
ufuzz failure #5087

Closed
alexlamsl opened this issue Jul 19, 2021 · 0 comments · Fixed by #5088
@alexlamsl
Collaborator

// original code
// (beautified)
// Globals shared by the whole test case. The final console.log prints a, b and c
// so that the original and the minified run can be compared value by value.
// `_calls_` is not referenced anywhere else in this listing.
var _calls_ = 10, a = 100, b = 10, c = 0;

/**
 * Fuzzer-generated body of the failing case (input side of the differential test).
 *
 * Sloppy-mode only: the parameter name `foo_2` is declared twice, which strict
 * mode rejects. Invoked once as f0(1). It has no return statement; its observable
 * effect is the mutation of the globals b and c (the global a is shadowed by the
 * local `var a` declarations in f0 and f1).
 */
function f0(foo_2, a_1, foo_2) {
    function f1() {
        function f2({
            c: bar,
            foo: b_2,
            null: arguments
        }, arguments_2 = 1) {
            function f3(Infinity) {
            }
            // b_2 is the destructured `foo` property. Guard and assignment target are
            // the same binding here, so a falsy b_2 skips the write and a primitive
            // b_2 makes it a silent no-op in sloppy mode. In the uglified listing the
            // guard reads `b` while the target is still `b_2.b`.
            var Infinity_2 = f3(NaN, 4, (c = 1 + c, b_2 && (b_2.b = (3 && 0) <= ("foo" !== undefined) ^ (4 ^ "") >> (/[a2][^e]+$/ ^ "object"))));
        }
        // `foo` resolves to the global b because 0 === 1 is false; f2 has no return statement.
        var a = f2({
            foo: 0 === 1 ? a : b,
            1.5: 1
        });
        function f4([], a_2) {
            {
                var expr1 = (c = 1 + c, ("function" & {} ^ (a_1 && (a_1.then = 3 && "bar"))) * (("b" || -3) & (this && -4)));
                for (var key1 in expr1) {
                    c = 1 + c, (c = c + 1, "undefined" == -1) - (key1 += (a_1 && (a_1[c = 1 + c, foo_2 = (-1 != true === (null === "bar"), 
                    a = 4 % "number" >= 38..toString() >> -2)] = 0 > "function")) | -1 % 25);
                }
            }
            {
                var expr3 = (c = 1 + c, c = c + 1, (c = c + 1, 1) + ({} + 25));
                for (var key3 in expr3) {
                    c = 1 + c, ("bar", -0) >>> ("object" != Infinity) != (NaN == "function" || 5 * -1);
                }
            }
        }
        // This local `NaN` shadows the global NaN throughout f1. f4 has no return
        // statement, so the call assigns undefined to it.
        var NaN = f4([ --b + ((c = 1 + c, c = c + 1, "a" / 5 >> (/[a2][^e]+$/ & true)) || 9).toString()[c = 1 + c, 
        (c = c + 1, "a" ^ "function") >> (a_1 = false / "undefined" * (null === "bar"))], this, a++ + +function bar_2() {
        }() ], a++ + a, -3);
        function f5(a_1, a_2, a_2) {
            c = 1 + c, (foo_2 += -4 != 24..toString()) % ([] === "undefined") === (true != 22) <= (a_2 && (a_2[c = 1 + c, 
            (([ , 0 ][1], "a") ^ ([ , 0 ][1] ^ 25)) & (4, "object", NaN && (NaN[c = 1 + c, 24..toString() * /[a2][^e]+$/ >> ("foo" !== -5) != ([] ^ -4) < ("c" >= 25)] = 0 >>> /[a2][^e]+$/))] /= (-5, 
            /[a2][^e]+$/)));
            c = c + 1;
        }
        var NaN_2 = f5(0 === 1 ? a : b);
        function f6(bar) {
            try {
                c = 1 + c, ((23..toString() ^ 23..toString()) >> ("c" << NaN)) / (NaN_2 && ({
                    "\t": NaN_2.null
                } = {
                    "\t": (Infinity === [ , 0 ][1]) / ([] << 23..toString())
                }));
            } catch (a_2) {
            } finally {
            }
            {
                // brake9 caps the number of iterations of the labelled loop below.
                var brake9 = 5;
                L13367: while ((c = 1 + c, -1 * false > (bar && ({
                    async: bar.null
                } = {
                    async: "function" << false
                })) && (null || -3) * (-4 % -1)) && --brake9 > 0) {
                    c = 1 + c, ((NaN = 22 ^ "") >= (foo_2 && (foo_2.next = 23..toString() % 0))) / (24..toString() > "" == (a = Infinity >= "number"));
                }
            }
        }
        var a_2 = f6({
            get: (c = 1 + c, (foo_2 && (foo_2[c = 1 + c, ((false !== 22) + ("b" & -0)) % ((c = c + 1, 
            3) * (1 >= "undefined"))] >>>= 4 === 3), 24..toString() & [ , 0 ][1]) ^ ([] | "function" || -5 != NaN))
        }, this);
        function f7(b, a_2) {
            function f8(foo_2_2) {
            }
            var b = f8();
            function f9(b_2, NaN_2, a_1) {
            }
            var a_1 = f9();
            function f10(b_2, a_1, foo) {
            }
            var bar = f10("b", (c = 1 + c, ("" ^ [ , 0 ][1] | "b" >> 22) >= ((-3 ^ 0) != (-1 ^ 25))), -5);
        }
        var foo_2_1 = f7();
    }
    // f1 declares no parameters; of these arguments only the third has a side
    // effect, the compound assignment to foo_2.
    var a = f1(undefined, "function", foo_2 /= b + 1 - .1 - .1 - .1);
}

// Run the generated function once, then print the observable state. The
// "original result" line further down is the output of this console.log.
var bar_1 = f0(1);

console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
// Same globals as in the original listing; the minifier left this declaration unchanged.
var _calls_ = 10, a = 100, b = 10, c = 0;

/**
 * Minifier output for f0 (beautified). The nested function declarations of the
 * original have been collapsed into immediately invoked function expressions.
 * This is the code that throws in the "uglified result" below.
 */
function f0(foo_2, a_1, foo_2) {
    !function() {
        // Point of divergence: b_2 is declared but never assigned in this listing,
        // while the guard on the next line tests the global b instead of b_2.
        // b is truthy (10) at this point, so `b_2.b = 5` runs against undefined and
        // raises the TypeError reported in the uglified result. In the original,
        // guard and target were the same destructured binding.
        var b_2;
        c = 1 + c, b && (b_2.b = 5);
        var NaN = function() {
            var key1, key3;
            for (key1 in c = 1 + c, ("function" & {} ^ (a_1 && (a_1.then = "bar"))) * ("b" & (this && -4))) {
                c = 1 + c, c += 1, key1 += -1 | (a_1 && (a_1[c = 1 + c, foo_2 = 0 / 0 >= 38..toString() >> -2] = !1));
            }
            for (key3 in c = 1 + c, c += 1, c += 1, 1 + ({} + 25)) {
                c = 1 + c;
            }
        }((--b, c = 1 + c, c += 1, 9..toString()[c = 1 + c, c += 1, 0 >> (a_1 = 0 / 0)])), NaN_2 = function(a_2, a_2) {
            c = 1 + c, foo_2 += -4 != 24..toString(), a_2 && (a_2[c = 1 + c, 25 & (NaN && (NaN[c = 1 + c, 
            24..toString() * /[a2][^e]+$/ >> !0 != (-4 ^ []) < !1] = 0))] /= /[a2][^e]+$/), 
            c += 1;
        }();
        !function(bar) {
            try {
                c = 1 + c, 23..toString(), 23..toString(), NaN_2 && ({
                    "\t": NaN_2.null
                } = {
                    "\t": !1 / ([] << 23..toString())
                });
            } catch (a_2) {}
            c = 1 + c, bar && ({
                async: bar.null
            } = {
                async: 0
            });
        }({
            get: (c = 1 + c, foo_2 && (foo_2[c = 1 + c, 1 % (!1 * (c += 1, 3))] >>>= !1), 0 & 24..toString() ^ ("function" | [] || -5 != NaN))
        }), c = 1 + c;
    }(foo_2 /= b + 1 - .1 - .1 - .1);
}

// Same driver as the original. `1 / 0` and `void 0` are the minifier's spellings
// of Infinity and undefined. Per the stack trace in the uglified result, the call
// to f0 throws, so this console.log is never reached.
var bar_1 = f0(1);

console.log(null, a, b, c, 1 / 0, NaN, void 0);
original result:
null 100 9 33 Infinity NaN undefined

uglified result:
evalmachine.<anonymous>:1
var _calls_=10,a=100,b=10,c=0;function f0(foo_2,a_1,foo_2){!function(){var b_2;c=1+c,b&&(b_2.b=5);var NaN=function(){var key1,key3;for(key1 in c=1+c,("function"&{}^(a_1&&(a_1.then="bar")))*("b"&(this&&-4)))c=1+c,c+=1,key1+=-1|(a_1&&(a_1[c=1+c,foo_2=0/0>=38..toString()>>-2]=!1));for(key3 in c=1+c,c+=1,c+=1,1+({}+25))c=1+c}((--b,c=1+c,c+=1,9..toString()[c=1+c,c+=1,0>>(a_1=0/0)])),NaN_2=function(a_2,a_2){c=1+c,foo_2+=-4!=24..toString(),a_2&&(a_2[c=1+c,25&(NaN&&(NaN[c=1+c,24..toString()*/[a2][^e]+$/>>!0!=(-4^[])<!1]=0))]/=/[a2][^e]+$/),c+=1}();!function(bar){try{c=1+c,23..toString(),23..toString(),NaN_2&&({"\t":NaN_2.null}={"\t":!1/([]<<23..toString())})}catch(a_2){}c=1+c,bar&&({async:bar.null}={async:0})}({get:(c=1+c,foo_2&&(foo_2[c=1+c,1%(!1*(c+=1,3))]>>>=!1),0&24..toString()^("function"|[]||-5!=NaN))}),c=1+c}(foo_2/=b+1-.1-.1-.1)}var bar_1=f0(1);console.log(null,a,b,c,1/0,NaN,void 0);
                                                                                              ^

TypeError: Cannot set property 'b' of undefined
    at evalmachine.<anonymous>:1:95
    at f0 (evalmachine.<anonymous>:1:820)
    at evalmachine.<anonymous>:1:852
    at ContextifyScript.Script.runInContext (vm.js:59:29)
    at Object.runInContext (vm.js:120:6)
    at run_code_vm (D:\a\UglifyJS\UglifyJS\test\sandbox.js:257:12)
    at Object.exports.run_code (D:\a\UglifyJS\UglifyJS\test\sandbox.js:37:16)
    at run_code (D:\a\UglifyJS\UglifyJS\test\ufuzz\index.js:2082:20)
    at D:\a\UglifyJS\UglifyJS\test\ufuzz\index.js:2482:29
    at Array.forEach (<anonymous>)
// reduced test case (output will differ)

// (beautified)
// Truthy primitive that is passed to f2 below as the `foo` property.
var b = 1;

/**
 * Reduced reproduction: two levels of nesting around a function whose parameter
 * destructures `foo` into b_2 and then guards a property read on it.
 * As written, b_2 is 1, so `b_2.b` reads a property of a number primitive and
 * yields undefined without throwing. The `// minify:` line after this listing
 * reports a TypeError reading 'b' of undefined instead, which is consistent with
 * the guard and the member access no longer referring to the same binding (the
 * pattern visible in the uglified listing of the full case).
 */
function f0() {
    function f1() {
        function f2({
            foo: b_2
        }) {
            // The guard and the member access must stay on the same binding.
            b_2 && b_2.b;
        }
        f2({
            foo: b
        });
    }
    f1();
}

// Single call that runs the reproduction; the unminified case prints nothing.
f0();
// output: 
// minify: TypeError: Cannot read property 'b' of undefined
// options: {
//   "mangle": false,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "mangle": false,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  collapse_vars
  conditionals
  evaluate
  inline
  keep_fargs
  properties
  reduce_vars
  side_effects
  unused
@alexlamsl alexlamsl added the bug label Jul 19, 2021
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Jul 19, 2021
alexlamsl added a commit that referenced this issue Jul 19, 2021