ufuzz failure #5759

Closed
alexlamsl opened this issue Dec 7, 2022 · 0 comments · Fixed by #5760
@alexlamsl
Collaborator

// original code
// (beautified)
// Shared state of the generated program. `_calls_` is decremented before every guarded
// call (`--_calls_ >= 0 && fN(...)`), and a, b, c are the values printed by the final
// console.log, so they are what the original and minified runs are compared on.
var _calls_ = 10, a = 100, b = 10, c = 0;

/**
 * Generated function under test (the issue is titled "ufuzz failure"). The code is left
 * byte-for-byte as reported: it is the input handed to the minifier, so any restyling
 * would produce a different test case.
 *
 * The first parameter is destructured: key "" -> bar, key "a" -> foo_2, and the computed
 * key `typeof a == "number"` -> a_2. The body is one try/finally. Loops in it are bounded
 * by `brakeN` counters and guarded calls by `--_calls_ >= 0`.
 */
function f0({
    "": bar,
    a: foo_2,
    [typeof a == "number"]: a_2
}, Infinity_2, async_1) {
    try {
        {
            var expr2 = [ {
                var: a++ + (1 === 1 ? a : b)
            }.foo, -a, +function() {
            }() ];
            for (let key2 of expr2) {
                c = 1 + c;
                // Block-scoped `bar`: shadows the destructured parameter `bar` for the
                // rest of this loop body, including the closures created below.
                let bar = expr2[key2];
                {
                    var async = function f1(foo_2_2, foo) {
                        function f2() {}
                        // Function-scoped `a` shadows the global `a` inside f1; f2 has an
                        // empty body, so the value assigned here is undefined.
                        var a = f2("undefined");
                        // f3's default-parameter expressions read f1's `a`, the loop's
                        // block-scoped `bar`, the outer `async_1`, and update `b` and `c`.
                        function f3(Infinity_2 = "number", bar_1 = /[abc4]/.test((a++ + (-5 in [ (c = 1 + c, 
                        (bar && (bar[c = 1 + c, !(24..toString() % "b" >= (22 ^ 5))] = 5 <= "undefined")) + ([ , 0 ].length === 2) / -5 & ~38..toString() >>> (async_1 && (async_1[c = 1 + c, 
                        (-4 || "foo" || delete null) / ((c = c + 1, 0) <= !-0)] >>= 3 && Infinity))), ..."" + bar ]) || b || 5).toString()), foo_1 = (c = c + 1) + (b = a)) {
                            {
                                // Everything after this return is unreachable.
                                return;
                                c = 1 + c, (foo_1 && (foo_1.next += {} * "b" >> ([ , 0 ][1] != 22))) * ((foo_2 += "c" <= "c") * ("c" == true));
                            }
                        }
                        // Called with no arguments, so all three defaults above are evaluated.
                        var async_1_2 = f3();
                        function f4(a_1) {
                            {
                            }
                            {
                            }
                            {
                                var brake8 = 5;
                                L28843: while ((c = 1 + c, ((38..toString(), "number") << (-0 | "a")) / ("c" > NaN & null > "c")) && --brake8 > 0) {
                                    c = 1 + c, "b" >>> 3 >= "c" >>> "number" | false / "undefined" >> (22 && false);
                                }
                            }
                        }
                        var async_1_1 = f4((c = c + 1) + !function() {
                        }(), [], -2);
                        function f5(foo_2) {}
                        var c_1 = f5();
                        function f6(async, arguments) {
                            if (c = 1 + c, "b" * -4 * (3 ^ "a") == (c_1 && (c_1[a++] += {} | 24..toString() | (c_1 += -2 == "bar")))) {
                                c = 1 + c, (Infinity_2 += /[a2][^e]+$/ * 0 >> (/[a2][^e]+$/ < Infinity)) != (false | true) > ("" || "undefined");
                            }
                            {
                                var brake12 = 5;
                                L28844: do {
                                    c = 1 + c, ((22 | import.meta) ^ ("function" && Infinity)) !== (delete false ^ -1 != "b");
                                } while ((c = 1 + c, void ([ , 0 ][1] < "function" < undefined ** 0)) && --brake12 > 0);
                            }
                        }
                        var b_2 = f6("b", 1 === 1 ? a : b, a++ + [].Infinity);
                    }(22);
                }
            }
        }
    } finally {
        // Runs whether or not the try block threw. A `return` in here replaces any
        // pending exception from the try block.
        {
            var brake14 = 5;
            do {
                // f8 is not defined in this listing, so the `typeof f8 == "function"`
                // guards short-circuit to false.
                switch (a++ + (typeof f8 == "function" && --_calls_ >= 0 && f8(-4, "", 5))) {
                  case typeof f8 == "function" && --_calls_ >= 0 && f8(3, [ , 0 ].length === 2):
                    L28845: for (var brake16 = 5; --b + ~(([] <= "object") - ("undefined" + -1) !== (foo_2 && (foo_2[a++ + ((c = 1 + c, 
                    ("c" || -5) <= -4 >= (24..toString() - "") / (Infinity - !0o644n)) || a || 3).toString()] = (5 == "c") - ([] >= {})))) && brake16 > 0; --brake16) {
                        var expr17 = [ ..."" + foo_2 ];
                        for (const key17 of expr17) {
                            c = 1 + c;
                            var arguments_1 = expr17[key17];
                            {
                                return +((([ , 0 ].length === 2) <= [ , 0 ][1]) - ({} + []) ^ (5 == NaN) % (arguments_1 && (arguments_1.next &&= 25 + -1)));
                            }
                        }
                    }
                    break;

                  default:
                  case !function() {
                        {
                            var brake19 = 5;
                            L28846: do {
                            } while ("bar" && --brake19 > 0);
                        }
                    }():
                    {
                        var brake21 = 5;
                        do {
                            return --b + "";
                        } while (--b + (b = a) && --brake21 > 0);
                    }
                    break;

                  case --b:
                    {
                        var b_1 = function foo_2(a_1 = (c = c + 1) + [ , 0 ][1]) {
                            try {
                                c = 1 + c, (2, 24..toString()) - delete true < (-1 | {}) * (-2 * -0);
                            } finally {
                            }
                            c = 1 + c, ("number" || 23..toString()) > 22 % 25 == ([ , 0 ].length === 2 | 2) << ("foo" != -1);
                        }(-5);
                    }
                    for (var brake27 = 5; (--b + (this in {
                        ...(c = 1 + c, ((bar && (bar[c = 1 + c, (38..toString() << -1 ^ 22 + 38..toString()) ** (bar && (bar[Infinity_2 && Infinity_2[c = 1 + c, 
                        ("number" & [ , 0 ][1]) % (25 < undefined) & (23..toString() === -3 | 25 * -4)]] = 38..toString() >> this && -3 >= "number"))] = undefined + [])) != "c" * true) - ([] >= -1 != /[a2][^e]+$/ + 22)),
                        next: (c = 1 + c, ((async_1 && (async_1.null = [] || {})) ^ "" * 5) ** (("foo" !== 5) % ("a" * -0)))
                    }) ? --b + (b_1 && typeof b_1.get == "function" && --_calls_ >= 0 && b_1.get()) : {}.NaN) && brake27 > 0; --brake27) {
                        switch (typeof f5 == "function" && --_calls_ >= 0 && f5()) {
                          case a++ + ("object" in [ (c = 1 + c, (("c" || "undefined") && -1 & [ , 0 ][1]) > (22 === 38..toString()) >> null * null) ]):
                            break;

                          default:
                            c = c + 1;

                          case +function() {
                                c = 1 + c, (3 % "function" != true < 25) >>> ((Infinity_2 && (Infinity_2.b += [] % -3)) | 0 !== 23..toString());
                            }():
                            var a_1 = (c = 1 + c, ~(38..toString() / 0 < +[])), {} = "", await = (c = 1 + c, 
                            ("b" ^ 24..toString()) / (-4 >> -2) <= (4 + undefined <= ([ , 0 ][1] ^ "foo")));
                            break;

                          case (c = c + 1) + ("object" in {
                                then: (c = 1 + c, ((a_1 = -5 % 5) ^ "c" / this) !== ("c" != "c") << [] * 23..toString()),
                                then: (c = 1 + c, (Infinity_2 && ({
                                    get: Infinity_2[typeof a_1 == "function" && --_calls_ >= 0 && a_1(5, 23..toString())]
                                } = {
                                    get: a_1 && (a_1.NaN = "c" === []) && (Infinity_2 && (Infinity_2[c = 1 + c, 
                                    (c = c + 1, "" & {}) ?? ("object" * NaN && (bar && (bar.var %= /[a2][^e]+$/ || NaN)))] >>>= (-3, 
                                    1)))
                                })) === [ , 0 ][1] * -3 << (c = c + 1, ""))
                            } ? 1 === 1 ? a : b : (c = c + 1) + (typeof a_1 == "function" && --_calls_ >= 0 && a_1(38..toString(), (c = 1 + c, 
                            (bar = "" <= 38..toString() === ("bar" && 4)) > !([ , 0 ][1] | "undefined")), (c = 1 + c, 
                            {} / -0 - (2 === 38..toString()) > ("object" - [] === (1 && 24..toString())))))):
                            {
                                var expr32 = (c = 1 + c, (c = c + 1, 24..toString()) >>> !5 == (c = c + 1, 
                                "foo") >>> ("b" >>> this));
                                for (var key32 in expr32) {
                                    c = 1 + c, ("undefined" <= -3 | (c = c + 1, 
                                    0)) == (-2 ^ 4 ^ /[a2][^e]+$/ >= /[a2][^e]+$/);
                                }
                            }
                        }
                    }
                    break;
                }
            } while (void (b_1 += "function" + this < ("" !== [ , 0 ][1]) == (Infinity_2 && (Infinity_2.then = async_1 && (async_1.done = -3 << 38..toString()) || "number" - this))) && --brake14 > 0);
        }
    }
}

// Drive f0 once. Only two arguments are passed, so the third parameter (async_1) is
// undefined. `Infinity_1` is not declared anywhere in this listing, so `typeof Infinity_1`
// yields "undefined" and the second argument is false.
var foo_2 = f0({
    c: [],
    null: (c = c + 1) + (("object" ?? [ , 0 ][1]) || "function" < true) / (a && (a[(c = c + 1) + +function bar_2() {
    }()] = (a && (a[c = 1 + c, ((a && (a[c = 1 + c, (undefined + -4 + ([ , 0 ][1] + [ , 0 ][1])) % ((a = 5 && 24..toString()) * (-2 - 0))] *= 25 ^ "b")) !== "bar" >>> 24..toString()) >= -("b" >= -1)] += "undefined" / "function")) + (38..toString() >>> "a")))
}, typeof Infinity_1 === "string");

// Observable output of the program: the final a, b, c are what get compared between the
// original and the minified run.
console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
// Same initial state as the original listing; these globals were not renamed.
var _calls_ = 10, a = 100, b = 10, c = 0;

/**
 * Minifier output for f0 (beautified), kept exactly as reported.
 *
 * The destructured parameter now binds key "" -> t and key "a" -> o; the computed-key
 * binding from the original is no longer present. The remaining parameters are n and e.
 * This is the artifact that would ship, so a difference in behaviour from the source
 * listing means the deployed code no longer matches the code that was reviewed.
 */
function f0({
    "": t,
    a: o
}, n, e) {
    try {
        var f, i = [ {
            var: a++ + a
        }.foo, -a, NaN ];
        for (f of i) {
            c = 1 + c;
            // NOTE(review): `t` is declared by this `let`, and its own initializer assigns
            // to `t` (`t = t = void 0`). Writing to a `let` binding before its declaration
            // has finished initializing is a temporal-dead-zone access and throws a
            // ReferenceError at run time, which sends control straight to `finally`.
            // This looks like the point where the minified run diverges from the original
            // (the reduced case reports "Cannot access ... before initialization"); confirm
            // against the linked fix. The `let` also shadows the parameter `t` and the
            // global `a` for the rest of the loop body.
            let a = i[f], t = t = void 0;
            (+t + (-5 in [ (c = 1 + c, (a && (a[c = 1 + c, !0] = !1)) + (2 === [ , 0 ].length) / -5 & -39 >>> (e && (e[c = 1 + c, 
            -4 / (c += 1, !0)] >>= 1 / 0))), ..."" + a ]) || b || 5).toString(), 
            b = NaN, c = 1 + (c = 1 + (c = 1 + (c = c + 1 + 1))), import.meta, c = 1 + c;
        }
    } finally {
        // A `return` inside this finally block replaces any exception thrown in the try
        // block, so a failure above does not surface to the caller.
        switch (a++ + ("function" == typeof f8 && 0 <= --_calls_ && f8(-4, "", 5))) {
          case "function" == typeof f8 && 0 <= --_calls_ && f8(3, 2 === [ , 0 ].length):
            for (var l = 5; --b + ~(NaN !== (o && (o[a++ + (c = 1 + c, (24 / (1 / 0 - !0o644n) <= !1 || a || 3).toString())] = 0))) && 0 < l; --l) {
                var r = [ ..."" + o ];
                for (const g of r) {
                    c = 1 + c;
                    var s = r[g];
                    return ((2 === [ , 0 ].length) <= 0) - ({} + []) ^ !1 % (s && (s.next &&= 24));
                }
            }
            break;

          default:
          case !function() {
                for (var c = 5; 0 < --c; ) {}
            }():
            var N = 5;
            do {
                return --b + "";
            } while (--b + (b = a) && 0 < --N);
            break;

          case --b:
            for (var u, v = void (c = 1 + (c = 1 + c)), _ = 5; (--b + (this in {
                ...(c = 1 + c, (NaN != (t && (t[c = 1 + c, 2238 ** (t && (t[n && n[c = 1 + c, 
                0]] = "38" >> this && !1))] = void 0 + []))) - !0),
                next: (c = 1 + c, (0 ^ (e && (e.null = []))) ** NaN)
            }) ? --b + (v && "function" == typeof v.get && 0 <= --_calls_ && v.get()) : {}.NaN) && 0 < _; --_) {
                switch ("function" == typeof f5 && 0 <= --_calls_ && f5()) {
                  case a++ + ("object" in [ (c = 1 + c, !1) ]):
                    break;

                  default:
                    c += 1;

                  case c = 1 + c, +void (n && (n.b += 0)):
                    var h = -1;
                    c = 1 + (c = 1 + c);
                    break;

                  case (c += 1) + ("object" in {
                        then: (c = 1 + c, 0 != ((h = -0) ^ "c" / this)),
                        then: (c = 1 + c, (n && ({
                            get: n["function" == typeof h && 0 <= --_calls_ && h(5, "23")]
                        } = {
                            get: h && (h.NaN = !1)
                        })) === -0 << (c += 1, ""))
                    } ? a : (c += 1) + ("function" == typeof h && 0 <= --_calls_ && h("38", (c = 1 + c, 
                    !0 < (t = !1)), (c = 1 + c, !1)))):
                    for (u in 24 == (c = (c = 1 + c) + 1 + 1, "foo" >>> ("b" >>> this))) {
                        c = 1 + c, c += 1;
                    }
                }
            }
        }
        n && (n.then = e ? e.done = -192 : "number" - this);
    }
}

// Same driver as in the original listing, after constant folding: two arguments are
// passed, so the third parameter (e) is undefined, and `typeof Infinity_1` on the
// undeclared name makes the second argument false.
var foo_2 = f0({
    c: [],
    null: (c += 1) + "object" / (a && (a[(c += 1) + NaN] = (a && (a[c = 1 + c, -0 <= (0 !== (a && (a[c = 1 + c, 
    NaN % (-2 * (a = "24"))] *= 25)))] += NaN)) + 38))
}, "string" == typeof Infinity_1);

// Must print the same line as the original program; the results reported below differ in
// b and c.
console.log(null, a, b, c, 1 / 0, NaN, void 0);
original result:
null 26 NaN 28 Infinity NaN undefined

uglified result:
null 26 8 5 Infinity NaN undefined
// reduced test case (output will differ)

// (beautified)
/**
 * Reduced reproducer, kept exactly as reported. The `0(...)` calls are part of the
 * reduction: run as-is, the program stops with "TypeError: 0 is not a function", while the
 * minified build stops with a different error ("ReferenceError: Cannot access 'f' before
 * initialization"), as recorded in the comments after the listing.
 */
function f0() {
    var expr2 = [ 0 ];
    for (let key2 of expr2) {
        // Block-scoped binding, left uninitialized; f3's default parameter below reads it
        // through the closure.
        let bar;
        var async = function f1() {
            function f2() {}
            // f2 has an empty body, so `a` is undefined.
            var a = f2();
            // Default-parameter expressions reference f1's `a` and the loop's `bar`.
            function f3(bar_1 = 0(a + (bar && bar)), foo_1 = 0(a)) {}
            // No arguments are passed, so the defaults are evaluated; calling `0` throws
            // the TypeError here in the unminified run.
            f3();
            var async_1_1 = 0();
            var c_1 = 0;
            function f6() {
                0(c_1 += 0);
            }
            f6();
        }();
    }
}

// Run the reproducer once; the expected and observed errors are listed in the comments below.
f0();
// output: TypeError: 0 is not a function
// minify: ReferenceError: Cannot access 'f' before initialization
// options: {
//   "compress": {
//     "passes": 1000000,
//     "sequences": 1000000,
//     "unsafe": true,
//     "unsafe_Function": true,
//     "unsafe_math": true,
//     "unsafe_proto": true,
//     "unsafe_regexp": true
//   },
//   "module": false,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "compress": {
    "passes": 1000000,
    "sequences": 1000000,
    "unsafe": true,
    "unsafe_Function": true,
    "unsafe_math": true,
    "unsafe_proto": true,
    "unsafe_regexp": true
  },
  "module": false,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  collapse_vars
  conditionals
  evaluate
  inline
  join_vars
  loops
  passes
  reduce_vars
  sequences
  side_effects
  unused

Suspicious options:
  rename
@alexlamsl alexlamsl added the bug label Dec 7, 2022
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Dec 7, 2022
alexlamsl added a commit that referenced this issue Dec 7, 2022