ufuzz failure #4882

Closed
alexlamsl opened this issue Apr 30, 2021 · 0 comments · Fixed by #4883
@alexlamsl
Collaborator

// original code
// (beautified)
// Fuzzer-generated input program. `_calls_` is a shared call budget: guarded
// calls are written as `--_calls_ >= 0 && fn(...)`, so the budget of 10 bounds
// how many of them run. `a`, `b` and `c` are counters changed by side effects
// and printed by the final console.log.
var _calls_ = 10, a = 100, b = 10, c = 0;

{
    // NaN_1 receives the result of calling f0 immediately with (true, 22).
    // Inside f0 the parameter `c` shadows the outer counter `c`.
    var NaN_1 = function f0(b_2, await_1, c) {
        if (a++ + {
            // Colon-form `__proto__` in an object literal is the prototype-setting
            // form, not an ordinary property definition.
            __proto__: b + 1 - .1 - .1 - .1 || {},
            // The spread operand is a separate literal with its own `__proto__:` entry,
            // which is legal: spread copies own enumerable properties only, so the inner
            // `__proto__` never becomes a field of the outer literal. Merging this operand
            // into the outer literal would put two `__proto__:` entries in one literal,
            // which engines reject at parse time (the SyntaxError reported below).
            ...{
                __proto__: ({
                    "\t": b_2
                } = a++ + (typeof f0 == "function" && --_calls_ >= 0 && f0(-1, (c = 1 + c, (c && (c.async += ([] >>> 4) + [ , 0 ][1] * "function")) * ((-5 !== undefined) - (null - "number"))), 2)) || {}) || {},
                done: (c = c + 1) + (a++ + --b),
                [a--]: a++ + {
                    done: await_1 && typeof await_1.foo == "function" && --_calls_ >= 0 && (c = 1 + c, 
                    (([ , 0 ][1] && [ , 0 ].length === 2) ^ 1 << -0) === ([ , 0 ][1] >= 38..toString() || -5 >>> 0), 
                    await_1.foo)((c = 1 + c, (("b" >> NaN) - (await_1 && (await_1.get += "c" === NaN))) % (-4 >>> -1 !== ("number" !== "undefined"))), (c = 1 + c, 
                    (await_1 = -3 ^ "bar") % (c = c + 1, 24..toString()) - ([ , 0 ][1] <= 25 < (0 != "function"))), /[a2][^e]+$/),
                    in: a++ + [ (c = 1 + c, (null * "object" & 22 !== this) !== (c = c + 1, false || "function")), ...[ (c = 1 + c, 
                    (0 - "number" != 23..toString() > -2) % ("bar" * 25 >= (true ^ 3))), (c = 1 + c, 
                    ((await_1 += false / -3) && (await_1 += -1 > "a")) % (2 > 22 & (0 ^ 24..toString()))), (c = 1 + c, 
                    ((-2 ^ "function") <= (23..toString() ^ "number")) >> ((-3 | this) ^ 22 / 38..toString())), (c = 1 + c, 
                    (Infinity < 22, true !== "undefined") & {} <= [] >= (38..toString() && 2)), (c = 1 + c, 
                    (await_1 = 25 / [ , 0 ][1]) & NaN * ([ , 0 ].length === 2) ^ 2 == 0 != Infinity * undefined) ] ],
                    [--b + (typeof b_2 == "function" && --_calls_ >= 0 && b_2(-5, 38..toString(), "number"))]: a++ + delete a,
                    static: a++ + (c && ([ c.then ] = [ "object" + "b" > ("object" !== 0) ])) * ("foo" > "undefined" | 24..toString() ^ "object")
                },
                static: [ (c = c + 1) + (-1 in {
                    [(c = 1 + c, (38..toString() % "number" >> ("foo" | 2)) - ((c && (c.Infinity = -2 - 5)) >> "foo" % "c"))]: (c = 1 + c, 
                    b_2 && (b_2.undefined = (NaN + Infinity) / ("a" << "b") === (c && (c[a++ + (typeof b_2 == "function" && --_calls_ >= 0 && b_2(-0))] += (this == this) * ("" | "c"))))),
                    [(c = 1 + c, (true ^ -4 || -1 >>> true) !== ("foo" >> "foo" ^ (b_2 && (b_2[c = 1 + c, 
                    (c = c + 1, false < "bar") >= ((b_2 && (b_2.c += "object" != true)) | this ^ "bar")] += "object" != false))))]: (c = 1 + c, 
                    await_1 && (await_1[--b + /[abc4]/.test((-5 || b || 5).toString())] += (38..toString() !== "object" ^ 38..toString() >= 23..toString()) >>> (-2 && 22 || -0 >>> 1)))
                }) ].c
            }
        }[a++ + (await_1 && await_1[(undefined | "function") % (b_2 && (b_2[c = 1 + c, this * -2 / (3 ^ Infinity) || (undefined || 3) | -2 % -5] %= "" + NaN)) == (undefined !== /[a2][^e]+$/) / (1 * 25)])]) {
            // `brake3` caps the loop at a fixed number of iterations.
            var brake3 = 5;
            L19560: while (typeof yield_1 && --brake3 > 0) {}
        }
        typeof f1 == "function" && --_calls_ >= 0 && f1(--b + (c || a || 3).toString(), (2 / "bar" | 1 != "bar") > -(false % -5));
    }(true, 22);
}

// Second top-level statement: a parenthesised object literal that is never
// stored, so it is evaluated only for the side effects of its computed key and
// property values on a, b, c and NaN_1.
({
    [(c = c + 1) + (b = a)]: --b + {
        a: [ NaN_1 && typeof NaN_1.next == "function" && --_calls_ >= 0 && NaN_1.next(), a++ + typeof (--b + (typeof f2 == "function" && --_calls_ >= 0 && f2(--b + (NaN_1 = (c = 1 + c, 
        (undefined || 5) << (-3 < "undefined") && {} !== "" != (Infinity ^ 5)))))), a++ + ("c" in [ --b + (typeof f1 == "function" && --_calls_ >= 0 && f1((c = 1 + c, 
        (c = c + 1, "bar") + this % -2 === (([ , 0 ].length === 2) >>> Infinity == 3 * "object")), (c = 1 + c, 
        "object" + "a" << NaN % "undefined" > (-3 << -0 != Infinity << 0)), "a")), -((NaN_1 && (NaN_1[c = 1 + c, 
        ((c = c + 1, 1) != 2 - []) <= (NaN_1 <<= -0 !== 2 && -0 >>> -5)] >>>= 23..toString() === "function")) >>> (-0 != null) || (-2 !== "undefined") % ("object" ^ 38..toString())) ]), --b + (([ , 0 ].length === 2) in []) ].b,
        // Immediately invoked function whose result is coerced to a number by the unary plus.
        get: +function() {
            {
                {}
                {
                    c = 1 + c, (NaN_1 && (NaN_1.in = [ , 0 ][1] >>> 24..toString())) / (25 || false) ^ (NaN_1 && (NaN_1[c = 1 + c, 
                    !(1 || -4) < ("c" !== "bar" || NaN_1 && (NaN_1.value -= 5 <= "foo"))] = 0 ^ -4) && 24..toString() | "function");
                }
                {
                    // Unconditional return: the statements after this nested block are never reached.
                    return NaN_1 && typeof NaN_1.c == "function" && --_calls_ >= 0 && NaN_1.c((c = 1 + c, 
                    (38..toString() >> "foo" || 0 < {}) != (null || 3) >> NaN % "number"), (c = 1 + c, 
                    ("function" / Infinity ^ 38..toString() >>> undefined) * (c = c + 1, 5 < -5)));
                }
            }
            try {
            } finally {
                {
                    c = 1 + c, (c = c + 1, this * 25) == (NaN_1 = (NaN_1 && (NaN_1.var += 24..toString() - -2)) !== (38..toString() !== NaN));
                }
            }
            var Infinity_1 = Infinity in {};
            {
                var brake18 = 5;
                do {
                    if (--b + (((c = 1 + c, "number" + "a" && "" << "bar", (0 || [ , 0 ][1]) / (NaN < 5)) || 8).toString()[c = 1 + c, 
                    NaN_1 && (NaN_1[typeof f2 == "function" && --_calls_ >= 0 && f2(5)] += ((25 & 0) !== -"undefined") >= (-2 === 3) % void 2)] ? --b + [].then : (c = c + 1) + (typeof a == "undefined"))) {
                        return;
                    }
                } while ((c = c + 1) + (0 === 1 ? a : b) && --brake18 > 0);
            }
        }(),
        null: b = a
    }.undefined,
    // The arrow function below is never called; it is only combined with `c` through `+`
    // and the result is stringified for the regex.
    next: --b + /[abc4]/g.exec(((c = c + 1) + (foo_2 => {
        {
            var async_1 = function f1(arguments_2) {
                {
                    return NaN_1;
                }
                switch ((c = c + 1) + ((c = 1 + c, (arguments_2 && (arguments_2.foo += (NaN_1 && (NaN_1[c = 1 + c, 
                ([ , 0 ].length === 2 === "function" | this + []) == 1 + "b" < (38..toString() && null)] += [ , 0 ][1] >= -0)) > (/[a2][^e]+$/ === null))) & (-4 | (Infinity, 
                2))) || 5).toString()[c = 1 + c, ((-1 << []) + +3) / ("object" * "c" == ([ , 0 ].length === 2 != 5))]) {
                  default:
                  case foo_2:
                    c = 1 + c, foo_2 && (foo_2.get += (foo_2 += (c = c + 1, []) & ([ , 0 ].length === 2) <= null) + ((NaN_1 && (NaN_1[c = 1 + c, 
                    +"b" != "a" >>> "undefined" == (NaN_1 && (NaN_1[c = 1 + c, (-1 != 3) - (3 >= "bar") !== ((arguments_2 && (arguments_2.next ^= -4 / 2)) ^ "function" >>> undefined)] = undefined === [ , 0 ][1]), 
                    !-0)] &= [ , 0 ].length === 2 === "b")) <= (0, 0)));
                    c = 1 + c, ("a" < -0 === (NaN_1 && (NaN_1[c = 1 + c, (foo_2 && ([ foo_2.a ] = [ "number" / this ]) || -5 >>> 4) != -4 / [] % (-2 == 24..toString())] = (23..toString(), 
                    "number")))) < (0 >>> 23..toString() >= "b" / 2);
                    break;

                  case [ (c = 1 + c, arguments_2 -= (foo_2 && (foo_2[(c = c + 1) + {
                        next: (c = 1 + c, (arguments_2 && (arguments_2.value += (NaN_1 && (NaN_1[c = 1 + c, 
                        (arguments_2 && (arguments_2.c = (this || -0) >>> (5 | 4))) < (NaN_1 += (24..toString() & -0) == (24..toString() != "object"))] = 2 != -3)) <= [ , 0 ][1] + NaN)) >= (false <= "") >>> (5 ^ true)),
                        [(c = 1 + c, (NaN_1 && (NaN_1[a++ + (1 === 1 ? a : b)] += ([ , 0 ].length === 2 !== 22) <= (4 & -0))) | (-0 | "b") & true - ([ , 0 ].length === 2))]: (c = 1 + c, 
                        (arguments_2 && (arguments_2.get = ("c" >> "") - ("object" + -4))) === delete ("b" != this)),
                        then: (c = 1 + c, (arguments_2 && (arguments_2[c = 1 + c, (undefined & "c") / ("c" * 2) && (arguments_2 && (arguments_2.foo = "number" && 1) || NaN_1 && (NaN_1[c = 1 + c, 
                        false * 22 * (false ^ 4) !== "c" % "bar" + (24..toString() + false)] ^= ([ , 0 ].length === 2) >> "a"))] += 4 + /[a2][^e]+$/) && {} + 4) | (true != 24..toString()) <= 1 >> true)
                    }[c = 1 + c, ([ , 0 ][1] + 5) / (arguments_2 && ([ arguments_2.value ] = [ NaN != -4 ])) >= ({} > "object" & 24..toString() >> null)]] ^= ([ , 0 ].length === 2) <= false <= ("function" <= Infinity))) | (-3 ^ 0) >> -5 % "bar"), (c = 1 + c, 
                    (4 >= -3) + (foo_2 && ({
                        null: foo_2.null
                    } = {
                        null: false >= []
                    })) - "function" % 5 / (-1 << "number")), (c = 1 + c, (4 * "" || 1 != 1) & (arguments_2 && ([ arguments_2[(c = c + 1) + ""] ] = [ "" > 23..toString() | 22 !== -3 ]))) ][c = 1 + c, 
                    NaN_1 && (NaN_1[typeof "a"] += (-4 & "a") * ("a" << "undefined") && /[a2][^e]+$/ <= "function" === (22 && -5))]:
                    c = 1 + c, ("c" ^ true) === (3 != {}) === ("undefined" > 38..toString() ^ "undefined" >>> "undefined");
                    break;

                  case (c = c + 1) + foo_2:
                    break;
                }
            }("undefined");
        }
        {
            var brake27 = 5;
            do {
                {}
            } while ((typeof f2 == "function" && --_calls_ >= 0 && f2() || 5).toString()[(c = c + 1) + foo_2] && --brake27 > 0);
        }
    }) || b || 5).toString())
});

// Prints the final counter values; this is the line shown under "original result"
// in the report, which the minified run never reaches.
console.log(null, a, b, c, Infinity, NaN, undefined);
// uglified code
// (beautified)
// Minified form of the program above, beautified for reading. It does not parse:
// see the duplicate `__proto__` entries at the top of the first object literal.
var _calls_ = 10, a = 100, b = 10, c = 0, NaN_1 = function f0(b_2, await_1, c) {
    if (a++ + {
        __proto__: b + 1 - .1 - .1 - .1 || {},
        // Defect in the output: the original wrote this entry inside a spread operand
        // (`...{ __proto__: ... }`). With the operand merged into the enclosing literal,
        // the literal now has two colon-form `__proto__` entries, which is an early
        // SyntaxError, so none of this script executes.
        __proto__: ({
            "\t": b_2
        } = a++ + (0 <= --_calls_ && f0(-1, NaN * ((c = 1 + c) && (c.async += ([] >>> 4) + NaN)), 2)) || {}) || {},
        done: (c += 1) + (a++ + --b),
        [a--]: a++ + {
            done: await_1 && "function" == typeof await_1.foo && 0 <= --_calls_ && (c = 1 + c, 
            38..toString(), await_1.foo)((c = 1 + c, (0 - (await_1 && (await_1.get += !1))) % !0), (c = 1 + c, 
            (await_1 = -3) % (c += 1, 24..toString()) - !1), /[a2][^e]+$/),
            in: a++ + [ (c = 1 + c, (NaN & 22 !== this) !== "function"), (c = 1 + (c += 1), 
            (NaN != -2 < 23..toString()) % !1), (c = 1 + c, ((await_1 += -0) && (await_1 += !1)) % (!1 & (0 ^ 24..toString()))), (c = 1 + c, 
            (-2 <= ("number" ^ 23..toString())) >> ((-3 | this) ^ 22 / 38..toString())), (c = 1 + c, 
            !0 & {} <= [] >= (38..toString() && 2)), (c = 1 + c, (await_1 = 1 / 0) & NaN * (2 === [ , 0 ].length) ^ !0) ],
            [--b + ("function" == typeof b_2 && 0 <= --_calls_ && b_2(-5, 38..toString(), "number"))]: a++ + delete a,
            static: a++ + (c && ([ c.then ] = [ !1 ])) * (!1 | "object" ^ 24..toString())
        },
        static: [ (c += 1) + (-1 in {
            [(c = 1 + c, (38..toString() % "number" >> 2) - ((c && (c.Infinity = -7)) >> NaN))]: (c = 1 + c, 
            b_2 && (b_2.undefined = NaN === (c && (c[a++ + ("function" == typeof b_2 && 0 <= --_calls_ && b_2(-0))] += 0 * (this == this))))),
            [(c = 1 + c, -3 != (0 ^ (b_2 && (b_2[c = 1 + c, c += 1, ((b_2 && (b_2.c += !0)) | "bar" ^ this) <= !1] += !0))))]: (c = 1 + c, 
            await_1 && (await_1[--b + /[abc4]/.test((-5).toString())] += ("object" !== 38..toString() ^ 38..toString() >= 23..toString()) >>> 22))
        }) ].c
    }[a++ + (await_1 && await_1[0 % (b_2 && (b_2[c = 1 + c, -2 * this / 3 || -1] %= "NaN")) == .04])]) {
        for (var brake3 = 5; 0 < --brake3; ) {}
    }
    "function" == typeof f1 && 0 <= --_calls_ && f1(--b + (c || a || 3).toString(), !0);
}(!0, 22);

// The original's second statement (a discarded object literal) appears here as a
// comma sequence of its side-effecting expressions, ending in the console.log call.
c += 1, b = a, --b, NaN_1 && "function" == typeof NaN_1.next && 0 <= --_calls_ && NaN_1.next(), 
a++, --b, "function" == typeof f2 && 0 <= --_calls_ && f2(--b + (c = 1 + c, NaN_1 = "" !== {} != 5)), 
a++, --b, "function" == typeof f1 && 0 <= --_calls_ && f1((c = 1 + c, "bar" + this % -2 === ((2 === [ , 0 ].length) >>> 1 / 0 == NaN)), (c = 1 + (c += 1), 
!1), "a"), (NaN_1 && (NaN_1[c = 1 + c, c += 1, (1 != 2 - []) <= (NaN_1 <<= 0)] >>>= "function" === 23..toString())) >>> !0 || 38..toString(), 
--b, c = 1 + c, NaN_1 && (NaN_1.in = 0 >>> 24..toString()), NaN_1 && (NaN_1[c = 1 + c, 
!0] = -4) && 24..toString(), NaN_1 && "function" == typeof NaN_1.c && 0 <= --_calls_ && NaN_1.c((c = 1 + c, 
3 != (38..toString() >> "foo" || 0 < {})), (c = 1 + c, (NaN ^ 38..toString() >>> void 0) * (c += 1, 
!1))), b = a, --b, /[abc4]/g.exec(((c += 1) + (foo_2 => {
    for (var brake27 = 5; ("function" == typeof f2 && 0 <= --_calls_ && f2() || 5).toString()[(c += 1) + foo_2] && 0 < --brake27; ) {}
}) || b || 5).toString()), console.log(null, a, b, c, 1 / 0, NaN, void 0);
original result:
null 179 178 3 Infinity NaN undefined

uglified result:
evalmachine.<anonymous>:1
var _calls_=10,a=100,b=10,c=0,NaN_1=function f0(b_2,await_1,c){if(a+++{__proto__:b+1-.1-.1-.1||{},__proto__:({"\t":b_2}=a+++(0<=--_calls_&&f0(-1,NaN*((c=1+c)&&(c.async+=([]>>>4)+NaN)),2))||{})||{},done:(c+=1)+(a+++--b),[a--]:a+++{done:await_1&&"function"==typeof await_1.foo&&0<=--_calls_&&(c=1+c,38..toString(),await_1.foo)((c=1+c,(0-(await_1&&(await_1.get+=!1)))%!0),(c=1+c,(await_1=-3)%(c+=1,24..toString())-!1),/[a2][^e]+$/),in:a+++[(c=1+c,(NaN&22!==this)!=="function"),(c=1+(c+=1),(NaN!=-2<23..toString())%!1),(c=1+c,((await_1+=-0)&&(await_1+=!1))%(!1&(0^24..toString()))),(c=1+c,(-2<=("number"^23..toString()))>>((-3|this)^22/38..toString())),(c=1+c,!0&{}<=[]>=(38..toString()&&2)),(c=1+c,(await_1=1/0)&NaN*(2===[,0].length)^!0)],[--b+("function"==typeof b_2&&0<=--_calls_&&b_2(-5,38..toString(),"number"))]:a+++delete a,static:a+++(c&&([c.then]=[!1]))*(!1|"object"^24..toString())},static:[(c+=1)+(-1 in{[(c=1+c,(38..toString()%"number">>2)-((c&&(c.Infinity=-7))>>NaN))]:(c=1+c,b_2&&(b_2.u

SyntaxError: Duplicate __proto__ fields are not allowed in object literals
    at createScript (vm.js:80:10)
    at Object.runInContext (vm.js:119:10)
    at run_code_vm (/home/runner/work/UglifyJS/UglifyJS/test/sandbox.js:257:12)
    at Object.exports.run_code (/home/runner/work/UglifyJS/UglifyJS/test/sandbox.js:37:16)
    at run_code (/home/runner/work/UglifyJS/UglifyJS/test/ufuzz/index.js:2063:20)
    at /home/runner/work/UglifyJS/UglifyJS/test/ufuzz/index.js:2449:29
    at Array.forEach (<anonymous>)
    at Object.<anonymous> (/home/runner/work/UglifyJS/UglifyJS/test/ufuzz/index.js:2440:20)
    at Module._compile (module.js:653:30)
    at Object.Module._extensions..js (module.js:664:10)
// reduced test case (output will differ)

// (beautified)
// Minimal reproducer. The outer literal and the spread operand each hold one
// colon-form `__proto__` entry, which is valid: the two entries live in
// different literals, and spread copies own enumerable properties only.
// As written, evaluation reaches `0()` and fails at run time with a TypeError.
// A minifier that folds the spread operand into the outer literal must not carry
// the inner `__proto__:` across, because two such entries in one literal are an
// early SyntaxError and the whole script then fails to parse.
if ({
    __proto__: 0,
    ...{
        __proto__: 0()
    }
}[0]) {
    brake3;
}
// output: TypeError: 0 is not a function
// minify: SyntaxError: Duplicate __proto__ fields are not allowed in object literals
// options: {
//   "mangle": false,
//   "output": {
//     "v8": true
//   },
//   "validate": true
// }
minify(options):
{
  "mangle": false,
  "output": {
    "v8": true
  }
}

Suspicious compress options:
  objects
  spreads
@alexlamsl alexlamsl added the bug label Apr 30, 2021
alexlamsl added a commit to alexlamsl/UglifyJS that referenced this issue Apr 30, 2021
alexlamsl added a commit that referenced this issue Apr 30, 2021