8066226: Fuzzing bug: parameter counts differ in TypeConverterFactory

Reviewed-by: attila, sundar

nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/PrimitiveLookup.java

@@ -26,17 +26,23 @@
 package jdk.nashorn.internal.runtime.linker;
 
 import static jdk.nashorn.internal.lookup.Lookup.MH;
+import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
+
 import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import java.lang.invoke.SwitchPoint;
 import jdk.internal.dynalink.CallSiteDescriptor;
 import jdk.internal.dynalink.linker.GuardedInvocation;
 import jdk.internal.dynalink.linker.LinkRequest;
+import jdk.internal.dynalink.support.CallSiteDescriptorFactory;
 import jdk.internal.dynalink.support.Guards;
 import jdk.nashorn.internal.runtime.Context;
 import jdk.nashorn.internal.runtime.FindProperty;
 import jdk.nashorn.internal.runtime.GlobalConstants;
+import jdk.nashorn.internal.runtime.JSType;
 import jdk.nashorn.internal.runtime.ScriptObject;
+import jdk.nashorn.internal.runtime.ScriptRuntime;
 import jdk.nashorn.internal.runtime.UserAccessorProperty;
 
 /**
@@ -46,6 +52,11 @@ import jdk.nashorn.internal.runtime.UserAccessorProperty;
  */
 public final class PrimitiveLookup {
 
+    /** Method handle to link setters on primitive base. See ES5 8.7.2. */
+    private static final MethodHandle PRIMITIVE_SETTER = findOwnMH("primitiveSetter",
+            MH.type(void.class, ScriptObject.class, Object.class, Object.class, boolean.class, Object.class));
+
+
     private PrimitiveLookup() {
     }
 
@@ -87,14 +98,27 @@ public final class PrimitiveLookup {
                                                     final ScriptObject wrappedReceiver, final MethodHandle wrapFilter,
                                                     final MethodHandle protoFilter) {
         final CallSiteDescriptor desc = request.getCallSiteDescriptor();
+        final String name;
+        final FindProperty find;
 
+        if (desc.getNameTokenCount() > 2) {
+            name = desc.getNameToken(CallSiteDescriptor.NAME_OPERAND);
+            find = wrappedReceiver.findProperty(name, true);
+        } else {
+            name = null;
+            find = null;
+        }
+
+        final String firstOp = CallSiteDescriptorFactory.tokenizeOperators(desc).get(0);
+
+        switch (firstOp) {
+        case "getProp":
+        case "getElem":
+        case "getMethod":
             //checks whether the property name is hard-coded in the call-site (i.e. a getProp vs a getElem, or setProp vs setElem)
             //if it is we can make assumptions on the property: that if it is not defined on primitive wrapper itself it never will be.
             //so in that case we can skip creation of primitive wrapper and start our search with the prototype.
-        if (desc.getNameTokenCount() > 2) {
+            if (name != null) {
-            final String name = desc.getNameToken(CallSiteDescriptor.NAME_OPERAND);
-            final FindProperty find = wrappedReceiver.findProperty(name, true);
-
                 if (find == null) {
                     // Give up early, give chance to BeanLinker and NashornBottomLinker to deal with it.
                     return null;
@@ -113,15 +137,20 @@ public final class PrimitiveLookup {
 
                     if (link != null) {
                         final MethodHandle invocation = link.getInvocation(); //this contains the builtin switchpoint
-
                         final MethodHandle adaptedInvocation = MH.asType(invocation, invocation.type().changeParameterType(0, Object.class));
                         final MethodHandle method = MH.filterArguments(adaptedInvocation, 0, protoFilter);
                         final MethodHandle protoGuard = MH.filterArguments(link.getGuard(), 0, protoFilter);
-
                         return new GuardedInvocation(method, NashornGuards.combineGuards(guard, protoGuard));
                     }
                 }
             }
+            break;
+        case "setProp":
+        case "setElem":
+            return getPrimitiveSetter(name, guard, wrapFilter, NashornCallSiteDescriptor.isStrict(desc));
+        default:
+            break;
+        }
 
         final GuardedInvocation link = wrappedReceiver.lookup(desc, request);
         if (link != null) {
@@ -138,4 +167,41 @@ public final class PrimitiveLookup {
 
         return null;
     }
+
+    private static GuardedInvocation getPrimitiveSetter(final String name, final MethodHandle guard,
+                                                        final MethodHandle wrapFilter, final boolean isStrict) {
+        MethodHandle filter = MH.asType(wrapFilter, wrapFilter.type().changeReturnType(ScriptObject.class));
+        final MethodHandle target;
+
+        if (name == null) {
+            filter = MH.dropArguments(filter, 1, Object.class, Object.class);
+            target = MH.insertArguments(PRIMITIVE_SETTER, 3, isStrict);
+        } else {
+            filter = MH.dropArguments(filter, 1, Object.class);
+            target = MH.insertArguments(PRIMITIVE_SETTER, 2, name, isStrict);
+        }
+
+        return new GuardedInvocation(MH.foldArguments(target, filter), guard);
+    }
+
+
+    @SuppressWarnings("unused")
+    private static void primitiveSetter(final ScriptObject wrappedSelf, final Object self, final Object key,
+                                        final boolean strict, final Object value) {
+        // See ES5.1 8.7.2 PutValue (V, W)
+        final String name = JSType.toString(key);
+        final FindProperty find = wrappedSelf.findProperty(name, true);
+        if (find == null || !(find.getProperty() instanceof UserAccessorProperty) || !find.getProperty().isWritable()) {
+            if (strict) {
+                throw typeError("property.not.writable", name, ScriptRuntime.safeToString(self));
+            }
+            return;
+        }
+        // property found and is a UserAccessorProperty
+        find.setValue(value, strict);
+    }
+
+    private static MethodHandle findOwnMH(final String name, final MethodType type) {
+        return MH.findStatic(MethodHandles.lookup(), PrimitiveLookup.class, name, type);
+    }
 }

nashorn/test/script/basic/JDK-8066226.js

@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ *
+ JDK-8066226: Fuzzing bug: parameter counts differ in TypeConverterFactory
+ *
+ * @test
+ * @run
+ */
+
+Object.defineProperty(Object.prototype, "accessor", {
+    set: function(value) {
+        print("Setting accessor on " + this + " to " + value);
+    }
+});
+
+Object.defineProperty(Object.prototype, "getterOnly", {
+    get: function() {
+        return 1;
+    }
+});
+
+function set(o) {
+    print("set(" + o + ")");
+    o.foo = 1;
+    o.constructor = 1;
+    o.accessor = 1;
+    o.getterOnly = 1;
+    print();
+}
+
+function setStrict(o) {
+    "use strict";
+    print("setStrict(" + o + ")")
+    try {
+        o.foo = 1;
+    } catch (e) {
+        print(e);
+    }
+    try {
+        o.constructor = 1;
+    } catch (e) {
+        print(e);
+    }
+    try {
+        o.accessor = 1;
+    } catch (e) {
+        print(e);
+    }
+    try {
+        o.getterOnly = 1;
+    } catch (e) {
+        print(e);
+    }
+    print();
+}
+
+function setAttr(o, id) {
+    print("setAttr(" + o + ", " + id + ")")
+    o[id] = 1;
+    print();
+}
+
+function setAttrStrict(o, id) {
+    "use strict";
+    print("setAttrStrict(" + o + ", " + id + ")")
+    try {
+        o[id] = 1;
+    } catch (e) {
+        print(e);
+    }
+    print();
+}
+
+set(1);
+set("str");
+set(true);
+set({});
+set([]);
+
+setStrict(1);
+setStrict("str");
+setStrict(true);
+setStrict({});
+setStrict([]);
+
+setAttr(1, "foo");
+setAttr(1, "constructor");
+setAttr(1, "accessor");
+setAttr(1, "getterOnly");
+setAttr("str", "foo");
+setAttr("str", "constructor");
+setAttr("str", "accessor");
+setAttr("str", "getterOnly");
+setAttr(true, "foo");
+setAttr(true, "constructor");
+setAttr(true, "accessor");
+setAttr(true, "getterOnly");
+
+setAttrStrict(1, "foo");
+setAttrStrict(1, "constructor");
+setAttrStrict(1, "accessor");
+setAttrStrict(1, "getterOnly");
+setAttrStrict("str", "foo");
+setAttrStrict("str", "constructor");
+setAttrStrict("str", "accessor");
+setAttrStrict("str", "getterOnly");
+setAttrStrict(true, "foo");
+setAttrStrict(true, "constructor");
+setAttrStrict(true, "accessor");
+setAttrStrict(true, "getterOnly");

nashorn/test/script/basic/JDK-8066226.js.EXPECTED

@@ -0,0 +1,104 @@
+set(1)
+Setting accessor on 1 to 1
+
+set(str)
+Setting accessor on str to 1
+
+set(true)
+Setting accessor on true to 1
+
+set([object Object])
+Setting accessor on [object Object] to 1
+
+set()
+Setting accessor on  to 1
+
+setStrict(1)
+TypeError: "foo" is not a writable property of 1
+TypeError: "constructor" is not a writable property of 1
+Setting accessor on 1 to 1
+TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
+
+setStrict(str)
+TypeError: "foo" is not a writable property of str
+TypeError: "constructor" is not a writable property of str
+Setting accessor on str to 1
+TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
+
+setStrict(true)
+TypeError: "foo" is not a writable property of true
+TypeError: "constructor" is not a writable property of true
+Setting accessor on true to 1
+TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
+
+setStrict([object Object])
+Setting accessor on [object Object] to 1
+TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
+
+setStrict()
+Setting accessor on  to 1
+TypeError: Cannot set property "getterOnly" of [object Array] that has only a getter
+
+setAttr(1, foo)
+
+setAttr(1, constructor)
+
+setAttr(1, accessor)
+Setting accessor on 1 to 1
+
+setAttr(1, getterOnly)
+
+setAttr(str, foo)
+
+setAttr(str, constructor)
+
+setAttr(str, accessor)
+Setting accessor on str to 1
+
+setAttr(str, getterOnly)
+
+setAttr(true, foo)
+
+setAttr(true, constructor)
+
+setAttr(true, accessor)
+Setting accessor on true to 1
+
+setAttr(true, getterOnly)
+
+setAttrStrict(1, foo)
+TypeError: "foo" is not a writable property of 1
+
+setAttrStrict(1, constructor)
+TypeError: "constructor" is not a writable property of 1
+
+setAttrStrict(1, accessor)
+Setting accessor on 1 to 1
+
+setAttrStrict(1, getterOnly)
+TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
+
+setAttrStrict(str, foo)
+TypeError: "foo" is not a writable property of str
+
+setAttrStrict(str, constructor)
+TypeError: "constructor" is not a writable property of str
+
+setAttrStrict(str, accessor)
+Setting accessor on str to 1
+
+setAttrStrict(str, getterOnly)
+TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
+
+setAttrStrict(true, foo)
+TypeError: "foo" is not a writable property of true
+
+setAttrStrict(true, constructor)
+TypeError: "constructor" is not a writable property of true
+
+setAttrStrict(true, accessor)
+Setting accessor on true to 1
+
+setAttrStrict(true, getterOnly)
+TypeError: Cannot set property "getterOnly" of [object Object] that has only a getter
+