Source to Binary - journey of V8 javascript engine

View Slide

Name
@brn (ꫬꅿ⨳ⵃ)
Occupation
ؿٗٝزؒٝسؒٝآص،٥ط؎ذ؍ـؒٝآص،
Company
Cyberagent ،سذؙأةآؔ AI Messenger
Blog
http://abcdef.gets.b6n.ch/
Twitter
https://twitter.com/brn227
GitHub
https://github.com/brn

View Slide

Agenda
•  What is V8?
•  Execution ﬂow of V8
•  Parsing
•  Abstract Syntax Tree
•  Ignition – BytecodeInterpreter
•  CodeStubAssembler
•  Builtins / Runtime
•  Optimization / Hidden Class / Inline Caching
•  TurboFan / Deoptimization

View Slide

What is V8?
V8הכGoogle爡ָ㹋鄲׃׋javascriptؒٝآٝדծ
Google Chrome/Node.JSךjavascriptؒٝآٝח䱰欽ׁ׸גְתׅկ

View Slide

Execution Flow

View Slide

Source AST Bytecode Graph Assembly
ﬁrst time hot code

View Slide

Parsing

View Slide

Basic parsing
V8כا٦أ؝٦س׾ػ٦أ׃גASTח㢌䳔ׅ׷
ASTהכAbstractSyntaxTreeך殛獥
䬄韋圓俑加הㄎל׸׷
Parsing

View Slide

if (x) {
x = 100
}

View Slide

IF
CONDITION
THEN
BLOCK
EXPRESSION
STATEMENT
ASSIGN
VAR PROXY (X) LITERAL (100)
if
(x)

{

x = 100

View Slide

Problems

View Slide

Parsing all functions - Slow
ׅץגך؝٦س׾剑ⴱחػ٦أׅ׷ךכ֮ת׶״׹׃ֻזְ
׮׃ػ٦أ׃׋؝٦سָ㹋遤ׁ׸זֽ׸ל䠐㄂ָזְ
Parsing

View Slide

Split parsing phase
ػ٦أ׾鹼䒀׃ג遤ֲ׋׭חծػ٦أ׾✳媮ꥡחⴓֽ׷
Parsing

View Slide

PreParsing ✲⵸חׅץגךꟼ侧ךٖ؎،ؐز׾
ػ٦أ׃גֶֻ
Parsing

View Slide

function x(a, b) {
return a + b;
}
FUNCTION(X)
parameter-count: 2
start-position: 1
end-position: 34
use-super-property: false
…

View Slide

// when x is called
x()
FUNCTION
NAME (x)
RETURN
LITERAL(1)

View Slide

Lazy Parsing
V8כ㹋ꥷח״ן׌ׁ׸׷תדػ٦أ׾鹼䒀ׅ׷
ꟼ侧כㄎן⳿ׁ׸גⴱ׭ג؝ٝػ؎ׁٕ׸׷
Parsing

View Slide

More About
https://docs.google.com/presentation/d/1b-
ALt6W01nIxutFVFmXMOyd_6ou_6qqP6S0Prmb1iDs/present?
slide=id.p
Parsing

View Slide

Abstract
Syntax
Tree

View Slide

AST Rewriting
Parserח״׏ג欰䧭ׁ׸׋AST׾㢌䕎ׅ׷
ְֻאַ稱➜
AbstractSyntaxTree

View Slide

Subsclass constructor return
竰䪫׃׋ؙٓأך؝ٝأزؙٓة׾㢌䕎ׅ׷
崢欰ؙٓأך؝ٝأزؙٓةד䒭׾return׃גְ׷儗כծ
3갪怴皾㶨ח㢌䳔׃גծ
䒭ך穠卓ָundeﬁned׌׏׋㜥さחכthis׾䨱ׅկ
AbstractSyntaxTree

View Slide

constructor() {!
super();!
return expr!
}!
!
constructor() {!
super();!
var tmp;!
return (temp = expr) === undefined?!
this: temp;!
}!

View Slide

for (let/const/var in/of e)
for-in/ofךⴱ劍⻉דconst/let׾⢪ֲ׋׭חծⰋ⡤׾ـٗحؙד㔲
׫㢌侧׾㹑鎉ׅ׷կ
AbstractSyntaxTree

View Slide

for (const key of e) {!
...!
}!

View Slide

{!
var temp;!
for (temp of e) {!
const x = temp;!
...!
}!
let x!
}!

View Slide

Spread operator
doהfor-ofח縧ֹ䳔ִגⳢ椚
AbstractSyntaxTree

View Slide

const x = [1,2,3];!
const y = [...x];!

View Slide

do {!
$R = [];!
for ($i of x)!
%AppendElement($R, $i);!
$R!
}!

View Slide

Ecmascript? – Binary AST
➙תד鋅׋״ֲחASTך؟؎ؤכ穠圓㣐ְֹךדծ
׉׸׾㖇簭ׅ׷䲿周
Parsing

View Slide

Ignition

View Slide

Bytecode Interpreter
V8כ欰䧭׃׋AST׾1~4byteךBytecodeח㢌䳔׃גַ׵㹋遤ׅ
׷
Ignition

View Slide

How does it work?
♧אך،ُؗيٖ٦ة٦׾⪒ִٖآأةك٦أד⹛⡲ׅ׷؎ٝ
ة٦فٔة
Ignition

View Slide

Pseudo javascript code
Javascriptד圓鸡׾垷⦺ׅ׷הֿך״ֲחז׷
Ignition

View Slide

const Bytecodes = [0,1,2,3,4,5];!
let index = 0;!
function dispatch(next) {BytecodeHandlers[next]
();}!
const BytecodeHandlers = [!
() => {...; dispatch(Bytecodes[index++])},!
]!
dispatch(Bytecodes[index++]);!

View Slide

How to create bytecode?
BytecodeכASTַ׵AstVisitor׾ⵃ欽׃ג欰䧭ׁ׸׷
AstVisitorכVistorػة٦ٝ׾ⵃ欽׃׋ؙٓأדծ
AST׾帾ׁ⮚⯓䱱稊׃זָ׵㼎䘔ׅ׷؝٦ٕغحؙꟼ侧׾ㄎן⳿
ׅ
Ignition

View Slide

BytecodeArray
欰䧭ׁ׸׋BytecodeכBytecodeArrayח呓秛ׁ׸׷
BytecodeArrayכꟼ侧⽃⡘ד㶷㖈ׅ׷
Ignition

View Slide

Dispatch Table
Stub(Machine Code)
BytecodeArray
Dispatch Tableから対応するHandlerを取り出して実行
0 1 3 4 5 6 7 8
5 6 1

View Slide

InterpreterEntryTrampoline
剑穄涸ח欰䧭ׁ׸׋BytecodeכInterpreterEntrynTrampolineה
ㄎל׸׷Builtin؝٦سַ׵㹋遤ׁ׸׷
InterpreterEntryTrampolineכAssemblyח؝ٝػ؎ׁٕ׸ծ
鸐䌢ךCךꟼ侧הㄎן⳿ׁ׸׷
Ignition

View Slide

InterpreterEntryTrampoline(Assembly)
Script::Run
Call as C function
Ignition DispatchTable
Dispatch First bytecode

View Slide

Ignition Handler
⯓玎亻⡂؝٦سד爙׃׋BytecodeHandlersכV8דכ
Ignition Handlerהㄎל׸גְ׷
Ignition HandlerכCodeStubAssemblerהְֲDSLד鎸鶢ׁ׸ג
ְ׷
Iginition

View Slide

CodeStub
Assember

View Slide

What is CodeStubAssmber?
CodeStubAssembler(CSA)כ؝٦س欰䧭׾ؚٓؿ欰䧭ח䬄韋⻉׃
׋V8ⰻ鿇ךDSL
㹋遤✮㹀Node׾穈׫甧ג׷׌ֽדծCodeGeneratorח״׏גぐ
،٦ؗذؙثٍぢֽך؝٦سָ欰䧭ׁ׸׷׋׭ծ،إٝـٔ鎉铂
׾ְ׍ְ׍倜׋ח剅ֻ䗳銲ָזְ
CodeStubAssembler

View Slide

IGNITION_HANDLER(JumpIfToBooleanFalse, InterpreterAssembler) {!
Node* value = GetAccumulator();!
// Accumulatorの値を取得!
Node* relative_jump = BytecodeOperandUImmWord(0);!
// 引数のoperandを取得!
Label if_true(this), if_false(this);!
BranchIfToBooleanIsTrue(value, &if_true, &if_false);!
// valueがtrueならif_true、falseならif_false!
Bind(&if_true);!
Dispatch();!
Bind(&if_false);!
// operandのbytecodeまでjump!
Jump(relative_jump);!
}!

View Slide

Graph based DSL
ֿךCodeStubAssemblerךֶַ־ד㹋ꥷך،٦ؗذؙثٍぢֽ
ך،إٝـٓ׾擾濼׃גְזֻג׮֮׵׋ח؝٦س׾鷄⸇ׅ׷ֿ
הָ㺁僒חז׶ծ
ת׋〳铣䚍׮ꬊ䌢ח넝ֻז׏גְ׷
CodeStubAssembler

View Slide

Dispatch Table
00 01 02 04 08 0f 10 10
Node
Node
Node
Operator
Operator
IGNITION_HANDLER
Stub (Mahine Code Fragment)
グラフからコードを生成
生成したコードを、
DispatchTableの対応する
バイトコードのインデックスへ
登録
Assemble

View Slide

Assembler
㹋ꥷחぐ،٦ؗذؙثٍぢֽך؝٦س׾⳿⸂ׅ׷
X64ぢֽךjmpص٦ٌصحؙ׾׍׳׏ה׌ֽ鋖ְג׫״ֲ
CodeStubAssembler

View Slide

void Assembler::jmp(!
Handle target,!
RelocInfo::Mode rmode!
) {!
EnsureSpace ensure_space(this);!
// 1110 1001 #32-bit disp.!
// ここでメモリ上にアセンブラを書き出す!
emit(0xE9);!
emit_code_target(target, rmode);!
}!

View Slide

Where to use
BuiltinsכAssemblerؙٓأ׾ⵃ欽׃גぐ،٦ؗذؙثٍ嫣ך
Stubָ鎸鶢ׁ׸גְ׷
♧鿇CSA׾⢪ֲ皘䨽׮֮׷(*-gen.cc)
Ignition HandlerכקרⰋגָCSAד鎸鶢ׁ׸גְ׷
CodeStubAssembler

View Slide

Builtins
&
Runtime

View Slide

Builtins
BuiltinsכV8ך饯⹛儗ח؝ٝػ؎ׁٕ׸׷،إٝـٓך؝٦س晙
ꟼ侧ך״ֲחCallBuiltin穗歋דㄎן⳿ׁ׸׷
Stubה׮ㄎל׸׷
㹋遤儗ך剑黝⻉כ遤׻׸זְ
Builtins & Runtime

View Slide

Runtime
RuntimeכBuiltinsװ׉ך➭ך،إٝـٓ؝٦سַ׵ㄎן⳿ֿׅ
הָדֹ׷C++ך؝٦س
Javascriptך⚅歲ַ׵C++ך⚅歲׾אזּ؝٦س晙
ずֻׄ㹋遤儗ך剑黝⻉כ遤׻׸זְ
Builtins & Runtime

View Slide

Hidden
Class

View Slide

What is Hidden Class?
Javascriptחכ㘗ָזְךדؔـآؙؑز׾鋉㹀ׅ׷׮ךָ搀ְկ
׉ך׋׭ծV8כؔـآؙؑزך圓鸡荈⡤׾㘗ך״ֲח䪔׏גְ׷կ
ֿ׸׾Hidden Classהㄎע
Hidden Class

View Slide

•  Hidden Class
const point1 = {x: 0, y: 0};!
const point2 = {x: 0, y: 0};!
Map
FixedArray [
{x: {offset: 0}},
{y: {offset: 1}}
]

View Slide

Map
׋הִJavascript♳דכⴽךؔـآؙؑزד֮׏ג׮ծ
ずׄ圓鸡׾䭯׏גְ׸לずׄHidden Class׾Ⱏ剣ׅ׷
׉׃גֿךؔـآؙؑزך酅ח֮׷圓鸡׾Mapהㄎע
Hidden Class

View Slide

class PointA {!
constructor() {!
this.x = 0;!
this.y = 0;!
}!
}!
const pointAInstance = new PointA();!
!
class PointB {!
constructor() {!
this.y = 0;!
this.x = 0;!
}!
}!
const pointBInstance = new PointB();!
// PointAInstance.Map !== PointBInstance.Map!

View Slide

Layout
Mapؔـآؙؑزכַז׶⿑㺘חفٗػذ؍ךoffset׾ثؑحؙ
ׅ׷׋׭ծٔذٕٓךⴱ劍⻉갫٥فٗػذ؍ךⴱ劍⻉갫٥فٗػ
ذ؍ך侧ָ麩ֲהⴽךMapָⶴ׶䔲ג׵׸׷
Hidden Class

View Slide

Map Transition
׃ַ׃فٗػذ؍ך㟓幾ָ걼籕ח饯ֿ׷Javascriptדծ嫣㔐Map
׾欰䧭ׅ׷ה؝أزָ搀鋔דֹזְךדכ
V8כفٗػذ؍ך㟓幾ָ֮׏׋㜥さחכMap׾Ⱏ剣׃זָ׵ծ
㟓ִ׋鿇ⴓך׫ך倜׃ְMap׾欰䧭ׅ׷
ֿ׸׾Map Transitionהㄎע
Hidden Class

View Slide

What's Happening?
Hidden Classָ֮׷ה⡦ָ㴍׃ְַהְֲהծ
ؔـآؙؑزךفٗػذ؍،ؙإأװ㘗ךثؑحؙ׾״׶넝鸞חծ
״׶㸜Ⰻח遤ִ׷״ֲחז׷
Hidden Class

View Slide

Inline Caching

View Slide

What is Inline Caching
فٗػذ؍،ؙإأך넝鸞⻉ך׋׭ח麓⿠ך،ؙإأ׾ٍؗح
ءُ׃גֶֻ
Inline Caching

View Slide

function x(obj) {!
return obj.x + obj.y;!
}!
!
x({x: 0, y: 0});!
x({x: 1, y: 1});!
x({x: 2, y: 2});!

View Slide

Search Property
ؔـآؙؑزַ׵فٗػذ؍׾䱱ׅ׋׭חכծ
HashMapװFixedArrayַ׵فٗػذ؍׾ٗ٦سׅ׷
׃ַ׃׉׸׾嫣㔐遤ֲךכꬊ䌢ח鹼ְ
Inline Caching

View Slide

Reduce Property Access
ֿך⢽דכxהyפך،ؙإأָずׄMap׾䭯אؔـآؙؑزח㼎
׃ג⡦䏝׮㹋遤ׁ׸גְ׷
ׅדחobjכ{x, y}ךMapה׻ַ׏גְ׷ךד֮׸לծ
䔲搫ًٌٖٔ؎،ؐز׮׻ַ׏גְ׷ךדծ湫䱸offset׾䭷㹀׃
ג،ؙإأ׃׋קֲָ傍ְ
Inline Caching

View Slide

Cache
זךדծ暴㹀ךMapך،ؙإأ׾鎸䥉׃גֶֻ
֮׷فٗػذ؍פ،ؙإأ׃׋㜥さծ׉ךMapؔـآؙؑز׾鎸
䥉ׅ׷ֿהד2㔐湡⟃꣬ךفٗػذ؍،ؙإأָ넝鸞⻉ׁ׸׷
Inline Caching

View Slide

x({x: 0, y: 0});!
// uninitialized!
x({x: 1, y: 1});!
// stub_call!
x({x: 2, y: 2});!
// found ic!
x({x: 1, y: 1, z: 1})!
// load ic miss!
x({x: 1, y: 1, foo() {}});!
// load ic miss!

View Slide

Cache Miss
׋׌׃ծMapָ㢌⻉׃׋㜥さחכ䔲搫CacheךMissؼحزָ饯ֹ
׷ךדծת׋فٗػذ؍׾ٗ٦س׃ג倜׋ח鎸䥉׃湫ׅ
׋׌׃ׅץג׾鎸ꐮׅ׷ךכ♶〳腉זךדծ4אתדMapؔـ
آؙؑز׾鎸ꐮׅ׷
Inline Cache

View Slide

Cahce State
ٍؗحءُך朐䡾כ⟃♴ך״ֲח鼂獳ׅ׷
PreMonomorphic
Monomorphic
Polymorphic
Megamorphic
Inline Caching

View Slide

Pre Monomorphic
؝٦س♳ך鿪さד劢ⴱ劍ַוֲַⴻ㹀ׅ׷׋׭ח㶷㖈ׅ׷ךדծ
֮ת׶䠐㄂כזְ
Inline Caching

View Slide

Monomorphic
⽃♧ךMapפך،ؙإأ׃ַ㶷㖈׃זְ朐䡾
椚䟝涸ז朐䡾ה鎉ִ׷
Inline Caching

View Slide

Polymorphic
MapָFixedArrayח呓秛ׁ׸גֶ׶醱侧ךMapַ׵嗚稊׃ג
فٗػذ؍،ؙإأ׾㹋遤ׅ׷
ٍؗحءُ荈⡤כׁ׸גְ׷ךדת׌넝鸞
Inline Caching

View Slide

Megamorphic
֮ת׶חMissָ㢳ְךדծMapך鎸ꐮ׾⨡姺׃׋朐䡾
איחStubַ׵GetProperty׾ㄎן⳿׃גفٗػذ؍׾《䖤ׅ׷
剑׮鹼ְ朐䡾
Inline Caching

View Slide

Optimization

View Slide

Hot or Small
䌢ח؝٦س׾剑黝⻉ׅ׷ךכꬊ䌢ח搀꼽
⟃♴ך勴⟝ח䔲גכת׷؝٦س׾剑黝⻉ׅ׷
•  (ꟼ侧ךغ؎ز؝٦سꞿ/ 1200) + 2ך㔐侧ꟼ侧ָㄎן⳿ׁ׸
גְ׷
•  ꟼ侧ָ㼭ְׁ(غ؎ز؝٦سךꞿָׁ90劢弫)
Optimization

View Slide

Optimization Budget
غ؎ز؝٦س㹋遤⚥חぐꟼ侧חכ剑黝⻉✮皾ָⶴ׶䮶׵׸גֶ׶ծ
׉ך⦼ָ0׾ⴖ׷ה؝٦س剑黝⻉⦪酡הז׷
Optimization

View Slide

For loop
ٕ٦فדכJumpLoopהְֲغ؎ز؝٦سָ⳿⸂ׁ׸׷
ֿךJumpLoopך⚥ד䨱׶⯓ך،سٖأ⦼ךoffset׾ꅾ׫ח׃גծ
⯓玎ך✮皾ַ׵⦼׾䒷ֹծ׉׸ָ0׾ⶴ׏׋׵ٕ٦فⰻך剑黝⻉
ָ涪欰ׅ׷
Optimization

View Slide

function id(v) {return v;}!
function x(v) {!
for (var i = 0; i < 10000; i++) {!
id(v + i);!
}!
}!
x(1);!

View Slide

0x1bb9e5e2935e LdaSmi.Wide [1000]
0x1bb9e5e2937e JumpLoop [32], [0] (0x1bb9e5e2935e @ 4)
Bytecode length = 100
if (budget –= 100 < 0) {
OptimizeAndOSR();
}

View Slide

OSR - OnStackReplacement
؝ٝػ؎ׁٕ׸גغ؎ز؝٦سַ׵堣唒铂ח㢌䳔ׁ׸׋؝٦سכծ
ٕ٦فך鷿⚥ד굲ן⯓ָ剅ֹ䳔ִ׵׸ג倜׋ז堣唒铂ך؝٦سָ
㹋遤ׁ׸׷
Optimization

View Slide

For function
ꟼ侧ך㜥さכReturnغ؎ز؝٦سָ䗳׆欰䧭ׁ׸׷
׉ֿדInterruptָ遤׻׸ג✮皾ךثؑحָؙ涪欰ׅ׷
Optimization

View Slide

function x() {!
const x = 1 + 1;!
}!
x();!

View Slide

0x3d22953a917a StackCheck
0x3d22953a9180 Return
Bytecode length 30
if (budget -= 30 < 0) {
OptimizeConcurrent();
}

View Slide

Concurrent Compilation
ꟼ侧׾剑黝⻉ׅ׷㜥さכծ⚛⴨؝ٝػ؎ָٕꬊず劍ח遤׻׸׷
׉ך׋׭如㔐⟃꣬ךꟼ侧ㄎן⳿׃ָ䗳׆剑黝⻉ׁ׸גְ׷׻ֽד
כזְ
Optimization

View Slide

CompilationQueue
CompilationJob
CompilationJob
CompilationJob
Hot Function
Bytecode Called
Hot Function(Queued)
Bytecode Called
Hot Function(Queued)
Bytecode Called
Optimized Function
Assembly Called

View Slide

const x = x => x;!
const y = () => {!
for (let i = 0; i < 1000; i++) {!
x(i);!
}!
!
for (let i = 0; i < 1000; i++) {!
x(i);!
}!
};!
y();!

View Slide

0x13b567fa924e LdaSmi.Wide [1000]
0x13b567fa9268 JumpLoop [26], [0] (0x13b567fa924e @ 4)
Bytecode length 26 budget –= 26
0x13b567fa926e LdaSmi.Wide [1000]
0x13b567fa9288 JumpLoop [26], [0] (0x13b567fa926e @ 36)
Bytecode length 26 budget –= 26
0x13b567fa928c Return
budget –= all_bytecode_length

View Slide

Budget for function
׋הִٕ٦فָⴓⶴׁ׸גְג׮Ⰻ⡤ך✮皾׾Returnד׮鎘皾ׅ
׷ךד㉏겗זֻ剑黝⻉ָ遤׻׸׷
Optimization

View Slide

TurboFan

View Slide

What is TurboFan?
TurboFanהכV8ך剑黝⻉أةحؙךֿה
V8כBytecodeַ׵剑黝⻉؝ٝػ؎ٕ׾遤ֲ㜥さחծ
♧傉IR׾欰䧭ׅ׷
ֿךGraph欰䧭ה剑黝⻉׾遤ֲךָTurboFan
TurboFan

View Slide

Bytecode
IR
TurboFan
Optimization
&
CodeGeneration

View Slide

IR
䬄韋涸ז㹋遤ـٗحؙ
Control Flow Graph
TurboFan

View Slide

#22:Branch[None](#21:SpeculativeNumberLessThan, #9:Loop)
#28:IfTrue(#22:Branch)
#30:JSStackCheck(#11:Phi, #32:FrameState,
#21:SpeculativeNumberLessThan, #28:IfTrue)
#33:JSLoadGlobal[0x2f3e1c607881 , 1]
(#11:Phi, #34:FrameState, #30:JSStackCheck,
#30:JSStackCheck)
#2:HeapConstant[0x2f3e1c6022e1 ]()
#39:FrameState
#36:StateValues[sparse:^^](#12:Phi, #33:JSLoadGlobal)
#37:FrameState#35:Checkpoint(#37:FrameState,
#33:JSLoadGlobal, #33:JSLoadGlobal)
#38:JSCall[2, 15256, NULL_OR_UNDEFINED]
(#33:JSLoadGlobal, #2:HeapConstant, #11:Phi,
#39:FrameState, #35:Checkpoint, #33:JSLoadGlobal)
#9:Loop(#0:Start, #38:JSCall)

View Slide

Optimization
TurboFanכGraphח㼎׃ג剑黝⻉׾遤ֲ
TurboFan

View Slide

inline
ꟼ侧ㄎן⳿׃ךInline⻉
trimming
ⵋ麦׃זְNodeך⵴ꤐ
type
㘗䱿锷
typed-lowering
㘗ח㛇בְג䒭װㄏ⟀׾״׶知⽃זⳢ椚ח縧ֹ䳔ִ׷
loop-peeling
ٕ٦فⰻךⳢ椚׾㢩ח⳿ׅկ

View Slide

loop-exit-elimination
LoopExit׾⵴ꤐ
load-elimination
搀꼽ז⦼ך铣׫⳿׃װcheck׾⵴ꤐ
simpliﬁed-lowering
״׶Ⱗ⡤涸ז⦼דㄏ⟀׾ءٝفٕח㢌䳔ׅ׷
generic-lowering
JSفٖؿ؍حؙأך➰ֻㄏ⟀׾״׶ءٝفٕזㄎן⳿׃װ
stubךㄎן⳿׃ח㢌䳔ׅ׷
dead-code-elimination
ⵋ麦♶腉؝٦سך⵴ꤐ

View Slide

Code generation
剑穄涸חInstructionSelectorהְֲؙٓأָregisterךⶴ➰׾遤
ְծ
ֿךؚٓؿַ׵CodeGeneratorָ堣唒铂׾欰䧭׃ג
PC(ProgramCounter)ח،إٝـٔ׾剅ֹ⳿׃גְֻ
Optimization

View Slide

Deoptimization

View Slide

What is Deoptimization?
Deoptimization(膴剑黝⻉)הכ剑黝⻉׃׋Assembly؝٦سח✮劍
ׇט⦼ָ床׏׋㜥さחծⱄ䏝؝ٝػ؎ٕ׃湫ׅ堣腉
׮׍׹׿㼰זְח馉׃׋ֿהכזְ
Deoptimizationָ涪欰ׅ׷⢽׾然钠׃ג׫״ֲ
Deoptimization

View Slide

const id = x => x;!
const test = obj => {!
for (let i = 0; i < 100000; i++) {!
id(obj.x);!
}!
};!
!
test({x: 1});!
test({x: 1, y: 1});!

View Slide

Wrong Map
➙ך⢽דכ剑ⴱח{x}ךMapח㼎׃ג剑黝⻉ׁ׸׋Assembly׾⳿
⸂׃׋ָծ
✳㔐湡ךㄎן⳿׃ָ{x,y}ךMap׌׏׋׋׭חծⱄ؝ٝػ؎ٕ׾⡭
⭑זֻׁ׸ג׃ת׏׋
׍׳׏ה׌ֽAssembly׾鋖ְג׫״ֲ
Deoptimization

View Slide

0x451eb30464c 8c 48b9f1c7d830391e0000 REX.W movq rcx,
0x1e3930d8c7f1
0x451eb304656 96 483bca REX.W cmpq rcx,rdx
0x451eb304659 99 0f8591000000 jnz 0x451eb3046f0
;; Check Map!!
...
0x451eb3046f0 130 e81ff9cfff call 0x451eb004014
;; deoptimization bailout 2

View Slide

Bailout
ֿך״ֲח⳿⸂ׁ׸׋؝٦سחMap׾然钠ׅ׷؝٦س׮ろת׸ג
ְ׷
Deoptimizationָ遤׻׸׷ה؝٦سכBytecode㹋遤ח䨱׷ָծ
ֿ׸׾Bailoutהㄎע
Deoptimization

View Slide

Summary
⟃♳ָV8ָJS׾㹋遤ׅ׷䊨玎ד֮׷
儗꟦ך鿪さ♳GCכ満ְ׋
V8ך؝٦سٔ٦ر؍ؚٝך䪮遭瘝כת׋ـؚٗח剅ֻ✮㹀
http://abcdef.gets.b6n.ch/
׀幠耮֮׶ָהֲ׀ְׂת׃׋

View Slide

Source to Binary - journey of V8 javascript engine

Source to Binary - journey of V8 javascript engine

Taketoshi Aono(青野健利 a.k.a brn)

More Decks by Taketoshi Aono(青野健利 a.k.a brn)

Other Decks in Programming

Featured

Transcript