JDK-8066223 : Fuzzing bug: ClassCastException between JO1P0 and WithObject
  • Type: Sub-task
  • Component: core-libs
  • Sub-Component: jdk.nashorn
  • Affected Version: 8u60
  • Priority: P3
  • Status: Resolved
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2014-12-01
  • Updated: 2015-01-28
  • Resolved: 2015-01-28
Related Reports
Cloners :  
JDK-8066224 - Fuzzing bug: constant folding of ternary operator and IfNode with constant test
Cloners :  
JDK-8066222 - too strong assertion on function expression names
Duplicate :  
JDK-8067139 - Finally blocks inlined incorrectly
Description
jjs> try{ x={}; (function(){ try { throw null; } catch(x) { with({}) return; } finally { eval("'a'.replace('a', Function.apply)"); }})() }catch(e){e.printStackTrace()}
java.lang.ClassCastException: jdk.nashorn.internal.scripts.JO1P0 cannot be cast to jdk.nashorn.internal.runtime.WithObject
   at jdk.nashorn.internal.runtime.WithObject.withExpressionGuard(WithObject.java:363)
   at jdk.nashorn.internal.scripts.Script$Recompilation$15$\^shell\_#1\!84\^eval\_.:program(<shell>#1:84<eval>:1)
   at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:636)
   at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:229)
   at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:387)
   at jdk.nashorn.internal.runtime.Context.eval(Context.java:711)
   at jdk.nashorn.internal.objects.Global.directEval(Global.java:941)
   at jdk.nashorn.internal.scripts.Script$Recompilation$13$12$\^shell\_.L:1(<shell>:1)
   at jdk.nashorn.internal.scripts.Script$Recompilation$11$\^shell\_.:program(<shell>:1)
   at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:636)
Comments
Here's a simplified and formatted version of the failing code: (function(){ try { throw "foo"; } catch(x) { with({}) { return; } } finally { eval("'a'.replace('a', Function.apply)"); } })(); I notice that the code in the finally section is executed inside the with-scope, i.e. properties in with object are visible in finally. It seems very likely that this is the root problem here.
12-12-2014