Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ufuzz failure #5264

Closed
alexlamsl opened this issue Jan 4, 2022 · 0 comments · Fixed by #5265
Closed

ufuzz failure #5264

alexlamsl opened this issue Jan 4, 2022 · 0 comments · Fixed by #5265
Labels
bug

Comments

@alexlamsl
Copy link
Collaborator 

// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

function f0(arguments, b_2, {
    length: undefined_1,
    in: a_1,
    3: a_1_2
}) {
    function f1() {
        {
            var brake1 = 5;
            L10908: do {
                switch (typeof b_1 !== "object") {
                  case --b + [ (c = 1 + c, ("bar" ^ true) - (b_2 && (b_2[c = 1 + c, (-2 >> /[a2][^e]+$/, 
                    -4 >= undefined) - (c = c + 1, [ , 0 ][1] >>> -4)] = 5 ^ this)) <= (0 === "number") >>> "foo" * {}) ][(c = c + 1) + typeof (c = 1 + c, 
                    (a_1_2 && (a_1_2[0 === 1 ? a : b] = NaN && undefined && 0 << {})) >>> ([ , 0 ][1] !== true) * (NaN >>> 4))]:
                    try {
                        c = 1 + c, "undefined" >> "bar" == (c = c + 1, NaN) & 5 / -0 / (22 & -0);
                    } finally {
                    }
                    return c = 1 + c, (1 == [ , 0 ][1] == 38..toString() << /[a2][^e]+$/) << ~(24..toString() - [ , 0 ][1]);
                    break;

                  case --b + [].NaN:
                    for (var brake6 = 5; (c = 1 + c, 4 - true === Infinity <= false ^ 0 * 38..toString() > (true && /[a2][^e]+$/)) && brake6 > 0; --brake6) {
                        c = 1 + c, "a" === 23..toString() != -2 >= 25 !== "function" << -0 >= (NaN && false);
                    }
                    c = 1 + c, ("c" < "bar") % (22 || undefined) || -2 * 0 < (b_2 && (b_2.static += 2 || "bar"));
                    break;

                  case (c = c + 1) + (b = a):
                    switch (c = 1 + c, ("bar" << 3) * (arguments && (arguments[c = 1 + c, (([ , 0 ].length === 2) >>> true & 22 - /[a2][^e]+$/) == ("object" ^ []) + Infinity % -2] = -5 ^ 5)) >> ([ , 0 ][1] & 0 || 0 + {})) {
                      default:
                        ;

                      case c = 1 + c, (a_1 && (a_1[--b + {}.get] = /[a2][^e]+$/ && "object" || this | 38..toString())) % (void false ^ "c" & "b"):
                        ;
                        break;

                      case c = 1 + c, "function" / 24..toString() | "undefined" % null | 24..toString() * -1 == ("function" != 1):
                        ;

                      case c = 1 + c, (/[a2][^e]+$/ === -0) * (-0 - "b") && ([ , 0 ][1] == "undefined" || "undefined" + 4):
                        ;
                        break;
                    }
                    {
                    }
                    break;

                  default:
                }
            } while (b-- && --brake1 > 0);
        }
        for (var brake11 = 5; ~(undefined_1 && (undefined_1[(c = c + 1) + (b_2 && b_2[--b + !function() {
        }()])] = ((/[a2][^e]+$/ && 22) != ("bar", -2)) > ((-2 ^ "number") == (null | 25)))) && brake11 > 0; --brake11) {
            for (var brake12 = 5; --b + (undefined_1 += (c = c + 1) + !(("object" | -5) - ("number" ^ 3) !== delete delete "foo")) && brake12 > 0; --brake12) {
                var let_1 = b |= a, bar_1 = b = a;
            }
        }
    }
    var Infinity = f1(1 === 1 ? a : b, null, null);
    async function f2() {
        {
            var brake14 = 5;
            while (/[abc4]/.test((--b + typeof --b || b || 5).toString()) && --brake14 > 0) {
                --b + (b_2 = (c = 1 + c, (4 == this) <= 5 << 4 || (-3 || 3) <= (Infinity, "b"))) ? (c = 1 + c, 
                (5 == "object") - (undefined_1 && (undefined_1[c = 1 + c, {} >>> [] !== (-4 === "foo") && {} == "b" === -2 >= 24..toString()] = [ , 0 ].length === 2 == "")) || (5 >= undefined) - ("undefined" && "c")) ? (c = 1 + c, 
                24..toString() - -4 !== (null & "object") | (5 & {}) >= (NaN <= {})) : (c = 1 + c, 
                (this ^ "b") >>> ("number" === 38..toString()) ^ (-4 >>> "number") / (23..toString() % "b")) : typeof (c = 1 + c, 
                (1 - -3) % (1 && 1) !== ("c" && "number") * ("function" === 2));
            }
        }
        {
            var expr16 = [ ..."" + b_2, (c = c + 1) + {
                "\t": (c = 1 + c, (({}, -5) + ("number" && 2)) * (undefined_1 && (undefined_1[--b] += (-5 === /[a2][^e]+$/) * (([ , 0 ].length === 2) >>> 0))))
            }[c = 1 + c, (undefined_1 = "b" <= 22) << void undefined || (b_2 <<= "undefined" - -5 + (-3 + -0))], +function a_1() {}() ];
            for (let key16 of expr16) {
                c = c + 1;
            }
        }
    }
    var arguments_2 = f2();
    function f3(arguments_2_2, async_1, arguments) {
        function f4() {
            return;
            {
            }
        }
        var undefined_1 = f4`${c = 1 + c, ([] && -4) <= true % 3 ^ ("object" || "bar") >>> ("" <= undefined)}${c = 1 + c, 
        (-5 > NaN || "function" !== "foo") != (a_1 && ([ a_1.in ] = [ ("number" + Infinity) * (arguments && (arguments.b += false >> -1)) ]))}`;
        function f5(let_1, yield_2) {
            return c = 1 + c, -3 >> 38..toString() >> 24..toString() * -0 << ("foo" << "c" >= (-0 != []));
            if (c = 1 + c, ((undefined_1 >>>= -4 && 38..toString()) && 38..toString() ^ "number") === ((let_1 && (let_1[c = 1 + c, 
            (0 && "a") | -1 == undefined && -0 >>> -0 << ("number" ^ -0)] = {} != false)) ^ (arguments && (arguments.set = 0 ^ 2)))) {
                c = 1 + c, (-1 % "object" === (23..toString() ^ null)) >>> (arguments_2 <<= 5 + 4 || true && 23..toString());
            }
        }
        var undefined_1_1 = f5(--b + (b = a), -2, (c = 1 + c, (true % "object" == ("b" != "number")) > ([ , 0 ][1] / "function" ^ 2 - true)) ? (c = 1 + c, 
        ((null !== 2) < (arguments_2 && (arguments_2.Infinity += "" | NaN))) / (1 == NaN | (Infinity && ""))) : (c = 1 + c, 
        (undefined * "object" | "number" <= 4) >= (false << 4 ^ (undefined_1 *= "a" <= 38..toString()))));
        function f6([], arguments_2) {
            {
                var brake23 = 5;
                while ((c = 1 + c, (-5 & "function") === "a" >>> 3 && 24..toString() >> 22 > "function" * false) && --brake23 > 0) {
                    c = 1 + c, (0 + [ , 0 ][1] | true + "number") == ("function", "b") > (undefined == "undefined");
                }
            }
            c = c + 1;
        }
        var await_1 = f6([], --b + (b ^= a), false);
        function f7() {
            function f8(arguments, b_2, undefined) {
            }
            var a = f8((c = 1 + c, ((this == "foo") <= (a_1_2 = this >= Infinity)) + ("number" / -2 != {} <= 2)));
            function f9(Infinity_2, a_2, foo) {
            }
            var undefined_1_1 = f9((c = 1 + c, (+ -4 && (a_1_2 && (a_1_2[c = 1 + c, +((-2 === -2) >> (false >>> 24..toString()))] >>= {} != "b"))) & null - "foo" == 2 % false), import.meta, (c = 1 + c, 
            3 - /[a2][^e]+$/ >> (-3 << 5) >= (-1 >>> -2 == (23..toString() | "object"))));
        }
        var async_1 = f7`${c = 1 + c, Infinity && (Infinity.Infinity = true % false >>> 5 * "foo" < (1 - Infinity && -2 >> ([ , 0 ].length === 2)))}${c = 1 + c, 
        (a_1 && ([ a_1[a++ + {
            b: (c = 1 + c, undefined_1 && (undefined_1[(c = c + 1) + arguments_2] = (arguments += [ , 0 ][1] > "undefined", 
            25 >= 4) * ((38..toString(), null) == (c = c + 1, 38..toString()))))
        }.async] ] = [ ("foo" <= -5, null === 23..toString()) ])) ^ 0 % "" & "bar" / {}}`;
        async function f10(async_1_2, undefined_1_2, async_1) {
            try {
                c = 1 + c, delete ((-2 & 23..toString()) % (-0 <= ([ , 0 ].length === 2)));
            } catch (async_1_2) {
            }
            var Infinity_2 = (c = 1 + c, 24..toString() - [] !== (true !== 5) == (null <= {} && "foo" / [ , 0 ][1]));
        }
        var a_2 = f10(false);
    }
    var arguments_1 = f3(a++ + (arguments_1 = a--));
    function f11(a_2, {
        a: undefined_1
    }) {
        {
            var brake29 = 5;
            while ((c = c + 1) + a-- && --brake29 > 0) {
                var brake30 = 5;
                do {
                    L10909: for (var brake31 = 5; -1 && brake31 > 0; --brake31) {
                        c = c + 1;
                    }
                } while (--b + (b >>>= a) && --brake30 > 0);
            }
        }
        for (var brake33 = 5; /[abc4]/g.exec(((c = c + 1) + +b || b || 5).toString()) && brake33 > 0; --brake33) {
            c = c + 1;
        }
    }
    var arguments_2 = f11("bar", {
        Infinity: a++ + ("foo" in {
            "-2": --b + [ (c = 1 + c, (c = c + 1, -2) - ("number" ^ 0) == 25 * 3 >> (0 != true)), (c = 1 + c, 
            -(5 == "undefined") + ("a" >> undefined != ("function" && Infinity))), (c = 1 + c, 
            +(Infinity === 2) ^ ({} >> "function" | 0 / true)) ][4],
            [--b + ((a_1_2 && (a_1_2[--b + Infinity] *= ([] || {}) * (null || /[a2][^e]+$/))) ^ (arguments_1 *= Infinity >> 0) / (0 - 1))]: -(a_1_2 && (a_1_2.done = (c = c + 1, 
            2) >= "a" - 2 < ("foo" && []) >>> ("number" ^ "c"))),
            [--b + +(("number" & this) < (arguments_2 && (arguments_2.get *= [ , 0 ][1] ^ [ , 0 ][1])) === (Infinity && (Infinity[typeof f13 == "function" && --_calls_ >= 0 && f13`${c = 1 + c, 
            (b_2 && (b_2.null += (3 !== /[a2][^e]+$/) << (/[a2][^e]+$/ >>> 25))) <= ([] & [ , 0 ].length === 2) >>> void "undefined"}`] = (arguments = -2 - "function") & true % -1)))]: a++ + "a",
            a: a++ + (38..toString() in {
                NaN: (c = 1 + c, (-0 ^ 1) >= (false >= this) == (-3 >= 22, -2 < /[a2][^e]+$/)),
                var: (c = 1 + c, ((null | 22) ^ "bar" >>> "") % ((true >= "number") / ("bar", -5))),
                undefined: (c = 1 + c, (b_2 && (b_2.value = NaN >> 23..toString() > (arguments && (arguments[c = 1 + c, 
                ((a_1_2 && (a_1_2[c = 1 + c, ("function" & {}) + this % 22 === (-4 * "bar" & undefined > "function")] >>>= /[a2][^e]+$/ < "")) >> (Infinity >= "")) % (({} != {}) > this * "b")] = true || "a")))) / ((22 < 23..toString()) % ("" / 25)))
            }),
            c: --b + {}[{
                1.5: (c = 1 + c, (false ^ "undefined") << (3 || "") !== ("undefined" >>> [ , 0 ][1] & [] << {}))
            }]
        }),
        get: "bar"
    });
    function f12() {
        var undefined_1_1 = b = a, b_2 = {
            static: typeof f8 == "function" && --_calls_ >= 0 && f8("number", (c = 1 + c, (c = c + 1, 
            [ , 0 ].length === 2 ^ 2) != /[a2][^e]+$/ + "foo" >> 3 * -4), (c = 1 + c, ((25 | [ , 0 ][1]) >> (arguments_2 && (arguments_2.then &= -0 >>> [ , 0 ][1]))) / ((-5 ^ null) !== 25 >= -3))),
            set: typeof (c = 1 + c, 1 >>> 4 > (true > true) >= "undefined" % "b" >>> "c" - Infinity)
        }[--b];
        var Infinity_2;
    }
    var NaN_1 = f12();
}

var NaN = f0(4, -2, {});

console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
var i = 10, g = 100, u = 10, d = 0;

var S = function(arguments, e, {
    length: r,
    in: f,
    3: a
}) {
    var c = function() {
        var t = 5;
        do {
            switch ("object" != typeof b_1) {
              case --u + [ (d = 1 + d, 1 - (e && (e[d = 1 + d, (undefined <= -4) - (d += 1, 0)] = 5 ^ this)) <= !1 >>> "foo" * {}) ][(d += 1) + (d = 1 + d, 
                typeof ((a && (a[u] = S && undefined && 0 << {})) >>> !0 * (S >>> 4)))]:
                return d = 1 + d, d = 1 + (d += 1), (0 == 38..toString() << /[a2][^e]+$/) << ~+24..toString();

              case --u + [].NaN:
                for (var n = 5; d = 1 + d, 3 === c <= !1 ^ 0 * 38..toString() > /[a2][^e]+$/ && 0 < n; --n) {
                    d = 1 + d, 23..toString();
                }
                d = 1 + d, e && (e["static"] += 2);
                break;

              case (d += 1) + (u = g):
                switch (d = 1 + d, 0 * (arguments && (arguments[d = 1 + d, ((2 === [ , 0 ].length) >>> !0 & NaN) == ("object" ^ []) + c % -2] = -2)) >> 0 + {}) {
                  default:
                  case d = 1 + d, (f && (f[--u + {}.get] = "object")) % 0:
                    break;

                  case d = 1 + d, "function" / 24..toString() | NaN | -1 * 24..toString() == 1:
                  case d = 1 + d, NaN:
                }
            }
        } while (u-- && 0 < --t);
        for (var o = 5; ~(r && (r[(d += 1) + (e && e[--u + !0])] = !0)) && 0 < o; --o) {
            for (var i = 5; --u + (r += (d += 1) + !1) && 0 < i; --i) {
                u |= g, u = g;
            }
        }
    }(g, null, null), t = async function() {
        for (var t, n = 5; /[abc4]/.test((--u + typeof --u || u || 5).toString()) && 0 < --n; ) {
            --u + (d = 1 + d, e = (4 == this) <= 80 || !1) ? (d = 1 + d, !1 - (r && (r[d = 1 + d, 
            {} >>> [] !== !1 && "b" == {} == 24..toString() <= -2] = 2 === [ , 0 ].length == "")) || (undefined <= 5) - "c" ? (d = 1 + d, 
            24..toString()) : (d = 1 + d, 38..toString(), 23..toString())) : d = 1 + d;
        }
        for (t of [ ..."" + e, (d += 1) + {
            "\t": (d = 1 + d, -3 * (r && (r[--u] += !1 * ((2 === [ , 0 ].length) >>> 0))))
        }[d = 1 + d, r = !1, undefined, e <<= NaN], +function f() {}() ]) {
            d += 1;
        }
    }(), arguments = void (g++, g--), n = function() {}`${d = 1 + d, !0 ^ "object" >>> ("" <= undefined)}${d = 1 + d, 
    (S < -5 || !0) != (f && ([ f["in"] ] = [ ("number" + c) * (arguments && (arguments.b += 0)) ]))}`;
    !function(t, n) {
        d = 1 + d, 38..toString(), 24..toString();
    }(--u + (u = g), -2, (d = 1 + (d = 1 + d), ("object" * undefined | !1) >= (0 ^ (n *= "a" <= 38..toString())))), 
    --u, u ^= g;
    for (var o = 5; d = 1 + d, NaN < 24..toString() >> 22 && 0 < --o; ) {
        d = 1 + d, undefined;
    }
    (function() {
        d = 1 + (d = 1 + d), (a = c <= this) && (a[d = 1 + d, +(!0 >> (!1 >>> 24..toString()))] >>= "b" != {}), 
        import.meta, d = 1 + d, 23..toString();
    })`${d = 1 + (d += 1), c && (c.Infinity = 0 < (1 - c && -2 >> (2 === [ , 0 ].length)))}${d = 1 + d, 
    (f && ([ f[g++ + {
        b: (d = 1 + d, n && (n[(d += 1) + t] = (arguments += !1, !0 * (38..toString(), null == (d += 1, 
        38..toString())))))
    }["async"]] ] = [ null === 23..toString() ])) ^ NaN & "bar" / {}}`, async function() {
        try {
            d = 1 + d, 23..toString();
        } catch (t) {}
        d = 1 + d, 24..toString();
    }(), t = function() {
        for (var t = 5; (d += 1) + g-- && 0 < --t; ) {
            var n = 5;
            do {
                for (var o = 5; 0 < o; --o) {
                    d += 1;
                }
            } while (--u + (u >>>= g) && 0 < --n);
        }
        for (var i = 5; /[abc4]/g.exec(((d += 1) + +u || u || 5).toString()) && 0 < i; --i) {
            d += 1;
        }
    }((g++, --u, d = 1 + d, d = 1 + (d += 1), undefined, d = 1 + d, --u, a && (a[--u + c] *= [] * /[a2][^e]+$/), 
    a && (a.done = (d += 1, !1 < [] >>> 0)), --u, t && (t.get *= 0), c && (c["function" == typeof f13 && 0 <= --i && f13`${d = 1 + d, 
    (e && (e["null"] += 1)) <= ([] & 2 === [ , 0 ].length) >>> void 0}`] = 0 & (arguments = NaN)), 
    g++, g++, 38..toString(), d = 1 + (d = 1 + (d = 1 + d)), e && (e.value = S >> 23..toString() > (arguments && (arguments[d = 1 + d, 
    ((a && (a[d = 1 + d, ("function" & {}) + this % 22 == (NaN & "function" < undefined)] >>>= !1)) >> ("" <= c)) % ("b" * this < ({} != {}))] = !0))), 
    23..toString(), --u, d = 1 + d)), u = g, "function" == typeof f8 && 0 <= --i && f8("number", (d = 1 + d, 
    0 != (d += 1, 2 === [ , 0 ].length ^ 2)), (d = 1 + d, (25 >> (t && (t.then &= 0))) / !0)), 
    d = 1 + d, --u;
}(4, -2, {});

console.log(null, g, u, d, Infinity, S, undefined);
original result:
null 98 97 186 Infinity undefined undefined

uglified result:
null 98 97 185 Infinity undefined undefined

// reduced test case (output will differ)

// (beautified)
function f0(b_2, {}) {
    function f3(arguments) {
        function f4() {}
        f4`${arguments}`;
        function f6() {
            while (console.log()) {}
        }
        f6();
    }
    f3();
    arguments[1];
}

f0(2, {});
// output: 
// 
// minify: TypeError: Cannot read property '1' of undefined
// options: {
//   "ie": true,
//   "toplevel": true,
//   "mangle": {
//     "v8": true
//   },
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "ie": true,
  "toplevel": true,
  "mangle": {
    "v8": true
  },
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  inline
  reduce_vars
  unused

Suspicious options:
  rename
  toplevel
@alexlamsl alexlamsl added the bug label Jan 4, 2022
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Jan 4, 2022
@alexlamsl
fix corner cases in inline
97fc336 
fixes mishoo#5263
fixes mishoo#5264
@alexlamsl alexlamsl mentioned this issue Jan 4, 2022
Merged
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Jan 4, 2022
@alexlamsl
fix corner cases in inline
3eefc98 
fixes mishoo#5263
fixes mishoo#5264
alexlamsl added a commit that referenced this issue Jan 4, 2022
@alexlamsl
fix corner cases in inline (#5265)
3a3666a 
fixes #5263
fixes #5264
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix corner cases in inline alexlamsl/UglifyJS
1 participant
@alexlamsl