Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ufuzz failure #3377

Closed
alexlamsl opened this issue Apr 23, 2019 · 0 comments · Fixed by #3378
Closed

ufuzz failure #3377

alexlamsl opened this issue Apr 23, 2019 · 0 comments · Fixed by #3378
Labels
bug

Comments

@alexlamsl
Copy link
Collaborator 

// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

function f0(b_2, a_2) {
    function f1() {
        try {
            {
                var brake2 = 5;
                while (--b + (!a || 1).toString()[[ (c = 1 + c, (this ^ -1) + (b_2 && (b_2[(c = 1 + c, 
                ((-3, -1) ^ ("object" && [ , 0 ][1])) === (true !== 3) / (this && -0))] = 4 > 22)) < (undefined >= {} || 22 > "a")), (c = 1 + c, 
                ((1, 23..toString()) != (NaN ^ 5)) * (c = c + 1, ([ , 0 ].length === 2) + -4)), (c = 1 + c, 
                ("c" !== 25) > (a_2 && (a_2.foo = "number" < "")) & [ , 0 ][1] * -0 === 2 >> -0), (c = 1 + c, 
                a_2 && (a_2[--b + (b_2 && b_2.a)] += ((a_2 && (a_2[(c = 1 + c, (undefined * 1 >= (22 ^ true)) * ((-2 || 22) % (23..toString() == [ , 0 ][1])))] >>>= this & 5)) == +"undefined", 
                a_2 && (a_2[(c = 1 + c, void (c = c + 1, 1 & 0))] = 3 * ([ , 0 ].length === 2)), 
                "bar" + "a"))), (c = 1 + c, ((this && []) != ([ , 0 ].length === 2 ^ 4)) < (null % -3 == "" << -3)) ].length] && --brake2 > 0) {
                    var a = --b + ((c = 1 + c, (c = c + 1, 3) ^ 5 / -0 || (b_2 && (b_2.NaN += "" >= -2)) ^ this <= "") || a || 3).toString();
                }
            }
        } catch (c_1) {
            if (typeof f1 == "function" && --_calls_ >= 0 && f1((c = 1 + c, ((22, 5) ^ 24..toString() - 0) << ({} == {}) / (38..toString() == true)))) {
            } else {
                c = c + 1;
            }
            L271417: for (var brake7 = 5; [ (c = 1 + c, "object" >> NaN == (c_1 && (c_1[(c = 1 + c, 
            (2 >>> 1 === -1 >= "function") < (a_2 = true < 2 | -4 === 25))] >>= NaN >> [ , 0 ][1])), 
            +this != {} * 25) ] && brake7 > 0; --brake7) {
                return;
                c = 1 + c, ((true | 5) & 25 - null) - ((-0 >> 2) + ({} <= 24..toString()));
            }
        }
        switch (+((a_2 && (a_2[(c = 1 + c, (-5 ^ "a") >= (this < -1) <= (24..toString() >> {} & false >> -1))] |= "foo" <= "bar" ^ "number" >= 25)) % (~24..toString() ^ NaN !== undefined))) {
          case --b + typeof bar_2:
            L271418: for (var brake10 = 5; typeof b_2 == "function" && --_calls_ >= 0 && b_2(22, true) && brake10 > 0; --brake10) {
            }
            break;

          default:
            {
                var expr12 = b = a;
                L271419: for (var key12 in expr12) {
                    c = 1 + c;
                    var a = expr12[key12];
                    c = 1 + c, ((b_2 && (b_2[(c = 1 + c, "c" === undefined === (b_2 && (b_2[(c = 1 + c, 
                    a_2 && (a_2[--b + (1 === 1 ? a : b)] = (delete "foo" && 25 < -0) * ("bar" === 4 == {} < {})))] += "number" < -1)) ^ false / 3 + ("object" !== -5))] += true >>> -3)) >> (3 >= "c")) / ((a_2 && (a_2.null += "c" < NaN)) >= 25 / "");
                }
            }

          case a++ + [ b = a, a++ + [], a++ + (b_2 += (c = 1 + c, (b_2 && (b_2.b *= {} >= [] >= ({} && -4))) << (0 >>> -1 ^ true << 0))) ]:
            {
                return a++ + function foo_1() {
                };
            }
            {
                var expr15 = /[abc4]/.test(((c = 1 + c, -1 >>> {} < void 25 && (false || undefined) * (false & undefined)) || b || 5).toString());
                for (var key15 in expr15) {
                    c = 1 + c;
                    var b_1 = expr15[key15];
                    {
                    }
                }
            }
            break;

          case --b + +function parseInt_2() {
                if (c = 1 + c, (b_1 && (b_1.var = null ^ -5) && (38..toString(), "a")) * ("b" >>> this == (parseInt_2 && (parseInt_2[(c = 1 + c, 
                (parseInt_2 && (parseInt_2[--b + [ (c = 1 + c, b_2 && (b_2.null = ((1 || 5) ^ (2 ^ "function")) - -("foo" === "a"))), (c = 1 + c, 
                (38..toString() != -3) - (25 ^ /[a2][^e]+$/) && (c = c + 1, "bar") >= ("undefined" === "undefined")), (c = 1 + c, 
                (2 !== -4 ^ ("number" && undefined)) === (25 < 2) / (NaN + -3)) ].NaN] -= (22, 4) * (-2 !== null))) !== (a_2 && (a_2[{
                    "": (c = 1 + c, (false * 25 == ("" == 0)) << (3 || "foo") * ("object" / "foo")),
                    get a() {
                        c = 1 + c, c = c + 1, "a" << /[a2][^e]+$/ & ("" & -0);
                    },
                    "\t": (c = 1 + c, (Infinity >> /[a2][^e]+$/) * (24..toString() || 2) == ([] != 0 == (NaN, 
                    "a")))
                }] <<= [ , 0 ][1] >= 24..toString() ^ "b" <= 3)))] = "number" >= undefined)))) {
                    c = 1 + c, parseInt_2 && (parseInt_2.in = ((-3, "c") || undefined | NaN) < ("b" * 38..toString() === ("" || "number")));
                } else {
                    c = 1 + c, (/[a2][^e]+$/ << 1 && [] >>> ([ , 0 ].length === 2)) != ("c" < 5 ^ undefined / -3);
                }
                L271420: for (var brake21 = 5; (c = 1 + c, -("b" >> -2) ^ (38..toString() === 23..toString()) + ("number" ^ "c")) && brake21 > 0; --brake21) {
                    c = 1 + c, true + 38..toString() >>> (3 > ([ , 0 ].length === 2)) <= (b_2 && (b_2.foo += -2 - "object" ^ (false | "")));
                }
                if (c = 1 + c, ((a_2 && (a_2[(c = 1 + c, (false, -3) << "b" + "bar" && (b_2 && (b_2[(c = 1 + c, 
                parseInt_2 && (parseInt_2[(--b + ((-0 ^ "undefined") & (2 ^ []), "undefined" % false + ("foo" << 25)) || 1).toString()[--b + [].foo]] += (5 >= -3 && +38..toString()) - (23..toString() <= "bar" | (parseInt_2 = 4 >>> 23..toString()))))] = /[a2][^e]+$/ == null)) ^ -5 / /[a2][^e]+$/)] = 22 << 22)) | "" != "c") >= ((true | "c") ^ (c = c + 1, 
                false))) {
                    c = 1 + c, false / 22 != "undefined" - 24..toString() === ("c" && 1) >>> ("function", 
                    3);
                } else {
                    c = 1 + c, (c = c + 1, this < "c") << ((b_1 && (b_1.b = false % "foo")) <= (-0 && "number"));
                }
            }():
            ;
            switch (--b + void ((true ^ this) != ("" !== -2) & ([ , 0 ].length === 2) % "foo" + (NaN === -2))) {
              case b *= a:
                c = 1 + c, ([ , 0 ][1], /[a2][^e]+$/) != (a_2 <<= Infinity >= 0) ^ -2 >= "" < +"foo";
                break;

              case a++ + --b:
                break;

              case function() {
                }():
                c = 1 + c, ("a", 25) + delete 5 || ("" || [ , 0 ].length === 2) % (3 === 0);
                break;

              case void function() {
                }():
                c = 1 + c, (NaN ^ [], b_2 && (b_2[(c = 1 + c, ("undefined" && 38..toString() || [ , 0 ].length === 2 && "b") | NaN !== NaN === "a" <= "foo")] = 5 & "number")) - ("foo" > true, 
                "bar" != "function");
                c = 1 + c, ({} % "b" && "bar" << "function") ^ 24..toString() >>> -3 >> (this | 0);
                break;
            }
        }
    }
    function f2() {
        {
            var brake33 = 5;
            L271421: while ([ --b + (({} !== -4) <= 25 * "b" < ("undefined" << [ , 0 ][1] <= (23..toString() <= -1))), {
                c: (c = 1 + c, (-4 << "undefined", "a" + 3) >= (23..toString() + 38..toString()) % (b_2 && (b_2[(c = 1 + c, 
                -"c" === this <= 24..toString() || b_2 && (b_2.b *= (b_2 && (b_2[(c = 1 + c, (b_2 && (b_2.NaN = -2 > "object")) >= 0 - -3 === (38..toString() === -5) <= (-3 ^ /[a2][^e]+$/))] |= 0 - "c")) ^ (1 && "foo")))] = "" != "foo")))
            } ] && --brake33 > 0) {}
        }
    }
    var NaN_1 = f2(Infinity, 22, typeof f1 == "function" && --_calls_ >= 0 && f1(void function() {}()));
    function f3(b_1, c) {
        function f4(arguments_1, b_1, b_2) {
            for (var brake35 = 5; (c = 1 + c, ([] & [ , 0 ].length === 2) >= false << /[a2][^e]+$/ & {} === NaN === (c = c + 1, 
            "bar")) && brake35 > 0; --brake35) {
                c = 1 + c, arguments_1 &= a_2 && (a_2.a += "a" >>> "bar" && [] >>> -5) && ([ , 0 ][1] && 25) | (b_1 && (b_1[(c = 1 + c, 
                ([ , 0 ][1] * "bar" >= void -4) + ((b_2 && (b_2[(c = 1 + c, void (-3 * []) >> (22 * true >>> ("b" && -5)))] *= [ , 0 ][1] & "c")) >> ("number" === -5)))] = "undefined" << 23..toString()));
            }
            {
            }
        }
        var b = f4();
        function f5() {
            function f6(b_2_1) {
            }
            var foo_1 = f6((c = 1 + c, (4 !== true, null < 25) >> ("function" >> true) - (3 <= "")), [ , 0 ].length === 2, (c = 1 + c, 
            ("c", -3) & "bar" === -4 | 22 + false ^ ("undefined" ^ "undefined")));
            function f7(b_1_2) {
            }
            var bar = f7(23..toString(), (c = 1 + c, (/[a2][^e]+$/ >> null) - ("undefined" >>> "function"), 
            (b_2 && (b_2[(c = 1 + c, 38..toString() < [ , 0 ][1] !== (b_2 && (b_2[(c = 1 + c, 
            (c = c + 1, 0 == /[a2][^e]+$/) | (foo_1 && (foo_1.foo *= ("a", "foo"))) === 25 - "undefined")] = "b" >>> "a")) | (b_2 && (b_2[(c = c + 1) + a--] = "c" + ([ , 0 ].length === 2) + 5 * this)))] = /[a2][^e]+$/ == "undefined")) & "object" - -4));
            function f8(NaN_1_2, a, a_2) {
            }
            var b_1_2 = f8((c = 1 + c, (5 & this && "bar" === 2) > (foo_1 += "c" * 23..toString() <= 1 << "function")), NaN);
        }
        var a = f5((c = c + 1) + (typeof f3 == "function" && --_calls_ >= 0 && f3()));
        function f9(undefined_1, b_2, foo) {
            {
            }
            {
                var expr39 = (c = 1 + c, 38..toString() * "bar" % (c = c + 1, false) >>> (a_2 && (a_2[b_2] += (2 & 1) >> ("c" >= -0))));
                L271422: for (var key39 in expr39) {
                    c = 1 + c;
                    var a_2_1 = expr39[key39];
                    c = 1 + c, (NaN_1 && (NaN_1.Infinity = /[a2][^e]+$/ !== "undefined"), true ^ 4) >> (("object" != -4) <= ("c" != "c"));
                }
            }
        }
        var b_2 = f9();
    }
    function f10(b_1, b_2) {
        L271423: for (var brake41 = 5; --b + (0 === 1 ? a : b) && brake41 > 0; --brake41) {
            var bar_2;
        }
        c = c + 1;
    }
    var a_2 = f10(typeof NaN_2, ((("number" === -5) > (false !== 5)) >>> (c = c + 1, 
    a_2 >>>= 0 <= {}) || 1).toString()[typeof a_2 == "function" && --_calls_ >= 0 && a_2(undefined, "b")], [ a++ + !b, ,  ].Infinity);
}

var a_2 = f0(4, 23..toString(), []);

console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
var c, f, s = 10, v = 10, N = 0;

c = 4, f = "23", function() {
    for (var a = 5; --v, N = 1 + N, c && (c[(N = 1 + N, NaN === this <= "24" || c && (c.b *= "foo" ^ (c && (c[(N = 1 + N, 
    3 <= (c && (c.NaN = !1)) == 0)] |= NaN))))] = !0), 0 < --a; ) {}
}(0 <= --s && function o() {
    try {
        for (var a = 5; --v + ("" + (!r || 1))[[ (N = 1 + N, (-1 ^ this) + (c && (c[(N = 1 + N, 
        -1 == !0 / (this && -0))] = !1)) < !1), (N = 1 + N, !0 * (N += 1, -3)), (N = 1 + N, 
        (f && (f.foo = !1)) < !0 & !1), (N = 1 + N, f && (f[--v + (c && c.a)] += (f && (f[(N = 1 + N, 
        NaN)] >>>= 5 & this), f && (f[(N = 1 + N, void (N += 1))] = 3), "bara"))), (N = 1 + N, 
        (5 != (this && [])) < !0) ].length] && 0 < --a; ) {
            var r = --v + "" + (N = 1 + N, N += 1, 3);
        }
    } catch (a) {
        0 <= --s && o(N = 1 + N) || (N += 1);
        for (var t = 5; N = 1 + N, a && (a[(N = 1 + N, !1 < (f = 1))] >>= 0), 0 < t; --t) {
            return;
        }
    }
    switch (+(f && (f[(N = 1 + N, this < -1 <= -5 <= 0)] |= 0)) % -26) {
      case --v + typeof bar_2:
        for (var i = 5; "function" == typeof c && 0 <= --s && c(22, !0) && 0 < i; --i) {}
        break;

      default:
        var e = v = r;
        for (var n in e) {
            N = 1 + N, r = e[n], N = 1 + N, c && (c[(N = 1 + N, !1 === (c && (c[(N = 1 + N, 
            f && (f[--v + r] = 0))] += !1)) ^ 1)] += 0), f && (f.null += !1);
        }

      case r++ + [ v = r, r++ + [], r++ + (c += (N = 1 + N, (c && (c.b *= !0)) << 1)) ]:
        return r++ + function() {};

      case --v + (N = 1 + (N = 1 + (N = 1 + (N = 1 + N))), +void ((!0 | (f && (f[(N = 1 + N, 
        NaN ^ (c && (c[(N = 1 + N, 0)] = !1)))] = 22 << 22))) >= (1 ^ (N += 1, !1)) ? N = 1 + N : (N = 1 + N, 
        N += 1))):
        switch (--v + void 0) {
          case v *= r:
            N = 1 + N, f <<= !0;
            break;

          case r++ + --v:
            break;

          case void 0:
            N = 1 + N;
            break;

          case void 0:
            N = 1 + N, c && (c[(N = 1 + N, 39)] = 0), N = 1 + N;
        }
    }
}()), f = function(a, o) {
    for (var r = 5; --v + v && 0 < r; --r) {}
    N += 1;
}(0, (N += 1, "function" == typeof (f >>>= !1) && 0 <= --s && f(void 0, "b"))), 
console.log(null, 101, v, N, 1 / 0, NaN, void 0);
original result:
�[1mnull�[22m �[33m101�[39m �[33mNaN�[39m �[33m44�[39m �[33mInfinity�[39m �[33mNaN�[39m �[90mundefined�[39m

uglified result:
�[1mnull�[22m �[33m101�[39m �[33mNaN�[39m �[33m37�[39m �[33mInfinity�[39m �[33mNaN�[39m �[90mundefined�[39m

minify(options):
{
  "compress": {
    "passes": 1000000,
    "unsafe": true
  },
  "toplevel": true
}
@alexlamsl alexlamsl added the bug label Apr 23, 2019
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Apr 23, 2019
@alexlamsl
fix corner case in reduce_vars
e26291a 
fixes mishoo#3377
@alexlamsl alexlamsl mentioned this issue Apr 23, 2019
Merged
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Apr 23, 2019
@alexlamsl
fix corner case in reduce_vars
a8ecf3d 
fixes mishoo#3377
alexlamsl added a commit that referenced this issue Apr 24, 2019
@alexlamsl
fix corner case in reduce_vars (#3378)
dafed54 
fixes #3377
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix corner case in reduce_vars alexlamsl/UglifyJS
1 participant
@alexlamsl