JDK-8171219: Missing checks in sparse array shift() implementation

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 8, 9
    • Fix Version/s: 9
    • Component/s: core-libs
    • Labels: None
    • Subcomponent:
    • Resolved In Build: b150
    • CPU: generic
    • OS: generic

        Description

        There are two bugs in the implementation of shift() in SparseArrayData. Both really occur in the underlying dense array. The first is caused by doing an arraycopy on a zero-length array:

        var a = []
        a[1048577] = 1
        a.shift()

        Throws:
        Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at java.lang.System.arraycopy(java.base@9-ea/Native Method)
        at jdk.nashorn.internal.runtime.arrays.IntArrayData.shiftLeft(jdk.scripting.nashorn@9-ea/IntArrayData.java:180)
        at jdk.nashorn.internal.runtime.arrays.SparseArrayData.shiftLeft(jdk.scripting.nashorn@9-ea/SparseArrayData.java:93)
        at jdk.nashorn.internal.objects.NativeArray.shift(jdk.scripting.nashorn@9-ea/NativeArray.java:1148)
        at jdk.nashorn.internal.scripts.Script$Recompilation$1$shift/403147759.:program(jdk.scripting.nashorn.scripts/shift.js:4)
        at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(jdk.scripting.nashorn@9-ea/ScriptFunctionData.java:652)
        at jdk.nashorn.internal.runtime.ScriptFunction.invoke(jdk.scripting.nashorn@9-ea/ScriptFunction.java:513)
        at jdk.nashorn.internal.runtime.ScriptRuntime.apply(jdk.scripting.nashorn@9-ea/ScriptRuntime.java:489)
        at jdk.nashorn.tools.Shell.apply(jdk.scripting.nashorn@9-ea/Shell.java:519)
        at jdk.nashorn.tools.Shell.runScripts(jdk.scripting.nashorn@9-ea/Shell.java:448)
        at jdk.nashorn.tools.Shell.run(jdk.scripting.nashorn@9-ea/Shell.java:186)
        at jdk.nashorn.tools.jjs.Main.main(jdk.scripting.nashorn.shell@9-ea/Main.java:104)
        at jdk.nashorn.tools.jjs.Main.main(jdk.scripting.nashorn.shell@9-ea/Main.java:80)

        The second one is caused by a missing setLength call in the shift implementation of the underlying dense array:

        var a = []
        a[1048577] = 1
        a[1] = 1
        a.shift()
        print(Object.keys(a))

        Actual: 0,1,1048576
        Expected: 0,1048576
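
A regression check for the two cases above, added here as an example (it is not part of the original report or of the Nashorn sources). It compares the engine's `shift()` against the index arithmetic the operation must produce; the helper names and the third test case are assumptions of this example.

```javascript
// Added example, written in ES5 so it also runs under jjs.
// Build an array holding 1 at each given index, with holes everywhere else.
function buildSparse(indices) {
  var a = [];
  indices.forEach(function (i) { a[i] = 1; });
  return a;
}

// Result shift() must give: index 0 is dropped, every other index moves
// down by one, and length shrinks by one (old length is max index + 1).
function expectedAfterShift(indices) {
  var keys = indices
    .filter(function (i) { return i > 0; })
    .map(function (i) { return i - 1; })
    .sort(function (x, y) { return x - y; })
    .map(String);
  return { keys: keys, length: Math.max.apply(null, indices) };
}

// Run shift() in the engine under test; report an exception instead of aborting.
function observedAfterShift(indices) {
  var a = buildSparse(indices);
  try {
    a.shift();
  } catch (e) {
    return { error: String(e), keys: [], length: -1 };
  }
  return { error: null, keys: Object.keys(a), length: a.length };
}

// Compare observed keys and length with the expected ones.
function checkShift(indices) {
  var want = expectedAfterShift(indices);
  var got = observedAfterShift(indices);
  var ok = got.error === null && got.length === want.length &&
    got.keys.join(",") === want.keys.join(",");
  return { ok: ok, want: want, got: got };
}

var CASES = [
  [1048577],        // first case in the report: dense part is empty
  [1, 1048577],     // second case in the report: one dense element
  [0, 1, 1048577]   // constructed: a value at index 0 is removed
];
var log = typeof console !== "undefined" ? console.log : print;
CASES.forEach(function (c) {
  var r = checkShift(c);
  log((r.ok ? "PASS " : "FAIL ") + JSON.stringify(c) + " -> " +
      (r.got.error || r.got.keys.join(",")));
});
```

Both failure modes surface as FAIL: the first as a captured exception, the second as a stale key that does not match the expected list.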

                People

                • Assignee: hannesw Hannes Wallnoefer
                • Reporter: hannesw Hannes Wallnoefer