Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ufuzz failure #3375

Closed
alexlamsl opened this issue Apr 22, 2019 · 0 comments · Fixed by #3376
Closed

ufuzz failure #3375

alexlamsl opened this issue Apr 22, 2019 · 0 comments · Fixed by #3376
Labels
bug

Comments

@alexlamsl
Copy link
Collaborator 

// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

function f0(bar_2, NaN_1) {
    {
        var a_2 = function f1(b, a) {
            var foo_1 = foo_1 += foo_1 = b += a;
            {
                return --b + (foo_1 && foo_1[(c = c + 1) + [].length]);
            }
        }(typeof arguments, 1, --b + /[abc4]/.test(((c = c + 1) + -b || b || 5).toString()));
    }
    if (typeof NaN_1 == "function" && --_calls_ >= 0 && NaN_1(3, [], --b + 38..toString())) {
        var bar = function f2(a, a_2) {
            {
                var Infinity = function f3(NaN_1_2, b_2) {
                    {}
                    switch ((c = c + 1) + (b += a)) {
                      default:
                        c = 1 + c, ((-4 | -3) < NaN << 4) + (a_2 = (c = c + 1, -3) <= "c" >> -4);

                      case (c = c + 1) + "function":
                        c = 1 + c, (5 == 4) % (bar_2 = Infinity & 25) ^ [] >>> 25 & [ , 0 ][1] !== Infinity;
                        break;

                      case 23..toString():
                        break;

                      case a++ + NaN_1_2:
                        break;
                    }
                }("a", null, bar_2 && bar_2[((c = 1 + c, a_2 && (a_2[{
                    length: (c = 1 + c, a_2 && (a_2.Infinity += (NaN_1 && (NaN_1.var *= -1 * "b" + (c = c + 1, 
                    5))) != (-1 == -5 != (undefined !== "number")))),
                    1.5: (c = 1 + c, (a_2 = ("a", "foo")) & -5 - [ , 0 ][1] || ("number" > "undefined") / ("" != 22)),
                    "": (c = 1 + c, (!"" != (25 === -1)) % ("undefined" / [] > ("object" | 1))),
                    "": (c = 1 + c, (c = c + 1, 3 - this) <= ("a" ^ "a" || "function" + false)),
                    c: (c = 1 + c, a_2 && (a_2[a++ + (typeof f4 == "function" && --_calls_ >= 0 && f4())] += (bar_2 && (bar_2[1 === 1 ? a : b] &= ([] === 2) >>> (-1 && "object"))) >= "undefined" * "function" / (null === "function")))
                }.null] = -4 >= 4 >= (-4 < true) ^ (-1 != Infinity) > (bar_2 && (bar_2[(c = 1 + c, 
                (3 === 5) >> ("" || 23..toString()) <= (this >> ([ , 0 ].length === 2)) - (4 << 2))] ^= -3 != "a")))) || 1).toString()[(c = 1 + c, 
                ((undefined, NaN) < (3 != -4)) % (bar_2 && (bar_2[a++ + ~((-5 !== "undefined") < ("undefined" != -2) & (23..toString() === -4) - (NaN || "b"))] = (1 & "foo") << (false ^ 23..toString()))))]]);
            }
            switch (--b + (0 === 1 ? a : b)) {
              case --b + ((c = c + 1) + void (NaN_1 && (NaN_1.Infinity = (a_2 && (a_2.var <<= (2, 
                0) - (c = c + 1, [ , 0 ].length === 2))) ^ (23..toString(), -0) >> -1 / Infinity)) || a || 3).toString():
                {
                    c = 1 + c, void ("object" ^ NaN) << ("undefined" > 4 && (c = c + 1, -5));
                    var Infinity_2 = (c = 1 + c, (a_2 = (22 != "number") >= (false > "foo")) !== (NaN + "b" != NaN < false));
                }
                {
                    var expr15 = --b + typeof (typeof a_2 == "function" && --_calls_ >= 0 && a_2((c = 1 + c, 
                    ((a_2 && (a_2.a |= "object" !== 38..toString())) & delete "c") != (void /[a2][^e]+$/ & (Infinity | this))), 4));
                    for (var key15 in expr15) {
                        c = 1 + c;
                        var parseInt = expr15[key15];
                        {
                            var expr16 = 0 === 1 ? a : b;
                            L319408: for (var key16 in expr16) {
                                c = 1 + c;
                                var Infinity_2 = expr16[key16];
                                c = 1 + c, -5 << -5 || ([] || {}) || ("bar" == false) / + -2;
                            }
                        }
                    }
                }
                break;

              case bar_2:
                break;

              default:
                try {
                    switch ([ (c = 1 + c, undefined / "bar", 25 > 38..toString(), ("c" || 38..toString()) >>> (/[a2][^e]+$/ & [])), (c = 1 + c, 
                    (NaN_1 && (NaN_1.c >>>= (25, 38..toString()) != (0, "bar"))) ^ (a_2 && (a_2.NaN = void -4 > (Infinity | "a")))), (c = 1 + c, 
                    c = c + 1, undefined != Infinity !== (bar_2 += "c" && true)), (c = 1 + c, c = c + 1, 
                    "b" < "foo" >= "b" % 5) ][(c = 1 + c, !(0 >= 5 != ("b" | -5)))]) {
                      case 25:
                        break;

                      case a++ + (typeof foo == "boolean"):
                        c = 1 + c, Infinity_2 && (Infinity_2.foo = ((Infinity_2 && (Infinity_2.var += [ , 0 ][1] ^ false)) <= (NaN <= 25)) >> ("" < "object") / (Infinity && -0));
                        c = 1 + c, (Infinity_2 && (Infinity_2.c += "b" >>> 0 || {} + -3)) % ((-2 << 1) / (-0 !== 4));
                        break;

                      case {
                            NaN: (c = 1 + c, (22 >>> 5) % (a_2 = 1 << NaN) % (+1 % ("function" << -0)))
                        }[(c = 1 + c, c = c + 1, delete [] | "undefined" >= undefined)]:
                        c = 1 + c, delete ("function" || "b") << ("c", "c") % ("undefined" >> 1);
                        break;

                      default:
                        c = 1 + c, (false, [ , 0 ].length === 2) << (this >>> 24..toString()) & (a_2 = [] > "c" === (/[a2][^e]+$/, 
                        "function"));
                    }
                } catch (a_2) {
                    {
                        var brake24 = 5;
                        while ((c = 1 + c, (-4 >>> 3) / (38..toString() && true) >>> (([ , 0 ].length === 2 | "undefined") >> (25 || -5))) && --brake24 > 0) {
                            c = 1 + c, (-4 << -1 | delete 0) ^ (c = c + 1, 3) - (-2 !== 22);
                        }
                    }
                    if (c = 1 + c, (a_2 && (a_2[(c = 1 + c, "a" << -3 >= (false == false) === ((1 & this) == 24..toString() >> [ , 0 ][1]))] += 24..toString() || -5)) >>> (24..toString() ^ "c"), 
                    (([ , 0 ].length === 2) >= -5) >>> (Infinity_2 ^= -2 ^ "number")) {
                        c = 1 + c, "foo" << 3 != ("foo" & 22) | ("bar" ^ -3, 22, 2);
                    }
                } finally {
                    for (var brake28 = 5; (c = 1 + c, ("function" / ([ , 0 ].length === 2) === (-4, 
                    Infinity)) * (3 ^ /[a2][^e]+$/ ^ (-3 || ""))) && brake28 > 0; --brake28) {
                        c = 1 + c, (-0 >>> this !== (-2 | -2)) % (("b" ^ this) == (this & "function"));
                    }
                    c = 1 + c, NaN_1 |= "b" >= 5 > (undefined >= []) & (/[a2][^e]+$/ / -5 | ("undefined" || "c"));
                }
                -((4 !== -3, 0 <= "b") != (Infinity_2 && (Infinity_2[(c = 1 + c, ([ , 0 ][1] != -1) >>> (a_2 && (a_2[(c = 1 + c, 
                (undefined >= 25 === (true || 38..toString())) < ({} ^ 1) / (24..toString() && /[a2][^e]+$/))] = "number" || null)), 
                a_2 |= [ , 0 ].length === 2 ^ 24..toString() ^ (NaN_1 && (NaN_1[(c = 1 + c, (c = c + 1, 
                [] / true) || (3 >> -3) * (22 != "number"))] = NaN | "c")))] += "b" >= "function")) % ("object" * -1));

              case (c = c + 1) + {
                    null: typeof Infinity_2 == "function" && --_calls_ >= 0 && Infinity_2("object"),
                    "": (c = c + 1) + +((-4 != false) * (2 / -1), NaN >>> -1 && -4 % null),
                    "-2": typeof f3 == "function" && --_calls_ >= 0 && f3((c = 1 + c, (3 == "a" == (4 == -5)) / ("undefined" - [] >>> (3 > []))), "function", (c = 1 + c, 
                    NaN_1 && (NaN_1.in = ((/[a2][^e]+$/ | "foo") <= [] % "object", (-5 | -5) * (undefined * null))))),
                    0: Infinity_2 && Infinity_2[--b + (typeof f3 == "function" && --_calls_ >= 0 && f3())],
                    b: -((null << 22) + (25 << 4) !== ~(38..toString() || "function"))
                }[--b + +((-2 ^ 24..toString()) - (-0 >>> "") || ("b" || {}) & "bar" * 22)]:
                for (var brake32 = 5; a++ && brake32 > 0; --brake32) {
                    var brake33 = 5;
                    L319409: do {
                        {
                            var brake34 = 5;
                            while ((c = 1 + c, (-2 <= "bar" == ("undefined" ^ "undefined")) >> (Infinity_2 && (Infinity_2[a++ + Infinity_2] &= (bar_2 && (bar_2[(c = 1 + c, 
                            ((5 & "function") != "bar" > false) > false * "b" % (NaN ^ -3))] += undefined - "c")) + (c = c + 1, 
                            true)))) && --brake34 > 0) {
                                c = 1 + c, Infinity_2 && (Infinity_2[((c = 1 + c, (Infinity == NaN) % (0 >> 5) / ((0 ^ "function") !== true - "object")) || a || 3).toString()] %= (([ , 0 ].length === 2) < "b") >>> [] / "bar"), 
                                ("object", "object") === null < 5;
                            }
                        }
                    } while ((b = a) && --brake33 > 0);
                }
                break;
            }
        }(a++ + 2, (c = c + 1) + "c", "");
    } else {}
}

var undefined_2 = f0(a++ + (typeof f1 == "function" && --_calls_ >= 0 && f1(4)), a++ + b--, typeof f0 == "function" && --_calls_ >= 0 && f0(undefined, --b + a--));

console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
var b = 10, t = 100, h = 10, p = 0;

function o(s, y) {
    var o, a;
    o = typeof arguments, ((p += 1) + - --h || h || 5).toString(), a = a += a = ++o, 
    --o, a && a[(p += 1) + 0], "function" == typeof y && 0 <= --b && y(3, [], --h + "38") && function(t, f) {
        var n = function(o, a) {
            switch ((p += 1) + (h += t)) {
              default:
                p = 1 + p, p += 1, f = !0;

              case (p += 1) + "function":
                p = 1 + p, s = 25 & n;
                break;

              case "23":
              case t++ + "a":
            }
        }(0, 0, s && s[(p = 1 + p, f && (f[{
            length: (p = 1 + p, f && (f.Infinity += 1 != (y && (y.var *= NaN + (p += 1, 5))))),
            1.5: (p = 1 + p, -5 & (f = "foo") || 0),
            "": (p = 1 + p, NaN),
            "": (p = 1 + p, p += 1, 3 - this <= "function" + !1),
            c: (p = 1 + p, f && (f[t++ + ("function" == typeof f4 && 0 <= --b && f4())] += NaN <= (s && (s[t] &= 0))))
        }.null] = !1 ^ (-1 != n) > (s && (s[(p = 1 + p, 0 <= (this >> !0) - 16)] ^= !0))) || 1).toString()[(p = 1 + p, 
        !1 % (s && (s[t++ - 1] = 0)))]]);
        switch (--h + h) {
          case --h + ((p += 1) + void (y && (y.Infinity = (f && (f.var <<= 0 - (p += 1, !0))) ^ -0 >> -1 / n)) || t || 3).toString():
            var o = (p = 1 + (p = 1 + p), 1 != (f = !0)), a = --h + typeof ("function" == typeof f && 0 <= --b && f((p = 1 + p, 
            (!0 & (f && (f.a |= !0))) != (void 0 & (n | this))), 4));
            for (var i in a) {
                p = 1 + p;
                var e = h;
                for (var c in e) {
                    p = 1 + p, o = e[c], p = 1 + p;
                }
            }
            break;

          case s:
            break;

          default:
            try {
                switch ([ (p = 1 + p, 0), (p = 1 + p, (y && (y.c >>>= !0)) ^ (f && (f.NaN = ("a" | n) < void 0))), (p = 1 + p, 
                p += 1, null != n !== (s += !0)), (p = 1 + p, p += 1, !1) ][(p = 1 + p, !1)]) {
                  case 25:
                    break;

                  case t++ + ("boolean" == typeof foo):
                    p = 1 + p, o && (o.foo = ((o && (o.var += 0)) <= !1) >> !0 / (n && -0)), p = 1 + p, 
                    o && (o.c += {} + -3);
                    break;

                  case {
                        NaN: (p = 1 + p, 0 % (f = 1) % NaN)
                    }[(p = 1 + p, p += 1, 1)]:
                    p = 1 + p;
                    break;

                  default:
                    p = 1 + p, f = !1;
                }
            } catch (f) {
                for (var r = 5; p = 1 + p, 0 < --r; ) {
                    p = 1 + p, p += 1;
                }
                p = 1 + p, f && (f[(p = 1 + p, 0 == (24 == (1 & this)))] += "24"), !0 >>> (o ^= -2) && (p = 1 + p);
            } finally {
                for (var N = 5; p = 1 + p, -2 * (NaN === n) && 0 < N; --N) {
                    p = 1 + p;
                }
                p = 1 + p, y |= 0;
            }
            o && (o[(p = 1 + p, f && (f[(p = 1 + p, !1)] = "number"), f |= 25 ^ (y && (y[(p = 1 + p, 
            p += 1, 0)] = 0)))] += !1);

          case (p += 1) + {
                null: "function" == typeof o && 0 <= --b && o("object"),
                "": (p += 1) + 0,
                "-2": "function" == typeof f3 && 0 <= --b && f3((p = 1 + p, 1 / 0), "function", (p = 1 + p, 
                y && (y.in = NaN))),
                0: o && o[--h + ("function" == typeof f3 && 0 <= --b && f3())],
                b: -1
            }[--h - 26]:
            for (var u = 5; t++ && 0 < u; --u) {
                var v = 5;
                do {
                    for (var l = 5; p = 1 + p, !0 >> (o && (o[t++ + o] &= (s && (s[(p = 1 + p, !1)] += NaN)) + (p += 1, 
                    !0))) && 0 < --l; ) {
                        p = 1 + p, o && (o[(p = 1 + p, (NaN == n) % 0 / !0 || t || 3).toString()] %= 0);
                    }
                } while ((h = t) && 0 < --v);
            }
        }
    }(2 + t++, (p += 1) + "c");
}

o(t++ + ("function" == typeof f1 && 0 <= --b && f1(4)), t++ + h--, 0 <= --b && o(void 0, --h + t--)), 
console.log(null, t, h, p, 1 / 0, NaN, void 0);
original result:
�[1mnull�[22m �[33m101�[39m �[33m6�[39m �[33m4�[39m �[33mInfinity�[39m �[33mNaN�[39m �[90mundefined�[39m

uglified result:
�[1mnull�[22m �[33m101�[39m �[33m6�[39m �[33m2�[39m �[33mInfinity�[39m �[33mNaN�[39m �[90mundefined�[39m

minify(options):
{
  "compress": {
    "passes": 1000000,
    "unsafe": true
  },
  "toplevel": true
}
@alexlamsl alexlamsl added the bug label Apr 22, 2019
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Apr 22, 2019
@alexlamsl
fix corner case in assignments
3899d09 
fixes mishoo#3375
@alexlamsl alexlamsl mentioned this issue Apr 22, 2019
Merged
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Apr 22, 2019
@alexlamsl
fix corner case in assignments
4fe4be7 
fixes mishoo#3375
alexlamsl added a commit that referenced this issue Apr 23, 2019
@alexlamsl
fix corner case in assignments (#3376)
a84beaf 
fixes #3375
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix corner case in assignments alexlamsl/UglifyJS
1 participant
@alexlamsl