JDK-8066226 : Fuzzing bug: parameter counts differ in TypeConverterFactory
  • Type: Sub-task
  • Component: core-libs
  • Sub-Component: jdk.nashorn
  • Affected Version: 8u60
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2014-12-01
  • Updated: 2015-09-29
  • Resolved: 2014-12-16
  • JDK 8: 8u60 (Fixed)
  • JDK 9: 9 b44 (Fixed)
Description
jjs> try { false.constructor = 0 } catch(e) { e.printStackTrace() }
java.lang.invoke.WrongMethodTypeException: Parameter counts differ: (Object)Object vs. (Object,int)Object
   at jdk.internal.dynalink.support.TypeConverterFactory.asType(TypeConverterFactory.java:236)
   at jdk.internal.dynalink.support.LinkerServicesImpl.asType(LinkerServicesImpl.java:126)
   at jdk.internal.dynalink.linker.LinkerServices$Implementation.asTypeLosslessReturn(LinkerServices.java:197)
   at jdk.internal.dynalink.support.LinkerServicesImpl.asTypeLosslessReturn(LinkerServicesImpl.java:131)
   at jdk.internal.dynalink.linker.GuardedInvocation.asTypeSafeReturn(GuardedInvocation.java:340)
   at jdk.nashorn.internal.runtime.linker.Bootstrap.asTypeSafeReturn(Bootstrap.java:429)
   at jdk.nashorn.internal.runtime.linker.NashornPrimitiveLinker.getGuardedInvocation(NashornPrimitiveLinker.java:70)
   at jdk.internal.dynalink.support.CompositeTypeBasedGuardingDynamicLinker.getGuardedInvocation(CompositeTypeBasedGuardingDynamicLinker.java:176)
   at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
   at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:149)
   ...

Comments
The reason this happens is that we're erroneously linking a constant-getter for a setter request too for primitive linkage.
08-12-2014

Attached a patch that eliminates the exception. It however exposes a different problem, which is that assigning false.constructor=0; will overwrite Boolean.prototype.constructor.
08-12-2014
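
The arity mismatch in the exception above can be reproduced with plain java.lang.invoke: a constant getter of type (Object)Object cannot be adapted to the setter call-site type (Object,int)Object. This is an added example, not Nashorn or Dynalink code and not the attached patch; the class name, `constantGetter` and the `linkFor` guard are hypothetical.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.invoke.WrongMethodTypeException;

public class GetterForSetterDemo {
    // Call-site shapes copied from the exception message in the report.
    static final MethodType GET = MethodType.methodType(Object.class, Object.class);
    static final MethodType SET = MethodType.methodType(Object.class, Object.class, int.class);

    // Constant getter: ignores the receiver and returns a fixed value.
    static MethodHandle constantGetter(Object value) {
        MethodHandle k = MethodHandles.constant(Object.class, value);   // ()Object
        return MethodHandles.dropArguments(k, 0, Object.class);         // (Object)Object
    }

    // Hypothetical guard (assumption, not the attached patch): only hand out
    // the getter when the call site has the getter's arity; otherwise decline
    // so another linker can handle the request.
    static MethodHandle linkFor(MethodType callSite, Object value) {
        MethodHandle getter = constantGetter(value);
        if (getter.type().parameterCount() != callSite.parameterCount()) {
            return null;
        }
        return getter.asType(callSite);
    }

    public static void main(String[] args) throws Throwable {
        MethodHandle getter = constantGetter("constructor-value");
        try {
            getter.asType(SET);          // unguarded: getter offered to a setter site
            System.out.println("unexpected: adaptation succeeded");
        } catch (WrongMethodTypeException e) {
            System.out.println("unguarded asType rejected: " + e.getMessage());
        }
        System.out.println("guarded, setter site: " + linkFor(SET, "constructor-value"));
        Object r = linkFor(GET, "constructor-value").invoke((Object) Boolean.FALSE);
        System.out.println("guarded, getter site: " + r);
    }
}
```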