
Chrome V8 Principles Explained, Part 17: Memory Layout and Creation Process of JS Objects


Preface

The first thirteen articles in this series explained the most basic workflow and principles of V8 when it executes JavaScript, including lexical analysis, syntax analysis, bytecode generation, Builtins methods, the Ignition execution unit and so on, so that a reader can start from scratch and get going.

Subsequent articles explain the V8 source code in a problem-oriented manner, for example the source code related to closures or to garbage collection (GC). The V8 code base is very large, and a problem-oriented approach makes each topic clearer and more effective to learn. At the same time, I try to make each article an independent knowledge point that can be read on its own.

Readers can leave a message in the comment area at the end of the article; I collect these topics and write them up in a special article.

1 Abstract

JS objects are described in "JavaScript Advanced Programming" as follows: "ECMA-262 defines an object as an unordered collection of properties. Strictly speaking, this means that an object is a set of values that have no particular order. Each property or method of an object is identified by a name that maps to a value. An ECMAScript object can be thought of as a hash table, consisting of a set of name/value pairs whose values can be data or functions." The official V8 documentation adds to this description: "For performance or code design reasons, the data types in V8 have been classified in detail, and the data members inside JS objects have also been designed differently."

This article goes deep into V8 to analyze the creation process of JS objects in detail, and explains the composition of the internal members of a JS object, its memory layout and the important data structures involved. The content is organized as follows: important concepts, member composition and memory layout of JS objects in V8 (Chapter 2); the JS object creation process (Chapter 3).

2 JS objects

In V8, every member and method of a JS object follows detailed classification and memory organization rules. From the perspective of data type, the internal members fall into two major classes, elements and properties, as shown in Figure 1.

[Figure 1]

Figure 1 (from the official V8 documentation) shows that elements and properties are stored separately for efficiency. Element members are accessed by subscript (index) and live in a contiguous address space. Property members also live in a contiguous address space, but they cannot be accessed by subscript; they must be accessed through the Map (HiddenClass). The Map records the descriptors of the data; in plain terms, the Map describes the shape of the data and how the data is accessed (see the fourteenth article). Element data does not need the Map, so its access is more efficient, as shown in Figure 2.

[Figure 2]

Figure 2 (same source as Figure 1) shows that, in addition to elements and properties, there are also in-object properties. These differ from the properties mentioned above in that no Map lookup is needed to access them, which improves access efficiency, but their number is limited. In-object properties are used first; once they are used up, further members are stored as the "normal" properties described above.

[Figure 3]

Figure 3 (same source as Figure 1) shows the three ways in which the members of a JS object can be accessed:

(1) In-object: the JS object itself maintains the address, and the member is stored directly inside the JS object;

(2) Slow mode: the members must be accessed with the help of the Map;

(3) Self-dict: the JS object maintains its own addresses and does not use the Map; the data is stored in a dictionary.

Self-dict is the least efficient storage method; when the data is large and discontinuous, V8 abandons the Map mechanism and switches to self-dict storage.
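The elements/properties split described above is visible from plain JavaScript, without any V8 internals: the specification's own-property-key order (ECMA-262, OrdinaryOwnPropertyKeys) lists array-index keys first in ascending numeric order, then string keys in insertion order, which is exactly the boundary between the element store and the property store. The following is an added example written for this article, not code from the original post or from V8; the object and key names are constructed for illustration.

```javascript
// Added example (not from the original article): observable consequences of V8
// keeping integer-indexed "elements" apart from named "properties".
// Standard JavaScript only; runs in Node or any modern browser.

// Build an object whose keys mix integer-like strings and ordinary names.
// Integer-like keys ("0", 2, 7) land in the element store; the others go to
// the property store (in-object slots, the property backing store, or a
// dictionary once V8 gives up on the Map/HiddenClass for that object).
function buildMixedObject() {
  const o = {};
  o.name = "person";        // named property
  o[2] = "two";             // element (array-index key)
  o["0"] = "zero";          // element: "0" is a canonical array index
  o.kind = "example";       // named property
  o[7] = "seven";           // element
  o["01"] = "not an index"; // NOT an element: "01" is not a canonical index
  return o;
}

// Own enumerable keys: array indices first (ascending), then strings in
// insertion order. Insertion order of the indices is deliberately not
// preserved above to make the reordering visible.
function ownKeyOrder(o) {
  return Object.keys(o);
}

// A string is an array index only if it is the canonical decimal form of an
// integer in [0, 2^32 - 2] (ECMA-262 definition of "array index").
function isArrayIndexKey(key) {
  const s = String(key);
  if (!/^(0|[1-9][0-9]*)$/.test(s)) return false;
  return Number(s) <= 4294967294;
}

// Classify an object's own keys the way the engine splits them.
function splitElementsAndProperties(o) {
  const elements = [];
  const properties = [];
  for (const k of Object.keys(o)) {
    (isArrayIndexKey(k) ? elements : properties).push(k);
  }
  return { elements, properties };
}

// Self-check when run directly:
const demo = buildMixedObject();
console.log(ownKeyOrder(demo));                // ["0","2","7","name","kind","01"]
console.log(splitElementsAndProperties(demo)); // elements vs properties
```

Note that `"01"` and `"4294967295"` are treated as ordinary named properties even though they look numeric; only canonical array indices go into the element store.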

Figure 4 shows the memory layout of a JS object.

[Figure 4]

When a JS object is allocated, the first word of the object points to its Map (Map size: 80 bytes); many JS objects can share the same Map. The object also contains the property backing store pointer and the element backing store pointer; whether it contains other members depends on the situation, see the code explanation later.

Where are the member methods of a JS object stored? As mentioned at the beginning of the article, a method is an ordinary property member. The following test code shows how a member method is stored:

The top half is the JS source code and the bottom half is the bytecode. Line 19, Construct, constructs the JS object person and passes the argument Nicholas; lines 16 and 17 take Nicholas from the constant pool and store it in the r2 register. The sayname member is a method; because of lazy compilation it is not compiled at this point, but only at line 6. The bytecode of the sayname member after compilation is as follows:

In the bytecode above, console.log is not visible, because at this stage V8 only executes sayname itself. Although we know that the main work of sayname is just console.log, V8 has not executed it yet, so it does not compile it. Not compiling what has not been executed is the idea of laziness.

As can be seen from the code above, sayname is a member method, but inside the JS object it is just an ordinary property member.

3 The creation of JS objects

Using the test case above, here is the source location where the person object is created:

The creation process begins with RUNTIME_FUNCTION(Runtime_NewObject), a macro template that was covered in the previous article and is not covered again here. The JSObject::New() method creates the new JS object; it enters JSFunction::GetDerivedMap(isolate, constructor, new_target), whose source code is as follows:

Handle<JSFunction> constructor is the constructor person (from the test code). At line 16 the constructor's Map is basically complete, and the prototype is set and installed here. Line 4, EnsureHasInitialMap(constructor), is important: its role is to compute the shape of the constructor and generate a Map. This Map is then used to request memory and create the object instance worker (from the test code); the computation requires compiling the constructor if it has not been compiled before. The code is as follows:

Line 5: if a Map already exists, there is no need to compute it again, and it is returned. Line 7: compute the property values of the constructor; compilation happens here. Lines 26~30: generate the prototype (note the distinction: here the prototype is generated, whereas earlier it was set and installed). The first time the constructor is used there is no prototype yet, so line 29 is entered. Note: this shows that different instances of the same constructor share a common prototype, because the prototype is set on the constructor person, and when we use person to create multiple objects, line 29 is executed only the first time person is used.
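Two statements from the text can be checked from JavaScript itself: a method assigned in the constructor (sayname above) is just an ordinary own property of each instance, and every instance created from the same constructor shares one prototype object. The following is an added example written for this article, not the original post's test code or V8 source; the constructor name `Person`, the `greet` method and the second instance name are assumptions made for illustration.

```javascript
// Added example (not from the original article): a constructor in the style
// of the article's person test case. It shows (1) that a method assigned
// inside the constructor is a plain own data property of each instance and
// (2) that all instances share a single prototype object. Standard JS only.

function Person(name) {           // assumed name; the article's constructor is "person"
  this.name = name;
  // Assigned per instance: a plain own property whose value is a function.
  this.sayname = function () { return this.name; };
}

// Assumed for contrast: defined once on the prototype, shared by all instances.
Person.prototype.greet = function () { return "hi, " + this.name; };

// Inspect how an instance stores its method.
function describeInstance(p) {
  const own = Object.getOwnPropertyDescriptor(p, "sayname");
  return {
    ownKeys: Object.getOwnPropertyNames(p),              // ["name", "sayname"]
    saynameIsOwnDataProperty: own !== undefined && typeof own.value === "function",
    greetIsOwn: Object.prototype.hasOwnProperty.call(p, "greet"), // false
    greetReachable: typeof p.greet === "function",       // found via the prototype
  };
}

// Create two instances: separate sayname functions, one shared prototype.
function compareInstances() {
  const a = new Person("Nicholas");
  const b = new Person("Greg");                          // constructed sample value
  return {
    samePrototype: Object.getPrototypeOf(a) === Object.getPrototypeOf(b),
    prototypeIsPersonPrototype: Object.getPrototypeOf(a) === Person.prototype,
    separateSaynameClosures: a.sayname !== b.sayname,    // one function object per instance
    sharedGreet: a.greet === b.greet,                    // one function object for all
    calls: [a.sayname(), b.greet()],
  };
}

console.log(describeInstance(new Person("Nicholas")));
console.log(compareInstances());
```

Because sayname is created anew for every instance, each object carries its own function object in its property store, whereas greet exists once on Person.prototype; this is the practical difference between a "member method" stored as a normal property and a method shared through the prototype that the text describes.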

Looking at line 7 again, its source code is as follows:

Handle<JSFunction> function is the constructor person. Line 13 compiles it and counts the number of property values of the object. Line 28 compares this with MaxInObject; if it is greater than MaxInObject, the number of in-object property values is MaxInObject. As mentioned earlier, the number of in-object properties of a JS object is limited, and MaxInObject is that maximum. The extra property values are processed later and put into the property backing store shown in Figure 1.

Back in the JSObject::New() method, line 27 uses the Map to request the memory for the JS object, followed by the parameter settings of the object instantiation and so on; readers can follow this using the function call stack in Figure 5.

[Figure 5]

That is all for today; see you next time.

Readers are kindly invited to criticize, correct and leave valuable comments.

WeChat: qq9123013 (remark: v8 communication). Email: [email protected]

This article was originally published by Gray Bean.

For reprinting, please refer to the reprint statement and indicate the source: https://www.anquanke.com/post/id/257484

