
ufuzz failure #4805

Closed
alexlamsl opened this issue Mar 19, 2021 · 3 comments · Fixed by #4808

@alexlamsl
Collaborator

// original code
// (beautified)
// Shared state for the generated program: `_calls_` is a budget that is decremented before each
// guarded call (`--_calls_ >= 0 && ...`), and `a`, `b`, `c` are counters printed by the final console.log.
export var _calls_ = 10, a = 100, b = 10, c = 0;

// Fuzzer-generated function (ufuzz): the statements exist to exercise the minifier, not to be read.
// Guarded calls spend the `_calls_` budget, and the `brake*` counters bound each `while`,
// `do...while` and counted `for` loop so the program terminates.
function f0(a_2, c_1) {
    if (--b + [ --b + (c_1 && (c_1[Infinity in [ (c = 1 + c, "bar" * 22 > ("" > -1) != (5 ^ 38..toString()) % (undefined || "c")), (c = 1 + c, 
    ("bar" << 2 ^ true === "bar") <= (22 >= 1) % ("number" < "a")), , (c = 1 + c, undefined << 38..toString() === (0 & false) !== (null << 24..toString()) + +38..toString()), (c = 1 + c, 
    delete ("number" * "function") ^ "" << 4 << (([ , 0 ].length === 2) >>> -2)) ]] = (22 ^ -3, 
    c = c + 1, 22)) && ([ , 0 ][1] === 5) + (this ^ "foo")) ]) {
        var brake2 = 5;
        while ((c = c + 1) + (a_2 && a_2.done) && --brake2 > 0) {}
    } else {
        var brake4 = 5;
        while (--b + (b = a) && --brake4 > 0) {
            var expr5 = [ (c = c + 1) + (typeof a_1 != "special"), a_2 && a_2.null ];
            L10587: for (c_1 of expr5) {
                c = 1 + c;
                var Infinity_1 = expr5[c_1];
                {
                    var brake6 = 5;
                    do {
                        return typeof f1 == "function" && --_calls_ >= 0 && f1();
                    } while (void function() {
                        {
                            return a++ + /[abc4]/g.exec(((c = c + 1) + +function() {
                            }() || b || 5).toString());
                        }
                        var b_2 = (a++ + [ (c = 1 + c, ("" <= Infinity || -1 > "a") * (1 + "b" & -2 < false)), (c = 1 + c, 
                        (false || 3) + ("object" > ([ , 0 ].length === 2)) - ((undefined && NaN) != (true && 38..toString()))), (c = 1 + c, 
                        (a_2 >>>= (-0 !== 38..toString()) >= ("" <= 5)) & 24..toString() >> 4 >= {} >> true) ] || 9).toString()[!b], b_2_1 = a++ + b_2_1;
                        try {
                            return --b + b_2;
                        } catch (a_2) {
                            for (var brake12 = 5; (c = 1 + c, c = c + 1, (/[a2][^e]+$/ ^ [ , 0 ][1]) & 24..toString() << 3) && brake12 > 0; --brake12) {
                                c = 1 + c, ("function" | -0) * ([ , 0 ].length === 2 || "a") && ((2, []) || [] ^ "bar");
                            }
                            try {
                                c = 1 + c, (b_2 && (b_2.async = ([ , 0 ][1] != -4) << (38..toString() === null))) > (NaN > "number" ^ [ , 0 ][1] / "b");
                            } finally {
                            }
                        } finally {
                            try {
                                c = 1 + c, "foo" - {} == "" * "", void 2 == undefined <= "function";
                            } catch (async) {
                            }
                        }
                        {
                            var brake19 = 5;
                            while (--b + (b_2_1 && typeof b_2_1.then == "function" && --_calls_ >= 0 && (((c = 1 + c, 
                            ((1 == 3) <= (Infinity <= 0)) / (-1 << 0 < ({} | "function"))) || a || 3).toString(), 
                            b_2_1.then)([ , 0 ].length === 2, (c = 1 + c, (b_2_1 && (b_2_1.undefined /= 38..toString() === -3 && 23..toString() < [])) | (/[a2][^e]+$/ != 5) % (c_1 = 2 + "bar")))) && --brake19 > 0) {
                                try {
                                    {
                                    }
                                } catch (arguments_1) {
                                    c = 1 + c, ((c = c + 1, NaN) && "number" != 0) << ((-5 <= -0) >> (23..toString() && "bar"));
                                    c = 1 + c, "undefined" - NaN << (23..toString() & "b"), a_2 && (a_2.Infinity = Infinity + [] !== 2 <= ([ , 0 ].length === 2));
                                }
                            }
                        }
                    }() && --brake6 > 0);
                }
            }
        }
    }
    {
        var brake24 = 5;
        while (--b + a_2 && --brake24 > 0) {
            var brake25 = 5;
            // The loop condition spreads an object literal that declares `set 3(a_2)` and then a data
            // property `3:` under the same key; the reduced test case in this report isolates this pair.
            while ({
                ...{
                    set 3(a_2) {
                        {
                            return ++a;
                        }
                        this.Infinity = ((c = c + 1, null) * ("object" / 2), (a_2 >>>= this || Infinity) > (c = c + 1, 
                        false)) && (-1 >> [] < -"undefined") << (+0 ^ (a_2 = 5 >>> "c"));
                    },
                    3: --b + (typeof c_1 == "function" && --_calls_ >= 0 && c_1()),
                    set: typeof c_1 == "function" && --_calls_ >= 0 && c_1(..."" + a_2, b--),
                    1.5: (c = c + 1) + -a
                }
            }[(c = c + 1) + (5 in [ {
                value: --b + ({}[c = 1 + c, "a" - 0 ^ 3 & 22 ^ (/[a2][^e]+$/ < 2) << (-5 !== "function")] || 2).toString()[(c = 1 + c, 
                (NaN * 1 ^ -1 + 5) <= (-0 && 2 || 4 >= 22)) ? (c = 1 + c, (22 === /[a2][^e]+$/) >> (24..toString() >> 23..toString()) === ("foo" >> "object") % (c_1 && (c_1[c = 1 + c, 
                ((1 ^ Infinity) & (c = c + 1, "bar")) == (c_1 && (c_1.c = true >>> {} != (23..toString() === {})))] = 22 & false))) : (c = 1 + c, 
                (a_2 && (a_2.done += "undefined" || 2) || "undefined" << 38..toString()) >> ((c_1 += -4 ^ null) >> ("function" & -4)))],
                ...a++ + (1 === 1 ? a : b),
                "": /[abc4]/g.exec((((c = 1 + c, (1 & "object" | delete NaN) >= (a_2 = 24..toString() % Infinity) >> (a_2 /= 0 - "b")) ? (c = 1 + c, 
                [] >> false | (c_1 *= ([ , 0 ].length === 2) >>> "bar") && (a_2 && (a_2[c = 1 + c, 
                c_1 && (c_1[(typeof a_2 == "function" && --_calls_ >= 0 && a_2() || a || 3).toString()] %= ((1 === NaN) <= (4 & 0)) % ((c_1 = -3 >>> false) >>> (c_1 += -3 !== "bar")))] -= "a" | 4)) >= Infinity ** -0) : (c = 1 + c, 
                ("function" << 38..toString() ^ (null ^ "c")) + (this === "c" === (c_1 && (c_1[c = 1 + c, 
                (38..toString() * -4 ^ 5 / 38..toString()) % (c_1 && (c_1[--b + (b += a)] ^= -2 > -1 === ("" ^ 24..toString())))] *= 23..toString() > true))))) || b || 5).toString()),
                set next(bar) {
                    {
                        var expr27 = (c = 1 + c, (-0 % "c" | -4 >> undefined) === (a_2 && (a_2.value = {} / 2 != 22 > 1)));
                        for (c_1 in expr27) {
                            c = 1 + c;
                            const await_2 = expr27[c_1];
                            c = 1 + c, (c = c + 1, "a" >>> 23..toString()) > ((await_2 && (await_2.var *= true || "object")) != -2 >= -5);
                        }
                    }
                    this.set /= -4 >= "number" >= (2 && -3) > (a_2 && (a_2.var = (-4 <= 0) << (2 || NaN)));
                },
                value: (c = c + 1) + c_1
            }.value ])] && --brake25 > 0) {
                var brake29 = 5;
                do {
                    var bar;
                } while (bar && typeof bar.async == "function" && --_calls_ >= 0 && bar.async((c = c + 1) + typeof (a++ + [ a++ + (c = 1 + c, 
                (23..toString() / "b" << (-2 & 5)) * (c_1 && (c_1[1 === 1 ? a : b] ^= (24..toString() | -5) % !"a"))), b = a, void function Infinity() {
                }() ][--b + (+(-2 != -5) | ("undefined" === 5) << (Infinity & true))]), 2, null) && --brake29 > 0);
            }
        }
    }
}

// f0 declares two parameters, so the third argument is evaluated but not bound to a parameter.
var yield_2 = f0(-5, false, 38..toString());

// Prints the final counter state; the report compares this line between the original and minified runs.
console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
// Same initial state as the original listing; the `export` is emitted as an export list at the end of this listing.
var _calls_ = 10, a = 100, b = 10, c = 0;

// Minified counterpart of the fuzzer-generated f0, beautified for display.
// The `brake*` counters still bound the counted loops and `_calls_` still guards each call.
function f0(a_2, c_1) {
    if (--b + [ --b + (c_1 && (c_1[1 / 0 in [ (c = 1 + c, 0 != (5 ^ 38..toString()) % "c"), !1, , (c = 1 + (c = 1 + c), 
    void 0 << 38..toString() == 0 !== (null << 24..toString()) + +38..toString()), (c = 1 + c, 
    !0 ^ 0 << ((2 === [ , 0 ].length) >>> -2)) ]] = (c += 1, 22)) && !1 + ("foo" ^ this)) ]) {
        for (var brake2 = 5; (c += 1) + (a_2 && a_2.done) && 0 < --brake2; ) {}
    } else {
        for (var brake4 = 5; --b + (b = a) && 0 < --brake4; ) {
            var expr5 = [ (c += 1) + ("special" != typeof a_1), a_2 && a_2.null ];
            for (c_1 of expr5) {
                c = 1 + c;
                return "function" == typeof f1 && 0 <= --_calls_ && f1();
            }
        }
    }
    for (var brake24 = 5; --b + a_2 && 0 < --brake24; ) {
        // Where the original spread `{ set 3(a_2) {...}, 3: ... }`, this object declares
        // `[3]: void 0` followed by `3:` directly; the reduced test case in this report records
        // different values for key 3 before and after minification.
        for (var brake25 = 5; {
            [3]: void 0,
            3: --b + ("function" == typeof c_1 && 0 <= --_calls_ && c_1()),
            set: "function" == typeof c_1 && 0 <= --_calls_ && c_1(..."" + a_2, b--),
            1.5: (c += 1) + -a
        }[(c += 1) + (5 in [ {
            value: --b + ({}[c = 1 + c, 2] || 2).toString()[c = 1 + (c = 1 + c), (a_2 && (a_2.done += "undefined") || "undefined" << 38..toString()) >> ((c_1 += -4) >> 0)],
            ...a++ + a,
            "": /[abc4]/g.exec((c = 1 + c, (((0 | delete NaN) >= (a_2 = 24..toString() % (1 / 0)) >> (a_2 /= NaN) ? (c = 1 + c, 
            [] >> !1 | (c_1 *= (2 === [ , 0 ].length) >>> "bar") && 1 <= (a_2 && (a_2[c = 1 + c, 
            c_1 && (c_1[("function" == typeof a_2 && 0 <= --_calls_ && a_2() || a || 3).toString()] %= !0 % ((c_1 = -3 >>> !1) >>> (c_1 += !0)))] -= 4))) : (c = 1 + c, 
            ("function" << 38..toString() ^ 0) + ("c" === this === (c_1 && (c_1[c = 1 + c, (-4 * 38..toString() ^ 5 / 38..toString()) % (c_1 && (c_1[--b + (b += a)] ^= !1 === ("" ^ 24..toString())))] *= !0 < 23..toString()))))) || b || 5).toString())),
            set next(bar) {
                var expr27 = (c = 1 + c, -4 === (a_2 && (a_2.value = {} / 2 != 1)));
                for (c_1 in expr27) {
                    const await_2 = expr27[c_1];
                    c = 1 + (c = 1 + c), c += 1, 23..toString(), await_2 && (await_2.var *= !0);
                }
                this.set /= (a_2 && (a_2.var = 4)) < !0;
            },
            value: (c += 1) + c_1
        }.value ])] && 0 < --brake25; ) {}
    }
}

// Same call as in the original listing, with `false` written as `!1`.
var yield_2 = f0(-5, !1, 38..toString());

// Final counter state; the report lists this output as the "uglified result".
console.log(null, a, b, c, 1 / 0, NaN, void 0);

// The `export` that prefixed the `var` declaration in the original is emitted as an export list.
export {
    _calls_,
    a,
    b,
    c
};
original result:
null 101 104 10 Infinity NaN undefined

uglified result:
null 102 203 19 Infinity NaN undefined
// reduced test case (output will differ)

// (beautified)
// The spread source declares a setter for key 3 and then a data property under the same key.
// The value the spread copies for key 3 is what differs between the original and minified runs.
console.log({
    ...{
        set 3(a_2) {},
        3: 0
    }
});
// output: { '3': undefined }
// 
// minify: { '3': 0 }
// 
// options: {
//   "mangle": false,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "mangle": false,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  objects
  spreads
@alexlamsl
Collaborator Author

Looks like a V8 bug:

$ cat test.js
// Each case spreads an inner literal that declares a data property and a setter under one key,
// varying the key type (integer-like vs. identifier) and the declaration order.

// Integer-like key, data property first, setter second.
console.log({
    ...{
        0: "PASS",
        set 0(v) {},
    },
});
// Integer-like key, setter first, data property second.
// This is the only case where the Node and Firefox outputs shown in this report disagree.
console.log({
    ...{
        set 1(v) {},
        1: "PASS",
    },
});
// Identifier key, data property first, setter second.
console.log({
    ...{
        a: "PASS",
        set a(v) {},
    },
});
// Identifier key, setter first, data property second.
console.log({
    ...{
        set b(v) {},
        b: "PASS",
    },
});
$ cat test.js | node
{ '0': undefined }
{ '1': undefined }
{ a: undefined }
{ b: 'PASS' }

Since Firefox gives more consistent behaviour:

>> [[ test.js ]]
> Object { 0: undefined }
> Object { 1: "PASS" }
> Object { a: undefined }
> Object { b: "PASS" }

@alexlamsl
Collaborator Author

Not even quite consistent within V8 itself:

// Here the data property sits on the outer literal and the setter lives in the spread object.

// Integer-like key, outer data property before the spread.
console.log({
    0: "PASS",
    ...{
        set 0(v) {},
    },
});
// Integer-like key, outer data property after the spread.
console.log({
    ...{
        set 1(v) {},
    },
    1: "PASS",
});
// Identifier key, outer data property before the spread.
console.log({
    a: "PASS",
    ...{
        set a(v) {},
    },
});
// Identifier key, outer data property after the spread.
console.log({
    ...{
        set b(v) {},
    },
    b: "PASS",
});
$ cat test.js | node
{ '0': undefined }
{ '1': 'PASS' }
{ a: undefined }
{ b: 'PASS' }

Setter on the outer layer:

// Roles swapped: the setter is declared on the outer literal and the data property comes from the spread.

// Integer-like key, spread first, outer setter second.
console.log({
    ...{
        0: "PASS",
    },
    set 0(v) {},
});
// Integer-like key, outer setter first, spread second.
console.log({
    set 1(v) {},
    ...{
        1: "PASS",
    },
});
// Identifier key, spread first, outer setter second.
console.log({
    ...{
        a: "PASS",
    },
    set a(v) {},
});
// Identifier key, outer setter first, spread second.
console.log({
    set b(v) {},
    ...{
        b: "PASS",
    },
});
$ cat test.js | node
{ '0': [Setter] }
{ '1': 'PASS' }
{ a: [Setter] }
{ b: 'PASS' }

@alexlamsl
Collaborator Author

Simple redefinition for completeness:

// Control group with no setter: the same key is declared twice as a plain data property.
// In the output shown in this report, the later declaration wins in all four cases.

// Integer-like key, "PASS" first, `void 0` second.
console.log({
    ...{
        0: "PASS",
        0: void 0,
    },
});
// Integer-like key, `void 0` first, "PASS" second.
console.log({
    ...{
        1: void 0,
        1: "PASS",
    },
});
// Identifier key, "PASS" first, `void 0` second.
console.log({
    ...{
        a: "PASS",
        a: void 0,
    },
});
// Identifier key, `void 0` first, "PASS" second.
console.log({
    ...{
        b: void 0,
        b: "PASS",
    },
});
$ cat test.js | node
{ '0': undefined }
{ '1': 'PASS' }
{ a: undefined }
{ b: 'PASS' }

alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Mar 20, 2021
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Mar 20, 2021
alexlamsl added a commit that referenced this issue Mar 20, 2021