The V8 Engine Series I: Architecture

Mahmoud Yasser
10 min readJun 19, 2024

--

https://portswigger.net/daily-swig/by/emma-woollacott

Introduction

V8 is an open-source high-performance engine developed by Google for executing JavaScript and WebAssembly in contemporary web browsers. In the modern web, it powers Google Chrome and Node.js, ensuring that JavaScript runs fast on both client and server sides. Written in C++, it dramatically enhances the speed at which code can be executed. It is implemented by compiling JavaScript code with the help of modern and advanced Just-In-Time (JIT) compilation techniques, which provides a way to combine quick startup with high-speed execution. It outlines V8 architecture and its operational aspects in this paper to allow further understanding.

In this series, we will explore the internal architecture of the V8 engine, starting with an overview and then diving deep into each component to explain its technical details. By the end of the series, we’ll use the V8 engine to build a simplified version of something akin to Node.js. Stay tuned for an informative and hands-on journey through V8!

Key Components of V8 Architecture

1. Parser

The first component of the V8 architecture is the parser. It takes JavaScript source code and translates it into an Abstract Syntax Tree, which is represented in a hierarchical form according to the structure of the code. This AST is essential for V8, as it allows easier manipulation and optimization of the code.

2. Ignition Interpreter

Ignition is a lightweight interpreter that works on a low level within V8. It compiles AST down to bytecode, which acts like a high-level efficient representation of the JavaScript source code. This serves as a bridge between high-level JavaScript and low-level machine code, which executes more efficiently.

3. TurboFan Compiler

TurboFan is an optimizing compiler for V8. It compiles bytecode produced by Ignition into high-optimized machine code. With that, TurboFan makes many optimizations based on runtime feedback — such as inlining functions and eliminating dead codes — at a more advanced level to provide higher performance.

Detailed V8 Architecture

1. Parsing

Before executing the JavaScript code, the V8 parser comes into action. Parsing is the process of converting the source code into an Abstract Syntax Tree (AST) structure, which retains the syntax of the source code.

This is because it makes the human-readable code one that the engine can correctly and effectively use. V8 doesn’t interpret JavaScript: it must be in this very form for an engine like V8 to run it properly.

The AST is essential for several reasons:

  • Code Understanding: A structured, tree-like representation of the source code enables V8 to more easily understand and manipulate code.
  • Optimization: This aspect of V8 supports the application of an array of optimization techniques for better performance, which include, but is not limited to, constant folding, removal of dead code, or function inlining.
  • Tooling and Analysis: It aids the development tools in analyzing and transforming JavaScript code so developers can write efficient and maintainable code.

Consider the following JavaScript code:

const chk = "have it";

This code would be parsed into an AST that visually looks like this:

2. Bytecode Generation (Ignition)

Once the AST is formed, Ignition compiles it down to bytecode. Bytecode is an intermediate code representation that runs faster than the original JavaScript source. Ignition keeps executing this bytecode, which allows the engine to collect runtime information needed to drive effective optimizations within V8’s optimizing compiler, TurboFan.

Ignition compiles JavaScript functions with V8 into a short, highly-optimized bytecode, which is between 50 and 25 percent the size of an equivalent baseline machine code. This bytecode is then executed by a high-performance interpreter, yielding execution speeds on real-world websites close to those of code generated by V8’s baseline compiler.

The process of the conversion of AST to byte code includes:

  • Traversal: Ignition walks through the AST and visits every node to emit the corresponding bytecode instructions.
  • Instruction Set: The bytecode consists of an instruction set that’s optimized for execution by V8.
  • Efficiency: Bytecode is smaller and more efficient, hence running faster than executing the high-level JavaScript code.

After the generation of the bytecode, Ignition kicks off to execute the bytecode. This is quite a vital execution phase for a couple of reasons:

  • Runtime Information: While executing the bytecode, Ignition collects runtime information such as what functions are called frequently and what properties are accessed commonly, etc. This information is very critical to perform more optimizations.
  • Quick Startup: Ignition runs bytecode instead of original JavaScript, which means quicker startups. Quicker start-ups are essential for apps that need to jump to the user immediately, especially within browsers or the server space.

As the bytecode is generated, it goes through inline optimizations. These do simple analyses on the byte stream of code; they replace common patterns with faster sequences, remove redundant operations and minimize unnecessary register loads and transfers. Such optimizations further reduce the size of the byte code and enhance its performance. All the information captured through runtime while bytecode is being executed is then very important for the following steps in optimization. This includes which functions are called most often, which properties are accessed repeatedly, and how different objects are used.

3. Optimization (TurboFan)

TurboFan is designed to make JavaScript more effective in generating highly optimized machine code. It replaces the old CrankShaft JIT compiler and provides much more sophisticated optimizations. The two critical innovations for TurboFan include using an intermediate representation and a multilayer optimization pipeline.

How TurboFan Works

1. JavaScript to IR (Intermediate Representation)

When JavaScript code is executed, first, an AST is derived from it. Later, TurboFan transforms this AST into a more flexible IR structure, known as the “sea of nodes.” This is a graph-based IR; therefore, many optimizations could be done in TurboFan by expressing complex relationships between operations

2. Optimizations

The TurboFan compiler applies several advanced optimizations to the IR:

  • Numerical Range Analysis: This helps TurboFan to understand numerical operations properly and, in turn, reduces unnecessary checks, making it more efficient.
  • Control Flow Optimizations: Reorders code and removes unnecessary instructions — it moves code out of loops into paths less frequently executed.
  • Inline Caching: It speeds up property access by caching object types and properties once the first reference is made, bypassing checks in type and lookups at repeated accesses.
  • Hidden Classes: This makes object property access very efficient by providing hidden classes to objects and transitioning them as properties are added. It predicts memory layouts and creates optimized code based on the prediction.

3. From IR (Intermediate Representation) to Machine Code

TurboFan takes the optimized IR further and generates machine code. This is the low-level code that’s run directly by the CPU. There are several compilation steps that need to be taken to make that code then execute efficiently on an array of hardware architectures, including x86, ARM, and MIPS.

The compilation of TurboFan proceeds in several stages:

  • Instruction Selection: TurboFan maps the high-level operations in the IR to specific machine instructions. This stage ensures that the code generated exploits the instruction set of the target architecture.
  • Register Allocation: TurboFan allocates CPU registers for variables, thereby minimizing access to memory and, in the process, accelerates its runtime. This is choosing the best registers for the store of variables according to usage patterns and availability.
  • Code Generation: This would be the resulting machine code, including all the optimizations and adaptations from the previous stages. As such, this is the actual machine code that the CPU runs.

At runtime, V8 monitors JavaScript code behavior, collecting data on frequently called functions and commonly accessed properties. This runtime profiling allows TurboFan to make informed decisions about optimizing hot code paths, translating them into the most efficient machine code possible.

Function inlining is a powerful optimization performed by TurboFan based on runtime profiling. When a function is frequently called, TurboFan may inline it, replacing the function call with the actual function body, eliminating the overhead of the call and improving performance.

TurboFan also uses runtime profiling to eliminate dead code — code never executed. By removing such code, TurboFan reduces the size of the generated machine code and improves execution speed.

Importance of TurboFan

  1. Performance: TurboFan’s sophisticated optimizations make JavaScript code run faster. This is crucial for both web applications, where responsiveness is key, and server-side applications, where efficiency significantly impacts scalability and cost.
  2. Support for Modern JavaScript Features: TurboFan is designed to support all modern JavaScript features (ES6 and beyond). Its flexible design makes it easy to add new language features without rewriting a lot of architecture-specific code.
  3. Maintainability: TurboFan’s layered architecture separates high-level and low-level optimizations, simplifying the compiler’s design and making it easier to maintain and extend.

TurboFan’s Layered Architecture

Compilers become complex as they support new features, add optimizations, and target different architectures. TurboFan’s layered architecture addresses these demands effectively by creating a clear separation between the source-level language (JavaScript), VM capabilities (V8), and architecture intricacies (e.g., x86, ARM, MIPS).

This separation allows engineers to reason locally when implementing optimizations and features, leading to more robust and maintainable code. The layered approach also reduces the amount of platform-specific code required. Each of the seven target architectures supported by TurboFan needs fewer than 3,000 lines of platform-specific code, compared to 13,000–16,000 lines in CrankShaft. This streamlined design has enabled more effective contributions from engineers at ARM, Intel, MIPS, and IBM.

TurboFan implements more aggressive optimizations than CrankShaft through several advanced techniques. JavaScript enters the compiler pipeline in an unoptimized form and is progressively translated and optimized into lower forms until machine code is generated. The centerpiece of TurboFan’s design is a relaxed sea-of-nodes internal representation (IR) of the code, which allows for more effective reordering and optimization.

  1. Numerical Range Analysis: This helps TurboFan understand number-crunching code better, allowing for more precise optimizations.
  2. Graph-Based IR: Most optimizations are expressed as simple local reductions, making them easier to write and test independently. An optimization engine applies these local rules systematically.
  3. Innovative Scheduling Algorithm: This algorithm leverages reordering freedom to move code out of loops and into less frequently executed paths.
  4. Architecture-Specific Optimizations: Complex instruction selection exploits features of each target platform to generate the best quality code.

Supporting Modern JavaScript Features

TurboFan was designed from the outset to optimize all JavaScript features available in ES5 and to accommodate future features planned for ES2015 and beyond. Its layered compiler design enables a clean separation between high-level and low-level compiler optimizations, simplifying the addition of new language features without altering architecture-specific code. TurboFan introduces an explicit instruction selection compilation phase, reducing the need for architecture-specific code and making the compiler more maintainable and extensible across all supported architectures.

By grasping these concepts, developers can appreciate the complexities of modern JavaScript engines and write code that fully utilizes V8’s capabilities. TurboFan’s innovations and optimizations make it an indispensable part of the V8 engine, driving the performance and efficiency of JavaScript applications today and in the future.

Deoptimization in Detail

Deoptimization is a crucial feature in the V8 engine, ensuring that code execution remains correct even when initial assumptions change. It involves:

  1. Monitoring: V8 constantly monitors the execution of the optimized machine code.
  2. Triggering Deoptimization: If the runtime environment changes, such as encountering a new object type or an unexpected execution path, V8 identifies the need for deoptimization.
  3. Reverting to Bytecode: V8 then reverts the execution back to the generic bytecode produced by Ignition, which is safer and not based on the invalidated assumptions.
  4. Re-optimization: After reverting, V8 may again optimize the code if new patterns emerge, continuing the cycle of optimization and deoptimization as needed.

V8 Process Flow

  • Loading Code: The engine starts by loading JavaScript or WebAssembly code.
  • Parsing: The Parser converts the source code into an AST.
  • AST Transformation: The AST is processed and passed to Ignition.
  • Bytecode Generation: Ignition compiles the AST into bytecode.
  • Initial Execution: Ignition executes the bytecode, ensuring a quick start and collecting runtime information.
  • Runtime Feedback: Information about frequently used code paths and other runtime data is collected.
  • Feedback Layer: Analyzes the runtime feedback to determine optimization opportunities.
  • Optimization: TurboFan uses the feedback layer’s information to optimize the bytecode into machine code.
  • Execution: The optimized machine code is executed, providing efficient and fast performance.
  • Deoptimization: If runtime conditions change and invalidate the optimized code, V8 reverts to a less optimized version to maintain correctness.

In conclusion, the V8 engine’s architecture exemplifies the blend of rapid startup and high-speed execution crucial for today’s web applications. Understanding V8’s components and their interactions provides valuable insights into the engine’s capabilities, empowering developers to write efficient, high-performance JavaScript code that leverages the full potential of this sophisticated engine.

Thank you for taking the time to read this article. I hope you found it insightful and engaging. Stay tuned for more, as there’s much more to come in this series.

If you have any questions or comments, please don’t hesitate to let me know! I’m always here to help and would love to hear your thoughts. 😊

--

--

Mahmoud Yasser
Mahmoud Yasser

No responses yet