Reducing real-world scripts
Sunday, January 11th, 2009Lithium is great at reducing testcases with simple structures, such as scripts generated by jsfunfuzz. Scripts from web pages are harder to reduce, since removing a line frequently introduces a syntax error. But with a few extra tricks, Lithium can be effective against real-world scripts. For example, when Google Maps triggered a JavaScript Engine assertion, I was able to reduce the 40 KB of Google Maps code to five lines.
I've reduced three other JavaScript engine bugs using these methods, but there are many more that could use help.
Start by saving the page using wget -E -H -k -K -p or one of the other methods on DevMo: Reducing Testcases.
Making Firefox exit quickly
For Lithium to reduce a web page quickly, Firefox needs to exit quickly. To make normal exits fast, install Quitter and make the testcase send a special event to Quitter after onload:
<script> function quit() { var evt = document.createEvent("Events"); evt.initEvent("please-quit", true, false); document.dispatchEvent(evt); } window.addEventListener("load", function() { setTimeout(quit, 1000); }, false); window.onerror = quit; </script> <!-- DDBEGIN -->
Making Firefox crash quickly
On Mac OS X, crashes are surprisingly slow: it takes the OS crash reporter about 40 seconds to generate a crash log for Firefox. I don't know a general way to bypass the OS crash reporter, but there are two easy cases. First, for crashes that are easy to anticipate at the code level, such as null dereferences, adding a conditional exit(3) should do the trick.
Second, as of Mac OS X 10.5, fatal assertions are treated as crashes. To make the OS treat fatal assertions as exits rather than crashes, edit the relevant assertion-failure function (JS_Assert or NanoAssertFail) to call "exit(3);" rather than "abort();". To make your debug build pick up this change, run "make -C js/src" from the objdir.
Finding the scripts
An initial run of Lithium should make it clear which external <script> tags are involved in triggering the bug. Convert them to inline scripts so they're no longer loaded over the Web.
You may find that one script calls document.write to include another script. Add this code to the script at the top to see what additional scripts are being included:
document._write = document.write; document.write = function(s) { dump("document.write(" + uneval(s) + ");\n"); document._write(s); };
__noSuchMethod__
You can use SpiderMonkey's nonstandard __noSuchMethod__ feature to turn "no such method" errors into no-ops. This helps Lithium reduce object-oriented scripts by allowing it to remove entire methods even before their callers have been removed.
Object.prototype.__noSuchMethod__ = function(id, args) { dump("Missing method called: " + id + "\n"); };
Note that __noSuchMethod__ does not work for top-level functions unless they are explicitly called as "this.foo()" rather than "foo()".
Pretty-printing JavaScript
You can use jsbeautifier.org or the decompiler built into SpiderMonkey to transform the script into a form that is friendlier to Lithium.
To trigger SpiderMonkey's decompiler, wrap the entire script in an anonymous function and use dump (in the browser) or print (in the shell).
The decompiler has two modes: toString creates one line per statement, while uneval creates one line per function declaration. You'll probably want to run Lithium at least once for each mode, since toString makes it easy to eliminate unnecessary expression-statements while uneval makes it easy to eliminate unnecessary function declarations.
Moving to the shell
As soon as the script seems like it isn't too entangled with the browser DOM, try to eliminate the remaining references to the browser-specific "window" and "document" objects. This should allow you to reproduce the bug in the standalone SpiderMonkey shell, which starts much faster than Firefox (milliseconds rather than seconds).
Note that to reproduce JIT bugs in the shell, you need to use the "-j" switch.
Finishing touches
Lithium may have left empty "if" or "for" blocks, which can almost always be removed. To make the remaining code as simple as possible, try replacing variables with their values and inlining functions. If the code is object-oriented or uses call/apply, this might require a little thinking, but it's usually straightforward.
This post was revised 2009-07-06.