JDK-8171219 : Missing checks in sparse array shift() implementation
- Type: Bug
- Component: core-libs
- Sub-Component: jdk.nashorn
- Affected Version: 8,9
- Priority: P3
- Status: Resolved
- Resolution: Fixed
- OS: generic
- CPU: generic
- Submitted: 2016-12-14
- Updated: 2017-11-29
- Resolved: 2016-12-15
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 8 | JDK 9 |
|---|---|
8u152Fixed  |
9 b150Fixed |
Description
There are two bugs in the implementation of shift() in SparseArrayData. Both really occur in the underlying dense array. The first is caused by doing an arraycopy on a zero-length array: var a = [] a[1048577] = 1 a.shift() Throws: Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException at java.lang.System.arraycopy(java.base@9-ea/Native Method) at jdk.nashorn.internal.runtime.arrays.IntArrayData.shiftLeft(jdk.scripting.nashorn@9-ea/IntArrayData.java:180) at jdk.nashorn.internal.runtime.arrays.SparseArrayData.shiftLeft(jdk.scripting.nashorn@9-ea/SparseArrayData.java:93) at jdk.nashorn.internal.objects.NativeArray.shift(jdk.scripting.nashorn@9-ea/NativeArray.java:1148) at jdk.nashorn.internal.scripts.Script$Recompilation$1$shift/403147759.:program(jdk.scripting.nashorn.scripts/shift.js:4) at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(jdk.scripting.nashorn@9-ea/ScriptFunctionData.java:652) at jdk.nashorn.internal.runtime.ScriptFunction.invoke(jdk.scripting.nashorn@9-ea/ScriptFunction.java:513) at jdk.nashorn.internal.runtime.ScriptRuntime.apply(jdk.scripting.nashorn@9-ea/ScriptRuntime.java:489) at jdk.nashorn.tools.Shell.apply(jdk.scripting.nashorn@9-ea/Shell.java:519) at jdk.nashorn.tools.Shell.runScripts(jdk.scripting.nashorn@9-ea/Shell.java:448) at jdk.nashorn.tools.Shell.run(jdk.scripting.nashorn@9-ea/Shell.java:186) at jdk.nashorn.tools.jjs.Main.main(jdk.scripting.nashorn.shell@9-ea/Main.java:104) at jdk.nashorn.tools.jjs.Main.main(jdk.scripting.nashorn.shell@9-ea/Main.java:80) The second one is caused by missing setLength in shift implementation of underlying dense array: var a = [] a[1048577] = 1 a[1] = 1 a.shift() print(Object.keys(a)) Actual: 0,1,1048576 Expected: 0,1048576