ufuzz failure #3515

Closed
alexlamsl opened this issue Oct 22, 2019 · 0 comments · Fixed by #3517
@alexlamsl

// original code
// (beautified)
// Globals shared with f0. `_calls_` is decremented by the `--_calls_ >= 0` guards that precede
// the conditional calls, `c` is incremented inside most sub-expressions, and a, b and c are
// among the values printed by the final console.log.
var _calls_ = 10, a = 100, b = 10, c = 0;

/**
 * Fuzzer-generated test body (original, un-minified side of the report).
 *
 * The expressions are not hand-written logic; they mix operators, coercions and
 * control flow. The global `c` is incremented inside most sub-expressions, so its
 * final value depends on which sub-expressions were evaluated and how many times.
 * That is the value that differs between the two reported results.
 *
 * @param {*} Infinity_2 - first argument; the call at the bottom of the listing passes "undefined".
 * @param {*} b_2 - second argument (-4 in that call); also redeclared with `var b_2` inside the body.
 * @param {*} b_2_1 - third argument (22 in that call).
 * @returns {*} whatever the first executed `return` yields; note the unconditional
 *     `return` in the `finally` block of the outer try statement.
 */
function f0(Infinity_2, b_2, b_2_1) {
    L13933: {
        switch ((c = c + 1) + (((this || Infinity) && "a" >= true) | 0 / Infinity == "number" > 25)) {
          case --b + 23..toString():
            // `var NaN` here, and `var Infinity` / `var a` further down, are function-scope
            // declarations: inside f0 those names refer to locals, not to the globals.
            var NaN;
            switch (--b + (0 === 1 ? a : b)) {
              default:
              case (c = c + 1) + ("function" / 4 === ("c" == null) & (-0 === NaN | -5 !== -1)) ? (c = c + 1) + (b = a) : a++ + {
                    0: b++,
                    b: (c = c + 1) + a++
                }:
                break;

              case --b + (1 === 1 ? a : b):
                {
                    var expr5 = {
                        var: (c = 1 + c, ("c" / 25 == (24..toString() === "a")) << ("function" << 24..toString() < -5 * "undefined")),
                        "\t": (c = 1 + c, (22 == NaN ^ 2 % 23..toString()) << (b_2 += 23..toString() << undefined <= 25 >> undefined)),
                        1.5: (c = 1 + c, ("c" & /[a2][^e]+$/) + null * 25 ^ ("bar" < "function") * (([ , 0 ].length === 2) - -5)),
                        Infinity: (c = 1 + c, +((23..toString() < ([ , 0 ].length === 2)) * (/[a2][^e]+$/ | undefined)))
                    }[(c = c + 1) + (b += a)];
                    L13934: for (var key5 in expr5) {
                        return a++ + ((c = 1 + c, (Infinity && "b") & [] - -3 ^ ([] >= undefined) << (b_2 && (b_2[(c = 1 + c, 
                        "number" >>> "" < 0 * 5 !== ("a" << /[a2][^e]+$/) * (4 != 25))] = "number" | 25))) || 6).toString()[(c = 1 + c, 
                        ("number" | -3) ^ {} == -1, ("c" && -1) / ("c" >> "b"))];
                    }
                }
                (c = c + 1) + /[abc4]/.test((~b || b || 5).toString());
                break;

              case b_2_1 && b_2_1[typeof f2 == "function" && --_calls_ >= 0 && f2()]:
                break;
            }
            break;

          case typeof undefined_1 == "number":
            c = c + 1;
            try {
                {
                    return 1 === 1 ? a : b;
                }
            } finally {
                {
                    var expr11 = ++a;
                    for (var key11 in expr11) {
                        c = 1 + c;
                        var a_1 = expr11[key11];
                        "object";
                    }
                }
                {
                    var Infinity = function f1() {
                        c = 1 + c, (null == this && 5 >= 3) % ((-1 && -4) ^ (c = c + 1, [ , 0 ].length === 2));
                        c = 1 + c, (0 <= true && (-5, 4)) < 2 % false % (23..toString() * "a");
                    }(2, (c = 1 + c, (-2 <= -2 ^ 25 - true) / (a_1 = "object" !== -3, a_1 && (a_1[(c = 1 + c, 
                    ("bar" < /[a2][^e]+$/ ^ "bar" !== 25) * ((-3, false) > ("b" > "foo")))] = "bar" - 4))), 24..toString());
                }
            }
            break;

          case -3:
            break;

          default:
        }
        try {
            var a = typeof new function foo_2() {
                this.var ^= (!-4 * (0 <= -3) % ("number" & Infinity & (c = c + 1, 4)), (38..toString() < "number" <= ([ , 0 ].length === 2 ^ [ , 0 ].length === 2)) >>> ((c = c + 1, 
                null) !== (4 === 22)));
                // The computed key below invokes the anonymous closure exactly once per
                // construction of foo_2; the closure increments `c` in its switch header and cases.
                this[a++ + !function() {
                    {
                    }
                    switch (c = 1 + c, c_2 && (c_2.c = (c = c + 1, -3) & ([] | Infinity)) || (false, 
                    "") !== false / "bar") {
                      case c = 1 + c, NaN - 3 | (b_2_1 && (b_2_1.c = 22 !== 0)) && (-1 & 25) == null / 22:
                        ;
                        break;

                      default:
                        ;

                      case c = 1 + c, {} << {} >= (25 >= "") != (false && "bar") < (true <= 0):
                        ;
                        break;

                      case c = 1 + c, (this < 24..toString()) - (true + undefined) !== ((foo_2 && (foo_2[(c = 1 + c, 
                        -5 % "c" * (null >> undefined) !== (b_2 &= 1 & "foo" || "c" << -5))] = -2 / "undefined")) | (c = c + 1, 
                        {})):
                        ;
                        break;
                    }
                }()] = (+(/[a2][^e]+$/ && /[a2][^e]+$/) == -3 % 24..toString() >= ("foo" ^ NaN)) << 24..toString() % 0 % (true | "a") * (null << ([ , 0 ].length === 2) < 25 << NaN);
                {
                    // expr20 is the literal `true`, which has no enumerable keys,
                    // so the loop body below is never entered.
                    var expr20 = true;
                    for (var key20 in expr20) {
                        c = c + 1;
                    }
                }
                var bar = (c_2 && (c_2.foo = (null == "a") % delete 5)) - ([ , 0 ][1] != -5 !== (NaN || 23..toString())), b_2_1 = a++ + ++b;
                {
                    var brake23 = 5;
                    L13935: while (--b + b++ && --brake23 > 0) {
                        var brake24 = 5;
                        while ((c = 1 + c, (a_1 && (a_1.a ^= 25 !== this)) / (3 - 5) >= (Infinity + 1 <= ([] ^ "undefined"))) && --brake24 > 0) {
                            c = 1 + c, c_2 && (c_2.in ^= ("object" + 1 <= (22 === ([ , 0 ].length === 2)), (-5 && {}) ^ (null ^ "b")));
                        }
                    }
                }
                c = c + 1;
            }(), c_2 = void (c = c + 1, (25 && 5) >= 3 << 4);
        } catch (c_2_1) {
            c = c + 1;
            if (++a) {
                try {
                    {}
                } catch (b_2) {
                    {
                        var b_1 = function f2(Infinity_2) {
                        }((c = 1 + c, ("function" | NaN) >> (2 >>> 4) >= (25 ^ "function" && (true || "number"))));
                    }
                    {
                        var brake32 = 5;
                        while ([ , (c = 1 + c, delete ([ , 0 ].length === 2) ^ 4 != 22 || (b_1 && (b_1.null += ("b", 
                        4))) != (25 & "b")), (c = 1 + c, ("bar" || "function") << "" - [ , 0 ][1] || (2 ^ false) >> undefined / 25), (c = 1 + c, 
                        c_2 = -1 >> "" != [ , 0 ][1] >> undefined === (-2 + 5 == [ , 0 ][1] * undefined)), (c = 1 + c, 
                        (3, /[a2][^e]+$/) < ("number" && -0) || 2 / 23..toString() | 22 & -1) ].a && --brake32 > 0) {
                            switch (c = 1 + c, ("function" << 4, 38..toString() == 22) % (Infinity_2 && (Infinity_2.in += 1 < 24..toString() < (22 == this)))) {
                              case c = 1 + c, (b_2 && (b_2[--b + b++] &= NaN / 4 << ("function" >= true))) | !"c" !== (c = c + 1, 
                                "b"):
                                ;
                                break;

                              case c = 1 + c, ((b_2_1 /= Infinity % undefined) || /[a2][^e]+$/ ^ -5) ^ ("c" | true) & (a_1 && (a_1.Infinity = "function" >> false)):
                                ;
                                break;

                              case c = 1 + c, (-4 ^ /[a2][^e]+$/) << (false >>> 0) ^ (1 - ([ , 0 ].length === 2) ^ ([ , 0 ].length === 2 ^ 3)):
                                ;
                                break;

                              case c = 1 + c, (3 >> "undefined" >> (-4 ^ "foo")) / (b_1 = -3 > ([ , 0 ].length === 2) || b_1 && (b_1[(c = 1 + c, 
                                ((/[a2][^e]+$/ && "b") === 24..toString() - {}) < ("" ^ -1 ^ (24..toString(), 0)))] += "number" < -0)):
                                ;
                                break;
                            }
                        }
                    }
                } finally {
                    --b;
                    {
                        var brake35 = 5;
                        while (a++ + a-- && --brake35 > 0) {
                            switch (c = 1 + c, b_2_1 && (b_2_1[22] = (0 && "object", c = c + 1, "a") ^ ("function" * Infinity ^ 24..toString() * -1))) {
                              case c = 1 + c, 22 > true >= (4 & -5) & ([ , 0 ].length === 2) / -3 - ("" == "object"):
                                ;
                                break;

                              case c = 1 + c, (true * true != -1 >> "b") < (c_2 && (c_2.null = {} << ([ , 0 ].length === 2) < [] % "c")):
                                ;
                                break;

                              case c = 1 + c, (1 != 38..toString()) >> (-4 ^ "foo") >= ((0 | /[a2][^e]+$/) ^ (false || 25)):
                                ;
                                break;

                              case c = 1 + c, ((23..toString() || "foo") >>> ("" ^ 4)) - ~delete "undefined":
                                ;
                                break;
                            }
                        }
                    }
                }
            } else {
                var c_1 = function f3() {
                    function f4(b_1, bar, a) {
                    }
                    var undefined_1 = f4((c = 1 + c, undefined % null === (this && 25) & (this || /[a2][^e]+$/, 
                    undefined < 5)), (c = 1 + c, (b_2 && (b_2.a += (c = c + 1, "bar") || -1 % NaN)) + ("b" * /[a2][^e]+$/ <= (3 || 3))), -4);
                }();
            }
        } finally {
            // This `return` is the first statement of the finally block and is unconditional,
            // so the rest of this block and every statement after the try statement are dead code.
            return --b + !function c_1_2() {}();
            if (delete b) {
                try {
                } catch (Infinity_2_1) {
                    c = 1 + c, (a_1 && (a_1[(c = c + 1) + "number"] += ("bar" || -2) / ("c" % [ , 0 ][1]))) < (c = c + 1, 
                    38..toString() ^ 25);
                    c = 1 + c, ("b" <= [ , 0 ][1]) % (22 % -2) ^ -2 * "object" == (c = c + 1, "a");
                } finally {
                    c = 1 + c, (Infinity_2 >>= -4 & 0) !== (c = c + 1, 0) ^ (38..toString() * 3 | -5 ^ "foo");
                    c = 1 + c, (NaN * "a" && 24..toString() <= "bar") !== ("number" || true) * (c = c + 1, 
                    24..toString());
                }
                {
                    var brake47 = 5;
                    L13936: do {
                        return c = 1 + c, (-0 ^ 1) === ([] == false) & "undefined" << "number" < (-4 && 3);
                    } while (a++ + b_2_1 && --brake47 > 0);
                }
                return;
            } else {
                c = c + 1;
            }
        }
        {
            var brake51 = 5;
            do {
                L13937: for (var brake52 = 5; void function arguments_1() {
                    switch (a++ + Infinity_2) {
                      case [ (c = 1 + c, (Infinity_2 && (Infinity_2[{
                            NaN: (c = 1 + c, ("a" + undefined >> (true >> "object")) % ("number" + Infinity ^ (-0, 
                            "object")))
                        }[(c = 1 + c, delete (2 / 1 - (38..toString() >= -0)))]] += (4 >= "number") / ("foo" == -3))) + (a_1 && (a_1[a++ + (b_1 += (c_2 && (c_2[--b + -a] = 3 >>> 2 === -4 < 22)) ^ NaN < 23..toString() > ("foo" != 38..toString()))] &= ("function" | "bar") !== -2 >= 24..toString()))), (c = 1 + c, 
                        delete "undefined" / ("" % "undefined") >>> (c = c + 1, true >>> -0)), (c = 1 + c, 
                        (this != "foo" ^ NaN - "foo") >>> ((b_2 += this > -5) << (24..toString() == 25))), (c = 1 + c, 
                        (-2 + "undefined" === -3 << true) <= -(c = c + 1, NaN)) ][b_2 && b_2.var]:
                        var b_2;
                        {
                        }
                        break;

                      case typeof f3 == "function" && --_calls_ >= 0 && f3():
                        return c = 1 + c, ({} && "foo") - (arguments_1 = false >> "number") >>> (~"undefined" === 5 - Infinity);
                        c = c + 1;
                        break;

                      default:
                        switch (c = 1 + c, null * 25 >= (24..toString() == true) != -3 <= 38..toString() < (38..toString() || false)) {
                          default:
                            ;

                          case c = 1 + c, -(("undefined" - this) / ([ , 0 ][1] ^ -5)):
                            ;
                            break;

                          case c = 1 + c, "c" << "bar" >>> ("" >= -3) && (b_2_1 && (b_2_1[(c = 1 + c, (25 & "a", 
                            0 >>> -2) && /[a2][^e]+$/ >= -4 != (23..toString() !== -0))] = 3 >>> ([ , 0 ].length === 2))) === (b_1 && (b_1.undefined = 23..toString() << -1)):
                            ;
                            break;

                          case c = 1 + c, (Infinity ^ [ , 0 ].length === 2) - ("b" - 2) << (b_2_1 && (b_2_1.null += (-3 && 2) | 0 & "foo")):
                            ;
                            break;
                        }
                        {
                        }

                      case "number":
                        break;
                    }
                    {
                        var a_1 = function f5(b_2, c_1_2, foo_2) {
                            c = 1 + c, ((Infinity_2 && (Infinity_2.a = -5 != 5)) >= (NaN == ([ , 0 ].length === 2))) % (foo_2 && (foo_2.null ^= (c_1_2 += "bar" > [ , 0 ][1]) * (-3 < "object")));
                            c = 1 + c, 22 + "b" + (Infinity_2 && (Infinity_2[(c = 1 + c, -0 >> [ , 0 ][1] >= (23..toString() == -3) >= (c_2 && (c_2.in = "object" / 1 > (1 === [ , 0 ][1]))))] = "c" >> true)) ^ (false - -4 ^ -1 & undefined);
                        }(4);
                    }
                    b_2_1 && b_2_1[c_1 += (c = 1 + c, -0 >= -4 & (-2 || false) || ("c" <= -0) / (c = c + 1, 
                    "foo"))];
                }() && brake52 > 0; --brake52) {
                    return;
                    (c = c + 1) + (b + 1 - .1 - .1 - .1);
                }
            } while ((c = c + 1) + (typeof b_2 == "function" && --_calls_ >= 0 && b_2(4, -4, (c = c + 1) + (typeof foo_1 !== "number"))) && --brake51 > 0);
        }
        var b_2 = {
            undefined: typeof f2 == "function" && --_calls_ >= 0 && f2(a++ + c_1),
            length: --b + (Infinity_2 && Infinity_2[[ 0 === 1 ? a : b, (c = c + 1) + (typeof f1 == "function" && --_calls_ >= 0 && f1()), (c = c + 1) + {
                undefined: (c = 1 + c, (-0 != -2, b_2 && (b_2.c = true >= "b")) ^ (b_1 && (b_1.NaN = -3 || "undefined")) - ({} + "number")),
                "-2": (c = 1 + c, ("a" >>> "function" >>> ([] && NaN)) % (("undefined" | "") >> "" + 5)),
                0: (c = 1 + c, ([ , 0 ].length === 2 ^ [ , 0 ].length === 2) >= (this <= 25) <= 24..toString() << [] >>> ("" | [ , 0 ][1]))
            }, a++ + ((c_1 && (c_1.c >>>= "a" / 38..toString() & (b_2 >>>= "foo" % undefined))) == (b_2 && (b_2[(c = 1 + c, 
            ((c_2 && (c_2[(c = 1 + c, -0 >> null ^ /[a2][^e]+$/ === 5 || (/[a2][^e]+$/ > this) + (/[a2][^e]+$/ >> null))] >>>= 0 ^ "c")) == (true == 4)) / ((-4 <= "object") + "" * "bar"))] -= 0 % -2) || 24..toString() >>> "undefined")), (c = c + 1) + this ]])
        }.undefined;
    }
    c = c + 1;
}

// Single invocation of the generated function; its return value is stored but not printed.
var undefined_1 = f0("undefined", -4, 22);

// Observable output of the test case: this line is what the report compares between
// the original run and the minified run.
console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
// Same global declarations as in the original listing; the minifier left this statement unchanged.
var _calls_ = 10, a = 100, b = 10, c = 0;

/**
 * Minifier output for the fuzzer-generated f0 (compressed, then beautified for the report).
 *
 * It is expected to print the same values as the original; the report shows it does not
 * (`c` ends at 21 instead of 15).
 *
 * @param {*} n - first argument ("undefined" in the call below); positionally the original's Infinity_2.
 * @param {*} i - second argument (-4); positionally the original's b_2.
 * @param {*} t - third argument (22); positionally the original's b_2_1.
 * @returns {*} whatever the first executed `return` yields; the `finally` block of the
 *     outer try statement returns unconditionally.
 */
function f0(n, i, t) {
    switch ((c += 1) + (((this || o) && !1) | 0 / o == 0)) {
      case --b + "23":
        switch (--b + b) {
          default:
          case (c += 1) + 0 ? (c += 1) + (b = N) : N++ + {
                0: b++,
                b: (c += 1) + N++
            }:
            break;

          case --b + N:
            var a = {
                var: (c = 1 + c, 0),
                "\t": (c = 1 + c, 2 << (i += !0)),
                1.5: (c = 1 + c, 6),
                Infinity: (c = 1 + c, 0)
            }[(c += 1) + (b += N)];
            for (var e in a) {
                return N++ + ("" + (c = 1 + c, 3 & (o && "b") ^ !1 << (i && (i[(c = 1 + c, !0)] = 25)) || 6))[(c = 1 + c, 
                -1 / 0)];
            }
            c += 1;
            break;

          case t && t["function" == typeof f2 && 0 <= --_calls_ && f2()]:
        }
        break;

      case "number" == typeof undefined_1:
        c += 1;
        try {
            return N;
        } finally {
            var f = ++N;
            for (var r in f) {
                c = 1 + c;
                var s = f[r];
            }
            var o = (c = 1 + c, (s = !0) && (s[(c = 1 + c, 0)] = NaN), c = 1 + c, void (c = 1 + (c += 1)));
        }
    }
    try {
        var N = typeof new function a() {
            // NOTE(review): the assignment `this[N++ + !function() {…}()] = 0` appears twice in
            // this for-in header, once as a sequence element and once inside `!( … )`, whereas
            // the original listing performs that assignment once and then iterates over the
            // literal `true`. Each copy invokes the closure, and the closure increments `c`, so
            // the duplication is presumably the source of the reported mismatch in `c`
            // (21 vs 15); confirm against the fix referenced as #3517.
            for (var e in this.var ^= (c += 1, !1 >>> (!1 !== (c += 1, null))), this[N++ + !function() {
                switch (c = 1 + c, u && (u.c = (c += 1, -3 & ([] | o))) || !0) {
                  case c = 1 + c, NaN | (n && (n.c = !0)) && !1:
                    break;

                  default:
                  case c = 1 + c, !1:
                  case (this < "24") - NaN != ((a[(c = 1 + (c = 1 + c), NaN !== (i &= 0))] = NaN) | (c += 1, 
                    {})):
                }
            }()] = 0, !(this[N++ + !function() {
                switch (c = 1 + c, u && (u.c = (c += 1, -3 & ([] | o))) || !0) {
                  case c = 1 + c, NaN | (n && (n.c = !0)) && !1:
                    break;

                  default:
                  case c = 1 + c, !1:
                  case (this < "24") - NaN != ((a[(c = 1 + (c = 1 + c), NaN !== (i &= 0))] = NaN) | (c += 1, 
                    {})):
                }
            }()] = 0)) {
                c += 1;
            }
            u && (u.foo = 0);
            for (var n = N++ + ++b, t = 5; --b + b++ && 0 < --t; ) {
                for (var f = 5; c = 1 + c, (s && (s.a ^= 25 !== this)) / -2 >= (o + 1 <= 0) && 0 < --f; ) {
                    c = 1 + c, u && (u.in ^= 0);
                }
            }
            c += 1;
        }(), u = void (c += 1);
    } catch (a) {
        if (c += 1, ++N) {
            var l;
            --b;
            for (var v = 5; N++ + N-- && 0 < --v; ) {
                switch (c = 1 + c, t && (t[22] = (c += 1, "a" ^ "function" * o ^ -24))) {
                  case c = 1 + c, 0:
                  case c = 1 + c, !0 < (u && (u.null = !1)):
                  case c = 1 + c, !1:
                  case c = 1 + c, 3:
                }
            }
        } else {
            var d = (c = 1 + (c = 1 + c), void (i && (i.a += (c += 1, "bar"))));
        }
    } finally {
        // Unconditional return from `finally`: the statements after this try statement
        // are never reached, although the minifier kept them in the output.
        return --b + !0;
    }
    var h = 5;
    do {
        for (var _ = 5; void function() {
            switch (N++ + n) {
              case [ (c = 1 + c, (n && (n[{
                    NaN: (c = 1 + c, 0 % ("number" + o ^ "object"))
                }[(c = 1 + c, !0)]] += NaN)) + (e && (e[N++ + (l += !1 ^ (u && (u[--b - N] = !1)))] &= !0))), (c = 1 + c, 
                NaN >>> (c += 1, 1)), (c = 1 + c, ("foo" != this ^ NaN) >>> ((a += -5 < this) << !1)), (c = 1 + c, 
                !1 <= (c += 1, NaN)) ][a && a.var]:
                var a;
                break;

              case "function" == typeof f3 && 0 <= --_calls_ && f3():
                return c = 1 + c;

              default:
                switch (c = 1 + c, !1) {
                  default:
                  case c = 1 + c, -("undefined" - this) / -5:
                  case c = 1 + c, 0:
                  case c = 1 + c, (!0 ^ o) - NaN << (t && (t.null += 2)):
                }

              case "number":
            }
            var e = (c = 1 + c, n && (n.a = !0), c = 1 + c, void (n && (n[(c = 1 + c, (u && (u.in = !1)) <= !0)] = 0)));
            t && t[d += (c = 1 + c, !1 / (c += 1, "foo"))];
        }() && 0 < _; --_) {
            return;
        }
    } while ((c += 1) + ("function" == typeof i && 0 <= --_calls_ && i(4, -4, (c += 1) + ("number" != typeof foo_1))) && 0 < --h);
    i = [ "function" == typeof f2 && 0 <= --_calls_ && f2(N++ + d), (--b, n && n[[ b, (c += 1) + ("function" == typeof f1 && 0 <= --_calls_ && f1()), (c += 1) + {
        undefined: (c = 1 + c, (i && (i.c = !1)) ^ (l && (l.NaN = -3)) - ({} + "number")),
        "-2": (c = 1 + c, NaN),
        0: (c = 1 + c, this <= 25 <= 0 <= 24)
    }, N++ + ((d && (d.c >>>= NaN & (i >>>= NaN))) == (i && (i[(c = 1 + c, (0 == (u && (u[(c = 1 + c, 
    (this < /[a2][^e]+$/) + 0)] >>>= 0))) / NaN)] -= 0) || 24)), (c += 1) + this ]]) ][0], 
    c += 1;
}

// Same invocation as in the original listing.
var undefined_1 = f0("undefined", -4, 22);

// Same output statement as the original, with `Infinity` written as `1 / 0` and `undefined`
// as `void 0`. The fourth printed value, `c`, is the one that differs in the reported results.
console.log(null, a, b, c, 1 / 0, NaN, void 0);
original result:
null 100 9 15 Infinity NaN undefined

uglified result:
null 100 9 21 Infinity NaN undefined

minify(options):
{
  "compress": {
    "keep_fargs": false,
    "passes": 1000000,
    "sequences": 1000000,
    "unsafe": true,
    "unsafe_Function": true,
    "unsafe_math": true,
    "unsafe_proto": true,
    "unsafe_regexp": true
  }
}
@alexlamsl alexlamsl added the bug label Oct 22, 2019
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Oct 22, 2019
alexlamsl added a commit that referenced this issue Oct 22, 2019