Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8024971

Fuzzing results on nashorn by Andre

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 9
    • Fix Version/s: None
    • Component/s: core-libs
    • Labels:
      None

      Description

      This is an umbrella bug. Need to file sub-tasks after analysis and combining issues together (as needed)

      Andre wrote:

      Here are the promised fuzzing results. Currently it doesn't make sense
      to run longer fuzzing sessions because of the first bug below. That one
      is triggered way too often.

      - André

      Compiler errors:

      jjs> Function("for(x.x in 0) {}");
      Exception in thread "main" java.lang.AssertionError
           at
      jdk.nashorn.internal.codegen.CodeGenerator.enterForIn(CodeGenerator.java:855)
           at
      jdk.nashorn.internal.codegen.CodeGenerator.enterForNode(CodeGenerator.java:807)
           at jdk.nashorn.internal.ir.ForNode.accept(ForNode.java:90)
           at
      jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
           at
      jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
           ...

      jjs> Function("switch((null >> x3)) { default: {var x;break ; }\nthrow
      x; }");
      java.lang.NullPointerException
           at jdk.internal.org.objectweb.asm.Frame.merge(Frame.java:1321)
           at
      jdk.internal.org.objectweb.asm.MethodWriter.visitMaxs(MethodWriter.java:1499)
           at
      jdk.nashorn.internal.codegen.MethodEmitter.end(MethodEmitter.java:201)
           at
      jdk.nashorn.internal.codegen.CodeGenerator.leaveFunctionNode(CodeGenerator.java:1049)
           at jdk.nashorn.internal.ir.FunctionNode.accept(FunctionNode.java:297)
           ...

      jjs> try{Function("switch(x) { case 8: break; case false:
      }");}catch(e){e.printStackTrace()}
      java.lang.ClassCastException: java.lang.Boolean cannot be cast to
      java.lang.Integer
           at
      jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:1844)
           at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:103)
           at
      jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
           at
      jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:53)
           at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
           ...

      jjs> Function("try { return true; } finally { return false; } ");
      Exception in thread "main" java.lang.AssertionError:
      [BinaryNode at 0x396e2f39#:t$1 (Object) root = [:t$1 (Object)] (object)]
           [IdentNode at 0x1990a65e#:return (boolean) (slot=1) lhs = ':return'
      [:return (boolean) (slot=1)] (boolean)]
           [UnaryNode at 0x25bbf683#:t$1 (Object) rhs convert [:t$1 (Object)]
      (object)]
               [LiteralNode$BooleanLiteralNode at 0x7276c8cd#:l$1 (boolean) rhs =
      'true' [:l$1 (boolean)] (boolean)]

           at
      jdk.nashorn.internal.codegen.CodeGenerator.enterASSIGN(CodeGenerator.java:2440)
           at
      jdk.nashorn.internal.ir.visitor.NodeOperatorVisitor.enterBinaryNode(NodeOperatorVisitor.java:121)
           at jdk.nashorn.internal.ir.BinaryNode.accept(BinaryNode.java:165)
           at
      jdk.nashorn.internal.codegen.CodeGenerator$1.enterDefault(CodeGenerator.java:418)
           at
      jdk.nashorn.internal.ir.visitor.NodeVisitor.enterBinaryNode(NodeVisitor.java:178)
           ...

      jjs> Function("({ get 1e81(){} })");
      Exception in thread "main" java.lang.ClassFormatError: Illegal method
      name "_L1$get 1.0e+81" in class
      jdk/nashorn/internal/scripts/Script$\^function\_
           at java.lang.ClassLoader.defineClass1(Native Method)
           at java.lang.ClassLoader.defineClass(ClassLoader.java:752)
           at
      jdk.nashorn.internal.runtime.ScriptLoader.installClass(ScriptLoader.java:87)
           at
      jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.install(Context.java:125)
           at jdk.nashorn.internal.codegen.Compiler.install(Compiler.java:408)
           ...

      jjs> Function("{var x, x3;try { return 0; } finally { return 3/0; } }");
      Exception in thread "main" java.lang.AssertionError: int is not
      compatible with double
           at
      jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
           at
      jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:953)
           at
      jdk.nashorn.internal.codegen.CodeGenerator$Store$2.enterIdentNode(CodeGenerator.java:3164)
           at jdk.nashorn.internal.ir.IdentNode.accept(IdentNode.java:123)
           at
      jdk.nashorn.internal.codegen.CodeGenerator$Store.epilogue(CodeGenerator.java:3139)
           ...

      jjs> Function("with(x ? 1e81 : (x2.constructor = 0.1)){}")
      Exception in thread "main" java.lang.AssertionError: double is not
      compatible with object
           at
      jdk.nashorn.internal.codegen.MethodEmitter.popType(MethodEmitter.java:235)
           at
      jdk.nashorn.internal.codegen.MethodEmitter.fixParamStack(MethodEmitter.java:1109)
           at
      jdk.nashorn.internal.codegen.MethodEmitter.invoke(MethodEmitter.java:1128)
           at
      jdk.nashorn.internal.codegen.MethodEmitter.invokestatic(MethodEmitter.java:1182)
           at
      jdk.nashorn.internal.codegen.CompilerConstants$2.invoke(CompilerConstants.java:359)
           ...

      jjs> Function("while(x-=1){var x=0; }")
      Exception in thread "main" java.lang.VerifyError: get long/double
      overflows locals
      Exception Details:
         Location:
      jdk/nashorn/internal/scripts/Script$\^function\_._L1(Ljava/lang/Object;)Ljava/lang/Object;
      @5: dload_2
         Reason:
           Local index 2 is invalid
         Bytecode:
           0000000: a700 050e 4928 0f67 5c49 b800 339a fff6
           0000010: b200 2bb0
         Stackmap Table:
           append_frame(@3,Top,Double)
           chop_frame(@5,2)

           at java.lang.Class.getDeclaredFields0(Native Method)
           at java.lang.Class.privateGetDeclaredFields(Class.java:2476)
           at java.lang.Class.getDeclaredField(Class.java:1975)
           at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:417)
           at jdk.nashorn.internal.codegen.Compiler$2.run(Compiler.java:413)
           ...

      The following scripts have similar VerifyErrors, I think they're related:
      Function("while((x-=false) && 0){var x = this; }");
      Function("/*infloop*/while(x4-=x)var x, x4 = x1;");
      Function("/*infloop*/L:while(x+=null){this;var x = /x/g ; }");
      Function("while((x1|=0.1) && 0){var x1 = -0, functional; }");

      ---

      Runtime errors:


      jjs> try{Function("with({}) return
      (eval(\"arguments\"));")()}catch(e){e.printStackTrace()}
      java.lang.NullPointerException
           at
      java.lang.invoke.MethodHandles.guardWithTest(MethodHandles.java:2131)
           at
      jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.guardWithTest(MethodHandleFactory.java:287)
           at
      jdk.nashorn.internal.runtime.WithObject.fixScopeCallSite(WithObject.java:258)
           at jdk.nashorn.internal.runtime.WithObject.lookup(WithObject.java:126)
           at
      jdk.nashorn.internal.runtime.linker.NashornLinker.getGuardedInvocation(NashornLinker.java:75)
           ...

        Attachments

        1.
        for (LeftHandSideExpression in Expression) crashes the compiler Sub-task Resolved Sundararajan Athijegannathan  
        2.
        true as case label results in ClassCastException Sub-task Resolved Sundararajan Athijegannathan  
        3.
        Object literal getter, setter function with number format property name results in ClassFormatError Sub-task Resolved Sundararajan Athijegannathan  
        4.
        'while' statement with 'test' using var before being declared in body results in VerifyError Sub-task Resolved Sundararajan Athijegannathan  
        5.
        Switch should load expression even when there are no cases in it Sub-task Resolved Sundararajan Athijegannathan  
        6.
        future strict names are allowed as function name and argument name of a strict function Sub-task Resolved Sundararajan Athijegannathan  
        7.
        Function constructor should convert arguments to String before performing any syntax checks Sub-task Resolved Sundararajan Athijegannathan  
        8.
        Function("with(x ? 1e81 : (x2.constructor = 0.1)){}") throws AssertionError: double is not compatible with object Sub-task Resolved Sundararajan Athijegannathan  
        9.
        Array.prototype.slice.call(Java.type("java.util.HashMap")) throws ClassCastException: jdk.internal.dynalink.beans.StaticClass cannot be cast to jdk.nashorn.internal.runtime.ScriptObject Sub-task Resolved Sundararajan Athijegannathan  
        10.
        Class cache/reuse of 'eval' scripts results in ClassCastException in some cases. Sub-task Resolved Sundararajan Athijegannathan  
        11.
        Getter, setter function name mangling issues Sub-task Resolved Sundararajan Athijegannathan  
        12.
        source representation of getter and setter methods is wrong Sub-task Resolved Sundararajan Athijegannathan  
        13.
        $ in the function name results in wrong function being invoked Sub-task Resolved Sundararajan Athijegannathan  
        14.
        Function("switch((null >> x3)) { default: {var x; break ; }\nthrow x; }")() results in AssertionError in LocalVariableTypesCalculator Sub-task Resolved Attila Szegedi  
        15.
        large string size RangeError should be thrown rather than reporting negative length Sub-task Resolved Sundararajan Athijegannathan  
        16.
        function f() { L1:try { return } finally { break L1 } } f() results in VerifyError Sub-task Resolved Attila Szegedi  
        17.
        Very long function names break codegen Sub-task Resolved Hannes Wallnoefer  
        18.
        (1000000000000000128).toString() and (1000000000000000128).toFixed() don't evaluate to expected values. Sub-task Resolved Hannes Wallnoefer  
        19.
        Add regression tests for passing test cases of JDK-8024971 Sub-task Resolved Sundararajan Athijegannathan  
        20.
        function f(){ var a=1; with({ get a() { return false } }) return a }; f() throws TypeError with optimistic compilation Sub-task Resolved Attila Szegedi  
        21.
        eval("function " + Array.apply(null,Array(0x10000)).join("a") + "(){}") crashes in codegen Sub-task Closed Hannes Wallnoefer  
        22.
        (1000000000000000128).toString() evaluates "1000000000000000130" Sub-task Closed Hannes Wallnoefer  

          Activity

            People

            • Assignee:
              sundar Sundararajan Athijegannathan
              Reporter:
              sundar Sundararajan Athijegannathan
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: