Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ufuzz failure #3668

Closed
alexlamsl opened this issue Jan 3, 2020 · 1 comment · Fixed by #3669
Closed

ufuzz failure #3668

alexlamsl opened this issue Jan 3, 2020 · 1 comment · Fixed by #3669
Labels
bug

Comments

@alexlamsl
Copy link
Collaborator 

// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

function f0(b, c, a) {
    {
        var brake1 = 5;
        do {
            try {
                {
                    var expr3 = --b + a++;
                    for (var key3 in expr3) {
                        c = 1 + c;
                        var arguments = expr3[key3];
                        for (var brake4 = 5; +function Math() {
                            {
                                var brake5 = 5;
                                while (a-- && --brake5 > 0) {
                                    try {
                                        c = c + 1;
                                    } catch (b_1) {
                                        c = 1 + c, c = c + 1, 25 + "foo" << (b_1 && (b_1.c |= 5 ^ 3));
                                        c = 1 + c, (Infinity >= -3) * delete "c" < (38..toString() < null) - ("bar" - "undefined");
                                    }
                                }
                            }
                            {
                                var brake10 = 5;
                                L19289: do {
                                } while (a++ + ((c = c + 1) + (typeof f0 == "function" && --_calls_ >= 0 && f0((c = 1 + c, 
                                (c = c + 1, -0) === [] < -4 === (a && (a.c = "foo" >= "undefined" && 24..toString() >= [ , 0 ][1]))))) || a || 3).toString() && --brake10 > 0);
                            }
                        }() && brake4 > 0; --brake4) {
                            switch (a++ + !function foo_2() {}()) {
                              case (c = c + 1) + b++:
                                {
                                    var Math_2 = function f1(bar) {
                                        c = 1 + c, a && (a[a++ + void b] += 3 >> {} <= ("bar" > 1) != -4 << false << "function" - "undefined");
                                        c = 1 + c, a += (-2 > "bar") * ("c" - 1), (a && (a[c = 1 + c, (undefined * true | (c = c + 1, 
                                        -0)) < ("function" << "bar" & (a && (a[c = 1 + c, a && (a[(c = c + 1) + (typeof f2 == "function" && --_calls_ >= 0 && f2(0, (c = 1 + c, 
                                        -1 / 25 <= "bar" << [] != (c = c + 1, false == 5)), (c = 1 + c, (undefined + "foo" ^ 3 * []) <= (("b", 
                                        undefined) <= (a[c = 1 + c, ((-5 || [ , 0 ].length === 2) != (3 || [])) > ("object" & "") * (24..toString() ^ /[a2][^e]+$/)] = Infinity != 1)))))] = (c = c + 1, 
                                        4) === ("object" || "foo") | (c = c + 1, 24..toString()) << ("number" === "number"))] = [ , 0 ][1] / -2)))] += [] % this)) != +4;
                                    }((c = 1 + c, -0 << this < (-4 > "number") >= ((38..toString() | Infinity) & (Math_2 = "a" >> "c"))), (c = 1 + c, 
                                    25 >>> 4, ~undefined, 3 != 24..toString() != "object" / NaN));
                                }
                                break;

                              case (Math_2 = (c = c + 1, this * 1) && this << -3 << -3 / "function") ? --b + (b |= a) : ~((Math_2 && (Math_2.in += NaN << "c")) === (Math_2 && (Math_2.null = NaN >> "undefined")) | (c = c + 1, 
                                2) * ("a" + 5)):
                                a++ + typeof [ (c = 1 + c, ~("" / -4 % (undefined >= 1))), (c = 1 + c, ((undefined ^ "function") === -5 + 25) / delete (24..toString() & "b")), (c = 1 + c, 
                                ([] != "number" ^ -0 === null) / ([ , 0 ][1] >>> "" >>> (-1 === "b"))), (c = 1 + c, 
                                Math_2 && (Math_2[--b + (typeof f2 == "function" && --_calls_ >= 0 && f2((c = 1 + c, 
                                -4 / 23..toString() % ({} >= "c") & "object" << 22 !== "object" + "c"), 1))] >>= (/[a2][^e]+$/ >>> -3) % (25 ^ null) - (delete 24..toString() !== NaN >> 38..toString()))), (c = 1 + c, 
                                (Math_2 *= ("number", /[a2][^e]+$/) < 25 % -5) != (Math_2 && (Math_2[b = a] &= (38..toString() == null) <= ("bar" | "function")))) ].c;
                                {
                                    var arguments = function a_2(Math_2, b_1) {
                                        c = 1 + c, ([ , 0 ].length === 2 != "bar") >= (NaN >= [ , 0 ][1]) < (1 || -1, 4 % 22);
                                        c = 1 + c, ([] >> null && ("a" && "object")) % ((b_1 += -2 && 38..toString()) >> (25 > 0));
                                    }("a");
                                }
                                break;

                              default:
                              case []:
                                return;
                                {
                                    var brake21 = 5;
                                    do {
                                        for (var brake22 = 5; a++ + ++a && brake22 > 0; --brake22) {
                                        }
                                    } while (--b + (typeof Math_2 == "function" && --_calls_ >= 0 && Math_2()) && --brake21 > 0);
                                }
                                break;
                            }
                        }
                    }
                }
            } catch (c) {
                L19290: for (var brake24 = 5; (Infinity + ([ , 0 ].length === 2) ^ (Math_2 && (Math_2[c = 1 + c, 
                ("foo" != 3) * (undefined >> 22) ^ ~(-1, [])] -= -4 ^ "object"))) % ("undefined" << 3 !== "object" >>> 0) && brake24 > 0; --brake24) {}
                {
                    return Math_2 && Math_2.var;
                }
            } finally {
                for (var brake27 = 5; (b += a) && brake27 > 0; --brake27) {
                    var brake28 = 5;
                    do {
                        {
                            return {
                                Infinity: a++ + ((c = 1 + c, Math_2 && (Math_2[void ((3 & 5) > (Infinity | "b"), 
                                +5 << (24..toString() && "bar"))] = ((22 & this) <= (-1 != -4), {} % "foo" != -1 - Infinity))) || a || 3).toString()
                            };
                        }
                    } while (~((-4 >> "" >= undefined << ([ , 0 ].length === 2)) % ((Math_2 = -3 - 3) % (false * "function"))) && --brake28 > 0);
                }
                {
                    var brake30 = 5;
                    while ([ a++ + {
                        c: !((this << "undefined" ^ 24..toString() * false) <= ("object" * -1 >= (1 & Infinity))),
                        NaN: --b + (b *= a),
                        Infinity: !((-5 < {} ^ (Infinity | false)) / ("c" ^ 23..toString() || -5 < 3))
                    }, typeof f0 == "function" && --_calls_ >= 0 && f0() ].b && --brake30 > 0) {}
                }
            }
        } while ((c = c + 1) + (b = a) && --brake1 > 0);
    }
    try {
        {
            var undefined = typeof Math_2 == "function" && --_calls_ >= 0 && Math_2((c = c + 1) + [ --b + ((c = 1 + c, 
            (c = c + 1, "a") << (Infinity > 23..toString()) == (Math_2 >>= (Math_2 ^= null << "a") || "" ^ "undefined")) || a || 3).toString(), Math_2 ], -5, [ , 0 ][1]);
            for (var brake36 = 5; --b + {
                undefined: void (("a" <= this == -5 > "function") + ("function" + /[a2][^e]+$/ >>> (5, 
                "c"))),
                in: --b + (0 === 1 ? a : b),
                length: (c = c + 1) + function() {}()
            }.var && brake36 > 0; --brake36) {
                {
                    return !([ , 0 ].length === 2 & "object") >>> ("c" << "number" == (undefined ^ []));
                }
                return (c = c + 1) + +b;
                try {
                    break;
                } finally {
                    {
                        var expr42 = (c = 1 + c, (("a", undefined) || undefined << "b") ^ ("b" < "foo") >>> (c = c + 1, 
                        /[a2][^e]+$/));
                        for (var key42 in expr42) {
                            c = 1 + c, "undefined" <= "undefined" | (Math_2 && (Math_2.b = 4 * 22)), 5 + NaN | false - NaN;
                        }
                    }
                    {
                        var expr44 = (c = 1 + c, ((2, "undefined") != 3 < "undefined") % ((c = c + 1, 0) >> ("", 
                        24..toString())));
                        for (var key44 in expr44) {
                            c = 1 + c;
                            var b = expr44[key44];
                            c = 1 + c, ([ , 0 ].length === 2) - "foo" > null << 25 !== -4 > null < (NaN, "");
                        }
                    }
                }
                {
                    L19291: {
                    }
                    for (var brake48 = 5; (c = 1 + c, -23..toString() <= (22 ^ this) == (-2 <= false ^ (undefined ^ NaN))) && brake48 > 0; --brake48) {
                        c = 1 + c, (-4 - 24..toString() ^ (Math_2 %= "foo" << 3)) - (Math_2 && (Math_2[/[abc4]/.test(((c = 1 + c, 
                        (-5 || 2) >> 4 * 23..toString() === ("function" !== 25 == ([ , 0 ][1], 2))) || b || 5).toString())] = (Math_2 && (Math_2.in += [ , 0 ].length === 2 || true)) | ([ , 0 ].length === 2, 
                        undefined)));
                    }
                }
            }
            {
                return;
                --b + a++;
            }
        }
    } catch (foo_2) {
        {
            return --b + (foo_2 <<= a++ + ~(foo_2 && (foo_2[b = a] ^= ({} >> "b" ^ -4 > null) <= (Math_2 && (Math_2.a >>= (24..toString() ^ 4) != +"object")))));
        }
        if (typeof f2 == "function" && --_calls_ >= 0 && f2({
            NaN: 0 === 1 ? a : b,
            0: --b + (a++ + (foo_2 && foo_2.Infinity) ? 0 === 1 ? a : b : ((c = 1 + c, ("c" >> 3 || this >> Infinity) ^ (foo_2 && (foo_2.var = (foo_2 = 38..toString() && 1) != (2 == [ , 0 ][1])))) || a || 3).toString())
        })) {} else {
            var brake54 = 5;
            while (--b + {
                foo: (c = c + 1) + (1 === 1 ? a : b),
                length: --b + (a++ + 23..toString() || 7).toString()[a++ + !b]
            }.foo && --brake54 > 0) {
                if (typeof f0 == "function" && --_calls_ >= 0 && f0(-5)) {
                    try {
                        {
                            var brake57 = 5;
                            L19292: do {
                                var b = foo_2 && foo_2.var, parseInt_1 = a++;
                            } while ((c = c + 1) + +function a_2() {
                                c = 1 + c, 3 !== "undefined" === NaN % 2 && "bar" / -1 - (5 === false);
                                c = 1 + c, (a_2 && (a_2.c = this != "a")) | "bar" & 1 || ("undefined" | 5) << (38..toString() ^ 4);
                                c = 1 + c, (parseInt_1.undefined = (this || -1) & "undefined" !== 1) * ((-0 & 23..toString()) - (null <= "c"));
                            }() && --brake57 > 0);
                        }
                    } catch (a) {
                        L19293: {
                            c = 1 + c, (parseInt_1 && (parseInt_1[c = 1 + c, (5 >>> "foo" < (1 != 3)) % (3 * -5 ^ (-2, 
                            1))] %= (22, 24..toString()))) === 5 < Infinity, NaN * -0 | this > 1;
                            c = 1 + c, (-0 === -3 | {} % -5) >= ("" && 5) + delete 22;
                            c = 1 + c, (undefined & null) >> +25 >= (("object" || []) ^ 4 - NaN);
                        }
                        {
                            c = 1 + c, (-1 * -0, -0 === 3) !== (2 | [ , 0 ][1] || (1, -2));
                            c = 1 + c, ([ , 0 ][1] ^ "bar") >= NaN / [ , 0 ][1] === (5 + 23..toString()) % (Math_2 && (Math_2[c = 1 + c, 
                            (("function" === true) >> (-0 === ([ , 0 ].length === 2))) + "undefined" / 0 * (c = c + 1, 
                            4)] = -5 % -5));
                            c = 1 + c, (parseInt_1 && (parseInt_1[b /= a] ^= ("object", NaN) && (true || -2))) === (foo_2 && (foo_2.var += "bar" === this)) / !undefined;
                        }
                    } finally {
                        if ([ (c = 1 + c, (parseInt_1 && (parseInt_1[[ (c = 1 + c, (undefined < "function" || (c = c + 1, 
                        -1)) - ((3, {}) ^ -3 < 1)), (c = 1 + c, ("object" || null) && 5 + false || void 0 === ("function" || -2)), (c = 1 + c, 
                        Math_2 = - -1 / (-0 < this) === ("number" + -3) / ("object" !== -3)), (c = 1 + c, 
                        [ , 0 ][1] < 23..toString() === "foo" + false && (foo_2 && (foo_2[{
                            set in(parseInt_1) {
                                this.a = [ , 0 ].length === 2 ^ true;
                            },
                            Infinity: (c = 1 + c, delete (-"foo" & 2 === 25)),
                            "": (c = 1 + c, "bar" >= 22 >= "undefined" / NaN & (parseInt_1 && (parseInt_1[--b + (typeof foo_2 == "function" && --_calls_ >= 0 && foo_2(2, Infinity, (c = 1 + c, 
                            ("c", undefined) / ("function" ^ 23..toString()) ^ "foo" * "object" >> (NaN << 38..toString()))))] += (2 >> 1) - (25, 
                            0))))
                        }[c = 1 + c, ("", -4) >>> (false || "a") === (1 === -0) >> "bar" % "function"]] += (-5, 
                        [ , 0 ].length === 2) | (null && /[a2][^e]+$/)))) ].in] = [ , 0 ][1] * NaN * (24..toString() !== []))) == (undefined === null) << 1 * "function") ]) {
                            c = c + 1;
                        } else {
                            return;
                            c = 1 + c, "foo" % "a" < ("" || true) != !2 / ({} >> -1);
                        }
                    }
                }
            }
        }
    }
}

var b = f0();

console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

function f0(b, c, a) {
    var brake1 = 5;
    do {
        try {
            var expr3 = --b + a++;
            for (var key3 in expr3) {
                c = 1 + c;
                for (var brake4 = 5; +function() {
                    for (var brake5 = 5; a-- && 0 < --brake5; ) {
                        try {
                            c += 1;
                        } catch (b_1) {
                            c = 1 + c, c += 1, b_1 && (b_1.c |= 6), c = 1 + c, 38..toString();
                        }
                    }
                    var brake10 = 5;
                    do {} while (a++ + ((c += 1) + ("function" == typeof f0 && 0 <= --_calls_ && f0((c = 1 + c, 
                    c += 1, -0 === [] < -4 === (a && (a.c = !1))))) || a || 3).toString() && 0 < --brake10);
                }() && 0 < brake4; --brake4) {
                    switch (a++ + !0) {
                      case (c += 1) + b++:
                        var Math_2 = function() {
                            c = 1 + c, a && (a[a++ + void 0] += 3 >> {} <= !1 != -4), c = 1 + c, (a += NaN) && (a[c = 1 + c, 
                            (!0 * undefined | (c += 1, -0)) < (0 & (a && (a[c = 1 + c, a && (a[(c += 1) + ("function" == typeof f2 && 0 <= --_calls_ && f2(0, (c = 1 + c, 
                            -.04 <= "bar" << [] != !1), (undefined + "foo" ^ 3 * []) <= (undefined <= (a[c = 1 + (c = 1 + (c += 1)), 
                            0 * (24..toString() ^ /[a2][^e]+$/) < !0] = !0))))] = "object" === (c += 1, 4) | (c += 1, 
                            24..toString() << !0))] = -0)))] += [] % this);
                        }((c = 1 + c, 38..toString(), Math_2 = 0, c = 1 + c, 24..toString()));
                        break;

                      case c += 1, (Math_2 = +this && this << -3 << NaN) ? --b + (b |= a) : ~((Math_2 && (Math_2.in += 0)) === (Math_2 && (Math_2.null = 0)) | "a5" * (c += 1, 
                        2)):
                        a++, c = 1 + (c = 1 + c), 24..toString(), c = 1 + (c = 1 + c), Math_2 && (Math_2[--b + ("function" == typeof f2 && 0 <= --_calls_ && f2((c = 1 + c, 
                        -4 / 23..toString() % ("c" <= {}) & !0), 1))] >>= 0 - (24..toString(), !0 !== NaN >> 38..toString())), 
                        c = 1 + c, (Math_2 *= !1) && (Math_2[b = a] &= (null == 38..toString()) <= 0);
                        c = 1 + (c = 1 + c), 38..toString();
                        break;

                      default:
                        return;
                    }
                }
            }
        } catch (c) {
            for (var brake24 = 5; (1 / 0 + (2 === [ , 0 ].length) ^ (Math_2 && (Math_2[c = 1 + c, 
            !0 * (undefined >> 22) ^ ~[]] -= -4))) % !1 && 0 < brake24; --brake24) {}
            return Math_2 && Math_2.var;
        } finally {
            for (var brake27 = 5; (b += a) && 0 < brake27; --brake27) {
                var brake28 = 5;
                do {
                    return {
                        Infinity: a++ + (c = 1 + c, Math_2 && (Math_2[void 24..toString()] = {} % "foo" != -1 / 0) || a || 3).toString()
                    };
                } while (~((undefined << (2 === [ , 0 ].length) <= -4) % ((Math_2 = -6) % NaN)) && 0 < --brake28);
            }
            for (var brake30 = 5; [ a++ + {
                c: !((this << "undefined" ^ !1 * 24..toString()) <= !1),
                NaN: --b + (b *= a),
                Infinity: !((-5 < {} ^ 0) / ("c" ^ 23..toString() || !0))
            }, "function" == typeof f0 && 0 <= --_calls_ && f0() ].b && 0 < --brake30; ) {}
        }
    } while ((c += 1) + (b = a) && 0 < --brake1);
    try {
        var undefined = "function" == typeof Math_2 && 0 <= --_calls_ && Math_2((c += 1) + [ --b + (c = 1 + c, 
        c += 1, "a" << (1 / 0 > 23..toString()) == (Math_2 >>= (Math_2 ^= 0) || 0) || a || 3).toString(), Math_2 ], -5, 0), brake36 = 5;
        return --b + {
            undefined: void 0,
            in: --b + b,
            length: (c += 1) + void 0
        }.var && 0 < brake36 ? !(2 === [ , 0 ].length & "object") >>> (0 == (undefined ^ [])) : undefined;
    } catch (foo_2) {
        return --b + (foo_2 << a++ + ~(foo_2 && (foo_2[b = a] ^= ({} >> "b" ^ !1) <= (Math_2 && (Math_2.a >>= NaN != (4 ^ 24..toString()))))));
    }
}

b = f0();

console.log(null, a, b, c, 1 / 0, NaN, void 0);
original result:
null 100 undefined 0 Infinity NaN undefined

uglified result:
null 100 false 0 Infinity NaN undefined

minify(options):
{
  "mangle": false
}
@alexlamsl alexlamsl added the bug label Jan 3, 2020
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Jan 4, 2020
@alexlamsl
fix corner case in conditionals
c7d8b83 
fixes mishoo#3668
@alexlamsl alexlamsl mentioned this issue Jan 4, 2020
Merged
alexlamsl added a commit that referenced this issue Jan 4, 2020
@alexlamsl
fix corner case in conditionals (#3669)
1988495 
fixes #3668
@alexlamsl alexlamsl mentioned this issue Feb 7, 2020
Merged
@alexlamsl
Copy link
Collaborator Author

After #3710:

$ uglifyjs test.js -c --reduce-test
// reduce test pass 1, iteration 0: 14109 bytes
// reduce test pass 1, iteration 25: 3626 bytes
// reduce test pass 1, iteration 50: 3404 bytes
// reduce test pass 1, iteration 75: 2785 bytes
// reduce test pass 1, iteration 100: 1017 bytes
// reduce test pass 1, iteration 125: 234 bytes
// reduce test pass 1: 198 bytes
// reduce test pass 2: 181 bytes
// reduce test pass 3: 181 bytes
var a = 0, c = 0;

function f0(b, c, a) {
    try {
        var undefined = 0;
        for (0; (0).var; 0) {
            return 0;
        }
        return;
    } catch (foo_2) {
        if (undefined) {
            0;
        } else {
            c = 0;
        }
    }
}

var b = f0();

console.log(null, a, b, c, Infinity, NaN, undefined);
// output: null 0 undefined 0 Infinity NaN undefined
// minify: null 0 0 0 Infinity NaN undefined
// options: {"compress":true,"mangle":false}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix corner case in conditionals alexlamsl/UglifyJS
1 participant
@alexlamsl