Following up on what I promised earlier here’s another edition on what’s going on behind the scenes of V8 as we are approaching the end of the year. A lot of cool stuff happened in V8 in 2016, probably most importantly that we are changing the focus of V8 to treat Node.js as a first class citizen (similar to Chrome) and moving away from measuring performance only via traditional JavaScript benchmarks to measuring actual performance of real world web pages via tooling built into the browser.

WebAssembly and asm.js

Native WebAssembly support is expected to hit the stable versions of all four browsers in the first half of 2017, but since there’s no polyfill available (partially because WebAssembly semantics for heap access are different from asm.js), only some big players on the web are expected to deliver native WebAssembly bytecode and a separate asm.js fallback based on browser feature detection; the majority of native code on the web users will likely continue to ship asm.js for the next two to three years (based on experience with other new web platform features).

asm.js TurboFan pipeline
The asm.js TurboFan compilation pipeline.

Thus most users will not be able to benefit from the WebAssembly compilation and execution engine we built into Chrome directly. So we built a small wrapper around the WebAssembly component in V8, that allows it to also consume native code input via asm.js in addition to the native bytecode format. Two weeks ago we staged the new asm.js pipeline, which sends asm.js code through the new WebAssembly pipeline instead of the TurboFan JavaScript compiler pipeline, and executes the resulting machine code in the WebAssembly native execution environment. This allows you to leverage many of the benefits of WebAssembly today and brings ahead-of-time compilation (AOT) for asm.js to Chrome, with full backwards compatibility.

asm.js WebAssembly pipeline
The asm.js WebAssembly compilation pipeline.

The WebAssembly compilation pipeline reuses some backend parts of the TurboFan compiler pipeline, and is therefore able to generate similar code, but with a lot less compilation and optimization overhead, and leveraging various benefits of the WebAssembly execution environment. For example, the asm-wasm-builder extracts the asm.js type annotation and uses those to generate typed WebAssembly code. If it hits any unsupported language constructs, it will just bail out and we will fall back to the TurboFan JavaScript compiler pipeline for this asm.js module. In contrast TurboFan must be able to deal with the whole EcmaScript 2017 language and can only consume a fraction of the static type information. For example consider the following asm.js module:

function Module(stdlib) {
"use asm";
function f(x) {
x = +x;
x = x * x;
return +x;
function g(x) {
x = +x;
x = +f(x);
return +x;
return {g: g};

It contains two functions f and g, the latter being exported and callable by regular JavaScript code, i.e. g is an entrypoint to the asm.js module. g doesn’t do much but calls f with whatever input you pass to g converted to a Number. According to the asm.js type annotations, f has type double -> double, but this information is only usable as long as the asm.js module validates, i.e. passes the type checks in the asm.js specification. The asm-wasm-builder does the necessary validation and is thus able to generate code that leverages this type information without having to perform type checks at runtime (type checks are still necessary on the boundary to JavaScript obviously). In this concrete example, the asm-wasm-builder knows after validation that f is only used internally in the asm.js module (i.e. it’s not exported to JavaScript) and all call sites pass a double and expect a double as result. For example, let’s run the module above through the new WebAssembly pipeline:

$ ~/Projects/v8/out/Debug/d8 --validate-asm --trace-wasm-decoder asm.js
+0 local decls count : 00 = 0
local decls count: 0
env = 0x7f4fde004250, state = R, reason = initial, control = #1:Start
wasm-decode 0x7f4fddffebf3...0x7f4fddffec0c (module+92, 25 bytes) graph building
env = 0x7f4fde004278, state = R, reason = initial env, control = #11:Merge
@1 #20:GetLocal | d@1:GetLocal[0]
@3 #44:F64Const | d@1:GetLocal[0] d@3:F64Const
@12 #a2:F64Mul | d@12:F64Mul
@13 #21:SetLocal |
@15 #20:GetLocal | d@15:GetLocal[0]
@17 #20:GetLocal | d@15:GetLocal[0] d@17:GetLocal[0]
@19 #a2:F64Mul | d@19:F64Mul
@20 #21:SetLocal |
@22 #20:GetLocal | d@22:GetLocal[0]
@24 #0f:Return |
wasm-decode ok
asm.js:1: Converted asm.js to WebAssembly: success
asm.js:1: Instantiated asm.js: success

This shows the WebAssembly bytecode generated for the function f. As you can see the code doesn’t need to perform any type checks on the input; there’s still a somewhat unnecessary F64Mul of x and 1.0 in there, but the TurboFan backend will eliminate this prior to code generation. The final code generated for f using WebAssembly looks like this:

                  -- B0 start (no frame) --
0x10a04e985b00 0 493ba5780c0000 REX.W cmpq rsp,[r13+0xc78]
0x10a04e985b07 7 0f8605000000 jna 18 (0x10a04e985b12)
-- B2 start (no frame) --
-- B3 start (no frame) --
0x10a04e985b0d 13 c5f359c9 vmulsd xmm1,xmm1,xmm1
0x10a04e985b11 17 c3 retl
-- B4 start (no frame) --
-- B1 start (deferred) (construct frame) (deconstruct frame) --
0x10a04e985b12 18 55 push rbp
0x10a04e985b13 19 4889e5 REX.W movq rbp,rsp
0x10a04e985b16 22 49ba0000000006000000 REX.W movq r10,0x600000000
0x10a04e985b20 32 4152 push r10
0x10a04e985b22 34 4883ec08 REX.W subq rsp,0x8
0x10a04e985b26 38 c5fb114df0 vmovsd [rbp-0x10],xmm1
0x10a04e985b2b 43 48bb10e4f40f317f0000 REX.W movq rbx,0x7f310ff4e410 ;; external reference (Runtime::StackGuard)
0x10a04e985b35 53 48bef93b5006492e0000 REX.W movq rsi,0x2e4906503bf9 ;; object: 0x2e4906503bf9 <FixedArray[255]>
0x10a04e985b3f 63 33c0 xorl rax,rax
0x10a04e985b41 65 e8bae6e7ff call 0x10a04e804200 ;; code: STUB, CEntryStub, minor: 8
0x10a04e985b46 70 c5fb104df0 vmovsd xmm1,[rbp-0x10]
0x10a04e985b4b 75 488be5 REX.W movq rsp,rbp
0x10a04e985b4e 78 5d pop rbp
0x10a04e985b4f 79 ebbc jmp 13 (0x10a04e985b0d)
0x10a04e985b51 81 0f1f00 nop

It first does a so-called stack check, which checks that we don’t exceed a certain stack limit; besides guarding against stack overflows, this mechanism is used by Chrome to be able to interrupt the main thread of the renderer process, for example by DevTools, or to kill a tab that is executing an endless loop. The code then computes the square of the input, which is passed and returned in machine register xmm1 (WebAssembly has its own native calling convention that is slightly different from the usual platform calling conventions). Contrast this with the code generated via the TurboFan JavaScript compiler pipeline:

                  -- B0 start (construct frame) --
0x26d963005ec0 0 55 push rbp
0x26d963005ec1 1 4889e5 REX.W movq rbp,rsp
0x26d963005ec4 4 56 push rsi
0x26d963005ec5 5 57 push rdi
0x26d963005ec6 6 4883ec08 REX.W subq rsp,0x8
0x26d963005eca 10 493ba5780c0000 REX.W cmpq rsp,[r13+0xc78]
0x26d963005ed1 17 0f8657000000 jna 110 (0x26d963005f2e)
-- B2 start --
-- B3 start --
0x26d963005ed7 23 488b4510 REX.W movq rax,[rbp+0x10]
0x26d963005edb 27 a801 test al,0x1
0x26d963005edd 29 0f8566000000 jnz 137 (0x26d963005f49)
-- B8 start --
0x26d963005ee3 35 48c1e820 REX.W shrq rax, 32
0x26d963005ee7 39 c5f957c0 vxorpd xmm0,xmm0,xmm0
0x26d963005eeb 43 c5fb2ac0 vcvtlsi2sd xmm0,xmm0,rax
-- B9 start --
0x26d963005eef 47 498b85d80c0400 REX.W movq rax,[r13+0x40cd8]
0x26d963005ef6 54 488d5810 REX.W leaq rbx,[rax+0x10]
0x26d963005efa 58 49399de00c0400 REX.W cmpq [r13+0x40ce0],rbx
0x26d963005f01 65 0f866f000000 jna 182 (0x26d963005f76)
-- B11 start --
-- B12 start (deconstruct frame) --
0x26d963005f07 71 488d5810 REX.W leaq rbx,[rax+0x10]
0x26d963005f0b 75 4883c001 REX.W addq rax,0x1
0x26d963005f0f 79 49899dd80c0400 REX.W movq [r13+0x40cd8],rbx
0x26d963005f16 86 498b5d50 REX.W movq rbx,[r13+0x50]
0x26d963005f1a 90 488958ff REX.W movq [rax-0x1],rbx
0x26d963005f1e 94 c5fb59c0 vmulsd xmm0,xmm0,xmm0
0x26d963005f22 98 c5fb114007 vmovsd [rax+0x7],xmm0
0x26d963005f27 103 488be5 REX.W movq rsp,rbp
0x26d963005f2a 106 5d pop rbp
0x26d963005f2b 107 c21000 ret 0x10
-- B13 start (no frame) --
-- B1 start (deferred) --
0x26d963005f2e 110 488975f8 REX.W movq [rbp-0x8],rsi
0x26d963005f32 114 48bb10f4ddd8da7f0000 REX.W movq rbx,0x7fdad8ddf410 ;; external reference (Runtime::StackGuard)
0x26d963005f3c 124 33c0 xorl rax,rax
-- <asm.js:3:13> --
0x26d963005f3e 126 e8bde2e7ff call 0x26d962e84200 ;; code: STUB, CEntryStub, minor: 8
0x26d963005f43 131 488b75f8 REX.W movq rsi,[rbp-0x8]
0x26d963005f47 135 eb8e jmp 23 (0x26d963005ed7)
-- B4 start (deferred) --
0x26d963005f49 137 488975f8 REX.W movq [rbp-0x8],rsi
0x26d963005f4d 141 488b4510 REX.W movq rax,[rbp+0x10]
0x26d963005f51 145 e86a2cefff call ToNumber (0x26d962ef8bc0) ;; code: BUILTIN
0x26d963005f56 150 a801 test al,0x1
0x26d963005f58 152 0f8407000000 jz 165 (0x26d963005f65)
-- B5 start (deferred) --
0x26d963005f5e 158 c5fb104007 vmovsd xmm0,[rax+0x7]
0x26d963005f63 163 eb8a jmp 47 (0x26d963005eef)
-- B6 start (deferred) --
0x26d963005f65 165 48c1e820 REX.W shrq rax, 32
0x26d963005f69 169 c5f957c0 vxorpd xmm0,xmm0,xmm0
0x26d963005f6d 173 c5fb2ac0 vcvtlsi2sd xmm0,xmm0,rax
0x26d963005f71 177 e979ffffff jmp 47 (0x26d963005eef)
-- B7 start (deferred) --
-- B10 start (deferred) --
0x26d963005f76 182 c5fb1145e8 vmovsd [rbp-0x18],xmm0
0x26d963005f7b 187 ba10000000 movl rdx,0x10
0x26d963005f80 192 e81bcdf4ff call AllocateInNewSpace (0x26d962f52ca0) ;; code: BUILTIN
0x26d963005f85 197 4883e801 REX.W subq rax,0x1
0x26d963005f89 201 c5fb1045e8 vmovsd xmm0,[rbp-0x18]
0x26d963005f8e 206 e974ffffff jmp 71 (0x26d963005f07)

It’s a lot heavier since it has to use the JavaScript calling convention and the uniform tagging scheme, and it has to perform type checks and conversions on the input x, and in the end has to allocate a HeapNumber for the resulting value. This translates to a huge improvement in execution speed of bigger applications, which tend to consist of a lot of small to medium sized functions that are called very often, where having native calling conventions helps a lot. For micro-benchmarks that spend most of their time in a single loop or at least a single function, it is unlikely that you experience a lot of benefits from having asm.js code take the WebAssembly pipeline, because the TurboFan type inference does a great job at eliminating almost all type checks.

Speed-ups for the WebAssembly pipeline
Speed-ups on macro-benchmarks in Massive and Embenchen.

If you are running Chrome dev or canary channel, you can give it a try by enabling the experimental flag Experimental Validate Asm.js and convert to WebAssembly when valid and restarting Chrome.

Enable asm-wasm-builder

The asm-wasm-builder will log information about asm.js module validation to the Chrome Developer Tools console, similar to what Firefox does, so you can easily verify that a certain asm.js module is recognized as valid:

Observe asm-wasm-builder in DevTools

We expect to be able to enable this by default in early 2017 unless we hit some terrible stability or security problems.

Real world performance measurements

As mentioned in my blog post about JavaScript benchmarks, we’ve been investigating a lot in techniques to properly measure real world performance, especially on the web. We’ve added a lot of tracing support to V8 and Chrome for that, especially also tracing various internals of V8. One of the new tracing options is the so-called Runtime Call Stats in V8, which collects precise timing information for all V8 components. This is accessible via chrome://tracing and gives you pretty detailed information about where time in V8 is spent.

Chrome tracing runtime call stats

Currently this requires quite a bit of knowledge about V8 to really draw useful conclusions from this, but we’re working on better integration with the developer tools in Chrome (i.e. by exposing the stats via lighthouse). Initially it was mostly useful for us internally since we had to understand where todays web pages spent most of their time in V8, but nevertheless you can probably still use some of the data that is gathered. For example you can check how much overall time is spent preparsing your scripts:

Chrome tracing runtime call stats (Parse)

This is a good indicator whether your JavaScript bundles are bigger than they should be. For example in case of the discourse demo page we have to preparse 1217 times, but parse only 213 times. This doesn’t automatically mean that only 1/6th of the overall script bundles are being needed due to the way that parsing works internally in V8, but it’s an indicator that looking into script size might be a good investment of the developers time.

We plan to make these measurement tools more accessible during 2017 and provide developers with better insight into V8 performance. We also plan to continue our effort to focus on real world performance improvements rather than looking at benchmarks only, which was the main driver in the past.

Real-world JavaScript performance, BlinkOn 6 Day 2 Talk 4.

If you haven’t done so, be sure to watch the BlinkOn 6 talk on Real-world JavaScript performance from my colleagues Toon Verwaest and Camillo Bruni.


Apparently there’s a slide deck from my colleagues Camillo Bruni from the V8 runtime team and Michael Lippautz from the V8 GC team that describes how to get to the Runtime Call Stats and the Heap Stats in chrome://tracing.

V8 Stats

It should give you a rough idea how to use the new functionality in Chrome.