@264)
>>   same_frame(@290)
>>   same_frame_extended(@364)
>>   same_frame(@385)
>>   same_locals_1_stack_item_frame(@404,Object[#286])
>>   same_locals_1_stack_item_extended(@522,Object[#286])
>>   same_locals_1_stack_item_extended(@643,Object[#286])
>>   same_locals_1_stack_item_frame(@646,Object[#286])
>>   same_locals_1_stack_item_frame(@669,Object[#286])
>>   same_locals_1_stack_item_frame(@696,Object[#286])
>>   full_frame(@844,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286],Object[#286]},{Object[#286]})
>>   full_frame(@847,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286]},{Object[#286]})
>>   full_frame(@852,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286],Object[#286]},{Object[#286]})
>>   full_frame(@855,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125]},{Object[#286]})
>>   same_locals_1_stack_item_frame(@904,Object[#286])
>>   same_locals_1_stack_item_frame(@955,Object[#286])
>>   full_frame(@963,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Top,Top,Integer,Double},{Object[#286]})
>>   full_frame(@1000,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125]},{Object[#286]})
>>   full_frame(@1010,{Object[#16],Object[#286],Object[#286],Object[#286],Object[#125],Object[#286],Object[#286]},{Object[#286]})
>> 
>> at java.lang.Class.getDeclaredFields0(Native Method)
>> at java.lang.Class.privateGetDeclaredFields(Class.java:2583)
>> at java.lang.Class.getDeclaredField(Class.java:2068)
>> at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1.run(Context.java:209)
>> at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller$1.run(Context.java:204)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.initialize(Context.java:204)
>> at jdk.nashorn.internal.codegen.CompilationPhase$InstallPhase.transform(CompilationPhase.java:508)
>> at jdk.nashorn.internal.codegen.CompilationPhase.apply(CompilationPhase.java:624)
>> at jdk.nashorn.internal.codegen.Compiler.compile(Compiler.java:655)
>> at jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.compileTypeSpecialization(RecompilableScriptFunctionData.java:725)
>> at jdk.nashorn.internal.runtime.RecompilableScriptFunctionData.getBest(RecompilableScriptFunctionData.java:905)
>> at jdk.nashorn.internal.runtime.ScriptFunctionData.getBest(ScriptFunctionData.java:375)
>> at jdk.nashorn.internal.runtime.ScriptFunctionData.getBestConstructor(ScriptFunctionData.java:247)
>> at jdk.nashorn.internal.runtime.ScriptFunction.findNewMethod(ScriptFunction.java:758)
>> at jdk.nashorn.internal.runtime.ScriptObject.lookup(ScriptObject.java:1827)
>> at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:104)
>> at jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:98)
>> at jdk.internal.dynalink.support.CompositeTypeBasedGuardingDynamicLinker.getGuardedInvocation(CompositeTypeBasedGuardingDynamicLinker.java:176)
>> at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
>> at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:154)
>> at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:253)
>> at jdk.nashorn.internal.scripts.Script$Recompilation$402$9044AA$\^function\_.L:1#readFileSync(node/lib/fs.js:374)
>> [..]
>> 
>> Any help or hints would be very appreciated!
>> 
>> Regards,
>> Jörg
>> 
>> ---
>> 
>> Dipl. Inf. Jörg von Frantzius, Technical Director
>> 
>> E-Mail joerg.frantzius at aperto.com<mailto:joerg.frantzius at aperto.com>
>> 
>> Phone +49 30 283921-318
>> Fax +49 30 283921-29
>> 
>> Aperto GmbH – An IBM Company
>> Chausseestraße 5, D-10115 Berlin
>> http://www.aperto.com<http://www.aperto.de/>
>> http://www.facebook.com/aperto
>> https://www.xing.com/companies/apertoag
>> 
>> HRB 77049 B, AG Berlin Charlottenburg
>> Vorstand: Dirk Buddensiek (Vorsitzender), Kai Großmann, Stephan Haagen, Daniel Simon
>> Aufsichtsrat: Matthew Candy (Vorsitzender)
>> 
>> 
> 



More information about the nashorn-dev mailing list