V8 / Chrome Architecture Reading List - For Vulnerability Researchers

Continously Updated! Last Update: 11 November 2022

Want to learn how to break V8 or Chrome? Got some time spare on your commute? Watch these conference talks or read these articles to get up to speed with V8 and Chrome internals.

Videos

• Mathias Bynens - V8 internals for JavaScript developers - JSConf AU 18 - Mathias Bynens - Discusses how elements kinds and different data types are handled in V8. Covers the following topics:

  • SMIs
  • Doubles
  • Regular Elements
  • Packed Elements
  • Holey elements
  • Performance

• JavaScript Engines: The Good Parts - JSConf EU 2018 - Mathias Bynens & Benedikt Meurer Introduction to the four main JavaScript engines. Covers JavaScript engine fundamentals such as:

  • Representation of objects
  • Transition trees
  • High level comparison between the optimizing/JIT compilers in each JS engine.

• JavaScript engines - how do they even? - JSConf EU 2017 - Franziska Hinkelmann - Introduction to JIT, optimizing compilers and compiler differences in each JavaScript engine.

• A Tale of Types, Classes, and Maps - JSCamp Barcelona 2018 - Benedikt Meurer - Introduction to the main four JavaScript engines and how they work. Discusses optimixation, deoptimization fundamentals and differences in each engine.

• Escape Analysis in V8 - Google - Tobias Tebbi - Covers escape analysis in Turbofan. Escape Analysis is a compiler optimization that allows to remove or postpone the allocation of temporary objects, potentially storing the object fields in registers instead.

• Inside V8: The choreography of Ignition and TurboFan - Web Rebels 2018 - Sigurd Scheider

• Garbage Collection in V8 - React Vienna 2017 - Irina Shestak

• Orinoco: The new V8 Garbage Collector - NodeConf EU 2018 - Peter Marshall

• Memory Layout of V8’s Heap - dotJS 2016 - Fedor Indutny - Discusses core V8 concepts such as “SMIs” (Small Integers), Pointer Tagging, Boxing, “Maps” and the object layout in memory. Also introduces “llnode”, a lldb plugin for debugging NodeJS and V8.

• Breaking the JavaScript Speed Limit with V8

• Ignition: An Interpreter for V8

• Turbofan: A new code generation architecture for V8

• Mojo - Chrome’s IPC

• Security 101 (Chrome University)

• Security 201 (Chrome University)

• Anatomy of the Browser 101 (Chrome University)

• Anatomy of the Browser 201 (Chrome University)

• Life of a Process (Chrome University)

• Life of a Script (Chrome Univesity)

V8 Concepts

• JavaScript engine fundamentals: optimizing prototypes
• JavaScript engine fundamentals: Shapes and Inline Caches
• Elements kinds in V8
• Getting garbage collection for free
• Fast Properties in V8
• A tour of V8: full compiler
• A tour of V8: object representation
• Allocating Numbers
• SMIs and Doubles
• ELI5: v8 Isolates and Contexts
• JS Object Structure Analysis
• Pointer Compression In V8
• Hardening V8 Leveraging Array Invariants

Chrome Security and IPC

• Chrome Sandbox Design
• The Security Architecture of Chromium Browser
• Chrome Security Arcitecture Diagram
• Chrome Site Isolation
• Chrome Partition Alloc
• Chrome Mojo IPC Style Guide
• Chrome Mojo Readme
• Intro to Mojo & Services
• How Blink Works

Ignition (V8’s Interpreter)

• Firing up the Ignition interpreter
• Ignition: Jump-starting an Interpreter for V8
• Ignition: An Interpreter for V8
• Ignition Design Document
• Ignition: Register Equivalence Optimization
• Understanding V8’s Bytecode
• Blazingly Fast Parsing, Part 2

Turbofan (V8’s JIT Compiler)

• An Introduction to Speculative Optimization in V8
• Digging into the TurboFan JIT
• Deoptimize me not, v8
• How to start JIT-ting
• Sea of Nodes
• Turbofan Docs
• Hooking up the Ignition to the Turbofan
• Tale of Turbofan
• Ignition+TurboFan and ES2015
• CodeStubAssembler Redux
• Overview of the Turbofan Compiler
• Turbofan IR
• Turbofan’s JIT Design
• Fast Arithmetic for Dynamic Languages
• Deoptimization in V8
• Turbofan a new code generation architecture for V8
• An Internship on Lazyness Slides
• An internship on laziness: lazy unlinking of deoptimized functions
• Turbofan: Function Context Specification
• Turbofan: Rest Parameters and Arguments Exotic Objects optimization plan
• Turbofan Developer Tools Integration
• Turbofan Inlining
• Turbofan Inlining Heuristics
• TurboFan redundant bounds and overflow check elimination
• Turbofan Lazy deoptimization without code patching
• Turbofan Register Allocator
• Projection nodes in TurboFan
• Builtin optimization guards in TurboFan
• Investigation of (transpiled) class performance in V8
• In-place field representation changes
• ES2015 and beyond performance plan
• Fast string concatenation in JavaScript
• Context-sensitive JavaScript operators in TurboFan
• Fast frozen & sealed elements in V8
• Faster calls with arguments mismatch
• Faster Runtime API Calls

Sparkplug (V8’s non optimizing compiler)

• Sparkplug — a non-optimizing JavaScript compiler
• Sparkplug

Turboprop (V8’s Mid Tier Compiler)

• TurboProp Mid-Tier Compiler

Mitigations

• V8 Heap Sandbox
• V8 Sandbox - External Pointer Sandboxing

V8 Garbage Collection

• Jank Busters Part Two: Orinoco
• Garbage Collection: V8’s Orinoco
• Trash talk: the Orinoco garbage collector
• High-Performance Garbabe Collection For C++

Useful Links

• V8 Homepage
• OmahaProxy
• V8 Github Mirror
• V8 / Chrome Source Browser
• Chromium Bug Tracker
• V8 Bug Tracker
• Google Groups V8
• Google Groups Chrome
• Chrome Status
• Chrome Release Schedule
• Chromium Blog
• Chrome Severity Guidelines
• Chromium Code Review Gerrit
• Chromium IRC