ufuzz failure #5595

Closed
alexlamsl opened this issue Aug 3, 2022 · 0 comments · Fixed by #5596
@alexlamsl
Collaborator

// original code
// (beautified)
// Globals shared by the fuzzed body: _calls_ is decremented before each guarded
// call, and a, b, c are mutated throughout and printed by the final console.log.
var _calls_ = 10, a = 100, b = 10, c = 0;

// Fuzzer-generated test body. It declares three inner functions (f1, f7, f8),
// invokes them in turn and has no return statement of its own; the observable
// result is the final state of the globals a, b and c.
// Each while, do-while and plain for loop is capped by a local brakeN counter
// that starts at 5, and the guarded calls through a_1 / f8 are capped by the
// global _calls_ budget.
function f0() {
    function f1(yield, yield, NaN_2) {
        {
            var NaN_2_1 = function f2(NaN_2, await_1, a_2) {
                function* f3(bar_1, ...async_1) {
                }
                var b = f3((c = 1 + c, ("function" ^ "c" ^ -2 > "object") / (("function" === "a") - "function" * 24..toString())), null).next();
                function f4(await, await_1_1_1, await_1_1) {
                }
                var bar_2 = f4();
                function f5(let_1, b_1, b) {
                }
                var async_2 = f5((c = 1 + c, ((a_2 && (a_2[c = 1 + c, (1 << 38..toString()) - ("object" > -4) - (async_2 && ([ async_2[a++ + [].foo] ] = [ {} % -2 <= -5 >> 1 ]))] += /[a2][^e]+$/ && -4)) <= ("bar" !== 5)) + (22 + false << (2 << "function"))), (c = 1 + c, 
                ~("bar" !== "") >>> (3 << "object") % (4 == this)), (c = 1 + c, 
                ((4 ^ 25) !== void -2) % void (4 != Infinity)));
                function f6() {
                }
                var bar_2 = f6();
            }((c = c + 1) + (0 in [ (c = 1 + c, (yield && (yield[0 in [ (c = 1 + c, 
            ("undefined" != 24..toString() & undefined == -0) % ((yield = "c" || "object") / (4 != 25))), (c = 1 + c, 
            ("a" != "foo") > (24..toString() ^ "undefined") > (yield && ({
                foo: yield.var
            } = {
                foo: "function" * 3
            })) % (-3 === 1)), (c = 1 + c, (3 | 22) % (23..toString() !== NaN) >> ("undefined" << 1, 
            0 || Infinity)), (c = 1 + c, (-1 | "a") >> [] ** 2 !== ((yield && ({
                a: yield[c = 1 + c, yield && (yield[(c = c + 1) + [ (c = 1 + c, 
                delete 0 <= ("bar" & false) ^ ("c" - 38..toString() | -2 == [])), (c = 1 + c, 
                yield = (38..toString() == -4) < (-5 >= this) === (undefined === undefined) < (0 != 38..toString())), (c = 1 + c, 
                yield && (yield[--b + (yield >>= (c = 1 + c, (NaN && "foo") == "object" / "", 
                (yield && (yield.null += [ , 0 ].length === 2 != "c")) / (-2 === 0))) ? a++ + ((c = 1 + c, 
                (2 == 1 | "a" >= 25) > (-2 % (-42n).toString() === -0 < /[a2][^e]+$/)) || 1).toString()[c = 1 + c, 
                (("c" != undefined) <= (23..toString() !== 25)) ** (({} ^ "") & (-5 && "c"))] : b + 1 - .1 - .1 - .1] = ("" || this) != NaN >= undefined != ("bar" & "") * (-2 >= -2))), ...[ (c = 1 + c, 
                "a" % /[a2][^e]+$/ || false / -4 || yield && (yield.b >>>= void false == 5 < "c")), (c = 1 + c, 
                (2 < 2) % (38..toString() - null) / ("" - "a") ** ("b" < -1)), (c = 1 + c, 
                (25 ^ /[a2][^e]+$/) + (3 ^ 1) == (4 || "b") - "a" * 23..toString()), (c = 1 + c, 
                (1 - "" + (yield && ([ yield.a ] = [ -1 % -5 ]))) / ((yield && (yield[c = 1 + c, 
                25 > -4 >= 2 / "bar" < ({} > -3) - (23..toString() == 24..toString())] *= true < "foo")) % (-3 === -0))), (c = 1 + c, 
                -(yield = (Infinity ^ "undefined") * (null || "object"))) ] ][a++ + (b = a)]] = (true % {} || "object" >>> 2) > ((undefined ^ "function") === (23..toString() ^ 2)))]
            } = {
                a: -4 | -0
            })) ^ "a" >= Number(0xdeadn << 16n | 0xbeefn))) ]] += (c = c + 1, 1) < ("undefined" != true))) + ((yield && (yield[c = 1 + c, 
            (23..toString() || {}) / (23..toString() === 24..toString()) > (yield && (yield.value &= "b" + null >>> (0 === NaN)))] &= "c" >= 38..toString())) | -2 & true)), (c = 1 + c, 
            0 >= false !== (23..toString() != -1) === (yield && (yield.set >>>= -5 / "foo" || 3 != -5))), (c = 1 + c, 
            yield = ("object" === 23..toString() ^ undefined / NaN) - ("a" << 0 < undefined * "c")), (c = 1 + c, 
            (-2 > 2) * (23..toString() >>> Infinity) | (yield && (yield[--b + +((void 5 && (c = c + 1, 
            -2)) >= (yield && (yield[--b + (c = 1 + c, (c = c + 1, [ , 0 ][1] == -0) >>> (true + undefined, 
            5 >> NaN))] = "object" * "a" < ("number" != "undefined"))))] = (25 !== "foo") > ("", 
            [])))) ]));
        }
        // `a++ + void b` adds a number to undefined, so it is NaN (falsy) and
        // control always reaches the else branch below.
        if (a++ + void b) {
            var brake3 = 5;
            while ("number" in {
                Infinity: (c = 1 + c, (NaN_2_1 = NaN * -2, null ^ -5) + (3 < -1 == [] + -4)),
                [(c = 1 + c, (NaN_2_1 >>>= "b" > 24..toString()) >= "bar" % 3 & (c = c + 1, 
                "") > (23..toString() && false))]: (c = 1 + c, (undefined >> null | (NaN_2 = "bar" + "number")) * (("a" === /[a2][^e]+$/) < (c = c + 1, 
                false))),
                value: (c = 1 + c, NaN_2 && (NaN_2.set = ((false ^ null) >>> (24..toString() | "undefined")) - ((5 ^ "number") >> 3 + "bar"))),
                [(c = 1 + c, -2 >= "a" != -5 >>> 25 && (c = c + 1, "bar" == ""))]: (c = 1 + c, 
                (1 == -4 || "undefined" / "bar") & ("" | "b", "b" && 24..toString())),
                "\t": (c = 1 + c, ("object" && "b") != 4 < [ , 0 ][1] == 22 + "c" >> ("" === -5))
            } && --brake3 > 0) {
                return typeof (c = 1 + c, (c = c + 1, "foo" < true) + (NaN_2_1 && (NaN_2_1[[ (c = 1 + c, 
                (undefined <= ([ , 0 ].length === 2)) >>> "number" + !0o644n || "foo" < "function" > "object" - 3), (c = 1 + c, 
                ((NaN_2_1 && (NaN_2_1[c = 1 + c, ((NaN_2_1 && (NaN_2_1[c = 1 + c, 
                delete (([ , 0 ].length === 2) <= "function") != ("undefined" !== 22, 
                [ , 0 ][1] | [ , 0 ].length === 2)] >>= [ , 0 ].length === 2 ^ 23..toString())) != (5 === null)) >>> (-3 + /[a2][^e]+$/ << ("c" | "foo"))] >>>= -4 || [ 3n ][0] > 2)) == "undefined" << "bar") < (3 == 3) % ~-3), (c = 1 + c, 
                -~([ , 0 ][1] - [])), (c = 1 + c, 2 + -4 <= (c = c + 1, Infinity) <= +(Infinity == 0)), (c = 1 + c, 
                !(-4 - 38..toString() == 23..toString() < 25)) ][c = 1 + c, NaN_2 = ({} < 3 & 2 / 1) >> (5 >> 3 ^ /[a2][^e]+$/ * true)]] = (yield && (yield.set = 1 > undefined)) != 1 % -2)));
            }
        } else {
            // This return still evaluates a++ and --b. The uglified listing in
            // this report has no counterpart for it, which is consistent with b
            // ending at 80 here versus 81 after minification.
            return a++ + typeof (--b + (NaN_2 && NaN_2.undefined));
        }
    }
    var b_1 = f1(0, !(0 >> false) <= ((23..toString() | 0) ^ 4 < "function"), null);
    function f7(b, b_1) {
        try {
            {
                var brake7 = 5;
                do {
                    b--;
                } while (--b + ((c = c + 1) + ([ , 0 ].length === 2) || 4).toString()[new function(a_2, b_1, foo_1) {
                    this.a += 4 !== [ , 0 ][1];
                    this.a = 22 >> 4;
                }(...[ (c = 1 + c, ((c = c + 1, {}) != (b_1 = -5 * [ , 0 ][1])) >>> ((23..toString() !== "c") << "number" + 4)), (c = 1 + c, 
                "object" * null << (2, [ , 0 ][1]) < (/[a2][^e]+$/ >>> "function", 
                -5 >>> 0)), (c = 1 + c, 4 * 1 >= ([] >= -3) ^ (b_1 && (b_1[c = 1 + c, 
                (23..toString() > -2 <= ("foo" == "object")) >> ("function" > 3 | 23..toString() * 2)] += 5 !== Infinity)) % (c = c + 1, 
                3)) ], (c = 1 + c, ((23..toString() | -2) !== false > 22) << (false & -3 & 38..toString() != -1)))] && --brake7 > 0);
            }
        } finally {
            if (--b + b_1) {
                try {
                    c = 1 + c, (2 >= "number" == (4, "")) >> (c = c + 1, -2 <= {});
                } catch (b_1) {
                }
            } else {
                var brake13 = 5;
                while ((c = 1 + c, ("undefined" % 1 & (b_1 && (b_1[c = 1 + c, (b += "function" / 22) >>> ("bar" !== "b") == -(-2 & -0)] -= "undefined" == 3))) <= (([] || this) ^ -0 % "bar")) && --brake13 > 0) {
                    c = 1 + c, b_1 && (b_1[b >>= a] <<= (this != "" && 24..toString() <= "") <= ("number" + 22 ^ Infinity <= -3));
                }
            }
        }
        {
            var expr15 = (c = c + 1) + (b = a);
            L57293: for (var key15 in expr15) {
                c = 1 + c;
                var a_2 = expr15[key15];
                {
                    var brake16 = 5;
                    while (a++ + {
                        done: (c = 1 + c, !(c = c + 1, b && (b.in *= "foo" / this))),
                        done: (c = 1 + c, (b_1 += ("foo" >> -2) - (b_1 = 4 % "function")) < (/[a2][^e]+$/ / -2 > -0 - Infinity)),
                        b: (c = 1 + c, (5 | 24..toString()) > 5 % "bar" | (c = c + 1, 
                        undefined) ^ -"c"),
                        var: (c = 1 + c, a_2 && ([ a_2[[].length] ] = [ (c = c + 1, 
                        undefined % ([ 3n ][0] > 2)) && ("object" | "function") / (-0 >= "function") ])),
                        next: (c = 1 + c, ("function" & 2) + ([ , 0 ].length === 2) % 3 && (4 ^ 38..toString()) < ("bar" > 22))
                    }.done && --brake16 > 0) {
                        a--;
                    }
                }
            }
        }
    }
    var Infinity_1 = f7("number", (c = c + 1) + --b);
    function f8(let_2, a_1) {
        for (var brake18 = 5; {
            c: a++ + (1 === 1 ? a : b)
        } && brake18 > 0; --brake18) {
            switch (--b + {}.b) {
              case --b:
                break;

              default:
                var Infinity_1;
                ;

              case (c = c + 1) + (typeof a_1 == "function" && --_calls_ >= 0 && a_1((c = 1 + c, 
                (undefined % this < 5 * 4) << ((3 || [ , 0 ].length === 2) <= (-0 | true))), 2, (c = 1 + c, 
                "bar" % 1 % (null | /[a2][^e]+$/) <= ((false || 3) && "undefined" <= -2)))):
                {
                    var expr22 = (c = 1 + c, Infinity_1 = ([ , 0 ].length === 2) + null << 22 % 5 || -4 - -0 >>> 3 / -1);
                    L57294: for (let key22 in expr22) {
                        c = 1 + c;
                        var let_2 = expr22[key22];
                        c = 1 + c, ("bar" * 22 > ("bar" == "function")) / (NaN !== [] && -1 / 25);
                    }
                }
                {
                }
                break;

              case typeof Infinity != "special":
                {
                    var brake25 = 5;
                    L57295: while ((c = 1 + c, ("undefined" !== -2) << (a_1 && (a_1.get -= ([ , 0 ].length === 2) > "number")) && (Infinity_1 && ([ Infinity_1[--b + new function() {
                        this.b += 25 === null;
                    }()] ] = [ (2 ^ true) <= "c" - "b" ]))) && --brake25 > 0) {
                        c = 1 + c, Infinity_1 += ((/[a2][^e]+$/ && "") ^ (-2 ^ -5)) >>> (22 % "a" && {} % /[a2][^e]+$/);
                    }
                }
                try {
                    c = 1 + c, (38..toString() | NaN) >> ({}, 4) <= ("undefined" === true === -2 + 5);
                } catch (a) {
                } finally {
                }
                break;
            }
        }
    }
    var Infinity_2 = f8(typeof f8 == "function" && --_calls_ >= 0 && f8(..."" + Infinity_2, a++ + ~b));
}

// f0 declares no parameters, so these arguments are evaluated and then ignored;
// a is overwritten with f0's return value.
var a = f0("number", -3, 0 === 1 ? a : b);

// Prints the final globals. This line's output is what the "original result"
// and "uglified result" entries in the report compare.
console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
// Same initial globals as the original listing, so any difference in the final
// console.log output comes from the transformed function body.
var _calls_ = 10, a = 100, b = 10, c = 0;

// Minifier output for the fuzzed body. The original f1 and f7 appear here as
// immediately-invoked function expressions; f8 is kept as a declaration.
function f0() {
    !function(yield, yield, NaN_2) {
        var brake3, NaN_2_1 = function(a_2) {
            (function*() {})((c = 1 + c, 24..toString())).next();
            c = 1 + c, a_2 && (a_2[c = 1 + c, (1 << 38..toString()) - !1 - (async_2 && ([ async_2[a++ + [].foo] ] = [ {} % -2 <= -3 ]))] += -4);
            var async_2 = void (c = 1 + (c = 1 + c));
        }(void (c = 1 + (c += 1), yield && (yield[0 in [ (c = 1 + c, ("undefined" != 24..toString() & !1) % ((yield = "c") / !0)), (c = 1 + c, 
        ("undefined" ^ 24..toString()) < !0 > (yield && ({
            foo: yield.var
        } = {
            foo: NaN
        })) % !1), (c = 1 + c, 23 % (NaN !== 23..toString()) >> 1 / 0), (c = 1 + c, 
        -1 >> [] ** 2 != ((yield && ({
            a: yield[c = 1 + c, yield && (yield[(c += 1) + [ (c = 1 + c, !1 ^ ("c" - 38..toString() | -2 == [])), (c = 1 + c, 
            yield = (-4 == 38..toString()) < (this <= -5) == !0 < (0 != 38..toString())), (c = 1 + c, 
            yield && (yield[--b + (yield >>= (c = 1 + c, (yield && (yield.null += 2 === [ , 0 ].length != "c")) / !1)) ? a++ + (c = 1 + c, 
            ((-2 % (-42n).toString() === !1) < 0 || 1).toString()[c = 1 + c, (!0 <= (25 !== 23..toString())) ** ("c" & ("" ^ {}))]) : b + 1 - .1 - .1 - .1] = 0 != this != 0)), (c = 1 + c, 
            yield && (yield.b >>>= !1)), (c = 1 + c, !1 % (38..toString() - null)), (c = 1 + c, 
            27 == 4 - "a" * 23..toString()), (c = 1 + c, (1 + (yield && ([ yield.a ] = [ -1 ]))) / ((yield && (yield[c = 1 + c, 
            !1 < (-3 < {}) - (23..toString() == 24..toString())] *= !1)) % !1)), (c = 1 + c, 
            -(yield = NaN)) ][a++ + (b = a)]] = (!0 % {} || 0) > (0 == (2 ^ 23..toString())))]
        } = {
            a: -4
        })) ^ Number(0xdeadn << 16n | 0xbeefn) <= "a")) ]] += (c += 1, !1)), yield && (yield[c = 1 + c, 
        (23..toString() || {}) / (23..toString() === 24..toString()) > (yield && (yield.value &= 0))] &= 38..toString() <= "c"), 
        c = 1 + c, 23..toString(), yield && (yield.set >>>= !0), c = 1 + c, yield = ("object" === 23..toString() ^ NaN) - !1, 
        c = 1 + c, 23..toString(), yield && (yield[--b + +((yield && (yield[--b + (c = 1 + c, 
        c += 1, 0)] = !1)) <= void 0)] = [] < !0)));
        // What remains of the original `if (a++ + void b) { while ... } else { return ... }`.
        // Only the if/while side is represented; the else branch's `a++` and `--b`
        // do not appear, which is consistent with b ending at 81 instead of 80.
        a++ + void 0 && "number" in {
            Infinity: -(brake3 = 5) + (0 == [] + -4),
            [(c = 1 + (c = 1 + c), (NaN_2_1 = NaN) <= (NaN_2_1 >>>= 24..toString() < "b") & (c += 1, 
            (23..toString() && !1) < ""))]: (c = 1 + c, (0 | (NaN_2 = "barnumber")) * (!1 < !1)),
            value: (c = 1 + (c += 1), NaN_2 && (NaN_2.set = (0 >>> ("undefined" | 24..toString())) - 5)),
            [(c = 1 + c, !1)]: (c = 1 + (c += 1), NaN & 24..toString()),
            "\t": (c = 1 + c, !1)
        } && 0 < --brake3 && (c = 1 + c, c += 1, NaN_2_1 && (NaN_2_1[[ (c = 1 + c, 
        (void 0 <= (2 === [ , 0 ].length)) >>> "number" + !0o644n || !1), (c = 1 + c, 
        (0 == (NaN_2_1 && (NaN_2_1[c = 1 + c, (0 != (NaN_2_1 && (NaN_2_1[c = 1 + c, 
        1 != (0 | 2 === [ , 0 ].length)] >>= 2 === [ , 0 ].length ^ 23..toString()))) >>> 0] >>>= -4))) < 1), -~(0 - []), (c = 1 + (c = 1 + c), 
        -2 <= 1 / 0 <= 0), (c = 1 + (c += 1), !(-4 - 38..toString() == 23..toString() < 25)) ][c = 1 + c, 
        NaN_2 = ({} < 3 & 2) >> 0]] = 1 != (yield && (yield.set = !1))));
    }(0, !0 <= (!1 ^ (0 | 23..toString())), null);
    (function(b, b_1) {
        try {
            for (var brake7 = 5; b--, --b + ((c += 1) + (2 === [ , 0 ].length) || 4).toString()[new function(a_2, b_1, foo_1) {
                this.a += !0, this.a = 1;
            }((c = 1 + c, c += 1, b_1 = -0, 23..toString()), c = 1 + c, (c = 1 + c, 
            b_1 && (b_1[c = 1 + c, (-2 < 23..toString() <= !1) >> (!1 | 2 * 23..toString())] += !0), 
            c += 1), (c = 1 + c, 23..toString(), 38..toString()))] && 0 < --brake7; ) {}
        } finally {
            if (--b + b_1) {
                try {
                    c = 1 + c, c += 1;
                } catch (b_1) {}
            } else {
                for (var brake13 = 5; c = 1 + c, (NaN & (b_1 && (b_1[c = 1 + c, 
                (b += NaN) >>> !0 == -0] -= !1))) <= (NaN ^ []) && 0 < --brake13; ) {
                    c = 1 + c, b_1 && (b_1[b >>= a] <<= ("" != this && 24..toString() <= "") <= 0);
                }
            }
        }
        var key15, expr15 = (c += 1) + (b = a);
        for (key15 in expr15) {
            c = 1 + c;
            for (var a_2 = expr15[key15], brake16 = 5; a++ + [ (c = 1 + c, c += 1, 
            b && (b.in *= "foo" / this)), (b_1 += NaN) < !1, (c = 1 + (c = 1 + c), 
            24..toString(), c += 1), (c = 1 + c, a_2 && ([ a_2[[].length] ] = [ (c += 1, 
            void 0 % (2 < 3n) && NaN) ])), (c = 1 + c, 0 + (2 === [ , 0 ].length) % 3 && 38..toString()) ][1] && 0 < --brake16; ) {
                a--;
            }
        }
    })("number", (c += 1) + --b);
    function f8(let_2, a_1) {
        for (var Infinity_1, brake18 = 5; a++, 0 < brake18; --brake18) {
            switch (--b + {}.b) {
              case --b:
                break;

              default:
              case (c += 1) + ("function" == typeof a_1 && 0 <= --_calls_ && a_1((c = 1 + c, 
                (void 0 % this < 20) << !1), 2, (c = 1 + c, !1))):
                c = 1 + c;
                var key22, expr22 = Infinity_1 = (2 === [ , 0 ].length) + null << 2 || 7;
                for (key22 in expr22) {
                    c = 1 + c;
                    c = 1 + c;
                }
                break;

              case !0:
                for (var brake25 = 5; c = 1 + c, !0 << (a_1 && (a_1.get -= "number" < (2 === [ , 0 ].length))) && Infinity_1 && ([ Infinity_1[--b + new function() {
                    this.b += !1;
                }()] ] = [ !1 ]) && 0 < --brake25; ) {
                    c = 1 + c, Infinity_1 += 5;
                }
                try {
                    c = 1 + c, 38..toString();
                } catch (a) {}
            }
        }
    }
    var Infinity_2 = f8(0 <= --_calls_ && f8(..."" + Infinity_2, a++ + ~b));
}

// f0 declares no parameters, so these arguments are ignored; a is overwritten
// with f0's return value.
a = f0("number", -3, b);

// Prints the final globals; per the results listed in the report, only the
// value of b differs from the original program's output.
console.log(null, a, b, c, 1 / 0, NaN, void 0);
original result:
null undefined 80 66 Infinity NaN undefined

uglified result:
null undefined 81 66 Infinity NaN undefined
// reduced test case (output will differ)

// (beautified)
// Never assigned, so the `if (a)` test inside f1 is falsy.
var a;

// Minimal shape of the failure: an `if` whose body is a loop containing a
// return, paired with an `else` that returns an expression with an observable
// effect.
function f1() {
    if (a) {
        var brake3;
        while (--brake3) {
            return 0;
        }
    } else {
        // Reached on the call below; reading the undeclared NaN_2 throws.
        return NaN_2;
    }
}

f1();
// output: ReferenceError: NaN_2 is not defined
// minify: 
// options: {
//   "mangle": false,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "mangle": false,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  collapse_vars
  conditionals
  dead_code
  if_return
  loops
@alexlamsl alexlamsl added the bug label Aug 3, 2022
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Aug 3, 2022
alexlamsl added a commit that referenced this issue Aug 3, 2022