JDK-8066225 : Fuzzing bug: duplicate integer switch cases
  • Type: Sub-task
  • Component: core-libs
  • Sub-Component: jdk.nashorn
  • Affected Version: 8u60
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2014-12-01
  • Updated: 2015-06-04
  • Resolved: 2014-12-10
JDK 8: 8u40 (Fixed)
JDK 9: 9 b43 (Fixed)
Description
jjs> try { function f(){switch(0) { case 8: for (var x in {}) {x} case 8: }} f() } catch(e) { e.printStackTrace() }
java.lang.NullPointerException
   at jdk.nashorn.internal.codegen.MethodEmitter.markDeadSlots(MethodEmitter.java:1154)
   at jdk.nashorn.internal.codegen.MethodEmitter.markDeadLocalVariable(MethodEmitter.java:1149)
   at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2494)
   at jdk.nashorn.internal.codegen.CodeGenerator.enterSwitchNode(CodeGenerator.java:2932)
   at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:106)
   at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
   at jdk.nashorn.internal.ir.LexicalContextStatement.accept(LexicalContextStatement.java:55)
   at jdk.nashorn.internal.ir.SwitchNode.accept(SwitchNode.java:38)
   at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
   at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
Comments
And this:
jjs> function f() { function(){}; function(){} } f()
Exception in thread "main" java.lang.AssertionError
   at jdk.nashorn.internal.ir.Symbol.getFirstSlot(Symbol.java:545)
   at jdk.nashorn.internal.codegen.MethodEmitter.markDeadLocalVariable(MethodEmitter.java:1149)
   at jdk.nashorn.internal.codegen.MethodEmitter.store(MethodEmitter.java:1202)
   at jdk.nashorn.internal.codegen.CodeGenerator.storeIdentWithCatchConversion(CodeGenerator.java:3201)
   at jdk.nashorn.internal.codegen.CodeGenerator.enterVarNode(CodeGenerator.java:3161)
   at jdk.nashorn.internal.ir.VarNode.accept(VarNode.java:171)
   at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
   at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
   at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
   at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
   ...
01-12-2014

Also this fails the same way:
jjs> try{ (function(){ if(x, false) { return; var x; } else if (x = 0) { } else { x } })() }catch(e){e.printStackTrace()}
java.lang.NullPointerException
   at jdk.nashorn.internal.codegen.MethodEmitter.markDeadSlots(MethodEmitter.java:1154)
   at jdk.nashorn.internal.codegen.MethodEmitter.markDeadLocalVariable(MethodEmitter.java:1149)
   at jdk.nashorn.internal.codegen.MethodEmitter.beforeJoinPoint(MethodEmitter.java:2494)
   at jdk.nashorn.internal.codegen.CodeGenerator.leaveBlock(CodeGenerator.java:1126)
   at jdk.nashorn.internal.ir.Block.accept(Block.java:178)
   at jdk.nashorn.internal.ir.LexicalContextNode$Acceptor.accept(LexicalContextNode.java:57)
   at jdk.nashorn.internal.ir.Block.accept(Block.java:425)
   at jdk.nashorn.internal.codegen.CodeGenerator.enterIfNode(CodeGenerator.java:2025)
   at jdk.nashorn.internal.ir.IfNode.accept(IfNode.java:86)
   at jdk.nashorn.internal.ir.Node.accept(Node.java:265)
01-12-2014