DOCSLIB.ORG

Browser Script Engines - EARLY DRAFT

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Browser Script Engines - EARLY DRAFT Browser Script Engines - EARLY DRAFT Mikko Rinne Department of Computer Science and Engineering Aalto University School of Science and Technology Espoo, Finland Email: mikko.rinne@tkk.fi Abstract—The abstract goes here. A. SpiderMonkey / TraceMonkey / Mozilla Firefox I. INTRODUCTION The tracing JIT-compiler will be new in SpiderMonkey 1.8.1, not released yet at the time of this writing [5]. It is All browser script engines, in practice, are built on EC- based on the work of Andreas Gal et al. [6]. MAScript [1] (MJR temp note: ECMAScript also available as (Note: The JavaScript TraceMonkey page states: ”As of a printed standard). Well-known variants in popular browsers 2009, of the stable builds only the 32-bit versions of Firefox include Microsoft JScript in Internet Explorer, ActionScript in have TraceMonkey available (use nightly builds for 64-bit Adobe Flash and Mozilla JavaScript in e.g. Firefox. [2] support).”, but the page is updated in October 2010???) The three main issues of focus in ECMA-script related 1) Dynamic Machine Code Generation (TraceMonkey): research have been security, correctness and performance. Identification of frequently executed loop traces is used at This literature survey on browser script engine implementation runtime to generate machine code on the fly. The code concentrates on the performance-enhancing features under is specialized for the actual dynamic types used on each development in different browser environments. These opti- path through the loop. Inter-procedural type specialization is mization techniques include construction of a dynamic type provided. There is also a method to incrementally compile system to avoid repeated dictionary lookups of objectives, and alternative paths through nested loops. [6] partial (pre-)compilation of the code with a JIT (just-in-time) JavaScript execution is started in a bytecode interpreter. compiler. [3] During execution, frequently executed sequences are identi- A. Not Part of Script Engine fied, recorded and compiled to fast native machine code. Such The Document Object Model (DOM), even though manipu- instruction sequences are referred to as traces [7]. lated by JavaScript, is typically provided by the browser. E.g. The compiler operates on individual loops with the expecta- in the case of V8, the DOM is provided by Chrome. [4] tion that most of program execution time is spent in hot loops. Hot loops are also expected to have good type stability. II. JAVASCRIPT CHALLENGES Trace creation takes the assumption that the path and typing The object system in JavaScript is extremely flexible. A will remain the same in all iterations of the loop. Every trace property, called using the context of its parent object is contains all the checks to validate the assumption. If control similar to a method in Java. Each object has a prototype flow is different or a value of a different type is generated, fieald referring to another object. A ”property lookup” involves the trace exits. ”If an exit becomes hot, the VM can record a searching the current object, then its parents in succession until branch trace starting at the exit to cover the new path. In this the property is found. way, the VM records a trace tree covering all the hot paths One of the main challenges in JavaScript compiler design through the loop.” are the highly dynamic variables. Several attempts at specify- The problem of nested loops is solved by recording nested ing type systems for JavaScript have been made (References trace trees. ”The system stops extending the inner tree when available from [3], if needed). it reaches an outer loop, starting a new trace at the outer loop Based on [3] use of the same library also emphasizes similar header. When the outer loop reaches the inner loop header, approaches to the coding of JavaScript. Such libraries include the system tries to call the trace tree for the inner loop.” If Objective-J (e.g. 280slides.com), jQuery (Digg, Twitter and the call succeeds, the call to the inner tree is recorded as part WordPress), Prototype (Xxx) and Closure (Google Maps, Mail of the outer trace, finishing the outer trace normally. With and Search). this approach any depth of nested loops can be traced without excessive tail duplication. III. BROWSER ENGINE PROPERTIES JIT compilation approaches were handled in more detail in Due to the dynamic nature of JavaScript allocations, most an earlier seminar [8]. engines use a dynamic lookup for accessing each object 2) Blacklisting [6]: Not all kinds of hot loops result in property. This slows down execution compared to more strictly a legal trace. Current TraceMonkey doesn’t support throwing typed languages, where instance variables can be stored at and catching of arbitrary exceptions, which are usually rare. fixed offsets. [4] However, if exceptions were repeatedly used by a program, a penalty would be observed, because the JIT compiler would runtime reaches an unitialized call site, the dynamic lookup is repeatedly try and fail. performed and the result as stored at the call site, changing The prediction algorithm in TraceMonkey is able blacklists state to ”monomorphic”. If the runtime reaches the same call traces, whose compilation has not succeeded. In case of failure, site again, the callee can be directly invoked without further the trace starting point is recorded. A new trace will not be lookups. recorded at that point until it is passed a few more times (e.g. Some guard conditions are needed for protection against the 32 in the example), which gives a back-off property in case possibility that objects of different types occur at the same call the trace was prevented by temporary conditions. site. The more common way is to apply such guard conditions to the preamble of the callee rather than at the call site to B. V8 / Google Chrome better exploit branch prediction and save space (one copy in 1) Hidden classes: To avoid spending time with dictionary the preamble vs. multiple copies at call sites). If a call site in lookups of dynamic objects, Google V8 dynamically creates ”monomorphic” state encounters a type other than the one it ”hidden classes”, which change with the addition of a new expects it changes back to uninitialized and performs a new property. The following example is presented in [4]: full dynamic lookup. Consider a new object of type ”point” being created: 3) Dynamic Machine Code Generation: In V8 JavaScript is function Point(x, y) { compiled directly into machine code upon the first execution. this.x = x; No intermediate byte codes nor an interpreter are being used. this.y = y; Property access is handled by inline cache code, which can be } patched with other machine instructions during V8 execution. First V8 determines the current hidden class status of an The ”Point” object could be initially associated with a class object. It assumes that the same class will also be used for all C0. If a new property is created with Point (this.x = future objects accessed in the same call site. This information x;), a new hidden class C1 is created, with the value of is used to patch the inline cache code to use the appropriate property x stored at offset zero in the Point object. At the hidden class. If the assumption is correct, the value of the same time C0 is updated with a class transition indicating that property can be assigned or fetched in a single operation. If C0 with property x points to C1. The situation after addition not, the code is patched to remove the optimisation. of one more property y and creation of another hidden class The following example is given in [4]: C2 is shown in Figure 1. The JavaScript code to access property x from a Point object would be For example, the JavaScript code to access property x from A Point Object Hidden Class C2 a Point object would be point.x Class pointer For x see The V8 machine code for accessing x would be: offset 0 Offset 0: x Hidden Class C1 For y see Offset 1: y offset 1 # ebx = the point object For x see cmp [ebx,<hidden class offset>], offset 0 Initial hidden <cached hidden class> Class C0 If you add propert y, jne <inline cache miss> If you add transition to property x, class C2 transition to mov eax,[ebx, <cached x offset>] class C1 In case the hidden class of the point object wouldn’t match the hidden class, execution would jump to the runtime system, Fig. 1. Hidden class creation with additional properties which would patch the inline cache code. If the hidden class matches, which is hoped to be the most common case, the Googles V8 associates classes with objects, assuming that value of property x is retrieved. their shape will not change too much. Highly dynamic objects Especially in the case of many objects sharing the same are treated as fallback cases. [3] hidden class, the benefits are similar to the ones obtained in 2) Inline caching: Hidden classes also enable V8 to make static languages. The combined use of hidden classes, inline better use of inline caching [9]. In inline caching the results caching and machine code generation optimises for cases of a previous method lookup are stored directly at the call where the same type of object is frequently creted and accessed site. This is especially useful for dynamically typed languages, in a similar way. where the method binding typically happens at runtime. 4) Garbage Collection Optimizations: V8 stops program Inline caching is supported by the observation that objects execution during garbage collection. The object heap is seg- occurring on a particular call site are often of the same type, in mented into two parts: New objects are created in a ”new which cases large performance improvements can be achieved.
Load more

Recommended publications
  • Sok: Make JIT-Spray Great Again
    SoK: Make JIT-Spray Great Again Robert Gawlik and Thorsten Holz Ruhr-Universitat¨ Bochum Abstract Attacks against client-side programs such as browsers were at first tackled with a non-executable stack to pre- Since the end of the 20th century, it has become clear that vent execution of data on the stack and also with a non- web browsers will play a crucial role in accessing Internet executable heap to stop heap sprays of data being later resources such as the World Wide Web. They evolved executed as code. This defense became widely known into complex software suites that are able to process a as W ⊕ X (Writable xor eXecutable) or Data Execution multitude of data formats. Just-In-Time (JIT) compilation Prevention (DEP) to make any data region non-executable was incorporated to speed up the execution of script code, in 2003 [45, 54]. To counter DEP, attackers started to per- but is also used besides web browsers for performance form code reuse such as Return-Oriented Programming reasons. Attackers happily welcomed JIT in their own (ROP) and many variants [10, 11, 32, 68]. In general, if an way, and until today, JIT compilers are an important target adversary knows the location of static code in the address of various attacks. This includes for example JIT-Spray, space of the vulnerable target, she can prepare a fake stack JIT-based code-reuse attacks and JIT-specific flaws to cir- with addresses of these gadgets. As soon as control of cumvent mitigation techniques in order to simplify the the instruction pointer is gained, these gadgets execute exploitation of memory-corruption vulnerabilities.
    [Show full text]
  • Getting Started with Firefox OS JOHN DEVIGHT
    Getting Started with Firefox OS JOHN DEVIGHT DMVMUG Reston, VA http://dmvmug.com AGENDA Overview Conference Application Demo Overview Mobile OS Market Company OS Market Share Apple iOS 13.4% Google Android 81.3% Microsoft Windows Phone 4.1% Blackberry Blackberry OS 1.0% Nokia Series 40 N/A Linux Foundation Mer < 1.0% Tizen Association Tizen N/A Sailfish Alliance Sailfish OS N/A Canonical Ltd. Ubuntu Phone ? * Taken from: http://en.wikipedia.org/wiki/Comparison_of_mobile_operating_systems Overview Why Firefox OS? Firefox OS smartphones will arrive in extremely cost-sensitive markets like India and Indonesia where people often buy phones from a bin in a store." With an anticipated device price point of $25, Google (GOOG) and Apple (AAPL) have reason to fear. The Indian and Indonesian markets are the most under-saturated in Asia.... smartphone penetration had reached just 23% in Indonesia and 18% in India... that leaves 1.2 billion users in the two countries currently without access to smartphones or tablets. Smartphone makers have struggled to satisfy the price sensitivity of the lower-end markets in both of these countries, and in doing so have lost out on driving brand adoption for first time users. * Taken from: http://seekingalpha.com/article/2042973-1_2-billion-reasons-why-firefox-os-is-important Overview Why Develop for Firefox OS? Demand for Web Technologies to be used in mobile app development. On July 25, 2011, Dr. Andreas Gal, Director of Research at Mozilla Corporation, announced the "Boot to Gecko" Project (B2G) on the mozilla.dev.platform mailing list. The project proposal was to "pursue the goal of building a complete, standalone operating system for the open web" in order to "find the gaps that keep web developers from being able to build apps that are – in every way – the equals of native apps built for the iPhone [iOS], Android, and WP7 [Windows Phone 7]." Make Web Technologies a 1st Class Citizen in a mobile operating system.
    [Show full text]
  • A Review Paper on Firefox Os
    © 2014 IJIRT | Volume 1 Issue 6 | ISSN : 2349-6002 A REVIEW PAPER ON FIREFOX OS Deepak Kumar, Divanshu Kaushik Department of Information Technology, Dronacharya college of engineering, Gurgaon , Haryana, India Abstract- Firefox OS (project name: Boot to Gecko, also OS as more accessible: "We use completely open known as B2G) is a Linux kernel-based open-source standards and there’s no proprietary software or operating system for Smartphone's and tablet technology involved." Gal also said that because the [8] computers and is set to be used on smart TVs. It is software stack is entirely HTML5, there are already a being developed by Mozilla, the non-profit organization large number of established developers. This best known for the Firefox web browser. Firefox OS is designed to provide a complete community-based assumption is employed in Mozilla's WebAPI. These alternative system for mobile devices, using open are intended W3C standards that attempt to bridge standards and approaches such as HTML5 the capability gap that currently exists between native applications, JavaScript, a robust privilege model, open frameworks and web applications. The goal of these web APIs to communicate directly with cell phone efforts is to enable developers to build applications hardware, and application marketplace. As such, it using WebAPI which would then run in any competes with commercially developed operating standards compliant browser without the need to systems such as Apple's iOS, Google's Android, rewrite their application for each platform. Microsoft's Windows Phone[9] and Jolla's Sailfish OS as well as other community-based open source systems II.
    [Show full text]
  • Firefox Operating Systems
    International Journal of Research, Science, Technology & Management ISSN Online: 2455-2240, Volume 17 Issue III, December 2019 FIREFOX OPERATING SYSTEMS Gigy Mathem, Robert Dzoria ABSTRACT The firefox operating system which is also known by its project name‐ Boot to Gecko (B2G) is mainly an operating system for smartphones and tablet computers and in future it is also used on smart TVs. Firefox os is new to market so, not so many smartphones or tablet computers are running on this os, but in future dozens of smart phones and tablets release on this os. It is an open source mobile operating system that uses modified version of the Linux kernel. It is developed by Mozilla, which is non‐profit organization. Mozilla is best known for the Firefox web browser. Firefox OS provide complete community‐based alternative system for smartphones, using open standards and approaches such as HTML5 applications, JavaScript, a robust privilege model, open web APIs to communicate directly with phone hardware and application marketplace. INTRODUCTION assimilate with all layers in the Firefox OS architecture. Gonk implies a fusion of open source software and Firefox OS is a operating system and software platform hardware‐ and OEM‐dependent components. Gonk also for smartphones developed by Mozilla corporation. It is take cares of B2G processes, like starts, manages, and based on Linex kernel. Firefox OS is open source shuts down processes of Gonk. software stack for smartphones or mobile devices. This OS is little dissimilar from android/iOS. It actually bridges tha gap between feature phones and smartphones which runs on android/iOS.
    [Show full text]
  • Trace-Based Just-In-Time Type Specialization for Dynamic Languages
    Trace-based Just-in-Time Type Specialization for Dynamic Languages + Andreas Gal∗ , Brendan Eich∗, Mike Shaver∗, David Anderson∗, David Mandelin∗, $ Mohammad R. Haghighat , Blake Kaplan∗, Graydon Hoare∗, Boris Zbarsky∗, Jason Orendorff∗, # # + +# + Jesse Ruderman∗, Edwin Smith , Rick Reitmaier , Michael Bebenita , Mason Chang , Michael Franz Mozilla Corporation∗ gal,brendan,shaver,danderson,dmandelin,mrbkap,graydon,bz,jorendorff,jruderman @mozilla.com { } Adobe Corporation# edwsmith,rreitmai @adobe.com { } Intel Corporation$ mohammad.r.haghighat @intel.com { } University of California, Irvine+ mbebenit,changm,franz @uci.edu { } Abstract and is used for the application logic of browser-based productivity Dynamic languages such as JavaScript are more difficult to com- applications such as Google Mail, Google Docs and Zimbra Col- pile than statically typed ones. Since no concrete type information laboration Suite. In this domain, in order to provide a fluid user is available, traditional compilers need to emit generic code that can experience and enable a new generation of applications, virtual ma- handle all possible type combinations at runtime. We present an al- chines must provide a low startup time and high performance. ternative compilation technique for dynamically-typed languages Compilers for statically typed languages rely on type informa- that identifies frequently executed loop traces at run-time and then tion to generate efficient machine code. In a dynamically typed pro- generates machine code on the fly that is specialized for the ac- gramming language such as JavaScript, the types of expressions tual dynamic types occurring on each path through the loop. Our may vary at runtime. This means that the compiler can no longer method provides cheap inter-procedural type specialization, and an easily transform operations into machine instructions that operate elegant and efficient way of incrementally compiling lazily discov- on one specific type.
    [Show full text]
  • Detection and Diagnosis of Memory Leaks in Web Applications
    Detection and Diagnosis of Memory Leaks in Web Applications by Masoomeh Rudafshani A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Electrical and Computer Engineering Waterloo, Ontario, Canada, 2015 © Masoomeh Rudafshani 2015 I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. iii Abstract Memory leaks { the existence of unused memory on the heap of applications { result in low performance and may, in the worst case, cause applications to crash. The migration of application logic to the client side of modern web applications and the use of JavaScript as the main language for client-side development have made memory leaks in JavaScript an issue for web applications. Significant portions of modern web applications are executed on the client browser, with the server acting only as a data store. Client-side web applications communicate with the server asynchronously, remaining on the same web page during their lifetime. Thus, even minor memory leaks can eventually lead to excessive memory usage, negatively affecting user-perceived response time and possibly causing page crashes. This thesis demonstrates the existence of memory leaks in the client side of large and popular web applications, and develops prototype tools to solve this problem. The first approach taken to address memory leaks in web applications is to detect, diagnose, and fix them during application development.
    [Show full text]
  • Trace-Based Just-In-Time Type Specialization for Dynamic Languages
    Trace-based Just-in-Time Type Specialization for Dynamic Languages Andreas Gal∗+, Brendan Eich∗, Mike Shaver∗, David Anderson∗, David Mandelin∗, Mohammad R. Haghighat$, Blake Kaplan∗, Graydon Hoare∗, Boris Zbarsky∗, Jason Orendorff∗, Jesse Ruderman∗, Edwin Smith#, Rick Reitmaier#, Michael Bebenita+, Mason Chang+#, Michael Franz+ Mozilla Corporation∗ {gal,brendan,shaver,danderson,dmandelin,mrbkap,graydon,bz,jorendorff,jruderman}@mozilla.com Adobe Corporation# {edwsmith,rreitmai}@adobe.com Intel Corporation$ {mohammad.r.haghighat}@intel.com University of California, Irvine+ {mbebenit,changm,franz}@uci.edu Abstract and is used for the application logic of browser-based productivity Dynamic languages such as JavaScript are more difficult to com- applications such as Google Mail, Google Docs and Zimbra Col- pile than statically typed ones. Since no concrete type information laboration Suite. In this domain, in order to provide a fluid user is available, traditional compilers need to emit generic code that can experience and enable a new generation of applications, virtual ma- handle all possible type combinations at runtime. We present an al- chines must provide a low startup time and high performance. ternative compilation technique for dynamically-typed languages Compilers for statically typed languages rely on type informa- that identifies frequently executed loop traces at run-time and then tion to generate efficient machine code. In a dynamically typed pro- generates machine code on the fly that is specialized for the ac- gramming language such as JavaScript, the types of expressions tual dynamic types occurring on each path through the loop. Our may vary at runtime. This means that the compiler can no longer method provides cheap inter-procedural type specialization, and an easily transform operations into machine instructions that operate elegant and efficient way of incrementally compiling lazily discov- on one specific type.
    [Show full text]
  • Make JIT-Spray Great Again
    SoK: Make JIT-Spray Great Again Robert Gawlik and Thorsten Holz Ruhr-Universitat¨ Bochum Abstract Attacks against client-side programs such as browsers were at first tackled with a non-executable stack to pre- Since the end of the 20th century, it has become clear that vent execution of data on the stack and also with a non- web browsers will play a crucial role in accessing Internet executable heap to stop heap sprays of data being later resources such as the World Wide Web. They evolved executed as code. This defense became widely known into complex software suites that are able to process a as W ⊕ X (Writable xor eXecutable) or Data Execution multitude of data formats. Just-In-Time (JIT) compilation Prevention (DEP) to make any data region non-executable was incorporated to speed up the execution of script code, in 2003 [45, 54]. To counter DEP, attackers started to per- but is also used besides web browsers for performance form code reuse such as Return-Oriented Programming reasons. Attackers happily welcomed JIT in their own (ROP) and many variants [10, 11, 32, 68]. In general, if an way, and until today, JIT compilers are an important target adversary knows the location of static code in the address of various attacks. This includes for example JIT-Spray, space of the vulnerable target, she can prepare a fake stack JIT-based code-reuse attacks and JIT-specific flaws to cir- with addresses of these gadgets. As soon as control of cumvent mitigation techniques in order to simplify the the instruction pointer is gained, these gadgets execute exploitation of memory-corruption vulnerabilities.
    [Show full text]