JDK-8066220 : Fuzzing bug: MethodHandle bug (Object,Object) != (boolean)Object
  • Type: Sub-task
  • Component: core-libs
  • Sub-Component: jdk.nashorn
  • Affected Version: 8u60
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2014-12-01
  • Updated: 2015-09-29
  • Resolved: 2015-06-03
Fix Version(s):
  • JDK 8: 8u60 b20 (Fixed)
  • JDK 9: 9 (Fixed)
Description
Needs warmup to manifest itself.

function tryItOut(c) {
 var f = tryCompiling(c);
 if (f !== null && c.indexOf('infloop') === -1) {
   tryRunning(f);
 }
}

function tryCompiling(c) {
 try { return Function(c); } catch(e) { return null; }
}

function tryRunning(f) {
 try {
   return f();
 } catch (e) {
   if (e instanceof java.lang.Throwable) e.printStackTrace();
 }
}

tryItOut("x = 1e-81;");
tryItOut("y = x;");
tryItOut("for(x in (((new Function).call)(true))){}");
tryItOut("(x.constructor = new (new Function)(y));");

java.lang.IllegalArgumentException: target and combiner types must match: (Object,Object)Object != (boolean)Object
   at java.lang.invoke.MethodHandleStatics.newIllegalArgumentException(MethodHandleStatics.java:109)
   at java.lang.invoke.MethodHandles.misMatchedTypes(MethodHandles.java:2775)
   at java.lang.invoke.MethodHandles.foldArguments(MethodHandles.java:2714)
   at jdk.nashorn.internal.lookup.MethodHandleFactory$StandardMethodHandleFunctionality.foldArguments(MethodHandleFactory.java:430)
   at jdk.nashorn.internal.runtime.CompiledFunction.createConstructorFromInvoker(CompiledFunction.java:265)
   at jdk.nashorn.internal.runtime.CompiledFunction.getConstructor(CompiledFunction.java:224)
   at jdk.nashorn.internal.runtime.CompiledFunction.access$300(CompiledFunction.java:61)
   at jdk.nashorn.internal.runtime.CompiledFunction$3.get(CompiledFunction.java:680)
   at jdk.nashorn.internal.runtime.CompiledFunction$3.get(CompiledFunction.java:677)
   at jdk.nashorn.internal.runtime.CompiledFunction.getValidOptimisticInvocation(CompiledFunction.java:606)
   ...
Comments
Reproduced with jdk9-dev as well. With/without -ot=false.
29-05-2015

Reassigning this to Hannes. If this only happens with optimistic, we can probably move this to 9.
04-05-2015

This can be reduced to:

function f() {}
f.call(1);
new f(1);

What's happening is that f is called with an int as this-value (the first argument to Function.prototype.call), causing an (int)Object invoker handle to be created. When the function is used as a constructor with an int argument, that method handle is used as the base handle for the constructor.
28-04-2015
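The exception in the stack trace comes from the typing rule that MethodHandles.foldArguments enforces: the combiner's parameter list must equal the target's parameters immediately after the position where the combiner's result is folded in. The following is an added example, not Nashorn's code; the method names (invoker, invokerBool, selectResult) and the "invoker folded in front of a result-selecting target" shape are assumptions chosen so that the handle types match the ones in the exception message (the combiner is specialised to a boolean this-value, as in the fuzz case's f.call(true); an int specialisation, as in the reduced case above, fails the same check).

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;

// Added example (not Nashorn's code): demonstrates the typing rule that
// MethodHandles.foldArguments enforces, with handle shapes chosen to match
// the types in the bug's exception message.
public class FoldArgumentsContract {

    // Hypothetical "invoker": stands in for a compiled function body, called with
    // its JavaScript this-value and returning the function's result. Type: (Object)Object.
    static Object invoker(Object self) {
        return "result-for:" + self;
    }

    // Hypothetical invoker specialised for a boolean this-value, the shape produced
    // when a function is first called as f.call(true). Type: (boolean)Object.
    static Object invokerBool(boolean self) {
        return "result-for-bool:" + self;
    }

    // Hypothetical target: receives the folded invoker result first, then the original
    // this-value, and decides which of the two a constructor call should return.
    // Type: (Object,Object)Object.
    static Object selectResult(Object result, Object self) {
        return result != null ? result : self;
    }

    static MethodHandle handle(String name, MethodType type) throws ReflectiveOperationException {
        return MethodHandles.lookup().findStatic(FoldArgumentsContract.class, name, type);
    }

    // Well-typed fold: the combiner's parameters (Object) equal the target's parameters
    // that follow the folded result, so the composed handle has type (Object)Object.
    static MethodHandle buildConstructor() throws ReflectiveOperationException {
        MethodHandle target = handle("selectResult",
                MethodType.methodType(Object.class, Object.class, Object.class));
        MethodHandle combiner = handle("invoker",
                MethodType.methodType(Object.class, Object.class));
        return MethodHandles.foldArguments(target, combiner);
    }

    // Ill-typed fold: the combiner now takes boolean while the target still expects Object
    // in that position. foldArguments rejects the pair when the handle is built, before any
    // call is made, and reports both types in the IllegalArgumentException message.
    static String attemptMismatchedFold() throws ReflectiveOperationException {
        MethodHandle target = handle("selectResult",
                MethodType.methodType(Object.class, Object.class, Object.class));
        MethodHandle combiner = handle("invokerBool",
                MethodType.methodType(Object.class, boolean.class));
        try {
            MethodHandles.foldArguments(target, combiner);
            return "no exception";
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Throwable {
        MethodHandle ctor = buildConstructor();
        System.out.println(ctor.type());
        System.out.println(ctor.invoke("this-obj"));
        System.out.println(attemptMismatchedFold());
    }
}
```

The first fold composes cleanly and yields a handle of type (Object)Object; the second is rejected with the same message form as the report's stack trace, "target and combiner types must match: (Object,Object)Object != (boolean)Object". The practical point for anyone debugging a mismatch like this is that the check fires at link time, when the composite handle is assembled, so the handle whose type is "wrong" is the one that was created earlier under a different calling convention (here, the invoker specialised by the earlier f.call), not the one being linked now.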