8077149: __noSuchProperty__ and __noSuchMethod__ invocations are not properly guarded
Reviewed-by: jlaskey, mhaupt
--- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java Wed Jul 05 22:10:57 2017 +0200
+++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java Wed Sep 07 22:48:02 2016 +0200
@@ -1273,7 +1273,11 @@
// a new zeroth element that is set to bindName value.
final MethodType methodType = methodHandle.type();
final int parameterCount = methodType.parameterCount();
- final boolean isVarArg = parameterCount > 0 && methodType.parameterType(parameterCount - 1).isArray();
+
+ if (parameterCount < 2) {
+ return methodHandle; // method does not have enough parameters
+ }
+ final boolean isVarArg = methodType.parameterType(parameterCount - 1).isArray();
if (isVarArg) {
return MH.filterArguments(methodHandle, 1, MH.insertArguments(ADD_ZEROTH_ELEMENT, 1, bindName));
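Review bot: The early return at `if (parameterCount < 2)` hands back the unbound handle with no signal, so a handler whose handle has fewer than two parameters is linked without the name that `bindName` was meant to supply. The comment `// method does not have enough parameters` does not say what they are needed for. I would state the reason, e.g. `// no parameter at index 1 to carry bindName, so link the handle unbound`, since the vararg branch just below filters the argument at position 1. The enclosing method starts and ends outside the hunk, so whether the non-vararg branch relies on the same index is not visible here.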
--- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java Wed Jul 05 22:10:57 2017 +0200
+++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java Wed Sep 07 22:48:02 2016 +0200
@@ -2172,6 +2172,21 @@
return switchPoints.toArray(new SwitchPoint[0]);
}
+ // Similar to getProtoSwitchPoints method above, but used for additional prototype switchpoints of
+ // properties that are known not to exist, e.g. the original property name in a __noSuchProperty__ invocation.
+ private SwitchPoint getProtoSwitchPoint(final String name) {
+ if (getProto() == null) {
+ return null;
+ }
+
+ for (ScriptObject obj = this; obj.getProto() != null; obj = obj.getProto()) {
+ final ScriptObject parent = obj.getProto();
+ parent.getMap().addListener(name, obj.getMap());
+ }
+
+ return getMap().getSwitchPoint(name);
+ }
+
private void checkSharedProtoMap() {
// Check if our map has an expected shared prototype property map. If it has, make sure that
// the prototype map has not been invalidated, and that it does match the actual map of the prototype.
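Review bot: `getProtoSwitchPoint` returns `null` when the object has no prototype, and the three call sites added later in this commit (hunks at -2343, -2366 and -2412) pass that value straight into `addSwitchPoint(...)`, so the new guards depend on `addSwitchPoint` accepting `null`, which this diff does not show. I would turn the leading `//` comment into a Javadoc that states the contract, e.g. `@return the switch point for {@code name}, or {@code null} if this object has no prototype`, and mention that the method registers a listener on every prototype map in the chain as a side effect. The sibling `getProtoSwitchPoints` returns an array while this method returns a single switch point; if the sibling also collects switch points from intermediate maps (its body is outside the hunk), a sentence on why one is sufficient here would help the next reader. As a small style point, the loop calls `obj.getProto()` twice per iteration where the local `parent` could drive the iteration.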
@@ -2343,7 +2358,9 @@
final boolean scopeCall = isScope() && NashornCallSiteDescriptor.isScope(desc);
if (find == null) {
- return noSuchProperty(desc, request);
+ return noSuchProperty(desc, request)
+ // Add proto switchpoint to switch from no-such-property to no-such-method if it is ever defined.
+ .addSwitchPoint(getProtoSwitchPoint(NO_SUCH_METHOD_NAME));
}
final boolean explicitInstanceOfCheck = explicitInstanceOfCheck(desc, request);
@@ -2366,7 +2383,9 @@
Object.class),
NashornGuards.combineGuards(
NashornGuards.getIdentityGuard(this),
- NashornGuards.getMapGuard(getMap(), true)));
+ NashornGuards.getMapGuard(getMap(), true)))
+ // Add a protoype switchpoint for the original name so this gets invalidated if it is ever defined.
+ .addSwitchPoint(getProtoSwitchPoint(name));
}
/**
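Review bot: The added comment misspells the word as `protoype`; it should read `prototype`, here and in the identical comment in the hunk at -2412. Both comments would also be clearer if they named what is invalidated, e.g. `// Add a prototype switchpoint for the original name so this linkage is invalidated if the property is ever defined.`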
@@ -2412,7 +2431,9 @@
func),
getProtoSwitchPoints(NO_SUCH_PROPERTY_NAME, find.getOwner()),
//TODO this doesn't need a ClassCastException as guard always checks script object
- null);
+ null)
+ // Add a protoype switchpoint for the original name so this gets invalidated if it is ever defined.
+ .addSwitchPoint(getProtoSwitchPoint(name));
}
}
--- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java Wed Jul 05 22:10:57 2017 +0200
+++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java Wed Sep 07 22:48:02 2016 +0200
@@ -29,7 +29,7 @@
/**
* This class represents a property map that can be shared among multiple prototype objects, allowing all inheriting
- * top-level objects to also share one property map. This is class is only used for prototype objects, the
+ * top-level objects to also share one property map. This class is only used for prototype objects, the
* top-level objects use ordinary {@link PropertyMap}s with the {@link PropertyMap#sharedProtoMap} field
* set to the expected shared prototype map.
*
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nashorn/test/script/basic/JDK-8077149.js Wed Sep 07 22:48:02 2016 +0200
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8077149: __noSuchProperty__ and __noSuchMethod__ invocations are not properly guarded
+ *
+ * @test
+ * @run
+ */
+
+var o = {};
+
+function invoke() {
+ return o._();
+}
+
+Object.prototype.__noSuchProperty__ = function() {
+ return function() { return "no such property" };
+};
+
+Assert.assertEquals(invoke(), "no such property");
+
+Object.prototype.__noSuchMethod__ = function() {
+ return "no such method";
+};
+
+Assert.assertEquals(invoke(), "no such method");
+
+Object.prototype._ = function() {
+ return "underscore method";
+};
+
+Assert.assertEquals(invoke(), "underscore method");
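Review bot: The test only drives the call form `o._()`, so of the three `addSwitchPoint` call sites added in ScriptObject.java it probably does not reach the property-read linkage, where a plain `o.x` is linked through `__noSuchProperty__` and `Object.prototype.x` is defined afterwards. I would add a second function such as `function read() { return o.x; }` and assert its result before and after defining `Object.prototype.x`, so that a stale call site on the get path fails the test as well. The `parameterCount < 2` early return in ScriptFunction.java also has no case here that visibly targets it.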