ContextQMD
Back to V8

Minimize Reproducer

agents/skills/minimize-reproducer/SKILL.md

15.1.1263.3 KB
Original Source

Minimize Reproducer

Workflow

1. Identify the Failure Signature

Before minimizing, understand exactly what "reproduction" looks like.

  • Exact Command: e.g., `out/x64.release/d8 --fuzzing poc.js`
  • Failure Type: Crash (segfault, abort), Assertion failure, Sandbox violation, or Incorrect output.
  • Stability Check: Initially check how stable the reproduction is. If it's flaky, you'll need to run it multiple times at every step. Use the bundled `repro_check.sh` script.

2. Command-Line Flag Minimization

Find the minimal set of V8 flags required to reproduce the issue.

  • Batch Removal: Start by removing larger batches of flags (e.g., all flags starting with `--no-` or all optimization flags).
  • One-by-One: Progressively remove individual flags until only the essential ones remain.
  • Common Critical Flags: Pay attention to flags like `--sandbox-fuzzing`, `--memory-corruption-via-watchpoints`, or `--turbofan`, as these often control the underlying feature being tested.
  • Validation: Test reproduction after every step. If it stops failing, restore the last flag removed.

3. File Minimization (The Iterative Phase)

Reduce the input JavaScript file systematically. Always work on a copy (e.g., `poc-copy.js`) and maintain a `poc-min.js` as your "best known" version.

  • Remove Large Blocks: Start by removing entire functions, classes, or large blocks of code (e.g., fuzzer boilerplate, unused libraries).
  • Binary Search: If a large block is present, try removing half. If it still fails, that half was unnecessary.
  • Remove Individual Lines: Once large blocks are gone, try removing individual lines.
  • Inline Functions: If a function is called only once, inline its content and remove the definition.
  • Simplify Wrappers: Remove `try-catch` blocks but retain the code inside the `try` block.
  • Stabilize with Loops: If a reproduction is flaky (e.g., it only fails 10% of the time), add a loop around the triggering logic to increase the failure probability to 100%.

4. Special API Handling (e.g., Sandbox API)

  • Offset Alignment: Some APIs (like `Sandbox.markForCorruptionOnAccess`) require specific alignments (e.g., tagged-size-aligned offsets like 8, 12, or 16).
  • Object Context: Ensure the object being manipulated (e.g., a String) is large enough for the offset being targeted. Use `%DebugPrint(obj)` with `--allow-natives-syntax` to inspect the internal structure.

5. Clean and Polish

  • Rename Variables: Obfuscated names like `__v_0` should be renamed to something descriptive like `str` or `targetObj`.
  • Readability > Size: A 20-line file that is easy to understand is better than a 10-line file that is completely cryptic.
  • Self-Contained: Ensure the final `poc-min.js` is completely self-contained and does not rely on external fuzzer libraries unless strictly necessary.

Guidelines

  • Work on a copy: Never modify the original reproduction file directly.
  • Validate EVERY change: A single character change can stop a bug from reproducing. Always verify.
  • Keep a "Best Version": Always update your `-min.js` file as soon as you find a smaller working version. This allows you to easily backtrack if a more aggressive minimization fails.