ufuzz failure #5912

alexlamsl · 2024-08-07T09:12:22Z

// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

try {
    {
        var b = function f0(b_2, a, bar) {
            {
                var bar = function f1(a_1) {
                    var b_2 = --b + (1 === 1 ? a : b);
                }("bar", bar[typeof (--b + ++b)], 25);
            }
            switch (+function c_1() {}()) {
              case new function b_2(a_1) {
                    if ({
                        "": (c = 1 + c, ("a" || 2) / (NaN ^ 23..toString()) >= (23..toString() & true ^ (1 | "function"))),
                        static: (c = 1 + c, ("bar" ^ -5) + ("" === null) + (bar = (24..toString() != false) >= (1 === 1)))
                    }) {} else {
                        for (var brake8 = 5; typeof yield_1 === "unknown" && brake8 > 0; --brake8) {
                            var foo;
                        }
                    }
                    c = c + 1;
                }({
                    a: 0 === 1 ? a : b,
                    "\t": --b + a++,
                    a: (c = c + 1) + [ (c = 1 + c, ((c = c + 1, -1) > (a >>>= 22 << 5)) * (a && (a[typeof b_2 == "function" && --_calls_ >= 0 && b_2(-4)] = ("foo" == 2) <= (-5 < NaN)))), (c = 1 + c, 
                    (a = 5 & {} ^ ("bar" | "number")) != ("number" ^ undefined) >>> ([] != -2)) ][(c = c + 1) + !function arguments_1() {
                    }()],
                    value: typeof bar == "function" && --_calls_ >= 0 && bar(),
                    3: --b + (typeof a_2 == "string")
                }[bar ? (c = c + 1) + (typeof bar == "function" && --_calls_ >= 0 && bar("b")) : a++ + (bar && (bar.async = (-5 === 24..toString() ^ Infinity < -3) + ((5 ?? "number") >= (3, 
                1))))], [][bar.b], !function b_2_1() {}()):
                b++;
                break;

              case a--:
                for (var brake12 = 5; {
                    var: typeof (--b + function foo_2() {
                    }()),
                    value: a++ + [ (c = 1 + c, "function" / "b" === 0 << this || ((b_2 %= -3 >= "b") || (false, 
                    0))), (c = 1 + c, [] <= 0 == !this | 38..toString() >> -3 >> "function" % Infinity) ][{}.var],
                    bar: bar
                }.async && brake12 > 0; --brake12) {
                    try {
                        c = c + 1;
                    } finally {
                        {
                            var brake15 = 5;
                            L29539: while (a++ + (("number" <= 3) / (false & 4), 
                            -5 / 0 * ("" ^ 4)) && --brake15 > 0) {
                                var expr16 = (c = 1 + c, (NaN >>> "" < (-1 != "function")) - (25 * -0, 
                                undefined | false));
                                L29540: for (var key16 in expr16) {
                                    c = 1 + c, "number" % 38..toString() === (2 | {}) != ({} >= [], 
                                    -2 * true);
                                }
                            }
                        }
                    }
                }
                break;

              case (c = c + 1) + (typeof foo != "string"):
                {
                    throw [ (c = c + 1) + (bar && typeof bar.c == "function" && --_calls_ >= 0 && bar.c()), (c = c + 1) + (this in {
                        foo: (c = 1 + c, !3 > ("foo" > "") <= "b" % 4 + (bar && (bar[c = 1 + c, 
                        undefined < 23..toString() & [ , 0 ][1] % null, a = 1 > null ^ 24..toString() != []] *= 24..toString() ^ -2)))
                    }), ...[], (c = c + 1) + -4, a++ + 5 ].next;
                }
                switch ((c = c + 1) + void function NaN_1() {
                    {
                        c = 1 + c, NaN_1 && ([ NaN_1[/[abc4]/.test(((c = c + 1) + {
                            "-2": (c = 1 + c, ("b" % "object" & (23..toString() || 24..toString())) >= (([ 3n ][0] > 2 == undefined) < 1 >>> NaN))
                        } || b || 5).toString())] ] = [ ([ , 0 ].length === 2 != 24..toString() | 22 != "foo") >> (("bar" != 3) >= NaN + -2) ]);
                    }
                }()) {
                  case a++ + --b:
                    {
                        var expr22 = [ bar, --b + (0 === 1 ? a : b) ];
                        for (var key22 of expr22) {
                            c = 1 + c;
                            var foo = expr22[key22];
                            {
                                var brake23 = 5;
                                do {
                                    return c = 1 + c, ("function" || null) == (null ^ []) && (foo && (foo.set = "b" >>> ([ , 0 ].length === 2))) | -2 === /[a2][^e]+$/;
                                } while ([ (c = 1 + c, key22 && (key22[a++ + !function() {
                                    c = 1 + c, (+ -0, bar && (bar[c = 1 + c, ("c" !== [ , 0 ][1]) + ([] ?? 23..toString()) == [ , 0 ][1] % "c" >= -2 + undefined] = "number" ^ 3)) << (undefined ?? null ?? -0 <= Infinity);
                                }()] += (false <= -3) % (38..toString() << 1) < ("foo" != 38..toString()) << ({} ?? "c"))) ].c && --brake23 > 0);
                            }
                        }
                    }
                    break;

                  case [ (1 >= "foo" ^ (c = c + 1, -3)) - ("c" == 1 | [] != -4) ]:
                    !b;
                    --b + ({}.done ? "foo" : (c = c + 1) + /[abc4]/g.exec(((c = 1 + c, 
                    ([ , 0 ].length === 2 && 3) <= (3 == null) > (a = [ , 0 ][1] / "c") << 23..toString() / NaN) || b || 5).toString()));
                    break;

                  case new function b_1(foo_2) {
                        {
                            var brake28 = 5;
                            do {
                                c = 1 + c, (b_2 && (b_2[b %= a] += "foo" | -0 || 24..toString() !== 25)) ^ +([] < 1);
                            } while (-1 && --brake28 > 0);
                        }
                        {
                            var brake30 = 5;
                            while ([] && --brake30 > 0) {
                                for (var brake31 = 5; (c = 1 + c, bar && (bar[[].null] >>= ("number" < "number") * (Infinity ^ "bar") >= ([ , 0 ][1] !== this) % ("function" ?? -1))) && brake31 > 0; --brake31) {
                                    c = 1 + c, ([ , 0 ].length === 2 == -4) << (-4 ^ {}) != (/[a2][^e]+$/ < "") % (true === ([ , 0 ].length === 2));
                                }
                            }
                        }
                        ({
                            foo: (c = 1 + c, c = c + 1, -3 >>> 1 || "object" === "number"),
                            b: (c = 1 + c, delete [] && 0 % ([ , 0 ].length === 2) && -0 >> 38..toString() >>> ({} ^ 22)),
                            [(c = 1 + c, (("number" ^ 5) & (b_2 = -4 + false)) < ([ , 0 ][1] ^ "function") / ("a" | NaN))]: (c = 1 + c, 
                            bar && (bar[--b + void b] += "undefined" << "undefined" & -0 % -2 ^ (Infinity === "foo") >>> (0 !== {})))
                        }).done;
                        c = c + 1;
                        {
                            var brake35 = 5;
                            while (foo_2 && --brake35 > 0) {
                                var expr36 = (c = 1 + c, ((this ?? (-42n).toString()) < (undefined < "")) - (bar && (bar[a++ + ([] in [ (c = 1 + c, 
                                (24..toString() >= "foo") + (3 < "undefined") >> (-5 == "number") + ("b" >>> [])) ])] |= (1 || -4) ^ Infinity + NaN)));
                                for (var key36 in expr36) {
                                    c = 1 + c;
                                    var bar = expr36[key36];
                                    c = 1 + c, (null, -1) << 38..toString() + [ , 0 ][1] ^ (4 % [ , 0 ][1]) ** (-4 == 2);
                                }
                            }
                        }
                    }():
                    break;

                  default:
                }
                (c = c + 1) + (b + 1 - .1 - .1 - .1);
                break;

              case --b + (b = a):
            }
        }(typeof b_2, /[abc4]/.test(((c = c + 1) + (b && b[a++ + b]) || b || 5).toString()), "a");
    }
} catch (NaN) {
    c = c + 1;
    if ((c = c + 1) + (NaN && typeof NaN.null == "function" && --_calls_ >= 0 && NaN.null((c = c + 1) + a++))) {
        ({
            [[]]: {
                __proto__: (c = c + 1) + (--b + typeof (a++ + {
                    async: (c = 1 + c, NaN += (-5 ^ {}) >>> (-4 << [ , 0 ][1]) << (NaN && (NaN[a++] = -5 > this & (5 ^ "b"))))
                }[c = 1 + c, (NaN && (NaN[c = 1 + c, (3 === 38..toString() ^ "bar" <= null) - ((25 ^ []) - ([] ^ 3))] = 4 * -1), 
                -3 === "foo") ^ (undefined > [ , 0 ][1], 4 ^ false)]) || 9).toString()[(c = c + 1) + delete b] || {},
                b: b *= a
            }.length,
            "-2": (c = c + 1) + b
        })[--b + (b && b.next)];
    } else {
        var expr42 = (c = c + 1) + typeof bar_1;
        for (b in expr42) {
        }
    }
} finally {}

{
    var brake44 = 5;
    while ((--b + /[abc4]/g.exec(([ --b + a++, ..."" + b, (c = c + 1) + (b && b[typeof f0 == "function" && --_calls_ >= 0 && f0(b--, null)]), (c = c + 1) + (typeof b == "function" && --_calls_ >= 0 && b({}, [ , 0 ][1])), a++ + [ a++ + b ].a ] || b || 5).toString()) || a || 3).toString() && --brake44 > 0) {
        c = c + 1;
    }
}

console.log(null, a, b, c, Infinity, NaN, undefined);

// uglified code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

try {
    b = function(b_2, a, bar) {
        bar[typeof (--b + ++b)];
        var foo, bar = void --b;
        switch (NaN) {
          case new function(a_1) {
                c = 1 + c, 23..toString(), 23..toString(), c = 1 + c, bar = !0 <= (0 != 24..toString()), 
                c += 1;
            }((--b, a++, c = 1 + (c += 1), c += 1, (a >>>= 704) && (a["function" == typeof b_2 && 0 <= --_calls_ && b_2(-4)] = !0), 
            c = 1 + c, a = 5 & {} ^ 0, c += 1, "function" == typeof bar && 0 <= --_calls_ && bar(), 
            --b, bar ? (c += 1, "function" == typeof bar && 0 <= --_calls_ && bar("b")) : (a++, 
            bar && (bar.async = (-5 === 24..toString() ^ !1) + !0)))):
            b++;
            break;

          case a--:
            for (var brake12 = 5; {
                var: typeof (--b + void 0),
                value: a++ + [ NaN === 0 << this || (b_2 %= !1) || 0, (c = 1 + (c = 1 + c), 
                [] <= 0 == !this | 38..toString() >> -3 >> NaN) ][{}.var],
                bar: bar
            }.async && 0 < brake12; --brake12) {
                try {
                    c += 1;
                } finally {
                    for (var brake15 = 5; a++ + -1 / 0 && 0 < --brake15; ) {
                        c = 1 + c;
                        for (var key16 in 1) {
                            c = 1 + c, 38..toString();
                        }
                    }
                }
            }
            break;

          case (c += 1) + ("string" != typeof foo):
            throw [ (c += 1) + (bar && "function" == typeof bar.c && 0 <= --_calls_ && bar.c()), (c += 1) + (this in {
                foo: (c = 1 + c, !1 <= NaN + (bar && (bar[c = 1 + c, 23..toString(), 
                a = !0 ^ 24..toString() != []] *= -2 ^ 24..toString())))
            }), (c += 1) + -4, 5 + a++ ].next;

          case --b + (b = a):
        }
    }(typeof b_2, /[abc4]/.test(((c += 1) + (b && b[a++ + b]) || b || 5).toString()), "a");
} catch (NaN) {
    if ((c = c + 1 + 1) + (NaN && "function" == typeof NaN.null && 0 <= --_calls_ && NaN.null((c += 1) + a++))) {
        (--b + typeof (a++ + {
            async: (c = 1 + (c += 1), NaN += (-5 ^ {}) >>> -4 << (NaN && (NaN[a++] = this < -5 & 5)))
        }[c = 1 + c, 4 ^ (NaN && (NaN[c = 1 + c, (3 === 38..toString() ^ !1) - ((25 ^ []) - (3 ^ []))] = -4), 
        !1)]) || 9).toString()[(c += 1) + delete b], b *= a, c += 1, --b && b.next;
    } else {
        var expr42 = (c += 1) + typeof bar_1;
        for (b in expr42) {}
    }
}

for (var brake44 = 5; (--b + /[abc4]/g.exec([ --b + a++, ..."" + b, (c += 1) + (b && b["function" == typeof f0 && 0 <= --_calls_ && f0(b--, null)]), (c += 1) + ("function" == typeof b && 0 <= --_calls_ && b({}, 0)), a++ + [ a++ + b ].a ].toString()) || a || 3).toString() && 0 < --brake44; ) {
    c += 1;
}

console.log(null, a, b, c, 1 / 0, NaN, void 0);

original result:
null 118 607 28 Infinity NaN undefined

uglified result:
null 116 NaN 24 Infinity NaN undefined

// reduced test case (output will differ)

// (beautified)
(function f0(bar) {
    var bar = bar[0];
    new function b_2() {}(0 && bar.async, bar.b);
})(0);
// output: TypeError: Cannot read properties of undefined (reading 'b')
// minify: 
// options: {
//   "mangle": false,
//   "module": false,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }

minify(options):
{
  "mangle": false,
  "module": false,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  pure_getters
  reduce_vars
  unused

The text was updated successfully, but these errors were encountered:

fixes mishoo#5912

fixes #5912

alexlamsl added the bug label Aug 7, 2024

alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Aug 7, 2024

fix corner case in reduce_vars

d700395

fixes mishoo#5912

alexlamsl mentioned this issue Aug 7, 2024

fix corner case in reduce_vars #5913

Merged

alexlamsl closed this as completed in #5913 Aug 7, 2024

alexlamsl added a commit that referenced this issue Aug 7, 2024

fix corner case in reduce_vars (#5913)

69f4e3a

fixes #5912

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ufuzz failure #5912

ufuzz failure #5912

alexlamsl commented Aug 7, 2024

ufuzz failure #5912

ufuzz failure #5912

Comments

alexlamsl commented Aug 7, 2024