JS Builtins in the V8 Engine

How are javascript builtin functions implemented in the engine?

Background

Time for a change. This marks the beginning of me learning about browsers!

The only time I’ve touched browsers before was in 2021 where I just regurgitated someone’s writeup for a linear OOBRW ctf challenge in the v8 engine. That was pretty lame and not real research. I now prefer to just explore like a developer rather than go straight in from the security aspect.

The first chapter will be exploring JS Builtins in the v8 engine. It’s kind of my first day doing browser research so don’t mind.

JS Builtins

JS Builtins in v8 are the runtime JS method you can invoke, either as an object method or independent function.

For the purpose of this discussion, we will focus on the Array.prototype.splice() method as an example.

const months = ["Jan", "March", "April", "June"];
months.splice(1, 0, "Feb");
// Inserts at index 1
console.log(months);
// Expected output: Array ["Jan", "Feb", "March", "April", "June"]

Torque

Torque is a language created for v8, intended for developers to express features described by the ECMAScript specification, while still allowing low level control over v8 specific optimizations. v8 encourages the use of Torque to implement builtin functions, as a replacement for CodeStubAssembler(CSA).

Some of the JS Builtin APIs have been re-implemented in Torque, including Array.prototype.splice().

The source code can be found in src\builtins\array-splice.tq:

// https://tc39.github.io/ecma262/#sec-array.prototype.splice
transitioning javascript builtin ArrayPrototypeSplice(
    js-implicit context: NativeContext, receiver: JSAny)(...arguments): JSAny {
  // 1. Let O be ? ToObject(this value).
  const o: JSReceiver = ToObject(context, receiver);

  // 2. Let len be ? ToLength(? Get(O, "length")).
  const len: Number = GetLengthProperty(o);

  // 3. Let relativeStart be ? ToInteger(start).
  const start: JSAny = arguments[0];
  const relativeStart: Number = ToInteger_Inline(start);

  // 4. If relativeStart < 0, let actualStart be max((len + relativeStart),
  // 0);
  //    else let actualStart be min(relativeStart, len).
  const actualStart: Number = relativeStart < 0 ?
      Max((len + relativeStart), 0) :
      Min(relativeStart, len);

  let insertCount: Smi;
  let actualDeleteCount: Number;
  // 5. If the Number of actual arguments is 0, then
  if (arguments.length == 0) {
    // a. Let insertCount be 0.
    insertCount = 0;
    // b. Let actualDeleteCount be 0.
    actualDeleteCount = 0;
    // 6. Else if the Number of actual arguments is 1, then
  } else if (arguments.length == 1) {
    // a. Let insertCount be 0.
    insertCount = 0;
    // b. Let actualDeleteCount be len - actualStart.
    actualDeleteCount = len - actualStart;
    // 7. Else,
  } else {
    // a. Let insertCount be the Number of actual arguments minus 2.
    insertCount = Convert<Smi>(arguments.length) - 2;
    // b. Let dc be ? ToInteger(deleteCount).
    const deleteCount: JSAny = arguments[1];
    const dc: Number = ToInteger_Inline(deleteCount);
    // c. Let actualDeleteCount be min(max(dc, 0), len - actualStart).
    actualDeleteCount = Min(Max(dc, 0), len - actualStart);
  }

  // 8. If len + insertCount - actualDeleteCount > 2^53-1, throw a
  //    Bailout exception.
  const newLength: Number = len + insertCount - actualDeleteCount;
  if (newLength > kMaxSafeInteger) {
    ThrowTypeError(MessageTemplate::kInvalidArrayLength, newLength);
  }

  try {
    return FastArraySplice(
        context, arguments, o, len, actualStart, insertCount, actualDeleteCount)
        otherwise Bailout;
  } label Bailout {}

  // If the fast case fails, just continue with the slow, correct,
  // spec-compliant case.
  return SlowSplice(
      context, arguments, o, len, actualStart, insertCount, actualDeleteCount);
}

Torque is compiled by the torque compiler(at build time) into C++ code.

For Array.prototype.splice(), it is compiled into gen\torque-generated\src\builtins\array-splice-tq-csa.cc:

...

TF_BUILTIN(ArrayPrototypeSplice, CodeStubAssembler) {
  compiler::CodeAssemblerState* state_ = state();  compiler::CodeAssembler ca_(state());
  TNode<Word32T> argc = UncheckedParameter<Word32T>(Descriptor::kJSActualArgumentsCount);
  TNode<IntPtrT> arguments_length(ChangeInt32ToIntPtr(UncheckedCast<Int32T>(argc)));
  TNode<RawPtrT> arguments_frame = UncheckedCast<RawPtrT>(LoadFramePointer());
  TorqueStructArguments torque_arguments(GetFrameArguments(arguments_frame, arguments_length, FrameArgumentsArgcType::kCountIncludesReceiver));
  CodeStubArguments arguments(this, torque_arguments);
  TNode<NativeContext> parameter0 = UncheckedParameter<NativeContext>(Descriptor::kContext);
  USE(parameter0);
  TNode<JSAny> parameter1 = arguments.GetReceiver();
  USE(parameter1);
  compiler::CodeAssemblerParameterizedLabel<> block0(&ca_, compiler::CodeAssemblerLabel::kNonDeferred);
  compiler::CodeAssemblerParameterizedLabel<> block1(&ca_, compiler::CodeAssemblerLabel::kNonDeferred);
  compiler::CodeAssemblerParameterizedLabel<> block2(&ca_, compiler::CodeAssemblerLabel::kNonDeferred);
  compiler::CodeAssemblerParameterizedLabel<Number> block3(&ca_, compiler::CodeAssemblerLabel::kNonDeferred);

...

This is actually expressed using the CSA macros.

CodeStubAssembler

CSA is a set of macros aimed to describe control flow using TurboFan‘s graph format. It was the preferred way to write builtins, until Torque came out, where it was no longer necessary to write CSA manually since Torque will generate it.

In this generated CSA code:

compiler::CodeAssemblerState* state_ = state();

We can see that each CSA function has an internal state that keeps track of how to describe the function in TurboFan graph format.

The TurboFan graph format is TurboFan’s IL, that can be easily compiled into machine code.

The TF_BUILTIN() macro expands to:

// ----------------------------------------------------------------------------
// Support macro for defining builtins with Turbofan.
// ----------------------------------------------------------------------------
//
// A builtin function is defined by writing:
//
//   TF_BUILTIN(name, code_assember_base_class) {
//     ...
//   }
//
// In the body of the builtin function the arguments can be accessed
// as "Parameter(n)".
#define TF_BUILTIN(Name, AssemblerBase)                                     \
  class Name##Assembler : public AssemblerBase {                            \
   public:                                                                  \
    using Descriptor = Builtin_##Name##_InterfaceDescriptor;                \
                                                                            \
    explicit Name##Assembler(compiler::CodeAssemblerState* state)           \
        : AssemblerBase(state) {}                                           \
    void Generate##Name##Impl();                                            \
                                                                            \
    template <class T>                                                      \
    TNode<T> Parameter(                                                     \
        Descriptor::ParameterIndices index,                                 \
        cppgc::SourceLocation loc = cppgc::SourceLocation::Current()) {     \
      return CodeAssembler::Parameter<T>(static_cast<int>(index), loc);     \
    }                                                                       \
                                                                            \
    template <class T>                                                      \
    TNode<T> UncheckedParameter(Descriptor::ParameterIndices index) {       \
      return CodeAssembler::UncheckedParameter<T>(static_cast<int>(index)); \
    }                                                                       \
  };                                                                        \
  void Builtins::Generate_##Name(compiler::CodeAssemblerState* state) {     \
    Name##Assembler assembler(state);                                       \
    state->SetInitialDebugInformation(#Name, __FILE__, __LINE__);           \
    if (Builtins::KindOf(Builtin::k##Name) == Builtins::TFJ) {              \
      assembler.PerformStackCheck(assembler.GetJSContextParameter());       \
    }                                                                       \
    assembler.Generate##Name##Impl();                                       \
  }                                                                         \
  void Name##Assembler::Generate##Name##Impl()

The important part is:

void Builtins::Generate_##Name(compiler::CodeAssemblerState* state) {     \
    Name##Assembler assembler(state);                                       \
    state->SetInitialDebugInformation(#Name, __FILE__, __LINE__);           \
    if (Builtins::KindOf(Builtin::k##Name) == Builtins::TFJ) {              \
      assembler.PerformStackCheck(assembler.GetJSContextParameter());       \
    }                                                                       \
    assembler.Generate##Name##Impl();                                       \
  }                                                                         \

This defines a function in the namespace v8::internal::Builtins.

In our example it would be:

void Builtins::Generate_ArrayPrototypeSplice(compiler::CodeAssemblerState* state);

Checkpoint

At this stage, we have described an implementation of Array.prototype.splice() in Torque, which will be compiled into C++ code that uses the CSA macros.

The C++ code globally defines a generator, that is capable of building a TurboFan graph that describes our implementation.

At this stage, we can invoke TurboFan on demand with the generator to get the resulting machine code of Array.prototype.splice().

Emit Machine Code

The part that converts all the CSA expressions into machine code is SetupIsolateDelegate::SetupBuiltinsInternal() in src\builtins\setup-builtins-internal.cc:

// static
void SetupIsolateDelegate::SetupBuiltinsInternal(
    Isolate* isolate, bool compute_builtins_effects) {
  Builtins* builtins = isolate->builtins();
  DCHECK(!builtins->initialized_);

  BuiltinsEffectsAnalyzer* builtins_effects_analyzer = nullptr;
  if (compute_builtins_effects) {
    builtins_effects_analyzer = BuiltinsEffectsAnalyzer::Setup(isolate);
  }

  if (v8_flags.dump_builtins_hashes_to_file) {
    // Create an empty file.
    std::ofstream(v8_flags.dump_builtins_hashes_to_file, std::ios_base::trunc);
  }

  PopulateWithPlaceholders(isolate);

  // Create a scope for the handles in the builtins.
  HandleScope scope(isolate);

  // Generated builtins are temporarily stored in this array to avoid data races
  // on the isolate's builtin table.
  std::array<Handle<Code>, Builtins::kBuiltinCount> generated_builtins;
  auto install_generated_builtin = [&generated_builtins, isolate](
                                       Builtin builtin, Handle<Code> code) {
    DCHECK_EQ(ThreadId::Current(), isolate->thread_id());
    USE(isolate);
    generated_builtins[Builtins::ToInt(builtin)] = code;
  };

  int builtins_built_without_job_count = 0;
  int job_creation_order = 0;
  BuiltinCompilationScheduler scheduler;
  Tagged<Code> code;

#define BUILD_CPP_WITHOUT_JOB(Name, Argc)                    \
  code = BuildAdaptor(isolate, Builtin::k##Name,             \
                      FUNCTION_ADDR(Builtin_##Name), #Name); \
  generated_builtins[Builtins::ToInt(Builtin::k##Name)] =    \
      handle(code, isolate);                                 \
  builtins_built_without_job_count++;

#define BUILD_TFJ_TSA_WITHOUT_JOB(Name, Argc, ...)                         \
  code = BuildWithTurboshaftAssemblerJS(                                   \
      isolate, Builtin::k##Name, &Builtins::Generate_##Name, Argc, #Name); \
  generated_builtins[Builtins::ToInt(Builtin::k##Name)] =                  \
      handle(code, isolate);                                               \
  builtins_built_without_job_count++;

#define BUILD_TFJ_WITH_JOB(Name, Argc, ...)                               \
  CompileJSLinkageCodeStubBuiltin(isolate, Builtin::k##Name,              \
                                  &Builtins::Generate_##Name,             \
                                  install_generated_builtin, Argc, #Name, \
                                  job_creation_order++, scheduler);

#define BUILD_TFC_TSA_WITHOUT_JOB(Name, InterfaceDescriptor)      \
  /* Return size is from the provided CallInterfaceDescriptor. */ \
  code = BuildWithTurboshaftAssemblerCS(                          \
      isolate, Builtin::k##Name, &Builtins::Generate_##Name,      \
      CallDescriptors::InterfaceDescriptor, #Name);               \
  generated_builtins[Builtins::ToInt(Builtin::k##Name)] =         \
      handle(code, isolate);                                      \
  builtins_built_without_job_count++;

#define BUILD_TFC_WITH_JOB(Name, InterfaceDescriptor)                         \
  /* Return size is from the provided CallInterfaceDescriptor. */             \
  CompileCSLinkageCodeStubBuiltin(                                            \
      isolate, Builtin::k##Name, &Builtins::Generate_##Name,                  \
      install_generated_builtin, CallDescriptors::InterfaceDescriptor, #Name, \
      job_creation_order++, scheduler);

#define BUILD_TFS_WITH_JOB(Name, ...)                                   \
  /* Return size for generic TF builtins (stub linkage) is always 1. */ \
  CompileCSLinkageCodeStubBuiltin(                                      \
      isolate, Builtin::k##Name, &Builtins::Generate_##Name,            \
      install_generated_builtin, CallDescriptors::Name, #Name,          \
      job_creation_order++, scheduler);

#define BUILD_TFH_WITH_JOB(Name, InterfaceDescriptor)                         \
  /* Return size for IC builtins/handlers is always 1. */                     \
  CompileCSLinkageCodeStubBuiltin(                                            \
      isolate, Builtin::k##Name, &Builtins::Generate_##Name,                  \
      install_generated_builtin, CallDescriptors::InterfaceDescriptor, #Name, \
      job_creation_order++, scheduler);

#define BUILD_BCH_WITH_JOB(Name, OperandScale, Bytecode)                    \
  CompileBytecodeHandler(isolate, Builtin::k##Name, OperandScale, Bytecode, \
                         install_generated_builtin, job_creation_order++,   \
                         scheduler);

#define BUILD_BCH_TSA_WITH_JOB(Name, OperandScale, Bytecode)                   \
  CompileBytecodeHandlerTSA(isolate, Builtin::k##Name, OperandScale, Bytecode, \
                            install_generated_builtin, job_creation_order++,   \
                            scheduler);

#define BUILD_ASM_WITHOUT_JOB(Name, InterfaceDescriptor)            \
  code = BuildWithMacroAssembler(isolate, Builtin::k##Name,         \
                                 Builtins::Generate_##Name, #Name); \
  generated_builtins[Builtins::ToInt(Builtin::k##Name)] =           \
      handle(code, isolate);                                        \
  builtins_built_without_job_count++;

#define NOP(...)

  // Build all builtins without jobs first. When concurrent builtin generation
  // is enabled, allocations needs to be deterministic. Having main-thread
  // generated builtins in the middle of the list breaks determinism.
  BUILTIN_LIST(BUILD_CPP_WITHOUT_JOB, BUILD_TFJ_TSA_WITHOUT_JOB, NOP,
               BUILD_TFC_TSA_WITHOUT_JOB, NOP, NOP, NOP, NOP, NOP,
               BUILD_ASM_WITHOUT_JOB);
  BUILTIN_LIST(NOP, NOP, BUILD_TFJ_WITH_JOB, NOP, BUILD_TFC_WITH_JOB,
               BUILD_TFS_WITH_JOB, BUILD_TFH_WITH_JOB, BUILD_BCH_TSA_WITH_JOB,
               BUILD_BCH_WITH_JOB, NOP)

#undef BUILD_CPP_WITHOUT_JOB
#undef BUILD_TFJ_TSA_WITHOUT_JOB
#undef BUILD_TFJ_WITH_JOB
#undef BUILD_TFC_TSA_WITHOUT_JOB
#undef BUILD_TFC_WITH_JOB
#undef BUILD_TFS_WITH_JOB
#undef BUILD_TFH_WITH_JOB
#undef BUILD_BCH_TSA_WITH_JOB
#undef BUILD_BCH_WITH_JOB
#undef BUILD_ASM_WITHOUT_JOB
#undef NOP

  scheduler.AwaitAndFinalizeCurrentBatch(isolate);
  CHECK_EQ(Builtins::kBuiltinCount, builtins_built_without_job_count +
                                        scheduler.builtins_installed_count());

  if (compute_builtins_effects) {
    DCHECK_NOT_NULL(builtins_effects_analyzer);
    builtins_effects_analyzer->Finalize();
  }

  // Add the generated builtins to the isolate.
  for (Builtin builtin = Builtins::kFirst; builtin <= Builtins::kLast;
       ++builtin) {
    AddBuiltin(builtins, builtin,
               *generated_builtins[Builtins::ToInt(builtin)]);
  }

  ReplacePlaceholders(isolate);

  builtins->MarkInitialized();
}

This function first defines many macros to generate machine code from CSA.

The one related to us is:

#define BUILD_TFJ_WITH_JOB(Name, Argc, ...)                               \
  CompileJSLinkageCodeStubBuiltin(isolate, Builtin::k##Name,              \
                                  &Builtins::Generate_##Name,             \
                                  install_generated_builtin, Argc, #Name, \
                                  job_creation_order++, scheduler);

CompileJSLinkageCodeStubBuiltin() eventually calls into CodeAssemblerTurboshaftCompilationJob::ExecuteJobImpl():

PipelineCompilationJob::Status
CodeAssemblerTurboshaftCompilationJob::ExecuteJobImpl(
    RuntimeCallStats* stats, LocalIsolate* local_isolate) {
  if (!pipeline_->pipeline.ComputeScheduledGraph()) return FAILED;
  DCHECK_NULL(pipeline_->data.frame());
  DCHECK_NOT_NULL(pipeline_->data.schedule());

  CallDescriptor* call_descriptor = raw_assembler()->call_descriptor();
  Linkage linkage(call_descriptor);
  turboshaft::BuiltinPipeline turboshaft_pipeline(&turboshaft_data_.value(),
                                                  &linkage);

  CHECK(
      turboshaft_pipeline.CreateGraphFromTurbofan(&pipeline_->data, &linkage));

  turboshaft_pipeline.OptimizeBuiltin();

  CHECK_NULL(pipeline_->data.osr_helper_ptr());
  CHECK(turboshaft_pipeline.GenerateCode(
      &linkage, pipeline_->data.osr_helper_ptr(), jump_opt_.get(),
      profile_data_, initial_graph_hash_));

  return SUCCEEDED;
}

Where turboshaft_pipeline.GenerateCode() is used to compile the TurboFan graph into machine code.

But how is this macro invoked?

It is invoked by this other macro BUILTIN_LIST():

// Build all builtins without jobs first. When concurrent builtin generation
// is enabled, allocations needs to be deterministic. Having main-thread
// generated builtins in the middle of the list breaks determinism.
BUILTIN_LIST(BUILD_CPP_WITHOUT_JOB, BUILD_TFJ_TSA_WITHOUT_JOB, NOP,
             BUILD_TFC_TSA_WITHOUT_JOB, NOP, NOP, NOP, NOP, NOP,
             BUILD_ASM_WITHOUT_JOB);
BUILTIN_LIST(NOP, NOP, BUILD_TFJ_WITH_JOB, NOP, BUILD_TFC_WITH_JOB,
             BUILD_TFS_WITH_JOB, BUILD_TFH_WITH_JOB, BUILD_BCH_TSA_WITH_JOB,
             BUILD_BCH_WITH_JOB, NOP)

This macro takes in arguments of macros to call(that we just defined) and organizes them:

#define BUILTIN_LIST(CPP, TFJ_TSA, TFJ, TFC_TSA, TFC, TFS, TFH, BCH_TSA, BCH, \
                     ASM)                                                     \
  BUILTIN_LIST_BASE(CPP, TFJ_TSA, TFJ, TFC_TSA, TFC, TFS, TFH, ASM)           \
  BUILTIN_LIST_FROM_TORQUE(CPP, TFJ, TFC, TFS, TFH, ASM)                      \
  BUILTIN_LIST_INTL(CPP, TFJ, TFS)                                            \
  BUILTIN_LIST_TEMPORAL(CPP, TFJ)                                             \
  BUILTIN_LIST_BYTECODE_HANDLERS(BCH_TSA, BCH)

And in BUILTIN_LIST_FROM_TORQUE() we see our CSA generator listed:

#define BUILTIN_LIST_FROM_TORQUE(CPP, TFJ, TFC, TFS, TFH, ASM) \
TFJ(AggregateErrorConstructor, kDontAdaptArgumentsSentinel) \

...

TFJ(ArrayPrototypeSplice, kDontAdaptArgumentsSentinel) \

...

These definitions are automatically generated by the Torque compiler.

The chain of macros will take the name ArrayPrototypeSplice and construct the generator function name Generate_ArrayPrototypeSplice(), call it to generate the TurboFan graph, and finally compile to machine code from there.

Bind to JS

After compilation, the compilation job calls the installer callback to handle the generated Code object, which points to the emitted machine code.

// Generated builtins are temporarily stored in this array to avoid data races
// on the isolate's builtin table.
std::array<Handle<Code>, Builtins::kBuiltinCount> generated_builtins;
auto install_generated_builtin = [&generated_builtins, isolate](
                                     Builtin builtin, Handle<Code> code) {
  DCHECK_EQ(ThreadId::Current(), isolate->thread_id());
  USE(isolate);
  generated_builtins[Builtins::ToInt(builtin)] = code;
};

v8 first stores it in a temporary array.

Finally after all every function is compiled, these code objects will be bound to their individual global constants.

In our case, we are bound to the constant Builtin::kArrayPrototypeSplice:

// Add the generated builtins to the isolate.
for (Builtin builtin = Builtins::kFirst; builtin <= Builtins::kLast;
     ++builtin) {
  AddBuiltin(builtins, builtin,
             *generated_builtins[Builtins::ToInt(builtin)]);
}

Now in Genesis::InitializeGlobal() in src\init\bootstrapper.cc:

// Set up %ArrayPrototype%.
// The %ArrayPrototype% has TERMINAL_FAST_ELEMENTS_KIND in order to ensure
// that constant functions stay constant after turning prototype to setup
// mode and back.
DirectHandle<JSArray> proto = factory->NewJSArray(
    0, TERMINAL_FAST_ELEMENTS_KIND, AllocationType::kOld);
JSFunction::SetPrototype(isolate_, array_function, proto);
native_context()->set_initial_array_prototype(*proto);

...

SimpleInstallFunction(isolate_, proto, "splice",
                      Builtin::kArrayPrototypeSplice, 2, kDontAdapt);

The base array prototype is initialized, and the splice() function we just compiled is added as a method using SimpleInstallFunction().

Handle<JSFunction> SimpleInstallFunction(Isolate* isolate,
                                         DirectHandle<JSObject> base,
                                         const char* name, Builtin call,
                                         int len, AdaptArguments adapt,
                                         PropertyAttributes attrs) {
  // Although function name does not have to be internalized the property name
  // will be internalized during property addition anyway, so do it here now.
  DirectHandle<String> internalized_name =
      isolate->factory()->InternalizeUtf8String(name);
  Handle<JSFunction> fun =
      SimpleCreateFunction(isolate, internalized_name, call, len, adapt);
  JSObject::AddProperty(isolate, base, internalized_name, fun, attrs);
  return fun;
}

This function creates a JSFunction object, and set its code pointer to the actual machine code.

At this point, we have successfully bound the builtin function Array.prototype.splice() and exposed it to javascript callers.

Cool!