# HG changeset patch # User hannesw # Date 1473281282 -7200 # Node ID c24d212a87333083dbe5738e2db46125f607e88c # Parent e384420383a5b79fa0012ebcb25d8f83cff7f777 8077149: __noSuchProperty__ and __noSuchMethod__ invocations are not properly guarded Reviewed-by: jlaskey, mhaupt diff -r e384420383a5 -r c24d212a8733 nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java --- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java Wed Jul 05 22:10:57 2017 +0200 +++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java Wed Sep 07 22:48:02 2016 +0200 @@ -1273,7 +1273,11 @@ // a new zeroth element that is set to bindName value. final MethodType methodType = methodHandle.type(); final int parameterCount = methodType.parameterCount(); - final boolean isVarArg = parameterCount > 0 && methodType.parameterType(parameterCount - 1).isArray(); + + if (parameterCount < 2) { + return methodHandle; // method does not have enough parameters + } + final boolean isVarArg = methodType.parameterType(parameterCount - 1).isArray(); if (isVarArg) { return MH.filterArguments(methodHandle, 1, MH.insertArguments(ADD_ZEROTH_ELEMENT, 1, bindName)); diff -r e384420383a5 -r c24d212a8733 nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java --- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java Wed Jul 05 22:10:57 2017 +0200 +++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java Wed Sep 07 22:48:02 2016 +0200 @@ -2172,6 +2172,21 @@ return switchPoints.toArray(new SwitchPoint[0]); } + // Similar to getProtoSwitchPoints method above, but used for additional prototype switchpoints of + // properties that are known not to exist, e.g. the original property name in a __noSuchProperty__ invocation. + private SwitchPoint getProtoSwitchPoint(final String name) { + if (getProto() == null) { + return null; + } + + for (ScriptObject obj = this; obj.getProto() != null; obj = obj.getProto()) { + final ScriptObject parent = obj.getProto(); + parent.getMap().addListener(name, obj.getMap()); + } + + return getMap().getSwitchPoint(name); + } + private void checkSharedProtoMap() { // Check if our map has an expected shared prototype property map. If it has, make sure that // the prototype map has not been invalidated, and that it does match the actual map of the prototype. @@ -2343,7 +2358,9 @@ final boolean scopeCall = isScope() && NashornCallSiteDescriptor.isScope(desc); if (find == null) { - return noSuchProperty(desc, request); + return noSuchProperty(desc, request) + // Add proto switchpoint to switch from no-such-property to no-such-method if it is ever defined. + .addSwitchPoint(getProtoSwitchPoint(NO_SUCH_METHOD_NAME)); } final boolean explicitInstanceOfCheck = explicitInstanceOfCheck(desc, request); @@ -2366,7 +2383,9 @@ Object.class), NashornGuards.combineGuards( NashornGuards.getIdentityGuard(this), - NashornGuards.getMapGuard(getMap(), true))); + NashornGuards.getMapGuard(getMap(), true))) + // Add a protoype switchpoint for the original name so this gets invalidated if it is ever defined. + .addSwitchPoint(getProtoSwitchPoint(name)); } /** @@ -2412,7 +2431,9 @@ func), getProtoSwitchPoints(NO_SUCH_PROPERTY_NAME, find.getOwner()), //TODO this doesn't need a ClassCastException as guard always checks script object - null); + null) + // Add a protoype switchpoint for the original name so this gets invalidated if it is ever defined. + .addSwitchPoint(getProtoSwitchPoint(name)); } } diff -r e384420383a5 -r c24d212a8733 nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java --- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java Wed Jul 05 22:10:57 2017 +0200 +++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java Wed Sep 07 22:48:02 2016 +0200 @@ -29,7 +29,7 @@ /** * This class represents a property map that can be shared among multiple prototype objects, allowing all inheriting - * top-level objects to also share one property map. This is class is only used for prototype objects, the + * top-level objects to also share one property map. This class is only used for prototype objects, the * top-level objects use ordinary {@link PropertyMap}s with the {@link PropertyMap#sharedProtoMap} field * set to the expected shared prototype map. * diff -r e384420383a5 -r c24d212a8733 nashorn/test/script/basic/JDK-8077149.js --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nashorn/test/script/basic/JDK-8077149.js Wed Sep 07 22:48:02 2016 +0200 @@ -0,0 +1,53 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * JDK-8077149: __noSuchProperty__ and __noSuchMethod__ invocations are not properly guarded + * + * @test + * @run + */ + +var o = {}; + +function invoke() { + return o._(); +} + +Object.prototype.__noSuchProperty__ = function() { + return function() { return "no such property" }; +}; + +Assert.assertEquals(invoke(), "no such property"); + +Object.prototype.__noSuchMethod__ = function() { + return "no such method"; +}; + +Assert.assertEquals(invoke(), "no such method"); + +Object.prototype._ = function() { + return "underscore method"; +}; + +Assert.assertEquals(invoke(), "underscore method");