Bug in inline #2084

Closed
alexlamsl opened this issue Jun 12, 2017 · 1 comment · Fixed by #2085
@alexlamsl
Collaborator

// original code
// (beautified)
// Globals that f0() mutates and that the final console.log prints; the values
// they end up with here are the reference the minified build is compared to.
var a = 100, b = 10, c = 0;

// Reproduction input for the minifier (the thread refers to fuzz iterations, so
// this is presumably generated code). f0 has no return statement; its only
// observable effect is on the globals a, b and c. f0 itself declares no a, b or
// c, so any of those names that is not shadowed by an inner function resolves
// to the global.
function f0() {
    // `var a` inside the loop is hoisted to f1, so `++a` runs on the local
    // (undefined -> NaN, falsy) and the loop body never executes. Only the
    // trailing `c = c + 1` reaches the global c.
    function f1(undefined) {
        for (var brake1 = 5; ++a && brake1 > 0; --brake1) {
            var a = function f2() {
                c = 1 + c, (-5 && "function") & (a && (a.foo = NaN % ([ , 0 ].length === 2))) ^ (a = (a += [] % "") === "object" - "object");
                c = 1 + c, ([] / -2 === 25 % 5) <= ((/[a2][^e]+$/ == /[a2][^e]+$/) < (2 >= -4));
            }(a++ + []);
        }
        c = c + 1;
    }
    var a_1 = f1();
    // f3 declares b_1, bar_1 and brake11 only; a, b and c used here are the globals.
    function f3() {
        {
            // b_1 is initialised from `.length` of an object literal that has no
            // such key, so it ends up undefined and the later `b_1 && ...`
            // guards short-circuit. The property initialisers still run and
            // bump the global c.
            var b_1 = {
                a: (c = 1 + c, ~({} << 2) << ((c = c + 1, 2) | 38..toString() / 22)),
                0: (c = 1 + c, (bar_1 && (bar_1.foo = "foo" < /[a2][^e]+$/ & ("foo" ^ null))) / (c = c + 1, 
                -0 * 22)),
                Infinity: (c = 1 + c, ([] ^ -4) % (b_1 = "undefined" + 24..toString()) + ("function" & 3 && false >>> 24..toString())),
                1.5: (c = 1 + c, (-2 < 23..toString()) * (-5 << undefined) === (b_1 = /[a2][^e]+$/ * 25 === ("foo" ^ 25))),
                undefined: (c = 1 + c, (-0 >>> -5 ^ "function" * -3) - (b_1 && (b_1.c = "object" >> NaN >> (true, 
                -5))))
            }.length, bar_1 = a++ + (b += a);
            {
                c = 1 + c, ((23..toString() ^ "") - (bar_1 = NaN && -4)) / (b_1 && (b_1[(c = c + 1) + function a_2() {
                }()] = null + "" || -0 ^ [ , 0 ][1]));
                c = 1 + c, ([ , 0 ].length === 2 ^ [ , 0 ][1]) << (b_1 && (b_1[(c = 1 + c, (0 <= NaN !== true - Infinity) << (("foo", 
                "undefined") != "function" / 1))] = Infinity - undefined)) || "number" < false !== (4 | 24..toString());
            }
        }
        {
            var brake11 = 5;
            // `(c = c + 1) + undefined` is NaN, so the body runs exactly once.
            do {
                b--;
            } while ((c = c + 1) + undefined && --brake11 > 0);
        }
    }
    var foo_1 = f3();
    // Duplicate parameter names are only legal in sloppy mode. Both increments
    // hit the global c, and `b = a` copies the global a into the global b.
    function f4(arguments_1, a_1, a_1) {
        c = c + 1;
        (c = c + 1) + (b = a);
    }
    var a_1 = f4();
    // Scope detail that matters for this report: `c` is a parameter of f5 and is
    // redeclared with `var c` further down, so every write to `c` inside f5 and
    // inside its nested functions that have no `c` of their own (f12, f14)
    // targets f5's local and leaves the global c alone. A transform that moves
    // this body into f0 has to keep that binding separate.
    function f5(parseInt_1, c) {
        function f6(parseInt_1_2, parseInt_1) {
            function f7() {
            }
            var b = f7(2, false);
            function f8() {
            }
            var parseInt_1 = f8("number", null, 0);
            function f9() {
            }
            var parseInt_1_2 = f9(3, -1);
            function f10(parseInt_1, b_1, a_1) {
            }
            var parseInt_1_2_2 = f10(-3);
            function f11(a_1_1) {
            }
            var parseInt_1 = f11();
        }
        var a_1 = f6({}, true, null);
        function f12(a_1_1, Infinity, parseInt_1) {
            var undefined_1 = (c = 1 + c, !([] == /[a2][^e]+$/ ^ ("foo" && ""))), parseInt = (c = 1 + c, 
            ("bar" <= -1 != 23..toString() < 4) < (2 === null == (NaN & 0)));
            var b = (c = 1 + c, (c = c + 1, [ , 0 ][1]) >= ([ , 0 ][1] ^ 3) !== (Infinity >>> "function" ^ -0 == 25));
        }
        var a_1_2 = f12();
        function f13(foo_1_1) {
            var NaN;
            L697216: {
            }
        }
        // f13 returns nothing, so f5's local c becomes undefined from here on.
        var c = f13(/[a2][^e]+$/);
        // f14 has no b of its own and neither does f5, so `--b` below decrements
        // the global b; `c` is still f5's local.
        function f14(a_2, a_1) {
            if (c = 1 + c, parseInt_1 && (parseInt_1[--b + --b] += ((-2 ^ 3) == ("undefined" & -4)) >> ((true || "") !== (22 === undefined)))) {
                c = 1 + c, ("" & 23..toString()) >= -3 - {} < ((undefined ^ "function") == ("number" || "function"));
            }
            if (c = 1 + c, ("foo" << "bar" & 4 << true) !== void null << 22 % 23..toString()) {
                c = 1 + c, (null + -2) % (2 - [ , 0 ][1]) || a_1 && (a_1[--b + void b] = delete -1 / (1 << [ , 0 ][1]));
            }
        }
        var NaN_2 = f14(-0);
    }
    var foo_2 = f5(3, -1);
    // f15 shadows c (parameter) and b (var), so in here only the `a++`
    // expressions touch a global.
    function f15(c, a_2) {
        var b_2 = (c = c + 1) + [ a++ + +(("number" << 3 ^ ("object" || 25)) <= (0 !== "bar") >> (foo_2 && (foo_2.Infinity = (5, 
        "object")))), a++ + (c = 1 + c, -2 < 23..toString() != "object" >>> Infinity == (null != null) < (22 == 23..toString())), a++, (c = c + 1) + ((c = 1 + c, 
        (NaN ^ true) << (3 ^ "bar") == (-1 || 1, -2 & "")) || 4).toString()[(c = 1 + c, 
        (0 ^ [ , 0 ].length === 2 || -1 & NaN) % ((1 || {}) ^ 24..toString() <= "undefined"))], delete (("number", 
        "undefined") <= (-5 != 3) && ~(38..toString() > 24..toString())) ].b, b = foo_2 && foo_2.null;
        for (var brake24 = 5; (a++ + --b || a || 3).toString() && brake24 > 0; --brake24) {
            try {
                c = 1 + c, (a_1 && (a_1[--b + void function() {
                }()] += (-1 ^ null) >= ("function" >= 2))) != -0 / ([ , 0 ].length === 2) < -3 >>> -0;
            } finally {
            }
            c = c + 1;
            {
            }
            {
                var brake30 = 5;
                L697217: do {
                    c = 1 + c, (c = c + 1, "function") << (-5 >= 3) != (-4 | "number") >= (1 ^ -2);
                } while ((c = 1 + c, ([] - "bar") * (a_2 = "bar" ^ 38..toString()) >>> (([ , 0 ].length === 2) < {}) / (-4 % 3)) && --brake30 > 0);
            }
        }
    }
    var Math_2 = f15();
}

// f0 returns nothing; the call is made for its effect on a, b and c.
var Infinity_2 = f0();

// Reference output for the differential check: this line must print the same
// values before and after minification.
console.log(null, a, b, c);
// uglified code
// (beautified)
// Minifier output for the original f0, reproduced as reported. f0 now declares
// only n and t, so every bare `c` outside the trailing `!function(c) {...}` is
// the global c. The initialiser of `t` matches the body of the original f5,
// whose `c` was a parameter (called with -1) and a local `var c` (assigned the
// undefined result of f13): here `c = -1` and `c = 1 + (c = void 0)` write to
// the global instead, which is where the reported NaN comes from.
// NOTE(review): which compress pass introduced this is not visible on the page;
// the title points at `inline`.
function f0() {
    // Counterpart of the original f1: the loop body is still dead because
    // `++t` on the hoisted, undefined t is NaN.
    var n = function() {
        for (var n = 5; ++t && n > 0; --n) {
            var t = (t++, c = 1 + c, t && (t.foo = NaN % (2 === [ , 0 ].length)), t = NaN === (t += [] % ""), 
            void (c = 1 + c));
        }
        c += 1;
    }(), n = (function() {
        var n = {
            a: (c = 1 + c, ~({} << 2) << (c += 1, 2 | 38..toString() / 22)),
            0: (c = 1 + c, (t && (t.foo = 0)) / (c += 1, -0)),
            Infinity: (c = 1 + c, (-4 ^ []) % (n = "undefined" + 24..toString()) + 0),
            1.5: (c = 1 + c, -5 * (-2 < 23..toString()) === (n = !1)),
            undefined: (c = 1 + c, 0 - (n && (n.c = 0)))
        }.length, t = a++ + (b += a);
        c = 1 + c, 23..toString(), t = NaN, n && (n[(c += 1) + void 0] = "null"), c = 1 + c, 
        (2 === [ , 0 ].length ^ [ , 0 ][1]) << (n && (n[(c = 1 + c, 2)] = NaN)) || 24..toString();
        var i = 5;
        do {
            b--;
        } while ((c += 1) + void 0 && --i > 0);
    }(), c += 1, c += 1, void (b = a)), t = (c = 1 + (c = 1 + (c = -1)), 23..toString(), 
    c = 1 + c, c += 1, c = 1 + (c = void 0), (3[--b + --b] += 0) && (c = 1 + c, 23..toString()), 
    c = 1 + c, void (0 != void 0 << 22 % 23..toString() && (c = 1 + c)));
    // Counterpart of the original f15: it stays a function and keeps its own
    // `c` parameter, so the writes to c in here stay local.
    !function(c) {
        c += 1, a++, t && (t.Infinity = "object"), a++, c = 1 + c, 23..toString(), 23..toString(), 
        a++, (c = 1 + (c += 1), 4).toString()[(c = 1 + c, (0 ^ 2 === [ , 0 ].length || 0) % (1 ^ 24..toString() <= "undefined"))];
        for (var i = t && t.null, o = 5; (a++ + --i || a || 3).toString() && o > 0; --o) {
            try {
                c = 1 + c, n && (n[--i + void 0] += !1);
            } finally {}
            c += 1;
            var r = 5;
            do {
                c = 1 + c, c += 1;
            } while (c = 1 + c, ([] - "bar") * ("bar" ^ 38..toString()) >>> ((2 === [ , 0 ].length) < {}) / -1 && --r > 0);
        }
    }();
}

// Same initial values as the original, merged into one declaration with the
// f0() call; the initialisers run left to right, so a, b and c are set before
// f0 executes.
var a = 100, b = 10, c = 0, Infinity_2 = f0();

// Printed values are compared with the original program's output; a mismatch
// means the minified build no longer behaves like its source.
console.log(null, a, b, c);
original result:
null 110 99 13

uglified result:
null 110 99 NaN

minify(options):
{
  "compress": {
    "keep_fargs": false,
    "passes": 3
  }
}

Suspicious compress options:
  collapse_vars
  conditionals
  evaluate
  inline
  passes
  reduce_vars
  sequences
  side_effects
  unused
@kzc
Contributor

kzc commented Jun 12, 2017

Only ~~2 potential bugs~~ 1 bug in over 5M fuzz iterations is pretty darn good.

alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Jun 12, 2017
@alexlamsl alexlamsl added the bug label Jun 12, 2017
alexlamsl added a commit that referenced this issue Jun 12, 2017