As Markus and Amy of Ret2Systems rightly point out, the best way to start vulnerability research in a new area is to aggregate all possible resources on the topic.

As such, we will be compiling and listing all good resources on WebKit and JavaScriptCore architecture relevant to vulnerability research here.

Last Update: 17 February 2020


  • Michael Saboff — JavaScriptCore, many compilers make this engine perform - HolyJS 2019 - This talk covers how JavaScriptCore transforms JS source into bytecode, and then executes that bytecode using various tiers in the engine. The talk provides details on the four tiers that execute JS, the purpose of each tier and how code execution moves between those tiers.

  • The WebKit Browser Engine An Overview - LinuxConf 2013 - A dated but good basic introduction to the WebKit browser engine.

  • JavaScriptCore’s DFG JIT - JSConf EU 2012 - This talk takes a look at what the DFG JIT is and how it works.

  • A Tale of Types, Classes, and Maps - JSCamp Barcelona 2018 - Benedikt Meurer - Introduction to the main four JavaScript engines and how they work. Discusses optimization and deoptimization fundamentals and the differences in each engine.

  • JavaScript engines - how do they even? - JSConf EU 2017 - Franziska Hinkelmann - Introduction to JIT, optimizing compilers and compiler differences in each JavaScript engine.

  • JavaScript Engines: The Good Parts - JSConf EU 2018 - Mathias Bynens & Benedikt Meurer - Introduction to the four main JavaScript engines. Covers JavaScript engine fundamentals, handling of different objects, transition trees, and a high-level comparison between the optimizing/JIT compilers in each JS engine.

  • Rendering in WebKit - Google Developers - (Dated) Eric Seidel explains the process from loading the resources and building the DOM tree to the various trees involved in rendering.

  • The Butterfly of a JSObject - Part of LiveOverflow’s excellent series on browser exploitation. LiveOverflow explains what butterflies are in JavaScriptCore.