self-hosted js (ffconf 2014)

DESCRIPTION
By Andy Wingo. The parts of V8 and SpiderMonkey that are actually written in JS. Let's implement an ES.next feature in JS, during the talk!

TRANSCRIPT
![Page 1: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/1.jpg)
javascripts in the javascripts
ffconf 2014
andy wingo
![Page 2: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/2.jpg)
![Page 3: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/3.jpg)
the es6 circus is coming to town
es-discuss clownshoes
C++ knife-jugglers
JavaScript acrobats
![Page 4: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/4.jpg)
building es.next in es.now
Hark, an agenda:
❧ Why?
❧ How: JavaScriptCore
❧ How: SpiderMonkey
❧ How: V8
![Page 5: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/5.jpg)
why implement js in js?
![Page 6: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/6.jpg)
js is faster than c++
![Page 7: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/7.jpg)
js is faster than c++
JS can optimize in ways that C++ can’t
❧ dynamic inlining
❧ inline allocation (and possibly scalar replacement)
❧ inline hard-wiring of user object shapes (slot offsets, getters)
![Page 8: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/8.jpg)
js is faster than c++
No JS/C++ transition cost
Especially important for callbacks (e.g. forEach)
![Page 9: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/9.jpg)
js is faster than c++
JavaScriptCore’s Oliver Hunt, January 2014:
“The initial proof of concept is Array.prototype.every, this shows a 65% performance improvement, and that improvement is significantly hurt by our poor optimisation of op_in.”
![Page 10: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/10.jpg)
js matches js semantics better
Proxies, accessors, order of effects, has-property versus get-property, user-implemented iteration protocol, exceptions, catch
Terse:
for (var x of y) z(x);
![Page 11: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/11.jpg)
js more secure than c++
GC-related bugs approximately impossible
❧ SM, V8; JSC immune
No C++ knife-throwing work-related accidents
❧ integer overflow, use-after-free, etc
Cross-iframe leakage concerns lessened
![Page 12: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/12.jpg)
choosy hackers choose js
Goal: As much in JS as possible
For speed, for security, for maintainability
How?
![Page 13: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/13.jpg)
simplest model: javascriptcore
“Methods can be implemented in JS”
![Page 14: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/14.jpg)
example
Source/JavaScriptCore/builtins/Array.prototype.js:
```js
function foo() { return 'ahoy ffconf'; }
```
Source/JavaScriptCore/runtime/ArrayPrototype.cpp (property table entry):
```
foo arrayProtoFuncFoo DontEnum|Function 0
```
![Page 15: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/15.jpg)
weird js: jsc edition
Function source compiled separately
Access to globals forbidden in general
Initial values of globals accessible via @ prefix, e.g. @Object
Add @call and @apply
http://svn.webkit.org/repository/webkit/trunk@163195
![Page 16: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/16.jpg)
more complicated: spidermonkey
“Self-hosted JS” files concatenated and evaluated – more normal model
C++ binds functions by name to prototype properties
![Page 17: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/17.jpg)
feature: es.next ‘pipelines’
Old SpiderMonkey: (x*2 for (x in [0,1,2].keys()))
Erstwhile ES6: (for (x of [0,1,2].keys()) x*2)
Maybe ES7: [0,1,2].keys().map(x=>x*2)
Ideally on IteratorPrototype, but let’s hack it
![Page 18: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/18.jpg)
example
js/src/builtin/Iterator.js:
```js
function* IteratorMap(f) {
  for (var x of this) yield f(x);
}
```
![Page 19: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/19.jpg)
example
No function* at boot-time :(
But, ES6 object literals:
```js
function IteratorMap(f) {
  var iter = this[std_iterator]();
  return {
    next(val) {
      var result = iter.next(val);
      return result.done
        ? result
        : { value: callFunction(f, iter, result.value), done: false };
    },
    [std_iterator]: IteratorIdentity,
  };
}
```
![Page 20: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/20.jpg)
example
Link to C++ files; grep for surrounding identifiers, make similar modifications (e.g. in jsiter.cpp)
```
js> for (var x of [1,2,3].keys().map(x=>x*2)) print(x)
0
2
4
```
![Page 21: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/21.jpg)
nerf the web forward
![Page 22: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/22.jpg)
nerf the web forward
Your search - "nerf the web forward" - did not match any documents.
![Page 23: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/23.jpg)
nerf the web forward
(like, nerf is like a more resilient polystyrene foam)
![Page 24: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/24.jpg)
nerf the web forward
(the more joke explanation slides, the more amusing the joke, right?)
![Page 25: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/25.jpg)
nerf the web forward
(right?)
![Page 26: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/26.jpg)
caveats
@@iterator called before or after first next()?
Prototype chain of the result of map()?
Should final result.value be mapped?
%IteratorPrototype%
No spec; spec wonkiness
throw()?
next() applied to different object?
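The object-literal IteratorMap from the SpiderMonkey slides, rewritten here as an added example in ordinary ES6 rather than SpiderMonkey's own js/src/builtin/Iterator.js: Symbol.iterator stands in for the std_iterator intrinsic, Reflect.apply for callFunction, and a plain `return this` function for IteratorIdentity. MappedIteratorPrototype, installMap and demo are names invented for this example, and installMap plays the role of the jsiter.cpp edits the slide mentions. It goes a little beyond the slide's version by answering each question on the caveats slide in code (eager @@iterator, a chainable result prototype, unmapped done results, throw()/return() forwarding, receiver-independent next()).

```javascript
'use strict';

// Added example, not SpiderMonkey code: the deck's object-literal IteratorMap
// with standard ES6 in place of the self-hosting intrinsics
// (std_iterator -> Symbol.iterator, callFunction -> Reflect.apply,
// IteratorIdentity -> a function returning `this`).

function IteratorIdentity() {
  return this;
}

// Caveat "prototype chain of the result of map()?": results inherit from a
// dedicated prototype carrying @@iterator and (below) map, so calls chain.
const MappedIteratorPrototype = {
  [Symbol.iterator]: IteratorIdentity,
};

function IteratorMap(f) {
  if (typeof f !== 'function') throw new TypeError('map callback must be callable');
  // Caveat "@@iterator called before or after first next()?": eagerly, at
  // map() time, so a receiver without @@iterator fails here, not later.
  const iter = this[Symbol.iterator]();
  return {
    __proto__: MappedIteratorPrototype,
    // Caveat "next() applied to different object?": `iter` is captured by
    // closure, so next() still works when called with a foreign receiver.
    next(val) {
      const result = iter.next(val);
      // Caveat "should final result.value be mapped?": no; the done result
      // (a generator's return value, for instance) is passed through as-is.
      return result.done
        ? result
        : { value: Reflect.apply(f, iter, [result.value]), done: false };
    },
    // Caveat "throw()?": forwarded to the underlying iterator when it has one.
    throw(err) {
      if (typeof iter.throw === 'function') return iter.throw(err);
      throw err;
    },
    return(val) {
      if (typeof iter.return === 'function') return iter.return(val);
      return { value: val, done: true };
    },
  };
}

// Hypothetical installer standing in for the jsiter.cpp edits: bind
// IteratorMap as a non-enumerable `map` method on a prototype object.
function installMap(proto) {
  Object.defineProperty(proto, 'map', {
    value: IteratorMap, writable: true, configurable: true, enumerable: false,
  });
  return proto;
}

installMap(MappedIteratorPrototype);
// %ArrayIteratorPrototype%, shared by [].keys(), [].values() and [].entries().
installMap(Object.getPrototypeOf([].keys()));

// The slide's shell session: for (var x of [1,2,3].keys().map(x=>x*2)) print(x)
function demo() {
  const out = [];
  for (const x of [1, 2, 3].keys().map(x => x * 2)) out.push(x);
  return out; // [0, 2, 4]
}
```

Because `map` is defined directly on %ArrayIteratorPrototype%, it shadows any `map` an engine already provides further up the chain (newer engines ship iterator helpers), which is exactly the kind of spec-collision the caveats slide is warning about.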
![Page 27: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/27.jpg)
v8
Story time!
![Page 28: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/28.jpg)
languages are like operating systems
Visit a page : Install an app
Visit about:blank : Boot OS
Weird self-hosted JS part of OS, not app
![Page 29: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/29.jpg)
genesis
In the beginning, there was the empty function
and the Object function
and its prototype property
![Page 30: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/30.jpg)
genesis
And Goog looked upon it and saw that it was good
![Page 31: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/31.jpg)
genesis
Then the strict mode function “maps” (hidden classes)
Then the first global object
Then Array, Number, Boolean, String, Symbol, Date, RegExp, JSON, ArrayBuffer, the TypedArrays, Map, Set, iterator result shapes, WeakMap, WeakSet, arguments object shapes, ...
![Page 32: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/32.jpg)
genesis
And Goog looked upon them and saw that they were good
![Page 33: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/33.jpg)
genesis
And Goog looked upon them and saw that they were good
But FFS it’s a lot of C++, innit?
![Page 34: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/34.jpg)
how 2 js
Problem: Need to define helpers in JS, but they shouldn’t be in the user’s scope
Solution: Second global object for self-hosted JS to play in; natives mutate to produce a more beautiful global
![Page 35: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/35.jpg)
builtins, globals
Global: A global object, corresponding to a user-facing script-level scope
builtins: The global object current when self-hosted JS is being defined
In builtins, user-facing global boundto global
Somewhat confusingly, in V8, “self-hosted JS facilities” are called “natives”
![Page 36: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/36.jpg)
on the seventh day
So, “natives”. That’s JavaScript y’all!
![Page 37: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/37.jpg)
example
src/generator.js:
```js
function* GeneratorObjectMap(f) {
  for (var x of this) yield f(x);
}
```
![Page 38: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/38.jpg)
weird js, v8 edition
Verbs
❧ % prefix for low-level C++ runtime functions (--allow-natives-syntax)
❧ %_ prefix for magical “inline” runtime functions (%_CallFunction, %_IsSmi)
❧ macros (TO_UINT32, IS_NUMBER)
![Page 39: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/39.jpg)
weird js, v8 edition
Nouns too
❧ global
❧ InternalArray (to allow builtins to use .push() without worrying about user pollution)
Suggested reading order
❧ runtime.js
❧ v8natives.js
❧ array.js
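An added example, not V8's array.js or any engine code, of the user-pollution problem that InternalArray exists to solve: a builtin written in JS that reaches .push() and .join() through the user-visible Array.prototype can be hijacked by page script, whereas one that uses a separate array type whose methods were captured before any user script ran cannot. InternalArray, std_Array_push, std_Array_join, naiveCsv, hardenedCsv and withPollutedPush are names constructed for this demo (the std_ prefix copies the SpiderMonkey convention seen in the Iterator.js slide).

```javascript
'use strict';

// Added example (not V8's array.js): why self-hosted builtins must not look
// up Array methods through the prototype that page script can modify.

// "Boot": capture the pristine Array methods before any user script can run.
// (std_ prefix borrowed from SpiderMonkey's self-hosted naming convention.)
const std_Array_push = Array.prototype.push;
const std_Array_join = Array.prototype.join;

// InternalArray: a genuine Array exotic object (indexed elements, live
// length) whose prototype chain bypasses the user-visible Array.prototype,
// so page script cannot reach the methods that builtins call on it.
function InternalArray() {
  return Object.setPrototypeOf([], InternalArray.prototype);
}
InternalArray.prototype = Object.create(null, {
  push: { value: std_Array_push },
  join: { value: std_Array_join },
});

// Naive builtin: walks an array-like and collects results with .push(),
// which is looked up through the user-reachable Array.prototype.
function naiveCsv(arrayLike) {
  const out = [];
  for (let i = 0; i < arrayLike.length; i++) out.push(String(arrayLike[i]));
  return out.join(',');
}

// Hardened builtin: the same algorithm, but .push() and .join() resolve on
// the engine-private prototype, so tampering with Array.prototype is inert.
function hardenedCsv(arrayLike) {
  const out = new InternalArray();
  for (let i = 0; i < arrayLike.length; i++) out.push(String(arrayLike[i]));
  return out.join(',');
}

// Simulates a page that has replaced Array.prototype.push with a version
// that silently discards its arguments, then restores the original.
function withPollutedPush(fn) {
  const original = Array.prototype.push;
  Array.prototype.push = function () { return this.length; };
  try {
    return fn();
  } finally {
    Array.prototype.push = original;
  }
}

// Stand-alone check: the naive builtin loses its data, the hardened one does not.
console.log(withPollutedPush(() => naiveCsv(['a', 'b', 'c'])));    // ''
console.log(withPollutedPush(() => hardenedCsv(['a', 'b', 'c']))); // 'a,b,c'
```

The same reasoning applies to every other builtin the helper touches: anything resolved through a user-reachable global or prototype at call time (here `String` and `.length`, which the demo leaves alone) is part of the attack surface, which is why the V8 and SpiderMonkey slides insist on captured intrinsics and a separate global for self-hosted code.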
![Page 40: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/40.jpg)
snapshots
Lots of work amirite?
Optimization: Serialize heap of new-born world
Load fresh heap from disk to “boot”
Necessary in context of Chrome’s multi-process model
![Page 41: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/41.jpg)
note: the dom is something else
“Blink-in-JS”
Kentaro Hara: DOM binding overhead is 5-15% in real web
DOM objects live in a 1-to-N relationship to V8 globals
Search for “Hardening security of content scripts”
![Page 42: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/42.jpg)
but seriously
Strict spec reading
Strict spec translation (optimize later if ever)
Tests (especially proxies, getters, order of operations)
Patch submission
Feature flags (in v8)
![Page 43: Self-hosted JS (ffconf 2014)](https://reader034.vdocuments.us/reader034/viewer/2022052621/558b0285d8b42aa4688b45a5/html5/thumbnails/43.jpg)
tx
nerf the web forward!
http://wingolog.org/
big kid circus, by ray forster: https://www.flickr.com/photos/94418464@N08/8686092191