JDK-8136544 : Call site switching to megamorphic causes incorrect property read
- Type: Bug
- Component: core-libs
- Sub-Component: jdk.nashorn
- Affected Version: 8u51,9
- Priority: P3
- Status: Resolved
- Resolution: Fixed
- OS: generic
- CPU: generic
- Submitted: 2015-09-15
- Updated: 2016-01-14
- Resolved: 2015-09-16
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 8 | JDK 9 |
|---|---|
8u72Fixed  |
9 b83Fixed |
Description
From http://stackoverflow.com/questions/32585425/java-nashorn-inconsistent-binding-behavior-is-this-a-bug:
-------------------------------
import javax.script.Bindings;
import javax.script.ScriptContext;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
public class JsBugTest {
public static Object resolve(final ScriptEngine engine, final String script) {
Object r = null;
try {
r = engine.eval(script);
} catch (final Exception ex) {
System.out.println("exception: " + ex.getMessage());
r = null;
}
return r;
}
public static void runTest()
{
final ScriptEngine jsEngine = new NashornScriptEngineFactory().getScriptEngine("--log=fields", "-ot=false");
final String script = "DataA + 'foo';";
final Bindings binds = jsEngine.getBindings(ScriptContext.ENGINE_SCOPE);
Object ret;
for (int i = 0; i < 12; i++) {
binds.remove("DataA");
ret = resolve(jsEngine, script);
if (ret != null) {
System.out.println("Iteration " + i + ": Returned value should be null but is: \"" + ret + "\"");
}
binds.put("DataA", "foo");
ret = resolve(jsEngine, script);
if (ret == null) {
System.out.println("Iteration " + i + " failed");
}
}
}
public static void main(final String[] args) {
JsBugTest.runTest();
}
}
-------------------------------
The program prints:
exception: ReferenceError: "DataA" is not defined in <eval> at line number 1
but then on iteration 8 starts printing:
Iteration 8: Returned value should be null but is: "undefinedfoo"
Running with "--log=fields" we see:
exception: ReferenceError: "DataA" is not defined in <eval> at line number 1
[fields] Megamorphic getter: dyn:getProp|getElem|getMethod:DataA(Object)Object@jdk.nashorn.internal.scripts.Script$\^eval\_ DataA false
Iteration 8: Returned value should be null but is: "undefinedfoo"
That is, we switch the call site to a megamorphic getter right before the incorrect behaviour starts happening.