JDK-8066230 : Fuzzing bug: Undefined object type assertion when computing TypeBounds
  • Type: Sub-task
  • Component: core-libs
  • Sub-Component: jdk.nashorn
  • Affected Version: 8u60
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2014-12-01
  • Updated: 2015-06-04
  • Resolved: 2014-12-08
  • Fixed in JDK 8: 8u40
  • Fixed in JDK 9: 9 b43
Description
jjs> function f() { void null + 0; } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
   at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
   at jdk.nashorn.internal.codegen.CodeGenerator$14.loadStack(CodeGenerator.java:3575)
   at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
   at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4392)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadADD(CodeGenerator.java:3582)
   at jdk.nashorn.internal.codegen.CodeGenerator$1.enterADD(CodeGenerator.java:872)
   ...
Comments
This one is also broken:

jjs> function f() { (x+=void x); } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
   at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
   at jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment$1.loadStack(CodeGenerator.java:3700)
   at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
   at jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment.evaluate(CodeGenerator.java:3706)
   at jdk.nashorn.internal.codegen.CodeGenerator$Store.store(CodeGenerator.java:4286)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadASSIGN_ADD(CodeGenerator.java:3735)
   ...
01-12-2014

Also happens in these two cases:

jjs> function f() { var x; x += void x; } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
   at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
   at jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment$1.loadStack(CodeGenerator.java:3700)
   at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
   at jdk.nashorn.internal.codegen.CodeGenerator$BinaryOptimisticSelfAssignment.evaluate(CodeGenerator.java:3706)
   at jdk.nashorn.internal.codegen.CodeGenerator$Store.store(CodeGenerator.java:4286)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadASSIGN_ADD(CodeGenerator.java:3735)
   ...

jjs> function f(){ var a = true + x, x; } f()
Exception in thread "main" java.lang.AssertionError: object<type=Undefined>
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.<init>(CodeGenerator.java:627)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.maybeNew(CodeGenerator.java:650)
   at jdk.nashorn.internal.codegen.CodeGenerator$TypeBounds.notNarrowerThan(CodeGenerator.java:635)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadBinaryOperands(CodeGenerator.java:575)
   at jdk.nashorn.internal.codegen.CodeGenerator.access$6800(CodeGenerator.java:183)
   at jdk.nashorn.internal.codegen.CodeGenerator$14.loadStack(CodeGenerator.java:3575)
   at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4407)
   at jdk.nashorn.internal.codegen.CodeGenerator$OptimisticOperation.emit(CodeGenerator.java:4392)
   at jdk.nashorn.internal.codegen.CodeGenerator.loadADD(CodeGenerator.java:3582)
   at jdk.nashorn.internal.codegen.CodeGenerator$1.enterADD(CodeGenerator.java:872)
01-12-2014