archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8066226: Fuzzing bug: parameter counts differ in TypeConverterFactory

Browse source 
Reviewed-by: attila, sundar
This commit is contained in:
Hannes Wallnöfer 2014-12-16 17:02:54 +01:00
parent f73717b021
commit 36816b6c0a
3 changed files with 327 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

116
nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/PrimitiveLookup.java
View file

@ -26,17 +26,23 @@
package jdk.nashorn.internal.runtime.linker;
import static jdk.nashorn.internal.lookup.Lookup.MH;
import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.invoke.SwitchPoint;
import jdk.internal.dynalink.CallSiteDescriptor;
import jdk.internal.dynalink.linker.GuardedInvocation;
import jdk.internal.dynalink.linker.LinkRequest;
import jdk.internal.dynalink.support.CallSiteDescriptorFactory;
import jdk.internal.dynalink.support.Guards;
import jdk.nashorn.internal.runtime.Context;
import jdk.nashorn.internal.runtime.FindProperty;
import jdk.nashorn.internal.runtime.GlobalConstants;
import jdk.nashorn.internal.runtime.JSType;
import jdk.nashorn.internal.runtime.ScriptObject;
import jdk.nashorn.internal.runtime.ScriptRuntime;
import jdk.nashorn.internal.runtime.UserAccessorProperty;
/**
@ -46,6 +52,11 @@ import jdk.nashorn.internal.runtime.UserAccessorProperty;
*/
public final class PrimitiveLookup {
/** Method handle to link setters on primitive base. See ES5 8.7.2. */
private static final MethodHandle PRIMITIVE_SETTER = findOwnMH("primitiveSetter",
MH.type(void.class, ScriptObject.class, Object.class, Object.class, boolean.class, Object.class));
private PrimitiveLookup() {
}
@ -87,40 +98,58 @@ public final class PrimitiveLookup {
final ScriptObject wrappedReceiver, final MethodHandle wrapFilter,
final MethodHandle protoFilter) {
final CallSiteDescriptor desc = request.getCallSiteDescriptor();
final String name;
final FindProperty find;
//checks whether the property name is hard-coded in the call-site (i.e. a getProp vs a getElem, or setProp vs setElem)
//if it is we can make assumptions on the property: that if it is not defined on primitive wrapper itself it never will be.
//so in that case we can skip creation of primitive wrapper and start our search with the prototype.
if (desc.getNameTokenCount() > 2) {
final String name = desc.getNameToken(CallSiteDescriptor.NAME_OPERAND);
final FindProperty find = wrappedReceiver.findProperty(name, true);
name = desc.getNameToken(CallSiteDescriptor.NAME_OPERAND);
find = wrappedReceiver.findProperty(name, true);
} else {
name = null;
find = null;
}
if (find == null) {
// Give up early, give chance to BeanLinker and NashornBottomLinker to deal with it.
return null;
}
final String firstOp = CallSiteDescriptorFactory.tokenizeOperators(desc).get(0);
final SwitchPoint sp = find.getProperty().getBuiltinSwitchPoint(); //can use this instead of proto filter
if (sp instanceof Context.BuiltinSwitchPoint && !sp.hasBeenInvalidated()) {
return new GuardedInvocation(GlobalConstants.staticConstantGetter(find.getObjectValue()), guard, sp, null);
}
switch (firstOp) {
case "getProp":
case "getElem":
case "getMethod":
//checks whether the property name is hard-coded in the call-site (i.e. a getProp vs a getElem, or setProp vs setElem)
//if it is we can make assumptions on the property: that if it is not defined on primitive wrapper itself it never will be.
//so in that case we can skip creation of primitive wrapper and start our search with the prototype.
if (name != null) {
if (find == null) {
// Give up early, give chance to BeanLinker and NashornBottomLinker to deal with it.
return null;
}
if (find.isInherited() && !(find.getProperty() instanceof UserAccessorProperty)) {
// If property is found in the prototype object bind the method handle directly to
// the proto filter instead of going through wrapper instantiation below.
final ScriptObject proto = wrappedReceiver.getProto();
final GuardedInvocation link = proto.lookup(desc, request);
final SwitchPoint sp = find.getProperty().getBuiltinSwitchPoint(); //can use this instead of proto filter
if (sp instanceof Context.BuiltinSwitchPoint && !sp.hasBeenInvalidated()) {
return new GuardedInvocation(GlobalConstants.staticConstantGetter(find.getObjectValue()), guard, sp, null);
}
if (link != null) {
final MethodHandle invocation = link.getInvocation(); //this contains the builtin switchpoint
if (find.isInherited() && !(find.getProperty() instanceof UserAccessorProperty)) {
// If property is found in the prototype object bind the method handle directly to
// the proto filter instead of going through wrapper instantiation below.
final ScriptObject proto = wrappedReceiver.getProto();
final GuardedInvocation link = proto.lookup(desc, request);
final MethodHandle adaptedInvocation = MH.asType(invocation, invocation.type().changeParameterType(0, Object.class));
final MethodHandle method = MH.filterArguments(adaptedInvocation, 0, protoFilter);
final MethodHandle protoGuard = MH.filterArguments(link.getGuard(), 0, protoFilter);
return new GuardedInvocation(method, NashornGuards.combineGuards(guard, protoGuard));
if (link != null) {
final MethodHandle invocation = link.getInvocation(); //this contains the builtin switchpoint
final MethodHandle adaptedInvocation = MH.asType(invocation, invocation.type().changeParameterType(0, Object.class));
final MethodHandle method = MH.filterArguments(adaptedInvocation, 0, protoFilter);
final MethodHandle protoGuard = MH.filterArguments(link.getGuard(), 0, protoFilter);
return new GuardedInvocation(method, NashornGuards.combineGuards(guard, protoGuard));
}
}
}
break;
case "setProp":
case "setElem":
return getPrimitiveSetter(name, guard, wrapFilter, NashornCallSiteDescriptor.isStrict(desc));
default:
break;
}
final GuardedInvocation link = wrappedReceiver.lookup(desc, request);
@ -138,4 +167,41 @@ public final class PrimitiveLookup {
return null;
}
private static GuardedInvocation getPrimitiveSetter(final String name, final MethodHandle guard,
final MethodHandle wrapFilter, final boolean isStrict) {
MethodHandle filter = MH.asType(wrapFilter, wrapFilter.type().changeReturnType(ScriptObject.class));
final MethodHandle target;
if (name == null) {
filter = MH.dropArguments(filter, 1, Object.class, Object.class);
target = MH.insertArguments(PRIMITIVE_SETTER, 3, isStrict);
} else {
filter = MH.dropArguments(filter, 1, Object.class);
target = MH.insertArguments(PRIMITIVE_SETTER, 2, name, isStrict);
}
return new GuardedInvocation(MH.foldArguments(target, filter), guard);
}
@SuppressWarnings("unused")
private static void primitiveSetter(final ScriptObject wrappedSelf, final Object self, final Object key,
final boolean strict, final Object value) {
// See ES5.1 8.7.2 PutValue (V, W)
final String name = JSType.toString(key);
final FindProperty find = wrappedSelf.findProperty(name, true);
if (find == null || !(find.getProperty() instanceof UserAccessorProperty) || !find.getProperty().isWritable()) {
if (strict) {
throw typeError("property.not.writable", name, ScriptRuntime.safeToString(self));
}
return;
}
// property found and is a UserAccessorProperty
find.setValue(value, strict);
}
private static MethodHandle findOwnMH(final String name, final MethodType type) {
return MH.findStatic(MethodHandles.lookup(), PrimitiveLookup.class, name, type);
}
}

132
nashorn/test/script/basic/JDK-8066226.js Normal file
View file

@ -0,0 +1,132 @@
/*
* Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/**
*
JDK-8066226: Fuzzing bug: parameter counts differ in TypeConverterFactory
*
* @test
* @run
*/
Object.defineProperty(Object.prototype, "accessor", {
set: function(value) {
print("Setting accessor on " + this + " to " + value);
}
});
Object.defineProperty(Object.prototype, "getterOnly", {
get: function() {
return 1;
}
});
function set(o) {
print("set(" + o + ")");
o.foo = 1;
o.constructor = 1;
o.accessor = 1;
o.getterOnly = 1;
print();
}
function setStrict(o) {
"use strict";
print("setStrict(" + o + ")")
try {
o.foo = 1;
} catch (e) {
print(e);
}
try {
o.constructor = 1;
} catch (e) {
print(e);
}
try {
o.accessor = 1;
} catch (e) {
print(e);
}
try {
o.getterOnly = 1;
} catch (e) {
print(e);
}
print();
}
function setAttr(o, id) {
print("setAttr(" + o + ", " + id + ")")
o[id] = 1;
print();
}
function setAttrStrict(o, id) {
"use strict";
print("setAttrStrict(" + o + ", " + id + ")")
try {
o[id] = 1;
} catch (e) {
print(e);
}
print();
}
set(1);
set("str");
set(true);
set({});
set([]);
setStrict(1);
setStrict("str");
setStrict(true);
setStrict({});
setStrict([]);
setAttr(1, "foo");
setAttr(1, "constructor");
setAttr(1, "accessor");
setAttr(1, "getterOnly");
setAttr("str", "foo");
setAttr("str", "constructor");
setAttr("str", "accessor");
setAttr("str", "getterOnly");
setAttr(true, "foo");
setAttr(true, "constructor");
setAttr(true, "accessor");
setAttr(true, "getterOnly");
setAttrStrict(1, "foo");
setAttrStrict(1, "constructor");
setAttrStrict(1, "accessor");
setAttrStrict(1, "getterOnly");
setAttrStrict("str", "foo");
setAttrStrict("str", "constructor");
setAttrStrict("str", "accessor");
setAttrStrict("str", "getterOnly");
setAttrStrict(true, "foo");
setAttrStrict(true, "constructor");
setAttrStrict(true, "accessor");
setAttrStrict(true, "getterOnly");

104
nashorn/test/script/basic/JDK-8066226.js.EXPECTED Normal file
View file

@ -0,0 +1,104 @@
set(1)
Setting accessor on 1 to 1
set(str)
Setting accessor on str to 1
set(true)
Setting accessor on true to 1
set([object Object])
Setting accessor on [object Object] to 1
set()
Setting accessor on to 1
setStrict(1)
TypeError: "foo" is not a writable property of 1
TypeError: "constructor" is not a writable property of 1
Setting accessor on 1 to 1
TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
setStrict(str)
TypeError: "foo" is not a writable property of str
TypeError: "constructor" is not a writable property of str
Setting accessor on str to 1
TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
setStrict(true)
TypeError: "foo" is not a writable property of true
TypeError: "constructor" is not a writable property of true
Setting accessor on true to 1
TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
setStrict([object Object])
Setting accessor on [object Object] to 1
TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
setStrict()
Setting accessor on to 1
TypeError: Cannot set property "getterOnly" of [object Array] that has only a getter
setAttr(1, foo)
setAttr(1, constructor)
setAttr(1, accessor)
Setting accessor on 1 to 1
setAttr(1, getterOnly)
setAttr(str, foo)
setAttr(str, constructor)
setAttr(str, accessor)
Setting accessor on str to 1
setAttr(str, getterOnly)
setAttr(true, foo)
setAttr(true, constructor)
setAttr(true, accessor)
Setting accessor on true to 1
setAttr(true, getterOnly)
setAttrStrict(1, foo)
TypeError: "foo" is not a writable property of 1
setAttrStrict(1, constructor)
TypeError: "constructor" is not a writable property of 1
setAttrStrict(1, accessor)
Setting accessor on 1 to 1
setAttrStrict(1, getterOnly)
TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
setAttrStrict(str, foo)
TypeError: "foo" is not a writable property of str
setAttrStrict(str, constructor)
TypeError: "constructor" is not a writable property of str
setAttrStrict(str, accessor)
Setting accessor on str to 1
setAttrStrict(str, getterOnly)
TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
setAttrStrict(true, foo)
TypeError: "foo" is not a writable property of true
setAttrStrict(true, constructor)
TypeError: "constructor" is not a writable property of true
setAttrStrict(true, accessor)
Setting accessor on true to 1
setAttrStrict(true, getterOnly)
TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter