COSCUP 2015
ZongShen Shen
andy.zsshen@gmail.com
A Beginner's Journey to Mozilla SpiderMonkey JS Engine
Why Joining SpiderMonkey
• Explore a real language engine implementation
• Good First Features encouraging beginners
About the Talk
• Under the hood of engine implementation
• Beginner's view and experience sharing
Outline
• Bytecode & Interpreter Basics
• JIT Optimization
SpiderMonkey Overview
    JS Source → Compiler → Bytecode → Interpreter → CPU
                                   ↘ JIT Compiler → Native Code → CPU
• Bytecode Generation: the compiler turns JS source into bytecode
• Bytecode Interpretation: the interpreter executes the bytecode
• Hot Code Optimization: the JIT compiler turns hot bytecode into native code
• Native Code Execution: the CPU runs the native code directly
Bytecode Compiler
• Lexical Analysis
    • Split the source script into a token stream
• Syntactic Analysis
    • Parse the token stream and build an Abstract Syntax Tree
• Code Generation
    • Traverse the AST to emit bytecode
Lexical Analysis
    var x = y + z ;
    var a = b * c ;
Token kinds for the first line: Variable (var), Name (x), Assignment (=), Name (y), Add (+), Name (z), Semicolon (;)
Syntactic Analysis
Grammar excerpt:
    VarOrExprs  → var Vars | Expr
    Vars        → Var | Var , Vars
    Var         → Id | Id = AssignExpr
    Expr        → AssignExpr | AssignExpr , Expr
    AssignExpr  → CondExpr | CondExpr AssignOp AssignExpr
    . . .
    AddExpr     → MulExpr | MulExpr + AddExpr
    MulExpr     → UnaryExpr | UnaryExpr * MulExpr
    . . .
    PrimaryExpr → ( Expr ) | Id | LitInt | LitFloat | LitString
                | false | true | null | this
Recursive descent parsing: top to bottom, left to right
Syntactic Analysis
Result AST:
    Statement List
    ├── Assignment
    │   ├── Def : x
    │   └── BinaryAdd
    │       ├── Use : y
    │       └── Use : z
    └── Assignment
        ├── Def : a
        └── BinaryMultiply
            ├── Use : b
            └── Use : c
Code Generation
AST for the statement list S: two assignments, x = y + z and a = b * c.
Traversing it emits the bytecode below, one statement at a time: DefVar for every declared name first, then for each initializer BindName, the operand loads, the operator, and SetName:
    DefVar x
    DefVar a
    BindName x
    GetName y
    GetName z
    Add
    SetName x
    BindName a
    GetName b
    GetName c
    Mul
    SetName a
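A toy front end for the two statements above, added here as an example and not code from the slides or from SpiderMonkey: it tokenizes, parses by recursive descent following the slide's productions (AssignExpr reduced to AddExpr, the CondExpr and Unary levels omitted) and emits the same DefVar/BindName/GetName/Add/SetName sequence. The token kinds and the names tokenize, Parser, emit_expr and compile_script are my own.

```python
import re

# Toy front end for the slide's grammar (constructed; not SpiderMonkey code).
TOKEN_RE = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(\S))")


def tokenize(src):
    """Lexical analysis: split the script into a (kind, text) token stream."""
    tokens, pos = [], 0
    while m := TOKEN_RE.match(src, pos):           # None once only whitespace is left
        pos = m.end()
        if m.group(1):
            tokens.append(("int", m.group(1)))
        elif m.group(2):
            tokens.append(("var" if m.group(2) == "var" else "id", m.group(2)))
        else:
            tokens.append(("op", m.group(3)))
    return tokens + [("eof", "")]


class Parser:
    """Syntactic analysis: top-to-bottom, left-to-right recursive descent."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i]

    def eat(self, kind, text=None):
        k, t = self.toks[self.i]
        if k != kind or (text is not None and t != text):
            raise SyntaxError(f"expected {text or kind}, got {t!r}")
        self.i += 1
        return t

    def statement_list(self):        # VarOrExprs -> var Vars ;  Vars -> Var | Var , Vars
        decls = []
        while self.peek()[0] != "eof":
            self.eat("var")
            decls.append(self.var())
            while self.peek() == ("op", ","):
                self.eat("op", ",")
                decls.append(self.var())
            self.eat("op", ";")
        return decls

    def var(self):                   # Var -> Id | Id = AssignExpr
        name = self.eat("id")
        if self.peek() != ("op", "="):
            return (name, None)
        self.eat("op", "=")
        return (name, self.add_expr())           # AssignExpr reduced to AddExpr here

    def add_expr(self):              # AddExpr -> MulExpr | MulExpr + AddExpr
        left = self.mul_expr()
        if self.peek() != ("op", "+"):
            return left
        self.eat("op", "+")
        return ("Add", left, self.add_expr())

    def mul_expr(self):              # MulExpr -> PrimaryExpr | PrimaryExpr * MulExpr
        left = self.primary()
        if self.peek() != ("op", "*"):
            return left
        self.eat("op", "*")
        return ("Mul", left, self.mul_expr())

    def primary(self):               # PrimaryExpr -> ( Expr ) | Id | LitInt
        kind, text = self.peek()
        if (kind, text) == ("op", "("):
            self.eat("op", "(")
            node = self.add_expr()
            self.eat("op", ")")
            return node
        if kind == "int":
            return ("Int16", int(self.eat("int")))
        return ("Use", self.eat("id"))


def emit_expr(node, code):
    """Post-order AST walk: operands first, then the operator, as on the slides."""
    if node[0] in ("Use", "Int16"):
        code.append(("GetName " if node[0] == "Use" else "Int16 ") + str(node[1]))
        return
    emit_expr(node[1], code)
    emit_expr(node[2], code)
    code.append(node[0])                         # "Add" or "Mul"


def compile_script(src):
    """Tokens -> AST -> bytecode; returns the op list as strings."""
    decls = Parser(tokenize(src)).statement_list()
    code = [f"DefVar {name}" for name, _ in decls]   # declarations are hoisted first
    for name, init in decls:
        if init is not None:
            code.append(f"BindName {name}")
            emit_expr(init, code)
            code.append(f"SetName {name}")
    return code
```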
Bytecode Interpreter
• Prepare the stack frame to interpret bytecode
• Dispatch bytecode in a large switch statement
    INTERPRETER_LOOP()
    CASE(JSOP_GETNAME) {
        GetNameOperation()
    }
    CASE(JSOP_ADD) {
        AddOperation()
    }
    CASE(JSOP_SETNAME) {
        SetNameOperation()
    }
    ... More Handlers ...
    END_LOOP()
Interpretation Example
    function add (src, dst) {
        return src + dst;
    }
    add("coscup", 2015);

Caller bytecode                Callee (add) bytecode
    GetName "add"                  GetArg 0
    Undefined                      GetArg 1
    String "coscup"                Add
    Int16 2015                     Return
    Call 2

Stack frames, one op at a time (JSVal entries, bottom to top):
    GetName "add"     caller: Func_add
    Undefined         caller: Func_add, Undef
    String "coscup"   caller: Func_add, Undef, "coscup"
    Int16 2015        caller: Func_add, Undef, "coscup", 2015
    Call 2            callee frame pushed; its arguments are "coscup", 2015
    GetArg 0          callee: "coscup"
    GetArg 1          callee: "coscup", 2015
    Add               callee: "coscup2015"
    Return            callee frame popped; "coscup2015" is left in the caller frame
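The walk-through above, as an added example that is not part of the slides or of SpiderMonkey: a small stack-frame interpreter that executes the same two bytecode sequences and records the frame stacks after each op. The opcode names follow the slides; Frame, js_add, run_script and the treatment of the Undefined push as the |this| slot are assumptions of this model.

```python
# Constructed model of the slides' interpretation walk-through; not SpiderMonkey
# code. Bytecode is a list of (opcode, operand) pairs, one Frame per active call.
from dataclasses import dataclass, field


@dataclass
class Frame:
    code: list                       # bytecode of the running script or function
    args: list                       # argument values visible through GetArg
    nargs: int = 0                   # operands the Call consumed in the caller frame
    stack: list = field(default_factory=list)
    pc: int = 0


def js_add(a, b):
    """ECMAScript '+': concatenation as soon as one operand is a string."""
    if isinstance(a, str) or isinstance(b, str):
        return str(a) + str(b)
    return a + b


# Simple handlers: each one pushes onto the current frame's operand stack.
HANDLERS = {
    "GetName":   lambda f, arg, env: f.stack.append(env[arg]),
    "Undefined": lambda f, arg, env: f.stack.append(None),   # the |this| slot (Undef)
    "String":    lambda f, arg, env: f.stack.append(arg),
    "Int16":     lambda f, arg, env: f.stack.append(arg),
    "GetArg":    lambda f, arg, env: f.stack.append(f.args[arg]),
    "Add":       lambda f, arg, env: f.stack.append(js_add(f.stack.pop(-2), f.stack.pop())),
}


def run_script(code, env):
    """Interpreter loop: fetch, then dispatch on the opcode (the big switch).
    Returns the script's result and a trace of (op, frame depth, top frame stack)."""
    frames, trace = [Frame(code, [])], []
    while frames:
        f = frames[-1]
        op, arg = f.code[f.pc]
        f.pc += 1
        if op == "Call":
            # Callee, |this| and args stay in the caller frame, as on the slides;
            # the callee frame only gets a view of the argument values.
            args = f.stack[len(f.stack) - arg:] if arg else []
            callee = f.stack[-(arg + 2)]
            frames.append(Frame(callee, args, nargs=arg))
        elif op == "Return":
            result = f.stack.pop()
            frames.pop()
            if not frames:
                return result, trace
            caller = frames[-1]
            del caller.stack[len(caller.stack) - (f.nargs + 2):]   # drop callee, this, args
            caller.stack.append(result)
        else:
            HANDLERS[op](f, arg, env)
        trace.append((op, len(frames), list(frames[-1].stack)))
    return None, trace


# Bytecode from the slides: function add(src, dst) { return src + dst; }  add("coscup", 2015);
ADD_CODE = [("GetArg", 0), ("GetArg", 1), ("Add", None), ("Return", None)]
SCRIPT = [("GetName", "add"), ("Undefined", None), ("String", "coscup"),
          ("Int16", 2015), ("Call", 2), ("Return", None)]   # final Return yields the call result


def demo():
    return run_script(SCRIPT, {"add": ADD_CODE})
```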
Performance Disadvantage
• Immediate execution without proper redundancy elimination and task-specialized optimization
Example: Object Property Access, Obj.Prop
JS Object
    var People = {
        Name : "Me",
        Age : 1,
        Gender : "M"
    };
Property Access       Value
    People.Name       "Me"
    People.Age        1
    People.Gender     "M"
Object Internal
• A list of shapes, each of which represents a named property
• A vector of slots, each of which stores the value of the mapped property
• A shape to describe its overall attributes
    Object ─ Attr Shape
    Shape List:   Name   Age   Gender
    Slot Vector:  "Me"   1     "M"
Object Property Access
• Object layout traversal
    1. Search the shape list to locate the target property shape
    2. Access the slot vector with the index found in the shape
• To speed up traversal
    • Attach hash tables to some shapes for table indexing
    Object → shape list P1 … Pi … Pj … Pn; with a hash table attached, Pi and Pj are reached by index instead of by walking the list
Performance Gap
AoT Compilation (direct access):
    struct Object {
        int Prop1;
        int Prop2;
    };
    int prop = obj->Prop2;

    lea eax, obj
    mov ebx, [eax + 4]
VS
Interpretation (slow object layout traversal):
    var obj = {
        Prop1 : 1,
        Prop2 : 2,
    }
    var prop = obj.Prop2;

    GetName obj
    GetProp Prop2
Can we improve the performance?
In addition to object property access, there are still many issues…
Interpretation → JIT Compilation
JIT Compilation
• Generate extremely fast native code
• Baseline for hot methods
    • Inline cache to speed up dynamic property lookup
• IonMonkey for very hot methods
    • Comprehensive optimization to remove redundancy
Inline Cache
• Objective
    • Mitigate the overhead of object layout traversal for each single property access
• Idea
    • Cache the resolved value after dynamic lookup
    • Emit a piece of direct access code for that value
Inline Cache
var res = obj.prop;
GetName “obj”
GetProp “prop”
Inline Cache
var res = obj.prop;
GetName “obj”
GetProp “prop”
Dynamic lookup logic
Inline Cache
• Efficient code for direct access
• But if obj is modified, the code will be unsafe
var res = obj.prop;
GetName “obj”
GetProp “prop” mov eax, obj
mov eax, [eax + OfstSlot]
Direct Access Guard
• If an object is modified by property insertion or deletion, its layout changes as well
• Executing the cached code may then cause an invalid access
• Need a guard to check for object modification
    • Object remains the same: enter the cached code
    • Otherwise: fall back to dynamic lookup and reoptimize
• Benefit from the object shape
    • An object has a shape that describes its overall attributes
    • The object shape is synchronized with its layout
• Apply the object shape to guard the cached code:
    mov eax, obj
    cmp [eax + ShapeOfst], CachedShape
Inline Cache Instance
Prologue (original call site):
    mov eax, obj
    call VM_CallBack
Interpreter Callback:
    1. Resolve the designated property
    2. Generate direct access code
    3. Modify the original call site
    4. Jump to the cached code
Cached code:
    cmp [eax+ShapeOfst], CachedShape
    jne MISS
    mov eax, [eax+CachedSlotOfst]
    jmp EXIT
    MISS:
    call VM_CallBack
    EXIT:
Patched call site:
    mov eax, obj
    call Cached_Code          (was: call VM_CallBack)
After code linking, it will be direct access if the shape has not changed.
What If ...
    var dog = {
        Name : "dog",
        Bow : function( ){ },
    }
    var cat = {
        Name : "cat",
        Meow : function( ){ },
    }
    function WhoAmI (obj)
    { return obj.Name; }
    for (var i = 0 ; i < 100 ; i++) {
        WhoAmI(dog);
        WhoAmI(cat);
    }
dog cat dog cat . . . → expensive cache and flush
Polymorphic IC
• Cache multiple sets of object shapes and the resolved values
    cmp [eax+ShapeOfst], CachedShape1
    jne SHAPE2
    mov eax, [eax+CachedSlotOfst1]
    jmp EXIT
    SHAPE2:
    cmp [eax+ShapeOfst], CachedShape2
    jne SHAPE3
    mov eax, [eax+CachedSlotOfst2]
    jmp EXIT
    ………
    MISS:
    call VM_CallBack
    EXIT:
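An added model (not SpiderMonkey code) of the shape guard and of the monomorphic and polymorphic caches described from Direct Access Guard through Polymorphic IC. Shape, JSObject and GetPropIC are names I chose; ways=1 reproduces the dog/cat cache-and-flush loop, ways=2 the polymorphic fix, and stale_slot_demo shows what an unguarded cached slot index would read after a property deletion.

```python
# Constructed model of shapes, slots and a property-access inline cache with a
# shape guard; not SpiderMonkey code, just the mechanism the slides describe.

class Shape:
    """Layout descriptor: property name -> slot index. Shapes are interned, so
    two objects with the same properties in the same order share one Shape."""
    _interned = {}

    def __init__(self, names):
        self.names = tuple(names)
        self.slot_of = {n: i for i, n in enumerate(self.names)}

    @classmethod
    def of(cls, names):
        key = tuple(names)
        if key not in cls._interned:
            cls._interned[key] = cls(key)
        return cls._interned[key]


class JSObject:
    def __init__(self, **props):
        self.shape = Shape.of(props)          # insertion order is the layout
        self.slots = list(props.values())

    def set(self, name, value):
        """Writing an existing property keeps the shape; adding one changes it."""
        if name in self.shape.slot_of:
            self.slots[self.shape.slot_of[name]] = value
        else:
            self.shape = Shape.of(self.shape.names + (name,))
            self.slots.append(value)

    def delete(self, name):
        """Deleting compacts the slot vector, so every later slot index shifts."""
        idx = self.shape.slot_of[name]
        del self.slots[idx]
        self.shape = Shape.of(self.shape.names[:idx] + self.shape.names[idx + 1:])


class GetPropIC:
    """One inline cache site for obj.<name>; `ways` is how many shapes it keeps
    (1 = monomorphic, more = polymorphic, like the SHAPE1/SHAPE2 chain above)."""

    def __init__(self, name, ways=1):
        self.name, self.ways = name, ways
        self.entries = []                     # [(Shape, slot index)], oldest first
        self.hits = self.misses = 0

    def get(self, obj):
        for shape, slot in self.entries:      # the guard: cmp [obj+ShapeOfst], CachedShape
            if obj.shape is shape:
                self.hits += 1
                return obj.slots[slot]        # direct slot access, no lookup
        self.misses += 1
        return self.vm_callback(obj)

    def vm_callback(self, obj):
        """Slow path: dynamic lookup, then (re)fill the cache for this shape."""
        slot = obj.shape.slot_of[self.name]   # KeyError if the property is absent
        if len(self.entries) >= self.ways:
            self.entries.pop(0)               # flush the oldest entry
        self.entries.append((obj.shape, slot))
        return obj.slots[slot]


def whoami_loop(ways):
    """The slide's loop: WhoAmI(dog); WhoAmI(cat); 100 times. Returns (hits, misses)."""
    dog = JSObject(Name="dog", Bow=lambda: None)
    cat = JSObject(Name="cat", Meow=lambda: None)
    ic = GetPropIC("Name", ways)
    for _ in range(100):
        ic.get(dog)
        ic.get(cat)
    return ic.hits, ic.misses


def stale_slot_demo():
    """Why the guard exists: after `delete`, the cached slot index points at the
    wrong property. Returns (unguarded read, guarded read, misses)."""
    people = JSObject(Name="Me", Age=1, Gender="M")
    ic = GetPropIC("Age")
    ic.get(people)                            # warm the cache: Age lives in slot 1
    cached_slot = ic.entries[0][1]
    people.delete("Name")                     # layout shifts: Age is now slot 0
    unguarded = people.slots[cached_slot]     # reads Gender ("M") as if it were Age
    return unguarded, ic.get(people), ic.misses
```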
IonMonkey
• Translate bytecode to static single assignment
form (SSA) and build control flow graph
• Apply data and control flow hybrid optimization
• Translate optimized SSAs to native code
Warm up for basic terms…
Static Single Assignment
• Each expression has at most 3 operands
• Each target operand has a unique assignment
    Original Code     SSA Form
    X = 1             X1 = 1
    X = 2             X2 = 2
    Y = X + 1         Y1 = X2 + 1
    Z = 3             Z1 = 3
    Y = X + 2         Y2 = X2 + 2
Control Flow Graph
• The control flow relation among basic blocks
• Basic block: consecutive instructions with the last one as a control transfer
    B1: X1 = 3 ; Y1 = A1 + B1 ; Z1 = X1 + 3 ; GotoCond   (T → B2, F → B3)
    B2: Cond                                             (T → B4, F → B5)
    B3: (no instructions shown)
    B4: V1 = A1 + B1 ; W1 = B1 - 3
    B5: U1 = B1 - 3
Let's start the optimizations…
Value Numbering
• Eliminate redundant expressions
    X1 = A1 + B1        X1 = A1 + B1
    Y1 = 1         →    Y1 = 1
    Z1 = A1 + B1        Z1 = X1
• Often combined with other optimizations
    • Constant folding and propagation
    • Expression simplification
    • Unreachable code elimination
Value Numbering
• Assign a hash value to each expression
• Expressions containing the same value as a former expression can be reduced
    • Same set of source values
    • Same operator, taking algebraic commutativity into account
    X1 = A1 + B1        Hash Key      Value
    Z1 = B1 + A1   →    (+, V1, V2)   V3        ⇒  Z1 = X1
Local Scope
Original block:
    X1 = A1 – B1
    X2 = 3
    Y1 = A1 + B1
    Z1 = 3 + 3
    T1 = Z1 + 3
    U1 = B1 + A1
    V1 = B1 * 8
Value table after processing the block (operands are numbered first, then each expression):
    Operand   Value   Hash Key
    A1        V1      (A1)
    B1        V2      (B1)
    3         V3      (3)
    8         V4      (8)
    6         V7      (6)
    9         V8      (9)
    X1        V5      (-, V1, V2)
    X2        V3      (V3)
    Y1        V6      (+, V1, V2)
    Z1        V7      (V7)
    T1        V8      (V8)
    U1        V6      (+, V1, V2)
    V1        V9      (<<, V2, V3)
Rewrites found while walking the block:
    Z1 = 3 + 3    → Z1 = 6          constant folding
    T1 = Z1 + 3   → T1 = 9          constant propagation, then folding
    U1 = B1 + A1  → U1 = Y1         same hash key (+, V1, V2) as Y1
    V1 = B1 * 8   → V1 = B1 << 3    expression simplification
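The local-scope walk above, as an added example (not IonMonkey code): a value-numbering pass with constant folding, constant and copy propagation and the x * 2^k → x << k simplification. It reproduces the slide's table, with the same value numbers because block inputs and literals are numbered first, and its four rewrites. Class and method names are my own.

```python
# Constructed local value numbering pass; not IonMonkey code. Instructions are
# "dst = a" or "dst = a op b" with op in + - * and non-negative integer literals.
import re

INSTR_RE = re.compile(r"(\w+)\s*=\s*(\w+)(?:\s*([+*\-])\s*(\w+))?\s*$")
COMMUTATIVE = {"+", "*"}
FOLD = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
        "*": lambda a, b: a * b, "<<": lambda a, b: a << b}


class LocalValueNumbering:
    def __init__(self):
        self.table = {}        # hash key -> value number (the slide's table)
        self.vn_of_var = {}    # variable -> value number it currently holds
        self.const_of = {}     # value number -> constant, when the value is known
        self.var_of = {}       # value number -> first variable assigned that value

    def lookup(self, key, const=None):
        """Return the value number for key, allocating a fresh one if new."""
        if key not in self.table:
            self.table[key] = len(self.table) + 1
            if const is not None:
                self.const_of[self.table[key]] = const
        return self.table[key]

    def operand(self, tok):
        if tok.isdigit():
            return self.lookup(("const", int(tok)), const=int(tok))
        if tok not in self.vn_of_var:          # block input: value known only by name
            self.vn_of_var[tok] = self.lookup((tok,))
        return self.vn_of_var[tok]

    def render(self, vn, tok):
        """Constant / copy propagation for one operand."""
        if vn in self.const_of:
            return str(self.const_of[vn])
        return self.var_of.get(vn, tok)

    @staticmethod
    def simplify(a, op, b):
        """Expression simplification: x * 2^k -> x << k."""
        if op == "*" and a.isdigit() and not b.isdigit():
            a, b = b, a
        if op == "*" and b.isdigit() and int(b) > 0 and int(b) & (int(b) - 1) == 0:
            return a, "<<", str(int(b).bit_length() - 1)
        return a, op, b

    def run(self, block):
        """Rewrite the block in program order; returns the optimized instructions."""
        parsed = [INSTR_RE.match(line).groups() for line in block]
        defined = set()                        # number block inputs and literals first
        for dst, a, op, b in parsed:
            for tok in (a, b):
                if tok and (tok.isdigit() or tok not in defined):
                    self.operand(tok)
            defined.add(dst)
        out = []
        for dst, a, op, b in parsed:
            if op:
                a, op, b = self.simplify(a, op, b)
            va = self.operand(a)
            vb = self.operand(b) if op else None
            if op is None:
                vn, rhs = va, self.render(va, a)
            elif va in self.const_of and vb in self.const_of:
                c = FOLD[op](self.const_of[va], self.const_of[vb])   # constant folding
                vn, rhs = self.lookup(("const", c), const=c), str(c)
            else:
                key = (op, *sorted((va, vb))) if op in COMMUTATIVE else (op, va, vb)
                if key in self.table:                                # redundant expression
                    vn, rhs = self.table[key], self.var_of[self.table[key]]
                else:
                    vn, rhs = self.lookup(key), f"{self.render(va, a)} {op} {self.render(vb, b)}"
            self.vn_of_var[dst] = vn
            self.var_of.setdefault(vn, dst)
            out.append(f"{dst} = {rhs}")
        return out


# The block from the slides.
BLOCK = ["X1 = A1 - B1", "X2 = 3", "Y1 = A1 + B1", "Z1 = 3 + 3",
         "T1 = Z1 + 3", "U1 = B1 + A1", "V1 = B1 * 8"]
```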
Extend to Global Scope
• Requires analysis of the dominating relation in the CFG
• For exprs e1 and e2, e2 can be reduced if
    • e2 has the same value as e1
    • e1 dominates e2 in the CFG, that is, all paths from the entry point to e2 must go through e1
• Examine basic blocks in reverse post order
    • Guarantees that dominating exprs are handled first
Global Scope
    B1: X1 = 3 ; Y1 = A1 + B1 ; Z1 = X1 + 3 ; T1 = A1 – B1 ; GotoCond Z1 > 3   (T → B2, F → B3)
    B2: Cond                                                                   (T → B4, F → B5)
    B4: V1 = A1 + B1 ; W1 = B1 - 3
    B5: U1 = B1 - 3
• Dominating relation
    • B1 dominates B2, B3, B4, B5
• Reverse post order
    • B1, B3, B2, B5, B4
• In B1
    • Z1 = 6
    • B3 is removed via UCE (Z1 > 3 is always true, so the F edge is never taken)
• In B4
    • V1 = Y1
    • W1 cannot be simplified (U1 = B1 - 3 lives in B5, which does not dominate B4)
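Dominators, reverse post order and dominator-scoped value numbering on the CFG above, as an added example (not IonMonkey code). Block names and successor lists are read off the slide; constant folding is left out, so after_uce drops the B1 → B3 edge by hand in place of the Z1 = 6 folding the slide applies, and the function and variable names are my own.

```python
# Constructed example of dominators, reverse post order and dominator-scoped
# value numbering on the slides' CFG; not IonMonkey code. Constant folding is
# left out, so Z1 = 6 is taken as given and the dead edge is dropped by hand.

# Successors: B1 ends in the Z1 > 3 branch (T -> B2, F -> B3); B2 ends in the
# second condition (T -> B4, F -> B5).
CFG = {"B1": ["B2", "B3"], "B2": ["B4", "B5"], "B3": [], "B4": [], "B5": []}
CODE = {"B1": ["X1 = 3", "Y1 = A1 + B1", "Z1 = X1 + 3", "T1 = A1 - B1"],
        "B2": [], "B3": [],
        "B4": ["V1 = A1 + B1", "W1 = B1 - 3"],
        "B5": ["U1 = B1 - 3"]}


def reverse_post_order(cfg, entry):
    """DFS post-order, reversed: a block comes after all of its dominators."""
    seen, order = set(), []

    def visit(b):
        seen.add(b)
        for s in cfg[b]:
            if s not in seen:
                visit(s)
        order.append(b)

    visit(entry)
    return order[::-1]


def dominators(cfg, entry):
    """Iterative data-flow: dom(b) = {b} | intersection of dom(p) over preds p."""
    rpo = reverse_post_order(cfg, entry)
    preds = {b: [p for p in rpo if b in cfg[p]] for b in rpo}
    dom = {b: set(rpo) for b in rpo}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in rpo[1:]:
            new = {b} | set.intersection(*(dom[p] for p in preds[b]))
            if new != dom[b]:
                dom[b], changed = new, True
    return dom


def immediate_dominator(dom, b):
    """Closest strict dominator: the one dominated by every other strict dominator."""
    strict = dom[b] - {b}
    return max(strict, key=lambda d: len(dom[d])) if strict else None


def expr_key(rhs):
    """Hash key for a right-hand side; + is commutative, - is not."""
    parts = rhs.split()
    if len(parts) == 3 and parts[1] == "+":
        return ("+",) + tuple(sorted((parts[0], parts[2])))
    return tuple(parts)


def global_value_numbering(cfg, code, entry):
    """Walk blocks in RPO; each block starts from its immediate dominator's table,
    so an expression is reused only when the earlier copy dominates it."""
    dom = dominators(cfg, entry)
    tables, rewritten = {}, {}
    for b in reverse_post_order(cfg, entry):
        idom = immediate_dominator(dom, b)
        table = dict(tables[idom]) if idom else {}
        rewritten[b] = []
        for line in code[b]:
            dst, rhs = [s.strip() for s in line.split("=", 1)]
            key = expr_key(rhs)
            if key in table:                       # dominated by an equal expression
                rewritten[b].append(f"{dst} = {table[key]}")
            else:
                table[key] = dst
                rewritten[b].append(line)
        tables[b] = table
    return rewritten


def after_uce():
    """With Z1 folded to 6 the branch Z1 > 3 always goes to B2: drop the edge to
    B3, keep only the blocks still reachable, then value-number what is left."""
    cfg = {b: [s for s in succ if (b, s) != ("B1", "B3")] for b, succ in CFG.items()}
    rpo = reverse_post_order(cfg, "B1")
    cfg = {b: cfg[b] for b in rpo}                 # unreachable code elimination
    return rpo, global_value_numbering(cfg, CODE, "B1")
```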
Loop Invariant Code Motion
• Hoist the loop invariant exprs outside the loop
• For a loop invariant expression x = y + z
    • y and z should not depend on the operands defined in the loop
Before (blocks B1, B2, B3; the loop body is B3, repeated while V1 < 100):
    B1: X1 = A1 + B1
    B3: Y1 = X1 + 3 ; Z1 = Y1 + A1 ; T1 = A1 - B1 ; U1 = T1 + 3 ; V1 = Y1 + U1
• Invariant expressions
    • e1: Y1 = X1 + 3
    • e2: T1 = A1 – B1
• Hoist e1 and e2 from B3 to B1
After:
    B1: X1 = A1 + B1 ; Y1 = X1 + 3 ; T1 = A1 - B1
    B3: Z1 = Y1 + A1 ; U1 = T1 + 3 ; V1 = Y1 + U1
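Loop-invariant detection on the loop above, as an added example (not IonMonkey code): one round reproduces the slide (Y1 and T1 hoisted); iterate=True goes one step further than the slide, absorbing expressions whose inputs were found invariant in earlier rounds while still refusing loop-carried ones. PREHEADER, LOOP_BODY and the helper names are assumptions.

```python
# Constructed loop-invariant code motion on the slides' loop; not IonMonkey code.
# Blocks are lists of "dst = a op b" strings; B1 runs once, B3 is the loop body.
PREHEADER = ["X1 = A1 + B1"]
LOOP_BODY = ["Y1 = X1 + 3", "Z1 = Y1 + A1", "T1 = A1 - B1",
             "U1 = T1 + 3", "V1 = Y1 + U1"]          # loop repeats while V1 < 100


def parse(line):
    """Split 'dst = a op b' into (dst, [source operands])."""
    dst, rhs = [s.strip() for s in line.split("=", 1)]
    return dst, [t for t in rhs.split() if t not in ("+", "-", "*")]


def invariant_exprs(body, iterate=False):
    """An expression is invariant when no source operand is defined inside the
    loop. With iterate=True, operands produced by expressions already found
    invariant in an earlier round also count, until nothing new is found."""
    defined_in_loop = {parse(l)[0] for l in body}
    invariant = set()
    while True:
        known = set(invariant)          # snapshot: a round only trusts earlier rounds
        for line in body:
            dst, srcs = parse(line)
            if all(s.isdigit() or s not in defined_in_loop or s in known for s in srcs):
                invariant.add(dst)
        if not iterate or invariant == known:
            return invariant


def hoist(preheader, body, iterate=False):
    """Move the invariant expressions into the preheader, keeping their order."""
    inv = invariant_exprs(body, iterate)
    moved = [l for l in body if parse(l)[0] in inv]
    return preheader + moved, [l for l in body if parse(l)[0] not in inv]
```

With iterate=True nothing in this body is loop-carried, so every expression becomes invariant (V1 included); the slide's single round is the conservative result.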
More Optimizations
• SSA and control flow optimizations
• Dead code elimination
• Value range analysis
• Loop unrolling
• And more . . .
• Native code generation
• Linear scan register allocation
• And more . . .
Conclusion
• Under the hood of SpiderMonkey
• General but slow bytecode interpretation
• Two-level JIT optimizations for hot code
About Me
Security Researcher from
DSNS Lab @ NCTU
• Interests
• Virtual Machine
• Binary Translation
• Current Works
• Android Code Obfuscation
• App Protection
Thanks for Listening

AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

(COSCUP 2015) A Beginner's Journey to Mozilla SpiderMonkey JS Engine

  • 1. COSCUP 2015 ZongShen Shen andy.zsshen@gmail.com A Beginner’s Journey to Mozilla SpiderMonkey JS Engine
  • 2. Why Joining SpiderMonkey • Explore a real language engine implementation • Good First Features encouraging beginners
  • 3. About the Talk • Under the hood of engine implementation • Beginner’s view and experience sharing
  • 4. Outline •Bytecode & Interpreter Basics •JIT Optimization
  • 6. SpiderMonkey Overview (diagram, built up over slides 6–8): JS Source → Compiler → Bytecode (Bytecode Generation); Bytecode → Interpreter → CPU (Bytecode Interpretation); Bytecode → JIT Compiler → Native Code → CPU (Hot Code Optimization, Native Code Execution)
  • 9. Bytecode Compiler • Lexical Analysis • Split the source script into token stream • Syntactic Analysis • Parse token stream and build Abstract Syntax Tree • Code Generation • Traverse the AST to emit bytecode
  • 10. Lexical Analysis: var x = y + z ; var a = b * c ; is split into a token stream whose token classes are Variable, Name, Assignment, Add, Semicolon
  • 11. Syntactic Analysis (Recursive Descent Parsing: Top to Bottom, Left to Right). Grammar excerpt: VarOrExprs → var Vars | Expr; Vars → Var | Var , Vars; Var → Id | Id = AssignExpr; Expr → AssignExpr | AssignExpr , Expr; AssignExpr → CondExpr | CondExpr AssignOp AssignExpr; . . . ; AddExpr → MulExpr | MulExpr + AddExpr; MulExpr → UnaryExpr | UnaryExpr * MulExpr; . . . ; PrimaryExpr → ( Expr ) | Id | LitInt | LitFloat | LitString | false | true | null | this
  • 12. Syntactic Analysis, Result AST: StatementList → Assignment (Def : x, BinaryAdd (Use : y, Use : z)), Assignment (Def : a, BinaryMultiply (Use : b, Use : c))
  • 14. Code Generation (slides 14–19 build this up one node at a time): the AST is a statement list S with two = nodes, x = (y + z) and a = (b * c); traversing it emits DefVar x, DefVar a, BindName x, GetName y, GetName z, Add, SetName x, BindName a, GetName b, GetName c, Mul, SetName a
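The three front-end stages of slides 9 to 19, as an added example that is not part of the talk or of SpiderMonkey's sources: a tokenizer, a recursive-descent parser for the subset of the slide's grammar that the two statements need, and a post-order bytecode emitter. The op names (DefVar, BindName, GetName, Int16, Add, Mul, SetName) are spelled as on the slides rather than as SpiderMonkey's JSOp identifiers, and the function names tokenize, parse, generate and compile are this example's own.

```javascript
// Added example (not from the slides, not SpiderMonkey code): a toy front end for
// `var x = y + z; var a = b * c;`. Source -> tokens -> AST -> bytecode names.

// Lexical analysis: split the source script into a token stream.
function tokenize(src) {
  const tokens = [];
  const re = /(var)\b|([A-Za-z_]\w*)|(\d+)|([=+*;])|(\s+)/y;   // sticky: match only at lastIndex
  while (re.lastIndex < src.length) {
    const at = re.lastIndex, m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected character at offset ${at}`);
    if (m[5]) continue;                                     // whitespace yields no token
    if (m[1]) tokens.push({ type: "var" });
    else if (m[2]) tokens.push({ type: "id", value: m[2] });
    else if (m[3]) tokens.push({ type: "int", value: Number(m[3]) });
    else tokens.push({ type: m[4] });                       // one of = + * ;
  }
  return tokens;
}

// Syntactic analysis: recursive descent, top to bottom and left to right, over the
// subset of the slide's grammar used here (Var, AddExpr, MulExpr, PrimaryExpr).
function parse(tokens) {
  let pos = 0;
  const peek = () => tokens[pos] && tokens[pos].type;
  const expect = type => {
    const t = tokens[pos++];
    if (!t || t.type !== type) throw new SyntaxError(`expected '${type}'`);
    return t;
  };
  function primaryExpr() {                                  // PrimaryExpr -> Id | LitInt
    if (peek() === "id") return { kind: "Use", name: tokens[pos++].value };
    if (peek() === "int") return { kind: "Int", value: tokens[pos++].value };
    throw new SyntaxError("expected identifier or integer literal");
  }
  function mulExpr() {                                      // MulExpr -> PrimaryExpr | PrimaryExpr * MulExpr
    const lhs = primaryExpr();
    if (peek() !== "*") return lhs;
    pos++;
    return { kind: "BinaryMultiply", lhs, rhs: mulExpr() };
  }
  function addExpr() {                                      // AddExpr -> MulExpr | MulExpr + AddExpr
    const lhs = mulExpr();
    if (peek() !== "+") return lhs;
    pos++;
    return { kind: "BinaryAdd", lhs, rhs: addExpr() };
  }
  const stmts = [];
  while (pos < tokens.length) {                             // Var -> var Id = AddExpr ;
    expect("var");
    const def = expect("id").value;
    expect("=");
    const init = addExpr();
    expect(";");
    stmts.push({ kind: "Assignment", def, init });
  }
  return { kind: "StatementList", stmts };
}

// Code generation: `var` declarations are hoisted (every DefVar first, as on slide 19),
// then each assignment is a post-order walk of its expression followed by SetName.
function generate(ast) {
  const code = [];
  for (const s of ast.stmts) code.push(`DefVar ${s.def}`);
  const emit = n => {
    switch (n.kind) {
      case "Use": code.push(`GetName ${n.name}`); break;
      case "Int": code.push(`Int16 ${n.value}`); break;
      case "BinaryAdd": emit(n.lhs); emit(n.rhs); code.push("Add"); break;
      case "BinaryMultiply": emit(n.lhs); emit(n.rhs); code.push("Mul"); break;
      default: throw new Error(`no codegen for ${n.kind}`);
    }
  };
  for (const s of ast.stmts) {
    code.push(`BindName ${s.def}`);
    emit(s.init);
    code.push(`SetName ${s.def}`);
  }
  return code;
}

function compile(src) { return generate(parse(tokenize(src))); }
// compile("var x = y + z ; var a = b * c ;") → the twelve ops of slide 19, in that order
```

Because MulExpr sits below AddExpr in the grammar, `var p = q + r * 2;` emits the multiply before the add without any explicit precedence table, which is the property the slide's grammar shape encodes.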
  • 20. Bytecode Interpreter • Prepare the stack frame to interpret bytecode • Dispatch bytecode in a large switch statement INTERPRETER_LOOP ( ) CASE ( JSOP_GETNAME ) { GetNameOperation( ) } CASE ( JSOP_ADD ) { AddOperation( ) } CASE ( JSOP_SETNAME ) { SetNameOperation( ) } ... ... More Handlers ... ... END_LOOP ( )
  • 21. Interpretation Example: function add (src, dst) { return src + dst; } add(“coscup”, 2015); Caller bytecode: GetName “add”, Undefined, String “coscup”, Int16 2015, Call 2. Callee bytecode: GetArg 0, GetArg 1, Add, Return
  • 22. Interpretation Example (Caller/Callee stack frame diagrams, slides 22–31): the Caller frame's operand stack grows to JSVal: Func_add, JSVal: Undef, JSVal: “coscup”, JSVal: 2015; Call 2 creates the Callee frame with the arguments JSVal: “coscup”, JSVal: 2015; GetArg 0 and GetArg 1 push them, Add replaces them with JSVal: “coscup2015”, and Return pops the Callee frame, leaving JSVal: “coscup2015” as the call result in the Caller frame
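The stack-frame walk of slides 21 to 31, as an added example that is not part of the talk or of SpiderMonkey's sources. Instructions are [opName, operand] pairs spelled as on the slides rather than real JSOps; makeFunction, run and runExample are this example's own names. Each call creates a callee frame with its own operand stack and moves the arguments out of the caller's stack, which is what the Caller/Callee diagrams show.

```javascript
// Added example (not SpiderMonkey code): a tiny stack interpreter for the
// bytecode of slides 21-31. Every activation gets its own operand stack.

function makeFunction(name, nargs, code) {
  return { name, nargs, code };
}

function run(script, globals) {
  let depth = 0, maxDepth = 0;                  // how many stack frames were live at once
  function execute(code, args) {                // one activation = one stack frame
    const st = [];                              // this frame's operand stack (the JSVal column)
    maxDepth = Math.max(maxDepth, ++depth);
    try {
      for (const [op, arg] of code) {
        switch (op) {
          case "GetName":                       // read a global binding, e.g. the function `add`
            if (!(arg in globals)) throw new ReferenceError(`${arg} is not defined`);
            st.push(globals[arg]); break;
          case "Undefined": st.push(undefined); break;     // |this| for a plain call
          case "String": case "Int16": st.push(arg); break;
          case "GetArg": st.push(args[arg]); break;        // argument i of the current frame
          case "Add": { const rhs = st.pop(), lhs = st.pop(); st.push(lhs + rhs); break; }
          case "Call": {                        // arg = argument count; stack holds callee, this, args...
            if (st.length < arg + 2) throw new Error("stack underflow at Call");
            const callArgs = st.splice(st.length - arg, arg);   // move the args to the callee frame
            st.pop();                           // |this| is not used by `add`
            const callee = st.pop();
            if (!callee || !Array.isArray(callee.code)) throw new TypeError("callee is not a function");
            st.push(execute(callee.code, callArgs));           // the result replaces callee/this/args
            break;
          }
          case "Return": return st.pop();
          default: throw new Error(`unknown op ${op}`);
        }
      }
      return undefined;                         // falling off the end returns undefined
    } finally {
      depth--;                                  // the frame is popped on return or on throw
    }
  }
  return { value: execute(script, []), maxDepth };
}

// Constructed program for `function add(src, dst) { return src + dst; } add("coscup", 2015);`
const addFn = makeFunction("add", 2, [["GetArg", 0], ["GetArg", 1], ["Add"], ["Return"]]);
const callerScript = [
  ["GetName", "add"], ["Undefined"], ["String", "coscup"], ["Int16", 2015], ["Call", 2], ["Return"],
];

function runExample() {
  return run(callerScript, { add: addFn });
}
// runExample() → { value: "coscup2015", maxDepth: 2 }
```

The explicit underflow and callee checks stand in for the validation a real interpreter performs before trusting what the operand stack holds; a dispatch loop that skipped them would treat arbitrary stack contents as a function object.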
  • 32. Performance Disadvantage • Immediate execution without proper redundancy elimination and task specialized optimization
  • 33. Performance Disadvantage • Immediate execution without proper redundancy elimination and task specialized optimization Example Object Property Access Obj.Prop
  • 34. JS Object: var People = { Name : “Me”, Age : 1, Gender : “M” }; (table of Property / Value; Property Access: People.Name, People.Age, People.Gender)
  • 35. Object Internal • A list of shapes each of which • Represents a named property • A vector of slots each of which • Stores the value of the mapped property • A shape to describe its overall attributes (diagram: Object → Attr Shape; Shape List: Name, Age, Gender; Slot Vector: “Me”, 1, “M”)
  • 36. Object Property Access • Object layout traversal 1. Search shape list to locate the target property shape 2. Access slot vector with the index found in the shape (diagram: the object's shape list P1 … Pi … Pj … Pn)
  • 37. Object Property Access • Object layout traversal 1. Search shape list to locate the target property shape 2. Access slot vector with the index found in the shape • To speed up traversal • Attach hash tables with some shapes for table indexing (diagram: hash tables attached at Pi and Pj)
  • 38. Performance Gap: AoT Compilation vs Interpretation. C: struct Object { int Prop1; int Prop2; }; int prop = obj -> Prop2; compiles to direct access: lea eax, obj / mov ebx, [eax + 4]. JS: var obj = { Prop1 : 1, Prop2 : 2, } var prop = obj.Prop2; is interpreted as GetName obj / GetProp Prop2 with slow object layout traversal
  • 39. Can we improve the performance? In addition to object property access, Still many issues…
  • 40. Can we improve the performance? In addition to object property access, Still many issues… Interpretation JIT Compilation
  • 41. JIT Compilation • Generate extremely fast native code • Baseline for hot methods • Inline cache to speed up dynamic property lookup • IonMonkey for very hot methods • Comprehensive optimization to remove redundancy
  • 42. Inline Cache • Objective • Mitigate the overhead of object layout traversal for each single property access • Idea • Cache the resolved value after dynamic lookup • Emit a piece of direct access code for that value
  • 43. Inline Cache var res = obj.prop; GetName “obj” GetProp “prop”
  • 44. Inline Cache var res = obj.prop; GetName “obj” GetProp “prop” Dynamic lookup logic
  • 45. Inline Cache • Efficient code for direct access • But if obj is modified, the code will be unsafe var res = obj.prop; GetName “obj” GetProp “prop” mov eax, obj mov eax, [eax + OfstSlot]
  • 46. Direct Access Guard • If an object is modified with property insertion or deletion, its layout is also changed • Executing the cached code may then cause an invalid access • Need a guard to check for object modification • If the object remains the same, enter the cached code • Otherwise, fall back to dynamic lookup and reoptimize
  • 47. Direct Access Guard • Benefit from object shape • Object has a shape to describe its overall attribute • The object shape is synchronized with its layout
  • 48. Direct Access Guard • Benefit from object shape • Object has a shape to describe its overall attribute • The object shape is synchronized with its layout • Applying object shape to guard the cached code mov eax, obj cmp [eax + ShapeOfst], CachedShape
  • 49. Inline Cache Instance (slides 49–54). Prologue: mov eax, obj / call VM_CallBack. Interpreter Callback: 1. Resolve designated property 2. Generate direct access code 3. Modify original call site (call VM_CallBack becomes call Cached_Code) 4. Jump to cached code. Cached code: cmp [eax+ShapeOfst], CachedShape / jne MISS / mov eax, [eax+CachedSlotOfst] / jmp EXIT / MISS: call VM_CallBack / EXIT: After code linking, it will be direct access if the shape has not changed
  • 55. What If ... var dog = { Name : “dog”, Bow : function( ){ }, } var cat = { Name : “cat”, Meow : function( ){ }, } for (var i = 0 ; i < 100 ; i++) { WhoAmI(dog); WhoAmI(cat); } function WhoAmI (obj) { return obj.Name; } dog cat dog cat . . . Expensive cache and flush
  • 56. Polymorphic IC • Cache multiple sets of object shapes and the resolved values cmp [eax+ShapeOfst], CachedShape1 jne SHAPE2 mov eax, [eax+CachedSlotOfst1] jmp EXIT SHAPE2: cmp [eax+ShapeOfst], CachedShape2 jne SHAPE3 mov eax, [eax+CachedSlotOfst2] jmp EXIT ……… MISS: call VM_CallBack EXIT:
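The shape-based object layout of slides 35 to 37 and the guarded inline cache of slides 42 to 56, as an added example that is not part of the talk or of SpiderMonkey's sources. Shape, ShapedObject and PropertyIC are this example's own names. Each shape records one property's slot index and points at its parent shape, so objects that add the same properties in the same order share a shape, while adding or deleting a property moves an object to a different shape; that shape identity is the guard.

```javascript
// Added example (not SpiderMonkey code): shapes, slot vectors and an inline cache
// whose cached slot index is only used when the object's shape still matches.

class Shape {
  constructor(parent, name, slot) {
    this.parent = parent; this.name = name; this.slot = slot;
    this.transitions = new Map();           // property name -> child shape, shared between objects
  }
  child(name) {
    if (!this.transitions.has(name)) this.transitions.set(name, new Shape(this, name, this.slot + 1));
    return this.transitions.get(name);
  }
  lookup(name) {                            // slow path: walk the shape list to find the slot index
    for (let s = this; s.parent !== null; s = s.parent) if (s.name === name) return s.slot;
    return -1;
  }
}
const EMPTY_SHAPE = new Shape(null, null, -1);

class ShapedObject {
  constructor(props) {
    this.shape = EMPTY_SHAPE; this.slots = [];   // the object's attr shape and its slot vector
    for (const [k, v] of Object.entries(props)) this.set(k, v);
  }
  set(name, value) {
    let slot = this.shape.lookup(name);
    if (slot < 0) { this.shape = this.shape.child(name); slot = this.shape.slot; }  // new property: layout changes
    this.slots[slot] = value;
  }
  delete(name) {                            // deletion rebuilds the layout under a fresh shape
    const kept = [];
    for (let s = this.shape; s.parent !== null; s = s.parent) if (s.name !== name) kept.unshift([s.name, this.slots[s.slot]]);
    this.shape = EMPTY_SHAPE; this.slots = [];
    for (const [k, v] of kept) this.set(k, v);
  }
}

// One `obj.prop` site. capacity 1 models the monomorphic IC, larger values the polymorphic IC.
class PropertyIC {
  constructor(name, capacity) {
    this.name = name; this.capacity = capacity;
    this.entries = []; this.hits = 0; this.misses = 0;
  }
  get(obj) {
    for (const e of this.entries) {         // guard: use a cached slot only under the shape it was resolved for
      if (e.shape === obj.shape) { this.hits++; return obj.slots[e.slot]; }
    }
    this.misses++;                          // fall back to dynamic lookup, then (re)optimize
    const slot = obj.shape.lookup(this.name);
    if (slot < 0) return undefined;
    if (this.entries.length >= this.capacity) this.entries.shift();   // cache full: flush the oldest entry
    this.entries.push({ shape: obj.shape, slot });
    return obj.slots[slot];
  }
}

// The WhoAmI loop of slide 55, constructed here with dog and cat alternating at one IC site.
function whoAmILoop(capacity, iterations = 100) {
  const dog = new ShapedObject({ Name: "dog", Bow() {} });
  const cat = new ShapedObject({ Name: "cat", Meow() {} });
  const ic = new PropertyIC("Name", capacity);
  const seen = [];
  for (let i = 0; i < iterations; i++) seen.push(ic.get(dog), ic.get(cat));
  return { hits: ic.hits, misses: ic.misses, sample: seen.slice(0, 2) };
}
// whoAmILoop(1) → { hits: 0, misses: 200 }: every access flushes the other shape (monomorphic)
// whoAmILoop(4) → { hits: 198, misses: 2 }: both shapes stay cached (polymorphic)

// Why the guard is needed (slide 46): after a layout change the old slot index points at the
// wrong data, but the shape no longer matches, so the IC misses and re-resolves instead.
function guardAfterLayoutChange() {
  const obj = new ShapedObject({ Name: "dog", Bow: 1 });
  const ic = new PropertyIC("Bow", 1);
  const before = ic.get(obj);               // miss: caches slot 1 under the {Name, Bow} shape
  const staleSlot = ic.entries[0].slot;
  obj.delete("Name");                       // layout changes: Bow now lives in slot 0
  const unguardedRead = obj.slots[staleSlot];   // what cached code without a shape check would read
  const after = ic.get(obj);                // shape mismatch -> miss -> re-resolved correctly
  return { before, after, unguardedRead, hits: ic.hits, misses: ic.misses };
}
```

The hit and miss counters make the slide's "expensive cache and flush" concrete: with one entry the dog/cat site never hits, with two or more entries it misses exactly once per shape. unguardedRead shows the value a cached direct access would return if the shape comparison were skipped, which is the invalid access the guard exists to prevent.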
  • 57. IonMonkey • Translate bytecode to static single assignment form (SSA) and build control flow graph • Apply data and control flow hybrid optimization • Translate optimized SSAs to native code
  • 58. Warm up for basic terms…
  • 59. Static Single Assignment • Each expression has at most 3 operands • Each target operand has a unique assignment. Original Code: X = 1; X = 2; Y = X + 1; Z = 3; Y = X + 2. SSA Form: X1 = 1; X2 = 2; Y1 = X2 + 1; Z1 = 3; Y2 = X2 + 2
  • 60. Control Flow Graph • The control flow relation among basic blocks • Basic block: consecutive instructions with the last one as a control transfer (diagram: blocks B1–B5 holding X1 = 3; Y1 = A1+B1; Z1 = X1+3; GotoCond; Cond; V1 = A1+B1; W1 = B1-3; U1 = B1-3, connected by T/F edges)
  • 61. Let's start the optimizations…
  • 62. Value Numbering • Eliminate redundant expressions X1 = A1 + B1 Y1 = 1 Z1 = A1 + B1 X1 = A1 + B1 Y1 = 1 Z1 = X1 • Often combined with other optimizations • Constant folding and propagation • Expression simplification • Unreachable code elimination
  • 63. Value Numbering • Assign a hash value to each expression • Expressions containing the same value as a former expression can be reduced • Same set of source values • Same operator, taking algebraic commutativity into account. Example: X1 = A1 + B1 and Z1 = B1 + A1 both hash to key (+,V1,V2) with value V3, so Z1 = X1
  • 64. Local Scope (slides 64–71 fill this table one expression at a time). Input: X1 = A1–B1; X2 = 3; Y1 = A1+B1; Z1 = 3 + 3; T1 = Z1+ 3; U1 = B1+A1; V1 = B1* 8
    Operand | Value | Hash Key
    A1      | V1    | (A1)
    B1      | V2    | (B1)
    3       | V3    | (3)
    8       | V4    | (8)
    6       | V7    | (6)
    9       | V8    | (9)
    X1      | V5    | (-,V1,V2)
    X2      | V3    | (V3)
    Y1      | V6    | (+,V1,V2)
    Z1      | V7    | (V7)
    T1      | V8    | (V8)
    U1      | V6    | (+,V1,V2)
    V1      | V9    | (<<,V2,V3)
    Rewritten code: X1 = A1–B1; X2 = 3; Y1 = A1+B1; Z1 = 6 (Constant Folding); T1 = 9 (Const Propagation); U1 = Y1; V1 = B1<<3 (Expr Simplification)
  • 72. Extend to Global Scope • Requires analysis of the dominating relation in the CFG • For exprs e1 and e2, e2 can be reduced if • e2 has the same value as e1 • e1 dominates e2 in the CFG, that is, all paths from the entry point to e2 must go through e1 • Examine basic blocks in reverse post order • Guarantees dominating exprs are handled first
  • 73. Global Scope (slides 73–79; diagram: CFG B1–B5 holding X1 = 3; Y1 = A1+B1; Z1 = X1+3; T1 = A1–B1; GotoCond Z1 > 3; Cond; V1 = A1+B1; W1 = B1-3; U1 = B1-3, connected by T/F edges) • Dominating relation • B1 dominates B2,B3,B4,B5 • Reverse post order • B1, B3, B2, B5, B4 • In B1 • Z1 = 6 • B3 is removed via UCE • In B4 • V1 = Y1 • W1 cannot be simplified
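Value numbering as described on slides 62 to 79, as an added example that is not IonMonkey's code: a per-block table chained along the dominator tree, with constant folding and propagation, commutative canonicalisation, the `* 8` to `<< 3` simplification and unreachable-code elimination, run first on the single block of slides 64 to 71 and then on a CFG built after slides 73 to 79. The CFG's edges and B2's condition (T1 > 0) are this example's assumptions, chosen so that B1 dominates every block while B5 does not dominate B4, which is what the slide's results require; Scope, valueNumber and the other names are this example's own.

```javascript
// Added example (not IonMonkey code): global value numbering over SSA with
// dominator-scoped tables, reproducing the rewrites shown on the slides.

const FOLD = { "+": (a, b) => a + b, "-": (a, b) => a - b, "*": (a, b) => a * b,
               "<<": (a, b) => a << b, ">": (a, b) => (a > b ? 1 : 0) };
const COMMUTATIVE = new Set(["+", "*"]);

// One value-number table per basic block; a block also sees its dominators' tables.
class Scope {
  constructor(parent, counter) {
    this.parent = parent; this.counter = counter;     // counter.next is shared by all scopes
    this.keys = new Map(); this.vars = new Map(); this.repr = new Map();
  }
  find(table, k) { for (let s = this; s; s = s.parent) if (s[table].has(k)) return s[table].get(k); }
  numberOf(operand) {                                 // operand: SSA name (string) or literal (number)
    const k = typeof operand === "number" ? `#${operand}` : operand;
    let v = this.find("vars", k);
    if (v === undefined) { v = this.counter.next++; this.vars.set(k, v); this.repr.set(v, operand); }
    return v;
  }
  // Number {dst, op, args}; returns the simplified instruction ("copy" has one operand).
  process(inst) {
    let op = inst.op;
    let args = inst.args.map(a => this.find("repr", this.numberOf(a)));     // constant/copy propagation
    if (op !== "copy" && args.every(a => typeof a === "number")) { args = [FOLD[op](...args)]; op = "copy"; }
    if (op === "*" && Number.isInteger(Math.log2(args[1]))) { op = "<<"; args = [args[0], Math.log2(args[1])]; }
    const vns = args.map(a => this.numberOf(a));
    if (COMMUTATIVE.has(op)) vns.sort((a, b) => a - b);                        // A1+B1 and B1+A1 share a key
    let vn = vns[0];                                                           // the value of a copy
    if (op !== "copy") {
      const key = `${op}(${vns.join(",")})`;
      vn = this.find("keys", key);
      if (vn === undefined) { vn = this.counter.next++; this.keys.set(key, vn); this.repr.set(vn, inst.dst); }
      else { op = "copy"; args = [this.find("repr", vn)]; }                    // redundant: reuse the earlier result
    }
    this.vars.set(inst.dst, vn);
    return { dst: inst.dst, op, args, vn };
  }
}
const fmt = i => `${i.dst} = ${i.op === "copy" ? i.args[0] : `${i.args[0]} ${i.op} ${i.args[1]}`}`;

function reversePostOrder(cfg) {
  const post = [], seen = new Set();
  (function dfs(n) { seen.add(n); for (const s of cfg.blocks[n].succ) if (!seen.has(s)) dfs(s); post.push(n); })(cfg.entry);
  return post.reverse();
}

// Dominator sets by iteration to a fixed point, then idom(n) = the closest strict dominator.
function immediateDominators(cfg, rpo) {
  const preds = Object.fromEntries(rpo.map(n => [n, []]));
  for (const n of rpo) for (const s of cfg.blocks[n].succ) preds[s].push(n);
  const dom = Object.fromEntries(rpo.map(n => [n, new Set(rpo)]));
  dom[cfg.entry] = new Set([cfg.entry]);
  for (let changed = true; changed;) {
    changed = false;
    for (const n of rpo.slice(1)) {                   // dom(n) = {n} plus the intersection of dom(p) over preds p
      const d = preds[n].reduce((acc, p) => new Set([...acc].filter(x => dom[p].has(x))), new Set(rpo));
      d.add(n);
      if (d.size !== dom[n].size) { dom[n] = d; changed = true; }
    }
  }
  const idom = {};
  for (const n of rpo.slice(1))
    idom[n] = [...dom[n]].filter(x => x !== n).reduce((a, b) => (dom[a].size > dom[b].size ? a : b));
  return idom;
}

// Reverse post-order visit with each table chained to the idom's table, so a dominating expression
// is numbered first. A branch whose condition folds leaves its other arm unreachable (UCE).
function valueNumber(cfg) {
  const rpo = reversePostOrder(cfg), idom = immediateDominators(cfg, rpo);
  const counter = { next: 1 }, scopes = {}, reachable = new Set([cfg.entry]), blocks = {};
  for (const name of rpo) {
    if (!reachable.has(name)) continue;
    const b = cfg.blocks[name], scope = new Scope(scopes[idom[name]] || null, counter);
    scopes[name] = scope;
    const code = b.insts.map(i => fmt(scope.process(i)));
    let next = b.succ;
    if (b.cond) {                                     // succ[0] is taken when the condition is non-zero
      const c = scope.process(b.cond);
      code.push(fmt(c));
      if (c.op === "copy" && typeof c.args[0] === "number") next = [b.succ[c.args[0] ? 0 : 1]];
    }
    next.forEach(s => reachable.add(s));
    blocks[name] = { code, next };
  }
  return { rpo, removed: rpo.filter(n => !reachable.has(n)), blocks };
}

const I = (dst, op, ...args) => ({ dst, op, args });

// Slides 64-71: one block, so only the local table is consulted.
function localExample() {
  return valueNumber({ entry: "B1", blocks: { B1: { succ: [], insts: [
    I("X1", "-", "A1", "B1"), I("X2", "copy", 3), I("Y1", "+", "A1", "B1"), I("Z1", "+", 3, 3),
    I("T1", "+", "Z1", 3), I("U1", "+", "B1", "A1"), I("V1", "*", "B1", 8)] } } }).blocks.B1.code;
}

// Slides 73-79: the CFG (edges and B2's condition are assumptions, see the lead-in).
function globalExample() {
  return valueNumber({ entry: "B1", blocks: {
    B1: { insts: [I("X1", "copy", 3), I("Y1", "+", "A1", "B1"), I("Z1", "+", "X1", 3)],
          cond: I("C1", ">", "Z1", 3), succ: ["B2", "B3"] },
    B2: { insts: [I("T1", "-", "A1", "B1")], cond: I("C2", ">", "T1", 0), succ: ["B4", "B5"] },
    B3: { insts: [], succ: ["B4"] },
    B4: { insts: [I("V1", "+", "A1", "B1"), I("W1", "-", "B1", 3)], succ: [] },
    B5: { insts: [I("U1", "-", "B1", 3)], succ: ["B4"] } } });
}
```

localExample() returns the rewritten code of slide 71 (Z1 = 6, T1 = 9, U1 = Y1, V1 = B1 << 3, the rest unchanged); globalExample() visits B1, B3, B2, B5, B4, folds the B1 branch so that B3 is dropped, rewrites V1 = Y1 in B4 because Y1 is defined in the dominator B1, and leaves W1 = B1 - 3 alone because U1 lives in B5, which is not on every path to B4. Dominators are computed on the original CFG; a production pass would recompute them after removing blocks.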
  • 80. Loop Invariant Code Motion • Hoist the loop invariant exprs outside the loop • For a loop invariant expression x = y + z • y and z should not depend on the operands defined in the loop
  • 81. Loop Invariant Code Motion (slides 81–82; diagram: B1 holding X1 = A1+B1, B2, and the loop body B3 holding Y1 = X1+ 3; Z1 =Y1+ A1; T1 = A1- B1; U1 =T1+ 3; V1 =Y1+ U1, with loop condition V1 < 100) • Invariant expressions • e1: Y1 = X1 + 3 • e2: T1 = A1 – B1 • Hoist e1 and e2 from B3 to B1, after which B1 holds X1 = A1+B1; Y1 = X1+ 3; T1 = A1-B1 and B3 holds Z1 =Y1+ A1; U1 =T1+ 3; V1 =Y1+ U1
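The loop-invariant code motion of slides 80 to 82, as an added example that is not IonMonkey's code. An expression is invariant, by the slide's definition, when none of its operands is defined inside the loop body; invariant expressions are hoisted into the block before the loop (B1 on the slide) in their original order. A single pass reproduces the slide; `iterate: true` repeats the pass until nothing moves, which goes beyond the slide. The instruction shape {dst, op, args}, the phi handling and the function names are this example's own.

```javascript
// Added example (not IonMonkey code): single-pass and iterated loop-invariant
// code motion over a preheader block and a loop body in SSA form.

const inst = (dst, op, ...args) => ({ dst, op, args });
const show = i => `${i.dst} = ${i.args.length === 1 ? i.args[0] : `${i.args[0]} ${i.op} ${i.args[1]}`}`;

function hoistLoopInvariants(preheader, body, { iterate = false } = {}) {
  let pre = [...preheader], loop = [...body], hoisted = [];
  for (;;) {
    const definedInLoop = new Set(loop.map(i => i.dst));          // SSA: one definition per name
    const isInvariant = i => i.op !== "phi" &&                     // a phi merges loop-carried values
      i.args.every(a => typeof a === "number" || !definedInLoop.has(a));
    const moved = loop.filter(isInvariant);
    if (moved.length === 0) break;
    pre = pre.concat(moved);                                       // hoisted in original order
    loop = loop.filter(i => !isInvariant(i));
    hoisted = hoisted.concat(moved.map(i => i.dst));
    if (!iterate) break;                                           // the slide does one pass only
  }
  return { preheader: pre.map(show), body: loop.map(show), hoisted };
}

// Slides 81-82: X1 is computed before the loop; B3 is the loop body.
const preheaderB1 = [inst("X1", "+", "A1", "B1")];
const bodyB3 = [
  inst("Y1", "+", "X1", 3), inst("Z1", "+", "Y1", "A1"), inst("T1", "-", "A1", "B1"),
  inst("U1", "+", "T1", 3), inst("V1", "+", "Y1", "U1"),
];
function slideExample(options) { return hoistLoopInvariants(preheaderB1, bodyB3, options); }
// slideExample() → hoisted ["Y1", "T1"]; B1 becomes X1 = A1 + B1, Y1 = X1 + 3, T1 = A1 - B1

// A loop-carried counter (phi) keeps everything that depends on it inside the loop.
function loopCarriedExample() {
  return hoistLoopInvariants([inst("I0", "copy", 0)], [
    inst("I1", "phi", "I0", "I2"), inst("Y1", "+", "X1", 3), inst("I2", "+", "I1", "Y1"),
  ], { iterate: true });
}
```

With `iterate: true` the slide's body empties completely, because none of its expressions depends on a value that changes between iterations; the loopCarriedExample shows the opposite situation, where a phi-defined counter pins the expressions that use it inside the loop while Y1 still moves out.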
  • 83. More Optimizations • SSA and control flow optimizations • Dead code elimination • Value range analysis • Loop unrolling • And more . . . • Native code generation • Linear scan register allocation • And more . . .
  • 84. Conclusion •Under the hood of SpiderMonkey •General but slow bytecode interpretation •Two level JIT optimizations for hot codes
  • 85. About Me Security Researcher from DSNS Lab @ NCTU • Interests • Virtual Machine • Binary Translation • Current Works • Android Code Obfuscation • App Protection