Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ufuzz failure #4906

Closed
alexlamsl opened this issue May 3, 2021 · 0 comments · Fixed by #4907
Closed

ufuzz failure #4906

alexlamsl opened this issue May 3, 2021 · 0 comments · Fixed by #4907
Labels
bug

Comments

@alexlamsl
Copy link
Collaborator 

// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

{
    var foo_2 = function f0(yield, bar_1) {
        if (--b + +b) {
            return (-42n).toString() in [ a++ + /[abc4]/.test(((c = c + 1) + a++ || b || 5).toString()), yield, {
                "-2": void a,
                done: void function a_1() {
                    c = 1 + c, ((4 == 1) <= 2 % 1) >> (Number(0xdeadn << 16n | 0xbeefn) <= "a" ^ 5 < "bar");
                    c = 1 + c, 1 / Infinity / (-3 >>> 23..toString()) == (Infinity <= -3 & 1 - "object");
                    c = 1 + c, c = c + 1, void /[a2][^e]+$/ ^ (Infinity, "c");
                    c = 1 + c, (-3 || "number") * !2 == (/[a2][^e]+$/ <= "bar" || yield && (yield.done += null << "object"));
                }(),
                set then(a) {
                    {
                    }
                    this.next = ("foo" < 2 ^ false << -0) === ([ , 0 ][1] && "undefined") >= (Infinity ?? "b");
                }
            }[!(((yield && ({
                [(c = 1 + c, c = c + 1, 38..toString() == -5 ^ 4 - [])]: yield.done
            } = {
                then: 24..toString() / 4
            })) == (bar_1 && (bar_1[c = 1 + c, yield && (yield[24..toString()] = (([ 3n ][0] > 2) << "b" | -2 < "a") >>> ((25, 
            4) && -0 * 4))] &= /[a2][^e]+$/ << "bar"))) - ((bar_1 && (bar_1.Infinity += (-42n).toString() | -2)) >= (yield && (yield[c = 1 + c, 
            "foo" - null >>> (-0 << -4) | !38..toString() == (yield && (yield.foo += Infinity != null))] -= "number" < -1))))], b = a, (c = c + 1) + typeof (--b + (typeof foo !== "crap")) ];
        } else {
            c = c + 1;
        }
        {
            var a_1 = function f1(foo = -5, Infinity_2, NaN_1) {
                function f2(yield, Infinity_2, foo) {
                    {
                        var brake11 = 5;
                        while ((1 === 1 ? a : b) && --brake11 > 0) {
                            if (c = 1 + c, (null ^ Infinity, "a" ^ this) << (5 << 0 >> (25 >= "number"))) {
                                c = 1 + c, c = c + 1, 24..toString() << {} == 22 <= -3;
                            } else {
                                c = 1 + c, ((24..toString() ?? -2) !== 4 < 1) <= (-5 >>> 24..toString()) / ("bar" < []);
                            }
                        }
                    }
                    {
                        var brake15 = 5;
                        while (typeof foo == "function" && --_calls_ >= 0 && foo((c = 1 + c, void NaN % (-4 === 2) >>> (Infinity_2 && (Infinity_2[1 === 1 ? a : b] **= (-4 || -1) | "" / "b"))), (c = 1 + c, 
                        ((/[a2][^e]+$/ & 25) <= (c = c + 1, true)) * (-5 - -0 || ("function" ?? -3)))) && --brake15 > 0) {
                            L15964: for (var brake16 = 5; (c = 1 + c, (foo && (foo[a++ + ((c = 1 + c, (Infinity_2 = ([ , 0 ].length === 2) >= false > "b" + "object") >>> ([ , 0 ][1] * Infinity || 4 !== "")) ? (c = 1 + c, 
                            (("b" == -4) > ([] || undefined)) - ("foo" + /[a2][^e]+$/ << 1 * "foo")) : (c = 1 + c, 
                            -3 <= 3 | "foo" == undefined | 22 !== 22 & {} + /[a2][^e]+$/))] += (-4 > 0) / (-1 >> "bar"))) >= (false === 3 | 23..toString() ^ "object")) && brake16 > 0; --brake16) {
                                c = 1 + c, Infinity_2 && (Infinity_2[a++ + false] >>= (yield && (yield[c = 1 + c, 
                                ({} >= "object") / ("object" ^ null) || ("" >>> 4 ?? "undefined" & -1)] += "c" ^ NaN), 
                                "", true) ^ {} % 0 < (1 >= -2));
                            }
                        }
                    }
                }
                var b_1 = f2(38..toString(), (c = c + 1) + /[abc4]/.test((--b + ({
                    1.5: (c = 1 + c, NaN_1 && (NaN_1[0 === 1 ? a : b] += (null <= -5) / (Infinity % "undefined")) && (0 - 23..toString()) / (-3 >= -1)),
                    length: (c = 1 + c, ("undefined" & "" ^ "object" >> -5) & ("function" | -0) << (-3 || "function")),
                    null: (c = 1 + c, (("function" || -5) === -5 >> 25) << (5 * (-42n).toString() >= 5 / -1)),
                    in: (c = 1 + c, (NaN_1 && (NaN_1[{}] = -2 ^ 4 && -0 > {})) / (("undefined", undefined) && 23..toString() >>> "")),
                    NaN_1: NaN_1
                } || a || 3).toString() || b || 5).toString()), "function");
                function f3(b_2, a_2, NaN_1) {
                    try {
                        {
                            var expr19 = (c = 1 + c, ("number" ^ -4 && -1 > "function") == (5 >>> [ , 0 ][1]) / (c = c + 1, 
                            38..toString()));
                            L15965: for (var key19 in expr19) {
                                c = 1 + c;
                                var foo_2 = expr19[key19];
                                c = 1 + c, (foo && (foo[c = 1 + c, (c = c + 1, bar_1 && (bar_1[c = 1 + c, 5 / "c" << (foo && (foo.done = Number(0xdeadn << 16n | 0xbeefn) > 1)) >> (38..toString() ^ "c" ^ [ , 0 ][1] <= 1)] = (-2) ** "function")) >> (yield && (yield[(c = c + 1) + /[abc4]/g.exec(((c = 1 + c, 
                                (void -0 ^ (3, this)) * ((-2 || Infinity) in ("foo" === true))) || b || 5).toString())] -= (c = c + 1, 
                                "") >> (this >> -0)))] -= true >> 5)) === this < 0 ^ ("function" * "foo" | [] ^ "b");
                            }
                        }
                    } catch (a_1) {
                        c = 1 + c, (false && -1) - ([ , 0 ].length === 2) % 22 || 3 * "a" === ("c" && Infinity);
                        c = 1 + c, ((5, "bar") || 0 - this) >> (null * true >>> (this != NaN));
                    } finally {
                        c = 1 + c, (null << -3 > ("function" | true)) >> (foo && (foo.c = (NaN - 0) % ("bar" !== "bar")));
                        c = 1 + c, ((-3) ** -1, -4 > 22) >>> (4 * 4 !== 22 <= this);
                    }
                    {}
                }
                var b_1_1 = f3(a++ + (b = a), [ --b + [ (c = 1 + c, c = c + 1, (this & "number") >>> ("function" != "bar")), (c = 1 + c, 
                (true - "b") / (foo && (foo.done = -1 === -4)) ^ (yield && (yield.foo >>= 0 - 23..toString() - (5 !== ([ , 0 ].length === 2))))), (c = 1 + c, 
                +/[a2][^e]+$/ > (NaN === NaN) >= (-4 << -0 < (23..toString() & "function"))), (c = 1 + c, 
                b_1 && (b_1[--b + (0 === 1 ? a : b)] **= ({} | "b") > "undefined" + null & "object" % -3 % (Infinity_2 = [ , 0 ][1] | []))), (c = 1 + c, 
                (foo && (foo["bar" in [ (c = 1 + c, (NaN || {} || null + 38..toString()) > ((-5, 
                "bar") & ("" & -1))), (c = 1 + c, delete 1 > (Infinity_2 && (Infinity_2.undefined = "function" % Infinity)) || (1 === 22) << ("function" == 0)) ]] <<= (24..toString() ^ /[a2][^e]+$/) / (Infinity | 0))) ^ ("object" ^ "bar") >>> ([ , 0 ].length === 2 == 22)) ].null, --b + {
                    value: (c = 1 + c, -3 / 3 !== ([ 3n ][0] > 2) << {} & (-1 ^ [ , 0 ][1]) % (false << import.meta))
                }.b ][0 === 1 ? a : b]);
                function f4(foo_2) {
                    c = c + 1;
                    for (var brake27 = 5; (c = c + 1) + (typeof b_1_1 == "function" && --_calls_ >= 0 && b_1_1`${c = 1 + c, 
                    (NaN_1 >>>= "number" || 0) + ("foo" >= 0) > (foo && (foo.static = 38..toString() >= -3 >= ("bar" & [ , 0 ].length === 2)))}${c = 1 + c, 
                    (2 === []) < (Infinity || "object") !== (yield *= "number" != {} == ({}, 38..toString()))}${c = 1 + c, 
                    ("function" << [ , 0 ][1] === null << this) >> ((1 || 22) && 4 & 0)}`) && brake27 > 0; --brake27) {
                        var a_1 = (c = 1 + c, (([ , 0 ].length === 2) / "b" ^ ([ , 0 ].length === 2) > -3) << ("" * "number" ^ "undefined" >>> 3)), b_2 = (c = 1 + c, 
                        (1 % {} && "function" - 2) << ((-4 >= NaN) >> -1 * -3));
                    }
                }
                var b = f4();
                function f5(async, bar_1) {
                    try {
                        L15966: {
                        }
                    } finally {
                        c = 1 + c, (bar_1 && (bar_1.get %= (-1 == "number") >>> ("foo" >= this))) * (-"bar" >>> ("foo" >>> [ , 0 ][1]));
                        c = 1 + c, (4 + ([ , 0 ].length === 2) || 5 / -4) * (("object" >= []) << (-4 ^ {}));
                    }
                    switch ((c = c + 1) + {
                        next: (c = 1 + c, (b_1_1 ??= 1 << "c") >>> (true > "function") > (([ , 0 ].length === 2) >>> 38..toString() < (2 & 38..toString()))),
                        a: (c = 1 + c, ("c" != -2) >= "a" / 25 <= ((-1 ^ true) == (c = c + 1, 38..toString()))),
                        c: (c = 1 + c, ("foo" || "") & ~"a" && ("b" ^ "undefined") & 4 <= "object"),
                        b: (c = 1 + c, !"a" === (38..toString() && /[a2][^e]+$/) & ("c" ^ null ^ (/[a2][^e]+$/, 
                        3)))
                    }) {
                      case (c = c + 1) + [ (c = 1 + c, ("object" !== null !== Infinity / 38..toString()) * (/[a2][^e]+$/ + !0o644n || 3 / 1)) ].static:
                        c = 1 + c, yield && (yield[((c = 1 + c, (c = c + 1, true || 23..toString()) >= (delete false <= ([] >= []))) || 3).toString()[c = 1 + c, 
                        (c = c + 1, this) > 2 - -5 | ([ , 0 ].length === 2, [ , 0 ][1]) / ("" || 23..toString())]] |= 5 > -5 ^ "" >>> 0) || NaN_1 && (NaN_1.then = (b_1_1 += (-1, 
                        25)) / (c = c + 1, 23..toString()));
                        c = 1 + c, (-2 + 23..toString() && 38..toString() * 22) >= (3 * "undefined" || "function" >>> 4);
                        break;

                      case ("bar" - 2 == [] % -1) >> ((c = c + 1, 24..toString()) != (0 != "bar")):
                        c = 1 + c, (async && (async.null = !0o644n && "bar")) + (NaN_1 && (NaN_1[c = 1 + c, 
                        -0 >>> undefined === (-3 ?? "undefined") !== "function" > 3 < ("foo" & 4)] ||= [] / 23..toString())) <= ("b" * false & "undefined" != -3);
                        break;

                      case a--:
                        c = 1 + c, async && (async.get += 24..toString() - "foo" >= ((-42n).toString() === /[a2][^e]+$/) || ([ , 0 ].length === 2, 
                        Infinity) > ([] ^ []));
                        break;

                      default:
                    }
                }
                var a_1 = f5(b = a);
            }();
        }
    }({}, --b, true);
}

var yield = foo_2?.[{} ? void ("" + "number" >>> (-1 >> undefined) >= ("foo" + "undefined" == (Infinity && -0))) : (c = c + 1) + foo_2];

console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
var r = 10, N = 100, n = 10, h = 0;

(function f0(f, c) {
    --n + +n ? (N++, ((h += 1) + N++ || n || 5).toString(), {
        "-2": void 0,
        done: void function a_1() {
            h = 1 + ((h = 1 + (1 + (1 + h))) + 1);
        }(),
        set then(n) {
            this.next = !1;
        }
    }[!(((f && ({
        [(h = 1 + h, h += 1, 4)]: f.done
    } = {
        then: 6
    })) == (c && (c[h = 1 + h, f && (f[24] = ((2 < 3n) << "b" | !1) >>> -0)] &= 0))) - ((c && (c.Infinity += "" + -42n | -2)) >= (f && (f[h = 1 + h, 
    0 | 0 == (f && (f.foo += !0))] -= !1))))], n = N, h += 1, --n) : (h += 1, function f1(t = -5, n, o) {
        var i = function f2(n, t, o) {
            for (var i, e, a = 5; N && 0 < --a; ) {
                h = 1 + h, ("a" ^ this) << 5 ? (h = 1 + h, h += 1) : h = 1 + h;
            }
            for (i = 5; "function" == typeof o && 0 <= --r && o((h = 1 + h, NaN >>> (t && (t[N] **= -4))), (h = 1 + h, 
            -5 * (0 <= (h += 1, !0)))) && 0 < --i; ) {
                for (e = 5; h = 1 + h, 23 <= (o && (o[N++ + (h = 1 + h, (t = "bobject" < (!1 <= (2 === [ , 0 ].length))) >>> !0 ? (h = 1 + h, 
                0) : (h = 1 + h, 1))] += -0)) && 0 < e; --e) {
                    h = 1 + h, t && (t[N++ + !1] >>= !1 ^ (n && (n[h = 1 + h, 0] += 0), !0));
                }
            }
        }("38", (h += 1) + /[abc4]/.test((--a + ("" + {
            1.5: (h = 1 + h, o && (o[a] += NaN) && -23 / !1),
            length: 0,
            null: !1 << (-5 <= 5 * ("" + -42n)),
            in: (h = 1 + (1 + (1 + h)), (o && (o[{}] = !1)) / void 0),
            NaN_1: o
        }) || a || 5).toString()), "function"), e = function f3() {
            try {
                for (var n in h = 1 + h, h += 1, !1) {
                    h = 1 + (h = 1 + h), t && (t[h = 1 + h, h += 1, (c && (c[h = 1 + h, NaN << (t && (t.done = 1 < +("" + (0xdeadn << 16n | 0xbeefn)))) >> 39] = NaN)) >> (f && (f[(h += 1) + /[abc4]/g.exec((h = 1 + h, 
                    ((void 0 ^ this) * (-2 in !1) || a || 5).toString()))] -= (h += 1, "" >> (this >> -0))))] -= 0);
                }
            } catch (n) {
                h = 1 + (h = 1 + h);
            } finally {
                h = 1 + h, t && (t.c = NaN), h = 1 + h;
            }
        }(a = ++N, (--a, h = 1 + ((h = 1 + h) + 1), t && (t.done = !1), f && (f.foo >>= -23 - (5 !== (2 === [ , 0 ].length))), 
        h = 1 + (1 + h), i && (i[--a + a] **= !1 & NaN % (n = 0)), h = 1 + h, t && (t["bar" in [ !1, (h = 1 + (1 + h), 
        (n && (n.undefined = NaN)) < !0 || 0) ]] <<= 24 / 0), --a, h = 1 + h, import.meta)), a = function f4() {
            var n;
            for (h += 1, n = 5; (h += 1) + ("function" == typeof e && 0 <= --r && e`${h = 1 + h, 
            (o >>>= "number") + !1 > (t && (t.static = ("bar" & 2 === [ , 0 ].length) <= !0))}${h = 1 + h, 
            !0 !== (f *= !1)}${h = 1 + h, (0 == null << this) >> 0}`) && 0 < n; --n) {
                h = 1 + (1 + h);
            }
        }();
        !function f5(n, t) {
            switch (h = 1 + h, t && (t.get %= !1 >>> (this <= "foo")), h = 1 + h, (h += 1) + {
                next: (e ??= 1) >>> !1 > ((2 === [ , 0 ].length) >>> "38" < 2),
                a: !0,
                c: 0,
                b: (h = 1 + (1 + ((h = 1 + (1 + h)) + 1)), 0)
            }) {
              case (h += 1) + [ (h = 1 + h, !0 * (/[a2][^e]+$/ + !0o644n || 3)) ].static:
                h = 1 + h, f && (f[("" + !0)[h = 1 + ((h = 1 + h) + 1), 0 | (h += 1, 7 < this)]] |= 1) || o && (o.then = (e += 25) / (h += 1, 
                "23")), h = 1 + h;
                break;

              case !1 >> (1 != (h += 1, "24")):
                h = 1 + h, n && (n.null = !0o644n && "bar"), o && (o[h = 1 + h, !1] ||= 0);
                break;

              case N--:
                h = 1 + h, n && (n.get += ("" + -42n === /[a2][^e]+$/) <= NaN || !0);
            }
        }(a = N);
    }());
})({}, --n), e?.[void 0], console.log(null, N, n, h, Infinity, NaN, void 0);
original result:
null 102 101 11 Infinity NaN undefined

uglified result:
evalmachine.<anonymous>:1
(function(){var r=10,N=100,n=10,h=0;(function f0(f,c){--n+ +n?(N++,((h+=1)+N++||n||5).toString(),{"-2":void 0,done:void function a_1(){h=1+((h=1+(1+(1+h)))+1)}(),set then(n){this.next=!1}}[!(((f&&({[(h=1+h,h+=1,4)]:f.done}={then:6}))==(c&&(c[h=1+h,f&&(f[24]=((2<3n)<<"b"|!1)>>>-0)]&=0)))-((c&&(c.Infinity+=""+-42n|-2))>=(f&&(f[h=1+h,0|0==(f&&(f.foo+=!0))]-=!1))))],n=N,h+=1,--n):(h+=1,function f1(t=-5,n,o){var i=function f2(n,t,o){for(var i,e,a=5;N&&0<--a;)h=1+h,("a"^this)<<5?(h=1+h,h+=1):h=1+h;for(i=5;"function"==typeof o&&0<=--r&&o((h=1+h,NaN>>>(t&&(t[N]**=-4))),(h=1+h,-5*(0<=(h+=1,!0))))&&0<--i;)for(e=5;h=1+h,23<=(o&&(o[N+++(h=1+h,(t="bobject"<(!1<=(2===[,0].length)))>>>!0?(h=1+h,0):(h=1+h,1))]+=-0))&&0<e;--e)h=1+h,t&&(t[N+++!1]>>=!1^(n&&(n[h=1+h,0]+=0),!0))}("38",(h+=1)+/[abc4]/.test((--a+(""+{1.5:(h=1+h,o&&(o[a]+=NaN)&&-23/!1),length:0,null:!1<<(-5<=5*(""+-42n)),in:(h=1+(1+(1+h)),(o&&(o[{}]=!1))/void 0),NaN_1:o})||a||5).toString()),"function"),e=function f3(){try{for(var n in h=1+h,h+=1,!1)h=1+(h=1+h),t&&(t[h=1+h,h+=1,(c&&(c[h=1+h,NaN<<(t&&(t.done=1<+(""+(0xdeadn<<16n|0xbeefn))))>>39]=NaN))>>(f&&(f[(h+=1)+/[abc4]/g.exec((h=1+h,((void 0^this)*(-2 in!1)||a||5).toString()))]-=(h+=1,"">>(this>>-0))))]-=0)}catch(n){h=1+(h=1+h)}finally{h=1+h,t&&(t.c=NaN),h=1+h}}(a=++N,(--a,h=1+((h=1+h)+1),t&&(t.done=!1),f&&(f.foo>>=-23-(5!==(2===[,0].length))),h=1+(1+h),i&&(i[--a+a]**=!1&NaN%(n=0)),h=1+h,t&&(t["bar"in[!1,(h=1+(1+h),(n&&(n.undefined=NaN))<!0||0)]]<<=24/0),--a,h=1+h,({ url: "https://example.com/path/index.html" }))),a=function f4(){var n;for(h+=1,n=5;(h+=1)+("function"==typeof e&&0<=--r&&e`${h=1+h,(o>>>="number")+!1>(t&&(t.static=("bar"&2===[,0].length)<=!0))}${h=1+h,!0!==(f*=!1)}${h=1+h,(0==null<<this)>>0}`)&&0<n;--n)h=1+(1+h)}();!function f5(n,t){switch(h=1+h,t&&(t.get%=!1>>>(this<="foo")),h=1+h,(h+=1)+{next:(e??=1)>>>!1>((2===[,0].length)>>>"38"<2),a:!0,c:0,b:(h=1+(1+((h=1+(1+h))+1)),0)}){case(h+=1)+[(h=1+h,!0*(/[a2][^e]+$/+!0o644n||3))].static:h=1+h,f&&(f[(""+!0)[h=1+((h=1+h)+1),0|(h+=1,7<this)]]|=1)||o&&(o.then=(e+=25)/(h+=1,"23")),h=1+h;break;case!1>>(1!=(h+=1,"24")):h=1+h,n&&(n.null=!0o644n&&"bar"),o&&(o[h=1+h,!1]||=0);break;case N--:h=1+h,n&&(n.get+=(""+-42n===/[a2][^e]+$/)<=NaN||!0)}}(a=N)}())})({},--n),e?.[void 0],console.log(null,N,n,h,Infinity,NaN,void 0);})();
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            

ReferenceError: e is not defined
    at evalmachine.<anonymous>:1:2247
    at evalmachine.<anonymous>:1:2305
    at Script.runInContext (node:vm:141:12)
    at Object.runInContext (node:vm:292:6)
    at run_code_vm (/Users/runner/work/UglifyJS/UglifyJS/test/sandbox.js:257:12)
    at Object.exports.run_code (/Users/runner/work/UglifyJS/UglifyJS/test/sandbox.js:37:16)
    at run_code (/Users/runner/work/UglifyJS/UglifyJS/test/ufuzz/index.js:2077:20)
    at /Users/runner/work/UglifyJS/UglifyJS/test/ufuzz/index.js:2463:29
    at Array.forEach (<anonymous>)
    at Object.<anonymous> (/Users/runner/work/UglifyJS/UglifyJS/test/ufuzz/index.js:2454:20)

// reduced test case (output will differ)

// (beautified)
var a = 0;

var foo_2 = function f0() {
    return a;
    a--;
}();

var yield = foo_2?.[0];
// output: 
// minify: ReferenceError: b is not defined
// options: {
//   "compress": {
//     "hoist_vars": true,
//     "keep_infinity": true,
//     "passes": 1000000,
//     "unsafe": true
//   },
//   "keep_fnames": true,
//   "toplevel": true,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "compress": {
    "hoist_vars": true,
    "keep_infinity": true,
    "passes": 1000000,
    "unsafe": true
  },
  "keep_fnames": true,
  "toplevel": true,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  unused

Suspicious options:
  rename
  toplevel
@alexlamsl alexlamsl added the bug label May 3, 2021
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue May 3, 2021
@alexlamsl
fix corner case in unused
90da330 
fixes mishoo#4906
@alexlamsl alexlamsl mentioned this issue May 3, 2021
Merged
alexlamsl added a commit that referenced this issue May 3, 2021
@alexlamsl
fix corner case in unused (#4907)
ce3c35f 
fixes #4906
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix corner case in unused alexlamsl/UglifyJS
1 participant
@alexlamsl