JDK-8171219

Missing checks in sparse array shift() implementation

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 8, 9
    • Fix Version/s: 9
    • Component/s: core-libs
    • Labels: None
    • Subcomponent:
    • Resolved In Build: b150
    • CPU: generic
    • OS: generic

        Description

        There are two bugs in the implementation of shift() in SparseArrayData. Both really occur in the underlying dense array. The first is caused by doing an arraycopy on a zero-length array:

        var a = []
        a[1048577] = 1
        a.shift()

        Throws:
        Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at java.lang.System.arraycopy(java.base@9-ea/Native Method)
        at jdk.nashorn.internal.runtime.arrays.IntArrayData.shiftLeft(jdk.scripting.nashorn@9-ea/IntArrayData.java:180)
        at jdk.nashorn.internal.runtime.arrays.SparseArrayData.shiftLeft(jdk.scripting.nashorn@9-ea/SparseArrayData.java:93)
        at jdk.nashorn.internal.objects.NativeArray.shift(jdk.scripting.nashorn@9-ea/NativeArray.java:1148)
        at jdk.nashorn.internal.scripts.Script$Recompilation$1$shift/403147759.:program(jdk.scripting.nashorn.scripts/shift.js:4)
        at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(jdk.scripting.nashorn@9-ea/ScriptFunctionData.java:652)
        at jdk.nashorn.internal.runtime.ScriptFunction.invoke(jdk.scripting.nashorn@9-ea/ScriptFunction.java:513)
        at jdk.nashorn.internal.runtime.ScriptRuntime.apply(jdk.scripting.nashorn@9-ea/ScriptRuntime.java:489)
        at jdk.nashorn.tools.Shell.apply(jdk.scripting.nashorn@9-ea/Shell.java:519)
        at jdk.nashorn.tools.Shell.runScripts(jdk.scripting.nashorn@9-ea/Shell.java:448)
        at jdk.nashorn.tools.Shell.run(jdk.scripting.nashorn@9-ea/Shell.java:186)
        at jdk.nashorn.tools.jjs.Main.main(jdk.scripting.nashorn.shell@9-ea/Main.java:104)
        at jdk.nashorn.tools.jjs.Main.main(jdk.scripting.nashorn.shell@9-ea/Main.java:80)

        The second one is caused by a missing setLength call in the shift implementation of the underlying dense array:

        var a = []
        a[1048577] = 1
        a[1] = 1
        a.shift()
        print(Object.keys(a))

        Actual: 0,1,1048576
        Expected: 0,1048576
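
The two failure modes described above, reproduced in a simplified model and compared with the host engine's own `Array.prototype.shift` (an added example, not Nashorn source and not part of the original report). `SparseModel`, `DENSE_LIMIT`, `arraycopy` and `compare` are hypothetical names, and the dense/sparse split point is an assumption of the model.

```javascript
// Simplified model with assumed names; not Nashorn source code.
const DENSE_LIMIT = 1 << 20;  // assumed dense/sparse split for this model
const HOLE = Symbol("hole");

// Mimics the bounds checks of Java's System.arraycopy.
function arraycopy(src, srcPos, dst, dstPos, len) {
  if (len < 0 || srcPos + len > src.length || dstPos + len > dst.length)
    throw new RangeError("ArrayIndexOutOfBounds");
  const tmp = src.slice(srcPos, srcPos + len);
  for (let i = 0; i < len; i++) dst[dstPos + i] = tmp[i];
}

class SparseModel {
  constructor(checked) {
    this.checked = checked;   // true: apply both checks from the report
    this.dense = [];          // slots for indices below DENSE_LIMIT
    this.denseLength = 0;     // logical length of the dense part
    this.sparse = new Map();  // index -> value at or above DENSE_LIMIT
  }
  set(index, value) {
    if (index >= DENSE_LIMIT) return void this.sparse.set(index, value);
    while (this.dense.length <= index) this.dense.push(HOLE);
    this.dense[index] = value;
    this.denseLength = Math.max(this.denseLength, index + 1);
  }
  shiftLeft() {
    // Unchecked mode copies even when the dense part is empty (first bug).
    if (!this.checked || this.denseLength > 0)
      arraycopy(this.dense, 1, this.dense, 0, this.dense.length - 1);
    // Unchecked mode never shrinks the logical length (second bug).
    if (this.checked && this.denseLength > 0)
      this.dense.length = --this.denseLength;  // models setLength
    const old = this.sparse;
    this.sparse = new Map();
    for (const [k, v] of old) this.set(k - 1, v);
  }
  keys() {
    const out = [];
    for (let i = 0; i < this.denseLength; i++)
      if (this.dense[i] !== HOLE) out.push(i);
    return out.concat([...this.sparse.keys()]).sort((a, b) => a - b).join(",");
  }
}

// Applies [index, value] writes and one shift to the model and a real Array.
function compare(writes, checked) {
  const model = new SparseModel(checked), engine = [];
  for (const [i, v] of writes) { model.set(i, v); engine[i] = v; }
  engine.shift();
  try { model.shiftLeft(); } catch (e) { return { error: e.message }; }
  return { model: model.keys(), engine: Object.keys(engine).join(",") };
}
```

With `checked` set to `false` the model reproduces the reported exception and the stale key `1`; with `true` its keys match the engine's for both scripts from the report.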

                People

                Assignee:
                hannesw Hannes Wallnoefer
                Reporter:
                hannesw Hannes Wallnoefer