Minimization tricks include:

• storing all sprites in a string by encoding each pixel in a sprite in 2 bits and storing 6 bits in each character. Each 2 bit chunk can have one of these values: 0=CR/lF (end of line/start of next line in sprite), 1=transparent (do not draw but move to next pixel), 2 = color 1, 3 = color 2. The colors are chosen from a palette, which is a string containing a number of RGB colors encoded in 3 hex chars (‘fff’=white, ’000′=black, ‘f00′=red, etc…). Each sprite has an associated palette based on the number of the sprite. Most sprites use one of two palettes: a one color palette (‘fff’) for the background stars) or a two color palette (’999000′) for the cat’s face, paws and tail. A few other palettes are used for the poptart.
• storing all sprite maps (meaning which sprites to draw where for each frame) in an array of 6 strings, one for each frame, by encoding each position and sprite number in 3 bits. The background stars are not included; their vertical position is based on their number, by multiplying the number of each star by a certain value. Their horizontal position is based on time, by multiplying the time by a certain value modulus the width of the image and adding a “random” value using the value of a different character from the sprites string for each star.
• drawing squares instead of sprites to fill larger regions, as sprites need a lot more bytes to store when they get bigger then code to draw a single square does.
• using one function for two purposes: to draw a specific sprite at a specific location using a specific palette on the canvas, or to draw a square at a specific location, with specific dimensions and a specific color on the canvas. The function will draw a sprite if there are only 4 arguments provided and a square if there are 5.
• using a bit of math to offset multiple sprites based on which frame is being drawn and adding sprites to the sprite. This is done to have the individual sprite maps for each frame contain the same information as much as possible, which makes them easier to compress.

I assumed it would be easy to code this one in 1K, but it turned out that it was pretty hard to minimize my code.

• I started with a large file that draw only the (animated) cat. This wasn’t optimized in any way: it used one big sprite for each frame, with each pixel being stored as byte containing a value 0-8, representing an index into a palette.
• I then cut the cat into smaller individual sprites that I could reuse between frames (eg. the face is always the same, just at a different location). I stored a sprite mapping, meaning which sprite to draw where for each frame. I stored all this information in a string using values between 0-36 encoded using ‘[char] = [value].toString(36)” and read using “[value] = parseInt([char], 36)”.
• I chose to give each sprite only two colors + transparent (3 values), so I can store each pixel in 2 bits (4 values) and use the unused value to signal ‘end of line’ and using ‘end of line’ twice for ‘end of sprite’. This meant I could store the entire sprite as 2 bit values. I encoded 3 of these 2 bit values per byte using “[char] = String.fromCharCode([values]+offset)” and red them using “[values] = [char].charCodeAt(0)-offset”.
• I stored the values in the sprite maps as 3 bit values and encoded 2 of these 3 bit values per byte as well.
• I wrote code that choses an ‘offset’ to use in encoding sprites/sprite maps that caused the resulting string to contain as many of the same bytes as the code, which allows better compression.
• At this point I was down to ~1.2K compressed. By reusing code for two purposes (eg. the ‘f’ function) and rearranging/rewriting code to have it contain as many repeated strings as possible to allow better compression, I as able to get it down to ~1.01K.
• Finally, I optimized my png compressor code to work together with the poptart cat code; eg. do not use ‘eval’ to run the decompressed code, which then uses setTimeout to start the animation, but use ‘setTimeout’ directly. This allowed me to squeeze everything into 1K.

Because manually editing 2/3 bit values stored in 8 bit characters + offset is impractical, and because some of the values where calculated rather than hand-picked. I wrote my development code to generate the final code and data automatically. This means I have a somewhat documented, readable version of the test container HTML and the actual JavaScript code. The test container will load the code, which will show the animation slowed down to 1 frame per second and output the final code below the animation. The final code is what I pumped through my to-be-released JsSfx png compressor.

Afterwards, I realized that there are a few ways in which I could have improved on the code by doing a few things differently:

• Save data as unicode strings; this allows storing not 6 bits per byte, but (effectively) 16 per 2 bytes. This could reduce the size of the data by about 128 bytes, but would use more bytes to store the non-unicode characters outside of the strings.
• Save each entry for each sprite map in a separate string, meaning store the x coordinates in one string, the y coordinates in another and the sprite number in a third. This should result in data that can be compressed better.
• Use scaling for sprites to be able to draw the background, rainbow and body of poptart cat using sprites as well instead of separate code to draw squares. This would use less bytes than having code to draw the cat using both sprites and squares.

Suggestions and comments are appreciated; I have a few ideas of my own, such as allowing you to link to specific zoom settings, but I’m not sure when I’ll have time to add them.

Source code here, install it here

I still believe it is a good exercise to extract the source from the encoded version, as you learn a lot more that way, but I’ll leave that choose to you.

One of my side projects is creating JavaScript demos. Unfortunately, I hardly ever find time to finish and release anything. You may recognize the following: I think of a new effect that would be really cool. I start working on some code and get a proof-of-concept working. The code proves how awesome the end result would be, but it’s nowhere near production quality. Then I waste a lot of time on fine-tuning some aspects of the code (size, speed, various design/implementation details). Finally I get bored with it and/or distracted by a new project. I have a zillion of such projects doing nothing on my harddrive.

Luckily, this is not always the case. I was going through some of the awesome codes of the js1k contest recently and got interested in Perlin noise. I started working on my own version and after only a few iterations I had a pretty decent flame effect going. The amazing thing about Perlin noise is how easy it is to create a decent looking effect with very little effort.

The code starts by creating an array with random numbers. The code needs to have a way of requesting the same random number twice and getting the same value and an array is the fasted way to do this. Using an index into the array as a seed, the code can read the same random number as often as it wants without changes. One side effect is that because the size of the array is limited, you will at some point have to reuse the same data. However, if you make sure the size of this array is sufficiently large (and a prime), this will not be noticed by the average user. Next the code creates three canvas elements. Two are used as off-screen buffers to generate the flames and smoke in, the third is visible and used to combine the two into the final effect. Two one dimentional arrays of perlin data are generated, one for the shape of the flames and one which is used as a projection map for the movement of the flames. For each pixel, the projection map tells the code where in the shape map it should read a byte to use as the color value for that pixel. The color value is converted to an RGB value using two table, one for the flames and one for the smoke. The pixels are drawn at the bottom of the off-screen buffers and all pixels in these buffers are shifted upwards. For the flames, all pixels in the buffer are darkened, causing them to die out as the move up.

When I got his working, I got obsessed, as one does, with size and speed: I wanted to have it run at 60fps and shrink the size of the code to 1k or less. Guaranteeing the frame rate is hard to achieve because the effect needs a few CPU intensive operations to calculate each frame. I could reduce the quality to achieve a higher frame rate, but that would defeat the original goal of creating a nice looking effect. After a bit of tweaking, it is now running at 60fps on my machine without too much loss of quality. However, it may be less on older machines.

Shrinking the size of JavaScript is mostly about rewriting/rearranging your algorithms to be more size efficient. How to best do this depends on the algorithm and many such optimizations are one-offs: they apply only to that one code construct and you’ll probably never use the same trick again. However, there are a few tricks that I find I can commonly use on all scripts to reduce their size:

1. Use one character, global variable and function names:
   • "var iCounter = 0" => "i=0"
2. Do not use expensive keywords:
   • "x=new Array();" => "x=[];"
   • "while(){}", "do {} while ()" => "for(){}"
   • "x=Math.floor(x);" => "x=x>>0;"
   • "x=Math.round(x);" => "x=x-.5>>0;"
   • "x=Math.ceil(x);" => "x=x+.999>>0;"
     (if you don’t mind rounding errors)
   • "x=Math.pow(2,x);" => "x=1<<x;"
   • "x=x/256;" => "x=x>>8;"
     (if you don’t mind the result being rounded down to an integer)
3. Choose the most efficient notation for numbers:
   • "0×10" => "16"
   • "0×20000" => "1<<17"
   • "1000" => "1e3"
   • ".0001" => "1e-4"
4. Optimize how you use the three-expression in for-loops:
   • "for(x=0;x<50;x++){}" => "for(x=50;x–;){}"
   • "for(x=50;x–;){}y=5;" => "for(x=50;x–;y=5){}"
     (this saves 1 semi-colon, but may slow your script down a little)
5. Remove comments and unneeded curly braces, white-space and semi-colons:
   • "for (…) { a+=b; c*=a; }" => "for(…)a+=b,c*=a;"
   • "function () {a+=b;}" => "function(){a+=b}"
   (Some of this can be done automatically and I’ve recently added code to do this to JsSfx)
6. Save often used complex values in variables:
   • "x=document.createElement(…);document.body.appendchild(x);" => "d=document;x=d.createElement(…);d.body.appendchild(x);"
   • "y=x*x*x+x*x-4;z=x*x*x+x*x+5;" => "y=(q=x*x*x+x*x)-4;z=q+5;"
7. Combine setting values:
   • "x=0;y=0;" => "x=y=0;"
   • "x=0;y=[0];" => "y=[x=0];"

This list does not claim to be complete. If you feel that I have omitted something useful, please leave a comment.

After manual optimization of code size, you can probably shrink the size of you script a lot further using some form of compression and self-extraction. I published JsSfx, which implements a custom compression and generates self-extracting JavaScript. I developed the compression technique it uses based on a number of assumptions:

1. JavaScript often contains the same character sequence a number of times (eg. strings like "for(" will appear quite often)
2. JavaScript normally uses a small sub-set of all the bytes valid in JavaScript.
3. The size of the script to be compressed is assumed to be small. Therefore, compression can save only so many bytes and the size of the decoder will have a large impact on the size of the final script. A large decoder negates the benefit of a good compression ratio.

The compression used in JsSfx works by replacing all instances of an often repeated string with one character that is not used in the script. It saves the character and the string it replaced as well. In a way this is similar to the manual step number 6 I explained above. Here’s an example:

code="o = document.createElement('a');\r\ndocument.body.appendChild(o);"
 

May be compressed as:

keys="A"
code="o = AcreateElement('a');\r\nAbody.appendChild(o);Adocument.";
 

In the above example, “document.” was replaced by “A”. The keys variable contains the list of the characters used to replace strings (in this case only “A”). The code variable stores the original string, with the replacements, followed by the key and the replaced string. The original code can be restored by splitting the code string into sub-strings using the keys. In the above example this leads to an array of sub-strings like this:

sub_string=["o = ", "createElement('a');\r\n", "body.appendChild(o);", "document."];
 

By removing the last string from the array and joining the remaining strings back together using this string, the decoder can recreate the original.

The original Perlin noise flames script was about 3.2k in size (excluding comments and whitespace). I manually reduced this to ~1.2k (a lot of gain comes from replacing long variables names with one character). Using JsSfx, I got it just below 1k.

I’d like to thank the people at pouet.net for feedback that allowed me to get this script to run on all browsers except MSIE. I’ve tested it on MSIE9 platform preview, but it doesn’t work (for unknown reasons).

Oracle have released a fix for this issue, which can be found here.

Details can be found here.

Oracle have released a patch for this issue which can be found here.

More details can be found here.

The buffer overflow allows easy control over EIP and creating a working exploit for targets without DEP is as easy as copy+pasting a heap spray into the repro file.

I reported the issue to Oracle, who were already aware of the issue because it had also been reported to them by Stephen Fewer of Harmony Security through ZDI. Oracle has release a patch for this issue, which is available here.

More details can be found here.