Browser Script Engines - EARLY DRAFT

Mikko Rinne Department of Computer Science and Engineering Aalto University School of Science and Technology Espoo, Finland Email: mikko.rinne@tkk.fi

Abstract—The abstract goes here. A. SpiderMonkey / TraceMonkey / Mozilla Firefox

I.INTRODUCTION The tracing JIT-compiler will be new in SpiderMonkey 1.8.1, not released yet at the time of this writing [5]. It is All browser script engines, in practice, are built on EC- based on the work of Andreas Gal et al. [6]. MAScript [1] (MJR temp note: ECMAScript also available as (Note: The JavaScript TraceMonkey page states: ”As of a printed standard). Well-known variants in popular browsers 2009, of the stable builds only the 32-bit versions of Firefox include Microsoft JScript in Internet Explorer, ActionScript in have TraceMonkey available (use nightly builds for 64-bit Adobe Flash and Mozilla JavaScript in e.g. Firefox. [2] support).”, but the page is updated in October 2010???) The three main issues of focus in ECMA-script related 1) Dynamic Machine Code Generation (TraceMonkey): research have been security, correctness and performance. Identification of frequently executed loop traces is used at This literature survey on browser script engine implementation runtime to generate machine code on the fly. The code concentrates on the performance-enhancing features under is specialized for the actual dynamic types used on each development in different browser environments. These opti- path through the loop. Inter-procedural type specialization is mization techniques include construction of a dynamic type provided. There is also a method to incrementally compile system to avoid repeated dictionary lookups of objectives, and alternative paths through nested loops. [6] partial (pre-)compilation of the code with a JIT (just-in-time) JavaScript execution is started in a bytecode interpreter. compiler. [3] During execution, frequently executed sequences are identi- A. Not Part of Script Engine fied, recorded and compiled to fast native machine code. Such The Document Object Model (DOM), even though manipu- instruction sequences are referred to as traces [7]. lated by JavaScript, is typically provided by the browser. E.g. The compiler operates on individual loops with the expecta- in the case of V8, the DOM is provided by Chrome. [4] tion that most of program execution time is spent in hot loops. Hot loops are also expected to have good type stability. II.JAVASCRIPT CHALLENGES Trace creation takes the assumption that the path and typing The object system in JavaScript is extremely flexible. A will remain the same in all iterations of the loop. Every trace property, called using the context of its parent object is contains all the checks to validate the assumption. If control similar to a method in Java. Each object has a prototype flow is different or a value of a different type is generated, fieald referring to another object. A ”property lookup” involves the trace exits. ”If an exit becomes hot, the VM can record a searching the current object, then its parents in succession until branch trace starting at the exit to cover the new path. In this the property is found. way, the VM records a trace tree covering all the hot paths One of the main challenges in JavaScript compiler design through the loop.” are the highly dynamic variables. Several attempts at specify- The problem of nested loops is solved by recording nested ing type systems for JavaScript have been made (References trace trees. ”The system stops extending the inner tree when available from [3], if needed). it reaches an outer loop, starting a new trace at the outer loop Based on [3] use of the same library also emphasizes similar header. When the outer loop reaches the inner loop header, approaches to the coding of JavaScript. Such libraries include the system tries to call the trace tree for the inner loop.” If Objective-J (e.g. 280slides.com), jQuery (Digg, Twitter and the call succeeds, the call to the inner tree is recorded as part WordPress), Prototype (Xxx) and Closure (Google Maps, Mail of the outer trace, finishing the outer trace normally. With and Search). this approach any depth of nested loops can be traced without excessive tail duplication. III.BROWSER ENGINE PROPERTIES JIT compilation approaches were handled in more detail in Due to the dynamic nature of JavaScript allocations, most an earlier seminar [8]. engines use a dynamic lookup for accessing each object 2) Blacklisting [6]: Not all kinds of hot loops result in property. This slows down execution compared to more strictly a legal trace. Current TraceMonkey doesn’t support throwing typed languages, where instance variables can be stored at and catching of arbitrary exceptions, which are usually rare. fixed offsets. [4] However, if exceptions were repeatedly used by a program, a penalty would be observed, because the JIT compiler would runtime reaches an unitialized call site, the dynamic lookup is repeatedly try and fail. performed and the result as stored at the call site, changing The prediction algorithm in TraceMonkey is able blacklists state to ”monomorphic”. If the runtime reaches the same call traces, whose compilation has not succeeded. In case of failure, site again, the callee can be directly invoked without further the trace starting point is recorded. A new trace will not be lookups. recorded at that point until it is passed a few more times (e.g. Some guard conditions are needed for protection against the 32 in the example), which gives a back-off property in case possibility that objects of different types occur at the same call the trace was prevented by temporary conditions. site. The more common way is to apply such guard conditions to the preamble of the callee rather than at the call site to B. V8 / Google Chrome better exploit branch prediction and save space (one copy in 1) Hidden classes: To avoid spending time with dictionary the preamble vs. multiple copies at call sites). If a call site in lookups of dynamic objects, Google V8 dynamically creates ”monomorphic” state encounters a type other than the one it ”hidden classes”, which change with the addition of a new expects it changes back to uninitialized and performs a new property. The following example is presented in [4]: full dynamic lookup. Consider a new object of type ”point” being created: 3) Dynamic Machine Code Generation: In V8 JavaScript is function Point(x, y) { compiled directly into machine code upon the first execution. this.x = x; No intermediate byte codes nor an interpreter are being used. this.y = y; Property access is handled by inline cache code, which can be } patched with other machine instructions during V8 execution. First V8 determines the current hidden class status of an The ”Point” object could be initially associated with a class object. It assumes that the same class will also be used for all C0. If a new property is created with Point (this.x = future objects accessed in the same call site. This information x;), a new hidden class C1 is created, with the value of is used to patch the inline cache code to use the appropriate property x stored at offset zero in the Point object. At the hidden class. If the assumption is correct, the value of the same time C0 is updated with a class transition indicating that property can be assigned or fetched in a single operation. If C0 with property x points to C1. The situation after addition not, the code is patched to remove the optimisation. of one more property y and creation of another hidden class The following example is given in [4]: C2 is shown in Figure 1. The JavaScript code to access property x from a Point object would be For example, the JavaScript code to access property x from A Point Object Hidden Class C2 a Point object would be point.x

Class pointer For x see The V8 machine code for accessing x would be: offset 0 Offset 0: x Hidden Class C1 For y see Offset 1: y offset 1 # ebx = the point object For x see cmp [ebx,], offset 0 Initial hidden

VI.CONCLUSION The conclusion goes here.

ACKNOWLEDGMENT The authors would like to thank...

REFERENCES [1] “Standard ECMA-262,” http://www.ecma- international.org/publications/standards/Ecma-262.htm. [Online]. Avail- able: http://www.ecma-international.org/publications/standards/Ecma- 262.htm [2] “John resig - the world of ECMAScript,” http://ejohn.org/blog/the- world-of-ecmascript/. [Online]. Available: http://ejohn.org/blog/the- world-of-ecmascript/ [3] G. Richards, S. Lebresne, B. Burg, and J. Vitek, “An analysis of the dynamic behavior of JavaScript programs,” in Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation. Toronto, Ontario, Canada: ACM, 2010, pp. 1–12. [4] “V8 JavaScript engine - google code,” http://code.google.com/apis/v8/. [Online]. Available: http://code.google.com/apis/v8/ [5] “SpiderMonkey internals - MDC,” http://mdn.beonex.com/En/SpiderMonkey/Internals.1. [Online]. Available: http://mdn.beonex.com/En/SpiderMonkey/Internals.1 [6] A. Gal, B. Eich, M. Shaver, D. Anderson, D. Mandelin, M. R. Haghighat, B. Kaplan, G. Hoare, B. Zbarsky, J. Orendorff, J. Ruderman, E. W. Smith, R. Reitmaier, M. Bebenita, M. Chang, and M. Franz, “Trace-based just-in-time type specialization for dynamic languages,” in Proceedings of the 2009 ACM SIGPLAN conference on Programming language design and implementation. Dublin, Ireland: ACM, 2009, pp. 465–478. [Online]. Available: http://portal.acm.org.libproxy.tkk.fi/citation.cfm?id=1542528dl=GUIDEcoll=PortalCFID=104300471CFTOKEN=94245068 [7] A. Gal and M. Franz, “Incremental dynamic code generation with trace trees,” Dec. 2006. [8] “JIT-seminar,” https://wiki.aalto.fi/display/jitsemma/Home. [Online]. Available: https://wiki.aalto.fi/display/jitsemma/Home [9] L. P. Deutsch and A. M. Schiffman, “Efficient imple- mentation of the smalltalk-80 system,” in Proceedings of the 11th ACM SIGACT-SIGPLAN symposium on Principles of programming languages. Salt Lake City, Utah, United States: ACM, 1984, pp. 297–302. [Online]. Available: http://portal.acm.org.libproxy.tkk.fi/citation.cfm?id=800017.800542 [10] “Self paper: ”Optimizing DTOOLs with PICs”,” http://labs.oracle.com/self/papers/pics.html. [Online]. Available: http://labs.oracle.com/self/papers/pics.html [11] M. Berndl, B. Vitale, M. Zaleski, and A. D. Brown, “Context threading: A flexible and efficient dispatch tech- nique for virtual machine interpreters.” [Online]. Available: http://www.cs.toronto.edu/syslab/pubs/demkeacontext.ps [12] S. Lee, S. Moon, W. Jung, J. Oh, and H. Oh, “Code size and performance optimization for mobile JavaScript just- in-time compiler,” in Proceedings of the 2010 Workshop on Interaction between Compilers and Computer Architecture. Pittsburgh, Pennsylvania: ACM, 2010, pp. 1–7. [Online]. Available: http://portal.acm.org.libproxy.tkk.fi/citation.cfm?id=1739034dl=coll=GUIDECFID=104300352CFTOKEN=61326485 [13] “John resig - computing with JavaScript web workers,” http://ejohn.org/blog/web-workers/. [Online]. Available: http://ejohn.org/blog/web-workers/ [14] “WebKit2 WebKit,” http://trac.webkit.org/wiki/WebKit2. [Online]. Available: http://trac.webkit.org/wiki/WebKit2