ufuzz: inline bug with NaN #2616

Closed
alexlamsl opened this issue Dec 18, 2017 · 9 comments · Fixed by #2617
@alexlamsl
Collaborator

// original code
// (beautified)
// Input program as produced by test/ufuzz.js. a, b and c are the counters
// printed at the end; the report below shows only c differing after minification.
var a = 100, b = 10, c = 0;

c = c + 1;

// Fuzzer-generated body. NOTE(review): with the reported a = 103 and b = 2 the
// `else` branch appears to complete without throwing, so the catch block
// below presumably never runs in this reproducer - confirm.
try {
    if (a++ + {
        var: --b + a++
    }[a++ + void b]) {} else {
        var c_1 = function f0() {
            function f1(bar_2, b, b_2) {
                function f2(a_2, undefined_1, undefined_1_2) {
                }
                var b_2_1 = f2("object", "function");
                // f3 and f4 each declare a parameter literally named NaN, so inside
                // their bodies the identifier NaN is the argument, not the global.
                function f3(NaN, foo) {
                    c = 1 + c, bar_2 && (bar_2.in += ("bar" < "object" && 1 | {}) < (b_2 &= ("foo" !== -1) % (22 >>> true)));
                    c = 1 + c, void (38..toString() < [] && -5 ^ "");
                }
                var parseInt_1 = f3("undefined");
                function f4(NaN, bar_2_1) {
                    c = 1 + c, 1 / 25 >= (5 <= false) >= ({} >>> 25 < "bar" >> 24..toString());
                    // NaN here is the [] passed by the call below, while `"foo" * null`
                    // is a numeric NaN; the left side of `||` is therefore NaN (falsy)
                    // and `c = c + 1` runs.
                    c = 1 + c, (true << NaN) - "foo" * null || (c = c + 1, false || 3);
                }
                var NaN_1 = f4([], (c = 1 + c, (-3 + "" | 5 === -4) >>> ("bar" << 3 << (c = c + 1, 
                "object"))));
            }
            var c_1 = f1(-0, "number");
            function f5() {
                if ((c = 1 + c, (c = c + 1, [ , 0 ].length === 2) << (3 >= Infinity) >= -1 << 38..toString() >>> (/[a2][^e]+$/ > -2)) ? (c = 1 + c, 
                (false && [ , 0 ].length === 2) / (c_1 = "" === null) ^ (null === null) <= !/[a2][^e]+$/) : (c = 1 + c, 
                true * -4 > ("undefined" || [ , 0 ].length === 2), (c_1 && (c_1[(c = 1 + c, 22 / NaN > 24..toString() << 22 >= ((-5 | 3) ^ 2 - 2))] += false >>> 22)) !== -3 % -3)) {
                    return;
                } else {
                    var expr12 = (c = 1 + c, void this - ("number" + -5) >> (true >>> undefined <= (c_1 = -3 === undefined)));
                    L201082: for (var key12 in expr12) {
                        c = 1 + c;
                        var bar_1 = expr12[key12];
                        c = 1 + c, (-1 && 4) >> (1 ^ 23..toString()), bar_1 && (bar_1[function() {
                        }()] ^= -3 * 2 < (c_1 && (c_1.b += 0 != false)));
                    }
                }
                var bar_1 = typeof (c = 1 + c, (c = c + 1, -1 | 38..toString()) || -4 + [] > ("" >= "number")), arguments_2 = --b + (c = c + 1, 
                (bar_1 && (bar_1.Infinity = NaN || undefined)) <= false / 2);
            }
            var bar_2 = f5(1, --b + delete a);
            function f6(b_1) {
                ({
                    c: (c = 1 + c, (this && "bar", 5 << Infinity) | 23..toString() % "bar" ^ "undefined" >> -5),
                    "\t": (c = 1 + c, (undefined === true || 2 + "object") + (-2 + "number") % (2 ^ /[a2][^e]+$/)),
                    in: (c = 1 + c, (bar_2 && (bar_2.null = "foo" === 4)) / (2 - "function") & (c = c + 1, 
                    -4) >= 4 / undefined),
                    "": (c = 1 + c, (([], 2) == (5 || -3)) / ((1 | []) <= ({} || "")))
                });
                c = c + 1;
            }
            var b_2 = f6();
            function f7(b_1) {
                {
                    var brake18 = 5;
                    while ((c = c + 1) + (b_1 && b_1[(c = 1 + c, (this - false ^ ~false) < (3 != "undefined") + undefined * null)]) && --brake18 > 0) {
                    }
                }
            }
            var b_2 = f7(false, --b);
            function f8() {
                {
                    var brake21 = 5;
                    while (--b + ((c = 1 + c, (-5 ^ "foo") * ("object" + 3) | 0 - {} !== (bar_2 && (bar_2[(c = 1 + c, 
                    (0 ^ -1 ^ 23..toString() - "object") < ("function" * "foo" !== ([ , 0 ].length === 2 ^ 2)))] = -3 << [ , 0 ][1]))) || a || 3).toString() && --brake21 > 0) {
                        c = c + 1;
                    }
                }
            }
            var b_2 = f8(Infinity, 4);
        }("function", 3);
    }
} catch (foo_2) {
    // NOTE(review): reached only if the try body throws; every a++ below would
    // push a past the reported 103 - confirm this path is dead in this run.
    {
        var brake23 = 5;
        while ((0 === 1 ? a : b) && --brake23 > 0) {
            var brake24 = 5;
            do {
                {
                    var brake25 = 5;
                    while ((c = c + 1) + (--b + (c_1 && c_1.null) || 5).toString()[{}] && --brake25 > 0) {
                        L201083: {
                            {
                                var brake27 = 5;
                                while (--b + a++ && --brake27 > 0) {
                                    break L201083;
                                }
                            }
                        }
                    }
                }
            } while (a++ + (b -= a) && --brake24 > 0);
        }
    }
    {
        {
            switch (b--) {
              case 0 === 1 ? a : b:
                {
                    if (c = 1 + c, ~(/[a2][^e]+$/ % 3 > (-2 !== true))) {
                        c = 1 + c, (c = c + 1, "object") - (-3 == this) & ([ , 0 ][1] ^ -2) != (c = c + 1, 
                        "");
                    }
                }
                {
                    var brake35 = 5;
                    while ((25 <= 23..toString() != (c_1 && (c_1.NaN = ([ , 0 ].length === 2) - 5))) % ((3 | 1) / (this & 25)) && --brake35 > 0) {}
                }
                break;

              case (c = c + 1) + {
                    0: a++ + (b >>>= a),
                    0: a++ + --b,
                    get undefined() {
                        try {
                            c = 1 + c, +"object" > ([ , 0 ].length === 2 == -5) == (this === [ , 0 ][1]) < ("bar" & 38..toString());
                        } finally {
                        }
                        return delete ("bar" - "" | 2 + "object" | true << "foo" > "object" - []);
                    },
                    foo: --b + c_1 ? !function() {
                    }() : (c = 1 + c, c_1 = ~-0 % ({} === "function") + ((5 || 24..toString()) >= (22 && []))),
                    null: a++ + (--b + ((c = 1 + c, ((NaN && 3) > -0 << -1) + (c_1 && (c_1.foo -= "bar" && undefined), 
                    "function" ^ "")) ? (c = 1 + c, -3 < "bar" && (c = c + 1, Infinity) || 24..toString() >>> 22 < ("" ^ null)) : (c = 1 + c, 
                    (-5 ^ -3) * (-0 >>> Infinity) % (3 <= -5 ^ ("foo" && 2)))) ? a++ + typeof b : --b + [][(c = 1 + c, 
                    ((foo_2 && (foo_2[(c = 1 + c, foo_2 && (foo_2.NaN >>= Infinity * "number" >>> (-0 >> "foo")) && (foo_2 = -5 >>> -1) != ([ , 0 ].length === 2) <= null)] = -1 << true)) & -1 === "object") == [ , 0 ][1] < [] < (true <= [ , 0 ][1]))])
                }[[ a++ + (0 === 1 ? a : b), --b + "object", {
                    null: (c = 1 + c, "foo" * "" !== (25 | "bar") ^ (foo_2 *= 3 % -1) < (1 === null)),
                    length: (c = 1 + c, (-1 * -3 ^ [ , 0 ][1] % 38..toString()) << ([ , 0 ][1] != false == ([ , 0 ].length === 2 & 3)))
                }, --b + ++a ][(c = c + 1) + {}[foo_2]]]:
                {
                    var parseInt = function f9(foo_2, a_2, foo_2_2) {
                        c = 1 + c, [ , 0 ][1] * 23..toString() < (5 ^ -4) == (-0 ^ true) <= (foo_2 && (foo_2[(c = 1 + c, 
                        "" <= "number" === ([ , 0 ][1] ^ this) || (c = c + 1, 4 % true))] = 5 === /[a2][^e]+$/));
                        c = 1 + c, ((undefined || "foo") <= (c_1 && (c_1.Infinity = 2 * this))) >>> ("undefined" >> undefined > (Infinity <= NaN));
                    }("undefined", (c = 1 + c, 2 % -2 >>> (NaN == true) >>> ("function" ^ 4) / ("foo" >> 25)), (c = 1 + c, 
                    (c_1 = [ , 0 ][1] < 5 < ("number" != ([ , 0 ].length === 2))) / ((undefined ^ 38..toString()) * (5 ^ 5))));
                }
                break;

              case [ --b + (0 === 1 ? a : b), --b + {
                    undefined: (c = 1 + c, (3 === -3 && null & false) == (c_1 = ([ , 0 ].length === 2) >> "") >>> (24..toString() ^ 3)),
                    NaN: (c = 1 + c, (undefined << -0 == (true != ([ , 0 ].length === 2))) >= (23..toString() / 3 > (true && "bar")))
                }.Infinity, ~(foo_2 && (foo_2.c = null >> [ , 0 ][1] <= ([ , 0 ].length === 2) + 5 <= (c_1 && (c_1.Infinity = ("undefined" | -3) % (Infinity + undefined))))) ].b:
              case (c = c + 1) + (a++ + --b || a || 3).toString():
                {
                    var expr43 = a++ + (--b + +function c_2() {
                    }() || 9).toString()[--b + b++];
                    for (var key43 in expr43) {
                        c = 1 + c;
                        var b = expr43[key43];
                        try {
                            switch (c = 1 + c, (25 > "object") % (c = c + 1, "undefined") + ((23..toString(), 
                            [ , 0 ].length === 2) !== -0 >> "")) {
                              case c = 1 + c, (5 | -4) * (-0 - "function") * ({} >> 4 && [ , 0 ].length === 2 != -0):
                                ;

                              case c = 1 + c, ("number" / "bar" || 5 > 5) !== (c_1 && (c_1[--b + {
                                    foo: (c = 1 + c, c_1 *= (-5 < -4 ^ 4 >= []) >= (-5 | "number") - (foo_2 && (foo_2.NaN = false >> -2))),
                                    "\t": (c = 1 + c, !((23..toString() || -2) < ("number" !== NaN))),
                                    3: (c = 1 + c, (38..toString() !== []) - (-0 ^ "foo") | (c_1 += 5 <= null < (5 !== -2))),
                                    0: (c = 1 + c, foo_2[(1 === 1 ? a : b) ? --b : --b + ((c = 1 + c, ((Infinity == "function") >= (foo_2 && (foo_2.in |= [ , 0 ][1] % 24..toString()))) - ("bar" >> 2 == (true & -1))) ? (c = 1 + c, 
                                    [ , 0 ][1] !== 1 === Infinity >>> "bar" & (-0 != -1 | "foo" <= 25)) : (c = 1 + c, 
                                    (this >= {}) * (c = c + 1, [ , 0 ][1]) && (foo_2 ^= this >> 2 !== undefined > -4)))] >>>= (false ^ 1 ^ (false || "object")) * (null / /[a2][^e]+$/ == -0 % "number")),
                                    undefined: (c = 1 + c, (([ , 0 ].length === 2) >>> Infinity) / (24..toString(), 
                                    this) && undefined >> 0 == 4 - 4)
                                }[(c = 1 + c, ([ , 0 ][1] || this) << (([ , 0 ].length === 2) < null) !== (([ , 0 ][1] & {}) != "bar" - 23..toString()))]] = -1 < 5 !== 38..toString() > 22)):
                                ;
                                break;

                              default:
                                ;

                              case c = 1 + c, (-2 % ([ , 0 ].length === 2) ^ ([ , 0 ].length === 2 | /[a2][^e]+$/)) != ("object" < -3) + (5 | -2):
                                ;
                                break;
                            }
                        } catch (c_2) {
                            c = 1 + c, (undefined !== "function") > ("object" | 5) || (null - Infinity) / (this | "object");
                            c = 1 + c, ({} >= "function" !== (38..toString() !== [ , 0 ][1])) - ((/[a2][^e]+$/ >= 38..toString()) + ("function" | [ , 0 ][1]));
                        }
                    }
                }
                break;
            }
            if (delete (foo_2 && (foo_2.a %= -5 % "undefined" + (this >> this) + ([ , 0 ][1] < {} < (23..toString() >= -1))))) {
                var expr49 = (((c = 1 + c, (c_1 = 38..toString() <= 23..toString()) - ({} >= 25) & -0 << 22 <= 22 << NaN) || a || 3).toString() || 2).toString()[--b + (--b + (0 === 1 ? a : b) ? true : [ (c = 1 + c, 
                (c_1 && (c_1.Infinity = -0 ^ 2)) === ("undefined" & /[a2][^e]+$/) ^ (void [] | -5 == 5)), (c = 1 + c, 
                ("" & 24..toString()) % ("object", 3) - (("number" | -4) ^ 23..toString() <= [ , 0 ][1])), (c = 1 + c, 
                (25 | "bar") / (undefined ^ 5) >> ~(-4 / NaN)), (c = 1 + c, ([ , 0 ][1] <= -2 !== (c = c + 1, 
                true)) % ((c_1 && (c_1[(c = 1 + c, (c_1 && (c_1.undefined *= [ , 0 ][1] >>> "foo" > (false | "bar"))) * (delete undefined ^ ("", 
                -4)))] = [] >>> 0)) << (25 || 22))) ])];
                L201084: for (var key49 in expr49) {
                    c = 1 + c;
                    var foo_2_2 = expr49[key49];
                    var foo_2 = delete ((("function" ^ "undefined") >= /[a2][^e]+$/ / 0) >>> (0 >>> /[a2][^e]+$/ | 1 / /[a2][^e]+$/));
                }
            } else {
                new function a_2() {
                    this.Infinity += (38..toString() >= "foo") * (foo_2 = "foo" + false) + (-2 % -1 === +3);
                    this.null >>= (3 - -5) % (23..toString() - "bar") >>> (-0 == -4 ^ 38..toString() >>> NaN);
                    {
                        var brake52 = 5;
                        while ((c = 1 + c, ([ , 0 ].length === 2 !== this) % (Infinity | 4) && (2 - -1, 
                        foo_2 && (foo_2[(c = 1 + c, (c = c + 1, "foo" << 3) ^ (a_2 && (a_2[3] += [] >> null ^ (foo_2 && (foo_2[(c = 1 + c, 
                        (void /[a2][^e]+$/ | (foo_2 ^= /[a2][^e]+$/ >>> Infinity)) >> (-4 <= 1 === (c_1 && (c_1.c = this & -1))))] = -5 - null)))))] <<= {} ^ true))) && --brake52 > 0) {
                            c = 1 + c, void (25 + "function" == (c = c + 1, 23..toString()));
                        }
                    }
                    try {
                        c = 1 + c, -1 / {} !== -3 < [] && null % -3 > (null < 2);
                    } catch (NaN_1) {
                    } finally {
                    }
                }();
            }
        }
        L201085: for (var brake56 = 5; (0 === 1 ? a : b) && brake56 > 0; --brake56) {
            var brake57 = 5;
            L201086: while (--b + [ (c = c + 1) + (foo_2_2 && foo_2_2.null ? (c = c + 1) + ++a : [ (c = 1 + c, 
            (("", "bar") ^ (foo_2 && (foo_2.null += -4 >> "function"))) / (("number" && 4) >> (-3 < 38..toString()))), (c = 1 + c, 
            (([] || /[a2][^e]+$/) && -4 - 22) + ("function" >> [ , 0 ][1] && 3 >= 24..toString())), (c = 1 + c, 
            /[a2][^e]+$/ / "object" === (this ^ 3) & (23..toString() > -2 & (38..toString() ^ 25))), (c = 1 + c, 
            ("foo" | 2) >> (24..toString() || [ , 0 ][1]) !== (5 << "undefined" != "object" >= 3)), (c = 1 + c, 
            22 - 5 > ({} || "undefined") >= (foo_2 && (foo_2[(c = c + 1) + +([ , 0 ][1] / -2 >>> ([ , 0 ][1] & 3), 
            5 >>> undefined <= (NaN !== -5))] = -2 + "object" === 23..toString() % null))) ][+(foo_2_2 && (foo_2_2.in = [ , 0 ][1] % 4 | "object" !== "number"))]), b + 1 - .1 - .1 - .1, [ a++ + [ (c = 1 + c, 
            ("number" == "" && "" * -4) !== (38..toString() - {} ^ "undefined" === 1)) ] ].Infinity ] && --brake57 > 0) {
                c = c + 1;
            }
        }
        {
            [ --b + {}, [ (c = 1 + c, (5 >> 5, 24..toString() | 1) < (-3 == Infinity ^ 23..toString() !== 4)), (c = 1 + c, 
            (this >> -0) - (Infinity & 38..toString()) >>> (23..toString() * Infinity && "undefined" - "undefined")), (c = 1 + c, 
            void (([ , 0 ].length === 2 ^ "number") > ("" < null))) ][1 === 1 ? a : b], a++ + "function" ][(c = c + 1) + c_1];
            {
                var brake61 = 5;
                do {
                    if (foo_2 && foo_2[b--]) {
                        try {
                            if (void function() {
                            }()) {
                                for (var brake65 = 5; (c = 1 + c, (-4 + "undefined") % (-1 >> 22) >= ("foo" || 24..toString()) << (-1 << null)) && brake65 > 0; --brake65) {
                                    c = 1 + c, ("number" >= -1 <= (-4 == this)) - (this !== "function") / (-1 & 4);
                                }
                            } else {
                                switch (c = 1 + c, (foo_2 && (foo_2[[ (c = 1 + c, ("" << -4 >= (38..toString() < "number")) << ((-0 ^ -3) <= (-0 && Infinity))), (c = 1 + c, 
                                (true % 1 << ("undefined" ^ 5)) - ((-1 <= NaN) << (3 & -0))), (c = 1 + c, ((-4 && "foo") ^ (-1 ^ "undefined")) + ("function" < 23..toString() || c_1 && (c_1.b = 22 >> "object"))) ][(c = 1 + c, 
                                c_1 && (c_1.b = true != 38..toString() !== {} >>> "number" ^ ("function" >= 25) >> (4 << 22)))]] >>= 22 >> 5 ^ (foo_2_2 += [ , 0 ][1] >> null))) | Infinity >> "undefined" & "" === "undefined") {
                                  case c = 1 + c, (-1 >> {}) + delete 38..toString() === (foo_2_2 && (foo_2_2[(c = 1 + c, 
                                    (c = c + 1, 23..toString() * 38..toString()) & 38..toString() / "function" / ("number" - "function"))] >>>= 3 > -3)) << this / -3:
                                    ;
                                    break;

                                  case c = 1 + c, ~(false == -0) || (-1 + "") / (-3 * -4):
                                    ;
                                    break;

                                  default:
                                    ;

                                  case c = 1 + c, Infinity + "object" == (c = c + 1, [ , 0 ][1]) ^ null * 22 !== (c_1 && (c_1.in *= -2 >>> -0)):
                                    ;
                                    break;
                                }
                            }
                        } finally {
                            try {
                                c = 1 + c, (c = c + 1, [] + undefined) !== ("bar" && 38..toString() && "" | 24..toString());
                            } catch (undefined_1) {
                            } finally {
                            }
                            var bar_1;
                        }
                    }
                } while (a++ + 0 && --brake61 > 0);
            }
            var undefined_2;
        }
    }
}

// Print the final counters; the report gives "null 103 2 31" for this listing.
console.log(null, a, b, c);
// uglified code
// (beautified)
// Output of minify() for the program above, using the options printed after
// the results below ("mangle": false), so identifier names are kept.
var a = 100, b = 10, c = 0;

c += 1;

// Compressed counterpart of the original try/catch. NOTE(review): with the
// reported a = 103 and b = 2 the catch block presumably never runs - confirm.
try {
    if (a++ + {
        var: --b + a++
    }[a++ + void 0]) {} else {
        var c_1 = function() {
            var c_1 = function(bar_2, b, b_2) {
                // NOTE(review): local binding named NaN, apparently left over from
                // inlining the original f3/f4 (whose parameter was named NaN); it
                // shadows the global NaN for the rest of this function.
                var NaN;
                // NOTE(review): after `NaN = []`, both operands of `(!0 << NaN) - NaN`
                // read the local array. The second operand was `"foo" * null` in the
                // original; folding it to the identifier NaN in this scope changes
                // the value, the `||` left side looks truthy, and `c += 1` is skipped -
                // consistent with the reported 30 vs 31.
                c = 1 + c, bar_2 && (bar_2.in += (1 | {}) < (b_2 &= 1)), c = 1 + c, 38..toString(), 
                NaN = [], c = 1 + c, c = 1 + (c += 1), 24..toString(), c = 1 + c, (!0 << NaN) - NaN || (c += 1);
            }(-0), bar_2 = function() {
                if (c = 1 + c, c += 1, !((2 === [ , 0 ].length) << !1 >= -1 << 38..toString() >>> !1 ? (c = 1 + c, 
                !1 / (c_1 = !1) ^ !1) : (c = 1 + c, -0 !== (c_1 && (c_1[(c = 1 + c, NaN > 24..toString() << 22 >= -5)] += 0))))) {
                    var expr12 = (c = 1 + c, NaN >> (1 <= (c_1 = !1)));
                    for (var key12 in expr12) {
                        var bar_1 = expr12[key12];
                        c = 1 + (c = 1 + c), 23..toString(), bar_1 && (bar_1[void 0] ^= -6 < (c_1 && (c_1.b += !1)));
                    }
                    c = 1 + c, c += 1, bar_1 = typeof (-1 | 38..toString() || -4 + [] > !1), --b, c += 1, 
                    bar_1 && (bar_1.Infinity = void 0);
                }
            }((--b, delete a));
            c = 1 + c, 23..toString(), c = 1 + (c = 1 + c), bar_2 && (bar_2.null = !1), c = 1 + (c += 1), 
            c += 1, function(b_1) {
                for (var brake18 = 5; (c += 1) + (b_1 && b_1[(c = 1 + c, (this - !1 ^ -1) < NaN)]) && --brake18 > 0; ) {}
            }(!1, --b), function() {
                for (var brake21 = 5; --b + (c = 1 + c, NaN | 0 - {} !== (bar_2 && (bar_2[(c = 1 + c, 
                (-1 ^ 23..toString() - "object") < (NaN !== (2 === [ , 0 ].length ^ 2)))] = -3)) || a || 3).toString() && --brake21 > 0; ) {
                    c += 1;
                }
            }();
        }();
    }
} catch (foo_2) {
    // NOTE(review): reached only if the try body throws; every a++ below would
    // push a past the reported 103 - confirm this path is dead in this run.
    for (var brake23 = 5; b && --brake23 > 0; ) {
        var brake24 = 5;
        do {
            for (var brake25 = 5; (c += 1) + (--b + (c_1 && c_1.null) || 5).toString()[{}] && --brake25 > 0; ) {
                L201083: for (var brake27 = 5; --b + a++ && --brake27 > 0; ) {
                    break L201083;
                }
            }
        } while (a++ + (b -= a) && --brake24 > 0);
    }
    switch (b--) {
      case b:
        c = 1 + (c = 1 + c), c += 1, c += 1;
        for (var brake35 = 5; (25 <= 23..toString() != (c_1 && (c_1.NaN = (2 === [ , 0 ].length) - 5))) % (3 / (25 & this)) && --brake35 > 0; ) {}
        break;

      case (c += 1) + {
            0: a++ + (b >>>= a),
            0: a++ + --b,
            get undefined() {
                try {
                    c = 1 + c, 38..toString();
                } finally {}
                return !0;
            },
            foo: !!(--b + c_1) || (c = 1 + c, c_1 = -1 % ("function" === {}) + (5 >= [])),
            null: a++ + (--b + (c = 1 + c, !1 + (c_1 && (c_1.foo -= void 0), 0) ? (c = 1 + c, 
            24..toString() >>> 22 < 0) : (c = 1 + c, 0)) ? a++ + typeof b : --b + [][(c = 1 + c, 
            (!1 & (foo_2 && (foo_2[(c = 1 + c, foo_2 && (foo_2.NaN >>= 0) && (foo_2 = 1) != (2 === [ , 0 ].length) <= null)] = -2))) == 0 < [] < !1)])
        }[[ a++ + b, --b + "object", {
            null: (c = 1 + c, !0 ^ (foo_2 *= 0) < !1),
            length: (c = 1 + c, (3 ^ 0 % 38..toString()) << (0 == (2 === [ , 0 ].length & 3)))
        }, --b + ++a ][(c += 1) + {}[foo_2]]]:
        var parseInt = function(foo_2, a_2, foo_2_2) {
            c = 1 + c, 23..toString(), foo_2 && (foo_2[(c = 1 + c, !0 === (0 ^ this) || (c += 1, 
            0))] = !1), c = 1 + c, c_1 && (c_1.Infinity = 2 * this);
        }("undefined", c = 1 + c, (c = 1 + c, c_1 = !0 < ("number" != (2 === [ , 0 ].length)), 
        38..toString()));
        break;

      case [ --b + b, --b + {
            undefined: (c = 1 + c, !1 == (c_1 = (2 === [ , 0 ].length) >> "") >>> (3 ^ 24..toString())),
            NaN: (c = 1 + c, (0 == (1 != (2 === [ , 0 ].length))) >= (23..toString() / 3 > "bar"))
        }.Infinity, ~(foo_2 && (foo_2.c = 0 <= (2 === [ , 0 ].length) + 5 <= (c_1 && (c_1.Infinity = NaN)))) ].b:
      case (c += 1) + (a++ + --b || a || 3).toString():
        var expr43 = a++ + (--b + NaN || 9).toString()[--b + b++];
        for (var key43 in expr43) {
            c = 1 + c;
            b = expr43[key43];
            try {
                switch (c = 1 + c, !1 % (c += 1, "undefined") + (0 !== (23..toString(), 2 === [ , 0 ].length))) {
                  case c = 1 + c, NaN * ({} >> 4 && 2 === [ , 0 ].length != -0):
                  case c = 1 + c, !1 !== (c_1 && (c_1[--b + {
                        foo: (c = 1 + c, c_1 *= (!0 ^ 4 >= []) >= -5 - (foo_2 && (foo_2.NaN = 0))),
                        "\t": (c = 1 + c, !((23..toString() || -2) < !0)),
                        3: (c = 1 + c, (38..toString() !== []) - 0 | (c_1 += !0)),
                        0: (c = 1 + c, foo_2[a ? --b : --b + (c = 1 + c, (!1 >= (foo_2 && (foo_2.in |= 0 % 24..toString()))) - !1 ? (c = 1 + c, 
                        0) : (c = 1 + c, (this >= {}) * (c += 1, 0) && (foo_2 ^= this >> 2 !== !1)))] >>>= 0),
                        undefined: (c = 1 + c, ((2 === [ , 0 ].length) >>> 1 / 0) / (24..toString(), this) && !0)
                    }[(c = 1 + c, this << ((2 === [ , 0 ].length) < null) !== ((0 & {}) != "bar" - 23..toString()))]] = !0 != 38..toString() > 22)):
                    break;

                  default:
                  case c = 1 + c, -1 != (-2 % (2 === [ , 0 ].length) ^ (2 === [ , 0 ].length | /[a2][^e]+$/)):
                }
            } catch (c_2) {
                c = 1 + (c = 1 + c), 38..toString(), 38..toString();
            }
        }
    }
    foo_2 && (foo_2.a %= NaN + (this >> this) + (0 < {} < (23..toString() >= -1)));
    var expr49 = ((c = 1 + c, (c_1 = 38..toString() <= 23..toString()) - ({} >= 25) & !0 || a || 3).toString() || 2).toString()[--b + (!!(--b + b) || [ (c = 1 + c, 
    0 === (c_1 && (c_1.Infinity = 2)) ^ 0), (c = 1 + c, ("" & 24..toString()) % 3 - (-4 ^ 23..toString() <= 0)), (c = 1 + c, 
    0), (c = 1 + c, (!1 != (c += 1, !0)) % ((c_1 && (c_1[(c = 1 + c, (c_1 && (c_1.undefined *= !1)) * (-4 ^ delete undefined))] = [] >>> 0)) << 25)) ])];
    for (var key49 in expr49) {
        c = 1 + c;
        var foo_2_2 = expr49[key49], foo_2 = !0;
    }
    for (var brake56 = 5; b && brake56 > 0; --brake56) {
        for (var brake57 = 5; --b + [ (c += 1) + (foo_2_2 && foo_2_2.null ? (c += 1) + ++a : [ (c = 1 + c, 
        ("bar" ^ (foo_2 && (foo_2.null += -4))) / (4 >> (-3 < 38..toString()))), (c = 1 + c, 
        -26), (c = 1 + c, NaN === (3 ^ this) & 23..toString() > -2 & (25 ^ 38..toString())), (c = 1 + c, 
        2 >> (24..toString() || 0) !== !0), (c = 1 + c, 17 > ({} || "undefined") >= (foo_2 && (foo_2[(c += 1) + 0] = "-2object" === 23..toString() % null))) ][+(foo_2_2 && (foo_2_2.in = 1))]), b + 1 - .1 - .1 - .1, [ a++ + [ (c = 1 + c, 
        !1 !== (38..toString() - {} ^ !1)) ] ].Infinity ] && --brake57 > 0; ) {
            c += 1;
        }
    }
    --b, c = 1 + c, 24..toString(), 23..toString(), c = 1 + c, 38..toString(), 23..toString(), 
    c = 1 + c, a++, c += 1;
    var brake61 = 5;
    do {
        if (foo_2 && foo_2[b--]) {
            try {
                var brake65;
                switch (c = 1 + c, 0 | (foo_2 && (foo_2[[ (c = 1 + c, (0 >= (38..toString() < "number")) << !0), (c = 1 + c, 
                0), (c = 1 + c, -1 + ("function" < 23..toString() || c_1 && (c_1.b = 22))) ][(c = 1 + c, 
                c_1 && (c_1.b = 1 != 38..toString() !== {} >>> "number" ^ 0))]] >>= 0 ^ (foo_2_2 += 0)))) {
                  case c = 1 + c, (-1 >> {}) + (38..toString(), !0) === (foo_2_2 && (foo_2_2[(c = 1 + c, 
                    c += 1, 23..toString() * 38..toString() & 38..toString() / "function" / NaN)] >>>= !0)) << this / -3:
                  case c = 1 + c, -2:
                    break;

                  default:
                  case c = 1 + c, 1 / 0 + "object" == (c += 1, 0) ^ 0 !== (c_1 && (c_1.in *= -2 >>> -0)):
                }
            } finally {
                try {
                    c = 1 + c, c += 1, 38..toString() && 24..toString();
                } catch (undefined_1) {}
                var bar_1;
            }
        }
    } while (0 + a++ && --brake61 > 0);
    var undefined_2;
}

// Print the final counters; the report gives "null 103 2 30" for this listing.
console.log(null, a, b, c);
original result:
null 103 2 31

uglified result:
null 103 2 30

minify(options):
{
  "mangle": false
}

Suspicious compress options:
  evaluate
  inline
  reduce_vars
  sequences
  unused
@kzc
Contributor

kzc commented Dec 18, 2017

How many ufuzz iterations to find this one?

@alexlamsl
Collaborator Author

alexlamsl commented Dec 18, 2017

1MFuzz

On the first day of Christmas, test/ufuzz.js gave to me... 🎶

@alexlamsl
Collaborator Author

It's rather fickle - you can't move the nested functions too much or things will work just fine.

@kzc
Contributor

kzc commented Dec 18, 2017

1MFuzz

Is that an official ISO measurement now?

Your initial plan for 8MFuzz is probably a good idea. But with the new ongoing optimizations it's a bit of a moving target.

@alexlamsl
Collaborator Author

One thing I observe is that rename now hides a lot of Compressor bugs related to variable collision.

@kzc
Contributor

kzc commented Dec 18, 2017

One thing I observe is that rename now hides a lot of Compressor bugs related to variable collision.

Arguably for users of uglifyjs -mc that's a good thing - assuming there are no bugs in rename.

@alexlamsl
Collaborator Author

test/ufuzz.js does exercise rename, so the race is on between it and the rest of Internet... 😎

@kzc
Contributor

kzc commented Dec 18, 2017

Isn't rename exercised implicitly when both mangle and compress are enabled?

@alexlamsl
Collaborator Author

Yup.
