
ufuzz failure #3536

Closed
alexlamsl opened this issue Oct 27, 2019 · 0 comments · Fixed by #3537
@alexlamsl
Collaborator

// original code
// (beautified)
// Fuzzer-generated input program: the reference side of a differential test
// (its output is compared with the output of the minified program).
// `_calls_` is a call budget: every guarded call below is written as
// `typeof f == "function" && --_calls_ >= 0 && f(...)`.
// `a`, `b` and `c` are the state that the final console.log prints.
var _calls_ = 10, a = 100, b = 10, c = 0;

// Outer loop. `0 === 1 ? a : b` always selects `b`, so the loop runs while `b`
// is truthy, and at most 5 times because of the `brake1` counter.
for (var brake1 = 5; (0 === 1 ? a : b) && brake1 > 0; --brake1) {
    {
        var brake3 = 5;
        do {
            if (--b + (b + 1 - .1 - .1 - .1)) {
                // The right-hand operand of `+` is parenthesized: the comma expression
                // yields "23", the second operand yields 1 (`true >>> "c"`), and
                // "23" - 1 is the number 22. The condition is therefore `--b + 22`,
                // a numeric addition that becomes 0 (falsy) when `b` reaches -22.
                for (var brake5 = 5; --b + ((24..toString() | "", "bar", 23..toString()) - (c = c + 1,
                true >>> "c")) && brake5 > 0; --brake5) {
                    typeof [ (c = c + 1) + ~a ].length;
                }
            }
        } while (a++ + void function b() {
            // Named function expression called immediately. No `var b` or parameter
            // `b` is declared directly in this body, so `b` here resolves to the
            // function's own name rather than the outer variable `b`.
            {
                var Math = function f0(foo_1, a_2) {
                    function f1(b_2, foo_2) {
                    }
                    var bar = f1();
                    function f2(a_1) {
                    }
                    var Math = f2((c = 1 + c, (+{} ^ 1 > {}) !== (a_2 %= (24..toString() ^ null) >= (-5 ^ -0))), (c = 1 + c,
                    ("c" >>> 22, -5 || 24..toString()) << (25 != 38..toString() & {} != -5)));
                    function f3(Infinity_1, foo_1_2, bar_2) {
                        c = 1 + c, (3 !== {} != (foo_1_2 && (foo_1_2[(c = 1 + c, (2 == {} !== -4 * false) >> ((-4 > Infinity) << 2 * 22))] = -2 >> 1))) < (true > "a") % (Infinity && [ , 0 ].length === 2);
                        c = 1 + c, (foo_1 && (foo_1[/[abc4]/.test(((c = 1 + c, ("undefined" != -3 ^ 25 !== 5) / ((0 == "c") < (38..toString() ^ [ , 0 ].length === 2))) || b || 5).toString())] += ("c" !== NaN) >> (this || "undefined"))) != (4 < this ^ 2 >>> "function");
                    }
                    var b_2 = f3((c = 1 + c, (-5 !== ([ , 0 ].length === 2)) + ({} !== "number") == ("function" != "c",
                    1 << 23..toString())), (c = 1 + c, (c = c + 1, foo_1 && (foo_1.foo = 22 >> 24..toString())) >>> ((Infinity == 1) > (1 > false))));
                    function f4() {
                        c = 1 + c, (false % 22 === (b_2 &= "a" | "b")) - (false < "bar" || (c = c + 1, -0));
                        c = 1 + c, (+NaN < ([ , 0 ][1] <= false)) >>> +("bar" <= "c");
                    }
                    var a_1 = f4();
                }(--b + +(!(true != 23..toString()) - (a && (a[0 === 1 ? a : b] += (1 <= /[a2][^e]+$/) << (a && (a.undefined *= /[a2][^e]+$/ >= /[a2][^e]+$/))))));
            }
            // The condition is an object literal, which is always truthy, so the first
            // branch is the one taken. Its `try` returns, and the `finally` below still
            // runs before the function exits.
            if ({
                undefined: a++ + typeof (--b + ((c = 1 + c, ("function" >> 1, 5 || undefined) != null << 5 > ([ , 0 ][1] === "")) || a || 3).toString()),
                Infinity: /[abc4]/.test((!function undefined_1() {
                }() || b || 5).toString())
            }) {
                try {
                    {
                        return c = 1 + c, void (/[a2][^e]+$/ * -5 * (-1 > "bar"));
                    }
                } finally {
                    {
                        var expr17 = a++ + {
                            undefined: (c = 1 + c, -3 >> -4 > (false ^ 38..toString()) > (-1 != -4 | (a && (a.foo = [] >>> 24..toString())))),
                            "-2": (c = 1 + c, (c = c + 1, -5 ^ -4) <= 4 / 38..toString() * (NaN + "bar")),
                            b: (c = 1 + c, (a && (a.var = "undefined" - 23..toString())) / (null & undefined) !== (undefined | [ , 0 ][1]) >>> (a && (a.b = 1 & undefined)))
                        };
                        L25912: for (var key17 in expr17) {
                            {
                            }
                        }
                    }
                }
            } else {
                var b_2;
            }
            // NOTE(review): because the branch above returns, the rest of this function
            // body looks unreachable at run time - confirm before relying on it.
            try {
                c = c + 1;
            } catch (bar_1) {
                switch (a++ + /[abc4]/.test((+((([] | -5) !== (25 != true)) << ((b_2 && (b_2[(c = 1 + c,
                (3 >= 0) >>> ("foo" <= {}) < (4 & "function") + (0 & [ , 0 ].length === 2))] += false >>> "bar")) | [] & 5)) || b || 5).toString())) {
                  case --b + [ , (c = 1 + c, +((3 ^ -0) === (bar_1 && (bar_1[(c = 1 + c, void (-4 == -5) <= ({} == "c") << (b_2 && (b_2.null = "function" >> 22)))] = "undefined" <= "foo")))), (c = 1 + c,
                    (true > this !== (bar_1 && (bar_1[(c = 1 + c, (4 && false) % (24..toString() >> [ , 0 ][1]) < ("undefined" + null,
                    null > 22))] += 22 && 22))) * ~(this >= ([ , 0 ].length === 2))) ]:
                    break;

                  case (c = c + 1) + (typeof f2 == "function" && --_calls_ >= 0 && f2()):
                    {
                        var brake23 = 5;
                        while ((c = 1 + c, b_2 && (b_2[(c = c + 1) + b_2] += (c = c + 1, [] ^ -3) ^ (b_2 = ({} < this) >> (-3 > "")))) && --brake23 > 0) {
                            c = 1 + c, "a" & -2 && "" <= 3 && (25 <= "") % (null && null);
                        }
                    }
                    try {
                        c = 1 + c, ("c", "c") * (-0 & null) << ((this >= -2) >>> 25 / ([ , 0 ].length === 2));
                    } catch (Infinity_2) {
                    } finally {
                    }
                    break;

                  case a++ + b_2:
                    {
                        var expr27 = (c = 1 + c, ("object" != 4) - (NaN + -2) <= ((-3, [ , 0 ].length === 2) <= (5 != -0)));
                        for (var key27 in expr27) {
                            c = 1 + c, (bar_1 && (bar_1.undefined = 4 === "a" == (c = c + 1, -2))) >> (-5 > ([ , 0 ].length === 2)) / ("bar" && "");
                        }
                    }
                    c = 1 + c, ([ , 0 ][1] != "undefined") >= ([ , 0 ].length === 2) - 24..toString() < ((this && -1) | false == "");
                    break;

                  case a++:
                    {
                    }
                    break;
                }
                var bar = --b + (b += a);
            } finally {
                switch (a++ + (b = a)) {
                  case delete ((c = c + 1, "foo" << 2) || Infinity & 0 & "c" != 38..toString()):
                    c = 1 + c, (([ , 0 ].length === 2, 4) | "object" !== undefined) >> (("undefined" || true) << (b_2 && (b_2.null = [ , 0 ].length === 2 === "undefined")));
                    try {
                        c = 1 + c, {} + 23..toString() < 4 << /[a2][^e]+$/ < (/[a2][^e]+$/ ^ [ , 0 ][1] ^ -3 - 0);
                    } catch (Math_2) {
                    }
                    break;

                  case a++ + --b:
                    {
                        var brake36 = 5;
                        do {
                            c = 1 + c, void (-3 * 0, [ , 0 ].length === 2 && -1);
                        } while ((c = 1 + c, undefined / ([ , 0 ].length === 2) * (-4 <= -5) ^ (NaN <= "object") >> 23..toString() * 25) && --brake36 > 0);
                    }
                    {
                        var expr38 = (c = 1 + c, ~("function" ^ null | (b_2 && (b_2.null = undefined != -3))));
                        for (var key38 in expr38) {
                            c = 1 + c;
                            var arguments = expr38[key38];
                            c = 1 + c, (0 & "function" && 4 >> "number") & "a" * -2 >> (-3 || 5);
                        }
                    }
                    break;

                  case delete void (-0 < ([ , 0 ].length === 2) > (25 !== "object")):
                    break;

                  case a++ + (b = a):
                    break;
                }
                try {
                    --b + [ , 0 ][1];
                } finally {
                    return c = 1 + c, (c = c + 1, 5) > [ , 0 ][1] - "c" & ("a" * -3 && (b_2 = "c" && 1));
                    {
                        var brake43 = 5;
                        L25913: do {
                            c = 1 + c, -5 <= Infinity >= 22 % 22 == ("c" << "number", void 0);
                        } while ((c = 1 + c, !(null << -5) < (b_2 = "bar" > "bar" == "b" >= "c")) && --brake43 > 0);
                    }
                }
            }
            switch ((c = c + 1) + (1 + -3 != 4 > 2 != (b_2 && (b_2[(c = 1 + c, "c" >= "a" <= (-0 ^ "function") == +(false,
            -2))] += null < 38..toString()) && NaN !== 0))) {
              case (c = c + 1) + []:
                try {
                    switch (a++ + a--) {
                      default:
                      case ((c = c + 1, NaN) >>> ([ , 0 ].length === 2 != 23..toString())) * (2 <= 1 >= (5 || -2)):
                        c = 1 + c, [ , 0 ][1] <= "number" > 38..toString() * -0 || (c = c + 1, "undefined") & undefined <= Infinity;
                        c = 1 + c, b_2 = (b_2 && (b_2.c += (c = c + 1, 4) - (NaN != "object"))) < ({} > {} !== ({} && Infinity));
                        break;

                      case a++ + (typeof b_2 == "function" && --_calls_ >= 0 && b_2((c = 1 + c, b_2 && (b_2[a++ + b--] = (b_2 && (b_2.Infinity += (24..toString() === ([ , 0 ].length === 2)) > ("a" !== "b"))) < (5 === "foo",
                        null != ([ , 0 ].length === 2)))), (c = 1 + c, c = c + 1, (25 && "foo") != (23..toString(),
                        -3)), -3)):
                        break;

                      case --b + a++:
                        c = 1 + c, (null || 25) == 3 >>> "object" != ("function" || 38..toString()) <= (b_2 && (b_2.in >>= "c" >>> -3));
                        c = 1 + c, (true ^ -0) + -4 * 23..toString() < ((3, "c") < (22 ^ "b"));
                        break;
                    }
                } catch (a) {
                    c = c + 1;
                }
                break;

              case a++ + (typeof f5 == "function" && --_calls_ >= 0 && f5()):
                switch ((c = c + 1) + +a) {
                  case 22:
                    {
                    }
                    c = c + 1;
                    break;

                  default:
                  case --b + ((b_2 = (b_2 && (b_2.in |= [] - -3)) <= [] - 23..toString()) && (b_2 = ([ , 0 ].length === 2) * /[a2][^e]+$/) >>> (23..toString() >>> "function")):
                    break;

                  case (c = c + 1) + {
                        b: (c = 1 + c, (b_2 >>= -4 > -1 === (b_2 && (b_2[(c = 1 + c, [ , 0 ][1] / 38..toString() % ("c" % 24..toString()) === (c = c + 1,
                        ([ , 0 ].length === 2) >> "c"))] ^= undefined >>> -1))) || (4 ^ false) != "a" > 38..toString()),
                        null: (c = 1 + c, ("undefined" <= 25 || "b" * "undefined") << ("a" > undefined !== ("undefined" == 1)))
                    }:
                    if (c = 1 + c, (undefined != this || ([ , 0 ].length === 2, -5)) < ~([] + undefined)) {
                        c = 1 + c, ((c = c + 1, "object") && (b_2 && (b_2.b = [] >> "a"))) === (false > "object" ^ (Infinity | undefined));
                    } else {
                        c = 1 + c, ("undefined" || 38..toString()) * (-5 < NaN) ^ (b_2 && (b_2.Infinity = 24..toString() < 2 >= [] / 0));
                    }
                    {
                    }
                    break;
                }
                break;

              case a++ + [ --b + {
                    "\t": (c = 1 + c, ("c" + 1 | (c = c + 1, [ , 0 ].length === 2)) & (4 >>> 24..toString()) * (24..toString() << false)),
                    NaN: (c = 1 + c, (undefined && 4) % (5 | "object") == 5 >= 5 >= -0 >>> 1)
                }.null, typeof f1 == "function" && --_calls_ >= 0 && f1(25), --b + (typeof f6 == "function" && --_calls_ >= 0 && f6(-4)) ]:
                break;

              case --b + (typeof f3 == "function" && --_calls_ >= 0 && f3(Infinity, {}, null)):
                break;
                break;
            }
        }() && --brake3 > 0);
    }
    {
        // `a` is only called when `typeof a == "function"` and the `_calls_` budget
        // is not exhausted; otherwise `expr62` is the falsy result of the `&&` chain.
        var expr62 = typeof a == "function" && --_calls_ >= 0 && a(--b + ++a, (c = c + 1) + (a += (c = c + 1) + (((c = c + 1,
        1) | (a = {} * 1)) > (0 ^ 24..toString() || 3 ^ [ , 0 ].length === 2))), -2);
        L25914: for (var key62 in expr62) {
            for (var brake63 = 5; typeof f6 == "function" && --_calls_ >= 0 && f6(23..toString(), "a") && brake63 > 0; --brake63) {
                var expr64 = (c = c + 1) + (typeof f3 == "function" && --_calls_ >= 0 && f3());
                L25915: for (var key64 in expr64) {
                    c = 1 + c;
                    var a_2 = expr64[key64];
                    {
                        var brake65 = 5;
                        do {
                            for (var brake66 = 5; a++ + (typeof a_2 == "function" && --_calls_ >= 0 && a_2((c = c + 1) + ((-5 > ([ , 0 ].length === 2)) * ([ , 0 ][1] & 2) >> (null >= "function" || ~false)))) && brake66 > 0; --brake66) {
                                var brake67 = 5;
                                do {
                                    try {
                                    } finally {
                                        c = 1 + c, this << "foo" !== 5 / [ , 0 ][1] ^ ("foo" != "") << (-5 ^ [ , 0 ][1]);
                                        c = 1 + c, 24..toString() ^ "function", a_2 && (a_2[(c = 1 + c, ~(-5 >> {}) <= (a_2 && (a_2.b = 2 - [ , 0 ][1])) * ("" ^ -1))] = 4 << "bar"),
                                        -0 % ([ , 0 ].length === 2) || -5 ^ null;
                                    }
                                } while (--b + (b -= a) && --brake67 > 0);
                            }
                        } while (a++ + void (a_2 && (a_2.a = a_2 && (a_2[(c = 1 + c, ((a_2 && (a_2[(c = 1 + c,
                        (a_2 && (a_2[--b + [ (c = 1 + c, (38..toString() < "bar") - (c = c + 1, "undefined") >>> (("b" === 0) <= (-0 | []))), , (c = 1 + c,
                        ~delete this << (1 || "b") / (24..toString() === 1)), (c = 1 + c, void (5 ^ "a") == (-1 >> -3 !== (-3 ^ "function"))) ]] = NaN * 24..toString() || (3,
                        "number"))) + ((-0 == "") < ([ , 0 ][1] ^ -2)))] = [] && 25)) >> ([] <= 1)) * (+undefined !== -2))] *= (a_2 && (a_2.Infinity = {} % "function")) >>> !null) || (2 && undefined || "" + "number"))) && --brake65 > 0);
                    }
                }
            }
        }
    }
}

// Trailing statements: one more `--b + b--`, two budget-guarded calls (`f2`, `f4`)
// and a `c` increment, evaluated before the state is printed.
var Math_1 = [ --b + b--, typeof f2 == "function" && --_calls_ >= 0 && f2("undefined", 22) ].Infinity, NaN_2 = (typeof f4 == "function" && --_calls_ >= 0 && f4(null, (c = c + 1) + --b) || a || 3).toString();

// Prints the final state. This line is the "original result" that the minified
// program's output is compared against; any difference means minification
// changed the program's behaviour.
console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
// Output of minifying the original program with the `minify(options)` shown on
// this page. It is expected to print the same values as the original; the
// reported results differ in `b` (-24 vs -27) and `c` (129 vs 135).
for (var _calls_ = 10, a = 100, b = 10, c = 0, brake1 = 5; b && 0 < brake1; --brake1) {
    var brake3 = 5;
    do {
        if (--b + (b + 1) - (.2 + .1)) {
            // NOTE(review): the original condition is `--b + ("23" - 1)`, i.e. the
            // numeric `--b + 22`. Here the parentheses are gone, so `--b + "23"` is
            // evaluated first, which is string concatenation, and only then is 1
            // subtracted. This form does not reach 0 at b === -22 the way the
            // original does, and the extra iterations it would cause are consistent
            // with the reported difference in `b` and `c` - confirm against the fix.
            for (var brake5 = 5; --b + "23" - (c += 1, 1) && 0 < brake5; --brake5) {
                c += 1;
            }
        }
    } while (a++ + void function r() {
        // `r` is the renamed function expression (`b` in the original); references to
        // the function's own name in the body were renamed with it (`--r`, `a[r]`).
        var f, n;
        n = --r + +(!1 - (a && (a[r] += !1 << (a && (a.undefined *= !0))))), function(a, e) {
            c = 1 + c, e && (e[(c = 1 + c, 1)] = -1), c = 1 + c, n && (n[/[abc4]/.test("" + (c = 1 + c,
            r || 5))] += !0 >> (this || "undefined"));
        }(c = 1 + (c = 1 + (c = 1 + c)), (c = 1 + c, c += 1, (n && (n.foo = 0)) >>> !1)),
        c = 1 + c, c = 1 + (c += 1), a++, --r, c = 1 + c;
        // The always-truthy `if ({...})` of the original has been dropped; the `try`
        // returns directly and the `finally` still runs before the function exits.
        try {
            return void (c = 1 + c);
        } finally {
            var e = a++ + {
                undefined: (c = 1 + c, (!0 | (a && (a.foo = 0))) < !1),
                "-2": (c = 1 + c, c += 1, !1),
                b: (c = 1 + c, (a && (a.var = NaN)) / 0 != 0 >>> (a && (a.b = 0)))
            };
            for (var t in e) {}
        }
        // NOTE(review): because the `try` above returns, the rest of this function
        // body looks unreachable at run time - confirm before relying on it.
        try {
            c += 1;
        } catch (e) {
            switch (a++ + /[abc4]/.test("" + (+(!0 << (0 | (f && (f[(c = 1 + c, !1)] += 0)))) || r || 5))) {
              case --r + [ , (c = 1 + c, +(3 === (e && (e[(c = 1 + c, void 0 <= !1 << (f && (f.null = 0)))] = !1)))), (c = 1 + c,
                (this < !0 !== (e && (e[(c = 1 + c, !1)] += 22))) * ~(!0 <= this)) ]:
                break;

              case (c += 1) + ("function" == typeof f2 && 0 <= --_calls_ && f2()):
                for (var i = 5; c = 1 + c, f && (f[(c += 1) + f] += (c += 1, -3 ^ (f = ({} < this) >> !1))) && 0 < --i; ) {
                    c = 1 + c;
                }
                try {
                    c = 1 + c;
                } catch (c) {}
                break;

              case a++ + f:
                var l = (c = 1 + c, !1);
                for (var b in l) {
                    c = 1 + c, e && (e.undefined = 0 == (c += 1, -2));
                }
                c = 1 + c;
                break;

              case a++:
            }
            --r;
        } finally {
            switch (a++ + a) {
              case c += 1, !0:
                c = 1 + c, f && (f.null = !1);
                try {
                    c = 1 + c;
                } catch (c) {}
                break;

              case a++ + --r:
                var o = (c = 1 + (c = 1 + (c = 1 + c)), ~(0 | (f && (f.null = !0))));
                for (var _ in o) {
                    c = 1 + (c = 1 + c);
                }
                break;

              case !0:
              case a++ + a:
            }
            try {
                --r;
            } finally {
                return c = 1 + c, NaN & (c += 1, !1);
            }
        }
        switch ((c += 1) + (1 != (f && (f[(c = 1 + c, !1)] += !0) && !0))) {
          case (c += 1) + []:
            try {
                switch (a++ + a--) {
                  default:
                  case !1 * (c += 1, 0):
                    c = 1 + c, c = 1 + (c += 1), f = (f && (f.c += (c += 1, 3))) < !0;
                    break;

                  case a++ + ("function" == typeof f && 0 <= --_calls_ && f((c = 1 + c, f && (f[a++ + r--] = (f && (f.Infinity += !1)) < !0)), (c = 1 + c,
                    c += 1, !0), -3)):
                    break;

                  case --r + a++:
                    c = 1 + c, f && (f.in >>= 0), c = 1 + c;
                }
            } catch (a) {
                c += 1;
            }
            break;

          case a++ + ("function" == typeof f5 && 0 <= --_calls_ && f5()):
            switch ((c += 1) + +a) {
              case 22:
                c += 1;
                break;

              default:
              case --r + ((f = (f && (f.in |= 3)) <= -23) && (f = NaN) >>> 23):
                break;

              case (c += 1) + {
                    b: (c = 1 + c, (f >>= !1 === (f && (f[(c = 1 + c, NaN === (c += 1, 1))] ^= 0))) || !0),
                    null: (c = 1 + c, 0)
                }:
                c = 1 + c, (null != this || -5) < -1 ? (c = 1 + c, c += 1, f && (f.b = 0)) : (c = 1 + c,
                f && (f.Infinity = !1));
            }
            break;

          case a++ + [ --r + {
                "\t": (c = 1 + c, 0 & ("c1" | (c += 1, !0))),
                NaN: (c = 1 + c, !1)
            }.null, "function" == typeof f1 && 0 <= --_calls_ && f1(25), --r + ("function" == typeof f6 && 0 <= --_calls_ && f6(-4)) ]:
          case --r + ("function" == typeof f3 && 0 <= --_calls_ && f3(1 / 0, {}, null)):
        }
    }() && 0 < --brake3);
    // `a` is only called when `typeof a` is "function" and the `_calls_` budget is
    // not exhausted; otherwise `expr62` is the falsy result of the `&&` chain.
    var expr62 = "function" == typeof a && 0 <= --_calls_ && a(--b + ++a, (c += 1) + (a += (c += 1) + (c += 1,
    24 < (1 | (a = NaN)))), -2);
    for (var key62 in expr62) {
        for (var brake63 = 5; "function" == typeof f6 && 0 <= --_calls_ && f6("23", "a") && 0 < brake63; --brake63) {
            var expr64 = (c += 1) + ("function" == typeof f3 && 0 <= --_calls_ && f3());
            for (var key64 in expr64) {
                c = 1 + c;
                var a_2 = expr64[key64], brake65 = 5;
                do {
                    for (var brake66 = 5; a++ + ("function" == typeof a_2 && 0 <= --_calls_ && a_2((c += 1) + 0)) && 0 < brake66; --brake66) {
                        for (var brake67 = 5; c = 1 + (c = 1 + c), a_2 && (a_2[(c = 1 + c, 4 <= -1 * (a_2 && (a_2.b = 2)))] = 4),
                        --b + (b -= a) && 0 < --brake67; ) {}
                    }
                } while (a++ + void (a_2 && (a_2.a = a_2 && (a_2[(c = 1 + c, !0 * ((a_2 && (a_2[(c = 1 + c,
                (a_2 && (a_2[--b + [ (c = 1 + c, !0 - (c += 1, "undefined") >>> !0), , (c = 1 + c,
                -2), (c = 1 + c, !1) ]] = "number")) + !1)] = 25)) >> !0))] *= (a_2 && (a_2.Infinity = NaN)) >>> !0) || "number")) && 0 < --brake65);
            }
        }
    }
}

// Trailing statements, same shape as in the original program: one more
// `--b + b--`, two budget-guarded calls (`f2`, `f4`) and a `c` increment.
var Math_1 = [ --b + b--, "function" == typeof f2 && 0 <= --_calls_ && f2("undefined", 22) ].Infinity, NaN_2 = "" + ("function" == typeof f4 && 0 <= --_calls_ && f4(null, (c += 1) + --b) || a || 3);

// Prints the final state of the minified program (the "uglified result"); it
// must match the original program's output for the minification to be
// behaviour-preserving.
console.log(null, a, b, c, 1 / 0, NaN, void 0);
original result:
null 115 -24 129 Infinity NaN undefined

uglified result:
null 115 -27 135 Infinity NaN undefined

minify(options):
{
  "compress": {
    "keep_fargs": false,
    "passes": 1000000,
    "sequences": 1000000,
    "unsafe": true,
    "unsafe_Function": true,
    "unsafe_math": true,
    "unsafe_proto": true,
    "unsafe_regexp": true
  }
}
@alexlamsl alexlamsl added the bug label Oct 27, 2019
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Oct 27, 2019
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Oct 27, 2019
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Oct 27, 2019
alexlamsl added a commit that referenced this issue Oct 28, 2019