From 2df77e13ce6ac2be68d40e5a81c0c26a9d8f7f73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hannes=20Walln=C3=B6fer?= Date: Wed, 7 Sep 2016 22:48:02 +0200 Subject: [PATCH] 8077149: __noSuchProperty__ and __noSuchMethod__ invocations are not properly guarded Reviewed-by: jlaskey, mhaupt --- .../internal/runtime/ScriptFunction.java | 6 ++- .../internal/runtime/ScriptObject.java | 27 ++++++++-- .../internal/runtime/SharedPropertyMap.java | 2 +- nashorn/test/script/basic/JDK-8077149.js | 53 +++++++++++++++++++ 4 files changed, 83 insertions(+), 5 deletions(-) create mode 100644 nashorn/test/script/basic/JDK-8077149.js diff --git a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java index 56bab71752e..3c71880c13f 100644 --- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java +++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java @@ -1273,7 +1273,11 @@ public class ScriptFunction extends ScriptObject { // a new zeroth element that is set to bindName value. final MethodType methodType = methodHandle.type(); final int parameterCount = methodType.parameterCount(); - final boolean isVarArg = parameterCount > 0 && methodType.parameterType(parameterCount - 1).isArray(); + + if (parameterCount < 2) { + return methodHandle; // method does not have enough parameters + } + final boolean isVarArg = methodType.parameterType(parameterCount - 1).isArray(); if (isVarArg) { return MH.filterArguments(methodHandle, 1, MH.insertArguments(ADD_ZEROTH_ELEMENT, 1, bindName)); diff --git a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java index 059cf1d80e1..df348e148b5 100644 
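Review bot: The new `parameterCount < 2` guard in the ScriptFunction.java hunk uses a threshold that the code does not explain, and its comment ("method does not have enough parameters") does not say enough for what. The vararg branch that follows adapts the argument at index 1 (`MH.filterArguments(methodHandle, 1, ...)`), which is presumably why two parameters are the minimum. A comment such as `// need a parameter at index 1 to receive bindName; otherwise return the handle unadapted` would tie the number to that use. The enclosing method starts and ends outside the hunk, so the non-vararg branch cannot be checked from here.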
--- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java +++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptObject.java @@ -2172,6 +2172,21 @@ public abstract class ScriptObject implements PropertyAccess, Cloneable { return switchPoints.toArray(new SwitchPoint[0]); } + // Similar to getProtoSwitchPoints method above, but used for additional prototype switchpoints of + // properties that are known not to exist, e.g. the original property name in a __noSuchProperty__ invocation. + private SwitchPoint getProtoSwitchPoint(final String name) { + if (getProto() == null) { + return null; + } + + for (ScriptObject obj = this; obj.getProto() != null; obj = obj.getProto()) { + final ScriptObject parent = obj.getProto(); + parent.getMap().addListener(name, obj.getMap()); + } + + return getMap().getSwitchPoint(name); + } + private void checkSharedProtoMap() { // Check if our map has an expected shared prototype property map. If it has, make sure that // the prototype map has not been invalidated, and that it does match the actual map of the prototype. @@ -2343,7 +2358,9 @@ public abstract class ScriptObject implements PropertyAccess, Cloneable { final boolean scopeCall = isScope() && NashornCallSiteDescriptor.isScope(desc); if (find == null) { - return noSuchProperty(desc, request); + return noSuchProperty(desc, request) + // Add proto switchpoint to switch from no-such-property to no-such-method if it is ever defined. + .addSwitchPoint(getProtoSwitchPoint(NO_SUCH_METHOD_NAME)); } final boolean explicitInstanceOfCheck = explicitInstanceOfCheck(desc, request); 
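Review bot: `getProtoSwitchPoint`, added in the ScriptObject.java hunk at `@@ -2172`, returns `null` when the object has no prototype, and every new call site (the hunks at `@@ -2343`, `@@ -2366` and `@@ -2412`) passes that result straight into `.addSwitchPoint(...)`. Whether `addSwitchPoint` accepts `null` is not visible in this patch, so it should be confirmed and the contract written down on the helper. One way is to turn the `//` comment into Javadoc with `@return the switchpoint for {@code name}, or {@code null} if this object has no prototype`. The same Javadoc should state that each call registers a listener for `name` on every prototype map in the chain, because that side effect is not apparent from the method name.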
@@ -2366,7 +2383,9 @@ public abstract class ScriptObject implements PropertyAccess, Cloneable { Object.class), NashornGuards.combineGuards( NashornGuards.getIdentityGuard(this), - NashornGuards.getMapGuard(getMap(), true))); + NashornGuards.getMapGuard(getMap(), true))) + // Add a protoype switchpoint for the original name so this gets invalidated if it is ever defined. + .addSwitchPoint(getProtoSwitchPoint(name)); } /** @@ -2412,7 +2431,9 @@ public abstract class ScriptObject implements PropertyAccess, Cloneable { func), getProtoSwitchPoints(NO_SUCH_PROPERTY_NAME, find.getOwner()), //TODO this doesn't need a ClassCastException as guard always checks script object - null); + null) + // Add a protoype switchpoint for the original name so this gets invalidated if it is ever defined. + .addSwitchPoint(getProtoSwitchPoint(name)); } } diff --git a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java index 215d0c85ad8..5277c4faad4 100644 --- a/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java +++ b/nashorn/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/SharedPropertyMap.java @@ -29,7 +29,7 @@ import java.lang.invoke.SwitchPoint; /** * This class represents a property map that can be shared among multiple prototype objects, allowing all inheriting - * top-level objects to also share one property map. This is class is only used for prototype objects, the + * top-level objects to also share one property map. This class is only used for prototype objects, the * top-level objects use ordinary {@link PropertyMap}s with the {@link PropertyMap#sharedProtoMap} field * set to the expected shared prototype map. * diff --git a/nashorn/test/script/basic/JDK-8077149.js b/nashorn/test/script/basic/JDK-8077149.js new file mode 100644 index 00000000000..b980ff81027 
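Review bot: The comments added in the hunks at `@@ -2366` and `@@ -2412` both misspell "prototype" and should read `// Add a prototype switchpoint for the original name so this gets invalidated if it is ever defined.` They also say "if it is ever defined" without saying where, while `getProtoSwitchPoint(name)` as added in this patch only walks the prototype chain. In the `@@ -2366` hunk a definition on the object itself appears to be covered by the map guard on the preceding line, but in the `@@ -2412` hunk the guard is outside the visible lines. It would help if each comment named the mechanism that covers own properties, so a later reader does not assume the switchpoint alone is sufficient.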
--- /dev/null
+++ b/nashorn/test/script/basic/JDK-8077149.js
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8077149: __noSuchProperty__ and __noSuchMethod__ invocations are not properly guarded
+ *
+ * @test
+ * @run
+ */
+
+var o = {};
+
+function invoke() {
+ return o._();
+}
+
+Object.prototype.__noSuchProperty__ = function() {
+ return function() { return "no such property" };
+};
+
+Assert.assertEquals(invoke(), "no such property");
+
+Object.prototype.__noSuchMethod__ = function() {
+ return "no such method";
+};
+
+Assert.assertEquals(invoke(), "no such method");
+
+Object.prototype._ = function() {
+ return "underscore method";
+};
+
+Assert.assertEquals(invoke(), "underscore method");
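Review bot: The new test exercises a single call site, `o._()`, on an object that inherits from `Object.prototype`, so it does not reach the path where the new `getProtoSwitchPoint` helper returns `null` for an object with no prototype. A second case built on `Object.create(null)` would show that linking still behaves when no switchpoint is added. A plain property read (`o._` without the call) after each redefinition would also cover the non-call path, which the ScriptObject.java hunks appear to change as well. The test also leaves `__noSuchProperty__`, `__noSuchMethod__` and `_` defined on `Object.prototype`; if the harness shares a global between scripts (not visible here), a closing `delete` of the three properties would avoid leaking state.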