Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ufuzz failure #5638

Closed
alexlamsl opened this issue Aug 30, 2022 · 0 comments · Fixed by #5639
Closed

ufuzz failure #5638

alexlamsl opened this issue Aug 30, 2022 · 0 comments · Fixed by #5639
Labels
bug

Comments

@alexlamsl
Copy link
Collaborator 

// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

{
    +a ? void function bar() {
        {
            var brake3 = 5;
            L10119: do {
                {
                    var expr4 = (c = c + 1) + (typeof f0 == "function" && --_calls_ >= 0 && f0(...[ (c = 1 + c, 
                    (true === undefined === (NaN ^ "a")) <= (-3 + "c", 1 < Infinity)), (c = 1 + c, 
                    (true === "bar" && "a" | "a") + (22 >= [ , 0 ][1] == (-3 || 3))) ], "object", -5));
                    for (bar in expr4) {
                        c = c + 1;
                    }
                }
            } while (a-- && --brake3 > 0);
        }
        return;
    }() : ++a;
}

{
    var brake7 = 5;
    while (a++ + new function a_1(foo_1) {
        try {
            return (c = c + 1) + {
                async: a++ + ((/[a2][^e]+$/ >>> "b" === -1 - null) >= ("" || -3 || ({}, 
                "undefined")))
            }.async;
        } catch (arguments_2) {
            const a_2 = {
                [--b]: --b + typeof a++
            };
            {
                var expr10 = --b + (b >>= a);
                L10120: for (var key10 in expr10) {
                    c = 1 + c;
                    var Infinity_1 = expr10[key10];
                    {
                        return b = a;
                    }
                }
            }
        }
    }((c = c + 1) + (0 === 1 ? a : b)) && --brake7 > 0) {
        var expr12 = "undefined";
        for (var key12 in expr12) {
            c = 1 + c;
            var foo_1 = expr12[key12];
            a++ + [ typeof key12 == "function" && --_calls_ >= 0 && key12(foo_1, key12 && typeof key12.then == "function" && --_calls_ >= 0 && key12.then(-((3 === "a" ^ -1 <= "undefined") != 38..toString() > NaN >= ("c" || 24..toString())), 2, NaN), "object"), typeof bar ][(c = c + 1) + ({
                value: --b + (foo_1 &&= b++)
            }.async || a || 3).toString()];
        }
    }
}

(c = c + 1) + !(a && (a[!function Infinity_2() {
}()] = Infinity === NaN === -2 * "b" | (25 !== "b" | 4 >= Number(0xdeadn << 16n | 0xbeefn))));

console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
var n, o, e, f = 10, t = 100, i = 10, r = 0;

for (+t ? function bar() {
    var n = 5;
    do {
        for (bar in (r += 1) + ("function" == typeof f0 && 0 <= --f && f0(!0, (r = 1 + (r = 1 + r), 
        0), "object", -5))) {
            r += 1;
        }
    } while (t-- && 0 < --n);
}() : ++t, n = 5; t++ + new function a_1(foo_1) {
    try {
        return (r += 1) + (t++ + !0);
    } catch (n) {
        for (var o in --i, --i, --i + (i >>= ++t)) {
            return r = 1 + r, i = t;
        }
    }
}(r += 1) && 0 < --n; ) {
    for (o in "undefined") {
        r = 1 + r, t++, "function" == typeof o && 0 <= --f && o(e = "undefined"[o], o && "function" == typeof o.then && 0 <= --f && o.then(-0, 2, NaN), "object"), 
        r += 1, ({
            value: --i + (e &&= i++)
        }.async || t || 3).toString();
    }
}

r += 1, t && (t[!0] = !0 | +("" + (0xdeadn << 16n | 0xbeefn)) <= 4 | !1), console.log(null, t, i, r, Infinity, NaN, void 0);
original result:
null 141 10 88 Infinity NaN undefined

uglified result:
null 141 -26 88 Infinity NaN undefined

// reduced test case (output will differ)

// (beautified)
var b;

var expr12 = "undefined";

for (var key12 in expr12) {
    var foo_1 = expr12[key12];
    (key12 == "function" && foo_1)[foo_1 &&= b++];
}

console.log(b);
// output: NaN
// 
// minify: undefined
// 
// options: {
//   "compress": {
//     "hoist_vars": true,
//     "keep_infinity": true,
//     "passes": 1000000,
//     "unsafe": true
//   },
//   "keep_fargs": true,
//   "keep_fnames": true,
//   "toplevel": true,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "compress": {
    "hoist_vars": true,
    "keep_infinity": true,
    "passes": 1000000,
    "unsafe": true
  },
  "keep_fargs": true,
  "keep_fnames": true,
  "toplevel": true,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  collapse_vars
  hoist_vars
  pure_getters
  reduce_vars

Suspicious options:
  toplevel
@alexlamsl alexlamsl added the bug label Aug 30, 2022
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Aug 30, 2022
@alexlamsl
fix corner case in collapse_vars
ec843a3 
fixes mishoo#5638
@alexlamsl alexlamsl mentioned this issue Aug 30, 2022
Merged
alexlamsl added a commit that referenced this issue Aug 31, 2022
@alexlamsl
fix corner case in collapse_vars (#5639)
f63b7b0 
fixes #5638
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix corner case in collapse_vars alexlamsl/UglifyJS
1 participant
@alexlamsl