Uglifyjs: ufuzz failure

Created on 20 May 2020  路  4Comments  路  Source: mishoo/UglifyJS 
// original code
// (beautified)
var _calls_ = 10, a = 100, b = 10, c = 0;

function f0() {
    var Math_2;
    return function() {
        if (a--) {
            a++ + (b += a);
        }
        var foo_1 = a++ + typeof (typeof f0 == "function" && --_calls_ >= 0 && f0(!b, --b, (c = c + 1) + {
            a: (c = 1 + c, (-0 & 38..toString() || 22 !== "") & (undefined || undefined || (-3, 
            2))),
            c: (c = 1 + c, (("foo" != "function") < (c = c + 1, -2)) >> (-1 <= -4 != "number" - "function")),
            1.5: (c = 1 + c, foo_1 && (foo_1[a++ + typeof (a++ + (b /= a))] &= (foo_1 && (foo_1.undefined += 2 - "function" - 2 % "")) > (c = c + 1, 
            "number" || 3))),
            0: (c = 1 + c, ((true || "a") & NaN !== "function") !== ("", 0) > 25 - 25),
            foo: (c = 1 + c, (0 / -2 >>> (false && -4)) + (-5 == "undefined" == (3 & 23..toString())))
        }));
    };
}

var a = f0();

console.log(null, a, b, c, Infinity, NaN, undefined);

// !!! uglify failed !!!
Error: expressions must contain multiple elements
    at AST_Sequence._validate (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:1073:48)
    at AST_Sequence.validate (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:406:38)
    at AST_Sequence.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:439:22)
    at AST_Sequence._clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:383:25)
    at AST_Sequence.clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:392:21)
    at TreeTransformer.eval [as before] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:385:33)
    at AST_Sequence.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Sequence.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3208:31)
    at AST_SimpleStatement.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3318:13)
    at AST_SimpleStatement.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_SimpleStatement._clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:383:25)
    at AST_SimpleStatement.clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:392:21)
    at TreeTransformer.eval [as before] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:385:33)
    at AST_SimpleStatement.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_SimpleStatement.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3244:31)
    at AST_If.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3318:13)
    at AST_If.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_If._clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:383:25)
    at AST_If.clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:392:21)
    at TreeTransformer.eval [as before] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:385:33)
    at AST_If.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_If.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3198:25)
    at doit (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:120:23)
    at List (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:145:52)
    at do_list (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3197:16)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3274:21)
    at AST_Function.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3318:13)
    at AST_Function.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Function.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Function._clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:383:25)
    at AST_Function.clone (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:696:25)
    at return_value (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:11779:35)
    at can_flatten_body (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:11813:20)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:11714:29)
    at AST_Call.eval [as optimize] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:13971:19)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5704:24)
    at AST_Call.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Call.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3295:33)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_Binary.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Binary.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3291:43)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_UnaryPrefix.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_UnaryPrefix.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_UnaryPrefix.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3295:33)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_Binary.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Binary.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3269:49)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_VarDef.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_VarDef.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3198:25)
    at doit (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:120:23)
    at List (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:145:52)
    at do_list (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3197:16)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3265:28)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_Var.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Var.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Var.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3198:25)
    at doit (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:120:23)
    at List (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:145:52)
    at do_list (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3197:16)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3274:21)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_Function.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Function.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Function.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3237:49)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_Return.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Return.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Return.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3198:25)
    at doit (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:120:23)
    at List (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:145:52)
    at do_list (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3197:16)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3274:21)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_Defun.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Defun.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Defun.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3198:25)
    at doit (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:120:23)
    at List (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:145:52)
    at do_list (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3197:16)
    at eval (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3211:21)
    at Compressor.before (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5699:9)
    at AST_Toplevel.eval [as transform] (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:3315:31)
    at AST_Toplevel.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Toplevel.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at AST_Toplevel.ctor.transform (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:437:34)
    at Compressor.compress (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:5662:25)
    at Object.minify (eval at <anonymous> (d:\a\UglifyJS\UglifyJS\tools\node.js:18:1), <anonymous>:15234:75)
    at d:\a\UglifyJS\UglifyJS\test\ufuzz\index.js:1197:32
    at Array.forEach (<anonymous>)
    at Object.<anonymous> (d:\a\UglifyJS\UglifyJS\test\ufuzz\index.js:1193:51)
    at Module._compile (internal/modules/cjs/loader.js:778:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
    at Module.load (internal/modules/cjs/loader.js:653:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
    at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    at Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
    at startup (internal/bootstrap/node.js:283:19)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)



md5-23ead225ab28ce3f51350c19798b4a34



minify(options):
{
  "ie8": true,
  "toplevel": true
}
bug
Source
picture alexlamsl

All 4 comments

@kzc easier to discuss it here with the test case right above us :wink:

I used the same Node.js v10.20.1 just in case but no luck for me either. Could it be the beautification of the original test case which is the issue here? 馃

It checks if the original runtime result stay the same, but may be it should check if it reproduces the uglify bug instead?

alexlamsl picture alexlamsl on 20 May 2020
👍1

Yup, I think I've got it:

var _calls_ = 10, a = 100, b = 10, c = 0;

function f0() {
    var Math_2;
    return function() {
        if (a--) a++ + (b += a);
        var foo_1 = a++ + typeof (typeof f0 == "function" && --_calls_ >= 0 && f0(!b, --b, (c = c + 1) + {
            a: (c = 1 + c, (-0 & 38..toString() || 22 !== "") & (undefined || undefined || (-3,
            2))),
            c: (c = 1 + c, (("foo" != "function") < (c = c + 1, -2)) >> (-1 <= -4 != "number" - "function")),
            1.5: (c = 1 + c, foo_1 && (foo_1[a++ + typeof (a++ + (b /= a))] &= (foo_1 && (foo_1.undefined += 2 - "function" - 2 % "")) > (c = c + 1,
            "number" || 3))),
            0: (c = 1 + c, ((true || "a") & NaN !== "function") !== ("", 0) > 25 - 25),
            foo: (c = 1 + c, (0 / -2 >>> (false && -4)) + (-5 == "undefined" == (3 & 23..toString())))
        }));
    };
}

var a = f0();

console.log(null, a, b, c, Infinity, NaN, undefined);

This would reproduce the bug in the test case.

alexlamsl picture alexlamsl on 20 May 2020

Nice job.

How were you able to repro that? Trial and error?

--- 0.js    2020-05-20 14:29:38.000000000 -0400
+++ 1.js    2020-05-20 14:29:53.000000000 -0400
@@ -1,13 +1,9 @@
-// original code
-// (beautified)
 var _calls_ = 10, a = 100, b = 10, c = 0;

 function f0() {
     var Math_2;
     return function() {
-        if (a--) {
-            a++ + (b += a);
-        }
+        if (a--) a++ + (b += a);
         var foo_1 = a++ + typeof (typeof f0 == "function" && --_calls_ >= 0 && f0(!b, --b, (c = c + 1) + {
             a: (c = 1 + c, (-0 & 38..toString() || 22 !== "") & (undefined || undefined || (-3, 
             2))),
kzc picture kzc on 20 May 2020

I would refer to that as an educated guess... 馃槑

alexlamsl picture alexlamsl on 20 May 2020
😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

diegocr picture diegocr  路  3Comments
GrosSacASac picture GrosSacASac  路  3Comments
utdrmac picture utdrmac  路  4Comments
Havunen picture Havunen  路  5Comments
alexlamsl picture alexlamsl  路  4Comments