Catch a SpiderMonkey 抓猴去 (go catch a monkey)
@GregWeng 2016/04/07 Functional Thursday

Upload: chenghui-weng
Post on 22-Jan-2018

TRANSCRIPT

Catch a SpiderMonkey

● Overview of SpiderMonkey
● DXR: codebase reference
● Little trick to build it faster for debugging
● Drop into the shell
● Self-hosting functions
● JavaScript in JavaScript engine
● Live demo: path tracing for TypedArray
● The beast: Interpreter.cpp


Little trick: build it faster for debugging

../configure --enable-debug --disable-optimize --without-intl-api

In all.js, flip these two prefs from true to false to turn off the Baseline and Ion JITs:

pref("javascript.options.baselinejit", true → false);
pref("javascript.options.ion", true → false);

https://dxr.mozilla.org/mozilla-central/source/modules/libpref/init/all.js#1149-1150


mozilla-central/js/src/build_DBG.OBJ/dist/bin/js
js>

JS Shell
● No DOM (ex: document.all)
● No JIT (debug build)
● With some debug functions

js> dis(function() { a + b })
flags: LAMBDA CONSTRUCTOR
loc     op
-----   --
main:
00000:  getgname "a"
00005:  getgname "b"
00010:  add
00011:  pop
00012:  retrval

Source notes:
 ofs line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     0 [   0] colspan  17
  2:    1    12 [  12] xdelta
  3:    1    12 [   0] colspan   5

From JS to C++: dis()

JS_FN_HELP(                        // macro
    "dis",                         // name in JS
    Disassemble,                   // implementation
    1,                             // nargs
    0,                             // flags
    "dis([fun/code])",             // usage
    "Disassemble functions...")    // help

https://dxr.mozilla.org/mozilla-central/source/js/src/shell/js.cpp#5341
https://dxr.mozilla.org/mozilla-central/source/js/src/jsfriendapi.h#304

From JS to C++

https://dxr.mozilla.org/mozilla-central/source/js/src/shell/js.cpp#2427

static bool
Disassemble(JSContext* cx, unsigned argc, Value* vp)
{
    CallArgs args = CallArgsFromVp(argc, vp);
    if (!gOutFile->isOpen()) {
        JS_ReportError(cx, "output file is closed");
        return false;
    }
    ...
}

JS_FN_HELP("dis", Disassemble

From JS to JS

● Some parts are implemented in JS
● Especially for what the spec describes
● Needs the self-hosting helpers

js> [2,4,7].find((e) => 0 !== e % 2)

[...].find()

JS_SELF_HOSTED_FN(      // macro
    "find",             // name in JS
    "ArrayFind",        // implementation
    1,                  // nargs
    0                   // flags
)

https://dxr.mozilla.org/mozilla-central/source/js/src/jsarray.cpp#3114
https://dxr.mozilla.org/mozilla-central/source/js/src/jsapi.h#2124

From JS to JS

https://dxr.mozilla.org/mozilla-central/source/js/src/builtin/Array.js#495

/* ES6 draft 2013-05-14 15.4.3.23. */
function ArrayFind(predicate/*, thisArg*/) {
    /* Steps 1-2. */
    var O = ToObject(this);

    /* Steps 3-5. */
    var len = ToInteger(O.length);

    /* Step 6. */
    if (arguments.length === 0)
        ThrowTypeError(...
}

JS_SELF_HOSTED_FN("find", "ArrayFind"


SelfHosting Functions

● Defined in C++
● Let the JS helpers call into C++ helpers
● Prefixed with intrinsic_
● Most of them are in js/src/vm/SelfHosting.cpp

SelfHosting Functions

[...].find()
    → JS_SELF_HOSTED_FN("find", "ArrayFind"
    → function ArrayFind(predicate... var O = ToObject(this);
    → JS_INLINABLE_FN("ToObject", intrinsic_ToObject

https://dxr.mozilla.org/mozilla-central/source/js/src/vm/SelfHosting.cpp#2050

SelfHosting Functions

https://dxr.mozilla.org/mozilla-central/source/js/src/vm/SelfHosting.cpp#70

static bool
intrinsic_ToObject(JSContext* cx, unsigned argc, Value* vp)
{
    CallArgs args = CallArgsFromVp(argc, vp);
    RootedValue val(cx, args[0]);
    RootedObject obj(cx, ToObject(cx, val));
    if (!obj)
        return false;
    args.rval().setObject(*obj);
    return true;
}


JS in JS Engine

● Trouble
● Convenient trouble

How to follow the spec in C++? Use JS to describe it, as ArrayFind above does.

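The ArrayFind listing on the slides stops at ThrowTypeError. As an added example, not the code from builtin/Array.js, here is the complete ES6 find algorithm written in the same self-hosted style, serving both the "From JS to JS" slides and the SelfHosting Functions slides: the operations the engine supplies from C++ as intrinsics (ToObject, ToInteger, IsCallable, ThrowTypeError, callFunction) are replaced by plain-JS stand-ins whose bodies are this example's own approximations.

```javascript
// Added example, not SpiderMonkey's builtin/Array.js. The helpers below stand in
// for the C++ intrinsics the real self-hosted code calls; their bodies are
// approximations written for this example, not the engine's.

// Stand-in for intrinsic_ToObject: box primitives, reject null and undefined.
function ToObject(v) {
  if (v === null || v === undefined) {
    throw new TypeError("can't convert " + v + " to object");
  }
  return Object(v);
}

// Stand-in for ToInteger (ES6 7.1.4): NaN becomes 0, otherwise truncate toward zero.
function ToInteger(v) {
  var n = Number(v);
  if (n !== n) return 0;                                   // NaN
  if (n === 0 || n === Infinity || n === -Infinity) return n;
  return (n < 0 ? -1 : 1) * Math.floor(Math.abs(n));
}

function IsCallable(v) {
  return typeof v === "function";
}

// Stand-in for ThrowTypeError: the engine takes an error number, here a message.
function ThrowTypeError(msg) {
  throw new TypeError(msg);
}

// Stand-in for the callFunction intrinsic: call fn with an explicit this value.
function callFunction(fn, thisv, ...args) {
  return fn.apply(thisv, args);
}

/* ES6 draft 2013-05-14 15.4.3.23 Array.prototype.find(predicate [, thisArg]). */
function ArrayFind(predicate /*, thisArg*/) {
  "use strict";   // self-hosted code is strict: a primitive or null `this` is not boxed for us

  /* Steps 1-2. */
  var O = ToObject(this);

  /* Steps 3-5. */
  var len = ToInteger(O.length);

  /* Step 6. */
  if (arguments.length === 0)
    ThrowTypeError("Array.prototype.find: missing argument 0 when calling function");
  if (!IsCallable(predicate))
    ThrowTypeError("Array.prototype.find: predicate is not a function");

  /* Step 7. */
  var T = arguments.length > 1 ? arguments[1] : undefined;

  /* Steps 8-9. Every index below len is visited; holes read as undefined. */
  for (var k = 0; k < len; k++) {
    var kValue = O[k];
    if (callFunction(predicate, T, kValue, k, O))
      return kValue;
  }

  /* Step 10. */
  return undefined;
}

// Same call as the slide's `[2,4,7].find((e) => 0 !== e % 2)`, with `this` passed explicitly.
ArrayFind.call([2, 4, 7], (e) => 0 !== e % 2);
```

Because `this` is explicit in self-hosted code, the function is exercised with `ArrayFind.call(receiver, predicate, thisArg)`; a string receiver is boxed by ToObject, a fractional length is truncated by ToInteger, and calling with no predicate or a null receiver throws the TypeError the spec requires.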

No need to worry about
● Memory safety
● Performance (JIT + intrinsic helpers)

Trouble: broken stack
Still have some cure:
(gdb) call DumpJSStack()    debug JS from gdb


Huge switch case (macro)

Things to watch
● Map JSOP_ to stack operations
● Fetch CallArgs on the stack
● Invoke native functions
● Magic goto and macro for performance
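To make the three "things to watch" concrete, here is an added example, not SpiderMonkey's Interpreter.cpp or shell/js.cpp: a toy stack interpreter that parses the listing dis() printed earlier and executes it with one switch case per opcode, with a call opcode that fetches its CallArgs (callee, this, arguments) from the stack and invokes a native registered in a JS_FN_HELP-style table, as the "From JS to C++" slides describe. The opcode subset, the table layout, the listing parser and the optional stack-depth trace are this example's own simplifications.

```javascript
// Added example, not SpiderMonkey's Interpreter.cpp. Opcode names follow the
// dis() listing above; the opcode subset, native table and parser are this
// example's own simplifications.

// Natives receive (thisv, args), the shape a JSNative reads out of CallArgs.
function nativeMax(thisv, args) {
  if (args.length < 2) throw new TypeError("max: expected 2 arguments");
  return Math.max(Number(args[0]), Number(args[1]));
}
// Fields mirror JS_FN_HELP(name, impl, nargs, flags, usage, help).
const NATIVE_TABLE = [
  { name: "max", impl: nativeMax, nargs: 2, flags: 0, usage: "max(a, b)", help: "Larger of a and b" },
];

// Global object with the natives installed, plus plain global variables.
function makeGlobal(vars) {
  const g = Object.create(null);
  for (const entry of NATIVE_TABLE) g[entry.name] = entry;
  return Object.assign(g, vars);
}

// Parse the "loc: op [operand]" lines of a dis() listing into {loc, op, arg}. Header
// lines lack the "digits:" prefix and are skipped; parsing stops at the source notes.
function parseListing(text) {
  const program = [];
  for (const line of text.split("\n")) {
    if (line.trim().startsWith("Source notes:")) break;
    const m = /^\s*(\d+):\s+(\w+)(?:\s+(\S.*?))?\s*$/.exec(line);
    if (!m) continue;
    let arg = m[3];
    if (arg !== undefined) arg = arg.startsWith('"') ? JSON.parse(arg) : Number(arg);
    program.push({ loc: Number(m[1]), op: m[2], arg });
  }
  return program;
}

// The "huge switch": one case per opcode, each a stack operation. `trace`, if given,
// records the stack depth after every op, which is what you want for a broken stack.
function run(program, global, trace) {
  const stack = [];
  let rval;
  for (let pc = 0; pc < program.length; pc++) {
    const { op, arg, loc } = program[pc];
    switch (op) {
      case "getgname":                  // push global[name]
        if (!(arg in global)) throw new ReferenceError(arg + " is not defined");
        stack.push(global[arg]);
        break;
      case "undefined": stack.push(undefined); break;   // `this` of a plain call
      case "add": {                     // pop rhs, pop lhs, push lhs + rhs
        const rhs = stack.pop(), lhs = stack.pop();
        stack.push(lhs + rhs);
        break;
      }
      case "pop": stack.pop(); break;   // discard an expression-statement result
      case "call": {                    // stack: callee, this, arg0 .. arg[argc-1]
        const args = stack.splice(stack.length - arg, arg);
        const thisv = stack.pop();
        const callee = stack.pop();
        if (!callee || typeof callee.impl !== "function")
          throw new TypeError("callee is not a function");
        stack.push(callee.impl(thisv, args));   // result takes the callee's slot
        break;
      }
      case "setrval": rval = stack.pop(); break;        // latch the return value
      case "retrval":                   // return whatever was latched
        if (trace) trace.push(op + " depth=" + stack.length);
        return rval;
      default:
        throw new Error("unknown opcode " + op + " at " + loc);
    }
    if (trace) trace.push(op + " depth=" + stack.length);
  }
  return rval;
}

// Constructed input: the listing dis() printed for function() { a + b }.
const DIS_LISTING = `
flags: LAMBDA CONSTRUCTOR
main:
00000:  getgname "a"
00005:  getgname "b"
00010:  add
00011:  pop
00012:  retrval

Source notes:
  0:    1     0 [   0] colspan  17
`;

// Constructed input: a listing of the same shape for `return max(a, b)`.
const CALL_LISTING = `
00000:  getgname "max"
00005:  undefined
00006:  getgname "a"
00011:  getgname "b"
00016:  call 2
00019:  setrval
00020:  retrval
`;
```

Running `run(parseListing(DIS_LISTING), makeGlobal({ a: 1, b: 2 }), trace)` returns undefined, because `a + b` is an expression statement whose result is popped before retrval, and the trace shows the depth going 1, 2, 1, 0. The second listing pushes the native, an undefined `this` and two arguments, and the call case pops exactly that layout before handing (thisv, args) to the native, which is the same slot discipline CallArgs enforces in the real interpreter.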