changeset 1412:dcbf5e2121e3
8066220: Fuzzing bug: MethodHandle bug (Object,Object) != (boolean)Object
Reviewed-by: lagergren, attila, sundar
author | hannesw |
---|---|
date | Wed, 03 Jun 2015 10:42:06 +0200 |
parents | ba519ec9ec82 |
children | 07f32a26bc1e |
files | src/jdk/nashorn/internal/runtime/CompiledFunction.java test/script/basic/JDK-8066220.js test/script/basic/JDK-8066220.js.EXPECTED |
diffstat | 3 files changed, 43 insertions(+), 2 deletions(-) [+] |
--- a/src/jdk/nashorn/internal/runtime/CompiledFunction.java Tue Jun 02 17:08:13 2015 +0200
+++ b/src/jdk/nashorn/internal/runtime/CompiledFunction.java Wed Jun 03 10:42:06 2015 +0200
@@ -528,8 +528,9 @@
 final int fnParamCountNoCallee = fnParamCount - thisThisIndex;
 final int minParams = Math.min(csParamCount - 1, fnParamCountNoCallee); // callSiteType always has callee, so subtract 1
- // We must match all incoming parameters, except "this". Starting from 1 to skip "this".
- for(int i = 1; i < minParams; ++i) {
+ // We must match all incoming parameters, including "this". "this" will usually be Object, but there
+ // are exceptions, e.g. when calling functions with primitive "this" in strict mode or through call/apply.
+ for(int i = 0; i < minParams; ++i) {
 final Type fnType = Type.typeFor(type.parameterType(i + thisThisIndex));
 final Type csType = csIsVarArg ? Type.OBJECT : Type.typeFor(other.parameterType(i + 1));
 if(!fnType.isEquivalentTo(csType)) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/script/basic/JDK-8066220.js Wed Jun 03 10:42:06 2015 +0200
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8066220: Fuzzing bug: MethodHandle bug (Object,Object) != (boolean)Object
+ *
+ * @test
+ * @run
+ */
+
+
+function f() {}
+// Call f with primitive this first, then as constructor
+f.call(1);
+new f();
+
+// Same as above in strict mode
+eval('"use strict"; function e() { print(typeof this); } e.call(1); new e();');
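Review bot: The regression test only drives a primitive number through `this` (`f.call(1)` and `e.call(1)`), while the bug title names a boolean receiver (`(boolean)Object`), so the exact shape the fuzzer hit is not pinned; adding `f.call(true); new f();` and the strict-mode equivalent `e.call(true); new e();` would cover it. The sloppy-mode `f` has an empty body, so that half of the test only checks that no exception escapes; a `print(typeof this)` in `f` would also make the sloppy-mode receiver type part of the expected output, which presumably is "object" there — confirm against the .EXPECTED file, which is listed in the changeset but not shown on this page.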