JavaScript's V8 engine research

1. Context-specific snapshot technology

What is context (contexts)? is actually the JS application's operating environment, avoids the application modification mutual influence, for example a page JS modifies the built-in object method ToString, should not affect to another page. Chrome browser Each process has only one instance of the V8 engine, and each window and iframe in the browser corresponds to a context.

V8 startup (before executing client JS), you need to initialize the global context (the first context), read and parse the self-implemented built-in JS code (another technique, 2nd), set up function, array, Built-in objects and methods such as String (see the Genesis class in Bootstrapper), the creation of subsequent contexts requires only the creation of built-in objects, and in order to reduce CPU and memory consumption when the global context is created, V8 uses snapshot technology (see v8_ Mksnapshot engineering), (1) After the global context is initialized, the current heap memory is serialized into a byte code and saved to a disk file; This process is most important for the space address and object preservation, the operation (see Serialize file) is: analog linear memory space allocation, Iterates through all the JS objects in the heap memory and allocates memory in the simulated space (which is actually the relative offset address of the Record object), then serializes the object size, offset address, sub-object, object content, and finally serializes the context on the global handler and Stack, and (2) when loaded, The snapshot file is deserialized into memory, avoiding the first context initialization, thus speeding up the V8 startup.

2. Built-in's JS code

(1) The use of JS self-expression built-in objects, methods, such as the above code to implement the Math.min method, so that V8 in the implementation of code translation only need to pay attention to the basic operation, with the% sign function from V8 runtime function (see Runtime and CodeGen);

(2) How to embed JS into the V8? Use the Python tool to convert the JS file code to the const char[] variable (byte code), to natives.cc, and the relevant JS code to Lazy-compile when the relevant method is first accessed during execution.

(digression: Let the interviewer implement some common functions of JS, but also to examine one of its basic methods.) ）

3. Memory management when creating an AST (Abstract syntaxtree)

V8 after the AST is established, it is compiled to generate dynamic machine language, so the AST needs to be recycled after code generated, and for the feature of multi-node memory request and one-time recovery in the AST establishment process, V8 uses the memory segment link list management, and combines Scopelock mode, Implementing a few applications (SEGMENT,8KB~1MB), assigning AST nodes multiple times, and managing the various Segment at once can avoid memory fragmentation and avoid iterating through the AST nodes to reclaim memory.

4. Compilecache avoid repeated compilation of the same Code

For a section of JS code, before starting the lexical analysis, will be compiled from the cache Compilationcache to find whether the code has been compiled, if it is, then directly take out the compiled machine code, and return, so that the CPU usage, in exchange for memory space must occupy If the JS file is loaded repeatedly in a page, the speed of this method is obvious; This approach should be balanced.

Let's take a look at the specific implementation of this buffer:

(1) The data structure adopts compilationcachetableàhashtable, it is three kinds of different JS statement types (Ordinary script,eval statements, regexp regular expressions), and uses the less elegant global variables to record various table. Reasons for using three table records: the same script and eval statements, the compiled machine code is different (from annotation), because the eval statement and the execution period of the context-sensitive, so the cache will need to add context as key, So the three types generate different key ways. The individual values of the table array are empty at the beginning, and Hashtable is not generated until the compiled code needs to be joined.

(2) key generation, it is necessary to ensure that the same statement generated by the key is stable:

A) A normal script statement that uses Stringhasher to generate a key and save it to a string object (because the key is not just used); The build rule is: When the statement is longer than 16K, will use its length as key directly (offset to 32-bit length and make sure it is odd), otherwise use the Bob Jenkins hash algorithm to read each character of the statement individually, and compute the key that makes up a uint;

b) The Eval statement, also used to stringhasher, on this basis combined with the context of share info (also the statement hash, plus the location of the statement information, see Stringsharedhashhelper) to update the hash value;

c) RegExp statement, also used to stringhasher, on this basis, combined with RegExp flag information (i/g, etc.) to update the hash value (see Regexpobjecthash), see Regexpkey.

These keys are derived from Hashtablekey, which defines public interfaces for Hashtable to be used uniformly.

(3) Search method: Using hash algorithm and linear detection to solve the conflict of key, which is determined by Hashtable inherited from the fixedarray characteristics.

5. Quick access to Properties

C + +, Java and other languages have the concept of class, and the properties, methods and classes are bound together, access can be based on object address + displacement quickly obtained, and JS object does not have a class concept, it is actually a hash map, the property can be dynamically added, deleted, and in the execution to learn the object type.

V8 does not manage properties like other JS engine using a dictionary structure or a map implemented by a red-black tree, but instead attaches a pointer to the hidden class (if the type object is created for the first time, creates a new hidden class), and when each property is added to an object, A new class is created (the displacement/position of each property is recorded), and the original class points to the new class, which establishes a hidden class conversion list.

6. Heap Heap Memory management

See:

Http://hi.baidu.com/hycjk/blog/item/20c9ecf87d3d1004d8f9fd6e.html

Http://hi.baidu.com/hycjk/blog/item/86b2bf0e000d34ec37d1221e.html

7. Inline caching reduces function call overhead

See http://en.wikipedia.org/wiki/Inline_caching. The JS function binding occurs at run time, so it is not possible to locate the function entry through method tables, which can record the function entry and avoid the duplicate lookup.

8. One-time compilation generates machine language

The general JS engine will be compiled into the intermediate language (bytecode) after the AST is generated, and then the Bytecode;java will be compiled into these bytecode as well, and then the VM (to implement cross-platform) as the interpreter, in order to improve performance, Java uses a hybrid approach, which compiles irrelevant platforms and common code into machine code. The V8 is a one-time compilation of the AST into machine language. From the copyright of the assembler related file header, it can be seen that these different platforms (IA32, ARM) under the compiler, the prototype from the Sun Microsystems.

Report:

First, some JS engine design considerations:

1, fast-parse, construct syntax tree, execution and other aspects, such as property access, avoid dictionary lookup, optimize the code, compile and generate dynamic machine code, rather than according to the statement interpretation of execution, and machine code can be stored in the cache and repeated execution;

2, small-occupied memory low, the allocation of recovery memory timely and effective;

3, security--run context switch and check;

4. High fault tolerance

5, easy to integrate with the browser;

6, cross-platform;

7, provide API interface;

8, support debugging;

9, other details: the analysis and implementation of regular expressions, the implementation of the hash object (most of these objects size smaller), you need to consider the characteristics and purpose of JS itself.

Second, some JS language features

1, the object is a hash map, attributes can be added, modified, deleted at any time, the object type in the implementation of the known;

2. Prototyp chain can be modified at execution time

3. Eval can change the execution context

4. With dynamic Add object to scope chain (scope)

Third, lexical analyzer

Iv. third-party code referenced by V8:

1. Regular engine: Just beginning to use the Jscre in the WebKit project (based on the widely used PCRE library developed by Philip Hazel of Cambridge University), and later replaced by the new Irregexp (automata theory);

2. dtoa,double converted to string, David m. gay,under an MIT license;

3, Strongtalk Assembler, is a C + + packaging of the JIT (Just-in-time) Assemble.

V. Some information addresses

Http://code.google.com/intl/zh-CN/apis/v8/design.html

Http://code.google.com/intl/zh-CN/apis/v8/embed.html

Http://www.docin.com/p-46635034.html

Http://www.greenpublishers.com/neat/200901/3coverstory.pdf

Http://www.cnblogs.com/RicCC/archive/2008/02/15/javascript-object-model-execution-model.html

http://www.cnblogs.com/duguguiyu/archive/2008/10/02/1303095.html tagged pointer?

http://hllvm.group.javaeye.com/group/topic/17840

JavaScript's V8 engine research